typeclaw 0.10.0 → 0.11.1

package/src/cli/channel.ts

@@ -1,5 +1,4 @@
 import { randomBytes } from 'node:crypto'
-import { readFile } from 'node:fs/promises'
 
 import { cancel, confirm, intro, isCancel, log, note, password, select, spinner, text } from '@clack/prompts'
 import { defineCommand } from 'citty'
@@ -8,8 +7,10 @@ import { config } from '@/config'
 import { start, status, stop } from '@/container'
 import {
   CHANNEL_KINDS,
+  appendOrReplaceEnvKey,
   findAgentDir,
   formatEagerGithubWebhookInstallResult,
+  hasEnvKey,
   isInitialized,
   readConfiguredChannels,
   readGithubAuthType,
@@ -25,7 +26,8 @@ import {
 import { runKakaotalkBootstrap } from '@/init/kakaotalk-auth'
 import { SecretsKakaoCredentialStore } from '@/secrets/kakao-store'
 
-import { c, done, errorLine, printSlackAppManifestSetup } from './ui'
+import { CANCEL_SYMBOL, promptPrivateKeyPem } from './prompt-pem'
+import { c, done, errorLine, printDiscordInviteHint, printSlackAppManifestSetup } from './ui'
 
 const CHANNEL_LABELS: Record<ChannelKind, string> = {
   'slack-bot': 'Slack',
@@ -61,7 +63,7 @@ const addSub = defineCommand({
 
     intro(`Adding channel: ${CHANNEL_LABELS[channel]}`)
 
-    const credentials = await collectCredentials(channel)
+    const credentials = await collectCredentials(channel, cwd)
 
     const events: AddChannelStepEvent[] = []
     try {
@@ -518,14 +520,14 @@ async function runSetGithub(cwd: string): Promise<void> {
   }
   const authLabel =
     authType === 'pat'
-      ? 'Personal access token (PAT) — the authentication credential (recommended)'
-      : 'GitHub App private key — the authentication credential (recommended)'
+      ? 'Auth credential — rotate the PAT, or switch to GitHub App auth (recommended)'
+      : 'Auth credential — rotate the App private key, or switch to PAT auth (recommended)'
   const choice = await select<GithubSetChoice>({
-    message: 'Which GitHub secret do you want to rotate?',
+    message: 'Which GitHub secret do you want to update?',
     options: [
       { value: 'auth', label: authLabel },
       { value: 'webhook', label: 'Webhook secret — shared secret for verifying GitHub payloads' },
-      { value: 'both', label: 'Both secrets — rotate the auth credential and the webhook secret' },
+      { value: 'both', label: 'Both secrets — update the auth credential and the webhook secret' },
     ],
     initialValue: 'auth',
   })
@@ -537,36 +539,7 @@ async function runSetGithub(cwd: string): Promise<void> {
   const patch: GithubCredentialPatch = {}
 
   if (choice === 'auth' || choice === 'both') {
-    if (authType === 'pat') {
-      note(
-        [
-          'Rotate at https://github.com/settings/personal-access-tokens.',
-          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
-          'Metadata read, and Webhooks read/write.',
-        ].join('\n'),
-        'Rotate the GitHub PAT',
-      )
-      const { pat } = await promptGithubPatAuth()
-      patch.auth = { type: 'pat', pat }
-    } else {
-      note(
-        [
-          'Rotate at https://github.com/settings/apps/<your-app> → Private keys → Generate a private key.',
-          'GitHub immediately downloads the new .pem. The previous key keeps working until you delete it,',
-          'so it is safe to rotate without downtime.',
-        ].join('\n'),
-        'Rotate the GitHub App private key',
-      )
-      const privateKeyInput = await text({
-        message: 'New GitHub App private key PEM, escaped PEM, or path to .pem file',
-        validate: (value) => (value && value.length > 0 ? undefined : 'Private key is required'),
-      })
-      if (isCancel(privateKeyInput)) {
-        cancel('Aborted.')
-        process.exit(0)
-      }
-      patch.auth = { type: 'app', privateKey: await resolvePrivateKeyInput(privateKeyInput) }
-    }
+    patch.auth = await promptGithubAuthUpdate(authType)
   }
 
   if (choice === 'webhook' || choice === 'both') {
@@ -604,7 +577,7 @@ type CollectedCredentials =
       auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
     }
 
-async function collectCredentials(channel: ChannelKind): Promise<CollectedCredentials> {
+async function collectCredentials(channel: ChannelKind, cwd: string): Promise<CollectedCredentials> {
   switch (channel) {
     case 'discord-bot':
       return { channel, discordBotToken: await promptDiscordToken() }
@@ -628,17 +601,19 @@ async function collectCredentials(channel: ChannelKind): Promise<CollectedCreden
       }
     }
     case 'github': {
-      const creds = await promptGithubCredentials()
+      const creds = await promptGithubCredentials(cwd)
       return { channel, ...creds }
     }
   }
 }
 
-async function promptGithubCredentials(): Promise<{
+async function promptGithubCredentials(cwd: string): Promise<{
   webhookSecret: string
   tunnelProvider: GithubTunnelProvider
   webhookUrl?: string
   webhookPort?: number
+  hostname?: string
+  tokenEnv?: string
   repos: string[]
   auth: { type: 'pat'; pat: string } | { type: 'app'; appId: number; privateKey: string; installationId?: number }
 }> {
@@ -670,6 +645,10 @@ async function promptGithubCredentials(): Promise<{
         value: 'cloudflare-quick',
         label: 'Cloudflare Quick Tunnel — no signup, URL rotates on restart (recommended)',
       },
+      {
+        value: 'cloudflare-named',
+        label: 'Cloudflare Named Tunnel — stable URL, needs Cloudflare account + domain',
+      },
       { value: 'external', label: 'External URL — I have my own reverse proxy / tunnel' },
       { value: 'none', label: 'None — configure later by hand-editing typeclaw.json' },
     ],
@@ -690,6 +669,7 @@ async function promptGithubCredentials(): Promise<{
     cancel('Aborted.')
     process.exit(0)
   }
+  const namedCreds = tunnelProvider === 'cloudflare-named' ? await promptCloudflareNamedTunnel(cwd) : undefined
   const port = await text({
     message: 'Local webhook port inside the agent container',
     initialValue: '8975',
@@ -727,11 +707,125 @@ async function promptGithubCredentials(): Promise<{
     tunnelProvider,
     ...(webhookUrl !== undefined ? { webhookUrl } : {}),
     webhookPort: Number(port),
+    ...(namedCreds !== undefined ? namedCreds : {}),
     repos: parseRepos(reposRaw),
     auth,
   }
 }
 
+async function promptCloudflareNamedTunnel(cwd: string): Promise<{ hostname: string; tokenEnv: string }> {
+  const tokenEnv = 'CLOUDFLARE_TUNNEL_TOKEN'
+  note(
+    [
+      'Cloudflare Named Tunnel needs a tunnel you created in the Zero Trust dashboard:',
+      '  1. Networks → Tunnels → Create a tunnel → Cloudflared. Copy the token shown on the install screen.',
+      '  2. Public Hostname tab → Add: subdomain + your-domain, service type HTTP, URL localhost:<webhook port>.',
+      `  3. Paste the token below when prompted — TypeClaw will write it to .env as ${tokenEnv}.`,
+      'A tunnel without a Public Hostname registers but routes nothing.',
+    ].join('\n'),
+    'Cloudflare named tunnel',
+  )
+  const hostname = await text({
+    message: 'Public hostname configured in the dashboard (https://...)',
+    validate: (value) => validateUrl(value ?? '', 'Hostname is required'),
+  })
+  if (isCancel(hostname)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+  if (!hasEnvKey(cwd, tokenEnv)) {
+    const token = await password({
+      message: `Cloudflare tunnel token (will be written to .env as ${tokenEnv})`,
+      validate: (value) => (value && value.length > 0 ? undefined : 'Token is required'),
+    })
+    if (isCancel(token)) {
+      cancel('Aborted.')
+      process.exit(0)
+    }
+    appendOrReplaceEnvKey(cwd, tokenEnv, token)
+  }
+  return { hostname, tokenEnv }
+}
+
+type GithubAuthUpdateAction = 'rotate' | 'switch'
+
+async function promptGithubAuthUpdate(currentType: 'pat' | 'app'): Promise<GithubCredentialPatch['auth']> {
+  const rotateLabel =
+    currentType === 'pat'
+      ? 'Rotate the PAT (replace the current personal access token)'
+      : 'Rotate the App private key (replace the current GitHub App private key)'
+  const switchLabel =
+    currentType === 'pat'
+      ? 'Switch to GitHub App auth (replace the PAT with App credentials)'
+      : 'Switch to PAT auth (replace the App credentials with a personal access token)'
+  const action = await select<GithubAuthUpdateAction>({
+    message: 'Update the GitHub auth credential',
+    options: [
+      { value: 'rotate', label: rotateLabel },
+      { value: 'switch', label: switchLabel },
+    ],
+    initialValue: 'rotate',
+  })
+  if (isCancel(action)) {
+    cancel('Aborted.')
+    process.exit(0)
+  }
+
+  const nextType: 'pat' | 'app' = action === 'rotate' ? currentType : currentType === 'pat' ? 'app' : 'pat'
+
+  if (nextType === 'pat') {
+    if (action === 'rotate') {
+      note(
+        [
+          'Rotate at https://github.com/settings/personal-access-tokens.',
+          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+          'Metadata read, and Webhooks read/write.',
+        ].join('\n'),
+        'Rotate the GitHub PAT',
+      )
+    } else {
+      note(
+        [
+          'Create a fine-grained PAT at https://github.com/settings/personal-access-tokens.',
+          'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+          'Metadata read, and Webhooks read/write.',
+        ].join('\n'),
+        'Switch to GitHub PAT auth',
+      )
+    }
+    return await promptGithubPatAuth()
+  }
+
+  if (action === 'rotate') {
+    note(
+      [
+        'Rotate at https://github.com/settings/apps/<your-app> → Private keys → Generate a private key.',
+        'GitHub immediately downloads the new .pem. The previous key keeps working until you delete it,',
+        'so it is safe to rotate without downtime.',
+      ].join('\n'),
+      'Rotate the GitHub App private key',
+    )
+    const privateKey = await promptPrivateKeyPem('New GitHub App private key PEM, escaped PEM, or path to .pem file')
+    if (privateKey === CANCEL_SYMBOL) {
+      cancel('Aborted.')
+      process.exit(0)
+    }
+    return { type: 'app', privateKey }
+  }
+
+  note(
+    [
+      'Create a GitHub App at https://github.com/settings/apps/new and install it on your repositories.',
+      'Required permissions: Issues read/write, Pull requests read/write, Discussions read/write (if used),',
+      'Metadata read, and Webhooks read/write.',
+      'Then collect the App ID, generate a private key (.pem), and grab the Installation ID from the URL',
+      'of the installation page (https://github.com/settings/installations/<installation-id>).',
+    ].join('\n'),
+    'Switch to GitHub App auth',
+  )
+  return await promptGithubAppAuth()
+}
+
 async function promptGithubPatAuth(): Promise<{ type: 'pat'; pat: string }> {
   const pat = await password({
     message: 'GitHub fine-grained PAT',
@@ -758,11 +852,8 @@ async function promptGithubAppAuth(): Promise<{
     cancel('Aborted.')
     process.exit(0)
   }
-  const privateKeyInput = await text({
-    message: 'GitHub App private key PEM, escaped PEM, or path to .pem file',
-    validate: (value) => (value && value.length > 0 ? undefined : 'Private key is required'),
-  })
-  if (isCancel(privateKeyInput)) {
+  const privateKey = await promptPrivateKeyPem('GitHub App private key PEM, escaped PEM, or path to .pem file')
+  if (privateKey === CANCEL_SYMBOL) {
     cancel('Aborted.')
     process.exit(0)
   }
@@ -779,17 +870,11 @@ async function promptGithubAppAuth(): Promise<{
   return {
     type: 'app',
     appId: Number(appId),
-    privateKey: await resolvePrivateKeyInput(privateKeyInput),
+    privateKey,
     ...(parsedInstallationId !== undefined ? { installationId: parsedInstallationId } : {}),
   }
 }
 
-async function resolvePrivateKeyInput(input: string): Promise<string> {
-  const normalized = input.replace(/\\n/g, '\n')
-  if (normalized.includes('-----BEGIN') && normalized.includes('PRIVATE KEY-----')) return normalized
-  return await readFile(input, 'utf8')
-}
-
 function parseRepos(input: string): string[] {
   return input
     .split(',')
@@ -830,6 +915,7 @@ async function promptDiscordToken(): Promise<string> {
     cancel('Aborted.')
     process.exit(0)
   }
+  printDiscordInviteHint(token)
   return token
 }