kanibako-cli 1.5.0.dev14__py3-none-any.whl

kanibako/__init__.py

@@ -0,0 +1,3 @@
+"""kanibako: Run AI coding agents in rootless containers with per-project isolation."""
+
+__version__ = "1.5.0.dev14"

kanibako/__main__.py

@@ -0,0 +1,6 @@
+"""Allow running kanibako as `python -m kanibako`."""
+
+from kanibako.cli import main
+
+if __name__ == "__main__":
+    main()

kanibako/auth_browser.py

@@ -0,0 +1,296 @@
+"""Automated OAuth refresh via headless browser.
+
+Uses Playwright (optional dependency) to navigate the Claude Code OAuth
+authorization page and click "Authorize" when the IdP session is still
+valid.  Falls back to manual login when the session is stale.
+
+Requires: ``pip install playwright && playwright install chromium``
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+from kanibako.browser_state import (
+    from_playwright_context,
+    load_state,
+    save_state,
+    to_playwright_context,
+)
+from kanibako.log import get_logger
+
+logger = get_logger("auth_browser")
+
+_AUTHORIZE_TIMEOUT_MS = 30_000
+_NAVIGATION_TIMEOUT_MS = 30_000
+
+# Lazy-loaded Playwright symbols.  Populated by _check_playwright() so that
+# tests can patch them at the module level without actually importing Playwright.
+sync_playwright: Any = None
+PWTimeout: type[Exception] = Exception  # fallback type for except clauses
+
+
+@dataclass
+class AuthResult:
+    """Result of an automated OAuth refresh attempt."""
+
+    success: bool
+    key: str | None = None
+    error: str | None = None
+
+
+def _check_playwright() -> bool:
+    """Check if Playwright is available and populate module-level symbols."""
+    global sync_playwright, PWTimeout  # noqa: PLW0603
+    try:
+        from playwright.sync_api import (  # type: ignore[import-not-found]
+            sync_playwright as _sp,
+            TimeoutError as _te,
+        )
+        sync_playwright = _sp
+        PWTimeout = _te
+        return True
+    except ImportError:
+        return False
+
+
+def refresh_auth(
+    url: str,
+    data_path: Path,
+    *,
+    headless: bool = True,
+) -> AuthResult:
+    """Attempt automated OAuth re-authorization via headless browser.
+
+    1. Load stored browser state (cookies from previous sessions)
+    2. Navigate to the OAuth URL
+    3. If authorize button is visible → click it → extract key
+    4. If IdP login form is shown → abort (manual login required)
+    5. Save updated browser state on success
+
+    Returns :class:`AuthResult` with success status and optional key.
+    """
+    if not _check_playwright():
+        return AuthResult(
+            success=False,
+            error="Playwright not installed. Run: pip install playwright && playwright install chromium",
+        )
+
+    state = load_state(data_path)
+    storage_state = to_playwright_context(state) if state.cookies else None
+
+    try:
+        with sync_playwright() as pw:
+            browser = pw.chromium.launch(headless=headless)
+            try:
+                context = browser.new_context(
+                    storage_state=storage_state,
+                ) if storage_state else browser.new_context()
+
+                page = context.new_page()
+                page.set_default_timeout(_NAVIGATION_TIMEOUT_MS)
+
+                logger.debug("Navigating to OAuth URL: %s", url)
+                page.goto(url, wait_until="networkidle")
+
+                # Detect page state
+                result = _handle_auth_page(page)
+
+                if result.success:
+                    # Save updated browser context
+                    ctx_data = context.storage_state()
+                    new_state = from_playwright_context(ctx_data)
+                    save_state(data_path, new_state)
+                    logger.info("OAuth refresh succeeded")
+
+                context.close()
+                return result
+
+            finally:
+                browser.close()
+
+    except PWTimeout:
+        return AuthResult(success=False, error="OAuth page timed out")
+    except Exception as exc:
+        logger.warning("Browser automation failed: %s", exc)
+        return AuthResult(success=False, error=str(exc))
+
+
+def _handle_auth_page(page) -> AuthResult:
+    """Detect and handle the OAuth authorization page.
+
+    Looks for an authorize button or a login form. If the IdP session
+    is still valid, the authorize button should be visible. If not,
+    a login form (Google, GitHub, etc.) will be shown instead.
+    """
+
+    # Check for authorize/approve button (Anthropic consent screen)
+    authorize_selectors = [
+        'button:has-text("Authorize")',
+        'button:has-text("Allow")',
+        'button:has-text("Approve")',
+        'input[type="submit"][value*="Authorize"]',
+        'input[type="submit"][value*="Allow"]',
+    ]
+
+    for selector in authorize_selectors:
+        try:
+            button = page.wait_for_selector(selector, timeout=3000)
+            if button and button.is_visible():
+                logger.debug("Found authorize button: %s", selector)
+                button.click()
+
+                # Wait for redirect after authorization
+                page.wait_for_load_state("networkidle")
+
+                # Try to extract the authorization key from the page
+                key = _extract_key(page)
+                return AuthResult(success=True, key=key)
+        except PWTimeout:
+            continue
+
+    # Check for IdP login form (Google, GitHub, etc.)
+    login_indicators = [
+        'input[type="email"]',
+        'input[type="password"]',
+        '#identifierId',  # Google
+        '#login_field',   # GitHub
+    ]
+
+    for selector in login_indicators:
+        try:
+            el = page.wait_for_selector(selector, timeout=2000)
+            if el and el.is_visible():
+                return AuthResult(
+                    success=False,
+                    error="IdP session expired — manual login required",
+                )
+        except PWTimeout:
+            continue
+
+    # Neither authorize nor login found
+    page_text = page.text_content("body") or ""
+    logger.debug("Unrecognized page state. Body preview: %s", page_text[:200])
+    return AuthResult(
+        success=False,
+        error="Unrecognized OAuth page — manual login required",
+    )
+
+
+def auto_refresh_auth(
+    claude_path: str,
+    data_path: Path,
+    *,
+    headless: bool = True,
+    login_timeout: float = 60,
+) -> AuthResult:
+    """Orchestrate fully automated OAuth: start login, parse URL, automate browser.
+
+    1. Start ``claude auth login`` capturing stdout
+    2. Parse the OAuth URL from the output
+    3. Use :func:`refresh_auth` to navigate with stored cookies
+    4. If the browser clicks "Authorize", the redirect completes the login
+    5. Wait for ``claude auth login`` to finish
+
+    Returns :class:`AuthResult` indicating success or failure.
+    """
+    import subprocess
+    import threading
+
+    from kanibako.auth_parser import parse_auth_output
+
+    if not _check_playwright():
+        return AuthResult(
+            success=False,
+            error="Playwright not installed",
+        )
+
+    # Start claude auth login, capturing output to find the URL.
+    try:
+        proc = subprocess.Popen(
+            [claude_path, "auth", "login"],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            stdin=subprocess.PIPE,
+            text=True,
+        )
+    except (FileNotFoundError, OSError) as exc:
+        return AuthResult(success=False, error=f"Failed to start auth: {exc}")
+
+    # Read output lines until we find an OAuth URL or the process exits.
+    output_lines: list[str] = []
+    url: str | None = None
+    code: str | None = None
+
+    def _read_output() -> None:
+        nonlocal url, code
+        assert proc.stdout is not None
+        for line in proc.stdout:
+            output_lines.append(line)
+            if url is None:
+                prompt = parse_auth_output("".join(output_lines))
+                if prompt:
+                    url = prompt.url
+                    code = prompt.code
+                    return  # Got what we need
+
+    reader = threading.Thread(target=_read_output, daemon=True)
+    reader.start()
+    reader.join(timeout=15)
+
+    if not url:
+        # No URL found — kill process and bail.
+        proc.kill()
+        proc.wait()
+        return AuthResult(success=False, error="No OAuth URL found in auth output")
+
+    logger.info("Auto-auth: navigating to %s", url)
+    result = refresh_auth(url, data_path, headless=headless)
+
+    if result.success:
+        # If we got a key and the process is waiting for input, feed it.
+        key = result.key or code
+        if key and proc.poll() is None and proc.stdin:
+            try:
+                proc.stdin.write(key + "\n")
+                proc.stdin.flush()
+            except OSError:
+                pass
+
+        # Wait for claude auth login to complete.
+        try:
+            proc.wait(timeout=login_timeout)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+    else:
+        proc.kill()
+        proc.wait()
+
+    return result
+
+
+def _extract_key(page) -> str | None:
+    """Try to extract the authorization key from the post-authorize page."""
+    # Look for common patterns: displayed code, input field with key, etc.
+    key_selectors = [
+        'code',
+        '.authorization-code',
+        'input[readonly]',
+        'pre',
+    ]
+
+    for selector in key_selectors:
+        try:
+            el = page.wait_for_selector(selector, timeout=3000)
+            if el:
+                text = el.text_content() or el.get_attribute("value") or ""
+                text = text.strip()
+                if text and len(text) < 200:  # reasonable key length
+                    return text
+        except Exception:
+            continue
+
+    return None

kanibako/auth_parser.py

@@ -0,0 +1,51 @@
+"""Parse Claude Code auth command output to extract OAuth URLs and codes.
+
+Used by the automated OAuth refresh flow to extract the authorization URL
+from ``claude auth login`` output and feed back the authorization code.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+
+
+@dataclass
+class AuthPrompt:
+    """Parsed auth prompt from ``claude auth login`` output."""
+
+    url: str
+    code: str | None = None  # verification code (if displayed)
+
+
+# URL pattern: look for anthropic or console.anthropic URLs
+_URL_RE = re.compile(
+    r"(https?://(?:console\.anthropic\.com|claude\.ai)[^\s\"'<>]+)",
+)
+
+# Verification code: typically 4-8 character alphanumeric.
+# Matches patterns like "code: ABCD1234", "code is: XY12AB", "key = WXYZ99"
+# Requires a colon or equals as separator to avoid false positives.
+_CODE_RE = re.compile(
+    r"(?:verification\s+code|code|key)\s*(?:is)?[:=]\s*([A-Z0-9]{4,8})\b",
+    re.IGNORECASE,
+)
+
+
+def parse_auth_output(output: str) -> AuthPrompt | None:
+    """Extract OAuth URL and optional code from claude auth login output.
+
+    Returns *None* if no recognizable URL is found.
+    """
+    url_match = _URL_RE.search(output)
+    if not url_match:
+        return None
+
+    url = url_match.group(1)
+
+    code: str | None = None
+    code_match = _CODE_RE.search(output)
+    if code_match:
+        code = code_match.group(1)
+
+    return AuthPrompt(url=url, code=code)

kanibako/browser_sidecar.py

@@ -0,0 +1,183 @@
+"""On-demand browser sidecar for AI agents.
+
+Launches a headless Chrome container (``chromedp/headless-shell``) that
+agents can connect to via the Chrome DevTools Protocol over WebSocket.
+The agent receives the ``BROWSER_WS_ENDPOINT`` environment variable
+pointing to the sidecar's DevTools port.
+
+The sidecar is started before the agent container and stopped after it
+exits.  It is *not* a long-running service — it only lives for the
+duration of one agent session.
+"""
+
+from __future__ import annotations
+
+import json
+import subprocess
+import time
+from dataclasses import dataclass
+
+from kanibako.container import ContainerRuntime
+from kanibako.log import get_logger
+
+logger = get_logger("browser_sidecar")
+
+_DEFAULT_IMAGE = "chromedp/headless-shell:latest"
+_CDP_PORT = 9222
+_STARTUP_TIMEOUT = 30
+_HEALTH_CHECK_INTERVAL = 0.5
+
+
+@dataclass
+class BrowserSidecar:
+    """Manages a headless browser container for agent web access.
+
+    The sidecar publishes Chrome DevTools Protocol on a host port.
+    The agent container connects via the host gateway IP.
+    """
+
+    runtime: ContainerRuntime
+    container_name: str
+    image: str = _DEFAULT_IMAGE
+    host_port: int = 0  # 0 = auto-assign
+    _started: bool = False
+
+    def start(self) -> str:
+        """Start the browser sidecar and return the WebSocket endpoint URL.
+
+        Blocks until the container is healthy or *_STARTUP_TIMEOUT* elapses.
+
+        Returns the ``ws://`` URL suitable for ``BROWSER_WS_ENDPOINT``.
+
+        Raises :class:`BrowserSidecarError` on failure.
+        """
+        if self._started:
+            raise BrowserSidecarError("Sidecar already started")
+
+        port_spec = (
+            f"{self.host_port}:{_CDP_PORT}"
+            if self.host_port
+            else str(_CDP_PORT)
+        )
+
+        cmd = [
+            self.runtime.cmd,
+            "run",
+            "-d",
+            "--rm",
+            "--name",
+            self.container_name,
+            "--shm-size=2g",
+            "-p",
+            port_spec,
+            self.image,
+            # headless-shell uses --remote-debugging-address by default;
+            # ensure it listens on all interfaces inside the container.
+            "--remote-debugging-address=0.0.0.0",
+            f"--remote-debugging-port={_CDP_PORT}",
+        ]
+
+        logger.debug("Starting browser sidecar: %s", cmd)
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        if result.returncode != 0:
+            raise BrowserSidecarError(
+                f"Failed to start sidecar: {result.stderr.strip()}"
+            )
+
+        self._started = True
+
+        # Resolve the actual host port (if auto-assigned).
+        actual_port = self._resolve_port()
+
+        # Wait for the DevTools endpoint to be ready.
+        ws_url = self._wait_for_endpoint(actual_port)
+        logger.info("Browser sidecar ready: %s", ws_url)
+        return ws_url
+
+    def stop(self) -> None:
+        """Stop and remove the browser sidecar."""
+        if not self._started:
+            return
+
+        logger.debug("Stopping browser sidecar: %s", self.container_name)
+        self.runtime.stop(self.container_name)
+        # --rm flag means container is auto-removed after stop, but
+        # call rm() defensively in case stop fails to clean up.
+        self.runtime.rm(self.container_name)
+        self._started = False
+
+    def _resolve_port(self) -> int:
+        """Discover the host port assigned to the sidecar's CDP port."""
+        if self.host_port:
+            return self.host_port
+
+        cmd = [
+            self.runtime.cmd,
+            "port",
+            self.container_name,
+            str(_CDP_PORT),
+        ]
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        if result.returncode != 0:
+            raise BrowserSidecarError(
+                f"Failed to resolve sidecar port: {result.stderr.strip()}"
+            )
+
+        # Output format: "0.0.0.0:PORT\n" or "[::]:PORT\n"
+        for line in result.stdout.splitlines():
+            line = line.strip()
+            if ":" in line:
+                port_str = line.rsplit(":", 1)[-1]
+                try:
+                    return int(port_str)
+                except ValueError:
+                    continue
+
+        raise BrowserSidecarError(
+            f"Could not parse port from: {result.stdout.strip()}"
+        )
+
+    def _wait_for_endpoint(self, port: int) -> str:
+        """Poll the DevTools endpoint until it returns a WebSocket URL.
+
+        Chrome's ``/json/version`` endpoint returns the browser's WS URL.
+        """
+        import urllib.request
+
+        url = f"http://127.0.0.1:{port}/json/version"
+        deadline = time.monotonic() + _STARTUP_TIMEOUT
+
+        while time.monotonic() < deadline:
+            try:
+                with urllib.request.urlopen(url, timeout=2) as resp:
+                    data = json.loads(resp.read())
+                ws_url = data.get("webSocketDebuggerUrl", "")
+                if ws_url:
+                    # Replace the internal address with the host-accessible one.
+                    # From inside another container, use the gateway IP.
+                    ws_url = ws_url.replace("ws://0.0.0.0:", f"ws://127.0.0.1:{port}/")
+                    ws_url = ws_url.replace(
+                        f"ws://127.0.0.1:{_CDP_PORT}/",
+                        f"ws://127.0.0.1:{port}/",
+                    )
+                    return ws_url
+            except Exception:
+                time.sleep(_HEALTH_CHECK_INTERVAL)
+
+        raise BrowserSidecarError(
+            f"Sidecar did not become ready within {_STARTUP_TIMEOUT}s"
+        )
+
+
+def ws_endpoint_for_container(ws_url: str) -> str:
+    """Convert a host-local WS URL to one reachable from a container.
+
+    In rootless Podman, the host gateway is typically ``10.0.2.2``
+    (slirp4netns) or ``host.containers.internal`` (pasta).
+    We use ``host.containers.internal`` which works with both.
+    """
+    return ws_url.replace("127.0.0.1", "host.containers.internal")
+
+
+class BrowserSidecarError(Exception):
+    """Error starting or managing the browser sidecar."""

kanibako/browser_state.py

@@ -0,0 +1,103 @@
+"""Persistent browser state for automated OAuth refresh.
+
+Stores Playwright browser context (cookies, localStorage) so that the
+OAuth provider recognizes the session on subsequent refreshes without
+requiring a full re-login.
+"""
+
+from __future__ import annotations
+
+import json
+import time
+from dataclasses import dataclass, field
+from pathlib import Path
+
+from kanibako.log import get_logger
+
+logger = get_logger("browser_state")
+
+
+@dataclass
+class BrowserState:
+    """Persistent browser context for OAuth session reuse.
+
+    Serialized as JSON at ``{data_path}/browser-state/context.json``.
+    """
+
+    cookies: list[dict] = field(default_factory=list)
+    origins: list[dict] = field(default_factory=list)  # localStorage per origin
+    updated_at: float = 0.0
+
+    def is_fresh(self, max_age_days: float = 30.0) -> bool:
+        """Check if the stored state is recent enough to be useful."""
+        if not self.cookies:
+            return False
+        age = time.time() - self.updated_at
+        return age < max_age_days * 86400
+
+
+def state_path(data_path: Path) -> Path:
+    """Return the browser state file path."""
+    return data_path / "browser-state" / "context.json"
+
+
+def load_state(data_path: Path) -> BrowserState:
+    """Load browser state from disk.  Returns empty state on missing/corrupt file."""
+    path = state_path(data_path)
+    if not path.is_file():
+        return BrowserState()
+
+    try:
+        with open(path) as f:
+            data = json.load(f)
+        if not isinstance(data, dict):
+            return BrowserState()
+        return BrowserState(
+            cookies=data.get("cookies", []),
+            origins=data.get("origins", []),
+            updated_at=float(data.get("updated_at", 0)),
+        )
+    except (json.JSONDecodeError, OSError, ValueError) as exc:
+        logger.warning("Failed to load browser state: %s", exc)
+        return BrowserState()
+
+
+def save_state(data_path: Path, state: BrowserState) -> None:
+    """Persist browser state to disk."""
+    path = state_path(data_path)
+    path.parent.mkdir(parents=True, exist_ok=True)
+
+    state.updated_at = time.time()
+    data = {
+        "cookies": state.cookies,
+        "origins": state.origins,
+        "updated_at": state.updated_at,
+    }
+    with open(path, "w") as f:
+        json.dump(data, f, indent=2)
+    logger.debug("Saved browser state: %d cookies", len(state.cookies))
+
+
+def clear_state(data_path: Path) -> None:
+    """Remove stored browser state (e.g. on logout or credential invalidation)."""
+    path = state_path(data_path)
+    if path.is_file():
+        path.unlink()
+        logger.debug("Cleared browser state")
+
+
+def to_playwright_context(state: BrowserState) -> dict:
+    """Convert BrowserState to Playwright's storageState format."""
+    return {
+        "cookies": state.cookies,
+        "origins": state.origins,
+    }
+
+
+def from_playwright_context(context: dict) -> BrowserState:
+    """Create BrowserState from Playwright's storageState output."""
+    return BrowserState(
+        cookies=context.get("cookies", []),
+        origins=context.get("origins", []),
+        updated_at=time.time(),
+    )