codespeak-cli 0.2.0__py3-none-any.whl

codespeak_cli-0.2.0.dist-info/METADATA

@@ -0,0 +1,11 @@
+Metadata-Version: 2.4
+Name: codespeak-cli
+Version: 0.2.0
+Summary: CodeSpeak Console Client
+Requires-Python: >=3.13
+Requires-Dist: codespeak-api-stubs==0.2.0
+Requires-Dist: codespeak-shared==0.2.0
+Requires-Dist: python-dotenv>=1.0.0
+Requires-Dist: requests>=2.32.4
+Requires-Dist: rich>=13.0.0
+Requires-Dist: ripgrep==14.1

codespeak_cli-0.2.0.dist-info/RECORD

@@ -0,0 +1,19 @@
+console_client/__init__.py,sha256=sY7kWaw7NGBMJAeOJvlMlwpiulhQpaa8_841H_nkxiU,42
+console_client/build_client.py,sha256=P58nJ1AZMMgw2aD9BvCji1MxEwnQghaZzi_nDxN-Clk,14019
+console_client/build_client_event_converter.py,sha256=SBVPkunBKqhyeIqEGiLU2nuTCSdC_Hma3as79GkEP18,6848
+console_client/client_feature_flags.py,sha256=hDvab8bgDqPedpRJNgFdS41krO8bAcUBEw417aBY1Pk,966
+console_client/console_client_logging.py,sha256=9xWdmAg_0qPJMpkY1pQulzw3wfVqmcTYH8RnkYJnhb0,7817
+console_client/console_client_main.py,sha256=gf3osr90ZMnpwsjeA2mnbN7E75QkzPYFa0Er_bWBbPA,14248
+console_client/os_environment_servicer.py,sha256=Y7_rno1iWExIA3s_KWxIUF-KOnGgn_ecRyMOKa102Xs,31194
+console_client/sequence_reorder_buffer.py,sha256=thLpyk0jLT7yCWSWT2A8LV_YyRWtmDiFN71DCZMGKjk,3406
+console_client/version.py,sha256=JlndyH3QDUIEcgChbg7FLBX75b87VrU47TQP7Scgh9M,329
+console_client/auth/__init__.py,sha256=5bTbyJoj2lMXSpb1_3tVtwSswYqIkWH4HgNn8gfWfwY,47
+console_client/auth/auth_manager.py,sha256=hvaADY1P7DcMZkzi4vgTd666OnOIBChCDgr2gR-De7k,6188
+console_client/auth/callback_server.py,sha256=sclAiQPbcqJo_B43E2XlNzb5U8X4DDyZuBP5RyoprPc,6300
+console_client/auth/exceptions.py,sha256=QlP2tE7MIMZaxzG3LqevYNMgaU8qR3w34oz-UzRGst4,3001
+console_client/auth/oauth_pkce.py,sha256=Ok6g1HGSe_O0VZ1rMEuULgADSPPGUMOQTuh71ZUDWZI,4008
+console_client/auth/token_storage.py,sha256=b-SlDFyHpbH3XYlh6COmI3TXe-LUskHPlmr0B5miyxw,3364
+codespeak_cli-0.2.0.dist-info/METADATA,sha256=0gDpsr88qXjVqMBbiHCiZ9dUZOhrST7xoUBahq9Ksfk,321
+codespeak_cli-0.2.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+codespeak_cli-0.2.0.dist-info/entry_points.txt,sha256=Vcsd4x8g7uMTL4g9E6NwKDIeRMNToU5ltoBhOcQARHM,126
+codespeak_cli-0.2.0.dist-info/RECORD,,

codespeak_cli-0.2.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.28.0
+Root-Is-Purelib: true
+Tag: py3-none-any

codespeak_cli-0.2.0.dist-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+codespeak = console_client.console_client_main:main
+codespeak-cli = console_client.console_client_main:main

console_client/__init__.py

@@ -0,0 +1 @@
+"""Build client package for CodeSpeak."""

console_client/auth/__init__.py

@@ -0,0 +1 @@
+"""Authentication module for CodeSpeak CLI."""

console_client/auth/auth_manager.py

@@ -0,0 +1,156 @@
+"""Authentication manager for orchestrating the OAuth login flow."""
+
+import os
+import secrets
+import webbrowser
+
+import requests
+from rich.console import Console
+
+from console_client.auth.callback_server import OAuthCallbackServer
+from console_client.auth.exceptions import (
+    Auth0CallbackError,
+    LoginTimeoutUserError,
+    StateMismatchUserError,
+    TokenExchangeFailedUserError,
+    TokenStorageFailedUserError,
+)
+from console_client.auth.oauth_pkce import (
+    OAuthConfig,
+    build_authorization_url,
+    exchange_code_for_token,
+    generate_code_challenge,
+    generate_code_verifier,
+)
+from console_client.auth.token_storage import save_token
+from console_client.client_feature_flags import ConsoleClientFeatureFlags
+
+
+def login(console: Console, client_feature_flags: ConsoleClientFeatureFlags) -> None:
+    """
+    Orchestrate the OAuth PKCE login flow with Auth0.
+
+    Steps:
+    1. Read Auth0 configuration from feature flags
+    2. Start local callback server
+    3. Generate PKCE parameters (code_verifier, code_challenge, state)
+    4. Build authorization URL
+    5. Open browser to Auth0 login page
+    6. Wait for callback
+    7. Validate state parameter
+    8. Exchange authorization code for token
+    9. Save access token to ~/.codespeak/token
+    10. Display success message
+
+    Args:
+        console: Rich console for user output.
+        client_feature_flags: Feature flags instance for reading Auth0 configuration.
+
+    Raises:
+        Auth0NotConfiguredUserError: If Auth0 configuration is missing.
+        LoginTimeoutUserError: If user doesn't complete login in time.
+        StateMismatchUserError: If OAuth state validation fails.
+        TokenExchangeFailedUserError: If code-to-token exchange fails.
+        TokenStorageFailedUserError: If token cannot be saved.
+        Auth0CallbackError: If Auth0 returns an error.
+    """
+    # Step 1: Read Auth0 configuration from feature flags
+    auth0_domain = client_feature_flags.get_flag_value(ConsoleClientFeatureFlags.CONSOLE_CLIENT_AUTH0_DOMAIN)
+    client_id = client_feature_flags.get_flag_value(ConsoleClientFeatureFlags.CONSOLE_CLIENT_AUTH0_CLIENT_ID)
+    scopes_str = client_feature_flags.get_flag_value(ConsoleClientFeatureFlags.CONSOLE_CLIENT_AUTH0_SCOPES)
+    scopes = scopes_str.split()
+    callback_timeout = client_feature_flags.get_flag_value(
+        ConsoleClientFeatureFlags.CONSOLE_CLIENT_AUTH0_CALLBACK_TIMEOUT
+    )
+
+    # Step 2: Start local callback server
+    console.print("[blue]Starting local callback server...[/blue]")
+    callback_server = OAuthCallbackServer(timeout=callback_timeout)
+
+    try:
+        redirect_uri = callback_server.start()
+        console.print(f"[dim]Callback server listening on {redirect_uri}[/dim]")
+
+        # Step 3: Generate PKCE parameters
+        code_verifier = generate_code_verifier()
+        code_challenge = generate_code_challenge(code_verifier)
+        state = secrets.token_urlsafe(32)
+
+        # Step 4: Build authorization URL
+        oauth_config = OAuthConfig(
+            auth0_domain=auth0_domain,
+            client_id=client_id,
+            redirect_uri=redirect_uri,
+            scopes=scopes,
+        )
+
+        auth_url = build_authorization_url(oauth_config, code_challenge, state)
+
+        # Step 5: Open browser
+        console.print(f"\n[bold green]Opening browser for authentication...[/bold green]")
+        console.print(f"[dim]If browser doesn't open automatically, visit:[/dim]")
+        console.print(f"[dim]{auth_url}[/dim]\n")
+
+        browser_opened = webbrowser.open(auth_url)
+        if not browser_opened:
+            console.print("[yellow]Warning: Failed to open browser automatically.[/yellow]")
+            console.print(f"[yellow]Please manually visit: {auth_url}[/yellow]\n")
+
+        # Step 6: Wait for callback
+        console.print("[blue]Waiting for authentication...[/blue]")
+        console.print("[dim](You can press Ctrl+C to cancel)[/dim]\n")
+
+        try:
+            authorization_code, state_received, error = callback_server.wait_for_callback()
+        except TimeoutError:
+            raise LoginTimeoutUserError(callback_timeout) from None
+
+        # Check for Auth0 error
+        if error:
+            error_description = os.environ.get("error_description")
+            raise Auth0CallbackError(error, error_description)
+
+        # Step 7: Validate state
+        if state_received != state:
+            raise StateMismatchUserError()
+
+        # Step 8: Exchange code for token
+        console.print("[blue]Exchanging authorization code for token...[/blue]")
+
+        try:
+            tokens = exchange_code_for_token(oauth_config, authorization_code, code_verifier)  # type: ignore
+        except requests.RequestException as e:
+            error_detail = str(e)
+            if hasattr(e, "response") and e.response is not None:
+                try:
+                    error_json = e.response.json()
+                    error_detail = error_json.get("error_description", error_json.get("error", str(e)))
+                except Exception:  # noqa: BLE001
+                    error_detail = e.response.text or str(e)
+            raise TokenExchangeFailedUserError(error_detail) from e
+
+        # Step 9: Save token
+        console.print("[blue]Saving authentication token...[/blue]")
+
+        try:
+            save_token(tokens.access_token, tokens.expires_in)
+        except OSError as e:
+            raise TokenStorageFailedUserError(str(e)) from e
+
+        # Step 10: Display success
+        console.print("\n[bold green]✓ Authentication successful![/bold green]")
+        console.print("[green]Token saved to ~/.codespeak/token.json[/green]")
+
+        if tokens.expires_in > 0:
+            hours = tokens.expires_in // 3600
+            minutes = (tokens.expires_in % 3600) // 60
+            if hours > 0:
+                console.print(f"[dim]Token expires in {hours}h {minutes}m[/dim]")
+            else:
+                console.print(f"[dim]Token expires in {minutes}m[/dim]")
+
+        console.print("\n[green]You can now use CodeSpeak commands that require authentication.[/green]")
+
+    finally:
+        # Always shutdown the callback server
+        callback_server.shutdown()

console_client/auth/callback_server.py

@@ -0,0 +1,170 @@
+"""Local HTTP server for OAuth callback handling."""
+
+import threading
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import ClassVar
+from urllib.parse import parse_qs, urlparse
+
+from codespeak_shared.utils.ports import is_port_free
+
+
+class OAuthCallbackServer:
+    """Local HTTP server to receive OAuth callback."""
+
+    # Ports to try (must all be configured in Auth0's Allowed Callback URLs)
+    # Configure these in Auth0: http://localhost:8080/callback, http://localhost:8081/callback, etc.
+    ALLOWED_PORTS = [8080, 8081, 8082, 8083, 8084, 8085, 8086, 8087, 8088, 8089]
+
+    # Class variables shared with handler (intentionally not private)
+    authorization_code: ClassVar[str | None] = None
+    state_received: ClassVar[str | None] = None
+    error: ClassVar[str | None] = None
+    callback_received: ClassVar[threading.Event] = threading.Event()
+
+    def __init__(self, timeout: int = 300):
+        """
+        Initialize the OAuth callback server.
+
+        Args:
+            timeout: Maximum time to wait for callback in seconds (default: 300 = 5 minutes).
+        """
+        self._timeout = timeout
+        self._port: int = 0
+        self._server: HTTPServer | None = None
+        self._server_thread: threading.Thread | None = None
+
+    def start(self) -> str:
+        """
+        Start the callback server on a free port.
+
+        Returns:
+            The redirect URI (e.g., "http://localhost:8080/callback").
+
+        Raises:
+            RuntimeError: If the server fails to start.
+        """
+        # Reset class variables
+        OAuthCallbackServer.authorization_code = None
+        OAuthCallbackServer.state_received = None
+        OAuthCallbackServer.error = None
+        OAuthCallbackServer.callback_received.clear()
+
+        # Try each allowed port in sequence
+        server_started = False
+        for port in self.ALLOWED_PORTS:
+            if is_port_free(port):
+                try:
+                    self._server = HTTPServer(("localhost", port), _OAuthCallbackHandler)
+                    self._port = port
+                    server_started = True
+                    break
+                except OSError:
+                    # Port became busy between check and bind, try next
+                    continue
+
+        if not server_started:
+            ports_str = ", ".join(str(p) for p in self.ALLOWED_PORTS)
+            raise RuntimeError(
+                f"Failed to start callback server. All allowed ports are busy: {ports_str}\n"
+                f"Please close other applications using these ports and try again.\n"
+                f"These ports must be configured in Auth0's Allowed Callback URLs."
+            )
+
+        # Start server in background thread
+        assert self._server is not None  # Ensured by server_started check above
+        self._server_thread = threading.Thread(target=self._server.serve_forever, daemon=True)
+        self._server_thread.start()
+
+        return f"http://localhost:{self._port}/callback"
+
+    def wait_for_callback(self) -> tuple[str | None, str | None, str | None]:
+        """
+        Wait for the OAuth callback.
+
+        Blocks until callback is received or timeout occurs.
+
+        Returns:
+            Tuple of (authorization_code, state_received, error).
+            If timeout, all values will be None.
+
+        Raises:
+            TimeoutError: If no callback is received within the timeout period.
+        """
+        # Wait for callback with timeout
+        callback_received = OAuthCallbackServer.callback_received.wait(timeout=self._timeout)
+
+        if not callback_received:
+            raise TimeoutError(f"No callback received within {self._timeout} seconds")
+
+        return (
+            OAuthCallbackServer.authorization_code,
+            OAuthCallbackServer.state_received,
+            OAuthCallbackServer.error,
+        )
+
+    def shutdown(self) -> None:
+        """Shutdown the callback server."""
+        if self._server:
+            self._server.shutdown()
+            self._server = None
+        if self._server_thread:
+            self._server_thread.join(timeout=1)
+            self._server_thread = None
+
+
+class _OAuthCallbackHandler(BaseHTTPRequestHandler):
+    """HTTP request handler for OAuth callback."""
+
+    def log_message(self, format: str, *args: object) -> None:  # noqa: ARG002, A002
+        """Suppress default HTTP server logging."""
+
+    def do_GET(self) -> None:  # noqa: N802
+        """Handle GET request to /callback."""
+        # Parse URL
+        parsed_url = urlparse(self.path)
+
+        if parsed_url.path == "/callback":
+            # Parse query parameters
+            query_params = parse_qs(parsed_url.query)
+
+            # Extract authorization code, state, and error
+            OAuthCallbackServer.authorization_code = query_params.get("code", [None])[0]
+            OAuthCallbackServer.state_received = query_params.get("state", [None])[0]
+            OAuthCallbackServer.error = query_params.get("error", [None])[0]
+
+            # Signal that callback was received
+            OAuthCallbackServer.callback_received.set()
+
+            # Send success response
+            self.send_response(200)
+            self.send_header("Content-type", "text/html")
+            self.end_headers()
+
+            # Display success page
+            if OAuthCallbackServer.error:
+                html = f"""
+                <html>
+                <head><title>Authentication Error</title></head>
+                <body>
+                    <h1>Authentication Error</h1>
+                    <p>Error: {OAuthCallbackServer.error}</p>
+                    <p>You can close this window now.</p>
+                </body>
+                </html>
+                """
+            else:
+                html = """
+                <html>
+                <head><title>Authentication Successful</title></head>
+                <body>
+                    <h1>Authentication Successful!</h1>
+                    <p>You have been successfully authenticated with CodeSpeak.</p>
+                    <p>You can close this window now and return to the terminal.</p>
+                </body>
+                </html>
+                """
+
+            self.wfile.write(html.encode("utf-8"))
+        else:
+            # Return 404 for other paths
+            self.send_error(404)

console_client/auth/exceptions.py

@@ -0,0 +1,83 @@
+"""Authentication-specific exceptions for CodeSpeak CLI."""
+
+from codespeak_shared.exceptions import CodespeakUserError
+
+
+class Auth0NotConfiguredUserError(CodespeakUserError):
+    """Raised when Auth0 configuration is missing or incomplete."""
+
+    def __init__(self, missing_config: str):
+        message = (
+            f"Auth0 is not configured. Missing: {missing_config}\n\n"
+            "Please set the following environment variables:\n"
+            "  - CODESPEAK_AUTH0_CLIENT_ID (required)\n"
+            "  - CODESPEAK_AUTH0_DOMAIN (optional, defaults to codespeak.us.auth0.com)\n\n"
+            "See documentation for Auth0 setup instructions."
+        )
+        super().__init__(message)
+
+
+class LoginTimeoutUserError(CodespeakUserError):
+    """Raised when the user doesn't complete login within the timeout period."""
+
+    def __init__(self, timeout_seconds: int):
+        message = f"Login timed out after {timeout_seconds} seconds.\nPlease try again with: codespeak login"
+        super().__init__(message)
+
+
+class LoginCancelledUserError(CodespeakUserError):
+    """Raised when the user cancels the login process."""
+
+    def __init__(self):
+        message = "Login cancelled by user."
+        super().__init__(message)
+
+
+class StateMismatchUserError(CodespeakUserError):
+    """Raised when the OAuth state parameter doesn't match (potential CSRF attack)."""
+
+    def __init__(self):
+        message = (
+            "Security error: OAuth state mismatch detected.\n"
+            "This could indicate a CSRF attack. Please try logging in again."
+        )
+        super().__init__(message)
+
+
+class TokenExchangeFailedUserError(CodespeakUserError):
+    """Raised when the authorization code to token exchange fails."""
+
+    def __init__(self, error_detail: str):
+        message = f"Failed to exchange authorization code for token.\nError: {error_detail}"
+        super().__init__(message)
+
+
+class TokenStorageFailedUserError(CodespeakUserError):
+    """Raised when the token cannot be saved to the filesystem."""
+
+    def __init__(self, error_detail: str):
+        message = (
+            f"Failed to save authentication token to ~/.codespeak/token.json\n"
+            f"Error: {error_detail}\n\n"
+            "Please check file permissions and disk space."
+        )
+        super().__init__(message)
+
+
+class Auth0CallbackError(CodespeakUserError):
+    """Raised when Auth0 returns an error in the callback."""
+
+    def __init__(self, error: str, error_description: str | None = None):
+        if error_description:
+            message = f"Authentication failed: {error}\nDetails: {error_description}"
+        else:
+            message = f"Authentication failed: {error}"
+        super().__init__(message)
+
+
+class TokenExpiredUserError(CodespeakUserError):
+    """Raised when the user's access token has expired."""
+
+    def __init__(self):
+        message = "Your authentication token has expired. Please run 'codespeak login' to re-authenticate."
+        super().__init__(message)

console_client/auth/oauth_pkce.py

@@ -0,0 +1,134 @@
+# ruff: noqa: TID251
+"""OAuth 2.0 Authorization Code with PKCE flow implementation."""
+
+import base64
+import hashlib
+import secrets
+from dataclasses import dataclass
+from urllib.parse import urlencode
+
+import requests
+
+
+@dataclass
+class OAuthConfig:
+    """OAuth configuration for Auth0 authentication."""
+
+    auth0_domain: str  # e.g., "codespeak.us.auth0.com"
+    client_id: str  # Auth0 application client ID
+    redirect_uri: str  # e.g., "http://localhost:8080/callback"
+    scopes: list[str]  # e.g., ["openid", "profile", "email"]
+
+
+@dataclass
+class OAuthTokens:
+    """OAuth tokens returned from token exchange."""
+
+    access_token: str
+    id_token: str | None
+    refresh_token: str | None
+    expires_in: int
+    token_type: str
+
+
+def generate_code_verifier() -> str:
+    """
+    Generate a cryptographically random code verifier for PKCE.
+
+    The verifier is a random string between 43-128 characters using
+    unreserved characters [A-Z, a-z, 0-9, -, ., _, ~].
+
+    Returns:
+        Base64url-encoded random string (64 characters).
+    """
+    # Generate 32 random bytes and base64url encode (results in 43 chars without padding)
+    # Using 48 bytes to get ~64 characters for better security
+    random_bytes = secrets.token_bytes(48)
+    # Base64url encoding without padding
+    return base64.urlsafe_b64encode(random_bytes).decode("utf-8").rstrip("=")
+
+
+def generate_code_challenge(code_verifier: str) -> str:
+    """
+    Generate the code challenge from the code verifier for PKCE.
+
+    The challenge is the SHA256 hash of the verifier, base64url encoded.
+
+    Args:
+        code_verifier: The code verifier string.
+
+    Returns:
+        Base64url-encoded SHA256 hash of the code verifier.
+    """
+    # SHA256 hash of the verifier
+    sha256_hash = hashlib.sha256(code_verifier.encode("utf-8")).digest()
+    # Base64url encoding without padding
+    return base64.urlsafe_b64encode(sha256_hash).decode("utf-8").rstrip("=")
+
+
+def build_authorization_url(config: OAuthConfig, code_challenge: str, state: str) -> str:
+    """
+    Build the Auth0 authorization URL for the OAuth flow.
+
+    Args:
+        config: OAuth configuration.
+        code_challenge: The PKCE code challenge.
+        state: Random state parameter for CSRF protection.
+
+    Returns:
+        Complete authorization URL to open in browser.
+    """
+    params = {
+        "response_type": "code",
+        "client_id": config.client_id,
+        "redirect_uri": config.redirect_uri,
+        "scope": " ".join(config.scopes),
+        "state": state,
+        "code_challenge": code_challenge,
+        "code_challenge_method": "S256",
+    }
+
+    base_url = f"https://{config.auth0_domain}/authorize"
+    return f"{base_url}?{urlencode(params)}"
+
+
+def exchange_code_for_token(config: OAuthConfig, code: str, code_verifier: str) -> OAuthTokens:
+    """
+    Exchange the authorization code for access token.
+
+    Args:
+        config: OAuth configuration.
+        code: Authorization code from callback.
+        code_verifier: The original code verifier for PKCE.
+
+    Returns:
+        OAuth tokens including access_token.
+
+    Raises:
+        requests.RequestException: If the token exchange request fails.
+        KeyError: If the response doesn't contain expected fields.
+    """
+    token_url = f"https://{config.auth0_domain}/oauth/token"
+
+    payload = {
+        "grant_type": "authorization_code",
+        "client_id": config.client_id,
+        "code": code,
+        "redirect_uri": config.redirect_uri,
+        "code_verifier": code_verifier,
+    }
+
+    headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+    response = requests.post(token_url, data=payload, headers=headers, timeout=30)
+    response.raise_for_status()
+
+    data = response.json()
+
+    return OAuthTokens(
+        access_token=data["access_token"],
+        id_token=data.get("id_token"),
+        refresh_token=data.get("refresh_token"),
+        expires_in=data.get("expires_in", 0),
+        token_type=data.get("token_type", "Bearer"),
+    )