postgresai 0.11.0-alpha.7 → 0.11.0-alpha.9

package/dist/lib/pkce.js

@@ -0,0 +1,101 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeVerifier = generateCodeVerifier;
+exports.generateCodeChallenge = generateCodeChallenge;
+exports.generateState = generateState;
+exports.generatePKCEParams = generatePKCEParams;
+const crypto = __importStar(require("crypto"));
+/**
+ * Generate a cryptographically random string for PKCE
+ * @param length - Length of the string (43-128 characters per RFC 7636)
+ * @returns Base64URL-encoded random string
+ */
+function generateRandomString(length = 64) {
+    const bytes = crypto.randomBytes(length);
+    return base64URLEncode(bytes);
+}
+/**
+ * Base64URL encode (without padding)
+ * @param buffer - Buffer to encode
+ * @returns Base64URL-encoded string
+ */
+function base64URLEncode(buffer) {
+    return buffer
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
+/**
+ * Generate PKCE code verifier
+ * @returns Random code verifier (43-128 characters)
+ */
+function generateCodeVerifier() {
+    return generateRandomString(32); // 32 bytes = 43 chars after base64url encoding
+}
+/**
+ * Generate PKCE code challenge from verifier
+ * Uses S256 method (SHA256)
+ * @param verifier - Code verifier string
+ * @returns Base64URL-encoded SHA256 hash of verifier
+ */
+function generateCodeChallenge(verifier) {
+    const hash = crypto.createHash("sha256").update(verifier).digest();
+    return base64URLEncode(hash);
+}
+/**
+ * Generate random state for CSRF protection
+ * @returns Random state string
+ */
+function generateState() {
+    return generateRandomString(16); // 16 bytes = 22 chars
+}
+/**
+ * Generate complete PKCE parameters
+ * @returns Object with verifier, challenge, challengeMethod, and state
+ */
+function generatePKCEParams() {
+    const verifier = generateCodeVerifier();
+    const challenge = generateCodeChallenge(verifier);
+    const state = generateState();
+    return {
+        codeVerifier: verifier,
+        codeChallenge: challenge,
+        codeChallengeMethod: "S256",
+        state: state,
+    };
+}
+//# sourceMappingURL=pkce.js.map

package/dist/lib/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../lib/pkce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCA,oDAEC;AAQD,sDAGC;AAMD,sCAEC;AAMD,gDAWC;AA7ED,+CAAiC;AAYjC;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,SAAiB,EAAE;IAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM;SACV,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AACvB,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB;IAClC,OAAO,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,+CAA+C;AAClF,CAAC;AAED;;;;;GAKG;AACH,SAAgB,qBAAqB,CAAC,QAAgB;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAC;IACnE,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa;IAC3B,OAAO,oBAAoB,CAAC,EAAE,CAAC,CAAC,CAAC,sBAAsB;AACzD,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB;IAChC,MAAM,QAAQ,GAAG,oBAAoB,EAAE,CAAC;IACxC,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;IAE9B,OAAO;QACL,YAAY,EAAE,QAAQ;QACtB,aAAa,EAAE,SAAS;QACxB,mBAAmB,EAAE,MAAM;QAC3B,KAAK,EAAE,KAAK;KACb,CAAC;AACJ,CAAC"}

package/dist/package.json

@@ -0,0 +1,42 @@
+{
+    "name": "postgresai",
+    "version": "0.11.0-alpha.9",
+    "description": "postgres_ai CLI (Node.js)",
+    "license": "Apache-2.0",
+    "private": false,
+    "repository": {
+        "type": "git",
+        "url": "git+https://gitlab.com/postgres-ai/postgres_ai.git"
+    },
+    "homepage": "https://gitlab.com/postgres-ai/postgres_ai",
+    "bugs": {
+        "url": "https://gitlab.com/postgres-ai/postgres_ai/-/issues"
+    },
+    "bin": {
+        "postgres-ai": "./dist/bin/postgres-ai.js",
+        "postgresai": "./dist/bin/postgres-ai.js",
+        "pgai": "./dist/bin/postgres-ai.js"
+    },
+    "type": "commonjs",
+    "engines": {
+        "node": ">=18"
+    },
+    "scripts": {
+        "build": "tsc",
+        "prepare": "npm run build",
+        "start": "node ./dist/bin/postgres-ai.js --help",
+        "dev": "tsc --watch"
+    },
+    "dependencies": {
+        "commander": "^12.1.0",
+        "js-yaml": "^4.1.0"
+    },
+    "devDependencies": {
+        "@types/js-yaml": "^4.0.9",
+        "@types/node": "^18.19.0",
+        "typescript": "^5.3.3"
+    },
+    "publishConfig": {
+        "access": "public"
+    }
+}

package/lib/auth-server.ts

@@ -0,0 +1,267 @@
+import * as http from "http";
+import { URL } from "url";
+
+/**
+ * OAuth callback result
+ */
+export interface CallbackResult {
+  code: string;
+  state: string;
+}
+
+/**
+ * Callback server structure
+ */
+export interface CallbackServer {
+  server: http.Server;
+  promise: Promise<CallbackResult>;
+  getPort: () => number;
+}
+
+/**
+ * Simple HTML escape utility
+ * @param str - String to escape
+ * @returns Escaped string
+ */
+function escapeHtml(str: string | null): string {
+  if (!str) return "";
+  return String(str)
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+/**
+ * Create and start callback server, returning server object and promise
+ * @param port - Port to listen on (0 for random available port)
+ * @param expectedState - Expected state parameter for CSRF protection
+ * @param timeoutMs - Timeout in milliseconds
+ * @returns Server object with promise and getPort function
+ */
+export function createCallbackServer(
+  port: number = 0,
+  expectedState: string | null = null,
+  timeoutMs: number = 300000
+): CallbackServer {
+  let resolved = false;
+  let server: http.Server | null = null;
+  let actualPort = port;
+  let resolveCallback: (value: CallbackResult) => void;
+  let rejectCallback: (reason: Error) => void;
+  
+  const promise = new Promise<CallbackResult>((resolve, reject) => {
+    resolveCallback = resolve;
+    rejectCallback = reject;
+  });
+  
+  // Timeout handler
+  const timeout = setTimeout(() => {
+    if (!resolved) {
+      resolved = true;
+      if (server) {
+        server.close();
+      }
+      rejectCallback(new Error("Authentication timeout. Please try again."));
+    }
+  }, timeoutMs);
+  
+  // Request handler
+  const requestHandler = (req: http.IncomingMessage, res: http.ServerResponse): void => {
+    if (resolved) {
+      return;
+    }
+
+    // Only handle /callback path
+    if (!req.url || !req.url.startsWith("/callback")) {
+      res.writeHead(404, { "Content-Type": "text/plain" });
+      res.end("Not Found");
+      return;
+    }
+
+    try {
+      const url = new URL(req.url, `http://localhost:${actualPort}`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+
+      // Handle OAuth error
+      if (error) {
+        resolved = true;
+        clearTimeout(timeout);
+        
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication Failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+    h1 { color: #c33; margin-top: 0; }
+    code { background: #f5f5f5; padding: 2px 6px; border-radius: 3px; }
+  </style>
+</head>
+<body>
+  <div class="error">
+    <h1>Authentication Failed</h1>
+    <p><strong>Error:</strong> ${escapeHtml(error)}</p>
+    ${errorDescription ? `<p><strong>Description:</strong> ${escapeHtml(errorDescription)}</p>` : ""}
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+        `);
+        
+        if (server) {
+          server.close();
+        }
+        rejectCallback(new Error(`OAuth error: ${error}${errorDescription ? ` - ${errorDescription}` : ""}`));
+        return;
+      }
+
+      // Validate required parameters
+      if (!code || !state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication Failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+    h1 { color: #c33; margin-top: 0; }
+  </style>
+</head>
+<body>
+  <div class="error">
+    <h1>Authentication Failed</h1>
+    <p>Missing required parameters (code or state).</p>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+        `);
+        return;
+      }
+
+      // Validate state (CSRF protection)
+      if (expectedState && state !== expectedState) {
+        resolved = true;
+        clearTimeout(timeout);
+        
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication Failed</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+    h1 { color: #c33; margin-top: 0; }
+  </style>
+</head>
+<body>
+  <div class="error">
+    <h1>Authentication Failed</h1>
+    <p>Invalid state parameter (possible CSRF attack).</p>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+        `);
+        
+        if (server) {
+          server.close();
+        }
+        rejectCallback(new Error("State mismatch (possible CSRF attack)"));
+        return;
+      }
+
+      // Success!
+      resolved = true;
+      clearTimeout(timeout);
+      
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(`
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Authentication Successful</title>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; max-width: 600px; margin: 50px auto; padding: 20px; }
+    .success { background: #efe; border: 1px solid #cfc; padding: 20px; border-radius: 8px; }
+    h1 { color: #3c3; margin-top: 0; }
+  </style>
+</head>
+<body>
+  <div class="success">
+    <h1>Authentication Successful</h1>
+    <p>You have successfully authenticated the PostgresAI CLI.</p>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+      `);
+      
+      if (server) {
+        server.close();
+      }
+      resolveCallback({ code, state });
+    } catch (err) {
+      if (!resolved) {
+        resolved = true;
+        clearTimeout(timeout);
+        res.writeHead(500, { "Content-Type": "text/plain" });
+        res.end("Internal Server Error");
+        if (server) {
+          server.close();
+        }
+        rejectCallback(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+  };
+
+  // Create server
+  server = http.createServer(requestHandler);
+  
+  server.on("error", (err: Error) => {
+    if (!resolved) {
+      resolved = true;
+      clearTimeout(timeout);
+      rejectCallback(err);
+    }
+  });
+
+  server.listen(port, "127.0.0.1", () => {
+    const address = server?.address();
+    if (address && typeof address === "object") {
+      actualPort = address.port;
+    }
+  });
+  
+  return {
+    server,
+    promise,
+    getPort: () => {
+      const address = server?.address();
+      return address && typeof address === "object" ? address.port : 0;
+    },
+  };
+}
+
+/**
+ * Get the actual port the server is listening on
+ * @param server - HTTP server instance
+ * @returns Port number
+ */
+export function getServerPort(server: http.Server): number {
+  const address = server.address();
+  return address && typeof address === "object" ? address.port : 0;
+}
+

package/lib/config.ts

@@ -0,0 +1,161 @@
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+
+/**
+ * Configuration object structure
+ */
+export interface Config {
+  apiKey: string | null;
+  baseUrl: string | null;
+  orgId: number | null;
+}
+
+/**
+ * Get the user-level config directory path
+ * @returns Path to ~/.config/postgresai
+ */
+export function getConfigDir(): string {
+  const configHome = process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config");
+  return path.join(configHome, "postgresai");
+}
+
+/**
+ * Get the user-level config file path
+ * @returns Path to ~/.config/postgresai/config.json
+ */
+export function getConfigPath(): string {
+  return path.join(getConfigDir(), "config.json");
+}
+
+/**
+ * Get the legacy project-local config file path
+ * @returns Path to .pgwatch-config in current directory
+ */
+export function getLegacyConfigPath(): string {
+  return path.resolve(process.cwd(), ".pgwatch-config");
+}
+
+/**
+ * Read configuration from file
+ * Tries user-level config first, then falls back to legacy project-local config
+ * @returns Configuration object with apiKey, baseUrl, orgId
+ */
+export function readConfig(): Config {
+  const config: Config = {
+    apiKey: null,
+    baseUrl: null,
+    orgId: null,
+  };
+
+  // Try user-level config first
+  const userConfigPath = getConfigPath();
+  if (fs.existsSync(userConfigPath)) {
+    try {
+      const content = fs.readFileSync(userConfigPath, "utf8");
+      const parsed = JSON.parse(content);
+      config.apiKey = parsed.apiKey || null;
+      config.baseUrl = parsed.baseUrl || null;
+      config.orgId = parsed.orgId || null;
+      return config;
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`Warning: Failed to read config from ${userConfigPath}: ${message}`);
+    }
+  }
+
+  // Fall back to legacy project-local config
+  const legacyPath = getLegacyConfigPath();
+  if (fs.existsSync(legacyPath)) {
+    try {
+      const stats = fs.statSync(legacyPath);
+      if (stats.isFile()) {
+        const content = fs.readFileSync(legacyPath, "utf8");
+        const lines = content.split(/\r?\n/);
+        for (const line of lines) {
+          const match = line.match(/^api_key=(.+)$/);
+          if (match) {
+            config.apiKey = match[1].trim();
+            break;
+          }
+        }
+      }
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`Warning: Failed to read legacy config from ${legacyPath}: ${message}`);
+    }
+  }
+
+  return config;
+}
+
+/**
+ * Write configuration to user-level config file
+ * @param config - Configuration object with apiKey, baseUrl, orgId
+ */
+export function writeConfig(config: Partial<Config>): void {
+  const configDir = getConfigDir();
+  const configPath = getConfigPath();
+
+  // Ensure config directory exists
+  if (!fs.existsSync(configDir)) {
+    fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+  }
+
+  // Read existing config and merge
+  let existingConfig: Record<string, unknown> = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      const content = fs.readFileSync(configPath, "utf8");
+      existingConfig = JSON.parse(content);
+    } catch (err) {
+      // Ignore parse errors, will overwrite
+    }
+  }
+
+  const mergedConfig = {
+    ...existingConfig,
+    ...config,
+  };
+
+  // Write config file with restricted permissions
+  fs.writeFileSync(configPath, JSON.stringify(mergedConfig, null, 2) + "\n", {
+    mode: 0o600,
+  });
+}
+
+/**
+ * Delete specific keys from configuration
+ * @param keys - Array of keys to delete (e.g., ['apiKey'])
+ */
+export function deleteConfigKeys(keys: string[]): void {
+  const configPath = getConfigPath();
+  if (!fs.existsSync(configPath)) {
+    return;
+  }
+
+  try {
+    const content = fs.readFileSync(configPath, "utf8");
+    const config: Record<string, unknown> = JSON.parse(content);
+
+    for (const key of keys) {
+      delete config[key];
+    }
+
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", {
+      mode: 0o600,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`Warning: Failed to update config: ${message}`);
+  }
+}
+
+/**
+ * Check if config file exists
+ * @returns True if config exists
+ */
+export function configExists(): boolean {
+  return fs.existsSync(getConfigPath()) || fs.existsSync(getLegacyConfigPath());
+}
+

package/lib/pkce.ts

@@ -0,0 +1,79 @@
+import * as crypto from "crypto";
+
+/**
+ * PKCE parameters for OAuth 2.0 Authorization Code Flow with PKCE
+ */
+export interface PKCEParams {
+  codeVerifier: string;
+  codeChallenge: string;
+  codeChallengeMethod: "S256";
+  state: string;
+}
+
+/**
+ * Generate a cryptographically random string for PKCE
+ * @param length - Length of the string (43-128 characters per RFC 7636)
+ * @returns Base64URL-encoded random string
+ */
+function generateRandomString(length: number = 64): string {
+  const bytes = crypto.randomBytes(length);
+  return base64URLEncode(bytes);
+}
+
+/**
+ * Base64URL encode (without padding)
+ * @param buffer - Buffer to encode
+ * @returns Base64URL-encoded string
+ */
+function base64URLEncode(buffer: Buffer): string {
+  return buffer
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+}
+
+/**
+ * Generate PKCE code verifier
+ * @returns Random code verifier (43-128 characters)
+ */
+export function generateCodeVerifier(): string {
+  return generateRandomString(32); // 32 bytes = 43 chars after base64url encoding
+}
+
+/**
+ * Generate PKCE code challenge from verifier
+ * Uses S256 method (SHA256)
+ * @param verifier - Code verifier string
+ * @returns Base64URL-encoded SHA256 hash of verifier
+ */
+export function generateCodeChallenge(verifier: string): string {
+  const hash = crypto.createHash("sha256").update(verifier).digest();
+  return base64URLEncode(hash);
+}
+
+/**
+ * Generate random state for CSRF protection
+ * @returns Random state string
+ */
+export function generateState(): string {
+  return generateRandomString(16); // 16 bytes = 22 chars
+}
+
+/**
+ * Generate complete PKCE parameters
+ * @returns Object with verifier, challenge, challengeMethod, and state
+ */
+export function generatePKCEParams(): PKCEParams {
+  const verifier = generateCodeVerifier();
+  const challenge = generateCodeChallenge(verifier);
+  const state = generateState();
+
+  return {
+    codeVerifier: verifier,
+    codeChallenge: challenge,
+    codeChallengeMethod: "S256",
+    state: state,
+  };
+}
+

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "postgresai",
-  "version": "0.11.0-alpha.7",
-  "description": "PostgresAI CLI (Node.js)",
-  "license": "MIT",
+  "version": "0.11.0-alpha.9",
+  "description": "postgres_ai CLI (Node.js)",
+  "license": "Apache-2.0",
   "private": false,
   "repository": {
     "type": "git",
@@ -13,19 +13,28 @@
     "url": "https://gitlab.com/postgres-ai/postgres_ai/-/issues"
   },
   "bin": {
-    "postgres-ai": "./bin/postgres-ai.js",
-    "postgresai": "./bin/postgres-ai.js",
-    "pgai": "./bin/postgres-ai.js"
+    "postgres-ai": "./dist/bin/postgres-ai.js",
+    "postgresai": "./dist/bin/postgres-ai.js",
+    "pgai": "./dist/bin/postgres-ai.js"
   },
   "type": "commonjs",
   "engines": {
     "node": ">=18"
   },
   "scripts": {
-    "start": "node ./bin/postgres-ai.js --help"
+    "build": "tsc",
+    "prepare": "npm run build",
+    "start": "node ./dist/bin/postgres-ai.js --help",
+    "dev": "tsc --watch"
   },
   "dependencies": {
-    "commander": "^12.1.0"
+    "commander": "^12.1.0",
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^18.19.0",
+    "typescript": "^5.3.3"
   },
   "publishConfig": {
     "access": "public"