@barekey/cli 0.4.0 → 0.5.0

package/README.md

@@ -1,34 +1,75 @@
 # @barekey/cli
 
-CLI for logging into Barekey, managing environment variables, and pulling resolved values into local workflows.
+CLI for Barekey login, variable management, pull workflows, and SDK type generation.
 
 ## Install
 
 ```bash
-bun add -g @barekey/cli
+npm install -g @barekey/cli
 ```
 
 ## Quickstart
 
 ```bash
 barekey auth login
-barekey env list --org acme --project api --stage development
-barekey env get DATABASE_URL --org acme --project api --stage development
-barekey env pull --org acme --project api --stage development --out .env
+barekey auth whoami
+```
+
+Create `barekey.json`:
+
+```json
+{
+  "organization": "acme",
+  "project": "web",
+  "environment": "development"
+}
+```
+
+Create and read a variable:
+
+```bash
+barekey env new DATABASE_URL "postgres://localhost:5432/app" --type string
+barekey env get DATABASE_URL
+```
+
+Update it:
+
+```bash
+barekey env set DATABASE_URL "postgres://localhost:5432/app_v2"
+```
+
+Pull local files:
+
+```bash
+barekey env pull --out .env.local
+barekey env pull --format json --out barekey.local.json
+```
+
+Generate SDK types:
+
+```bash
+barekey typegen
+barekey typegen --watch
 ```
 
 ## Common commands
 
 ```bash
-barekey auth whoami
-barekey env new FEATURE_FLAG true --type boolean --org acme --project api --stage development
-barekey env set CHECKOUT_COPY original --ab redesign --chance 0.25 --org acme --project api --stage development
-barekey env delete FEATURE_FLAG --yes --org acme --project api --stage development
-barekey env get-many --names DATABASE_URL,FEATURE_FLAG --org acme --project api --stage development
-barekey typegen --org acme --project api --stage development
-barekey typegen --watch --org acme --project api --stage development
+barekey env list
+barekey env get-many --names DATABASE_URL,REDIS_URL
+barekey env new FEATURE_ENABLED true --type boolean
+barekey env set PUBLIC_TITLE "Barekey Docs" --visibility public
+barekey env set CHECKOUT_FLOW control --ab treatment --chance 0.5
+barekey env delete FEATURE_ENABLED --yes
 ```
 
+## Notes
+
+- `env new` creates with an initial value.
+- `env set` is the upsert command.
+- `get-many` uses a comma-separated `--names` value.
+- Target resolution comes from flags, `barekey.json`, and the stored login org.
+
 ## Development
 
 ```bash

package/bun.lock

@@ -5,9 +5,9 @@
     "": {
       "name": "@barekey/cli",
       "dependencies": {
-        "@barekey/sdk": "^0.5.0",
         "@clack/prompts": "^0.11.0",
         "commander": "^14.0.1",
+        "effect": "3.19.19",
         "open": "^10.2.0",
         "picocolors": "^1.1.1",
       },
@@ -18,12 +18,12 @@
     },
   },
   "packages": {
-    "@barekey/sdk": ["@barekey/sdk@0.5.0", "", {}, "sha512-+8RoKix9DZee3ZheGP5wJLnet6XaEGHTfcJOuvtJLmfQKRBllUy+wevsvELi1wOjw42pWaG3DYyb68XHznZRQw=="],
-
     "@clack/core": ["@clack/core@0.5.0", "", { "dependencies": { "picocolors": "^1.0.0", "sisteransi": "^1.0.5" } }, "sha512-p3y0FIOwaYRUPRcMO7+dlmLh8PSRcrjuTndsiA0WAFbWES0mLZlrjVoBRZ9DzkPFJZG6KGkJmoEAY0ZcVWTkow=="],
 
     "@clack/prompts": ["@clack/prompts@0.11.0", "", { "dependencies": { "@clack/core": "0.5.0", "picocolors": "^1.0.0", "sisteransi": "^1.0.5" } }, "sha512-pMN5FcrEw9hUkZA4f+zLlzivQSeQf5dRGJjSUbvVYDLvpKCdQx5OaknvKzgbtXOizhP+SJJJjqEbOe55uKKfAw=="],
 
+    "@standard-schema/spec": ["@standard-schema/spec@1.1.0", "", {}, "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w=="],
+
     "@types/node": ["@types/node@24.12.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-GYDxsZi3ChgmckRT9HPU0WEhKLP08ev/Yfcq2AstjrDASOYCSXeyjDsHg4v5t4jOj7cyDX3vmprafKlWIG9MXQ=="],
 
     "bundle-name": ["bundle-name@4.1.0", "", { "dependencies": { "run-applescript": "^7.0.0" } }, "sha512-tjwM5exMg6BGRI+kNmTntNsvdZS1X8BFYS6tnJ2hdH0kVxM6/eVZ2xy+FqStSWvYmtfFMDLIxurorHwDKfDz5Q=="],
@@ -36,6 +36,10 @@
 
     "define-lazy-prop": ["define-lazy-prop@3.0.0", "", {}, "sha512-N+MeXYoqr3pOgn8xfyRPREN7gHakLYjhsHhWGT3fWAiL4IkAt0iDw14QiiEm2bE30c5XX5q0FtAA3CK5f9/BUg=="],
 
+    "effect": ["effect@3.19.19", "", { "dependencies": { "@standard-schema/spec": "^1.0.0", "fast-check": "^3.23.1" } }, "sha512-Yc8U/SVXo2dHnaP7zNBlAo83h/nzSJpi7vph6Hzyl4ulgMBIgPmz3UzOjb9sBgpFE00gC0iETR244sfXDNLHRg=="],
+
+    "fast-check": ["fast-check@3.23.2", "", { "dependencies": { "pure-rand": "^6.1.0" } }, "sha512-h5+1OzzfCC3Ef7VbtKdcv7zsstUQwUDlYpUTvjeUsJAssPgLn7QzbboPtL5ro04Mq0rPOsMzl7q5hIbRs2wD1A=="],
+
     "is-docker": ["is-docker@3.0.0", "", { "bin": { "is-docker": "cli.js" } }, "sha512-eljcgEDlEns/7AXFosB5K/2nCM4P7FQPkGc/DWLy5rmFEWvZayGrik1d9/QIY5nJ4f9YsVvBkA6kJpHn9rISdQ=="],
 
     "is-inside-container": ["is-inside-container@1.0.0", "", { "dependencies": { "is-docker": "^3.0.0" }, "bin": { "is-inside-container": "cli.js" } }, "sha512-KIYLCCJghfHZxqjYBE7rEy0OBuTd5xCHS7tHVgvCLkx7StIoaxwNW3hCALgEUjFfeRk+MG/Qxmp/vtETEF3tRA=="],
@@ -46,6 +50,8 @@
 
     "picocolors": ["picocolors@1.1.1", "", {}, "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="],
 
+    "pure-rand": ["pure-rand@6.1.0", "", {}, "sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA=="],
+
     "run-applescript": ["run-applescript@7.1.0", "", {}, "sha512-DPe5pVFaAsinSaV6QjQ6gdiedWDcRCbUuiQfQa2wmWV7+xC9bGulGI8+TdRmoFkAPaBXk8CrAbnlY2ISniJ47Q=="],
 
     "sisteransi": ["sisteransi@1.0.5", "", {}, "sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg=="],

package/dist/auth-provider.js

@@ -1,5 +1,6 @@
 import { postJson } from "./http.js";
 import { loadConfig, loadCredentials, saveCredentials } from "./credentials-store.js";
+import { buildSessionId } from "./context/session-id.js";
 export function createCliAuthProvider() {
     let cachedCredentials = null;
     let forceRefresh = false;
@@ -8,19 +9,19 @@ export function createCliAuthProvider() {
         if (config === null) {
             throw new Error("Not logged in. Run barekey login first.");
         }
-        const credentials = await loadCredentials(config.activeAccountId);
+        const credentials = await loadCredentials(config.activeSessionId);
         if (credentials === null) {
             throw new Error("CLI credentials are missing. Run barekey login again.");
         }
         cachedCredentials = credentials;
         return {
             baseUrl: config.baseUrl,
-            accountId: config.activeAccountId,
+            sessionId: config.activeSessionId,
             credentials,
         };
     }
     async function refreshIfNeeded() {
-        const { baseUrl, accountId, credentials } = await readCurrentCredentials();
+        const { baseUrl, credentials } = await readCurrentCredentials();
         const now = Date.now();
         if (!forceRefresh && credentials.accessTokenExpiresAtMs > now + 10_000) {
             return credentials;
@@ -40,8 +41,10 @@ export function createCliAuthProvider() {
             clerkUserId: refreshed.clerkUserId,
             orgId: refreshed.orgId,
             orgSlug: refreshed.orgSlug,
+            lastOrgId: refreshed.orgId,
+            lastOrgSlug: refreshed.orgSlug,
         };
-        await saveCredentials(accountId, nextCredentials);
+        await saveCredentials(buildSessionId(baseUrl, refreshed.clerkUserId), nextCredentials);
         cachedCredentials = nextCredentials;
         forceRefresh = false;
         return nextCredentials;

package/dist/command-utils.js

@@ -27,13 +27,13 @@ export async function requireLocalSession() {
     if (config === null) {
         throw new Error("Not logged in. Run barekey auth login first.");
     }
-    const credentials = await loadCredentials(config.activeAccountId);
+    const credentials = await loadCredentials(config.activeSessionId);
     if (credentials === null) {
         throw new Error("Saved credentials not found. Run barekey auth login again.");
     }
     return {
         baseUrl: config.baseUrl,
-        accountId: config.activeAccountId,
+        accountId: config.activeSessionId,
         credentials,
     };
 }
@@ -42,12 +42,12 @@ export async function resolveTarget(options, local) {
     const isStandalone = runtime?.config.config?.mode === "standalone";
     const projectSlug = options.project?.trim() || runtime?.config.project || "";
     const stageSlug = options.stage?.trim() || runtime?.config.environment || "";
-    const orgSlug = options.org?.trim() || runtime?.config.org || local?.credentials.orgSlug || "";
-    if (!isStandalone && (projectSlug.length === 0 || stageSlug.length === 0)) {
+    const orgSlug = options.org?.trim() || runtime?.config.org || "";
+    if (!isStandalone && (orgSlug.length === 0 || projectSlug.length === 0 || stageSlug.length === 0)) {
         const hint = runtime
-            ? `Found ${runtime.path} but project/environment is incomplete.`
+            ? `Found ${runtime.path} but organization/project/environment is incomplete.`
             : "No barekey.json found in current directory tree.";
-        throw new Error(`${hint} Pass --project/--stage, or create barekey.json with {"organization":"...","project":"...","environment":"..."}.`);
+        throw new Error(`${hint} Run barekey init or pass --org/--project/--stage.`);
     }
     return {
         projectSlug,

package/dist/commands/audit.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerAuditCommands(program: Command): void;

package/dist/commands/audit.js

@@ -0,0 +1,47 @@
+import { createCliAuthProvider } from "../auth-provider.js";
+import { requireLocalSession, toJsonOutput } from "../command-utils.js";
+import { AuditListResponseSchema } from "../contracts/index.js";
+import { postJson } from "../http.js";
+import { promptForOrganizationSlug } from "./target-prompts.js";
+async function runAuditList(options) {
+    const local = await requireLocalSession();
+    const authProvider = createCliAuthProvider();
+    const accessToken = await authProvider.getAccessToken();
+    const orgSlug = await promptForOrganizationSlug(options.org);
+    const limit = options.limit ? Number.parseInt(options.limit, 10) : 25;
+    const response = await postJson({
+        baseUrl: local.baseUrl,
+        path: "/v1/cli/audit/list",
+        accessToken,
+        payload: {
+            orgSlug,
+            projectSlug: options.project?.trim() || null,
+            limit: Number.isFinite(limit) ? limit : 25,
+        },
+        schema: AuditListResponseSchema,
+    });
+    if (options.json) {
+        toJsonOutput(true, response);
+        return;
+    }
+    if (response.items.length === 0) {
+        console.log("No audit events found.");
+        return;
+    }
+    for (const item of response.items) {
+        console.log(`${new Date(item.occurredAtMs).toISOString()} ${item.category} ${item.title}`);
+    }
+}
+export function registerAuditCommands(program) {
+    const audit = program.command("audit").description("Audit history");
+    audit
+        .command("list")
+        .description("List recent audit events")
+        .option("--org <slug>", "Organization slug")
+        .option("--project <slug>", "Project slug")
+        .option("--limit <count>", "Maximum number of events", "25")
+        .option("--json", "Machine-readable output", false)
+        .action(async (options) => {
+        await runAuditList(options);
+    });
+}

package/dist/commands/auth.js

@@ -4,7 +4,9 @@ import { intro, outro, spinner } from "@clack/prompts";
 import pc from "picocolors";
 import open from "open";
 import { createCliAuthProvider } from "../auth-provider.js";
+import { buildSessionId } from "../context/session-id.js";
 import { clearConfig, deleteCredentials, saveConfig, saveCredentials, } from "../credentials-store.js";
+import { CliSessionResponseSchema, DevicePollResponseSchema, DeviceStartResponseSchema, RefreshResponseSchema, } from "../contracts/index.js";
 import { getJson, postJson } from "../http.js";
 import { requireLocalSession, resolveBaseUrl, toJsonOutput } from "../command-utils.js";
 function resolveClientName() {
@@ -48,6 +50,7 @@ async function runLogin(options) {
             payload: {
                 clientName: resolveClientName(),
             },
+            schema: DeviceStartResponseSchema,
         });
         const verificationUri = resolveVerificationUri(baseUrl, started.verificationUri);
         loading.stop("Authorization initialized");
@@ -72,28 +75,40 @@ async function runLogin(options) {
                 payload: {
                     deviceCode: started.deviceCode,
                 },
+                schema: DevicePollResponseSchema,
             });
             if (poll.status === "pending") {
                 await wait(Math.max(1, poll.intervalSec) * 1000);
                 continue;
             }
-            const accountId = `${poll.orgSlug}:${poll.clerkUserId}`;
-            await saveCredentials(accountId, {
+            const refreshed = RefreshResponseSchema.make({
                 accessToken: poll.accessToken,
                 refreshToken: poll.refreshToken,
                 accessTokenExpiresAtMs: poll.accessTokenExpiresAtMs,
                 refreshTokenExpiresAtMs: poll.refreshTokenExpiresAtMs,
-                clerkUserId: poll.clerkUserId,
                 orgId: poll.orgId,
                 orgSlug: poll.orgSlug,
+                clerkUserId: poll.clerkUserId,
+            });
+            const sessionId = buildSessionId(baseUrl, refreshed.clerkUserId);
+            await saveCredentials(sessionId, {
+                accessToken: refreshed.accessToken,
+                refreshToken: refreshed.refreshToken,
+                accessTokenExpiresAtMs: refreshed.accessTokenExpiresAtMs,
+                refreshTokenExpiresAtMs: refreshed.refreshTokenExpiresAtMs,
+                clerkUserId: refreshed.clerkUserId,
+                orgId: refreshed.orgId,
+                orgSlug: refreshed.orgSlug,
+                lastOrgId: refreshed.orgId,
+                lastOrgSlug: refreshed.orgSlug,
             });
             await saveConfig({
                 baseUrl,
-                activeAccountId: accountId,
+                activeSessionId: sessionId,
             });
             pollSpinner.stop("Login approved");
             pollActive = false;
-            outro(`Logged in as ${pc.bold(poll.clerkUserId)} in ${pc.bold(poll.orgSlug)}.`);
+            outro(`Logged in as ${pc.bold(refreshed.clerkUserId)}.`);
             return;
         }
         pollSpinner.stop("Timed out");
@@ -131,13 +146,14 @@ async function runWhoami(options) {
         baseUrl: local.baseUrl,
         path: "/v1/cli/session",
         accessToken,
+        schema: CliSessionResponseSchema,
     });
     if (options.json) {
         toJsonOutput(true, session);
         return;
     }
     console.log(`${pc.bold("User")}: ${session.clerkUserId}`);
-    console.log(`${pc.bold("Org")}: ${session.orgSlug}`);
+    console.log(`${pc.bold("Current org")}: ${session.orgSlug}`);
     console.log(`${pc.bold("Source")}: ${session.source}`);
 }
 export function registerAuthCommands(program) {
@@ -162,7 +178,6 @@ export function registerAuthCommands(program) {
         .action(async (options) => {
         await runWhoami(options);
     });
-    // Backward-compatible top-level auth aliases.
     program
         .command("login")
         .description("Alias for barekey auth login")

package/dist/commands/billing.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export declare function registerBillingCommands(program: Command): void;

package/dist/commands/billing.js

@@ -0,0 +1,62 @@
+import { createCliAuthProvider } from "../auth-provider.js";
+import { requireLocalSession, toJsonOutput } from "../command-utils.js";
+import { BillingCatalogResponseSchema, BillingStatusResponseSchema } from "../contracts/index.js";
+import { getJson, postJson } from "../http.js";
+import { promptForOrganizationSlug } from "./target-prompts.js";
+async function runBillingCatalog(options) {
+    const local = await requireLocalSession();
+    const authProvider = createCliAuthProvider();
+    const accessToken = await authProvider.getAccessToken();
+    const response = await getJson({
+        baseUrl: local.baseUrl,
+        path: "/v1/cli/billing/catalog",
+        accessToken,
+        schema: BillingCatalogResponseSchema,
+    });
+    if (options.json) {
+        toJsonOutput(true, response);
+        return;
+    }
+    console.log(`Plans: ${response.variants.length}`);
+    console.log(`Metered features: ${Object.values(response.featureIds).join(", ")}`);
+}
+async function runBillingStatus(options) {
+    const local = await requireLocalSession();
+    const authProvider = createCliAuthProvider();
+    const accessToken = await authProvider.getAccessToken();
+    const orgSlug = await promptForOrganizationSlug(options.org);
+    const response = await postJson({
+        baseUrl: local.baseUrl,
+        path: "/v1/cli/billing/status",
+        accessToken,
+        payload: {
+            orgSlug,
+        },
+        schema: BillingStatusResponseSchema,
+    });
+    if (options.json) {
+        toJsonOutput(true, response);
+        return;
+    }
+    console.log(`Tier: ${response.currentTier ?? "none"}`);
+    console.log(`Product: ${response.currentProductId ?? "none"}`);
+    console.log(`Can manage billing: ${response.canManageBilling ? "yes" : "no"}`);
+}
+export function registerBillingCommands(program) {
+    const billing = program.command("billing").description("Billing information");
+    billing
+        .command("catalog")
+        .description("Show the public billing catalog")
+        .option("--json", "Machine-readable output", false)
+        .action(async (options) => {
+        await runBillingCatalog(options);
+    });
+    billing
+        .command("status")
+        .description("Show billing status for an organization")
+        .option("--org <slug>", "Organization slug")
+        .option("--json", "Machine-readable output", false)
+        .action(async (options) => {
+        await runBillingStatus(options);
+    });
+}