driggsby 0.1.10 → 0.1.11

package/README.md

@@ -18,6 +18,10 @@ Node `20+` is required.
 
 If you prefer not to install globally, you can also use `npx -y driggsby ...`.
 
+On machines without working platform keyring support, such as some headless
+Linux servers, Driggsby falls back to an owner-only local file-backed secret
+store so the CLI can still complete login and run the broker.
+
 ## Quick Start
 
 1. Sign in:

package/dist/auth/config.js

@@ -2,7 +2,7 @@ import { assertBrokerRemoteUrl } from "./url-security.js";
 const DEFAULT_REMOTE_BASE_URL = "https://app.driggsby.com";
 const DEFAULT_SCOPE = "driggsby.default";
 const DEFAULT_LOGIN_TIMEOUT_MS = 5 * 60 * 1_000;
-const DEFAULT_CLIENT_NAME = "Driggsby Local Broker";
+const DEFAULT_CLIENT_NAME = "Driggsby CLI";
 export function resolveBrokerAuthConfig(env = process.env) {
     const remoteBaseUrl = normalizeBaseUrl(env["DRIGGSBY_REMOTE_BASE_URL"] ?? DEFAULT_REMOTE_BASE_URL);
     return {

package/dist/broker/daemon.js

@@ -1,11 +1,11 @@
 import { buildBrokerStatus, ensureBrokerInstallation, readBrokerDpopKeyPair, readBrokerLocalAuthToken, readBrokerPrivateJwk, } from "./installation.js";
 import { BrokerRemoteSessionManager } from "./remote-session.js";
 import { callRemoteTool, listRemoteTools } from "./remote-mcp.js";
-import { KeyringSecretStore } from "./secret-store.js";
+import { resolveSecretStore } from "./resolve-secret-store.js";
 import { LocalBrokerServer } from "./server.js";
 import { buildReauthenticationRequiredMessage } from "../lib/user-guidance.js";
 export async function runBrokerDaemon(runtimePaths) {
-    const secretStore = new KeyringSecretStore();
+    const secretStore = (await resolveSecretStore(runtimePaths)).store;
     const metadata = await ensureBrokerInstallation(runtimePaths, secretStore);
     const localAuthToken = await readRequiredLocalAuthToken(secretStore, metadata.brokerId);
     const privateJwk = await readRequiredPrivateJwk(secretStore, metadata.brokerId);

package/dist/broker/file-secret-store.js

@@ -0,0 +1,130 @@
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { readJsonFile, removeFileIfPresent, writeJsonFile, } from "../lib/json-file.js";
+const FILE_SECRET_KEY_BYTES = 32;
+const FILE_SECRET_STORE_INCOMPLETE_MESSAGE = "The local Driggsby file-backed secret store is incomplete. Run `driggsby logout` and then `driggsby login`.";
+const FILE_SECRET_STORE_INVALID_MESSAGE = "The local Driggsby file-backed secret store is invalid. Run `driggsby logout` and then `driggsby login`.";
+const FILE_SECRET_STORE_SCHEMA_VERSION = 1;
+const FILE_SECRET_IV_BYTES = 12;
+export class FileSecretStore {
+    encryptionKeyPath;
+    secretsPath;
+    constructor(runtimePaths) {
+        this.encryptionKeyPath = path.join(runtimePaths.stateDir, "broker-secrets.key");
+        this.secretsPath = path.join(runtimePaths.configDir, "broker-secrets.json");
+    }
+    async hasStoredSecrets() {
+        const storedSecrets = await this.readStoredSecretsFile();
+        return Object.keys(storedSecrets?.secrets ?? {}).length > 0;
+    }
+    async setSecret(account, secret) {
+        const encryptionKey = await this.readOrCreateEncryptionKey();
+        const storedSecrets = (await this.readStoredSecretsFile()) ?? {
+            schemaVersion: FILE_SECRET_STORE_SCHEMA_VERSION,
+            secrets: {},
+        };
+        storedSecrets.secrets[account] = encryptSecret(secret, encryptionKey);
+        await writeJsonFile(this.secretsPath, storedSecrets);
+    }
+    async getSecret(account) {
+        const storedSecrets = await this.readStoredSecretsFile();
+        const encryptedSecret = storedSecrets?.secrets[account];
+        if (encryptedSecret === undefined) {
+            return null;
+        }
+        const encryptionKey = await this.readEncryptionKey(true);
+        if (encryptionKey === null) {
+            throw new Error(FILE_SECRET_STORE_INCOMPLETE_MESSAGE);
+        }
+        return decryptSecret(encryptedSecret, encryptionKey);
+    }
+    async deleteSecret(account) {
+        const storedSecrets = await this.readStoredSecretsFile();
+        if (storedSecrets?.secrets[account] === undefined) {
+            return false;
+        }
+        const remainingSecrets = Object.fromEntries(Object.entries(storedSecrets.secrets).filter(([storedAccount]) => storedAccount !== account));
+        if (Object.keys(remainingSecrets).length === 0) {
+            await Promise.all([
+                removeFileIfPresent(this.secretsPath),
+                removeFileIfPresent(this.encryptionKeyPath),
+            ]);
+            return true;
+        }
+        await writeJsonFile(this.secretsPath, {
+            ...storedSecrets,
+            secrets: remainingSecrets,
+        });
+        return true;
+    }
+    async readStoredSecretsFile() {
+        return await readJsonFile(this.secretsPath);
+    }
+    async readEncryptionKey(errorIfMissing) {
+        try {
+            const encodedKey = await fs.readFile(this.encryptionKeyPath, "utf8");
+            const encryptionKey = Buffer.from(encodedKey.trim(), "base64");
+            if (encryptionKey.length !== FILE_SECRET_KEY_BYTES) {
+                throw new Error(FILE_SECRET_STORE_INVALID_MESSAGE);
+            }
+            return encryptionKey;
+        }
+        catch (error) {
+            if (!errorIfMissing &&
+                error instanceof Error &&
+                "code" in error &&
+                error.code === "ENOENT") {
+                return null;
+            }
+            if (errorIfMissing &&
+                error instanceof Error &&
+                "code" in error &&
+                error.code === "ENOENT") {
+                throw new Error(FILE_SECRET_STORE_INCOMPLETE_MESSAGE);
+            }
+            throw error;
+        }
+    }
+    async readOrCreateEncryptionKey() {
+        const existingKey = await this.readEncryptionKey(false);
+        if (existingKey !== null) {
+            return existingKey;
+        }
+        await fs.mkdir(path.dirname(this.secretsPath), {
+            recursive: true,
+            mode: 0o700,
+        });
+        await fs.mkdir(path.dirname(this.encryptionKeyPath), {
+            recursive: true,
+            mode: 0o700,
+        });
+        const encryptionKey = randomBytes(FILE_SECRET_KEY_BYTES);
+        await fs.writeFile(this.encryptionKeyPath, encryptionKey.toString("base64"), {
+            encoding: "utf8",
+            mode: 0o600,
+        });
+        return encryptionKey;
+    }
+}
+function encryptSecret(secret, encryptionKey) {
+    const iv = randomBytes(FILE_SECRET_IV_BYTES);
+    const cipher = createCipheriv("aes-256-gcm", encryptionKey, iv);
+    const ciphertext = Buffer.concat([
+        cipher.update(secret, "utf8"),
+        cipher.final(),
+    ]);
+    return {
+        authTagBase64: cipher.getAuthTag().toString("base64"),
+        ciphertextBase64: ciphertext.toString("base64"),
+        ivBase64: iv.toString("base64"),
+    };
+}
+function decryptSecret(encryptedSecret, encryptionKey) {
+    const decipher = createDecipheriv("aes-256-gcm", encryptionKey, Buffer.from(encryptedSecret.ivBase64, "base64"));
+    decipher.setAuthTag(Buffer.from(encryptedSecret.authTagBase64, "base64"));
+    return Buffer.concat([
+        decipher.update(Buffer.from(encryptedSecret.ciphertextBase64, "base64")),
+        decipher.final(),
+    ]).toString("utf8");
+}

package/dist/broker/keyring-secret-store.js

@@ -0,0 +1,34 @@
+import { randomBytes } from "node:crypto";
+export class KeyringSecretStore {
+    serviceName;
+    constructor(serviceName = "driggsby.local-broker") {
+        this.serviceName = serviceName;
+    }
+    async isAvailable() {
+        try {
+            const AsyncEntry = await loadAsyncEntry();
+            await new AsyncEntry(this.serviceName, `driggsby-probe-${randomBytes(12).toString("hex")}`).getPassword();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async setSecret(account, secret) {
+        const AsyncEntry = await loadAsyncEntry();
+        await new AsyncEntry(this.serviceName, account).setPassword(secret);
+    }
+    async getSecret(account) {
+        const AsyncEntry = await loadAsyncEntry();
+        const secret = await new AsyncEntry(this.serviceName, account).getPassword();
+        return secret ?? null;
+    }
+    async deleteSecret(account) {
+        const AsyncEntry = await loadAsyncEntry();
+        return await new AsyncEntry(this.serviceName, account).deleteCredential();
+    }
+}
+async function loadAsyncEntry() {
+    const keyringModule = await import("@napi-rs/keyring");
+    return keyringModule.AsyncEntry;
+}

package/dist/broker/resolve-secret-store.js

@@ -0,0 +1,52 @@
+import { readBrokerMetadata } from "./installation.js";
+import { FileSecretStore } from "./file-secret-store.js";
+import { KeyringSecretStore } from "./keyring-secret-store.js";
+const KEYRING_UNAVAILABLE_WITH_EXISTING_INSTALL_MESSAGE = "This Driggsby broker install already depends on platform secure storage, but that storage is unavailable in this shell. Reopen the original desktop session or restore keyring access before using this install.";
+const LOGOUT_FALLBACK_NOTICE = "Platform secure storage is unavailable here, so logout will clear local broker files only. Any unreachable platform-keyring entries will remain until you return to the original session.";
+export class ExistingInstallRequiresKeyringError extends Error {
+    constructor() {
+        super(KEYRING_UNAVAILABLE_WITH_EXISTING_INSTALL_MESSAGE);
+        this.name = "ExistingInstallRequiresKeyringError";
+    }
+}
+export async function resolveSecretStore(runtimePaths, options = {}) {
+    const fileStore = options.fileStore ?? new FileSecretStore(runtimePaths);
+    if (await fileStore.hasStoredSecrets()) {
+        return {
+            backend: "file",
+            notice: null,
+            store: fileStore,
+        };
+    }
+    const keyringStore = options.keyringStore ?? new KeyringSecretStore();
+    if (await keyringStore.isAvailable()) {
+        return {
+            backend: "keyring",
+            notice: null,
+            store: keyringStore,
+        };
+    }
+    if ((await readBrokerMetadata(runtimePaths)) !== null) {
+        throw new ExistingInstallRequiresKeyringError();
+    }
+    return {
+        backend: "file",
+        notice: `Platform secure storage is unavailable here. Driggsby will use an owner-only file-backed secret store under ${runtimePaths.configDir}.`,
+        store: fileStore,
+    };
+}
+export async function resolveSecretStoreForLogout(runtimePaths, options = {}) {
+    try {
+        return await resolveSecretStore(runtimePaths, options);
+    }
+    catch (error) {
+        if (!(error instanceof ExistingInstallRequiresKeyringError)) {
+            throw error;
+        }
+        return {
+            backend: "file",
+            notice: LOGOUT_FALLBACK_NOTICE,
+            store: options.fileStore ?? new FileSecretStore(runtimePaths),
+        };
+    }
+}

package/dist/broker/secret-store.js

@@ -1,20 +1,3 @@
-import { AsyncEntry } from "@napi-rs/keyring";
-export class KeyringSecretStore {
-    serviceName;
-    constructor(serviceName = "driggsby.local-broker") {
-        this.serviceName = serviceName;
-    }
-    async setSecret(account, secret) {
-        await new AsyncEntry(this.serviceName, account).setPassword(secret);
-    }
-    async getSecret(account) {
-        const secret = await new AsyncEntry(this.serviceName, account).getPassword();
-        return secret ?? null;
-    }
-    async deleteSecret(account) {
-        return await new AsyncEntry(this.serviceName, account).deleteCredential();
-    }
-}
 export class MemorySecretStore {
     secrets = new Map();
     setSecret(account, secret) {

package/dist/cli/commands/login.js

@@ -1,10 +1,14 @@
 import { loginBroker } from "../../auth/login.js";
-import { KeyringSecretStore } from "../../broker/secret-store.js";
+import { resolveSecretStore } from "../../broker/resolve-secret-store.js";
 import { ensureRuntimeDirectories } from "../../lib/runtime-paths.js";
 export async function runLoginCommand(runtimePaths) {
     await ensureRuntimeDirectories(runtimePaths);
-    const secretStore = new KeyringSecretStore();
+    const resolvedSecretStore = await resolveSecretStore(runtimePaths);
+    const secretStore = resolvedSecretStore.store;
     process.stdout.write("Opening Driggsby sign-in in your browser...\n");
+    if (resolvedSecretStore.notice !== null) {
+        process.stdout.write(`${resolvedSecretStore.notice}\n`);
+    }
     const result = await loginBroker(runtimePaths, {
         onBrowserPrompt: ({ browserOpened, signInUrl }) => {
             if (!browserOpened) {

package/dist/cli/commands/logout.js

@@ -1,8 +1,9 @@
 import { getBrokerStatus, shutdownBroker } from "../../broker/client.js";
 import { clearBrokerInstallation } from "../../broker/installation.js";
-import { KeyringSecretStore } from "../../broker/secret-store.js";
+import { resolveSecretStoreForLogout } from "../../broker/resolve-secret-store.js";
 export async function runLogoutCommand(runtimePaths) {
-    const secretStore = new KeyringSecretStore();
+    const resolvedSecretStore = await resolveSecretStoreForLogout(runtimePaths);
+    const secretStore = resolvedSecretStore.store;
     const clientOptions = {
         runtimePaths,
         secretStore,
@@ -12,5 +13,8 @@ export async function runLogoutCommand(runtimePaths) {
         throw new Error("The local Driggsby broker did not shut down cleanly. Close active MCP sessions and try again.");
     }
     await clearBrokerInstallation(runtimePaths, secretStore);
+    if (resolvedSecretStore.notice !== null) {
+        process.stdout.write(`${resolvedSecretStore.notice}\n`);
+    }
     process.stdout.write("Local Driggsby broker state cleared.\n");
 }

package/dist/cli/commands/status.js

@@ -1,9 +1,9 @@
 import { getBrokerStatus } from "../../broker/client.js";
 import { resolveBrokerStatusForDisplay } from "../../broker/installation.js";
-import { KeyringSecretStore } from "../../broker/secret-store.js";
+import { resolveSecretStore } from "../../broker/resolve-secret-store.js";
 import { formatStatusText } from "../format.js";
 export async function runStatusCommand(runtimePaths) {
-    const secretStore = new KeyringSecretStore();
+    const secretStore = (await resolveSecretStore(runtimePaths)).store;
     const liveStatus = await getBrokerStatus({
         runtimePaths,
         secretStore,

package/dist/shim/server.js

@@ -4,7 +4,7 @@ import { CallToolRequestSchema, ListToolsRequestSchema, } from "@modelcontextpro
 import { ensureBrokerRunning } from "../broker/launch.js";
 import { callBrokerTool, getBrokerStatus, listBrokerTools, } from "../broker/client.js";
 import { resolveBrokerStatusForDisplay } from "../broker/installation.js";
-import { KeyringSecretStore } from "../broker/secret-store.js";
+import { resolveSecretStore } from "../broker/resolve-secret-store.js";
 import { retryOperation } from "../lib/retry.js";
 import { buildBrokerInvestigationMessage, errorMessageIncludesReauthenticationCommand, formatRetryWindow, } from "../lib/user-guidance.js";
 import { formatStatusText, } from "../cli/format.js";
@@ -20,7 +20,7 @@ const LOCAL_STATUS_TOOL = {
 };
 const BROKER_OPERATION_RETRY_DELAYS_MS = [0, 250, 500, 1_000, 2_000];
 export async function runMcpServerCommand(runtimePaths, entrypointPath) {
-    const secretStore = new KeyringSecretStore();
+    const secretStore = (await resolveSecretStore(runtimePaths)).store;
     await ensureBrokerRunning({
         entrypointPath,
         runtimePaths,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "driggsby",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Local MCP broker and CLI for connecting AI clients to Driggsby",
   "license": "UNLICENSED",
   "type": "module",