Octocode MCP

octocode-mcp
packages
octocode-shared

AGENTS.md•18.8 KiB

# AGENTS.md - Octocode Shared > **Location**: `packages/octocode-shared/AGENTS.md` AI agent guidance for the `octocode-shared` package - Shared utilities for credential management, session persistence, and platform detection across Octocode packages. This file **overrides** the root [`AGENTS.md`](../../AGENTS.md) for work within this package. --- ## Overview Octocode Shared provides common utilities used by multiple Octocode packages: - **Credential Management**: Secure token storage with AES-256-GCM encryption - **Session Persistence**: Session state with deferred writes and usage statistics - **Platform Detection**: Cross-platform path and environment utilities - **Keychain Integration**: Native file storage access via `file storage-napi` **Key Consumers**: `octocode-cli`, `octocode-mcp` --- ## 🛠️ Commands All commands run from this package directory (`packages/octocode-shared/`). | Task | Command | Description | |------|---------|-------------| | **Build** | `yarn build` | Lint + compile TypeScript | | **Build (Dev)** | `yarn build:dev` | Compile without lint | | **Clean** | `yarn clean` | Remove `dist/` directory | | **Test** | `yarn test` | Run tests with coverage | | **Test (Quiet)** | `yarn test:quiet` | Minimal test output | | **Test (Watch)** | `yarn test:watch` | Watch mode for tests | | **Lint** | `yarn lint` | ESLint check | | **Lint (Fix)** | `yarn lint:fix` | Auto-fix linting issues | | **Typecheck** | `yarn typecheck` | TypeScript type checking | --- ## 📚 Documentation Technical documentation for the shared utilities: | Document | Description | |----------|-------------| | [`CREDENTIALS_ARCHITECTURE.md`](./docs/CREDENTIALS_ARCHITECTURE.md) | Token storage, encryption, file storage integration, refresh flow | | [`SESSION_PERSISTENCE.md`](./docs/SESSION_PERSISTENCE.md) | Deferred writes, exit handlers, statistics tracking | | [`API_REFERENCE.md`](./docs/API_REFERENCE.md) | Complete API documentation for all modules | --- ## 📂 Package Structure ``` src/ ├── index.ts # Package exports │ ├── credentials/ # 🔐 Secure credential storage │ ├── index.ts # Credentials module exports │ ├── file storage.ts # System file storage wrapper (internal) │ ├── storage.ts # AES-256-GCM encrypted storage │ └── types.ts # Credential type definitions │ ├── platform/ # 🖥️ Platform utilities │ ├── index.ts # Platform module exports │ └── platform.ts # OS detection & paths │ └── session/ # 📊 Session persistence ├── index.ts # Session module exports ├── storage.ts # Session storage with deferred writes └── types.ts # Session type definitions ``` ### Tests Structure ``` tests/ ├── credentials/ │ ├── file storage.test.ts # Keychain integration tests │ └── storage.test.ts # Credential storage tests ├── platform/ │ └── platform.test.ts # Platform detection tests └── session/ └── storage.test.ts # Session storage tests ``` --- ## 📦 Module Exports The package provides four entry points: ```typescript // Main entry - all exports import { ... } from 'octocode-shared'; // Credentials only import { ... } from 'octocode-shared/credentials'; // Platform only import { ... } from 'octocode-shared/platform'; // Session only import { ... } from 'octocode-shared/session'; ``` ### Credentials Module | Export | Type | Purpose | |--------|------|---------| | `storeCredentials` | Function | Store encrypted credentials | | `getCredentials` | Function | Retrieve credentials (async, cached) | | `getCredentialsSync` | Function | Retrieve credentials (sync, file only) | | `deleteCredentials` | Function | Remove stored credentials | | `getToken` | Function | Get token for a host (async) | | `getTokenSync` | Function | Get token for a host (sync) | | `getTokenWithRefresh` | Function | Get token with auto-refresh (recommended) | | `resolveToken` | Function | Resolve token from env/storage | | `resolveTokenWithRefresh` | Function | Resolve with auto-refresh | | `resolveTokenFull` | Function | Full resolution with gh CLI fallback | | `refreshAuthToken` | Function | Manually refresh an expired token | | `updateToken` | Function | Update stored token | | `invalidateCredentialsCache` | Function | Invalidate cached credentials | | `listStoredHosts` | Function | List all stored hosts | | `hasCredentials` | Function | Check if credentials exist | | `isTokenExpired` | Function | Check token expiration | | `isRefreshTokenExpired` | Function | Check refresh token expiration | | `initializeSecureStorage` | Function | Initialize file storage-backed storage | | `isSecureStorageAvailable` | Function | Check if secure storage works | | `getTokenFromEnv` | Function | Get token from environment | | `hasEnvToken` | Function | Check for env token | | `OAuthToken` | Type | OAuth token structure | | `StoredCredentials` | Type | Credential data structure | | `TokenSource` | Type | Token origin (env/storage) | | `GetCredentialsOptions` | Type | Options for getCredentials | ### Platform Module | Export | Type | Purpose | |--------|------|---------| | `getPlatform()` | Function | Get current OS (`darwin`, `win32`, `linux`) | | `getConfigPath()` | Function | Platform-specific config directory | | `isWindows()` | Function | Windows detection | | `isMacOS()` | Function | macOS detection | | `isLinux()` | Function | Linux detection | ### Session Module | Export | Type | Purpose | |--------|------|---------| | `readSession` | Function | Read current session from cache/disk | | `writeSession` | Function | Write session (deferred to disk) | | `getOrCreateSession` | Function | Get existing or create new session | | `getSessionId` | Function | Get current session ID | | `deleteSession` | Function | Delete session file | | `flushSession` | Function | Flush pending writes to disk | | `flushSessionSync` | Function | Sync flush for exit handlers | | `updateSessionStats` | Function | Update session statistics | | `incrementToolCalls` | Function | Increment tool call counter | | `incrementPromptCalls` | Function | Increment prompt call counter | | `incrementErrors` | Function | Increment error counter | | `incrementRateLimits` | Function | Increment rate limit counter | | `resetSessionStats` | Function | Reset all statistics | | `SESSION_FILE` | Constant | Path to session file | | `PersistedSession` | Type | Session data structure | | `SessionStats` | Type | Usage statistics structure | | `SessionUpdateResult` | Type | Update result type | | `SessionOptions` | Type | Session creation options | --- ## 🔐 Credential Storage Architecture ### Encryption Details ``` ┌─────────────────────────────────────────────────────────────┐ │ CREDENTIAL STORAGE │ ├─────────────────────────────────────────────────────────────┤ │ │ │ Token → AES-256-GCM Encryption → Base64 → File Storage │ │ │ │ Encryption Key: │ │ └── Stored in system file storage (via file storage-napi) │ │ └── Fallback: File-based key storage │ │ │ │ Storage Location: │ │ └── ~/.octocode/credentials.json │ │ │ └─────────────────────────────────────────────────────────────┘ ``` ### Security Features - **AES-256-GCM**: Authenticated encryption with associated data - **Random IV**: Unique initialization vector per encryption - **Keychain Integration**: Native OS file storage for encryption key - **Secure Fallback**: File-based key when file storage unavailable - **Token Resolution**: Automatic env → storage → gh CLI fallback chain - **Auto-Refresh**: Octocode tokens refreshed automatically when expired (via `@octokit/oauth-methods`) - **In-Memory Cache**: 5-minute TTL with automatic invalidation on credential updates --- ## 📊 Session Storage Architecture ### Session Persistence ``` ┌─────────────────────────────────────────────────────────────┐ │ SESSION STORAGE │ ├─────────────────────────────────────────────────────────────┤ │ │ │ In-Memory Cache ←→ Deferred Writes → File Storage │ │ │ │ Write Strategy: │ │ └── Writes are cached in memory │ │ └── Flushed to disk on timer or explicit flush │ │ └── Sync flush on process exit (SIGINT, SIGTERM) │ │ │ │ Storage Location: │ │ └── ~/.octocode/session.json │ │ │ │ Data Tracked: │ │ └── sessionId, createdAt, lastActiveAt │ │ └── stats: toolCalls, promptCalls, errors, rateLimits │ │ │ └─────────────────────────────────────────────────────────────┘ ``` ### Session Features - **Deferred Writes**: Batches writes for performance - **In-Memory Caching**: Fast reads from memory - **Exit Handlers**: Automatic flush on process exit - **Statistics Tracking**: Tool calls, prompts, errors, rate limits - **Atomic Counters**: Thread-safe stat increments --- ## 📦 Package Guidelines These are the core principles for this shared package: 1. **Minimal Dependencies**: Only `file storage-napi` for file storage access. 2. **Cross-Platform**: Must work on macOS, Linux, and Windows. 3. **Type-Safe Exports**: Full TypeScript types with strict mode. 4. **Security First**: All credential operations use encryption. 5. **Performance**: Session writes are deferred for efficiency. 6. **Minimal API Surface**: Export only what's needed by consumers. --- ## 🏗️ Architecture Patterns ### Token Resolution Flow ``` resolveTokenFull(options) ↓ getTokenFromEnv() ← Checked first (highest priority, NO REFRESH) ├── 1. Check OCTOCODE_TOKEN ├── 2. Check GH_TOKEN ├── 3. Check GITHUB_TOKEN └── Return { token, source: 'env:*' } if found (user manages these) ↓ getTokenWithRefresh(host) ← ONLY OCTOCODE TOKENS ARE REFRESHED ├── Read from in-memory cache (5-min TTL) ├── Fallback to file storage or encrypted storage ├── Auto-refresh if token expired (using @octokit/oauth-methods) └── Return { token, source: 'file storage'|'file' } if found ↓ getGhCliToken(host) ← Fallback (NO REFRESH - gh CLI manages its own tokens) └── Return { token, source: 'gh-cli' } if found ↓ Return result or null ``` ### Token Refresh Policy | Token Source | Auto-Refresh? | Reason | |--------------|---------------|--------| | **Env vars** (`OCTOCODE_TOKEN`, `GH_TOKEN`, `GITHUB_TOKEN`) | ❌ No | User-managed tokens | | **Octocode credentials** (file storage/file) | ✅ If supported | GitHub App tokens only (see below) | | **gh CLI token** | ❌ No | gh CLI handles its own token refresh | **Token Type Support:** | Token Type | Expires? | Refresh Token? | Auto-Refresh? | |------------|----------|----------------|---------------| | **GitHub App user tokens** | ✅ 8 hours | ✅ Yes | ✅ Yes | | **OAuth App tokens** (classic) | ❌ Never | ❌ No | ❌ N/A | **Note:** Only tokens with a `refreshToken` field are auto-refreshed. OAuth App tokens never expire and don't need refresh. Octocode uses a GitHub App, so tokens from `octocode login` support auto-refresh. ### Credentials Caching ``` ┌─────────────────────────────────────────────────────────────┐ │ IN-MEMORY CREDENTIALS CACHE │ ├─────────────────────────────────────────────────────────────┤ │ │ │ Cache TTL: 5 minutes (matches token expiry buffer) │ │ │ │ Cache Invalidation: │ │ └── storeCredentials() → invalidates hostname │ │ └── deleteCredentials() → invalidates hostname │ │ └── updateToken() → calls storeCredentials() │ │ └── refreshAuthToken() → calls updateToken() │ │ │ │ Bypass Cache: │ │ └── getCredentials(host, { bypassCache: true }) │ │ │ │ Manual Invalidation: │ │ └── invalidateCredentialsCache(hostname?) │ │ │ └─────────────────────────────────────────────────────────────┘ ``` ### Session Write Flow ``` writeSession(session) ↓ cachedSession = session isDirty = true ↓ registerExitHandlers() (once) ├── SIGINT → flushSessionSync() ├── SIGTERM → flushSessionSync() └── beforeExit → flushSessionSync() ↓ startFlushTimer() └── setTimeout → flushSession() → writeSessionToDisk() ``` ### Key Management ``` ┌─────────────────────────────────────────────────────────────┐ │ KEY MANAGEMENT │ ├─────────────────────────────────────────────────────────────┤ │ │ │ Primary: System Keychain (file storage-napi) │ │ └── Service: "octocode" │ │ └── Account: "encryption-key" │ │ │ │ Fallback: File-Based Key │ │ └── Location: ~/.octocode/.key │ │ └── Used when file storage unavailable │ │ │ └─────────────────────────────────────────────────────────────┘ ``` --- ## 🛡️ Safety & Permissions ### Package-Level Access | Path | Access | Description | |------|--------|-------------| | `src/` | ✅ FULL | Source code | | `tests/` | ✅ FULL | Test files | | `*.json`, `*.config.*` | ⚠️ ASK | Package configs | | `dist/`, `coverage/`, `node_modules/` | ❌ NEVER | Generated files | ### Protected Files - **Never Modify**: `dist/`, `coverage/`, `node_modules/` - **Ask Before Modifying**: `package.json`, `tsconfig.json`, `vitest.config.ts` ### Security Considerations - **Key Isolation**: Encryption keys never leave the system file storage - **No Plaintext Storage**: Tokens are always encrypted at rest - **Env Variable Priority**: Environment tokens take precedence - **Deferred Writes**: Session data is flushed safely on exit --- ## 🧪 Testing Protocol ### Requirements - **Coverage**: 90% required (Statements, Branches, Functions, Lines) - **Framework**: Vitest with v8 coverage ### Test Categories | Category | Path | Purpose | |----------|------|---------| | Unit | `tests/credentials/storage.test.ts` | Encryption/decryption, token management | | Unit | `tests/credentials/file storage.test.ts` | Keychain integration | | Unit | `tests/platform/platform.test.ts` | OS detection, path resolution | | Unit | `tests/session/storage.test.ts` | Session persistence, stats, flushing | ### Running Tests ```bash yarn test # Full test with coverage yarn test:watch # Watch mode yarn test:quiet # Minimal output ``` --- ## 📝 Development Notes ### Adding New Modules 1. Create module directory under `src/` 2. Add `index.ts` with exports 3. Update `src/index.ts` to re-export 4. Add export path in `package.json` exports field 5. Create corresponding test file ### Dependencies | Dependency | Purpose | |------------|---------| | `file storage-napi` | Native file storage access | | `@octokit/oauth-methods` | GitHub OAuth token refresh | | `@octokit/request` | HTTP requests to GitHub API | ### Build Output ``` dist/ ├── index.js # Main entry ├── index.d.ts # Type declarations ├── credentials/ # Credentials module │ ├── index.js │ ├── index.d.ts │ ├── file storage.js # Internal file storage wrapper │ ├── storage.js │ └── types.d.ts ├── platform/ # Platform module │ ├── index.js │ ├── index.d.ts │ └── platform.js └── session/ # Session module ├── index.js ├── index.d.ts ├── storage.js └── types.d.ts ```

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/bgauryy/octocode-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

AGENTS.md•18.8 KiB