kanibako-cli 1.5.0__py3-none-any.whl

kanibako/__init__.py

@@ -0,0 +1,3 @@
+"""kanibako: Run AI coding agents in rootless containers with per-project isolation."""
+
+__version__ = "1.5.0"

kanibako/__main__.py

@@ -0,0 +1,6 @@
+"""Allow running kanibako as `python -m kanibako`."""
+
+from kanibako.cli import main
+
+if __name__ == "__main__":
+    main()

kanibako/_atomic.py

@@ -0,0 +1,62 @@
+"""Atomic file writes for persistent state.
+
+A crash mid-write with a plain ``path.write_text(...)`` leaves a torn/truncated
+file that the next run fails to parse.  Writing to a temp file in the *same
+directory* and then ``os.replace``-ing it over the target is atomic on POSIX
+(``rename(2)`` within one filesystem), so a reader sees either the old file or
+the new one — never a half-written one.
+
+These helpers are dependency-free (only the stdlib) so any module can route its
+registry/state writes through them without risking an import cycle.
+"""
+
+from __future__ import annotations
+
+import os
+import tempfile
+from pathlib import Path
+
+import yaml
+
+
+def atomic_write_text(path: Path, data: str) -> None:
+    """Write *data* to *path* atomically.
+
+    The bytes land in a temp file in ``path.parent`` (so ``os.replace`` stays on
+    one filesystem), are flushed and ``fsync``-ed, then renamed over *path*.  On
+    any failure the temp file is removed and the original *path* is left intact.
+    Parent directories are created if needed.
+    """
+    path = Path(path)
+    path.parent.mkdir(parents=True, exist_ok=True)
+
+    encoded = data.encode("utf-8")
+    # Create the temp file in the SAME directory as the target so os.replace is
+    # a same-filesystem rename (atomic).  delete=False so we control the rename.
+    fd, tmp_name = tempfile.mkstemp(
+        prefix=f".{path.name}.", suffix=".tmp", dir=str(path.parent),
+    )
+    tmp_path = Path(tmp_name)
+    try:
+        with os.fdopen(fd, "wb") as fh:
+            fh.write(encoded)
+            fh.flush()
+            os.fsync(fh.fileno())
+        os.replace(tmp_path, path)
+    except BaseException:
+        # Leave the original file untouched; clean up the temp on any failure.
+        try:
+            tmp_path.unlink()
+        except OSError:
+            pass
+        raise
+
+
+def atomic_write_yaml(path: Path, data: object, **dump_kwargs: object) -> None:
+    """Serialize *data* to YAML and write it to *path* atomically.
+
+    A thin convenience over :func:`atomic_write_text` for the common case of a
+    YAML document.  Extra keyword arguments are forwarded to ``yaml.safe_dump``.
+    """
+    text = yaml.safe_dump(data, **dump_kwargs)
+    atomic_write_text(path, text)

kanibako/auth_browser.py

@@ -0,0 +1,296 @@
+"""Automated OAuth refresh via headless browser.
+
+Uses Playwright (optional dependency) to navigate the Claude Code OAuth
+authorization page and click "Authorize" when the IdP session is still
+valid.  Falls back to manual login when the session is stale.
+
+Requires: ``pip install playwright && playwright install chromium``
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+from kanibako.browser_state import (
+    from_playwright_context,
+    load_state,
+    save_state,
+    to_playwright_context,
+)
+from kanibako.log import get_logger
+
+logger = get_logger("auth_browser")
+
+_AUTHORIZE_TIMEOUT_MS = 30_000
+_NAVIGATION_TIMEOUT_MS = 30_000
+
+# Lazy-loaded Playwright symbols.  Populated by _check_playwright() so that
+# tests can patch them at the module level without actually importing Playwright.
+sync_playwright: Any = None
+PWTimeout: type[Exception] = Exception  # fallback type for except clauses
+
+
+@dataclass
+class AuthResult:
+    """Result of an automated OAuth refresh attempt."""
+
+    success: bool
+    key: str | None = None
+    error: str | None = None
+
+
+def _check_playwright() -> bool:
+    """Check if Playwright is available and populate module-level symbols."""
+    global sync_playwright, PWTimeout  # noqa: PLW0603
+    try:
+        from playwright.sync_api import (  # type: ignore[import-not-found]
+            sync_playwright as _sp,
+            TimeoutError as _te,
+        )
+        sync_playwright = _sp
+        PWTimeout = _te
+        return True
+    except ImportError:
+        return False
+
+
+def refresh_auth(
+    url: str,
+    data_path: Path,
+    *,
+    headless: bool = True,
+) -> AuthResult:
+    """Attempt automated OAuth re-authorization via headless browser.
+
+    1. Load stored browser state (cookies from previous sessions)
+    2. Navigate to the OAuth URL
+    3. If authorize button is visible → click it → extract key
+    4. If IdP login form is shown → abort (manual login required)
+    5. Save updated browser state on success
+
+    Returns :class:`AuthResult` with success status and optional key.
+    """
+    if not _check_playwright():
+        return AuthResult(
+            success=False,
+            error="Playwright not installed. Run: pip install playwright && playwright install chromium",
+        )
+
+    state = load_state(data_path)
+    storage_state = to_playwright_context(state) if state.cookies else None
+
+    try:
+        with sync_playwright() as pw:
+            browser = pw.chromium.launch(headless=headless)
+            try:
+                context = browser.new_context(
+                    storage_state=storage_state,
+                ) if storage_state else browser.new_context()
+
+                page = context.new_page()
+                page.set_default_timeout(_NAVIGATION_TIMEOUT_MS)
+
+                logger.debug("Navigating to OAuth URL: %s", url)
+                page.goto(url, wait_until="networkidle")
+
+                # Detect page state
+                result = _handle_auth_page(page)
+
+                if result.success:
+                    # Save updated browser context
+                    ctx_data = context.storage_state()
+                    new_state = from_playwright_context(ctx_data)
+                    save_state(data_path, new_state)
+                    logger.info("OAuth refresh succeeded")
+
+                context.close()
+                return result
+
+            finally:
+                browser.close()
+
+    except PWTimeout:
+        return AuthResult(success=False, error="OAuth page timed out")
+    except Exception as exc:
+        logger.warning("Browser automation failed: %s", exc)
+        return AuthResult(success=False, error=str(exc))
+
+
+def _handle_auth_page(page) -> AuthResult:
+    """Detect and handle the OAuth authorization page.
+
+    Looks for an authorize button or a login form. If the IdP session
+    is still valid, the authorize button should be visible. If not,
+    a login form (Google, GitHub, etc.) will be shown instead.
+    """
+
+    # Check for authorize/approve button (Anthropic consent screen)
+    authorize_selectors = [
+        'button:has-text("Authorize")',
+        'button:has-text("Allow")',
+        'button:has-text("Approve")',
+        'input[type="submit"][value*="Authorize"]',
+        'input[type="submit"][value*="Allow"]',
+    ]
+
+    for selector in authorize_selectors:
+        try:
+            button = page.wait_for_selector(selector, timeout=3000)
+            if button and button.is_visible():
+                logger.debug("Found authorize button: %s", selector)
+                button.click()
+
+                # Wait for redirect after authorization
+                page.wait_for_load_state("networkidle")
+
+                # Try to extract the authorization key from the page
+                key = _extract_key(page)
+                return AuthResult(success=True, key=key)
+        except PWTimeout:
+            continue
+
+    # Check for IdP login form (Google, GitHub, etc.)
+    login_indicators = [
+        'input[type="email"]',
+        'input[type="password"]',
+        '#identifierId',  # Google
+        '#login_field',   # GitHub
+    ]
+
+    for selector in login_indicators:
+        try:
+            el = page.wait_for_selector(selector, timeout=2000)
+            if el and el.is_visible():
+                return AuthResult(
+                    success=False,
+                    error="IdP session expired — manual login required",
+                )
+        except PWTimeout:
+            continue
+
+    # Neither authorize nor login found
+    page_text = page.text_content("body") or ""
+    logger.debug("Unrecognized page state. Body preview: %s", page_text[:200])
+    return AuthResult(
+        success=False,
+        error="Unrecognized OAuth page — manual login required",
+    )
+
+
+def auto_refresh_auth(
+    claude_path: str,
+    data_path: Path,
+    *,
+    headless: bool = True,
+    login_timeout: float = 60,
+) -> AuthResult:
+    """Orchestrate fully automated OAuth: start login, parse URL, automate browser.
+
+    1. Start ``claude auth login`` capturing stdout
+    2. Parse the OAuth URL from the output
+    3. Use :func:`refresh_auth` to navigate with stored cookies
+    4. If the browser clicks "Authorize", the redirect completes the login
+    5. Wait for ``claude auth login`` to finish
+
+    Returns :class:`AuthResult` indicating success or failure.
+    """
+    import subprocess
+    import threading
+
+    from kanibako.auth_parser import parse_auth_output
+
+    if not _check_playwright():
+        return AuthResult(
+            success=False,
+            error="Playwright not installed",
+        )
+
+    # Start claude auth login, capturing output to find the URL.
+    try:
+        proc = subprocess.Popen(
+            [claude_path, "auth", "login"],
+            stdout=subprocess.PIPE,
+            stderr=subprocess.STDOUT,
+            stdin=subprocess.PIPE,
+            text=True,
+        )
+    except (FileNotFoundError, OSError) as exc:
+        return AuthResult(success=False, error=f"Failed to start auth: {exc}")
+
+    # Read output lines until we find an OAuth URL or the process exits.
+    output_lines: list[str] = []
+    url: str | None = None
+    code: str | None = None
+
+    def _read_output() -> None:
+        nonlocal url, code
+        assert proc.stdout is not None
+        for line in proc.stdout:
+            output_lines.append(line)
+            if url is None:
+                prompt = parse_auth_output("".join(output_lines))
+                if prompt:
+                    url = prompt.url
+                    code = prompt.code
+                    return  # Got what we need
+
+    reader = threading.Thread(target=_read_output, daemon=True)
+    reader.start()
+    reader.join(timeout=15)
+
+    if not url:
+        # No URL found — kill process and bail.
+        proc.kill()
+        proc.wait()
+        return AuthResult(success=False, error="No OAuth URL found in auth output")
+
+    logger.info("Auto-auth: navigating to %s", url)
+    result = refresh_auth(url, data_path, headless=headless)
+
+    if result.success:
+        # If we got a key and the process is waiting for input, feed it.
+        key = result.key or code
+        if key and proc.poll() is None and proc.stdin:
+            try:
+                proc.stdin.write(key + "\n")
+                proc.stdin.flush()
+            except OSError:
+                pass
+
+        # Wait for claude auth login to complete.
+        try:
+            proc.wait(timeout=login_timeout)
+        except subprocess.TimeoutExpired:
+            proc.kill()
+            proc.wait()
+    else:
+        proc.kill()
+        proc.wait()
+
+    return result
+
+
+def _extract_key(page) -> str | None:
+    """Try to extract the authorization key from the post-authorize page."""
+    # Look for common patterns: displayed code, input field with key, etc.
+    key_selectors = [
+        'code',
+        '.authorization-code',
+        'input[readonly]',
+        'pre',
+    ]
+
+    for selector in key_selectors:
+        try:
+            el = page.wait_for_selector(selector, timeout=3000)
+            if el:
+                text = el.text_content() or el.get_attribute("value") or ""
+                text = text.strip()
+                if text and len(text) < 200:  # reasonable key length
+                    return text
+        except Exception:
+            continue
+
+    return None

kanibako/auth_parser.py

@@ -0,0 +1,51 @@
+"""Parse Claude Code auth command output to extract OAuth URLs and codes.
+
+Used by the automated OAuth refresh flow to extract the authorization URL
+from ``claude auth login`` output and feed back the authorization code.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+
+
+@dataclass
+class AuthPrompt:
+    """Parsed auth prompt from ``claude auth login`` output."""
+
+    url: str
+    code: str | None = None  # verification code (if displayed)
+
+
+# URL pattern: look for anthropic or console.anthropic URLs
+_URL_RE = re.compile(
+    r"(https?://(?:console\.anthropic\.com|claude\.ai)[^\s\"'<>]+)",
+)
+
+# Verification code: typically 4-8 character alphanumeric.
+# Matches patterns like "code: ABCD1234", "code is: XY12AB", "key = WXYZ99"
+# Requires a colon or equals as separator to avoid false positives.
+_CODE_RE = re.compile(
+    r"(?:verification\s+code|code|key)\s*(?:is)?[:=]\s*([A-Z0-9]{4,8})\b",
+    re.IGNORECASE,
+)
+
+
+def parse_auth_output(output: str) -> AuthPrompt | None:
+    """Extract OAuth URL and optional code from claude auth login output.
+
+    Returns *None* if no recognizable URL is found.
+    """
+    url_match = _URL_RE.search(output)
+    if not url_match:
+        return None
+
+    url = url_match.group(1)
+
+    code: str | None = None
+    code_match = _CODE_RE.search(output)
+    if code_match:
+        code = code_match.group(1)
+
+    return AuthPrompt(url=url, code=code)

kanibako/baseline.py

@@ -0,0 +1,124 @@
+"""Image-baseline manifest: the universal in-box runtime tool contract.
+
+The baseline is a mapping of ``apt-package-name -> [executables]``.  The shipped
+default lives in :mod:`kanibako.data` (``image-baseline.yaml``); site and user
+overlays are merged on top **additively** (the scoped-shares spirit in
+:mod:`kanibako.settings_shares`): later layers add new packages or override an
+existing package's executable list.  Precedence, least- to most-specific:
+
+    built-in default  <  /etc/kanibako/image-baseline.yaml  <  ~/.config/kanibako/image-baseline.yaml
+
+The package NAME is what ``apt-get install`` consumes (auto-install assumes
+apt/debian); the EXECUTABLE values are what ``command -v`` probes (verify is
+package-manager-agnostic).  They differ on purpose (e.g. ``ripgrep`` -> ``rg``).
+"""
+
+from __future__ import annotations
+
+import importlib.resources
+import sys
+from collections.abc import Callable
+from pathlib import Path
+
+import yaml
+
+from kanibako.paths import xdg
+
+# Filename used both for the shipped default (in kanibako.data) and the overlays.
+BASELINE_FILENAME = "image-baseline.yaml"
+
+
+def _read_doc(path: Path) -> dict[str, list[str]]:
+    """Parse a baseline YAML file into ``{package: [executables]}``.
+
+    Tolerates a missing/empty file (returns ``{}``).  Normalizes each value to
+    a list of strings; a bare string value becomes a single-element list.
+    """
+    if not path.is_file():
+        return {}
+    raw = yaml.safe_load(path.read_text()) or {}
+    if not isinstance(raw, dict):
+        return {}
+    result: dict[str, list[str]] = {}
+    for pkg, exes in raw.items():
+        if exes is None:
+            result[str(pkg)] = []
+        elif isinstance(exes, str):
+            result[str(pkg)] = [exes]
+        else:
+            result[str(pkg)] = [str(e) for e in exes]
+    return result
+
+
+def _shipped_default() -> dict[str, list[str]]:
+    """Read the bundled default baseline shipped as package data."""
+    ref = importlib.resources.files("kanibako.data").joinpath(BASELINE_FILENAME)
+    return _read_doc(Path(str(ref)))
+
+
+def _overlay_paths() -> list[Path]:
+    """Overlay locations, in additive merge order (machine then user)."""
+    config_home = xdg("XDG_CONFIG_HOME", ".config")
+    return [
+        Path("/etc/kanibako") / BASELINE_FILENAME,
+        config_home / "kanibako" / BASELINE_FILENAME,
+    ]
+
+
+def load_baseline() -> dict[str, list[str]]:
+    """Return the merged baseline ``{package: [executables]}``.
+
+    Starts from the shipped default, then additively merges the machine
+    (``/etc``) and user (``~/.config``) overlays if present: a later layer adds
+    a new package or replaces an existing package's executable list.  Missing
+    overlay files are treated as empty levels.
+    """
+    merged = _shipped_default()
+    for path in _overlay_paths():
+        merged.update(_read_doc(path))
+    return merged
+
+
+def packages() -> list[str]:
+    """Return the baseline package names in sorted, stable order."""
+    return sorted(load_baseline())
+
+
+def executables() -> list[tuple[str, str]]:
+    """Return ``(package, executable)`` pairs, sorted by package then executable."""
+    pairs: list[tuple[str, str]] = []
+    baseline = load_baseline()
+    for pkg in sorted(baseline):
+        for exe in baseline[pkg]:
+            pairs.append((pkg, exe))
+    return pairs
+
+
+def verify(probe: Callable[[str], bool]) -> list[tuple[str, str]]:
+    """Return the ``(package, executable)`` pairs whose executable is missing.
+
+    *probe* answers "is this executable present?" (typically a ``command -v``
+    check inside an image).  An empty result means the baseline is satisfied.
+    """
+    return [(pkg, exe) for pkg, exe in executables() if not probe(exe)]
+
+
+def install_command(pkgs: list[str]) -> list[str]:
+    """Build the apt-get install argv for *pkgs* (debian).
+
+    Returns the full argv (``apt-get install -y --no-install-recommends ...``).
+    The caller decides where it runs (host vs. in-box) and on non-debian
+    systems should skip it (see :func:`warn_non_debian`).
+    """
+    return [
+        "apt-get", "install", "-y", "--no-install-recommends", *pkgs,
+    ]
+
+
+def warn_non_debian() -> None:
+    """Emit a stderr warning that auto-install only supports apt/debian."""
+    print(
+        "kanibako baseline: automatic install assumes apt/debian; "
+        "install the baseline packages with your distro's package manager.",
+        file=sys.stderr,
+    )