groove-dev 0.17.0 → 0.17.2

package/node_modules/@groove-dev/daemon/integrations-registry.json

@@ -11,10 +11,20 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-slack"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "SLACK_BOT_TOKEN", "label": "Bot Token", "placeholder": "xoxb-...", "required": true },
       { "key": "SLACK_TEAM_ID", "label": "Team ID", "placeholder": "T01234567", "required": true }
     ],
+    "setupUrl": "https://api.slack.com/apps",
+    "setupSteps": [
+      "Go to api.slack.com/apps and click 'Create New App'",
+      "Choose 'From scratch', name it 'Groove', pick your workspace",
+      "Go to 'OAuth & Permissions', add scopes: channels:read, channels:history, chat:write, users:read",
+      "Click 'Install to Workspace' and authorize",
+      "Copy the 'Bot User OAuth Token' (starts with xoxb-)",
+      "Your Team ID is in the workspace URL: app.slack.com/client/TXXXXXXX"
+    ],
     "featured": true,
     "downloads": 0,
     "rating": 0,
@@ -33,9 +43,16 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-github"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "GITHUB_PERSONAL_ACCESS_TOKEN", "label": "Personal Access Token", "placeholder": "ghp_...", "required": true }
     ],
+    "setupUrl": "https://github.com/settings/tokens/new",
+    "setupSteps": [
+      "Click the link below to create a new token on GitHub",
+      "Select scopes: repo, read:org, read:user",
+      "Click 'Generate token' and copy it"
+    ],
     "featured": true,
     "downloads": 0,
     "rating": 0,
@@ -54,9 +71,16 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@stripe/agent-toolkit", "mcp"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "STRIPE_SECRET_KEY", "label": "Secret Key", "placeholder": "sk_...", "required": true }
     ],
+    "setupUrl": "https://dashboard.stripe.com/apikeys",
+    "setupSteps": [
+      "Click the link below to open your Stripe API keys",
+      "Copy the 'Secret key' (starts with sk_live_ or sk_test_)",
+      "Use a test key (sk_test_) for safe experimentation"
+    ],
     "featured": true,
     "downloads": 0,
     "rating": 0,
@@ -75,10 +99,17 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@anthropic-ai/mcp-server-google-calendar"],
+    "authType": "oauth-google",
+    "oauthScopes": ["https://www.googleapis.com/auth/calendar"],
     "envKeys": [
-      { "key": "GOOGLE_CLIENT_ID", "label": "OAuth Client ID", "required": true },
-      { "key": "GOOGLE_CLIENT_SECRET", "label": "OAuth Client Secret", "required": true },
-      { "key": "GOOGLE_REFRESH_TOKEN", "label": "Refresh Token", "required": true }
+      { "key": "GOOGLE_CLIENT_ID", "label": "OAuth Client ID", "required": true, "hidden": true },
+      { "key": "GOOGLE_CLIENT_SECRET", "label": "OAuth Client Secret", "required": true, "hidden": true },
+      { "key": "GOOGLE_REFRESH_TOKEN", "label": "Refresh Token", "required": true, "hidden": true }
+    ],
+    "setupSteps": [
+      "Click 'Connect with Google' below",
+      "Sign in and authorize Groove to access your calendar",
+      "That's it — your credentials are stored securely"
     ],
     "featured": false,
     "downloads": 0,
@@ -98,10 +129,17 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@anthropic-ai/mcp-server-gmail"],
+    "authType": "oauth-google",
+    "oauthScopes": ["https://www.googleapis.com/auth/gmail.modify"],
     "envKeys": [
-      { "key": "GOOGLE_CLIENT_ID", "label": "OAuth Client ID", "required": true },
-      { "key": "GOOGLE_CLIENT_SECRET", "label": "OAuth Client Secret", "required": true },
-      { "key": "GOOGLE_REFRESH_TOKEN", "label": "Refresh Token", "required": true }
+      { "key": "GOOGLE_CLIENT_ID", "label": "OAuth Client ID", "required": true, "hidden": true },
+      { "key": "GOOGLE_CLIENT_SECRET", "label": "OAuth Client Secret", "required": true, "hidden": true },
+      { "key": "GOOGLE_REFRESH_TOKEN", "label": "Refresh Token", "required": true, "hidden": true }
+    ],
+    "setupSteps": [
+      "Click 'Connect with Google' below",
+      "Sign in and authorize Groove to access your email",
+      "That's it — your credentials are stored securely"
     ],
     "featured": false,
     "downloads": 0,
@@ -121,9 +159,14 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-postgres"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "POSTGRES_CONNECTION_STRING", "label": "Connection String", "placeholder": "postgresql://user:pass@host:5432/db", "required": true }
     ],
+    "setupSteps": [
+      "Enter your PostgreSQL connection string",
+      "Format: postgresql://username:password@host:port/database"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -142,9 +185,16 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-brave-search"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "BRAVE_API_KEY", "label": "API Key", "placeholder": "BSA...", "required": true }
     ],
+    "setupUrl": "https://brave.com/search/api/",
+    "setupSteps": [
+      "Click the link below to get a Brave Search API key",
+      "Sign up for a free plan (2,000 queries/month)",
+      "Copy your API key"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -163,10 +213,17 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-gdrive"],
+    "authType": "oauth-google",
+    "oauthScopes": ["https://www.googleapis.com/auth/drive.readonly"],
     "envKeys": [
-      { "key": "GOOGLE_CLIENT_ID", "label": "OAuth Client ID", "required": true },
-      { "key": "GOOGLE_CLIENT_SECRET", "label": "OAuth Client Secret", "required": true },
-      { "key": "GOOGLE_REFRESH_TOKEN", "label": "Refresh Token", "required": true }
+      { "key": "GOOGLE_CLIENT_ID", "label": "OAuth Client ID", "required": true, "hidden": true },
+      { "key": "GOOGLE_CLIENT_SECRET", "label": "OAuth Client Secret", "required": true, "hidden": true },
+      { "key": "GOOGLE_REFRESH_TOKEN", "label": "Refresh Token", "required": true, "hidden": true }
+    ],
+    "setupSteps": [
+      "Click 'Connect with Google' below",
+      "Sign in and authorize Groove to access your Drive",
+      "That's it — your credentials are stored securely"
     ],
     "featured": false,
     "downloads": 0,
@@ -186,9 +243,16 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@ibraheem4/linear-mcp-server"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "LINEAR_API_KEY", "label": "API Key", "required": true }
     ],
+    "setupUrl": "https://linear.app/settings/api",
+    "setupSteps": [
+      "Click the link below to open Linear API settings",
+      "Click 'Create key', give it a label like 'Groove'",
+      "Copy the API key"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -207,9 +271,17 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@notionhq/notion-mcp-server"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "NOTION_API_KEY", "label": "Integration Token", "placeholder": "ntn_...", "required": true }
     ],
+    "setupUrl": "https://www.notion.so/my-integrations",
+    "setupSteps": [
+      "Click the link below to open Notion integrations",
+      "Click 'New integration', name it 'Groove'",
+      "Copy the 'Internal Integration Secret'",
+      "Share the pages/databases you want accessible with the integration"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -228,9 +300,18 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "mcp-discord"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "DISCORD_BOT_TOKEN", "label": "Bot Token", "required": true }
     ],
+    "setupUrl": "https://discord.com/developers/applications",
+    "setupSteps": [
+      "Click the link below to open Discord Developer Portal",
+      "Click 'New Application', name it 'Groove'",
+      "Go to 'Bot' tab, click 'Reset Token', copy it",
+      "Enable 'Message Content Intent' under Privileged Gateway Intents",
+      "Go to OAuth2 > URL Generator, select 'bot' scope, invite to your server"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -249,10 +330,16 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "mcp-home-assistant"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "HOME_ASSISTANT_URL", "label": "HA URL", "placeholder": "http://homeassistant.local:8123", "required": true },
       { "key": "HOME_ASSISTANT_TOKEN", "label": "Long-Lived Access Token", "required": true }
     ],
+    "setupSteps": [
+      "Enter your Home Assistant URL (usually http://homeassistant.local:8123)",
+      "In HA: Profile (bottom left) > Security > Long-Lived Access Tokens",
+      "Click 'Create Token', name it 'Groove', copy the token"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -271,6 +358,7 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-filesystem"],
+    "authType": "none",
     "envKeys": [],
     "featured": false,
     "downloads": 0,
@@ -290,9 +378,16 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-google-maps"],
+    "authType": "api-key",
     "envKeys": [
       { "key": "GOOGLE_MAPS_API_KEY", "label": "API Key", "required": true }
     ],
+    "setupUrl": "https://console.cloud.google.com/apis/credentials",
+    "setupSteps": [
+      "Click the link below to open Google Cloud Console",
+      "Create or select a project, then 'Create Credentials' > 'API Key'",
+      "Enable the Maps JavaScript API, Geocoding API, and Places API"
+    ],
     "featured": false,
     "downloads": 0,
     "rating": 0,
@@ -311,6 +406,7 @@
     "transport": "stdio",
     "command": "npx",
     "args": ["-y", "@modelcontextprotocol/server-sqlite"],
+    "authType": "none",
     "envKeys": [],
     "featured": false,
     "downloads": 0,

package/node_modules/@groove-dev/daemon/src/api.js

@@ -505,6 +505,58 @@ export function createApi(app, daemon) {
     }
   });
 
+  // --- Google OAuth flow ---
+
+  app.get('/api/integrations/google-oauth/status', (req, res) => {
+    res.json({ configured: daemon.integrations.isGoogleOAuthConfigured() });
+  });
+
+  app.post('/api/integrations/google-oauth/setup', (req, res) => {
+    try {
+      const { clientId, clientSecret } = req.body || {};
+      if (!clientId || !clientSecret) return res.status(400).json({ error: 'clientId and clientSecret are required' });
+      daemon.integrations.setCredential('google-oauth', 'GOOGLE_CLIENT_ID', clientId);
+      daemon.integrations.setCredential('google-oauth', 'GOOGLE_CLIENT_SECRET', clientSecret);
+      res.json({ ok: true });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.post('/api/integrations/:id/oauth/start', (req, res) => {
+    try {
+      const url = daemon.integrations.getOAuthUrl(req.params.id);
+      res.json({ url });
+    } catch (err) {
+      res.status(400).json({ error: err.message });
+    }
+  });
+
+  app.get('/api/integrations/oauth/callback', async (req, res) => {
+    try {
+      const { code, state } = req.query;
+      if (!code || !state) return res.status(400).send('Missing code or state parameter');
+      await daemon.integrations.handleOAuthCallback(code, state);
+      // Return a nice HTML page that auto-closes
+      res.send(`<!DOCTYPE html><html><body style="font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#1e2127;color:#e6e6e6">
+        <div style="text-align:center">
+          <div style="font-size:48px;margin-bottom:16px">&#10003;</div>
+          <h2>Connected!</h2>
+          <p style="color:#7a8394">You can close this tab and return to Groove.</p>
+          <script>setTimeout(()=>window.close(),2000)</script>
+        </div>
+      </body></html>`);
+    } catch (err) {
+      res.status(400).send(`<!DOCTYPE html><html><body style="font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;background:#1e2127;color:#e06c75">
+        <div style="text-align:center">
+          <h2>Connection Failed</h2>
+          <p>${err.message}</p>
+          <p style="color:#7a8394">Close this tab and try again in Groove.</p>
+        </div>
+      </body></html>`);
+    }
+  });
+
   // --- Agent Integrations (attach/detach) ---
 
   app.post('/api/agents/:agentId/integrations/:integrationId', (req, res) => {

package/node_modules/@groove-dev/daemon/src/integrations.js

@@ -235,6 +235,8 @@ export class IntegrationStore {
   /**
    * Build MCP config object for a set of integration IDs.
    * Returns the mcpServers object to merge into .mcp.json.
+   * SECURITY: credentials are NOT included in the config file.
+   * They are injected at spawn time via process environment only.
    */
   buildMcpConfig(integrationIds) {
     const mcpServers = {};
@@ -244,23 +246,33 @@ export class IntegrationStore {
       if (!entry) continue;
       if (!this._isInstalled(id)) continue;
 
-      // Build environment with credentials
-      const env = {};
-      for (const ek of (entry.envKeys || [])) {
-        const val = this.getCredential(id, ek.key);
-        if (val) env[ek.key] = val;
-      }
-
+      // No env block — credentials stay out of .mcp.json
       mcpServers[`groove-${id}`] = {
         command: entry.command || 'npx',
         args: entry.args || ['-y', entry.npmPackage],
-        env,
       };
     }
 
     return mcpServers;
   }
 
+  /**
+   * Get environment variables with decrypted credentials for a set of integration IDs.
+   * These are passed to the agent process at spawn time (in-memory only, never written to disk).
+   */
+  getSpawnEnv(integrationIds) {
+    const env = {};
+    for (const id of integrationIds) {
+      const entry = this.registry.find((s) => s.id === id);
+      if (!entry) continue;
+      for (const ek of (entry.envKeys || [])) {
+        const val = this.getCredential(id, ek.key);
+        if (val) env[ek.key] = val;
+      }
+    }
+    return env;
+  }
+
   /**
    * Write/merge MCP config into the project root .mcp.json.
    * Only adds/updates groove-* entries, preserves user's own MCP configs.
@@ -359,6 +371,92 @@ export class IntegrationStore {
     }
   }
 
+  /**
+   * Start an OAuth flow for a Google integration.
+   * Returns the authorization URL to open in a browser.
+   */
+  getOAuthUrl(integrationId) {
+    const entry = this.registry.find((s) => s.id === integrationId);
+    if (!entry) throw new Error(`Integration not found: ${integrationId}`);
+    if (entry.authType !== 'oauth-google') throw new Error('Integration does not use OAuth');
+
+    // Check if user has provided their own Google OAuth client (stored globally)
+    const clientId = this.getCredential('google-oauth', 'GOOGLE_CLIENT_ID');
+    const clientSecret = this.getCredential('google-oauth', 'GOOGLE_CLIENT_SECRET');
+    if (!clientId || !clientSecret) {
+      throw new Error('Google OAuth not configured. Set up your Google Cloud project first.');
+    }
+
+    const port = this.daemon.port || 31415;
+    const redirectUri = `http://localhost:${port}/api/integrations/oauth/callback`;
+    const scopes = entry.oauthScopes || [];
+
+    const params = new URLSearchParams({
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      response_type: 'code',
+      scope: scopes.join(' '),
+      access_type: 'offline',
+      prompt: 'consent',
+      state: integrationId,
+    });
+
+    return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+  }
+
+  /**
+   * Handle OAuth callback — exchange code for tokens.
+   */
+  async handleOAuthCallback(code, integrationId) {
+    const clientId = this.getCredential('google-oauth', 'GOOGLE_CLIENT_ID');
+    const clientSecret = this.getCredential('google-oauth', 'GOOGLE_CLIENT_SECRET');
+    if (!clientId || !clientSecret) {
+      throw new Error('Google OAuth credentials not found');
+    }
+
+    const port = this.daemon.port || 31415;
+    const redirectUri = `http://localhost:${port}/api/integrations/oauth/callback`;
+
+    const res = await fetch('https://oauth2.googleapis.com/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        code,
+        client_id: clientId,
+        client_secret: clientSecret,
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
+    });
+
+    if (!res.ok) {
+      const err = await res.json().catch(() => ({}));
+      throw new Error(`OAuth token exchange failed: ${err.error_description || err.error || 'unknown'}`);
+    }
+
+    const tokens = await res.json();
+
+    // Store the tokens for this integration
+    this.setCredential(integrationId, 'GOOGLE_CLIENT_ID', clientId);
+    this.setCredential(integrationId, 'GOOGLE_CLIENT_SECRET', clientSecret);
+    if (tokens.refresh_token) {
+      this.setCredential(integrationId, 'GOOGLE_REFRESH_TOKEN', tokens.refresh_token);
+    }
+
+    this.daemon.audit.log('integration.oauth.complete', { id: integrationId });
+
+    return { ok: true, integrationId };
+  }
+
+  /**
+   * Check if Google OAuth is configured (user has set up their Cloud project).
+   */
+  isGoogleOAuthConfigured() {
+    const clientId = this.getCredential('google-oauth', 'GOOGLE_CLIENT_ID');
+    const clientSecret = this.getCredential('google-oauth', 'GOOGLE_CLIENT_SECRET');
+    return !!(clientId && clientSecret);
+  }
+
   // --- Internal ---
 
   _isInstalled(integrationId) {

package/node_modules/@groove-dev/daemon/src/process.js

@@ -201,9 +201,12 @@ For normal file edits within your scope, proceed without review.
       }
     }
 
-    // Write MCP config for agent integrations
+    // Write MCP config for agent integrations (command/args only, no secrets)
+    // Credentials are injected via process environment below
+    let integrationEnv = {};
     if (config.integrations?.length > 0 && this.daemon.integrations) {
       this.daemon.integrations.writeMcpJson(config.integrations);
+      integrationEnv = this.daemon.integrations.getSpawnEnv(config.integrations);
     }
 
     const { command, args, env } = provider.buildSpawnCommand(spawnConfig);
@@ -232,7 +235,7 @@ For normal file edits within your scope, proceed without review.
     // Spawn the process
     const proc = cpSpawn(command, args, {
       cwd: agent.workingDir || this.daemon.projectDir,
-      env: { ...process.env, ...env, GROOVE_AGENT_ID: agent.id, GROOVE_AGENT_NAME: agent.name },
+      env: { ...process.env, ...env, ...integrationEnv, GROOVE_AGENT_ID: agent.id, GROOVE_AGENT_NAME: agent.name },
       stdio: ['ignore', 'pipe', 'pipe'],
       // Don't let agent process prevent daemon from exiting
       detached: false,