sentinelayer-cli 0.1.0

package/src/auth/session-store.js

@@ -0,0 +1,345 @@
+import crypto from "node:crypto";
+import os from "node:os";
+import path from "node:path";
+import fsp from "node:fs/promises";
+import process from "node:process";
+
+const CREDENTIALS_VERSION = 1;
+const KEYRING_SERVICE = "sentinelayer-cli";
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function resolveHomeDir(homeDir) {
+  return path.resolve(String(homeDir || os.homedir()));
+}
+
+/**
+ * Resolve the deterministic credentials metadata file path for the current user/home override.
+ *
+ * @param {{ homeDir?: string }} [options]
+ * @returns {string}
+ */
+export function resolveCredentialsFilePath({ homeDir } = {}) {
+  const resolvedHome = resolveHomeDir(homeDir);
+  return path.join(resolvedHome, ".sentinelayer", "credentials.json");
+}
+
+function buildKeyringAccountName(apiUrl) {
+  const digest = crypto
+    .createHash("sha256")
+    .update(String(apiUrl || "").trim().toLowerCase())
+    .digest("hex")
+    .slice(0, 16);
+  return `default-${digest}`;
+}
+
+function normalizeUser(user = {}) {
+  return {
+    id: String(user.id || "").trim(),
+    githubUsername: String(user.githubUsername || user.github_username || "").trim(),
+    email: String(user.email || "").trim(),
+    avatarUrl: String(user.avatarUrl || user.avatar_url || "").trim(),
+    isAdmin: Boolean(user.isAdmin || user.is_admin),
+  };
+}
+
+function normalizeMetadata(raw = {}) {
+  return {
+    version: Number(raw.version || CREDENTIALS_VERSION),
+    apiUrl: String(raw.apiUrl || "").trim(),
+    storage: String(raw.storage || "file").trim(),
+    keyringService: String(raw.keyringService || KEYRING_SERVICE).trim(),
+    keyringAccount: String(raw.keyringAccount || "").trim(),
+    tokenId: String(raw.tokenId || "").trim() || null,
+    tokenPrefix: String(raw.tokenPrefix || "").trim() || null,
+    tokenExpiresAt: String(raw.tokenExpiresAt || "").trim() || null,
+    createdAt: String(raw.createdAt || "").trim() || nowIso(),
+    updatedAt: String(raw.updatedAt || "").trim() || nowIso(),
+    user: normalizeUser(raw.user),
+    token: String(raw.token || "").trim() || null,
+  };
+}
+
+async function loadKeytarClient() {
+  const disableKeyring = String(process.env.SENTINELAYER_DISABLE_KEYRING || "")
+    .trim()
+    .toLowerCase();
+  if (disableKeyring === "1" || disableKeyring === "true" || disableKeyring === "yes" || disableKeyring === "on") {
+    return null;
+  }
+  try {
+    const mod = await import("keytar");
+    const client = mod && typeof mod === "object" ? mod.default || mod : null;
+    if (!client) {
+      return null;
+    }
+    if (
+      typeof client.getPassword !== "function" ||
+      typeof client.setPassword !== "function" ||
+      typeof client.deletePassword !== "function"
+    ) {
+      return null;
+    }
+    return client;
+  } catch {
+    return null;
+  }
+}
+
+async function readMetadata({ homeDir } = {}) {
+  const filePath = resolveCredentialsFilePath({ homeDir });
+  try {
+    const raw = await fsp.readFile(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return { filePath, metadata: null };
+    }
+    return { filePath, metadata: normalizeMetadata(parsed) };
+  } catch (error) {
+    if (error && typeof error === "object" && error.code === "ENOENT") {
+      return { filePath, metadata: null };
+    }
+    throw error;
+  }
+}
+
+async function writeMetadata(filePath, metadata) {
+  await fsp.mkdir(path.dirname(filePath), { recursive: true });
+  await fsp.writeFile(filePath, `${JSON.stringify(metadata, null, 2)}\n`, {
+    encoding: "utf-8",
+    mode: 0o600,
+  });
+  try {
+    await fsp.chmod(filePath, 0o600);
+  } catch {
+    // Windows does not reliably support POSIX chmod semantics.
+  }
+}
+
+/**
+ * Load the active stored session, resolving keyring-backed tokens when configured.
+ *
+ * @param {{ homeDir?: string }} [options]
+ * @returns {Promise<null | {
+ *   version: number,
+ *   apiUrl: string,
+ *   storage: "file" | "keyring",
+ *   keyringService: string,
+ *   keyringAccount: string,
+ *   tokenId: string | null,
+ *   tokenPrefix: string | null,
+ *   tokenExpiresAt: string | null,
+ *   createdAt: string,
+ *   updatedAt: string,
+ *   user: {
+ *     id: string,
+ *     githubUsername: string,
+ *     email: string,
+ *     avatarUrl: string,
+ *     isAdmin: boolean
+ *   },
+ *   token: string,
+ *   filePath: string
+ * }>}
+ */
+export async function readStoredSession({ homeDir } = {}) {
+  const { filePath, metadata } = await readMetadata({ homeDir });
+  if (!metadata) {
+    return null;
+  }
+
+  if (metadata.storage === "keyring") {
+    const keytar = await loadKeytarClient();
+    if (!keytar || !metadata.keyringAccount) {
+      return null;
+    }
+    const token = await keytar.getPassword(
+      metadata.keyringService || KEYRING_SERVICE,
+      metadata.keyringAccount
+    );
+    if (!token) {
+      return null;
+    }
+    return {
+      ...metadata,
+      filePath,
+      token,
+      storage: "keyring",
+    };
+  }
+
+  if (!metadata.token) {
+    return null;
+  }
+  return {
+    ...metadata,
+    filePath,
+    token: metadata.token,
+    storage: "file",
+  };
+}
+
+/**
+ * Read persisted session metadata without returning secret token material.
+ *
+ * @param {{ homeDir?: string }} [options]
+ * @returns {Promise<null | {
+ *   version: number,
+ *   apiUrl: string,
+ *   storage: string,
+ *   keyringService: string,
+ *   keyringAccount: string,
+ *   tokenId: string | null,
+ *   tokenPrefix: string | null,
+ *   tokenExpiresAt: string | null,
+ *   createdAt: string,
+ *   updatedAt: string,
+ *   user: {
+ *     id: string,
+ *     githubUsername: string,
+ *     email: string,
+ *     avatarUrl: string,
+ *     isAdmin: boolean
+ *   },
+ *   filePath: string,
+ *   token: null
+ * }>}
+ */
+export async function readStoredSessionMetadata({ homeDir } = {}) {
+  const { filePath, metadata } = await readMetadata({ homeDir });
+  if (!metadata) {
+    return null;
+  }
+  return {
+    ...metadata,
+    filePath,
+    token: null,
+  };
+}
+
+/**
+ * Persist a new session token and metadata using keyring storage when available.
+ *
+ * @param {{
+ *   apiUrl: string,
+ *   token: string,
+ *   tokenId?: string | null,
+ *   tokenPrefix?: string | null,
+ *   tokenExpiresAt?: string | null,
+ *   user?: Record<string, unknown>
+ * }} [session]
+ * @param {{ homeDir?: string }} [options]
+ * @returns {Promise<{
+ *   version: number,
+ *   apiUrl: string,
+ *   storage: "file" | "keyring",
+ *   keyringService: string,
+ *   keyringAccount: string,
+ *   tokenId: string | null,
+ *   tokenPrefix: string | null,
+ *   tokenExpiresAt: string | null,
+ *   createdAt: string,
+ *   updatedAt: string,
+ *   user: {
+ *     id: string,
+ *     githubUsername: string,
+ *     email: string,
+ *     avatarUrl: string,
+ *     isAdmin: boolean
+ *   },
+ *   filePath: string,
+ *   token: string
+ * }>}
+ */
+export async function writeStoredSession(
+  {
+    apiUrl,
+    token,
+    tokenId = null,
+    tokenPrefix = null,
+    tokenExpiresAt = null,
+    user = {},
+  } = {},
+  { homeDir } = {}
+) {
+  const normalizedApiUrl = String(apiUrl || "").trim();
+  const normalizedToken = String(token || "").trim();
+  if (!normalizedApiUrl) {
+    throw new Error("apiUrl is required to persist CLI auth session.");
+  }
+  if (!normalizedToken) {
+    throw new Error("token is required to persist CLI auth session.");
+  }
+
+  const { filePath, metadata: existingMetadata } = await readMetadata({ homeDir });
+  const keytar = await loadKeytarClient();
+  const keyringAccount = buildKeyringAccountName(normalizedApiUrl);
+  const updatedAt = nowIso();
+
+  const nextMetadata = normalizeMetadata({
+    version: CREDENTIALS_VERSION,
+    apiUrl: normalizedApiUrl,
+    tokenId,
+    tokenPrefix,
+    tokenExpiresAt,
+    user: normalizeUser(user),
+    createdAt: existingMetadata?.createdAt || updatedAt,
+    updatedAt,
+  });
+
+  if (keytar) {
+    const previousKeyringAccount = String(existingMetadata?.keyringAccount || "").trim();
+    const previousStorage = String(existingMetadata?.storage || "").trim();
+    if (previousStorage === "keyring" && previousKeyringAccount && previousKeyringAccount !== keyringAccount) {
+      await keytar.deletePassword(KEYRING_SERVICE, previousKeyringAccount);
+    }
+
+    await keytar.setPassword(KEYRING_SERVICE, keyringAccount, normalizedToken);
+    nextMetadata.storage = "keyring";
+    nextMetadata.keyringService = KEYRING_SERVICE;
+    nextMetadata.keyringAccount = keyringAccount;
+    nextMetadata.token = null;
+  } else {
+    nextMetadata.storage = "file";
+    nextMetadata.keyringService = KEYRING_SERVICE;
+    nextMetadata.keyringAccount = "";
+    nextMetadata.token = normalizedToken;
+  }
+
+  await writeMetadata(filePath, nextMetadata);
+
+  return {
+    ...nextMetadata,
+    filePath,
+    token: normalizedToken,
+  };
+}
+
+/**
+ * Remove local session metadata and keyring credentials for the active account.
+ *
+ * @param {{ homeDir?: string }} [options]
+ * @returns {Promise<{ filePath: string, hadSession: boolean }>}
+ */
+export async function clearStoredSession({ homeDir } = {}) {
+  const { filePath, metadata } = await readMetadata({ homeDir });
+  if (metadata && metadata.storage === "keyring") {
+    const keytar = await loadKeytarClient();
+    if (keytar && metadata.keyringAccount) {
+      await keytar.deletePassword(metadata.keyringService || KEYRING_SERVICE, metadata.keyringAccount);
+    }
+  }
+
+  try {
+    await fsp.rm(filePath, { force: true });
+  } catch {
+    // Ignore cleanup errors.
+  }
+
+  return {
+    filePath,
+    hadSession: Boolean(metadata),
+  };
+}

package/src/cli.js

@@ -0,0 +1,244 @@
+import process from "node:process";
+import { Command } from "commander";
+
+import { CLI_VERSION, runLegacyCliWithErrorHandling } from "./legacy-cli.js";
+
+const COMMAND_REGISTRARS = {
+  init: {
+    loader: () => import("./commands/init.js"),
+    exportName: "registerInitCommand",
+    needsLegacy: true,
+  },
+  omargate: {
+    loader: () => import("./commands/omargate.js"),
+    exportName: "registerOmarGateCommand",
+    needsLegacy: true,
+  },
+  audit: {
+    loader: () => import("./commands/audit.js"),
+    exportName: "registerAuditCommand",
+    needsLegacy: true,
+  },
+  persona: {
+    loader: () => import("./commands/persona.js"),
+    exportName: "registerPersonaCommand",
+    needsLegacy: true,
+  },
+  apply: {
+    loader: () => import("./commands/apply.js"),
+    exportName: "registerApplyCommand",
+    needsLegacy: true,
+  },
+  config: {
+    loader: () => import("./commands/config.js"),
+    exportName: "registerConfigCommand",
+    needsLegacy: false,
+  },
+  ingest: {
+    loader: () => import("./commands/ingest.js"),
+    exportName: "registerIngestCommand",
+    needsLegacy: false,
+  },
+  spec: {
+    loader: () => import("./commands/spec.js"),
+    exportName: "registerSpecCommand",
+    needsLegacy: false,
+  },
+  prompt: {
+    loader: () => import("./commands/prompt.js"),
+    exportName: "registerPromptCommand",
+    needsLegacy: false,
+  },
+  scan: {
+    loader: () => import("./commands/scan.js"),
+    exportName: "registerScanCommand",
+    needsLegacy: false,
+  },
+  guide: {
+    loader: () => import("./commands/guide.js"),
+    exportName: "registerGuideCommand",
+    needsLegacy: false,
+  },
+  cost: {
+    loader: () => import("./commands/cost.js"),
+    exportName: "registerCostCommand",
+    needsLegacy: false,
+  },
+  telemetry: {
+    loader: () => import("./commands/telemetry.js"),
+    exportName: "registerTelemetryCommand",
+    needsLegacy: false,
+  },
+  auth: {
+    loader: () => import("./commands/auth.js"),
+    exportName: "registerAuthCommand",
+    needsLegacy: false,
+  },
+  watch: {
+    loader: () => import("./commands/watch.js"),
+    exportName: "registerWatchCommand",
+    needsLegacy: false,
+  },
+  mcp: {
+    loader: () => import("./commands/mcp.js"),
+    exportName: "registerMcpCommand",
+    needsLegacy: false,
+  },
+  plugin: {
+    loader: () => import("./commands/plugin.js"),
+    exportName: "registerPluginCommand",
+    needsLegacy: false,
+  },
+  ai: {
+    loader: () => import("./commands/ai.js"),
+    exportName: "registerAiCommand",
+    needsLegacy: false,
+  },
+  review: {
+    loader: () => import("./commands/review.js"),
+    exportName: "registerReviewCommand",
+    needsLegacy: false,
+  },
+  chat: {
+    loader: () => import("./commands/chat.js"),
+    exportName: "registerChatCommand",
+    needsLegacy: false,
+  },
+  policy: {
+    loader: () => import("./commands/policy.js"),
+    exportName: "registerPolicyCommand",
+    needsLegacy: false,
+  },
+  swarm: {
+    loader: () => import("./commands/swarm.js"),
+    exportName: "registerSwarmCommand",
+    needsLegacy: false,
+  },
+  daemon: {
+    loader: () => import("./commands/daemon.js"),
+    exportName: "registerDaemonCommand",
+    needsLegacy: false,
+  },
+};
+
+const COMMAND_SET = new Set(Object.keys(COMMAND_REGISTRARS));
+
+// Map slash-prefixed commands to their Commander equivalents.
+// /omargate → omargate, /audit → audit local, etc.
+// Only remap /omargate to Commander. The others (/audit, /persona, /apply)
+// stay on the legacy path for backward compatibility (different output format).
+const SLASH_TO_COMMANDER = {
+  "/omargate": "omargate",
+};
+
+function normalizeSlashArgs(rawArgs) {
+  if (!Array.isArray(rawArgs) || rawArgs.length === 0) return rawArgs;
+  const first = String(rawArgs[0] || "").trim();
+
+  // Direct slash match: /omargate → omargate
+  const mapped = SLASH_TO_COMMANDER[first];
+  if (mapped) {
+    return [mapped, ...rawArgs.slice(1)];
+  }
+
+  // Windows Git Bash path mangling fix: /omargate gets converted to
+  // "C:/Program Files/Git/omargate" by MSYS. Detect and recover.
+  for (const [slash, cmd] of Object.entries(SLASH_TO_COMMANDER)) {
+    const suffix = slash.slice(1); // "omargate" from "/omargate"
+    if (first.endsWith("/" + suffix) || first.endsWith("\\" + suffix)) {
+      return [cmd, ...rawArgs.slice(1)];
+    }
+  }
+
+  return rawArgs;
+}
+
+function shouldBypassCommander(rawArgs) {
+  if (!Array.isArray(rawArgs) || rawArgs.length === 0) {
+    return true;
+  }
+
+  const first = String(rawArgs[0] || "").trim();
+  if (!first) {
+    return true;
+  }
+
+  // Slash commands are now handled by normalizeSlashArgs before this check
+  if (first.startsWith("/") && !SLASH_TO_COMMANDER[first]) {
+    return true;
+  }
+
+  if (first === "--help" || first === "-h" || first === "--version" || first === "-v") {
+    return true;
+  }
+
+  if (first.startsWith("-")) {
+    return true;
+  }
+
+  const resolved = SLASH_TO_COMMANDER[first] || first;
+  return !COMMAND_SET.has(resolved);
+}
+
+async function registerCommands(program, { invokeLegacy, onlyCommand } = {}) {
+  const commandNames =
+    onlyCommand && COMMAND_REGISTRARS[onlyCommand]
+      ? [onlyCommand]
+      : Object.keys(COMMAND_REGISTRARS);
+
+  for (const commandName of commandNames) {
+    const descriptor = COMMAND_REGISTRARS[commandName];
+    const loaded = await descriptor.loader();
+    const registerFn = loaded[descriptor.exportName];
+    if (typeof registerFn !== "function") {
+      throw new Error(
+        `Command registrar '${descriptor.exportName}' was not exported by '${commandName}' loader.`
+      );
+    }
+    if (descriptor.needsLegacy) {
+      registerFn(program, invokeLegacy);
+    } else {
+      registerFn(program);
+    }
+  }
+}
+
+export async function buildCliProgram({
+  invokeLegacy = runLegacyCliWithErrorHandling,
+  onlyCommand = null,
+} = {}) {
+  const program = new Command();
+
+  program
+    .name("sentinelayer-cli")
+    .description("Sentinelayer CLI")
+    .version(CLI_VERSION)
+    .option("--verbose", "Verbose execution logs")
+    .option("--quiet", "Suppress progress indicators and terminal notifications")
+    .option("--json", "Emit machine-readable output when supported")
+    .showHelpAfterError();
+
+  await registerCommands(program, {
+    invokeLegacy,
+    onlyCommand: onlyCommand && COMMAND_SET.has(onlyCommand) ? onlyCommand : null,
+  });
+
+  return program;
+}
+
+export async function runCli(rawArgs = process.argv.slice(2)) {
+  // Normalize slash commands (/omargate → omargate, /audit → audit, etc.)
+  const normalizedArgs = normalizeSlashArgs(rawArgs);
+
+  if (shouldBypassCommander(normalizedArgs)) {
+    await runLegacyCliWithErrorHandling(normalizedArgs);
+    return;
+  }
+
+  const program = await buildCliProgram({
+    invokeLegacy: runLegacyCliWithErrorHandling,
+    onlyCommand: normalizedArgs[0],
+  });
+  await program.parseAsync(["node", "sentinelayer-cli", ...normalizedArgs]);
+}
+