coding-agent-wrapper 0.1.0__py3-none-any.whl

caw/auth/linker.py

@@ -0,0 +1,174 @@
+"""Link/unlink credential files between original locations and ~/.caw/auth/."""
+
+from __future__ import annotations
+
+import shutil
+from pathlib import Path
+
+from rich.console import Console
+
+from .manifest import Manifest
+
+console = Console()
+
+AUTH_DIR = Path.home() / ".caw" / "auth"
+BACKUPS_DIR = AUTH_DIR / ".backups"
+
+
+def _load_manifest(auth_dir: Path | None = None) -> tuple[Manifest, Path]:
+    """Load manifest from auth_dir. Returns (manifest, resolved_auth_dir)."""
+    resolved = auth_dir if auth_dir else AUTH_DIR
+    manifest_path = resolved / "manifest.json"
+    if not manifest_path.exists():
+        console.print("[red]Error: manifest.json not found. Run `caw auth setup` first.[/red]")
+        raise SystemExit(1)
+    return Manifest.load(manifest_path), resolved
+
+
+def link(
+    agents: list[str] | None = None,
+    dry_run: bool = False,
+    force: bool = False,
+    auth_dir: Path | None = None,
+) -> None:
+    """Replace host credential files with symlinks to the auth directory.
+
+    Only links files with type=credential and strategy=symlink.
+    Backs up originals to <auth_dir>/.backups/ first.
+
+    Args:
+        agents: Agent names to link, or None for all.
+        dry_run: Show what would be done without making changes.
+        force: Overwrite existing backups.
+        auth_dir: Custom auth directory. Defaults to ~/.caw/auth/.
+    """
+    manifest, resolved_dir = _load_manifest(auth_dir)
+    backups_dir = resolved_dir / ".backups"
+    host_home = Path(manifest.host_home)
+
+    console.print("[bold]Linking credential files...[/bold]\n")
+
+    # Filter agents
+    agent_names = set(agents) if agents and "all" not in agents else set(manifest.agents.keys())
+
+    linked = 0
+    skipped = 0
+
+    for agent_name, agent_manifest in manifest.agents.items():
+        if agent_name not in agent_names:
+            continue
+
+        for mf in agent_manifest.files:
+            if mf.type != "credential" or mf.strategy != "symlink":
+                continue
+
+            canonical = resolved_dir / mf.src
+            original = host_home / mf.host_original
+
+            if not canonical.exists():
+                console.print(f"  [yellow]Skip {mf.host_original}:[/yellow] canonical file not found at {canonical}")
+                skipped += 1
+                continue
+
+            # Check if already symlinked correctly
+            if original.is_symlink() and original.resolve() == canonical.resolve():
+                console.print(f"  [dim]Already linked: {mf.host_original} -> {canonical}[/dim]")
+                skipped += 1
+                continue
+
+            if dry_run:
+                console.print(f"  [cyan]Would link:[/cyan] {mf.host_original} -> {canonical}")
+                linked += 1
+                continue
+
+            # Backup original if it exists and is not already a symlink
+            if original.exists() and not original.is_symlink():
+                backup_path = backups_dir / mf.host_original
+                backup_path.parent.mkdir(parents=True, exist_ok=True)
+                if backup_path.exists() and not force:
+                    console.print(
+                        f"  [yellow]Backup already exists for {mf.host_original}.[/yellow] Use --force to overwrite."
+                    )
+                    skipped += 1
+                    continue
+                shutil.copy2(str(original), str(backup_path))
+                console.print(f"  [dim]Backed up: {mf.host_original} -> .backups/{mf.host_original}[/dim]")
+
+            # Remove original and create symlink
+            if original.exists() or original.is_symlink():
+                original.unlink()
+            original.parent.mkdir(parents=True, exist_ok=True)
+            original.symlink_to(canonical)
+            console.print(f"  [green]Linked:[/green] {mf.host_original} -> {canonical}")
+            linked += 1
+
+    action = "Would link" if dry_run else "Linked"
+    console.print(f"\n{action} {linked} file(s), skipped {skipped}.")
+
+
+def teardown(
+    agents: list[str] | None = None,
+    dry_run: bool = False,
+    auth_dir: Path | None = None,
+) -> None:
+    """Restore original credential files from backups.
+
+    Removes symlinks and copies backups back to original locations.
+
+    Args:
+        agents: Agent names to restore, or None for all.
+        dry_run: Show what would be done without making changes.
+        auth_dir: Custom auth directory. Defaults to ~/.caw/auth/.
+    """
+    manifest, resolved_dir = _load_manifest(auth_dir)
+    backups_dir = resolved_dir / ".backups"
+    host_home = Path(manifest.host_home)
+
+    console.print("[bold]Unlinking credential files...[/bold]\n")
+
+    agent_names = set(agents) if agents and "all" not in agents else set(manifest.agents.keys())
+
+    restored = 0
+    skipped = 0
+
+    for agent_name, agent_manifest in manifest.agents.items():
+        if agent_name not in agent_names:
+            continue
+
+        for mf in agent_manifest.files:
+            if mf.type != "credential" or mf.strategy != "symlink":
+                continue
+
+            original = host_home / mf.host_original
+            backup_path = backups_dir / mf.host_original
+
+            # Check if it's currently a symlink pointing to our canonical
+            canonical = resolved_dir / mf.src
+            if original.is_symlink() and original.resolve() == canonical.resolve():
+                if backup_path.exists():
+                    if dry_run:
+                        console.print(f"  [cyan]Would restore:[/cyan] {mf.host_original} from backup")
+                        restored += 1
+                        continue
+
+                    original.unlink()
+                    shutil.copy2(str(backup_path), str(original))
+                    console.print(f"  [green]Restored:[/green] {mf.host_original} from backup")
+                    restored += 1
+                else:
+                    if dry_run:
+                        console.print(f"  [cyan]Would copy canonical:[/cyan] {mf.host_original} (no backup found)")
+                        restored += 1
+                        continue
+
+                    # No backup — copy the canonical file as a regular file
+                    original.unlink()
+                    shutil.copy2(str(canonical), str(original))
+                    console.print(f"  [green]Restored:[/green] {mf.host_original} from canonical (no backup)")
+                    restored += 1
+            else:
+                console.print(f"  [dim]Skip {mf.host_original}: not a symlink to our canonical[/dim]")
+                skipped += 1
+
+    action = "Would restore" if dry_run else "Restored"
+    console.print(f"\n{action} {restored} file(s), skipped {skipped}.")

caw/auth/manifest.py

@@ -0,0 +1,77 @@
+"""Manifest schema for ~/.caw/auth/ — describes all managed auth/config files."""
+
+from __future__ import annotations
+
+import json
+from dataclasses import asdict, dataclass, field
+from datetime import datetime, timezone
+from pathlib import Path
+
+
+@dataclass
+class ManifestFile:
+    """A single file entry in the manifest."""
+
+    src: str  # relative path within ~/.caw/auth/, e.g. "claude/credentials.json"
+    container_target: str  # relative to $HOME in container, e.g. ".claude/.credentials.json"
+    host_original: str  # relative to $HOME on host, e.g. ".claude/.credentials.json"
+    type: str  # "credential" or "config"
+    strategy: str  # "symlink" or "copy"
+    mode: str  # e.g. "0600"
+
+
+@dataclass
+class AgentManifest:
+    """Per-agent manifest."""
+
+    files: list[ManifestFile] = field(default_factory=list)
+
+
+@dataclass
+class Manifest:
+    """Top-level manifest for ~/.caw/auth/manifest.json."""
+
+    version: int = 1
+    created_at: str = ""
+    host_home: str = ""
+    container_home: str = "/home/playground"
+    mount_point: str = "/tmp/caw_auth"
+    agents: dict[str, AgentManifest] = field(default_factory=dict)
+
+    def to_dict(self) -> dict:
+        return asdict(self)
+
+    def to_json(self, indent: int = 2) -> str:
+        return json.dumps(self.to_dict(), indent=indent)
+
+    @classmethod
+    def from_dict(cls, data: dict) -> Manifest:
+        agents = {}
+        for name, agent_data in data.get("agents", {}).items():
+            files = [ManifestFile(**f) for f in agent_data.get("files", [])]
+            agents[name] = AgentManifest(files=files)
+        return cls(
+            version=data.get("version", 1),
+            created_at=data.get("created_at", ""),
+            host_home=data.get("host_home", ""),
+            container_home=data.get("container_home", "/home/playground"),
+            mount_point=data.get("mount_point", "/tmp/caw_auth"),
+            agents=agents,
+        )
+
+    @classmethod
+    def load(cls, path: Path) -> Manifest:
+        with open(path) as f:
+            return cls.from_dict(json.load(f))
+
+    def save(self, path: Path) -> None:
+        path.parent.mkdir(parents=True, exist_ok=True)
+        with open(path, "w") as f:
+            f.write(self.to_json())
+
+    @classmethod
+    def create(cls, host_home: str) -> Manifest:
+        return cls(
+            created_at=datetime.now(timezone.utc).isoformat(),
+            host_home=host_home,
+        )

caw/auth/providers.py

@@ -0,0 +1,433 @@
+"""Agent auth providers — knows where each agent stores credentials and config."""
+
+from __future__ import annotations
+
+import json
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from pathlib import Path
+
+from rich.console import Console
+
+from .manifest import ManifestFile
+
+console = Console()
+
+# Default container home directory
+CONTAINER_HOME = "/home/playground"
+
+
+@dataclass
+class CollectedFile:
+    """A file collected from the host, ready to be written to ~/.caw/auth/."""
+
+    manifest_file: ManifestFile
+    content: bytes
+
+
+class AgentAuthProvider(ABC):
+    """Base class for agent auth providers."""
+
+    name: str
+
+    @abstractmethod
+    def validate(self, src_home: Path) -> list[str]:
+        """Return list of missing required file paths (as strings)."""
+
+    @abstractmethod
+    def describe(self, src_home: Path) -> str:
+        """Return a short account info summary."""
+
+    @abstractmethod
+    def collect(self, src_home: Path) -> list[CollectedFile]:
+        """Collect cleaned auth/config files. Returns list of CollectedFile."""
+
+
+# ---------------------------------------------------------------------------
+# Claude
+# ---------------------------------------------------------------------------
+
+CLAUDE_JSON_KEEP_KEYS = {
+    "oauthAccount",
+    "userID",
+    "hasCompletedOnboarding",
+    "lastOnboardingVersion",
+    "numStartups",
+    "installMethod",
+    "firstStartTime",
+    "claudeCodeFirstTokenDate",
+    "s1mAccessCache",
+    "passesEligibilityCache",
+    "groveConfigCache",
+    "sonnet45MigrationComplete",
+    "opus45MigrationComplete",
+    "opusProMigrationComplete",
+    "thinkingMigrationComplete",
+    "autoUpdates",
+}
+
+
+def _build_clean_claude_json(source: dict) -> dict:
+    """Build a minimal .claude.json, keeping only essential keys."""
+    clean = {k: source[k] for k in CLAUDE_JSON_KEEP_KEYS if k in source}
+    clean["projects"] = {
+        CONTAINER_HOME: {
+            "allowedTools": [],
+            "mcpContextUris": [],
+            "mcpServers": {},
+            "enabledMcpjsonServers": [],
+            "disabledMcpjsonServers": [],
+            "hasTrustDialogAccepted": False,
+            "projectOnboardingSeenCount": 1,
+            "hasClaudeMdExternalIncludesApproved": False,
+            "hasClaudeMdExternalIncludesWarningShown": False,
+            "exampleFiles": [],
+            "lastTotalWebSearchRequests": 0,
+        }
+    }
+    return clean
+
+
+class ClaudeAuthProvider(AgentAuthProvider):
+    name = "claude"
+
+    def validate(self, src_home: Path) -> list[str]:
+        missing = []
+        if not (src_home / ".claude.json").exists():
+            missing.append(str(src_home / ".claude.json"))
+        if not (src_home / ".claude" / ".credentials.json").exists():
+            missing.append(str(src_home / ".claude" / ".credentials.json"))
+        return missing
+
+    def describe(self, src_home: Path) -> str:
+        try:
+            with open(src_home / ".claude.json") as f:
+                cfg = json.load(f)
+            account = cfg.get("oauthAccount", {})
+            email = account.get("emailAddress", "unknown")
+            org = account.get("organizationName", "unknown")
+
+            with open(src_home / ".claude" / ".credentials.json") as f:
+                creds = json.load(f)
+            expires_at = creds.get("claudeAiOauth", {}).get("expiresAt")
+            parts = [f"Account: {email}", f"Org: {org}"]
+            if expires_at:
+                from datetime import datetime, timezone
+
+                dt = datetime.fromtimestamp(expires_at / 1000, tz=timezone.utc)
+                parts.append(f"Token expires: {dt.isoformat()}")
+            return ", ".join(parts)
+        except Exception:
+            return "Could not read account info"
+
+    def collect(self, src_home: Path) -> list[CollectedFile]:
+        # credentials.json — credential, symlinked for token refresh write-back
+        with open(src_home / ".claude" / ".credentials.json") as f:
+            credentials = json.load(f)
+
+        cred_file = CollectedFile(
+            manifest_file=ManifestFile(
+                src="claude/credentials.json",
+                container_target=".claude/.credentials.json",
+                host_original=".claude/.credentials.json",
+                type="credential",
+                strategy="symlink",
+                mode="0600",
+            ),
+            content=json.dumps(credentials).encode(),
+        )
+
+        # config.json — cleaned .claude.json for containers, copied (not symlinked)
+        with open(src_home / ".claude.json") as f:
+            local_config = json.load(f)
+
+        clean_config = _build_clean_claude_json(local_config)
+        original_keys = len(local_config)
+        clean_keys = len(clean_config)
+        original_projects = len(local_config.get("projects", {}))
+        console.print(f"  [dim]Stripped .claude.json: {original_keys} keys -> {clean_keys} keys[/dim]")
+        console.print(f"  [dim]Stripped projects: {original_projects} entries -> 1 entry[/dim]")
+
+        config_file = CollectedFile(
+            manifest_file=ManifestFile(
+                src="claude/config.json",
+                container_target=".claude.json",
+                host_original=".claude.json",
+                type="config",
+                strategy="copy",
+                mode="0644",
+            ),
+            content=json.dumps(clean_config, indent=2).encode(),
+        )
+
+        return [cred_file, config_file]
+
+
+# ---------------------------------------------------------------------------
+# Codex
+# ---------------------------------------------------------------------------
+
+
+def _build_clean_codex_config(source_toml: str) -> str:
+    """Build a minimal config.toml for codex, stripping local project trust."""
+    lines: list[str] = []
+    skip_section = False
+
+    for line in source_toml.splitlines():
+        stripped = line.strip()
+        if stripped.startswith("["):
+            if stripped.startswith("[project_trust."):
+                skip_section = True
+                continue
+            skip_section = False
+        if skip_section:
+            continue
+        lines.append(line)
+
+    lines.append("")
+    lines.append(f'[project_trust."{CONTAINER_HOME}"]')
+    lines.append('trust_mode = "full"')
+    lines.append("")
+
+    return "\n".join(lines)
+
+
+class CodexAuthProvider(AgentAuthProvider):
+    name = "codex"
+
+    def validate(self, src_home: Path) -> list[str]:
+        missing = []
+        if not (src_home / ".codex" / "auth.json").exists():
+            missing.append(str(src_home / ".codex" / "auth.json"))
+        return missing
+
+    def describe(self, src_home: Path) -> str:
+        try:
+            with open(src_home / ".codex" / "auth.json") as f:
+                auth_data = json.load(f)
+            has_token = bool(auth_data.get("tokens") or auth_data.get("token") or auth_data.get("access_token"))
+            has_api_key = bool(auth_data.get("OPENAI_API_KEY"))
+            parts = []
+            if has_api_key:
+                parts.append("API key present")
+            if has_token:
+                parts.append("OAuth tokens present")
+            return ", ".join(parts) if parts else "Auth file found (no recognized keys)"
+        except Exception:
+            return "Could not read auth info"
+
+    def collect(self, src_home: Path) -> list[CollectedFile]:
+        files: list[CollectedFile] = []
+
+        # auth.json — credential, symlinked
+        with open(src_home / ".codex" / "auth.json", "rb") as f:
+            auth_content = f.read()
+        files.append(
+            CollectedFile(
+                manifest_file=ManifestFile(
+                    src="codex/auth.json",
+                    container_target=".codex/auth.json",
+                    host_original=".codex/auth.json",
+                    type="credential",
+                    strategy="symlink",
+                    mode="0600",
+                ),
+                content=auth_content,
+            )
+        )
+
+        # config.toml — config, copied (cleaned)
+        config_path = src_home / ".codex" / "config.toml"
+        if config_path.exists():
+            config_text = config_path.read_text()
+            clean_config = _build_clean_codex_config(config_text)
+            files.append(
+                CollectedFile(
+                    manifest_file=ManifestFile(
+                        src="codex/config.toml",
+                        container_target=".codex/config.toml",
+                        host_original=".codex/config.toml",
+                        type="config",
+                        strategy="copy",
+                        mode="0644",
+                    ),
+                    content=clean_config.encode(),
+                )
+            )
+            console.print("  [dim]Stripped config.toml: local project trust -> container trust only[/dim]")
+
+        return files
+
+
+# ---------------------------------------------------------------------------
+# Gemini
+# ---------------------------------------------------------------------------
+
+
+class GeminiAuthProvider(AgentAuthProvider):
+    name = "gemini"
+
+    _CREDENTIAL_FILES = ["oauth_creds.json"]
+    _CONFIG_FILES = ["google_accounts.json", "settings.json", "installation_id"]
+
+    def validate(self, src_home: Path) -> list[str]:
+        creds = src_home / ".gemini" / "oauth_creds.json"
+        if not creds.exists():
+            return [str(creds)]
+        return []
+
+    def describe(self, src_home: Path) -> str:
+        try:
+            accounts_path = src_home / ".gemini" / "google_accounts.json"
+            if accounts_path.exists():
+                with open(accounts_path) as f:
+                    accounts = json.load(f)
+                if isinstance(accounts, list) and accounts:
+                    email = accounts[0].get("email", "unknown")
+                    return f"Account: {email}"
+            return "Credentials present"
+        except Exception:
+            return "Could not read account info"
+
+    def collect(self, src_home: Path) -> list[CollectedFile]:
+        files: list[CollectedFile] = []
+        gemini_dir = src_home / ".gemini"
+
+        # Credential files — symlinked
+        for filename in self._CREDENTIAL_FILES:
+            path = gemini_dir / filename
+            if path.exists():
+                files.append(
+                    CollectedFile(
+                        manifest_file=ManifestFile(
+                            src=f"gemini/{filename}",
+                            container_target=f".gemini/{filename}",
+                            host_original=f".gemini/{filename}",
+                            type="credential",
+                            strategy="symlink",
+                            mode="0600",
+                        ),
+                        content=path.read_bytes(),
+                    )
+                )
+
+        # Config files — copied
+        for filename in self._CONFIG_FILES:
+            path = gemini_dir / filename
+            if path.exists():
+                files.append(
+                    CollectedFile(
+                        manifest_file=ManifestFile(
+                            src=f"gemini/{filename}",
+                            container_target=f".gemini/{filename}",
+                            host_original=f".gemini/{filename}",
+                            type="config",
+                            strategy="copy",
+                            mode="0600",
+                        ),
+                        content=path.read_bytes(),
+                    )
+                )
+
+        found = [f.manifest_file.src.split("/")[-1] for f in files]
+        console.print(f"  [dim]Collected {len(found)} files: {', '.join(found)}[/dim]")
+        return files
+
+
+# ---------------------------------------------------------------------------
+# Cursor
+# ---------------------------------------------------------------------------
+
+CURSOR_CLI_CONFIG_KEEP_KEYS = {
+    "authInfo",
+    "permissions",
+    "model",
+    "approvalMode",
+    "sandbox",
+}
+
+
+class CursorAuthProvider(AgentAuthProvider):
+    name = "cursor"
+
+    def validate(self, src_home: Path) -> list[str]:
+        missing = []
+        auth_json = src_home / ".config" / "cursor" / "auth.json"
+        cli_config = src_home / ".cursor" / "cli-config.json"
+        if not auth_json.exists() and not cli_config.exists():
+            missing.append(str(auth_json))
+            missing.append(str(cli_config))
+        return missing
+
+    def describe(self, src_home: Path) -> str:
+        try:
+            auth_path = src_home / ".config" / "cursor" / "auth.json"
+            if auth_path.exists():
+                with open(auth_path) as f:
+                    auth_data = json.load(f)
+                email = auth_data.get("email", auth_data.get("user", "unknown"))
+                return f"Account: {email}"
+            return "Credentials present"
+        except Exception:
+            return "Could not read account info"
+
+    def collect(self, src_home: Path) -> list[CollectedFile]:
+        files: list[CollectedFile] = []
+
+        # .config/cursor/auth.json — credential, symlinked
+        auth_path = src_home / ".config" / "cursor" / "auth.json"
+        if auth_path.exists():
+            files.append(
+                CollectedFile(
+                    manifest_file=ManifestFile(
+                        src="cursor/auth.json",
+                        container_target=".config/cursor/auth.json",
+                        host_original=".config/cursor/auth.json",
+                        type="credential",
+                        strategy="symlink",
+                        mode="0600",
+                    ),
+                    content=auth_path.read_bytes(),
+                )
+            )
+
+        # .cursor/cli-config.json — config, copied (cleaned)
+        cli_config_path = src_home / ".cursor" / "cli-config.json"
+        if cli_config_path.exists():
+            with open(cli_config_path) as f:
+                full_config = json.load(f)
+            clean = {k: full_config[k] for k in CURSOR_CLI_CONFIG_KEEP_KEYS if k in full_config}
+            stripped = len(full_config) - len(clean)
+            console.print(f"  [dim]Stripped cli-config.json: removed {stripped} keys, kept {len(clean)}[/dim]")
+            files.append(
+                CollectedFile(
+                    manifest_file=ManifestFile(
+                        src="cursor/cli-config.json",
+                        container_target=".cursor/cli-config.json",
+                        host_original=".cursor/cli-config.json",
+                        type="config",
+                        strategy="copy",
+                        mode="0600",
+                    ),
+                    content=json.dumps(clean, indent=2).encode(),
+                )
+            )
+
+        found = [f.manifest_file.src for f in files]
+        console.print(f"  [dim]Files: {', '.join(found)}[/dim]")
+        return files
+
+
+# ---------------------------------------------------------------------------
+# Provider registry
+# ---------------------------------------------------------------------------
+
+PROVIDERS: dict[str, AgentAuthProvider] = {
+    p.name: p
+    for p in [
+        ClaudeAuthProvider(),
+        CodexAuthProvider(),
+        GeminiAuthProvider(),
+        CursorAuthProvider(),
+    ]
+}