npm - nothumanallowed - Versions diffs - 1.0.1 → 2.0.0 - Mend

nothumanallowed 1.0.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +12 -4
package/package.json +2 -2
package/src/cli.mjs +44 -7
package/src/commands/ask.mjs +111 -0
package/src/commands/google-auth.mjs +29 -0
package/src/commands/ops.mjs +77 -0
package/src/commands/plan.mjs +45 -0
package/src/commands/tasks.mjs +132 -0
package/src/config.mjs +27 -0
package/src/constants.mjs +1 -1
package/src/services/google-calendar.mjs +216 -0
package/src/services/google-gmail.mjs +242 -0
package/src/services/google-oauth.mjs +272 -0
package/src/services/llm.mjs +319 -0
package/src/services/notification.mjs +109 -0
package/src/services/ops-daemon.mjs +247 -0
package/src/services/ops-pipeline.mjs +281 -0
package/src/services/task-store.mjs +156 -0
package/src/services/token-store.mjs +145 -0

package/src/services/token-store.mjs ADDED Viewed

@@ -0,0 +1,145 @@
+/**
+ * Encrypted token storage — AES-256-GCM with machine-derived key.
+ * Stores OAuth tokens at ~/.nha/ops/tokens.enc
+ * Zero dependencies — uses Node.js native crypto.
+ */
+import crypto from 'crypto';
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { NHA_DIR } from '../constants.mjs';
+const OPS_DIR = path.join(NHA_DIR, 'ops');
+const TOKENS_FILE = path.join(OPS_DIR, 'tokens.enc');
+/** Derive encryption key from machine-specific fingerprint */
+function deriveKey() {
+  const fingerprint = os.hostname() + os.userInfo().username + os.homedir();
+  return crypto.createHash('sha256').update(fingerprint).digest();
+}
+/** Encrypt JSON data with AES-256-GCM */
+function encrypt(data) {
+  const key = deriveKey();
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const plaintext = JSON.stringify(data);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: iv.toString('base64'),
+    tag: tag.toString('base64'),
+    ciphertext: encrypted.toString('base64'),
+  };
+}
+/** Decrypt AES-256-GCM data back to JSON */
+function decrypt(envelope) {
+  const key = deriveKey();
+  const iv = Buffer.from(envelope.iv, 'base64');
+  const tag = Buffer.from(envelope.tag, 'base64');
+  const ciphertext = Buffer.from(envelope.ciphertext, 'base64');
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(tag);
+  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return JSON.parse(decrypted.toString('utf-8'));
+}
+/**
+ * Save OAuth tokens (encrypted).
+ * @param {object} tokens — { access_token, refresh_token, expires_at, scope, email }
+ */
+export function saveTokens(tokens) {
+  fs.mkdirSync(OPS_DIR, { recursive: true });
+  const envelope = encrypt(tokens);
+  fs.writeFileSync(TOKENS_FILE, JSON.stringify(envelope, null, 2), { mode: 0o600 });
+}
+/**
+ * Load OAuth tokens (decrypted).
+ * @returns {object|null} tokens or null if not stored
+ */
+export function loadTokens() {
+  if (!fs.existsSync(TOKENS_FILE)) return null;
+  try {
+    const envelope = JSON.parse(fs.readFileSync(TOKENS_FILE, 'utf-8'));
+    return decrypt(envelope);
+  } catch {
+    return null;
+  }
+}
+/**
+ * Delete stored tokens.
+ */
+export function deleteTokens() {
+  if (fs.existsSync(TOKENS_FILE)) fs.rmSync(TOKENS_FILE);
+}
+/**
+ * Check if access token is expired (with 5-minute buffer).
+ * @param {object} tokens
+ * @returns {boolean}
+ */
+export function isExpired(tokens) {
+  if (!tokens?.expires_at) return true;
+  return Date.now() >= tokens.expires_at - 300_000;
+}
+/**
+ * Refresh access token using refresh_token.
+ * @param {string} clientId
+ * @param {string} clientSecret
+ * @param {string} refreshToken
+ * @returns {Promise<object>} new token set
+ */
+export async function refreshAccessToken(clientId, clientSecret, refreshToken) {
+  const params = new URLSearchParams({
+    client_id: clientId,
+    client_secret: clientSecret,
+    refresh_token: refreshToken,
+    grant_type: 'refresh_token',
+  });
+  const res = await fetch('https://oauth2.googleapis.com/token', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: params.toString(),
+  });
+  if (!res.ok) {
+    const err = await res.text();
+    throw new Error(`Token refresh failed: ${err}`);
+  }
+  const data = await res.json();
+  return {
+    access_token: data.access_token,
+    refresh_token: refreshToken, // Google doesn't always return a new refresh token
+    expires_at: Date.now() + (data.expires_in * 1000),
+    scope: data.scope,
+  };
+}
+/**
+ * Get a valid access token — refreshes automatically if expired.
+ * @param {object} config — NHA config with google.clientId etc.
+ * @returns {Promise<string>} access_token
+ */
+export async function getAccessToken(config) {
+  let tokens = loadTokens();
+  if (!tokens) throw new Error('Not authenticated. Run: nha google auth');
+  if (isExpired(tokens)) {
+    const clientId = config.google?.clientId;
+    const clientSecret = config.google?.clientSecret || '';
+    if (!clientId) throw new Error('Google client ID not configured');
+    tokens = await refreshAccessToken(clientId, clientSecret, tokens.refresh_token);
+    tokens.email = loadTokens()?.email; // preserve email
+    saveTokens(tokens);
+  }
+  return tokens.access_token;
+}