poe-code 3.0.99 → 3.0.101

package/dist/providers/poe-agent.js

@@ -630,8 +630,8 @@ function resourceNotFound(resource) {
     `Resource not found: ${resource}`
   );
 }
-function assertAbsolutePath(path7) {
-  if (!isAbsolute(path7)) {
+function assertAbsolutePath(path6) {
+  if (!isAbsolute(path6)) {
     throw invalidParams('"path" must be an absolute path');
   }
 }
@@ -1406,7 +1406,7 @@ var require_config_toml = __commonJS({
   }
 });
 
-// packages/poe-auth/src/encrypted-file-auth-store.ts
+// packages/auth-store/src/encrypted-file-store.ts
 import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "node:crypto";
 import { promises as fs } from "node:fs";
 import { homedir as homedir2, hostname, userInfo } from "node:os";
@@ -1417,11 +1417,11 @@ function defaultMachineIdentity() {
     username: userInfo().username
   };
 }
-async function deriveEncryptionKey(getMachineIdentity) {
+async function deriveEncryptionKey(getMachineIdentity, salt) {
   const machineIdentity = await getMachineIdentity();
   const secret = `${machineIdentity.hostname}:${machineIdentity.username}`;
   return await new Promise((resolve, reject) => {
-    scrypt(secret, ENCRYPTION_SALT, ENCRYPTION_KEY_BYTES, (error, derivedKey) => {
+    scrypt(secret, salt, ENCRYPTION_KEY_BYTES, (error, derivedKey) => {
       if (error) {
         reject(error);
         return;
@@ -1460,34 +1460,35 @@ function isNotFoundError(error) {
     error && typeof error === "object" && "code" in error && error.code === "ENOENT"
   );
 }
-var ENCRYPTION_ALGORITHM, ENCRYPTION_VERSION, ENCRYPTION_KEY_BYTES, ENCRYPTION_IV_BYTES, ENCRYPTION_AUTH_TAG_BYTES, ENCRYPTION_SALT, ENCRYPTION_FILE_MODE, EncryptedFileAuthStore;
-var init_encrypted_file_auth_store = __esm({
-  "packages/poe-auth/src/encrypted-file-auth-store.ts"() {
+var ENCRYPTION_ALGORITHM, ENCRYPTION_VERSION, ENCRYPTION_KEY_BYTES, ENCRYPTION_IV_BYTES, ENCRYPTION_AUTH_TAG_BYTES, ENCRYPTION_FILE_MODE, EncryptedFileStore;
+var init_encrypted_file_store = __esm({
+  "packages/auth-store/src/encrypted-file-store.ts"() {
     "use strict";
     ENCRYPTION_ALGORITHM = "aes-256-gcm";
     ENCRYPTION_VERSION = 1;
     ENCRYPTION_KEY_BYTES = 32;
     ENCRYPTION_IV_BYTES = 12;
     ENCRYPTION_AUTH_TAG_BYTES = 16;
-    ENCRYPTION_SALT = "poe-code:encrypted-file-auth-store:v1";
     ENCRYPTION_FILE_MODE = 384;
-    EncryptedFileAuthStore = class {
+    EncryptedFileStore = class {
       fs;
       filePath;
+      salt;
       getMachineIdentity;
       getRandomBytes;
       keyPromise = null;
-      constructor(input = {}) {
+      constructor(input) {
         this.fs = input.fs ?? fs;
+        this.salt = input.salt;
         this.filePath = input.filePath ?? path2.join(
           (input.getHomeDirectory ?? homedir2)(),
-          ".poe-code",
-          "credentials.enc"
+          input.defaultDirectory ?? ".auth-store",
+          input.defaultFileName ?? "credentials.enc"
         );
         this.getMachineIdentity = input.getMachineIdentity ?? defaultMachineIdentity;
         this.getRandomBytes = input.getRandomBytes ?? randomBytes;
       }
-      async getApiKey() {
+      async get() {
         let rawDocument;
         try {
           rawDocument = await this.fs.readFile(this.filePath, "utf8");
@@ -1517,12 +1518,12 @@ var init_encrypted_file_auth_store = __esm({
           return null;
         }
       }
-      async setApiKey(apiKey) {
+      async set(value) {
         const key = await this.getEncryptionKey();
         const iv = this.getRandomBytes(ENCRYPTION_IV_BYTES);
         const cipher = createCipheriv(ENCRYPTION_ALGORITHM, key, iv);
         const ciphertext = Buffer.concat([
-          cipher.update(apiKey, "utf8"),
+          cipher.update(value, "utf8"),
           cipher.final()
         ]);
         const authTag = cipher.getAuthTag();
@@ -1538,7 +1539,7 @@ var init_encrypted_file_auth_store = __esm({
         });
         await this.fs.chmod(this.filePath, ENCRYPTION_FILE_MODE);
       }
-      async deleteApiKey() {
+      async delete() {
         try {
           await this.fs.unlink(this.filePath);
         } catch (error) {
@@ -1549,7 +1550,7 @@ var init_encrypted_file_auth_store = __esm({
       }
       getEncryptionKey() {
         if (!this.keyPromise) {
-          this.keyPromise = deriveEncryptionKey(this.getMachineIdentity);
+          this.keyPromise = deriveEncryptionKey(this.getMachineIdentity, this.salt);
         }
         return this.keyPromise;
       }
@@ -1557,7 +1558,7 @@ var init_encrypted_file_auth_store = __esm({
   }
 });
 
-// packages/poe-auth/src/keychain-auth-store.ts
+// packages/auth-store/src/keychain-store.ts
 import { spawn } from "node:child_process";
 function runSecurityCommand(command, args) {
   return new Promise((resolve) => {
@@ -1617,27 +1618,25 @@ function createSecurityCliFailure(operation, result) {
   }
   return new Error(`Failed to ${operation}: security exited with code ${result.exitCode}`);
 }
-var SECURITY_CLI, KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT, KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE, KeychainAuthStore;
-var init_keychain_auth_store = __esm({
-  "packages/poe-auth/src/keychain-auth-store.ts"() {
+var SECURITY_CLI, KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE, KeychainStore;
+var init_keychain_store = __esm({
+  "packages/auth-store/src/keychain-store.ts"() {
     "use strict";
     SECURITY_CLI = "security";
-    KEYCHAIN_SERVICE = "poe-code";
-    KEYCHAIN_ACCOUNT = "api-key";
     KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE = 44;
-    KeychainAuthStore = class {
+    KeychainStore = class {
       runCommand;
       service;
       account;
-      constructor(input = {}) {
+      constructor(input) {
         this.runCommand = input.runCommand ?? runSecurityCommand;
-        this.service = input.service ?? KEYCHAIN_SERVICE;
-        this.account = input.account ?? KEYCHAIN_ACCOUNT;
+        this.service = input.service;
+        this.account = input.account;
       }
-      async getApiKey() {
+      async get() {
         const result = await this.executeSecurityCommand(
           ["find-generic-password", "-s", this.service, "-a", this.account, "-w"],
-          "read API key from macOS Keychain"
+          "read secret from macOS Keychain"
         );
         if (result.exitCode === 0) {
           return stripTrailingLineBreak(result.stdout);
@@ -1645,9 +1644,9 @@ var init_keychain_auth_store = __esm({
         if (isKeychainEntryNotFound(result)) {
           return null;
         }
-        throw createSecurityCliFailure("read API key from macOS Keychain", result);
+        throw createSecurityCliFailure("read secret from macOS Keychain", result);
       }
-      async setApiKey(apiKey) {
+      async set(value) {
         const result = await this.executeSecurityCommand(
           [
             "add-generic-password",
@@ -1656,24 +1655,24 @@ var init_keychain_auth_store = __esm({
             "-a",
             this.account,
             "-w",
-            apiKey,
+            value,
             "-U"
           ],
-          "store API key in macOS Keychain"
+          "store secret in macOS Keychain"
         );
         if (result.exitCode !== 0) {
-          throw createSecurityCliFailure("store API key in macOS Keychain", result);
+          throw createSecurityCliFailure("store secret in macOS Keychain", result);
         }
       }
-      async deleteApiKey() {
+      async delete() {
         const result = await this.executeSecurityCommand(
           ["delete-generic-password", "-s", this.service, "-a", this.account],
-          "delete API key from macOS Keychain"
+          "delete secret from macOS Keychain"
         );
         if (result.exitCode === 0 || isKeychainEntryNotFound(result)) {
           return;
         }
-        throw createSecurityCliFailure("delete API key from macOS Keychain", result);
+        throw createSecurityCliFailure("delete secret from macOS Keychain", result);
       }
       async executeSecurityCommand(args, operation) {
         try {
@@ -1687,222 +1686,58 @@ var init_keychain_auth_store = __esm({
   }
 });
 
-// packages/poe-auth/src/create-auth-store.ts
-import { promises as nodeFs } from "node:fs";
-import { homedir as homedir3 } from "node:os";
-import path3 from "node:path";
-function createAuthStore(input = {}) {
+// packages/auth-store/src/create-secret-store.ts
+function createSecretStore(input) {
   const backend = resolveBackend(input);
   const platform = input.platform ?? process.platform;
   if (backend === "keychain" && platform !== MACOS_PLATFORM) {
     throw new Error(
-      `POE_AUTH_BACKEND=keychain is only supported on macOS. Current platform: ${platform}`
+      `Keychain backend is only supported on macOS. Current platform: ${platform}`
     );
   }
-  const store = authStoreFactories[backend](input);
-  return {
-    backend,
-    store: enableLegacyCredentialsMigration(store, input)
-  };
+  const store = storeFactories[backend](input);
+  return { backend, store };
 }
 function resolveBackend(input) {
-  const configuredBackend = input.backend ?? input.env?.[AUTH_BACKEND_ENV_VAR] ?? process.env[AUTH_BACKEND_ENV_VAR];
+  const envVar = input.backendEnvVar ?? DEFAULT_BACKEND_ENV_VAR;
+  const configuredBackend = input.backend ?? input.env?.[envVar] ?? process.env[envVar];
   if (configuredBackend === "keychain") {
     return "keychain";
   }
   return "file";
 }
-function enableLegacyCredentialsMigration(store, input) {
-  const migrationContext = createLegacyMigrationContext(input);
-  const readApiKeyFromStore = store.getApiKey.bind(store);
-  let hasCheckedLegacyCredentials = false;
-  let legacyMigrationPromise = null;
-  store.getApiKey = async () => {
-    const storedApiKey = await readApiKeyFromStore();
-    if (isNonEmptyString(storedApiKey)) {
-      return storedApiKey;
-    }
-    if (hasCheckedLegacyCredentials) {
-      return null;
-    }
-    if (!legacyMigrationPromise) {
-      legacyMigrationPromise = migrateLegacyApiKey(store, migrationContext).finally(() => {
-        hasCheckedLegacyCredentials = true;
-        legacyMigrationPromise = null;
-      });
-    }
-    return legacyMigrationPromise;
-  };
-  return store;
-}
-async function migrateLegacyApiKey(store, migrationContext) {
-  const legacyCredentials = await loadLegacyCredentials(
-    migrationContext.fs,
-    migrationContext.filePath
-  );
-  if (!legacyCredentials || !isNonEmptyString(legacyCredentials.apiKey)) {
-    return null;
-  }
-  const plaintextApiKey = legacyCredentials.apiKey;
-  try {
-    await store.setApiKey(plaintextApiKey);
-    delete legacyCredentials.apiKey;
-    await saveLegacyCredentials(
-      migrationContext.fs,
-      migrationContext.filePath,
-      legacyCredentials
-    );
-  } catch (error) {
-    migrationContext.logWarning(
-      `Failed to migrate plaintext API key from ${migrationContext.filePath}.`,
-      error
-    );
-  }
-  return plaintextApiKey;
-}
-function createLegacyMigrationContext(input) {
-  const legacyCredentialsInput = input.legacyCredentials;
-  const getHomeDirectory = legacyCredentialsInput?.getHomeDirectory ?? homedir3;
-  return {
-    fs: legacyCredentialsInput?.fs ?? input.fileStore?.fs ?? nodeFs,
-    filePath: legacyCredentialsInput?.filePath ?? path3.join(
-      getHomeDirectory(),
-      LEGACY_CREDENTIALS_RELATIVE_PATH
-    ),
-    logWarning: legacyCredentialsInput?.logWarning ?? defaultMigrationWarning
-  };
-}
-async function loadLegacyCredentials(fs2, filePath) {
-  let raw;
-  try {
-    raw = await fs2.readFile(filePath, "utf8");
-  } catch (error) {
-    if (isNotFoundError2(error)) {
-      return null;
-    }
-    return null;
-  }
-  try {
-    const parsed = JSON.parse(raw);
-    if (!isRecord2(parsed)) {
-      return null;
-    }
-    return parsed;
-  } catch {
-    return null;
-  }
-}
-async function saveLegacyCredentials(fs2, filePath, document) {
-  await fs2.mkdir(path3.dirname(filePath), { recursive: true });
-  await fs2.writeFile(filePath, `${JSON.stringify(document, null, 2)}
-`, {
-    encoding: "utf8"
-  });
-}
-function defaultMigrationWarning(message, error) {
-  const details = toErrorDetails(error);
-  if (details.length > 0) {
-    console.warn(`${message} ${details}`);
-    return;
-  }
-  console.warn(message);
-}
-function toErrorDetails(error) {
-  if (error instanceof Error) {
-    return error.message;
-  }
-  return typeof error === "string" ? error : "";
-}
-function isNonEmptyString(value) {
-  return typeof value === "string" && value.length > 0;
-}
-function isRecord2(value) {
-  return Boolean(value && typeof value === "object" && !Array.isArray(value));
-}
-function isNotFoundError2(error) {
-  return Boolean(
-    error && typeof error === "object" && "code" in error && error.code === "ENOENT"
-  );
-}
-var AUTH_BACKEND_ENV_VAR, MACOS_PLATFORM, LEGACY_CREDENTIALS_RELATIVE_PATH, authStoreFactories;
-var init_create_auth_store = __esm({
-  "packages/poe-auth/src/create-auth-store.ts"() {
+var DEFAULT_BACKEND_ENV_VAR, MACOS_PLATFORM, storeFactories;
+var init_create_secret_store = __esm({
+  "packages/auth-store/src/create-secret-store.ts"() {
     "use strict";
-    init_encrypted_file_auth_store();
-    init_keychain_auth_store();
-    AUTH_BACKEND_ENV_VAR = "POE_AUTH_BACKEND";
+    init_encrypted_file_store();
+    init_keychain_store();
+    DEFAULT_BACKEND_ENV_VAR = "AUTH_BACKEND";
     MACOS_PLATFORM = "darwin";
-    LEGACY_CREDENTIALS_RELATIVE_PATH = ".poe-code/credentials.json";
-    authStoreFactories = {
-      file: (input) => new EncryptedFileAuthStore(input.fileStore),
-      keychain: (input) => new KeychainAuthStore(input.keychainStore)
+    storeFactories = {
+      file: (input) => {
+        if (!input.fileStore) {
+          throw new Error("fileStore configuration is required for file backend");
+        }
+        return new EncryptedFileStore(input.fileStore);
+      },
+      keychain: (input) => {
+        if (!input.keychainStore) {
+          throw new Error("keychainStore configuration is required for keychain backend");
+        }
+        return new KeychainStore(input.keychainStore);
+      }
     };
   }
 });
 
-// packages/poe-auth/src/check-auth.ts
-var init_check_auth = __esm({
-  "packages/poe-auth/src/check-auth.ts"() {
-    "use strict";
-    init_create_auth_store();
-  }
-});
-
-// packages/poe-auth/src/get-token.ts
-var init_get_token = __esm({
-  "packages/poe-auth/src/get-token.ts"() {
-    "use strict";
-    init_create_auth_store();
-  }
-});
-
-// packages/poe-auth/src/api-key-validation.ts
-var init_api_key_validation = __esm({
-  "packages/poe-auth/src/api-key-validation.ts"() {
-    "use strict";
-  }
-});
-
-// packages/poe-auth/src/oauth-client.ts
-import http from "node:http";
-import crypto from "node:crypto";
-var init_oauth_client = __esm({
-  "packages/poe-auth/src/oauth-client.ts"() {
-    "use strict";
-  }
-});
-
-// packages/poe-auth/src/login.ts
-var init_login = __esm({
-  "packages/poe-auth/src/login.ts"() {
-    "use strict";
-    init_api_key_validation();
-    init_create_auth_store();
-    init_oauth_client();
-  }
-});
-
-// packages/poe-auth/src/logout.ts
-var init_logout = __esm({
-  "packages/poe-auth/src/logout.ts"() {
-    "use strict";
-    init_create_auth_store();
-  }
-});
-
-// packages/poe-auth/src/index.ts
+// packages/auth-store/src/index.ts
 var init_src2 = __esm({
-  "packages/poe-auth/src/index.ts"() {
+  "packages/auth-store/src/index.ts"() {
     "use strict";
-    init_create_auth_store();
-    init_check_auth();
-    init_get_token();
-    init_api_key_validation();
-    init_login();
-    init_logout();
-    init_oauth_client();
-    init_encrypted_file_auth_store();
-    init_keychain_auth_store();
+    init_create_secret_store();
+    init_encrypted_file_store();
+    init_keychain_store();
   }
 });
 
@@ -2727,7 +2562,7 @@ var init_acp_core = __esm({
 });
 
 // packages/poe-agent/src/plugins/plugin-args.ts
-import path4 from "node:path";
+import path3 from "node:path";
 function isObjectRecord3(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
@@ -2758,13 +2593,13 @@ function getOptionalString(args, key) {
   return value;
 }
 function resolveAllowedPath(cwd, allowedPaths, inputPath) {
-  const resolvedPath = path4.resolve(cwd, inputPath);
+  const resolvedPath = path3.resolve(cwd, inputPath);
   const isAllowed = allowedPaths.some((allowedPath) => {
     if (allowedPath === resolvedPath) {
       return true;
     }
-    const rel = path4.relative(allowedPath, resolvedPath);
-    return rel.length > 0 && !rel.startsWith("..") && !path4.isAbsolute(rel);
+    const rel = path3.relative(allowedPath, resolvedPath);
+    return rel.length > 0 && !rel.startsWith("..") && !path3.isAbsolute(rel);
   });
   if (!isAllowed) {
     throw new Error(`Path is outside allowed paths: ${inputPath}`);
@@ -2779,7 +2614,7 @@ var init_plugin_args = __esm({
 
 // packages/poe-agent/src/plugins/poe-agent-plugin-files.ts
 import fsPromises2 from "node:fs/promises";
-import path5 from "node:path";
+import path4 from "node:path";
 async function fileExists(fs2, filePath) {
   try {
     await fs2.readFile(filePath, "utf8");
@@ -2803,9 +2638,9 @@ var init_poe_agent_plugin_files = __esm({
     "use strict";
     init_plugin_args();
     filesPlugin = (options = {}) => {
-      const cwd = path5.resolve(options.cwd ?? process.cwd());
+      const cwd = path4.resolve(options.cwd ?? process.cwd());
       const allowedPaths = (options.allowedPaths ?? [cwd]).map(
-        (allowedPath) => path5.resolve(cwd, allowedPath)
+        (allowedPath) => path4.resolve(cwd, allowedPath)
       );
       const fs2 = options.fs ?? fsPromises2;
       const readFileTool = {
@@ -2859,7 +2694,7 @@ var init_poe_agent_plugin_files = __esm({
         async call(args) {
           const command = getRequiredString(args, "command");
           const filePath = resolveAllowedPath(cwd, allowedPaths, getRequiredString(args, "path"));
-          const displayedPath = path5.relative(cwd, filePath) || path5.basename(filePath);
+          const displayedPath = path4.relative(cwd, filePath) || path4.basename(filePath);
           if (command === "str_replace") {
             const oldStr = getRequiredString(args, "old_str", true);
             const newStr = getRequiredString(args, "new_str", true);
@@ -2879,7 +2714,7 @@ var init_poe_agent_plugin_files = __esm({
             if (await fileExists(fs2, filePath)) {
               throw new Error("File already exists \u2014 use str_replace to edit");
             }
-            await fs2.mkdir(path5.dirname(filePath), { recursive: true });
+            await fs2.mkdir(path4.dirname(filePath), { recursive: true });
             await fs2.writeFile(filePath, fileText, "utf8");
             return `Created file: ${displayedPath}`;
           }
@@ -2920,7 +2755,7 @@ var init_poe_agent_plugin_files = __esm({
 
 // packages/poe-agent/src/plugins/poe-agent-plugin-shell.ts
 import { exec as execCallback } from "node:child_process";
-import path6 from "node:path";
+import path5 from "node:path";
 import { promisify } from "node:util";
 async function defaultRunCommand(command, cwd) {
   try {
@@ -2953,9 +2788,9 @@ var init_poe_agent_plugin_shell = __esm({
     init_plugin_args();
     exec = promisify(execCallback);
     shellPlugin = (options = {}) => {
-      const cwd = path6.resolve(options.cwd ?? process.cwd());
+      const cwd = path5.resolve(options.cwd ?? process.cwd());
       const allowedPaths = (options.allowedPaths ?? [cwd]).map(
-        (allowedPath) => path6.resolve(cwd, allowedPath)
+        (allowedPath) => path5.resolve(cwd, allowedPath)
       );
       const runCommand = options.runCommand ?? defaultRunCommand;
       const runCommandTool = {
@@ -5282,8 +5117,15 @@ async function resolveApiKey(explicitApiKey) {
   if (normalizedExplicitApiKey) {
     return normalizedExplicitApiKey;
   }
-  const { store } = createAuthStore();
-  const storedApiKey = normalizeNonEmptyString(await store.getApiKey());
+  const { store } = createSecretStore({
+    backendEnvVar: "POE_AUTH_BACKEND",
+    fileStore: {
+      salt: "poe-code:encrypted-file-auth-store:v1",
+      defaultDirectory: ".poe-code",
+      defaultFileName: "credentials.enc"
+    }
+  });
+  const storedApiKey = normalizeNonEmptyString(await store.get());
   if (storedApiKey) {
     return storedApiKey;
   }
@@ -5857,16 +5699,16 @@ function getConfigFormat(pathOrFormat) {
   }
   return formatRegistry[formatName];
 }
-function detectFormat(path7) {
-  const ext = getExtension(path7);
+function detectFormat(path6) {
+  const ext = getExtension(path6);
   return extensionMap[ext];
 }
-function getExtension(path7) {
-  const lastDot = path7.lastIndexOf(".");
+function getExtension(path6) {
+  const lastDot = path6.lastIndexOf(".");
   if (lastDot === -1) {
     return "";
   }
-  return path7.slice(lastDot).toLowerCase();
+  return path6.slice(lastDot).toLowerCase();
 }
 
 // packages/config-mutations/src/execution/path-utils.ts