@clankmates/cli 0.11.1 → 0.13.0

package/src/lib/cache.ts

@@ -1,214 +1,24 @@
-import { Database } from "bun:sqlite";
-import { mkdir } from "node:fs/promises";
-import path from "node:path";
-import { createHash } from "node:crypto";
-
 import { booleanFlag, stringFlag, type ParsedArgs } from "./args";
 import type { CommandContext } from "./context";
 import { CliError } from "./errors";
-import { getCachePath } from "./paths";
-import { CLI_VERSION } from "./version";
-import type { WhoamiActor } from "../types/api";
-
-const MIGRATION_VERSION = 1;
-const PUBLIC_ACTOR_KEY = "public";
-const SHARED_ACTOR_KEY = "shared";
-
-export interface SyncScopeRow {
-  scope_key: string;
-  base_url: string;
-  profile: string;
-  actor_key: string;
-  resource: string;
-  params_json: string;
-  server_timestamp?: string | null;
-  cached_at: string;
-  cli_version: string;
-}
-
-export interface CacheScope {
-  scopeKey: string;
-  resource: string;
-  params: Record<string, unknown>;
-  actorKey: string;
-}
-
-export interface CachePlan {
-  scope: CacheScope;
-  previousServerTimestamp?: string;
-  hit: boolean;
-}
-
-export interface CacheResult {
-  scopeKey: string;
-  hit: boolean;
-  previousServerTimestamp?: string;
-  savedServerTimestamp?: string;
-}
-
-export class SyncCache {
-  private readonly db: Database;
-
-  constructor(private readonly dbPath = getCachePath()) {
-    this.db = new Database(dbPath, { create: true });
-    this.db.exec("PRAGMA journal_mode = WAL");
-    this.db.exec("PRAGMA foreign_keys = ON");
-    this.migrate();
-  }
-
-  path(): string {
-    return this.dbPath;
-  }
-
-  get(scopeKey: string): SyncScopeRow | undefined {
-    return this.db
-      .query<SyncScopeRow, [string]>(
-        `select scope_key, base_url, profile, actor_key, resource, params_json,
-                server_timestamp, cached_at, cli_version
-           from sync_scopes
-          where scope_key = ?`,
-      )
-      .get(scopeKey) ?? undefined;
-  }
-
-  list(input: { baseUrl?: string; profile?: string } = {}): SyncScopeRow[] {
-    if (input.baseUrl && input.profile) {
-      return this.db
-        .query<SyncScopeRow, [string, string]>(
-          `select scope_key, base_url, profile, actor_key, resource, params_json,
-                  server_timestamp, cached_at, cli_version
-             from sync_scopes
-            where base_url = ? and profile = ?
-            order by resource, scope_key`,
-        )
-        .all(input.baseUrl, input.profile);
-    }
-
-    return this.db
-      .query<SyncScopeRow, []>(
-        `select scope_key, base_url, profile, actor_key, resource, params_json,
-                server_timestamp, cached_at, cli_version
-           from sync_scopes
-          order by base_url, profile, resource, scope_key`,
-      )
-      .all();
-  }
-
-  upsert(input: {
-    scope: CacheScope;
-    baseUrl: string;
-    profile: string;
-    serverTimestamp: string;
-  }): void {
-    this.db
-      .query<
-        unknown,
-        [string, string, string, string, string, string, string, string, string]
-      >(
-        `insert into sync_scopes (
-           scope_key, base_url, profile, actor_key, resource, params_json,
-           server_timestamp, cached_at, cli_version
-         )
-         values (?, ?, ?, ?, ?, ?, ?, ?, ?)
-         on conflict(scope_key) do update set
-           base_url = excluded.base_url,
-           profile = excluded.profile,
-           actor_key = excluded.actor_key,
-           resource = excluded.resource,
-           params_json = excluded.params_json,
-           server_timestamp = excluded.server_timestamp,
-           cached_at = excluded.cached_at,
-           cli_version = excluded.cli_version`,
-      )
-      .run(
-        input.scope.scopeKey,
-        input.baseUrl,
-        input.profile,
-        input.scope.actorKey,
-        input.scope.resource,
-        stableJson(input.scope.params),
-        input.serverTimestamp,
-        new Date().toISOString(),
-        CLI_VERSION,
-      );
-  }
-
-  clear(input: { scopeKey?: string; baseUrl?: string; profile?: string } = {}): number {
-    if (input.scopeKey) {
-      const result = this.db
-        .query<unknown, [string]>("delete from sync_scopes where scope_key = ?")
-        .run(input.scopeKey);
-      return result.changes;
-    }
-
-    if (input.baseUrl && input.profile) {
-      const result = this.db
-        .query<unknown, [string, string]>(
-          "delete from sync_scopes where base_url = ? and profile = ?",
-        )
-        .run(input.baseUrl, input.profile);
-      return result.changes;
-    }
-
-    const result = this.db.query<unknown, []>("delete from sync_scopes").run();
-    return result.changes;
-  }
-
-  close(): void {
-    this.db.close();
-  }
-
-  private migrate(): void {
-    this.db.exec(`
-      create table if not exists schema_migrations (
-        version integer primary key,
-        applied_at text not null
-      );
-    `);
-
-    const applied = this.db
-      .query<{ version: number }, [number]>(
-        "select version from schema_migrations where version = ?",
-      )
-      .get(MIGRATION_VERSION);
-
-    if (applied) {
-      return;
-    }
-
-    this.db.exec(`
-      create table if not exists sync_scopes (
-        scope_key text primary key,
-        base_url text not null,
-        profile text not null,
-        actor_key text not null,
-        resource text not null,
-        params_json text not null,
-        server_timestamp text,
-        cached_at text not null,
-        cli_version text not null
-      );
-
-      create index if not exists sync_scopes_profile_idx
-        on sync_scopes(base_url, profile);
-    `);
-
-    this.db
-      .query<unknown, [number, string]>(
-        "insert into schema_migrations(version, applied_at) values (?, ?)",
-      )
-      .run(MIGRATION_VERSION, new Date().toISOString());
-  }
-}
-
-export async function ensureCacheParentDirectory(cachePath = getCachePath()): Promise<void> {
-  await mkdir(path.dirname(cachePath), { recursive: true });
-}
-
-export async function openSyncCache(cachePath = getCachePath()): Promise<SyncCache> {
-  await ensureCacheParentDirectory(cachePath);
-  return new SyncCache(cachePath);
-}
+import { actorKey } from "./cache/scopes";
+import { openSyncCache } from "./cache/store";
+import type { CachePlan, CacheResult, CacheScope } from "./cache/types";
+
+export type { CachePlan, CacheResult, CacheScope, SyncScopeRow } from "./cache/types";
+export { SyncCache, ensureCacheParentDirectory, openSyncCache } from "./cache/store";
+export {
+  feedMyScope,
+  feedSearchScope,
+  hashValue,
+  inboxMessagesScope,
+  inboxThreadsScope,
+  ownedPostsScope,
+  publicActorKey,
+  publicPostsScope,
+  sharedActorKey,
+  sharedPostsScope,
+} from "./cache/scopes";
 
 export function cacheFlags(args: ParsedArgs): {
   sinceCache: boolean;
@@ -323,177 +133,3 @@ export async function authenticatedActorKey(
 ): Promise<string> {
   return actorKey((await context.client.whoami(channelToken)).actor);
 }
-
-export function publicActorKey(): string {
-  return PUBLIC_ACTOR_KEY;
-}
-
-export function sharedActorKey(): string {
-  return SHARED_ACTOR_KEY;
-}
-
-export function feedMyScope(input: {
-  context: CommandContext;
-  actorKey: string;
-  channelId?: string;
-}): CacheScope {
-  const channel = input.channelId ?? "all";
-  return scoped({
-    context: input.context,
-    actorKey: input.actorKey,
-    resource: "feed:my",
-    parts: ["feed", "my", channel],
-    params: { channel },
-  });
-}
-
-export function feedSearchScope(input: {
-  context: CommandContext;
-  actorKey: string;
-  query: string;
-  channelId?: string;
-}): CacheScope {
-  const channel = input.channelId ?? "all";
-  return scoped({
-    context: input.context,
-    actorKey: input.actorKey,
-    resource: "feed:search",
-    parts: ["feed", "search", input.query, channel],
-    params: { query: input.query, channel },
-  });
-}
-
-export function inboxThreadsScope(input: {
-  context: CommandContext;
-  actorKey: string;
-  status?: string;
-  mailbox?: string;
-}): CacheScope {
-  const status = input.status ?? "default";
-  const mailbox = input.mailbox ?? "default";
-  return scoped({
-    context: input.context,
-    actorKey: input.actorKey,
-    resource: "inbox:threads",
-    parts: ["inbox", "threads", status, mailbox, input.actorKey],
-    params: { status, mailbox },
-  });
-}
-
-export function inboxMessagesScope(input: {
-  context: CommandContext;
-  actorKey: string;
-  threadId: string;
-}): CacheScope {
-  return scoped({
-    context: input.context,
-    actorKey: input.actorKey,
-    resource: "inbox:messages",
-    parts: ["inbox", "messages", input.threadId, input.actorKey],
-    params: { threadId: input.threadId },
-  });
-}
-
-export function ownedPostsScope(input: {
-  context: CommandContext;
-  actorKey: string;
-  channelId: string;
-}): CacheScope {
-  return scoped({
-    context: input.context,
-    actorKey: input.actorKey,
-    resource: "posts:owned",
-    parts: ["posts", "owned", input.channelId],
-    params: { channelId: input.channelId },
-  });
-}
-
-export function publicPostsScope(input: {
-  context: CommandContext;
-  publicHandle: string;
-  channelName: string;
-}): CacheScope {
-  return scoped({
-    context: input.context,
-    actorKey: PUBLIC_ACTOR_KEY,
-    resource: "posts:public",
-    parts: ["posts", "public", input.publicHandle, input.channelName],
-    params: {
-      publicHandle: input.publicHandle,
-      channelName: input.channelName,
-    },
-  });
-}
-
-export function sharedPostsScope(input: {
-  context: CommandContext;
-  shareToken: string;
-}): CacheScope {
-  const shareTokenHash = hashValue(input.shareToken);
-  return scoped({
-    context: input.context,
-    actorKey: SHARED_ACTOR_KEY,
-    resource: "posts:shared",
-    parts: ["posts", "shared", shareTokenHash],
-    params: { shareTokenHash },
-  });
-}
-
-export function hashValue(value: string): string {
-  return createHash("sha256").update(value).digest("hex");
-}
-
-function actorKey(actor: WhoamiActor): string {
-  if (actor.type === "user") {
-    return `user:${actor.id}:${actor.scope ?? "master"}`;
-  }
-
-  return `channel:${actor.id}`;
-}
-
-function scoped(input: {
-  context: CommandContext;
-  actorKey: string;
-  resource: string;
-  parts: string[];
-  params: Record<string, unknown>;
-}): CacheScope {
-  const prefix = [
-    "v1",
-    normalizePart(input.context.profile.baseUrl),
-    normalizePart(input.context.profileName),
-    normalizePart(input.actorKey),
-  ];
-  const scopeKey = [...prefix, ...input.parts.map(normalizePart)].join(":");
-
-  return {
-    scopeKey,
-    resource: input.resource,
-    params: input.params,
-    actorKey: input.actorKey,
-  };
-}
-
-function normalizePart(value: string): string {
-  return encodeURIComponent(value);
-}
-
-function stableJson(value: Record<string, unknown>): string {
-  return JSON.stringify(sortObject(value));
-}
-
-function sortObject(value: unknown): unknown {
-  if (Array.isArray(value)) {
-    return value.map(sortObject);
-  }
-
-  if (typeof value !== "object" || value === null) {
-    return value;
-  }
-
-  return Object.fromEntries(
-    Object.entries(value as Record<string, unknown>)
-      .sort(([left], [right]) => left.localeCompare(right))
-      .map(([key, entry]) => [key, sortObject(entry)]),
-  );
-}

package/src/lib/client/auth.ts

@@ -0,0 +1,122 @@
+import { requestJson } from "../http";
+import { CliError } from "../errors";
+import {
+  requireMasterToken,
+  requireOwnerReadToken,
+} from "../tokens";
+import type {
+  AccessKeyAttributes,
+  AccessKeyIssueResponse,
+  AccessKeyRevokeResponse,
+  AccessKeyScope,
+  WhoamiResponse,
+} from "../../types/api";
+import { API_PREFIX, type ApiClientCore } from "./core";
+
+export async function canAuthenticate(
+  core: ApiClientCore,
+  token: string,
+): Promise<boolean> {
+  try {
+    await whoami(core, token);
+    return true;
+  } catch (error) {
+    if (isUnauthorizedCliError(error)) {
+      return false;
+    }
+
+    throw error;
+  }
+}
+
+export async function validateMasterToken(
+  core: ApiClientCore,
+  token: string,
+): Promise<void> {
+  const response = await whoami(core, token);
+
+  if (
+    response.actor.type !== "user" ||
+    response.actor.scope === "read_only"
+  ) {
+    throw new CliError("Provided token is not a master token.");
+  }
+}
+
+export async function validateReadOnlyToken(
+  core: ApiClientCore,
+  token: string,
+): Promise<void> {
+  const response = await whoami(core, token);
+
+  if (
+    response.actor.type !== "user" ||
+    response.actor.scope !== "read_only"
+  ) {
+    throw new CliError("Provided token is not a read-only token.");
+  }
+}
+
+export async function whoami(
+  core: ApiClientCore,
+  token = requireOwnerReadToken(core.profile),
+): Promise<WhoamiResponse> {
+  return (
+    await requestJson<WhoamiResponse>(
+      core.profile.baseUrl,
+      `${API_PREFIX}/auth/whoami`,
+      { token },
+    )
+  ).data;
+}
+
+export async function listAccessKeys(
+  core: ApiClientCore,
+  scope?: AccessKeyScope,
+) {
+  const path = scope
+    ? `${API_PREFIX}/me/access-keys/scopes/${encodeURIComponent(scope)}`
+    : `${API_PREFIX}/me/access-keys`;
+
+  return core.requestCollection<AccessKeyAttributes>(path, {
+    token: requireOwnerReadToken(core.profile),
+  });
+}
+
+export async function issueAccessKey(
+  core: ApiClientCore,
+  input: { scope: AccessKeyScope; name: string },
+) {
+  return core.requestAction<AccessKeyIssueResponse>(
+    `${API_PREFIX}/me/access-keys`,
+    {
+      method: "POST",
+      token: requireMasterToken(core.profile),
+      body: {
+        data: {
+          scope: input.scope,
+          name: input.name,
+        },
+      },
+    },
+  );
+}
+
+export async function revokeAccessKey(core: ApiClientCore, id: string) {
+  return core.requestAction<AccessKeyRevokeResponse>(
+    `${API_PREFIX}/me/access-keys/${id}`,
+    {
+      method: "DELETE",
+      token: requireMasterToken(core.profile),
+    },
+  );
+}
+
+function isUnauthorizedCliError(error: unknown): boolean {
+  return (
+    error instanceof CliError &&
+    error.exitCode === 1 &&
+    (error.message.includes("Authentication required") ||
+      error.message.includes("code=unauthorized"))
+  );
+}

package/src/lib/client/channel-keys.ts

@@ -0,0 +1,57 @@
+import {
+  requireMasterToken,
+  requireOwnerReadToken,
+} from "../tokens";
+import type {
+  ChannelKeyAttributes,
+  ChannelKeyIssueResponse,
+  ChannelKeyRevokeResponse,
+} from "../../types/api";
+import { API_PREFIX, withQuery, type ApiClientCore } from "./core";
+
+export async function listChannelKeys(
+  core: ApiClientCore,
+  input: {
+    channelId: string;
+    limit?: number;
+    cursor?: string;
+  },
+) {
+  return core.requestCollection<ChannelKeyAttributes>(
+    withQuery(`${API_PREFIX}/channels/${input.channelId}/tokens`, {
+      "page[limit]": input.limit,
+      "page[after]": input.cursor,
+    }),
+    {
+      token: requireOwnerReadToken(core.profile),
+    },
+  );
+}
+
+export async function issueChannelKey(
+  core: ApiClientCore,
+  input: { channelId: string; name: string },
+) {
+  return core.requestAction<ChannelKeyIssueResponse>(
+    `${API_PREFIX}/channels/${input.channelId}/tokens`,
+    {
+      method: "POST",
+      token: requireMasterToken(core.profile),
+      body: {
+        data: {
+          name: input.name,
+        },
+      },
+    },
+  );
+}
+
+export async function revokeChannelKey(core: ApiClientCore, id: string) {
+  return core.requestAction<ChannelKeyRevokeResponse>(
+    `${API_PREFIX}/channel-keys/${id}`,
+    {
+      method: "DELETE",
+      token: requireMasterToken(core.profile),
+    },
+  );
+}