@autohq/cli 0.1.83 → 0.1.85

package/dist/agent-bridge.js

@@ -19605,7 +19605,6 @@ var AuthScopeSchema = external_exports.enum([
   "environments:write",
   "profiles:read",
   "profiles:write",
-  "resources:apply_dry_run",
   "runs:read",
   "runs:write",
   "events:write",
@@ -19696,6 +19695,24 @@ var AuthWhoamiResponseSchema = external_exports.object({
     })
   }).optional()
 });
+var SERVICE_ACCOUNT_READ_ONLY_SCOPES = [
+  "environments:read",
+  "profiles:read",
+  "tools:read",
+  "sessions:read",
+  "runs:read"
+];
+var SERVICE_ACCOUNT_SCOPE_PRESETS = {
+  "read-only": SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+  applier: [
+    ...SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+    "environments:write",
+    "profiles:write",
+    "tools:write",
+    "sessions:write"
+  ]
+};
+var ServiceAccountScopePresetSchema = external_exports.enum(["read-only", "applier"]);
 
 // ../../packages/schemas/src/primitives.ts
 var JsonValueSchema2 = external_exports.lazy(
@@ -20867,16 +20884,12 @@ var ProjectServiceAccountSchema = external_exports.object({
   scopes: external_exports.array(AuthScopeSchema),
   createdAt: external_exports.string().datetime()
 });
-var ProjectServiceAccountScopeInputSchema = external_exports.union([
-  AuthScopeSchema,
-  external_exports.literal("members:none")
-]);
 var ProjectServiceAccountCreateRequestSchema = external_exports.object({
   name: ResourceNameSchema,
-  scopes: external_exports.array(ProjectServiceAccountScopeInputSchema).optional()
+  scopes: external_exports.array(AuthScopeSchema).min(1)
 });
 var ProjectServiceAccountUpdateRequestSchema = external_exports.object({
-  scopes: external_exports.array(ProjectServiceAccountScopeInputSchema)
+  scopes: external_exports.array(AuthScopeSchema).min(1)
 });
 var ProjectServiceAccountTokenResponseSchema = external_exports.object({
   serviceAccount: ProjectServiceAccountSchema,

package/dist/index.js

@@ -15196,7 +15196,7 @@ var init_ids = __esm({
 });
 
 // ../../packages/schemas/src/auth.ts
-var AuthRoleSchema, AuthIdentityProviderSchema, AuthScopeSchema, AUTH_SCOPES, PrincipalSchema, AuthClientSchema, AuthActorSchema, AuthContextSchema, AuthWhoamiResponseSchema;
+var AuthRoleSchema, AuthIdentityProviderSchema, AuthScopeSchema, AUTH_SCOPES, PrincipalSchema, AuthClientSchema, AuthActorSchema, AuthContextSchema, AuthWhoamiResponseSchema, SERVICE_ACCOUNT_READ_ONLY_SCOPES, SERVICE_ACCOUNT_SCOPE_PRESETS, ServiceAccountScopePresetSchema;
 var init_auth = __esm({
   "../../packages/schemas/src/auth.ts"() {
     "use strict";
@@ -15213,7 +15213,6 @@ var init_auth = __esm({
       "environments:write",
       "profiles:read",
       "profiles:write",
-      "resources:apply_dry_run",
       "runs:read",
       "runs:write",
       "events:write",
@@ -15304,6 +15303,24 @@ var init_auth = __esm({
         })
       }).optional()
     });
+    SERVICE_ACCOUNT_READ_ONLY_SCOPES = [
+      "environments:read",
+      "profiles:read",
+      "tools:read",
+      "sessions:read",
+      "runs:read"
+    ];
+    SERVICE_ACCOUNT_SCOPE_PRESETS = {
+      "read-only": SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+      applier: [
+        ...SERVICE_ACCOUNT_READ_ONLY_SCOPES,
+        "environments:write",
+        "profiles:write",
+        "tools:write",
+        "sessions:write"
+      ]
+    };
+    ServiceAccountScopePresetSchema = external_exports.enum(["read-only", "applier"]);
   }
 });
 
@@ -16646,7 +16663,7 @@ var init_mounts = __esm({
 });
 
 // ../../packages/schemas/src/project-service-accounts.ts
-var ProjectServiceAccountSchema, ProjectServiceAccountScopeInputSchema, ProjectServiceAccountCreateRequestSchema, ProjectServiceAccountUpdateRequestSchema, ProjectServiceAccountTokenResponseSchema, ProjectServiceAccountUpdateResponseSchema, ProjectServiceAccountRemoveResponseSchema, ProjectServiceAccountListResponseSchema;
+var ProjectServiceAccountSchema, ProjectServiceAccountCreateRequestSchema, ProjectServiceAccountUpdateRequestSchema, ProjectServiceAccountTokenResponseSchema, ProjectServiceAccountUpdateResponseSchema, ProjectServiceAccountRemoveResponseSchema, ProjectServiceAccountListResponseSchema;
 var init_project_service_accounts = __esm({
   "../../packages/schemas/src/project-service-accounts.ts"() {
     "use strict";
@@ -16662,16 +16679,12 @@ var init_project_service_accounts = __esm({
       scopes: external_exports.array(AuthScopeSchema),
       createdAt: external_exports.string().datetime()
     });
-    ProjectServiceAccountScopeInputSchema = external_exports.union([
-      AuthScopeSchema,
-      external_exports.literal("members:none")
-    ]);
     ProjectServiceAccountCreateRequestSchema = external_exports.object({
       name: ResourceNameSchema,
-      scopes: external_exports.array(ProjectServiceAccountScopeInputSchema).optional()
+      scopes: external_exports.array(AuthScopeSchema).min(1)
     });
     ProjectServiceAccountUpdateRequestSchema = external_exports.object({
-      scopes: external_exports.array(ProjectServiceAccountScopeInputSchema)
+      scopes: external_exports.array(AuthScopeSchema).min(1)
     });
     ProjectServiceAccountTokenResponseSchema = external_exports.object({
       serviceAccount: ProjectServiceAccountSchema,
@@ -21114,7 +21127,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "@autohq/cli",
-      version: "0.1.83",
+      version: "0.1.85",
       license: "SEE LICENSE IN README.md",
       publishConfig: {
         access: "public"
@@ -23628,7 +23641,11 @@ function useCreateServiceAccount(apiUrl) {
   const client = useApiClient();
   const queryClient = useQueryClient();
   return useMutation({
-    mutationFn: (name) => client.createProjectServiceAccount({ name }, { apiBaseUrl: apiUrl }),
+    mutationFn: (name) => client.createProjectServiceAccount(
+      // The TUI has no scope picker yet; mint with the applier preset.
+      { name, scopes: [...SERVICE_ACCOUNT_SCOPE_PRESETS.applier] },
+      { apiBaseUrl: apiUrl }
+    ),
     onSuccess: () => queryClient.invalidateQueries({
       queryKey: queryKeys.serviceAccounts(apiUrl)
     })
@@ -23927,6 +23944,7 @@ var queryKeys, RUNS_REFETCH_INTERVAL_MS;
 var init_queries = __esm({
   "src/tui/hooks/queries.ts"() {
     "use strict";
+    init_src();
     init_ApiClientContext();
     queryKeys = {
       environments: (apiUrl) => ["environments", apiUrl],
@@ -29129,7 +29147,7 @@ var onboardingSkillMarkdown = `# Onboard your user to auto
 
 You are a coding agent running inside the user's repository. Your job is to
 take them from zero to a working auto deployment in one conversation, with
-the least possible friction. Follow the five beats in order, and run every
+the least possible friction. Follow the six beats in order, and run every
 waiting step in parallel with your own work.
 
 ## Ground rules
@@ -29181,7 +29199,8 @@ get me into your Slack." Then, without waiting:
 Build a repo dossier while the clicks happen. Explore the codebase and git
 history for:
 
-- Stack and layout: languages, frameworks, build and test setup, CI config.
+- Stack and layout: languages, frameworks, build and test setup, CI and
+  deploy workflows (Beat 6 wires into these).
 - How the team works: PR conventions, review patterns, branch and release
   habits, merge frequency.
 - Tools referenced: issue tracker keys in commits and branches, chat or
@@ -29262,6 +29281,102 @@ one workflow. Then:
 5. Apply with \`auto apply\` and confirm the trigger is active. Route the
    workflow's reports to the Slack channel from Beat 2.
 
+## Beat 6: Wire CI to apply on merge
+
+Every apply so far ran from this terminal under the user's own login. Its
+durable home is CI: a dry-run plan as a check on every PR, and the real
+apply when changes merge \u2014 \`.auto/\` ships the same way the code does. Do
+this once the GitHub App is connected and the first apply has succeeded.
+
+1. CI authenticates as a service account, never as the user. Create two \u2014
+   the \`applier\` token lives only on the merge path, while the \`read-only\`
+   token is exposed to PR-triggered runs: it can produce the dry-run plan
+   but cannot perform a real apply, and it stays revocable on its own. Pipe
+   each token straight into a GitHub secret so it never touches your
+   transcript or disk \u2014 with \`pipefail\` and \`jq -re\` so a failed create
+   cannot silently store an empty secret:
+
+   \`\`\`sh
+   set -o pipefail
+   auto service-account create github-actions-auto-apply \\
+     --preset applier --json \\
+     | jq -re .token | gh secret set AUTO_APPLY_SERVICE_ACCOUNT_TOKEN
+   auto service-account create github-actions-auto-apply-dry-run \\
+     --preset read-only --json \\
+     | jq -re .token | gh secret set AUTO_APPLY_DRY_RUN_SERVICE_ACCOUNT_TOKEN
+   \`\`\`
+
+   Confirm both pipelines exited 0 and \`gh secret list\` shows both names
+   before moving on. If deploys go through a GitHub environment, scope the
+   apply secret to it (\`gh secret set --env\`).
+2. Fit into the deploy process you mapped in Beat 3. If a workflow already
+   ships merges, splice two steps in after its deploy succeeds \u2014 plan
+   (\`auto apply --dry-run\`), then \`auto apply\` \u2014 reusing its checkout and
+   Node setup. If nothing deploys from CI yet, add the standalone workflow
+   below. Either way, keep the PR dry-run check: it shows reviewers the
+   exact create/update/archive plan their merge will execute.
+3. Workflow files live outside \`.auto/\`, so show the user the file and get
+   a yes; commit it on the same branch as the \`.auto/\` resources.
+
+\`\`\`yaml
+name: Auto Apply
+
+# Both triggers assume the default branch is main; swap in the repo's
+# actual default branch before committing.
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: auto-apply-\${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: \${{ github.event_name == 'pull_request' }}
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+      - run: npx -y --package=@autohq/cli auto apply --dry-run
+        env:
+          AUTO_API_TOKEN: \${{ secrets.AUTO_APPLY_DRY_RUN_SERVICE_ACCOUNT_TOKEN }}
+
+  apply:
+    if: \${{ github.event_name == 'push' }}
+    needs: plan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+      - run: npx -y --package=@autohq/cli auto apply
+        env:
+          AUTO_API_TOKEN: \${{ secrets.AUTO_APPLY_SERVICE_ACCOUNT_TOKEN }}
+\`\`\`
+
+Adapt it to the repo: the default branch name, the team's Node setup or
+pinned tool versions, and set \`AUTO_API_BASE_URL\` only if the project runs
+against a non-default Auto host. \`pull_request\` runs from forks do not
+receive secrets; if fork PRs are routine here, run the dry-run from a
+\`pull_request_target\` workflow that checks out workflow code from the base
+branch and only \`.auto/\` from the PR head.
+
+After the PR merges, watch the first run and confirm its plan reports the
+resources you already applied as unchanged. From then on, \`.auto/\` on the
+default branch is the source of truth \u2014 directory apply prunes resources
+that are no longer declared, so the team changes agents by PR, not by
+terminal.
+
 ## Workflow playbook
 
 Candidates, strongest signals, and what confirms fit:
@@ -29287,15 +29402,20 @@ out loud when proposing.
   the install is approved, and have the concierge retry.
 - Sign-in stalls: the user may not have an invite yet; point them at the
   auto site and pause gracefully rather than failing.
+- \`gh secret set\` fails (no repo admin rights, gh not authenticated):
+  leave the CI workflow in the PR anyway and hand the user the two
+  create-and-pipe commands from Beat 6 to run themselves. Tokens are shown
+  once and must never be pasted into the conversation.
 - A command disagrees with this document: the command is right. Re-read
   \`auto --help\` and adapt.
 
 ## What you leave behind
 
 - \`.auto/\` committed on a branch with a PR the user can merge: the
-  concierge and workflow session YAML plus \`context.md\` (the distilled
-  dossier). Write the PR description for teammates \u2014 it doubles as the
-  announcement that this repo now has an auto agent.
+  concierge and workflow session YAML, the CI apply workflow from Beat 6,
+  plus \`context.md\` (the distilled dossier). Write the PR description for
+  teammates \u2014 it doubles as the announcement that this repo now has an
+  auto agent.
 - With the user's opt-in, an AGENTS.md section that tells every future
   coding agent in this repo that auto exists, what is deployed, and how to
   add workflows.
@@ -30436,16 +30556,17 @@ function withApiBaseUrl(context, commandOptions) {
 }
 
 // src/commands/service-accounts/actions.ts
+init_src();
 async function createServiceAccount(input) {
   const response = await input.client.createProjectServiceAccount(
-    { name: input.name, scopes: input.commandOptions.scope },
+    { name: input.name, scopes: requestedScopes(input.commandOptions) },
     { apiBaseUrl: input.commandOptions.apiBaseUrl }
   );
   writeServiceAccountTokenResponse(response, input);
 }
 async function updateServiceAccount(input) {
   const response = await input.client.updateProjectServiceAccount(
-    { name: input.name, scopes: input.commandOptions.scope ?? [] },
+    { name: input.name, scopes: requestedScopes(input.commandOptions) },
     { apiBaseUrl: input.commandOptions.apiBaseUrl }
   );
   if (input.commandOptions.json) {
@@ -30472,6 +30593,33 @@ async function removeServiceAccount(input) {
   }
   input.writeOutput(`removed service-account ${response.serviceAccount.name}`);
 }
+function requestedScopes(options) {
+  const presetNames = Object.keys(SERVICE_ACCOUNT_SCOPE_PRESETS).join(", ");
+  const scopes = [];
+  if (options.preset !== void 0) {
+    const preset = ServiceAccountScopePresetSchema.safeParse(options.preset);
+    if (!preset.success) {
+      throw new Error(
+        `Unknown preset "${options.preset}". Available presets: ${presetNames}.`
+      );
+    }
+    scopes.push(...SERVICE_ACCOUNT_SCOPE_PRESETS[preset.data]);
+  }
+  for (const scope of options.scope ?? []) {
+    if (!AuthScopeSchema.safeParse(scope).success) {
+      throw new Error(
+        `Unknown scope "${scope}". Valid scopes: ${AUTH_SCOPES.join(", ")}.`
+      );
+    }
+    scopes.push(scope);
+  }
+  if (scopes.length === 0) {
+    throw new Error(
+      `Provide --preset <preset> (${presetNames}) or at least one --scope.`
+    );
+  }
+  return [...new Set(scopes)];
+}
 function writeServiceAccountTokenResponse(response, input) {
   if (input.commandOptions.json) {
     input.writeOutput(JSON.stringify(response));
@@ -30494,6 +30642,9 @@ function writeServiceAccountScopesResponse(response, writeOutput) {
 function registerServiceAccountCommands(program, context) {
   const serviceAccount = program.command("service-account").description("Manage Auto project service accounts.");
   serviceAccount.command("create").description("Create a project service account and print its token.").argument("<name>", "service account name").option(
+    "--preset <preset>",
+    "grant a named scope bundle (read-only, applier)"
+  ).option(
     "--scope <scope>",
     "grant a scope; repeat to grant multiple scopes",
     collectScopes
@@ -30507,11 +30658,13 @@ function registerServiceAccountCommands(program, context) {
       });
     }
   );
-  serviceAccount.command("update").description("Update project service account scopes.").argument("<name>", "service account name").requiredOption(
+  serviceAccount.command("update").description("Update project service account scopes.").argument("<name>", "service account name").option(
+    "--preset <preset>",
+    "grant a named scope bundle (read-only, applier)"
+  ).option(
     "--scope <scope>",
     "grant a scope; repeat to grant multiple scopes",
-    collectScopes,
-    []
+    collectScopes
   ).option("--json", "print the updated service account as JSON").option("--api-url <url>", "Auto API base URL").option("--api-base-url <url>", "Auto API base URL").action(
     async (name, commandOptions) => {
       await updateServiceAccount({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@autohq/cli",
-  "version": "0.1.83",
+  "version": "0.1.85",
   "license": "SEE LICENSE IN README.md",
   "publishConfig": {
     "access": "public"