@botdocs/cli 0.3.1 → 0.4.0

package/dist/commands/login.js

@@ -1,87 +1,252 @@
+import React from 'react';
+import { randomBytes } from 'node:crypto';
+import open from 'open';
+import { render } from 'ink';
+import * as p from '@clack/prompts';
 import { saveAuth } from '../lib/config.js';
-const DEFAULT_GITHUB_CLIENT_ID = 'Ov23lizUYDKJOhumsyee';
-const GITHUB_CLIENT_ID = process.env.GITHUB_CLIENT_ID || process.env.GITHUB_ID || DEFAULT_GITHUB_CLIENT_ID;
+import { getApiUrl } from '../lib/api.js';
+import { LoginApp } from './views/login-app.js';
+/** Total wall-clock budget for the polling loop. After this we tell the user
+ * the request expired and exit 1. Mirrors the server-side state TTL. */
+const POLL_TIMEOUT_MS = 10 * 60 * 1000;
+const POLL_INITIAL_DELAY_MS = 1500;
+const POLL_MAX_DELAY_MS = 5000;
+const POLL_BACKOFF_FACTOR = 1.3;
 export async function login(options) {
-    // Step 1: Request device code
-    const deviceResponse = await fetch('https://github.com/login/device/code', {
-        method: 'POST',
-        headers: {
-            Accept: 'application/json',
-            'Content-Type': 'application/json',
-        },
-        body: JSON.stringify({
-            client_id: GITHUB_CLIENT_ID,
-            scope: 'read:user',
-        }),
-    });
-    if (!deviceResponse.ok) {
-        console.error('Failed to initiate device code flow.');
+    if (options?.token) {
+        await loginWithToken(options.token, options.syncLibrary === true);
+        return;
+    }
+    // Pick a render path: Ink for a real TTY (unless --no-ink), plain otherwise.
+    // The plain path covers piped output, CI, screen readers, and explicit opt-out.
+    const useInk = !options?.noInk && Boolean(process.stdout.isTTY);
+    if (useInk) {
+        await loginInkInteractive(options?.syncLibrary === true);
+        return;
+    }
+    await loginPlainInteractive(options?.syncLibrary === true);
+}
+/** --token flag flow: validate the supplied token by hitting the API and, on
+ * success, persist it to ~/.botdocs/auth.json so subsequent commands can reuse
+ * the bearer. Stays plain — this is paste-then-save with no perceivable
+ * latency, so a TUI adds friction with no upside. */
+async function loginWithToken(token, syncLibrary) {
+    if (!token.startsWith('bd_')) {
+        console.error('Invalid token. Tokens start with `bd_` and are minted at /settings/tokens.');
         process.exit(1);
     }
-    const deviceData = (await deviceResponse.json());
-    // Step 2: Display user code
-    console.log('\nTo authenticate, visit:');
-    console.log(`\n  ${deviceData.verification_uri}\n`);
-    console.log(`Enter code: ${deviceData.user_code}\n`);
-    console.log('Waiting for authorization...');
-    // Step 3: Poll for token
-    const interval = (deviceData.interval || 5) * 1000;
-    const expiresAt = Date.now() + deviceData.expires_in * 1000;
-    while (Date.now() < expiresAt) {
-        await new Promise((resolve) => setTimeout(resolve, interval));
-        const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
-            method: 'POST',
-            headers: {
-                Accept: 'application/json',
-                'Content-Type': 'application/json',
-            },
-            body: JSON.stringify({
-                client_id: GITHUB_CLIENT_ID,
-                device_code: deviceData.device_code,
-                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
-            }),
+    const baseUrl = getApiUrl();
+    let res;
+    try {
+        res = await fetch(`${baseUrl}/api/cli/whoami`, {
+            headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
         });
-        const tokenData = (await tokenResponse.json());
-        if (tokenData.access_token) {
-            // Step 4: Get user info
-            const userResponse = await fetch('https://api.github.com/user', {
-                headers: {
-                    Authorization: `Bearer ${tokenData.access_token}`,
-                    Accept: 'application/vnd.github+json',
-                },
-            });
-            if (!userResponse.ok) {
-                console.error('Failed to get user info from GitHub.');
-                process.exit(1);
-            }
-            const user = (await userResponse.json());
-            // Step 5: Save credentials
-            saveAuth({
-                githubToken: tokenData.access_token,
-                username: user.login,
-                displayName: user.name || user.login,
-                syncLibrary: options?.syncLibrary === true,
-            });
-            console.log(`\nAuthenticated as ${user.login}`);
-            if (options?.syncLibrary) {
-                console.log('  Library sync enabled. Your installed-refs list will appear at https://botdocs.ai/library after install/sync/uninstall.');
-            }
-            else {
-                console.log('  Library sync is OFF. Re-run `botdocs login --sync-library` to enable the personalized Library page.');
-            }
-            return;
+    }
+    catch (err) {
+        console.error(`Failed to contact ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`);
+        process.exit(1);
+    }
+    if (res.status === 401) {
+        console.error('Authentication failed. The token is invalid or expired.');
+        process.exit(1);
+    }
+    if (!res.ok) {
+        console.error(`Token validation failed (${res.status}). Try again later.`);
+        process.exit(1);
+    }
+    const user = (await res.json());
+    saveAuth({
+        token,
+        username: user.username,
+        displayName: user.displayName,
+        syncLibrary,
+    });
+    printSignedIn(user.username, syncLibrary);
+}
+/** Helper: register a new state with the server and return the public auth
+ * URL plus the last-6-chars suffix the user can verify in their browser. */
+async function initLoginState(baseUrl) {
+    const state = randomBytes(32).toString('hex');
+    const initRes = await fetch(`${baseUrl}/api/cli/auth/init`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', Accept: 'application/json' },
+        body: JSON.stringify({ state }),
+    });
+    if (!initRes.ok) {
+        throw new Error(`Failed to start login (HTTP ${initRes.status}).`);
+    }
+    return {
+        state,
+        authUrl: `${baseUrl}/cli-auth?state=${state}`,
+        tail: state.slice(-6),
+    };
+}
+/** Browser-mediated flow rendered via Ink. The component is a pure function
+ * of `status`; we drive that state via React updates from the actual auth
+ * work (init → open → poll → save) happening here. On any terminal state
+ * (success/expired/error) we re-render once with the final values and let
+ * the component's effect call `useApp().exit()` to unmount. */
+async function loginInkInteractive(syncLibrary) {
+    const baseUrl = getApiUrl();
+    let status = 'initializing';
+    let authUrl;
+    let stateTail;
+    let resolvedUsername;
+    let errorMessage;
+    const instance = render(React.createElement(LoginApp, {
+        status,
+        syncLibrary,
+    }));
+    // Re-render the LoginApp with current state. Wrapped in a helper because
+    // we update the screen at multiple points across the async flow.
+    const rerender = () => {
+        instance.rerender(React.createElement(LoginApp, {
+            status,
+            authUrl,
+            stateTail,
+            username: resolvedUsername,
+            errorMessage,
+            syncLibrary,
+        }));
+    };
+    // Allow Ctrl-C to cleanly cancel mid-poll. We let Ink unmount the screen
+    // before exiting so the terminal isn't left in raw mode.
+    const onSigInt = () => {
+        instance.unmount();
+        console.log('\nLogin cancelled. Re-run `botdocs login` to try again.');
+        process.exit(130);
+    };
+    process.once('SIGINT', onSigInt);
+    try {
+        // Phase 1: register state with the server.
+        let init;
+        try {
+            init = await initLoginState(baseUrl);
         }
-        if (tokenData.error === 'expired_token') {
-            console.error('\nDevice code expired. Please try again.');
+        catch (err) {
+            status = 'error';
+            errorMessage = err instanceof Error ? err.message : String(err);
+            rerender();
+            await instance.waitUntilExit();
             process.exit(1);
         }
-        if (tokenData.error &&
-            tokenData.error !== 'authorization_pending' &&
-            tokenData.error !== 'slow_down') {
-            console.error(`\nAuthentication error: ${tokenData.error_description || tokenData.error}`);
+        authUrl = init.authUrl;
+        stateTail = init.tail;
+        status = 'browser-opening';
+        rerender();
+        // Phase 2: best-effort browser open. We don't await long here — the
+        // printed URL in the polling state acts as the fallback if the OS hook
+        // is unreliable (CI, restricted shells, etc.).
+        try {
+            await open(init.authUrl);
+        }
+        catch {
+            // Swallowed — URL is still visible on screen.
+        }
+        // Phase 3: poll until the server hands us a token.
+        status = 'polling';
+        rerender();
+        const granted = await pollUntilGranted(baseUrl, init.state);
+        if (!granted) {
+            status = 'expired';
+            rerender();
+            await instance.waitUntilExit();
             process.exit(1);
         }
+        saveAuth({
+            token: granted.token,
+            username: granted.username,
+            displayName: granted.displayName,
+            syncLibrary,
+        });
+        resolvedUsername = granted.username;
+        status = 'success';
+        rerender();
+        await instance.waitUntilExit();
+    }
+    finally {
+        process.off('SIGINT', onSigInt);
+    }
+}
+/** Plain-text fallback for non-TTY environments (CI, piped output, screen
+ * readers) and `--no-ink`. Uses a clack spinner for a tasteful single-line
+ * polling indicator; the spinner degrades gracefully when stdout isn't a TTY. */
+async function loginPlainInteractive(syncLibrary) {
+    const baseUrl = getApiUrl();
+    let init;
+    try {
+        init = await initLoginState(baseUrl);
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+    console.log('\nOpening your browser to authorize this terminal session.');
+    console.log(`If it doesn't open, visit:\n\n  ${init.authUrl}\n`);
+    console.log(`Confirm the suffix matches: …${init.tail}\n`);
+    try {
+        await open(init.authUrl);
+    }
+    catch {
+        // Suppressed — the printed URL is the fallback.
+    }
+    const sp = p.spinner();
+    sp.start('Waiting for authorization (up to 10 minutes)…');
+    const granted = await pollUntilGranted(baseUrl, init.state);
+    if (!granted) {
+        sp.stop('Login expired.');
+        // Tests assert on stderr — keep the human-readable failure there so
+        // automation can pipe stderr separately without losing the signal.
+        console.error('\nLogin expired — re-run `botdocs login`.');
+        process.exit(1);
+    }
+    sp.stop(`Signed in as @${granted.username}`);
+    saveAuth({
+        token: granted.token,
+        username: granted.username,
+        displayName: granted.displayName,
+        syncLibrary,
+    });
+    printSyncLibraryHint(syncLibrary);
+}
+/** Polls the server with exponential backoff. Returns the granted payload on
+ * success or null if the loop ran out of budget (matching the server's TTL). */
+async function pollUntilGranted(baseUrl, state) {
+    const deadline = Date.now() + POLL_TIMEOUT_MS;
+    let delay = POLL_INITIAL_DELAY_MS;
+    while (Date.now() < deadline) {
+        await sleep(delay);
+        delay = Math.min(delay * POLL_BACKOFF_FACTOR, POLL_MAX_DELAY_MS);
+        const res = await fetch(`${baseUrl}/api/cli/auth/poll?state=${encodeURIComponent(state)}`, { headers: { Accept: 'application/json' } });
+        if (res.status === 410) {
+            return null;
+        }
+        if (!res.ok) {
+            // Transient server errors — keep polling instead of exiting.
+            continue;
+        }
+        const body = (await res.json());
+        if ('pending' in body && body.pending) {
+            continue;
+        }
+        if ('token' in body) {
+            return body;
+        }
     }
-    console.error('\nAuthentication timed out. Please try again.');
-    process.exit(1);
+    return null;
+}
+function printSignedIn(username, syncLibrary) {
+    console.log(`\n✓ Signed in as @${username}`);
+    printSyncLibraryHint(syncLibrary);
+}
+function printSyncLibraryHint(syncLibrary) {
+    if (syncLibrary) {
+        console.log('  Library sync enabled. Your installed-refs list will appear at https://botdocs.ai/library after install/sync/uninstall.');
+    }
+    else {
+        console.log('  Library sync is OFF. Re-run `botdocs login --sync-library` to enable the personalized Library page.');
+    }
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
 }

package/dist/commands/publish.js

@@ -65,6 +65,11 @@ export async function publish(source, options) {
         console.error('Description is required. Use --description "..."');
         process.exit(1);
     }
+    // Pull type + sourceEcosystem from botdocs.json so the server stores
+    // the row as a SKILL/BUNDLE (instead of defaulting to SPEC).
+    const manifest = stat.isDirectory() ? readManifest(resolved) : null;
+    const botdocType = manifest?.type ?? 'SPEC';
+    const sourceEcosystem = manifest?.sourceEcosystem ?? null;
     console.log(`Publishing "${title}" (${files.length} file(s))...`);
     const result = await apiFetch('/api/botdocs', {
         method: 'POST',
@@ -76,6 +81,8 @@ export async function publish(source, options) {
             tags,
             license,
             files,
+            botdocType,
+            sourceEcosystem,
         },
     });
     if (options.json) {
@@ -85,6 +92,21 @@ export async function publish(source, options) {
         console.log(`\nPublished: ${result.url}`);
     }
 }
+function readManifest(source) {
+    const manifestPath = path.join(source, 'botdocs.json');
+    if (!fs.existsSync(manifestPath))
+        return null;
+    try {
+        const raw = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+        return parseManifest(raw);
+    }
+    catch {
+        // Validate is the canonical place to surface manifest errors; here we
+        // silently fall back so a malformed file doesn't break a publish that
+        // was already going to default to SPEC anyway.
+        return null;
+    }
+}
 async function maybeAutoCompile(source, options) {
     if (options.noCompile)
         return;
@@ -124,25 +146,38 @@ function collectFromFile(filePath) {
     return [{ filename, content, sortOrder: 0 }];
 }
 function collectFromDirectory(dirPath) {
-    const entries = fs.readdirSync(dirPath);
     const files = [];
-    for (let i = 0; i < entries.length; i++) {
-        const entry = entries[i];
+    walkDirectory(dirPath, dirPath, files);
+    files.sort((a, b) => a.sortOrder - b.sortOrder);
+    return files;
+}
+function walkDirectory(rootDir, currentDir, out) {
+    const entries = fs.readdirSync(currentDir);
+    for (const entry of entries) {
         if (entry.startsWith('.'))
             continue;
-        const fullPath = path.join(dirPath, entry);
+        const fullPath = path.join(currentDir, entry);
         const stat = fs.statSync(fullPath);
-        if (stat.isFile() && (entry.endsWith('.md') || entry.endsWith('.markdown'))) {
-            files.push({
-                filename: entry,
-                content: fs.readFileSync(fullPath, 'utf-8'),
-                sortOrder: entry === 'index.md' ? 0 : i + 1,
-            });
+        if (stat.isDirectory()) {
+            walkDirectory(rootDir, fullPath, out);
+            continue;
         }
+        if (!stat.isFile())
+            continue;
+        if (!entry.endsWith('.md') && !entry.endsWith('.markdown'))
+            continue;
+        // POSIX-style relative path so the install-time prefix check
+        // (e.g. `claude/SKILL.md`) works on every platform.
+        const relative = path
+            .relative(rootDir, fullPath)
+            .split(path.sep)
+            .join('/');
+        out.push({
+            filename: relative,
+            content: fs.readFileSync(fullPath, 'utf-8'),
+            sortOrder: relative === 'index.md' ? 0 : out.length + 1,
+        });
     }
-    // Ensure index.md is first
-    files.sort((a, b) => a.sortOrder - b.sortOrder);
-    return files;
 }
 function collectFromZip(zipPath) {
     const zip = new AdmZip(zipPath);
@@ -152,11 +187,13 @@ function collectFromZip(zipPath) {
         const entry = entries[i];
         if (entry.isDirectory)
             continue;
-        // Get the filename (strip any directory prefix)
-        const filename = path.basename(entry.entryName);
+        // POSIX-style path inside the archive — preserves directory prefixes
+        // (e.g. `claude/SKILL.md`) so install can route the file correctly.
+        const filename = entry.entryName.replace(/\\/g, '/');
+        const basename = path.basename(filename);
         if (!filename.endsWith('.md') && !filename.endsWith('.markdown'))
             continue;
-        if (filename.startsWith('.'))
+        if (basename.startsWith('.'))
             continue;
         files.push({
             filename,

package/dist/commands/sync.d.ts

@@ -1,7 +1,23 @@
+import type { SyncAction } from './views/sync-state.js';
 interface SyncOptions {
     yes?: boolean;
     dryRun?: boolean;
     json?: boolean;
+    /** When true, skip backups before overwriting. Default behavior backs up
+     * any locally-edited or untracked file at a sync destination before the
+     * overwrite. --dry-run prints "would back up" lines without writing. */
+    noBackup?: boolean;
+    /** Force the plain-text rendering path even on a real TTY. Mirrors the
+     * same flag on `login` — useful for screen readers and anyone who finds
+     * the live redraw distracting. */
+    noInk?: boolean;
 }
+/** The three choices a user can make on a per-skill conflict. `keep` and
+ * `skip` are semantically identical today (both leave the local file alone)
+ * but kept separate so we can distinguish "I explicitly want my version" from
+ * "let me decide later" in future UX. */
+export type ConflictChoice = 'keep' | 'overwrite' | 'skip';
+export type AwaitConflictChoice = (ref: string, file: string) => Promise<ConflictChoice>;
+export type SyncDispatch = (action: SyncAction) => void;
 export declare function sync(rawRef: string | undefined, options: SyncOptions): Promise<void>;
 export {};