@barekey/cli 0.1.0

package/dist/runtime-config.js

@@ -0,0 +1,49 @@
+import { access, readFile } from "node:fs/promises";
+import path from "node:path";
+async function fileExists(filePath) {
+    try {
+        await access(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function findBarekeyConfigPath(startDirectory) {
+    let current = path.resolve(startDirectory);
+    while (true) {
+        const candidate = path.join(current, "barekey.json");
+        if (await fileExists(candidate)) {
+            return candidate;
+        }
+        const parent = path.dirname(current);
+        if (parent === current) {
+            return null;
+        }
+        current = parent;
+    }
+}
+export async function loadRuntimeConfig() {
+    const configPath = await findBarekeyConfigPath(process.cwd());
+    if (configPath === null) {
+        return null;
+    }
+    const raw = await readFile(configPath, "utf8");
+    const parsed = JSON.parse(raw);
+    return {
+        path: configPath,
+        config: {
+            org: typeof parsed.organization === "string"
+                ? parsed.organization.trim()
+                : typeof parsed.org === "string"
+                    ? parsed.org.trim()
+                    : undefined,
+            project: typeof parsed.project === "string" ? parsed.project.trim() : undefined,
+            environment: typeof parsed.environment === "string"
+                ? parsed.environment.trim()
+                : typeof parsed.stage === "string"
+                    ? parsed.stage.trim()
+                    : undefined,
+        },
+    };
+}

package/dist/typegen.d.ts

@@ -0,0 +1,20 @@
+export type TypegenManifest = {
+    orgId: string;
+    orgSlug: string;
+    projectSlug: string;
+    stageSlug: string;
+    generatedAtMs: number;
+    manifestVersion: string;
+    variables: Array<{
+        name: string;
+        kind: "secret" | "ab_roll" | "rollout";
+        declaredType: "string" | "boolean" | "int64" | "float" | "date" | "json";
+        required: boolean;
+        updatedAtMs: number;
+        typeScriptType: string;
+    }>;
+};
+export declare function writeTypegenFile(input: {
+    manifest: TypegenManifest;
+    outPath: string;
+}): Promise<void>;

package/dist/typegen.js

@@ -0,0 +1,14 @@
+import { writeFile } from "node:fs/promises";
+export async function writeTypegenFile(input) {
+    const keys = input.manifest.variables
+        .map((row) => row.name)
+        .sort((left, right) => left.localeCompare(right));
+    const unionLines = keys.map((key) => `  | ${JSON.stringify(key)}`).join("\n");
+    const mapLines = input.manifest.variables
+        .slice()
+        .sort((left, right) => left.name.localeCompare(right.name))
+        .map((row) => `    ${JSON.stringify(row.name)}: ${row.typeScriptType};`)
+        .join("\n");
+    const contents = `/* eslint-disable */\n/* This file is generated by barekey typegen. */\n\nimport type { BarekeyTemporalInstant } from "@barekey/sdk";\nimport "@barekey/sdk";\n\ndeclare module "@barekey/sdk" {\n  interface BarekeyGeneratedTypeMap {\n${mapLines}\n  }\n}\n\nexport type BarekeyKnownKey =\n${unionLines.length > 0 ? unionLines : "  never"};\n\nexport const barekeyManifestVersion = ${JSON.stringify(input.manifest.manifestVersion)};\n`;
+    await writeFile(input.outPath, contents, "utf8");
+}

package/dist/types.d.ts

@@ -0,0 +1,13 @@
+export type CliCredentials = {
+    accessToken: string;
+    refreshToken: string;
+    accessTokenExpiresAtMs: number;
+    refreshTokenExpiresAtMs: number;
+    clerkUserId: string;
+    orgId: string;
+    orgSlug: string;
+};
+export type CliConfig = {
+    baseUrl: string;
+    activeAccountId: string;
+};

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@barekey/cli",
+  "version": "0.1.0",
+  "description": "Barekey command line interface",
+  "type": "module",
+  "bin": {
+    "barekey": "./dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "start": "node dist/index.js"
+  },
+  "dependencies": {
+    "@clack/prompts": "^0.11.0",
+    "@barekey/sdk": "^0.1.0",
+    "commander": "^14.0.1",
+    "open": "^10.2.0",
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^24.10.1",
+    "typescript": "^5.9.3"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "license": "BSD-3-Clause",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/usebarekey/cli.git"
+  },
+  "homepage": "https://github.com/usebarekey/cli#readme",
+  "bugs": {
+    "url": "https://github.com/usebarekey/cli/issues"
+  }
+}

package/src/auth-provider.ts

@@ -0,0 +1,86 @@
+import { postJson } from "./http.js";
+import type { CliCredentials } from "./types.js";
+import { loadConfig, loadCredentials, saveCredentials } from "./credentials-store.js";
+
+type CliAuthProvider = {
+  getAccessToken(): Promise<string>;
+  onAuthError?(): Promise<void>;
+};
+
+export function createCliAuthProvider(): CliAuthProvider {
+  let cachedCredentials: CliCredentials | null = null;
+  let forceRefresh = false;
+
+  async function readCurrentCredentials(): Promise<{
+    baseUrl: string;
+    accountId: string;
+    credentials: CliCredentials;
+  }> {
+    const config = await loadConfig();
+    if (config === null) {
+      throw new Error("Not logged in. Run barekey login first.");
+    }
+
+    const credentials = await loadCredentials(config.activeAccountId);
+    if (credentials === null) {
+      throw new Error("CLI credentials are missing. Run barekey login again.");
+    }
+
+    cachedCredentials = credentials;
+
+    return {
+      baseUrl: config.baseUrl,
+      accountId: config.activeAccountId,
+      credentials,
+    };
+  }
+
+  async function refreshIfNeeded(): Promise<CliCredentials> {
+    const { baseUrl, accountId, credentials } = await readCurrentCredentials();
+    const now = Date.now();
+    if (!forceRefresh && credentials.accessTokenExpiresAtMs > now + 10_000) {
+      return credentials;
+    }
+
+    const refreshed = await postJson<{
+      accessToken: string;
+      refreshToken: string;
+      accessTokenExpiresAtMs: number;
+      refreshTokenExpiresAtMs: number;
+      clerkUserId: string;
+      orgId: string;
+      orgSlug: string;
+    }>({
+      baseUrl,
+      path: "/v1/cli/token/refresh",
+      payload: {
+        refreshToken: credentials.refreshToken,
+      },
+    });
+
+    const nextCredentials: CliCredentials = {
+      accessToken: refreshed.accessToken,
+      refreshToken: refreshed.refreshToken,
+      accessTokenExpiresAtMs: refreshed.accessTokenExpiresAtMs,
+      refreshTokenExpiresAtMs: refreshed.refreshTokenExpiresAtMs,
+      clerkUserId: refreshed.clerkUserId,
+      orgId: refreshed.orgId,
+      orgSlug: refreshed.orgSlug,
+    };
+
+    await saveCredentials(accountId, nextCredentials);
+    cachedCredentials = nextCredentials;
+    forceRefresh = false;
+    return nextCredentials;
+  }
+
+  return {
+    async getAccessToken(): Promise<string> {
+      const credentials = await refreshIfNeeded();
+      return credentials.accessToken;
+    },
+    async onAuthError(): Promise<void> {
+      forceRefresh = true;
+    },
+  };
+}

package/src/command-utils.ts

@@ -0,0 +1,118 @@
+import { Command } from "commander";
+
+import { loadConfig, loadCredentials } from "./credentials-store.js";
+import { DEFAULT_BAREKEY_API_URL } from "./constants.js";
+import { loadRuntimeConfig } from "./runtime-config.js";
+import type { CliCredentials } from "./types.js";
+
+export type LocalSession = {
+  baseUrl: string;
+  accountId: string;
+  credentials: CliCredentials;
+};
+
+export type EnvTargetOptions = {
+  project?: string;
+  stage?: string;
+  org?: string;
+};
+
+export function toJsonOutput(enabled: boolean, value: unknown): void {
+  if (!enabled) {
+    return;
+  }
+  console.log(JSON.stringify(value, null, 2));
+}
+
+export async function resolveBaseUrl(explicit: string | undefined): Promise<string> {
+  const explicitUrl = explicit?.trim();
+  if (explicitUrl && explicitUrl.length > 0) {
+    return explicitUrl.replace(/\/$/, "");
+  }
+
+  const envUrl = process.env.BAREKEY_API_URL?.trim();
+  if (envUrl && envUrl.length > 0) {
+    return envUrl.replace(/\/$/, "");
+  }
+
+  const config = await loadConfig();
+  if (config && config.baseUrl.length > 0) {
+    return config.baseUrl.replace(/\/$/, "");
+  }
+
+  return DEFAULT_BAREKEY_API_URL;
+}
+
+export async function requireLocalSession(): Promise<LocalSession> {
+  const config = await loadConfig();
+  if (config === null) {
+    throw new Error("Not logged in. Run barekey auth login first.");
+  }
+
+  const credentials = await loadCredentials(config.activeAccountId);
+  if (credentials === null) {
+    throw new Error("Saved credentials not found. Run barekey auth login again.");
+  }
+
+  return {
+    baseUrl: config.baseUrl,
+    accountId: config.activeAccountId,
+    credentials,
+  };
+}
+
+export async function resolveTarget(
+  options: EnvTargetOptions,
+  local: LocalSession,
+): Promise<{
+  projectSlug: string;
+  stageSlug: string;
+  orgSlug?: string;
+}> {
+  const runtime = await loadRuntimeConfig();
+
+  const projectSlug = options.project?.trim() || runtime?.config.project || "";
+  const stageSlug = options.stage?.trim() || runtime?.config.environment || "";
+  const orgSlug = options.org?.trim() || runtime?.config.org || local.credentials.orgSlug;
+
+  if (projectSlug.length === 0 || stageSlug.length === 0) {
+    const hint = runtime
+      ? `Found ${runtime.path} but project/environment is incomplete.`
+      : "No barekey.json found in current directory tree.";
+    throw new Error(
+      `${hint} Pass --project/--stage, or create barekey.json with {"organization":"...","project":"...","environment":"..."}.`,
+    );
+  }
+
+  return {
+    projectSlug,
+    stageSlug,
+    orgSlug: orgSlug.length > 0 ? orgSlug : undefined,
+  };
+}
+
+export function parseChance(value: string | undefined): number {
+  if (value === undefined) {
+    throw new Error("--chance is required when using --ab.");
+  }
+
+  const parsed = Number(value);
+  if (!Number.isFinite(parsed) || parsed < 0 || parsed > 1) {
+    throw new Error("--chance must be a number between 0 and 1.");
+  }
+  return parsed;
+}
+
+export function dotenvEscape(value: string): string {
+  if (/^[A-Za-z0-9_./:-]+$/.test(value)) {
+    return value;
+  }
+  return JSON.stringify(value);
+}
+
+export function addTargetOptions(command: Command): Command {
+  return command
+    .option("--project <slug>", "Project slug")
+    .option("--stage <slug>", "Stage slug")
+    .option("--org <slug>", "Organization slug");
+}

package/src/commands/auth.ts

@@ -0,0 +1,247 @@
+import os from "node:os";
+import { setTimeout as wait } from "node:timers/promises";
+
+import { intro, outro, spinner } from "@clack/prompts";
+import { Command } from "commander";
+import pc from "picocolors";
+import open from "open";
+
+import { createCliAuthProvider } from "../auth-provider.js";
+import {
+  clearConfig,
+  deleteCredentials,
+  saveConfig,
+  saveCredentials,
+} from "../credentials-store.js";
+import { getJson, postJson } from "../http.js";
+import { requireLocalSession, resolveBaseUrl, toJsonOutput } from "../command-utils.js";
+
+function resolveClientName(): string | undefined {
+  const configured =
+    process.env.BAREKEY_CLIENT_NAME?.trim() ||
+    process.env.COMPUTERNAME?.trim() ||
+    process.env.HOSTNAME?.trim() ||
+    os.hostname().trim();
+  if (configured.length === 0) {
+    return undefined;
+  }
+  return configured.slice(0, 120);
+}
+
+function resolveVerificationUri(baseUrl: string, verificationUri: string): string {
+  try {
+    const resolvedBaseUrl = new URL(baseUrl);
+    const resolvedVerificationUrl = new URL(verificationUri);
+    const isConvexHost =
+      resolvedVerificationUrl.host.endsWith(".convex.site") ||
+      resolvedVerificationUrl.host.endsWith(".convex.cloud");
+    const usesPublicApiHost = resolvedBaseUrl.host.startsWith("api.");
+
+    if (isConvexHost && usesPublicApiHost) {
+      return new URL(
+        `${resolvedVerificationUrl.pathname}${resolvedVerificationUrl.search}`,
+        `${resolvedBaseUrl.protocol}//${resolvedBaseUrl.host.replace(/^api\./, "")}`,
+      ).toString();
+    }
+  } catch {
+    return verificationUri;
+  }
+
+  return verificationUri;
+}
+
+async function runLogin(options: { baseUrl?: string }): Promise<void> {
+  const baseUrl = await resolveBaseUrl(options.baseUrl);
+  intro("Barekey CLI login");
+  const loading = spinner();
+  loading.start("Starting device authorization");
+  let loadingActive = true;
+  let pollSpinner: ReturnType<typeof spinner> | null = null;
+  let pollActive = false;
+
+  try {
+    const started = await postJson<{
+      deviceCode: string;
+      userCode: string;
+      verificationUri: string;
+      intervalSec: number;
+      expiresInSec: number;
+    }>({
+      baseUrl,
+      path: "/v1/cli/device/start",
+      payload: {
+        clientName: resolveClientName(),
+      },
+    });
+    const verificationUri = resolveVerificationUri(baseUrl, started.verificationUri);
+
+    loading.stop("Authorization initialized");
+    loadingActive = false;
+    console.log(`${pc.bold("Open")}: ${verificationUri}`);
+    console.log(`${pc.bold("Code")}: ${started.userCode}`);
+
+    try {
+      await open(verificationUri);
+    } catch {
+      // Browser-open can fail in headless environments.
+    }
+
+    const startedAtMs = Date.now();
+    const expiresAtMs = startedAtMs + started.expiresInSec * 1000;
+    pollSpinner = spinner();
+    pollSpinner.start("Waiting for approval in browser");
+    pollActive = true;
+
+    while (Date.now() < expiresAtMs) {
+      const poll = await postJson<
+        | {
+            status: "pending";
+            intervalSec: number;
+          }
+        | {
+            status: "approved";
+            accessToken: string;
+            refreshToken: string;
+            accessTokenExpiresAtMs: number;
+            refreshTokenExpiresAtMs: number;
+            orgId: string;
+            orgSlug: string;
+            clerkUserId: string;
+          }
+      >({
+        baseUrl,
+        path: "/v1/cli/device/poll",
+        payload: {
+          deviceCode: started.deviceCode,
+        },
+      });
+
+      if (poll.status === "pending") {
+        await wait(Math.max(1, poll.intervalSec) * 1000);
+        continue;
+      }
+
+      const accountId = `${poll.orgSlug}:${poll.clerkUserId}`;
+      await saveCredentials(accountId, {
+        accessToken: poll.accessToken,
+        refreshToken: poll.refreshToken,
+        accessTokenExpiresAtMs: poll.accessTokenExpiresAtMs,
+        refreshTokenExpiresAtMs: poll.refreshTokenExpiresAtMs,
+        clerkUserId: poll.clerkUserId,
+        orgId: poll.orgId,
+        orgSlug: poll.orgSlug,
+      });
+      await saveConfig({
+        baseUrl,
+        activeAccountId: accountId,
+      });
+
+      pollSpinner.stop("Login approved");
+      pollActive = false;
+      outro(`Logged in as ${pc.bold(poll.clerkUserId)} in ${pc.bold(poll.orgSlug)}.`);
+      return;
+    }
+
+    pollSpinner.stop("Timed out");
+    pollActive = false;
+    throw new Error("Login timed out before device approval completed.");
+  } catch (error: unknown) {
+    if (loadingActive) {
+      loading.stop("Authorization failed");
+    }
+    if (pollSpinner && pollActive) {
+      pollSpinner.stop("Login failed");
+    }
+    throw error;
+  }
+}
+
+async function runLogout(): Promise<void> {
+  const local = await requireLocalSession();
+  await postJson<{ revoked: boolean }>({
+    baseUrl: local.baseUrl,
+    path: "/v1/cli/logout",
+    payload: {
+      refreshToken: local.credentials.refreshToken,
+    },
+  });
+  await deleteCredentials(local.accountId);
+  await clearConfig();
+  console.log("Logged out.");
+}
+
+async function runWhoami(options: { json?: boolean }): Promise<void> {
+  const local = await requireLocalSession();
+  const authProvider = createCliAuthProvider();
+  const accessToken = await authProvider.getAccessToken();
+  const session = await getJson<{
+    clerkUserId: string;
+    orgId: string;
+    orgSlug: string;
+    source: "clerk" | "cli";
+  }>({
+    baseUrl: local.baseUrl,
+    path: "/v1/cli/session",
+    accessToken,
+  });
+
+  if (options.json) {
+    toJsonOutput(true, session);
+    return;
+  }
+
+  console.log(`${pc.bold("User")}: ${session.clerkUserId}`);
+  console.log(`${pc.bold("Org")}: ${session.orgSlug}`);
+  console.log(`${pc.bold("Source")}: ${session.source}`);
+}
+
+export function registerAuthCommands(program: Command): void {
+  const auth = program.command("auth").description("Authentication commands");
+
+  auth
+    .command("login")
+    .description("Authenticate this machine using browser device flow")
+    .option("--base-url <url>", "Barekey API base URL")
+    .action(async (options: { baseUrl?: string }) => {
+      await runLogin(options);
+    });
+
+  auth
+    .command("logout")
+    .description("Revoke local CLI session")
+    .action(async () => {
+      await runLogout();
+    });
+
+  auth
+    .command("whoami")
+    .description("Show active CLI auth context")
+    .option("--json", "Machine-readable output", false)
+    .action(async (options: { json?: boolean }) => {
+      await runWhoami(options);
+    });
+
+  // Backward-compatible top-level auth aliases.
+  program
+    .command("login")
+    .description("Alias for barekey auth login")
+    .option("--base-url <url>", "Barekey API base URL")
+    .action(async (options: { baseUrl?: string }) => {
+      await runLogin(options);
+    });
+
+  program
+    .command("logout")
+    .description("Alias for barekey auth logout")
+    .action(async () => {
+      await runLogout();
+    });
+
+  program
+    .command("whoami")
+    .description("Alias for barekey auth whoami")
+    .option("--json", "Machine-readable output", false)
+    .action(async (options: { json?: boolean }) => {
+      await runWhoami(options);
+    });
+}