@alchemy/cli 0.5.1 → 0.5.2

package/README.md

@@ -39,26 +39,20 @@ alchemy completions fish > ~/.config/fish/completions/alchemy.fish
 
 ### Authentication Quick Start
 
-Authentication is required before making requests. Configure auth first, then run commands.
-
-If you are using the CLI as a human in an interactive terminal, the easiest path is:
+Authentication is required before making requests. The recommended path is browser login:
 
 ```bash
-alchemy
+alchemy auth
 ```
 
-Then follow the setup flow in the terminal UI to configure auth.
+This opens a browser to link your Alchemy account, then prompts you to select an app. The selected app's API key is saved to your config automatically. Pass `-y` to skip the confirmation prompt.
 
-Know which auth method does what:
+If you run `alchemy` with no command and no auth configured, the CLI will guide you through browser login automatically.
 
-- **API key** - direct auth for blockchain queries (`balance`, `tx`, `block`, `nfts`, `tokens`, `rpc`)
-- **Access key** - Admin/API app management; app setup/selection can also provide API key auth for blockchain queries
-- **x402 wallet auth** - wallet-authenticated, pay-per-request model for supported blockchain queries
+If you have an auth token but haven't selected an app yet, the CLI will prompt you to pick one before running any command that requires an API key. Teams with many apps can type to search by name.
 
 If you use Notify webhooks, add webhook auth on top via `alchemy config set webhook-api-key <key>`, `--webhook-api-key`, or `ALCHEMY_WEBHOOK_API_KEY`.
 
-For setup commands, env vars, and resolution order, see [Authentication Reference](#authentication-reference).
-
 ### Usage By Workflow
 
 After auth is configured, use the CLI differently depending on who is driving it:
@@ -165,6 +159,9 @@ Use `alchemy help` or `alchemy help <command>` for generated command help.
 | Command | What it does | Example |
 |---|---|---|
 | `(no command)` | Starts interactive REPL mode (TTY only) | `alchemy` |
+| `auth` (`auth login`) | Log in via browser (PKCE) | `alchemy auth` |
+| `auth status` | Show current authentication status | `alchemy auth status` |
+| `auth logout` | Clear saved authentication token | `alchemy auth logout` |
 | `apps list` | Lists apps (supports pagination/filtering) | `alchemy apps list --all` |
 | `apps chains` | Lists Admin API chain identifiers (e.g. `ETH_MAINNET`) | `alchemy apps chains` |
 | `apps get <id>` | Gets app details | `alchemy apps get <app-id>` |
@@ -231,6 +228,7 @@ Additional env vars:
 
 | Command | Flags |
 |---|---|
+| `auth login` | `--force`, `-y, --yes` |
 | `nfts` | `--limit <n>`, `--page-key <key>` |
 | `nfts metadata` | `--contract <address>` (required), `--token-id <id>` (required) |
 | `tokens` | `--page-key <key>` |
@@ -258,74 +256,27 @@ Additional env vars:
 
 ## Authentication Reference
 
-The CLI supports three auth inputs:
-
-- API key for blockchain queries (`balance`, `tx`, `block`, `nfts`, `tokens`, `rpc`)
-- Access key for Admin API operations (`apps`, `chains`, configured network lookups`) and app setup/selection, which can also supply the API key used by blockchain query commands
-- x402 wallet key for wallet-authenticated blockchain queries in a pay-per-request model
-
-Notify/webhook commands use a webhook API key with resolution order:
-`--webhook-api-key` -> `ALCHEMY_WEBHOOK_API_KEY` -> `ALCHEMY_NOTIFY_AUTH_TOKEN` -> config `webhook-api-key` -> configured app webhook key.
-
-Get API/access keys at [alchemy.com](https://dashboard.alchemy.com/).
-
-#### API key
-
 ```bash
-# Config
-alchemy config set api-key <your-key>
+# Interactive login — opens browser to link your Alchemy account
+alchemy auth
 
-# Environment variable
-export ALCHEMY_API_KEY=<your-key>
-
-# Per-command override
-alchemy balance 0x... --api-key <your-key>
-```
+# Skip the confirmation prompt
+alchemy auth -y
 
-Resolution order: `--api-key` -> `ALCHEMY_API_KEY` -> config file -> configured app API key.
-
-#### Access key
-
-```bash
-# Config (in TTY, this may trigger app setup flow)
-alchemy config set access-key <your-key>
+# Force re-authentication
+alchemy auth login --force
 
-# Environment variable
-export ALCHEMY_ACCESS_KEY=<your-key>
+# Check auth status
+alchemy auth status
 
-# Per-command override
-alchemy apps list --access-key <your-key>
+# Log out
+alchemy auth logout
 ```
 
-Resolution order: `--access-key` -> `ALCHEMY_ACCESS_KEY` -> config file.
+After login, the CLI prompts you to select an app. The app's API key is saved to config and used for all subsequent commands. If you skip app selection during login, the CLI will prompt you to pick one before running any command that needs an API key.
 
-#### x402 wallet auth
-
-x402 is a wallet-authenticated, pay-per-request usage model for supported blockchain queries.
-The CLI can generate or import the wallet key used for these requests.
-
-```bash
-# Generate/import a wallet managed by CLI
-alchemy wallet generate
-# or
-alchemy wallet import ./private-key.txt
-
-# Use x402 per command
-alchemy balance 0x... --x402
-
-# Or enable by default
-alchemy config set x402 true
-```
-
-Generated/imported wallets are stored as unique key files under `~/.config/alchemy/wallet-keys/` so creating another wallet does not overwrite prior private keys.
-
-You can also provide wallet key directly:
-
-```bash
-export ALCHEMY_WALLET_KEY=0x...
-```
-
-Wallet key resolution order: `--wallet-key-file` -> `ALCHEMY_WALLET_KEY` -> `wallet-key-file` in config.
+Notify/webhook commands use a webhook API key with resolution order:
+`--webhook-api-key` -> `ALCHEMY_WEBHOOK_API_KEY` -> `ALCHEMY_NOTIFY_AUTH_TOKEN` -> config `webhook-api-key` -> configured app webhook key.
 
 ## REPL Mode
 

package/dist/{auth-E26YCAJV.js → auth-76PDHQ3U.js}

@@ -9,7 +9,7 @@ import {
   performBrowserLogin,
   revokeToken,
   waitForCallback
-} from "./chunk-IGD4NIK7.js";
+} from "./chunk-5ZAK2VSS.js";
 import "./chunk-56ZVYB4G.js";
 export {
   AUTH_PORT,

package/dist/{auth-7E33EMAI.js → auth-PYH5WEC3.js}

@@ -3,9 +3,12 @@ if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
 import {
   registerAuth,
   selectAppAfterAuth
-} from "./chunk-LYUW7O6X.js";
-import "./chunk-IGD4NIK7.js";
-import "./chunk-T2XSNZE3.js";
+} from "./chunk-DBTRDS35.js";
+import "./chunk-5ZAK2VSS.js";
+import "./chunk-KDMIWPZH.js";
+import "./chunk-NM25MEJZ.js";
+import "./chunk-NBDWF4ZQ.js";
+import "./chunk-BAAQ7ELR.js";
 import "./chunk-56ZVYB4G.js";
 export {
   registerAuth,

package/dist/{chunk-IGD4NIK7.js → chunk-5ZAK2VSS.js}

@@ -18,7 +18,7 @@ var SHARED_STYLE = `
     font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
     display: flex; justify-content: center; align-items: center;
     min-height: 100vh;
-    background: #000;
+    background: linear-gradient(180deg, #4F46E5 0%, #06B6D4 100%);
     color: #fff;
     overflow: hidden;
   }
@@ -35,7 +35,7 @@ var SHARED_STYLE = `
     letter-spacing: -0.01em;
   }
   p {
-    color: #6b6b6b;
+    color: #fff;
     font-size: 0.875rem;
   }
 `;

package/dist/chunk-BAAQ7ELR.js

@@ -0,0 +1,143 @@
+#!/usr/bin/env node
+if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
+import {
+  isRevealMode
+} from "./chunk-56ZVYB4G.js";
+
+// src/lib/secrets.ts
+function maskSecret(value) {
+  if (value.length <= 8) return "\u2022".repeat(value.length);
+  return value.slice(0, 4) + "\u2022".repeat(value.length - 8) + value.slice(-4);
+}
+function maskIf(value) {
+  return isRevealMode() ? value : maskSecret(value);
+}
+
+// src/lib/config.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "fs";
+import { homedir } from "os";
+import { join, dirname } from "path";
+import { z } from "zod";
+var KEY_MAP = {
+  "api-key": "api_key",
+  api_key: "api_key",
+  "access-key": "access_key",
+  access_key: "access_key",
+  "webhook-api-key": "webhook_api_key",
+  webhook_api_key: "webhook_api_key",
+  network: "network",
+  verbose: "verbose",
+  "wallet-key-file": "wallet_key_file",
+  wallet_key_file: "wallet_key_file",
+  "wallet-address": "wallet_address",
+  wallet_address: "wallet_address",
+  x402: "x402",
+  "auth-token": "auth_token",
+  auth_token: "auth_token",
+  "auth-token-expires-at": "auth_token_expires_at",
+  auth_token_expires_at: "auth_token_expires_at"
+};
+var SAFE_ID_RE = /^[A-Za-z0-9:_-]{1,128}$/;
+var SAFE_NETWORK_RE = /^[A-Za-z0-9:_-]{1,128}$/;
+var MAX_SECRET_LEN = 512;
+var MAX_APP_NAME_LEN = 128;
+var CONTROL_CHAR_RE = /[\u0000-\u001f\u007f]/;
+var safeTextSchema = (maxLen) => z.string().min(1).max(maxLen).refine((value) => !CONTROL_CHAR_RE.test(value));
+var appConfigSchema = z.object({
+  id: z.string().regex(SAFE_ID_RE),
+  name: safeTextSchema(MAX_APP_NAME_LEN),
+  apiKey: safeTextSchema(MAX_SECRET_LEN),
+  webhookApiKey: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0)
+}).strip();
+var MAX_PATH_LEN = 4096;
+var configSchema = z.object({
+  api_key: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  access_key: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  webhook_api_key: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  app: appConfigSchema.optional().catch(void 0),
+  network: z.string().regex(SAFE_NETWORK_RE).optional().catch(void 0),
+  verbose: z.boolean().optional().catch(void 0),
+  wallet_key_file: safeTextSchema(MAX_PATH_LEN).optional().catch(void 0),
+  wallet_address: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  x402: z.boolean().optional().catch(void 0),
+  auth_token: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  auth_token_expires_at: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0),
+  siwe_token: safeTextSchema(MAX_PATH_LEN).optional().catch(void 0),
+  siwe_token_expires_at: safeTextSchema(MAX_SECRET_LEN).optional().catch(void 0)
+}).strip();
+function sanitizeConfig(input) {
+  const parsed = configSchema.safeParse(input);
+  if (!parsed.success) {
+    return {};
+  }
+  return parsed.data;
+}
+function getHome() {
+  return process.env.HOME || homedir();
+}
+function configPath() {
+  if (process.env.ALCHEMY_CONFIG) return process.env.ALCHEMY_CONFIG;
+  const configHome = process.env.XDG_CONFIG_HOME || join(getHome(), ".config");
+  return join(configHome, "alchemy", "config.json");
+}
+function configDir() {
+  return dirname(configPath());
+}
+function load() {
+  const p = configPath();
+  if (!existsSync(p)) return {};
+  try {
+    const data = readFileSync(p, "utf-8");
+    return sanitizeConfig(JSON.parse(data));
+  } catch {
+    console.error(`warning: could not parse config file at ${p} \u2014 using defaults`);
+    return {};
+  }
+}
+function save(cfg) {
+  const p = configPath();
+  const sanitized = sanitizeConfig(cfg);
+  mkdirSync(dirname(p), { recursive: true, mode: 493 });
+  writeFileSync(p, JSON.stringify(sanitized, null, 2) + "\n", {
+    mode: 384
+  });
+}
+function get(cfg, key) {
+  if (key === "app") {
+    if (!cfg.app) return void 0;
+    return `${cfg.app.name} (${cfg.app.id})`;
+  }
+  const mapped = KEY_MAP[key];
+  if (!mapped) return void 0;
+  const value = cfg[mapped];
+  if (value === void 0) return void 0;
+  if (typeof value === "boolean") return String(value);
+  if (typeof value === "string") return value;
+  return void 0;
+}
+function toMap(cfg) {
+  const m = {};
+  if (cfg.api_key) m["api-key"] = maskIf(cfg.api_key);
+  if (cfg.access_key) m["access-key"] = maskIf(cfg.access_key);
+  if (cfg.webhook_api_key) m["webhook-api-key"] = maskIf(cfg.webhook_api_key);
+  if (cfg.app) m["app"] = `${cfg.app.name} (${cfg.app.id})`;
+  if (cfg.network) m["network"] = cfg.network;
+  if (cfg.verbose !== void 0) m["verbose"] = String(cfg.verbose);
+  if (cfg.wallet_key_file) m["wallet-key-file"] = cfg.wallet_key_file;
+  if (cfg.wallet_address) m["wallet-address"] = cfg.wallet_address;
+  if (cfg.x402 !== void 0) m["x402"] = String(cfg.x402);
+  if (cfg.auth_token) m["auth-token"] = maskIf(cfg.auth_token);
+  if (cfg.auth_token_expires_at) m["auth-token-expires-at"] = cfg.auth_token_expires_at;
+  return m;
+}
+
+export {
+  maskIf,
+  KEY_MAP,
+  configPath,
+  configDir,
+  load,
+  save,
+  get,
+  toMap
+};

package/dist/{chunk-LYUW7O6X.js → chunk-DBTRDS35.js}

@@ -5,22 +5,29 @@ import {
   getLoginUrl,
   performBrowserLogin,
   revokeToken
-} from "./chunk-IGD4NIK7.js";
+} from "./chunk-5ZAK2VSS.js";
+import {
+  isInteractiveAllowed
+} from "./chunk-KDMIWPZH.js";
 import {
   AdminClient,
+  resolveAuthToken
+} from "./chunk-NM25MEJZ.js";
+import {
   bold,
   brand,
-  configPath,
   dim,
   green,
-  isInteractiveAllowed,
+  promptAutocomplete,
+  promptText,
+  withSpinner
+} from "./chunk-NBDWF4ZQ.js";
+import {
+  configPath,
   load,
   maskIf,
-  promptSelect,
-  resolveAuthToken,
-  save,
-  withSpinner
-} from "./chunk-T2XSNZE3.js";
+  save
+} from "./chunk-BAAQ7ELR.js";
 import {
   CLIError,
   ErrorCode,
@@ -32,8 +39,9 @@ import {
 
 // src/commands/auth.ts
 function registerAuth(program) {
-  const cmd = program.command("auth").description("Authenticate with your Alchemy account");
-  cmd.command("login", { isDefault: true }).description("Log in via browser").option("--force", "Force re-authentication even if a valid token exists").action(async (opts) => {
+  const cmd = program.command("auth").description("Authenticate with your Alchemy account").option("-y, --yes", "Skip confirmation prompt and open browser immediately");
+  cmd.command("login", { isDefault: true }).description("Log in via browser").option("--force", "Force re-authentication even if a valid token exists").option("-y, --yes", "Skip confirmation prompt and open browser immediately").action(async (opts) => {
+    const yes = opts.yes || cmd.opts().yes;
     try {
       if (!opts.force) {
         const existing = resolveAuthToken();
@@ -60,9 +68,18 @@ function registerAuth(program) {
         console.log(`  ${brand("\u25C6")} ${bold("Alchemy Authentication")}`);
         console.log(`  ${dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}`);
         console.log("");
-        console.log(`  Opening browser to log in...`);
         console.log(`  ${dim(getLoginUrl(AUTH_PORT))}`);
         console.log("");
+      }
+      if (!yes && !isJSONMode() && isInteractiveAllowed(program)) {
+        const answer = await promptText({
+          message: "Press Enter to open browser and link your Alchemy account",
+          cancelMessage: "Login cancelled."
+        });
+        if (answer === null) return;
+      }
+      if (!isJSONMode()) {
+        console.log(`  Opening browser to log in...`);
         console.log(`  ${dim("Waiting for authentication...")}`);
       }
       const result = await performBrowserLogin();
@@ -196,8 +213,9 @@ async function selectAppAfterAuth(authToken) {
     console.log(`  ${green("\u2713")} Auto-selected app: ${bold(selectedApp.name)}`);
   } else {
     console.log("");
-    const appId = await promptSelect({
+    const appId = await promptAutocomplete({
       message: "Select an app",
+      placeholder: "Type to search by name",
       options: apps.map((app) => ({
         value: app.id,
         label: app.name,

package/dist/{chunk-5X6YRTPU.js → chunk-FM7GQX6U.js}

@@ -1,9 +1,11 @@
 #!/usr/bin/env node
 if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
 import {
-  isInteractiveAllowed,
+  isInteractiveAllowed
+} from "./chunk-KDMIWPZH.js";
+import {
   resolveAuthToken
-} from "./chunk-T2XSNZE3.js";
+} from "./chunk-NM25MEJZ.js";
 import {
   getBaseDomain
 } from "./chunk-56ZVYB4G.js";

package/dist/chunk-KDMIWPZH.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+if(process.argv.includes("--no-color"))process.env.NO_COLOR="1";
+import {
+  isJSONMode
+} from "./chunk-56ZVYB4G.js";
+
+// src/lib/interaction.ts
+import { stdin, stdout } from "process";
+function isTruthy(value) {
+  if (!value) return false;
+  const normalized = value.trim().toLowerCase();
+  return normalized === "1" || normalized === "true" || normalized === "yes";
+}
+function isNonInteractiveEnv() {
+  return isTruthy(process.env.ALCHEMY_NON_INTERACTIVE);
+}
+function isInteractiveAllowed(program) {
+  if (!stdin.isTTY || !stdout.isTTY) return false;
+  if (isJSONMode()) return false;
+  if (isNonInteractiveEnv()) return false;
+  if (program && program.opts().interactive === false) return false;
+  return true;
+}
+
+export {
+  isInteractiveAllowed
+};