@autohq/cli 0.1.83 → 0.1.84

package/dist/agent-bridge.js

@@ -19605,7 +19605,6 @@ var AuthScopeSchema = external_exports.enum([
   "environments:write",
   "profiles:read",
   "profiles:write",
-  "resources:apply_dry_run",
   "runs:read",
   "runs:write",
   "events:write",
@@ -19696,6 +19695,24 @@ var AuthWhoamiResponseSchema = external_exports.object({
     })
   }).optional()
 });
+var SERVICE_ACCOUNT_READ_ONLY_SCOPES = [
+  "environments:read",
+  "profiles:read",
+  "tools:read",
+  "sessions:read",
+  "runs:read"
+];
+var SERVICE_ACCOUNT_SCOPE_PRESETS = {
+  "read-only": SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+  applier: [
+    ...SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+    "environments:write",
+    "profiles:write",
+    "tools:write",
+    "sessions:write"
+  ]
+};
+var ServiceAccountScopePresetSchema = external_exports.enum(["read-only", "applier"]);
 
 // ../../packages/schemas/src/primitives.ts
 var JsonValueSchema2 = external_exports.lazy(
@@ -20867,16 +20884,12 @@ var ProjectServiceAccountSchema = external_exports.object({
   scopes: external_exports.array(AuthScopeSchema),
   createdAt: external_exports.string().datetime()
 });
-var ProjectServiceAccountScopeInputSchema = external_exports.union([
-  AuthScopeSchema,
-  external_exports.literal("members:none")
-]);
 var ProjectServiceAccountCreateRequestSchema = external_exports.object({
   name: ResourceNameSchema,
-  scopes: external_exports.array(ProjectServiceAccountScopeInputSchema).optional()
+  scopes: external_exports.array(AuthScopeSchema).min(1)
 });
 var ProjectServiceAccountUpdateRequestSchema = external_exports.object({
-  scopes: external_exports.array(ProjectServiceAccountScopeInputSchema)
+  scopes: external_exports.array(AuthScopeSchema).min(1)
 });
 var ProjectServiceAccountTokenResponseSchema = external_exports.object({
   serviceAccount: ProjectServiceAccountSchema,

package/dist/index.js

@@ -15196,7 +15196,7 @@ var init_ids = __esm({
 });
 
 // ../../packages/schemas/src/auth.ts
-var AuthRoleSchema, AuthIdentityProviderSchema, AuthScopeSchema, AUTH_SCOPES, PrincipalSchema, AuthClientSchema, AuthActorSchema, AuthContextSchema, AuthWhoamiResponseSchema;
+var AuthRoleSchema, AuthIdentityProviderSchema, AuthScopeSchema, AUTH_SCOPES, PrincipalSchema, AuthClientSchema, AuthActorSchema, AuthContextSchema, AuthWhoamiResponseSchema, SERVICE_ACCOUNT_READ_ONLY_SCOPES, SERVICE_ACCOUNT_SCOPE_PRESETS, ServiceAccountScopePresetSchema;
 var init_auth = __esm({
   "../../packages/schemas/src/auth.ts"() {
     "use strict";
@@ -15213,7 +15213,6 @@ var init_auth = __esm({
       "environments:write",
       "profiles:read",
       "profiles:write",
-      "resources:apply_dry_run",
       "runs:read",
       "runs:write",
       "events:write",
@@ -15304,6 +15303,24 @@ var init_auth = __esm({
         })
       }).optional()
     });
+    SERVICE_ACCOUNT_READ_ONLY_SCOPES = [
+      "environments:read",
+      "profiles:read",
+      "tools:read",
+      "sessions:read",
+      "runs:read"
+    ];
+    SERVICE_ACCOUNT_SCOPE_PRESETS = {
+      "read-only": SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+      applier: [
+        ...SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+        "environments:write",
+        "profiles:write",
+        "tools:write",
+        "sessions:write"
+      ]
+    };
+    ServiceAccountScopePresetSchema = external_exports.enum(["read-only", "applier"]);
   }
 });
 
@@ -16646,7 +16663,7 @@ var init_mounts = __esm({
 });
 
 // ../../packages/schemas/src/project-service-accounts.ts
-var ProjectServiceAccountSchema, ProjectServiceAccountScopeInputSchema, ProjectServiceAccountCreateRequestSchema, ProjectServiceAccountUpdateRequestSchema, ProjectServiceAccountTokenResponseSchema, ProjectServiceAccountUpdateResponseSchema, ProjectServiceAccountRemoveResponseSchema, ProjectServiceAccountListResponseSchema;
+var ProjectServiceAccountSchema, ProjectServiceAccountCreateRequestSchema, ProjectServiceAccountUpdateRequestSchema, ProjectServiceAccountTokenResponseSchema, ProjectServiceAccountUpdateResponseSchema, ProjectServiceAccountRemoveResponseSchema, ProjectServiceAccountListResponseSchema;
 var init_project_service_accounts = __esm({
   "../../packages/schemas/src/project-service-accounts.ts"() {
     "use strict";
@@ -16662,16 +16679,12 @@ var init_project_service_accounts = __esm({
       scopes: external_exports.array(AuthScopeSchema),
       createdAt: external_exports.string().datetime()
     });
-    ProjectServiceAccountScopeInputSchema = external_exports.union([
-      AuthScopeSchema,
-      external_exports.literal("members:none")
-    ]);
     ProjectServiceAccountCreateRequestSchema = external_exports.object({
       name: ResourceNameSchema,
-      scopes: external_exports.array(ProjectServiceAccountScopeInputSchema).optional()
+      scopes: external_exports.array(AuthScopeSchema).min(1)
     });
     ProjectServiceAccountUpdateRequestSchema = external_exports.object({
-      scopes: external_exports.array(ProjectServiceAccountScopeInputSchema)
+      scopes: external_exports.array(AuthScopeSchema).min(1)
     });
     ProjectServiceAccountTokenResponseSchema = external_exports.object({
       serviceAccount: ProjectServiceAccountSchema,
@@ -21114,7 +21127,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "@autohq/cli",
-      version: "0.1.83",
+      version: "0.1.84",
       license: "SEE LICENSE IN README.md",
       publishConfig: {
         access: "public"
@@ -23628,7 +23641,11 @@ function useCreateServiceAccount(apiUrl) {
   const client = useApiClient();
   const queryClient = useQueryClient();
   return useMutation({
-    mutationFn: (name) => client.createProjectServiceAccount({ name }, { apiBaseUrl: apiUrl }),
+    mutationFn: (name) => client.createProjectServiceAccount(
+      // The TUI has no scope picker yet; mint with the applier preset.
+      { name, scopes: [...SERVICE_ACCOUNT_SCOPE_PRESETS.applier] },
+      { apiBaseUrl: apiUrl }
+    ),
     onSuccess: () => queryClient.invalidateQueries({
       queryKey: queryKeys.serviceAccounts(apiUrl)
     })
@@ -23927,6 +23944,7 @@ var queryKeys, RUNS_REFETCH_INTERVAL_MS;
 var init_queries = __esm({
   "src/tui/hooks/queries.ts"() {
     "use strict";
+    init_src();
     init_ApiClientContext();
     queryKeys = {
       environments: (apiUrl) => ["environments", apiUrl],
@@ -30436,16 +30454,17 @@ function withApiBaseUrl(context, commandOptions) {
 }
 
 // src/commands/service-accounts/actions.ts
+init_src();
 async function createServiceAccount(input) {
   const response = await input.client.createProjectServiceAccount(
-    { name: input.name, scopes: input.commandOptions.scope },
+    { name: input.name, scopes: requestedScopes(input.commandOptions) },
     { apiBaseUrl: input.commandOptions.apiBaseUrl }
   );
   writeServiceAccountTokenResponse(response, input);
 }
 async function updateServiceAccount(input) {
   const response = await input.client.updateProjectServiceAccount(
-    { name: input.name, scopes: input.commandOptions.scope ?? [] },
+    { name: input.name, scopes: requestedScopes(input.commandOptions) },
     { apiBaseUrl: input.commandOptions.apiBaseUrl }
   );
   if (input.commandOptions.json) {
@@ -30472,6 +30491,33 @@ async function removeServiceAccount(input) {
   }
   input.writeOutput(`removed service-account ${response.serviceAccount.name}`);
 }
+function requestedScopes(options) {
+  const presetNames = Object.keys(SERVICE_ACCOUNT_SCOPE_PRESETS).join(", ");
+  const scopes = [];
+  if (options.preset !== void 0) {
+    const preset = ServiceAccountScopePresetSchema.safeParse(options.preset);
+    if (!preset.success) {
+      throw new Error(
+        `Unknown preset "${options.preset}". Available presets: ${presetNames}.`
+      );
+    }
+    scopes.push(...SERVICE_ACCOUNT_SCOPE_PRESETS[preset.data]);
+  }
+  for (const scope of options.scope ?? []) {
+    if (!AuthScopeSchema.safeParse(scope).success) {
+      throw new Error(
+        `Unknown scope "${scope}". Valid scopes: ${AUTH_SCOPES.join(", ")}.`
+      );
+    }
+    scopes.push(scope);
+  }
+  if (scopes.length === 0) {
+    throw new Error(
+      `Provide --preset <preset> (${presetNames}) or at least one --scope.`
+    );
+  }
+  return [...new Set(scopes)];
+}
 function writeServiceAccountTokenResponse(response, input) {
   if (input.commandOptions.json) {
     input.writeOutput(JSON.stringify(response));
@@ -30494,6 +30540,9 @@ function writeServiceAccountScopesResponse(response, writeOutput) {
 function registerServiceAccountCommands(program, context) {
   const serviceAccount = program.command("service-account").description("Manage Auto project service accounts.");
   serviceAccount.command("create").description("Create a project service account and print its token.").argument("<name>", "service account name").option(
+    "--preset <preset>",
+    "grant a named scope bundle (read-only, applier)"
+  ).option(
     "--scope <scope>",
     "grant a scope; repeat to grant multiple scopes",
     collectScopes
@@ -30507,11 +30556,13 @@ function registerServiceAccountCommands(program, context) {
       });
     }
   );
-  serviceAccount.command("update").description("Update project service account scopes.").argument("<name>", "service account name").requiredOption(
+  serviceAccount.command("update").description("Update project service account scopes.").argument("<name>", "service account name").option(
+    "--preset <preset>",
+    "grant a named scope bundle (read-only, applier)"
+  ).option(
     "--scope <scope>",
     "grant a scope; repeat to grant multiple scopes",
-    collectScopes,
-    []
+    collectScopes
   ).option("--json", "print the updated service account as JSON").option("--api-url <url>", "Auto API base URL").option("--api-base-url <url>", "Auto API base URL").action(
     async (name, commandOptions) => {
       await updateServiceAccount({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autohq/cli",
-  "version": "0.1.83",
+  "version": "0.1.84",
   "license": "SEE LICENSE IN README.md",
   "publishConfig": {
     "access": "public"