octocode-shared 1.0.0

package/dist/storage-DuH3rTiu.js

@@ -0,0 +1,737 @@
+import { existsSync, readFileSync, mkdirSync, writeFileSync, unlinkSync } from "node:fs";
+import { join } from "node:path";
+import { randomBytes, createCipheriv, createDecipheriv } from "node:crypto";
+import { refreshToken } from "@octokit/oauth-methods";
+import { request } from "@octokit/request";
+import { H as HOME } from "./platform-1V_81nPi.js";
+import { AsyncEntry, findCredentialsAsync } from "@napi-rs/keyring";
+function isKeychainAvailable() {
+  return true;
+}
+async function setPassword(service, account, password) {
+  const entry = new AsyncEntry(service, account);
+  await entry.setPassword(password);
+}
+async function getPassword(service, account) {
+  try {
+    const entry = new AsyncEntry(service, account);
+    const result = await entry.getPassword();
+    return result ?? null;
+  } catch {
+    return null;
+  }
+}
+async function deletePassword(service, account) {
+  try {
+    const entry = new AsyncEntry(service, account);
+    return await entry.deleteCredential();
+  } catch {
+    return false;
+  }
+}
+async function findCredentials(service) {
+  try {
+    const credentials = await findCredentialsAsync(service);
+    return credentials;
+  } catch {
+    return [];
+  }
+}
+const DEFAULT_CLIENT_ID = "178c6fc778ccc68e1d6a";
+const DEFAULT_HOSTNAME = "github.com";
+const KEYRING_TIMEOUT_MS = 3e3;
+class TimeoutError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "TimeoutError";
+  }
+}
+async function withTimeout(promise, ms) {
+  return Promise.race([
+    promise,
+    new Promise(
+      (_, reject) => setTimeout(
+        () => reject(new TimeoutError(`Operation timed out after ${ms}ms`)),
+        ms
+      )
+    )
+  ]);
+}
+let _keychainAvailable = null;
+function checkKeychainAvailable() {
+  if (_keychainAvailable === null) {
+    _keychainAvailable = isKeychainAvailable();
+  }
+  return _keychainAvailable;
+}
+const KEYCHAIN_SERVICE = "octocode-cli";
+const OCTOCODE_DIR = join(HOME, ".octocode");
+const CREDENTIALS_FILE = join(OCTOCODE_DIR, "credentials.json");
+const KEY_FILE = join(OCTOCODE_DIR, ".key");
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+const credentialsCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 5 * 60 * 1e3;
+function isCacheValid(hostname) {
+  const cached = credentialsCache.get(hostname);
+  if (!cached) return false;
+  const age = Date.now() - cached.cachedAt;
+  return age < CACHE_TTL_MS;
+}
+function invalidateCredentialsCache(hostname) {
+  if (hostname) {
+    credentialsCache.delete(normalizeHostname(hostname));
+  } else {
+    credentialsCache.clear();
+  }
+}
+function _getCacheStats() {
+  const now = Date.now();
+  return {
+    size: credentialsCache.size,
+    entries: Array.from(credentialsCache.entries()).map(
+      ([hostname, entry]) => ({
+        hostname,
+        age: now - entry.cachedAt,
+        valid: isCacheValid(hostname)
+      })
+    )
+  };
+}
+function _resetCredentialsCache() {
+  credentialsCache.clear();
+}
+const ENV_TOKEN_VARS = [
+  "OCTOCODE_TOKEN",
+  // octocode-specific (highest priority)
+  "GH_TOKEN",
+  // gh CLI compatible
+  "GITHUB_TOKEN"
+  // GitHub Actions native
+];
+function getTokenFromEnv() {
+  for (const envVar of ENV_TOKEN_VARS) {
+    const token = process.env[envVar];
+    if (token && token.trim()) {
+      return token.trim();
+    }
+  }
+  return null;
+}
+function getEnvTokenSource() {
+  for (const envVar of ENV_TOKEN_VARS) {
+    const token = process.env[envVar];
+    if (token && token.trim()) {
+      return `env:${envVar}`;
+    }
+  }
+  return null;
+}
+function hasEnvToken() {
+  return getTokenFromEnv() !== null;
+}
+let _useSecureStorage = null;
+let _keychainInitialized = false;
+async function initializeSecureStorage() {
+  if (_keychainInitialized) {
+    return _useSecureStorage ?? false;
+  }
+  _keychainInitialized = true;
+  _useSecureStorage = checkKeychainAvailable();
+  return _useSecureStorage;
+}
+function isSecureStorageAvailable() {
+  if (_useSecureStorage !== null) {
+    return _useSecureStorage;
+  }
+  _useSecureStorage = checkKeychainAvailable();
+  return _useSecureStorage;
+}
+function _setSecureStorageAvailable(available) {
+  _useSecureStorage = available;
+  _keychainAvailable = available;
+  _keychainInitialized = true;
+}
+function _resetSecureStorageState() {
+  _useSecureStorage = null;
+  _keychainAvailable = null;
+  _keychainInitialized = false;
+}
+async function keychainStore(hostname, credentials) {
+  if (!checkKeychainAvailable()) {
+    throw new Error("Keychain not available");
+  }
+  const data = JSON.stringify(credentials);
+  await setPassword(KEYCHAIN_SERVICE, hostname, data);
+}
+async function keychainGet(hostname) {
+  if (!checkKeychainAvailable()) return null;
+  try {
+    const data = await getPassword(KEYCHAIN_SERVICE, hostname);
+    if (!data) return null;
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+async function keychainDelete(hostname) {
+  if (!checkKeychainAvailable()) return false;
+  try {
+    return await deletePassword(KEYCHAIN_SERVICE, hostname);
+  } catch {
+    return false;
+  }
+}
+async function keychainList() {
+  if (!checkKeychainAvailable()) return [];
+  try {
+    const credentials = await findCredentials(KEYCHAIN_SERVICE);
+    return credentials.map((c) => c.account);
+  } catch {
+    return [];
+  }
+}
+function getOrCreateKey() {
+  ensureOctocodeDir();
+  if (existsSync(KEY_FILE)) {
+    return Buffer.from(readFileSync(KEY_FILE, "utf8"), "hex");
+  }
+  const key = randomBytes(32);
+  writeFileSync(KEY_FILE, key.toString("hex"), { mode: 384 });
+  return key;
+}
+function encrypt(data) {
+  const key = getOrCreateKey();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  let encrypted = cipher.update(data, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+}
+function decrypt(encryptedData) {
+  const key = getOrCreateKey();
+  const [ivHex, authTagHex, encrypted] = encryptedData.split(":");
+  if (!ivHex || !authTagHex || !encrypted) {
+    throw new Error("Invalid encrypted data format");
+  }
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(authTagHex, "hex");
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(authTag);
+  let decrypted = decipher.update(encrypted, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+  return decrypted;
+}
+function ensureOctocodeDir() {
+  if (!existsSync(OCTOCODE_DIR)) {
+    mkdirSync(OCTOCODE_DIR, { recursive: true, mode: 448 });
+  }
+}
+function readCredentialsStore() {
+  ensureOctocodeDir();
+  if (!existsSync(CREDENTIALS_FILE)) {
+    return { version: 1, credentials: {} };
+  }
+  try {
+    const encryptedContent = readFileSync(CREDENTIALS_FILE, "utf8");
+    const decrypted = decrypt(encryptedContent);
+    return JSON.parse(decrypted);
+  } catch (error) {
+    console.error(
+      "\n  ⚠ Warning: Could not read credentials file. You may need to login again."
+    );
+    console.error(`  File: ${CREDENTIALS_FILE}`);
+    if (error instanceof Error && error.message) {
+      console.error(`  Reason: ${error.message}
+`);
+    }
+    return { version: 1, credentials: {} };
+  }
+}
+function writeCredentialsStore(store) {
+  ensureOctocodeDir();
+  const encrypted = encrypt(JSON.stringify(store, null, 2));
+  writeFileSync(CREDENTIALS_FILE, encrypted, { mode: 384 });
+}
+function removeFromFileStorage(hostname) {
+  try {
+    const store = readCredentialsStore();
+    if (store.credentials[hostname]) {
+      delete store.credentials[hostname];
+      if (Object.keys(store.credentials).length === 0) {
+        cleanupKeyFile();
+      } else {
+        writeCredentialsStore(store);
+      }
+      return true;
+    }
+    return false;
+  } catch (err) {
+    console.warn(
+      `[token-storage] Failed to remove from file storage: ${err instanceof Error ? err.message : String(err)}`
+    );
+    return false;
+  }
+}
+function cleanupKeyFile() {
+  try {
+    if (existsSync(CREDENTIALS_FILE)) {
+      unlinkSync(CREDENTIALS_FILE);
+    }
+    if (existsSync(KEY_FILE)) {
+      unlinkSync(KEY_FILE);
+    }
+  } catch {
+  }
+}
+async function migrateSingleCredential(hostname, credentials) {
+  try {
+    await withTimeout(keychainStore(hostname, credentials), KEYRING_TIMEOUT_MS);
+    removeFromFileStorage(hostname);
+  } catch {
+  }
+}
+function normalizeHostname(hostname) {
+  return hostname.toLowerCase().replace(/^https?:\/\//, "").replace(/\/$/, "");
+}
+async function storeCredentials(credentials) {
+  const hostname = normalizeHostname(credentials.hostname);
+  const normalizedCredentials = {
+    ...credentials,
+    hostname,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  if (isSecureStorageAvailable()) {
+    try {
+      await withTimeout(
+        keychainStore(hostname, normalizedCredentials),
+        KEYRING_TIMEOUT_MS
+      );
+      removeFromFileStorage(hostname);
+      invalidateCredentialsCache(hostname);
+      return { success: true, insecureStorageUsed: false };
+    } catch (err) {
+      console.warn(
+        `[token-storage] Keyring storage failed, using file fallback: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  try {
+    const store = readCredentialsStore();
+    store.credentials[hostname] = normalizedCredentials;
+    writeCredentialsStore(store);
+    invalidateCredentialsCache(hostname);
+    return { success: true, insecureStorageUsed: true };
+  } catch (fileError) {
+    console.error(`[token-storage] CRITICAL: All storage methods failed!`);
+    console.error(
+      `  Error: ${fileError instanceof Error ? fileError.message : String(fileError)}`
+    );
+    throw new Error("Failed to store credentials");
+  }
+}
+async function getCredentials(hostname = "github.com", options) {
+  const normalizedHostname = normalizeHostname(hostname);
+  if (!options?.bypassCache && isCacheValid(normalizedHostname)) {
+    return credentialsCache.get(normalizedHostname).credentials;
+  }
+  const credentials = await fetchCredentialsFromStorage(normalizedHostname);
+  if (credentials) {
+    credentialsCache.set(normalizedHostname, {
+      credentials,
+      cachedAt: Date.now()
+    });
+  } else {
+    credentialsCache.delete(normalizedHostname);
+  }
+  return credentials;
+}
+async function fetchCredentialsFromStorage(normalizedHostname) {
+  if (isSecureStorageAvailable()) {
+    try {
+      const creds = await withTimeout(
+        keychainGet(normalizedHostname),
+        KEYRING_TIMEOUT_MS
+      );
+      if (creds) return creds;
+    } catch (err) {
+      if (!(err instanceof TimeoutError)) {
+        console.warn(
+          `[token-storage] Keyring read failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  }
+  const store = readCredentialsStore();
+  const fileCreds = store.credentials[normalizedHostname];
+  if (fileCreds) {
+    if (isSecureStorageAvailable()) {
+      migrateSingleCredential(normalizedHostname, fileCreds).catch(() => {
+      });
+    }
+    return fileCreds;
+  }
+  return null;
+}
+function getCredentialsSync(hostname = "github.com") {
+  const normalizedHostname = normalizeHostname(hostname);
+  const store = readCredentialsStore();
+  return store.credentials[normalizedHostname] || null;
+}
+async function deleteCredentials(hostname = "github.com") {
+  const normalizedHostname = normalizeHostname(hostname);
+  let deletedFromKeyring = false;
+  let deletedFromFile = false;
+  if (isSecureStorageAvailable()) {
+    try {
+      deletedFromKeyring = await withTimeout(
+        keychainDelete(normalizedHostname),
+        KEYRING_TIMEOUT_MS
+      );
+    } catch (err) {
+      console.warn(
+        `[token-storage] Keyring delete failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  const store = readCredentialsStore();
+  if (store.credentials[normalizedHostname]) {
+    delete store.credentials[normalizedHostname];
+    if (Object.keys(store.credentials).length === 0) {
+      cleanupKeyFile();
+    } else {
+      writeCredentialsStore(store);
+    }
+    deletedFromFile = true;
+  }
+  invalidateCredentialsCache(normalizedHostname);
+  return {
+    success: deletedFromKeyring || deletedFromFile,
+    deletedFromKeyring,
+    deletedFromFile
+  };
+}
+async function listStoredHosts() {
+  const hosts = /* @__PURE__ */ new Set();
+  if (isSecureStorageAvailable()) {
+    try {
+      const keychainHosts = await withTimeout(
+        keychainList(),
+        KEYRING_TIMEOUT_MS
+      );
+      keychainHosts.forEach((h) => hosts.add(h));
+    } catch (err) {
+      if (!(err instanceof TimeoutError)) {
+        console.warn(
+          `[token-storage] Keyring list failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  }
+  const store = readCredentialsStore();
+  Object.keys(store.credentials).forEach((h) => hosts.add(h));
+  return Array.from(hosts);
+}
+function listStoredHostsSync() {
+  const store = readCredentialsStore();
+  return Object.keys(store.credentials);
+}
+async function hasCredentials(hostname = "github.com") {
+  return await getCredentials(hostname) !== null;
+}
+function hasCredentialsSync(hostname = "github.com") {
+  return getCredentialsSync(hostname) !== null;
+}
+async function updateToken(hostname, token) {
+  const credentials = await getCredentials(hostname);
+  if (!credentials) {
+    return false;
+  }
+  credentials.token = token;
+  credentials.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  await storeCredentials(credentials);
+  return true;
+}
+function getCredentialsFilePath() {
+  if (isSecureStorageAvailable()) {
+    return "System Keychain (secure)";
+  }
+  return CREDENTIALS_FILE;
+}
+function isUsingSecureStorage() {
+  return isSecureStorageAvailable();
+}
+function isTokenExpired(credentials) {
+  if (!credentials.token.expiresAt) {
+    return false;
+  }
+  const expiresAt = new Date(credentials.token.expiresAt);
+  if (isNaN(expiresAt.getTime())) {
+    return true;
+  }
+  const now = /* @__PURE__ */ new Date();
+  return expiresAt.getTime() - now.getTime() < 5 * 60 * 1e3;
+}
+function isRefreshTokenExpired(credentials) {
+  if (!credentials.token.refreshTokenExpiresAt) {
+    return false;
+  }
+  const expiresAt = new Date(credentials.token.refreshTokenExpiresAt);
+  if (isNaN(expiresAt.getTime())) {
+    return true;
+  }
+  return /* @__PURE__ */ new Date() >= expiresAt;
+}
+async function getToken(hostname = "github.com") {
+  const credentials = await getCredentials(hostname);
+  if (!credentials || !credentials.token) {
+    return null;
+  }
+  if (isTokenExpired(credentials)) {
+    return null;
+  }
+  return credentials.token.token;
+}
+function getApiBaseUrl(hostname) {
+  if (hostname === "github.com" || hostname === DEFAULT_HOSTNAME) {
+    return "https://api.github.com";
+  }
+  return `https://${hostname}/api/v3`;
+}
+async function refreshAuthToken(hostname = DEFAULT_HOSTNAME, clientId = DEFAULT_CLIENT_ID) {
+  const credentials = await getCredentials(hostname);
+  if (!credentials) {
+    return {
+      success: false,
+      error: `Not logged in to ${hostname}`
+    };
+  }
+  if (!credentials.token.refreshToken) {
+    return {
+      success: false,
+      error: "Token does not support refresh (OAuth App tokens do not expire)"
+    };
+  }
+  if (isRefreshTokenExpired(credentials)) {
+    return {
+      success: false,
+      error: "Refresh token has expired. Please login again."
+    };
+  }
+  try {
+    const response = await refreshToken({
+      clientType: "github-app",
+      clientId,
+      clientSecret: "",
+      // Empty for OAuth apps
+      refreshToken: credentials.token.refreshToken,
+      request: request.defaults({
+        baseUrl: getApiBaseUrl(hostname)
+      })
+    });
+    const newToken = {
+      token: response.authentication.token,
+      tokenType: "oauth",
+      refreshToken: response.authentication.refreshToken,
+      expiresAt: response.authentication.expiresAt,
+      refreshTokenExpiresAt: response.authentication.refreshTokenExpiresAt
+    };
+    await updateToken(hostname, newToken);
+    return {
+      success: true,
+      username: credentials.username,
+      hostname
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : "Token refresh failed"
+    };
+  }
+}
+async function getTokenWithRefresh(hostname = DEFAULT_HOSTNAME, clientId = DEFAULT_CLIENT_ID) {
+  const credentials = await getCredentials(hostname);
+  if (!credentials || !credentials.token) {
+    return { token: null, source: "none" };
+  }
+  if (!isTokenExpired(credentials)) {
+    return {
+      token: credentials.token.token,
+      source: "stored",
+      username: credentials.username
+    };
+  }
+  if (credentials.token.refreshToken) {
+    const refreshResult = await refreshAuthToken(hostname, clientId);
+    if (refreshResult.success) {
+      const updatedCredentials = await getCredentials(hostname);
+      if (updatedCredentials?.token.token) {
+        return {
+          token: updatedCredentials.token.token,
+          source: "refreshed",
+          username: updatedCredentials.username
+        };
+      }
+    }
+    return {
+      token: null,
+      source: "none",
+      refreshError: refreshResult.error
+    };
+  }
+  return {
+    token: null,
+    source: "none",
+    refreshError: "Token expired and no refresh token available"
+  };
+}
+async function resolveToken(hostname = "github.com") {
+  const envToken = getTokenFromEnv();
+  if (envToken) {
+    return {
+      token: envToken,
+      source: getEnvTokenSource() ?? "env:GITHUB_TOKEN"
+    };
+  }
+  const storedToken = await getToken(hostname);
+  if (storedToken) {
+    const source = isSecureStorageAvailable() ? "keychain" : "file";
+    return {
+      token: storedToken,
+      source
+    };
+  }
+  return null;
+}
+async function resolveTokenWithRefresh(hostname = DEFAULT_HOSTNAME, clientId = DEFAULT_CLIENT_ID) {
+  const envToken = getTokenFromEnv();
+  if (envToken) {
+    return {
+      token: envToken,
+      source: getEnvTokenSource() ?? "env:GITHUB_TOKEN",
+      wasRefreshed: false
+    };
+  }
+  const result = await getTokenWithRefresh(hostname, clientId);
+  if (result.token) {
+    const source = isSecureStorageAvailable() ? "keychain" : "file";
+    return {
+      token: result.token,
+      source,
+      wasRefreshed: result.source === "refreshed",
+      username: result.username
+    };
+  }
+  if (result.refreshError) {
+    return {
+      token: "",
+      source: null,
+      wasRefreshed: false,
+      refreshError: result.refreshError
+    };
+  }
+  return null;
+}
+async function resolveTokenFull(options) {
+  const hostname = options?.hostname ?? DEFAULT_HOSTNAME;
+  const clientId = options?.clientId ?? DEFAULT_CLIENT_ID;
+  const getGhCliToken = options?.getGhCliToken;
+  const envToken = getTokenFromEnv();
+  if (envToken) {
+    return {
+      token: envToken,
+      source: getEnvTokenSource() ?? "env:GITHUB_TOKEN",
+      wasRefreshed: false
+    };
+  }
+  return resolveTokenFullInternalNoEnv(hostname, clientId, getGhCliToken);
+}
+async function resolveTokenFullInternalNoEnv(hostname, clientId, getGhCliToken) {
+  const result = await getTokenWithRefresh(hostname, clientId);
+  if (result.token) {
+    const source = isSecureStorageAvailable() ? "keychain" : "file";
+    return {
+      token: result.token,
+      source,
+      wasRefreshed: result.source === "refreshed",
+      username: result.username
+    };
+  }
+  const refreshError = result.refreshError;
+  if (getGhCliToken) {
+    try {
+      const ghToken = await Promise.resolve(getGhCliToken(hostname));
+      if (ghToken?.trim()) {
+        return {
+          token: ghToken.trim(),
+          source: "gh-cli",
+          wasRefreshed: false,
+          refreshError
+          // Include any refresh error from step 4-5
+        };
+      }
+    } catch {
+    }
+  }
+  if (refreshError) {
+    return {
+      token: "",
+      source: null,
+      wasRefreshed: false,
+      refreshError
+    };
+  }
+  return null;
+}
+function getTokenSync(hostname = "github.com") {
+  const credentials = getCredentialsSync(hostname);
+  if (!credentials || !credentials.token) {
+    return null;
+  }
+  if (isTokenExpired(credentials)) {
+    return null;
+  }
+  return credentials.token.token;
+}
+export {
+  ensureOctocodeDir as A,
+  getTokenFromEnv as B,
+  CREDENTIALS_FILE as C,
+  getEnvTokenSource as D,
+  ENV_TOKEN_VARS as E,
+  hasEnvToken as F,
+  _resetSecureStorageState as G,
+  _getCacheStats as H,
+  _resetCredentialsCache as I,
+  KEY_FILE as K,
+  OCTOCODE_DIR as O,
+  TimeoutError as T,
+  _setSecureStorageAvailable as _,
+  isSecureStorageAvailable as a,
+  isUsingSecureStorage as b,
+  getCredentialsSync as c,
+  deleteCredentials as d,
+  invalidateCredentialsCache as e,
+  getToken as f,
+  getCredentials as g,
+  getTokenSync as h,
+  initializeSecureStorage as i,
+  getTokenWithRefresh as j,
+  resolveTokenWithRefresh as k,
+  refreshAuthToken as l,
+  resolveTokenFull as m,
+  listStoredHosts as n,
+  listStoredHostsSync as o,
+  hasCredentials as p,
+  hasCredentialsSync as q,
+  resolveToken as r,
+  storeCredentials as s,
+  isTokenExpired as t,
+  updateToken as u,
+  isRefreshTokenExpired as v,
+  getCredentialsFilePath as w,
+  readCredentialsStore as x,
+  encrypt as y,
+  decrypt as z
+};