opencode-account-manager 0.6.4 → 0.6.6

package/src/core/crypto.ts

@@ -1,162 +1,162 @@
-import * as crypto from "crypto";
-
-// ============================================================================
-// Constants
-// ============================================================================
-
-const ALGORITHM = "aes-256-gcm";
-const KEY_LENGTH = 32; // 256 bits
-const SALT_LENGTH = 32; // 256 bits
-const IV_LENGTH = 12; // 96 bits (recommended for GCM)
-const AUTH_TAG_LENGTH = 16; // 128 bits
-
-// scrypt parameters (N=16384, r=8, p=1)
-const SCRYPT_N = 16384;
-const SCRYPT_R = 8;
-const SCRYPT_P = 1;
-
-// ============================================================================
-// Types
-// ============================================================================
-
-export interface EncryptedData {
-  salt: string; // hex
-  iv: string; // hex
-  authTag: string; // hex
-  data: string; // hex (encrypted content)
-}
-
-// ============================================================================
-// Helper Functions
-// ============================================================================
-
-/**
- * Generate random bytes and return as hex string
- */
-function randomHex(length: number): string {
-  return crypto.randomBytes(length).toString("hex");
-}
-
-/**
- * Derive encryption key from password using scrypt
- */
-function deriveKey(password: string, salt: Buffer): Buffer {
-  return crypto.scryptSync(password, salt, KEY_LENGTH, {
-    N: SCRYPT_N,
-    r: SCRYPT_R,
-    p: SCRYPT_P,
-  });
-}
-
-// ============================================================================
-// Public Functions
-// ============================================================================
-
-/**
- * Generate a random salt for encryption
- */
-export function generateSalt(): string {
-  return randomHex(SALT_LENGTH);
-}
-
-/**
- * Generate a random IV for encryption
- */
-export function generateIV(): string {
-  return randomHex(IV_LENGTH);
-}
-
-/**
- * Encrypt data object with password using AES-256-GCM
- * 
- * @param data - Object to encrypt (will be JSON stringified)
- * @param password - Password for encryption
- * @returns Encrypted data with salt, iv, authTag, and encrypted content
- */
-export function encrypt(data: object, password: string): EncryptedData {
-  // Generate random salt and IV
-  const salt = Buffer.from(generateSalt(), "hex");
-  const iv = Buffer.from(generateIV(), "hex");
-
-  // Derive key from password
-  const key = deriveKey(password, salt);
-
-  // Create cipher
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
-    authTagLength: AUTH_TAG_LENGTH,
-  });
-
-  // Encrypt data
-  const plaintext = JSON.stringify(data);
-  const encrypted = Buffer.concat([
-    cipher.update(plaintext, "utf8"),
-    cipher.final(),
-  ]);
-
-  // Get auth tag
-  const authTag = cipher.getAuthTag();
-
-  return {
-    salt: salt.toString("hex"),
-    iv: iv.toString("hex"),
-    authTag: authTag.toString("hex"),
-    data: encrypted.toString("hex"),
-  };
-}
-
-/**
- * Decrypt data with password using AES-256-GCM
- * 
- * @param encrypted - Encrypted data object
- * @param password - Password for decryption
- * @returns Decrypted object
- * @throws Error if password is wrong or data is corrupted
- */
-export function decrypt<T = unknown>(encrypted: EncryptedData, password: string): T {
-  // Convert hex strings to buffers
-  const salt = Buffer.from(encrypted.salt, "hex");
-  const iv = Buffer.from(encrypted.iv, "hex");
-  const authTag = Buffer.from(encrypted.authTag, "hex");
-  const data = Buffer.from(encrypted.data, "hex");
-
-  // Derive key from password
-  const key = deriveKey(password, salt);
-
-  // Create decipher
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
-    authTagLength: AUTH_TAG_LENGTH,
-  });
-
-  // Set auth tag for verification
-  decipher.setAuthTag(authTag);
-
-  try {
-    // Decrypt data
-    const decrypted = Buffer.concat([
-      decipher.update(data),
-      decipher.final(),
-    ]);
-
-    // Parse JSON
-    return JSON.parse(decrypted.toString("utf8")) as T;
-  } catch (error) {
-    // Auth tag verification failed or JSON parse failed
-    throw new Error("Invalid password or corrupted file");
-  }
-}
-
-/**
- * Verify if a password can decrypt the data
- * 
- * @param encrypted - Encrypted data object
- * @param password - Password to verify
- * @returns true if password is correct
- */
-export function verifyPassword(encrypted: EncryptedData, password: string): boolean {
-  try {
-    decrypt(encrypted, password);
-    return true;
-  } catch {
-    return false;
-  }
-}
+import * as crypto from "crypto";
+
+// ============================================================================
+// Constants
+// ============================================================================
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32; // 256 bits
+const SALT_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits (recommended for GCM)
+const AUTH_TAG_LENGTH = 16; // 128 bits
+
+// scrypt parameters (N=16384, r=8, p=1)
+const SCRYPT_N = 16384;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface EncryptedData {
+  salt: string; // hex
+  iv: string; // hex
+  authTag: string; // hex
+  data: string; // hex (encrypted content)
+}
+
+// ============================================================================
+// Helper Functions
+// ============================================================================
+
+/**
+ * Generate random bytes and return as hex string
+ */
+function randomHex(length: number): string {
+  return crypto.randomBytes(length).toString("hex");
+}
+
+/**
+ * Derive encryption key from password using scrypt
+ */
+function deriveKey(password: string, salt: Buffer): Buffer {
+  return crypto.scryptSync(password, salt, KEY_LENGTH, {
+    N: SCRYPT_N,
+    r: SCRYPT_R,
+    p: SCRYPT_P,
+  });
+}
+
+// ============================================================================
+// Public Functions
+// ============================================================================
+
+/**
+ * Generate a random salt for encryption
+ */
+export function generateSalt(): string {
+  return randomHex(SALT_LENGTH);
+}
+
+/**
+ * Generate a random IV for encryption
+ */
+export function generateIV(): string {
+  return randomHex(IV_LENGTH);
+}
+
+/**
+ * Encrypt data object with password using AES-256-GCM
+ * 
+ * @param data - Object to encrypt (will be JSON stringified)
+ * @param password - Password for encryption
+ * @returns Encrypted data with salt, iv, authTag, and encrypted content
+ */
+export function encrypt(data: object, password: string): EncryptedData {
+  // Generate random salt and IV
+  const salt = Buffer.from(generateSalt(), "hex");
+  const iv = Buffer.from(generateIV(), "hex");
+
+  // Derive key from password
+  const key = deriveKey(password, salt);
+
+  // Create cipher
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  // Encrypt data
+  const plaintext = JSON.stringify(data);
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+
+  // Get auth tag
+  const authTag = cipher.getAuthTag();
+
+  return {
+    salt: salt.toString("hex"),
+    iv: iv.toString("hex"),
+    authTag: authTag.toString("hex"),
+    data: encrypted.toString("hex"),
+  };
+}
+
+/**
+ * Decrypt data with password using AES-256-GCM
+ * 
+ * @param encrypted - Encrypted data object
+ * @param password - Password for decryption
+ * @returns Decrypted object
+ * @throws Error if password is wrong or data is corrupted
+ */
+export function decrypt<T = unknown>(encrypted: EncryptedData, password: string): T {
+  // Convert hex strings to buffers
+  const salt = Buffer.from(encrypted.salt, "hex");
+  const iv = Buffer.from(encrypted.iv, "hex");
+  const authTag = Buffer.from(encrypted.authTag, "hex");
+  const data = Buffer.from(encrypted.data, "hex");
+
+  // Derive key from password
+  const key = deriveKey(password, salt);
+
+  // Create decipher
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  // Set auth tag for verification
+  decipher.setAuthTag(authTag);
+
+  try {
+    // Decrypt data
+    const decrypted = Buffer.concat([
+      decipher.update(data),
+      decipher.final(),
+    ]);
+
+    // Parse JSON
+    return JSON.parse(decrypted.toString("utf8")) as T;
+  } catch (error) {
+    // Auth tag verification failed or JSON parse failed
+    throw new Error("Invalid password or corrupted file");
+  }
+}
+
+/**
+ * Verify if a password can decrypt the data
+ * 
+ * @param encrypted - Encrypted data object
+ * @param password - Password to verify
+ * @returns true if password is correct
+ */
+export function verifyPassword(encrypted: EncryptedData, password: string): boolean {
+  try {
+    decrypt(encrypted, password);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/src/core/health-log.ts

@@ -0,0 +1,173 @@
+import fs from "fs";
+import path from "path";
+import { AccountHealthResult, AccountHealthStatus } from "./types";
+import { getAntigravityLogsPath } from "./paths";
+import { normalizeHealthKey } from "./config-store";
+
+const DEFAULT_MAX_FILES = 10;
+const DEFAULT_MAX_BYTES = 2 * 1024 * 1024;
+const EMAIL_REGEX = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
+
+const STATUS_PRIORITY: Record<AccountHealthStatus, number> = {
+  verification_required: 9,
+  disabled: 8,
+  deleted: 7,
+  password_changed: 6,
+  revoked: 5,
+  network_error: 4,
+  unknown_error: 3,
+  not_configured: 2,
+  not_checked: 1,
+  ok: 0,
+};
+
+function mapLineToStatus(line: string): AccountHealthStatus | undefined {
+  const text = line.toLowerCase();
+
+  if (
+    text.includes("verification required") ||
+    text.includes("complete verification") ||
+    text.includes("verify your account") ||
+    text.includes("login_required") ||
+    text.includes("challenge")
+  ) {
+    return "verification_required";
+  }
+
+  if (text.includes("invalid_grant")) {
+    if (text.includes("disabled")) return "disabled";
+    if (text.includes("deleted")) return "deleted";
+    if (text.includes("password")) return "password_changed";
+    if (text.includes("revoked") || text.includes("expired")) return "revoked";
+    return "revoked";
+  }
+
+  if (text.includes("account has been disabled")) return "disabled";
+  if (text.includes("account has been deleted")) return "deleted";
+  if (text.includes("password changed")) return "password_changed";
+  if (text.includes("revoked")) return "revoked";
+
+  if (
+    text.includes("timeout") ||
+    text.includes("econnreset") ||
+    text.includes("enetunreach") ||
+    text.includes("eai_again") ||
+    text.includes("rate limit")
+  ) {
+    return "network_error";
+  }
+
+  return undefined;
+}
+
+function mergeHealthResults(
+  left: AccountHealthResult | undefined,
+  right: AccountHealthResult | undefined
+): AccountHealthResult | undefined {
+  if (!left) return right;
+  if (!right) return left;
+
+  const leftPriority = STATUS_PRIORITY[left.status] ?? 0;
+  const rightPriority = STATUS_PRIORITY[right.status] ?? 0;
+  if (leftPriority !== rightPriority) {
+    return leftPriority > rightPriority ? left : right;
+  }
+
+  if (left.checkedAt !== right.checkedAt) {
+    return left.checkedAt > right.checkedAt ? left : right;
+  }
+
+  const sourcePriority = { oauth: 3, log: 2, cache: 1, manual: 0 } as const;
+  const leftSource = sourcePriority[left.source] ?? 0;
+  const rightSource = sourcePriority[right.source] ?? 0;
+  return leftSource >= rightSource ? left : right;
+}
+
+function readFileTail(filePath: string, maxBytes: number): string {
+  const stat = fs.statSync(filePath);
+  const size = stat.size;
+  if (size <= maxBytes) {
+    return fs.readFileSync(filePath, "utf8");
+  }
+
+  const fd = fs.openSync(filePath, "r");
+  try {
+    const buffer = Buffer.allocUnsafe(maxBytes);
+    const start = Math.max(0, size - maxBytes);
+    fs.readSync(fd, buffer, 0, maxBytes, start);
+    return buffer.toString("utf8");
+  } finally {
+    fs.closeSync(fd);
+  }
+}
+
+export interface LogHealthOptions {
+  logDir?: string;
+  maxFiles?: number;
+  maxBytes?: number;
+}
+
+export function collectLogHealthResults(
+  options: LogHealthOptions = {}
+): Record<string, AccountHealthResult> {
+  const logDir = options.logDir || getAntigravityLogsPath();
+  if (!fs.existsSync(logDir)) return {};
+
+  const maxFiles = options.maxFiles ?? DEFAULT_MAX_FILES;
+  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
+
+  const entries = fs.readdirSync(logDir)
+    .map((name) => {
+      const fullPath = path.join(logDir, name);
+      try {
+        const stat = fs.statSync(fullPath);
+        return { name, fullPath, stat };
+      } catch {
+        return undefined;
+      }
+    })
+    .filter((entry): entry is { name: string; fullPath: string; stat: fs.Stats } => !!entry)
+    .filter((entry) => entry.stat.isFile())
+    .sort((a, b) => b.stat.mtimeMs - a.stat.mtimeMs)
+    .slice(0, maxFiles);
+
+  const results: Record<string, AccountHealthResult> = {};
+
+  for (const entry of entries) {
+    let content = "";
+    try {
+      content = readFileTail(entry.fullPath, maxBytes);
+    } catch {
+      continue;
+    }
+
+    const lines = content.split(/\r?\n/);
+    for (const line of lines) {
+      const status = mapLineToStatus(line);
+      if (!status) continue;
+
+      const emails = line.match(EMAIL_REGEX) || [];
+      if (emails.length === 0) continue;
+
+      for (const email of emails) {
+        const key = normalizeHealthKey(email);
+        const candidate: AccountHealthResult = {
+          status,
+          source: "log",
+          checkedAt: entry.stat.mtimeMs,
+          message: line.trim().slice(0, 200),
+        };
+        results[key] = mergeHealthResults(results[key], candidate) || candidate;
+      }
+    }
+  }
+
+  return results;
+}
+
+export function mergeAccountHealth(
+  primary: AccountHealthResult | undefined,
+  secondary: AccountHealthResult | undefined
+): AccountHealthResult | undefined {
+  return mergeHealthResults(primary, secondary);
+}

package/src/core/health-oauth.ts

@@ -0,0 +1,190 @@
+import https from "https";
+import {
+  AccountHealthResult,
+  AccountHealthStatus,
+  HealthOAuthConfig,
+} from "./types";
+import { getHealthOAuthConfig } from "./config-store";
+
+const DEFAULT_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token";
+const REQUEST_TIMEOUT_MS = 10000;
+
+interface OAuthErrorResponse {
+  error?: string;
+  error_description?: string;
+}
+
+interface OAuthSuccessResponse {
+  access_token: string;
+  expires_in?: number;
+  scope?: string;
+  token_type?: string;
+}
+
+function resolveOAuthConfig(): HealthOAuthConfig | undefined {
+  const config = getHealthOAuthConfig() || {};
+  const clientId = process.env.OCAM_OAUTH_CLIENT_ID || config.clientId;
+  const clientSecret = process.env.OCAM_OAUTH_CLIENT_SECRET || config.clientSecret;
+  const tokenEndpoint = process.env.OCAM_OAUTH_TOKEN_ENDPOINT || config.tokenEndpoint;
+  if (!clientId || !clientSecret) return undefined;
+  return {
+    clientId,
+    clientSecret,
+    tokenEndpoint: tokenEndpoint || DEFAULT_TOKEN_ENDPOINT,
+  };
+}
+
+export function isOAuthHealthCheckConfigured(): boolean {
+  return !!resolveOAuthConfig();
+}
+
+function mapOAuthError(
+  error?: string,
+  description?: string,
+  httpStatus?: number
+): AccountHealthStatus {
+  const desc = (description || "").toLowerCase();
+
+  if (error === "invalid_client") return "not_configured";
+
+  if (error === "invalid_grant") {
+    if (desc.includes("disabled")) return "disabled";
+    if (desc.includes("deleted")) return "deleted";
+    if (desc.includes("password")) return "password_changed";
+    if (
+      desc.includes("verify") ||
+      desc.includes("verification") ||
+      desc.includes("challenge") ||
+      desc.includes("login_required") ||
+      desc.includes("login required")
+    ) {
+      return "verification_required";
+    }
+    if (desc.includes("revoked") || desc.includes("expired")) return "revoked";
+    return "revoked";
+  }
+
+  if (error === "consent_required") return "verification_required";
+  if (error === "access_denied") return "disabled";
+  if (error === "rate_limit_exceeded") return "network_error";
+  if (error === "server_error") return "network_error";
+  if (error === "temporarily_unavailable") return "network_error";
+
+  if (httpStatus && httpStatus >= 500) return "network_error";
+
+  return "unknown_error";
+}
+
+function buildResult(
+  status: AccountHealthStatus,
+  source: "oauth",
+  detail?: {
+    error?: string;
+    errorDescription?: string;
+    httpStatus?: number;
+    message?: string;
+  }
+): AccountHealthResult {
+  return {
+    status,
+    source,
+    checkedAt: Date.now(),
+    message: detail?.message,
+    errorCode: detail?.error,
+    errorDescription: detail?.errorDescription,
+    httpStatus: detail?.httpStatus,
+  };
+}
+
+export function buildOAuthRequestBody(refreshToken: string, config: HealthOAuthConfig): string {
+  const params = new URLSearchParams({
+    client_id: config.clientId || "",
+    client_secret: config.clientSecret || "",
+    refresh_token: refreshToken,
+    grant_type: "refresh_token",
+  });
+  return params.toString();
+}
+
+export async function checkAccountHealthOAuth(
+  refreshToken: string
+): Promise<AccountHealthResult> {
+  const config = resolveOAuthConfig();
+  if (!config) {
+    return buildResult("not_configured", "oauth", {
+      message: "Missing OAuth client_id/client_secret",
+    });
+  }
+
+  if (!refreshToken) {
+    return buildResult("unknown_error", "oauth", {
+      message: "Missing refresh token",
+    });
+  }
+
+  const tokenEndpoint = config.tokenEndpoint || DEFAULT_TOKEN_ENDPOINT;
+  const body = buildOAuthRequestBody(refreshToken, config);
+
+  return new Promise<AccountHealthResult>((resolve) => {
+    const request = https.request(
+      tokenEndpoint,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Content-Length": Buffer.byteLength(body),
+        },
+        timeout: REQUEST_TIMEOUT_MS,
+      },
+      (response) => {
+        const chunks: Buffer[] = [];
+        response.on("data", (chunk) => chunks.push(chunk));
+        response.on("end", () => {
+          const raw = Buffer.concat(chunks).toString("utf8");
+          const httpStatus = response.statusCode || 0;
+
+          try {
+            const parsed = JSON.parse(raw) as OAuthSuccessResponse & OAuthErrorResponse;
+
+            if (httpStatus >= 200 && httpStatus < 300 && parsed.access_token) {
+              resolve(buildResult("ok", "oauth", { httpStatus }));
+              return;
+            }
+
+            const status = mapOAuthError(parsed.error, parsed.error_description, httpStatus);
+            resolve(
+              buildResult(status, "oauth", {
+                error: parsed.error,
+                errorDescription: parsed.error_description,
+                httpStatus,
+              })
+            );
+          } catch (error) {
+            const status = httpStatus >= 500 ? "network_error" : "unknown_error";
+            resolve(
+              buildResult(status, "oauth", {
+                httpStatus,
+                message: `Invalid response: ${error instanceof Error ? error.message : "unknown"}`,
+              })
+            );
+          }
+        });
+      }
+    );
+
+    request.on("timeout", () => {
+      request.destroy(new Error("Request timeout"));
+    });
+
+    request.on("error", (err) => {
+      resolve(
+        buildResult("network_error", "oauth", {
+          message: err.message,
+        })
+      );
+    });
+
+    request.write(body);
+    request.end();
+  });
+}