typeclaw 0.1.2 → 0.1.3

package/src/secrets/kakao-store.ts

@@ -0,0 +1,129 @@
+import type { KakaoAccountCredentials, KakaoConfig } from 'agent-messenger/kakaotalk'
+import type { PendingLoginState } from 'agent-messenger/kakaotalk'
+
+import { sendHttp } from '@/hostd/client'
+
+import { type KakaoChannelBlock, kakaoChannelBlockSchema } from './schema'
+import { SecretsBackend } from './storage'
+
+export type SecretsKakaoCredentialStoreOptions =
+  | { mode: 'host'; secretsPath: string }
+  | { mode: 'container'; secretsPath: string; hostdUrl: string; restartToken: string; containerName: string }
+
+const EMPTY_BLOCK: KakaoChannelBlock = { currentAccount: null, accounts: {} }
+
+export class SecretsKakaoCredentialStore {
+  private readonly backend: SecretsBackend
+  private writeChain: Promise<void> = Promise.resolve()
+
+  constructor(private readonly options: SecretsKakaoCredentialStoreOptions) {
+    this.backend = new SecretsBackend(options.secretsPath)
+  }
+
+  async load(): Promise<KakaoConfig> {
+    return toKakaoConfig(this.readBlock())
+  }
+
+  async save(config: KakaoConfig): Promise<void> {
+    await this.writeBlock(() => fromKakaoConfig(config))
+  }
+
+  async getAccount(id?: string): Promise<KakaoAccountCredentials | null> {
+    const config = await this.load()
+    if (id) return config.accounts[id] ?? null
+    if (!config.current_account) return null
+    return config.accounts[config.current_account] ?? null
+  }
+
+  async setAccount(account: KakaoAccountCredentials): Promise<void> {
+    await this.writeBlock((block) => {
+      const accounts = { ...block.accounts, [account.account_id]: account }
+      return { ...block, currentAccount: block.currentAccount ?? account.account_id, accounts }
+    })
+  }
+
+  async removeAccount(id: string): Promise<void> {
+    await this.writeBlock((block) => {
+      const accounts = { ...block.accounts }
+      delete accounts[id]
+      const currentAccount = block.currentAccount === id ? (Object.keys(accounts)[0] ?? null) : block.currentAccount
+      return { ...block, currentAccount, accounts }
+    })
+  }
+
+  async listAccounts(): Promise<Array<KakaoAccountCredentials & { is_current: boolean }>> {
+    const config = await this.load()
+    return Object.values(config.accounts).map((account) => ({
+      ...account,
+      is_current: account.account_id === config.current_account,
+    }))
+  }
+
+  async setCurrentAccount(id: string): Promise<void> {
+    await this.writeBlock((block) => ({ ...block, currentAccount: id }))
+  }
+
+  async savePendingLogin(state: PendingLoginState): Promise<void> {
+    await this.writeBlock((block) => ({ ...block, pendingLogin: state }))
+  }
+
+  async loadPendingLogin(): Promise<PendingLoginState | null> {
+    return this.readBlock().pendingLogin ?? null
+  }
+
+  async clearPendingLogin(): Promise<void> {
+    await this.writeBlock((block) => {
+      const { pendingLogin: _pendingLogin, ...next } = block
+      return next
+    })
+  }
+
+  private readBlock(): KakaoChannelBlock {
+    const channels =
+      this.options.mode === 'container' ? this.backend.tryReadChannelsSync() : this.backend.readChannelsSync()
+    const raw = channels?.kakaotalk
+    return parseBlock(raw)
+  }
+
+  private async writeBlock(update: (current: KakaoChannelBlock) => KakaoChannelBlock): Promise<void> {
+    return this.enqueueWrite(async () => {
+      if (this.options.mode === 'container') {
+        const next = update(this.readBlock())
+        const response = await sendHttp(
+          {
+            kind: 'secrets-patch',
+            containerName: this.options.containerName,
+            patch: { channels: { kakaotalk: next } },
+          },
+          { url: this.options.hostdUrl, token: this.options.restartToken },
+        )
+        if (!response.ok) throw new Error(`secrets-patch failed: ${response.reason}`)
+        return
+      }
+
+      await this.backend.updateChannelsAsync(async (channels) => {
+        const next = { ...channels, kakaotalk: update(parseBlock(channels.kakaotalk)) }
+        return { result: undefined, next }
+      })
+    })
+  }
+
+  private enqueueWrite(op: () => Promise<void>): Promise<void> {
+    const next = this.writeChain.then(op, op)
+    this.writeChain = next.catch(() => {})
+    return next
+  }
+}
+
+function parseBlock(value: unknown): KakaoChannelBlock {
+  if (value === undefined) return EMPTY_BLOCK
+  return kakaoChannelBlockSchema.parse(value)
+}
+
+function toKakaoConfig(block: KakaoChannelBlock): KakaoConfig {
+  return { current_account: block.currentAccount, accounts: block.accounts }
+}
+
+function fromKakaoConfig(config: KakaoConfig): KakaoChannelBlock {
+  return { currentAccount: config.current_account, accounts: config.accounts }
+}

package/src/secrets/migrate-kakaotalk.ts

@@ -0,0 +1,82 @@
+import { existsSync } from 'node:fs'
+import { rename } from 'node:fs/promises'
+import { join } from 'node:path'
+
+import { KakaoCredentialManager } from 'agent-messenger/kakaotalk'
+import type { KakaoConfig, PendingLoginState } from 'agent-messenger/kakaotalk'
+
+import { type KakaoChannelBlock, kakaoChannelBlockSchema } from './schema'
+import { SecretsBackend } from './storage'
+
+const KAKAO_CONFIG_DIR = join('workspace', '.agent-messenger')
+const CREDENTIALS_FILE = 'kakaotalk-credentials.json'
+const PENDING_LOGIN_FILE = 'kakaotalk-pending-login.json'
+
+export type KakaotalkCredentialMigrationResult = { promoted: boolean }
+
+export async function migrateKakaotalkCredentials(agentDir: string): Promise<KakaotalkCredentialMigrationResult> {
+  const configDir = join(agentDir, KAKAO_CONFIG_DIR)
+  const credentialsPath = join(configDir, CREDENTIALS_FILE)
+  const pendingLoginPath = join(configDir, PENDING_LOGIN_FILE)
+  if (!existsSync(credentialsPath) && !existsSync(pendingLoginPath)) return { promoted: false }
+
+  const secretsPath = join(agentDir, 'secrets.json')
+  const legacy = new KakaoCredentialManager(configDir)
+  const config = await legacy.load()
+  const pendingLogin = await legacy.loadPendingLogin()
+  if (Object.keys(config.accounts).length === 0 && pendingLogin === null) return { promoted: false }
+
+  const backend = new SecretsBackend(secretsPath)
+  const result = await backend.updateChannelsAsync(async (channels) => {
+    const existing = parseExistingBlock(channels.kakaotalk)
+    const next = mergeLegacyBlock(existing, config, pendingLogin)
+    if (next === existing) return { result: { promoted: false, renameCredentials: false, renamePending: false } }
+
+    return {
+      result: {
+        promoted: true,
+        renameCredentials: isEmptyBlock(existing) && Object.keys(config.accounts).length > 0,
+        renamePending: pendingLogin !== null && existing?.pendingLogin === undefined,
+      },
+      next: { ...channels, kakaotalk: next },
+    }
+  })
+  if (!result.promoted) return { promoted: false }
+
+  if (result.renameCredentials) await renameIfPresent(credentialsPath, `${credentialsPath}.migrated`)
+  if (result.renamePending) await renameIfPresent(pendingLoginPath, `${pendingLoginPath}.migrated`)
+  return { promoted: true }
+}
+
+function parseExistingBlock(value: unknown): KakaoChannelBlock | null {
+  if (value === undefined) return null
+  return kakaoChannelBlockSchema.parse(value)
+}
+
+function isEmptyBlock(block: KakaoChannelBlock | null): boolean {
+  return (
+    block === null ||
+    (block.currentAccount === null && Object.keys(block.accounts).length === 0 && block.pendingLogin === undefined)
+  )
+}
+
+function mergeLegacyBlock(
+  existing: KakaoChannelBlock | null,
+  config: KakaoConfig,
+  pendingLogin: PendingLoginState | null,
+): KakaoChannelBlock | null {
+  if (existing === null || isEmptyBlock(existing)) {
+    return {
+      currentAccount: config.current_account,
+      accounts: config.accounts,
+      ...(pendingLogin ? { pendingLogin } : {}),
+    }
+  }
+  if (pendingLogin === null || existing.pendingLogin !== undefined) return existing
+  return { ...existing, pendingLogin }
+}
+
+async function renameIfPresent(from: string, to: string): Promise<void> {
+  if (!existsSync(from)) return
+  await rename(from, to)
+}

package/src/secrets/migrate.ts

@@ -70,9 +70,10 @@ function renameWithRaceFallback(from: string, to: string): void {
   }
 }
 
-// "Empty envelope" = no actual credentials. Parsed shape with empty llm and
-// empty channels. We do NOT try to be clever about "approximately empty" —
-// exact emptiness is the only safe auto-delete / auto-overwrite case.
+// "Empty envelope" = no actual credentials. parseSecretsFile normalises both
+// legacy v1 and current v2 to a v2-shaped SecretsFile, so we only check the
+// v2 fields. We do NOT try to be clever about "approximately empty" — exact
+// emptiness is the only safe auto-delete / auto-overwrite case.
 function isEmptyEnvelope(path: string): boolean {
   let raw: string
   try {
@@ -91,5 +92,5 @@ function isEmptyEnvelope(path: string): boolean {
 
   const result = parseSecretsFile(parsed)
   if (!result.ok) return false
-  return Object.keys(result.file.llm).length === 0 && Object.keys(result.file.channels).length === 0
+  return Object.keys(result.file.providers).length === 0 && Object.keys(result.file.channels).length === 0
 }

package/src/secrets/resolve.ts

@@ -0,0 +1,57 @@
+import { z } from 'zod'
+
+// A Secret is the on-disk shape for any env-injectable credential field.
+// String shorthand is sugar for `{ value }`. The schema normalises to the
+// object form at parse time so consumers only ever handle one shape, but
+// writers MAY emit the string shorthand for the common no-custom-env case
+// to keep `secrets.json` terse.
+//
+// Empty objects `{}` are rejected because they carry no information — the
+// resolver would always return undefined for them and the file would silently
+// fail to provide credentials at boot.
+const secretObjectSchema = z
+  .object({
+    value: z.string().min(1).optional(),
+    env: z.string().min(1).optional(),
+  })
+  .refine((s) => s.value !== undefined || s.env !== undefined, {
+    message: 'Secret object must have at least one of `value` or `env`',
+  })
+
+export const secretFieldSchema = z
+  .union([z.string().min(1), secretObjectSchema])
+  .transform((v) => (typeof v === 'string' ? { value: v } : v))
+
+export type Secret = z.infer<typeof secretFieldSchema>
+
+// Env-wins resolution. The single place env-vs-file precedence lives.
+//
+// Precedence (highest to lowest):
+//   1. process.env[secret.env]    — explicit binding wins
+//   2. process.env[defaultEnv]    — canonical env-var-name fallback
+//   3. secret.value               — on-disk value
+//   4. undefined                  — caller decides (missing-credential error)
+//
+// Empty-string env values are treated as unset, matching the existing
+// hydrate.ts policy (`env[key] !== '' `). This keeps `unset` and `set to ""`
+// behaviorally identical for credentials, which is what every shell ecosystem
+// converges on.
+export function resolveSecret(
+  secret: Secret,
+  defaultEnv: string | undefined,
+  env: NodeJS.ProcessEnv,
+): string | undefined {
+  const envName = secret.env ?? defaultEnv
+  if (envName !== undefined) {
+    const fromEnv = env[envName]
+    if (fromEnv !== undefined && fromEnv !== '') return fromEnv
+  }
+  return secret.value
+}
+
+// Returns the env-var name that resolveSecret would consult for a given
+// Secret + default. Used by doctor / diagnostics to report "if you want to
+// override this, set $envName". Does NOT consult process.env — pure mapping.
+export function effectiveEnvName(secret: Secret, defaultEnv: string | undefined): string | undefined {
+  return secret.env ?? defaultEnv
+}

package/src/secrets/schema.ts

@@ -1,72 +1,192 @@
 import { z } from 'zod'
 
-// The api_key shape exactly matches pi-coding-agent's ApiKeyCredential. We
-// re-state it here (rather than import the upstream type into the schema)
-// because Zod schemas are the source of truth for validation and JSON Schema
-// generation, and pi-coding-agent does not export Zod schemas.
-const llmApiKeyCredentialSchema = z.object({
+import { CHANNEL_ENV_TO_FIELD } from './defaults'
+import { secretFieldSchema, type Secret } from './resolve'
+
+// providers.<id> for api-key credentials: the `key` field is a Secret (string
+// shorthand or `{ value?, env? }` object). resolveSecret turns this into a
+// flat string at read time so AuthStorage (which expects `key: string`)
+// stays happy. OAuth credentials carry stateful refresh/access tokens that
+// are not env-injectable, so they pass through unchanged via catchall.
+const apiKeyProviderSchema = z.object({
   type: z.literal('api_key'),
-  key: z.string().min(1),
+  key: secretFieldSchema,
 })
 
-// pi-coding-agent's OAuth credential carries provider-specific fields
-// (access, refresh, expires, plus arbitrary upstream additions). We accept
-// them as a passthrough object so future upstream additions don't break parse.
-// Upstream is the runtime authority on OAuth shape; our job here is only to
-// route the slice safely through the file envelope.
-const llmOAuthCredentialSchema = z
+const oauthProviderSchema = z
   .object({
     type: z.literal('oauth'),
   })
   .catchall(z.unknown())
 
-export const llmCredentialSchema = z.discriminatedUnion('type', [llmApiKeyCredentialSchema, llmOAuthCredentialSchema])
+export const providerCredentialSchema = z.discriminatedUnion('type', [apiKeyProviderSchema, oauthProviderSchema])
+
+export const providersSchema = z.record(z.string(), providerCredentialSchema)
+
+// Per-adapter channel slots use named fields (`botToken`, `appToken`, `token`)
+// instead of env-var-name keys. The Secret union per field carries the env-var
+// override. Unknown adapter ids pass through via catchall so a future
+// plugin-contributed adapter doesn't fail validation.
+const slackBotChannelSchema = z.object({
+  botToken: secretFieldSchema.optional(),
+  appToken: secretFieldSchema.optional(),
+})
+
+const discordBotChannelSchema = z.object({
+  token: secretFieldSchema.optional(),
+})
+
+const telegramBotChannelSchema = z.object({
+  token: secretFieldSchema.optional(),
+})
+
+export const kakaoAccountRecordSchema = z.object({
+  account_id: z.string(),
+  oauth_token: z.string(),
+  user_id: z.string(),
+  refresh_token: z.string().optional(),
+  device_uuid: z.string(),
+  device_type: z.union([z.literal('pc'), z.literal('tablet')]),
+  auth_method: z.union([z.literal('login'), z.literal('extract')]).optional(),
+  created_at: z.string(),
+  updated_at: z.string(),
+})
+
+export const kakaoPendingLoginRecordSchema = z.object({
+  device_uuid: z.string(),
+  device_type: z.union([z.literal('pc'), z.literal('tablet')]),
+  email: z.string(),
+  created_at: z.string(),
+})
 
-// Map keyed by provider id ("openai", "openai-codex", "fireworks", ...).
-// Exactly the shape pi-coding-agent persists today as the entire secrets file.
-export const llmCredentialsSchema = z.record(z.string(), llmCredentialSchema)
+export const kakaoChannelBlockSchema = z.object({
+  currentAccount: z.string().nullable(),
+  accounts: z.record(z.string(), kakaoAccountRecordSchema),
+  pendingLogin: kakaoPendingLoginRecordSchema.optional(),
+})
 
-// Empty channels schema today; channel adapter tokens (Slack/Discord/Telegram)
-// will move here in a follow-up plan. The catchall keeps forward compatibility
-// when a future TypeClaw reads a file written by an even-newer TypeClaw.
-export const channelsSchema = z.object({}).catchall(z.unknown())
+export const channelsSchema = z
+  .object({
+    'slack-bot': slackBotChannelSchema.optional(),
+    'discord-bot': discordBotChannelSchema.optional(),
+    'telegram-bot': telegramBotChannelSchema.optional(),
+    kakaotalk: kakaoChannelBlockSchema.optional(),
+  })
+  .catchall(z.unknown())
+
+// version 2 = providers.* with Secret-typed api-key.key + per-adapter
+// channel field shapes. version 1 = the previous shape (flat `llm.*`, channel
+// slots keyed by env-var name). Legacy v1 input is upgraded transparently by
+// parseSecretsFile; the first write persists v2.
+export const SECRETS_FILE_VERSION = 2
 
 export const secretsFileSchema = z.object({
   $schema: z.string().optional(),
-  version: z.literal(1),
-  llm: llmCredentialsSchema.default({}),
+  version: z.literal(SECRETS_FILE_VERSION),
+  providers: providersSchema.default({}),
   channels: channelsSchema.default({}),
 })
 
-export type LlmCredential = z.infer<typeof llmCredentialSchema>
-export type LlmCredentials = z.infer<typeof llmCredentialsSchema>
+export type ProviderCredential = z.infer<typeof providerCredentialSchema>
+export type Providers = z.infer<typeof providersSchema>
+export type Channels = z.infer<typeof channelsSchema>
+export type KakaoAccountRecord = z.infer<typeof kakaoAccountRecordSchema>
+export type PendingLoginRecord = z.infer<typeof kakaoPendingLoginRecordSchema>
+export type KakaoChannelBlock = z.infer<typeof kakaoChannelBlockSchema>
 export type SecretsFile = z.infer<typeof secretsFileSchema>
 
 export type ParseSecretsResult = { ok: true; file: SecretsFile } | { ok: false; reason: string }
 
-// parseSecretsFile recognises two shapes:
-//   1. The new envelope: { version: 1, llm: {...}, channels: {...} }
-//   2. The legacy flat shape pi-coding-agent writes today: a top-level
-//      Record<string, AuthCredential>. Treated as { version: 1, llm: <flat>,
-//      channels: {} } so existing OAuth users transparently upgrade on the
-//      next write that goes through this code path.
+// parseSecretsFile recognises three shapes, in priority order:
+//   1. The v2 envelope (current): { version: 2, providers, channels }
+//   2. The v1 envelope (legacy): { version: 1, llm, channels } where channel
+//      slots are keyed by env-var name. Both `llm` and `channels` get
+//      reshaped — llm -> providers, env-keyed channel slots -> field-keyed.
+//   3. The pre-envelope flat shape (very legacy): Record<string, AuthCredential>
+//      at top level. Treated as { version: 2, providers: <flat>, channels: {} }
+//      so existing OAuth users transparently upgrade.
 //
-// An empty object {} is a legitimate legacy state — a freshly-created
-// secrets file with no providers logged in yet. It upgrades cleanly to the
-// new envelope with empty llm and channels.
+// Every legacy upgrade produces a v2-shaped SecretsFile in memory; the next
+// write persists v2 to disk. The legacy branches stay forever as a quiet
+// compatibility seam — only the v2 form is documented.
 export function parseSecretsFile(raw: unknown): ParseSecretsResult {
-  const direct = secretsFileSchema.safeParse(raw)
-  if (direct.success) return { ok: true, file: direct.data }
+  const v2 = secretsFileSchema.safeParse(raw)
+  if (v2.success) return { ok: true, file: v2.data }
+
+  const v1 = legacyV1Schema.safeParse(raw)
+  if (v1.success) return { ok: true, file: upgradeV1ToV2(v1.data) }
+
+  const flat = legacyFlatProviderSchema.safeParse(raw)
+  if (flat.success) {
+    return { ok: true, file: upgradeV1ToV2({ version: 1, llm: flat.data, channels: {} }) }
+  }
 
-  const legacy = llmCredentialsSchema.safeParse(raw)
-  if (legacy.success) {
-    return { ok: true, file: { version: 1, llm: legacy.data, channels: {} } }
+  return { ok: false, reason: v2.error.issues.map(formatIssue).join('; ') }
+}
+
+// Legacy v1 schema: `llm` (flat string-key) and `channels` (env-var-keyed
+// flat map per adapter). Used only for upgrade reads; never written.
+const legacyV1ApiKeySchema = z.object({
+  type: z.literal('api_key'),
+  key: z.string().min(1),
+})
+
+const legacyV1OAuthSchema = z
+  .object({
+    type: z.literal('oauth'),
+  })
+  .catchall(z.unknown())
+
+const legacyV1CredentialSchema = z.discriminatedUnion('type', [legacyV1ApiKeySchema, legacyV1OAuthSchema])
+
+const legacyV1LlmSchema = z.record(z.string(), legacyV1CredentialSchema)
+
+const legacyV1ChannelsSchema = z.record(z.string(), z.record(z.string(), z.string()))
+
+const legacyV1Schema = z.object({
+  $schema: z.string().optional(),
+  version: z.literal(1),
+  llm: legacyV1LlmSchema.default({}),
+  channels: legacyV1ChannelsSchema.default({}),
+})
+
+const legacyFlatProviderSchema = z.record(z.string(), legacyV1CredentialSchema)
+
+function upgradeV1ToV2(legacy: z.infer<typeof legacyV1Schema>): SecretsFile {
+  const providers: Providers = {}
+  for (const [providerId, cred] of Object.entries(legacy.llm)) {
+    if (cred.type === 'api_key') {
+      providers[providerId] = { type: 'api_key', key: { value: cred.key } }
+    } else {
+      providers[providerId] = cred
+    }
   }
 
-  // Neither shape matched. We surface the new-shape error because that's the
-  // target the user is presumably moving toward; the legacy path is a quiet
-  // compatibility seam, not a documented format.
-  return { ok: false, reason: direct.error.issues.map(formatIssue).join('; ') }
+  const channels: Channels = {}
+  for (const [adapterId, envKeyedSlot] of Object.entries(legacy.channels)) {
+    const upgradedSlot: Record<string, Secret> = {}
+    for (const [envKey, value] of Object.entries(envKeyedSlot)) {
+      const mapping = CHANNEL_ENV_TO_FIELD[envKey]
+      if (mapping && mapping.adapterId === adapterId) {
+        upgradedSlot[mapping.fieldName] = { value }
+      } else {
+        // Unknown env-var-name key on a known adapter, or an adapter we don't
+        // recognise: pass through verbatim under the original key. Better to
+        // preserve user data than drop it; the catchall on channelsSchema
+        // makes this safe.
+        upgradedSlot[envKey] = { value }
+      }
+    }
+    channels[adapterId] = upgradedSlot
+  }
+
+  const result: SecretsFile = {
+    version: SECRETS_FILE_VERSION,
+    providers,
+    channels,
+  }
+  if (legacy.$schema !== undefined) result.$schema = legacy.$schema
+  return result
 }
 
 function formatIssue(issue: { path: PropertyKey[]; message: string }): string {