horizon-code 0.1.0

package/src/platform/config.ts

@@ -0,0 +1,121 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { mkdirSync, readFileSync, writeFileSync, existsSync } from "node:fs";
+
+const CONFIG_DIR = join(homedir(), ".horizon");
+const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+
+// ── Hardcoded constants (same Supabase project as the platform) ──
+// The anon key is public — it's in client-side JS on the website. RLS protects data.
+export const SUPABASE_URL = "https://pjhydvnnptabkiiluoji.supabase.co";
+export const SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InBqaHlkdm5ucHRhYmtpaWx1b2ppIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NzA3NTMwMDQsImV4cCI6MjA4NjMyOTAwNH0.vwa7fwDIwDX9rJkWDq9K_mgWyCMsGqnKE3OMNOR8KOM";
+export const AUTH_URL = "https://api.mathematicalcompany.com";       // API key portal (auth, keys, billing)
+export const PLATFORM_URL = "https://horizon.mathematicalcompany.com"; // Deploy platform (strategies, deployments, metrics)
+
+export interface HorizonConfig {
+  api_key?: string;
+  user_email?: string;
+  user_id?: string;
+  supabase_session?: {
+    access_token: string;
+    refresh_token: string;
+  };
+  session_encrypted?: boolean;
+  encrypted_env?: Record<string, string>;
+  settings?: Record<string, unknown>;
+  hooks?: Array<{ event: string; command: string; enabled: boolean; label?: string }>;
+  has_launched?: boolean;
+  open_chat_ids?: string[];
+}
+
+function ensureDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+export function loadConfig(): HorizonConfig {
+  try {
+    if (!existsSync(CONFIG_FILE)) return {};
+    const raw = readFileSync(CONFIG_FILE, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return {};
+  }
+}
+
+export function saveConfig(config: HorizonConfig): void {
+  ensureDir();
+  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
+}
+
+export function getApiKey(): string | null {
+  return process.env.HORIZON_API_KEY ?? loadConfig().api_key ?? null;
+}
+
+export function getPlatformUrl(): string {
+  return process.env.HORIZON_PLATFORM_URL ?? PLATFORM_URL;
+}
+
+export function getAuthUrl(): string {
+  return process.env.HORIZON_AUTH_URL ?? AUTH_URL;
+}
+
+// ── Encrypted environment variables ──
+// Encrypted with AES-256-GCM, key derived from the user's API key
+
+import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";
+
+function deriveKey(apiKey: string): Buffer {
+  return pbkdf2Sync(apiKey, "horizon-env-v1", 100000, 32, "sha256");
+}
+
+export function encryptEnvVar(value: string): string {
+  const apiKey = getApiKey();
+  if (!apiKey) throw new Error("Not authenticated");
+  const key = deriveKey(apiKey);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, encrypted, tag]).toString("base64");
+}
+
+export function decryptEnvVar(ciphertext: string): string {
+  const apiKey = getApiKey();
+  if (!apiKey) throw new Error("Not authenticated");
+  const key = deriveKey(apiKey);
+  const buf = Buffer.from(ciphertext, "base64");
+  const iv = buf.subarray(0, 12);
+  const tag = buf.subarray(buf.length - 16);
+  const data = buf.subarray(12, buf.length - 16);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(data) + decipher.final("utf8");
+}
+
+export function setEncryptedEnv(name: string, value: string): void {
+  const config = loadConfig();
+  if (!config.encrypted_env) config.encrypted_env = {};
+  config.encrypted_env[name] = encryptEnvVar(value);
+  saveConfig(config);
+}
+
+export function removeEncryptedEnv(name: string): void {
+  const config = loadConfig();
+  if (config.encrypted_env) {
+    delete config.encrypted_env[name];
+    saveConfig(config);
+  }
+}
+
+export function getDecryptedEnv(name: string): string | null {
+  const config = loadConfig();
+  const enc = config.encrypted_env?.[name];
+  if (!enc) return null;
+  try { return decryptEnvVar(enc); } catch { return null; }
+}
+
+export function listEncryptedEnvNames(): string[] {
+  return Object.keys(loadConfig().encrypted_env ?? {});
+}

package/src/platform/session-sync.ts

@@ -0,0 +1,158 @@
+// Session sync — persists chat sessions to Supabase
+// Saves are fire-and-forget (async, non-blocking). Loads happen on startup.
+
+import { store } from "../state/store.ts";
+import {
+  fetchSessions, createDbSession, updateDbSession, deleteDbSession,
+  fetchMessages, insertMessage,
+  isLoggedIn,
+} from "./supabase.ts";
+import type { Session } from "../state/types.ts";
+import type { Message } from "../chat/types.ts";
+
+// Track which sessions/messages have been synced
+const syncedMessageIds = new Set<string>();
+const knownDbSessionIds = new Set<string>();
+
+/**
+ * Load sessions from Supabase on startup.
+ * Merges with any existing in-memory sessions.
+ */
+export async function loadSessions(): Promise<void> {
+  if (!(await isLoggedIn())) return;
+
+  try {
+    const dbSessions = await fetchSessions();
+    for (const dbs of dbSessions) knownDbSessionIds.add(dbs.id);
+    if (dbSessions.length === 0) return;
+
+    const sessions: Session[] = [];
+
+    for (const dbs of dbSessions) {
+      const dbMessages = await fetchMessages(dbs.id);
+
+      // Skip empty sessions — don't load chats with no messages
+      if (dbMessages.length === 0) continue;
+
+      sessions.push({
+        id: dbs.id,
+        name: dbs.name,
+        messages: dbMessages.map((m) => ({
+          id: m.id,
+          role: m.role as any,
+          content: m.content,
+          timestamp: new Date(m.created_at).getTime(),
+          status: m.status as any,
+        })),
+        createdAt: new Date(dbs.created_at).getTime(),
+        updatedAt: new Date(dbs.updated_at).getTime(),
+        pinned: false,
+        mode: (dbs.mode as any) ?? "research",
+        isStreaming: false,
+        streamingMsgId: null,
+        strategyDraft: dbs.strategy_draft ?? null,
+      });
+
+      // Mark all loaded messages as synced
+      for (const m of dbMessages) syncedMessageIds.add(m.id);
+    }
+
+    if (sessions.length > 0) {
+      const sessionIds = new Set(sessions.map((s) => s.id));
+
+      // Only keep in-memory sessions that have actual messages (user was actively chatting)
+      const currentState = store.get();
+      const unsaved = currentState.sessions.filter((s) =>
+        !sessionIds.has(s.id) && s.messages.length > 0
+      );
+      const merged = [...sessions, ...unsaved];
+      const mergedIds = new Set(merged.map((s) => s.id));
+
+      // Restore open chat IDs from config, filtered + deduped
+      const { loadConfig } = await import("./config.ts");
+      const cfg = loadConfig();
+      const savedOpenIds = [...new Set(
+        (cfg.open_chat_ids ?? []).filter((id: string) => mergedIds.has(id))
+      )];
+
+      const openIds = savedOpenIds.length > 0 ? savedOpenIds : [sessions[0]!.id];
+      const activeId = mergedIds.has(openIds[0]!) ? openIds[0]! : sessions[0]!.id;
+
+      store.update({
+        sessions: merged,
+        activeSessionId: activeId,
+        openTabIds: openIds,
+      });
+    }
+  } catch {}
+}
+
+/**
+ * Save the current active session to Supabase.
+ * Creates the session if it doesn't exist, inserts new messages.
+ */
+export async function saveActiveSession(): Promise<void> {
+  if (!(await isLoggedIn())) return;
+
+  const session = store.getActiveSession();
+  if (!session || session.messages.length === 0) return;
+
+  try {
+    let dbId = session.id;
+
+    if (!knownDbSessionIds.has(session.id)) {
+      // Session not in DB yet — create it
+      const newId = await createDbSession(session.name, session.mode ?? "research");
+      if (!newId) return;
+
+      // Remap: update the session ID in the store to match the DB UUID
+      const oldId = session.id;
+      const state = store.get();
+      const sessions = state.sessions.map((s) =>
+        s.id === oldId ? { ...s, id: newId } : s
+      );
+      const openTabIds = state.openTabIds.map((id) => id === oldId ? newId : id);
+      const activeSessionId = state.activeSessionId === oldId ? newId : state.activeSessionId;
+      store.update({ sessions, openTabIds, activeSessionId });
+
+      knownDbSessionIds.add(newId);
+      dbId = newId;
+    }
+
+    // Batch insert unsynced messages
+    const unsynced = session.messages.filter((msg) => !syncedMessageIds.has(msg.id));
+    for (const msg of unsynced) {
+      await insertMessage(dbId, {
+        role: msg.role,
+        content: msg.content,
+        status: msg.status,
+      });
+      syncedMessageIds.add(msg.id);
+    }
+
+    // Update session metadata
+    await updateDbSession(dbId, { name: session.name }).catch(() => {});
+  } catch {}
+}
+
+/**
+ * Delete a session from Supabase.
+ */
+export async function deleteSessionFromDb(sessionId: string): Promise<void> {
+  if (!(await isLoggedIn())) return;
+  try { await deleteDbSession(sessionId); } catch {}
+}
+
+/**
+ * Auto-save on a timer (every 30 seconds).
+ */
+let saveTimer: ReturnType<typeof setInterval> | null = null;
+
+export function startAutoSave(): void {
+  if (saveTimer) return;
+  saveTimer = setInterval(() => saveActiveSession(), 30000);
+}
+
+export function stopAutoSave(): void {
+  if (saveTimer) { clearInterval(saveTimer); saveTimer = null; }
+}

package/src/platform/supabase.ts

@@ -0,0 +1,376 @@
+// Supabase client — always-connected, auto-refreshing session
+// Once authenticated, the client maintains the session automatically.
+// DB operations (chats, messages) work as long as the user is logged in.
+
+import { createClient, type SupabaseClient, type Session } from "@supabase/supabase-js";
+import { loadConfig, saveConfig, getAuthUrl, SUPABASE_URL, SUPABASE_ANON_KEY, encryptEnvVar, decryptEnvVar, getApiKey } from "./config.ts";
+import { platform } from "./client.ts";
+import type { ContentBlock } from "../chat/types.ts";
+
+let client: SupabaseClient | null = null;
+
+// ── Client (singleton, auto-refreshes tokens) ──
+
+export function getSupabase(): SupabaseClient {
+  if (client) return client;
+
+  client = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
+    auth: {
+      persistSession: false,
+      autoRefreshToken: true,
+      detectSessionInUrl: false,
+    },
+  });
+
+  // Listen for auth state changes — keep config in sync
+  client.auth.onAuthStateChange((_event, session) => {
+    if (session) {
+      const config = loadConfig();
+      // Encrypt tokens at rest if we have an API key for key derivation
+      if (getApiKey()) {
+        try {
+          config.supabase_session = {
+            access_token: encryptEnvVar(session.access_token),
+            refresh_token: encryptEnvVar(session.refresh_token),
+          };
+          config.session_encrypted = true;
+        } catch {
+          // Fallback to plaintext if encryption fails
+          config.supabase_session = {
+            access_token: session.access_token,
+            refresh_token: session.refresh_token,
+          };
+          config.session_encrypted = false;
+        }
+      } else {
+        config.supabase_session = {
+          access_token: session.access_token,
+          refresh_token: session.refresh_token,
+        };
+        config.session_encrypted = false;
+      }
+      config.user_email = session.user.email ?? config.user_email;
+      config.user_id = session.user.id;
+      saveConfig(config);
+    }
+  });
+
+  return client;
+}
+
+// ── User info ──
+
+/** Encrypt and save session tokens to config */
+function saveSessionTokens(config: ReturnType<typeof loadConfig>, accessToken: string, refreshToken: string): void {
+  if (getApiKey()) {
+    try {
+      config.supabase_session = { access_token: encryptEnvVar(accessToken), refresh_token: encryptEnvVar(refreshToken) };
+      config.session_encrypted = true;
+      return;
+    } catch {}
+  }
+  config.supabase_session = { access_token: accessToken, refresh_token: refreshToken };
+  config.session_encrypted = false;
+}
+
+export function getUser(): { id: string; email: string } | null {
+  const config = loadConfig();
+  if (config.user_id) {
+    return { id: config.user_id, email: config.user_email ?? "" };
+  }
+  return null;
+}
+
+export async function isLoggedIn(): Promise<boolean> {
+  const sb = getSupabase();
+  const { data } = await sb.auth.getSession();
+  if (data.session) return true;
+
+  // Try to restore from config
+  const restored = await restoreSession();
+  return restored;
+}
+
+// ── Session restore ──
+
+export async function restoreSession(): Promise<boolean> {
+  const sb = getSupabase();
+  const config = loadConfig();
+
+  if (config.supabase_session?.refresh_token) {
+    let accessToken = config.supabase_session.access_token;
+    let refreshToken = config.supabase_session.refresh_token;
+
+    // Decrypt if encrypted
+    if (config.session_encrypted && getApiKey()) {
+      try {
+        accessToken = decryptEnvVar(accessToken);
+        refreshToken = decryptEnvVar(refreshToken);
+      } catch {
+        // Decryption failed — tokens corrupted or key changed
+        delete config.supabase_session;
+        saveConfig(config);
+        return config.api_key ? (platform.setApiKey(config.api_key), true) : false;
+      }
+    }
+
+    const { data, error } = await sb.auth.setSession({
+      access_token: accessToken,
+      refresh_token: refreshToken,
+    });
+
+    if (!error && data.session) {
+      // Session restored — auto-refresh will keep it alive
+      if (config.api_key) platform.setApiKey(config.api_key);
+      return true;
+    }
+
+    // Tokens fully expired — user needs to /login again
+    delete config.supabase_session;
+    saveConfig(config);
+  }
+
+  // API key still works for the LLM proxy even without a Supabase session
+  if (config.api_key) {
+    platform.setApiKey(config.api_key);
+    return true;
+  }
+
+  return false;
+}
+
+// ── Has live Supabase session (needed for DB operations) ──
+
+export async function hasLiveSession(): Promise<boolean> {
+  const sb = getSupabase();
+  const { data } = await sb.auth.getSession();
+  return !!data.session;
+}
+
+// ── Browser login flow ──
+
+function generateSessionId(): string {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+export async function loginWithBrowser(): Promise<{ success: boolean; error?: string; email?: string }> {
+  const sb = getSupabase();
+  const sessionId = generateSessionId();
+  const authBaseUrl = getAuthUrl();
+
+  // Create pending auth session in DB
+  const { error: insertError } = await sb.from("cli_auth_sessions").insert({
+    id: sessionId,
+    status: "pending",
+  });
+  if (insertError) {
+    return { success: false, error: `Auth init failed: ${insertError.message}` };
+  }
+
+  // Open browser
+  const authUrl = `${authBaseUrl}/auth/cli?session_id=${sessionId}`;
+  const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  Bun.spawn([openCmd, authUrl], { stdout: "ignore", stderr: "ignore" });
+
+  // Poll until auth completes
+  const pollUrl = `${authBaseUrl}/api/auth/cli/poll?session_id=${sessionId}`;
+  const deadline = Date.now() + 90_000;
+
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, 2000));
+    try {
+      const res = await fetch(pollUrl);
+      if (res.status === 202) continue;
+
+      if (res.ok) {
+        const data = await res.json() as { status: string; access_token: string; refresh_token: string; email: string };
+        if (data.status === "ready" && data.access_token) {
+          const { data: sd, error: se } = await sb.auth.setSession({
+            access_token: data.access_token,
+            refresh_token: data.refresh_token,
+          });
+          if (se || !sd.session) return { success: false, error: se?.message ?? "Session error" };
+
+          // Save everything
+          const config = loadConfig();
+          saveSessionTokens(config, sd.session.access_token, sd.session.refresh_token);
+          config.user_email = data.email || sd.session.user.email;
+          config.user_id = sd.session.user.id;
+
+          if (!config.api_key) {
+            try {
+              const apiKey = await createApiKey();
+              if (apiKey) { config.api_key = apiKey; platform.setApiKey(apiKey); }
+            } catch {}
+          } else {
+            platform.setApiKey(config.api_key);
+          }
+
+          saveConfig(config);
+          return { success: true, email: data.email };
+        }
+      }
+      if (res.status === 410) return { success: false, error: "Session expired. Type /login to sign in again." };
+      if (res.status === 404) return { success: false, error: "Auth session not found." };
+    } catch {}
+  }
+
+  try { await sb.from("cli_auth_sessions").delete().eq("id", sessionId); } catch {}
+  return { success: false, error: "Login timed out (90s). Try /login again." };
+}
+
+// ── Email/password login ──
+
+export async function loginWithPassword(email: string, password: string): Promise<{ success: boolean; error?: string; email?: string }> {
+  const sb = getSupabase();
+  const { data, error } = await sb.auth.signInWithPassword({ email, password });
+  if (error) return { success: false, error: error.message };
+  if (!data.session) return { success: false, error: "No session returned" };
+
+  const config = loadConfig();
+  saveSessionTokens(config, data.session.access_token, data.session.refresh_token);
+  config.user_email = data.session.user.email ?? email;
+  config.user_id = data.session.user.id;
+
+  if (!config.api_key) {
+    try {
+      const apiKey = await createApiKey();
+      if (apiKey) { config.api_key = apiKey; platform.setApiKey(apiKey); }
+    } catch {}
+  } else {
+    platform.setApiKey(config.api_key);
+  }
+
+  saveConfig(config);
+  return { success: true, email: data.session.user.email ?? email };
+}
+
+// ── API Key ──
+
+async function createApiKey(): Promise<string | null> {
+  const sb = getSupabase();
+  const { data: { session } } = await sb.auth.getSession();
+  if (!session) return null;
+
+  try {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const hex = Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+    const rawKey = `hz_live_${hex}`;
+    const hashBuf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(rawKey));
+    const keyHash = Array.from(new Uint8Array(hashBuf)).map((b) => b.toString(16).padStart(2, "0")).join("");
+
+    const expiresAt = new Date(Date.now() + 90 * 24 * 3600 * 1000).toISOString();
+    const { error } = await sb.from("api_keys").insert({
+      user_id: session.user.id,
+      name: "Horizon CLI",
+      key_hash: keyHash,
+      key_prefix: rawKey.slice(0, 12),
+      expires_at: expiresAt,
+      scopes: ["read", "write", "deploy"],
+    });
+    if (error) return null;
+    return rawKey;
+  } catch { return null; }
+}
+
+// ── Logout ──
+
+export async function signOut(): Promise<void> {
+  const sb = getSupabase();
+  await sb.auth.signOut().catch(() => {});
+  const config = loadConfig();
+  delete config.supabase_session;
+  saveConfig(config);
+}
+
+// ── Session CRUD (uses live Supabase session for RLS) ──
+
+async function getUserId(): Promise<string | null> {
+  const sb = getSupabase();
+  const { data } = await sb.auth.getSession();
+  return data.session?.user.id ?? null;
+}
+
+export interface DbSession {
+  id: string; name: string; mode: string;
+  strategy_draft: any; created_at: string; updated_at: string;
+}
+
+export async function fetchSessions(): Promise<DbSession[]> {
+  const userId = await getUserId();
+  if (!userId) return [];
+  const sb = getSupabase();
+  const { data } = await sb.from("tui_sessions")
+    .select("id, name, mode, strategy_draft, created_at, updated_at")
+    .order("updated_at", { ascending: false }).limit(50);
+  return data ?? [];
+}
+
+export async function createDbSession(name: string, mode: string): Promise<string | null> {
+  const userId = await getUserId();
+  if (!userId) return null;
+  const sb = getSupabase();
+  const { data } = await sb.from("tui_sessions")
+    .insert({ user_id: userId, name, mode })
+    .select("id").single();
+  return data?.id ?? null;
+}
+
+export async function updateDbSession(sessionId: string, updates: {
+  name?: string; mode?: string; strategy_draft?: any;
+}): Promise<void> {
+  const userId = await getUserId();
+  if (!userId) return;
+  const sb = getSupabase();
+  await sb.from("tui_sessions").update(updates).eq("id", sessionId);
+}
+
+export async function deleteDbSession(sessionId: string): Promise<void> {
+  const userId = await getUserId();
+  if (!userId) return;
+  const sb = getSupabase();
+  await sb.from("tui_sessions").delete().eq("id", sessionId);
+}
+
+// ── Message CRUD ──
+
+export interface DbMessage {
+  id: string; role: string; content: ContentBlock[];
+  status: string; created_at: string;
+}
+
+export async function fetchMessages(sessionId: string): Promise<DbMessage[]> {
+  const userId = await getUserId();
+  if (!userId) return [];
+  const sb = getSupabase();
+  const { data } = await sb.from("tui_messages")
+    .select("id, role, content, status, created_at")
+    .eq("session_id", sessionId).order("created_at", { ascending: true });
+  return data ?? [];
+}
+
+export async function insertMessage(sessionId: string, message: {
+  role: string; content: ContentBlock[]; status: string;
+}): Promise<string | null> {
+  const userId = await getUserId();
+  if (!userId) return null;
+  const sb = getSupabase();
+  const { data } = await sb.from("tui_messages")
+    .insert({
+      session_id: sessionId, user_id: userId,
+      role: message.role, content: message.content, status: message.status,
+    }).select("id").single();
+  return data?.id ?? null;
+}
+
+export async function updateDbMessage(messageId: string, updates: {
+  content?: ContentBlock[]; status?: string;
+}): Promise<void> {
+  const userId = await getUserId();
+  if (!userId) return;
+  const sb = getSupabase();
+  await sb.from("tui_messages").update(updates).eq("id", messageId);
+}