pdd-cli 0.0.90__py3-none-any.whl → 0.0.118__py3-none-any.whl

pdd/commands/auth.py

@@ -0,0 +1,309 @@
+from __future__ import annotations
+
+import asyncio
+import base64
+import json
+import os
+import sys
+import time
+from pathlib import Path
+from typing import Optional, Dict, Any
+
+import click
+from rich.console import Console
+
+# Internal imports
+try:
+    from ..auth_service import (
+        get_auth_status,
+        logout as service_logout,
+        JWT_CACHE_FILE,
+    )
+    from ..get_jwt_token import (
+        get_jwt_token,
+        AuthError,
+        NetworkError,
+        TokenError,
+        UserCancelledError,
+        RateLimitError,
+    )
+except ImportError:
+    pass
+
+console = Console()
+
+# Constants
+PDD_ENV = os.environ.get("PDD_ENV", "local")
+
+
+def _load_firebase_api_key() -> str:
+    """Load the Firebase API key from environment or .env files."""
+    # 1. Check direct env var
+    env_key = os.environ.get("NEXT_PUBLIC_FIREBASE_API_KEY")
+    if env_key:
+        return env_key
+
+    # 2. Check .env files in current directory
+    candidates = [Path(".env"), Path(".env.local")]
+    
+    for candidate in candidates:
+        if candidate.exists():
+            try:
+                content = candidate.read_text(encoding="utf-8")
+                for line in content.splitlines():
+                    if line.strip().startswith("NEXT_PUBLIC_FIREBASE_API_KEY="):
+                        return line.split("=", 1)[1].strip().strip('"').strip("'")
+            except Exception:
+                continue
+                
+    return ""
+
+
+def _get_client_id() -> Optional[str]:
+    """Get the GitHub Client ID for the current environment."""
+    return os.environ.get(f"GITHUB_CLIENT_ID_{PDD_ENV.upper()}") or os.environ.get("GITHUB_CLIENT_ID")
+
+
+def _decode_jwt_payload(token: str) -> Dict[str, Any]:
+    """Decode JWT payload without verification to extract claims."""
+    try:
+        # JWT is header.payload.signature
+        parts = token.split(".")
+        if len(parts) != 3:
+            return {}
+        
+        payload = parts[1]
+        # Add padding if needed
+        padding = len(payload) % 4
+        if padding:
+            payload += "=" * (4 - padding)
+            
+        decoded = base64.urlsafe_b64decode(payload)
+        return json.loads(decoded)
+    except Exception:
+        return {}
+
+
+@click.group("auth")
+def auth_group():
+    """Manage PDD Cloud authentication."""
+    pass
+
+
+@auth_group.command("login")
+@click.option(
+    "--browser/--no-browser",
+    default=None,
+    help="Control browser opening (auto-detect if not specified)"
+)
+def login(browser: Optional[bool]):
+    """Authenticate with PDD Cloud via GitHub."""
+
+    api_key = _load_firebase_api_key()
+    if not api_key:
+        console.print("[red]Error: NEXT_PUBLIC_FIREBASE_API_KEY not found.[/red]")
+        console.print("Please set it in your environment or .env file.")
+        sys.exit(1)
+
+    client_id = _get_client_id()
+    app_name = "PDD CLI"
+
+    async def run_login():
+        try:
+            # Import remote session detection
+            from ..core.remote_session import should_skip_browser
+
+            # Determine if browser should be skipped
+            skip_browser, reason = should_skip_browser(explicit_flag=browser)
+
+            if skip_browser:
+                console.print(f"[yellow]Note: {reason}[/yellow]")
+                console.print("[yellow]Please open the authentication URL manually in a browser.[/yellow]")
+
+            # Pass no_browser parameter to get_jwt_token
+            token = await get_jwt_token(
+                firebase_api_key=api_key,
+                github_client_id=client_id,
+                app_name=app_name,
+                no_browser=skip_browser
+            )
+            
+            if not token:
+                console.print("[red]Authentication failed: No token received.[/red]")
+                sys.exit(1)
+                
+            # Decode token to get expiration
+            payload = _decode_jwt_payload(token)
+            expires_at = payload.get("exp")
+            
+            # Ensure cache directory exists
+            if not JWT_CACHE_FILE.parent.exists():
+                JWT_CACHE_FILE.parent.mkdir(parents=True, exist_ok=True)
+            
+            # Save token and expiration to cache
+            # We store id_token for retrieval and expires_at for auth_service checks
+            cache_data = {
+                "id_token": token,
+                "expires_at": expires_at
+            }
+            
+            JWT_CACHE_FILE.write_text(json.dumps(cache_data))
+            
+            console.print("[green]Successfully authenticated to PDD Cloud.[/green]")
+            
+        except AuthError as e:
+            console.print(f"[red]Authentication failed: {e}[/red]")
+            sys.exit(1)
+        except NetworkError as e:
+            console.print(f"[red]Network error: {e}[/red]")
+            sys.exit(1)
+        except TokenError as e:
+            console.print(f"[red]Token error: {e}[/red]")
+            sys.exit(1)
+        except UserCancelledError:
+            console.print("[yellow]Authentication cancelled by user.[/yellow]")
+            sys.exit(1)
+        except RateLimitError as e:
+            console.print(f"[red]Rate limit exceeded: {e}[/red]")
+            sys.exit(1)
+        except Exception as e:
+            console.print(f"[red]An unexpected error occurred: {e}[/red]")
+            sys.exit(1)
+
+    asyncio.run(run_login())
+
+
+@auth_group.command("status")
+def status():
+    """Check current authentication status."""
+    auth_status = get_auth_status()
+    
+    if not auth_status.get("authenticated"):
+        console.print("Not authenticated.")
+        return
+        
+    username = "Unknown"
+    
+    # If we have a cached token, try to extract user info
+    if auth_status.get("cached") and JWT_CACHE_FILE.exists():
+        try:
+            data = json.loads(JWT_CACHE_FILE.read_text())
+            token = data.get("id_token")
+            if token:
+                payload = _decode_jwt_payload(token)
+                # Try to find a meaningful identifier
+                username = payload.get("email") or payload.get("sub")
+                
+                # Check for GitHub specific claims if available in Firebase token
+                firebase_claims = payload.get("firebase", {})
+                identities = firebase_claims.get("identities", {})
+                if "github.com" in identities:
+                    # identities['github.com'] is a list of IDs, not usernames usually
+                    pass
+        except Exception:
+            pass
+            
+    console.print(f"Authenticated as: [bold green]{username}[/bold green]")
+    sys.exit(0)
+
+
+@auth_group.command("logout")
+def logout_cmd():
+    """Log out of PDD Cloud."""
+    success, error = service_logout()
+    if success:
+        console.print("Logged out of PDD Cloud.")
+    else:
+        console.print(f"[red]Failed to logout: {error}[/red]")
+        # We don't exit with 1 here as partial logout might have occurred
+        # and the user is effectively logged out locally anyway.
+
+
+@auth_group.command("token")
+@click.option("--format", "output_format", type=click.Choice(["raw", "json"]), default="raw", help="Output format.")
+def token_cmd(output_format: str):
+    """Print the current authentication token."""
+
+    token_str = None
+    expires_at = None
+
+    # Attempt to read valid token from cache
+    if JWT_CACHE_FILE.exists():
+        try:
+            data = json.loads(JWT_CACHE_FILE.read_text())
+            cached_token = data.get("id_token")
+            cached_exp = data.get("expires_at")
+
+            # Simple expiry check
+            if cached_token and cached_exp and cached_exp > time.time():
+                token_str = cached_token
+                expires_at = cached_exp
+        except Exception:
+            pass
+
+    if not token_str:
+        # Removed err=True because rich.console.Console.print does not support it
+        console.print("[red]No valid token available. Please login.[/red]")
+        sys.exit(1)
+
+    if output_format == "json":
+        output = {
+            "token": token_str,
+            "expires_at": expires_at
+        }
+        console.print_json(data=output)
+    else:
+        console.print(token_str)
+
+
+@auth_group.command("clear-cache")
+def clear_cache():
+    """Clear the JWT token cache.
+
+    This is useful when:
+    - Switching between environments (staging vs production)
+    - Experiencing authentication issues
+    - JWT token audience mismatch errors
+
+    After clearing the cache, you'll need to re-authenticate
+    with 'pdd auth login' or source the appropriate environment
+    setup script (e.g., setup_staging_env.sh).
+    """
+    if not JWT_CACHE_FILE.exists():
+        console.print("[yellow]No JWT cache found at ~/.pdd/jwt_cache[/yellow]")
+        console.print("Nothing to clear.")
+        return
+
+    try:
+        # Try to read cache before deleting to show what was cached
+        cache_data = json.loads(JWT_CACHE_FILE.read_text())
+        token = cache_data.get("id_token") or cache_data.get("jwt")
+        if token:
+            payload = _decode_jwt_payload(token)
+            aud = payload.get("aud") or payload.get("firebase", {}).get("aud")
+            exp = payload.get("exp")
+
+            console.print("[dim]Cached token info:[/dim]")
+            if aud:
+                console.print(f"  Audience: {aud}")
+            if exp:
+                if exp > time.time():
+                    time_remaining = int((exp - time.time()) / 60)
+                    console.print(f"  Expires in: {time_remaining} minutes")
+                else:
+                    console.print("  Status: [red]Expired[/red]")
+    except Exception:
+        # If we can't read the cache, that's fine - just proceed with deletion
+        pass
+
+    # Delete the cache file
+    try:
+        JWT_CACHE_FILE.unlink()
+        console.print("[green]✓[/green] JWT cache cleared successfully")
+        console.print()
+        console.print("[dim]To re-authenticate:[/dim]")
+        console.print("  - For production: [bold]pdd auth login[/bold]")
+        console.print("  - For staging: [bold]source setup_staging_env.sh[/bold]")
+    except OSError as e:
+        console.print(f"[red]Failed to clear cache: {e}[/red]")
+        sys.exit(1)

pdd/commands/connect.py

@@ -0,0 +1,290 @@
+"""
+PDD Connect Command.
+
+This module provides the `pdd connect` CLI command which launches a local
+REST server to enable the web frontend to interact with PDD.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import os
+import webbrowser
+from pathlib import Path
+from typing import Optional
+
+import click
+
+# Handle optional dependencies - uvicorn may not be installed
+try:
+    import uvicorn
+except ImportError:
+    uvicorn = None
+
+# Internal imports
+# We wrap this in a try/except block to allow the module to be imported
+# even if the server dependencies are not present (e.g. in partial environments)
+try:
+    from ..server.app import create_app
+except (ImportError, ValueError):
+    def create_app(*args, **kwargs):
+        raise ImportError("Could not import pdd.server.app.create_app. Ensure server dependencies are installed.")
+
+
+@click.command("connect")
+@click.option(
+    "--port",
+    default=9876,
+    help="Port to listen on",
+    show_default=True,
+    type=int,
+)
+@click.option(
+    "--host",
+    default="127.0.0.1",
+    help="Host to bind to",
+    show_default=True,
+)
+@click.option(
+    "--allow-remote",
+    is_flag=True,
+    help="Allow non-localhost connections",
+)
+@click.option(
+    "--token",
+    help="Bearer token for authentication",
+    default=None,
+)
+@click.option(
+    "--no-browser",
+    is_flag=True,
+    help="Don't open browser automatically",
+)
+@click.option(
+    "--frontend-url",
+    help="Custom frontend URL",
+    default=None,
+)
+@click.option(
+    "--local-only",
+    is_flag=True,
+    help="Skip cloud registration (local access only)",
+)
+@click.option(
+    "--session-name",
+    help="Custom session name for identification",
+    default=None,
+)
+@click.pass_context
+def connect(
+    ctx: click.Context,
+    port: int,
+    host: str,
+    allow_remote: bool,
+    token: Optional[str],
+    no_browser: bool,
+    frontend_url: Optional[str],
+    local_only: bool,
+    session_name: Optional[str],
+) -> None:
+    """
+    Launch the local REST server for the PDD web frontend.
+
+    This command starts a FastAPI server that exposes the PDD functionality
+    via a REST API. It automatically opens the web interface in your default
+    browser unless --no-browser is specified.
+
+    For authenticated users, the session is automatically registered with
+    PDD Cloud for remote access. Use --local-only to skip cloud registration.
+    """
+    # Check uvicorn is available
+    if uvicorn is None:
+        click.echo(click.style("Error: 'uvicorn' is not installed. Please install it to use the connect command.", fg="red"))
+        ctx.exit(1)
+
+    # 1. Determine Project Root
+    # We assume the current working directory is the project root
+    project_root = Path.cwd()
+
+    # 2. Security Checks & Configuration
+    if allow_remote:
+        if not token:
+            click.echo(click.style(
+                "SECURITY WARNING: You are allowing remote connections without an authentication token.",
+                fg="red", bold=True
+            ))
+            click.echo("Anyone with access to your network could execute code on your machine.")
+            if not click.confirm("Do you want to proceed?"):
+                ctx.exit(1)
+
+        # If user explicitly asked for remote but left host as localhost,
+        # bind to all interfaces to actually allow remote connections.
+        if host == "127.0.0.1":
+            host = "0.0.0.0"
+            click.echo(click.style("Binding to 0.0.0.0 to allow remote connections.", fg="yellow"))
+    else:
+        # Warn if binding to non-localhost without explicit allow-remote
+        if host not in ("127.0.0.1", "localhost"):
+            click.echo(click.style(
+                f"Warning: Binding to {host} without --allow-remote flag. "
+                "External connections may be blocked or insecure.",
+                fg="yellow"
+            ))
+
+    # 3. Determine URLs
+    # The server URL is where the API lives
+    server_url = f"http://{host}:{port}"
+
+    # The frontend URL is what we open in the browser
+    # If binding to 0.0.0.0, we still use localhost for the local browser
+    browser_host = "localhost" if host == "0.0.0.0" else host
+    target_url = frontend_url if frontend_url else f"http://{browser_host}:{port}"
+
+    # 4. Configure CORS
+    # We need to allow the frontend to talk to the backend
+    allowed_origins = [
+        "http://localhost:3000",
+        "http://127.0.0.1:3000",
+        "http://localhost:5173",
+        "http://127.0.0.1:5173",
+        f"http://localhost:{port}",
+        f"http://127.0.0.1:{port}",
+        # PDD Cloud frontend
+        "https://pdd.dev",
+        "https://www.pdd.dev",
+    ]
+    if frontend_url:
+        allowed_origins.append(frontend_url)
+
+    # 4.5 Cloud Session Registration (automatic for authenticated users)
+    session_manager = None
+    cloud_url = None
+    if not local_only:
+        try:
+            from ..core.cloud import CloudConfig
+            from ..remote_session import (
+                RemoteSessionManager,
+                RemoteSessionError,
+                set_active_session_manager,
+            )
+
+            # Check if user is authenticated
+            jwt_token = CloudConfig.get_jwt_token(verbose=False)
+            if not jwt_token:
+                click.echo(click.style(
+                    "Not authenticated. Running in local-only mode.",
+                    dim=True
+                ))
+                click.echo(click.style(
+                    "Run 'pdd login' to enable remote access via cloud.",
+                    dim=True
+                ))
+            else:
+                click.echo("Registering session with PDD Cloud...")
+                session_manager = RemoteSessionManager(jwt_token, project_root)
+                try:
+                    # Register with cloud - no public URL needed, cloud hosts everything
+                    cloud_url = asyncio.run(session_manager.register(
+                        session_name=session_name,
+                    ))
+                    # Heartbeat will be started by the app's lifespan manager
+                    set_active_session_manager(session_manager)
+
+                    click.echo(click.style(
+                        "Session registered with PDD Cloud!", fg="green", bold=True
+                    ))
+                    # TODO: Re-enable when production /connect page is deployed
+                    # click.echo(f"  Access URL: {click.style(cloud_url, fg='cyan', underline=True)}")
+                    # click.echo(click.style(
+                    #     "  Share this URL to access your PDD session from any browser.",
+                    #     dim=True
+                    # ))
+                except RemoteSessionError as e:
+                    click.echo(click.style(
+                        f"Warning: Failed to register with cloud: {e.message}",
+                        fg="yellow"
+                    ))
+                    click.echo(click.style(
+                        "Running in local-only mode.",
+                        dim=True
+                    ))
+                    session_manager = None
+        except ImportError as e:
+            click.echo(click.style(
+                f"Running in local-only mode (cloud dependencies not available).",
+                dim=True
+            ))
+    else:
+        click.echo(click.style(
+            "Running in local-only mode (--local-only flag set).",
+            dim=True
+        ))
+
+    # 5. Initialize Server App
+    try:
+        # Pass token via environment variable if provided, as create_app might not take it directly
+        if token:
+            os.environ["PDD_ACCESS_TOKEN"] = token
+
+        app = create_app(project_root, allowed_origins=allowed_origins)
+    except Exception as e:
+        click.echo(click.style(f"Failed to initialize server: {e}", fg="red", bold=True))
+        ctx.exit(1)
+
+    # 6. Print Status Messages
+    click.echo(click.style(f"Starting PDD server on {server_url}", fg="green", bold=True))
+    click.echo(f"Project Root: {click.style(str(project_root), fg='blue')}")
+    click.echo(f"API Documentation: {click.style(f'{server_url}/docs', underline=True)}")
+    click.echo(f"Local Frontend: {click.style(target_url, underline=True)}")
+    # TODO: Re-enable when production /connect page is deployed
+    # if cloud_url:
+    #     click.echo(f"Remote Access: {click.style(cloud_url, fg='cyan', underline=True)}")
+    click.echo(click.style("Press Ctrl+C to stop the server", dim=True))
+
+    # 7. Open Browser
+    if not no_browser:
+        # Import remote session detection
+        from ..core.remote_session import is_remote_session
+
+        is_remote, reason = is_remote_session()
+        if is_remote:
+            click.echo(click.style(f"Note: {reason}", fg="yellow"))
+            click.echo("Opening browser may not work in remote sessions. Use the URL above to connect manually.")
+
+        click.echo("Opening browser...")
+        try:
+            webbrowser.open(target_url)
+        except Exception as e:
+            click.echo(click.style(f"Could not open browser: {e}", fg="yellow"))
+            click.echo(f"Please open {target_url} manually in your browser.")
+
+    # 8. Run Server
+    try:
+        # Run uvicorn
+        # Disable access_log to avoid noisy polling logs - custom middleware handles important logging
+        uvicorn.run(
+            app,
+            host=host,
+            port=port,
+            log_level="warning",  # Only show warnings and errors from uvicorn
+            access_log=False  # Custom middleware handles request logging
+        )
+    except KeyboardInterrupt:
+        click.echo(click.style("\nServer stopping...", fg="yellow", bold=True))
+    except Exception as e:
+        click.echo(click.style(f"\nServer error: {e}", fg="red", bold=True))
+        ctx.exit(1)
+    finally:
+        # Clean up cloud session if registered
+        if session_manager is not None:
+            click.echo("Deregistering from PDD Cloud...")
+            try:
+                from ..remote_session import set_active_session_manager
+                asyncio.run(session_manager.stop_heartbeat())
+                asyncio.run(session_manager.deregister())
+                set_active_session_manager(None)
+                click.echo(click.style("Session deregistered.", fg="green"))
+            except Exception as e:
+                click.echo(click.style(f"Warning: Error during session cleanup: {e}", fg="yellow"))
+
+        click.echo(click.style("Goodbye!", fg="blue"))