wizelit-client 0.1.18__tar.gz

wizelit_client-0.1.18/.gitignore

@@ -0,0 +1,47 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+dist/
+build/
+.cli_bundle/
+.agent/
+.venv/
+*.egg
+
+# Node
+node_modules/
+dist/
+
+# Environment
+.env
+!.env.template
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Data
+data/
+
+# Test
+.pytest_cache/
+.coverage
+htmlcov/
+videos/
+
+# Build
+*.whl
+
+# AWS CDK
+cdk.out/
+cdk.context.json
+
+local_*

wizelit_client-0.1.18/PKG-INFO

@@ -0,0 +1,26 @@
+Metadata-Version: 2.4
+Name: wizelit-client
+Version: 0.1.18
+Summary: Wizelit client auth — device-link pairing and credential storage for CLI and ACP
+Author-email: Wizeline <engineering@wizeline.com>
+License-Expression: MIT
+Keywords: acp,auth,cli,wizelit
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Requires-Python: >=3.12
+Requires-Dist: httpx>=0.27.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.24.0; extra == 'dev'
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# wizelit-client
+
+Shared device-link authentication and credential storage for Wizelit CLI and ACP clients.
+
+Credentials are stored in `~/.wizelit/credentials.json` after browser pairing.

wizelit_client-0.1.18/README.md

@@ -0,0 +1,5 @@
+# wizelit-client
+
+Shared device-link authentication and credential storage for Wizelit CLI and ACP clients.
+
+Credentials are stored in `~/.wizelit/credentials.json` after browser pairing.

wizelit_client-0.1.18/pyproject.toml

@@ -0,0 +1,41 @@
+[project]
+name = "wizelit-client"
+version = "0.1.18"
+description = "Wizelit client auth — device-link pairing and credential storage for CLI and ACP"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.12"
+authors = [{ name = "Wizeline", email = "engineering@wizeline.com" }]
+keywords = ["wizelit", "auth", "cli", "acp"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+]
+dependencies = [
+    "httpx>=0.27.0",
+]
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["wizelit_client"]
+
+[tool.hatch.build.targets.sdist]
+include = ["LICENSE", "README.md", "wizelit_client/**/*.py"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0.0",
+    "pytest-asyncio>=0.24.0",
+]

wizelit_client-0.1.18/wizelit_client/__init__.py

@@ -0,0 +1,5 @@
+"""Shared client auth for Wizelit CLI and ACP."""
+
+from importlib.metadata import version
+
+__version__ = version("wizelit-client")

wizelit_client-0.1.18/wizelit_client/auth.py

@@ -0,0 +1,54 @@
+"""Shared hub authentication for Wizelit CLI and ACP clients."""
+
+from __future__ import annotations
+
+import asyncio
+from collections.abc import Awaitable, Callable
+
+from wizelit_client.credentials import delete_credentials, load_credentials
+from wizelit_client.device_login import pair_device
+from wizelit_client.user_config import resolve_hub_api_url
+
+StatusCallback = Callable[[str], Awaitable[None] | None]
+
+
+def resolve_credentials() -> tuple[str, str] | None:
+    """Return saved ``(token, api_base)`` when they match the resolved hub URL."""
+    creds = load_credentials()
+    if not creds:
+        return None
+    if creds["api_base"].rstrip("/") != resolve_hub_api_url().rstrip("/"):
+        return None
+    return creds["token"], creds["api_base"]
+
+
+async def _emit_status(on_status: StatusCallback | None, msg: str) -> None:
+    if on_status is None:
+        return
+    result = on_status(msg)
+    if asyncio.iscoroutine(result):
+        await result
+
+
+async def ensure_authenticated(
+    *,
+    client_name: str,
+    on_status: StatusCallback | None = None,
+    force_pair: bool = False,
+) -> tuple[str, str] | None:
+    """Load saved credentials or run device-link pairing."""
+    if not force_pair:
+        resolved = resolve_credentials()
+        if resolved is not None:
+            return resolved
+
+    if force_pair:
+        delete_credentials()
+        await _emit_status(
+            on_status,
+            "Hub credentials were rejected. Starting a new device-link pairing…",
+        )
+    else:
+        await _emit_status(on_status, "No hub credentials found. Starting device-link pairing…")
+
+    return await pair_device(client_name=client_name, on_status=on_status)

wizelit_client-0.1.18/wizelit_client/credentials.py

@@ -0,0 +1,67 @@
+"""Read/write hub credentials for Wizelit CLI and ACP clients."""
+
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+from typing import TypedDict
+
+
+class WizelitCredentials(TypedDict):
+    token: str
+    api_base: str
+
+
+def credentials_path() -> Path:
+    override = os.environ.get("WIZELIT_CREDENTIALS_FILE")
+    if override:
+        return Path(override).expanduser()
+    return Path.home() / ".wizelit" / "credentials.json"
+
+
+def load_credentials() -> WizelitCredentials | None:
+    path = credentials_path()
+    try:
+        raw = path.read_text(encoding="utf-8")
+        data = json.loads(raw)
+        token = data.get("token")
+        api_base = data.get("api_base")
+        if isinstance(token, str) and token.startswith("wiz_") and isinstance(api_base, str):
+            return {"token": token, "api_base": api_base.rstrip("/")}
+    except (OSError, json.JSONDecodeError, TypeError):
+        return None
+    return None
+
+
+def _restrict_credentials_dir(path: Path) -> None:
+    """Tighten ``~/.wizelit`` so only the owner can traverse it."""
+    if os.environ.get("WIZELIT_CREDENTIALS_FILE") is not None:
+        return
+    try:
+        os.chmod(path, 0o700)
+    except OSError:
+        pass
+
+
+def save_credentials(token: str, api_base: str) -> Path:
+    path = credentials_path()
+    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
+    _restrict_credentials_dir(path.parent)
+    payload = {"token": token, "api_base": api_base.rstrip("/")}
+    data = json.dumps(payload, indent=2) + "\n"
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+    with os.fdopen(fd, "w", encoding="utf-8") as handle:
+        handle.write(data)
+    return path
+
+
+def delete_credentials() -> bool:
+    path = credentials_path()
+    try:
+        path.unlink()
+        return True
+    except FileNotFoundError:
+        return False
+    except OSError:
+        return False

wizelit_client-0.1.18/wizelit_client/device_login.py

@@ -0,0 +1,142 @@
+"""Device-link login for Wizelit CLI and ACP clients."""
+
+from __future__ import annotations
+
+import asyncio
+import json
+import os
+import sys
+import time
+import webbrowser
+from collections.abc import Awaitable, Callable
+from typing import Any
+
+import httpx
+
+from wizelit_client.credentials import delete_credentials, load_credentials, save_credentials
+from wizelit_client.transport_security import require_secure_transport
+from wizelit_client.user_config import resolve_hub_api_url
+
+StatusCallback = Callable[[str], Awaitable[None] | None]
+
+
+def api_url() -> str:
+    return resolve_hub_api_url()
+
+
+def _log(msg: str) -> None:
+    print(f"wizelit: {msg}", file=sys.stderr, flush=True)
+
+
+async def _notify(on_status: StatusCallback | None, msg: str) -> None:
+    _log(msg)
+    if on_status is None:
+        return
+    result = on_status(msg)
+    if asyncio.iscoroutine(result):
+        await result
+
+
+async def pair_device(
+    *,
+    client_name: str | None = None,
+    on_status: StatusCallback | None = None,
+    open_browser: bool = True,
+) -> tuple[str, str] | None:
+    """Start device-link pairing and return ``(token, api_base)`` when approved."""
+    api_base = api_url()
+    try:
+        require_secure_transport(api_base)
+    except ValueError as exc:
+        await _notify(on_status, str(exc))
+        return None
+
+    payload: dict[str, str] = {}
+    if client_name:
+        payload["clientName"] = client_name
+
+    async with httpx.AsyncClient(timeout=30.0) as client:
+        start_resp = await client.post(f"{api_base}/api/auth/device", json=payload or None)
+        if start_resp.status_code != 200:
+            await _notify(
+                on_status,
+                f"Device pairing failed to start ({start_resp.status_code}). "
+                "Is the Wizelit backend running?",
+            )
+            return None
+
+        start = start_resp.json()
+        device_code = start["deviceCode"]
+        verification_uri = start.get("verificationUriComplete") or start["verificationUri"]
+        interval = max(1, int(start.get("interval", 5)))
+        expires_in = int(start.get("expiresIn", 600))
+
+        await _notify(
+            on_status,
+            f"Approve pairing in your browser: {verification_uri} (expires in {expires_in}s)",
+        )
+        if open_browser:
+            try:
+                webbrowser.open(verification_uri)
+            except Exception:
+                await _notify(
+                    on_status,
+                    "Could not open a browser automatically — open the URL above manually.",
+                )
+
+        deadline = time.monotonic() + expires_in
+        while time.monotonic() < deadline:
+            await asyncio.sleep(interval)
+            poll_resp = await client.post(
+                f"{api_base}/api/auth/device/token",
+                json={"deviceCode": device_code},
+            )
+            if poll_resp.status_code == 200:
+                token = poll_resp.json()["token"]
+                cred_path = save_credentials(token, api_base)
+                await _notify(on_status, f"Pairing complete. Credentials saved to {cred_path}")
+                return token, api_base
+
+            try:
+                detail: Any = poll_resp.json().get("detail")
+            except json.JSONDecodeError:
+                detail = poll_resp.text
+            if isinstance(detail, dict):
+                err = detail.get("error")
+                if err == "authorization_pending":
+                    continue
+                if err == "slow_down":
+                    retry = float(detail.get("retryAfter", interval))
+                    interval = min(interval + 5, 60)
+                    await asyncio.sleep(max(retry, 0.1))
+                    continue
+            await _notify(on_status, f"Device poll failed ({poll_resp.status_code}): {detail}")
+            return None
+
+    await _notify(on_status, "Timed out waiting for browser authorization.")
+    return None
+
+
+async def run_device_login(*, client_name: str | None = None) -> int:
+    paired = await pair_device(client_name=client_name)
+    return 0 if paired is not None else 1
+
+
+async def run_device_logout() -> int:
+    creds = load_credentials()
+    if creds:
+        try:
+            require_secure_transport(creds["api_base"])
+            async with httpx.AsyncClient(timeout=10.0) as client:
+                await client.post(
+                    f"{creds['api_base']}/api/auth/ide-tokens/revoke-current",
+                    headers={"Authorization": f"Bearer {creds['token']}"},
+                )
+        except Exception as exc:
+            _log(f"server revoke skipped: {exc}")
+
+    if delete_credentials():
+        _log("removed saved credentials")
+    else:
+        _log("no credentials file found")
+    return 0

wizelit_client-0.1.18/wizelit_client/transport_security.py

@@ -0,0 +1,74 @@
+"""Transport security checks before sending hub bearer tokens."""
+
+from __future__ import annotations
+
+import ipaddress
+import os
+from urllib.parse import urlparse
+
+
+def allow_insecure_transport() -> bool:
+    """Opt-in for sending credentials over plain HTTP/WS to remote hosts."""
+    return os.environ.get("WIZELIT_ALLOW_INSECURE", "").strip().lower() in {
+        "1",
+        "true",
+        "yes",
+        "on",
+    }
+
+
+def is_loopback_host(host: str | None) -> bool:
+    if not host:
+        return False
+    normalized = host.strip("[]").lower()
+    if normalized == "localhost":
+        return True
+    try:
+        return ipaddress.ip_address(normalized).is_loopback
+    except ValueError:
+        return False
+
+
+def is_insecure_remote_plaintext(url: str) -> bool:
+    """True when ``url`` uses plain HTTP or WS to a non-loopback host."""
+    parsed = urlparse(url)
+    if parsed.scheme not in {"http", "ws"}:
+        return False
+    return not is_loopback_host(parsed.hostname)
+
+
+def require_secure_transport(url: str) -> None:
+    """Refuse cleartext hub token transport to remote hosts unless opted in."""
+    if not is_insecure_remote_plaintext(url):
+        return
+    if allow_insecure_transport():
+        return
+    secure_scheme = "wss://" if url.startswith("ws://") else "https://"
+    raise ValueError(
+        f"Refusing to send hub token over plaintext to non-loopback host ({url}). "
+        f"Use {secure_scheme} or set WIZELIT_ALLOW_INSECURE=1 to override (not recommended)."
+    )
+
+
+def is_insecure_remote_http(base_url: str) -> bool:
+    """True when ``base_url`` is plain HTTP to a non-loopback host."""
+    parsed = urlparse(base_url)
+    if parsed.scheme != "http":
+        return False
+    return not is_loopback_host(parsed.hostname)
+
+
+def bearer_auth_headers(base_url: str, token: str | None) -> dict[str, str]:
+    """Build Authorization headers, refusing cleartext token to remote hosts."""
+    if not token:
+        return {}
+    if is_insecure_remote_http(base_url):
+        if allow_insecure_transport():
+            pass
+        else:
+            raise ValueError(
+                f"Refusing to send hub token over plain HTTP to non-loopback host "
+                f"({base_url}). Use https:// or set WIZELIT_ALLOW_INSECURE=1 to "
+                "override (not recommended)."
+            )
+    return {"Authorization": f"Bearer {token}"}

wizelit_client-0.1.18/wizelit_client/user_config.py

@@ -0,0 +1,84 @@
+"""User-local Wizelit client configuration (``~/.wizelit/config.json``)."""
+
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+from typing import Any
+
+from wizelit_client.credentials import credentials_path, load_credentials
+
+_CONFIG_VERSION = 1
+_DEFAULT_API_URL = "http://localhost:8000"
+
+
+def config_dir() -> Path:
+    return credentials_path().parent
+
+
+def config_path() -> Path:
+    override = os.environ.get("WIZELIT_CONFIG_FILE")
+    if override:
+        return Path(override).expanduser()
+    return config_dir() / "config.json"
+
+
+def load_config() -> dict[str, Any]:
+    path = config_path()
+    try:
+        raw = path.read_text(encoding="utf-8")
+        data = json.loads(raw)
+        return data if isinstance(data, dict) else {}
+    except (OSError, json.JSONDecodeError):
+        return {}
+
+
+def save_config(data: dict[str, Any]) -> Path:
+    path = config_path()
+    path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
+    try:
+        os.chmod(path.parent, 0o700)
+    except OSError:
+        pass
+    payload = {"version": _CONFIG_VERSION, **data}
+    text = json.dumps(payload, indent=2) + "\n"
+    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+    with os.fdopen(fd, "w", encoding="utf-8") as handle:
+        handle.write(text)
+    return path
+
+
+def resolve_hub_api_url() -> str:
+    """Hub REST base URL: env → config.json → credentials.json → default."""
+    if raw := os.environ.get("WIZELIT_API_URL"):
+        return raw.rstrip("/")
+
+    config = load_config()
+    api_url = config.get("api_url")
+    if isinstance(api_url, str) and api_url.strip():
+        return api_url.strip().rstrip("/")
+
+    creds = load_credentials()
+    if creds:
+        return creds["api_base"].rstrip("/")
+
+    return _DEFAULT_API_URL
+
+
+def apply_config_to_environ() -> None:
+    """Load ``config.json`` values into the process env (existing env wins)."""
+    config = load_config()
+
+    api_url = config.get("api_url")
+    if isinstance(api_url, str) and api_url.strip() and not os.getenv("WIZELIT_API_URL"):
+        os.environ["WIZELIT_API_URL"] = api_url.strip().rstrip("/")
+
+    env_block = config.get("env")
+    if not isinstance(env_block, dict):
+        return
+    for key, value in env_block.items():
+        if not isinstance(key, str) or not isinstance(value, str):
+            continue
+        if not os.getenv(key):
+            os.environ[key] = value