keystone-cli 0.2.0 → 0.3.1

package/src/runner/step-executor.test.ts

@@ -34,7 +34,7 @@ interface RequestOutput {
 // Mock node:readline/promises
 const mockRl = {
   question: mock(() => Promise.resolve('')),
-  close: mock(() => {}),
+  close: mock(() => { }),
 };
 
 mock.module('node:readline/promises', () => ({
@@ -49,13 +49,13 @@ describe('step-executor', () => {
   beforeAll(() => {
     try {
       mkdirSync(tempDir, { recursive: true });
-    } catch (e) {}
+    } catch (e) { }
   });
 
   afterAll(() => {
     try {
       rmSync(tempDir, { recursive: true, force: true });
-    } catch (e) {}
+    } catch (e) { }
   });
 
   beforeEach(() => {
@@ -330,7 +330,7 @@ describe('step-executor', () => {
       };
 
       // @ts-ignore
-      const result = await executeStep(step, context, { log: () => {} });
+      const result = await executeStep(step, context, { log: () => { } });
       expect(result.status).toBe('success');
       expect(result.output).toBe(true);
       expect(mockRl.question).toHaveBeenCalled();
@@ -347,11 +347,54 @@ describe('step-executor', () => {
       };
 
       // @ts-ignore
-      const result = await executeStep(step, context, { log: () => {} });
+      const result = await executeStep(step, context, { log: () => { } });
       expect(result.status).toBe('success');
       expect(result.output).toBe('user response');
     });
 
+    it('should handle human confirmation (yes/no/empty)', async () => {
+      const step: HumanStep = {
+        id: 'h1',
+        type: 'human',
+        message: 'Proceed?',
+        inputType: 'confirm',
+      };
+
+      // Test 'yes'
+      mockRl.question.mockResolvedValue('yes');
+      // @ts-ignore
+      let result = await executeStep(step, context, { log: () => { } });
+      expect(result.output).toBe(true);
+
+      // Test 'no'
+      mockRl.question.mockResolvedValue('no');
+      // @ts-ignore
+      result = await executeStep(step, context, { log: () => { } });
+      expect(result.output).toBe(false);
+
+      // Test empty string (default to true)
+      mockRl.question.mockResolvedValue('');
+      // @ts-ignore
+      result = await executeStep(step, context, { log: () => { } });
+      expect(result.output).toBe(true);
+    });
+
+    it('should fallback to text in confirm mode', async () => {
+      mockRl.question.mockResolvedValue('some custom response');
+
+      const step: HumanStep = {
+        id: 'h1',
+        type: 'human',
+        message: 'Proceed?',
+        inputType: 'confirm',
+      };
+
+      // @ts-ignore
+      const result = await executeStep(step, context, { log: () => { } });
+      expect(result.status).toBe('success');
+      expect(result.output).toBe('some custom response');
+    });
+
     it('should suspend if not a TTY', async () => {
       process.stdin.isTTY = false;
 
@@ -363,7 +406,7 @@ describe('step-executor', () => {
       };
 
       // @ts-ignore
-      const result = await executeStep(step, context, { log: () => {} });
+      const result = await executeStep(step, context, { log: () => { } });
       expect(result.status).toBe('suspended');
       expect(result.error).toBe('Proceed?');
     });
@@ -374,7 +417,7 @@ describe('step-executor', () => {
       const step: WorkflowStep = {
         id: 'w1',
         type: 'workflow',
-        workflow: 'child.yaml',
+        path: 'child.yaml',
       };
       // @ts-ignore
       const executeWorkflowFn = mock(() =>
@@ -392,7 +435,7 @@ describe('step-executor', () => {
       const step: WorkflowStep = {
         id: 'w1',
         type: 'workflow',
-        workflow: 'child.yaml',
+        path: 'child.yaml',
       };
       const result = await executeStep(step, context);
       expect(result.status).toBe('failed');

package/src/runner/step-executor.ts

@@ -5,6 +5,7 @@ import type {
   FileStep,
   HumanStep,
   RequestStep,
+  ScriptStep,
   ShellStep,
   SleepStep,
   Step,
@@ -14,6 +15,7 @@ import { executeShell } from './shell-executor.ts';
 import type { Logger } from './workflow-runner.ts';
 
 import * as readline from 'node:readline/promises';
+import { SafeSandbox } from '../utils/sandbox.ts';
 import { executeLlmStep } from './llm-executor.ts';
 import type { MCPManager } from './mcp-manager.ts';
 
@@ -42,7 +44,8 @@ export async function executeStep(
   context: ExpressionContext,
   logger: Logger = console,
   executeWorkflowFn?: (step: WorkflowStep, context: ExpressionContext) => Promise<StepResult>,
-  mcpManager?: MCPManager
+  mcpManager?: MCPManager,
+  workflowDir?: string
 ): Promise<StepResult> {
   try {
     let result: StepResult;
@@ -66,9 +69,10 @@ export async function executeStep(
         result = await executeLlmStep(
           step,
           context,
-          (s, c) => executeStep(s, c, logger, executeWorkflowFn, mcpManager),
+          (s, c) => executeStep(s, c, logger, executeWorkflowFn, mcpManager, workflowDir),
           logger,
-          mcpManager
+          mcpManager,
+          workflowDir
         );
         break;
       case 'workflow':
@@ -77,6 +81,9 @@ export async function executeStep(
         }
         result = await executeWorkflowFn(step, context);
         break;
+      case 'script':
+        result = await executeScriptStep(step, context, logger);
+        break;
       default:
         throw new Error(`Unknown step type: ${(step as Step).type}`);
     }
@@ -180,6 +187,13 @@ async function executeFileStep(
         throw new Error('Content is required for write operation');
       }
       const content = ExpressionEvaluator.evaluateString(step.content, context);
+
+      // Ensure parent directory exists
+      const fs = await import('node:fs/promises');
+      const pathModule = await import('node:path');
+      const dir = pathModule.dirname(path);
+      await fs.mkdir(dir, { recursive: true });
+
       const bytes = await Bun.write(path, content);
       return {
         output: { path, bytes },
@@ -193,8 +207,13 @@ async function executeFileStep(
       }
       const content = ExpressionEvaluator.evaluateString(step.content, context);
 
-      // Use Node.js fs for efficient append operation
+      // Ensure parent directory exists
       const fs = await import('node:fs/promises');
+      const pathModule = await import('node:path');
+      const dir = pathModule.dirname(path);
+      await fs.mkdir(dir, { recursive: true });
+
+      // Use Node.js fs for efficient append operation
       await fs.appendFile(path, content, 'utf-8');
 
       return {
@@ -310,10 +329,25 @@ async function executeHumanStep(
   try {
     if (step.inputType === 'confirm') {
       logger.log(`\n❓ ${message}`);
-      logger.log('Press Enter to continue, or Ctrl+C to cancel...');
-      await rl.question('');
+      const answer = (await rl.question('Response (Y/n/text): ')).trim();
+
+      const lowerAnswer = answer.toLowerCase();
+      if (lowerAnswer === '' || lowerAnswer === 'y' || lowerAnswer === 'yes') {
+        return {
+          output: true,
+          status: 'success',
+        };
+      }
+      if (lowerAnswer === 'n' || lowerAnswer === 'no') {
+        return {
+          output: false,
+          status: 'success',
+        };
+      }
+
+      // Fallback to text if it's not a clear yes/no
       return {
-        output: true,
+        output: answer,
         status: 'success',
       };
     }
@@ -353,3 +387,31 @@ async function executeSleepStep(
     status: 'success',
   };
 }
+/**
+ * Execute a script step in a safe sandbox
+ */
+async function executeScriptStep(
+  step: ScriptStep,
+  context: ExpressionContext,
+  _logger: Logger
+): Promise<StepResult> {
+  try {
+    const result = await SafeSandbox.execute(step.run, {
+      inputs: context.inputs,
+      secrets: context.secrets,
+      steps: context.steps,
+      env: context.env,
+    });
+
+    return {
+      output: result,
+      status: 'success',
+    };
+  } catch (error) {
+    return {
+      output: null,
+      status: 'failed',
+      error: error instanceof Error ? error.message : String(error),
+    };
+  }
+}

package/src/runner/workflow-runner.ts

@@ -1,4 +1,5 @@
 import { randomUUID } from 'node:crypto';
+import { dirname } from 'node:path';
 import { WorkflowDb } from '../db/workflow-db.ts';
 import type { ExpressionContext } from '../expression/evaluator.ts';
 import { ExpressionEvaluator } from '../expression/evaluator.ts';
@@ -24,7 +25,7 @@ class RedactingLogger implements Logger {
   constructor(
     private inner: Logger,
     private redactor: Redactor
-  ) {}
+  ) { }
 
   log(msg: string): void {
     this.inner.log(this.redactor.redact(msg));
@@ -46,12 +47,13 @@ export interface RunOptions {
   logger?: Logger;
   mcpManager?: MCPManager;
   preventExit?: boolean; // Defaults to false
+  workflowDir?: string;
 }
 
 export interface StepContext {
   output?: unknown;
   outputs?: Record<string, unknown>;
-  status: 'success' | 'failed' | 'skipped';
+  status: 'success' | 'failed' | 'skipped' | 'pending' | 'suspended';
 }
 
 // Type for foreach results - wraps array to ensure JSON serialization preserves all properties
@@ -194,7 +196,7 @@ export class WorkflowRunner {
             items[exec.iteration_index] = {
               output: null,
               outputs: {},
-              status: exec.status as 'failed' | 'running' | 'pending',
+              status: exec.status as 'failed' | 'pending' | 'success' | 'skipped' | 'suspended',
             };
           }
         }
@@ -303,9 +305,37 @@ export class WorkflowRunner {
   private loadSecrets(): Record<string, string> {
     const secrets: Record<string, string> = {};
 
+    // Common non-secret environment variables to exclude from redaction
+    const blocklist = new Set([
+      'USER',
+      'PATH',
+      'SHELL',
+      'HOME',
+      'PWD',
+      'LOGNAME',
+      'LANG',
+      'TERM',
+      'EDITOR',
+      'VISUAL',
+      '_',
+      'SHLVL',
+      'LC_ALL',
+      'OLDPWD',
+      'DISPLAY',
+      'TMPDIR',
+      'SSH_AUTH_SOCK',
+      'XPC_FLAGS',
+      'XPC_SERVICE_NAME',
+      'ITERM_SESSION_ID',
+      'ITERM_PROFILE',
+      'TERM_PROGRAM',
+      'TERM_PROGRAM_VERSION',
+      'COLORTERM',
+    ]);
+
     // Bun automatically loads .env file
     for (const [key, value] of Object.entries(Bun.env)) {
-      if (value) {
+      if (value && !blocklist.has(key)) {
         secrets[key] = value;
       }
     }
@@ -456,7 +486,8 @@ export class WorkflowRunner {
         context,
         this.logger,
         this.executeSubWorkflow.bind(this),
-        this.mcpManager
+        this.mcpManager,
+        this.options.workflowDir
       );
       if (result.status === 'failed') {
         throw new Error(result.error || 'Step failed');
@@ -482,11 +513,7 @@ export class WorkflowRunner {
         return result;
       }
 
-      // Redact secrets from output and error before storing
-      const redactedOutput = this.redactor.redactValue(result.output);
-      const redactedError = result.error ? this.redactor.redact(result.error) : undefined;
-
-      await this.db.completeStep(stepExecId, result.status, redactedOutput, redactedError);
+      await this.db.completeStep(stepExecId, result.status, result.output, result.error);
 
       // Ensure outputs is always an object for consistent access
       let outputs: Record<string, unknown>;
@@ -618,6 +645,7 @@ export class WorkflowRunner {
 
               // Execute and store result at correct index
               try {
+                this.logger.log(`  ⤷ [${i + 1}/${items.length}] Executing iteration...`);
                 itemResults[i] = await this.executeStepInternal(step, itemContext, stepExecId);
                 if (itemResults[i].status === 'failed') {
                   aborted = true;
@@ -700,6 +728,7 @@ export class WorkflowRunner {
   ): Promise<StepResult> {
     const workflowPath = WorkflowRegistry.resolvePath(step.path);
     const workflow = WorkflowParser.loadWorkflow(workflowPath);
+    const subWorkflowDir = dirname(workflowPath);
 
     // Evaluate inputs for the sub-workflow
     const inputs: Record<string, unknown> = {};
@@ -716,6 +745,7 @@ export class WorkflowRunner {
       dbPath: this.db.dbPath,
       logger: this.logger,
       mcpManager: this.mcpManager,
+      workflowDir: subWorkflowDir,
     });
 
     try {
@@ -755,7 +785,7 @@ export class WorkflowRunner {
     this.logger.log(`Run ID: ${this.runId}`);
     this.logger.log(
       '\n⚠️  Security Warning: Only run workflows from trusted sources.\n' +
-        '   Workflows can execute arbitrary shell commands and access your environment.\n'
+      '   Workflows can execute arbitrary shell commands and access your environment.\n'
     );
 
     // Apply defaults and validate inputs
@@ -782,8 +812,7 @@ export class WorkflowRunner {
         this.logger.log('All steps already completed. Nothing to resume.\n');
         // Evaluate outputs from completed state
         const outputs = this.evaluateOutputs();
-        const redactedOutputs = this.redactor.redactValue(outputs) as Record<string, unknown>;
-        await this.db.updateRunStatus(this.runId, 'completed', redactedOutputs);
+        await this.db.updateRunStatus(this.runId, 'completed', outputs);
         this.logger.log('✨ Workflow already completed!\n');
         return outputs;
       }
@@ -794,6 +823,9 @@ export class WorkflowRunner {
 
       this.logger.log(`Execution order: ${executionOrder.join(' → ')}\n`);
 
+      const totalSteps = executionOrder.length;
+      const stepIndices = new Map(executionOrder.map((id, index) => [id, index + 1]));
+
       // Execute steps in parallel where possible (respecting dependencies)
       const pendingSteps = new Set(remainingSteps);
       const runningPromises = new Map<string, Promise<void>>();
@@ -806,18 +838,21 @@ export class WorkflowRunner {
             if (!step) {
               throw new Error(`Step ${stepId} not found in workflow`);
             }
-            const dependenciesMet = step.needs.every((dep) => completedSteps.has(dep));
+            const dependenciesMet = step.needs.every((dep: string) => completedSteps.has(dep));
 
             if (dependenciesMet) {
               pendingSteps.delete(stepId);
 
               // Start execution
-              this.logger.log(`▶ Executing step: ${step.id} (${step.type})`);
+              const stepIndex = stepIndices.get(stepId);
+              this.logger.log(
+                `[${stepIndex}/${totalSteps}] ▶ Executing step: ${step.id} (${step.type})`
+              );
               const promise = this.executeStepWithForeach(step)
                 .then(() => {
                   completedSteps.add(stepId);
                   runningPromises.delete(stepId);
-                  this.logger.log(`  ✓ Step ${step.id} completed\n`);
+                  this.logger.log(`[${stepIndex}/${totalSteps}] ✓ Step ${step.id} completed\n`);
                 })
                 .catch((err) => {
                   runningPromises.delete(stepId);
@@ -852,11 +887,8 @@ export class WorkflowRunner {
       // Evaluate outputs
       const outputs = this.evaluateOutputs();
 
-      // Redact secrets from outputs before storing
-      const redactedOutputs = this.redactor.redactValue(outputs) as Record<string, unknown>;
-
       // Mark run as complete
-      await this.db.updateRunStatus(this.runId, 'completed', redactedOutputs);
+      await this.db.updateRunStatus(this.runId, 'completed', outputs);
 
       this.logger.log('✨ Workflow completed successfully!\n');
 
@@ -874,7 +906,9 @@ export class WorkflowRunner {
     } finally {
       this.removeSignalHandlers();
       await this.runFinally();
-      await this.mcpManager.stopAll();
+      if (!this.options.mcpManager) {
+        await this.mcpManager.stopAll();
+      }
       this.db.close();
     }
   }
@@ -893,6 +927,8 @@ export class WorkflowRunner {
     const completedFinallySteps = new Set<string>();
     const pendingFinallySteps = new Set(this.workflow.finally.map((s) => s.id));
     const runningPromises = new Map<string, Promise<void>>();
+    const totalFinallySteps = this.workflow.finally.length;
+    const finallyStepIndices = new Map(this.workflow.finally.map((s, index) => [s.id, index + 1]));
 
     try {
       while (pendingFinallySteps.size > 0 || runningPromises.size > 0) {
@@ -902,18 +938,23 @@ export class WorkflowRunner {
 
           // Dependencies can be from main steps (already in this.stepContexts) or previous finally steps
           const dependenciesMet = step.needs.every(
-            (dep) => this.stepContexts.has(dep) || completedFinallySteps.has(dep)
+            (dep: string) => this.stepContexts.has(dep) || completedFinallySteps.has(dep)
           );
 
           if (dependenciesMet) {
             pendingFinallySteps.delete(stepId);
 
-            this.logger.log(`▶ Executing finally step: ${step.id} (${step.type})`);
+            const finallyStepIndex = finallyStepIndices.get(stepId);
+            this.logger.log(
+              `[${finallyStepIndex}/${totalFinallySteps}] ▶ Executing finally step: ${step.id} (${step.type})`
+            );
             const promise = this.executeStepWithForeach(step)
               .then(() => {
                 completedFinallySteps.add(stepId);
                 runningPromises.delete(stepId);
-                this.logger.log(`  ✓ Finally step ${step.id} completed\n`);
+                this.logger.log(
+                  `[${finallyStepIndex}/${totalFinallySteps}] ✓ Finally step ${step.id} completed\n`
+                );
               })
               .catch((err) => {
                 runningPromises.delete(stepId);

package/src/utils/auth-manager.test.ts

@@ -149,4 +149,90 @@ describe('AuthManager', () => {
       consoleSpy.mockRestore();
     });
   });
+
+  describe('Device Login', () => {
+    it('initGitHubDeviceLogin should return device code data', async () => {
+      const mockFetch = mock(() =>
+        Promise.resolve(
+          new Response(
+            JSON.stringify({
+              device_code: 'dev_code',
+              user_code: 'USER-CODE',
+              verification_uri: 'https://github.com/login/device',
+              expires_in: 900,
+              interval: 5,
+            }),
+            { status: 200 }
+          )
+        )
+      );
+      // @ts-ignore
+      global.fetch = mockFetch;
+
+      const result = await AuthManager.initGitHubDeviceLogin();
+      expect(result.device_code).toBe('dev_code');
+      expect(result.user_code).toBe('USER-CODE');
+      expect(mockFetch).toHaveBeenCalled();
+    });
+
+    it('pollGitHubDeviceLogin should return token when successful', async () => {
+      let callCount = 0;
+      const mockFetch = mock(() => {
+        callCount++;
+        if (callCount === 1) {
+          return Promise.resolve(
+            new Response(
+              JSON.stringify({
+                error: 'authorization_pending',
+              }),
+              { status: 200 }
+            )
+          );
+        }
+        return Promise.resolve(
+          new Response(
+            JSON.stringify({
+              access_token: 'gh_access_token',
+            }),
+            { status: 200 }
+          )
+        );
+      });
+      // @ts-ignore
+      global.fetch = mockFetch;
+
+      // Mock setTimeout to resolve immediately
+      const originalTimeout = global.setTimeout;
+      // @ts-ignore
+      global.setTimeout = (fn) => fn();
+
+      try {
+        const token = await AuthManager.pollGitHubDeviceLogin('dev_code');
+        expect(token).toBe('gh_access_token');
+        expect(callCount).toBe(2);
+      } finally {
+        global.setTimeout = originalTimeout;
+      }
+    });
+
+    it('pollGitHubDeviceLogin should throw on other errors', async () => {
+      const mockFetch = mock(() =>
+        Promise.resolve(
+          new Response(
+            JSON.stringify({
+              error: 'expired_token',
+              error_description: 'The device code has expired',
+            }),
+            { status: 200 }
+          )
+        )
+      );
+      // @ts-ignore
+      global.fetch = mockFetch;
+
+      await expect(AuthManager.pollGitHubDeviceLogin('dev_code')).rejects.toThrow(
+        'The device code has expired'
+      );
+    });
+  });
 });

package/src/utils/auth-manager.ts

@@ -6,6 +6,16 @@ export interface AuthData {
   github_token?: string;
   copilot_token?: string;
   copilot_expires_at?: number;
+  openai_api_key?: string;
+  anthropic_api_key?: string;
+  mcp_tokens?: Record<
+    string,
+    {
+      access_token: string;
+      expires_at?: number;
+      refresh_token?: string;
+    }
+  >;
 }
 
 export const COPILOT_HEADERS = {
@@ -14,6 +24,8 @@ export const COPILOT_HEADERS = {
   'User-Agent': 'GithubCopilot/1.255.0',
 };
 
+const GITHUB_CLIENT_ID = '013444988716b5155f4c'; // GitHub CLI Client ID
+
 export class AuthManager {
   private static getAuthPath(): string {
     if (process.env.KEYSTONE_AUTH_PATH) {
@@ -44,6 +56,83 @@ export class AuthManager {
     writeFileSync(path, JSON.stringify({ ...current, ...data }, null, 2));
   }
 
+  static async initGitHubDeviceLogin(): Promise<{
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    interval: number;
+  }> {
+    const response = await fetch('https://github.com/login/device/code', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Accept: 'application/json',
+      },
+      body: JSON.stringify({
+        client_id: GITHUB_CLIENT_ID,
+        scope: 'read:user workflow repo',
+      }),
+    });
+
+    if (!response.ok) {
+      throw new Error(`Failed to initialize device login: ${response.statusText}`);
+    }
+
+    return response.json() as Promise<{
+      device_code: string;
+      user_code: string;
+      verification_uri: string;
+      expires_in: number;
+      interval: number;
+    }>;
+  }
+
+  static async pollGitHubDeviceLogin(deviceCode: string): Promise<string> {
+    const poll = async (): Promise<string> => {
+      const response = await fetch('https://github.com/login/oauth/access_token', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Accept: 'application/json',
+        },
+        body: JSON.stringify({
+          client_id: GITHUB_CLIENT_ID,
+          device_code: deviceCode,
+          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`Failed to poll device login: ${response.statusText}`);
+      }
+
+      const data = (await response.json()) as {
+        access_token?: string;
+        error?: string;
+        error_description?: string;
+      };
+
+      if (data.access_token) {
+        return data.access_token;
+      }
+
+      if (data.error === 'authorization_pending') {
+        return ''; // Continue polling
+      }
+
+      throw new Error(data.error_description || data.error || 'Failed to get access token');
+    };
+
+    // Poll every 5 seconds (GitHub's default interval is usually 5)
+    // In a real implementation, we should use the interval from initGitHubDeviceLogin
+    while (true) {
+      const token = await poll();
+      if (token) return token;
+      await new Promise((resolve) => setTimeout(resolve, 5000));
+    }
+  }
+
   static async getCopilotToken(): Promise<string | undefined> {
     const auth = AuthManager.load();