kiwi-code 0.0.20__tar.gz → 0.0.22__tar.gz

{kiwi_code-0.0.20 → kiwi_code-0.0.22}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kiwi-code
-Version: 0.0.20
+Version: 0.0.22
 Summary: A textual-based terminal user interface application
 Project-URL: Homepage, https://meetkiwi.ai
 Project-URL: Repository, https://github.com/jetoslabs/kiwi-code
@@ -40,12 +40,43 @@ Kiwi Code is a terminal-first UI (TUI) for chatting with **Kiwi Actions** and ma
 
 ## Quick start
 
-### 1) Install deps (repo)
+### 1) Install
 
-```bash
-cd kiwi-code
-uv sync
-```
+pip install kiwi-code
+
+### 2) Start the TUI
+
+Connect using a server preset:
+
+kiwi connect --server app
+
+Available presets:
+- app (prod)
+- dev (dev)
+
+### 3) Login
+
+The TUI will prompt for login if you’re not authenticated.
+
+Tokens/config are stored under:
+
+- ~/.kiwi/tokens.json
+- ~/.kiwi/config.json
+
+### 4) (Optional) Start the Runtime
+
+If you want to run the runtime manually:
+
+kiwi-runtime connect --server dev --scope full
+
+Or for production:
+
+kiwi-runtime connect --server app --scope full
+
+### Notes
+
+- --scope full gives unrestricted access. Use restricted if you want tighter control.
+- In most cases, you can skip manual runtime startup and just use /connect-cli inside the TUI.
 
 ### 2) Start the TUI
 

{kiwi_code-0.0.20 → kiwi_code-0.0.22}/README.md

@@ -11,12 +11,43 @@ Kiwi Code is a terminal-first UI (TUI) for chatting with **Kiwi Actions** and ma
 
 ## Quick start
 
-### 1) Install deps (repo)
+### 1) Install
 
-```bash
-cd kiwi-code
-uv sync
-```
+pip install kiwi-code
+
+### 2) Start the TUI
+
+Connect using a server preset:
+
+kiwi connect --server app
+
+Available presets:
+- app (prod)
+- dev (dev)
+
+### 3) Login
+
+The TUI will prompt for login if you’re not authenticated.
+
+Tokens/config are stored under:
+
+- ~/.kiwi/tokens.json
+- ~/.kiwi/config.json
+
+### 4) (Optional) Start the Runtime
+
+If you want to run the runtime manually:
+
+kiwi-runtime connect --server dev --scope full
+
+Or for production:
+
+kiwi-runtime connect --server app --scope full
+
+### Notes
+
+- --scope full gives unrestricted access. Use restricted if you want tighter control.
+- In most cases, you can skip manual runtime startup and just use /connect-cli inside the TUI.
 
 ### 2) Start the TUI
 

{kiwi_code-0.0.20 → kiwi_code-0.0.22}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "kiwi-code"
-version = "0.0.20"
+version = "0.0.22"
 description = "A textual-based terminal user interface application"
 readme = {file = "README.md", content-type = "text/markdown"}
 requires-python = ">=3.11,<4.0"

{kiwi_code-0.0.20 → kiwi_code-0.0.22}/src/kiwi_cli/auth.py

@@ -1,14 +1,65 @@
 """Authentication and token management."""
 
+from __future__ import annotations
+
 import json
+import os
 import sys
+import time
+from contextlib import contextmanager
 from pathlib import Path
 from typing import Optional
+def _lock_path_for(token_path: Path) -> Path:
+    return token_path.with_suffix(".lock")
+
+
+@contextmanager
+def _file_lock(lock_path: Path):
+    """Cross-process lock using a lockfile.
+
+    This prevents concurrent refresh-token rotation races and avoids partial writes.
+    """
+    lock_path.parent.mkdir(parents=True, exist_ok=True)
+    fp = open(lock_path, "a+")
+    try:
+        if sys.platform == "win32":
+            import msvcrt
+            # Lock 1 byte; blocks until available.
+            msvcrt.locking(fp.fileno(), msvcrt.LK_LOCK, 1)
+        else:
+            import fcntl
+            fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
+        yield
+    finally:
+        try:
+            if sys.platform == "win32":
+                import msvcrt
+                msvcrt.locking(fp.fileno(), msvcrt.LK_UNLCK, 1)
+            else:
+                import fcntl
+                fcntl.flock(fp.fileno(), fcntl.LOCK_UN)
+        finally:
+            fp.close()
+
+
+def _atomic_write_json(path: Path, data: dict) -> None:
+    """Atomically write JSON (write temp + replace) to avoid corruption."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    tmp = path.with_suffix(path.suffix + f".tmp.{os.getpid()}")
+    with open(tmp, "w", encoding="utf-8") as f:
+        json.dump(data, f, indent=2, default=str)
+        f.flush()
+        os.fsync(f.fileno())
+    os.replace(tmp, path)
+    if sys.platform != "win32":
+        path.chmod(0o600)
+
 from loguru import logger
 
 from .models import AuthTokens
 
 
+
 class TokenManager:
     """Manages authentication tokens with secure storage."""
 
@@ -24,27 +75,25 @@ class TokenManager:
         self.token_path = token_path
         self._tokens: Optional[AuthTokens] = None
 
+    @contextmanager
+    def file_lock(self):
+        """Acquire an exclusive cross-process lock for refresh/write operations."""
+        with _file_lock(_lock_path_for(self.token_path)):
+            yield
     def save_tokens(self, tokens: AuthTokens) -> None:
-        """Save tokens to secure storage.
+        """Save tokens to secure storage (atomic write).
+
+        Notes:
+            Refresh flows should acquire `file_lock()` before calling this to avoid
+            refresh-token rotation races across processes.
 
         Args:
             tokens: Authentication tokens to save
         """
         self._tokens = tokens
-        self.token_path.parent.mkdir(parents=True, exist_ok=True)
-
-        try:
-            with open(self.token_path, "w") as f:
-                json.dump(tokens.model_dump(mode="json"), f, indent=2, default=str)
-
-            # Set file permissions to user read/write only (0600)
-            if sys.platform != "win32":
-                self.token_path.chmod(0o600)
-
-            logger.info("Authentication tokens saved securely")
-        except Exception as e:
-            logger.error(f"Failed to save tokens: {e}")
-            raise
+        data = tokens.model_dump(mode="json")
+        _atomic_write_json(self.token_path, data)
+        logger.info("Authentication tokens saved securely")
 
     def load_tokens(self) -> Optional[AuthTokens]:
         """Load tokens from storage.

{kiwi_code-0.0.20 → kiwi_code-0.0.22}/src/kiwi_cli/models.py

@@ -1,8 +1,13 @@
 """Pydantic models for Autobots TUI."""
 
+from __future__ import annotations
+
+import base64
+import json
 from datetime import datetime, timedelta
 from enum import Enum
 from typing import Optional, Any
+
 from pydantic import BaseModel, Field
 
 
@@ -63,11 +68,42 @@ class AuthTokens(BaseModel):
     expires_at: Optional[datetime] = None
 
     def is_expired(self) -> bool:
-        """Check if access token is expired."""
-        if not self.expires_at:
+        """Check if access token is expired.
+
+        Notes:
+        - Prefer `expires_at` when present.
+        - If `expires_at` is missing (common when the backend doesn't return expires_in),
+          fall back to the JWT `exp` claim (if the access token is a JWT).
+        """
+        def _jwt_exp(token: str) -> datetime | None:
+            try:
+                parts = token.split(".")
+                if len(parts) < 2:
+                    return None
+                payload_b64 = parts[1]
+                # base64url decode with padding
+                payload_b64 += "=" * (-len(payload_b64) % 4)
+                payload = base64.urlsafe_b64decode(payload_b64.encode("utf-8"))
+                data = json.loads(payload.decode("utf-8"))
+                exp = data.get("exp")
+                if not isinstance(exp, (int, float)):
+                    return None
+                return datetime.fromtimestamp(exp)
+            except Exception:
+                return None
+
+        jwt_expires_at = _jwt_exp(self.access_token)
+        effective_expires_at = self.expires_at or jwt_expires_at
+        if self.expires_at and jwt_expires_at:
+            # Be conservative if they disagree.
+            effective_expires_at = min(self.expires_at, jwt_expires_at)
+
+        if not effective_expires_at:
+            # No expiry info; assume valid (server will decide).
             return False
+
         # Add 60 second buffer before expiry
-        return datetime.now() >= (self.expires_at - timedelta(seconds=60))
+        return datetime.now() >= (effective_expires_at - timedelta(seconds=60))
 
 
 class LoginCredentials(BaseModel):

{kiwi_code-0.0.20 → kiwi_code-0.0.22}/src/kiwi_runtime/main.py

@@ -13,6 +13,10 @@ Usage:
     kiwi connect --server dev --allow /path/to/extra/dir
 """
 
+from __future__ import annotations
+
+from datetime import datetime
+
 import argparse
 import asyncio
 import getpass
@@ -23,6 +27,9 @@ import shlex
 import signal
 import subprocess
 import sys
+from pathlib import Path
+from typing import Any
+
 
 IS_WINDOWS = sys.platform == "win32"
 
@@ -36,6 +43,226 @@ import httpx
 import websockets
 import threading
 FS_MAX_CONCURRENCY = 8
+
+# ---------------------------------------------------------------------------
+# Shared token storage (used by both kiwi-code and standalone kiwi-runtime)
+# ---------------------------------------------------------------------------
+
+TOKENS_PATH = Path.home() / ".kiwi" / "tokens.json"
+TOKENS_LOCK_PATH = Path.home() / ".kiwi" / "tokens.lock"
+TOKEN_EXPIRY_SKEW_SEC = 60  # refresh a bit early to avoid edge cases
+
+
+def _parse_expires_at(value: Any) -> datetime | None:
+    """Parse expires_at from tokens.json.
+
+    Supports:
+    - ISO8601 strings written by Pydantic (e.g. 2026-05-03T12:34:56.789)
+    - str(datetime) legacy (e.g. 2026-05-03 12:34:56.789)
+    - epoch seconds (int/float)
+    - None / missing
+    """
+    try:
+        if value is None:
+            return None
+        if isinstance(value, (int, float)):
+            return datetime.fromtimestamp(value)
+        if not isinstance(value, str):
+            return None
+        s = value.strip()
+        if not s:
+            return None
+        # Handle Zulu suffix
+        s = s.replace("Z", "+00:00")
+        return datetime.fromisoformat(s)
+    except Exception:
+        return None
+
+
+def _jwt_expires_at(token: str) -> datetime | None:
+    """Best-effort parse of JWT exp claim."""
+    try:
+        import base64
+        import json as _json
+        parts = token.split(".")
+        if len(parts) < 2:
+            return None
+        payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
+        payload = base64.urlsafe_b64decode(payload_b64.encode("utf-8"))
+        data = _json.loads(payload.decode("utf-8"))
+        exp = data.get("exp")
+        if not isinstance(exp, (int, float)):
+            return None
+        return datetime.fromtimestamp(exp)
+    except Exception:
+        return None
+
+
+def _token_is_expired(*, access_token: str, expires_at: datetime | None) -> bool:
+    from datetime import timedelta
+    # Prefer explicit expires_at, but fall back to JWT exp if available.
+    jwt_exp = _jwt_expires_at(access_token)
+    effective = expires_at or jwt_exp
+    if expires_at and jwt_exp:
+        effective = min(expires_at, jwt_exp)
+    if not effective:
+        return False
+    return datetime.now() >= (effective - timedelta(seconds=TOKEN_EXPIRY_SKEW_SEC))
+
+
+def _load_tokens_file(path: Path = TOKENS_PATH) -> dict[str, Any] | None:
+    """Load tokens.json (best-effort)."""
+    if not path.exists():
+        return None
+    # Avoid occasional partial-read issues during replace on some platforms by retrying quickly.
+    for _ in range(3):
+        try:
+            raw = path.read_text(encoding="utf-8")
+            return json.loads(raw) if raw.strip() else None
+        except Exception:
+            import time
+            time.sleep(0.05)
+    return None
+
+
+def _atomic_write_tokens(path: Path, data: dict[str, Any]) -> None:
+    """Atomic tokens.json write to avoid corruption."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    tmp = path.with_suffix(path.suffix + f".tmp.{os.getpid()}")
+    with open(tmp, "w", encoding="utf-8") as f:
+        json.dump(data, f, indent=2, default=str)
+        f.flush()
+        os.fsync(f.fileno())
+    os.replace(tmp, path)
+    if sys.platform != "win32":
+        try:
+            path.chmod(0o600)
+        except Exception:
+            pass
+
+
+class _TokensLock:
+    def __init__(self, lock_path: Path = TOKENS_LOCK_PATH):
+        self.lock_path = lock_path
+        self.fp = None
+
+    def __enter__(self):
+        self.lock_path.parent.mkdir(parents=True, exist_ok=True)
+        self.fp = open(self.lock_path, "a+")
+        if sys.platform == "win32":
+            import msvcrt
+            msvcrt.locking(self.fp.fileno(), msvcrt.LK_LOCK, 1)
+        else:
+            import fcntl
+            fcntl.flock(self.fp.fileno(), fcntl.LOCK_EX)
+        return self
+
+    def __exit__(self, exc_type, exc, tb):
+        try:
+            if self.fp:
+                if sys.platform == "win32":
+                    import msvcrt
+                    msvcrt.locking(self.fp.fileno(), msvcrt.LK_UNLCK, 1)
+                else:
+                    import fcntl
+                    fcntl.flock(self.fp.fileno(), fcntl.LOCK_UN)
+        finally:
+            try:
+                if self.fp:
+                    self.fp.close()
+            except Exception:
+                pass
+            self.fp = None
+
+
+async def _refresh_tokens(http_base_url: str, refresh_token: str) -> dict[str, Any]:
+    """Refresh tokens via the backend and return tokens.json-compatible dict."""
+    from datetime import datetime, timedelta
+    url = f"{http_base_url.rstrip('/')}/v1/auth/session/refresh"
+    async with httpx.AsyncClient(timeout=30) as client:
+        resp = await client.post(url, params={"refresh_token": refresh_token})
+    if resp.status_code != 200:
+        raise Exception(f"Token refresh failed (HTTP {resp.status_code}): {resp.text[:200]}")
+    body = resp.json()
+    session = body.get("session") or {}
+    access = session.get("access_token")
+    new_refresh = session.get("refresh_token") or refresh_token
+    expires_in = session.get("expires_in")
+    token_type = session.get("token_type") or "Bearer"
+    if not access:
+        raise Exception(f"Token refresh response missing access_token: {body}")
+    expires_at = None
+    try:
+        if isinstance(expires_in, (int, float)):
+            expires_at = (datetime.now() + timedelta(seconds=int(expires_in))).isoformat()
+    except Exception:
+        expires_at = None
+    out: dict[str, Any] = {
+        "access_token": access,
+        "refresh_token": new_refresh,
+        "token_type": token_type,
+    }
+    if expires_at:
+        out["expires_at"] = expires_at
+    return out
+
+
+async def _get_valid_access_token(http_base_url: str, fallback_token: str) -> str:
+    """Return a non-expired access token, preferring ~/.kiwi/tokens.json when available.
+
+    Behavior:
+    - If tokens.json contains a valid access_token, use it.
+    - If tokens.json exists but is expired and has refresh_token, try refresh under a lock.
+    - Otherwise fall back to the provided token.
+    """
+    data = _load_tokens_file(TOKENS_PATH)
+    if not data:
+        return fallback_token
+    access = data.get("access_token") or fallback_token
+    refresh = data.get("refresh_token")
+    expires_at = _parse_expires_at(data.get("expires_at"))
+    if access and not _token_is_expired(access_token=access, expires_at=expires_at):
+        return access
+    if not refresh:
+        return access or fallback_token
+    # Lock: another process may have refreshed already.
+    with _TokensLock():
+        data2 = _load_tokens_file(TOKENS_PATH) or data
+        access2 = data2.get("access_token") or access
+        refresh2 = data2.get("refresh_token") or refresh
+        expires_at2 = _parse_expires_at(data2.get("expires_at"))
+        if access2 and not _token_is_expired(access_token=access2, expires_at=expires_at2):
+            return access2
+        # Still expired -> attempt refresh. If refresh fails, fall back to the best token we have.
+        try:
+            new_data = await _refresh_tokens(http_base_url, refresh2)
+            _atomic_write_tokens(TOKENS_PATH, new_data)
+            return str(new_data.get("access_token"))
+        except Exception:
+            # Another process may have refreshed while we attempted, or refresh token may be invalid.
+            data3 = _load_tokens_file(TOKENS_PATH) or data2
+            return str(data3.get("access_token") or access2 or fallback_token)
+
+
+async def _force_refresh_access_token(http_base_url: str, fallback_token: str) -> str:
+    """Force a refresh (if refresh_token exists). Used after HTTP 401."""
+    data = _load_tokens_file(TOKENS_PATH)
+    refresh = None
+    with _TokensLock():
+        data2 = _load_tokens_file(TOKENS_PATH) or data or {}
+        refresh2 = data2.get("refresh_token") or refresh
+        try:
+            new_data = await _refresh_tokens(http_base_url, refresh2)
+            _atomic_write_tokens(TOKENS_PATH, new_data)
+            return str(new_data.get("access_token"))
+        except Exception:
+            data3 = _load_tokens_file(TOKENS_PATH) or data2
+            return str(data3.get("access_token") or fallback_token)
+        refresh2 = data2.get("refresh_token") or refresh
+        new_data = await _refresh_tokens(http_base_url, refresh2)
+        _atomic_write_tokens(TOKENS_PATH, new_data)
+        return str(new_data.get("access_token"))
+
 _chunked_writes_lock = threading.Lock()
 MAX_OUTPUT_BYTES = 50 * 1024  # 50KB cap on command output
 
@@ -63,8 +290,6 @@ import shutil
 import tempfile
 import uuid
 from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
 
 
 @dataclass
@@ -1347,9 +1572,62 @@ def _is_within_allowed(resolved_path: str, allowed_dirs: list[str]) -> bool:
 # ---------------------------------------------------------------------------
 
 async def login(http_base_url: str, email: str, password: str) -> str:
-    """Authenticate with email/password and return the JWT access token."""
-    url = f"{http_base_url}/v1/auth/token"
+    """Authenticate with email/password and return the access token.
+
+    We prefer the session-based endpoint (/v1/auth/) which returns a refresh token so
+    this runtime can keep making authenticated HTTP requests (e.g. file uploads) even
+    after long uptimes.
+
+    On success, we persist tokens to ~/.kiwi/tokens.json (shared with kiwi-code).
+    """
+    base = http_base_url.rstrip("/")
     async with httpx.AsyncClient(timeout=30) as client:
+        # Prefer session-based login (returns refresh_token + expires_in).
+        url = f"{base}/v1/auth/"
+        resp = await client.post(
+            url,
+            data={"username": email, "password": password},
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+        if resp.status_code == 200:
+            body = resp.json()
+            session = body.get("session") or {}
+            access = session.get("access_token") or body.get("access_token")
+            refresh = session.get("refresh_token")
+            expires_in = session.get("expires_in")
+            token_type = session.get("token_type") or "Bearer"
+            if not access:
+                raise Exception(f"No access_token in response: {body}")
+            tokens_out: dict[str, Any] = {
+                "access_token": access,
+                "token_type": token_type,
+            }
+            if refresh:
+                tokens_out["refresh_token"] = refresh
+            # Compute expires_at from expires_in when available.
+            try:
+                from datetime import datetime, timedelta
+                if isinstance(expires_in, (int, float)):
+                    tokens_out["expires_at"] = (
+                        datetime.now() + timedelta(seconds=int(expires_in))
+                    ).isoformat()
+            except Exception:
+                pass
+            # Write shared tokens.json under lock; preserve an existing refresh_token if
+            # server doesn't return one for some reason.
+            try:
+                with _TokensLock():
+                    existing = _load_tokens_file(TOKENS_PATH) or {}
+                    if "refresh_token" not in tokens_out and existing.get("refresh_token"):
+                        tokens_out["refresh_token"] = existing.get("refresh_token")
+                    _atomic_write_tokens(TOKENS_PATH, tokens_out)
+            except Exception:
+                # Best-effort persistence; auth is still successful.
+                pass
+            return access
+
+        # Fallback: OAuth-style token endpoint (access token only).
+        url = f"{base}/v1/auth/token"
         resp = await client.post(
             url,
             data={"username": email, "password": password},
@@ -2034,6 +2312,7 @@ async def handle_read_files(
         open_handles = []
         try:
             upload_url = f"{http_base_url.rstrip('/')}/v1/files/public/"
+            upload_token = await _get_valid_access_token(http_base_url, token)
             async with httpx.AsyncClient(timeout=120) as client:
                 file_tuples = []
                 for filename, filepath, _ in files_to_upload:
@@ -2044,9 +2323,27 @@ async def handle_read_files(
                 resp = await client.post(
                     upload_url,
                     files=file_tuples,
-                    headers={"Authorization": f"Bearer {token}"},
+                    headers={"Authorization": f"Bearer {upload_token}"},
                 )
 
+                # If the access token expired mid-session, try once more after a refresh.
+                if resp.status_code in (401, 403):
+                    try:
+                        upload_token2 = await _force_refresh_access_token(http_base_url, upload_token)
+                        for fh in open_handles:
+                            try:
+                                fh.seek(0)
+                            except Exception:
+                                pass
+                        resp = await client.post(
+                            upload_url,
+                            files=file_tuples,
+                            headers={"Authorization": f"Bearer {upload_token2}"},
+                        )
+                    except Exception:
+                        # Fall through to error handling below.
+                        pass
+
                 if resp.status_code == 200:
                     file_metas = resp.json()
                     for meta in file_metas:
@@ -2102,6 +2399,10 @@ async def connect(
             if not agent_id:
                 agent_id = str(uuid.uuid4())
 
+            # Always prefer a fresh access token from ~/.kiwi/tokens.json when available.
+            # This keeps long-running runtimes working even after kiwi-code refreshes tokens.
+            token = await _get_valid_access_token(http_base_url, token)
+
             await ws.send(json.dumps({
                 "type": "auth",
                 "token": token,
@@ -2575,23 +2876,31 @@ def main():
             print_status(">", "Using provided access token", GREEN)
         else:
             print_section("Authentication")
-            email = args.email
-            if email:
-                print_status(">", f"Email: {email}", GREY)
-            else:
-                email = input(f"  {C}>{RESET}  Email: ")
-            password = getpass.getpass(f"  {C}>{RESET}  Password: ")
-            print()
-            print_status(">", f"Agent ID: {BOLD}{agent_id}{RESET}", GREY)
-
-            print_status("~", f"Authenticating with {BOLD}{http_url}{RESET}...", C)
             try:
-                token = loop.run_until_complete(login(http_url, email, password))
-                print_status(">", "Login successful!", GREEN)
-            except Exception as e:
-                print_status("x", f"Login failed: {e}", RED)
+                email = args.email
+                if email:
+                    print_status(">", f"Email: {email}", GREY)
+                else:
+                    email = input(f"  {C}>{RESET}  Email: ")
+                password = getpass.getpass(f"  {C}>{RESET}  Password: ")
+                print()
+                print_status(">", f"Agent ID: {BOLD}{agent_id}{RESET}", GREY)
+
+                print_status("~", f"Authenticating with {BOLD}{http_url}{RESET}...", C)
+                try:
+                    token = loop.run_until_complete(login(http_url, email, password))
+                    print_status(">", "Login successful!", GREEN)
+                except Exception as e:
+                    print_status("x", f"Login failed: {e}", RED)
+                    loop.close()
+                    sys.exit(1)
+            except (KeyboardInterrupt, EOFError):
+                print()
+                print(f"  {GREY}{'─' * 50}{RESET}")
+                print_status(">", "Disconnected. Goodbye!", C)
+                print()
                 loop.close()
-                sys.exit(1)
+                sys.exit(0)
 
         print_section("Connection")