skilluse 0.1.0

package/dist/services/credentials.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Secure credential storage service.
+ *
+ * Stores OAuth tokens securely using:
+ * 1. System keychain (preferred) - macOS Keychain, Windows Credential Manager, Linux libsecret
+ * 2. Encrypted file fallback - when keychain is unavailable
+ *
+ * Storage strategy:
+ * - User token → Keychain/encrypted file (sensitive)
+ * - Installation list → Config file JSON via store.ts (metadata)
+ * - Installation token → Memory cache (short-lived, 1 hour)
+ */
+/** @deprecated Use UserCredentials instead */
+export interface Credentials {
+    token: string;
+    user: string;
+}
+export interface UserCredentials {
+    token: string;
+    userName: string;
+}
+export interface InstallationTokenCache {
+    installationId: number;
+    token: string;
+    expiresAt: Date;
+}
+/**
+ * Check if the system keychain is available and working.
+ */
+export declare function isKeychainAvailable(): Promise<boolean>;
+/**
+ * Get stored credentials from keychain or encrypted file.
+ */
+export declare function getCredentials(): Promise<Credentials | null>;
+/**
+ * Store credentials in keychain or encrypted file.
+ */
+export declare function setCredentials(token: string, user: string): Promise<void>;
+/**
+ * Clear stored credentials from both keychain and encrypted file.
+ */
+export declare function clearCredentials(): Promise<void>;
+/**
+ * Store user credentials (token and username) securely.
+ */
+export declare function setUserCredentials(token: string, userName: string): Promise<void>;
+/**
+ * Get user credentials from secure storage.
+ */
+export declare function getUserCredentials(): Promise<UserCredentials | null>;
+/**
+ * Get cached installation token if it exists and is not expired.
+ * Returns null if no valid token is cached.
+ */
+export declare function getCachedInstallationToken(installationId: number): InstallationTokenCache | null;
+/**
+ * Cache an installation token.
+ */
+export declare function setCachedInstallationToken(cache: InstallationTokenCache): void;
+/**
+ * Clear all cached installation tokens.
+ */
+export declare function clearInstallationTokenCache(): void;
+/**
+ * Clear all credentials: user token, and installation token cache.
+ * Note: Installation list and default installation are cleared via store.ts
+ */
+export declare function clearAllCredentials(): Promise<void>;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/services/credentials.js

@@ -0,0 +1,216 @@
+/**
+ * Secure credential storage service.
+ *
+ * Stores OAuth tokens securely using:
+ * 1. System keychain (preferred) - macOS Keychain, Windows Credential Manager, Linux libsecret
+ * 2. Encrypted file fallback - when keychain is unavailable
+ *
+ * Storage strategy:
+ * - User token → Keychain/encrypted file (sensitive)
+ * - Installation list → Config file JSON via store.ts (metadata)
+ * - Installation token → Memory cache (short-lived, 1 hour)
+ */
+import crypto from "crypto";
+import fs from "fs/promises";
+import os from "os";
+import path from "path";
+import keytar from "keytar";
+import { dataPath } from "./paths.js";
+const SERVICE_NAME = "skilluse";
+const CREDENTIALS_FILE = "credentials.enc";
+// In-memory cache for short-lived installation tokens
+const installationTokenCache = new Map();
+// Cache keychain availability to avoid repeated checks
+let keychainAvailable = null;
+/**
+ * Check if the system keychain is available and working.
+ */
+export async function isKeychainAvailable() {
+    if (keychainAvailable !== null) {
+        return keychainAvailable;
+    }
+    try {
+        // Try a test operation to see if keychain is working
+        const testKey = "__keychain_test__";
+        await keytar.setPassword(SERVICE_NAME, testKey, "test");
+        await keytar.deletePassword(SERVICE_NAME, testKey);
+        keychainAvailable = true;
+    }
+    catch {
+        keychainAvailable = false;
+    }
+    return keychainAvailable;
+}
+/**
+ * Get stored credentials from keychain or encrypted file.
+ */
+export async function getCredentials() {
+    if (await isKeychainAvailable()) {
+        return getCredentialsFromKeychain();
+    }
+    return getCredentialsFromFile();
+}
+/**
+ * Store credentials in keychain or encrypted file.
+ */
+export async function setCredentials(token, user) {
+    if (await isKeychainAvailable()) {
+        await setCredentialsToKeychain(token, user);
+    }
+    else {
+        await setCredentialsToFile(token, user);
+    }
+}
+/**
+ * Clear stored credentials from both keychain and encrypted file.
+ */
+export async function clearCredentials() {
+    // Clear from keychain
+    try {
+        await keytar.deletePassword(SERVICE_NAME, "github-token");
+        await keytar.deletePassword(SERVICE_NAME, "github-user");
+    }
+    catch {
+        // Ignore keychain errors
+    }
+    // Clear encrypted file
+    try {
+        const filePath = path.join(dataPath, CREDENTIALS_FILE);
+        await fs.unlink(filePath);
+    }
+    catch {
+        // Ignore file errors (file may not exist)
+    }
+}
+// --- Keychain operations ---
+async function getCredentialsFromKeychain() {
+    try {
+        const token = await keytar.getPassword(SERVICE_NAME, "github-token");
+        const user = await keytar.getPassword(SERVICE_NAME, "github-user");
+        if (token && user) {
+            return { token, user };
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+async function setCredentialsToKeychain(token, user) {
+    await keytar.setPassword(SERVICE_NAME, "github-token", token);
+    await keytar.setPassword(SERVICE_NAME, "github-user", user);
+}
+// --- Encrypted file operations ---
+/**
+ * Derive an encryption key from machine-specific information.
+ * This provides basic protection against copying the file to another machine.
+ */
+function deriveKey() {
+    const machineInfo = `${os.hostname()}:${os.userInfo().username}:${SERVICE_NAME}`;
+    return crypto.scryptSync(machineInfo, "skilluse-salt", 32);
+}
+function encrypt(data) {
+    const key = deriveKey();
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+    let encrypted = cipher.update(data, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+    // Format: iv:authTag:encryptedData
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+}
+function decrypt(encryptedData) {
+    const [ivHex, authTagHex, encrypted] = encryptedData.split(":");
+    const key = deriveKey();
+    const iv = Buffer.from(ivHex, "hex");
+    const authTag = Buffer.from(authTagHex, "hex");
+    const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+}
+async function getCredentialsFromFile() {
+    try {
+        const filePath = path.join(dataPath, CREDENTIALS_FILE);
+        const encryptedData = await fs.readFile(filePath, "utf8");
+        const decrypted = decrypt(encryptedData);
+        return JSON.parse(decrypted);
+    }
+    catch {
+        return null;
+    }
+}
+async function setCredentialsToFile(token, user) {
+    const credentials = { token, user };
+    const encrypted = encrypt(JSON.stringify(credentials));
+    // Ensure data directory exists
+    await fs.mkdir(dataPath, { recursive: true });
+    const filePath = path.join(dataPath, CREDENTIALS_FILE);
+    await fs.writeFile(filePath, encrypted, { mode: 0o600 }); // Owner read/write only
+}
+// ============================================================================
+// New GitHub App Credential Functions
+// ============================================================================
+/**
+ * Store user credentials (token and username) securely.
+ */
+export async function setUserCredentials(token, userName) {
+    // Reuse existing implementation with new interface
+    await setCredentials(token, userName);
+}
+/**
+ * Get user credentials from secure storage.
+ */
+export async function getUserCredentials() {
+    const creds = await getCredentials();
+    if (!creds)
+        return null;
+    return {
+        token: creds.token,
+        userName: creds.user,
+    };
+}
+// ============================================================================
+// Installation Token Cache (in-memory, short-lived)
+// ============================================================================
+/**
+ * Get cached installation token if it exists and is not expired.
+ * Returns null if no valid token is cached.
+ */
+export function getCachedInstallationToken(installationId) {
+    const cached = installationTokenCache.get(installationId);
+    if (!cached)
+        return null;
+    // Check if token is expired (with 5 minute buffer for safety)
+    const bufferMs = 5 * 60 * 1000;
+    if (new Date(cached.expiresAt).getTime() - bufferMs < Date.now()) {
+        // Token is expired or about to expire, remove it
+        installationTokenCache.delete(installationId);
+        return null;
+    }
+    return cached;
+}
+/**
+ * Cache an installation token.
+ */
+export function setCachedInstallationToken(cache) {
+    installationTokenCache.set(cache.installationId, cache);
+}
+/**
+ * Clear all cached installation tokens.
+ */
+export function clearInstallationTokenCache() {
+    installationTokenCache.clear();
+}
+/**
+ * Clear all credentials: user token, and installation token cache.
+ * Note: Installation list and default installation are cleared via store.ts
+ */
+export async function clearAllCredentials() {
+    // Clear user credentials
+    await clearCredentials();
+    // Clear installation token cache
+    clearInstallationTokenCache();
+}
+//# sourceMappingURL=credentials.js.map

package/dist/services/index.d.ts

@@ -0,0 +1,6 @@
+export { requestDeviceCode, pollForAccessToken, pollUntilComplete, openBrowser, sleep, getUserInstallations, getInstallationRepositories, getInstallationToken, type DeviceCodeResponse, type AccessTokenResponse, type OAuthError, type PollResult, type Installation, type Repository, type InstallationToken, } from "./oauth.js";
+export { getConfig, addRepo, removeRepo, setDefaultRepo, addInstalledSkill, removeInstalledSkill, setInstallations, getInstallations, setDefaultInstallation, getDefaultInstallation, clearInstallations, isFirstRun, type Config, type RepoConfig, type InstalledSkill, type StoredInstallation, } from "./store.js";
+export { configPath, dataPath, cachePath, logPath, tempPath, } from "./paths.js";
+export { getCredentials, setCredentials, clearCredentials, isKeychainAvailable, type Credentials, setUserCredentials, getUserCredentials, getCachedInstallationToken, setCachedInstallationToken, clearInstallationTokenCache, clearAllCredentials, type UserCredentials, type InstallationTokenCache, } from "./credentials.js";
+export { checkForUpdate, getCurrentVersion, type UpdateInfo, } from "./update.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/services/index.js

@@ -0,0 +1,10 @@
+export { requestDeviceCode, pollForAccessToken, pollUntilComplete, openBrowser, sleep, getUserInstallations, getInstallationRepositories, getInstallationToken, } from "./oauth.js";
+export { getConfig, addRepo, removeRepo, setDefaultRepo, addInstalledSkill, removeInstalledSkill, setInstallations, getInstallations, setDefaultInstallation, getDefaultInstallation, clearInstallations, isFirstRun, } from "./store.js";
+export { configPath, dataPath, cachePath, logPath, tempPath, } from "./paths.js";
+export { 
+// Legacy (deprecated)
+getCredentials, setCredentials, clearCredentials, isKeychainAvailable, 
+// New GitHub App credential functions
+setUserCredentials, getUserCredentials, getCachedInstallationToken, setCachedInstallationToken, clearInstallationTokenCache, clearAllCredentials, } from "./credentials.js";
+export { checkForUpdate, getCurrentVersion, } from "./update.js";
+//# sourceMappingURL=index.js.map

package/dist/services/oauth.d.ts

@@ -0,0 +1,106 @@
+/**
+ * GitHub OAuth Device Flow implementation
+ * Reference: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
+ */
+export interface Installation {
+    id: number;
+    account: {
+        login: string;
+        type: "User" | "Organization";
+    };
+    repository_selection: "all" | "selected";
+    permissions: Record<string, string>;
+}
+export interface Repository {
+    id: number;
+    name: string;
+    full_name: string;
+    private: boolean;
+}
+export interface InstallationToken {
+    token: string;
+    expires_at: string;
+    permissions: Record<string, string>;
+    repositories?: Repository[];
+}
+export interface DeviceCodeResponse {
+    device_code: string;
+    user_code: string;
+    verification_uri: string;
+    expires_in: number;
+    interval: number;
+}
+export interface AccessTokenResponse {
+    access_token: string;
+    token_type: string;
+    scope: string;
+}
+export interface OAuthError {
+    error: string;
+    error_description?: string;
+}
+export type PollResult = {
+    status: "success";
+    token: AccessTokenResponse;
+} | {
+    status: "pending";
+} | {
+    status: "slow_down";
+    newInterval: number;
+} | {
+    status: "expired";
+} | {
+    status: "access_denied";
+} | {
+    status: "error";
+    message: string;
+};
+/**
+ * Request a device code from GitHub
+ * This is the first step in the device flow
+ */
+export declare function requestDeviceCode(clientId: string, scope?: string): Promise<DeviceCodeResponse>;
+/**
+ * Poll GitHub for the access token
+ * Returns the poll result which can be:
+ * - success: user authorized, token received
+ * - pending: user hasn't authorized yet
+ * - slow_down: polling too fast, increase interval
+ * - expired: device code expired
+ * - access_denied: user denied authorization
+ * - error: other error occurred
+ */
+export declare function pollForAccessToken(clientId: string, deviceCode: string): Promise<PollResult>;
+/**
+ * Helper to sleep for a given number of milliseconds
+ */
+export declare function sleep(ms: number): Promise<void>;
+/**
+ * Poll for access token with automatic retry
+ * This handles the full polling loop until success, timeout, or error
+ */
+export declare function pollUntilComplete(clientId: string, deviceCode: string, expiresIn: number, initialInterval: number, onPoll?: (attempt: number) => void): Promise<{
+    success: true;
+    token: AccessTokenResponse;
+} | {
+    success: false;
+    reason: "expired" | "denied" | "error";
+    message?: string;
+}>;
+/**
+ * Open URL in the default browser
+ */
+export declare function openBrowser(url: string): Promise<void>;
+/**
+ * Get all GitHub App installations for the authenticated user
+ */
+export declare function getUserInstallations(userToken: string): Promise<Installation[]>;
+/**
+ * Get repositories accessible by a specific installation
+ */
+export declare function getInstallationRepositories(userToken: string, installationId: number): Promise<Repository[]>;
+/**
+ * Get an installation access token for API operations
+ */
+export declare function getInstallationToken(userToken: string, installationId: number): Promise<InstallationToken>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/services/oauth.js

@@ -0,0 +1,208 @@
+/**
+ * GitHub OAuth Device Flow implementation
+ * Reference: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow
+ */
+const DEVICE_CODE_URL = "https://github.com/login/device/code";
+const ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
+/**
+ * Request a device code from GitHub
+ * This is the first step in the device flow
+ */
+export async function requestDeviceCode(clientId, scope = "repo") {
+    const response = await fetch(DEVICE_CODE_URL, {
+        method: "POST",
+        headers: {
+            Accept: "application/json",
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: new URLSearchParams({
+            client_id: clientId,
+            scope,
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to request device code: ${response.status}`);
+    }
+    const data = (await response.json());
+    if (data.error) {
+        throw new Error(data.error_description || data.error);
+    }
+    return data;
+}
+/**
+ * Poll GitHub for the access token
+ * Returns the poll result which can be:
+ * - success: user authorized, token received
+ * - pending: user hasn't authorized yet
+ * - slow_down: polling too fast, increase interval
+ * - expired: device code expired
+ * - access_denied: user denied authorization
+ * - error: other error occurred
+ */
+export async function pollForAccessToken(clientId, deviceCode) {
+    const response = await fetch(ACCESS_TOKEN_URL, {
+        method: "POST",
+        headers: {
+            Accept: "application/json",
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+        body: new URLSearchParams({
+            client_id: clientId,
+            device_code: deviceCode,
+            grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        }),
+    });
+    if (!response.ok) {
+        return {
+            status: "error",
+            message: `HTTP error: ${response.status}`,
+        };
+    }
+    const data = (await response.json());
+    // Check for error responses
+    if (data.error) {
+        switch (data.error) {
+            case "authorization_pending":
+                return { status: "pending" };
+            case "slow_down":
+                // GitHub requires adding 5 seconds to the interval
+                return { status: "slow_down", newInterval: 5 };
+            case "expired_token":
+                return { status: "expired" };
+            case "access_denied":
+                return { status: "access_denied" };
+            default:
+                return {
+                    status: "error",
+                    message: data.error_description || data.error,
+                };
+        }
+    }
+    // Success - we got the token
+    return {
+        status: "success",
+        token: data,
+    };
+}
+/**
+ * Helper to sleep for a given number of milliseconds
+ */
+export function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Poll for access token with automatic retry
+ * This handles the full polling loop until success, timeout, or error
+ */
+export async function pollUntilComplete(clientId, deviceCode, expiresIn, initialInterval, onPoll) {
+    const startTime = Date.now();
+    const expiresAt = startTime + expiresIn * 1000;
+    let interval = initialInterval;
+    let attempt = 0;
+    while (Date.now() < expiresAt) {
+        await sleep(interval * 1000);
+        attempt++;
+        if (onPoll) {
+            onPoll(attempt);
+        }
+        const result = await pollForAccessToken(clientId, deviceCode);
+        switch (result.status) {
+            case "success":
+                return { success: true, token: result.token };
+            case "pending":
+                // Continue polling
+                break;
+            case "slow_down":
+                interval += result.newInterval;
+                break;
+            case "expired":
+                return { success: false, reason: "expired" };
+            case "access_denied":
+                return { success: false, reason: "denied" };
+            case "error":
+                return { success: false, reason: "error", message: result.message };
+        }
+    }
+    return { success: false, reason: "expired" };
+}
+/**
+ * Open URL in the default browser
+ */
+export async function openBrowser(url) {
+    const { exec } = await import("child_process");
+    const { promisify } = await import("util");
+    const execAsync = promisify(exec);
+    // Determine the command based on the platform
+    const platform = process.platform;
+    let command;
+    if (platform === "darwin") {
+        command = `open "${url}"`;
+    }
+    else if (platform === "win32") {
+        command = `start "" "${url}"`;
+    }
+    else {
+        // Linux and others
+        command = `xdg-open "${url}"`;
+    }
+    await execAsync(command);
+}
+// ============================================================================
+// GitHub App Installation Management
+// ============================================================================
+const GITHUB_API_URL = "https://api.github.com";
+/**
+ * Get all GitHub App installations for the authenticated user
+ */
+export async function getUserInstallations(userToken) {
+    const response = await fetch(`${GITHUB_API_URL}/user/installations`, {
+        headers: {
+            Accept: "application/vnd.github+json",
+            Authorization: `Bearer ${userToken}`,
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Failed to get installations: ${response.status} - ${error}`);
+    }
+    const data = (await response.json());
+    return data.installations;
+}
+/**
+ * Get repositories accessible by a specific installation
+ */
+export async function getInstallationRepositories(userToken, installationId) {
+    const response = await fetch(`${GITHUB_API_URL}/user/installations/${installationId}/repositories`, {
+        headers: {
+            Accept: "application/vnd.github+json",
+            Authorization: `Bearer ${userToken}`,
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Failed to get installation repositories: ${response.status} - ${error}`);
+    }
+    const data = (await response.json());
+    return data.repositories;
+}
+/**
+ * Get an installation access token for API operations
+ */
+export async function getInstallationToken(userToken, installationId) {
+    const response = await fetch(`${GITHUB_API_URL}/user/installations/${installationId}/access_tokens`, {
+        method: "POST",
+        headers: {
+            Accept: "application/vnd.github+json",
+            Authorization: `Bearer ${userToken}`,
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Failed to get installation token: ${response.status} - ${error}`);
+    }
+    return (await response.json());
+}
+//# sourceMappingURL=oauth.js.map

package/dist/services/paths.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Platform-native paths for configuration, data, and cache storage.
+ *
+ * Uses env-paths to provide appropriate directories per platform:
+ * - macOS: ~/Library/Application Support/skilluse/, ~/Library/Caches/skilluse/
+ * - Linux: ~/.config/skilluse/, ~/.local/share/skilluse/, ~/.cache/skilluse/
+ * - Windows: %APPDATA%/skilluse/, %LOCALAPPDATA%/skilluse/
+ */
+/** Directory for user configuration (settings, preferences) */
+export declare const configPath: string;
+/** Directory for application data (installed skills, repos) */
+export declare const dataPath: string;
+/** Directory for cached data (temporary files) */
+export declare const cachePath: string;
+/** Directory for log files */
+export declare const logPath: string;
+/** Directory for temporary files */
+export declare const tempPath: string;
+//# sourceMappingURL=paths.d.ts.map

package/dist/services/paths.js

@@ -0,0 +1,21 @@
+/**
+ * Platform-native paths for configuration, data, and cache storage.
+ *
+ * Uses env-paths to provide appropriate directories per platform:
+ * - macOS: ~/Library/Application Support/skilluse/, ~/Library/Caches/skilluse/
+ * - Linux: ~/.config/skilluse/, ~/.local/share/skilluse/, ~/.cache/skilluse/
+ * - Windows: %APPDATA%/skilluse/, %LOCALAPPDATA%/skilluse/
+ */
+import envPaths from "env-paths";
+const paths = envPaths("skilluse", { suffix: "" });
+/** Directory for user configuration (settings, preferences) */
+export const configPath = paths.config;
+/** Directory for application data (installed skills, repos) */
+export const dataPath = paths.data;
+/** Directory for cached data (temporary files) */
+export const cachePath = paths.cache;
+/** Directory for log files */
+export const logPath = paths.log;
+/** Directory for temporary files */
+export const tempPath = paths.temp;
+//# sourceMappingURL=paths.js.map