@construct-space/cli 1.8.0 → 1.9.0

package/dist/index.js

@@ -2876,26 +2876,92 @@ function listDesktopProfiles() {
   }
   return results;
 }
-function credentialsPath() {
-  return join12(dataDir(), CREDENTIALS_FILE);
+function legacyCredentialsPath() {
+  return join12(dataDir(), LEGACY_CREDENTIALS_FILE);
 }
-function store(creds) {
-  const path = credentialsPath();
+function registryPath() {
+  return join12(dataDir(), PROFILES_REGISTRY);
+}
+function readRegistry() {
+  const path = registryPath();
+  if (!existsSync10(path))
+    return {};
+  try {
+    return JSON.parse(readFileSync7(path, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writeRegistry(reg) {
+  const path = registryPath();
   mkdirSync4(dirname4(path), { recursive: true });
-  writeFileSync5(path, JSON.stringify(creds, null, 2) + `
-`, { mode: 384 });
+  writeFileSync5(path, JSON.stringify({ version: 1, ...reg }, null, 2));
 }
-function load2() {
-  const path = credentialsPath();
-  if (existsSync10(path)) {
-    const data = JSON.parse(readFileSync7(path, "utf-8"));
-    if (data.token) {
-      if (!data.publisherKey && data.token.startsWith("csk_live_")) {
-        data.publisherKey = data.token;
-      }
-      return data;
-    }
+function store(creds) {
+  const profileId = creds.profileId || creds.user?.id;
+  if (!profileId) {
+    throw new Error("cannot store credentials without a profile id (user.id or profileId)");
+  }
+  const profilePath = join12(profilesDir(), profileId, "auth.json");
+  mkdirSync4(dirname4(profilePath), { recursive: true });
+  let existing = {};
+  if (existsSync10(profilePath)) {
+    try {
+      existing = JSON.parse(readFileSync7(profilePath, "utf-8"));
+    } catch {}
+  }
+  existing.token = creds.token;
+  existing.authenticated = true;
+  existing.updated_at = new Date().toISOString();
+  if (creds.user) {
+    existing.user = { ...existing.user, ...creds.user };
+  }
+  if (creds.publisherKey) {
+    existing.publisher = {
+      ...existing.publisher,
+      name: creds.publisherName || existing.publisher?.name || "",
+      kind: creds.publisherKind || existing.publisher?.kind || "user",
+      api_key: creds.publisherKey
+    };
   }
+  writeFileSync5(profilePath, JSON.stringify(existing, null, 2), { mode: 384 });
+  const reg = readRegistry();
+  reg.active_profile = profileId;
+  reg.profiles = reg.profiles || [];
+  const existingEntry = reg.profiles.find((p) => p.id === profileId);
+  if (existingEntry) {
+    if (creds.user?.name)
+      existingEntry.name = creds.user.name;
+    if (creds.user?.email)
+      existingEntry.email = creds.user.email;
+  } else if (creds.user) {
+    reg.profiles.push({
+      id: profileId,
+      name: creds.user.name,
+      email: creds.user.email
+    });
+  }
+  writeRegistry(reg);
+}
+function migrateLegacyCredentials() {
+  const legacy = legacyCredentialsPath();
+  if (!existsSync10(legacy))
+    return;
+  try {
+    const data = JSON.parse(readFileSync7(legacy, "utf-8"));
+    if (!data.token)
+      return;
+    const pid = data.profileId || data.user?.id;
+    if (!pid)
+      return;
+    const profilePath = join12(profilesDir(), pid, "auth.json");
+    if (existsSync10(profilePath))
+      return;
+    store({ ...data, profileId: pid });
+  } catch {}
+}
+function load2() {
+  migrateLegacyCredentials();
   const fromProfile = loadFromActiveProfile();
   if (fromProfile)
     return fromProfile;
@@ -2945,11 +3011,24 @@ function isAuthenticated() {
   }
 }
 function clear() {
-  const path = credentialsPath();
-  if (existsSync10(path))
-    unlinkSync(path);
+  const reg = readRegistry();
+  const activeId = reg.active_profile;
+  if (activeId) {
+    const profilePath = join12(profilesDir(), activeId, "auth.json");
+    if (existsSync10(profilePath)) {
+      try {
+        const data = JSON.parse(readFileSync7(profilePath, "utf-8"));
+        data.authenticated = false;
+        data.updated_at = new Date().toISOString();
+        writeFileSync5(profilePath, JSON.stringify(data, null, 2), { mode: 384 });
+      } catch {}
+    }
+  }
+  const legacy = legacyCredentialsPath();
+  if (existsSync10(legacy))
+    unlinkSync(legacy);
 }
-var CREDENTIALS_FILE = "credentials.json", DEFAULT_PORTAL = "https://my.construct.space/api/developer";
+var LEGACY_CREDENTIALS_FILE = "credentials.json", PROFILES_REGISTRY = "profiles.json", DEFAULT_PORTAL = "https://my.construct.space/api/developer";
 var init_auth = __esm(() => {
   init_appdir();
 });
@@ -3011,6 +3090,83 @@ var init_whoami = __esm(() => {
   init_auth();
 });
 
+// src/commands/org.ts
+var exports_org = {};
+__export(exports_org, {
+  orgStatus: () => orgStatus
+});
+async function orgStatus() {
+  let creds;
+  try {
+    creds = load2();
+  } catch {
+    console.error(source_default.red("Not signed in."));
+    console.error(source_default.dim("Run 'construct login' first."));
+    process.exit(1);
+  }
+  let s;
+  try {
+    const res = await fetch(ACCOUNTS_SCOPE_URL3, {
+      headers: { Authorization: `Bearer ${creds.token}`, Accept: "application/json" }
+    });
+    if (!res.ok) {
+      console.error(source_default.red(`Scope lookup failed (${res.status}).`));
+      console.error(source_default.dim("Token may be expired. Try: construct login"));
+      process.exit(1);
+    }
+    s = await res.json();
+  } catch (err) {
+    console.error(source_default.red(`Could not reach accounts service: ${err?.message || err}`));
+    process.exit(1);
+  }
+  if (!s.authenticated || !s.user) {
+    console.error(source_default.red("Token rejected."));
+    process.exit(1);
+  }
+  if (s.scope === "org" && s.org) {
+    console.log(source_default.cyan("Scope: ") + source_default.bold(`org \u2014 ${s.org.name || s.org.slug || s.org.id}`));
+    if (s.org.slug)
+      console.log(source_default.dim(`  slug: ${s.org.slug}`));
+    if (s.org.id)
+      console.log(source_default.dim(`  id:   ${s.org.id}`));
+    if (s.roles && s.roles.length) {
+      console.log(source_default.dim(`  roles: ${s.roles.join(", ")}`));
+    }
+  } else {
+    console.log(source_default.cyan("Scope: ") + source_default.bold("personal"));
+    console.log(source_default.dim("  (switch to an org at https://my.construct.space)"));
+  }
+  console.log();
+  console.log(source_default.cyan("Signed in as"));
+  console.log(`  ${s.user.email || s.user.username || s.user.uuid || "(unknown)"}`);
+  if (s.user.uuid)
+    console.log(source_default.dim(`  ${s.user.uuid}`));
+  console.log();
+  console.log(source_default.cyan("Publisher (from auth.json)"));
+  if (creds.publisherKey) {
+    const kind = creds.publisherKind || "user";
+    const expected = s.scope === "org" ? "org" : "user";
+    const matches = kind === expected;
+    console.log(`  ${source_default.bold(creds.publisherName || "(unnamed)")}  ${source_default.dim(`[${kind}]`)}`);
+    console.log(source_default.dim(`  key: ${creds.publisherKey.slice(0, 14)}\u2026`));
+    if (!matches) {
+      console.log(source_default.yellow(`  \u26A0 publisher kind (${kind}) doesn't match active scope (${expected}).`));
+      console.log(source_default.dim("    Restart the desktop app or run 'construct login' to re-sync."));
+    }
+  } else {
+    console.log(source_default.dim("  (none \u2014 enroll as a developer to get a publisher key)"));
+  }
+  if (s.developer) {
+    console.log();
+    console.log(source_default.dim("developer capability: ") + source_default.green("enabled"));
+  }
+}
+var ACCOUNTS_SCOPE_URL3 = "https://my.construct.space/api/accounts/me/scope";
+var init_org = __esm(() => {
+  init_source();
+  init_auth();
+});
+
 // src/lib/graphClient.ts
 function graphBaseURL() {
   return process.env.GRAPH_URL || "https://graph.construct.space";
@@ -10389,6 +10545,13 @@ async function publish(options) {
   const yes = options?.yes ?? false;
   const wantPrivate = options?.private ?? false;
   const wantPublic = options?.public ?? false;
+  const scopeOpt = options?.scope ? options.scope.toLowerCase() : undefined;
+  if (scopeOpt && scopeOpt !== "user" && scopeOpt !== "org") {
+    console.error(source_default.red(`--scope must be 'user' or 'org', got '${options?.scope}'.`));
+    process.exit(1);
+  }
+  const wantOrgScope = scopeOpt === "org";
+  const wantUserScope = scopeOpt === "user";
   if (wantPrivate && wantPublic) {
     console.error(source_default.red("Cannot combine --private and --public. Pick one."));
     process.exit(1);
@@ -10482,10 +10645,19 @@ async function publish(options) {
     console.log(source_default.dim("  (Org Settings \u2192 Developer), then re-run this command."));
     console.log();
   }
-  if (wantPrivate && creds.publisherKind !== "org") {
+  if (wantUserScope && creds.publisherKind === "org" && !options?.apiKey) {
+    console.error(source_default.red("--scope=user, but the active publisher in auth.json is an org publisher."));
+    console.error(source_default.dim("  Switch context to personal in the desktop app, or pass --api-key with a personal key."));
+    process.exit(1);
+  }
+  if (wantOrgScope && creds.publisherKind === "user" && !options?.apiKey) {
+    creds = { ...creds, publisherKey: undefined, publisherKind: undefined, publisherName: undefined };
+  }
+  if (wantPrivate && creds.publisherKind !== "org" && !wantOrgScope) {
     console.error(source_default.red("--private requires an org publisher key."));
     console.error(source_default.dim("  Personal publishes are always public."));
-    console.error(source_default.dim("  Enrol an org from the desktop app (Org Settings \u2192 Developer) and re-run."));
+    console.error(source_default.dim("  Pass --scope=org to publish as your active org, or enrol an org"));
+    console.error(source_default.dim("  from the desktop app (Org Settings \u2192 Developer) first."));
     process.exit(1);
   }
   console.log();
@@ -10530,12 +10702,24 @@ async function publish(options) {
   const uploadSpinner = ora("Uploading & building...").start();
   try {
     const explicitKey = options?.apiKey || process.env.CONSTRUCT_PUBLISHER_KEY;
-    const initialKey = explicitKey || creds.publisherKey;
+    let initialKey = explicitKey || creds.publisherKey;
+    if (wantOrgScope && !explicitKey && !initialKey) {
+      uploadSpinner.text = "Fetching org publisher key\u2026";
+      const orgKey = await fetchOrgPublisherKey(creds.portal, creds.token);
+      if (!orgKey) {
+        uploadSpinner.fail("No org publisher available for --scope=org");
+        console.error(source_default.dim("  Switch into an org context in the desktop app, or pass --api-key"));
+        console.error(source_default.dim("  with a csk_live_* key the org owns."));
+        unlinkSync2(tarballPath);
+        process.exit(1);
+      }
+      initialKey = orgKey;
+    }
     let result;
     try {
       result = await uploadSource(creds.portal, creds.token, initialKey, tarballPath, m, { private: wantPrivate, public: wantPublic });
     } catch (e) {
-      if (e?.ownerKind === "org" && !creds.publisherKey) {
+      if (e?.ownerKind === "org" && !creds.publisherKey && !wantUserScope) {
         uploadSpinner.text = "Fetching org publisher key\u2026";
         const orgKey = await fetchOrgPublisherKey(creds.portal, creds.token);
         if (!orgKey)
@@ -10786,6 +10970,19 @@ async function loginFromProfile(profiles) {
   console.log(source_default.dim(`  profile: ${picked.id}`));
 }
 async function loginWithToken(token) {
+  if (token.startsWith("cst_live_")) {
+    console.error(source_default.red("cst_live_* tokens are being retired."));
+    console.error(source_default.dim("  Sign in via the Construct desktop app, or get a new"));
+    console.error(source_default.dim(`  identity token at ${source_default.cyan("https://my.construct.space/settings/tokens")}.`));
+    process.exit(1);
+  }
+  if (token.startsWith("csk_live_")) {
+    console.error(source_default.red("That's a publisher key, not an identity token."));
+    console.error(source_default.dim("  Publisher keys (csk_live_*) authorize publish-as-publisher"));
+    console.error(source_default.dim("  on top of identity. Pass an identity token (cat_*) here;"));
+    console.error(source_default.dim("  the CLI loads your publisher key automatically once logged in."));
+    process.exit(1);
+  }
   let resp;
   try {
     resp = await fetch(ACCOUNTS_SCOPE_URL, {
@@ -11501,7 +11698,7 @@ function graphFork(newSpaceID) {
 // package.json
 var package_default = {
   name: "@construct-space/cli",
-  version: "1.8.0",
+  version: "1.9.0",
   description: "Construct CLI \u2014 scaffold, build, develop, and publish spaces",
   type: "module",
   bin: {
@@ -11553,7 +11750,7 @@ program2.command("scaffold [name]").alias("new").alias("create").description("Cr
 program2.command("build").description("Build the space (generate entry + run Vite)").option("--entry-only", "Only generate src/entry.ts").action(async (opts) => build(opts));
 program2.command("dev").description("Start dev mode with file watching and live reload").action(async () => dev());
 program2.command("install").alias("run").description("Install built space to Construct spaces directory").action(() => install());
-program2.command("publish").description("Publish a space to the Construct registry").option("-y, --yes", "Skip all confirmation prompts").option("--bump <type>", "Auto-bump version (patch, minor, major)").option("--private", "Publish as org-private (catalog-listed only inside the owning org). Requires an org publisher key.").option("--public", "Flip a previously-private space back to the public catalog on this publish. Without --private or --public, visibility is preserved on update (and defaults to public on first publish).").option("--api-key <key>", "Publisher API key (csk_live_\u2026). Overrides any key stored in the active profile. Also reads CONSTRUCT_PUBLISHER_KEY.").action(async (opts) => publish(opts));
+program2.command("publish").description("Publish a space to the Construct registry").option("-y, --yes", "Skip all confirmation prompts").option("--bump <type>", "Auto-bump version (patch, minor, major)").option("--private", "Publish as org-private (catalog-listed only inside the owning org). Requires an org publisher key.").option("--public", "Flip a previously-private space back to the public catalog on this publish. Without --private or --public, visibility is preserved on update (and defaults to public on first publish).").option("--scope <scope>", "Publish as 'user' (personal) or 'org'. Without this flag, the active publisher in auth.json decides.").option("--api-key <key>", "Publisher API key (csk_live_\u2026). Overrides any key stored in the active profile. Also reads CONSTRUCT_PUBLISHER_KEY.").action(async (opts) => publish(opts));
 program2.command("validate").description("Validate space.manifest.json").action(() => validate3());
 program2.command("check").description("Run type-check (vue-tsc) and linter (eslint)").action(() => check());
 program2.command("clean").description("Remove build artifacts").option("--all", "Also remove node_modules and lockfiles").action((opts) => clean(opts));
@@ -11561,6 +11758,8 @@ program2.command("login").description("Authenticate with Construct").option("--p
 program2.command("logout").description("Sign out").action(() => logout());
 program2.command("update").description("Update the CLI to the latest version").action(() => update());
 program2.command("whoami").alias("status").description("Show the signed-in user + current org scope").action(async () => (await Promise.resolve().then(() => (init_whoami(), exports_whoami))).whoami());
+var org = program2.command("org").description("Inspect the active organization context");
+org.command("status").description("Show active scope, publisher, and roles").action(async () => (await Promise.resolve().then(() => (init_org(), exports_org))).orgStatus());
 var graph = program2.command("graph").description("Construct Graph \u2014 data models and GraphQL");
 graph.command("init").description("Initialize Graph in a space project").action(() => graphInit());
 graph.command("generate <model> [fields...]").alias("g").description("Generate a data model").option("--access <rules>", "Access rules (e.g. read:member,create:member,update:owner,delete:admin)").action((model, fields, opts) => generate2(model, fields, opts));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@construct-space/cli",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "Construct CLI — scaffold, build, develop, and publish spaces",
   "type": "module",
   "bin": {