berget 2.2.6 → 2.2.8

package/src/commands/code/adapters/clack-prompter.ts

@@ -1,43 +1,57 @@
-import * as p from '@clack/prompts'
-import { CancelledError } from '../errors'
-import type { Prompter, Spinner } from '../ports/prompter'
+import * as p from '@clack/prompts';
 
-const unwrap = <T>(v: T | symbol): T => {
-	if (p.isCancel(v)) throw new CancelledError()
-	return v as T
-}
+import type { Prompter, Spinner } from '../ports/prompter';
+
+import { CancelledError } from '../errors';
+
+const unwrap = <T>(v: symbol | T): T => {
+  if (p.isCancel(v)) throw new CancelledError();
+  return v as T;
+};
 
 export class ClackPrompter implements Prompter {
-	intro(message: string): void {
-		p.intro(message)
-	}
-	outro(message: string): void {
-		p.outro(message)
-	}
-	note(message: string, title?: string): void {
-		p.note(message, title)
-	}
-	spinner(): Spinner {
-		const s = p.spinner()
-		return {
-			start: (msg: string) => s.start(msg),
-			stop: (msg: string) => s.stop(msg),
-		}
-	}
-	async select<T>(opts: {
-		message: string
-		options: ReadonlyArray<{
-			value: T
-			label: string
-			hint?: string
-		}>
-	}): Promise<T> {
-		return unwrap(await p.select(opts as any))
-	}
-	async confirm(opts: {
-		message: string
-		initialValue?: boolean
-	}): Promise<boolean> {
-		return unwrap(await p.confirm(opts))
-	}
+  async confirm(options: { initialValue?: boolean; message: string }): Promise<boolean> {
+    return unwrap(await p.confirm(options));
+  }
+  intro(message: string): void {
+    p.intro(message);
+  }
+  async multiselect<T>(options: {
+    message: string;
+    options: ReadonlyArray<{
+      hint?: string;
+      label: string;
+      value: T;
+    }>;
+  }): Promise<T[]> {
+    return unwrap(await p.multiselect(options as any));
+  }
+  note(message: string, title?: string): void {
+    p.note(message, title);
+  }
+  outro(message: string): void {
+    p.outro(message);
+  }
+  async select<T>(options: {
+    message: string;
+    options: ReadonlyArray<{
+      hint?: string;
+      label: string;
+      value: T;
+    }>;
+  }): Promise<T> {
+    return unwrap(await p.select(options as any));
+  }
+
+  spinner(): Spinner {
+    const s = p.spinner();
+    return {
+      start: (message: string) => s.start(message),
+      stop: (message: string) => s.stop(message),
+    };
+  }
+
+  async text(options: { message: string; placeholder?: string }): Promise<string> {
+    return unwrap(await p.text(options));
+  }
 }

package/src/commands/code/adapters/fs-file-store.ts

@@ -1,33 +1,38 @@
-import { promises as fs } from 'node:fs'
-import * as path from 'node:path'
-import type { FileStore } from '../ports/file-store'
+import { promises as fs } from 'node:fs';
+import * as path from 'node:path';
+
+import type { FileStore } from '../ports/file-store';
 
 export class FsFileStore implements FileStore {
-	async exists(filePath: string): Promise<boolean> {
-		try {
-			await fs.access(filePath)
-			return true
-		} catch {
-			return false
-		}
-	}
+  async chmod(filePath: string, mode: number): Promise<void> {
+    await fs.chmod(filePath, mode);
+  }
+
+  async exists(filePath: string): Promise<boolean> {
+    try {
+      await fs.access(filePath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
 
-	async readFile(filePath: string): Promise<string | null> {
-		try {
-			return await fs.readFile(filePath, 'utf8')
-		} catch (err: any) {
-			if (err.code === 'ENOENT') return null
-			throw err
-		}
-	}
+  async mkdir(dir: string): Promise<void> {
+    await fs.mkdir(dir, { recursive: true });
+  }
 
-	async writeFile(filePath: string, content: string): Promise<void> {
-		const dir = path.dirname(filePath)
-		await fs.mkdir(dir, { recursive: true })
-		await fs.writeFile(filePath, content, 'utf8')
-	}
+  async readFile(filePath: string): Promise<null | string> {
+    try {
+      return await fs.readFile(filePath, 'utf8');
+    } catch (error: any) {
+      if (error.code === 'ENOENT') return null;
+      throw error;
+    }
+  }
 
-	async mkdir(dir: string): Promise<void> {
-		await fs.mkdir(dir, { recursive: true })
-	}
+  async writeFile(filePath: string, content: string): Promise<void> {
+    const dir = path.dirname(filePath);
+    await fs.mkdir(dir, { recursive: true });
+    await fs.writeFile(filePath, content, 'utf8');
+  }
 }

package/src/commands/code/adapters/spawn-command-runner.ts

@@ -1,36 +1,45 @@
-import { spawn } from 'node:child_process'
-import type { CommandRunner } from '../ports/command-runner'
+import { spawn } from 'node:child_process';
+
+import type { CommandRunner } from '../ports/command-runner';
 
 export class SpawnCommandRunner implements CommandRunner {
-	async checkInstalled(binary: string): Promise<boolean> {
-		return new Promise((resolve) => {
-			const child = spawn('which', [binary], { stdio: 'pipe' })
-			child.on('close', (code) => resolve(code === 0))
-			child.on('error', () => resolve(false))
-		})
-	}
+  async checkInstalled(binary: string): Promise<boolean> {
+    return new Promise((resolve) => {
+      const child = spawn('which', [binary], { stdio: 'pipe' });
+      child.on('close', (code) => resolve(code === 0));
+      child.on('error', () => resolve(false));
+    });
+  }
 
-	async run(command: string, args: readonly string[], options?: { cwd?: string }): Promise<string> {
-		return new Promise<string>((resolve, reject) => {
-			const child = spawn(command, args as string[], {
-				stdio: 'pipe',
-				cwd: options?.cwd || process.cwd(),
-			})
+  async run(
+    command: string,
+    arguments_: readonly string[],
+    options?: { cwd?: string },
+  ): Promise<string> {
+    return new Promise<string>((resolve, reject) => {
+      const child = spawn(command, arguments_ as string[], {
+        cwd: options?.cwd || process.cwd(),
+        stdio: 'pipe',
+      });
 
-			let stdout = ''
-			let stderr = ''
+      let stdout = '';
+      let stderr = '';
 
-			child.stdout?.on('data', (d) => { stdout += d.toString() })
-			child.stderr?.on('data', (d) => { stderr += d.toString() })
+      child.stdout?.on('data', (d) => {
+        stdout += d.toString();
+      });
+      child.stderr?.on('data', (d) => {
+        stderr += d.toString();
+      });
 
-			child.on('close', (code) => {
-				if (code === 0) {
-					resolve(stdout)
-				} else {
-					reject(new Error(stderr.trim() || `Command failed with exit code ${code}`))
-				}
-			})
-			child.on('error', (err) => reject(err))
-		})
-	}
+      child.on('close', (code) => {
+        if (code === 0) {
+          resolve(stdout);
+        } else {
+          reject(new Error(stderr.trim() || `Command failed with exit code ${code}`));
+        }
+      });
+      child.on('error', (error) => reject(error));
+    });
+  }
 }

package/src/commands/code/auth-sync.ts

@@ -0,0 +1,329 @@
+import type { ApiKeyServicePort, AuthServicePort } from './ports/auth-services';
+import type { FileStore } from './ports/file-store';
+import type { Prompter } from './ports/prompter';
+
+export interface AuthDeps {
+  apiKeyService: ApiKeyServicePort;
+  authService: AuthServicePort;
+  files: FileStore;
+  homeDir: string;
+  prompter: Prompter;
+}
+
+export interface AuthResult {
+  authenticated: boolean;
+}
+
+export interface CliAuth {
+  access_token: string;
+  expires_at: number;
+  refresh_token: string;
+}
+
+const CLI_AUTH_PATH = (homeDir: string) => homeDir + '/.berget/auth.json';
+
+const TOOL_AUTH_PATHS = {
+  opencode: (homeDir: string) => homeDir + '/.local/share/opencode/auth.json',
+  pi: (homeDir: string) => homeDir + '/.pi/agent/auth.json',
+} as const;
+
+const TOOL_API_KEY_TYPES: Record<'opencode' | 'pi', string> = {
+  opencode: 'api',
+  pi: 'api_key',
+};
+
+export async function configureAuth(deps: AuthDeps, tool: 'opencode' | 'pi'): Promise<AuthResult> {
+  const { apiKeyService, authService, files, homeDir, prompter } = deps;
+
+  const alreadyAuth = await isToolAuthenticated(files, homeDir, tool);
+
+  if (alreadyAuth) {
+    const choice = await prompter.select<'keep' | 'reconfigure'>({
+      message: `Account is already connected to Berget AI (${tool === 'opencode' ? 'OpenCode' : 'Pi'}). How do you want to proceed?`,
+      options: [
+        { label: 'Keep existing authentication', value: 'keep' },
+        { label: 'Reconfigure — choose a different method', value: 'reconfigure' },
+      ],
+    });
+
+    if (choice === 'keep') {
+      return { authenticated: true };
+    }
+    // Fall through to reconfigure
+  } else {
+    prompter.note('Authentication required to use Berget AI.', 'Connect your account');
+  }
+
+  // Try to reuse existing CLI tokens (from ~/.berget/auth.json)
+  let cliAuth: CliAuth | null = await readCliAuth(files, homeDir);
+
+  if (!cliAuth || isTokenExpired(cliAuth.expires_at)) {
+    // No valid tokens → full browser login
+    const s = prompter.spinner();
+    s.start('Waiting for browser login...');
+
+    const loginResult = await authService.loginInteractive();
+    if (!loginResult.success) {
+      s.stop('Login failed.');
+      prompter.note(
+        `${loginResult.error || 'Login timed out or was cancelled.'}\n\nPlease run \`berget auth login\` manually, then run \`berget code setup\` again.`,
+        'Authentication Failed',
+      );
+      return { authenticated: false };
+    }
+
+    s.stop('Successfully logged in to Berget.');
+
+    const jwtExpiresAt = extractJwtExpiresAt(loginResult.accessToken!);
+    if (jwtExpiresAt === 0) {
+      s.stop('Login succeeded but received invalid token.');
+      prompter.note('Please try logging in again or contact support.', 'Authentication Error');
+      return { authenticated: false };
+    }
+
+    cliAuth = {
+      access_token: loginResult.accessToken!,
+      expires_at: jwtExpiresAt,
+      refresh_token: loginResult.refreshToken!,
+    };
+  }
+
+  // Check Berget Code seat
+  const jwtPayload = decodeJwtPayload(cliAuth.access_token);
+  const hasSeat = jwtPayload ? hasBergetCodeSeat(cliAuth.access_token) : true;
+
+  // If we can't decode the JWT, sync OAuth anyway — the tokens are valid even if
+  // we can't verify the subscription role. Let the tool handle authorization.
+  if (!jwtPayload) {
+    const s = prompter.spinner();
+    s.start('Authenticating with Berget AI...');
+    await syncOAuthToTool(files, homeDir, tool, cliAuth);
+    s.stop('Authenticated.');
+    prompter.note(
+      'Warning: Could not verify Berget Code subscription status.\nIf you do not have a subscription, the tool may show an authorization error.',
+      'Authentication',
+    );
+    return { authenticated: true };
+  }
+
+  if (hasSeat) {
+    // Case B: Has seat — ask how to authenticate
+    const method = await prompter.select<'api_key' | 'subscription'>({
+      message: 'You have a Berget Code subscription. How do you want to authenticate?',
+      options: [
+        { label: 'Use my Berget Code subscription', value: 'subscription' },
+        { label: 'Use an API key instead', value: 'api_key' },
+      ],
+    });
+
+    if (method === 'subscription') {
+      const s = prompter.spinner();
+      s.start('Authenticating with Berget AI via subscription...');
+      await syncOAuthToTool(files, homeDir, tool, cliAuth);
+      s.stop('Authenticated.');
+      return { authenticated: true };
+    }
+
+    // Create API key instead
+    const s = prompter.spinner();
+    s.start('Creating API key...');
+    try {
+      const { key } = await apiKeyService.create({
+        description: 'Created by berget code setup',
+        name: `${tool === 'opencode' ? 'OpenCode' : 'Pi'} (created by berget CLI)`,
+      });
+      await syncApiKeyToTool(files, homeDir, tool, key);
+      s.stop('API key created and saved.');
+      return { authenticated: true };
+    } catch {
+      s.stop('API key creation failed.');
+      prompter.note(
+        'Could not create API key. Please create one manually with `berget api-keys create`.',
+        'Error',
+      );
+      return { authenticated: false };
+    }
+  }
+
+  // No Berget Code seat — prompt for API key creation
+  const shouldCreate = await prompter.confirm({
+    initialValue: true,
+    message: 'You do not have a Berget Code subscription. Would you like to create a new API key?',
+  });
+
+  if (shouldCreate) {
+    const s = prompter.spinner();
+    s.start('Creating API key...');
+    try {
+      const { key } = await apiKeyService.create({
+        description: 'Created by berget code setup',
+        name: `${tool === 'opencode' ? 'OpenCode' : 'Pi'} (created by berget CLI)`,
+      });
+      await syncApiKeyToTool(files, homeDir, tool, key);
+      s.stop('API key created and saved.');
+      return { authenticated: true };
+    } catch {
+      s.stop('API key creation failed.');
+      prompter.note(
+        'Could not create API key. Please create one manually with `berget api-keys create`.',
+        'Error',
+      );
+      return { authenticated: false };
+    }
+  }
+
+  // Case D: Declined
+  prompter.note(
+    'Authentication skipped. You\'ll need to set up authentication manually:\n1. Run: berget api-keys create --name "My Key"\n2. Set BERGET_API_KEY environment variable, or\n3. Run `berget auth login` and try again',
+    'Authentication',
+  );
+  return { authenticated: false };
+}
+
+export function decodeJwtPayload(token: string): null | unknown {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+
+export function hasBergetCodeSeat(accessToken: string): boolean {
+  const payload = decodeJwtPayload(accessToken);
+  if (!payload || typeof payload !== 'object') return false;
+  const p = payload as Record<string, unknown>;
+  const realmAccess = p.realm_access as Record<string, unknown> | undefined;
+  if (!realmAccess) return false;
+  const roles = realmAccess.roles as string[] | undefined;
+  if (!Array.isArray(roles)) return false;
+  return roles.includes('berget_code_seat');
+}
+
+export function isTokenExpired(expiresAt: number): boolean {
+  const now = Date.now();
+  const timeUntilExpiry = expiresAt - now;
+  const buffer = Math.min(30 * 1000, timeUntilExpiry * 0.1);
+  return now + buffer >= expiresAt;
+}
+
+export async function isToolAuthenticated(
+  files: FileStore,
+  homeDir: string,
+  tool: 'opencode' | 'pi',
+): Promise<boolean> {
+  const content = await files.readFile(TOOL_AUTH_PATHS[tool](homeDir));
+  if (!content) return false;
+  try {
+    const parsed = JSON.parse(content);
+    return typeof parsed.berget === 'object' && parsed.berget !== null;
+  } catch {
+    return false;
+  }
+}
+
+export async function readCliAuth(files: FileStore, homeDir: string): Promise<CliAuth | null> {
+  const content = await files.readFile(CLI_AUTH_PATH(homeDir));
+  if (!content) return null;
+  try {
+    const parsed = JSON.parse(content);
+    if (parsed.access_token && parsed.refresh_token) {
+      // Extract the actual expiry time from the JWT token instead of using the stored expires_at
+      const jwtExpiresAt = extractJwtExpiresAt(parsed.access_token);
+      if (jwtExpiresAt === 0) {
+        // Invalid token, return null
+        return null;
+      }
+      return {
+        access_token: parsed.access_token,
+        expires_at: jwtExpiresAt,
+        refresh_token: parsed.refresh_token,
+      };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+export async function syncApiKeyToTool(
+  files: FileStore,
+  homeDir: string,
+  tool: 'opencode' | 'pi',
+  apiKey: string,
+): Promise<void> {
+  const authPath = TOOL_AUTH_PATHS[tool](homeDir);
+  let existing: Record<string, unknown> = {};
+
+  const content = await files.readFile(authPath);
+  if (content) {
+    try {
+      existing = JSON.parse(content) as Record<string, unknown>;
+    } catch {
+      existing = {};
+    }
+  }
+
+  const updated = {
+    ...existing,
+    berget: {
+      key: apiKey,
+      type: TOOL_API_KEY_TYPES[tool],
+    },
+  };
+
+  await files.writeFile(authPath, JSON.stringify(updated, null, 2) + '\n');
+  await files.chmod(authPath, 0o600);
+}
+
+export async function syncOAuthToTool(
+  files: FileStore,
+  homeDir: string,
+  tool: 'opencode' | 'pi',
+  cliAuth: CliAuth,
+): Promise<void> {
+  const authPath = TOOL_AUTH_PATHS[tool](homeDir);
+  let existing: Record<string, unknown> = {};
+
+  const content = await files.readFile(authPath);
+  if (content) {
+    try {
+      existing = JSON.parse(content) as Record<string, unknown>;
+    } catch {
+      existing = {};
+    }
+  }
+
+  // Use the JWT's actual expiry time for consistency
+  const jwtExpiresAt = extractJwtExpiresAt(cliAuth.access_token);
+
+  const updated = {
+    ...existing,
+    berget: {
+      access: cliAuth.access_token,
+      expires: jwtExpiresAt,
+      refresh: cliAuth.refresh_token,
+      type: 'oauth',
+    },
+  };
+
+  await files.writeFile(authPath, JSON.stringify(updated, null, 2) + '\n');
+  await files.chmod(authPath, 0o600);
+}
+
+function extractJwtExpiresAt(accessToken: string): number {
+  try {
+    const parts = accessToken.split('.');
+    if (parts.length !== 3) return 0;
+    const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
+    const decoded = JSON.parse(payload);
+    if (typeof decoded.exp === 'number') {
+      return decoded.exp * 1000; // JWT exp is in seconds, convert to milliseconds
+    }
+  } catch {
+    // If decoding fails, return 0 (treated as expired)
+  }
+  return 0;
+}

package/src/commands/code/errors.ts

@@ -1,23 +1,23 @@
-export class PrerequisiteError extends Error {
-	constructor(public readonly binary: string) {
-		super(`Required binary not found: ${binary}`)
-		this.name = 'PrerequisiteError'
-	}
-}
-
 export class CancelledError extends Error {
-	constructor() {
-		super('Wizard cancelled')
-		this.name = 'CancelledError'
-	}
+  constructor() {
+    super('Wizard cancelled');
+    this.name = 'CancelledError';
+  }
 }
 
 export class CommandFailedError extends Error {
-	constructor(
-		public readonly command: string,
-		public readonly exitCode: number
-	) {
-		super(`Command "${command}" failed with exit code ${exitCode}`)
-		this.name = 'CommandFailedError'
-	}
+  constructor(
+    public readonly command: string,
+    public readonly exitCode: number,
+  ) {
+    super(`Command "${command}" failed with exit code ${exitCode}`);
+    this.name = 'CommandFailedError';
+  }
+}
+
+export class PrerequisiteError extends Error {
+  constructor(public readonly binary: string) {
+    super(`Required binary not found: ${binary}`);
+    this.name = 'PrerequisiteError';
+  }
 }

package/src/commands/code/ports/auth-services.ts

@@ -0,0 +1,14 @@
+export interface ApiKeyServicePort {
+  create(options: { description?: string; name: string }): Promise<{ key: string }>;
+}
+
+export interface AuthServicePort {
+  login(): Promise<boolean>;
+  loginInteractive(): Promise<{
+    accessToken?: string;
+    error?: string;
+    expiresIn?: number;
+    refreshToken?: string;
+    success: boolean;
+  }>;
+}

package/src/commands/code/ports/command-runner.ts

@@ -1,6 +1,10 @@
 export interface CommandRunner {
-	checkInstalled(binary: string): Promise<boolean>
-	run(command: string, args: readonly string[], options?: {
-		cwd?: string
-	}): Promise<string>
+  checkInstalled(binary: string): Promise<boolean>;
+  run(
+    command: string,
+    arguments_: readonly string[],
+    options?: {
+      cwd?: string;
+    },
+  ): Promise<string>;
 }

package/src/commands/code/ports/file-store.ts

@@ -1,6 +1,7 @@
 export interface FileStore {
-	exists(path: string): Promise<boolean>
-	readFile(path: string): Promise<string | null>
-	writeFile(path: string, content: string): Promise<void>
-	mkdir(path: string): Promise<void>
+  chmod(path: string, mode: number): Promise<void>;
+  exists(path: string): Promise<boolean>;
+  mkdir(path: string): Promise<void>;
+  readFile(path: string): Promise<null | string>;
+  writeFile(path: string, content: string): Promise<void>;
 }