@doow/cli 0.1.2 → 0.1.5

package/dist/cli.cjs

@@ -231,7 +231,7 @@ function getApiUrl(profile) {
         return profile.apiUrl;
     if (process.env['DOOW_API_URL'])
         return process.env['DOOW_API_URL'];
-    return 'https://api.doow.com';
+    return 'https://dev-api.doow.co';
 }
 
 // ---------------------------------------------------------------------------
@@ -287,26 +287,55 @@ function createFileStore() {
 // Keyring-backed store
 // ---------------------------------------------------------------------------
 function createKeyringStore(keytar) {
+    const fileStore = createFileStore();
+    let currentBackend = 'keyring';
     return {
         async get(profileName) {
             try {
                 const raw = await withTimeout(keytar.getPassword(SERVICE_NAME, profileName), OP_TIMEOUT_MS);
-                if (raw == null)
-                    return undefined;
-                return JSON.parse(raw);
+                if (raw != null) {
+                    currentBackend = 'keyring';
+                    return JSON.parse(raw);
+                }
+                currentBackend = 'keyring';
             }
             catch {
-                return undefined;
+                printFallbackWarning();
+                currentBackend = 'file';
             }
+            const fallback = await fileStore.get(profileName);
+            if (fallback !== undefined) {
+                currentBackend = 'file';
+                return fallback;
+            }
+            return undefined;
         },
         async set(profileName, creds) {
-            await withTimeout(keytar.setPassword(SERVICE_NAME, profileName, JSON.stringify(creds)), OP_TIMEOUT_MS);
+            try {
+                await withTimeout(keytar.setPassword(SERVICE_NAME, profileName, JSON.stringify(creds)), OP_TIMEOUT_MS);
+                currentBackend = 'keyring';
+                // Remove stale fallback data once the keyring becomes the source of truth.
+                await fileStore.clear(profileName);
+            }
+            catch {
+                printFallbackWarning();
+                currentBackend = 'file';
+                await fileStore.set(profileName, creds);
+            }
         },
         async clear(profileName) {
-            await withTimeout(keytar.deletePassword(SERVICE_NAME, profileName), OP_TIMEOUT_MS);
+            try {
+                await withTimeout(keytar.deletePassword(SERVICE_NAME, profileName), OP_TIMEOUT_MS);
+                currentBackend = 'keyring';
+            }
+            catch {
+                printFallbackWarning();
+                currentBackend = 'file';
+            }
+            await fileStore.clear(profileName);
         },
         backend() {
-            return 'keyring';
+            return currentBackend;
         },
     };
 }
@@ -325,7 +354,6 @@ async function createCredentialStore() {
     let keytar;
     try {
         // Dynamic import so missing keytar never crashes the module at load time.
-        // @ts-expect-error — keytar is an optional peer dep and may not be installed.
         const mod = await import('keytar');
         // Support both default-export and named-export module shapes.
         keytar = (mod.default ?? mod);
@@ -469,7 +497,8 @@ async function resolveAuth(options = {}) {
     }
     if (creds?.accessToken) {
         const token = creds.accessToken;
-        const needsRefresh = isTokenExpiredOrExpiring(creds.expiresAt);
+        const canRefresh = typeof creds.refreshToken === 'string' && creds.refreshToken.trim().length > 0;
+        const needsRefresh = canRefresh ? isTokenExpiredOrExpiring(creds.expiresAt) : false;
         return {
             type: 'oauth-token',
             token,
@@ -626,13 +655,12 @@ function startCallbackServer(expectedState, timeoutMs) {
 // ---------------------------------------------------------------------------
 // Token exchange
 // ---------------------------------------------------------------------------
-async function exchangeCodeForTokens(apiUrl, code, codeVerifier, state) {
+async function exchangeCodeForTokens(apiUrl, codeVerifier, state) {
     const response = await fetch(`${apiUrl}/v1/auth/cli/token`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
             grant_type: 'authorization_code',
-            code,
             code_verifier: codeVerifier,
             state,
         }),
@@ -643,6 +671,31 @@ async function exchangeCodeForTokens(apiUrl, code, codeVerifier, state) {
     }
     return response.json();
 }
+async function requestAuthorizationUrl(apiUrl, codeChallenge, state, redirectUri) {
+    const response = await fetch(`${apiUrl}/v1/auth/cli/authorize`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            client_id: 'doow-cli',
+            code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+            redirect_uri: redirectUri,
+            state,
+        }),
+    });
+    if (!response.ok) {
+        const body = await response.text().catch(() => '(no body)');
+        throw new Error(`Authorize request failed: HTTP ${response.status} — ${body}`);
+    }
+    const payload = (await response.json());
+    if (payload.state !== state) {
+        throw new Error('Authorize response state mismatch — possible server bug. Try again.');
+    }
+    if (!payload.authorization_url) {
+        throw new Error('Authorize response did not include authorization_url.');
+    }
+    return payload.authorization_url;
+}
 // ---------------------------------------------------------------------------
 // Main flow
 // ---------------------------------------------------------------------------
@@ -666,14 +719,9 @@ async function executePkceFlow(options = {}) {
     // Step 3: Start callback server
     const { server, port, callbackPromise } = await startCallbackServer(state, timeout);
     try {
-        // Step 4: Build authorize URL
+        // Step 4: Request an authorization URL from the API
         const redirectUri = `http://127.0.0.1:${port}/callback`;
-        const authorizeUrl = `${apiUrl}/v1/auth/cli/authorize` +
-            `?response_type=code` +
-            `&code_challenge=${codeChallenge}` +
-            `&code_challenge_method=S256` +
-            `&state=${state}` +
-            `&redirect_uri=${encodeURIComponent(redirectUri)}`;
+        const authorizeUrl = await requestAuthorizationUrl(apiUrl, codeChallenge, state, redirectUri);
         // Step 5: Open browser
         try {
             const { default: open } = await import('open');
@@ -684,9 +732,9 @@ async function executePkceFlow(options = {}) {
             throw new Error(`Failed to open browser: ${msg}. Try doow login --device for headless environments.`);
         }
         // Step 6: Wait for callback
-        const { code } = await callbackPromise;
+        await callbackPromise;
         // Step 7: Exchange code for tokens
-        const tokenResponse = await exchangeCodeForTokens(apiUrl, code, codeVerifier, state);
+        const tokenResponse = await exchangeCodeForTokens(apiUrl, codeVerifier, state);
         // Step 8: Store tokens
         const expiresAt = new Date(Date.now() + tokenResponse.expires_in * 1000).toISOString();
         const result = {
@@ -714,7 +762,7 @@ async function executePkceFlow(options = {}) {
  * environments where a browser cannot be opened on the same machine.
  *
  * Steps:
- *   1. POST /v1/auth/device/authorize  → get device_code + user_code
+ *   1. POST /v1/auth/cli/device        → get device_code + user_code
  *   2. Display verification URI + user_code on stderr
  *   3. Optionally open the browser (best-effort)
  *   4. Poll POST /v1/auth/device/token until granted or expired
@@ -734,6 +782,15 @@ function sleep$1(ms) {
 function expiresAtFromSecondsIn(secondsIn) {
     return new Date(Date.now() + secondsIn * 1000).toISOString();
 }
+function isLegacyPendingPollResponse(status, body) {
+    const legacyBody = body;
+    return (status === 400 &&
+        body != null &&
+        typeof body === 'object' &&
+        legacyBody.name === 'HttpException' &&
+        legacyBody.message === 'Bad Request Exception' &&
+        legacyBody.response === 'Bad Request Exception');
+}
 // ---------------------------------------------------------------------------
 // Core function
 // ---------------------------------------------------------------------------
@@ -756,7 +813,7 @@ async function executeDeviceFlow(options = {}) {
     // -------------------------------------------------------------------------
     // Step 1: Request device authorization
     // -------------------------------------------------------------------------
-    const authorizeRes = await fetch(`${apiUrl}/v1/auth/device/authorize`, {
+    const authorizeRes = await fetch(`${apiUrl}/v1/auth/cli/device`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ client_id: 'doow-cli' }),
@@ -766,6 +823,7 @@ async function executeDeviceFlow(options = {}) {
         throw new Error(`Device authorization request failed: HTTP ${authorizeRes.status}${body ? ` — ${body}` : ''}`);
     }
     const auth = (await authorizeRes.json());
+    const deviceCodeExpiresAt = Date.now() + auth.expires_in * 1000;
     // -------------------------------------------------------------------------
     // Step 2: Display instructions on stderr
     // -------------------------------------------------------------------------
@@ -785,6 +843,9 @@ async function executeDeviceFlow(options = {}) {
     let pollInterval = auth.interval; // seconds; RFC 8628 §3.5
     while (true) {
         await sleep$1(pollInterval * 1000);
+        if (Date.now() > deviceCodeExpiresAt) {
+            throw new Error('Device code expired. Run doow login --device again.');
+        }
         const tokenRes = await fetch(`${apiUrl}/v1/auth/device/token`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
@@ -829,6 +890,9 @@ async function executeDeviceFlow(options = {}) {
             case 'access_denied':
                 throw new Error('Authorization denied by user.');
             default:
+                if (isLegacyPendingPollResponse(tokenRes.status, errBody)) {
+                    continue;
+                }
                 throw new Error(`Token polling failed: ${errBody.error}${errBody.error_description ? ` — ${errBody.error_description}` : ''}`);
         }
     }
@@ -9137,29 +9201,45 @@ async function checkNetwork(apiUrl) {
     }
 }
 async function checkApiVersion(apiUrl) {
+    const healthPaths = ['/health', '/v1/health'];
     try {
         const controller = new AbortController();
         const timeoutId = setTimeout(() => controller.abort(), 5000);
-        const res = await fetch(`${apiUrl}/v1/health`, { signal: controller.signal });
-        clearTimeout(timeoutId);
-        if (!res.ok) {
-            return { name: 'api_version', status: 'warn', detail: `HTTP ${res.status} from /v1/health` };
-        }
-        let version;
-        try {
-            const body = await res.json();
-            if (typeof body['version'] === 'string')
-                version = body['version'];
-            else if (typeof body['server_version'] === 'string')
-                version = body['server_version'];
-        }
-        catch {
-            // non-JSON body is acceptable
+        let lastPath = healthPaths[0];
+        let lastStatus;
+        for (const path of healthPaths) {
+            lastPath = path;
+            const res = await fetch(`${apiUrl}${path}`, { signal: controller.signal });
+            if (res.ok) {
+                clearTimeout(timeoutId);
+                let version;
+                try {
+                    const body = await res.json();
+                    if (typeof body['version'] === 'string')
+                        version = body['version'];
+                    else if (typeof body['server_version'] === 'string')
+                        version = body['server_version'];
+                }
+                catch {
+                    // non-JSON body is acceptable
+                }
+                return {
+                    name: 'api_version',
+                    status: 'pass',
+                    detail: version ? `server ${version}` : 'reachable (no version in response)',
+                };
+            }
+            lastStatus = res.status;
+            if (res.status !== 404 && res.status !== 410) {
+                clearTimeout(timeoutId);
+                return { name: 'api_version', status: 'warn', detail: `HTTP ${res.status} from ${path}` };
+            }
         }
+        clearTimeout(timeoutId);
         return {
             name: 'api_version',
-            status: 'pass',
-            detail: version ? `server ${version}` : 'reachable (no version in response)',
+            status: 'warn',
+            detail: `HTTP ${lastStatus ?? 404} from ${lastPath}`,
         };
     }
     catch (err) {
@@ -33863,7 +33943,7 @@ async function startStdioServer(options) {
     await server.connect(transport);
 }
 
-const VERSION = "0.1.2" ;
+const VERSION = "0.1.5" ;
 const ASCII_LOGO = `
      _
   __| |  ___    ___   __      __
@@ -33880,6 +33960,10 @@ function printLogo() {
     process.stdout.write('  Not logged in.\n\n');
     process.stdout.write('  Run \x1b[36mdoow login\x1b[0m to get started.\n\n');
 }
+function readString(data, key) {
+    const value = data[key];
+    return typeof value === 'string' ? value : undefined;
+}
 // ---------------------------------------------------------------------------
 // loginHandler — exported for testability
 // ---------------------------------------------------------------------------
@@ -33989,14 +34073,28 @@ async function whoamiHandler(globalOpts, credentialStore) {
         process.exit(1);
     }
     const data = (await res.json());
-    const email = data['email'] ?? '(unknown)';
-    const org = data['organization'] ?? '(unknown)';
+    const email = readString(data, 'email') ?? '(unknown)';
+    const organizationId = readString(data, 'organization_id');
+    const org = readString(data, 'organization') ?? organizationId ?? '(unknown)';
+    const role = readString(data, 'role');
+    const capabilities = Array.isArray(data['capabilities'])
+        ? data['capabilities'].filter((value) => typeof value === 'string')
+        : undefined;
     if (isJson) {
-        process.stdout.write(JSON.stringify({ email, organization: org, profile: profileName }) + '\n');
+        process.stdout.write(JSON.stringify({
+            email,
+            organization: org,
+            organizationId,
+            role,
+            capabilities,
+            profile: profileName,
+        }) + '\n');
     }
     else {
         process.stderr.write(`Logged in as ${email}\n`);
         process.stderr.write(`Organization: ${org}\n`);
+        if (role)
+            process.stderr.write(`Role: ${role}\n`);
         process.stderr.write(`Auth: ${resolved.source}\n`);
         process.stderr.write(`Profile: ${profileName}\n`);
     }
@@ -34071,8 +34169,12 @@ program
     .option('--token-stdin', 'Read raw access token from stdin')
     .action(async (opts) => {
     const globalOpts = program.opts();
+    const mergedOpts = {
+        ...opts,
+        apiKey: opts.apiKey ?? globalOpts.apiKey,
+    };
     try {
-        await loginHandler(opts, globalOpts);
+        await loginHandler(mergedOpts, globalOpts);
     }
     catch (err) {
         process.stderr.write(`Error: ${err instanceof Error ? err.message : String(err)}\n`);