ultraclaude-agent 0.0.19 → 0.0.21

package/src/claude-profiles.ts

@@ -0,0 +1,597 @@
+// Claude Code credential profile management
+// Manages named profiles for Claude Code's OAuth credentials (~/.claude/.credentials.json)
+
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { readFile, writeFile, rename, mkdir, unlink, readdir, stat } from 'node:fs/promises';
+import { spawn, execFileSync } from 'node:child_process';
+import { logger } from './logger.js';
+import type {
+  ClaudeOAuthCredentials,
+  ClaudeProfile,
+  ClaudeProfileActive,
+  ClaudeAuthIdentity,
+} from '@ultra-claude/shared';
+
+// --- Paths ---
+
+const CLAUDE_DIR = join(homedir(), '.claude');
+const CREDENTIALS_FILE = join(CLAUDE_DIR, '.credentials.json');
+const PROFILES_DIR = join(homedir(), '.claude', 'ultra', 'claude-profiles');
+const BACKUPS_DIR = join(PROFILES_DIR, 'backups');
+const ACTIVE_FILE = join(PROFILES_DIR, 'active.json');
+
+export { CREDENTIALS_FILE, PROFILES_DIR, BACKUPS_DIR, ACTIVE_FILE };
+
+// --- Self-trigger flag ---
+// Set before switch-initiated credential writes, checked by the daemon watcher
+// to skip processing for self-initiated changes.
+
+let selfTriggered = false;
+
+export function setSelfTriggerFlag(): void {
+  selfTriggered = true;
+}
+
+export function clearSelfTriggerFlag(): void {
+  selfTriggered = false;
+}
+
+export function isSelfTriggered(): boolean {
+  return selfTriggered;
+}
+
+// --- Atomic write helper ---
+
+async function atomicWriteJson(filePath: string, data: unknown): Promise<void> {
+  const dir = join(filePath, '..');
+  await mkdir(dir, { recursive: true, mode: 0o700 });
+  const tmpFile = `${filePath}.tmp`;
+  await writeFile(tmpFile, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
+  await rename(tmpFile, filePath);
+}
+
+// --- JSON read helper ---
+
+async function readJsonFile<T>(filePath: string): Promise<T | null> {
+  try {
+    const content = await readFile(filePath, 'utf8');
+    if (!content.trim()) return null;
+    return JSON.parse(content) as T;
+  } catch (e: unknown) {
+    if ((e as NodeJS.ErrnoException).code === 'ENOENT') return null;
+    logger.warn({ err: e, filePath }, 'Failed to read/parse JSON file');
+    return null;
+  }
+}
+
+// --- Claude CLI detection ---
+
+function findClaudeBinary(): string | null {
+  try {
+    return execFileSync('which', ['claude'], {
+      encoding: 'utf8',
+      stdio: 'pipe',
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+
+// --- Identity resolution ---
+
+/**
+ * Run `claude auth status` to get the current account identity.
+ * Tries JSON output first, falls back to text parsing.
+ */
+export async function runClaudeAuthStatus(): Promise<ClaudeAuthIdentity | null> {
+  const log = logger.child({ op: 'claudeAuthStatus' });
+
+  if (!findClaudeBinary()) {
+    log.error('Claude CLI not found in PATH. Install from https://docs.anthropic.com/en/docs/claude-code');
+    return null;
+  }
+
+  return new Promise((resolve) => {
+    const child = spawn('claude', ['auth', 'status'], { stdio: 'pipe' });
+    let stdout = '';
+    let stderr = '';
+
+    child.stdout!.on('data', (d: Buffer) => { stdout += d.toString(); });
+    child.stderr!.on('data', (d: Buffer) => { stderr += d.toString(); });
+
+    const timer = setTimeout(() => {
+      child.kill('SIGTERM');
+      log.error('claude auth status timed out');
+      resolve(null);
+    }, 10_000);
+
+    child.on('error', (err) => {
+      clearTimeout(timer);
+      log.error({ err }, 'Failed to spawn claude auth status');
+      resolve(null);
+    });
+
+    child.on('close', (code) => {
+      clearTimeout(timer);
+
+      if (code !== 0) {
+        log.warn({ code, stderr }, 'claude auth status exited with non-zero code');
+        // Still try to parse — some versions return non-zero when not logged in
+      }
+
+      const combined = stdout + stderr;
+
+      // Try JSON parse first (if --json flag was used or output is JSON)
+      try {
+        const json = JSON.parse(combined.trim());
+        const email = json.email ?? json.primaryEmail ?? json.emailAddress ?? null;
+        if (email) {
+          resolve({
+            email,
+            orgName: json.orgName ?? json.org_name ?? '',
+            subscriptionType: json.subscriptionType ?? json.subscription_type ?? '',
+            loggedIn: json.loggedIn ?? json.logged_in ?? true,
+          });
+          return;
+        }
+      } catch {
+        // Not JSON — fall through to text parsing
+      }
+
+      // Text parsing fallback
+      const identity = parseAuthStatusText(combined);
+      if (identity) {
+        resolve(identity);
+      } else {
+        log.warn({ output: combined.slice(0, 500) }, 'Could not parse claude auth status output');
+        resolve(null);
+      }
+    });
+  });
+}
+
+/**
+ * Parse text output from `claude auth status`.
+ * Handles various output formats:
+ *   "Logged in as: user@example.com"
+ *   "Email: user@example.com"
+ *   "Org: MyOrg"
+ *   "Subscription: team"
+ */
+function parseAuthStatusText(text: string): ClaudeAuthIdentity | null {
+  const emailMatch = text.match(/(?:Logged in as|Email)[:\s]+(\S+@\S+)/i);
+  if (!emailMatch) return null;
+
+  const orgMatch = text.match(/Org(?:anization)?[:\s]+(.+)/i);
+  const subMatch = text.match(/Subscription[:\s]+(\S+)/i);
+  const notLoggedIn = /not logged in/i.test(text);
+
+  return {
+    email: emailMatch[1]!,
+    orgName: orgMatch?.[1]?.trim() ?? '',
+    subscriptionType: subMatch?.[1]?.trim() ?? '',
+    loggedIn: !notLoggedIn,
+  };
+}
+
+// --- Profile CRUD ---
+
+export function profilePath(name: string): string {
+  return join(PROFILES_DIR, `${name}.json`);
+}
+
+export async function loadProfile(name: string): Promise<ClaudeProfile | null> {
+  return readJsonFile<ClaudeProfile>(profilePath(name));
+}
+
+export async function saveProfile(profile: ClaudeProfile): Promise<void> {
+  await atomicWriteJson(profilePath(profile.name), profile);
+}
+
+export async function deleteProfileFile(name: string): Promise<boolean> {
+  try {
+    await unlink(profilePath(name));
+    return true;
+  } catch (e: unknown) {
+    if ((e as NodeJS.ErrnoException).code === 'ENOENT') return false;
+    throw e;
+  }
+}
+
+export async function listProfiles(): Promise<ClaudeProfile[]> {
+  const profiles: ClaudeProfile[] = [];
+  try {
+    const entries = await readdir(PROFILES_DIR);
+    for (const entry of entries) {
+      if (!entry.endsWith('.json') || entry === 'active.json') continue;
+      const profile = await readJsonFile<ClaudeProfile>(join(PROFILES_DIR, entry));
+      if (profile?.name) {
+        profiles.push(profile);
+      }
+    }
+  } catch (e: unknown) {
+    if ((e as NodeJS.ErrnoException).code !== 'ENOENT') {
+      logger.warn({ err: e }, 'Failed to list profiles');
+    }
+  }
+  return profiles.sort((a, b) => a.name.localeCompare(b.name));
+}
+
+// --- Active profile tracking ---
+
+export async function loadActiveProfile(): Promise<ClaudeProfileActive | null> {
+  return readJsonFile<ClaudeProfileActive>(ACTIVE_FILE);
+}
+
+export async function setActiveProfile(name: string): Promise<void> {
+  const active: ClaudeProfileActive = {
+    profile: name,
+    switchedAt: new Date().toISOString(),
+  };
+  await atomicWriteJson(ACTIVE_FILE, active);
+}
+
+export async function clearActiveProfile(): Promise<void> {
+  try {
+    await unlink(ACTIVE_FILE);
+  } catch (e: unknown) {
+    if ((e as NodeJS.ErrnoException).code !== 'ENOENT') throw e;
+  }
+}
+
+// --- Credential file I/O ---
+
+export async function readCredentialsFile(): Promise<ClaudeOAuthCredentials | null> {
+  return readJsonFile<ClaudeOAuthCredentials>(CREDENTIALS_FILE);
+}
+
+/**
+ * Write credentials to ~/.claude/.credentials.json using atomic temp+rename.
+ * Pure write — does NOT manage the self-trigger flag. Callers that need to
+ * suppress watcher processing (e.g., switchProfile) must call setSelfTriggerFlag()
+ * themselves before calling this function.
+ */
+export async function writeCredentialsFile(credentials: ClaudeOAuthCredentials): Promise<void> {
+  await atomicWriteJson(CREDENTIALS_FILE, credentials);
+}
+
+// --- Backup management ---
+
+export async function createBackup(credentials: ClaudeOAuthCredentials): Promise<string> {
+  await mkdir(BACKUPS_DIR, { recursive: true, mode: 0o700 });
+  const timestamp = new Date().toISOString().replace(/:/g, '-').replace(/\.\d+Z$/, 'Z');
+  const backupPath = join(BACKUPS_DIR, `${timestamp}.json`);
+  await writeFile(backupPath, JSON.stringify(credentials, null, 2), { encoding: 'utf8', mode: 0o600 });
+  return backupPath;
+}
+
+export async function pruneBackups(maxAgeDays = 7): Promise<number> {
+  const log = logger.child({ op: 'pruneBackups' });
+  const maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000;
+  const cutoff = Date.now() - maxAgeMs;
+  let pruned = 0;
+
+  try {
+    const entries = await readdir(BACKUPS_DIR);
+    for (const entry of entries) {
+      if (!entry.endsWith('.json')) continue;
+      const filePath = join(BACKUPS_DIR, entry);
+      try {
+        const fileStat = await stat(filePath);
+        if (fileStat.mtimeMs < cutoff) {
+          await unlink(filePath);
+          pruned++;
+        }
+      } catch (statErr: unknown) {
+        log.debug({ err: statErr, filePath }, 'Could not stat backup file — skipping');
+      }
+    }
+    if (pruned > 0) {
+      log.info({ pruned }, `Pruned ${pruned} old backup(s)`);
+    }
+  } catch (e: unknown) {
+    if ((e as NodeJS.ErrnoException).code !== 'ENOENT') {
+      log.warn({ err: e }, 'Failed to prune backups');
+    }
+  }
+
+  return pruned;
+}
+
+// --- Token expiry status ---
+
+export interface ExpiryStatus {
+  label: string;
+  status: 'valid' | 'expiring' | 'expired';
+}
+
+export function getExpiryStatus(profile: ClaudeProfile): ExpiryStatus {
+  const expiresAt = profile.credentials.claudeAiOauth?.expiresAt;
+  if (!expiresAt) return { label: '? unknown', status: 'valid' };
+
+  const now = Date.now();
+  const diff = expiresAt - now;
+
+  if (diff < 0) {
+    return { label: '\u2717 expired', status: 'expired' };
+  }
+  if (diff < 2 * 60 * 60 * 1000) {
+    const minutes = Math.round(diff / 60_000);
+    if (minutes < 60) {
+      return { label: `\u26a0 expires in ${minutes}m`, status: 'expiring' };
+    }
+    const hours = Math.round(minutes / 60);
+    return { label: `\u26a0 expires in ${hours}h`, status: 'expiring' };
+  }
+
+  return { label: '\u2713 valid', status: 'valid' };
+}
+
+// --- High-level operations ---
+
+/**
+ * Switch to a named credential profile.
+ * Atomically writes the profile's credentials to ~/.claude/.credentials.json,
+ * updates active.json, then runs `claude auth status` to verify and refresh tokens.
+ */
+export async function switchProfile(name: string): Promise<{ success: boolean; message: string }> {
+  const log = logger.child({ op: 'switchProfile', name });
+
+  const profile = await loadProfile(name);
+  if (!profile) {
+    return { success: false, message: `Profile "${name}" not found` };
+  }
+
+  // Set self-trigger flag so the daemon watcher skips this write
+  setSelfTriggerFlag();
+  log.info({ email: profile.email }, 'Switching to profile');
+  await writeCredentialsFile(profile.credentials);
+  await setActiveProfile(name);
+
+  // Verify and potentially refresh tokens via auth status
+  const identity = await runClaudeAuthStatus();
+  if (!identity || !identity.loggedIn) {
+    log.warn('Auth status verification failed after switch — profile may need re-login');
+    return {
+      success: false,
+      message: `Switched to "${name}" but verification failed. Tokens may be expired — run \`claude login ${name}\` to re-authenticate.`,
+    };
+  }
+
+  // Update profile with potentially refreshed credentials and identity
+  const freshCredentials = await readCredentialsFile();
+  if (freshCredentials) {
+    const updatedProfile: ClaudeProfile = {
+      ...profile,
+      email: identity.email,
+      orgName: identity.orgName,
+      subscriptionType: identity.subscriptionType,
+      savedAt: new Date().toISOString(),
+      credentials: freshCredentials,
+    };
+    await saveProfile(updatedProfile);
+  }
+
+  return {
+    success: true,
+    message: `Switched to "${name}" (${identity.email})`,
+  };
+}
+
+/**
+ * Managed login flow: spawn `claude auth login`, wait for completion,
+ * capture identity via `claude auth status`, save as named profile.
+ */
+export async function loginProfile(
+  name: string,
+  email?: string,
+): Promise<{ success: boolean; message: string }> {
+  const log = logger.child({ op: 'loginProfile', name });
+
+  if (!findClaudeBinary()) {
+    return {
+      success: false,
+      message: 'Claude CLI not found in PATH. Install from https://docs.anthropic.com/en/docs/claude-code',
+    };
+  }
+
+  // Backup current credentials before login
+  const currentCreds = await readCredentialsFile();
+  if (currentCreds) {
+    await createBackup(currentCreds);
+  }
+
+  // Build args — add --email if profile already has one or caller provides it
+  const args = ['auth', 'login'];
+  const existingProfile = await loadProfile(name);
+  const loginEmail = email ?? existingProfile?.email;
+  if (loginEmail) {
+    args.push('--email', loginEmail);
+  }
+
+  log.info({ email: loginEmail }, 'Starting managed login');
+
+  // Spawn interactive login
+  const exitCode = await new Promise<number>((resolve, reject) => {
+    const child = spawn('claude', args, { stdio: 'inherit' });
+
+    const timer = setTimeout(() => {
+      child.kill('SIGTERM');
+      reject(new Error('Login timed out after 2 minutes'));
+    }, 120_000);
+
+    child.on('error', (err) => {
+      clearTimeout(timer);
+      reject(err);
+    });
+
+    child.on('close', (code) => {
+      clearTimeout(timer);
+      resolve(code ?? 1);
+    });
+  });
+
+  if (exitCode !== 0) {
+    return { success: false, message: `Login process exited with code ${exitCode}` };
+  }
+
+  // Capture identity
+  const identity = await runClaudeAuthStatus();
+  if (!identity || !identity.loggedIn) {
+    return { success: false, message: 'Login completed but could not verify identity' };
+  }
+
+  // Read new credentials and save profile
+  const credentials = await readCredentialsFile();
+  if (!credentials) {
+    return { success: false, message: 'Login completed but could not read credentials file' };
+  }
+
+  const profile: ClaudeProfile = {
+    name,
+    email: identity.email,
+    orgName: identity.orgName,
+    subscriptionType: identity.subscriptionType,
+    savedAt: new Date().toISOString(),
+    credentials,
+  };
+
+  await saveProfile(profile);
+  await setActiveProfile(name);
+
+  log.info({ email: identity.email, org: identity.orgName }, 'Login complete, profile saved');
+
+  return {
+    success: true,
+    message: `Logged in and saved as "${name}" (${identity.email}, ${identity.orgName})`,
+  };
+}
+
+/**
+ * Save current credentials as a named profile without login.
+ */
+export async function saveCurrentAsProfile(name: string): Promise<{ success: boolean; message: string }> {
+  const credentials = await readCredentialsFile();
+  if (!credentials) {
+    return { success: false, message: 'No credentials file found at ~/.claude/.credentials.json' };
+  }
+
+  const identity = await runClaudeAuthStatus();
+  if (!identity) {
+    return { success: false, message: 'Could not determine account identity — is Claude CLI installed?' };
+  }
+
+  const profile: ClaudeProfile = {
+    name,
+    email: identity.email,
+    orgName: identity.orgName,
+    subscriptionType: identity.subscriptionType,
+    savedAt: new Date().toISOString(),
+    credentials,
+  };
+
+  await saveProfile(profile);
+  await setActiveProfile(name);
+
+  return {
+    success: true,
+    message: `Saved current credentials as "${name}" (${identity.email})`,
+  };
+}
+
+/**
+ * Delete a named profile. Warns if it's the active profile.
+ */
+export async function deleteProfileByName(name: string): Promise<{ success: boolean; message: string; wasActive: boolean }> {
+  const profile = await loadProfile(name);
+  if (!profile) {
+    return { success: false, message: `Profile "${name}" not found`, wasActive: false };
+  }
+
+  const active = await loadActiveProfile();
+  const wasActive = active?.profile === name;
+
+  await deleteProfileFile(name);
+
+  if (wasActive) {
+    await clearActiveProfile();
+  }
+
+  return {
+    success: true,
+    message: wasActive
+      ? `Deleted profile "${name}" (was active — no profile is now active)`
+      : `Deleted profile "${name}"`,
+    wasActive,
+  };
+}
+
+/**
+ * Get current Claude auth status for display.
+ */
+export async function getClaudeStatus(): Promise<{ success: boolean; message: string; identity?: ClaudeAuthIdentity }> {
+  const identity = await runClaudeAuthStatus();
+  if (!identity) {
+    return { success: false, message: 'Could not get Claude auth status — is Claude CLI installed and in PATH?' };
+  }
+
+  return { success: true, message: '', identity };
+}
+
+// --- Credential watcher handler (called from daemon.ts) ---
+
+/**
+ * Handle an external credential file change detected by the daemon watcher.
+ * Creates a backup, identifies the account, and updates the matching profile.
+ */
+export async function handleCredentialChange(): Promise<void> {
+  const log = logger.child({ op: 'credentialChange' });
+
+  // Check self-trigger flag
+  if (isSelfTriggered()) {
+    clearSelfTriggerFlag();
+    log.debug('Skipping self-triggered credential change');
+    return;
+  }
+
+  // Read the new credentials
+  const credentials = await readCredentialsFile();
+  if (!credentials) {
+    log.warn('Credential file changed but could not be read');
+    return;
+  }
+
+  // Create backup
+  await createBackup(credentials);
+
+  // Identify the account
+  const identity = await runClaudeAuthStatus();
+  if (!identity) {
+    log.warn('Could not identify account after credential change');
+    return;
+  }
+
+  // Compare against saved profiles
+  const profiles = await listProfiles();
+  const matchingProfile = profiles.find((p) => p.email === identity.email);
+
+  if (matchingProfile) {
+    // Update the matching profile's credentials and savedAt
+    const updated: ClaudeProfile = {
+      ...matchingProfile,
+      savedAt: new Date().toISOString(),
+      credentials,
+    };
+    await saveProfile(updated);
+    log.info(
+      { profile: matchingProfile.name, email: identity.email },
+      `Updated profile "${matchingProfile.name}" with refreshed credentials`,
+    );
+  } else {
+    log.warn(
+      { email: identity.email },
+      `Unknown Claude account detected: ${identity.email}. Run \`claude save <name>\` to save it.`,
+    );
+  }
+}