@agentuity/cli 1.0.41 → 1.0.43

package/src/cmd/cloud/oidc/create.ts

@@ -0,0 +1,230 @@
+import { oauthClientCreate, oauthScopes, type OAuthClientCreateRequest } from '@agentuity/core';
+import enquirer from 'enquirer';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import * as tui from '../../../tui';
+import { createSubcommand as createSubcommandHelper } from '../../../types';
+import { createOAuthClient } from './util';
+
+const OAuthClientCreateResponseSchema = z.object({
+	client: z.object({
+		id: z.string(),
+		name: z.string(),
+		description: z.string(),
+		homepage_url: z.string(),
+		client_type: z.enum(['public', 'confidential']),
+		redirect_uris: z.array(z.string()),
+		scopes: z.array(z.string()),
+		created_at: z.string(),
+		updated_at: z.string(),
+	}),
+	client_secret: z.string(),
+});
+
+function parseCsv(value?: string): string[] {
+	if (!value) return [];
+	return value
+		.split(',')
+		.map((part) => part.trim())
+		.filter(Boolean);
+}
+
+export const createSubcommand = createSubcommandHelper({
+	name: 'create',
+	aliases: ['new'],
+	description: 'Create a new OAuth application',
+	tags: ['creates-resource', 'slow', 'requires-auth'],
+	examples: [
+		{
+			command: getCommand(
+				'cloud oidc create --name "My App" --description "OAuth app" --homepage-url "https://example.com" --type confidential --redirect-uris "https://example.com/callback" --scopes "openid,profile,email"'
+			),
+			description: 'Create OAuth application non-interactively',
+		},
+		{
+			command: getCommand('cloud oidc create'),
+			description: 'Create OAuth application interactively',
+		},
+	],
+	requires: { auth: true },
+	idempotent: false,
+	webUrl: '/settings/oauth-apps',
+	schema: {
+		options: z.object({
+			name: z.string().optional().describe('the OAuth application name'),
+			description: z.string().optional().describe('the OAuth application description'),
+			'homepage-url': z.string().optional().describe('the homepage URL'),
+			type: z
+				.enum(['public', 'confidential'])
+				.optional()
+				.describe('OAuth client type: public or confidential'),
+			'redirect-uris': z
+				.string()
+				.optional()
+				.describe('comma-separated redirect URIs (e.g. https://app/callback,https://app/alt)'),
+			scopes: z
+				.string()
+				.optional()
+				.describe('comma-separated OAuth scopes (e.g. openid,profile,email)'),
+		}),
+		response: OAuthClientCreateResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { opts, options } = ctx;
+		const catalystClient = await createOAuthClient(ctx);
+
+		const availableScopes = await tui.spinner('Fetching available OAuth scopes', () => {
+			return oauthScopes(catalystClient);
+		});
+
+		const nonInteractive = !process.stdin.isTTY || !process.stdout.isTTY;
+
+		let name = opts?.name?.trim() || '';
+		let description = opts?.description?.trim() || '';
+		let homepageUrl = opts?.['homepage-url']?.trim() || '';
+		let clientType = opts?.type;
+		let redirectUris = parseCsv(opts?.['redirect-uris']);
+		let scopes = parseCsv(opts?.scopes);
+
+		if (!name) {
+			if (nonInteractive) {
+				tui.fatal('--name is required in non-interactive mode');
+			}
+			const answer = await enquirer.prompt<{ name: string }>({
+				type: 'input',
+				name: 'name',
+				message: 'Application name:',
+			});
+			name = answer.name?.trim() || '';
+		}
+
+		if (!description && !nonInteractive) {
+			const answer = await enquirer.prompt<{ description: string }>({
+				type: 'input',
+				name: 'description',
+				message: 'Description:',
+			});
+			description = answer.description?.trim() || '';
+		}
+
+		if (!homepageUrl) {
+			if (nonInteractive) {
+				tui.fatal('--homepage-url is required in non-interactive mode');
+			}
+			const answer = await enquirer.prompt<{ homepageUrl: string }>({
+				type: 'input',
+				name: 'homepageUrl',
+				message: 'Homepage URL:',
+			});
+			homepageUrl = answer.homepageUrl?.trim() || '';
+		}
+
+		if (!clientType) {
+			if (nonInteractive) {
+				tui.fatal('--type is required in non-interactive mode');
+			}
+			const answer = await enquirer.prompt<{ clientType: 'public' | 'confidential' }>({
+				type: 'select',
+				name: 'clientType',
+				message: 'Client type:',
+				choices: [
+					{ name: 'public', message: 'public' },
+					{ name: 'confidential', message: 'confidential' },
+				],
+			});
+			clientType = answer.clientType;
+		}
+
+		if (redirectUris.length === 0) {
+			if (nonInteractive) {
+				tui.fatal('--redirect-uris is required in non-interactive mode');
+			}
+			const answer = await enquirer.prompt<{ redirectUris: string }>({
+				type: 'input',
+				name: 'redirectUris',
+				message: 'Redirect URIs (comma-separated):',
+			});
+			redirectUris = parseCsv(answer.redirectUris);
+		}
+
+		if (scopes.length === 0) {
+			if (nonInteractive) {
+				tui.fatal('--scopes is required in non-interactive mode');
+			}
+
+			const choices = availableScopes.scopes.map((scope) => ({
+				name: scope.name,
+				message: `${scope.name} — ${scope.description}`,
+			}));
+
+			const answer = await enquirer.prompt<{ scopes: string[] }>({
+				type: 'multiselect',
+				name: 'scopes',
+				message: 'Select OAuth scopes:',
+				choices,
+			});
+			scopes = answer.scopes;
+		}
+
+		if (!name) {
+			tui.fatal('Name is required');
+		}
+		if (!homepageUrl) {
+			tui.fatal('Homepage URL is required');
+		}
+		if (!clientType) {
+			tui.fatal('Client type is required');
+		}
+		if (redirectUris.length === 0) {
+			tui.fatal('At least one redirect URI is required');
+		}
+		if (scopes.length === 0) {
+			tui.fatal('At least one scope is required');
+		}
+
+		const availableScopeNames = new Set(availableScopes.scopes.map((scope) => scope.name));
+		const invalidScopes = scopes.filter((scope) => !availableScopeNames.has(scope));
+		if (invalidScopes.length > 0) {
+			tui.fatal(`Invalid scopes: ${invalidScopes.join(', ')}`);
+		}
+
+		const request: OAuthClientCreateRequest = {
+			name,
+			description,
+			homepage_url: homepageUrl,
+			client_type: clientType,
+			redirect_uris: redirectUris,
+			scopes,
+		};
+
+		const result = await tui.spinner('Creating OAuth application', () => {
+			return oauthClientCreate(catalystClient, request);
+		});
+
+		if (!options.json) {
+			tui.newline();
+			tui.success('OAuth application created successfully!');
+			tui.newline();
+			tui.warning('Copy the client secret now. It will only be shown once.');
+			tui.newline();
+
+			tui.table(
+				[
+					{
+						ID: result.client.id,
+						Name: result.client.name,
+						Type: result.client.client_type,
+						'Client Secret': result.client_secret,
+						'Redirect URIs': result.client.redirect_uris.join(', '),
+						Scopes: result.client.scopes.join(', '),
+					},
+				],
+				undefined,
+				{ layout: 'vertical' }
+			);
+		}
+
+		return result;
+	},
+});

package/src/cmd/cloud/oidc/delete.ts

@@ -0,0 +1,66 @@
+import { oauthClientDelete } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import { ErrorCode } from '../../../errors';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+import { createOAuthClient } from './util';
+
+const OAuthClientDeleteResponseSchema = z.object({
+	success: z.boolean().describe('Whether the operation succeeded'),
+	id: z.string().describe('OAuth client id that was deleted'),
+});
+
+export const deleteSubcommand = createSubcommand({
+	name: 'delete',
+	aliases: ['del', 'rm'],
+	description: 'Delete an OAuth application',
+	tags: ['destructive', 'deletes-resource', 'slow', 'requires-auth'],
+	idempotent: true,
+	examples: [
+		{ command: getCommand('cloud oidc delete <id>'), description: 'Delete OAuth application' },
+		{
+			command: getCommand('cloud oidc delete <id> --force'),
+			description: 'Delete OAuth application without confirmation',
+		},
+	],
+	requires: { auth: true },
+	webUrl: '/settings/oauth-apps',
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id to delete'),
+		}),
+		options: z.object({
+			force: z.boolean().optional().default(false).describe('Skip confirmation prompt'),
+			yes: z.boolean().optional().default(false).describe('Skip confirmation prompt'),
+		}),
+		response: OAuthClientDeleteResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { args, opts, options } = ctx;
+		const catalystClient = await createOAuthClient(ctx);
+
+		const skipConfirm = opts.force || opts.yes;
+
+		if (!skipConfirm) {
+			const confirmed = await tui.confirm(`Delete OAuth application "${args.id}"?`, false);
+			if (!confirmed) {
+				tui.fatal('Operation cancelled', ErrorCode.USER_CANCELLED);
+			}
+		}
+
+		await tui.spinner('Deleting OAuth application', () => {
+			return oauthClientDelete(catalystClient, args.id);
+		});
+
+		if (!options.json) {
+			tui.success(`OAuth application '${args.id}' deleted successfully`);
+		}
+
+		return {
+			success: true,
+			id: args.id,
+		};
+	},
+});

package/src/cmd/cloud/oidc/get.ts

@@ -0,0 +1,68 @@
+import { oauthClientGet } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import { ErrorCode } from '../../../errors';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+import { createOAuthClient } from './util';
+
+export const getSubcommand = createSubcommand({
+	name: 'get',
+	description: 'Get a specific OAuth application',
+	tags: ['read-only', 'fast', 'requires-auth'],
+	examples: [
+		{ command: getCommand('cloud oidc get <id>'), description: 'Get OAuth application details' },
+	],
+	requires: { auth: true },
+	idempotent: true,
+	webUrl: (ctx) => `/settings/oauth-apps/${encodeURIComponent(ctx.args.id)}`,
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { args, options } = ctx;
+		const catalystClient = await createOAuthClient(ctx);
+
+		let client: Awaited<ReturnType<typeof oauthClientGet>>;
+		try {
+			client = await tui.spinner('Fetching OAuth application', () => {
+				return oauthClientGet(catalystClient, args.id);
+			});
+		} catch (error) {
+			if (error instanceof Error && error.message.includes('not found')) {
+				tui.fatal(`OAuth application '${args.id}' not found`, ErrorCode.RESOURCE_NOT_FOUND);
+			}
+			throw error;
+		}
+
+		if (!options.json) {
+			if (process.stdout.isTTY) {
+				tui.newline();
+				tui.success('OAuth Application Details:');
+				tui.newline();
+			}
+
+			const rows = [
+				{
+					ID: client.id,
+					Name: client.name,
+					Description: client.description || '-',
+					Type: client.client_type,
+					'Homepage URL': client.homepage_url || '-',
+					'Redirect URIs':
+						client.redirect_uris.length > 0 ? client.redirect_uris.join('\n') : '-',
+					Scopes: client.scopes.length > 0 ? client.scopes.join(', ') : '-',
+					Created: new Date(client.created_at).toLocaleString(),
+					Updated: new Date(client.updated_at).toLocaleString(),
+				},
+			];
+
+			tui.table(rows, undefined, { layout: 'vertical' });
+		}
+
+		return client;
+	},
+});

package/src/cmd/cloud/oidc/index.ts

@@ -0,0 +1,35 @@
+import { createCommand } from '../../../types';
+import { getCommand } from '../../../command-prefix';
+import { listSubcommand } from './list';
+import { getSubcommand } from './get';
+import { createSubcommand } from './create';
+import { deleteSubcommand } from './delete';
+import { rotateSecretSubcommand } from './rotate-secret';
+import { activitySubcommand } from './activity';
+import { usersSubcommand } from './users';
+
+export const command = createCommand({
+	name: 'oidc',
+	description: 'Manage OAuth applications',
+	tags: ['fast', 'requires-auth'],
+	examples: [
+		{ command: getCommand('cloud oidc list'), description: 'List all OAuth applications' },
+		{
+			command: getCommand(
+				'cloud oidc create --name "My App" --type confidential --redirect-uris "https://example.com/callback"'
+			),
+			description: 'Create a new OAuth application',
+		},
+	],
+	subcommands: [
+		createSubcommand,
+		listSubcommand,
+		getSubcommand,
+		deleteSubcommand,
+		rotateSecretSubcommand,
+		activitySubcommand,
+		usersSubcommand,
+	],
+});
+
+export default command;

package/src/cmd/cloud/oidc/list.ts

@@ -0,0 +1,53 @@
+import { oauthClientList } from '@agentuity/core';
+import { getCommand } from '../../../command-prefix';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+import { createOAuthClient } from './util';
+
+export const listSubcommand = createSubcommand({
+	name: 'list',
+	aliases: ['ls'],
+	description: 'List all OAuth applications',
+	tags: ['read-only', 'fast', 'requires-auth'],
+	examples: [
+		{ command: getCommand('cloud oidc list'), description: 'List OAuth applications' },
+		{ command: getCommand('cloud oidc ls'), description: 'List OAuth applications' },
+	],
+	requires: { auth: true },
+	idempotent: true,
+	webUrl: '/settings/oauth-apps',
+
+	async handler(ctx) {
+		const { options } = ctx;
+		const catalystClient = await createOAuthClient(ctx);
+
+		const clients = await tui.spinner('Fetching OAuth applications', () => {
+			return oauthClientList(catalystClient);
+		});
+
+		if (!options.json) {
+			if (clients.length === 0) {
+				tui.info('No OAuth applications found');
+			} else {
+				if (process.stdout.isTTY) {
+					tui.newline();
+					tui.success(`OAuth Applications (${clients.length}):`);
+					tui.newline();
+				}
+
+				const rows = clients.map((client) => ({
+					ID: client.id,
+					Name: client.name,
+					Type: client.client_type,
+					Scopes: client.scopes.length,
+					Users: client.user_count,
+					Created: new Date(client.created_at).toLocaleString(),
+				}));
+
+				tui.table(rows);
+			}
+		}
+
+		return clients;
+	},
+});

package/src/cmd/cloud/oidc/rotate-secret.ts

@@ -0,0 +1,80 @@
+import { oauthClientRotateSecret } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import { ErrorCode } from '../../../errors';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+import { createOAuthClient } from './util';
+
+const OAuthClientRotateSecretResponseSchema = z.object({
+	client_id: z.string(),
+	client_secret: z.string(),
+});
+
+export const rotateSecretSubcommand = createSubcommand({
+	name: 'rotate-secret',
+	description: 'Rotate the client secret for an OAuth application',
+	tags: ['destructive', 'requires-auth'],
+	examples: [
+		{
+			command: getCommand('cloud oidc rotate-secret <id>'),
+			description: 'Rotate OAuth client secret',
+		},
+		{
+			command: getCommand('cloud oidc rotate-secret <id> --force'),
+			description: 'Rotate OAuth client secret without confirmation',
+		},
+	],
+	requires: { auth: true },
+	idempotent: false,
+	webUrl: (ctx) => `/settings/oauth-apps/${encodeURIComponent(ctx.args.id)}`,
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id'),
+		}),
+		options: z.object({
+			force: z.boolean().optional().default(false).describe('Skip confirmation prompt'),
+		}),
+		response: OAuthClientRotateSecretResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { args, opts, options } = ctx;
+		const catalystClient = await createOAuthClient(ctx);
+
+		if (!opts.force) {
+			const confirmed = await tui.confirm(
+				`Rotate secret for OAuth application "${args.id}"?`,
+				false
+			);
+			if (!confirmed) {
+				tui.fatal('Operation cancelled', ErrorCode.USER_CANCELLED);
+			}
+		}
+
+		const result = await tui.spinner('Rotating OAuth client secret', () => {
+			return oauthClientRotateSecret(catalystClient, args.id);
+		});
+
+		if (!options.json) {
+			tui.newline();
+			tui.success('OAuth client secret rotated successfully!');
+			tui.newline();
+			tui.warning('Copy the new client secret now. It will only be shown once.');
+			tui.newline();
+
+			tui.table(
+				[
+					{
+						'Client ID': result.client_id,
+						'Client Secret': result.client_secret,
+					},
+				],
+				undefined,
+				{ layout: 'vertical' }
+			);
+		}
+
+		return result;
+	},
+});

package/src/cmd/cloud/oidc/users.ts

@@ -0,0 +1,60 @@
+import { oauthClientUsers } from '@agentuity/core';
+import { z } from 'zod';
+import { getCommand } from '../../../command-prefix';
+import * as tui from '../../../tui';
+import { createSubcommand } from '../../../types';
+import { createOAuthClient } from './util';
+
+const OAuthClientUsersResponseSchema = z.array(
+	z.object({
+		user_id: z.string(),
+		scopes: z.array(z.string()),
+		created_at: z.string(),
+	})
+);
+
+export const usersSubcommand = createSubcommand({
+	name: 'users',
+	description: 'List connected users for an OAuth application',
+	tags: ['read-only', 'requires-auth'],
+	examples: [
+		{
+			command: getCommand('cloud oidc users <id>'),
+			description: 'List connected users for OAuth application',
+		},
+	],
+	requires: { auth: true },
+	idempotent: true,
+	webUrl: (ctx) => `/settings/oauth-apps/${encodeURIComponent(ctx.args.id)}`,
+	schema: {
+		args: z.object({
+			id: z.string().describe('the OAuth client id'),
+		}),
+		response: OAuthClientUsersResponseSchema,
+	},
+
+	async handler(ctx) {
+		const { args, options } = ctx;
+		const catalystClient = await createOAuthClient(ctx);
+
+		const users = await tui.spinner('Fetching connected OAuth users', () => {
+			return oauthClientUsers(catalystClient, args.id);
+		});
+
+		if (!options.json) {
+			if (users.length === 0) {
+				tui.info('No connected users found');
+			} else {
+				const rows = users.map((user) => ({
+					user_id: user.user_id,
+					scopes: user.scopes.join(', '),
+					connected_at: new Date(user.created_at).toLocaleString(),
+				}));
+
+				tui.table(rows);
+			}
+		}
+
+		return users;
+	},
+});

package/src/cmd/cloud/oidc/util.ts

@@ -0,0 +1,28 @@
+import type { Logger } from '@agentuity/core';
+import { getGlobalCatalystAPIClient } from '../../../config';
+import * as tui from '../../../tui';
+import type { AuthData, Config, GlobalOptions, ProjectConfig } from '../../../types';
+
+export async function createOAuthClient(
+	ctx: {
+		logger: Logger;
+		auth: AuthData;
+		project?: ProjectConfig;
+		config: Config | null;
+		options: GlobalOptions;
+	},
+	explicitOrgId?: string
+) {
+	const orgId =
+		explicitOrgId ??
+		ctx.project?.orgId ??
+		ctx.options.orgId ??
+		(process.env.AGENTUITY_CLOUD_ORG_ID || ctx.config?.preferences?.orgId);
+	if (!orgId) {
+		tui.fatal(
+			'Organization ID is required. Either run from a project directory or use --org-id flag.'
+		);
+	}
+
+	return getGlobalCatalystAPIClient(ctx.logger, ctx.auth, ctx.config?.name, orgId, ctx.config);
+}

package/src/cmd/coder/hub-url.ts

@@ -41,7 +41,11 @@ export async function resolveHubUrl(flagUrl?: string): Promise<string | null> {
 export async function resolveHubWsUrl(flagUrl?: string): Promise<string | null> {
 	const httpUrl = await resolveHubUrl(flagUrl);
 	if (!httpUrl) return null;
-	return normalizeToWs(httpUrl);
+	return toHubWsUrl(httpUrl);
+}
+
+export function toHubWsUrl(hubHttpUrl: string): string {
+	return normalizeToWs(hubHttpUrl);
 }
 
 /**

package/src/cmd/coder/start.ts

@@ -5,7 +5,8 @@ import { createSubcommand } from '../../types';
 import * as tui from '../../tui';
 import { getCommand } from '../../command-prefix';
 import { ErrorCode } from '../../errors';
-import { resolveHubWsUrl, resolveHubUrl, hubFetchHeaders } from './hub-url';
+import { toHubWsUrl, resolveHubUrl, hubFetchHeaders } from './hub-url';
+import { probeTuiInitAccess } from './tui-init';
 
 /**
  * Resolve the Coder extension path.
@@ -129,14 +130,32 @@ export const startSubcommand = createSubcommand({
 		const { opts, options } = ctx;
 
 		// Resolve Hub URL
-		const hubWsUrl = await resolveHubWsUrl(opts?.hubUrl);
-		if (!hubWsUrl) {
+		const hubHttpUrl = await resolveHubUrl(opts?.hubUrl);
+		if (!hubHttpUrl) {
 			tui.fatal(
 				'Could not find a running Coder Hub.\n\nEither:\n  - Start the Hub with: bun run dev\n  - Set AGENTUITY_CODER_HUB_URL environment variable\n  - Pass --hub-url flag',
 				ErrorCode.NETWORK_ERROR
 			);
 			return;
 		}
+		const hubWsUrl = toHubWsUrl(hubHttpUrl);
+
+		const tuiInitProbe = await probeTuiInitAccess(hubHttpUrl);
+		if (!tuiInitProbe.ok) {
+			if (tuiInitProbe.code === 'unauthorized') {
+				tui.fatal(
+					`Coder Hub at ${hubHttpUrl} requires authentication.\n\nSet AGENTUITY_CODER_API_KEY in your shell and retry.\n\nServer said: ${tuiInitProbe.message}`,
+					ErrorCode.NETWORK_ERROR
+				);
+				return;
+			}
+
+			tui.fatal(
+				`Could not bootstrap the Coder Hub at ${hubHttpUrl}: ${tuiInitProbe.message}`,
+				ErrorCode.NETWORK_ERROR
+			);
+			return;
+		}
 
 		// Resolve extension path
 		const extensionPath = resolveExtensionPath(opts?.extension);
@@ -160,11 +179,6 @@ export const startSubcommand = createSubcommand({
 				remoteSessionId = remoteValue;
 			} else {
 				// No session ID — fetch connectable sessions and show picker
-				const hubHttpUrl = await resolveHubUrl(opts?.hubUrl);
-				if (!hubHttpUrl) {
-					tui.fatal('Could not find Hub URL for session picker.', ErrorCode.NETWORK_ERROR);
-					return;
-				}
 				try {
 					type SessionInfo = {
 						id: string;