invokora 0.1.0

package/dist/cli/oauth.js

@@ -0,0 +1,594 @@
+import { spawn } from 'node:child_process';
+import { createHash, randomBytes } from 'node:crypto';
+import { createServer } from 'node:http';
+import { API_V1, OAUTH_CALLBACK_PATH, OAUTH_DEFAULT_TIMEOUT_MS } from './constants.js';
+import { readJsonResponse } from './http.js';
+const OAUTH_CALLBACK_COPY = {
+    en: {
+        title: 'Invokora Login',
+        brand: 'Invokora CLI auth',
+        status: {
+            success: 'AUTHORIZED',
+            warning: 'ACTION REQUIRED',
+        },
+        heading: {
+            success: ['Login', 'complete'],
+            blocked: ['Login', 'blocked'],
+        },
+        messages: {
+            success: 'Login complete. Returning control to the terminal.',
+            stateMismatch: 'State mismatch. You can close this window.',
+            authorizationFailed: 'Authorization failed. You can close this window.',
+            missingCode: 'Missing authorization code. You can close this window.',
+        },
+        autoCloseHint: 'This loopback window should close automatically. If it stays open, you can close it manually.',
+        runtimeBoundary: 'Runtime boundary',
+        boundary: {
+            runtime: 'Runtime',
+            runtimeValue: 'Localhost',
+            client: 'Client',
+            clientValue: 'Terminal',
+            access: 'Access',
+            accessValue: 'OAuth code',
+        },
+    },
+    zh: {
+        title: 'Invokora 登录',
+        brand: 'Invokora CLI 认证',
+        status: {
+            success: '已授权',
+            warning: '需要处理',
+        },
+        heading: {
+            success: ['登录', '完成'],
+            blocked: ['登录', '受阻'],
+        },
+        messages: {
+            success: '登录已完成，正在把控制权交回终端。',
+            stateMismatch: 'state 不匹配。你可以关闭这个窗口。',
+            authorizationFailed: '授权失败。你可以关闭这个窗口。',
+            missingCode: '缺少授权码。你可以关闭这个窗口。',
+        },
+        autoCloseHint: '这个本地回调窗口会自动关闭。如果没有关闭，可以手动关闭。',
+        runtimeBoundary: '运行边界',
+        boundary: {
+            runtime: '运行环境',
+            runtimeValue: '本地回环',
+            client: '客户端',
+            clientValue: '终端',
+            access: '访问凭据',
+            accessValue: 'OAuth 授权码',
+        },
+    },
+};
+function escapeHTML(value) {
+    return value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+function resolveOAuthCallbackLocale(acceptLanguage) {
+    const raw = Array.isArray(acceptLanguage) ? acceptLanguage.join(',') : acceptLanguage;
+    if (!raw)
+        return 'en';
+    const entries = raw
+        .split(',')
+        .map((part, index) => {
+        const [language = '', ...params] = part.trim().split(';');
+        const qParam = params.find((param) => param.trim().startsWith('q='));
+        const q = qParam ? Number(qParam.trim().slice(2)) : 1;
+        return { language: language.toLowerCase(), q: Number.isFinite(q) ? q : 0, index };
+    })
+        .filter((entry) => entry.q > 0)
+        .sort((a, b) => b.q - a.q || a.index - b.index);
+    for (const entry of entries) {
+        if (entry.language === 'zh' || entry.language.startsWith('zh-'))
+            return 'zh';
+        if (entry.language === 'en' || entry.language.startsWith('en-'))
+            return 'en';
+    }
+    return 'en';
+}
+function renderOAuthCallbackHTML(view, locale) {
+    const copy = OAUTH_CALLBACK_COPY[locale];
+    const autoClose = view === 'success';
+    const statusKey = autoClose ? 'success' : 'warning';
+    const statusLabel = copy.status[statusKey];
+    const statusTone = statusKey;
+    const heading = copy.heading[autoClose ? 'success' : 'blocked'].map(escapeHTML).join('<br />');
+    const escapedMessage = escapeHTML(copy.messages[view]);
+    const script = autoClose
+        ? `<script>
+(() => {
+  const closeWindow = () => {
+    try {
+      window.close();
+    } catch {}
+  };
+  closeWindow();
+  setTimeout(closeWindow, 150);
+})();
+</script>`
+        : '';
+    return `<!doctype html>
+<html lang="${locale === 'zh' ? 'zh-CN' : 'en'}">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${escapeHTML(copy.title)}</title>
+    <style>
+      :root {
+        color-scheme: dark;
+        --warp-bg: #030b13;
+        --warp-bg-deep: #01060b;
+        --fg: #edf7ff;
+        --muted: #b8c4cf;
+        --muted-low: #7f909c;
+        --signal: #5cf28f;
+        --signal-cyan: #38caff;
+        --signal-cyan-dim: rgba(56, 202, 255, 0.16);
+        --line: rgba(56, 202, 255, 0.34);
+        --line-muted: rgba(184, 196, 207, 0.14);
+        --surface: rgba(4, 18, 30, 0.88);
+        --surface-low: rgba(8, 28, 43, 0.72);
+        --warning: #f6c86b;
+      }
+      * { box-sizing: border-box; }
+      body {
+        margin: 0;
+        min-height: 100vh;
+        overflow: hidden;
+        display: grid;
+        place-items: center;
+        padding: 24px;
+        background:
+          radial-gradient(circle at 24% 18%, rgba(56, 202, 255, 0.18), transparent 32%),
+          radial-gradient(circle at 80% 22%, rgba(92, 242, 143, 0.12), transparent 26%),
+          linear-gradient(180deg, #06111c 0%, var(--warp-bg-deep) 54%, #06111c 100%);
+        color: var(--fg);
+        font: 16px/1.55 "Space Grotesk", ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+      }
+      body::before {
+        content: "";
+        position: fixed;
+        inset: 0;
+        pointer-events: none;
+        background-image:
+          linear-gradient(rgba(56, 202, 255, 0.06) 1px, transparent 1px),
+          linear-gradient(90deg, rgba(56, 202, 255, 0.06) 1px, transparent 1px);
+        background-size: 42px 42px;
+        mask-image: linear-gradient(to bottom, rgba(0, 0, 0, 0.88), rgba(0, 0, 0, 0.14));
+      }
+      main {
+        position: relative;
+        width: min(560px, 100%);
+        padding: 1px;
+        border: 1px solid var(--line);
+        clip-path: polygon(18px 0, 100% 0, 100% calc(100% - 18px), calc(100% - 18px) 100%, 0 100%, 0 18px);
+        background:
+          linear-gradient(135deg, rgba(56, 202, 255, 0.38), rgba(92, 242, 143, 0.18) 44%, rgba(56, 202, 255, 0.10)),
+          var(--surface);
+        box-shadow: 0 30px 80px rgba(0, 0, 0, 0.42), 0 0 46px rgba(56, 202, 255, 0.12);
+      }
+      .panel {
+        padding: clamp(24px, 7vw, 40px);
+        clip-path: inherit;
+        background:
+          linear-gradient(180deg, rgba(4, 18, 30, 0.92), rgba(1, 6, 11, 0.95)),
+          var(--surface);
+      }
+      .status-strip {
+        display: flex;
+        gap: 8px;
+        margin-bottom: 28px;
+      }
+      .status-strip span {
+        width: 38px;
+        height: 3px;
+        background: var(--signal-cyan);
+        box-shadow: 0 0 14px rgba(56, 202, 255, 0.4);
+      }
+      .brand {
+        display: inline-flex;
+        align-items: center;
+        gap: 10px;
+        color: var(--signal);
+        font-size: 12px;
+        font-weight: 800;
+        letter-spacing: 0.16em;
+        text-transform: uppercase;
+      }
+      .brand-mark {
+        display: grid;
+        width: 26px;
+        height: 26px;
+        place-items: center;
+        border: 1px solid rgba(92, 242, 143, 0.48);
+        background: rgba(92, 242, 143, 0.10);
+        color: var(--signal);
+      }
+      .brand-mark::before {
+        content: ">_";
+        transform: translateY(-1px);
+      }
+      .status {
+        display: inline-flex;
+        margin-top: 24px;
+        border: 1px solid var(--signal-cyan-dim);
+        background: var(--surface-low);
+        padding: 6px 9px;
+        color: var(--status-color);
+        font-size: 11px;
+        font-weight: 800;
+        letter-spacing: 0.14em;
+        text-transform: uppercase;
+      }
+      .status.success { --status-color: var(--signal); }
+      .status.warning { --status-color: var(--warning); }
+      h1 {
+        margin: 14px 0 10px;
+        color: var(--fg);
+        font-size: clamp(34px, 8vw, 54px);
+        font-weight: 900;
+        letter-spacing: 0.035em;
+        line-height: 0.98;
+        text-transform: uppercase;
+      }
+      p {
+        margin: 0;
+        color: var(--muted);
+        max-width: 34rem;
+      }
+      .hint {
+        margin-top: 16px;
+        color: var(--muted-low);
+        font-size: 14px;
+      }
+      .boundary {
+        display: grid;
+        grid-template-columns: repeat(3, minmax(0, 1fr));
+        gap: 1px;
+        margin-top: 28px;
+        border: 1px solid var(--line-muted);
+        background: var(--line-muted);
+      }
+      .boundary div {
+        min-width: 0;
+        background: rgba(3, 11, 19, 0.86);
+        padding: 12px;
+      }
+      .boundary dt {
+        margin: 0 0 4px;
+        color: var(--muted-low);
+        font-size: 10px;
+        letter-spacing: 0.14em;
+        text-transform: uppercase;
+      }
+      .boundary dd {
+        margin: 0;
+        color: var(--signal-cyan);
+        font-size: 12px;
+        font-weight: 700;
+      }
+      @media (max-width: 520px) {
+        body { padding: 16px; }
+        .boundary { grid-template-columns: 1fr; }
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <div class="panel">
+        <div class="status-strip" aria-hidden="true"><span></span><span></span><span></span></div>
+        <div class="brand"><span class="brand-mark" aria-hidden="true"></span><span>${escapeHTML(copy.brand)}</span></div>
+        <div class="status ${statusTone}">${escapeHTML(statusLabel)}</div>
+        <h1>${heading}</h1>
+        <p>${escapedMessage}</p>
+        ${autoClose ? `<p class="hint">${escapeHTML(copy.autoCloseHint)}</p>` : ''}
+        <dl class="boundary" aria-label="${escapeHTML(copy.runtimeBoundary)}">
+          <div><dt>${escapeHTML(copy.boundary.runtime)}</dt><dd>${escapeHTML(copy.boundary.runtimeValue)}</dd></div>
+          <div><dt>${escapeHTML(copy.boundary.client)}</dt><dd>${escapeHTML(copy.boundary.clientValue)}</dd></div>
+          <div><dt>${escapeHTML(copy.boundary.access)}</dt><dd>${escapeHTML(copy.boundary.accessValue)}</dd></div>
+        </dl>
+      </div>
+    </main>
+    ${script}
+  </body>
+</html>`;
+}
+export function base64UrlEncode(input) {
+    return input.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+export function generateOAuthState() {
+    return base64UrlEncode(randomBytes(32));
+}
+export function generateCodeVerifier() {
+    return base64UrlEncode(randomBytes(64));
+}
+export function buildS256CodeChallenge(codeVerifier) {
+    return base64UrlEncode(createHash('sha256').update(codeVerifier).digest());
+}
+export function parseLoginCommandOptions(args) {
+    const options = {
+        timeoutMs: OAUTH_DEFAULT_TIMEOUT_MS,
+        noOpen: false,
+    };
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--timeout') {
+            const val = args[i + 1];
+            if (!val)
+                throw new Error('Missing value for --timeout');
+            const ms = Number(val);
+            if (!Number.isFinite(ms) || ms <= 0) {
+                throw new Error('--timeout must be a positive number (milliseconds)');
+            }
+            options.timeoutMs = ms;
+            i++;
+            continue;
+        }
+        if (arg === '--no-open') {
+            options.noOpen = true;
+            continue;
+        }
+        throw new Error(`Unknown login option: ${arg}`);
+    }
+    return options;
+}
+export function chooseLoopbackHost(address) {
+    return address === '::1' ? '[::1]' : address;
+}
+export async function openBrowserURL(url) {
+    const platform = process.platform;
+    const command = platform === 'darwin' ? 'open' : platform === 'win32' ? 'start' : 'xdg-open';
+    const args = platform === 'win32' ? ['/c', 'start', '""', url] : [url];
+    const executable = platform === 'win32' ? 'cmd' : command;
+    return new Promise((resolve) => {
+        const child = spawn(executable, args, {
+            stdio: 'ignore',
+            detached: platform !== 'win32',
+        });
+        child.on('error', () => resolve(false));
+        child.on('spawn', () => {
+            child.unref();
+            resolve(true);
+        });
+    });
+}
+export function normalizeCallbackError(payload) {
+    if (payload.error === 'access_denied') {
+        return 'Authorization denied by user';
+    }
+    const code = payload.error?.trim() || 'oauth_error';
+    const desc = payload.error_description?.trim();
+    return desc ? `${code}: ${desc}` : code;
+}
+export function withTimeout(promise, timeoutMs, timeoutMessage) {
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => reject(new Error(timeoutMessage)), timeoutMs);
+        promise
+            .then((value) => {
+            clearTimeout(timer);
+            resolve(value);
+        })
+            .catch((error) => {
+            clearTimeout(timer);
+            reject(error);
+        });
+    });
+}
+export class OAuthLoopbackServer {
+    expectedState;
+    timeoutMs;
+    server;
+    closed = false;
+    settled = false;
+    redirectUrl = '';
+    resolveCallback;
+    callbackPromise = new Promise((resolve) => {
+        this.resolveCallback = resolve;
+    });
+    constructor(expectedState, timeoutMs, server) {
+        this.expectedState = expectedState;
+        this.timeoutMs = timeoutMs;
+        this.server = server;
+    }
+    static async create(expectedState, timeoutMs) {
+        const server = createServer();
+        const instance = new OAuthLoopbackServer(expectedState, timeoutMs, server);
+        server.on('request', (req, res) => instance.handleRequest(req, res));
+        await instance.listen();
+        instance.redirectUrl = instance.buildRedirectURI();
+        return instance;
+    }
+    get redirectURI() {
+        return this.redirectUrl;
+    }
+    async waitForCallback() {
+        try {
+            return await withTimeout(this.callbackPromise, this.timeoutMs, 'OAuth callback timed out');
+        }
+        finally {
+            await this.close();
+        }
+    }
+    async close() {
+        if (this.closed)
+            return;
+        this.closed = true;
+        await new Promise((resolve) => {
+            this.server.close(() => resolve());
+        });
+    }
+    async listen() {
+        await new Promise((resolve, reject) => {
+            const onError = (error) => {
+                this.server.off('error', onError);
+                reject(error);
+            };
+            this.server.once('error', onError);
+            // 回环地址只允许本机回调，避免 CLI 登录口暴露给局域网其他机器。
+            this.server.listen(0, '127.0.0.1', () => {
+                this.server.off('error', onError);
+                resolve();
+            });
+        });
+    }
+    buildRedirectURI() {
+        const address = this.server.address();
+        if (!address || typeof address === 'string') {
+            throw new Error('Failed to bind loopback callback listener');
+        }
+        const host = chooseLoopbackHost(address.address || '127.0.0.1');
+        return `http://${host}:${address.port}${OAUTH_CALLBACK_PATH}`;
+    }
+    complete(payload) {
+        if (this.settled)
+            return;
+        this.settled = true;
+        this.resolveCallback?.(payload);
+    }
+    handleRequest(req, res) {
+        const reqUrl = req.url ?? '/';
+        const incoming = new URL(reqUrl, 'http://127.0.0.1');
+        if (incoming.pathname !== OAUTH_CALLBACK_PATH) {
+            res.statusCode = 404;
+            res.setHeader('content-type', 'text/plain; charset=utf-8');
+            res.end('Not found');
+            return;
+        }
+        const payload = {
+            code: incoming.searchParams.get('code') ?? undefined,
+            state: incoming.searchParams.get('state') ?? undefined,
+            error: incoming.searchParams.get('error') ?? undefined,
+            error_description: incoming.searchParams.get('error_description') ?? undefined,
+        };
+        const locale = resolveOAuthCallbackLocale(req.headers['accept-language']);
+        if (payload.state && payload.state !== this.expectedState) {
+            res.statusCode = 400;
+            res.setHeader('content-type', 'text/html; charset=utf-8');
+            res.end(renderOAuthCallbackHTML('stateMismatch', locale));
+            // 这里要提前结束等待，终端才能立即报 state 错，而不是傻等到超时。
+            this.complete(payload);
+            return;
+        }
+        if (payload.error) {
+            res.statusCode = 400;
+            res.setHeader('content-type', 'text/html; charset=utf-8');
+            res.end(renderOAuthCallbackHTML('authorizationFailed', locale));
+            this.complete(payload);
+            return;
+        }
+        if (!payload.code) {
+            res.statusCode = 400;
+            res.setHeader('content-type', 'text/html; charset=utf-8');
+            res.end(renderOAuthCallbackHTML('missingCode', locale));
+            this.complete(payload);
+            return;
+        }
+        res.statusCode = 200;
+        res.setHeader('content-type', 'text/html; charset=utf-8');
+        res.end(renderOAuthCallbackHTML('success', locale));
+        this.complete(payload);
+    }
+}
+export async function createOAuthLoopbackListener(expectedState, timeoutMs) {
+    return OAuthLoopbackServer.create(expectedState, timeoutMs);
+}
+export class OAuthCLIClient {
+    backendUrl;
+    fetchImpl;
+    constructor(backendUrl, fetchImpl = fetch) {
+        this.backendUrl = backendUrl;
+        this.fetchImpl = fetchImpl;
+    }
+    async start(redirectURI, state, codeChallenge) {
+        const response = await this.fetchImpl(new URL(`${API_V1}/auth/cli/start`, this.backendUrl), {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                redirect_uri: redirectURI,
+                state,
+                code_challenge: codeChallenge,
+            }),
+        });
+        const json = await readJsonResponse(response);
+        if (!response.ok) {
+            throw new Error(`OAuth start failed: ${json?.error?.message ?? `HTTP ${response.status}`}`);
+        }
+        if (!json.authorize_url || !json.state || !json.flow_id) {
+            throw new Error('OAuth start response missing authorize_url/state/flow_id');
+        }
+        return json;
+    }
+    async exchange(state, codeVerifier, code) {
+        const response = await this.fetchImpl(new URL(`${API_V1}/auth/cli/exchange`, this.backendUrl), {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                code,
+                state,
+                code_verifier: codeVerifier,
+            }),
+        });
+        const json = await readJsonResponse(response);
+        if (!response.ok) {
+            throw new Error(`OAuth exchange failed: ${json?.error?.message ?? `HTTP ${response.status}`}`);
+        }
+        if (!json.access_token) {
+            throw new Error('OAuth exchange response missing access_token');
+        }
+        return json;
+    }
+}
+export async function startOAuthCLI(backendUrl, redirectURI, state, codeChallenge, fetchImpl) {
+    return new OAuthCLIClient(backendUrl, fetchImpl).start(redirectURI, state, codeChallenge);
+}
+export async function exchangeOAuthCode(backendUrl, state, codeVerifier, code, fetchImpl) {
+    return new OAuthCLIClient(backendUrl, fetchImpl).exchange(state, codeVerifier, code);
+}
+export class OAuthBrowserLoginFlow {
+    params;
+    constructor(params) {
+        this.params = params;
+    }
+    async run() {
+        const fetchImpl = this.params.fetchImpl ?? fetch;
+        const log = this.params.log ?? ((message) => console.log(message));
+        const state = this.params.state ?? generateOAuthState();
+        const codeVerifier = this.params.codeVerifier ?? generateCodeVerifier();
+        const codeChallenge = buildS256CodeChallenge(codeVerifier);
+        const loopbackFactory = this.params.loopbackFactory ?? createOAuthLoopbackListener;
+        const listener = await loopbackFactory(state, this.params.timeoutMs);
+        const client = new OAuthCLIClient(this.params.backendUrl, fetchImpl);
+        try {
+            const startResp = await client.start(listener.redirectURI, state, codeChallenge);
+            if (this.params.noOpen) {
+                log('Open this URL in your browser to continue login:');
+                log(startResp.authorize_url);
+            }
+            else {
+                const openUrl = this.params.openUrl ?? openBrowserURL;
+                const opened = await openUrl(startResp.authorize_url);
+                if (!opened) {
+                    log('Failed to open browser automatically. Open this URL manually:');
+                    log(startResp.authorize_url);
+                }
+            }
+            const callback = await listener.waitForCallback();
+            if (callback.state !== state) {
+                throw new Error('State mismatch from OAuth callback');
+            }
+            if (callback.error) {
+                throw new Error(normalizeCallbackError(callback));
+            }
+            if (!callback.code) {
+                throw new Error('Missing authorization code from OAuth callback');
+            }
+            return client.exchange(state, codeVerifier, callback.code);
+        }
+        finally {
+            await listener.close();
+        }
+    }
+}
+export async function runOAuthBrowserLogin(params) {
+    return new OAuthBrowserLoginFlow(params).run();
+}

package/dist/cli/prompts.d.ts

@@ -0,0 +1,23 @@
+import type { McpTarget, SyncScope, SyncTarget } from './types.js';
+interface PromptChoice {
+    value: string;
+    label: string;
+    hint?: string;
+}
+export type SkillAddSelectionMode = 'all' | 'custom' | 'none';
+export declare class CliPrompts {
+    line(question: string): Promise<string>;
+    yesNo(question: string, defaultValue: boolean): Promise<boolean>;
+    pickMcpTargets(): Promise<McpTarget[]>;
+    pickSyncScope(): Promise<SyncScope>;
+    pickSyncTargets(scope: SyncScope): Promise<SyncTarget[]>;
+    pickSyncableSkills(skills: PromptChoice[]): Promise<string[]>;
+    pickSyncableSkillAddMode(): Promise<SkillAddSelectionMode>;
+    pickSyncableWorkflows(workflows: PromptChoice[]): Promise<string[]>;
+    pickLocalManagedSkills(skills: PromptChoice[]): Promise<string[]>;
+    private pickMany;
+    private defaultMcpTargets;
+    private defaultSyncTargets;
+    private uniqueTargets;
+}
+export {};