archbyte 0.1.0

package/dist/cli/auth.js

@@ -0,0 +1,397 @@
+import * as fs from "fs";
+import * as path from "path";
+import * as http from "http";
+import { spawn } from "child_process";
+import chalk from "chalk";
+const CONFIG_DIR = path.join(process.env.HOME ?? process.env.USERPROFILE ?? ".", ".archbyte");
+const CREDENTIALS_PATH = path.join(CONFIG_DIR, "credentials.json");
+const API_BASE = process.env.ARCHBYTE_API_URL ?? "https://api.heartbyte.io";
+const CLI_CALLBACK_PORT = 19274;
+export async function handleLogin(provider) {
+    console.log();
+    console.log(chalk.bold.cyan("ArchByte Login"));
+    console.log();
+    const existing = loadCredentials();
+    if (existing && !isExpired(existing)) {
+        // Refresh tier from server in case it changed (e.g. upgraded via dashboard)
+        try {
+            const res = await fetch(`${API_BASE}/api/v1/me`, {
+                headers: { Authorization: `Bearer ${existing.token}` },
+            });
+            if (res.ok) {
+                const { user } = (await res.json());
+                if (user.tier !== existing.tier) {
+                    existing.tier = user.tier;
+                    saveCredentials(existing);
+                }
+                // Cache server-verified tier
+                cacheVerifiedTier(user.tier === "premium" ? "premium" : "free", existing.email);
+            }
+        }
+        catch {
+            // Offline — use cached tier
+        }
+        console.log(chalk.green(`Already logged in as ${chalk.bold(existing.email)} (${existing.tier} tier)`));
+        console.log(chalk.gray("Run `archbyte logout` to sign out."));
+        return;
+    }
+    const selectedProvider = provider ?? "github";
+    console.log(chalk.gray(`Opening browser for ${selectedProvider} authentication...`));
+    console.log();
+    try {
+        const credentials = await startOAuthFlow(selectedProvider);
+        saveCredentials(credentials);
+        // Cache server-verified tier from fresh login
+        cacheVerifiedTier(credentials.tier === "premium" ? "premium" : "free", credentials.email);
+        console.log();
+        console.log(chalk.green(`Logged in as ${chalk.bold(credentials.email)} (${credentials.tier} tier)`));
+        console.log(chalk.gray(`Credentials saved to ${CREDENTIALS_PATH}`));
+    }
+    catch (err) {
+        console.error(chalk.red(`Login failed: ${err instanceof Error ? err.message : "Unknown error"}`));
+        console.log();
+        console.log(chalk.gray("You can also log in manually:"));
+        console.log(chalk.gray(`  1. Visit ${API_BASE.replace("api.", "")}/auth`));
+        console.log(chalk.gray("  2. Copy your token"));
+        console.log(chalk.gray("  3. Run: archbyte login --token <your-token>"));
+        process.exit(1);
+    }
+}
+export async function handleLoginWithToken(token) {
+    console.log();
+    console.log(chalk.bold.cyan("ArchByte Login (token)"));
+    console.log();
+    try {
+        const res = await fetch(`${API_BASE}/api/v1/me`, {
+            headers: { Authorization: `Bearer ${token}` },
+        });
+        if (!res.ok) {
+            console.error(chalk.red("Invalid token."));
+            process.exit(1);
+        }
+        const { user } = (await res.json());
+        const payload = parseJWTPayload(token);
+        saveCredentials({
+            token,
+            email: user.email,
+            tier: user.tier,
+            expiresAt: payload?.exp
+                ? new Date(payload.exp * 1000).toISOString()
+                : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+        });
+        // Cache server-verified tier
+        cacheVerifiedTier(user.tier === "premium" ? "premium" : "free", user.email);
+        console.log(chalk.green(`Logged in as ${chalk.bold(user.email)} (${user.tier} tier)`));
+    }
+    catch (err) {
+        console.error(chalk.red(`Login failed: ${err instanceof Error ? err.message : "Unknown error"}`));
+        process.exit(1);
+    }
+}
+// === Logout ===
+export async function handleLogout() {
+    console.log();
+    const creds = loadCredentials();
+    if (!creds) {
+        console.log(chalk.gray("Not logged in."));
+        return;
+    }
+    try {
+        fs.unlinkSync(CREDENTIALS_PATH);
+    }
+    catch {
+        // Ignore
+    }
+    // Clean up tier cache and offline action tracker
+    try {
+        fs.unlinkSync(TIER_CACHE_PATH);
+    }
+    catch { /* Ignore */ }
+    resetOfflineActions();
+    console.log(chalk.green(`Logged out (was ${creds.email}).`));
+}
+// === Status ===
+export async function handleStatus() {
+    console.log();
+    console.log(chalk.bold.cyan("ArchByte Account"));
+    console.log();
+    const creds = loadCredentials();
+    if (!creds) {
+        console.log(chalk.yellow("Not logged in. Run `archbyte login` to sign in."));
+        return;
+    }
+    if (isExpired(creds)) {
+        console.log(chalk.yellow("Session expired. Run `archbyte login` to refresh."));
+        return;
+    }
+    console.log(`  ${chalk.bold("Email")}: ${creds.email}`);
+    console.log(`  ${chalk.bold("Tier")}:  ${creds.tier === "premium" ? chalk.green("Pro") : "Basic"}`);
+    console.log(`  ${chalk.bold("Expires")}: ${new Date(creds.expiresAt).toLocaleDateString()}`);
+    // Fetch live usage from server
+    try {
+        const res = await fetch(`${API_BASE}/api/v1/scans/count`, {
+            headers: { Authorization: `Bearer ${creds.token}` },
+        });
+        if (res.ok) {
+            const data = (await res.json());
+            console.log(`  ${chalk.bold("Scans")}: ${data.scansUsed}${data.scansAllowed === -1 ? " (unlimited)" : `/${data.scansAllowed}`}`);
+        }
+    }
+    catch {
+        // Offline — show cached info only
+    }
+    console.log();
+}
+// === Credential Helpers (exported for license gate) ===
+export function loadCredentials() {
+    try {
+        if (fs.existsSync(CREDENTIALS_PATH)) {
+            const data = JSON.parse(fs.readFileSync(CREDENTIALS_PATH, "utf-8"));
+            // Validate structure — reject malformed credentials
+            if (typeof data?.token !== "string" ||
+                typeof data?.email !== "string" ||
+                typeof data?.tier !== "string" ||
+                typeof data?.expiresAt !== "string") {
+                return null;
+            }
+            return data;
+        }
+    }
+    catch {
+        // Ignore — corrupt file treated as no credentials
+    }
+    return null;
+}
+function saveCredentials(creds) {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    fs.writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), "utf-8");
+    // Restrict permissions (owner-only read/write)
+    try {
+        fs.chmodSync(CREDENTIALS_PATH, 0o600);
+    }
+    catch {
+        // Windows doesn't support chmod
+    }
+}
+function isExpired(creds) {
+    return new Date(creds.expiresAt) < new Date();
+}
+function parseJWTPayload(token) {
+    try {
+        const parts = token.split(".");
+        if (parts.length !== 3)
+            return null;
+        return JSON.parse(Buffer.from(parts[1], "base64url").toString());
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get the tier from the JWT token payload. NEVER falls back to the
+ * editable credentials file — that would allow trivial tier bypass
+ * by editing ~/.archbyte/credentials.json.
+ *
+ * WARNING: This reads from an UNVERIFIED JWT payload. The CLI cannot
+ * verify HMAC signatures (no shared secret). Use getVerifiedTier()
+ * instead, which reads from the server-verified tier cache.
+ */
+export function getTierFromToken() {
+    const creds = loadCredentials();
+    if (!creds?.token)
+        return "free";
+    const payload = parseJWTPayload(creds.token);
+    return payload?.tier === "premium" ? "premium" : "free";
+}
+// === Server-Verified Tier Cache ===
+// The CLI cannot verify JWT signatures (HMAC requires the server secret).
+// Instead, we cache the tier returned by the server after successful
+// verification. This cache is the ONLY trusted source of tier info locally.
+const TIER_CACHE_PATH = path.join(CONFIG_DIR, "tier-cache.json");
+const TIER_CACHE_MAX_AGE_MS = 60 * 60 * 1000; // 1 hour
+/**
+ * Cache the server-verified tier. Called by license-gate after a
+ * successful server response. Uses email as the identifier since
+ * the license-gate has access to it from credentials.
+ */
+export function cacheVerifiedTier(tier, email) {
+    const data = { tier, verifiedAt: Date.now(), email };
+    try {
+        if (!fs.existsSync(CONFIG_DIR)) {
+            fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        }
+        fs.writeFileSync(TIER_CACHE_PATH, JSON.stringify(data), "utf-8");
+        try {
+            fs.chmodSync(TIER_CACHE_PATH, 0o600);
+        }
+        catch { /* Windows */ }
+    }
+    catch {
+        // Non-critical — offline fallback just won't work
+    }
+}
+/**
+ * Get the tier from the server-verified cache. Returns "free" if cache
+ * is missing, stale (> 1 hour), or belongs to a different user.
+ */
+export function getVerifiedTier() {
+    try {
+        if (!fs.existsSync(TIER_CACHE_PATH))
+            return "free";
+        const data = JSON.parse(fs.readFileSync(TIER_CACHE_PATH, "utf-8"));
+        // Validate cache structure
+        if (!data || typeof data.verifiedAt !== "number" || typeof data.tier !== "string") {
+            return "free";
+        }
+        // Check staleness
+        if (Date.now() - data.verifiedAt > TIER_CACHE_MAX_AGE_MS)
+            return "free";
+        // Check user match (prevent tier cache from a different account)
+        const creds = loadCredentials();
+        if (creds?.email && data.email !== creds.email)
+            return "free";
+        return data.tier === "premium" ? "premium" : "free";
+    }
+    catch {
+        return "free";
+    }
+}
+// === Offline Action Tracking ===
+const OFFLINE_ACTIONS_PATH = path.join(CONFIG_DIR, "offline-actions.json");
+const OFFLINE_MAX_PREMIUM = 3; // Premium users: 3 offline actions within cache window
+const OFFLINE_MAX_FREE = 0; // Free users: 0 offline actions (must verify online)
+/**
+ * Check if an offline action is allowed. Returns true if within limits.
+ * Increments the counter when allowed.
+ */
+export function checkOfflineAction() {
+    const tier = getVerifiedTier();
+    const maxActions = tier === "premium" ? OFFLINE_MAX_PREMIUM : OFFLINE_MAX_FREE;
+    if (maxActions === 0) {
+        return {
+            allowed: false,
+            reason: "Server verification required. Check your internet connection and try again.",
+        };
+    }
+    try {
+        let data = { count: 0, lastReset: Date.now() };
+        if (fs.existsSync(OFFLINE_ACTIONS_PATH)) {
+            data = JSON.parse(fs.readFileSync(OFFLINE_ACTIONS_PATH, "utf-8"));
+        }
+        // Reset counter if cache window expired
+        if (Date.now() - data.lastReset > TIER_CACHE_MAX_AGE_MS) {
+            data = { count: 0, lastReset: Date.now() };
+        }
+        if (data.count >= maxActions) {
+            return {
+                allowed: false,
+                reason: `Offline action limit reached (${maxActions}/${maxActions}). Reconnect to the license server to continue.`,
+            };
+        }
+        // Increment and save
+        data.count++;
+        fs.writeFileSync(OFFLINE_ACTIONS_PATH, JSON.stringify(data), "utf-8");
+        try {
+            fs.chmodSync(OFFLINE_ACTIONS_PATH, 0o600);
+        }
+        catch { /* Windows */ }
+        return { allowed: true };
+    }
+    catch {
+        return { allowed: false, reason: "Could not verify offline action limit." };
+    }
+}
+/**
+ * Reset offline action counter. Called after successful server verification.
+ */
+export function resetOfflineActions() {
+    try {
+        if (fs.existsSync(OFFLINE_ACTIONS_PATH)) {
+            fs.unlinkSync(OFFLINE_ACTIONS_PATH);
+        }
+    }
+    catch {
+        // Non-critical
+    }
+}
+// === OAuth Flow ===
+function startOAuthFlow(provider = "github") {
+    return new Promise((resolve, reject) => {
+        const timeout = setTimeout(() => {
+            server.close();
+            reject(new Error("Login timed out (60s). Try again or use --token."));
+        }, 60000);
+        const server = http.createServer(async (req, res) => {
+            const url = new URL(req.url ?? "/", `http://localhost:${CLI_CALLBACK_PORT}`);
+            if (url.pathname === "/callback") {
+                const token = url.searchParams.get("token");
+                if (!token) {
+                    res.writeHead(400, { "Content-Type": "text/html" });
+                    res.end("<h1>Login failed</h1><p>No token received. Close this window and try again.</p>");
+                    return;
+                }
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end("<h1>Login successful!</h1><p>You can close this window and return to your terminal.</p>");
+                clearTimeout(timeout);
+                server.close();
+                // Fetch user info with the token
+                try {
+                    const meRes = await fetch(`${API_BASE}/api/v1/me`, {
+                        headers: { Authorization: `Bearer ${token}` },
+                    });
+                    if (!meRes.ok) {
+                        reject(new Error("Failed to fetch user info"));
+                        return;
+                    }
+                    const { user } = (await meRes.json());
+                    const payload = parseJWTPayload(token);
+                    resolve({
+                        token,
+                        email: user.email,
+                        tier: user.tier,
+                        expiresAt: payload?.exp
+                            ? new Date(payload.exp * 1000).toISOString()
+                            : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+                    });
+                }
+                catch (err) {
+                    reject(err);
+                }
+            }
+        });
+        server.listen(CLI_CALLBACK_PORT, "127.0.0.1", () => {
+            const authUrl = `${API_BASE}/api/v1/auth/${provider}?cli=1`;
+            // Open browser without shell interpolation (prevents command injection)
+            const opener = process.platform === "darwin"
+                ? "open"
+                : process.platform === "win32"
+                    ? "start"
+                    : "xdg-open";
+            const child = spawn(opener, [authUrl], { stdio: "ignore" });
+            child.on("error", () => {
+                console.log(chalk.yellow("Could not open browser automatically."));
+                console.log(chalk.gray(`Open this URL manually: ${authUrl}`));
+            });
+            child.on("close", (code) => {
+                if (code === 0) {
+                    console.log(chalk.gray("Browser opened. Waiting for authentication..."));
+                }
+                else {
+                    console.log(chalk.yellow("Could not open browser automatically."));
+                    console.log(chalk.gray(`Open this URL manually: ${authUrl}`));
+                }
+            });
+        });
+        server.on("error", (err) => {
+            clearTimeout(timeout);
+            if (err.code === "EADDRINUSE") {
+                reject(new Error(`Port ${CLI_CALLBACK_PORT} is in use. Close other archbyte instances and try again.`));
+            }
+            else {
+                reject(err);
+            }
+        });
+    });
+}

package/dist/cli/config.d.ts

@@ -0,0 +1,11 @@
+import type { ArchByteConfig } from "../agents/runtime/types.js";
+interface ConfigOptions {
+    args: string[];
+}
+export declare function handleConfig(options: ConfigOptions): Promise<void>;
+/**
+ * Resolve the full ArchByteConfig from config file + env vars.
+ * Env vars override config file.
+ */
+export declare function resolveConfig(): ArchByteConfig | null;
+export {};

package/dist/cli/config.js

@@ -0,0 +1,177 @@
+import * as fs from "fs";
+import * as path from "path";
+import chalk from "chalk";
+const CONFIG_DIR = path.join(process.env.HOME ?? process.env.USERPROFILE ?? ".", ".archbyte");
+const CONFIG_PATH = path.join(CONFIG_DIR, "config.json");
+const VALID_PROVIDERS = ["anthropic", "openai", "google", "ollama"];
+export async function handleConfig(options) {
+    const [action, key, value] = options.args;
+    if (!action || action === "show") {
+        showConfig();
+        return;
+    }
+    if (action === "set") {
+        if (!key || !value) {
+            console.error(chalk.red("Usage: archbyte config set <key> <value>"));
+            console.error(chalk.gray("  Keys: provider, api-key, ollama-url"));
+            process.exit(1);
+        }
+        setConfig(key, value);
+        return;
+    }
+    if (action === "get") {
+        if (!key) {
+            console.error(chalk.red("Usage: archbyte config get <key>"));
+            process.exit(1);
+        }
+        getConfig(key);
+        return;
+    }
+    if (action === "path") {
+        console.log(CONFIG_PATH);
+        return;
+    }
+    console.error(chalk.red(`Unknown action: ${action}`));
+    console.error(chalk.gray("  archbyte config show       — show current config"));
+    console.error(chalk.gray("  archbyte config set <k> <v> — set a config value"));
+    console.error(chalk.gray("  archbyte config get <k>     — get a config value"));
+    console.error(chalk.gray("  archbyte config path        — show config file path"));
+    process.exit(1);
+}
+function loadConfig() {
+    try {
+        if (fs.existsSync(CONFIG_PATH)) {
+            return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf-8"));
+        }
+    }
+    catch {
+        // Ignore
+    }
+    return {};
+}
+function saveConfig(config) {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), "utf-8");
+}
+function showConfig() {
+    const config = loadConfig();
+    console.log();
+    console.log(chalk.bold.cyan("ArchByte Configuration"));
+    console.log(chalk.gray(`Config file: ${CONFIG_PATH}`));
+    console.log();
+    if (!config.provider && !config.apiKey) {
+        console.log(chalk.yellow("No configuration found. Set up with:"));
+        console.log(chalk.gray("  archbyte config set provider anthropic"));
+        console.log(chalk.gray("  archbyte config set api-key sk-ant-..."));
+        console.log();
+        console.log(chalk.gray("Or use environment variables:"));
+        console.log(chalk.gray("  export ARCHBYTE_PROVIDER=anthropic"));
+        console.log(chalk.gray("  export ARCHBYTE_API_KEY=sk-ant-..."));
+        return;
+    }
+    console.log(`  ${chalk.bold("provider")}: ${config.provider ?? chalk.gray("not set")}`);
+    console.log(`  ${chalk.bold("api-key")}:  ${config.apiKey ? maskKey(config.apiKey) : chalk.gray("not set")}`);
+    if (config.ollamaBaseUrl) {
+        console.log(`  ${chalk.bold("ollama-url")}: ${config.ollamaBaseUrl}`);
+    }
+    console.log();
+}
+function setConfig(key, value) {
+    const config = loadConfig();
+    switch (key) {
+        case "provider": {
+            if (!VALID_PROVIDERS.includes(value)) {
+                console.error(chalk.red(`Invalid provider: ${value}. Must be: ${VALID_PROVIDERS.join(", ")}`));
+                process.exit(1);
+            }
+            config.provider = value;
+            break;
+        }
+        case "api-key":
+        case "apiKey":
+        case "key":
+            config.apiKey = value;
+            break;
+        case "ollama-url":
+        case "ollamaUrl":
+            config.ollamaBaseUrl = value;
+            break;
+        default:
+            console.error(chalk.red(`Unknown config key: ${key}`));
+            console.error(chalk.gray("  Valid keys: provider, api-key, ollama-url"));
+            process.exit(1);
+    }
+    saveConfig(config);
+    console.log(chalk.green(`Set ${key} = ${key.includes("key") ? maskKey(value) : value}`));
+}
+function getConfig(key) {
+    const config = loadConfig();
+    switch (key) {
+        case "provider":
+            console.log(config.provider ?? "");
+            break;
+        case "api-key":
+        case "apiKey":
+        case "key":
+            console.log(config.apiKey ?? "");
+            break;
+        case "ollama-url":
+        case "ollamaUrl":
+            console.log(config.ollamaBaseUrl ?? "");
+            break;
+        default:
+            console.error(chalk.red(`Unknown config key: ${key}`));
+            process.exit(1);
+    }
+}
+function maskKey(key) {
+    if (key.length <= 8)
+        return "****";
+    return key.slice(0, 6) + "..." + key.slice(-4);
+}
+/**
+ * Resolve the full ArchByteConfig from config file + env vars.
+ * Env vars override config file.
+ */
+export function resolveConfig() {
+    const config = loadConfig();
+    const provider = process.env.ARCHBYTE_PROVIDER ?? config.provider;
+    const apiKey = process.env.ARCHBYTE_API_KEY ?? config.apiKey;
+    // Auto-detect from known env vars if nothing explicit
+    if (!provider && !apiKey) {
+        if (process.env.ANTHROPIC_API_KEY) {
+            return { provider: "anthropic", apiKey: process.env.ANTHROPIC_API_KEY };
+        }
+        if (process.env.OPENAI_API_KEY) {
+            return { provider: "openai", apiKey: process.env.OPENAI_API_KEY };
+        }
+        if (process.env.GOOGLE_API_KEY || process.env.GEMINI_API_KEY) {
+            return {
+                provider: "google",
+                apiKey: process.env.GOOGLE_API_KEY ?? process.env.GEMINI_API_KEY ?? "",
+            };
+        }
+        return null;
+    }
+    if (!provider)
+        return null;
+    // Ollama doesn't need an API key
+    if (provider === "ollama") {
+        return {
+            provider: "ollama",
+            apiKey: "",
+            ollamaBaseUrl: process.env.OLLAMA_BASE_URL ??
+                config.ollamaBaseUrl ??
+                "http://localhost:11434",
+        };
+    }
+    if (!apiKey)
+        return null;
+    return {
+        provider,
+        apiKey,
+        ollamaBaseUrl: config.ollamaBaseUrl,
+    };
+}

package/dist/cli/diff.d.ts

@@ -0,0 +1,10 @@
+interface DiffOptions {
+    baseline: string;
+    current?: string;
+    config?: string;
+}
+/**
+ * Compare two architecture snapshots and show drift report.
+ */
+export declare function handleDiff(options: DiffOptions): Promise<void>;
+export {};