skill-cli 0.3.0

Command-line interface for the Skill runtime - install, run, and manage AI agent skills
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394

//! Auth provider trait and types for the Skill Engine authentication system.
//!
//! This module defines the core abstractions for authentication providers,
//! supporting OAuth2, API keys, AWS IAM, mTLS, and custom authentication flows.

use anyhow::Result;
use async_trait::async_trait;
use chrono::{DateTime, Utc};
use secrecy::{ExposeSecret, SecretString};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::fmt;

/// Type of authentication supported by a provider.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuthType {
    /// OAuth2 Device Authorization Grant (RFC 8628)
    /// Best for CLI applications - user authenticates in browser
    OAuth2DeviceFlow,

    /// OAuth2 Authorization Code Grant
    /// Requires local HTTP server to receive callback
    OAuth2AuthorizationCode,

    /// OAuth2 Client Credentials Grant
    /// For service-to-service authentication
    OAuth2ClientCredentials,

    /// Simple API key authentication
    ApiKey,

    /// AWS IAM credentials (access key + secret key)
    AwsIam,

    /// Azure Active Directory authentication
    AzureAd,

    /// Mutual TLS certificate authentication
    MutualTls,

    /// Custom authentication provider
    Custom,
}

impl fmt::Display for AuthType {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AuthType::OAuth2DeviceFlow => write!(f, "OAuth2 Device Flow"),
            AuthType::OAuth2AuthorizationCode => write!(f, "OAuth2 Authorization Code"),
            AuthType::OAuth2ClientCredentials => write!(f, "OAuth2 Client Credentials"),
            AuthType::ApiKey => write!(f, "API Key"),
            AuthType::AwsIam => write!(f, "AWS IAM"),
            AuthType::AzureAd => write!(f, "Azure AD"),
            AuthType::MutualTls => write!(f, "Mutual TLS"),
            AuthType::Custom => write!(f, "Custom"),
        }
    }
}

/// Configuration for an authentication provider.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProviderConfig {
    /// Provider identifier (e.g., "github", "aws", "google")
    pub id: String,

    /// Human-readable display name
    pub display_name: String,

    /// Authentication type
    pub auth_type: AuthType,

    /// OAuth2-specific configuration
    #[serde(default)]
    pub oauth2: Option<OAuth2Config>,

    /// API key configuration
    #[serde(default)]
    pub api_key: Option<ApiKeyConfig>,

    /// AWS-specific configuration
    #[serde(default)]
    pub aws: Option<AwsConfig>,

    /// Custom configuration as key-value pairs
    #[serde(default)]
    pub custom: HashMap<String, String>,
}

/// OAuth2-specific provider configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuth2Config {
    /// Device authorization endpoint (for Device Flow)
    pub device_authorization_endpoint: Option<String>,

    /// Authorization endpoint (for Authorization Code Flow)
    pub authorization_endpoint: Option<String>,

    /// Token endpoint
    pub token_endpoint: String,

    /// Token revocation endpoint
    pub revocation_endpoint: Option<String>,

    /// Client ID
    pub client_id: String,

    /// Client secret (optional for public clients)
    #[serde(default)]
    pub client_secret: Option<String>,

    /// Default scopes to request
    #[serde(default)]
    pub scopes: Vec<String>,

    /// Audience parameter (required by some providers)
    pub audience: Option<String>,
}

/// API key provider configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ApiKeyConfig {
    /// Header name for the API key (e.g., "X-API-Key", "Authorization")
    pub header_name: String,

    /// Prefix for the header value (e.g., "Bearer ", "Api-Key ")
    #[serde(default)]
    pub header_prefix: Option<String>,

    /// Environment variable name to map the key to
    pub env_var_name: String,
}

/// AWS-specific provider configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AwsConfig {
    /// AWS region
    pub region: Option<String>,

    /// AWS profile name
    pub profile: Option<String>,

    /// Credential source (environment, profile, imds, ecs)
    pub credential_source: Option<String>,
}

/// Result of a successful authentication.
#[derive(Debug, Clone)]
pub struct AuthResult {
    /// The obtained credentials
    pub credentials: Credentials,

    /// When the credentials expire (if known)
    pub expires_at: Option<DateTime<Utc>>,

    /// Refresh token for obtaining new access tokens
    pub refresh_token: Option<SecretString>,

    /// Granted scopes (may differ from requested)
    pub scopes: Vec<String>,

    /// Additional metadata from the auth response
    pub metadata: HashMap<String, String>,
}

/// Stored credentials for a provider.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Credentials {
    /// Provider that issued these credentials
    pub provider_id: String,

    /// Type of credential
    pub credential_type: CredentialType,

    /// When these credentials expire
    pub expires_at: Option<DateTime<Utc>>,

    /// Scopes granted with these credentials
    #[serde(default)]
    pub scopes: Vec<String>,

    /// Credential data (access token, API key, etc.)
    /// Note: Sensitive values stored separately in keyring
    #[serde(default)]
    pub data: HashMap<String, String>,

    /// Additional metadata
    #[serde(default)]
    pub metadata: HashMap<String, String>,
}

impl Credentials {
    /// Check if these credentials have expired.
    pub fn is_expired(&self) -> bool {
        match self.expires_at {
            Some(expires) => Utc::now() >= expires,
            None => false, // No expiry means never expires
        }
    }

    /// Check if these credentials will expire within the given duration.
    pub fn expires_within(&self, duration: chrono::Duration) -> bool {
        match self.expires_at {
            Some(expires) => Utc::now() + duration >= expires,
            None => false,
        }
    }

    /// Check if these credentials need refresh (expired or expiring soon).
    pub fn needs_refresh(&self) -> bool {
        // Refresh if expiring within 5 minutes
        self.expires_within(chrono::Duration::minutes(5))
    }
}

/// Type of credential stored.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum CredentialType {
    /// OAuth2 access token
    OAuth2AccessToken,

    /// OAuth2 refresh token
    OAuth2RefreshToken,

    /// Simple API key
    ApiKey,

    /// AWS access key ID
    AwsAccessKeyId,

    /// AWS secret access key
    AwsSecretAccessKey,

    /// AWS session token
    AwsSessionToken,

    /// Client certificate
    Certificate,

    /// Client private key
    PrivateKey,

    /// Generic secret
    Secret,
}

/// Status of authentication for a provider.
#[derive(Debug, Clone)]
pub struct AuthStatus {
    /// Provider ID
    pub provider_id: String,

    /// Provider display name
    pub display_name: String,

    /// Whether authenticated
    pub authenticated: bool,

    /// Associated skill (if any)
    pub skill: Option<String>,

    /// Associated instance (if any)
    pub instance: Option<String>,

    /// When credentials expire
    pub expires_at: Option<DateTime<Utc>>,

    /// Granted scopes
    pub scopes: Vec<String>,

    /// Human-readable status message
    pub message: String,
}

/// Trait for authentication providers.
///
/// Providers handle the authentication flow for their specific auth type,
/// including token refresh and revocation.
#[async_trait]
pub trait AuthProvider: Send + Sync {
    /// Get the provider's unique identifier.
    fn id(&self) -> &str;

    /// Get the provider's human-readable display name.
    fn display_name(&self) -> &str;

    /// Get the authentication type this provider uses.
    fn auth_type(&self) -> AuthType;

    /// Get the provider's configuration.
    fn config(&self) -> &ProviderConfig;

    /// Initiate the authentication flow.
    ///
    /// For OAuth2 Device Flow, this returns instructions for the user
    /// (URL to visit, code to enter) and polls for completion.
    ///
    /// For API key auth, this prompts for the key interactively.
    async fn authenticate(&self, scopes: Option<Vec<String>>) -> Result<AuthResult>;

    /// Refresh credentials using a refresh token.
    ///
    /// Returns new credentials if refresh succeeds, or an error if
    /// re-authentication is required.
    async fn refresh(&self, credentials: &Credentials, refresh_token: &SecretString) -> Result<AuthResult>;

    /// Validate that credentials are still valid.
    ///
    /// This may make a test API call or introspect the token.
    async fn validate(&self, credentials: &Credentials) -> Result<bool>;

    /// Revoke credentials (logout).
    ///
    /// This invalidates the credentials with the provider.
    async fn revoke(&self, credentials: &Credentials) -> Result<()>;

    /// Convert credentials to configuration map for skills.
    ///
    /// Returns a map of environment variable names to values that
    /// will be passed to skills via get-config().
    fn to_skill_config(&self, credentials: &Credentials) -> HashMap<String, String>;

    /// Get the list of secret keys that should be stored in keyring.
    ///
    /// These are the keys from to_skill_config() that contain sensitive
    /// values and should be stored securely rather than in plain config.
    fn secret_keys(&self) -> Vec<&str>;
}

/// Device authorization response from OAuth2 Device Flow.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DeviceAuthorizationResponse {
    /// Device code for polling
    pub device_code: String,

    /// User code to enter at verification URI
    pub user_code: String,

    /// URI for user to visit
    pub verification_uri: String,

    /// Optional URI with code pre-filled
    pub verification_uri_complete: Option<String>,

    /// Seconds until device code expires
    pub expires_in: u64,

    /// Minimum seconds between polling requests
    pub interval: u64,
}

/// Token response from OAuth2 token endpoint.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenResponse {
    /// Access token
    pub access_token: String,

    /// Token type (usually "Bearer")
    pub token_type: String,

    /// Seconds until access token expires
    pub expires_in: Option<u64>,

    /// Refresh token for obtaining new access tokens
    pub refresh_token: Option<String>,

    /// Granted scopes (space-separated)
    pub scope: Option<String>,
}

/// Error response from OAuth2 endpoints.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuth2Error {
    /// Error code
    pub error: String,

    /// Human-readable error description
    pub error_description: Option<String>,

    /// URI with more information
    pub error_uri: Option<String>,
}

impl fmt::Display for OAuth2Error {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match &self.error_description {
            Some(desc) => write!(f, "{}: {}", self.error, desc),
            None => write!(f, "{}", self.error),
        }
    }
}

impl std::error::Error for OAuth2Error {}