feat: add vibe-auth authentication module #74
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add foundational utility module for vibe functionality: - HTTP fetch with timeout and retry logic - Exponential backoff for transient failures - URL validation and security checks - Verbose logging utilities - Error handling with error-causes This is the first module in the vibe command implementation, providing shared functionality for authentication, file handling, code generation, and publishing modules. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Add authentication module for Vibecodr API access: - PKCE (Proof Key for Code Exchange) flow support - Token storage with secure file permissions - Automatic token refresh with configurable buffer - Windows permission remediation for credential files - Session state management Depends on: vibe-utils Co-Authored-By: Claude Opus 4.5 <[email protected]>
3 tasks
Braden-sui
added a commit
to Braden-sui/aidd
that referenced
this pull request
Jan 8, 2026
Add API discovery, code generation, and publishing modules: jiron-discovery: - API contract discovery from Jiron endpoints - Schema extraction and validation - Endpoint metadata collection vibe-generate: - AI-powered code generation - Template-based output formatting - Multi-file generation support vibe-publish: - Capsule packaging and upload - Authentication retry with token refresh - Progress tracking and error handling Depends on: vibe-utils (paralleldrive#73), vibe-auth (paralleldrive#74), vibe-prompt (paralleldrive#75) Co-Authored-By: Claude Opus 4.5 <[email protected]>
4 tasks
Braden-sui
added a commit
to Braden-sui/aidd
that referenced
this pull request
Jan 8, 2026
Add orchestration layer and CLI support for vibe command: vibe-core: - Main orchestration module coordinating all vibe operations - Authentication flow management - File collection and validation - Code generation and publishing pipeline CLI integration: - Add --vibe, --title, --prompt options to aidd CLI - Validation and error handling for vibe options - Help text and usage examples Also includes: - Windows permission remediation documentation - Updated cli-vibes reference implementation Depends on: paralleldrive#73, paralleldrive#74, paralleldrive#75, paralleldrive#76 Co-Authored-By: Claude Opus 4.5 <[email protected]>
3 tasks
Two security fixes for vibe-utils: 1. fetchWithTimeout - AbortSignal combination (P2) - Previously overwrote caller-provided signals with timeout signal - Now uses AbortSignal.any() to combine timeout and external signals - External cancellation (user abort) is now properly respected - Distinguishes timeout aborts from external aborts in error handling 2. isPathSafe - UNC path detection (P2) - Previously only checked for Unix and Windows drive letter absolute paths - UNC paths like \server\share bypassed validation - Now detects UNC paths (\\) as absolute paths and rejects them Both fixes include comprehensive test coverage. Co-Authored-By: Claude Opus 4.5 <[email protected]>
Extends absolute path detection to catch single-backslash root-relative paths like \Windows\System32 which resolve to the current drive's root on Windows. Previous check only caught: - Unix absolute: /etc/passwd - Drive letter: C:\Windows - UNC paths: \server\share Now also catches: - Root-relative: \Windows\System32 - Any path starting with backslash TDD approach: tests written first (RED), then implementation (GREEN). Co-Authored-By: Claude Opus 4.5 <[email protected]>
SECURITY: Prevent credential exfiltration via malicious apiBase. The exchangeForVibecodrToken function now validates apiBase against trusted origins before sending the Clerk access token. A tampered apiBase (from CLI args, env vars, or config file) could have allowed an attacker to steal the access token. Changes: - Add validateApiBase call before token exchange - Add SecurityBlockError type for security validation failures - Ensure security errors propagate directly (not wrapped as AUTH_EXPIRED) - Add test for malicious apiBase rejection Co-Authored-By: Claude Opus 4.5 <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
vibe-authmodule for Vibecodr API authenticationPR 2 of 5 - Vibe Command Implementation
Series:
Test plan
🤖 Generated with Claude Code