buildhive-agent 1.0.0-beta.1 → 1.0.0-beta.10

package/LICENSE

@@ -0,0 +1,194 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other transformations
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submit" means any form of electronic, verbal, or
+      written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of discussing and
+      improving the Work, but excluding communication that is conspicuously
+      marked or designated in writing by the copyright owner as "Not a
+      Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and incorporated
+      within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by the combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any
+      Contribution embodied within the Work constitutes direct or contributory
+      patent infringement, then any patent licenses granted to You under
+      this License for that Work shall terminate as of the date such
+      litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the
+          attribution notices contained within such NOTICE file, in
+          at least one of the following places: within a NOTICE text
+          file distributed as part of the Derivative Works; within
+          the Source form or documentation, if provided along with the
+          Derivative Works; or, within a display generated by the
+          Derivative Works, if and wherever such third-party notices
+          normally appear. The contents of the NOTICE file are for
+          informational purposes only and do not modify the License.
+          You may add Your own attribution notices within Derivative
+          Works that You distribute, alongside or as an addendum to
+          the NOTICE text from the Work, provided that such additional
+          attribution notices cannot be construed as modifying the License.
+
+      You may add Your own license statement for Your modifications and
+      may provide additional grant of rights to use, copy, modify, merge,
+      publish, distribute, sublicense, and/or sell copies of the
+      Derivative Works, as set forth in this Section, provided, however,
+      that such additional terms cannot be construed as a modification
+      of this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may offer
+      such conditions only on Your own behalf and on Your sole
+      responsibility, not on behalf of any other Contributor, and
+      only if You agree to indemnify, defend, and hold each Contributor
+      harmless for any liability incurred by, or claims asserted against,
+      such Contributor by reason of your accepting any warranty or
+      additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format in use.
+
+   Copyright 2026 BuildHive contributors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -30,7 +30,7 @@ All configuration options can be overridden using environment variables:
 
 | Environment Variable | Configuration Field | Type | Example |
 |---------------------|---------------------|------|---------|
-| `BUILDHIVE_PLATFORM_URL` | `platformUrl` | string | `https://api.buildhive.dev` |
+| `BUILDHIVE_PLATFORM_URL` | `platformUrl` | string | `https://api.buildhive.app` |
 | `BUILDHIVE_API_KEY` | `apiKey` | string | `your-api-key` |
 | `BUILDHIVE_AGENT_ID` | `agentId` | string | `agent-123` |
 | `BUILDHIVE_AGENT_NAME` | `name` | string | `My Agent` |
@@ -86,7 +86,7 @@ Note: You cannot specify both `allowedRepositories` and `blockedRepositories`.
 
 ```json
 {
-  "platformUrl": "https://api.buildhive.dev",
+  "platformUrl": "https://api.buildhive.app",
   "apiKey": "your-api-key-here",
   "agentId": "agent-unique-id",
   "name": "My Build Agent",
@@ -122,8 +122,116 @@ Note: You cannot specify both `allowedRepositories` and `blockedRepositories`.
 }
 ```
 
+## Build cache (opt-in)
+
+BuildHive can cache npm/pip/gradle/cargo/etc. dependencies locally on your
+machine to speed up repeat builds. **This is OFF by default.**
+
+To enable, pick ONE of:
+
+- Environment variable (recommended for trying it out):
+    ```bash
+    BUILDHIVE_CACHE_ENABLED=1 buildhive-agent start
+    ```
+
+- Config file (persistent across restarts):
+    ```json
+    {
+      "cacheConfig": {
+        "enabled": true,
+        "directory": "/tmp/buildhive/cache",
+        "maxSizeGB": 20,
+        "strategy": "lru"
+      }
+    }
+    ```
+
+The cache lives entirely on your local disk under the configured directory.
+Nothing is uploaded anywhere. To wipe it manually:
+
+```bash
+buildhive-agent stop
+rm -rf ~/.buildhive/cache
+```
+
+Verify your cache is on or off with:
+
+```bash
+buildhive-agent doctor
+```
+
+`Cache` row in the output shows the current state (OFF/ON), size, and entry count.
+
+### What is NOT cached
+
+For safety, the following path patterns are refused even if a workflow tries
+to cache them (defense-in-depth against accidental credential caching):
+
+- `~/.aws/**`
+- `~/.ssh/**`
+- `**/.env*`
+- `**/credentials`
+- `**/.netrc`
+- `**/.npmrc`
+- `**/.docker/config.json`
+- `~/.kube/config`
+- `**/.gnupg/**`
+- `**/*.pem`
+- `**/*.key`
+- `**/*.p12`
+- `**/*.pfx`
+- `**/id_rsa*`
+- `**/id_ed25519*`
+- `**/id_ecdsa*`
+
+If a cache request is refused you'll see `denied:<reason>` in the agent logs.
+
+### When to disable cache
+
+If a build produces incorrect output and you suspect cache staleness:
+
+```bash
+BUILDHIVE_CACHE_ENABLED=0 buildhive-agent start   # one-off override
+```
+
+Or set `cacheConfig.enabled: false` in your config file.
+
+Always treat cache as advisory — if a build fails with cache, retry without
+cache before assuming it's a real failure.
+
 ## Installation
 
+### End-user install (recommended)
+
+```bash
+# 1. Install the agent globally via npm
+npm install -g buildhive-agent
+
+# 2. Initialize config (creates ~/.buildhive/buildhive-agent.json)
+buildhive-agent init
+
+# 3. Install as a launchd service
+buildhive-agent service:install              # macOS LaunchAgent (default)
+buildhive-agent service:install --system     # build-farm LaunchDaemon (opt-in,
+                                             # runs as _buildhive — NEVER root)
+
+# 4. Verify
+buildhive-agent service:status
+buildhive-agent doctor
+```
+
+Migrating from a pre-2026-05-10 LaunchDaemon install:
+
+```bash
+buildhive-agent service:migrate --dry-run    # detect first
+buildhive-agent service:migrate              # cleans legacy + installs LaunchAgent
+```
+
+Distribution + daemon-model constraints are documented in `CLAUDE.md`
+under "Phase 10 binding architectural constraints".
+
+### Development install (from source)
+
 ```bash
 npm install
 ```
@@ -163,4 +271,60 @@ const validation = validateConfigFile('./config.json');
 if (!validation.isValid) {
   console.error('Configuration errors:', validation.errors);
 }
-```
+```
+
+## Licenses & dependency audit
+
+### This package
+
+`buildhive-agent` is released under the **Apache License 2.0**.
+See [`LICENSE`](./LICENSE) for the full text.
+Copyright 2026 BuildHive contributors.
+
+### npm audit summary
+
+Date audited: 2026-05-11
+Tool: `npm audit` (npm v10, node_modules fully installed)
+
+```
+found 0 vulnerabilities
+```
+
+**Status: CLEAN** — 0 HIGH, 0 CRITICAL.
+Previously flagged `fast-xml-builder <=1.1.6` (GHSA-5wm8-gmm8-39j9,
+GHSA-45c6-75p6-83cc) was resolved by bumping `@aws-sdk/client-s3` (and
+`lib-storage`, `s3-request-presigner`) from `3.1036.0` → `3.1045.0`.
+The transitive chain now resolves `fast-xml-builder@1.2.0` (safe).
+See PR #181.
+
+### Runtime dependency licenses
+
+All 15 direct runtime dependencies use OSI-approved open-source licenses
+(MIT or Apache-2.0). No proprietary licenses present.
+
+| Package | Version | License |
+|---------|---------|---------|
+| `@aws-sdk/client-s3` | 3.1045.0 | Apache-2.0 |
+| `@aws-sdk/lib-storage` | 3.1045.0 | Apache-2.0 |
+| `@aws-sdk/s3-request-presigner` | 3.1045.0 | Apache-2.0 |
+| `@napi-rs/keyring` | 1.3.0 | MIT |
+| `@sentry/node` | 10.51.0 | MIT |
+| `axios` | 1.15.2 | MIT |
+| `commander` | 11.1.0 | MIT |
+| `dockerode` | 4.0.12 | Apache-2.0 |
+| `inquirer` | 9.3.8 | MIT |
+| `node-machine-id` | 1.1.12 | MIT |
+| `pino` | 9.14.0 | MIT |
+| `pino-pretty` | 11.3.0 | MIT |
+| `pino-roll` | 3.1.0 | MIT |
+| `systeminformation` | 5.31.5 | MIT |
+| `ws` | 8.20.0 | MIT |
+
+Verified via `node -e "require('./node_modules/<pkg>/package.json').license"` for each entry.
+No proprietary dependencies detected.
+
+### 2026-05-12 packaging fix
+
+- v1.0.0-beta.7 unintentionally shipped a 172 MB nested old tarball + 55 MB of runtime workspace data due to a missing `files` allowlist in `package.json`. **Use v1.0.0-beta.8 or later.** beta.7 is deprecated on npm.
+- v1.0.0-beta.8 adds: explicit `files` allowlist, expanded `.gitignore`, disabled source maps in published `dist/`.
+- Expected published size: ~0.5 MB compressed.

package/dist/auth/agentEnrollmentKeyringStore.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Agent-enrollment keyring wrapper — stores the 5 agent-enrollment credentials
+ * under the `agent-enrollment.*` namespace in the OS keyring (@napi-rs/keyring).
+ *
+ * Row 17c — zero-GH developer onboarding (Wave A).
+ * Design: docs/ops/zero-github-dev-onboarding-design-2026-05-17.md §1.3 step 4 + §3.1
+ *
+ * 5 stored keys (sibling to DeviceFlowKeyringStore's `device-flow.*` namespace —
+ * different prefix guarantees zero collision):
+ *   agent-enrollment.jwt              — signed JWT (~600-800 chars)
+ *   agent-enrollment.jwt_exp          — unix seconds (avoid jwt.decode per call in `start`)
+ *   agent-enrollment.agent_id         — for local whoami without network round-trip
+ *   agent-enrollment.tenant_id        — client-side defensive tenant check
+ *   agent-enrollment.platform_url     — bound at enroll; refuses cross-instance reuse
+ */
+import type { SecretStore } from '../security/secretStore.js';
+import { PlatformUrlMismatchError } from './types.js';
+export declare const AGENT_ENROLLMENT_KEY_PREFIX = "agent-enrollment.";
+export declare const KEY_JWT = "agent-enrollment.jwt";
+export declare const KEY_JWT_EXP = "agent-enrollment.jwt_exp";
+export declare const KEY_AGENT_ID = "agent-enrollment.agent_id";
+export declare const KEY_TENANT_ID = "agent-enrollment.tenant_id";
+export declare const KEY_PLATFORM_URL = "agent-enrollment.platform_url";
+export interface AgentEnrollmentCredentials {
+    readonly jwt: string;
+    readonly jwtExpiresAtUnix: number;
+    readonly agentId: string;
+    readonly tenantId: string;
+    readonly platformUrl: string;
+}
+export interface AgentEnrollmentKeyringStoreOptions {
+    /** Override the SecretStore (tests + environments without OS keyring). */
+    readonly store?: SecretStore;
+}
+/**
+ * Custom error thrown when the stored platform_url doesn't match the current
+ * platform URL — prevents cross-instance JWT reuse. Same pattern as
+ * DeviceFlowKeyringStore.PlatformUrlMismatchError.
+ */
+export declare class AgentPlatformUrlMismatchError extends PlatformUrlMismatchError {
+    constructor(stored: string, current: string);
+}
+export declare class AgentEnrollmentKeyringStore {
+    private readonly store;
+    constructor(opts?: AgentEnrollmentKeyringStoreOptions);
+    /** Throws KeyringUnavailableError if the OS keyring is unreachable. */
+    static assertAvailable(): Promise<void>;
+    /**
+     * Persist all 5 enrollment credentials atomically.
+     * On any write failure, rolls back by clearing all keys (prevents partial state).
+     */
+    persist(creds: AgentEnrollmentCredentials): Promise<void>;
+    /**
+     * Read the stored JWT + its cached exp. Throws NotLoggedInError if absent
+     * (guides the user to `buildhive-agent join`).
+     */
+    readJwt(): Promise<{
+        jwt: string;
+        expiresAtUnix: number;
+    }>;
+    /**
+     * Read the full stored credentials (for display or row-17b supervisor).
+     * Throws NotLoggedInError if any required key is missing.
+     */
+    readAll(): Promise<AgentEnrollmentCredentials>;
+    /**
+     * Cross-platform-url check. Refuses to use credentials minted against a
+     * different BuildHive instance.
+     */
+    assertPlatformUrlMatches(currentPlatformUrl: string): Promise<void>;
+    /** Returns true if any enrollment key exists in the keyring. */
+    hasEnrollment(): Promise<boolean>;
+    /**
+     * Delete all 5 `agent-enrollment.*` keys. Idempotent.
+     * Called by a hypothetical `buildhive-agent leave` command (out of scope for v1).
+     */
+    clear(): Promise<void>;
+}

package/dist/auth/agentEnrollmentKeyringStore.js

@@ -0,0 +1,149 @@
+/**
+ * Agent-enrollment keyring wrapper — stores the 5 agent-enrollment credentials
+ * under the `agent-enrollment.*` namespace in the OS keyring (@napi-rs/keyring).
+ *
+ * Row 17c — zero-GH developer onboarding (Wave A).
+ * Design: docs/ops/zero-github-dev-onboarding-design-2026-05-17.md §1.3 step 4 + §3.1
+ *
+ * 5 stored keys (sibling to DeviceFlowKeyringStore's `device-flow.*` namespace —
+ * different prefix guarantees zero collision):
+ *   agent-enrollment.jwt              — signed JWT (~600-800 chars)
+ *   agent-enrollment.jwt_exp          — unix seconds (avoid jwt.decode per call in `start`)
+ *   agent-enrollment.agent_id         — for local whoami without network round-trip
+ *   agent-enrollment.tenant_id        — client-side defensive tenant check
+ *   agent-enrollment.platform_url     — bound at enroll; refuses cross-instance reuse
+ */
+import { KeyringSecretStore } from '../security/keyringSecretStore.js';
+import { KeyringUnavailableError, NotLoggedInError, PlatformUrlMismatchError, } from './types.js';
+export const AGENT_ENROLLMENT_KEY_PREFIX = 'agent-enrollment.';
+export const KEY_JWT = `${AGENT_ENROLLMENT_KEY_PREFIX}jwt`;
+export const KEY_JWT_EXP = `${AGENT_ENROLLMENT_KEY_PREFIX}jwt_exp`;
+export const KEY_AGENT_ID = `${AGENT_ENROLLMENT_KEY_PREFIX}agent_id`;
+export const KEY_TENANT_ID = `${AGENT_ENROLLMENT_KEY_PREFIX}tenant_id`;
+export const KEY_PLATFORM_URL = `${AGENT_ENROLLMENT_KEY_PREFIX}platform_url`;
+const ALL_KEYS = [
+    KEY_JWT,
+    KEY_JWT_EXP,
+    KEY_AGENT_ID,
+    KEY_TENANT_ID,
+    KEY_PLATFORM_URL,
+];
+/**
+ * Custom error thrown when the stored platform_url doesn't match the current
+ * platform URL — prevents cross-instance JWT reuse. Same pattern as
+ * DeviceFlowKeyringStore.PlatformUrlMismatchError.
+ */
+export class AgentPlatformUrlMismatchError extends PlatformUrlMismatchError {
+    constructor(stored, current) {
+        super(stored, current);
+        this.name = 'AgentPlatformUrlMismatchError';
+        this.message =
+            `Stored agent enrollment bound to ${stored}, but current config targets ${current}. ` +
+                `Run \`buildhive-agent join <token>\` to re-enroll.`;
+    }
+}
+export class AgentEnrollmentKeyringStore {
+    store;
+    constructor(opts = {}) {
+        this.store = opts.store ?? new KeyringSecretStore();
+    }
+    /** Throws KeyringUnavailableError if the OS keyring is unreachable. */
+    static async assertAvailable() {
+        const ok = await KeyringSecretStore.isAvailable();
+        if (!ok)
+            throw new KeyringUnavailableError();
+    }
+    /**
+     * Persist all 5 enrollment credentials atomically.
+     * On any write failure, rolls back by clearing all keys (prevents partial state).
+     */
+    async persist(creds) {
+        const writes = [
+            [KEY_JWT, creds.jwt],
+            [KEY_JWT_EXP, String(creds.jwtExpiresAtUnix)],
+            [KEY_AGENT_ID, creds.agentId],
+            [KEY_TENANT_ID, creds.tenantId],
+            [KEY_PLATFORM_URL, creds.platformUrl],
+        ];
+        try {
+            for (const [k, v] of writes) {
+                await this.store.setSecret(k, v);
+            }
+        }
+        catch (err) {
+            // Partial-state cleanup: best-effort delete-all on any write failure.
+            await this.clear().catch(() => undefined);
+            throw err;
+        }
+    }
+    /**
+     * Read the stored JWT + its cached exp. Throws NotLoggedInError if absent
+     * (guides the user to `buildhive-agent join`).
+     */
+    async readJwt() {
+        const [token, expStr] = await Promise.all([
+            this.store.getSecret(KEY_JWT),
+            this.store.getSecret(KEY_JWT_EXP),
+        ]);
+        if (!token || !expStr)
+            throw new NotLoggedInError();
+        const exp = Number(expStr);
+        return {
+            jwt: token,
+            expiresAtUnix: Number.isFinite(exp) ? exp : 0,
+        };
+    }
+    /**
+     * Read the full stored credentials (for display or row-17b supervisor).
+     * Throws NotLoggedInError if any required key is missing.
+     */
+    async readAll() {
+        const [jwt, expStr, agentId, tenantId, platformUrl] = await Promise.all([
+            this.store.getSecret(KEY_JWT),
+            this.store.getSecret(KEY_JWT_EXP),
+            this.store.getSecret(KEY_AGENT_ID),
+            this.store.getSecret(KEY_TENANT_ID),
+            this.store.getSecret(KEY_PLATFORM_URL),
+        ]);
+        if (!jwt || !expStr || !agentId || !tenantId || !platformUrl) {
+            throw new NotLoggedInError();
+        }
+        const exp = Number(expStr);
+        return {
+            jwt,
+            jwtExpiresAtUnix: Number.isFinite(exp) ? exp : 0,
+            agentId,
+            tenantId,
+            platformUrl,
+        };
+    }
+    /**
+     * Cross-platform-url check. Refuses to use credentials minted against a
+     * different BuildHive instance.
+     */
+    async assertPlatformUrlMatches(currentPlatformUrl) {
+        const stored = await this.store.getSecret(KEY_PLATFORM_URL);
+        if (!stored)
+            throw new NotLoggedInError();
+        if (normalizeUrl(stored) !== normalizeUrl(currentPlatformUrl)) {
+            throw new AgentPlatformUrlMismatchError(stored, currentPlatformUrl);
+        }
+    }
+    /** Returns true if any enrollment key exists in the keyring. */
+    async hasEnrollment() {
+        const jwt = await this.store.getSecret(KEY_JWT);
+        return jwt !== null && jwt.length > 0;
+    }
+    /**
+     * Delete all 5 `agent-enrollment.*` keys. Idempotent.
+     * Called by a hypothetical `buildhive-agent leave` command (out of scope for v1).
+     */
+    async clear() {
+        for (const k of ALL_KEYS) {
+            await this.store.deleteSecret(k).catch(() => false);
+        }
+    }
+}
+function normalizeUrl(u) {
+    return u.replace(/\/$/, '').toLowerCase();
+}

package/dist/auth/deviceFlow.d.ts

@@ -0,0 +1,45 @@
+/**
+ * deviceFlow orchestrator — initiate + poll-with-backoff + atomic persist.
+ *
+ * Phase 4 Task 5 commit 4. This is the high-level entry point the
+ * `buildhive-agent login` command calls. Pure logic + DI'd dependencies;
+ * no commander, no TUI.
+ */
+import { DeviceFlowClient } from './deviceFlowClient.js';
+import { DeviceFlowKeyringStore } from './keyringStore.js';
+import { type StoredIdentity, type TokenPair } from './types.js';
+export interface LoginOptions {
+    /** Hard ceiling on poll loop wall-time. Defaults to expires_in from /code. */
+    readonly maxWaitSeconds?: number;
+    /** Override scope (default: AGENT_CLI_DEFAULT_SCOPE). */
+    readonly scope?: string;
+    /** Hook called after /code with the user-facing prompt data. Synchronous
+     *  to keep the TUI rendering snappy. Tests use it to capture rendered UX. */
+    readonly onPromptUser?: (panel: {
+        userCode: string;
+        verificationUri: string;
+        expiresIn: number;
+    }) => void;
+    /** Hook called when the server signals slow_down. Tests + TUI use this
+     *  to update the spinner copy. */
+    readonly onSlowDown?: () => void;
+    /** Sleep implementation (tests inject a fake clock). */
+    readonly sleep?: (ms: number) => Promise<void>;
+}
+export interface LoginResult {
+    readonly identity: StoredIdentity;
+    readonly tokenPair: TokenPair;
+}
+export interface LoginContext {
+    readonly client: DeviceFlowClient;
+    readonly store: DeviceFlowKeyringStore;
+    readonly platformUrl: string;
+}
+/**
+ * Drive the device flow end-to-end:
+ *   1. POST /code
+ *   2. Surface user_code + verification_uri to the operator via the hook
+ *   3. Poll /token at the server-suggested interval (backoff on slow_down)
+ *   4. On success: persist token pair + identity atomically
+ */
+export declare function loginViaDeviceFlow(ctx: LoginContext, opts?: LoginOptions): Promise<LoginResult>;