gramatr 0.3.0

package/CLAUDE.md

@@ -0,0 +1,18 @@
+<!-- GMTR-START — Do not edit between these markers. Managed by gramatr installer. -->
+# gramatr
+
+You have gramatr installed. A hook pre-classifies every user request and injects
+intelligence as `[GMTR Intelligence — ...]` into your context.
+
+**Follow the intelligence packet.** It contains behavioral directives, effort level,
+ISC scaffold, capability audit, phase templates, and composed agents.
+
+**Memory:** Use gramatr MCP tools (`search_semantic`, `create_entity`, `add_observation`),
+not local markdown files.
+
+**Identity:** Read from `~/gmtr-client/settings.json` — `daidentity` for your name,
+`principal` for the user's name.
+
+**If the server is unreachable:** Use 7-phase structure (OBSERVE → THINK → PLAN → BUILD →
+EXECUTE → VERIFY → LEARN). Create ISC before work. Never combine phases.
+<!-- GMTR-END -->

package/README.md

@@ -0,0 +1,78 @@
+# grāmatr Client Package
+
+This package contains the shared grāmatr client runtime plus per-target adapters.
+
+Current target model:
+
+- local / thick-client targets
+  - `claude-code`
+  - `codex`
+- hosted / remote targets
+  - `remote-mcp`
+  - `claude-web`
+  - `chatgpt-web`
+
+The important distinction is that hosted targets are not local hook installs. They use remote MCP or future hosted-client packaging.
+
+## CLI
+
+The package exposes a `gramatr` CLI:
+
+```bash
+gramatr install
+gramatr install claude-code
+gramatr install codex
+gramatr install all
+gramatr detect
+gramatr doctor
+gramatr migrate
+gramatr migrate --apply
+gramatr upgrade
+```
+
+## Command Behavior
+
+- `gramatr install`
+  - interactive local target selection
+  - installs local adapter(s)
+  - prints remote target guidance separately
+- `gramatr detect`
+  - reports detected local targets and known hosted targets
+- `gramatr doctor`
+  - reports current target detection, payload presence, and stale legacy artifacts
+- `gramatr migrate`
+  - dry-run legacy cleanup and Claude config sanitization
+- `gramatr migrate --apply`
+  - applies legacy cleanup and configuration sanitization
+- `gramatr upgrade`
+  - performs migration cleanup when needed, then re-syncs detected local targets
+
+## Thin-Client Default
+
+Claude installs now default to the thin-client hook set.
+
+Optional Claude UX hooks are disabled by default and can be enabled with:
+
+```bash
+GMTR_ENABLE_OPTIONAL_CLAUDE_UX=1
+```
+
+## Development
+
+Install dependencies:
+
+```bash
+pnpm install --frozen-lockfile
+```
+
+Run package tests:
+
+```bash
+pnpm --filter @aios-v2/client test
+```
+
+Run target detection locally:
+
+```bash
+pnpm --filter @aios-v2/client exec bun bin/gramatr.ts detect
+```

package/bin/clean-legacy-install.ts

@@ -0,0 +1,28 @@
+#!/usr/bin/env node
+
+import { join } from 'path';
+import { runLegacyMigration } from '../core/migration.ts';
+
+function log(message: string): void {
+  process.stdout.write(`${message}\n`);
+}
+
+function main(): void {
+  const home = process.env.HOME || process.env.USERPROFILE;
+  if (!home) {
+    throw new Error('HOME is not set');
+  }
+
+  const apply = process.argv.includes('--apply');
+  const includeOptionalUx = process.env.GMTR_ENABLE_OPTIONAL_CLAUDE_UX === '1';
+  const clientDir = process.env.GMTR_DIR || join(home, 'gmtr-client');
+  runLegacyMigration({
+    homeDir: home,
+    clientDir,
+    includeOptionalUx,
+    apply,
+    log,
+  });
+}
+
+main();

package/bin/get-token.py

@@ -0,0 +1,3 @@
+import json, os
+s = os.path.expanduser("~/gmtr-client/settings.json")
+print(json.load(open(s)).get("auth",{}).get("api_key",""))

package/bin/gmtr-login.ts

@@ -0,0 +1,547 @@
+#!/usr/bin/env node
+/**
+ * gmtr-login — Authenticate with the gramatr server
+ *
+ * Opens the grāmatr dashboard login flow, captures a Firebase ID token
+ * on localhost, and stores it in ~/.gmtr.json.
+ *
+ * Usage:
+ *   bun gmtr-login.ts                    # Interactive browser login via Firebase dashboard
+ *   bun gmtr-login.ts --token <token>    # Paste a token directly (API key or Firebase token)
+ *   bun gmtr-login.ts --status           # Check current auth status
+ *   bun gmtr-login.ts --logout           # Remove stored credentials
+ *
+ * Token is stored in ~/.gmtr.json under the "token" key.
+ * The GMTRPromptEnricher hook reads this on every prompt.
+ */
+
+import { randomBytes } from 'crypto';
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { createServer, type IncomingMessage, type ServerResponse } from 'http';
+
+// ── Config ──
+
+const HOME = process.env.HOME || process.env.USERPROFILE || '';
+const CONFIG_PATH = join(HOME, '.gmtr.json');
+const DEFAULT_SERVER = process.env.GMTR_URL || 'https://api.gramatr.com/mcp';
+// Strip /mcp suffix to get base URL
+const SERVER_BASE = DEFAULT_SERVER.replace(/\/mcp\/?$/, '');
+const DASHBOARD_BASE = process.env.GMTR_DASHBOARD_URL || (() => {
+  try {
+    const url = new URL(SERVER_BASE);
+    if (url.hostname.startsWith('api.')) {
+      url.hostname = `app.${url.hostname.slice(4)}`;
+    }
+    url.pathname = '';
+    url.search = '';
+    url.hash = '';
+    return url.toString().replace(/\/$/, '');
+  } catch {
+    return 'https://app.gramatr.com';
+  }
+})();
+const CALLBACK_PORT = 58787; // Must match server's redirect_uris
+
+// ── HTML Templates ──
+
+const BRAND_CSS = `
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+    background: #0a0e17;
+    color: #e0e6ed;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+  }
+  .card {
+    background: #141b2d;
+    border: 1px solid #1e2940;
+    border-radius: 16px;
+    padding: 48px;
+    max-width: 440px;
+    width: 90%;
+    text-align: center;
+    box-shadow: 0 8px 32px rgba(0,0,0,0.4);
+  }
+  .logo {
+    font-size: 28px;
+    font-weight: 700;
+    letter-spacing: -0.5px;
+    margin-bottom: 8px;
+  }
+  .logo .accent { color: #00b4d8; }
+  .logo .dim { color: #5a6a8a; }
+  .subtitle {
+    color: #5a6a8a;
+    font-size: 13px;
+    margin-bottom: 32px;
+  }
+  .status {
+    font-size: 48px;
+    margin-bottom: 16px;
+  }
+  h2 {
+    font-size: 20px;
+    font-weight: 600;
+    margin-bottom: 12px;
+  }
+  h2.success { color: #00b4d8; }
+  h2.error { color: #e74c3c; }
+  p {
+    color: #7a8aaa;
+    font-size: 14px;
+    line-height: 1.6;
+  }
+  .hint {
+    margin-top: 24px;
+    padding-top: 24px;
+    border-top: 1px solid #1e2940;
+    font-size: 12px;
+    color: #4a5a7a;
+  }
+`;
+
+function htmlPage(title: string, body: string): string {
+  return `<!DOCTYPE html>
+<html lang="en"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>${title} — gramatr</title>
+  <style>${BRAND_CSS}</style>
+</head><body>
+  <div class="card">
+    <div class="logo"><span class="accent">gr</span>āma<span class="accent">tr</span></div>
+    <div class="subtitle">your cross-agent AI brain</div>
+    ${body}
+  </div>
+</body></html>`;
+}
+
+function successPage(): string {
+  return htmlPage('Authenticated', `
+    <div class="status">✓</div>
+    <h2 class="success">Authenticated</h2>
+    <p>Token saved. You can close this tab and return to your terminal.</p>
+    <div class="hint">gramatr intelligence is now active across all your AI tools.</div>
+  `);
+}
+
+function errorPage(title: string, detail: string): string {
+  return htmlPage('Error', `
+    <div class="status">✗</div>
+    <h2 class="error">${title}</h2>
+    <p>${detail}</p>
+    <div class="hint">Return to your terminal and try again, or use <code>gmtr-login --token</code> to paste a token directly.</div>
+  `);
+}
+
+// ── Headless Detection ──
+
+function isHeadless(): boolean {
+  // SSH session without display forwarding
+  if (process.env.SSH_CONNECTION || process.env.SSH_TTY) {
+    if (!process.env.DISPLAY && process.platform !== 'darwin') return true;
+  }
+  // Docker / CI / no TTY
+  if (process.env.CI || process.env.DOCKER) return true;
+  // Linux without display
+  if (process.platform === 'linux' && !process.env.DISPLAY && !process.env.WAYLAND_DISPLAY) return true;
+  return false;
+}
+
+// ── Helpers ──
+
+function readConfig(): Record<string, any> {
+  try {
+    return JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
+  } catch {
+    return {};
+  }
+}
+
+function writeConfig(config: Record<string, any>): void {
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n');
+}
+
+async function checkServerHealth(): Promise<{ ok: boolean; version?: string; error?: string }> {
+  try {
+    const res = await fetch(`${SERVER_BASE}/health`, { signal: AbortSignal.timeout(5000) });
+    if (res.ok) {
+      const data = await res.json() as any;
+      return { ok: true, version: data.version };
+    }
+    return { ok: false, error: `HTTP ${res.status}` };
+  } catch (e: any) {
+    return { ok: false, error: e.message };
+  }
+}
+
+async function testToken(token: string): Promise<{ valid: boolean; user?: string; error?: string }> {
+  try {
+    const res = await fetch(`${SERVER_BASE}/mcp`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json, text/event-stream',
+        Authorization: `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        jsonrpc: '2.0',
+        id: 1,
+        method: 'tools/call',
+        params: { name: 'aggregate_stats', arguments: {} },
+      }),
+      signal: AbortSignal.timeout(10000),
+    });
+
+    const text = await res.text();
+
+    // Check for auth errors
+    if (text.includes('JWT token is required') || text.includes('signature validation failed') || text.includes('Unauthorized')) {
+      return { valid: false, error: 'Token rejected by server' };
+    }
+
+    // Check for successful response
+    for (const line of text.split('\n')) {
+      if (line.startsWith('data: ')) {
+        try {
+          const d = JSON.parse(line.slice(6));
+          if (d?.result?.isError) {
+            return { valid: false, error: d.result.content?.[0]?.text || 'Unknown error' };
+          }
+          if (d?.result?.content?.[0]?.text) {
+            return { valid: true, user: 'authenticated' };
+          }
+        } catch {
+          continue;
+        }
+      }
+    }
+
+    return { valid: false, error: 'Unexpected response' };
+  } catch (e: any) {
+    return { valid: false, error: e.message };
+  }
+}
+
+async function startDeviceAuthorization(): Promise<{
+  device_code: string;
+  user_code: string;
+  verification_uri: string;
+  verification_uri_complete?: string;
+  expires_in: number;
+  interval: number;
+}> {
+  const res = await fetch(`${SERVER_BASE}/device/start`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ client_name: 'gmtr-login' }),
+    signal: AbortSignal.timeout(10000),
+  });
+
+  const payload = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    throw new Error(payload.error_description || payload.error || `HTTP ${res.status}`);
+  }
+  return payload;
+}
+
+async function pollDeviceAuthorization(deviceCode: string): Promise<string> {
+  while (true) {
+    const res = await fetch(`${SERVER_BASE}/device/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ device_code: deviceCode }),
+      signal: AbortSignal.timeout(10000),
+    });
+
+    const payload = await res.json().catch(() => ({}));
+    if (res.ok && payload.access_token) {
+      return payload.access_token as string;
+    }
+
+    if ((res.status === 428 || res.status === 400) && payload.error === 'authorization_pending') {
+      const waitSeconds = Math.max(1, Number(payload.interval) || 5);
+      await new Promise((resolve) => setTimeout(resolve, waitSeconds * 1000));
+      continue;
+    }
+
+    throw new Error(payload.error_description || payload.error || `HTTP ${res.status}`);
+  }
+}
+
+// ── Commands ──
+
+async function showStatus(): Promise<void> {
+  console.log('\n  gramatr authentication status\n');
+
+  const config = readConfig();
+  const token = config.token;
+
+  console.log(`  Server:  ${SERVER_BASE}`);
+
+  const health = await checkServerHealth();
+  if (health.ok) {
+    console.log(`  Health:  ✓ healthy (v${health.version || 'unknown'})`);
+  } else {
+    console.log(`  Health:  ✗ ${health.error}`);
+  }
+
+  if (!token) {
+    console.log('  Token:   ✗ not configured');
+    console.log('\n  Run: bun gmtr-login.ts to authenticate\n');
+    return;
+  }
+
+  const prefix = token.substring(0, 15);
+  console.log(`  Token:   ${prefix}...`);
+
+  const result = await testToken(token);
+  if (result.valid) {
+    console.log('  Auth:    ✓ token is valid');
+  } else {
+    console.log(`  Auth:    ✗ ${result.error}`);
+    console.log('\n  Run: bun gmtr-login.ts to re-authenticate\n');
+  }
+
+  console.log('');
+}
+
+async function logout(): Promise<void> {
+  const config = readConfig();
+  delete config.token;
+  delete config.token_type;
+  delete config.token_expires;
+  delete config.authenticated_at;
+  writeConfig(config);
+  console.log('\n  ✓ Logged out. Token removed from ~/.gmtr.json\n');
+}
+
+async function loginWithToken(token: string): Promise<void> {
+  console.log('\n  Testing token...');
+
+  const result = await testToken(token);
+  if (result.valid) {
+    const config = readConfig();
+    config.token = token;
+    config.token_type = token.startsWith('aios_sk_') || token.startsWith('gmtr_sk_') ? 'api_key' : 'oauth';
+    config.authenticated_at = new Date().toISOString();
+    writeConfig(config);
+    console.log('  ✓ Token valid. Saved to ~/.gmtr.json');
+    console.log('  gramatr intelligence is now active.\n');
+  } else {
+    console.log(`  ✗ Token rejected: ${result.error}`);
+    console.log('  Token was NOT saved.\n');
+    process.exit(1);
+  }
+}
+
+async function loginBrowser(): Promise<void> {
+  console.log('\n  gramatr login\n');
+  console.log(`  Server: ${SERVER_BASE}`);
+  console.log(`  Dashboard: ${DASHBOARD_BASE}`);
+
+  // Check server health first
+  const health = await checkServerHealth();
+  if (!health.ok) {
+    console.log(`  ✗ Server unreachable: ${health.error}`);
+    console.log('  Cannot authenticate. Is the server running?\n');
+    process.exit(1);
+  }
+  console.log(`  Health: ✓ v${health.version || 'unknown'}`);
+
+  console.log('');
+
+  // Headless environments use device auth (no local server needed)
+  if (isHeadless()) {
+    console.log('  Headless environment detected. Starting device login...\n');
+    try {
+      const device = await startDeviceAuthorization();
+      console.log(`  Code: ${device.user_code}`);
+      console.log(`  Open: ${device.verification_uri_complete || device.verification_uri}`);
+      console.log('  Sign in with Google or GitHub, approve the device, then return here.\n');
+      console.log('  Waiting for authorization...');
+
+      const accessToken = await Promise.race([
+        pollDeviceAuthorization(device.device_code),
+        new Promise<string>((_, reject) => setTimeout(() => reject(new Error('Device login timed out')), device.expires_in * 1000)),
+      ]);
+
+      const config = readConfig();
+      config.token = accessToken;
+      config.token_type = 'oauth';
+      config.authenticated_at = new Date().toISOString();
+      config.server_url = SERVER_BASE;
+      config.dashboard_url = DASHBOARD_BASE;
+      writeConfig(config);
+
+      console.log('');
+      console.log('  ✓ Authenticated successfully');
+      console.log('  Token saved to ~/.gmtr.json');
+      console.log('  gramatr intelligence is now active.\n');
+      return;
+    } catch (e: any) {
+      console.log(`  ✗ Device login failed: ${e.message}`);
+      console.log('  Fallback: gmtr-login --token\n');
+      process.exit(1);
+    }
+  }
+
+  // Browser environments use local callback server
+  const state = randomBytes(16).toString('base64url');
+  const callbackUrl = `http://localhost:${CALLBACK_PORT}/callback`;
+
+  const tokenPromise = new Promise<string>((resolve, reject) => {
+    const server = createServer(async (req: IncomingMessage, res: ServerResponse) => {
+      const url = new URL(req.url || '/', `http://localhost:${CALLBACK_PORT}`);
+
+      if (url.pathname !== '/callback') {
+        res.writeHead(404);
+        res.end('Not found');
+        return;
+      }
+
+      const token = url.searchParams.get('token');
+      const returnedState = url.searchParams.get('state');
+      const error = url.searchParams.get('error');
+
+      if (error) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Authentication Failed', error));
+        server.close();
+        reject(new Error(`OAuth error: ${error}`));
+        return;
+      }
+
+      if (!token || returnedState !== state) {
+        res.writeHead(400, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Invalid Callback', 'Missing Firebase token or state mismatch. Please try again.'));
+        server.close();
+        reject(new Error('Invalid callback'));
+        return;
+      }
+
+      try {
+        const validation = await testToken(token);
+        if (!validation.valid) {
+          res.writeHead(200, { 'Content-Type': 'text/html' });
+          res.end(errorPage('Token Validation Failed', validation.error || 'Server rejected token'));
+          server.close();
+          reject(new Error(validation.error || 'Server rejected token'));
+          return;
+        }
+
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(successPage());
+        server.close();
+        resolve(token);
+      } catch (e: any) {
+        res.writeHead(500, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Unexpected Error', e.message));
+        server.close();
+        reject(e);
+      }
+    });
+
+    server.listen(CALLBACK_PORT, () => {
+      // Server ready
+    });
+
+    // Timeout after 2 minutes
+    setTimeout(() => {
+      server.close();
+      reject(new Error('Login timed out after 2 minutes'));
+    }, 120000);
+  });
+
+  const authorizeUrl = new URL('/login', `${DASHBOARD_BASE}/`);
+  authorizeUrl.searchParams.set('callback', callbackUrl);
+  authorizeUrl.searchParams.set('state', state);
+
+  console.log('  Opening browser for authentication...');
+  console.log(`  If it doesn't open, visit:`);
+  console.log(`  ${authorizeUrl.toString()}`);
+  console.log('');
+
+  // Open browser
+  const { exec } = await import('child_process');
+  const openCmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';
+  exec(`${openCmd} "${authorizeUrl.toString()}"`);
+
+  console.log('  Waiting for authorization...');
+
+  try {
+    const accessToken = await tokenPromise;
+
+    // Save token
+    const config = readConfig();
+    config.token = accessToken;
+    config.token_type = 'firebase';
+    config.authenticated_at = new Date().toISOString();
+    config.server_url = SERVER_BASE;
+    config.dashboard_url = DASHBOARD_BASE;
+    writeConfig(config);
+
+    console.log('');
+    console.log('  ✓ Authenticated successfully');
+    console.log('  Token saved to ~/.gmtr.json');
+    console.log('  gramatr intelligence is now active.\n');
+  } catch (e: any) {
+    console.log(`\n  ✗ Authentication failed: ${e.message}\n`);
+    process.exit(1);
+  }
+}
+
+// ── CLI ──
+
+const args = process.argv.slice(2);
+
+if (args.includes('--status') || args.includes('status')) {
+  await showStatus();
+} else if (args.includes('--logout') || args.includes('logout')) {
+  await logout();
+} else if (args.includes('--token') || args.includes('-t')) {
+  const tokenIdx = args.indexOf('--token') !== -1 ? args.indexOf('--token') : args.indexOf('-t');
+  const token = args[tokenIdx + 1];
+  if (!token) {
+    // Interactive paste mode — like Claude's login
+    console.log('\n  Paste your gramatr token below.');
+    console.log('  (API keys start with aios_sk_ or gmtr_sk_)\n');
+    process.stdout.write('  Token: ');
+
+    const { createInterface } = await import('readline');
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    const pastedToken = await new Promise<string>((resolve) => {
+      rl.on('line', (line: string) => { rl.close(); resolve(line.trim()); });
+    });
+    if (!pastedToken) {
+      console.log('  No token provided.\n');
+      process.exit(1);
+    }
+    await loginWithToken(pastedToken);
+  } else {
+    await loginWithToken(token);
+  }
+} else if (args.includes('--help') || args.includes('-h')) {
+  console.log(`
+  gmtr-login — Authenticate with the gramatr server
+
+  Usage:
+    gmtr-login              Interactive dashboard login (browser or headless device flow)
+    gmtr-login --token      Paste a token (API key or Firebase token)
+    gmtr-login --token <t>  Provide token directly
+    gmtr-login --status     Check authentication status
+    gmtr-login --logout     Remove stored credentials
+    gmtr-login --help       Show this help
+
+  Token storage: ~/.gmtr.json
+  Server: ${SERVER_BASE}
+  Dashboard: ${DASHBOARD_BASE}
+`);
+} else {
+  // Default: browser login flow
+  await loginBrowser();
+}