@appspacer/cli 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AppSpacer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,271 @@
+# AppSpacer CLI
+
+**Professional-grade Over-The-Air (OTA) update CLI for React Native. Deploy JavaScript bundles and assets instantly — no app store review required.**
+
+AppSpacer CLI lets you bundle, sign, and deploy over-the-air updates to your mobile apps in seconds. It also includes a built-in secrets vault for managing environment variables across teams.
+
+Full documentation: [docs.appspacer.com](https://docs.appspacer.com)
+
+---
+
+## Installation
+
+```bash
+npm install -g @appspacer/cli
+```
+
+**Requirements:** Node.js 18 or higher.
+
+---
+
+## Quick Start
+
+```bash
+# 1. Authenticate
+appspacer login -t pat_your_token_here
+
+# 2. Auto-configure your native project (React Native only)
+appspacer setup
+
+# 3. Push an OTA update
+appspacer release-react-native android -a my-app -d Staging -t 1.0.0
+```
+
+---
+
+## Commands
+
+### `appspacer login`
+
+Authenticate with AppSpacer using a Personal Access Token (PAT).
+
+```bash
+appspacer login -t pat_your_token_here
+
+# Interactive — prompts for token if -t is omitted
+appspacer login
+```
+
+| Flag | Description |
+|------|-------------|
+| `-t, --token <token>` | Personal Access Token (must start with `pat_`) |
+| `--api-url <url>` | Override the API base URL (for self-hosted deployments) |
+
+Generate tokens at [appspacer.com/settings/tokens](https://appspacer.com/settings/tokens).
+
+---
+
+### `appspacer whoami`
+
+Display the currently authenticated user.
+
+```bash
+appspacer whoami
+```
+
+---
+
+### `appspacer setup`
+
+Auto-configure native Android and iOS files to load OTA bundles from AppSpacer. Run this once after installing `react-native-appspacer`.
+
+```bash
+# Configure both platforms
+appspacer setup
+
+# Android only
+appspacer setup --android-only
+
+# iOS only
+appspacer setup --ios-only
+
+# Preview changes without writing files
+appspacer setup --dry-run
+
+# Point to a project in a different directory
+appspacer setup --project-dir ../my-app
+```
+
+| Flag | Description |
+|------|-------------|
+| `--android-only` | Only configure Android |
+| `--ios-only` | Only configure iOS |
+| `--project-dir <dir>` | Root of the React Native project (default: `.`) |
+| `--dry-run` | Preview injected code without modifying files |
+
+The command auto-detects your React Native architecture (New Architecture / Traditional) and injects the correct bundle resolver into `MainApplication.kt` / `MainApplication.java` (Android) and `AppDelegate.mm` / `AppDelegate.swift` (iOS). Original files are backed up as `.appspacer.bak`.
+
+---
+
+### `appspacer setup:undo`
+
+Remove all AppSpacer injections from native files.
+
+```bash
+appspacer setup:undo
+
+appspacer setup:undo --project-dir ../my-app
+```
+
+---
+
+### `appspacer release-react-native`
+
+Bundle your React Native JavaScript and push it as an OTA update.
+
+```bash
+# Android
+appspacer release-react-native android -a my-app -d Staging -t 1.0.0
+
+# iOS — mandatory update with a description
+appspacer release-react-native ios -a my-app -d Production -t 2.1.0 --mandatory --description "Critical bug fix"
+
+# Include assets (images, fonts) in the bundle
+appspacer release-react-native android -a my-app -d Staging -t 1.0.0 --include-assets
+```
+
+| Flag | Description |
+|------|-------------|
+| `<platform>` | `android` or `ios` (required positional argument) |
+| `-a, --app <id>` | App ID or Name (required) |
+| `-d, --deployment <name>` | Deployment name, e.g. `Staging`, `Production` (required) |
+| `-t, --target-version <version>` | App store version this update targets, e.g. `1.0.0` (required) |
+| `--description <text>` | Human-readable release notes |
+| `--mandatory` | Mark update as mandatory (applied immediately on next launch) |
+| `--include-assets` | Bundle assets along with JS (increases bundle size) |
+
+---
+
+### `appspacer release-flutter`
+
+Package your Flutter `assets/` directory and push it as an OTA update. Run from your Flutter project root — the app version is read automatically from `pubspec.yaml`.
+
+```bash
+# Android
+appspacer release-flutter -p android -a my-app -d Staging
+
+# iOS — mandatory
+appspacer release-flutter -p ios -a my-app -d Production --mandatory
+
+# With a description
+appspacer release-flutter -p android -a my-app -d Staging --description "New onboarding assets"
+```
+
+| Flag | Description |
+|------|-------------|
+| `-p, --platform <os>` | `android` or `ios` (required) |
+| `-a, --app <id>` | App ID or Name (required) |
+| `-d, --deployment <name>` | Deployment name (required) |
+| `--description <text>` | Release notes |
+| `--mandatory` | Mark update as mandatory |
+
+---
+
+### `appspacer release`
+
+Upload a pre-built zip bundle manually (platform-agnostic).
+
+```bash
+appspacer release -a my-app -d Staging -p android -t "1.x.x" -f ./bundle.zip
+```
+
+| Flag | Description |
+|------|-------------|
+| `-a, --app <id>` | App ID or Name (required) |
+| `-d, --deployment <name>` | Deployment name (required) |
+| `-p, --platform <os>` | `android` or `ios` (required) |
+| `-t, --target-version <version>` | Target app version (required) |
+| `-f, --file <path>` | Path to the `.zip` bundle (required) |
+| `--description <text>` | Release notes |
+| `--mandatory` | Mark update as mandatory |
+
+---
+
+### `appspacer deployments`
+
+List all releases in a deployment.
+
+```bash
+appspacer deployments -a my-app
+```
+
+---
+
+### `appspacer rollback`
+
+Disable the latest release and reactivate the previous one.
+
+```bash
+appspacer rollback -a my-app -d Staging -p android
+
+appspacer rollback -a my-app -d Production -p ios
+```
+
+| Flag | Description |
+|------|-------------|
+| `-a, --app <id>` | App ID or Name (required) |
+| `-d, --deployment <name>` | Deployment name (required) |
+| `-p, --platform <os>` | `android` or `ios` (required) |
+
+---
+
+### `appspacer vault`
+
+Manage and sync environment variables (secrets) via AppSpacer Vault.
+
+```bash
+# Initialize vault in the current directory (interactive)
+appspacer vault init
+
+# Push local .env to the remote vault
+appspacer vault push
+
+# Pull secrets from the vault into a local .env file
+appspacer vault pull
+
+# Revert the most recent vault change
+appspacer vault rollback
+
+# View audit history
+appspacer vault audit
+```
+
+#### `vault env` — Environment management
+
+```bash
+# List environments in the current project
+appspacer vault env list
+
+# Switch the active environment (and pull its secrets)
+appspacer vault env use Production
+```
+
+#### `vault secrets` — Individual secret management
+
+```bash
+# List all remote secrets (values masked)
+appspacer vault secrets ls
+
+# Set a single secret
+appspacer vault secrets set API_KEY=abc123
+```
+
+---
+
+## Configuration
+
+AppSpacer CLI stores its configuration (token, API URL) in `~/.appspacer/config.json`. No manual editing is required.
+
+---
+
+## Links
+
+- **Dashboard:** [appspacer.com](https://appspacer.com)
+- **Documentation:** [docs.appspacer.com](https://docs.appspacer.com)
+- **Issues / Support:** [appspacer.com/support](https://appspacer.com/support)
+
+---
+
+## License
+
+MIT

package/dist/__tests__/api.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/api.test.js

@@ -0,0 +1,142 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+vi.mock("../config.js", () => ({
+    getApiUrl: () => "https://api.test",
+    getToken: () => "pat_test_token",
+}));
+import { apiRequest } from "../api.js";
+describe("apiRequest", () => {
+    const fetchMock = vi.fn();
+    beforeEach(() => {
+        vi.useFakeTimers();
+        vi.stubGlobal("fetch", fetchMock);
+    });
+    afterEach(() => {
+        vi.restoreAllMocks();
+        vi.useRealTimers();
+    });
+    // ── Happy path ───────────────────────────────────────────────────────────
+    it("makes a GET request to the correct URL with Authorization header", async () => {
+        fetchMock.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            headers: new Headers(),
+            json: async () => ({ success: true, data: { id: "123" } }),
+        });
+        await apiRequest("/profile");
+        const [url, options] = fetchMock.mock.calls[0];
+        expect(url).toBe("https://api.test/profile");
+        expect(options.headers["Authorization"]).toBe("Bearer pat_test_token");
+        expect(options.headers["Content-Type"]).toBe("application/json");
+    });
+    it("returns the data field from the response body", async () => {
+        fetchMock.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            headers: new Headers(),
+            json: async () => ({ success: true, data: { name: "Alice" } }),
+        });
+        const result = await apiRequest("/profile");
+        expect(result).toEqual({ name: "Alice" });
+    });
+    it("forwards custom request options (method, body)", async () => {
+        fetchMock.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            headers: new Headers(),
+            json: async () => ({ success: true, data: {} }),
+        });
+        await apiRequest("/release", {
+            method: "POST",
+            body: JSON.stringify({ app_id: "abc" }),
+        });
+        const [, options] = fetchMock.mock.calls[0];
+        expect(options.method).toBe("POST");
+        expect(options.body).toBe(JSON.stringify({ app_id: "abc" }));
+    });
+    // ── Error handling ───────────────────────────────────────────────────────
+    it("throws when response.ok is false", async () => {
+        fetchMock.mockResolvedValueOnce({
+            ok: false,
+            status: 401,
+            headers: new Headers(),
+            json: async () => ({ success: false, error: { code: "UNAUTHORIZED", message: "Invalid token" } }),
+        });
+        await expect(apiRequest("/profile")).rejects.toThrow("Invalid token");
+    });
+    it("throws when success flag is false even with HTTP 200", async () => {
+        fetchMock.mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            headers: new Headers(),
+            json: async () => ({ success: false, error: { code: "NOT_FOUND", message: "App not found" } }),
+        });
+        await expect(apiRequest("/codepush/deployments?app_id=x")).rejects.toThrow("App not found");
+    });
+    it("throws a generic message when no error body is present", async () => {
+        fetchMock.mockResolvedValueOnce({
+            ok: false,
+            status: 500,
+            headers: new Headers(),
+            json: async () => ({ success: false }),
+        });
+        await expect(apiRequest("/release")).rejects.toThrow("Request failed with status 500");
+    });
+    // ── Timeout ──────────────────────────────────────────────────────────────
+    it("throws a timeout error when the request exceeds 30 seconds", async () => {
+        fetchMock.mockImplementationOnce((_url, opts) => {
+            // Simulate a request that never resolves, but respects abort
+            return new Promise((_resolve, reject) => {
+                opts.signal?.addEventListener("abort", () => {
+                    reject(Object.assign(new Error("The operation was aborted"), { name: "AbortError" }));
+                });
+            });
+        });
+        const promise = apiRequest("/profile");
+        // Advance timers past the 30s timeout
+        vi.advanceTimersByTime(31_000);
+        await expect(promise).rejects.toThrow(/timed out/i);
+    });
+    // ── 429 retry ────────────────────────────────────────────────────────────
+    it("retries once on 429 and succeeds on the second attempt", async () => {
+        fetchMock
+            .mockResolvedValueOnce({
+            ok: false,
+            status: 429,
+            headers: new Headers({ "Retry-After": "1" }),
+            json: async () => ({ success: false }),
+        })
+            .mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            headers: new Headers(),
+            json: async () => ({ success: true, data: { id: "ok" } }),
+        });
+        const promise = apiRequest("/profile");
+        // Advance past the Retry-After: 1 second delay
+        await vi.advanceTimersByTimeAsync(2_000);
+        const result = await promise;
+        expect(result).toEqual({ id: "ok" });
+        expect(fetchMock).toHaveBeenCalledTimes(2);
+    });
+    it("uses the Retry-After header value as the delay before retrying", async () => {
+        fetchMock
+            .mockResolvedValueOnce({
+            ok: false,
+            status: 429,
+            headers: new Headers({ "Retry-After": "3" }),
+            json: async () => ({ success: false }),
+        })
+            .mockResolvedValueOnce({
+            ok: true,
+            status: 200,
+            headers: new Headers(),
+            json: async () => ({ success: true, data: { retried: true } }),
+        });
+        const promise = apiRequest("/profile");
+        // Flush microtasks then advance past the 3s Retry-After delay
+        await vi.advanceTimersByTimeAsync(4_000);
+        const result = await promise;
+        expect(result).toEqual({ retried: true });
+        expect(fetchMock).toHaveBeenCalledTimes(2);
+    });
+});

package/dist/__tests__/config.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/config.test.js

@@ -0,0 +1,109 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import path from "path";
+// Inline the mock value in the factory — the factory is hoisted before const
+// initializations run, so referencing outer-scope variables causes TDZ errors.
+vi.mock("os", () => ({
+    default: { homedir: () => "/mock_home" },
+}));
+// Must match the value returned by the mocked os.homedir() above.
+const MOCK_HOME = "/mock_home";
+// In-memory filesystem shared across tests; mutated in-place so closures stay valid
+const mockFiles = {};
+vi.mock("fs", () => ({
+    default: {
+        existsSync: vi.fn((p) => p in mockFiles),
+        readFileSync: vi.fn((p) => {
+            if (!(p in mockFiles)) {
+                const e = new Error(`ENOENT: ${p}`);
+                e.code = "ENOENT";
+                throw e;
+            }
+            return mockFiles[p];
+        }),
+        writeFileSync: vi.fn((p, content) => {
+            mockFiles[p] = content;
+        }),
+        renameSync: vi.fn((from, to) => {
+            if (from in mockFiles) {
+                mockFiles[to] = mockFiles[from];
+                delete mockFiles[from];
+            }
+        }),
+        mkdirSync: vi.fn(),
+    },
+}));
+import { loadConfig, saveConfig, getToken, getApiUrl } from "../config.js";
+// Mirror exactly how config.ts computes CONFIG_FILE so keys match on all platforms
+const CONFIG_FILE = path.join(MOCK_HOME, ".appspacer", "config.json");
+const DEFAULT_API_URL = "https://appspacer-middleware.onrender.com/api";
+beforeEach(() => {
+    for (const key of Object.keys(mockFiles))
+        delete mockFiles[key];
+});
+// ─── loadConfig ──────────────────────────────────────────────────────────────
+describe("loadConfig", () => {
+    it("returns default config when config file does not exist", () => {
+        const config = loadConfig();
+        expect(config.accessToken).toBeNull();
+        expect(config.apiUrl).toBe(DEFAULT_API_URL);
+    });
+    it("merges saved values over defaults", () => {
+        mockFiles[CONFIG_FILE] = JSON.stringify({ accessToken: "pat_abc123" });
+        const config = loadConfig();
+        expect(config.accessToken).toBe("pat_abc123");
+        expect(config.apiUrl).toBe(DEFAULT_API_URL);
+    });
+    it("returns default config when file contains invalid JSON", () => {
+        mockFiles[CONFIG_FILE] = "{ not valid json }}}";
+        const config = loadConfig();
+        expect(config.accessToken).toBeNull();
+    });
+    it("returns the full config when all fields are present", () => {
+        mockFiles[CONFIG_FILE] = JSON.stringify({
+            accessToken: "pat_xyz",
+            apiUrl: "https://custom.api",
+        });
+        const config = loadConfig();
+        expect(config.accessToken).toBe("pat_xyz");
+        expect(config.apiUrl).toBe("https://custom.api");
+    });
+});
+// ─── saveConfig ──────────────────────────────────────────────────────────────
+describe("saveConfig", () => {
+    it("writes the config file as JSON", () => {
+        saveConfig({ accessToken: "pat_new" });
+        expect(mockFiles[CONFIG_FILE]).toBeDefined();
+        const saved = JSON.parse(mockFiles[CONFIG_FILE]);
+        expect(saved.accessToken).toBe("pat_new");
+    });
+    it("merges partial updates without overwriting other fields", () => {
+        mockFiles[CONFIG_FILE] = JSON.stringify({
+            accessToken: "pat_old",
+            apiUrl: "https://custom.api",
+        });
+        saveConfig({ accessToken: "pat_new" });
+        const saved = JSON.parse(mockFiles[CONFIG_FILE]);
+        expect(saved.apiUrl).toBe("https://custom.api");
+        expect(saved.accessToken).toBe("pat_new");
+    });
+});
+// ─── getToken ────────────────────────────────────────────────────────────────
+describe("getToken", () => {
+    it("returns the token when one is saved", () => {
+        mockFiles[CONFIG_FILE] = JSON.stringify({ accessToken: "pat_secret" });
+        expect(getToken()).toBe("pat_secret");
+    });
+    it("throws when accessToken is null", () => {
+        expect(() => getToken()).toThrow(/Not logged in/);
+    });
+});
+// ─── getApiUrl ───────────────────────────────────────────────────────────────
+describe("getApiUrl", () => {
+    it("returns the default API URL when no config saved", () => {
+        expect(getApiUrl()).toBe(DEFAULT_API_URL);
+    });
+    it("returns the custom API URL when one is saved", () => {
+        mockFiles[CONFIG_FILE] = JSON.stringify({ apiUrl: "https://my-server.com/api" });
+        expect(getApiUrl()).toBe("https://my-server.com/api");
+    });
+});

package/dist/__tests__/hash.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/__tests__/hash.test.js

@@ -0,0 +1,47 @@
+import { describe, it, expect, afterAll } from "vitest";
+import crypto from "crypto";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { computeFileHash } from "../utils/hash.js";
+const TMP_DIR = path.join(os.tmpdir(), "appspacer-hash-tests");
+describe("computeFileHash", () => {
+    afterAll(() => {
+        if (fs.existsSync(TMP_DIR))
+            fs.rmSync(TMP_DIR, { recursive: true, force: true });
+    });
+    function writeTmp(name, content) {
+        if (!fs.existsSync(TMP_DIR))
+            fs.mkdirSync(TMP_DIR, { recursive: true });
+        const p = path.join(TMP_DIR, name);
+        fs.writeFileSync(p, content);
+        return p;
+    }
+    it("returns a 64-char hex SHA-256 digest", () => {
+        const p = writeTmp("a.txt", "hello world");
+        const hash = computeFileHash(p);
+        expect(hash).toHaveLength(64);
+        expect(hash).toMatch(/^[0-9a-f]+$/);
+    });
+    it("returns the same hash for identical content", () => {
+        const p1 = writeTmp("b1.txt", "same content");
+        const p2 = writeTmp("b2.txt", "same content");
+        expect(computeFileHash(p1)).toBe(computeFileHash(p2));
+    });
+    it("returns different hashes for different content", () => {
+        const p1 = writeTmp("c1.txt", "content A");
+        const p2 = writeTmp("c2.txt", "content B");
+        expect(computeFileHash(p1)).not.toBe(computeFileHash(p2));
+    });
+    it("matches Node crypto SHA-256 for the same content", () => {
+        const data = "hello world";
+        const p = writeTmp("d.txt", data);
+        const expected = crypto.createHash("sha256").update(Buffer.from(data)).digest("hex");
+        expect(computeFileHash(p)).toBe(expected);
+    });
+    it("handles empty files without throwing", () => {
+        const p = writeTmp("empty.txt", "");
+        expect(() => computeFileHash(p)).not.toThrow();
+        expect(computeFileHash(p)).toHaveLength(64);
+    });
+});

package/dist/__tests__/setup-injections.test.d.ts

@@ -0,0 +1 @@
+export {};