pi-simocracy 0.1.1 → 0.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-simocracy",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "Pi extension: load a Simocracy sim into your chat — see its pixel-art sprite render inline in the terminal and roleplay with it.",
   "type": "module",
   "author": "David Dao <david@gainforest.earth> (https://github.com/daviddao)",
@@ -43,6 +43,8 @@
     "@mariozechner/pi-tui": ">=0.58.0"
   },
   "dependencies": {
+    "@atproto/api": "^0.19.11",
+    "@atproto/oauth-client-node": "^0.3.17",
     "pngjs": "^7.0.0",
     "typebox": "^1.1.24"
   },

package/src/auth/callback-server.ts

@@ -0,0 +1,93 @@
+/**
+ * Loopback HTTP server that catches the OAuth redirect after the user
+ * authorizes pi-simocracy in their browser. Pattern adapted from
+ * pi-mono's anthropic.ts.
+ *
+ * The server listens on 127.0.0.1:53682 (overridable via
+ * `PI_SIMOCRACY_OAUTH_PORT`), accepts a single `/callback` GET, and
+ * resolves with the URLSearchParams the OAuth client needs.
+ */
+
+import { createServer, type Server } from "node:http";
+
+import { oauthErrorHtml, oauthSuccessHtml } from "./pages.ts";
+
+export const CALLBACK_HOST = process.env.PI_SIMOCRACY_OAUTH_HOST ?? "127.0.0.1";
+export const CALLBACK_PORT = Number(process.env.PI_SIMOCRACY_OAUTH_PORT ?? "53682");
+export const CALLBACK_PATH = "/callback";
+export const CALLBACK_REDIRECT_URI = `http://${CALLBACK_HOST}:${CALLBACK_PORT}${CALLBACK_PATH}`;
+
+export interface CallbackHandle {
+  server: Server;
+  redirectUri: string;
+  /** Resolves with the params from the redirect URL (or null if cancelled). */
+  waitForParams: () => Promise<URLSearchParams | null>;
+  cancel: () => void;
+  close: () => void;
+}
+
+export async function startCallbackServer(): Promise<CallbackHandle> {
+  return new Promise((resolve, reject) => {
+    let settle: ((value: URLSearchParams | null) => void) | undefined;
+    const wait = new Promise<URLSearchParams | null>((resolveWait) => {
+      let settled = false;
+      settle = (v) => {
+        if (settled) return;
+        settled = true;
+        resolveWait(v);
+      };
+    });
+
+    const server = createServer((req, res) => {
+      try {
+        const url = new URL(req.url ?? "", `http://${CALLBACK_HOST}:${CALLBACK_PORT}`);
+        if (url.pathname !== CALLBACK_PATH) {
+          res.writeHead(404, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(oauthErrorHtml("Callback route not found."));
+          return;
+        }
+        const params = url.searchParams;
+        const error = params.get("error");
+        if (error) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(
+            oauthErrorHtml(
+              "ATProto sign-in did not complete.",
+              `Error: ${error}${params.get("error_description") ? `\n${params.get("error_description")}` : ""}`,
+            ),
+          );
+          settle?.(null);
+          return;
+        }
+        if (!params.get("code")) {
+          res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+          res.end(oauthErrorHtml("Missing `code` parameter on callback."));
+          settle?.(null);
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+        res.end(
+          oauthSuccessHtml(
+            "Sign-in complete. You can close this browser tab and return to the terminal.",
+          ),
+        );
+        settle?.(params);
+      } catch {
+        res.writeHead(500, { "Content-Type": "text/plain; charset=utf-8" });
+        res.end("Internal error in callback server");
+      }
+    });
+
+    server.on("error", (err) => reject(err));
+
+    server.listen(CALLBACK_PORT, CALLBACK_HOST, () => {
+      resolve({
+        server,
+        redirectUri: CALLBACK_REDIRECT_URI,
+        waitForParams: () => wait,
+        cancel: () => settle?.(null),
+        close: () => server.close(),
+      });
+    });
+  });
+}

package/src/auth/commands.ts

@@ -0,0 +1,159 @@
+/**
+ * Handlers for `/sim login`, `/sim logout`, `/sim whoami`.
+ *
+ * These power the ATProto / Bluesky sign-in flow used by `--apply`
+ * subcommands that write records to the user's PDS. They are dispatched
+ * from inside the `/sim` slash command in `src/index.ts` rather than
+ * registered as top-level slash commands, because pi itself ships a
+ * built-in `/login` (Anthropic OAuth) and `/logout` — colliding with
+ * those would emit "Skipping in autocomplete" warnings on every boot
+ * and confuse users about which account they're signing into.
+ *
+ * `/sim login` runs the loopback OAuth flow described in
+ * https://atproto.com/guides/oauth-cli-tutorial:
+ *   1. Start a localhost server on 127.0.0.1:53682/callback.
+ *   2. Build the authorize URL via `oauthClient.authorize(handle)`.
+ *   3. Open the URL in the user's default browser; also print it as a
+ *      fallback in case the browser can't be opened (SSH, etc.).
+ *   4. Wait for the `/callback` GET, exchange the code via
+ *      `oauthClient.callback(searchParams)` (DPoP-bound).
+ *   5. Persist the auth record (DID + handle) to
+ *      ~/.config/pi-simocracy/auth.json so subsequent commands can
+ *      call `getAuthenticatedAgent()` from `src/writes.ts`.
+ */
+
+import { exec } from "node:child_process";
+import { platform } from "node:os";
+
+import type { ExtensionCommandContext } from "@mariozechner/pi-coding-agent";
+
+import { resolveHandle } from "../simocracy.ts";
+import { startCallbackServer } from "./callback-server.ts";
+import { getOAuthClient } from "./oauth.ts";
+import { clearAuth, readAuth, writeAuth } from "./storage.ts";
+
+export async function runLogin(
+  ctx: ExtensionCommandContext,
+  arg: string,
+): Promise<void> {
+  const handleArg = arg.trim();
+  let handle: string;
+  if (handleArg) {
+    handle = handleArg.replace(/^@/, "");
+  } else {
+    const prompt = await ctx.ui.input(
+      "Sign in with ATProto / Bluesky — your handle",
+      "alice.bsky.social",
+    );
+    if (!prompt?.trim()) {
+      ctx.ui.notify("Cancelled.", "info");
+      return;
+    }
+    handle = prompt.trim().replace(/^@/, "");
+  }
+
+  ctx.ui.notify(
+    `Signing in with ATProto / Bluesky as @${handle}. Starting loopback OAuth flow on 127.0.0.1:53682… (this is NOT Anthropic auth — pi's built-in /login does that.)`,
+    "info",
+  );
+
+  let callback: Awaited<ReturnType<typeof startCallbackServer>>;
+  try {
+    callback = await startCallbackServer();
+  } catch (err) {
+    ctx.ui.notify(`Could not bind callback server: ${(err as Error).message}`, "error");
+    return;
+  }
+
+  try {
+    const client = getOAuthClient();
+    let authUrl: URL;
+    try {
+      authUrl = await client.authorize(handle, {
+        scope: "atproto transition:generic",
+      });
+    } catch (err) {
+      ctx.ui.notify(
+        `Could not start OAuth: ${(err as Error).message}. Check the handle and try again.`,
+        "error",
+      );
+      return;
+    }
+
+    ctx.ui.notify(
+      `Opening ${authUrl.origin} in your browser — grant pi-simocracy access to your ATProto repo. If the browser doesn't open automatically, paste this URL: ${authUrl.toString()}`,
+      "info",
+    );
+    openInBrowser(authUrl.toString());
+
+    const params = await callback.waitForParams();
+    if (!params) {
+      ctx.ui.notify("Sign-in cancelled.", "info");
+      return;
+    }
+
+    let result;
+    try {
+      result = await client.callback(params);
+    } catch (err) {
+      ctx.ui.notify(`Token exchange failed: ${(err as Error).message}`, "error");
+      return;
+    }
+
+    const did = result.session.did;
+    const handleResolved = await resolveHandle(did).catch(() => null);
+    writeAuth({ did, handle: handleResolved, lastLogin: new Date().toISOString() });
+
+    ctx.ui.notify(
+      handleResolved
+        ? `🔐 Signed in to ATProto as @${handleResolved} (${did}). You can now use /sim interview --apply and /sim train apply --apply to write to your PDS.`
+        : `🔐 Signed in to ATProto as ${did}. You can now use /sim interview --apply and /sim train apply --apply to write to your PDS.`,
+      "info",
+    );
+  } finally {
+    callback.close();
+  }
+}
+
+export async function runLogout(ctx: ExtensionCommandContext): Promise<void> {
+  const auth = readAuth();
+  if (!auth) {
+    ctx.ui.notify("Not signed into ATProto. (Note: this is separate from pi's Anthropic /login.)", "info");
+    return;
+  }
+  clearAuth();
+  ctx.ui.notify(
+    `Signed out of ATProto ${auth.handle ? `@${auth.handle}` : auth.did}. Local OAuth tokens cleared from ~/.config/pi-simocracy/auth.json. (Pi's Anthropic session is unaffected.)`,
+    "info",
+  );
+}
+
+export async function runWhoami(ctx: ExtensionCommandContext): Promise<void> {
+  const auth = readAuth();
+  if (!auth) {
+    ctx.ui.notify(
+      "Not signed into ATProto. Run `/sim login <handle>` (e.g. `/sim login alice.bsky.social`) to sign in with your Bluesky / ATProto account. This is separate from pi's built-in `/login` (Anthropic).",
+      "info",
+    );
+    return;
+  }
+  ctx.ui.notify(
+    auth.handle
+      ? `Signed into ATProto as @${auth.handle} (${auth.did}) since ${auth.lastLogin}. Use /sim interview --apply or /sim train apply --apply to write records to your PDS.`
+      : `Signed into ATProto as ${auth.did} since ${auth.lastLogin}. Use /sim interview --apply or /sim train apply --apply to write records to your PDS.`,
+    "info",
+  );
+}
+
+function openInBrowser(url: string): void {
+  const escaped = url.replace(/"/g, '\\"');
+  const command =
+    platform() === "darwin"
+      ? `open "${escaped}"`
+      : platform() === "win32"
+        ? `start "" "${escaped}"`
+        : `xdg-open "${escaped}"`;
+  exec(command, () => {
+    /* best effort — failure is fine, user has the URL printed */
+  });
+}

package/src/auth/oauth.ts

@@ -0,0 +1,55 @@
+/**
+ * NodeOAuthClient singleton for the loopback OAuth flow.
+ *
+ * Builds client metadata via `buildAtprotoLoopbackClientMetadata` so
+ * we don't need a hosted client_metadata.json — the redirect URI is
+ * the loopback URL the callback server listens on. The client is
+ * cached process-wide because building it does some PKCE crypto and
+ * registering can fail on subsequent calls.
+ */
+
+import {
+  NodeOAuthClient,
+  type NodeOAuthClientOptions,
+} from "@atproto/oauth-client-node";
+
+import { CALLBACK_REDIRECT_URI } from "./callback-server.ts";
+import { sessionStore, stateStore } from "./storage.ts";
+
+const SCOPES = "atproto transition:generic";
+
+let cached: NodeOAuthClient | null = null;
+
+export function getOAuthClient(): NodeOAuthClient {
+  if (cached) return cached;
+  // Note: NodeOAuthClient builds the loopback client metadata
+  // internally when client_id starts with `http://localhost`.
+  // We pass the loopback URL so it picks the loopback flow.
+  const clientId =
+    `http://localhost?` +
+    new URLSearchParams({
+      scope: SCOPES,
+      redirect_uri: CALLBACK_REDIRECT_URI,
+    }).toString();
+
+  const options: NodeOAuthClientOptions = {
+    clientMetadata: {
+      client_id: clientId,
+      client_name: "pi-simocracy",
+      redirect_uris: [CALLBACK_REDIRECT_URI as `http://127.0.0.1:${string}`],
+      scope: SCOPES,
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      application_type: "native",
+      token_endpoint_auth_method: "none",
+      dpop_bound_access_tokens: true,
+    },
+    stateStore,
+    sessionStore,
+  };
+
+  cached = new NodeOAuthClient(options);
+  return cached;
+}
+
+export const OAUTH_SCOPES = SCOPES;

package/src/auth/pages.ts

@@ -0,0 +1,100 @@
+/**
+ * HTML pages served by the loopback callback server.
+ *
+ * Pattern adapted from pi-mono's `oauth-page.ts` (MIT) — same dark
+ * card style, no third-party assets, escapes user-supplied strings.
+ */
+
+function escapeHtml(value: string): string {
+  return value
+    .replaceAll("&", "&")
+    .replaceAll("<", "&lt;")
+    .replaceAll(">", "&gt;")
+    .replaceAll('"', "&quot;")
+    .replaceAll("'", "&#39;");
+}
+
+function renderPage(opts: {
+  title: string;
+  heading: string;
+  message: string;
+  details?: string;
+}): string {
+  const title = escapeHtml(opts.title);
+  const heading = escapeHtml(opts.heading);
+  const message = escapeHtml(opts.message);
+  const details = opts.details ? escapeHtml(opts.details) : undefined;
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>${title}</title>
+  <style>
+    :root {
+      --text: #fafafa;
+      --text-dim: #a1a1aa;
+      --page-bg: #09090b;
+      --font-sans: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
+      --font-mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace;
+    }
+    * { box-sizing: border-box; }
+    html { color-scheme: dark; }
+    body {
+      margin: 0;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 24px;
+      background: var(--page-bg);
+      color: var(--text);
+      font-family: var(--font-sans);
+      text-align: center;
+    }
+    main {
+      width: 100%;
+      max-width: 560px;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+    }
+    h1 { margin: 0 0 10px; font-size: 28px; line-height: 1.15; font-weight: 650; }
+    p { margin: 0; line-height: 1.7; color: var(--text-dim); font-size: 15px; }
+    .details {
+      margin-top: 16px;
+      font-family: var(--font-mono);
+      font-size: 13px;
+      color: var(--text-dim);
+      white-space: pre-wrap;
+      word-break: break-word;
+    }
+  </style>
+</head>
+<body>
+  <main>
+    <h1>${heading}</h1>
+    <p>${message}</p>
+    ${details ? `<div class="details">${details}</div>` : ""}
+  </main>
+</body>
+</html>`;
+}
+
+export function oauthSuccessHtml(message: string): string {
+  return renderPage({
+    title: "Signed in",
+    heading: "Signed in",
+    message,
+  });
+}
+
+export function oauthErrorHtml(message: string, details?: string): string {
+  return renderPage({
+    title: "Sign-in failed",
+    heading: "Sign-in failed",
+    message,
+    details,
+  });
+}

package/src/auth/storage.ts

@@ -0,0 +1,121 @@
+/**
+ * File-backed StateStore + SessionStore for the ATProto loopback
+ * OAuth flow, plus a single-DID `auth.json` that records who's
+ * currently signed in (so `/whoami` works without round-tripping the
+ * session store).
+ *
+ * Files live in the platform's XDG config dir:
+ *   ~/.config/pi-simocracy/auth.json            — { did, handle, lastLogin }
+ *   ~/.config/pi-simocracy/oauth-state.json     — OAuth state map
+ *   ~/.config/pi-simocracy/oauth-sessions.json  — OAuth session map
+ *
+ * The session/state stores serialize per-call to keep the file
+ * authoritative — these stores are accessed once per command, not in
+ * a hot path, so locking isn't needed.
+ */
+
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+import type {
+  NodeSavedSession,
+  NodeSavedSessionStore,
+  NodeSavedState,
+  NodeSavedStateStore,
+} from "@atproto/oauth-client-node";
+
+const DATA_DIR = process.env.XDG_CONFIG_HOME
+  ? join(process.env.XDG_CONFIG_HOME, "pi-simocracy")
+  : join(homedir(), ".config", "pi-simocracy");
+
+const STATE_FILE = join(DATA_DIR, "oauth-state.json");
+const SESSION_FILE = join(DATA_DIR, "oauth-sessions.json");
+const AUTH_FILE = join(DATA_DIR, "auth.json");
+
+export interface AuthRecord {
+  did: string;
+  handle: string | null;
+  lastLogin: string;
+}
+
+function ensureDir(): void {
+  mkdirSync(DATA_DIR, { recursive: true });
+}
+
+function readMap<V>(path: string): Record<string, V> {
+  if (!existsSync(path)) return {};
+  try {
+    return JSON.parse(readFileSync(path, "utf8")) as Record<string, V>;
+  } catch (err) {
+    console.error(`[pi-simocracy] Could not parse ${path}:`, (err as Error).message);
+    return {};
+  }
+}
+
+function writeMap<V>(path: string, value: Record<string, V>): void {
+  ensureDir();
+  writeFileSync(path, JSON.stringify(value, null, 2), "utf8");
+}
+
+export const stateStore: NodeSavedStateStore = {
+  get(key: string) {
+    const map = readMap<NodeSavedState>(STATE_FILE);
+    return map[key];
+  },
+  set(key: string, value: NodeSavedState) {
+    const map = readMap<NodeSavedState>(STATE_FILE);
+    map[key] = value;
+    writeMap(STATE_FILE, map);
+  },
+  del(key: string) {
+    const map = readMap<NodeSavedState>(STATE_FILE);
+    delete map[key];
+    writeMap(STATE_FILE, map);
+  },
+};
+
+export const sessionStore: NodeSavedSessionStore = {
+  get(key: string) {
+    const map = readMap<NodeSavedSession>(SESSION_FILE);
+    return map[key];
+  },
+  set(key: string, value: NodeSavedSession) {
+    const map = readMap<NodeSavedSession>(SESSION_FILE);
+    map[key] = value;
+    writeMap(SESSION_FILE, map);
+  },
+  del(key: string) {
+    const map = readMap<NodeSavedSession>(SESSION_FILE);
+    delete map[key];
+    writeMap(SESSION_FILE, map);
+  },
+};
+
+export function readAuth(): AuthRecord | null {
+  if (!existsSync(AUTH_FILE)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync(AUTH_FILE, "utf8")) as Partial<AuthRecord>;
+    if (!parsed.did) return null;
+    return {
+      did: parsed.did,
+      handle: parsed.handle ?? null,
+      lastLogin: parsed.lastLogin ?? new Date().toISOString(),
+    };
+  } catch {
+    return null;
+  }
+}
+
+export function writeAuth(record: AuthRecord): void {
+  ensureDir();
+  writeFileSync(AUTH_FILE, JSON.stringify(record, null, 2), "utf8");
+}
+
+export function clearAuth(): void {
+  if (existsSync(AUTH_FILE)) rmSync(AUTH_FILE, { force: true });
+  if (existsSync(SESSION_FILE)) rmSync(SESSION_FILE, { force: true });
+  if (existsSync(STATE_FILE)) rmSync(STATE_FILE, { force: true });
+}
+
+export const AUTH_DIR = DATA_DIR;