typeclaw 0.1.0

package/src/init/kakaotalk-auth.ts

@@ -0,0 +1,114 @@
+import { createRequire } from 'node:module'
+import { join } from 'node:path'
+
+import { KakaoCredentialManager } from 'agent-messenger/kakaotalk'
+
+export type KakaotalkBootstrapStatus = { ok: true } | { ok: false; reason: string }
+
+export type KakaotalkLoginCallbacks = {
+  onPasscode: (passcode: string) => void
+}
+
+export type KakaotalkLoginInput = {
+  email: string
+  password: string
+  agentDir: string
+  callbacks: KakaotalkLoginCallbacks
+  loginFlow?: LoginFlowFn
+}
+
+export type LoginFlowOptions = {
+  email: string
+  password: string
+  deviceType?: 'pc' | 'tablet'
+  force?: boolean
+  savedDeviceUuid?: string
+  onPasscodeDisplay?: (code: string) => void
+  debugLog?: (message: string) => void
+}
+
+export type LoginFlowCredentials = {
+  access_token: string
+  refresh_token: string
+  user_id: string
+  device_uuid: string
+  device_type: 'pc' | 'tablet'
+}
+
+export type LoginFlowResult = {
+  authenticated: boolean
+  next_action?: string
+  message?: string
+  warning?: string
+  error?: string
+  credentials?: LoginFlowCredentials
+}
+
+export type LoginFlowFn = (options: LoginFlowOptions) => Promise<LoginFlowResult>
+
+export function kakaotalkConfigDir(agentDir: string): string {
+  return join(agentDir, 'workspace', '.agent-messenger')
+}
+
+export async function runKakaotalkBootstrap(input: KakaotalkLoginInput): Promise<KakaotalkBootstrapStatus> {
+  const configDir = kakaotalkConfigDir(input.agentDir)
+  try {
+    const loginFlow = input.loginFlow ?? (await resolveLoginFlow())
+    const credManager = new KakaoCredentialManager(configDir)
+    const pending = await credManager.loadPendingLogin()
+    const existing = await credManager.getAccount()
+    const savedDeviceUuid =
+      pending?.device_uuid ?? (existing?.auth_method === 'login' ? existing.device_uuid : undefined)
+
+    const result = await loginFlow({
+      email: input.email,
+      password: input.password,
+      deviceType: 'tablet',
+      force: false,
+      ...(savedDeviceUuid !== undefined ? { savedDeviceUuid } : {}),
+      onPasscodeDisplay: input.callbacks.onPasscode,
+    })
+
+    if (!result.authenticated || !result.credentials) {
+      const reason = result.message ?? result.error ?? 'agent-kakaotalk did not authenticate (check email/password)'
+      return { ok: false, reason }
+    }
+
+    const now = new Date().toISOString()
+    const accountId = result.credentials.user_id || 'default'
+    await credManager.setAccount({
+      account_id: accountId,
+      oauth_token: result.credentials.access_token,
+      user_id: result.credentials.user_id,
+      refresh_token: result.credentials.refresh_token,
+      device_uuid: result.credentials.device_uuid,
+      device_type: result.credentials.device_type,
+      auth_method: 'login',
+      created_at: now,
+      updated_at: now,
+    })
+    await credManager.setCurrentAccount(accountId)
+    await credManager.clearPendingLogin()
+
+    return { ok: true }
+  } catch (err) {
+    return { ok: false, reason: err instanceof Error ? err.message : String(err) }
+  }
+}
+
+// agent-messenger does not export `loginFlow` from its public `exports` map
+// (only the runtime client + credential manager), so we resolve the package's
+// installed location and import the implementation file directly. This
+// bypasses the exports gate but stays within the same installed copy of the
+// package — no version drift risk. If a future agent-messenger release adds
+// `loginFlow` to its public exports, swap this for a normal import and delete
+// the resolveLoginFlow helper.
+async function resolveLoginFlow(): Promise<LoginFlowFn> {
+  const require = createRequire(import.meta.url)
+  const pkgJson = require.resolve('agent-messenger/package.json')
+  const pkgDir = pkgJson.replace(/\/package\.json$/, '')
+  const mod = (await import(`${pkgDir}/dist/src/platforms/kakaotalk/auth/kakao-login.js`)) as {
+    loginFlow: LoginFlowFn
+  }
+  return mod.loginFlow
+}

package/src/init/models-dev.ts

@@ -0,0 +1,130 @@
+import { KNOWN_PROVIDERS, type KnownModelRef, type KnownProviderId, listKnownModelRefs } from '@/config/providers'
+
+const MODELS_DEV_URL = 'https://models.dev/api.json'
+const REQUEST_TIMEOUT_MS = 10_000
+
+// models.dev keys providers by a string id that does NOT always match our
+// KnownProviderId. Specifically, they ship Fireworks under `fireworks-ai`.
+// This map is the single place that bridges the two namespaces; every other
+// helper in this file works in OUR namespace.
+const PROVIDER_TO_MODELS_DEV: Record<KnownProviderId, string> = {
+  openai: 'openai',
+  // openai-codex models live under the `openai` namespace on models.dev too
+  // (Codex is a backend, not a separate provider in their taxonomy). Curated
+  // entries are surfaced regardless of upstream membership.
+  'openai-codex': 'openai',
+  fireworks: 'fireworks-ai',
+}
+
+export type ModelOption = {
+  ref: KnownModelRef
+  providerId: KnownProviderId
+  providerName: string
+  modelId: string
+  modelName: string
+  reasoning: boolean
+  contextWindow: number | null
+  curated: boolean
+}
+
+type ModelsDevModel = {
+  id?: string
+  name?: string
+  reasoning?: boolean
+  tool_call?: boolean
+  status?: string
+  release_date?: string
+  modalities?: { input?: string[]; output?: string[] }
+  limit?: { context?: number }
+}
+
+type ModelsDevProvider = {
+  id?: string
+  name?: string
+  models?: Record<string, ModelsDevModel>
+}
+
+export type FetchModelsResult = {
+  options: ModelOption[]
+  source: 'models.dev' | 'curated'
+  warning?: string
+}
+
+// Pulls the live model catalog from models.dev, intersects it with our
+// curated KNOWN_PROVIDERS allowlist, and returns one ModelOption per
+// (provider, model) pair the user is allowed to pick at init time.
+//
+// Falls back to the curated list alone if the network is unreachable, the
+// response is malformed, or any unexpected error fires — the wizard MUST
+// stay functional offline because `typeclaw init` is the very first thing a
+// user does on a fresh machine, often before networking is sorted.
+export async function fetchModelOptions(
+  options: { fetchImpl?: typeof fetch; timeoutMs?: number } = {},
+): Promise<FetchModelsResult> {
+  const fetchImpl = options.fetchImpl ?? fetch
+  const timeoutMs = options.timeoutMs ?? REQUEST_TIMEOUT_MS
+  try {
+    const res = await fetchImpl(MODELS_DEV_URL, { signal: AbortSignal.timeout(timeoutMs) })
+    if (!res.ok) {
+      return { options: curatedOptions(), source: 'curated', warning: `models.dev returned ${res.status}` }
+    }
+    const data = (await res.json()) as Record<string, ModelsDevProvider>
+    return { options: mergeWithCurated(data), source: 'models.dev' }
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error)
+    return { options: curatedOptions(), source: 'curated', warning: reason }
+  }
+}
+
+// The curated-only path: every model in KNOWN_PROVIDERS, sorted with the
+// default model first so the picker can use index-0 as `initialValue`.
+export function curatedOptions(): ModelOption[] {
+  const refs = listKnownModelRefs()
+  return refs.map((ref) => buildOption(ref, { curated: true }))
+}
+
+// `data` is the parsed models.dev JSON. We walk only the providers we care
+// about (openai, fireworks-ai) and only emit options for models that are
+// also in our curated allowlist — anything outside the allowlist would fail
+// schema validation when written to typeclaw.json. Curated entries that
+// models.dev doesn't list (e.g. kimi-k2p6-turbo) are still surfaced so the
+// user can pick them.
+function mergeWithCurated(data: Record<string, ModelsDevProvider>): ModelOption[] {
+  const out: ModelOption[] = []
+  for (const providerId of Object.keys(KNOWN_PROVIDERS) as KnownProviderId[]) {
+    const known = KNOWN_PROVIDERS[providerId]
+    const upstream = data[PROVIDER_TO_MODELS_DEV[providerId]]
+    const upstreamModels = upstream?.models ?? {}
+    for (const modelId of Object.keys(known.models)) {
+      const upstreamModel = upstreamModels[modelId]
+      const ref = `${providerId}/${modelId}` as KnownModelRef
+      out.push(buildOption(ref, { curated: true, upstream: upstreamModel }))
+    }
+  }
+  return out
+}
+
+type BuildOptionOpts = {
+  curated: boolean
+  upstream?: ModelsDevModel
+}
+
+function buildOption(ref: KnownModelRef, opts: BuildOptionOpts): ModelOption {
+  const slash = ref.indexOf('/')
+  const providerId = ref.slice(0, slash) as KnownProviderId
+  const modelId = ref.slice(slash + 1)
+  const provider = KNOWN_PROVIDERS[providerId]
+  const curatedModel = (
+    provider.models as Record<string, { name: string; contextWindow?: number; reasoning?: boolean }>
+  )[modelId]
+  return {
+    ref,
+    providerId,
+    providerName: provider.name,
+    modelId,
+    modelName: opts.upstream?.name ?? curatedModel?.name ?? modelId,
+    reasoning: opts.upstream?.reasoning ?? curatedModel?.reasoning ?? false,
+    contextWindow: opts.upstream?.limit?.context ?? curatedModel?.contextWindow ?? null,
+    curated: opts.curated,
+  }
+}

package/src/init/oauth-login.ts

@@ -0,0 +1,74 @@
+import { join } from 'node:path'
+
+import {
+  KNOWN_PROVIDERS,
+  providerForModelRef,
+  supportsOAuth,
+  type KnownModelRef,
+  type KnownProviderId,
+} from '@/config/providers'
+import { createSecretsStoreForAgent } from '@/secrets'
+
+export type OAuthLoginResult = { ok: true } | { ok: false; reason: string }
+
+export type OAuthLoginRunner = (options: { cwd: string; model: KnownModelRef }) => Promise<OAuthLoginResult>
+
+// Wrap pi-ai's OAuth callbacks so the CLI doesn't have to know about the
+// upstream callback shape. The CLI only sees three lifecycle events:
+// (1) onAuth(url) — print the URL the user must visit
+// (2) onProgress(message) — show waiting/finalizing status
+// (3) onPrompt(prompt) — ask the user for a manual code if the browser flow
+//     can't reach the local callback server. Most users won't see this; it
+//     fires when they paste the post-redirect URL by hand.
+export type OAuthCallbacks = {
+  onAuth: (url: string, instructions?: string) => void
+  onProgress?: (message: string) => void
+  onPrompt: (message: string, placeholder?: string) => Promise<string | null>
+}
+
+// Default runner: real OAuth flow against pi-ai. Tests inject a stub to skip
+// network entirely. The runner's only job is to log in, write to the secrets
+// file, and report ok/error — it does NOT update typeclaw.json (the model
+// ref is already chosen by the caller and written by `scaffold`).
+export function makeOAuthLoginRunner(callbacks: OAuthCallbacks): OAuthLoginRunner {
+  return async ({ cwd, model }) => {
+    const providerId = providerForModelRef(model)
+    const provider = KNOWN_PROVIDERS[providerId]
+    if (!supportsOAuth(provider) || !provider.oauthProviderId) {
+      return { ok: false, reason: `Provider ${provider.name} does not support OAuth` }
+    }
+
+    try {
+      const secrets = createSecretsStoreForAgent(join(cwd, 'secrets.json'))
+      await secrets.login(provider.oauthProviderId, {
+        onAuth: (info) => callbacks.onAuth(info.url, info.instructions),
+        onProgress: callbacks.onProgress,
+        onPrompt: async (prompt) => {
+          const value = await callbacks.onPrompt(prompt.message, prompt.placeholder)
+          if (value === null) {
+            throw new Error('Login cancelled by user')
+          }
+          return value
+        },
+      })
+      return { ok: true }
+    } catch (error) {
+      return { ok: false, reason: error instanceof Error ? error.message : String(error) }
+    }
+  }
+}
+
+// Test seam: lets unit tests assert "OAuth login was invoked with these
+// params" without spinning up a real secrets store / browser callback server.
+export type FakeOAuthLoginRunnerOptions = {
+  result?: OAuthLoginResult
+  onCalled?: (options: { cwd: string; model: KnownModelRef; providerId: KnownProviderId }) => void
+}
+
+export function makeFakeOAuthLoginRunner(options: FakeOAuthLoginRunnerOptions = {}): OAuthLoginRunner {
+  return async ({ cwd, model }) => {
+    const providerId = providerForModelRef(model)
+    options.onCalled?.({ cwd, model, providerId })
+    return options.result ?? { ok: true }
+  }
+}

package/src/init/packagejson.ts

@@ -0,0 +1,94 @@
+import { existsSync } from 'node:fs'
+import { mkdir, readFile, writeFile } from 'node:fs/promises'
+import { join } from 'node:path'
+
+import { GITKEEP_FILE, PACKAGES_DIR } from './paths'
+
+export const PACKAGE_FILE = 'package.json'
+export const WORKSPACES_GLOB = `${PACKAGES_DIR}/*`
+
+export type PackageJsonRefreshResult = {
+  changed: boolean
+  files: string[]
+}
+
+// Migrates an existing agent folder into a bun monorepo layout. Idempotent —
+// running twice is a no-op. Skips silently when:
+//   - package.json is missing (folder not initialized yet)
+//   - package.json is unparseable (we never touch corrupt user files)
+//   - workspaces is already set (user opted in or customized)
+//
+// Always ensures `packages/<GITKEEP_FILE>` exists so the directory survives the
+// initial git commit, regardless of whether package.json was touched.
+//
+// Returns the list of paths the caller should consider for git auto-commit.
+// The caller (typeclaw start) commits these via the same `commitSystemFile`
+// pattern as .gitignore, keeping the monorepo migration on git's record.
+export async function refreshPackageJson(cwd: string): Promise<PackageJsonRefreshResult> {
+  const changed: string[] = []
+  const pkgPath = join(cwd, PACKAGE_FILE)
+
+  if (existsSync(pkgPath)) {
+    const updated = await ensureWorkspacesField(pkgPath)
+    if (updated) changed.push(PACKAGE_FILE)
+  }
+
+  const gitkeepRel = join(PACKAGES_DIR, GITKEEP_FILE)
+  const gitkeepPath = join(cwd, gitkeepRel)
+  if (!existsSync(gitkeepPath)) {
+    await mkdir(join(cwd, PACKAGES_DIR), { recursive: true })
+    await writeFile(gitkeepPath, '')
+    changed.push(gitkeepRel)
+  }
+
+  return { changed: changed.length > 0, files: changed }
+}
+
+async function ensureWorkspacesField(pkgPath: string): Promise<boolean> {
+  let raw: string
+  try {
+    raw = await readFile(pkgPath, 'utf8')
+  } catch {
+    return false
+  }
+
+  let pkg: Record<string, unknown>
+  try {
+    const parsed = JSON.parse(raw) as unknown
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return false
+    pkg = parsed as Record<string, unknown>
+  } catch {
+    return false
+  }
+
+  if ('workspaces' in pkg) return false
+
+  // Insertion order matters: place `workspaces` right after `type` (or after
+  // top-of-object metadata if `type` is absent) so the diff reads cleanly
+  // alongside the buildPackageJson template's field order. Without this, a
+  // freshly-migrated package.json has `workspaces` at the bottom — visually
+  // jarring and harder to spot on review.
+  const next = insertAfterKey(pkg, 'type', 'workspaces', [WORKSPACES_GLOB])
+  await writeFile(pkgPath, `${JSON.stringify(next, null, 2)}\n`)
+  return true
+}
+
+function insertAfterKey(
+  obj: Record<string, unknown>,
+  anchor: string,
+  key: string,
+  value: unknown,
+): Record<string, unknown> {
+  const out: Record<string, unknown> = {}
+  const keys = Object.keys(obj)
+  const anchorIdx = keys.indexOf(anchor)
+  if (anchorIdx === -1) {
+    return { [key]: value, ...obj }
+  }
+  for (let i = 0; i < keys.length; i++) {
+    const k = keys[i] as string
+    out[k] = obj[k]
+    if (i === anchorIdx) out[key] = value
+  }
+  return out
+}

package/src/init/paths.ts

@@ -0,0 +1,2 @@
+export const PACKAGES_DIR = 'packages'
+export const GITKEEP_FILE = '.gitkeep'

package/src/init/run-bun-install.ts

@@ -0,0 +1,20 @@
+export type InstallResult = { ok: true } | { ok: false; reason: string }
+
+export async function runBunInstall(cwd: string): Promise<InstallResult> {
+  const bun = (globalThis as { Bun?: { spawn: typeof Bun.spawn } }).Bun
+  if (!bun) return { ok: false, reason: 'bun runtime not available' }
+  try {
+    const proc = bun.spawn({
+      cmd: ['bun', 'install'],
+      cwd,
+      stdout: 'pipe',
+      stderr: 'pipe',
+    })
+    const code = await proc.exited
+    if (code === 0) return { ok: true }
+    const stderr = await new Response(proc.stderr).text()
+    return { ok: false, reason: `bun install exited with code ${code}: ${stderr.trim() || 'no stderr'}` }
+  } catch (error) {
+    return { ok: false, reason: error instanceof Error ? error.message : String(error) }
+  }
+}