sub-bridge 1.0.0

package/src/auth/provider.ts

@@ -0,0 +1,412 @@
+import crypto from 'crypto'
+import { execFile } from 'node:child_process'
+import { promisify } from 'node:util'
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface AuthSession {
+  authUrl: string
+  userCode?: string  // For device flow (OpenAI)
+  interval?: number // Polling interval in seconds (OpenAI)
+  sessionId: string
+  expiresAt: number
+}
+
+export interface TokenResult {
+  accessToken: string
+  refreshToken?: string
+  expiresIn?: number
+  accountId?: string
+  email?: string
+}
+
+export interface AuthProvider {
+  id: string
+  name: string
+  startAuth(): Promise<AuthSession>
+  completeAuth(input: string, sessionId: string): Promise<TokenResult>
+}
+
+// ============================================================================
+// Claude Provider - OAuth + PKCE
+// ============================================================================
+
+const CLAUDE_CLIENT_ID =
+  process.env.ANTHROPIC_OAUTH_CLIENT_ID || '9d1c250a-e61b-44d9-88ed-5944d1962f5e'
+const CLAUDE_REDIRECT_URI = 'https://console.anthropic.com/oauth/code/callback'
+const CLAUDE_TOKEN_URL = 'https://console.anthropic.com/v1/oauth/token'
+
+export class ClaudeProvider implements AuthProvider {
+  id = 'claude'
+  name = 'Claude'
+
+  async startAuth(): Promise<AuthSession> {
+    const verifier = crypto.randomBytes(32).toString('base64url')
+    const challenge = crypto.createHash('sha256').update(verifier).digest('base64url')
+
+    const authUrl = new URL('https://claude.ai/oauth/authorize')
+    authUrl.searchParams.set('code', 'true')
+    authUrl.searchParams.set('client_id', CLAUDE_CLIENT_ID)
+    authUrl.searchParams.set('response_type', 'code')
+    authUrl.searchParams.set('redirect_uri', CLAUDE_REDIRECT_URI)
+    authUrl.searchParams.set('scope', 'org:create_api_key user:profile user:inference')
+    authUrl.searchParams.set('code_challenge', challenge)
+    authUrl.searchParams.set('code_challenge_method', 'S256')
+    authUrl.searchParams.set('state', verifier)
+
+    return {
+      authUrl: authUrl.toString(),
+      sessionId: verifier,
+      expiresAt: Date.now() + 15 * 60 * 1000,
+    }
+  }
+
+  async completeAuth(codeInput: string, sessionId: string): Promise<TokenResult> {
+    // Parse CODE#STATE format
+    const parts = codeInput.trim().split('#')
+    const code = parts[0]
+    const state = parts[1] || sessionId
+
+    const response = await fetch(CLAUDE_TOKEN_URL, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        code,
+        state,
+        grant_type: 'authorization_code',
+        client_id: CLAUDE_CLIENT_ID,
+        redirect_uri: CLAUDE_REDIRECT_URI,
+        code_verifier: sessionId,
+      }),
+    })
+
+    if (!response.ok) {
+      const error = await response.text()
+      throw new Error(`Claude token exchange failed: ${error}`)
+    }
+
+    const data = (await response.json()) as {
+      access_token: string
+      refresh_token: string
+      expires_in: number
+      account?: {
+        uuid: string
+        email_address: string
+      }
+      organization?: {
+        uuid: string
+        name: string
+      }
+    }
+
+    return {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in,
+      email: data.account?.email_address,
+    }
+  }
+}
+
+export async function refreshClaudeToken(refreshToken: string): Promise<TokenResult> {
+  const response = await fetch(CLAUDE_TOKEN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      grant_type: 'refresh_token',
+      client_id: CLAUDE_CLIENT_ID,
+      refresh_token: refreshToken,
+    }),
+  })
+
+  if (!response.ok) {
+    const error = await response.text()
+    throw new Error(`Claude token refresh failed: ${error}`)
+  }
+
+  const data = (await response.json()) as {
+    access_token: string
+    refresh_token?: string
+    expires_in?: number
+  }
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    expiresIn: data.expires_in,
+  }
+}
+
+// ============================================================================
+// OpenAI Provider - Device Code Flow
+// ============================================================================
+
+const OPENAI_CLIENT_ID = 'app_EMoamEEZ73f0CkXaXp7hrann'
+const OPENAI_AUTH_BASE_URL = 'https://auth.openai.com'
+const OPENAI_DEVICE_AUTH_BASE_URL = `${OPENAI_AUTH_BASE_URL}/api/accounts`
+const OPENAI_DEVICE_CODE_URL = `${OPENAI_DEVICE_AUTH_BASE_URL}/deviceauth/usercode`
+const OPENAI_DEVICE_POLL_URL = `${OPENAI_DEVICE_AUTH_BASE_URL}/deviceauth/token`
+const OPENAI_DEVICE_REDIRECT_URI = `${OPENAI_AUTH_BASE_URL}/deviceauth/callback`
+const OPENAI_TOKEN_URL = `${OPENAI_AUTH_BASE_URL}/oauth/token`
+const OPENAI_USER_AUTH_URL = `${OPENAI_AUTH_BASE_URL}/codex/device`
+const OPENAI_OAUTH_SCOPE = process.env.OPENAI_OAUTH_SCOPE || 'model.request'
+const OPENAI_DEVICE_HEADERS = {
+  'Content-Type': 'application/json',
+  'User-Agent': 'reqwest/0.12.24',
+}
+const OPENAI_TOKEN_HEADERS = {
+  'Content-Type': 'application/x-www-form-urlencoded',
+  'User-Agent': 'reqwest/0.12.24',
+}
+
+function parseJwtPayload(token: string): Record<string, unknown> | null {
+  const parts = token.split('.')
+  if (parts.length < 2) return null
+  const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/')
+  const padded = payload + '='.repeat((4 - (payload.length % 4)) % 4)
+  try {
+    const decoded = Buffer.from(padded, 'base64').toString('utf8')
+    return JSON.parse(decoded) as Record<string, unknown>
+  } catch {
+    return null
+  }
+}
+
+function extractChatGptAccountId(idToken: string | undefined, accessToken?: string): string | undefined {
+  const tokens = [idToken, accessToken].filter((value): value is string => Boolean(value))
+  for (const token of tokens) {
+    const payload = parseJwtPayload(token)
+    if (!payload) continue
+    const direct = payload?.chatgpt_account_id
+    if (typeof direct === 'string' && direct.trim()) return direct
+    const authClaim = payload?.['https://api.openai.com/auth']
+    const nested = (authClaim as Record<string, unknown> | undefined)?.chatgpt_account_id
+    if (typeof nested === 'string' && nested.trim()) return nested
+  }
+  return undefined
+}
+
+function extractEmailFromIdToken(idToken: string | undefined): string | undefined {
+  if (!idToken) return undefined
+  const payload = parseJwtPayload(idToken)
+  if (!payload) return undefined
+  const email = payload?.email
+  if (typeof email === 'string' && email.trim()) return email
+  return undefined
+}
+
+const execFileAsync = promisify(execFile)
+
+type HttpResult = {
+  status: number
+  ok: boolean
+  text: string
+}
+
+function parseCurlResult(stdout: string): HttpResult {
+  const marker = '\n__STATUS__:'
+  const idx = stdout.lastIndexOf(marker)
+  if (idx === -1) {
+    return { status: 0, ok: false, text: stdout }
+  }
+  const body = stdout.slice(0, idx)
+  const statusText = stdout.slice(idx + marker.length).trim()
+  const status = parseInt(statusText, 10)
+  return { status, ok: status >= 200 && status < 300, text: body }
+}
+
+async function curlPost(url: string, contentType: string, body: string): Promise<HttpResult> {
+  const args = [
+    '-sS',
+    '-X',
+    'POST',
+    url,
+    '-H',
+    `Content-Type: ${contentType}`,
+    '-H',
+    'User-Agent: reqwest/0.12.24',
+    '-d',
+    body,
+    '-w',
+    '\n__STATUS__:%{http_code}',
+  ]
+  const { stdout } = await execFileAsync('curl', args, { maxBuffer: 5 * 1024 * 1024 })
+  return parseCurlResult(stdout)
+}
+
+async function postWithFallback(
+  url: string,
+  headers: Record<string, string>,
+  body: string,
+  contentType: string,
+): Promise<HttpResult> {
+  const response = await fetch(url, { method: 'POST', headers, body })
+  const text = await response.text()
+  if (response.ok) {
+    return { status: response.status, ok: true, text }
+  }
+  if (text.includes('cdn-cgi/challenge-platform')) {
+    try {
+      return await curlPost(url, contentType, body)
+    } catch {
+      return { status: response.status, ok: false, text }
+    }
+  }
+  return { status: response.status, ok: false, text }
+}
+
+function normalizeOpenAIError(status: number, body: string) {
+  const trimmed = body.trim()
+  if (!trimmed) return `HTTP ${status}`
+  if (trimmed.startsWith('<') || trimmed.includes('cdn-cgi/challenge-platform')) {
+    return `OpenAI auth endpoint returned a Cloudflare challenge (HTTP ${status}).`
+  }
+  return trimmed
+}
+
+interface DeviceCodeResponse {
+  device_auth_id: string
+  user_code: string
+  interval: number | string
+}
+
+interface DevicePollResponse {
+  authorization_code: string
+  code_challenge: string
+  code_verifier: string
+}
+
+// Store active device sessions for polling
+const deviceSessions = new Map<
+  string,
+  {
+    deviceAuthId: string
+    userCode: string
+    interval: number
+    createdAt: number
+  }
+>()
+
+export class OpenAIProvider implements AuthProvider {
+  id = 'openai'
+  name = 'ChatGPT'
+
+  getAuthUrl(): string {
+    return OPENAI_USER_AUTH_URL
+  }
+
+  async startAuth(): Promise<AuthSession> {
+    const body = JSON.stringify({ client_id: OPENAI_CLIENT_ID, scope: OPENAI_OAUTH_SCOPE })
+    const response = await postWithFallback(
+      OPENAI_DEVICE_CODE_URL,
+      OPENAI_DEVICE_HEADERS,
+      body,
+      'application/json',
+    )
+
+    if (!response.ok) {
+      throw new Error(`Failed to get device code: ${normalizeOpenAIError(response.status, response.text)}`)
+    }
+
+    const data = JSON.parse(response.text) as DeviceCodeResponse
+    const sessionId = data.device_auth_id
+    const interval = typeof data.interval === 'string' ? parseInt(data.interval, 10) : data.interval
+    const safeInterval = Number.isFinite(interval) && interval > 0 ? interval : 5
+
+    // Store session for polling
+    deviceSessions.set(sessionId, {
+      deviceAuthId: data.device_auth_id,
+      userCode: data.user_code,
+      interval: safeInterval,
+      createdAt: Date.now(),
+    })
+
+    return {
+      authUrl: OPENAI_USER_AUTH_URL,
+      userCode: data.user_code,
+      interval: safeInterval,
+      sessionId,
+      expiresAt: Date.now() + 15 * 60 * 1000,
+    }
+  }
+
+  async completeAuth(_input: string, sessionId: string): Promise<TokenResult> {
+    const session = deviceSessions.get(sessionId)
+    if (!session) {
+      throw new Error('Session not found or expired')
+    }
+
+    // Poll for authorization
+    const pollBody = JSON.stringify({
+      device_auth_id: session.deviceAuthId,
+      user_code: session.userCode,
+    })
+    const pollResponse = await postWithFallback(
+      OPENAI_DEVICE_POLL_URL,
+      OPENAI_DEVICE_HEADERS,
+      pollBody,
+      'application/json',
+    )
+
+    if (!pollResponse.ok) {
+      if (pollResponse.status === 403 || pollResponse.status === 404 || pollResponse.status === 429) {
+        throw new Error('PENDING') // User hasn't authorized yet
+      }
+      throw new Error(`Poll failed: ${normalizeOpenAIError(pollResponse.status, pollResponse.text)}`)
+    }
+
+    const pollData = JSON.parse(pollResponse.text) as DevicePollResponse
+
+    // Exchange authorization code for tokens
+    const tokenBody = new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: OPENAI_CLIENT_ID,
+      code: pollData.authorization_code,
+      code_verifier: pollData.code_verifier,
+      redirect_uri: OPENAI_DEVICE_REDIRECT_URI,
+      scope: OPENAI_OAUTH_SCOPE,
+    }).toString()
+    const tokenResponse = await postWithFallback(
+      OPENAI_TOKEN_URL,
+      OPENAI_TOKEN_HEADERS,
+      tokenBody,
+      'application/x-www-form-urlencoded',
+    )
+
+    if (!tokenResponse.ok) {
+      throw new Error(`Token exchange failed: ${normalizeOpenAIError(tokenResponse.status, tokenResponse.text)}`)
+    }
+
+    const tokenData = JSON.parse(tokenResponse.text) as {
+      access_token: string
+      refresh_token: string
+      id_token: string
+      expires_in: number
+    }
+
+    const accountId = extractChatGptAccountId(tokenData.id_token, tokenData.access_token)
+    const email = extractEmailFromIdToken(tokenData.id_token)
+
+    // Clean up session
+    deviceSessions.delete(sessionId)
+
+    return {
+      accessToken: tokenData.access_token,
+      refreshToken: tokenData.refresh_token,
+      expiresIn: tokenData.expires_in,
+      accountId,
+      email,
+    }
+  }
+
+  // Get session info for polling UI
+  getSession(sessionId: string) {
+    return deviceSessions.get(sessionId)
+  }
+}
+
+// Export singleton instances
+export const claudeProvider = new ClaudeProvider()
+export const openaiProvider = new OpenAIProvider()

package/src/cli.ts

@@ -0,0 +1,97 @@
+#!/usr/bin/env node
+/**
+ * Sub Bridge CLI
+ *
+ * Main entry point that can run in different modes:
+ * - Default: Starts HTTP server + MCP server (original behavior)
+ * - --server-only: Just HTTP server
+ * - --mcp-only: Just MCP proxy (discovers/starts HTTP server)
+ *
+ * For development, use the separate entry points:
+ * - npm run dev:server - HTTP server with hot reload
+ * - npm run dev:mcp - MCP proxy (connects to existing server or starts inline)
+ */
+import { program } from 'commander'
+import chalk from 'chalk'
+import { startServer, type ServerConfig } from './server'
+import { findPort } from './utils/port'
+import { startMcpServer } from './mcp/proxy'
+import { addSharedOptions } from './utils/cli-args'
+
+const log = (...args: Parameters<typeof console.error>) => console.error(...args)
+
+async function main() {
+  const prog = program
+    .name('sub-bridge')
+    .description('MCP bridge for ChatGPT Pro, Claude Max, etc. in Cursor')
+  
+  addSharedOptions(prog)
+    .option('--server-only', 'Run HTTP server only (no MCP)')
+    .option('--mcp-only', 'Run MCP proxy only (discovers existing server)')
+    .parse()
+
+  const opts = program.opts()
+
+  const config: ServerConfig = {
+    port: opts.port ? parseInt(opts.port, 10) : undefined,
+    tunnelUrl: opts.tunnel,
+    verbose: opts.verbose || false,
+  }
+
+  // MCP-only mode: just run the thin proxy
+  if (opts.mcpOnly) {
+    const discovery = await findPort(config.port)
+
+    if (discovery.hasServer) {
+      log(`[sub-bridge] Found existing HTTP server on port ${discovery.port}`)
+      await startMcpServer(discovery.port, log)
+    } else {
+      log(`[sub-bridge] No HTTP server found, starting inline on port ${discovery.port}`)
+      const server = await startServer({ ...config, port: discovery.port })
+      await startMcpServer(server.port, log)
+    }
+    return
+  }
+
+  // Server-only mode: just run the HTTP server
+  if (opts.serverOnly) {
+    await startServer(config)
+    log(chalk.dim('  Press Ctrl+C to stop'))
+    return
+  }
+
+  // Default mode: start HTTP server + MCP (original behavior)
+  const server = await startServer(config)
+
+  printSetupInstructions(server.publicUrl)
+
+  await startMcpServer(server.port, log)
+}
+
+function printSetupInstructions(publicUrl: string) {
+  log()
+  log(chalk.bold.yellow('  Setup in Cursor:'))
+  log(chalk.dim('  ─────────────────────────────────────'))
+  log()
+  log(chalk.dim('  1. Command Palette (Cmd+Shift+P / Ctrl+Shift+P)'))
+  log(chalk.dim('  2. Search "Cursor Settings" → Open'))
+  log(chalk.dim('  3. Navigate: Models → API Keys (expand)'))
+  log(chalk.dim('  4. Enable "OpenAI API Key" toggle'))
+  log(chalk.dim('  5. Set API key with routing:'))
+  log(chalk.dim('     '), chalk.cyan('o3=opus-4.5,o3-mini=sonnet-4.5:sk-ant-xxx'))
+  log(chalk.dim('  6. Enable "Override OpenAI Base URL" toggle'))
+  log(chalk.dim('  7. Set Base URL:'), chalk.cyan.bold(`${publicUrl}/v1`))
+  log()
+  log(chalk.dim('  Getting API keys:'))
+  log(chalk.dim('    • Open'), chalk.cyan(publicUrl), chalk.dim('in your external browser and click Login buttons'))
+  log(chalk.dim('    • Or use Claude Code CLI:'), chalk.cyan('claude setup-token'))
+  log(chalk.dim('    • Or use Codex CLI:'), chalk.cyan('codex login'))
+  log()
+  log(chalk.dim('  Use MCP tool: "get_status" to get URL anytime'))
+  log()
+}
+
+main().catch((error) => {
+  log('[sub-bridge] Fatal error:', error)
+  process.exit(1)
+})

package/src/mcp/proxy.ts

@@ -0,0 +1,64 @@
+/**
+ * Shared MCP proxy functionality
+ */
+import { buildStatusText } from '../utils/setup-instructions'
+
+export interface McpToolResult {
+  [x: string]: unknown
+  content: Array<{ type: 'text'; text: string }>
+}
+
+/**
+ * Call a tool on the HTTP server
+ */
+export async function callTool(port: number, name: string, args: Record<string, unknown> = {}): Promise<McpToolResult> {
+  const localUrl = `http://localhost:${port}`
+
+  try {
+    const response = await fetch(`${localUrl}/mcp/tools/${name}`, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({ arguments: args }),
+    })
+
+    if (!response.ok) {
+      const error = await response.text()
+      return {
+        content: [{ type: 'text' as const, text: `Error calling tool ${name}: ${error}` }],
+      }
+    }
+
+    return response.json() as Promise<McpToolResult>
+  } catch {
+    // Server not reachable - return helpful setup instructions
+    return {
+      content: [{ type: 'text' as const, text: buildStatusText({ mode: 'proxy', baseUrl: localUrl }) }],
+    }
+  }
+}
+
+/**
+ * Start MCP server and register tools that forward to HTTP server
+ */
+export async function startMcpServer(serverPort: number, log: (...args: any[]) => void) {
+  const { McpServer } = await import('@modelcontextprotocol/sdk/server/mcp.js')
+  const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js')
+
+  const server = new McpServer({
+    name: 'Sub Bridge',
+    version: '2.1.0',
+  })
+
+  // Register tools that forward to HTTP server
+  server.tool(
+    'get_status',
+    'Get Sub Bridge status and login URL for Claude/ChatGPT authentication',
+    {},
+    async () => callTool(serverPort, 'get_status'),
+  )
+
+  // Start MCP transport
+  const transport = new StdioServerTransport()
+  await server.connect(transport)
+  log('[mcp] MCP server started, connected to HTTP server on port', serverPort)
+}

package/src/mcp.ts

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+/**
+ * Thin MCP Proxy Entry Point
+ *
+ * This is the entry point for Cursor's MCP integration.
+ * It discovers or starts an HTTP server and forwards tool calls to it.
+ *
+ * Dev mode: Developer runs HTTP server separately with `tsx watch src/server.ts`
+ * Production: MCP proxy starts HTTP server inline if not found
+ */
+import { program } from 'commander'
+import { findPort } from './utils/port'
+import { startServer, type ServerConfig } from './server'
+import { startMcpServer } from './mcp/proxy'
+import { addSharedOptions } from './utils/cli-args'
+
+const log = (...args: Parameters<typeof console.error>) => console.error(...args)
+
+async function main() {
+  // Parse CLI arguments
+  addSharedOptions(program).parse()
+  const opts = program.opts()
+
+  const cliPort = opts.port ? parseInt(opts.port, 10) : undefined
+  const tunnelUrl = opts.tunnel || process.env.TUNNEL_URL
+  const verbose = opts.verbose || process.env.VERBOSE === 'true'
+
+  // Discover existing server or find a free port
+  const discovery = await findPort(cliPort)
+
+  let serverPort = discovery.port
+
+  if (discovery.hasServer) {
+    log(`[mcp] Found existing HTTP server on port ${serverPort}`)
+  } else {
+    log(`[mcp] No HTTP server found, starting inline on port ${serverPort}`)
+
+    // Start HTTP server inline (production mode)
+    const config: ServerConfig = {
+      port: serverPort,
+      tunnelUrl,
+      verbose,
+    }
+
+    const server = await startServer(config)
+    serverPort = server.port
+    log(`[mcp] HTTP server started on port ${serverPort}`)
+  }
+
+  await startMcpServer(serverPort, log)
+}
+
+main().catch((error) => {
+  log('[mcp] Fatal error:', error)
+  process.exit(1)
+})