cerebras-cli 1.0.0

package/src/mcp/oauth-callback.ts

@@ -0,0 +1,203 @@
+import { Log } from "../util/log"
+import { OAUTH_CALLBACK_PORT, OAUTH_CALLBACK_PATH } from "./oauth-provider"
+
+const log = Log.create({ service: "mcp.oauth-callback" })
+
+const HTML_SUCCESS = `<!DOCTYPE html>
+<html>
+<head>
+  <title>OpenCode - Authorization Successful</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #1a1a2e; color: #eee; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #4ade80; margin-bottom: 1rem; }
+    p { color: #aaa; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Successful</h1>
+    <p>You can close this window and return to OpenCode.</p>
+  </div>
+  <script>setTimeout(() => window.close(), 2000);</script>
+</body>
+</html>`
+
+const HTML_ERROR = (error: string) => `<!DOCTYPE html>
+<html>
+<head>
+  <title>OpenCode - Authorization Failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #1a1a2e; color: #eee; }
+    .container { text-align: center; padding: 2rem; }
+    h1 { color: #f87171; margin-bottom: 1rem; }
+    p { color: #aaa; }
+    .error { color: #fca5a5; font-family: monospace; margin-top: 1rem; padding: 1rem; background: rgba(248,113,113,0.1); border-radius: 0.5rem; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Failed</h1>
+    <p>An error occurred during authorization.</p>
+    <div class="error">${error}</div>
+  </div>
+</body>
+</html>`
+
+interface PendingAuth {
+  resolve: (code: string) => void
+  reject: (error: Error) => void
+  timeout: ReturnType<typeof setTimeout>
+}
+
+export namespace McpOAuthCallback {
+  let server: ReturnType<typeof Bun.serve> | undefined
+  const pendingAuths = new Map<string, PendingAuth>()
+
+  const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000 // 5 minutes
+
+  export async function ensureRunning(): Promise<void> {
+    if (server) return
+
+    const running = await isPortInUse()
+    if (running) {
+      log.info("oauth callback server already running on another instance", { port: OAUTH_CALLBACK_PORT })
+      return
+    }
+
+    server = Bun.serve({
+      port: OAUTH_CALLBACK_PORT,
+      fetch(req) {
+        const url = new URL(req.url)
+
+        if (url.pathname !== OAUTH_CALLBACK_PATH) {
+          return new Response("Not found", { status: 404 })
+        }
+
+        const code = url.searchParams.get("code")
+        const state = url.searchParams.get("state")
+        const error = url.searchParams.get("error")
+        const errorDescription = url.searchParams.get("error_description")
+
+        log.info("received oauth callback", { hasCode: !!code, state, error })
+
+        if (error) {
+          const errorMsg = errorDescription || error
+          if (state && pendingAuths.has(state)) {
+            const pending = pendingAuths.get(state)!
+            clearTimeout(pending.timeout)
+            pendingAuths.delete(state)
+            pending.reject(new Error(errorMsg))
+          }
+          return new Response(HTML_ERROR(errorMsg), {
+            headers: { "Content-Type": "text/html" },
+          })
+        }
+
+        if (!code) {
+          return new Response(HTML_ERROR("No authorization code provided"), {
+            status: 400,
+            headers: { "Content-Type": "text/html" },
+          })
+        }
+
+        // Try to find the pending auth by state parameter, or if no state, use the single pending auth
+        let pending: PendingAuth | undefined
+        let pendingKey: string | undefined
+
+        if (state && pendingAuths.has(state)) {
+          pending = pendingAuths.get(state)!
+          pendingKey = state
+        } else if (!state && pendingAuths.size === 1) {
+          // No state parameter but only one pending auth - use it
+          const [key, value] = pendingAuths.entries().next().value as [string, PendingAuth]
+          pending = value
+          pendingKey = key
+          log.info("no state parameter, using single pending auth", { key })
+        }
+
+        if (!pending || !pendingKey) {
+          const errorMsg = !state
+            ? "No state parameter provided and multiple pending authorizations"
+            : "Unknown or expired authorization request"
+          return new Response(HTML_ERROR(errorMsg), {
+            status: 400,
+            headers: { "Content-Type": "text/html" },
+          })
+        }
+
+        clearTimeout(pending.timeout)
+        pendingAuths.delete(pendingKey)
+        pending.resolve(code)
+
+        return new Response(HTML_SUCCESS, {
+          headers: { "Content-Type": "text/html" },
+        })
+      },
+    })
+
+    log.info("oauth callback server started", { port: OAUTH_CALLBACK_PORT })
+  }
+
+  export function waitForCallback(mcpName: string): Promise<string> {
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        if (pendingAuths.has(mcpName)) {
+          pendingAuths.delete(mcpName)
+          reject(new Error("OAuth callback timeout - authorization took too long"))
+        }
+      }, CALLBACK_TIMEOUT_MS)
+
+      pendingAuths.set(mcpName, { resolve, reject, timeout })
+    })
+  }
+
+  export function cancelPending(mcpName: string): void {
+    const pending = pendingAuths.get(mcpName)
+    if (pending) {
+      clearTimeout(pending.timeout)
+      pendingAuths.delete(mcpName)
+      pending.reject(new Error("Authorization cancelled"))
+    }
+  }
+
+  export async function isPortInUse(): Promise<boolean> {
+    return new Promise((resolve) => {
+      Bun.connect({
+        hostname: "127.0.0.1",
+        port: OAUTH_CALLBACK_PORT,
+        socket: {
+          open(socket) {
+            socket.end()
+            resolve(true)
+          },
+          error() {
+            resolve(false)
+          },
+          data() {},
+          close() {},
+        },
+      }).catch(() => {
+        resolve(false)
+      })
+    })
+  }
+
+  export async function stop(): Promise<void> {
+    if (server) {
+      server.stop()
+      server = undefined
+      log.info("oauth callback server stopped")
+    }
+
+    for (const [name, pending] of pendingAuths) {
+      clearTimeout(pending.timeout)
+      pending.reject(new Error("OAuth callback server stopped"))
+    }
+    pendingAuths.clear()
+  }
+
+  export function isRunning(): boolean {
+    return server !== undefined
+  }
+}

package/src/mcp/oauth-provider.ts

@@ -0,0 +1,132 @@
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js"
+import type {
+  OAuthClientMetadata,
+  OAuthTokens,
+  OAuthClientInformation,
+  OAuthClientInformationFull,
+} from "@modelcontextprotocol/sdk/shared/auth.js"
+import { McpAuth } from "./auth"
+import { Log } from "../util/log"
+
+const log = Log.create({ service: "mcp.oauth" })
+
+const OAUTH_CALLBACK_PORT = 19876
+const OAUTH_CALLBACK_PATH = "/mcp/oauth/callback"
+
+export interface McpOAuthConfig {
+  clientId?: string
+  clientSecret?: string
+  scope?: string
+}
+
+export interface McpOAuthCallbacks {
+  onRedirect: (url: URL) => void | Promise<void>
+}
+
+export class McpOAuthProvider implements OAuthClientProvider {
+  constructor(
+    private mcpName: string,
+    private serverUrl: string,
+    private config: McpOAuthConfig,
+    private callbacks: McpOAuthCallbacks,
+  ) {}
+
+  get redirectUrl(): string {
+    return `http://127.0.0.1:${OAUTH_CALLBACK_PORT}${OAUTH_CALLBACK_PATH}`
+  }
+
+  get clientMetadata(): OAuthClientMetadata {
+    return {
+      redirect_uris: [this.redirectUrl],
+      client_name: "OpenCode",
+      client_uri: "https://opencode.ai",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: this.config.clientSecret ? "client_secret_post" : "none",
+    }
+  }
+
+  async clientInformation(): Promise<OAuthClientInformation | undefined> {
+    // Check config first (pre-registered client)
+    if (this.config.clientId) {
+      return {
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+      }
+    }
+
+    // Check stored client info (from dynamic registration)
+    const entry = await McpAuth.get(this.mcpName)
+    if (entry?.clientInfo) {
+      // Check if client secret has expired
+      if (entry.clientInfo.clientSecretExpiresAt && entry.clientInfo.clientSecretExpiresAt < Date.now() / 1000) {
+        log.info("client secret expired, need to re-register", { mcpName: this.mcpName })
+        return undefined
+      }
+      return {
+        client_id: entry.clientInfo.clientId,
+        client_secret: entry.clientInfo.clientSecret,
+      }
+    }
+
+    // No client info - will trigger dynamic registration
+    return undefined
+  }
+
+  async saveClientInformation(info: OAuthClientInformationFull): Promise<void> {
+    await McpAuth.updateClientInfo(this.mcpName, {
+      clientId: info.client_id,
+      clientSecret: info.client_secret,
+      clientIdIssuedAt: info.client_id_issued_at,
+      clientSecretExpiresAt: info.client_secret_expires_at,
+    })
+    log.info("saved dynamically registered client", {
+      mcpName: this.mcpName,
+      clientId: info.client_id,
+    })
+  }
+
+  async tokens(): Promise<OAuthTokens | undefined> {
+    const entry = await McpAuth.get(this.mcpName)
+    if (!entry?.tokens) return undefined
+
+    return {
+      access_token: entry.tokens.accessToken,
+      token_type: "Bearer",
+      refresh_token: entry.tokens.refreshToken,
+      expires_in: entry.tokens.expiresAt
+        ? Math.max(0, Math.floor(entry.tokens.expiresAt - Date.now() / 1000))
+        : undefined,
+      scope: entry.tokens.scope,
+    }
+  }
+
+  async saveTokens(tokens: OAuthTokens): Promise<void> {
+    await McpAuth.updateTokens(this.mcpName, {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      expiresAt: tokens.expires_in ? Date.now() / 1000 + tokens.expires_in : undefined,
+      scope: tokens.scope,
+    })
+    log.info("saved oauth tokens", { mcpName: this.mcpName })
+  }
+
+  async redirectToAuthorization(authorizationUrl: URL): Promise<void> {
+    log.info("redirecting to authorization", { mcpName: this.mcpName, url: authorizationUrl.toString() })
+    await this.callbacks.onRedirect(authorizationUrl)
+  }
+
+  async saveCodeVerifier(codeVerifier: string): Promise<void> {
+    await McpAuth.updateCodeVerifier(this.mcpName, codeVerifier)
+  }
+
+  async codeVerifier(): Promise<string> {
+    const entry = await McpAuth.get(this.mcpName)
+    if (!entry?.codeVerifier) {
+      throw new Error(`No code verifier saved for MCP server: ${this.mcpName}`)
+    }
+    return entry.codeVerifier
+  }
+}
+
+export { OAUTH_CALLBACK_PORT, OAUTH_CALLBACK_PATH }

package/src/notification/index.ts

@@ -0,0 +1,101 @@
+import { Log } from "@/util/log"
+import { Global } from "@/global"
+import path from "path"
+
+const log = Log.create({ service: "notification" })
+
+const NOTIFICATION_ENDPOINT = "https://cerebras-code-cli-notifs.kevin-taylor-d8d.workers.dev"
+const SEEN_KEY = "notification.seen"
+
+export interface Notification {
+  id: string
+  type: "info" | "warning" | "critical"
+  title: string
+  message: string
+  display: "toast" | "fullscreen" | "banner"
+  expires?: string
+}
+
+// Simple KV storage for notifications (outside TUI context)
+async function getKV(): Promise<Record<string, any>> {
+  try {
+    const file = Bun.file(path.join(Global.Path.state, "kv.json"))
+    return await file.json()
+  } catch {
+    return {}
+  }
+}
+
+async function setKV(key: string, value: any): Promise<void> {
+  const kv = await getKV()
+  kv[key] = value
+  await Bun.write(path.join(Global.Path.state, "kv.json"), JSON.stringify(kv, null, 2))
+}
+
+export namespace Notification {
+  /**
+   * Fetch the current notification from the server.
+   * Returns null if no notification or already seen.
+   */
+  export async function check(): Promise<Notification | null> {
+    try {
+      const res = await fetch(NOTIFICATION_ENDPOINT, {
+        signal: AbortSignal.timeout(3000), // 3s timeout
+      })
+
+      if (!res.ok) {
+        log.debug("notification fetch failed", { status: res.status })
+        return null
+      }
+
+      const notification = (await res.json()) as Notification | null
+      if (!notification) return null
+
+      // Check if expired
+      if (notification.expires) {
+        const expiresAt = new Date(notification.expires)
+        if (expiresAt < new Date()) {
+          log.debug("notification expired", { id: notification.id })
+          return null
+        }
+      }
+
+      // Check if already seen
+      const seen = await getSeenIds()
+      if (seen.includes(notification.id)) {
+        log.debug("notification already seen", { id: notification.id })
+        return null
+      }
+
+      return notification
+    } catch (e) {
+      log.debug("notification check error", { error: e })
+      return null
+    }
+  }
+
+  /**
+   * Mark a notification as seen so it won't show again.
+   */
+  export async function markSeen(id: string): Promise<void> {
+    const seen = await getSeenIds()
+    if (!seen.includes(id)) {
+      seen.push(id)
+      const trimmed = seen.slice(-50)
+      await setKV(SEEN_KEY, trimmed)
+    }
+  }
+
+  async function getSeenIds(): Promise<string[]> {
+    const kv = await getKV()
+    const raw = kv[SEEN_KEY]
+    if (!raw) return []
+    if (Array.isArray(raw)) return raw
+    try {
+      return JSON.parse(raw) as string[]
+    } catch {
+      return []
+    }
+  }
+}
+