keystone-cli 0.8.0 → 1.0.0

package/src/utils/auth-manager.ts

@@ -1,6 +1,8 @@
+import { createHash, randomBytes } from 'node:crypto';
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+import { ConsoleLogger, type Logger } from './logger';
 
 export interface AuthData {
   github_token?: string;
@@ -8,6 +10,18 @@ export interface AuthData {
   copilot_expires_at?: number;
   openai_api_key?: string;
   anthropic_api_key?: string;
+  google_gemini?: {
+    access_token: string;
+    refresh_token: string;
+    expires_at: number;
+    email?: string;
+    project_id?: string;
+  };
+  anthropic_claude?: {
+    access_token: string;
+    refresh_token: string;
+    expires_at: number;
+  };
   mcp_tokens?: Record<
     string,
     {
@@ -16,6 +30,12 @@ export interface AuthData {
       refresh_token?: string;
     }
   >;
+  openai_chatgpt?: {
+    access_token: string;
+    refresh_token: string;
+    expires_at: number;
+    account_id?: string;
+  };
 }
 
 export const COPILOT_HEADERS = {
@@ -25,11 +45,33 @@ export const COPILOT_HEADERS = {
 };
 
 const GITHUB_CLIENT_ID = '013444988716b5155f4c'; // GitHub CLI Client ID
-
-/** Buffer time in seconds before token expiry to trigger refresh (5 minutes) */
 const TOKEN_REFRESH_BUFFER_SECONDS = 300;
+const OPENAI_CHATGPT_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann';
+const OPENAI_CHATGPT_REDIRECT_URI = 'http://localhost:1455/callback';
+const ANTHROPIC_OAUTH_CLIENT_ID = '9d1c250a-e61b-44d9-88ed-5944d1962f5e';
+const ANTHROPIC_OAUTH_REDIRECT_URI = 'https://console.anthropic.com/oauth/code/callback';
+const ANTHROPIC_OAUTH_SCOPE = 'org:create_api_key user:profile user:inference';
+const GOOGLE_GEMINI_OAUTH_CLIENT_ID =
+  '1071006060591-tmhssin2h21lcre235vtolojh4g403ep.apps.googleusercontent.com';
+const GOOGLE_GEMINI_OAUTH_REDIRECT_URI = 'http://localhost:51121/oauth-callback';
+const GOOGLE_GEMINI_OAUTH_SCOPES = [
+  'https://www.googleapis.com/auth/cloud-platform',
+  'https://www.googleapis.com/auth/userinfo.email',
+  'https://www.googleapis.com/auth/userinfo.profile',
+  'https://www.googleapis.com/auth/cclog',
+  'https://www.googleapis.com/auth/experimentsandconfigs',
+];
+const GOOGLE_GEMINI_LOAD_ENDPOINTS = [
+  'https://cloudcode-pa.googleapis.com',
+  'https://daily-cloudcode-pa.sandbox.googleapis.com',
+  'https://autopush-cloudcode-pa.sandbox.googleapis.com',
+];
+const GOOGLE_GEMINI_METADATA_HEADER =
+  '{"ideType":"IDE_UNSPECIFIED","platform":"PLATFORM_UNSPECIFIED","pluginType":"GEMINI"}';
 
 export class AuthManager {
+  private static logger: Logger = new ConsoleLogger();
+
   private static getAuthPath(): string {
     if (process.env.KEYSTONE_AUTH_PATH) {
       return process.env.KEYSTONE_AUTH_PATH;
@@ -59,14 +101,16 @@ export class AuthManager {
     try {
       writeFileSync(path, JSON.stringify({ ...current, ...data }, null, 2), { mode: 0o600 });
     } catch (error) {
-      // Use ConsoleLogger as a safe fallback for top-level utility
-      console.error(
-        'Failed to save auth data:',
-        error instanceof Error ? error.message : String(error)
+      AuthManager.logger.error(
+        `Failed to save auth data: ${error instanceof Error ? error.message : String(error)}`
       );
     }
   }
 
+  static setLogger(logger: Logger): void {
+    AuthManager.logger = logger;
+  }
+
   static async initGitHubDeviceLogin(): Promise<{
     device_code: string;
     user_code: string;
@@ -197,8 +241,541 @@ export class AuthManager {
 
       return data.token;
     } catch (error) {
-      // Use ConsoleLogger as a safe fallback for top-level utility
-      console.error('Error refreshing Copilot token:', error);
+      AuthManager.logger.error(`Error refreshing Copilot token: ${String(error)}`);
+      return undefined;
+    }
+  }
+
+  private static generateCodeVerifier(): string {
+    return randomBytes(32).toString('hex');
+  }
+
+  private static createCodeChallenge(verifier: string): string {
+    const hash = createHash('sha256').update(verifier).digest();
+    return hash.toString('base64url');
+  }
+
+  private static getGoogleGeminiClientSecret(): string {
+    const secret =
+      process.env.GOOGLE_GEMINI_OAUTH_CLIENT_SECRET || process.env.KEYSTONE_GEMINI_CLIENT_SECRET;
+    if (!secret) {
+      throw new Error(
+        'Missing Google Gemini OAuth client secret. Set GOOGLE_GEMINI_OAUTH_CLIENT_SECRET or KEYSTONE_GEMINI_CLIENT_SECRET.'
+      );
+    }
+    return secret;
+  }
+
+  static createAnthropicClaudeAuth(): { url: string; verifier: string } {
+    const verifier = AuthManager.generateCodeVerifier();
+    const challenge = AuthManager.createCodeChallenge(verifier);
+
+    const authUrl = `https://claude.ai/oauth/authorize?${new URLSearchParams({
+      code: 'true',
+      client_id: ANTHROPIC_OAUTH_CLIENT_ID,
+      response_type: 'code',
+      redirect_uri: ANTHROPIC_OAUTH_REDIRECT_URI,
+      scope: ANTHROPIC_OAUTH_SCOPE,
+      code_challenge: challenge,
+      code_challenge_method: 'S256',
+      state: verifier,
+    }).toString()}`;
+
+    return { url: authUrl, verifier };
+  }
+
+  static async exchangeAnthropicClaudeCode(
+    code: string,
+    verifier: string
+  ): Promise<{ access_token: string; refresh_token: string; expires_in: number }> {
+    const [authCode, stateFromCode] = code.split('#');
+    if (stateFromCode && stateFromCode !== verifier) {
+      throw new Error('Invalid OAuth state');
+    }
+    const response = await fetch('https://console.anthropic.com/v1/oauth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        code: authCode,
+        state: stateFromCode || verifier,
+        grant_type: 'authorization_code',
+        client_id: ANTHROPIC_OAUTH_CLIENT_ID,
+        redirect_uri: ANTHROPIC_OAUTH_REDIRECT_URI,
+        code_verifier: verifier,
+      }),
+    });
+
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Failed to exchange Claude auth code: ${response.status} - ${error}`);
+    }
+
+    return (await response.json()) as {
+      access_token: string;
+      refresh_token: string;
+      expires_in: number;
+    };
+  }
+
+  private static async fetchGoogleGeminiProjectId(
+    accessToken: string
+  ): Promise<string | undefined> {
+    const loadHeaders: Record<string, string> = {
+      Authorization: `Bearer ${accessToken}`,
+      'Content-Type': 'application/json',
+      'User-Agent': 'google-api-nodejs-client/9.15.1',
+      'X-Goog-Api-Client': 'google-cloud-sdk vscode_cloudshelleditor/0.1',
+      'Client-Metadata': GOOGLE_GEMINI_METADATA_HEADER,
+    };
+
+    for (const baseEndpoint of GOOGLE_GEMINI_LOAD_ENDPOINTS) {
+      try {
+        const response = await fetch(`${baseEndpoint}/v1internal:loadCodeAssist`, {
+          method: 'POST',
+          headers: loadHeaders,
+          body: JSON.stringify({
+            metadata: {
+              ideType: 'IDE_UNSPECIFIED',
+              platform: 'PLATFORM_UNSPECIFIED',
+              pluginType: 'GEMINI',
+            },
+          }),
+        });
+
+        if (!response.ok) {
+          continue;
+        }
+
+        const data = (await response.json()) as {
+          cloudaicompanionProject?: string | { id?: string };
+        };
+
+        if (typeof data.cloudaicompanionProject === 'string' && data.cloudaicompanionProject) {
+          return data.cloudaicompanionProject;
+        }
+        if (
+          data.cloudaicompanionProject &&
+          typeof data.cloudaicompanionProject.id === 'string' &&
+          data.cloudaicompanionProject.id
+        ) {
+          return data.cloudaicompanionProject.id;
+        }
+      } catch {}
+    }
+
+    return undefined;
+  }
+
+  static async loginGoogleGemini(projectId?: string): Promise<void> {
+    const verifier = AuthManager.generateCodeVerifier();
+    const challenge = AuthManager.createCodeChallenge(verifier);
+    const state = randomBytes(16).toString('hex');
+
+    return new Promise((resolve, reject) => {
+      const serverRef: { current?: ReturnType<typeof Bun.serve> } = {};
+      const stopServer = () => {
+        serverRef.current?.stop();
+      };
+      const timeout = setTimeout(
+        () => {
+          stopServer();
+          reject(new Error('Login timed out after 5 minutes'));
+        },
+        5 * 60 * 1000
+      );
+
+      serverRef.current = Bun.serve({
+        port: 51121,
+        async fetch(req) {
+          const url = new URL(req.url);
+          if (url.pathname === '/oauth-callback') {
+            const error = url.searchParams.get('error');
+            if (error) {
+              clearTimeout(timeout);
+              setTimeout(stopServer, 100);
+              reject(new Error(`Authorization error: ${error}`));
+              return new Response(`Error: ${error}`, { status: 400 });
+            }
+
+            const code = url.searchParams.get('code');
+            const returnedState = url.searchParams.get('state');
+            if (!code) {
+              return new Response('Missing code parameter', { status: 400 });
+            }
+            if (returnedState && returnedState !== state) {
+              clearTimeout(timeout);
+              setTimeout(stopServer, 100);
+              reject(new Error('Invalid OAuth state'));
+              return new Response('Invalid state parameter', { status: 400 });
+            }
+
+            try {
+              const response = await fetch('https://oauth2.googleapis.com/token', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                body: new URLSearchParams({
+                  client_id: GOOGLE_GEMINI_OAUTH_CLIENT_ID,
+                  client_secret: AuthManager.getGoogleGeminiClientSecret(),
+                  code,
+                  grant_type: 'authorization_code',
+                  redirect_uri: GOOGLE_GEMINI_OAUTH_REDIRECT_URI,
+                  code_verifier: verifier,
+                }),
+              });
+
+              if (!response.ok) {
+                const errorText = await response.text();
+                throw new Error(`Failed to exchange code: ${response.status} - ${errorText}`);
+              }
+
+              const data = (await response.json()) as {
+                access_token: string;
+                refresh_token?: string;
+                expires_in: number;
+              };
+
+              if (!data.refresh_token) {
+                throw new Error('Missing refresh token in response. Try re-authenticating.');
+              }
+
+              let email: string | undefined;
+              try {
+                const userInfoResponse = await fetch(
+                  'https://www.googleapis.com/oauth2/v1/userinfo?alt=json',
+                  { headers: { Authorization: `Bearer ${data.access_token}` } }
+                );
+                if (userInfoResponse.ok) {
+                  const userInfo = (await userInfoResponse.json()) as { email?: string };
+                  email = userInfo.email;
+                }
+              } catch {
+                // Ignore user info lookup failures
+              }
+
+              let resolvedProjectId =
+                projectId ||
+                process.env.GOOGLE_GEMINI_PROJECT_ID ||
+                process.env.KEYSTONE_GEMINI_PROJECT_ID;
+              if (!resolvedProjectId) {
+                resolvedProjectId = await AuthManager.fetchGoogleGeminiProjectId(data.access_token);
+              }
+
+              AuthManager.save({
+                google_gemini: {
+                  access_token: data.access_token,
+                  refresh_token: data.refresh_token,
+                  expires_at: Math.floor(Date.now() / 1000) + data.expires_in,
+                  email,
+                  project_id: resolvedProjectId,
+                },
+              });
+
+              clearTimeout(timeout);
+              setTimeout(stopServer, 100);
+              resolve();
+              return new Response(
+                '<h1>Authentication Successful!</h1><p>You can close this window and return to the terminal.</p>',
+                { headers: { 'Content-Type': 'text/html' } }
+              );
+            } catch (err) {
+              clearTimeout(timeout);
+              setTimeout(stopServer, 100);
+              reject(err);
+              return new Response(`Error: ${err instanceof Error ? err.message : String(err)}`, {
+                status: 500,
+              });
+            }
+          }
+          return new Response('Not Found', { status: 404 });
+        },
+      });
+
+      const authUrl = `https://accounts.google.com/o/oauth2/v2/auth?${new URLSearchParams({
+        client_id: GOOGLE_GEMINI_OAUTH_CLIENT_ID,
+        response_type: 'code',
+        redirect_uri: GOOGLE_GEMINI_OAUTH_REDIRECT_URI,
+        scope: GOOGLE_GEMINI_OAUTH_SCOPES.join(' '),
+        code_challenge: challenge,
+        code_challenge_method: 'S256',
+        access_type: 'offline',
+        prompt: 'consent',
+        state,
+      }).toString()}`;
+
+      AuthManager.logger.log('\nTo login with Google Gemini (OAuth):');
+      AuthManager.logger.log('1. Visit the following URL in your browser:');
+      AuthManager.logger.log(`   ${authUrl}\n`);
+      AuthManager.logger.log('Waiting for authorization...');
+
+      try {
+        const { platform } = process;
+        const command =
+          platform === 'win32' ? 'start' : platform === 'darwin' ? 'open' : 'xdg-open';
+        const { spawn } = require('node:child_process');
+        spawn(command, [authUrl]);
+      } catch {
+        // Ignore if we can't open the browser automatically
+      }
+    });
+  }
+
+  static async loginOpenAIChatGPT(): Promise<void> {
+    const verifier = AuthManager.generateCodeVerifier();
+    const challenge = AuthManager.createCodeChallenge(verifier);
+    const state = randomBytes(16).toString('hex');
+
+    return new Promise((resolve, reject) => {
+      const serverRef: { current?: ReturnType<typeof Bun.serve> } = {};
+      const stopServer = () => {
+        serverRef.current?.stop();
+      };
+      const timeout = setTimeout(
+        () => {
+          stopServer();
+          reject(new Error('Login timed out after 5 minutes'));
+        },
+        5 * 60 * 1000
+      );
+
+      serverRef.current = Bun.serve({
+        port: 1455,
+        async fetch(req) {
+          const url = new URL(req.url);
+          if (url.pathname === '/callback') {
+            const code = url.searchParams.get('code');
+            const returnedState = url.searchParams.get('state');
+            if (!returnedState || returnedState !== state) {
+              clearTimeout(timeout);
+              setTimeout(stopServer, 100);
+              reject(new Error('Invalid OAuth state'));
+              return new Response('Invalid state parameter', { status: 400 });
+            }
+            if (code) {
+              try {
+                const response = await fetch('https://chatgpt.com/oauth/token', {
+                  method: 'POST',
+                  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                  body: new URLSearchParams({
+                    client_id: OPENAI_CHATGPT_CLIENT_ID,
+                    grant_type: 'authorization_code',
+                    code,
+                    redirect_uri: OPENAI_CHATGPT_REDIRECT_URI,
+                    code_verifier: verifier,
+                  }),
+                });
+
+                if (!response.ok) {
+                  const error = await response.text();
+                  throw new Error(`Failed to exchange code: ${response.status} - ${error}`);
+                }
+
+                const data = (await response.json()) as {
+                  access_token: string;
+                  refresh_token: string;
+                  expires_in: number;
+                };
+
+                AuthManager.save({
+                  openai_chatgpt: {
+                    access_token: data.access_token,
+                    refresh_token: data.refresh_token,
+                    expires_at: Math.floor(Date.now() / 1000) + data.expires_in,
+                  },
+                });
+
+                clearTimeout(timeout);
+                setTimeout(stopServer, 100);
+                resolve();
+                return new Response(
+                  '<h1>Authentication Successful!</h1><p>You can close this window and return to the terminal.</p>',
+                  { headers: { 'Content-Type': 'text/html' } }
+                );
+              } catch (err) {
+                clearTimeout(timeout);
+                setTimeout(stopServer, 100);
+                reject(err);
+                return new Response(`Error: ${err instanceof Error ? err.message : String(err)}`, {
+                  status: 500,
+                });
+              }
+            } else {
+              return new Response('Missing code parameter', { status: 400 });
+            }
+          }
+          return new Response('Not Found', { status: 404 });
+        },
+      });
+
+      const authUrl = `https://chatgpt.com/oauth/authorize?${new URLSearchParams({
+        client_id: OPENAI_CHATGPT_CLIENT_ID,
+        code_challenge: challenge,
+        code_challenge_method: 'S256',
+        redirect_uri: OPENAI_CHATGPT_REDIRECT_URI,
+        response_type: 'code',
+        scope: 'openid profile email offline_access',
+        state,
+      }).toString()}`;
+
+      AuthManager.logger.log('\nTo login with OpenAI ChatGPT:');
+      AuthManager.logger.log('1. Visit the following URL in your browser:');
+      AuthManager.logger.log(`   ${authUrl}\n`);
+      AuthManager.logger.log('Waiting for authorization...');
+
+      // Attempt to open the browser
+      try {
+        const { platform } = process;
+        const command =
+          platform === 'win32' ? 'start' : platform === 'darwin' ? 'open' : 'xdg-open';
+        const { spawn } = require('node:child_process');
+        spawn(command, [authUrl]);
+      } catch (e) {
+        // Ignore if we can't open the browser automatically
+      }
+    });
+  }
+
+  static async getOpenAIChatGPTToken(): Promise<string | undefined> {
+    const auth = AuthManager.load();
+    if (!auth.openai_chatgpt) return undefined;
+
+    const { access_token, refresh_token, expires_at } = auth.openai_chatgpt;
+
+    // Check if valid
+    if (expires_at > Date.now() / 1000 + TOKEN_REFRESH_BUFFER_SECONDS) {
+      return access_token;
+    }
+
+    // Refresh
+    try {
+      const response = await fetch('https://chatgpt.com/oauth/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          client_id: OPENAI_CHATGPT_CLIENT_ID,
+          grant_type: 'refresh_token',
+          refresh_token,
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`Failed to refresh token: ${response.statusText}`);
+      }
+
+      const data = (await response.json()) as {
+        access_token: string;
+        refresh_token: string;
+        expires_in: number;
+      };
+
+      AuthManager.save({
+        openai_chatgpt: {
+          access_token: data.access_token,
+          refresh_token: data.refresh_token,
+          expires_at: Math.floor(Date.now() / 1000) + data.expires_in,
+        },
+      });
+
+      return data.access_token;
+    } catch (error) {
+      AuthManager.logger.error(`Error refreshing OpenAI ChatGPT token: ${String(error)}`);
+      return undefined;
+    }
+  }
+
+  static async getGoogleGeminiToken(): Promise<string | undefined> {
+    const auth = AuthManager.load();
+    if (!auth.google_gemini) return undefined;
+
+    const { access_token, refresh_token, expires_at } = auth.google_gemini;
+
+    if (expires_at > Date.now() / 1000 + TOKEN_REFRESH_BUFFER_SECONDS) {
+      return access_token;
+    }
+
+    if (!refresh_token) {
+      return undefined;
+    }
+
+    try {
+      const response = await fetch('https://oauth2.googleapis.com/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({
+          client_id: GOOGLE_GEMINI_OAUTH_CLIENT_ID,
+          client_secret: AuthManager.getGoogleGeminiClientSecret(),
+          grant_type: 'refresh_token',
+          refresh_token,
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`Failed to refresh token: ${response.statusText}`);
+      }
+
+      const data = (await response.json()) as {
+        access_token: string;
+        refresh_token?: string;
+        expires_in: number;
+      };
+
+      AuthManager.save({
+        google_gemini: {
+          ...auth.google_gemini,
+          access_token: data.access_token,
+          refresh_token: data.refresh_token || refresh_token,
+          expires_at: Math.floor(Date.now() / 1000) + data.expires_in,
+        },
+      });
+
+      return data.access_token;
+    } catch (error) {
+      AuthManager.logger.error(`Error refreshing Google Gemini token: ${String(error)}`);
+      return undefined;
+    }
+  }
+
+  static async getAnthropicClaudeToken(): Promise<string | undefined> {
+    const auth = AuthManager.load();
+    if (!auth.anthropic_claude) return undefined;
+
+    const { access_token, refresh_token, expires_at } = auth.anthropic_claude;
+
+    if (expires_at > Date.now() / 1000 + TOKEN_REFRESH_BUFFER_SECONDS) {
+      return access_token;
+    }
+
+    try {
+      const response = await fetch('https://console.anthropic.com/v1/oauth/token', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          grant_type: 'refresh_token',
+          refresh_token,
+          client_id: ANTHROPIC_OAUTH_CLIENT_ID,
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`Failed to refresh token: ${response.statusText}`);
+      }
+
+      const data = (await response.json()) as {
+        access_token: string;
+        refresh_token: string;
+        expires_in: number;
+      };
+
+      AuthManager.save({
+        anthropic_claude: {
+          access_token: data.access_token,
+          refresh_token: data.refresh_token,
+          expires_at: Math.floor(Date.now() / 1000) + data.expires_in,
+        },
+      });
+
+      return data.access_token;
+    } catch (error) {
+      AuthManager.logger.error(`Error refreshing Anthropic Claude token: ${String(error)}`);
       return undefined;
     }
   }

package/src/utils/blueprint-utils.test.ts

@@ -0,0 +1,49 @@
+import { describe, expect, it } from 'bun:test';
+import type { Blueprint } from '../parser/schema';
+import { BlueprintUtils } from './blueprint-utils';
+
+describe('BlueprintUtils', () => {
+  const mockBlueprint: Blueprint = {
+    architecture: {
+      description: 'Test Architecture',
+      patterns: ['MVC'],
+    },
+    files: [
+      { path: 'src/index.ts', purpose: 'Main entry point' },
+      { path: 'src/app.ts', purpose: 'App logic' },
+    ],
+  };
+
+  it('should calculate a stable hash', () => {
+    const hash1 = BlueprintUtils.calculateHash(mockBlueprint);
+    const hash2 = BlueprintUtils.calculateHash({
+      ...mockBlueprint,
+      files: [...mockBlueprint.files].reverse(), // Different order
+    });
+    expect(hash1).toBe(hash2);
+    expect(hash1).toHaveLength(64);
+  });
+
+  it('should detect missing files', () => {
+    const generated = [{ path: 'src/index.ts' }];
+    const diffs = BlueprintUtils.detectDrift(mockBlueprint, generated);
+    expect(diffs).toContain('Missing file: src/app.ts');
+  });
+
+  it('should detect extra files', () => {
+    const generated = [{ path: 'src/index.ts' }, { path: 'src/app.ts' }, { path: 'src/extra.ts' }];
+    const diffs = BlueprintUtils.detectDrift(mockBlueprint, generated);
+    expect(diffs).toContain('Extra file not in blueprint: src/extra.ts');
+  });
+
+  it('should detect purpose drift', () => {
+    const generated = [
+      { path: 'src/index.ts', purpose: 'Different purpose' },
+      { path: 'src/app.ts', purpose: 'App logic' },
+    ];
+    const diffs = BlueprintUtils.detectDrift(mockBlueprint, generated);
+    expect(diffs).toContain(
+      'Purpose drift in src/index.ts: expected "Main entry point", got "Different purpose"'
+    );
+  });
+});