signet-auth 1.0.0-beta.0

package/src/cli/commands/doctor.ts

@@ -0,0 +1,301 @@
+/**
+ * sig doctor — Environment diagnostics.
+ * Runs a series of checks and reports pass/fail for each.
+ * Does NOT take deps (can run before config is fully wired).
+ */
+
+import fs from 'node:fs';
+import fsp from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { execSync } from 'node:child_process';
+import { getConfigPath, loadConfig } from '../../config/loader.js';
+import { isOk } from '../../core/result.js';
+import type { SignetConfig } from '../../config/schema.js';
+
+interface CheckResult {
+  label: string;
+  ok: boolean;
+  detail?: string;
+  hint?: string;
+}
+
+const PASS = '\u2713';  // ✓
+const FAIL = '\u2717';  // ✗
+
+function printResults(results: CheckResult[]): void {
+  let failures = 0;
+
+  for (const r of results) {
+    if (r.ok) {
+      const detail = r.detail ? ` (${r.detail})` : '';
+      console.log(`  ${PASS} ${r.label}${detail}`);
+    } else {
+      failures++;
+      console.log(`  ${FAIL} ${r.label}`);
+      if (r.hint) {
+        console.log(`    \u2192 ${r.hint}`);
+      }
+    }
+  }
+
+  console.log('');
+  if (failures === 0) {
+    console.log('All checks passed.');
+  } else {
+    console.log(`${failures} issue${failures > 1 ? 's' : ''} found.`);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Individual checks
+// ---------------------------------------------------------------------------
+
+function checkConfigExists(): CheckResult {
+  const configPath = getConfigPath();
+  const exists = fs.existsSync(configPath);
+  return {
+    label: 'Config file exists',
+    ok: exists,
+    detail: exists ? configPath.replace(os.homedir(), '~') : undefined,
+    hint: exists ? undefined : 'Run "sig init" to create ~/.signet/config.yaml',
+  };
+}
+
+async function checkConfigValid(): Promise<CheckResult & { config?: SignetConfig }> {
+  const configResult = await loadConfig();
+  if (!isOk(configResult)) {
+    return {
+      label: 'Config is valid',
+      ok: false,
+      hint: configResult.error.message,
+    };
+  }
+  return {
+    label: 'Config is valid',
+    ok: true,
+    config: configResult.value,
+  };
+}
+
+async function checkCredentialsDir(config: SignetConfig | undefined): Promise<CheckResult> {
+  if (!config) {
+    return {
+      label: 'Credentials directory exists',
+      ok: false,
+      hint: 'Fix config first',
+    };
+  }
+
+  const dir = config.storage.credentialsDir.replace(/^~/, os.homedir());
+  try {
+    await fsp.access(dir, fs.constants.R_OK | fs.constants.W_OK);
+    return {
+      label: 'Credentials directory exists',
+      ok: true,
+      detail: config.storage.credentialsDir,
+    };
+  } catch {
+    return {
+      label: 'Credentials directory exists',
+      ok: false,
+      hint: `Directory not found or not writable: ${config.storage.credentialsDir}`,
+    };
+  }
+}
+
+async function checkBrowserDataDir(config: SignetConfig | undefined): Promise<CheckResult> {
+  if (!config) {
+    return {
+      label: 'Browser data directory exists',
+      ok: false,
+      hint: 'Fix config first',
+    };
+  }
+
+  const dir = config.browser.browserDataDir.replace(/^~/, os.homedir());
+  const exists = fs.existsSync(dir);
+  return {
+    label: 'Browser data directory exists',
+    ok: exists,
+    detail: exists ? config.browser.browserDataDir : undefined,
+    hint: exists ? undefined : `Directory not found: ${config.browser.browserDataDir}`,
+  };
+}
+
+function findChannelBrowser(channel: string): boolean {
+  const platform = process.platform;
+
+  // Check common browser locations based on channel and platform
+  if (platform === 'darwin') {
+    const apps: Record<string, string> = {
+      chrome: '/Applications/Google Chrome.app',
+      msedge: '/Applications/Microsoft Edge.app',
+      chromium: '/Applications/Chromium.app',
+    };
+    if (apps[channel]) return fs.existsSync(apps[channel]);
+  }
+
+  if (platform === 'linux') {
+    const bins: Record<string, string> = {
+      chrome: 'google-chrome',
+      msedge: 'microsoft-edge',
+      chromium: 'chromium',
+    };
+    if (bins[channel]) {
+      try {
+        execSync(`which ${bins[channel]}`, { stdio: 'ignore' });
+        return true;
+      } catch {
+        return false;
+      }
+    }
+  }
+
+  return false;
+}
+
+async function checkBrowserAvailable(config: SignetConfig | undefined): Promise<CheckResult> {
+  if (!config) {
+    return {
+      label: 'Browser available',
+      ok: false,
+      hint: 'Fix config first',
+    };
+  }
+
+  const channel = config.browser.channel;
+  try {
+    // Verify playwright-core is importable
+    await import('playwright-core');
+
+    // Check if the channel browser is installed on the system
+    const found = findChannelBrowser(channel);
+    if (found) {
+      return {
+        label: 'Browser available',
+        ok: true,
+        detail: channel,
+      };
+    }
+
+    // Fallback: if we can't detect by channel but playwright-core is available, report cautiously
+    return {
+      label: 'Browser available',
+      ok: true,
+      detail: `${channel} (playwright-core loaded, browser not verified)`,
+    };
+  } catch {
+    return {
+      label: 'Browser available',
+      ok: false,
+      hint: 'playwright-core not installed. Run "npm install playwright-core".',
+    };
+  }
+}
+
+function checkNodeVersion(): CheckResult {
+  const version = process.version;
+  const match = version.match(/^v(\d+)/);
+  const major = match ? parseInt(match[1], 10) : 0;
+  return {
+    label: 'Node.js version',
+    ok: major >= 18,
+    detail: version,
+    hint: major < 18 ? `Node.js >= 18 is required. Current: ${version}` : undefined,
+  };
+}
+
+async function checkStoredCredentials(config: SignetConfig | undefined): Promise<CheckResult> {
+  if (!config) {
+    return {
+      label: 'Stored credentials',
+      ok: true,
+      detail: 'skipped (no config)',
+    };
+  }
+
+  const dir = config.storage.credentialsDir.replace(/^~/, os.homedir());
+  try {
+    const files = await fsp.readdir(dir);
+    const jsonFiles = files.filter(f => f.endsWith('.json') && !f.endsWith('.lock'));
+    const total = jsonFiles.length;
+
+    // Check for expired credentials by reading each file
+    let expired = 0;
+    for (const file of jsonFiles) {
+      try {
+        const content = await fsp.readFile(path.join(dir, file), 'utf-8');
+        const data = JSON.parse(content);
+        const cred = data?.credential;
+        if (cred?.type === 'bearer' && cred?.token) {
+          try {
+            const { isJwtExpired } = await import('../../utils/jwt.js');
+            if (isJwtExpired(cred.token)) expired++;
+          } catch {
+            // JWT decode failed, skip
+          }
+        }
+      } catch {
+        // Skip unreadable files
+      }
+    }
+
+    const detail = expired > 0
+      ? `${total} stored credential${total !== 1 ? 's' : ''} (${expired} expired)`
+      : `${total} stored credential${total !== 1 ? 's' : ''}`;
+
+    return {
+      label: 'Stored credentials',
+      ok: true,
+      detail,
+    };
+  } catch {
+    return {
+      label: 'Stored credentials',
+      ok: true,
+      detail: '0 stored credentials',
+    };
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Main command
+// ---------------------------------------------------------------------------
+
+export async function runDoctor(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+): Promise<void> {
+  const results: CheckResult[] = [];
+
+  // a. Config file exists
+  results.push(checkConfigExists());
+
+  // b. Config is valid
+  const configCheck = await checkConfigValid();
+  results.push(configCheck);
+  const config = configCheck.config;
+
+  // c. Credentials directory
+  results.push(await checkCredentialsDir(config));
+
+  // d. Browser data directory
+  results.push(await checkBrowserDataDir(config));
+
+  // e. Browser available
+  results.push(await checkBrowserAvailable(config));
+
+  // f. Node.js version
+  results.push(checkNodeVersion());
+
+  // g. Stored credentials
+  results.push(await checkStoredCredentials(config));
+
+  printResults(results);
+
+  const hasFailures = results.some(r => !r.ok);
+  if (hasFailures) {
+    process.exitCode = 1;
+  }
+}

package/src/cli/commands/get.ts

@@ -0,0 +1,96 @@
+import type { AuthDeps } from '../../deps.js';
+import { isOk } from '../../core/result.js';
+import { formatJson, formatCredentialHeaders } from '../formatters.js';
+
+const PRIMARY_HEADERS = ['cookie', 'authorization'];
+
+export async function runGet(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+  deps: AuthDeps,
+): Promise<void> {
+  const target = positionals[0];
+  if (!target) {
+    process.stderr.write('Usage: sig get <provider|url>\n');
+    process.exitCode = 1;
+    return;
+  }
+
+  const isUrl = target.startsWith('http://') || target.startsWith('https://');
+  let providerId: string;
+  let credential;
+
+  if (isUrl) {
+    const result = await deps.authManager.getCredentialsByUrl(target);
+    if (!isOk(result)) {
+      process.stderr.write(`Error: ${result.error.message}\n`);
+      process.exitCode = result.error.code === 'PROVIDER_NOT_FOUND' ? 2 : 3;
+      return;
+    }
+    providerId = result.value.provider.id;
+    credential = result.value.credential;
+  } else {
+    const provider = deps.authManager.providerRegistry.get(target);
+    if (!provider) {
+      process.stderr.write(`Error: No provider found with ID "${target}".\n`);
+      process.exitCode = 2;
+      return;
+    }
+    providerId = provider.id;
+    const result = await deps.authManager.getCredentials(providerId);
+    if (!isOk(result)) {
+      process.stderr.write(`Error: ${result.error.message}\n`);
+      process.exitCode = result.error.code === 'CREDENTIAL_NOT_FOUND' ? 3 : 1;
+      return;
+    }
+    credential = result.value;
+  }
+
+  const headers = deps.authManager.applyToRequest(providerId, credential);
+  const entries = Object.entries(headers);
+
+  if (entries.length === 0) {
+    process.stderr.write(`Error: No credential headers produced for "${providerId}".\n`);
+    process.exitCode = 3;
+    return;
+  }
+
+  const primaryEntry = entries.find(([name]) => PRIMARY_HEADERS.includes(name.toLowerCase()))
+    ?? entries[0];
+  const [primaryHeaderName, primaryHeaderValue] = primaryEntry;
+
+  const xHeaders: Record<string, string> = {};
+  for (const [name, value] of entries) {
+    if (name !== primaryHeaderName) {
+      xHeaders[name] = value;
+    }
+  }
+
+  const format = (flags.format as string) ?? 'json';
+
+  switch (format) {
+    case 'json': {
+      const output: Record<string, unknown> = {
+        provider: providerId,
+        credential: primaryHeaderValue,
+        headerName: primaryHeaderName,
+        type: credential.type,
+      };
+      if (Object.keys(xHeaders).length > 0) output.xHeaders = xHeaders;
+      process.stdout.write(formatJson(output) + '\n');
+      break;
+    }
+    case 'header': {
+      process.stdout.write(formatCredentialHeaders(headers) + '\n');
+      break;
+    }
+    case 'value': {
+      process.stdout.write(primaryHeaderValue + '\n');
+      break;
+    }
+    default: {
+      process.stderr.write(`Unknown format: ${format}\n`);
+      process.exitCode = 1;
+    }
+  }
+}

package/src/cli/commands/init.ts

@@ -0,0 +1,289 @@
+/**
+ * sig init — Interactive setup command.
+ * Creates ~/.signet/config.yaml with sensible defaults.
+ * Does NOT take deps (runs before config exists).
+ */
+
+import fs from 'node:fs';
+import fsp from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import { execSync } from 'node:child_process';
+import { createInterface } from 'node:readline/promises';
+import YAML from 'yaml';
+import { getConfigPath } from '../../config/loader.js';
+import { generateConfigYaml } from '../../config/generator.js';
+import { validateConfig } from '../../config/validator.js';
+import { isOk } from '../../core/result.js';
+
+// ---------------------------------------------------------------------------
+// Provider templates
+// ---------------------------------------------------------------------------
+
+interface ProviderTemplate {
+  name: string;
+  domains: string[];
+  strategy: string;
+  config?: Record<string, unknown>;
+  needsDomain?: boolean;
+}
+
+const PROVIDER_TEMPLATES: Record<string, ProviderTemplate> = {
+  github: {
+    name: 'GitHub',
+    domains: ['github.com', 'api.github.com'],
+    strategy: 'api-token',
+    config: { headerName: 'Authorization', headerPrefix: 'Bearer' },
+  },
+  gitlab: {
+    name: 'GitLab',
+    domains: ['gitlab.com'],
+    strategy: 'api-token',
+    config: { headerName: 'PRIVATE-TOKEN', headerPrefix: '' },
+  },
+  jira: {
+    name: 'Jira (Cloud)',
+    domains: [],
+    strategy: 'cookie',
+    needsDomain: true,
+  },
+  confluence: {
+    name: 'Confluence',
+    domains: [],
+    strategy: 'cookie',
+    needsDomain: true,
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Browser channel detection
+// ---------------------------------------------------------------------------
+
+function detectBrowserChannel(): string {
+  const platform = process.platform;
+
+  if (platform === 'darwin') {
+    if (fs.existsSync('/Applications/Google Chrome.app')) return 'chrome';
+    if (fs.existsSync('/Applications/Microsoft Edge.app')) return 'msedge';
+    return 'chrome';
+  }
+
+  if (platform === 'linux') {
+    try { execSync('which google-chrome', { stdio: 'ignore' }); return 'chrome'; } catch { /* not found */ }
+    try { execSync('which microsoft-edge', { stdio: 'ignore' }); return 'msedge'; } catch { /* not found */ }
+    try { execSync('which chromium', { stdio: 'ignore' }); return 'chromium'; } catch { /* not found */ }
+    return 'chrome';
+  }
+
+  // Windows or unknown
+  return 'chrome';
+}
+
+// ---------------------------------------------------------------------------
+// Interactive prompts
+// ---------------------------------------------------------------------------
+
+async function promptProviders(rl: ReturnType<typeof createInterface>): Promise<Array<{
+  id: string;
+  domains: string[];
+  strategy: string;
+  entryUrl?: string;
+  config?: Record<string, unknown>;
+}>> {
+  const providers: Array<{
+    id: string;
+    domains: string[];
+    strategy: string;
+    entryUrl?: string;
+    config?: Record<string, unknown>;
+  }> = [];
+
+  const addMore = await rl.question('\nWould you like to add a provider? (y/N) ');
+  if (addMore.toLowerCase() !== 'y') return providers;
+
+  let keepAdding = true;
+  while (keepAdding) {
+    const templateNames = Object.keys(PROVIDER_TEMPLATES);
+    console.log('\nProvider templates:');
+    for (let i = 0; i < templateNames.length; i++) {
+      const key = templateNames[i];
+      const tmpl = PROVIDER_TEMPLATES[key];
+      console.log(`  ${i + 1}. ${tmpl.name} (${key})`);
+    }
+    console.log(`  ${templateNames.length + 1}. Custom`);
+
+    const choice = await rl.question(`\nSelect template (1-${templateNames.length + 1}): `);
+    const choiceNum = parseInt(choice, 10);
+
+    if (choiceNum >= 1 && choiceNum <= templateNames.length) {
+      const templateKey = templateNames[choiceNum - 1];
+      const template = PROVIDER_TEMPLATES[templateKey];
+
+      let domains = template.domains;
+      if (template.needsDomain) {
+        const domain = await rl.question(`Enter your ${template.name} domain (e.g., ${templateKey}.example.com): `);
+        if (domain.trim()) {
+          domains = [domain.trim()];
+        } else {
+          console.log('  Skipping — domain is required.');
+          const again = await rl.question('\nAdd another provider? (y/N) ');
+          keepAdding = again.toLowerCase() === 'y';
+          continue;
+        }
+      }
+
+      providers.push({
+        id: templateKey,
+        domains,
+        strategy: template.strategy,
+        ...(template.config ? { config: template.config } : {}),
+      });
+      console.log(`  Added ${template.name}.`);
+    } else if (choiceNum === templateNames.length + 1) {
+      const id = await rl.question('Provider id (e.g., my-api): ');
+      if (!id.trim()) {
+        console.log('  Skipping — id is required.');
+        const again = await rl.question('\nAdd another provider? (y/N) ');
+        keepAdding = again.toLowerCase() === 'y';
+        continue;
+      }
+      const domain = await rl.question('Domain(s) (comma-separated): ');
+      const domains = domain.split(',').map(d => d.trim()).filter(Boolean);
+      if (domains.length === 0) {
+        console.log('  Skipping — at least one domain is required.');
+        const again = await rl.question('\nAdd another provider? (y/N) ');
+        keepAdding = again.toLowerCase() === 'y';
+        continue;
+      }
+      const strategy = await rl.question('Strategy (cookie, oauth2, api-token, basic) [cookie]: ') || 'cookie';
+      providers.push({ id: id.trim(), domains, strategy });
+      console.log(`  Added custom provider "${id.trim()}".`);
+    } else {
+      console.log('  Invalid selection.');
+    }
+
+    const again = await rl.question('\nAdd another provider? (y/N) ');
+    keepAdding = again.toLowerCase() === 'y';
+  }
+
+  return providers;
+}
+
+// ---------------------------------------------------------------------------
+// Main command
+// ---------------------------------------------------------------------------
+
+export async function runInit(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+): Promise<void> {
+  const configPath = getConfigPath();
+  const signetDir = path.dirname(configPath);
+  const force = flags.force === true;
+  const yes = flags.yes === true;
+
+  // Check if config already exists
+  if (fs.existsSync(configPath) && !force) {
+    process.stderr.write(
+      `Config file already exists: ${configPath}\n` +
+      'Use --force to overwrite.\n',
+    );
+    process.exitCode = 1;
+    return;
+  }
+
+  // Detect defaults
+  const detectedChannel = detectBrowserChannel();
+  const defaultChannel = typeof flags.channel === 'string' ? flags.channel : detectedChannel;
+  const defaultBrowserDataDir = typeof flags['browser-data-dir'] === 'string'
+    ? flags['browser-data-dir']
+    : path.join(signetDir, 'browser-data');
+  const defaultCredentialsDir = typeof flags['credentials-dir'] === 'string'
+    ? flags['credentials-dir']
+    : path.join(signetDir, 'credentials');
+
+  let channel = defaultChannel;
+  let browserDataDir = defaultBrowserDataDir;
+  let credentialsDir = defaultCredentialsDir;
+  let providers: Array<{
+    id: string;
+    domains: string[];
+    strategy: string;
+    entryUrl?: string;
+    config?: Record<string, unknown>;
+  }> = [];
+
+  // Interactive mode
+  const isTTY = process.stdin.isTTY && process.stdout.isTTY;
+  if (isTTY && !yes) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+      console.log('\nWelcome to Signet! Let\'s set up your configuration.\n');
+
+      const channelAnswer = await rl.question(`Browser channel [${defaultChannel}]: `);
+      if (channelAnswer.trim()) channel = channelAnswer.trim();
+
+      providers = await promptProviders(rl);
+    } finally {
+      rl.close();
+    }
+  } else {
+    if (!yes) {
+      // Non-TTY, non-yes: use defaults silently
+    }
+  }
+
+  // Resolve ~ in paths for display but keep ~ in config for portability
+  const displayBrowserDataDir = browserDataDir.replace(os.homedir(), '~');
+  const displayCredentialsDir = credentialsDir.replace(os.homedir(), '~');
+
+  // Generate config YAML
+  const yaml = generateConfigYaml({
+    channel,
+    browserDataDir: displayBrowserDataDir,
+    credentialsDir: displayCredentialsDir,
+    headlessTimeout: 30_000,
+    visibleTimeout: 120_000,
+    waitUntil: 'load',
+    providers: providers.length > 0 ? providers : undefined,
+  });
+
+  // Validate the generated config before writing (sanity check)
+  let raw: unknown;
+  try {
+    raw = YAML.parse(yaml);
+  } catch (e: unknown) {
+    process.stderr.write(`Bug: generated invalid YAML: ${(e as Error).message}\n`);
+    process.exitCode = 1;
+    return;
+  }
+
+  const validationResult = validateConfig(raw as Record<string, unknown>);
+  if (!isOk(validationResult)) {
+    process.stderr.write(`Bug: generated config failed validation: ${validationResult.error.message}\n`);
+    process.exitCode = 1;
+    return;
+  }
+
+  // Create directories
+  await fsp.mkdir(signetDir, { recursive: true });
+  await fsp.mkdir(browserDataDir, { recursive: true });
+  await fsp.mkdir(credentialsDir, { recursive: true });
+
+  // Write config
+  await fsp.writeFile(configPath, yaml, 'utf-8');
+
+  // Success message
+  console.log(`\n  Config written to ${configPath}`);
+  console.log(`  Browser data:   ${browserDataDir}`);
+  console.log(`  Credentials:    ${credentialsDir}`);
+  console.log(`  Browser:        ${channel}`);
+  if (providers.length > 0) {
+    console.log(`  Providers:      ${providers.map(p => p.id).join(', ')}`);
+  }
+  console.log('\nNext steps:');
+  console.log('  sig login <url>       Authenticate with a service');
+  console.log('  sig providers         List configured providers');
+  console.log('  sig doctor            Check your setup');
+  console.log('');
+}