berget 2.2.6 → 2.2.7

package/src/commands/clusters.ts

@@ -1,6 +1,6 @@
-import { Command } from 'commander'
-import { ClusterService, Cluster } from '../services/cluster-service'
-import { handleError } from '../utils/error-handler'
+import { Command } from "commander";
+import { ClusterService, Cluster } from "../services/cluster-service";
+import { handleError } from "../utils/error-handler";
 
 /**
  * Register cluster commands
@@ -8,58 +8,58 @@ import { handleError } from '../utils/error-handler'
 export function registerClusterCommands(program: Command): void {
   const cluster = program
     .command(ClusterService.COMMAND_GROUP)
-    .description('Manage Berget clusters')
+    .description("Manage Berget clusters");
 
   cluster
     .command(ClusterService.COMMANDS.LIST)
-    .description('List all Berget clusters')
+    .description("List all Berget clusters")
     .action(async () => {
       try {
-        const clusterService = ClusterService.getInstance()
-        const clusters = await clusterService.list()
+        const clusterService = ClusterService.getInstance();
+        const clusters = await clusterService.list();
 
-        console.log('NAME                   STATUS    NODES    CREATED')
+        console.log("NAME                   STATUS    NODES    CREATED");
         clusters.forEach((cluster: Cluster) => {
           console.log(
-            `${cluster.name.padEnd(22)} ${cluster.status.padEnd(9)} ${String(
-              cluster.nodes,
-            ).padEnd(8)} ${cluster.created}`,
-          )
-        })
+            `${cluster.name.padEnd(22)} ${cluster.status.padEnd(9)} ${String(cluster.nodes).padEnd(
+              8
+            )} ${cluster.created}`
+          );
+        });
       } catch (error) {
-        handleError('Failed to list clusters', error)
+        handleError("Failed to list clusters", error);
       }
-    })
+    });
 
   cluster
     .command(ClusterService.COMMANDS.GET_USAGE)
-    .description('Get usage metrics for a specific cluster')
-    .argument('<clusterId>', 'Cluster ID')
-    .action(async (clusterId) => {
+    .description("Get usage metrics for a specific cluster")
+    .argument("<clusterId>", "Cluster ID")
+    .action(async clusterId => {
       try {
-        const clusterService = ClusterService.getInstance()
-        const usage = await clusterService.getUsage(clusterId)
+        const clusterService = ClusterService.getInstance();
+        const usage = await clusterService.getUsage(clusterId);
 
-        console.log('Cluster Usage:')
-        console.log(JSON.stringify(usage, null, 2))
+        console.log("Cluster Usage:");
+        console.log(JSON.stringify(usage, null, 2));
       } catch (error) {
-        handleError('Failed to get cluster usage', error)
+        handleError("Failed to get cluster usage", error);
       }
-    })
+    });
 
   cluster
     .command(ClusterService.COMMANDS.DESCRIBE)
-    .description('Get detailed information about a cluster')
-    .argument('<clusterId>', 'Cluster ID')
-    .action(async (clusterId) => {
+    .description("Get detailed information about a cluster")
+    .argument("<clusterId>", "Cluster ID")
+    .action(async clusterId => {
       try {
-        const clusterService = ClusterService.getInstance()
-        const clusterInfo = await clusterService.describe(clusterId)
+        const clusterService = ClusterService.getInstance();
+        const clusterInfo = await clusterService.describe(clusterId);
 
-        console.log('Cluster Details:')
-        console.log(JSON.stringify(clusterInfo, null, 2))
+        console.log("Cluster Details:");
+        console.log(JSON.stringify(clusterInfo, null, 2));
       } catch (error) {
-        handleError('Failed to describe cluster', error)
+        handleError("Failed to describe cluster", error);
       }
-    })
+    });
 }

package/src/commands/code/__tests__/auth-sync.test.ts

@@ -0,0 +1,481 @@
+import { describe, expect, it } from "vitest";
+import {
+  readCliAuth,
+  isToolAuthenticated,
+  decodeJwtPayload,
+  hasBergetCodeSeat,
+  syncOAuthToTool,
+  syncApiKeyToTool,
+  configureAuth,
+  type CliAuth,
+  type AuthDeps,
+} from "../auth-sync";
+import { FakeFileStore } from "./fake-file-store";
+import { FakePrompter, select, confirm } from "./fake-prompter";
+import { FakeAuthService } from "./fake-auth-service";
+import { FakeApiKeyService } from "./fake-api-key-service";
+
+function base64urlEncode(data: string): string {
+  return Buffer.from(data).toString("base64url");
+}
+
+function makeJwt(payload: Record<string, unknown>): string {
+  const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
+  const body = base64urlEncode(JSON.stringify(payload));
+  return `${header}.${body}.signature`;
+}
+
+const HOME = "/home/user";
+
+const fakeCliAuth = (overrides: Partial<CliAuth> = {}): CliAuth => ({
+  access_token: makeJwt({
+    realm_access: { roles: ["default-roles-berget"] },
+    exp: 9999999999999, // JWT exp in seconds (different from expires_at in ms)
+  }),
+  refresh_token: "refreshtoken",
+  expires_at: 9999999999999,
+  ...overrides,
+});
+
+describe("readCliAuth", () => {
+  it("returns null when auth file does not exist", async () => {
+    const files = new FakeFileStore();
+    const result = await readCliAuth(files, HOME);
+    expect(result).toBeNull();
+  });
+
+  it("parses valid auth file", async () => {
+    const files = new FakeFileStore();
+    const auth: CliAuth = fakeCliAuth();
+    files.seed(HOME + "/.berget/auth.json", JSON.stringify(auth));
+
+    const result = await readCliAuth(files, HOME);
+    // The JWT's exp claim should be extracted and converted to milliseconds
+    const jwtPayload = JSON.parse(
+      Buffer.from(auth.access_token.split(".")[1], "base64url").toString()
+    );
+    const expectedAuth = {
+      access_token: auth.access_token,
+      refresh_token: auth.refresh_token,
+      expires_at: (jwtPayload.exp as number) * 1000,
+    };
+    expect(result).toEqual(expectedAuth);
+  });
+
+  it("returns null for malformed JSON", async () => {
+    const files = new FakeFileStore();
+    files.seed(HOME + "/.berget/auth.json", "not json");
+    const result = await readCliAuth(files, HOME);
+    expect(result).toBeNull();
+  });
+
+  it("returns null when fields are missing", async () => {
+    const files = new FakeFileStore();
+    files.seed(HOME + "/.berget/auth.json", JSON.stringify({ access_token: "only" }));
+    const result = await readCliAuth(files, HOME);
+    expect(result).toBeNull();
+  });
+});
+
+describe("isToolAuthenticated", () => {
+  it("returns false when auth file does not exist", async () => {
+    const files = new FakeFileStore();
+    const result = await isToolAuthenticated(files, HOME, "opencode");
+    expect(result).toBe(false);
+  });
+
+  it("returns true when berget entry exists", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ berget: { type: "oauth", access: "tok" } })
+    );
+    const result = await isToolAuthenticated(files, HOME, "opencode");
+    expect(result).toBe(true);
+  });
+
+  it("returns false when berget entry is missing", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ openai: { type: "api" } })
+    );
+    const result = await isToolAuthenticated(files, HOME, "opencode");
+    expect(result).toBe(false);
+  });
+
+  it("checks correct path for pi", async () => {
+    const files = new FakeFileStore();
+    files.seed(HOME + "/.pi/agent/auth.json", JSON.stringify({ berget: { type: "oauth" } }));
+    const result = await isToolAuthenticated(files, HOME, "pi");
+    expect(result).toBe(true);
+  });
+});
+
+describe("decodeJwtPayload", () => {
+  it("decodes a valid JWT payload", () => {
+    const payload = { sub: "123", realm_access: { roles: ["admin"] } };
+    const jwt = makeJwt(payload);
+    expect(decodeJwtPayload(jwt)).toEqual(payload);
+  });
+
+  it("returns null for invalid format", () => {
+    expect(decodeJwtPayload("not.a")).toBeNull();
+    expect(decodeJwtPayload("onlyOnePart")).toBeNull();
+  });
+
+  it("returns null for invalid base64", () => {
+    expect(decodeJwtPayload("header.bad\.base64.signature")).toBeNull();
+  });
+});
+
+describe("hasBergetCodeSeat", () => {
+  it("returns true when berget_code_seat is present", () => {
+    const token = makeJwt({
+      realm_access: { roles: ["berget_code_seat", "default-roles-berget"] },
+    });
+    expect(hasBergetCodeSeat(token)).toBe(true);
+  });
+
+  it("returns false when role is missing", () => {
+    const token = makeJwt({
+      realm_access: { roles: ["default-roles-berget"] },
+    });
+    expect(hasBergetCodeSeat(token)).toBe(false);
+  });
+
+  it("returns false when realm_access is missing", () => {
+    const token = makeJwt({ sub: "123" });
+    expect(hasBergetCodeSeat(token)).toBe(false);
+  });
+
+  it("returns false for invalid JWT", () => {
+    expect(hasBergetCodeSeat("invalid")).toBe(false);
+  });
+});
+
+describe("syncOAuthToTool", () => {
+  it("writes oauth tokens to opencode auth file", async () => {
+    const files = new FakeFileStore();
+    const auth = fakeCliAuth();
+
+    await syncOAuthToTool(files, HOME, "opencode", auth);
+
+    const written = files.getWrittenFiles();
+    const content = written.get(HOME + "/.local/share/opencode/auth.json")!;
+    const parsed = JSON.parse(content);
+    // The expires field should now use the JWT's exp claim (converted to milliseconds)
+    const jwtPayload = JSON.parse(
+      Buffer.from(auth.access_token.split(".")[1], "base64url").toString()
+    );
+    expect(parsed.berget).toEqual({
+      type: "oauth",
+      access: auth.access_token,
+      refresh: auth.refresh_token,
+      expires: (jwtPayload.exp as number) * 1000,
+    });
+  });
+
+  it("writes oauth tokens to pi auth file", async () => {
+    const files = new FakeFileStore();
+    const auth = fakeCliAuth();
+
+    await syncOAuthToTool(files, HOME, "pi", auth);
+
+    const written = files.getWrittenFiles();
+    const content = written.get(HOME + "/.pi/agent/auth.json")!;
+    const parsed = JSON.parse(content);
+    expect(parsed.berget.type).toBe("oauth");
+  });
+
+  it("merges with existing providers", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ openai: { type: "api", key: "sk-openai" } })
+    );
+
+    const auth = fakeCliAuth();
+    await syncOAuthToTool(files, HOME, "opencode", auth);
+
+    const written = files.getWrittenFiles();
+    const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json")!);
+    expect(parsed.openai).toEqual({ type: "api", key: "sk-openai" });
+    expect(parsed.berget.type).toBe("oauth");
+  });
+
+  it("sets 0o600 permissions on the auth file", async () => {
+    const files = new FakeFileStore();
+    const auth = fakeCliAuth();
+
+    await syncOAuthToTool(files, HOME, "opencode", auth);
+
+    const chmodCalls = files.getChmodCalls();
+    expect(chmodCalls).toHaveLength(1);
+    expect(chmodCalls[0]).toEqual({
+      path: HOME + "/.local/share/opencode/auth.json",
+      mode: 0o600,
+    });
+  });
+});
+
+describe("syncApiKeyToTool", () => {
+  it('writes api key to opencode auth file with type "api"', async () => {
+    const files = new FakeFileStore();
+
+    await syncApiKeyToTool(files, HOME, "opencode", "sk_ber_test");
+
+    const written = files.getWrittenFiles();
+    const content = written.get(HOME + "/.local/share/opencode/auth.json")!;
+    const parsed = JSON.parse(content);
+    expect(parsed.berget).toEqual({
+      type: "api",
+      key: "sk_ber_test",
+    });
+  });
+
+  it('writes api key to pi auth file with type "api_key"', async () => {
+    const files = new FakeFileStore();
+
+    await syncApiKeyToTool(files, HOME, "pi", "sk_ber_pi");
+
+    const written = files.getWrittenFiles();
+    const content = written.get(HOME + "/.pi/agent/auth.json")!;
+    const parsed = JSON.parse(content);
+    expect(parsed.berget).toEqual({
+      type: "api_key",
+      key: "sk_ber_pi",
+    });
+  });
+
+  it("merges with existing providers", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ anthropic: { type: "api", key: "sk-ant" } })
+    );
+
+    await syncApiKeyToTool(files, HOME, "opencode", "sk_ber_test");
+
+    const written = files.getWrittenFiles();
+    const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json")!);
+    expect(parsed.anthropic).toEqual({ type: "api", key: "sk-ant" });
+  });
+
+  it("sets 0o600 permissions on the auth file", async () => {
+    const files = new FakeFileStore();
+
+    await syncApiKeyToTool(files, HOME, "opencode", "sk_ber_test");
+
+    const chmodCalls = files.getChmodCalls();
+    expect(chmodCalls).toHaveLength(1);
+    expect(chmodCalls[0]).toEqual({
+      path: HOME + "/.local/share/opencode/auth.json",
+      mode: 0o600,
+    });
+  });
+});
+
+describe("configureAuth", () => {
+  const makeAuthDeps = (overrides: Partial<AuthDeps> = {}): AuthDeps =>
+    ({
+      prompter: new FakePrompter([]),
+      files: new FakeFileStore(),
+      authService: new FakeAuthService(true),
+      apiKeyService: new FakeApiKeyService("sk_ber_test"),
+      homeDir: HOME,
+      ...overrides,
+    }) as AuthDeps;
+
+  it("Case A: already authenticated — chooses keep → skips flow", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ berget: { type: "oauth" } })
+    );
+
+    const prompter = new FakePrompter([select("keep")]);
+
+    const deps = makeAuthDeps({ files, prompter });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(true);
+    expect((deps.prompter as FakePrompter).calls.length).toBe(1); // Only the select prompt
+  });
+
+  it("Case A reconfigure: already authenticated — reconfigure with fresh browser login", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ berget: { type: "oauth" } })
+    );
+
+    const prompter = new FakePrompter([select("reconfigure"), select("subscription")]);
+
+    const deps = makeAuthDeps({ files, prompter });
+    const authService = deps.authService as FakeAuthService;
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(true);
+    // Should have called loginInteractive (no token reuse since no ~/.berget/auth.json seeded)
+    expect(authService.loginInteractiveCallCount).toBeGreaterThanOrEqual(1);
+  });
+
+  it("Case A reconfigure: already authenticated — reconfigure with valid CLI token → skips browser", async () => {
+    const farFuture = Date.now() + 365 * 24 * 60 * 60 * 1000; // 1 year from now
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ berget: { type: "oauth" } })
+    );
+    files.seed(
+      HOME + "/.berget/auth.json",
+      JSON.stringify({
+        access_token: makeJwt({ realm_access: { roles: ["berget_code_seat"] }, exp: farFuture }),
+        refresh_token: "ref",
+        expires_at: farFuture,
+      })
+    );
+
+    const prompter = new FakePrompter([select("reconfigure"), select("subscription")]);
+
+    const authService = new FakeAuthService(true);
+    const deps = makeAuthDeps({ files, prompter, authService });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(true);
+    // Should NOT have called loginInteractive since token was reused
+    expect(authService.loginInteractiveCallCount).toBe(0);
+  });
+
+  it("Case B: login success + berget_code_seat → chooses subscription", async () => {
+    const files = new FakeFileStore();
+    const jwt = makeJwt({
+      realm_access: { roles: ["berget_code_seat"] },
+      exp: 9999999999999,
+    });
+    files.seed(
+      HOME + "/.berget/auth.json",
+      JSON.stringify({
+        access_token: jwt,
+        refresh_token: "ref",
+        expires_at: 9999999999999,
+      })
+    );
+
+    const prompter = new FakePrompter([select("subscription")]);
+
+    const deps = makeAuthDeps({ files, prompter });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(true);
+    const written = files.getWrittenFiles();
+    expect(written.has(HOME + "/.local/share/opencode/auth.json")).toBe(true);
+    const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json")!);
+    expect(parsed.berget.type).toBe("oauth");
+  });
+
+  it("Case B variant: login success + seat → chooses api_key", async () => {
+    const files = new FakeFileStore();
+    const jwt = makeJwt({
+      realm_access: { roles: ["berget_code_seat"] },
+      exp: 9999999999999,
+    });
+    files.seed(
+      HOME + "/.berget/auth.json",
+      JSON.stringify({
+        access_token: jwt,
+        refresh_token: "ref",
+        expires_at: 9999999999999,
+      })
+    );
+
+    const prompter = new FakePrompter([select("api_key")]);
+
+    const deps = makeAuthDeps({ files, prompter });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(true);
+    const written = files.getWrittenFiles();
+    const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json")!);
+    expect(parsed.berget.type).toBe("api");
+    expect(parsed.berget.key).toBe("sk_ber_test");
+  });
+
+  it("Case C: login success + no seat → creates api key", async () => {
+    const files = new FakeFileStore();
+    const prompter = new FakePrompter([confirm(true)]);
+
+    const deps = makeAuthDeps({ files, prompter, authService: new FakeAuthService(true, false) });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(true);
+    const written = files.getWrittenFiles();
+    const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json")!);
+    expect(parsed.berget.type).toBe("api");
+    expect(parsed.berget.key).toBe("sk_ber_test");
+  });
+
+  it("Case D: login success + no seat → declines api key", async () => {
+    const files = new FakeFileStore();
+    const prompter = new FakePrompter([confirm(false)]);
+
+    const deps = makeAuthDeps({ files, prompter, authService: new FakeAuthService(true, false) });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(false);
+    expect(files.getWrittenFiles().has(HOME + "/.local/share/opencode/auth.json")).toBe(false);
+  });
+
+  it("Case E: login fails", async () => {
+    const files = new FakeFileStore();
+    const authService = new FakeAuthService(false);
+
+    const deps = makeAuthDeps({ files, authService });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(false);
+  });
+
+  it("fails authentication when jwt decode fails", async () => {
+    const prompter = new FakePrompter([]);
+
+    const deps = makeAuthDeps({
+      prompter,
+      authService: new FakeAuthService(true, true, false), // valid login, has seat, but invalid token
+    });
+    const result = await configureAuth(deps, "opencode");
+
+    expect(result.authenticated).toBe(false); // Should fail due to invalid JWT
+    const written = (deps.files as FakeFileStore).getWrittenFiles();
+    expect(written.size).toBe(0); // No files should be written
+  });
+
+  it("preserves existing providers during sync", async () => {
+    const files = new FakeFileStore();
+    files.seed(
+      HOME + "/.local/share/opencode/auth.json",
+      JSON.stringify({ openai: { type: "api", key: "sk-openai" } })
+    );
+    files.seed(
+      HOME + "/.berget/auth.json",
+      JSON.stringify({
+        access_token: makeJwt({
+          realm_access: { roles: ["berget_code_seat"], exp: 9999999999999 },
+        }),
+        refresh_token: "ref",
+        expires_at: 9999999999999,
+      })
+    );
+
+    const prompter = new FakePrompter([select("subscription")]);
+
+    const deps = makeAuthDeps({ files, prompter });
+    await configureAuth(deps, "opencode");
+
+    const written = files.getWrittenFiles();
+    const parsed = JSON.parse(written.get(HOME + "/.local/share/opencode/auth.json")!);
+    expect(parsed.openai).toEqual({ type: "api", key: "sk-openai" });
+    expect(parsed.berget).toBeDefined();
+  });
+});

package/src/commands/code/__tests__/fake-api-key-service.ts

@@ -0,0 +1,13 @@
+import type { ApiKeyServicePort } from "../ports/auth-services";
+
+export class FakeApiKeyService implements ApiKeyServicePort {
+  private readonly _key: string;
+
+  constructor(key: string) {
+    this._key = key;
+  }
+
+  async create(_options: { name: string; description?: string }): Promise<{ key: string }> {
+    return { key: this._key };
+  }
+}

package/src/commands/code/__tests__/fake-auth-service.ts

@@ -0,0 +1,50 @@
+import type { AuthServicePort } from "../ports/auth-services";
+
+function base64urlEncode(data: string): string {
+  return Buffer.from(data).toString("base64url");
+}
+
+function makeJwt(payload: Record<string, unknown>): string {
+  const header = base64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
+  const body = base64urlEncode(JSON.stringify(payload));
+  return `${header}.${body}.signature`;
+}
+
+export class FakeAuthService implements AuthServicePort {
+  loginCallCount = 0;
+  loginInteractiveCallCount = 0;
+
+  constructor(
+    private readonly _shouldSucceed: boolean,
+    private readonly _hasSeat: boolean = true,
+    private readonly _validToken: boolean = true
+  ) {}
+
+  async login(): Promise<boolean> {
+    this.loginCallCount++;
+    return this._shouldSucceed;
+  }
+
+  loginInteractive(): ReturnType<AuthServicePort["loginInteractive"]> {
+    this.loginInteractiveCallCount++;
+    if (!this._shouldSucceed) {
+      return Promise.resolve({ success: false, error: "Login failed" });
+    }
+
+    const farFuture = Math.floor(Date.now() / 1000) + 3600 * 24 * 365; // 1 year from now in seconds
+
+    const accessToken = this._validToken
+      ? makeJwt({
+          realm_access: { roles: this._hasSeat ? ["berget_code_seat"] : ["default-roles-berget"] },
+          exp: farFuture,
+        })
+      : "invalid.token.here";
+
+    return Promise.resolve({
+      success: true,
+      accessToken,
+      refreshToken: "refresh",
+      expiresIn: 3600,
+    });
+  }
+}