@balise.dev/cli 0.3.0 → 0.3.2

package/README.md

@@ -32,7 +32,7 @@ balise sync
 | `balise logout` | Remove the credentials file. |
 | `balise whoami` | Print current user (`GET /v1/me`). |
 | `balise init` | Create/link a repo & write `.balise/config`. |
-| `balise sync` | Tarball current git repo → multipart upload → poll progress. |
+| `balise sync` | Bundle current git repo → multipart upload → print a progress link. |
 
 ## Config
 
@@ -52,12 +52,12 @@ url = https://api.balise.dev
 
 Tokens are written to a plaintext JSON file with restrictive permissions:
 
-- **Path**: `$XDG_CONFIG_HOME/balise/credentials.json` (defaults to `~/.config/balise/credentials.json`)
-- **Permissions**: file `0600`, parent directory `0700` — re-enforced on every write
+- **Path**: `$XDG_CONFIG_HOME/balise/credentials.json` (defaults to `~/.config/balise/credentials.json`; on **Windows**, `%APPDATA%\balise\credentials.json`)
+- **Permissions**: file `0600`, parent directory `0700` — re-enforced on every write (POSIX only; on Windows the file inherits the per-user `%APPDATA%` ACL)
 - **Override path**: `BALISE_CREDENTIALS_FILE=<path>`
 - **Stateless / CI**: `BALISE_TOKEN=<jwt>` bypasses the file entirely (no file is ever read or written)
 
-> Windows: file storage is **not yet supported** — use the `BALISE_TOKEN` env var.
+> **Windows**: file storage works out of the box under `%APPDATA%`. If the write ever fails (locked profile, restricted ACLs), `balise login` prints your access token and the per-shell command to export it as `BALISE_TOKEN` (PowerShell `$env:BALISE_TOKEN`, cmd `set`, Git Bash `export`). That token is short-lived (~1h) — re-run `balise login` to refresh.
 
 If you need OS-keychain-grade protection, set `BALISE_CREDENTIALS_FILE` to a path on an encrypted volume, or feed `BALISE_TOKEN` from your existing secret manager.
 

package/dist/index.js

@@ -192,8 +192,13 @@ function credentialsPath() {
   const fileOverride = process.env.BALISE_CREDENTIALS_FILE;
   if (fileOverride && fileOverride.length > 0) return fileOverride;
   const xdg = process.env.XDG_CONFIG_HOME;
-  const base = xdg && xdg.length > 0 ? xdg : path.join(os.homedir(), ".config");
-  return path.join(base, APP_DIR, FILENAME);
+  if (xdg && xdg.length > 0) return path.join(xdg, APP_DIR, FILENAME);
+  if (process.platform === "win32") {
+    const appData = process.env.APPDATA;
+    const base = appData && appData.length > 0 ? appData : path.join(os.homedir(), ".config");
+    return path.join(base, APP_DIR, FILENAME);
+  }
+  return path.join(os.homedir(), ".config", APP_DIR, FILENAME);
 }
 function hasEnvToken() {
   const v = process.env.BALISE_TOKEN;
@@ -260,15 +265,11 @@ async function saveTokens(t) {
     );
     return;
   }
-  if (process.platform === "win32") {
-    throw new CredentialsError(
-      "Windows credential file storage not yet supported. Use BALISE_TOKEN env var instead."
-    );
-  }
+  const isWin = process.platform === "win32";
   const p = credentialsPath();
   const dir = path.dirname(p);
   try {
-    await fs.mkdir(dir, { recursive: true, mode: 448 });
+    await fs.mkdir(dir, isWin ? { recursive: true } : { recursive: true, mode: 448 });
   } catch (err) {
     throw new CredentialsError(
       `Cannot create credentials directory ${dir}: ${err.message}. Set BALISE_TOKEN env var instead.`,
@@ -276,8 +277,8 @@ async function saveTokens(t) {
     );
   }
   try {
-    await fs.writeFile(p, JSON.stringify(t), { mode: 384 });
-    await fs.chmod(p, 384);
+    await fs.writeFile(p, JSON.stringify(t), isWin ? void 0 : { mode: 384 });
+    if (!isWin) await fs.chmod(p, 384);
   } catch (err) {
     throw new CredentialsError(
       `Cannot write credentials file ${p}: ${err.message}. Set BALISE_TOKEN env var instead.`,
@@ -315,102 +316,6 @@ function credentialsHelpMessage() {
   \u2022 Set BALISE_CREDENTIALS_FILE=<path> to override the storage location.`;
 }
 
-// src/commands/login.ts
-async function runLogin(opts) {
-  if (process.env.BALISE_TOKEN && process.env.BALISE_TOKEN.length > 0) {
-    process.stderr.write(
-      "Already authenticated via BALISE_TOKEN env var. Unset it to run browser-based login.\n"
-    );
-    return;
-  }
-  const verifier = generateCodeVerifier();
-  const challenge = codeChallengeFor(verifier);
-  const state = crypto2.randomBytes(16).toString("hex");
-  const { port: portPromise, waitForCode } = startLoopbackServer({
-    expectedState: state,
-    timeoutMs: opts.timeoutMs ?? 3e5
-  });
-  const port = await portPromise;
-  const redirectUri = `http://127.0.0.1:${port}/callback`;
-  const clientId = await registerClient({
-    supabaseUrl: opts.supabaseUrl,
-    clientName: "Balise CLI",
-    redirectUri
-  });
-  const url = buildAuthorizeUrl({
-    supabaseUrl: opts.supabaseUrl,
-    clientId,
-    redirectUri,
-    codeChallenge: challenge,
-    state
-  });
-  process.stderr.write(`Opening browser to log in\u2026
-  ${url}
-`);
-  const opener = opts.openBrowser ?? (async (u) => {
-    await open(u);
-  });
-  try {
-    await opener(url);
-  } catch {
-    process.stderr.write(
-      "Could not auto-open browser. Copy the URL above manually.\n"
-    );
-  }
-  const code = await waitForCode;
-  const tokens = await exchangeCodeForTokens({
-    supabaseUrl: opts.supabaseUrl,
-    code,
-    codeVerifier: verifier,
-    redirectUri,
-    clientId
-  });
-  try {
-    await saveTokens({
-      access_token: tokens.access_token,
-      refresh_token: tokens.refresh_token,
-      client_id: clientId,
-      expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in ?? 3600),
-      user_id: tokens.user?.id
-    });
-  } catch (err) {
-    if (err instanceof CredentialsError) {
-      process.stderr.write(`
-${err.message}
-
-${credentialsHelpMessage()}
-`);
-      process.exit(1);
-    }
-    throw err;
-  }
-  const who = tokens.user?.email ?? tokens.user?.id ?? "you";
-  process.stdout.write(`Logged in as ${who}
-`);
-}
-
-// src/commands/logout.ts
-async function runLogout() {
-  try {
-    const existed = await clearTokens();
-    if (existed) {
-      process.stdout.write("Logged out \u2014 credentials file removed.\n");
-    } else {
-      process.stdout.write("Already logged out (no credentials file found).\n");
-    }
-  } catch (err) {
-    if (err instanceof CredentialsError) {
-      process.stderr.write(`
-${err.message}
-
-${credentialsHelpMessage()}
-`);
-      process.exit(1);
-    }
-    throw err;
-  }
-}
-
 // src/api.ts
 import { request as request2 } from "undici";
 var NotAuthenticatedError = class extends Error {
@@ -707,6 +612,162 @@ async function ensureGitignored(cwd = process.cwd()) {
 `, "utf8");
 }
 
+// src/commands/login.ts
+function printWindowsTokenFallback(token, who) {
+  process.stdout.write(
+    `
+\u2713 Authenticated as ${who}
+
+\u26A0  Windows detected \u2014 Balise can't store credentials in a file on Windows yet.
+   Instead, set the token below as the BALISE_TOKEN environment variable.
+
+   Your access token (valid ~1h \u2014 re-run \`balise login\` to refresh):
+
+   ${token}
+
+\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+ Set it for your shell:
+
+ \u2022 PowerShell (current session)
+     $env:BALISE_TOKEN = "<token>"
+
+ \u2022 Command Prompt (current session)
+     set BALISE_TOKEN=<token>
+
+ \u2022 Git Bash / MSYS2 (current session)
+     export BALISE_TOKEN="<token>"
+\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+
+ Verify connection with:   balise whoami
+`
+  );
+}
+async function runLogin(opts) {
+  if (process.env.BALISE_TOKEN && process.env.BALISE_TOKEN.length > 0) {
+    process.stderr.write(
+      "Already authenticated via BALISE_TOKEN env var. Unset it to run browser-based login.\n"
+    );
+    return;
+  }
+  const verifier = generateCodeVerifier();
+  const challenge = codeChallengeFor(verifier);
+  const state = crypto2.randomBytes(16).toString("hex");
+  const { port: portPromise, waitForCode } = startLoopbackServer({
+    expectedState: state,
+    timeoutMs: opts.timeoutMs ?? 3e5
+  });
+  const port = await portPromise;
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const clientId = await registerClient({
+    supabaseUrl: opts.supabaseUrl,
+    clientName: "Balise CLI",
+    redirectUri
+  });
+  const url = buildAuthorizeUrl({
+    supabaseUrl: opts.supabaseUrl,
+    clientId,
+    redirectUri,
+    codeChallenge: challenge,
+    state
+  });
+  process.stderr.write(`Opening browser to log in\u2026
+  ${url}
+`);
+  const opener = opts.openBrowser ?? (async (u) => {
+    await open(u);
+  });
+  try {
+    await opener(url);
+  } catch {
+    process.stderr.write(
+      "Could not auto-open browser. Copy the URL above manually.\n"
+    );
+  }
+  const code = await waitForCode;
+  const tokens = await exchangeCodeForTokens({
+    supabaseUrl: opts.supabaseUrl,
+    code,
+    codeVerifier: verifier,
+    redirectUri,
+    clientId
+  });
+  try {
+    await saveTokens({
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      client_id: clientId,
+      expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in ?? 3600),
+      user_id: tokens.user?.id
+    });
+  } catch (err) {
+    if (err instanceof CredentialsError) {
+      if (process.platform === "win32") {
+        printWindowsTokenFallback(
+          tokens.access_token,
+          tokens.user?.email ?? tokens.user?.id ?? "you"
+        );
+        return;
+      }
+      process.stderr.write(`
+${err.message}
+
+${credentialsHelpMessage()}
+`);
+      process.exit(1);
+    }
+    throw err;
+  }
+  let who = tokens.user?.email ?? tokens.user?.id ?? "you";
+  try {
+    const client = new ApiClient({
+      apiUrl: DEFAULT_API_URL,
+      supabaseUrl: opts.supabaseUrl
+    });
+    const me = await client.getJson("/v1/me");
+    who = me.login;
+  } catch {
+  }
+  process.stdout.write(`Logged in as ${who}
+`);
+}
+
+// src/commands/logout.ts
+async function runLogout() {
+  try {
+    const existed = await clearTokens();
+    if (existed) {
+      process.stdout.write("Logged out \u2014 credentials file removed.\n");
+    } else {
+      process.stdout.write("Already logged out (no credentials file found).\n");
+    }
+  } catch (err) {
+    if (err instanceof CredentialsError) {
+      process.stderr.write(`
+${err.message}
+
+${credentialsHelpMessage()}
+`);
+      process.exit(1);
+    }
+    throw err;
+  }
+}
+
+// src/auth-ensure.ts
+var NotLoggedInError = class extends Error {
+  constructor() {
+    super("not logged in");
+    this.name = "NotLoggedInError";
+  }
+};
+var NOT_LOGGED_IN_MESSAGE = "You're not signed in to Balise.\n  Run `balise login` to authenticate via your browser.\n  For CI / non-interactive env: set BALISE_TOKEN=<jwt>.";
+var SESSION_EXPIRED_MESSAGE = "Your Balise session has expired \u2014 run `balise login` to sign in again.";
+async function ensureAuthenticated() {
+  const existing = await loadTokens();
+  if (existing) return;
+  throw new NotLoggedInError();
+}
+
 // src/commands/whoami.ts
 async function runWhoami(opts) {
   const cfg = await readConfig().catch(() => null);
@@ -726,7 +787,7 @@ account_id  : ${me.account_id}
     );
   } catch (err) {
     if (err instanceof NotAuthenticatedError) {
-      process.stderr.write("Not logged in \u2014 run `balise login`.\n");
+      process.stderr.write(SESSION_EXPIRED_MESSAGE + "\n");
       process.exit(1);
     }
     throw err;
@@ -806,6 +867,10 @@ async function isDirty(opts) {
   const status = await runGit(opts, ["status", "--porcelain"]);
   return status.trim().length > 0;
 }
+async function isPathUncommitted(opts, relPath) {
+  const status = await runGit(opts, ["status", "--porcelain", "--", relPath]);
+  return status.trim().length > 0;
+}
 async function gitBundle(opts) {
   await assertGitRepo(opts);
   const [commitSha, branch, dirty] = await Promise.all([
@@ -828,90 +893,6 @@ async function gitBundle(opts) {
   return { stream, commitSha, branch, dirty };
 }
 
-// src/auth-ensure.ts
-import crypto3 from "crypto";
-import open2 from "open";
-var LoginDeclinedError = class extends Error {
-  constructor() {
-    super("login declined by user");
-    this.name = "LoginDeclinedError";
-  }
-};
-function isInteractive(stdin) {
-  const s = stdin ?? process.stdin;
-  return Boolean(s.isTTY);
-}
-var LOGIN_AUTOLAUNCH_MESSAGE = "Not logged in, launching balise login...";
-async function ensureAuthenticated(opts) {
-  const existing = await loadTokens();
-  if (existing) return;
-  const stderr = opts.stderr ?? process.stderr;
-  if (!isInteractive(opts.stdin)) {
-    throw new LoginDeclinedError();
-  }
-  stderr.write(`${LOGIN_AUTOLAUNCH_MESSAGE}
-`);
-  const verifier = generateCodeVerifier();
-  const challenge = codeChallengeFor(verifier);
-  const state = crypto3.randomBytes(16).toString("hex");
-  const { port: portPromise, waitForCode } = startLoopbackServer({
-    expectedState: state,
-    timeoutMs: opts.timeoutMs ?? 3e5
-  });
-  const port = await portPromise;
-  const redirectUri = `http://127.0.0.1:${port}/callback`;
-  const clientId = await registerClient({
-    supabaseUrl: opts.supabaseUrl,
-    clientName: "Balise CLI",
-    redirectUri
-  });
-  const url = buildAuthorizeUrl({
-    supabaseUrl: opts.supabaseUrl,
-    clientId,
-    redirectUri,
-    codeChallenge: challenge,
-    state
-  });
-  stderr.write(`Opening browser to log in\u2026
-  ${url}
-`);
-  const opener = opts.openBrowser ?? (async (u) => {
-    await open2(u);
-  });
-  try {
-    await opener(url);
-  } catch {
-    stderr.write("Could not auto-open browser. Copy the URL above manually.\n");
-  }
-  const code = await waitForCode;
-  const tokens = await exchangeCodeForTokens({
-    supabaseUrl: opts.supabaseUrl,
-    code,
-    codeVerifier: verifier,
-    redirectUri,
-    clientId
-  });
-  try {
-    await saveTokens({
-      access_token: tokens.access_token,
-      refresh_token: tokens.refresh_token,
-      client_id: clientId,
-      expires_at: Math.floor(Date.now() / 1e3) + (tokens.expires_in ?? 3600),
-      user_id: tokens.user?.id
-    });
-  } catch (err) {
-    if (err instanceof CredentialsError) {
-      stderr.write(`
-${err.message}
-
-${credentialsHelpMessage()}
-`);
-      throw err;
-    }
-    throw err;
-  }
-}
-
 // src/ui/InitPicker.tsx
 import React, { useMemo, useState } from "react";
 import { Box, Text, useApp, useInput } from "ink";
@@ -1759,12 +1740,10 @@ async function runInit(opts) {
     throw err;
   }
   try {
-    await ensureAuthenticated({
-      supabaseUrl: opts.supabaseUrl
-    });
+    await ensureAuthenticated();
   } catch (err) {
-    if (err instanceof LoginDeclinedError) {
-      process.stderr.write("Login required. Aborting.\n");
+    if (err instanceof NotLoggedInError) {
+      process.stderr.write(NOT_LOGGED_IN_MESSAGE + "\n");
       process.exit(1);
     }
     throw err;
@@ -1796,7 +1775,7 @@ async function runInit(opts) {
     repos = repoList;
   } catch (err) {
     if (err instanceof NotAuthenticatedError) {
-      process.stderr.write("Not logged in \u2014 run `balise login` first.\n");
+      process.stderr.write(SESSION_EXPIRED_MESSAGE + "\n");
       process.exit(1);
     }
     throw err;
@@ -1882,7 +1861,7 @@ async function runInit(opts) {
 `
   );
   process.stdout.write(
-    '\n\u26A0  .baliseignore takes effect only once committed (it\'s read per commit\n   server-side). Commit it before your next `balise sync`:\n     git add .baliseignore && git commit -m "chore: update .baliseignore"\n'
+    '\n\u26A0  .baliseignore takes effect only once committed (it\'s read per commit server-side). Commit it before your next `balise sync`:\n     git add .baliseignore && git commit -m "chore: update .baliseignore"\n'
   );
 }
 
@@ -2000,7 +1979,6 @@ function buildSyncQuery(opts) {
   if (opts.base) q.base = opts.base;
   return q;
 }
-var INIT_AUTOLAUNCH_MESSAGE = "Repo not initialized, launching balise init...";
 function drainStdinBuffer(stdin) {
   if (stdin !== process.stdin) return;
   const s = stdin;
@@ -2008,7 +1986,7 @@ function drainStdinBuffer(stdin) {
   while (s.read() !== null) {
   }
 }
-function isInteractive2() {
+function isInteractive() {
   return Boolean(process.stdin.isTTY);
 }
 async function confirmRetryWithForce(opts) {
@@ -2050,6 +2028,25 @@ function resolveWebUrl(webUrl, frontUrl) {
 function formatAcceptedSummary(body, frontUrl) {
   return `Sync queued. Track it here: ${resolveWebUrl(body.web_url, frontUrl)}`;
 }
+function formatInsufficientCredits(rawBody) {
+  let estimate;
+  let available;
+  try {
+    const detail = JSON.parse(rawBody).detail;
+    if (detail?.error === "insufficient_credits") {
+      if (typeof detail.estimate === "number") estimate = detail.estimate;
+      if (typeof detail.available === "number") available = detail.available;
+    }
+  } catch {
+  }
+  const topUp = "Top up your balance, then run `balise sync` again.\n";
+  if (estimate !== void 0 && available !== void 0) {
+    return `Not enough credits \u2014 this sync needs ~${fmtEstimate(estimate)} cr but only ${fmtCredits(available)} cr available.
+${topUp}`;
+  }
+  return `Not enough credits to run this sync.
+${topUp}`;
+}
 async function runSync(opts) {
   try {
     await runSyncInner(opts);
@@ -2080,28 +2077,23 @@ async function runSyncInner(opts) {
     throw err;
   }
   try {
-    await ensureAuthenticated({
-      supabaseUrl: opts.supabaseUrl
-    });
+    await ensureAuthenticated();
   } catch (err) {
-    if (err instanceof LoginDeclinedError) {
-      process.stderr.write("Login required. Aborting.\n");
+    if (err instanceof NotLoggedInError) {
+      process.stderr.write(NOT_LOGGED_IN_MESSAGE + "\n");
       process.exit(1);
     }
     throw err;
   }
-  let cfg = await readConfig(cwd);
+  const cfg = await readConfig(cwd);
   if (!cfg) {
-    process.stderr.write(`${INIT_AUTOLAUNCH_MESSAGE}
-`);
-    await runInit({ ...opts, cwd });
-    cfg = await readConfig(cwd);
-    if (!cfg) {
-      process.stderr.write("Init cancelled. Aborting sync.\n");
-      process.exit(1);
-    }
+    process.stderr.write(
+      "This repo isn't linked to Balise yet.\n  Run `balise init` to set up your repo.\n"
+    );
+    process.exit(1);
   }
   const dirty = await isDirty({ cwd });
+  const ignoreUncommitted = await isPathUncommitted({ cwd }, ".baliseignore");
   const client = new ApiClient({
     apiUrl: cfg.api.url,
     supabaseUrl: opts.supabaseUrl
@@ -2110,6 +2102,15 @@ async function runSyncInner(opts) {
     `Packing ${cfg.repo.owner_login}/${cfg.repo.slug} at HEAD\u2026
 `
   );
+  if (ignoreUncommitted) {
+    process.stderr.write(
+      `\u26A0  .baliseignore has uncommitted changes \u2014 it's read per commit
+   server-side, so those edits will NOT apply to this sync.
+   Commit it first if you want them to take effect:
+     git add .baliseignore && git commit -m "chore: update .baliseignore"
+`
+    );
+  }
   const submit = async (force, dryRun) => {
     const { stream, commitSha, branch } = await gitBundle({ cwd });
     const query = buildSyncQuery({ commitSha, branch, force, base: opts.base, dryRun });
@@ -2194,7 +2195,7 @@ async function runSyncInner(opts) {
   if (dry.outcome.kind !== "dry_run") {
     process.exit(1);
   }
-  if (!isInteractive2()) {
+  if (!isInteractive()) {
     process.stdout.write(formatDryRunSummary(dry.outcome.body) + "\n");
     process.stderr.write(
       "Non-interactive terminal \u2014 re-run with -y to confirm and sync.\n"
@@ -2255,7 +2256,7 @@ async function uploadOnce(client, owner, slug, stream, query) {
 }
 function handleUploadError(err) {
   if (err instanceof NotAuthenticatedError) {
-    process.stderr.write("Not logged in \u2014 run `balise login`.\n");
+    process.stderr.write(SESSION_EXPIRED_MESSAGE + "\n");
     return;
   }
   if (err instanceof ApiUnreachableError) {
@@ -2264,6 +2265,10 @@ function handleUploadError(err) {
     );
     return;
   }
+  if (err instanceof ApiError && err.status === 402) {
+    process.stderr.write(formatInsufficientCredits(err.body));
+    return;
+  }
   process.stderr.write(
     "Something went wrong while uploading. Please try again.\n"
   );
@@ -2314,7 +2319,7 @@ var initCmd = defineCommand({
 var syncCmd = defineCommand({
   meta: {
     name: "sync",
-    description: "Tarball current repo \u2192 upload \u2192 poll extraction progress."
+    description: "Bundle current repo \u2192 upload \u2192 track sync progress."
   },
   args: {
     yes: {
@@ -2346,8 +2351,8 @@ var syncCmd = defineCommand({
 var main = defineCommand({
   meta: {
     name: "balise",
-    version: "0.1.0",
-    description: "Balise CLI \u2014 push codebase for spec extraction."
+    version: "0.3.2",
+    description: "Balise CLI \u2014 keep your spec graph in sync with your code."
   },
   subCommands: {
     login: loginCmd,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@balise.dev/cli",
-  "version": "0.3.0",
+  "version": "0.3.2",
   "description": "Balise CLI — push codebase to Balise backend for spec extraction.",
   "type": "module",
   "bin": {