@agentuity/cli 1.0.41 → 1.0.42

package/src/cmd/cloud/oidc/delete.ts

@@ -0,0 +1,63 @@
+import { oauthClientDelete, type APIClient } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import { ErrorCode } from '../../../errors';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+
+const OAuthClientDeleteResponseSchema = z.object({
+	success: z.boolean().describe('Whether the operation succeeded'),
+	id: z.string().describe('OAuth client id that was deleted'),
+});
+
+export const deleteSubcommand = createSubcommand({
+	name: 'delete',
+	aliases: ['del', 'rm'],
+	description: 'Delete an OAuth application',
+	tags: ['destructive', 'deletes-resource', 'slow', 'requires-auth'],
+	idempotent: true,
+	examples: [
+		{ command: getCommand('cloud oidc delete <id>'), description: 'Delete OAuth application' },
+		{
+			command: getCommand('cloud oidc delete <id> --force'),
+			description: 'Delete OAuth application without confirmation',
+		},
+	],
+	requires: { auth: true, apiClient: true },
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id to delete'),
+		}),
+		options: z.object({
+			force: z.boolean().optional().default(false).describe('Skip confirmation prompt'),
+			yes: z.boolean().optional().default(false).describe('Skip confirmation prompt'),
+		}),
+		response: OAuthClientDeleteResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { args, opts, apiClient, options } = ctx;
+
+		const skipConfirm = opts.force || opts.yes;
+
+		if (!skipConfirm) {
+			const confirmed = await tui.confirm(`Delete OAuth application "${args.id}"?`, false);
+			if (!confirmed) {
+				tui.fatal('Operation cancelled', ErrorCode.USER_CANCELLED);
+			}
+		}
+
+		await tui.spinner('Deleting OAuth application', () => {
+			return oauthClientDelete(apiClient as APIClient, args.id);
+		});
+
+		if (!options.json) {
+			tui.success(`OAuth application '${args.id}' deleted successfully`);
+		}
+
+		return {
+			success: true,
+			id: args.id,
+		};
+	},
+});

package/src/cmd/cloud/oidc/get.ts

@@ -0,0 +1,65 @@
+import { oauthClientGet, type APIClient } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import { ErrorCode } from '../../../errors';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+
+export const getSubcommand = createSubcommand({
+	name: 'get',
+	description: 'Get a specific OAuth application',
+	tags: ['read-only', 'fast', 'requires-auth'],
+	examples: [
+		{ command: getCommand('cloud oidc get <id>'), description: 'Get OAuth application details' },
+	],
+	requires: { auth: true, apiClient: true },
+	idempotent: true,
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { args, apiClient, options } = ctx;
+
+		let client: Awaited<ReturnType<typeof oauthClientGet>>;
+		try {
+			client = await tui.spinner('Fetching OAuth application', () => {
+				return oauthClientGet(apiClient as APIClient, args.id);
+			});
+		} catch (error) {
+			if (error instanceof Error && error.message.includes('not found')) {
+				tui.fatal(`OAuth application '${args.id}' not found`, ErrorCode.RESOURCE_NOT_FOUND);
+			}
+			throw error;
+		}
+
+		if (!options.json) {
+			if (process.stdout.isTTY) {
+				tui.newline();
+				tui.success('OAuth Application Details:');
+				tui.newline();
+			}
+
+			const rows = [
+				{
+					ID: client.id,
+					Name: client.name,
+					Description: client.description || '-',
+					Type: client.client_type,
+					'Homepage URL': client.homepage_url || '-',
+					'Redirect URIs':
+						client.redirect_uris.length > 0 ? client.redirect_uris.join('\n') : '-',
+					Scopes: client.scopes.length > 0 ? client.scopes.join(', ') : '-',
+					Created: new Date(client.created_at).toLocaleString(),
+					Updated: new Date(client.updated_at).toLocaleString(),
+				},
+			];
+
+			tui.table(rows, undefined, { layout: 'vertical' });
+		}
+
+		return client;
+	},
+});

package/src/cmd/cloud/oidc/index.ts

@@ -0,0 +1,35 @@
+import { createCommand } from '../../../types';
+import { getCommand } from '../../../command-prefix';
+import { listSubcommand } from './list';
+import { getSubcommand } from './get';
+import { createSubcommand } from './create';
+import { deleteSubcommand } from './delete';
+import { rotateSecretSubcommand } from './rotate-secret';
+import { activitySubcommand } from './activity';
+import { usersSubcommand } from './users';
+
+export const command = createCommand({
+	name: 'oidc',
+	description: 'Manage OAuth applications',
+	tags: ['fast', 'requires-auth'],
+	examples: [
+		{ command: getCommand('cloud oidc list'), description: 'List all OAuth applications' },
+		{
+			command: getCommand(
+				'cloud oidc create --name "My App" --type confidential --redirect-uris "https://example.com/callback"'
+			),
+			description: 'Create a new OAuth application',
+		},
+	],
+	subcommands: [
+		createSubcommand,
+		listSubcommand,
+		getSubcommand,
+		deleteSubcommand,
+		rotateSecretSubcommand,
+		activitySubcommand,
+		usersSubcommand,
+	],
+});
+
+export default command;

package/src/cmd/cloud/oidc/list.ts

@@ -0,0 +1,50 @@
+import { oauthClientList, type APIClient } from '@agentuity/core';
+import { getCommand } from '../../../command-prefix';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+
+export const listSubcommand = createSubcommand({
+	name: 'list',
+	aliases: ['ls'],
+	description: 'List all OAuth applications',
+	tags: ['read-only', 'fast', 'requires-auth'],
+	examples: [
+		{ command: getCommand('cloud oidc list'), description: 'List OAuth applications' },
+		{ command: getCommand('cloud oidc ls'), description: 'List OAuth applications' },
+	],
+	requires: { auth: true, apiClient: true },
+	idempotent: true,
+
+	async handler(ctx) {
+		const { apiClient, options } = ctx;
+
+		const clients = await tui.spinner('Fetching OAuth applications', () => {
+			return oauthClientList(apiClient as APIClient);
+		});
+
+		if (!options.json) {
+			if (clients.length === 0) {
+				tui.info('No OAuth applications found');
+			} else {
+				if (process.stdout.isTTY) {
+					tui.newline();
+					tui.success(`OAuth Applications (${clients.length}):`);
+					tui.newline();
+				}
+
+				const rows = clients.map((client) => ({
+					ID: client.id,
+					Name: client.name,
+					Type: client.client_type,
+					Scopes: client.scopes.length,
+					Users: client.user_count,
+					Created: new Date(client.created_at).toLocaleString(),
+				}));
+
+				tui.table(rows);
+			}
+		}
+
+		return clients;
+	},
+});

package/src/cmd/cloud/oidc/rotate-secret.ts

@@ -0,0 +1,77 @@
+import { oauthClientRotateSecret, type APIClient } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import { ErrorCode } from '../../../errors';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+
+const OAuthClientRotateSecretResponseSchema = z.object({
+	client_id: z.string(),
+	client_secret: z.string(),
+});
+
+export const rotateSecretSubcommand = createSubcommand({
+	name: 'rotate-secret',
+	description: 'Rotate the client secret for an OAuth application',
+	tags: ['destructive', 'requires-auth'],
+	examples: [
+		{
+			command: getCommand('cloud oidc rotate-secret <id>'),
+			description: 'Rotate OAuth client secret',
+		},
+		{
+			command: getCommand('cloud oidc rotate-secret <id> --force'),
+			description: 'Rotate OAuth client secret without confirmation',
+		},
+	],
+	requires: { auth: true, apiClient: true },
+	idempotent: false,
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id'),
+		}),
+		options: z.object({
+			force: z.boolean().optional().default(false).describe('Skip confirmation prompt'),
+		}),
+		response: OAuthClientRotateSecretResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { args, opts, apiClient, options } = ctx;
+
+		if (!opts.force) {
+			const confirmed = await tui.confirm(
+				`Rotate secret for OAuth application "${args.id}"?`,
+				false
+			);
+			if (!confirmed) {
+				tui.fatal('Operation cancelled', ErrorCode.USER_CANCELLED);
+			}
+		}
+
+		const result = await tui.spinner('Rotating OAuth client secret', () => {
+			return oauthClientRotateSecret(apiClient as APIClient, args.id);
+		});
+
+		if (!options.json) {
+			tui.newline();
+			tui.success('OAuth client secret rotated successfully!');
+			tui.newline();
+			tui.warning('Copy the new client secret now. It will only be shown once.');
+			tui.newline();
+
+			tui.table(
+				[
+					{
+						'Client ID': result.client_id,
+						'Client Secret': result.client_secret,
+					},
+				],
+				undefined,
+				{ layout: 'vertical' }
+			);
+		}
+
+		return result;
+	},
+});

package/src/cmd/cloud/oidc/users.ts

@@ -0,0 +1,57 @@
+import { oauthClientUsers, type APIClient } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+
+const OAuthClientUsersResponseSchema = z.array(
+	z.object({
+		user_id: z.string(),
+		scopes: z.array(z.string()),
+		created_at: z.string(),
+	})
+);
+
+export const usersSubcommand = createSubcommand({
+	name: 'users',
+	description: 'List connected users for an OAuth application',
+	tags: ['read-only', 'requires-auth'],
+	examples: [
+		{
+			command: getCommand('cloud oidc users <id>'),
+			description: 'List connected users for OAuth application',
+		},
+	],
+	requires: { auth: true, apiClient: true },
+	idempotent: true,
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id'),
+		}),
+		response: OAuthClientUsersResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { args, apiClient, options } = ctx;
+
+		const users = await tui.spinner('Fetching connected OAuth users', () => {
+			return oauthClientUsers(apiClient as APIClient, args.id);
+		});
+
+		if (!options.json) {
+			if (users.length === 0) {
+				tui.info('No connected users found');
+			} else {
+				const rows = users.map((user) => ({
+					user_id: user.user_id,
+					scopes: user.scopes.join(', '),
+					connected_at: new Date(user.created_at).toLocaleString(),
+				}));
+
+				tui.table(rows);
+			}
+		}
+
+		return users;
+	},
+});

package/src/config.ts

@@ -10,7 +10,7 @@ import {
 	APIClient as ServerAPIClient,
 } from '@agentuity/server';
 import { YAML } from 'bun';
-import JSON5 from 'json5';
+import { parseJSONC } from './utils/jsonc';
 import { z } from 'zod';
 import { clearProfileCache } from './cache';
 import { getCatalystUrl } from './catalyst';
@@ -265,8 +265,19 @@ function formatYAML(obj: unknown, indent = 0): string {
 		} else if (typeof value === 'string') {
 			if (value === '') {
 				lines.push(`${spaces}${key}: ""`);
-			} else if (value.includes(':') || value.includes('#') || value.includes(' ')) {
-				lines.push(`${spaces}${key}: "${value}"`);
+			} else if (
+				value.includes(':') ||
+				value.includes('#') ||
+				value.includes(' ') ||
+				value.includes('\\')
+			) {
+				// Use single quotes to avoid YAML escape-sequence processing.
+				// Double-quoted YAML strings interpret backslash sequences (\n, \t, etc.),
+				// which breaks Windows paths like C:\Users\... where \U would be invalid.
+				// Single-quoted strings treat backslashes literally.
+				// Escape any embedded single quotes by doubling them (YAML spec).
+				const escaped = value.replace(/'/g, "''");
+				lines.push(`${spaces}${key}: '${escaped}'`);
 			} else {
 				lines.push(`${spaces}${key}: ${value}`);
 			}
@@ -602,7 +613,7 @@ export async function loadProjectConfig(
 		throw new ProjectConfigNotFoundException({ message: 'project config not found' });
 	}
 	const text = await file.text();
-	const parsedConfig = JSON5.parse(text);
+	const parsedConfig = parseJSONC(text);
 	const result = ProjectSchema.safeParse(parsedConfig);
 	if (!result.success) {
 		tui.error(`Invalid project config at ${configPath}:`);
@@ -707,7 +718,7 @@ export async function updateProjectConfig(
 	}
 
 	const text = await file.text();
-	const existing = JSON5.parse(text);
+	const existing = parseJSONC(text) as Record<string, unknown>;
 	const updated = { ...existing, ...updates };
 
 	const result = ProjectSchema.safeParse(updated);

package/src/utils/jsonc.ts

@@ -0,0 +1,67 @@
+/**
+ * Parse JSON with Comments (JSONC).
+ *
+ * Strips single-line (`//`) and block (`/* *​/`) comments as well as trailing
+ * commas that appear before `}` or `]`, then delegates to the built-in
+ * `JSON.parse`.  This covers the comment syntax used by `tsconfig.json` and
+ * similar config files without pulling in a full JSON5 parser.
+ *
+ * String literals are respected — comments and trailing commas inside quoted
+ * strings are left untouched.
+ */
+export function parseJSONC(text: string): unknown {
+	let result = '';
+	let i = 0;
+	const len = text.length;
+
+	while (i < len) {
+		const ch = text[i];
+
+		// --- quoted string: copy verbatim, including any escape sequences ---
+		if (ch === '"') {
+			const start = i;
+			i++; // skip opening quote
+			while (i < len) {
+				if (text[i] === '\\') {
+					i += i + 1 < len ? 2 : 1; // skip escaped character (guard end-of-input)
+				} else if (text[i] === '"') {
+					i++; // skip closing quote
+					break;
+				} else {
+					i++;
+				}
+			}
+			result += text.slice(start, i);
+			continue;
+		}
+
+		// --- single-line comment: skip to end of line ---
+		if (ch === '/' && text[i + 1] === '/') {
+			i += 2;
+			while (i < len && text[i] !== '\n') {
+				i++;
+			}
+			continue;
+		}
+
+		// --- block comment: skip to closing *​/ ---
+		if (ch === '/' && text[i + 1] === '*') {
+			i += 2;
+			while (i < len && !(text[i] === '*' && text[i + 1] === '/')) {
+				i++;
+			}
+			if (i < len) {
+				i += 2; // skip closing */
+			}
+			continue;
+		}
+
+		result += ch;
+		i++;
+	}
+
+	// Strip trailing commas before } or ] (with optional whitespace between).
+	result = result.replace(/,(\s*[}\]])/g, '$1');
+
+	return JSON.parse(result);
+}

package/src/utils/route-migration.ts

@@ -697,7 +697,8 @@ export function performMigration(rootDir: string, routeFiles: string[]): Migrati
  * Show the migration notice and optionally perform migration.
  *
  * Called during `dev` and `build` after dependency upgrades.
- * Shows a banner the first time, then a shorter reminder on subsequent runs.
+ * Only prompts in interactive TTY sessions and only once — if the user
+ * dismisses the prompt, it won't be shown again.
  *
  * @returns true if migration was performed, false otherwise
  */
@@ -707,6 +708,12 @@ export async function promptRouteMigration(
 	options?: { interactive?: boolean }
 ): Promise<boolean> {
 	const interactive = options?.interactive ?? process.stdin.isTTY;
+
+	// Only show the interactive migration prompt in TTY sessions
+	if (!interactive) {
+		return false;
+	}
+
 	const eligibility = checkMigrationEligibility(rootDir);
 
 	if (!eligibility.available) {
@@ -715,48 +722,30 @@ export async function promptRouteMigration(
 
 	const { routeFiles, alreadyNotified } = eligibility;
 
-	// Non-interactive mode (CI, piped, AI agent): just log a notice
-	if (!interactive) {
-		if (!alreadyNotified) {
-			logger.info(
-				'[migration] This project uses file-based routing with %d route files in src/api/. ' +
-					'Agentuity is moving to explicit routing, which will become the default in the next major release. ' +
-					'Run `agentuity dev --migrate-routes` to migrate.',
-				routeFiles.length
-			);
-			writeMigrationState(rootDir, 'notified');
-		}
+	// Only prompt once — if the user has already been notified or dismissed, don't ask again
+	if (alreadyNotified) {
 		return false;
 	}
 
-	// First time: show full banner
-	if (!alreadyNotified) {
-		tui.newline();
-		tui.banner(
-			'✨ Migrate to Explicit Routing',
-			'Agentuity is moving to explicit routing, which will become the\n' +
-				'default in the next major release. File-based route discovery\n' +
-				'will be deprecated.\n' +
-				'\n' +
-				`Your project has ${routeFiles.length} route files in src/api/ that are\n` +
-				'auto-discovered at build time. Explicit routing gives you a single\n' +
-				'src/api/index.ts that imports and mounts all sub-routers — just\n' +
-				'like a standard Hono application.\n' +
-				'\n' +
-				`${tui.muted('Before:')} ${routeFiles.length} files auto-discovered from src/api/**/*.ts\n` +
-				`${tui.muted('After:')}  One src/api/index.ts that imports and mounts them\n` +
-				'\n' +
-				'Your existing route files are not modified. Your app.ts will be\n' +
-				'updated to import the router and pass it to createApp({ router }).',
-			{ centerTitle: false }
-		);
-	} else {
-		// Subsequent runs: shorter reminder
-		tui.newline();
-		tui.info(
-			`${tui.bold('Explicit routing migration available')} — run with ${tui.muted('--migrate-routes')} or choose below.`
-		);
-	}
+	tui.newline();
+	tui.banner(
+		'✨ Migrate to Explicit Routing',
+		'Agentuity is moving to explicit routing, which will become the\n' +
+			'default in the next major release. File-based route discovery\n' +
+			'will be deprecated.\n' +
+			'\n' +
+			`Your project has ${routeFiles.length} route files in src/api/ that are\n` +
+			'auto-discovered at build time. Explicit routing gives you a single\n' +
+			'src/api/index.ts that imports and mounts all sub-routers — just\n' +
+			'like a standard Hono application.\n' +
+			'\n' +
+			`${tui.muted('Before:')} ${routeFiles.length} files auto-discovered from src/api/**/*.ts\n` +
+			`${tui.muted('After:')}  One src/api/index.ts that imports and mounts them\n` +
+			'\n' +
+			'Your existing route files are not modified. Your app.ts will be\n' +
+			'updated to import the router and pass it to createApp({ router }).',
+		{ centerTitle: false }
+	);
 
 	tui.newline();
 

package/src/utils/zip.ts

@@ -1,3 +1,4 @@
+import { readFileSync, lstatSync } from 'node:fs';
 import { relative } from 'node:path';
 import { Glob } from 'bun';
 import AdmZip from 'adm-zip';
@@ -11,7 +12,7 @@ interface Options {
 export async function zipDir(dir: string, outdir: string, options?: Options) {
 	const zip = new AdmZip();
 	const files = await Array.fromAsync(
-		new Glob('**/*').scan({ cwd: dir, absolute: true, dot: true })
+		new Glob('**/*').scan({ cwd: dir, absolute: true, dot: true, followSymlinks: false })
 	);
 	const total = files.length;
 	let count = 0;
@@ -24,7 +25,21 @@ export async function zipDir(dir: string, outdir: string, options?: Options) {
 			}
 		}
 		if (!skip) {
-			zip.addLocalFile(file, undefined, rel);
+			try {
+				// Skip symlinks and directories — symlinks are workspace artefacts
+				// (e.g. bun's node_modules links) that cannot be resolved portably
+				// across machines and would cause EISDIR errors on extraction.
+				const stat = lstatSync(file);
+				if (!stat.isSymbolicLink() && !stat.isDirectory()) {
+					// Use addFile with explicit Unix permissions (0o644) instead of addLocalFile.
+					// On Windows, addLocalFile relies on OS file stats which may produce zip entries
+					// with incorrect Unix permission bits, causing EACCES errors when extracted on Linux.
+					const data = readFileSync(file);
+					zip.addFile(rel, data, '', 0o644);
+				}
+			} catch (err) {
+				throw new Error(`Failed to add file to zip: ${rel} (${file})`, { cause: err });
+			}
 		}
 		count++;
 		if (options?.progress) {