ttsd-colabcli 1.0.0

package/cli.js

@@ -0,0 +1,148 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+const { spawn, execSync } = require('child_process');
+
+const CMD = process.argv[2] || 'status';
+const ENV_PATH = path.join(__dirname, '.env');
+const CORE_DIR = path.join(__dirname, 'core');
+const PID_FILE = path.join(__dirname, '.daemon.pid');
+
+async function promptConfig() {
+  const inquirer = require('inquirer');
+  console.log('=====================================');
+  console.log('  SATELLITE NODE INITIAL SETUP');
+  console.log('=====================================\n');
+  const answers = await inquirer.prompt([
+    {
+      type: 'input',
+      name: 'masterUrl',
+      message: 'Enter MASTER_URL (e.g., http://api.yourdomain.com):',
+      validate: input => input ? true : 'Required!'
+    },
+    {
+      type: 'input',
+      name: 'nodeApiKey',
+      message: 'Enter NODE_API_KEY (e.g., satellite-secret-key-123):',
+      validate: input => input ? true : 'Required!'
+    }
+  ]);
+
+  const envContent = `MASTER_URL=${answers.masterUrl}\nNODE_API_KEY=${answers.nodeApiKey}\n`;
+  fs.writeFileSync(ENV_PATH, envContent);
+  console.log('Configuration saved to .env file.\n');
+}
+
+function setupPythonEnv() {
+  const venvDir = path.join(CORE_DIR, 'venv');
+  if (!fs.existsSync(venvDir)) {
+    console.log('Creating Python virtual environment...');
+    try {
+      execSync(`python3 -m venv "${venvDir}"`, { stdio: 'inherit' });
+    } catch (e) {
+      console.log('python3 not found, trying python...');
+      execSync(`python -m venv "${venvDir}"`, { stdio: 'inherit' });
+    }
+  }
+
+  console.log('Installing dependencies...');
+  const pip = process.platform === 'win32' 
+    ? path.join(venvDir, 'Scripts', 'pip')
+    : path.join(venvDir, 'bin', 'pip');
+  execSync(`"${pip}" install -r "${path.join(CORE_DIR, 'requirements.txt')}" -q`, { stdio: 'inherit' });
+}
+
+async function start() {
+  if (fs.existsSync(PID_FILE)) {
+    const oldPid = fs.readFileSync(PID_FILE, 'utf8').trim();
+    try {
+      process.kill(parseInt(oldPid), 0);
+      console.log(`Daemon is already running with PID ${oldPid}.`);
+      return;
+    } catch (e) {
+      // Process not running, clean up PID file
+      fs.unlinkSync(PID_FILE);
+    }
+  }
+
+  if (!fs.existsSync(ENV_PATH)) {
+    await promptConfig();
+  }
+
+  setupPythonEnv();
+
+  console.log('Starting Satellite Daemon in background...');
+  
+  const pythonBin = process.platform === 'win32'
+    ? path.join(CORE_DIR, 'venv', 'Scripts', 'python')
+    : path.join(CORE_DIR, 'venv', 'bin', 'python');
+
+  // Copy .env to core dir so daemon.py can load it
+  fs.copyFileSync(ENV_PATH, path.join(CORE_DIR, '.env'));
+
+  const out = fs.openSync(path.join(__dirname, 'daemon.log'), 'a');
+  const err = fs.openSync(path.join(__dirname, 'daemon.error.log'), 'a');
+
+  const child = spawn(pythonBin, ['daemon.py'], {
+    cwd: CORE_DIR,
+    detached: true,
+    stdio: ['ignore', out, err]
+  });
+
+  child.unref();
+
+  fs.writeFileSync(PID_FILE, child.pid.toString());
+  console.log(`Daemon started successfully (PID: ${child.pid}).`);
+  console.log('You can now close this terminal. The node will keep running in the background.');
+  console.log('Run "colabcli status" to check its status or "colabcli stop" to stop it.');
+}
+
+function stop() {
+  if (!fs.existsSync(PID_FILE)) {
+    console.log('No daemon is currently running.');
+    return;
+  }
+
+  const pid = fs.readFileSync(PID_FILE, 'utf8').trim();
+  try {
+    process.kill(parseInt(pid), 'SIGTERM');
+    console.log(`Daemon (PID ${pid}) stopped successfully.`);
+  } catch (e) {
+    console.log(`Could not stop process ${pid}. It might have already stopped.`);
+  }
+  
+  fs.unlinkSync(PID_FILE);
+}
+
+function status() {
+  if (!fs.existsSync(PID_FILE)) {
+    console.log('Satellite Daemon is NOT running.');
+    return;
+  }
+
+  const pid = fs.readFileSync(PID_FILE, 'utf8').trim();
+  try {
+    process.kill(parseInt(pid), 0);
+    console.log(`Satellite Daemon is RUNNING (PID ${pid}).`);
+  } catch (e) {
+    console.log('Satellite Daemon is NOT running (stale PID file found).');
+    fs.unlinkSync(PID_FILE);
+  }
+}
+
+async function main() {
+  if (CMD === 'start') {
+    await start();
+  } else if (CMD === 'stop') {
+    stop();
+  } else if (CMD === 'status') {
+    status();
+  } else {
+    console.log('Usage: colabcli <start|stop|status>');
+  }
+}
+
+main().catch(err => {
+  console.error('Error:', err);
+});

package/core/app/colab_cli/auth.py

@@ -0,0 +1,278 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import enum
+import json
+import logging
+from importlib import resources
+import os
+import sys
+import warnings
+from typing import Optional
+
+import google.auth
+import typer
+from google.auth.transport import requests
+from google.auth.transport.requests import Request
+from google.oauth2.credentials import Credentials
+from google_auth_oauthlib.flow import InstalledAppFlow
+
+logger = logging.getLogger(__name__)
+
+# Set by worker to skip interactive OAuth prompt
+_DISABLE_INTERACTIVE_AUTH = False
+
+
+class AuthProvider(str, enum.Enum):
+    """Authentication strategy for talking to the Colab backend.
+
+    Values are the lowercase strings accepted by the global ``--auth`` flag.
+    """
+
+    OAUTH2 = "oauth2"
+    ADC = "adc"
+
+
+# Standard Scopes for Colab and Drive (Public Auth)
+PUBLIC_SCOPES = [
+    "openid",
+    "https://www.googleapis.com/auth/userinfo.profile",
+    "https://www.googleapis.com/auth/userinfo.email",
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/colaboratory",
+    "https://www.googleapis.com/auth/drive.file",
+]
+
+
+TOKEN_CONFIG_PATH = os.getenv("COLAB_CLI_TOKEN_PATH") or os.path.expanduser("~/.config/colab-cli/token.json")
+
+# Remote copy-paste OAuth flow.
+#
+# We deliberately do NOT use a localhost redirect (`run_local_server`) or the
+# out-of-band (OOB) redirect `urn:ietf:wg:oauth:2.0:oob`. OOB was blocked by
+# Google in 2022 ("The out-of-band (OOB) flow has been blocked in order to
+# keep users secure") and a localhost server is environment-dependent (fails
+# on headless/remote/container hosts, requires an auto-openable browser, etc.).
+#
+# Instead we use the same mechanism `gcloud auth application-default login`
+# uses: a real registered HTTPS landing page that displays the authorization
+# code for the user to copy & paste, combined with the `token_usage=remote`
+# consent parameter. This works identically in local and remote environments.
+#
+# The landing page below is registered to Google's cloud-SDK OAuth client
+# (`764086051850-...`), which is also the client shipped in
+# `colab_cli/oauth_config.json`; reusing another client id with this redirect
+# yields `redirect_uri_mismatch`.
+REMOTE_REDIRECT_URI = "https://sdk.cloud.google.com/applicationdefaultauthcode.html"
+
+
+def _run_remote_flow(client_config: dict) -> Credentials:
+    """Run the remote copy-paste OAuth2 flow.
+
+    Interactive prompt when a TTY is available. No TTY → raises error.
+    Pre-configure tokens via `refresh_tokens.py` to avoid this flow.
+    """
+    flow = InstalledAppFlow.from_client_config(client_config, PUBLIC_SCOPES)
+    flow.redirect_uri = REMOTE_REDIRECT_URI
+    auth_url, _ = flow.authorization_url(prompt="consent", token_usage="remote")
+
+    if _DISABLE_INTERACTIVE_AUTH or not sys.stdin.isatty():
+        raise RuntimeError(
+            f"No saved token and interactive auth disabled. "
+            f"Run `refresh_tokens.py` first, or open URL manually: {auth_url}"
+        )
+
+    typer.echo("\nTo authorize colab-cli, visit this URL in any browser:\n", err=True)
+    typer.echo("  " + auth_url + "\n", err=True)
+    typer.echo("After approving, Google will display an authorization code.", err=True)
+    try:
+        code = input("Enter the authorization code: ").strip()
+    except (EOFError, OSError) as e:
+        raise RuntimeError(f"Interactive input failed: {e}")
+
+    if not code:
+        raise RuntimeError("No authorization code provided.")
+
+    flow.fetch_token(code=code)
+    return flow.credentials
+
+
+def _get_google_auth_credentials(config_path: str) -> Credentials:
+    """
+    Retrieves credentials using standard public OAuth2 flow.
+    """
+    client_config = None
+    if os.path.exists(config_path):
+        with open(config_path, "r") as f:
+            client_config = json.load(f)
+    else:
+        # Try inlined config — check multiple possible package paths
+        for pkg in ("colab_cli", "app.colab_cli"):
+            try:
+                config_resource = resources.files(pkg).joinpath("oauth_config.json")
+                if config_resource.is_file():
+                    client_config = json.loads(config_resource.read_text())
+                    break
+            except (Exception, ModuleNotFoundError):
+                continue
+        # Fallback: direct file path
+        if not client_config:
+            bundled = os.path.join(os.path.dirname(__file__), "oauth_config.json")
+            if os.path.exists(bundled):
+                with open(bundled) as f:
+                    client_config = json.load(f)
+
+    if not client_config:
+        raise FileNotFoundError(
+            f"Client OAuth config not found at {config_path} and no inlined config available. "
+            "Please provide a valid path via -c/--client-oauth-config."
+        )
+
+    creds = None
+
+    # Ensure config directory exists for the token file
+    os.makedirs(os.path.dirname(TOKEN_CONFIG_PATH), exist_ok=True)
+
+    if os.path.exists(TOKEN_CONFIG_PATH):
+        try:
+            creds = Credentials.from_authorized_user_file(
+                TOKEN_CONFIG_PATH, PUBLIC_SCOPES
+            )
+        except Exception as e:
+            logger.warning(f"Failed to load token from {TOKEN_CONFIG_PATH}: {e}")
+
+    if not creds or not creds.valid:
+        if creds and creds.expired and creds.refresh_token:
+            try:
+                creds.refresh(Request())
+            except Exception as e:
+                logger.warning(f"Failed to refresh token: {e}")
+                creds = None
+
+        if not creds:
+            creds = _run_remote_flow(client_config)
+
+        # Save the credentials for the next run
+        try:
+            with open(TOKEN_CONFIG_PATH, "w") as token_file:
+                token_file.write(creds.to_json())
+        except Exception as e:
+            logger.error(f"Failed to save token to {TOKEN_CONFIG_PATH}: {e}")
+
+    return creds
+
+
+def _get_adc_credentials() -> Credentials:
+    """Retrieves credentials using Google Application Default Credentials.
+
+    Honors the standard ADC discovery chain (``GOOGLE_APPLICATION_CREDENTIALS``,
+    ``gcloud auth application-default login``, GCE/GKE metadata server, etc.).
+
+    The RuntimeService at colab.pa.googleapis.com requires the
+    `colaboratory` scope (otherwise keep-alive returns 403 SCOPE_NOT_PERMITTED).
+    Most ADC credential types (service accounts, GCE/GKE, impersonated)
+    support `with_scopes`; user credentials minted by
+    `gcloud auth application-default login` do not. For the latter, the user
+    must re-run `gcloud auth application-default login` with
+    `--scopes=openid,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/colaboratory`
+    (`openid` and `cloud-platform` are required by `gcloud` itself; `userinfo.email`
+    is required by the session backend; `colaboratory` is required by this RPC).
+    """
+    # `google.auth._default` emits a UserWarning when ADC user credentials
+    # don't have a quota project pinned ("Your application has authenticated
+    # using end user credentials from Google Cloud SDK without a quota
+    # project. You might receive a 'quota exceeded' or 'API not enabled'
+    # error.").
+    #
+    # That heuristic does not apply to this CLI: every call we make to
+    # `colab.pa.googleapis.com` carries `X-Goog-User-Project: 1014160490159`
+    # (Colab's project id) — see AGENTS.md item 18 — so the user's
+    # quota-project setting is irrelevant. The warning shows up on every
+    # single `colab` invocation under ADC, which is pure noise. Filter it,
+    # but keep the scope as tight as possible: only this exact message,
+    # only during this one call.
+    with warnings.catch_warnings():
+        warnings.filterwarnings(
+            "ignore",
+            message=r"Your application has authenticated using end user credentials.*",
+            category=UserWarning,
+        )
+        creds, _ = google.auth.default(scopes=list(PUBLIC_SCOPES))
+
+    if not creds.valid:
+        from google.auth import compute_engine
+
+        if isinstance(creds, compute_engine.Credentials):
+            creds = None
+        else:
+            logger.warning("Failed to obtain valid ADC credentials.")
+            try:
+                logger.warning("Trying to refresh ADC credentials")
+                creds.refresh(Request())
+            except Exception as e:
+                logger.warning(f"Failed to refresh token: {e}")
+                creds = None
+
+    if not creds:
+        raise RuntimeError(
+            "No valid ADC credentials found. "
+            "Set GOOGLE_APPLICATION_CREDENTIALS or run:\n"
+            "  gcloud auth application-default login \\\n"
+            "      --scopes=openid,"
+            "https://www.googleapis.com/auth/cloud-platform,"
+            "https://www.googleapis.com/auth/userinfo.email,"
+            "https://www.googleapis.com/auth/colaboratory"
+        )
+
+    # Some credential subclasses ignore the `scopes=` kwarg in `default()`
+    # (e.g. user creds), so re-apply via `with_scopes` when supported.
+    if getattr(creds, "requires_scopes", False):
+        try:
+            creds = creds.with_scopes(list(PUBLIC_SCOPES))
+        except Exception as e:  # NotImplementedError for non-scopable creds.
+            logger.debug(f"Could not augment ADC scopes via with_scopes: {e}")
+    return creds
+
+
+def get_credentials(
+    config_path: Optional[str] = None,
+    provider: AuthProvider = AuthProvider.OAUTH2,
+    token_path: Optional[str] = None,
+) -> requests.AuthorizedSession:
+    """Unified entry point for retrieving an authorized session.
+
+    Args:
+      config_path: Path to the OAuth2 client config JSON.
+      provider: Authentication strategy.
+      token_path: Path to the saved token JSON file. If provided, overrides
+        the global TOKEN_CONFIG_PATH for this call.
+    """
+    if provider == AuthProvider.OAUTH2:
+        if not config_path:
+            config_path = os.path.expanduser("~/.colab-cli-oauth-config.json")
+        if token_path:
+            orig_token_path = TOKEN_CONFIG_PATH
+            try:
+                globals()["TOKEN_CONFIG_PATH"] = token_path
+                creds = _get_google_auth_credentials(config_path)
+            finally:
+                globals()["TOKEN_CONFIG_PATH"] = orig_token_path
+        else:
+            creds = _get_google_auth_credentials(config_path)
+    elif provider == AuthProvider.ADC:
+        creds = _get_adc_credentials()
+    else:
+        raise ValueError(f"Unknown auth provider: {provider!r}")
+
+    return requests.AuthorizedSession(creds)