crewly 1.11.4 → 1.11.6

package/dist/cli/backend/src/services/cloud/device-identity.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-identity.service.d.ts","sourceRoot":"","sources":["../../../../../../backend/src/services/cloud/device-identity.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB,wDAAwD;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAC;CACpB;AAKD;;;;;;;;;;;;GAYG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAsC;IAC7D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;IACzC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,cAAc,CAA+B;IAErD;;;;OAIG;gBACS,UAAU,CAAC,EAAE,MAAM;IAM/B;;;;OAIG;IACH,MAAM,CAAC,WAAW,IAAI,qBAAqB;IAO3C;;OAEG;IACH,MAAM,CAAC,aAAa,IAAI,IAAI;IAI5B;;;;;;OAMG;IACG,mBAAmB,IAAI,OAAO,CAAC,cAAc,CAAC;IAiCpD;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAOrC;;;;OAIG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAKpC;;;;OAIG;IACG,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC;IAKtC;;;;OAIG;YACW,eAAe;CAa9B"}

package/dist/cli/backend/src/services/cloud/device-identity.service.js

@@ -0,0 +1,148 @@
+/**
+ * Device Identity Service
+ *
+ * Manages a persistent device identity stored in ~/.crewly/device.json.
+ * Used by the relay auto-discovery system to uniquely identify this
+ * Crewly installation across sessions and restarts.
+ *
+ * @module services/cloud/device-identity.service
+ */
+import { readFile, writeFile, mkdir } from 'fs/promises';
+import { existsSync } from 'fs';
+import { join } from 'path';
+import { homedir, hostname } from 'os';
+import { v4 as uuidv4 } from 'uuid';
+import { LoggerService } from '../core/logger.service.js';
+/** Path to device identity file relative to ~/.crewly/ */
+const DEVICE_FILE = 'device.json';
+/**
+ * Singleton service that manages device identity for relay auto-discovery.
+ *
+ * On first run, generates a UUID and captures the OS hostname, persisting
+ * both to ~/.crewly/device.json. Subsequent calls read from disk.
+ *
+ * @example
+ * ```typescript
+ * const identity = DeviceIdentityService.getInstance();
+ * const id = await identity.getOrCreateIdentity();
+ * console.log(id.deviceId, id.deviceName);
+ * ```
+ */
+export class DeviceIdentityService {
+    static instance = null;
+    logger;
+    crewlyHome;
+    deviceFilePath;
+    cachedIdentity = null;
+    /**
+     * Creates a DeviceIdentityService instance.
+     *
+     * @param crewlyHome - Override ~/.crewly path (for testing)
+     */
+    constructor(crewlyHome) {
+        this.logger = LoggerService.getInstance().createComponentLogger('DeviceIdentityService');
+        this.crewlyHome = crewlyHome || join(homedir(), '.crewly');
+        this.deviceFilePath = join(this.crewlyHome, DEVICE_FILE);
+    }
+    /**
+     * Get the singleton instance.
+     *
+     * @returns DeviceIdentityService instance
+     */
+    static getInstance() {
+        if (!DeviceIdentityService.instance) {
+            DeviceIdentityService.instance = new DeviceIdentityService();
+        }
+        return DeviceIdentityService.instance;
+    }
+    /**
+     * Reset the singleton (for testing).
+     */
+    static resetInstance() {
+        DeviceIdentityService.instance = null;
+    }
+    /**
+     * Get or create the device identity.
+     * Reads from ~/.crewly/device.json if it exists, otherwise creates
+     * a new identity with a fresh UUID and the OS hostname.
+     *
+     * @returns The device identity
+     */
+    async getOrCreateIdentity() {
+        if (this.cachedIdentity) {
+            return this.cachedIdentity;
+        }
+        try {
+            if (existsSync(this.deviceFilePath)) {
+                const content = await readFile(this.deviceFilePath, 'utf-8');
+                const identity = JSON.parse(content);
+                this.cachedIdentity = identity;
+                this.logger.debug('Loaded device identity from disk', { deviceId: identity.deviceId });
+                return identity;
+            }
+        }
+        catch (error) {
+            this.logger.warn('Failed to read device identity, creating new one', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+        // Create new identity
+        const identity = {
+            deviceId: uuidv4(),
+            deviceName: hostname(),
+            createdAt: new Date().toISOString(),
+            lastSeenAt: new Date().toISOString(),
+        };
+        await this.persistIdentity(identity);
+        this.cachedIdentity = identity;
+        this.logger.info('Created new device identity', { deviceId: identity.deviceId, deviceName: identity.deviceName });
+        return identity;
+    }
+    /**
+     * Update the lastSeenAt timestamp on the persisted identity.
+     */
+    async updateLastSeen() {
+        const identity = await this.getOrCreateIdentity();
+        identity.lastSeenAt = new Date().toISOString();
+        await this.persistIdentity(identity);
+        this.logger.debug('Updated lastSeenAt', { deviceId: identity.deviceId });
+    }
+    /**
+     * Get the device ID string.
+     *
+     * @returns The device UUID
+     */
+    async getDeviceId() {
+        const identity = await this.getOrCreateIdentity();
+        return identity.deviceId;
+    }
+    /**
+     * Get the device name string.
+     *
+     * @returns The device hostname
+     */
+    async getDeviceName() {
+        const identity = await this.getOrCreateIdentity();
+        return identity.deviceName;
+    }
+    /**
+     * Write identity to disk, ensuring the directory exists.
+     *
+     * @param identity - The identity to persist
+     */
+    async persistIdentity(identity) {
+        try {
+            if (!existsSync(this.crewlyHome)) {
+                await mkdir(this.crewlyHome, { recursive: true });
+            }
+            await writeFile(this.deviceFilePath, JSON.stringify(identity, null, 2), 'utf-8');
+        }
+        catch (error) {
+            this.logger.error('Failed to persist device identity', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+            throw error;
+        }
+    }
+}
+//# sourceMappingURL=device-identity.service.js.map

package/dist/cli/backend/src/services/cloud/device-identity.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-identity.service.js","sourceRoot":"","sources":["../../../../../../backend/src/services/cloud/device-identity.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACvC,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAE,aAAa,EAAwB,MAAM,2BAA2B,CAAC;AAgBhF,0DAA0D;AAC1D,MAAM,WAAW,GAAG,aAAa,CAAC;AAElC;;;;;;;;;;;;GAYG;AACH,MAAM,OAAO,qBAAqB;IACxB,MAAM,CAAC,QAAQ,GAAiC,IAAI,CAAC;IAC5C,MAAM,CAAkB;IACxB,UAAU,CAAS;IACnB,cAAc,CAAS;IAChC,cAAc,GAA0B,IAAI,CAAC;IAErD;;;;OAIG;IACH,YAAY,UAAmB;QAC7B,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC,qBAAqB,CAAC,uBAAuB,CAAC,CAAC;QACzF,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,IAAI,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,CAAC;QAC3D,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAC3D,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,CAAC;YACpC,qBAAqB,CAAC,QAAQ,GAAG,IAAI,qBAAqB,EAAE,CAAC;QAC/D,CAAC;QACD,OAAO,qBAAqB,CAAC,QAAQ,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa;QAClB,qBAAqB,CAAC,QAAQ,GAAG,IAAI,CAAC;IACxC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB;QACvB,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,cAAc,CAAC;QAC7B,CAAC;QAED,IAAI,CAAC;YACH,IAAI,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;gBAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAmB,CAAC;gBACvD,IAAI,CAAC,cAAc,GAAG,QAAQ,CAAC;gBAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACvF,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kDAAkD,EAAE;gBACnE,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,MAAM,QAAQ,GAAmB;YAC/B,QAAQ,EAAE,MAAM,EAAE;YAClB,UAAU,EAAE,QAAQ,EAAE;YACtB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC,CAAC;QAEF,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,cAAc,GAAG,QAAQ,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;QAClH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAClD,QAAQ,CAAC,UAAU,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC/C,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC3E,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,WAAW;QACf,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAClD,OAAO,QAAQ,CAAC,QAAQ,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,aAAa;QACjB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAClD,OAAO,QAAQ,CAAC,UAAU,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,eAAe,CAAC,QAAwB;QACpD,IAAI,CAAC;YACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACpD,CAAC;YACD,MAAM,SAAS,CAAC,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACnF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE;gBACrD,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC9D,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC"}

package/dist/cli/backend/src/services/user/user-identity.service.d.ts

@@ -0,0 +1,86 @@
+export type ConnectedProvider = 'google' | 'github' | 'calendar' | 'drive';
+export interface ConnectedService {
+    provider: ConnectedProvider;
+    encryptedRefreshToken: string;
+    encryptedAccessToken?: string;
+    scopes: string[];
+    connectedAt: string;
+}
+export interface UserIdentity {
+    id: string;
+    email: string;
+    slackUserId?: string;
+    connectedServices: ConnectedService[];
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Service for managing user identities and encrypted service tokens.
+ *
+ * Uses a file-backed JSON store with an in-memory cache for reads.
+ * Tokens are encrypted with AES-256-GCM using a key derived from
+ * environment variables.
+ */
+export declare class UserIdentityService {
+    private static instance;
+    private readonly logger;
+    private readonly storePath;
+    /** Cached encryption key (derived once from env) */
+    private cachedKey;
+    /** In-memory cache of the user store to avoid repeated disk reads */
+    private storeCache;
+    private constructor();
+    static getInstance(): UserIdentityService;
+    /**
+     * Reset the singleton instance (for testing).
+     */
+    static resetInstance(): void;
+    private ensureStoreDir;
+    /**
+     * Load the user store from disk, using in-memory cache when available.
+     *
+     * @returns The parsed user store
+     */
+    private loadStore;
+    /**
+     * Persist the user store to disk using atomic write (temp + rename).
+     *
+     * @param store - The store data to persist
+     */
+    private saveStore;
+    /**
+     * Derive the AES-256 encryption key from environment variables.
+     * Caches the result to avoid recomputing SHA-256 on every call.
+     *
+     * @returns 32-byte key buffer
+     */
+    private getKey;
+    /**
+     * Encrypt a plaintext token using AES-256-GCM.
+     *
+     * @param value - The plaintext token
+     * @returns Encrypted string in the format `iv.tag.ciphertext` (base64)
+     */
+    encryptToken(value: string): string;
+    /**
+     * Decrypt an encrypted token string produced by {@link encryptToken}.
+     *
+     * @param value - Encrypted string in `iv.tag.ciphertext` format
+     * @returns The decrypted plaintext
+     * @throws Error if the token format is invalid or decryption fails
+     */
+    decryptToken(value: string): string;
+    listUsers(): Promise<UserIdentity[]>;
+    getUserById(id: string): Promise<UserIdentity | null>;
+    getUserBySlackUserId(slackUserId: string): Promise<UserIdentity | null>;
+    createOrUpdateUser(input: {
+        email: string;
+        slackUserId?: string;
+    }): Promise<UserIdentity>;
+    connectService(userId: string, provider: ConnectedProvider, tokens: {
+        refreshToken: string;
+        accessToken?: string;
+        scopes: string[];
+    }): Promise<UserIdentity>;
+}
+//# sourceMappingURL=user-identity.service.d.ts.map

package/dist/cli/backend/src/services/user/user-identity.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-identity.service.d.ts","sourceRoot":"","sources":["../../../../../../backend/src/services/user/user-identity.service.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;AAE3E,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,gBAAgB,EAAE,CAAC;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AASD;;;;;;GAMG;AACH,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAoC;IAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;IACzC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,oDAAoD;IACpD,OAAO,CAAC,SAAS,CAAuB;IACxC,qEAAqE;IACrE,OAAO,CAAC,UAAU,CAA0B;IAE5C,OAAO;IAKP,MAAM,CAAC,WAAW,IAAI,mBAAmB;IAOzC;;OAEG;IACH,MAAM,CAAC,aAAa,IAAI,IAAI;YAId,cAAc;IAI5B;;;;OAIG;YACW,SAAS;IAmBvB;;;;OAIG;YACW,SAAS;IAQvB;;;;;OAKG;IACH,OAAO,CAAC,MAAM;IAYd;;;;;OAKG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IASnC;;;;;;OAMG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAgB7B,SAAS,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;IAKpC,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAKrD,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IAKvE,kBAAkB,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IA8BzF,cAAc,CAClB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,iBAAiB,EAC3B,MAAM,EAAE;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,GACvE,OAAO,CAAC,YAAY,CAAC;CAwBzB"}

package/dist/cli/backend/src/services/user/user-identity.service.js

@@ -0,0 +1,190 @@
+import { promises as fs } from 'fs';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+import { CREWLY_CONSTANTS } from '../../constants.js';
+import { LoggerService } from '../core/logger.service.js';
+const STORE_SCHEMA_VERSION = 1;
+/**
+ * Service for managing user identities and encrypted service tokens.
+ *
+ * Uses a file-backed JSON store with an in-memory cache for reads.
+ * Tokens are encrypted with AES-256-GCM using a key derived from
+ * environment variables.
+ */
+export class UserIdentityService {
+    static instance = null;
+    logger;
+    storePath;
+    /** Cached encryption key (derived once from env) */
+    cachedKey = null;
+    /** In-memory cache of the user store to avoid repeated disk reads */
+    storeCache = null;
+    constructor() {
+        this.logger = LoggerService.getInstance().createComponentLogger('UserIdentityService');
+        this.storePath = path.join(os.homedir(), CREWLY_CONSTANTS.PATHS.CREWLY_HOME, 'users.json');
+    }
+    static getInstance() {
+        if (!UserIdentityService.instance) {
+            UserIdentityService.instance = new UserIdentityService();
+        }
+        return UserIdentityService.instance;
+    }
+    /**
+     * Reset the singleton instance (for testing).
+     */
+    static resetInstance() {
+        UserIdentityService.instance = null;
+    }
+    async ensureStoreDir() {
+        await fs.mkdir(path.dirname(this.storePath), { recursive: true });
+    }
+    /**
+     * Load the user store from disk, using in-memory cache when available.
+     *
+     * @returns The parsed user store
+     */
+    async loadStore() {
+        if (this.storeCache) {
+            return this.storeCache;
+        }
+        try {
+            const raw = await fs.readFile(this.storePath, 'utf8');
+            const parsed = JSON.parse(raw);
+            if (!Array.isArray(parsed.users)) {
+                this.storeCache = { schemaVersion: STORE_SCHEMA_VERSION, users: [] };
+                return this.storeCache;
+            }
+            this.storeCache = parsed;
+            return this.storeCache;
+        }
+        catch {
+            this.storeCache = { schemaVersion: STORE_SCHEMA_VERSION, users: [] };
+            return this.storeCache;
+        }
+    }
+    /**
+     * Persist the user store to disk using atomic write (temp + rename).
+     *
+     * @param store - The store data to persist
+     */
+    async saveStore(store) {
+        await this.ensureStoreDir();
+        const tmpPath = `${this.storePath}.tmp`;
+        await fs.writeFile(tmpPath, JSON.stringify(store, null, 2) + '\n', 'utf8');
+        await fs.rename(tmpPath, this.storePath);
+        this.storeCache = store;
+    }
+    /**
+     * Derive the AES-256 encryption key from environment variables.
+     * Caches the result to avoid recomputing SHA-256 on every call.
+     *
+     * @returns 32-byte key buffer
+     */
+    getKey() {
+        if (this.cachedKey) {
+            return this.cachedKey;
+        }
+        const source = process.env.CREWLY_TOKEN_ENCRYPTION_KEY || process.env.CREWLY_SECRET;
+        if (!source) {
+            this.logger.warn('No CREWLY_TOKEN_ENCRYPTION_KEY or CREWLY_SECRET set — using insecure fallback key');
+        }
+        this.cachedKey = crypto.createHash('sha256').update(source || 'crewly-local-dev-key').digest();
+        return this.cachedKey;
+    }
+    /**
+     * Encrypt a plaintext token using AES-256-GCM.
+     *
+     * @param value - The plaintext token
+     * @returns Encrypted string in the format `iv.tag.ciphertext` (base64)
+     */
+    encryptToken(value) {
+        const iv = crypto.randomBytes(12);
+        const key = this.getKey();
+        const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+        const encrypted = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return `${iv.toString('base64')}.${tag.toString('base64')}.${encrypted.toString('base64')}`;
+    }
+    /**
+     * Decrypt an encrypted token string produced by {@link encryptToken}.
+     *
+     * @param value - Encrypted string in `iv.tag.ciphertext` format
+     * @returns The decrypted plaintext
+     * @throws Error if the token format is invalid or decryption fails
+     */
+    decryptToken(value) {
+        const parts = value.split('.');
+        if (parts.length !== 3 || parts.some((p) => !p)) {
+            throw new Error('Invalid encrypted token format: expected iv.tag.ciphertext');
+        }
+        const [ivB64, tagB64, bodyB64] = parts;
+        const key = this.getKey();
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(ivB64, 'base64'));
+        decipher.setAuthTag(Buffer.from(tagB64, 'base64'));
+        const decrypted = Buffer.concat([
+            decipher.update(Buffer.from(bodyB64, 'base64')),
+            decipher.final(),
+        ]);
+        return decrypted.toString('utf8');
+    }
+    async listUsers() {
+        const store = await this.loadStore();
+        return store.users;
+    }
+    async getUserById(id) {
+        const store = await this.loadStore();
+        return store.users.find((u) => u.id === id) || null;
+    }
+    async getUserBySlackUserId(slackUserId) {
+        const store = await this.loadStore();
+        return store.users.find((u) => u.slackUserId === slackUserId) || null;
+    }
+    async createOrUpdateUser(input) {
+        const store = await this.loadStore();
+        const now = new Date().toISOString();
+        const existing = store.users.find((u) => u.email.toLowerCase() === input.email.toLowerCase() || (input.slackUserId && u.slackUserId === input.slackUserId));
+        if (existing) {
+            existing.email = input.email;
+            if (input.slackUserId) {
+                existing.slackUserId = input.slackUserId;
+            }
+            existing.updatedAt = now;
+            await this.saveStore(store);
+            return existing;
+        }
+        const created = {
+            id: crypto.randomUUID(),
+            email: input.email,
+            slackUserId: input.slackUserId,
+            connectedServices: [],
+            createdAt: now,
+            updatedAt: now,
+        };
+        store.users.push(created);
+        await this.saveStore(store);
+        return created;
+    }
+    async connectService(userId, provider, tokens) {
+        const store = await this.loadStore();
+        const user = store.users.find((u) => u.id === userId);
+        if (!user) {
+            throw new Error(`User not found: ${userId}`);
+        }
+        const now = new Date().toISOString();
+        const next = {
+            provider,
+            encryptedRefreshToken: this.encryptToken(tokens.refreshToken),
+            encryptedAccessToken: tokens.accessToken ? this.encryptToken(tokens.accessToken) : undefined,
+            scopes: tokens.scopes,
+            connectedAt: now,
+        };
+        user.connectedServices = user.connectedServices.filter((s) => s.provider !== provider);
+        user.connectedServices.push(next);
+        user.updatedAt = now;
+        await this.saveStore(store);
+        this.logger.info('Connected service for user', { userId, provider, scopeCount: tokens.scopes.length });
+        return user;
+    }
+}
+//# sourceMappingURL=user-identity.service.js.map

package/dist/cli/backend/src/services/user/user-identity.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-identity.service.js","sourceRoot":"","sources":["../../../../../../backend/src/services/user/user-identity.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,IAAI,CAAC;AACpC,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAmB,MAAM,2BAA2B,CAAC;AA0B3E,MAAM,oBAAoB,GAAG,CAAC,CAAC;AAE/B;;;;;;GAMG;AACH,MAAM,OAAO,mBAAmB;IACtB,MAAM,CAAC,QAAQ,GAA+B,IAAI,CAAC;IAC1C,MAAM,CAAkB;IACxB,SAAS,CAAS;IACnC,oDAAoD;IAC5C,SAAS,GAAkB,IAAI,CAAC;IACxC,qEAAqE;IAC7D,UAAU,GAAqB,IAAI,CAAC;IAE5C;QACE,IAAI,CAAC,MAAM,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC;QACvF,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,gBAAgB,CAAC,KAAK,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,mBAAmB,CAAC,QAAQ,GAAG,IAAI,mBAAmB,EAAE,CAAC;QAC3D,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC;IACtC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa;QAClB,mBAAmB,CAAC,QAAQ,GAAG,IAAI,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,SAAS;QACrB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,UAAU,CAAC;QACzB,CAAC;QACD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACtD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAc,CAAC;YAC5C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC,UAAU,GAAG,EAAE,aAAa,EAAE,oBAAoB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;gBACrE,OAAO,IAAI,CAAC,UAAU,CAAC;YACzB,CAAC;YACD,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC;YACzB,OAAO,IAAI,CAAC,UAAU,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,UAAU,GAAG,EAAE,aAAa,EAAE,oBAAoB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;YACrE,OAAO,IAAI,CAAC,UAAU,CAAC;QACzB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,SAAS,CAAC,KAAgB;QACtC,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,SAAS,MAAM,CAAC;QACxC,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QAC3E,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC;IAC1B,CAAC;IAED;;;;;OAKG;IACK,MAAM;QACZ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;QACpF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mFAAmF,CAAC,CAAC;QACxG,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,IAAI,sBAAsB,CAAC,CAAC,MAAM,EAAE,CAAC;QAC/F,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;;OAKG;IACH,YAAY,CAAC,KAAa;QACxB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAChF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC9F,CAAC;IAED;;;;;;OAMG;IACH,YAAY,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC3F,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;QACnD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;YAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC/C,QAAQ,CAAC,KAAK,EAAE;SACjB,CAAC,CAAC;QACH,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,EAAU;QAC1B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,IAAI,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,oBAAoB,CAAC,WAAmB;QAC5C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,IAAI,IAAI,CAAC;IACxE,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAA8C;QACrE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAC/B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW,KAAK,KAAK,CAAC,WAAW,CAAC,CACzH,CAAC;QAEF,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;YAC7B,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC;gBACtB,QAAQ,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC;YAC3C,CAAC;YACD,QAAQ,CAAC,SAAS,GAAG,GAAG,CAAC;YACzB,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YAC5B,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAiB;YAC5B,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;YACvB,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,iBAAiB,EAAE,EAAE;YACrB,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;SACf,CAAC;QACF,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1B,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,MAAc,EACd,QAA2B,EAC3B,MAAwE;QAExE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;QACtD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,mBAAmB,MAAM,EAAE,CAAC,CAAC;QAC/C,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,IAAI,GAAqB;YAC7B,QAAQ;YACR,qBAAqB,EAAE,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,YAAY,CAAC;YAC7D,oBAAoB,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;YAC5F,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,WAAW,EAAE,GAAG;SACjB,CAAC;QAEF,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;QACvF,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;QACrB,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAE5B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QACvG,OAAO,IAAI,CAAC;IACd,CAAC"}

package/dist/cli/cli/src/commands/backup.d.ts

@@ -0,0 +1,31 @@
+/**
+ * `crewly backup` — workspace backup CLI (P0: local `create`).
+ *
+ * Builds a portable `.tar.gz` of this machine's workspace (CREWLY_HOME globals
+ * + each project's `.crewly/` + chat.db) that can later be restored on another
+ * machine. Runs fully locally and offline. Cloud push/pull/list (Pro-gated)
+ * land in later phases. See specs/2026-06-07-workspace-backup.md.
+ *
+ * @module cli/commands/backup
+ */
+/** Options accepted by `crewly backup`. */
+export interface BackupCommandOptions {
+    /** Output archive path (create). */
+    out?: string;
+    /** Exclude chat.db from the archive (create). commander sets chatDb=false for --no-chat-db. */
+    chatDb?: boolean;
+    /** Restore conflict mode: 'abort' (default) | 'overwrite'. */
+    mode?: string;
+    /** Restore source→target path remaps, each "OLD=NEW" (repeatable). */
+    map?: string[];
+    /** Actually apply the restore. Without this, restore is a dry-run preview. */
+    apply?: boolean;
+}
+/**
+ * `crewly backup <action>` dispatcher.
+ *
+ * @param action - Subcommand: `create` (P0). Others are placeholders.
+ * @param options - CLI options
+ */
+export declare function backupCommand(action: string, target?: string, options?: BackupCommandOptions): Promise<void>;
+//# sourceMappingURL=backup.d.ts.map

package/dist/cli/cli/src/commands/backup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"backup.d.ts","sourceRoot":"","sources":["../../../../../cli/src/commands/backup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAiBH,2CAA2C;AAC3C,MAAM,WAAW,oBAAoB;IACnC,oCAAoC;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+FAA+F;IAC/F,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,8DAA8D;IAC9D,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,8EAA8E;IAC9E,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AA+BD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,EACf,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,IAAI,CAAC,CAuBf"}