pdd-cli 0.0.90__py3-none-any.whl → 0.0.118__py3-none-any.whl

pdd/get_jwt_token.py

@@ -1,5 +1,12 @@
 import asyncio
+import base64
+import json
+import os
+import subprocess
+import sys
 import time
+import webbrowser
+from pathlib import Path
 from typing import Dict, Optional, Tuple
 
 # Cross-platform keyring import with fallback for WSL compatibility
@@ -39,6 +46,195 @@ class RateLimitError(AuthError):
     """Raised when rate limits are exceeded."""
     pass
 
+
+# JWT file cache path (Issue #273 - reduces keyring access to avoid password prompts)
+JWT_CACHE_FILE = Path.home() / ".pdd" / "jwt_cache"
+
+
+def _decode_jwt_payload(token: str) -> Dict:
+    """
+    Decode JWT payload without verification to extract claims.
+
+    Args:
+        token: The JWT token string.
+
+    Returns:
+        Dict containing the JWT payload claims, or empty dict on error.
+    """
+    try:
+        # JWT is header.payload.signature
+        parts = token.split(".")
+        if len(parts) != 3:
+            return {}
+
+        payload = parts[1]
+        # Add padding if needed for base64 decoding
+        padding = len(payload) % 4
+        if padding:
+            payload += "=" * (4 - padding)
+
+        decoded = base64.urlsafe_b64decode(payload)
+        return json.loads(decoded)
+    except Exception:
+        return {}
+
+def _get_expected_jwt_audience() -> Optional[str]:
+    """
+    Determine the expected JWT audience based on PDD_ENV.
+
+    This keeps the JWT cache environment-aware when PDD_ENV is set
+    (e.g., staging vs prod) without changing the public API.
+    """
+    explicit_aud = os.environ.get("PDD_JWT_EXPECTED_AUD")
+    if explicit_aud:
+        return explicit_aud
+
+    env = (os.environ.get("PDD_ENV") or "").lower()
+    if not env or env == "local":
+        return None
+
+    project_id = os.environ.get("PDD_PROJECT_ID") or os.environ.get("GOOGLE_CLOUD_PROJECT")
+    if project_id:
+        return project_id
+
+    if env in ("prod", "production"):
+        return "prompt-driven-development"
+    if env == "staging":
+        return os.environ.get("STAGING_PROJECT_ID") or "prompt-driven-development-stg"
+    return None
+
+
+def _get_jwt_audience(jwt: str) -> Optional[str]:
+    """Extract the aud claim without verifying the signature."""
+    try:
+        parts = jwt.split(".")
+        if len(parts) < 2:
+            return None
+        payload_part = parts[1] + "=" * (-len(parts[1]) % 4)
+        payload_bytes = base64.urlsafe_b64decode(payload_part.encode("utf-8"))
+        payload = json.loads(payload_bytes.decode("utf-8"))
+        return payload.get("aud") or payload.get("firebase", {}).get("aud")
+    except Exception:
+        return None
+
+
+def _get_cached_jwt(verbose: bool = False) -> Optional[str]:
+    """
+    Get cached JWT if it exists and is not expired.
+
+    Args:
+        verbose: If True, print helpful messages when cache is invalid
+
+    Returns:
+        Optional[str]: The cached JWT if valid, None otherwise.
+    """
+    if not JWT_CACHE_FILE.exists():
+        return None
+    try:
+        with open(JWT_CACHE_FILE, 'r') as f:
+            cache = json.load(f)
+        # Check expiration with 5 minute buffer
+        expires_at = cache.get('expires_at', 0)
+        current_time = time.time()
+        if expires_at > current_time + 300:
+            # Check both 'id_token' (new) and 'jwt' (legacy) keys for backwards compatibility
+            jwt = cache.get('id_token') or cache.get('jwt')
+            expected_aud = _get_expected_jwt_audience()
+            if expected_aud:
+                actual_aud = _get_jwt_audience(jwt or "")
+                if actual_aud != expected_aud:
+                    if verbose:
+                        print(f"JWT cache invalidated: audience mismatch")
+                        print(f"  Expected: {expected_aud}")
+                        print(f"  Got:      {actual_aud}")
+                        print(f"  This usually means you switched environments (staging vs prod)")
+                        print(f"  Clearing cache and re-authenticating...")
+                    try:
+                        JWT_CACHE_FILE.unlink()
+                    except OSError:
+                        pass
+                    return None
+            return jwt
+        else:
+            if verbose:
+                time_remaining = expires_at - current_time
+                if time_remaining < 0:
+                    print(f"JWT cache invalidated: token expired {int(-time_remaining / 60)} minutes ago")
+                else:
+                    print(f"JWT cache invalidated: token expires soon (in {int(time_remaining / 60)} minutes)")
+    except (json.JSONDecodeError, IOError, KeyError) as e:
+        if verbose:
+            print(f"JWT cache invalidated: corrupted cache file ({e})")
+        # Cache corrupted, delete it
+        try:
+            JWT_CACHE_FILE.unlink()
+        except OSError:
+            pass
+    return None
+
+
+def _cache_jwt(jwt: str, expires_in: int = 3600) -> None:
+    """
+    Cache JWT with expiration time.
+
+    Args:
+        jwt: The JWT token to cache.
+        expires_in: Fallback time in seconds if exp claim cannot be extracted (default: 3600 = 1 hour).
+    """
+    try:
+        JWT_CACHE_FILE.parent.mkdir(parents=True, exist_ok=True)
+
+        # Try to extract actual expiration from JWT's exp claim
+        payload = _decode_jwt_payload(jwt)
+        exp_claim = payload.get('exp')
+        if exp_claim:
+            expires_at = exp_claim
+        else:
+            # Fallback to calculated expiration if exp claim not found
+            expires_at = time.time() + expires_in
+
+        cache = {
+            'id_token': jwt,  # Use 'id_token' key to match auth.py format
+            'expires_at': expires_at,
+            'cached_at': time.time()
+        }
+        with open(JWT_CACHE_FILE, 'w') as f:
+            json.dump(cache, f)
+        # Secure the file (user read/write only)
+        os.chmod(JWT_CACHE_FILE, 0o600)
+    except (IOError, OSError) as e:
+        # Cache write failed, continue without caching
+        print(f"Warning: Failed to cache JWT: {e}")
+
+
+def _macos_force_delete_keychain_item(service_name: str, account_name: str) -> bool:
+    """
+    Force delete a keychain item using macOS security command.
+
+    This is a fallback when keyring.delete_password() fails due to ACL issues
+    in subprocess contexts (e.g., pytest-xdist workers).
+
+    Args:
+        service_name: The keychain service name
+        account_name: The keychain account name
+
+    Returns:
+        bool: True if deletion succeeded or item didn't exist, False otherwise
+    """
+    if sys.platform != 'darwin':
+        return False
+
+    try:
+        result = subprocess.run(
+            ['security', 'delete-generic-password', '-s', service_name, '-a', account_name],
+            capture_output=True, text=True, timeout=10
+        )
+        # 0 = success, 44 = item not found (also acceptable)
+        return result.returncode in (0, 44)
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+        return False
+
+
 class DeviceFlow:
     """
     Handles the GitHub Device Flow authentication process.
@@ -139,15 +335,62 @@ class FirebaseAuthenticator:
         self.keyring_service_name = f"firebase-auth-{app_name}"
         self.keyring_user_name = "refresh_token"
 
-    def _store_refresh_token(self, refresh_token: str):
-        """Stores the Firebase refresh token in the system keyring."""
+    def _store_refresh_token(self, refresh_token: str) -> bool:
+        """
+        Stores the Firebase refresh token in the system keyring.
+
+        Handles the macOS errSecDuplicateItem (-25299) error by attempting
+        to force-delete the existing item and retrying.
+
+        Args:
+            refresh_token: The Firebase refresh token to store
+
+        Returns:
+            bool: True if storage succeeded, False otherwise
+        """
         if not KEYRING_AVAILABLE or keyring is None:
             print("Warning: No keyring available, refresh token not stored")
-            return
-        try:
-            keyring.set_password(self.keyring_service_name, self.keyring_user_name, refresh_token)
-        except Exception as e:
-            print(f"Warning: Failed to store refresh token in keyring: {e}")
+            return False
+
+        max_retries = 2
+
+        for attempt in range(max_retries):
+            try:
+                keyring.set_password(
+                    self.keyring_service_name,
+                    self.keyring_user_name,
+                    refresh_token
+                )
+                return True
+            except Exception as e:
+                error_str = str(e)
+
+                # Check for errSecDuplicateItem (-25299) on macOS
+                is_duplicate_error = '-25299' in error_str
+
+                if is_duplicate_error and attempt < max_retries - 1:
+                    # Try to delete the existing item before retrying
+                    try:
+                        keyring.delete_password(
+                            self.keyring_service_name,
+                            self.keyring_user_name
+                        )
+                    except Exception:
+                        pass  # Ignore delete errors, try force delete
+
+                    # Try macOS-specific force delete
+                    if sys.platform == 'darwin':
+                        _macos_force_delete_keychain_item(
+                            self.keyring_service_name,
+                            self.keyring_user_name
+                        )
+                    continue
+
+                # Non-duplicate error or final retry failed
+                print(f"Warning: Failed to store refresh token in keyring: {e}")
+                return False
+
+        return False
 
     def _get_stored_refresh_token(self) -> Optional[str]:
         """Retrieves the Firebase refresh token from the system keyring."""
@@ -159,21 +402,37 @@ class FirebaseAuthenticator:
             print(f"Warning: Failed to retrieve refresh token from keyring: {e}")
             return None
 
-    def _delete_stored_refresh_token(self):
-        """Deletes the stored Firebase refresh token from the keyring."""
+    def _delete_stored_refresh_token(self) -> bool:
+        """
+        Deletes the stored Firebase refresh token from the keyring.
+
+        Returns:
+            bool: True if deletion succeeded or token didn't exist, False otherwise
+        """
         if not KEYRING_AVAILABLE or keyring is None:
             print("No keyring available. Token deletion skipped.")
-            return
+            return True
+
         try:
             keyring.delete_password(self.keyring_service_name, self.keyring_user_name)
+            return True
         except Exception as e:
-            # Handle both keyring.errors and generic exceptions for cross-platform compatibility
-            if "NoKeyringError" in str(type(e)) or "no keyring" in str(e).lower():
-                print("No keyring found. Token deletion skipped.")
-            elif "PasswordDeleteError" in str(type(e)) or "delete" in str(e).lower():
-                print("Failed to delete token from keyring.")
-            else:
-                print(f"Warning: Error deleting token from keyring: {e}")
+            error_str = str(e)
+
+            # Check if it's a "not found" error (acceptable)
+            if 'PasswordDeleteError' in str(type(e)) or 'not found' in error_str.lower():
+                return True
+
+            # Try macOS force delete as fallback
+            if sys.platform == 'darwin':
+                if _macos_force_delete_keychain_item(
+                    self.keyring_service_name,
+                    self.keyring_user_name
+                ):
+                    return True
+
+            print(f"Warning: Error deleting token from keyring: {e}")
+            return False
 
     async def _refresh_firebase_token(self, refresh_token: str) -> str:
         """
@@ -266,7 +525,12 @@ class FirebaseAuthenticator:
         """
         return bool(id_token)
 
-async def get_jwt_token(firebase_api_key: str, github_client_id: str, app_name: str = "my-cli-app") -> str:
+async def get_jwt_token(
+    firebase_api_key: str,
+    github_client_id: str,
+    app_name: str = "my-cli-app",
+    no_browser: bool = False
+) -> str:
     """
     Get a Firebase ID token using GitHub's Device Flow authentication.
 
@@ -274,6 +538,7 @@ async def get_jwt_token(firebase_api_key: str, github_client_id: str, app_name:
         firebase_api_key: Firebase Web API key
         github_client_id: OAuth client ID for GitHub app
         app_name: Unique name for your CLI application
+        no_browser: If True, skip automatic browser opening (for remote/SSH sessions)
 
     Returns:
         str: A valid Firebase ID token
@@ -283,15 +548,21 @@ async def get_jwt_token(firebase_api_key: str, github_client_id: str, app_name:
         NetworkError: If there are connectivity issues
         TokenError: If token exchange fails
     """
+    # Check JWT cache FIRST to avoid keyring access (Issue #273)
+    cached_jwt = _get_cached_jwt()
+    if cached_jwt:
+        return cached_jwt
+
     firebase_auth = FirebaseAuthenticator(firebase_api_key, app_name)
 
-    # Check for existing refresh token
+    # Check for existing refresh token in keyring
     refresh_token = firebase_auth._get_stored_refresh_token()
     if refresh_token:
         try:
             # Attempt to refresh the token
             id_token = await firebase_auth._refresh_firebase_token(refresh_token)
             if firebase_auth.verify_firebase_token(id_token):
+                _cache_jwt(id_token)  # Cache for next time
                 return id_token
             else:
                 print("Refreshed token is invalid. Attempting re-authentication.")
@@ -311,7 +582,21 @@ async def get_jwt_token(firebase_api_key: str, github_client_id: str, app_name:
     # Display instructions to the user
     print(f"To authenticate, visit: {device_code_response['verification_uri']}")
     print(f"Enter code: {device_code_response['user_code']}")
+    sys.stdout.flush()  # Ensure visibility in piped contexts
+
+    # Open browser only if not explicitly disabled
+    if not no_browser:
+        try:
+            webbrowser.open(device_code_response['verification_uri'])
+            print("Opening browser for authentication...")
+        except Exception as e:
+            print(f"Note: Could not open browser: {e}")
+            print("Please open the URL manually in your browser.")
+    else:
+        print("Browser opening disabled. Please open the URL manually in your browser.")
+
     print("Waiting for authentication...")
+    sys.stdout.flush()
 
     # Poll for GitHub token
     github_token = await device_flow.poll_for_token(
@@ -319,11 +604,15 @@ async def get_jwt_token(firebase_api_key: str, github_client_id: str, app_name:
         device_code_response["interval"],
         device_code_response["expires_in"],
     )
+    print("Authentication successful!")
 
     # Exchange GitHub token for Firebase token
     id_token, refresh_token = await firebase_auth.exchange_github_token_for_firebase_token(github_token)
 
-    # Store refresh token
+    # Store refresh token in keyring
     firebase_auth._store_refresh_token(refresh_token)
 
+    # Cache JWT for subsequent calls
+    _cache_jwt(id_token)
+
     return id_token

pdd/get_language.py

@@ -1,5 +1,5 @@
-import os
 import csv
+from pdd.path_resolution import get_default_resolver
 
 def get_language(extension: str) -> str:
     """
@@ -14,10 +14,12 @@ def get_language(extension: str) -> str:
     Raises:
         ValueError: If PDD_PATH environment variable is not set.
     """
-    # Step 1: Load environment variable PDD_PATH
-    pdd_path = os.environ.get('PDD_PATH')
-    if not pdd_path:
-        raise ValueError("PDD_PATH environment variable is not set")
+    # Step 1: Resolve CSV path from PDD_PATH
+    resolver = get_default_resolver()
+    try:
+        csv_path = resolver.resolve_data_file("data/language_format.csv")
+    except ValueError as exc:
+        raise ValueError("PDD_PATH environment variable is not set") from exc
 
     # Step 2: Ensure the extension starts with a dot and convert to lowercase
     if not extension.startswith('.'):
@@ -25,7 +27,6 @@ def get_language(extension: str) -> str:
     extension = extension.lower()
 
     # Step 3 & 4: Look up the language name and handle exceptions
-    csv_path = os.path.join(pdd_path, 'data', 'language_format.csv')
     try:
         with open(csv_path, 'r') as csvfile:
             reader = csv.DictReader(csvfile)
@@ -38,4 +39,4 @@ def get_language(extension: str) -> str:
     except csv.Error as e:
         print(f"Error reading CSV file: {e}")
 
-    return ''  # Return empty string if extension not found or any error occurs
+    return ''  # Return empty string if extension not found or any error occurs

pdd/get_run_command.py

@@ -2,6 +2,7 @@
 
 import os
 import csv
+from pdd.path_resolution import get_default_resolver
 
 
 def get_run_command(extension: str) -> str:
@@ -18,10 +19,12 @@ def get_run_command(extension: str) -> str:
     Raises:
         ValueError: If the PDD_PATH environment variable is not set.
     """
-    # Step 1: Load environment variable PDD_PATH
-    pdd_path = os.environ.get('PDD_PATH')
-    if not pdd_path:
-        raise ValueError("PDD_PATH environment variable is not set")
+    # Step 1: Resolve CSV path from PDD_PATH
+    resolver = get_default_resolver()
+    try:
+        csv_path = resolver.resolve_data_file("data/language_format.csv")
+    except ValueError as exc:
+        raise ValueError("PDD_PATH environment variable is not set") from exc
 
     # Step 2: Ensure the extension starts with a dot and convert to lowercase
     if not extension.startswith('.'):
@@ -29,7 +32,6 @@ def get_run_command(extension: str) -> str:
     extension = extension.lower()
 
     # Step 3: Look up the run command
-    csv_path = os.path.join(pdd_path, 'data', 'language_format.csv')
     try:
         with open(csv_path, 'r') as csvfile:
             reader = csv.DictReader(csvfile)

pdd/insert_includes.py

@@ -1,3 +1,4 @@
+from __future__ import annotations
 from typing import Callable, Optional, Tuple
 from pathlib import Path
 from rich import print
@@ -62,7 +63,7 @@ def insert_includes(
         except FileNotFoundError:
             if verbose:
                 print(f"[yellow]CSV file {csv_filename} not found. Creating empty CSV.[/yellow]")
-            csv_content = "full_path,file_summary,date\n"
+            csv_content = "full_path,file_summary,content_hash\n"
             Path(csv_filename).write_text(csv_content)
 
         # Step 3: Preprocess the prompt template