@doubledigit/cli 0.11.1 → 0.13.0

package/README.md

@@ -126,6 +126,28 @@ npx @doubledigit/cli@latest actions component-hub register-component --json-file
 
 Component Hub uses the canonical `component-hub` action command. `init` and `add` are handled locally by the CLI because they create or modify files on the caller's machine. Other actions, such as search and registry lookup, call the configured Double Digit app over HTTP. The old `remotion-hub` action name remains a legacy alias.
 
+### Authentication
+
+Public catalog actions can still run without credentials. Project-scoped actions and private deployments require either an interactive login or an API key:
+
+```bash
+npx @doubledigit/cli@latest login --url https://your-double-digit-app.example
+npx @doubledigit/cli@latest whoami --url https://your-double-digit-app.example
+npx @doubledigit/cli@latest org list --url https://your-double-digit-app.example
+npx @doubledigit/cli@latest org use acme --url https://your-double-digit-app.example
+npx @doubledigit/cli@latest actions component-hub list-projects --org acme --url https://your-double-digit-app.example
+```
+
+`dd login` stores a per-host bearer credential under the user config directory (`~/.config/doubledigit/credentials.json` on Linux/macOS, `%APPDATA%\doubledigit\credentials.json` on Windows) with private file permissions where supported. `dd logout` removes the stored host credential.
+
+CI and agent automation should use an API key created from the app admin security dashboard at `/admin/security/api-keys`:
+
+```bash
+DD_API_KEY=dd_... DD_ORG=acme npx @doubledigit/cli@latest actions component-hub list-projects --url https://your-double-digit-app.example
+```
+
+Auth header resolution is `DD_API_KEY` or `DD_TOKEN` first, then the stored login token. Active organization resolution is `--org`, then `DD_ORG`, then the stored default selected by `dd org use`.
+
 Pass `--framework remotion|hyperframe` when the target framework is known. Remotion remains the default for compatibility and creates Remotion's Hello World starter so `remotion studio` opens with a visible composition. HyperFrames init requires Node.js 22 or newer and uses `npx hyperframes preview` as its dev command.
 
 Pass `--skip-framework-create` when adding Component Hub files to an existing project. `--skip-remotion-create` and `--hub-only` remain compatibility aliases.
@@ -139,6 +161,7 @@ npx skills add crystalphantom/double-digit --skill dd-component-hub --agent '*'
 ```
 
 Pass `--skip-skills` to skip skill installation. If skill installation fails, init still completes the project scaffold and prints exact retry commands. Use `--yes` for agent-run or scripted init flows; `-y` and `--non-interactive` are accepted compatibility aliases and are forwarded to nested framework scaffolds where supported.
+For HyperFrames, non-interactive init accepts the framework skill defaults by installing `animejs` for all agents without prompting.
 
 Register a component with simple JSON:
 

package/dist/commands/actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../src/commands/actions.ts"],"names":[],"mappings":"AAuCA,wBAAgB,uBAAuB,WAKtC;AAsED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE;WACf,MAAM;WAAS,MAAM;IAuBxD;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,WAGtD;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,WAGrD;AAED,wBAAgB,gCAAgC,CAAC,IAAI,EAAE,MAAM,EAAE,YAI9D;AAED,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,EAAE,YAI7D;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuC3D"}
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../../src/commands/actions.ts"],"names":[],"mappings":"AAwCA,wBAAgB,uBAAuB,WAKtC;AAuED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE;WACf,MAAM;WAAS,MAAM;IAuBxD;AAED,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,EAAE,WAGtD;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,WAGrD;AAED,wBAAgB,gCAAgC,CAAC,IAAI,EAAE,MAAM,EAAE,YAI9D;AAED,wBAAgB,+BAA+B,CAAC,IAAI,EAAE,MAAM,EAAE,YAI7D;AAED,wBAAsB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuC3D"}

package/dist/commands/actions.js

@@ -16,6 +16,7 @@ const actionValueOptions = new Set([
     '--kind',
     '--limit',
     '--namespace',
+    '--org',
     '--preview-type',
     '--query',
     '--json-file',
@@ -41,6 +42,7 @@ Usage:
 
 Options:
   --url, --app-url <url>      App URL (default: DD_APP_URL, APP_URL, BETTER_AUTH_URL, or ${getDefaultActionsAppUrl()})
+  --org <slug>                Active organization slug (default: --org, DD_ORG, or stored login default)
   --json <json>               JSON request body to send to the action
   --json-file <path>          Read the JSON request body from a file
   --query <text>              Set input.query

package/dist/commands/auth.d.ts

@@ -0,0 +1,15 @@
+import { type AuthStorePathsOptions } from '../lib/auth-store.js';
+type FetchLike = (input: string | URL, init?: RequestInit) => Promise<Response>;
+export interface AuthCommandOptions extends AuthStorePathsOptions {
+    env?: NodeJS.ProcessEnv;
+    fetchImpl?: FetchLike;
+    sleep?: (ms: number) => Promise<void>;
+    log?: (...parts: unknown[]) => void;
+    now?: () => number;
+}
+export declare function login(args: string[], options?: AuthCommandOptions): Promise<void>;
+export declare function logout(args: string[], options?: AuthCommandOptions): Promise<void>;
+export declare function whoami(args: string[], options?: AuthCommandOptions): Promise<void>;
+export declare function org(args: string[], options?: AuthCommandOptions): Promise<void>;
+export {};
+//# sourceMappingURL=auth.d.ts.map

package/dist/commands/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/commands/auth.ts"],"names":[],"mappings":"AASA,OAAO,EAIL,KAAK,qBAAqB,EAE3B,MAAM,sBAAsB,CAAC;AAK9B,KAAK,SAAS,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEhF,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAC/D,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACtC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IACpC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAyZD,wBAAsB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,GAAE,kBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAwD3F;AAED,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,GAAE,kBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAc5F;AAED,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,GAAE,kBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CAkC5F;AAED,wBAAsB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,OAAO,GAAE,kBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+EzF"}

package/dist/commands/auth.js

@@ -0,0 +1,467 @@
+import path from 'node:path';
+import { GENERATED_DEFAULT_ACTIONS_APP_URL } from '../generated/defaults.js';
+import { normalizeAppUrl, resolveActionAppUrl, resolveDefaultActionAppUrl, } from '../lib/actions-client.js';
+import { resolveAuthHeaders } from '../lib/auth-credential.js';
+import { clearStoredCredential, readStoredCredential, writeStoredCredential, } from '../lib/auth-store.js';
+import { DEFAULT_APP_URL, readEnvFile } from '../lib/onboarding.js';
+import { resolveWorkspacePaths } from '../paths.js';
+const CLIENT_ID = 'dd-cli';
+const DEVICE_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code';
+const HELP = `
+dd auth — Authenticate the Double Digit CLI
+
+Usage:
+  dd login [--url <url>]
+  dd logout [--url <url>]
+  dd whoami [--url <url>] [--json]
+  dd org list [--url <url>] [--json]
+  dd org use <slug> [--url <url>]
+
+Options:
+  --url, --app-url <url>      App URL (default: DD_APP_URL, APP_URL, BETTER_AUTH_URL, or ${getDefaultAuthAppUrl()})
+  --json                     Print machine-readable output where supported
+`;
+function getDefaultAuthAppUrl() {
+    return resolveDefaultActionAppUrl({
+        generatedUrl: GENERATED_DEFAULT_ACTIONS_APP_URL,
+        localDefaultUrl: DEFAULT_APP_URL,
+    });
+}
+function readAuthEnvFiles(paths) {
+    const env = {};
+    for (const envPath of [
+        path.join(paths.root, '.env'),
+        path.join(paths.mainAppDir, '.env'),
+        path.join(paths.root, '.env.local'),
+        path.join(paths.mainAppDir, '.env.local'),
+    ]) {
+        Object.assign(env, readEnvFile(envPath));
+    }
+    return env;
+}
+function tryResolveWorkspacePaths() {
+    try {
+        return resolveWorkspacePaths();
+    }
+    catch {
+        return undefined;
+    }
+}
+function parseAuthArgs(args) {
+    const positionals = [];
+    let appUrl;
+    let json = false;
+    let help = false;
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--help' || arg === '-h') {
+            help = true;
+            continue;
+        }
+        if (arg === '--json') {
+            json = true;
+            continue;
+        }
+        if (!arg.startsWith('--')) {
+            positionals.push(arg);
+            continue;
+        }
+        const [flag, inlineValue] = arg.split(/=(.*)/s, 2);
+        if (flag !== '--url' && flag !== '--app-url') {
+            throw new Error(`Unknown option: ${flag}`);
+        }
+        if (inlineValue !== undefined) {
+            appUrl = inlineValue;
+            continue;
+        }
+        const value = args[i + 1];
+        if (!value || value.startsWith('--')) {
+            throw new Error(`${flag} requires a value`);
+        }
+        appUrl = value;
+        i++;
+    }
+    return { appUrl, json, help, positionals };
+}
+function resolveAuthAppUrl(parsed) {
+    const paths = tryResolveWorkspacePaths();
+    return normalizeAppUrl(resolveActionAppUrl({
+        explicitUrl: parsed.appUrl,
+        fileEnv: paths ? readAuthEnvFiles(paths) : {},
+        defaultUrl: getDefaultAuthAppUrl(),
+    }));
+}
+async function parseJsonResponse(response, url) {
+    const text = await response.text();
+    if (!text)
+        return null;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        if (!response.ok) {
+            throw new Error(`Request to ${url} failed with HTTP ${response.status}`);
+        }
+        throw new Error(`Expected JSON response from ${url}`);
+    }
+}
+function objectPayload(payload) {
+    return payload && typeof payload === 'object' && !Array.isArray(payload)
+        ? payload
+        : {};
+}
+function readString(payload, ...keys) {
+    for (const key of keys) {
+        const value = payload[key];
+        if (typeof value === 'string' && value.trim())
+            return value;
+        if (typeof value === 'number' && Number.isFinite(value))
+            return String(value);
+    }
+    return undefined;
+}
+function readNumber(payload, fallback, ...keys) {
+    for (const key of keys) {
+        const value = payload[key];
+        if (typeof value === 'number' && Number.isFinite(value))
+            return value;
+    }
+    return fallback;
+}
+function getErrorCode(payload) {
+    const object = objectPayload(payload);
+    return readString(object, 'error', 'code') ?? 'request_failed';
+}
+function getErrorMessage(payload, fallback) {
+    const object = objectPayload(payload);
+    return readString(object, 'error_description', 'message', 'error') ?? fallback;
+}
+async function fetchJson(fetchImpl, url, init) {
+    let response;
+    try {
+        response = await fetchImpl(url, init);
+    }
+    catch (error) {
+        const detail = error instanceof Error ? error.message : String(error);
+        throw new Error(`Unable to reach ${url}: ${detail}. Set DD_APP_URL or pass --url.`);
+    }
+    return { response, payload: await parseJsonResponse(response, url) };
+}
+function normalizeDeviceCode(payload) {
+    const object = objectPayload(payload);
+    const deviceCode = readString(object, 'device_code', 'deviceCode');
+    const userCode = readString(object, 'user_code', 'userCode');
+    const verificationUri = readString(object, 'verification_uri', 'verificationUri');
+    if (!deviceCode || !userCode || !verificationUri) {
+        throw new Error('Device authorization response did not include a device code, user code, and verification URL.');
+    }
+    return {
+        deviceCode,
+        userCode,
+        verificationUri,
+        verificationUriComplete: readString(object, 'verification_uri_complete', 'verificationUriComplete'),
+        expiresIn: readNumber(object, 600, 'expires_in', 'expiresIn'),
+        interval: readNumber(object, 5, 'interval'),
+    };
+}
+function normalizeTokenSuccess(payload) {
+    const object = objectPayload(payload);
+    const accessToken = readString(object, 'access_token', 'accessToken');
+    if (!accessToken) {
+        throw new Error('Device authorization token response did not include an access token.');
+    }
+    return {
+        accessToken,
+        expiresIn: readNumber(object, 0, 'expires_in', 'expiresIn') || undefined,
+    };
+}
+function normalizeSessionIdentity(payload) {
+    const object = objectPayload(payload);
+    const userPayload = objectPayload(object.user);
+    const sessionPayload = objectPayload(object.session);
+    const user = {};
+    const id = readString(userPayload, 'id');
+    const email = readString(userPayload, 'email');
+    if (id)
+        user.id = id;
+    if (email)
+        user.email = email;
+    const activeOrganizationId = readString(sessionPayload, 'activeOrganizationId');
+    return {
+        ...(Object.keys(user).length > 0 ? { user } : {}),
+        session: activeOrganizationId ? { activeOrganizationId } : undefined,
+    };
+}
+function normalizeOrganizations(payload) {
+    const source = Array.isArray(payload)
+        ? payload
+        : Array.isArray(objectPayload(payload).organizations)
+            ? objectPayload(payload).organizations
+            : [];
+    return source.map((entry) => {
+        const object = objectPayload(entry);
+        return {
+            id: readString(object, 'id'),
+            slug: readString(object, 'slug'),
+            name: readString(object, 'name'),
+        };
+    }).filter((organization) => organization.id || organization.slug || organization.name);
+}
+async function fetchSession(appUrl, headers, fetchImpl) {
+    const url = `${appUrl}/api/auth/get-session`;
+    const { response, payload } = await fetchJson(fetchImpl, url, {
+        method: 'GET',
+        headers,
+    });
+    if (!response.ok || !payload) {
+        throw new Error(getErrorMessage(payload, 'Not signed in.'));
+    }
+    const identity = normalizeSessionIdentity(payload);
+    if (!identity.user?.id && !identity.user?.email) {
+        throw new Error('Not signed in.');
+    }
+    return identity;
+}
+async function fetchOrganizations(appUrl, headers, fetchImpl) {
+    const url = `${appUrl}/api/auth/organization/list`;
+    const { response, payload } = await fetchJson(fetchImpl, url, {
+        method: 'GET',
+        headers,
+    });
+    if (!response.ok) {
+        throw new Error(getErrorMessage(payload, 'Unable to list organizations.'));
+    }
+    return normalizeOrganizations(payload);
+}
+async function resolveLoginDefaultOrg({ existingDefaultOrg, activeOrganizationId, appUrl, headers, fetchImpl, }) {
+    if (existingDefaultOrg) {
+        return existingDefaultOrg;
+    }
+    if (!activeOrganizationId) {
+        return undefined;
+    }
+    try {
+        const organizations = await fetchOrganizations(appUrl, headers, fetchImpl);
+        const match = organizations.find((organization) => organization.id === activeOrganizationId);
+        return match?.slug ?? match?.id ?? activeOrganizationId;
+    }
+    catch {
+        return activeOrganizationId;
+    }
+}
+async function requestDeviceCode(appUrl, fetchImpl) {
+    const url = `${appUrl}/api/auth/device/code`;
+    const { response, payload } = await fetchJson(fetchImpl, url, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ client_id: CLIENT_ID }),
+    });
+    if (!response.ok) {
+        throw new Error(getErrorMessage(payload, 'Unable to start device authorization.'));
+    }
+    return normalizeDeviceCode(payload);
+}
+async function pollDeviceToken({ appUrl, deviceCode, expiresIn, interval, fetchImpl, sleep, now, }) {
+    const url = `${appUrl}/api/auth/device/token`;
+    const deadline = now() + expiresIn * 1000;
+    let intervalMs = Math.max(1, interval) * 1000;
+    while (now() < deadline) {
+        const { response, payload } = await fetchJson(fetchImpl, url, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                grant_type: DEVICE_GRANT_TYPE,
+                device_code: deviceCode,
+                client_id: CLIENT_ID,
+            }),
+        });
+        if (response.ok) {
+            return normalizeTokenSuccess(payload);
+        }
+        const code = getErrorCode(payload);
+        if (code === 'authorization_pending') {
+            await sleep(intervalMs);
+            continue;
+        }
+        if (code === 'slow_down') {
+            intervalMs += 5000;
+            await sleep(intervalMs);
+            continue;
+        }
+        if (code === 'expired_token') {
+            throw new Error('Device authorization expired. Run `dd login` again.');
+        }
+        if (code === 'access_denied') {
+            throw new Error('Device authorization was denied.');
+        }
+        throw new Error(getErrorMessage(payload, 'Device authorization failed.'));
+    }
+    throw new Error('Device authorization expired. Run `dd login` again.');
+}
+export async function login(args, options = {}) {
+    const parsed = parseAuthArgs(args);
+    const log = options.log ?? console.log;
+    if (parsed.help) {
+        log(HELP);
+        return;
+    }
+    if (parsed.positionals.length > 0) {
+        throw new Error(`Unexpected positional argument: ${parsed.positionals[0]}`);
+    }
+    const appUrl = resolveAuthAppUrl(parsed);
+    const fetchImpl = options.fetchImpl ?? fetch;
+    const sleep = options.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+    const now = options.now ?? Date.now;
+    const code = await requestDeviceCode(appUrl, fetchImpl);
+    log(`Visit: ${code.verificationUriComplete ?? code.verificationUri}`);
+    log(`Code: ${code.userCode}`);
+    log('Waiting for approval...');
+    const token = await pollDeviceToken({
+        appUrl,
+        deviceCode: code.deviceCode,
+        expiresIn: code.expiresIn,
+        interval: code.interval,
+        fetchImpl,
+        sleep,
+        now,
+    });
+    const existing = readStoredCredential({ appUrl, env: options.env, platform: options.platform, homedir: options.homedir });
+    const authHeaders = { Authorization: `Bearer ${token.accessToken}` };
+    const identity = await fetchSession(appUrl, authHeaders, fetchImpl);
+    const defaultOrg = await resolveLoginDefaultOrg({
+        existingDefaultOrg: existing?.defaultOrg,
+        activeOrganizationId: identity.session?.activeOrganizationId,
+        appUrl,
+        headers: authHeaders,
+        fetchImpl,
+    });
+    writeStoredCredential({
+        appUrl,
+        env: options.env,
+        platform: options.platform,
+        homedir: options.homedir,
+        credential: {
+            token: token.accessToken,
+            ...(defaultOrg ? { defaultOrg } : {}),
+            ...(identity.user ? { user: identity.user } : {}),
+        },
+    });
+    const label = identity.user?.email ?? identity.user?.id ?? 'current user';
+    log(`Signed in to ${appUrl} as ${label}.`);
+}
+export async function logout(args, options = {}) {
+    const parsed = parseAuthArgs(args);
+    const log = options.log ?? console.log;
+    if (parsed.help) {
+        log(HELP);
+        return;
+    }
+    if (parsed.positionals.length > 0) {
+        throw new Error(`Unexpected positional argument: ${parsed.positionals[0]}`);
+    }
+    const appUrl = resolveAuthAppUrl(parsed);
+    clearStoredCredential({ appUrl, env: options.env, platform: options.platform, homedir: options.homedir });
+    log(`Signed out of ${appUrl}.`);
+}
+export async function whoami(args, options = {}) {
+    const parsed = parseAuthArgs(args);
+    const log = options.log ?? console.log;
+    if (parsed.help) {
+        log(HELP);
+        return;
+    }
+    if (parsed.positionals.length > 0) {
+        throw new Error(`Unexpected positional argument: ${parsed.positionals[0]}`);
+    }
+    const appUrl = resolveAuthAppUrl(parsed);
+    const headers = resolveAuthHeaders({
+        appUrl,
+        env: options.env,
+        platform: options.platform,
+        homedir: options.homedir,
+    });
+    if (!headers.Authorization && !headers['x-api-key']) {
+        throw new Error('Not signed in. Run `dd login` or set DD_API_KEY.');
+    }
+    const identity = await fetchSession(appUrl, headers, options.fetchImpl ?? fetch);
+    if (parsed.json) {
+        log(JSON.stringify({ appUrl, ...identity }, null, 2));
+        return;
+    }
+    const stored = readStoredCredential({ appUrl, env: options.env, platform: options.platform, homedir: options.homedir });
+    log(`Signed in to ${appUrl}`);
+    log(`User: ${identity.user?.email ?? identity.user?.id ?? 'unknown'}`);
+    if (stored?.defaultOrg) {
+        log(`Default organization: ${stored.defaultOrg}`);
+    }
+}
+export async function org(args, options = {}) {
+    const parsed = parseAuthArgs(args);
+    const log = options.log ?? console.log;
+    const subcommand = parsed.positionals[0] ?? 'list';
+    if (parsed.help) {
+        log(HELP);
+        return;
+    }
+    const appUrl = resolveAuthAppUrl(parsed);
+    const headers = resolveAuthHeaders({
+        appUrl,
+        env: options.env,
+        platform: options.platform,
+        homedir: options.homedir,
+    });
+    if (!headers.Authorization && !headers['x-api-key']) {
+        throw new Error('Not signed in. Run `dd login` or set DD_API_KEY.');
+    }
+    if (subcommand === 'list') {
+        if (parsed.positionals.length > 1) {
+            throw new Error(`Unexpected positional argument: ${parsed.positionals[1]}`);
+        }
+        const organizations = await fetchOrganizations(appUrl, headers, options.fetchImpl ?? fetch);
+        if (parsed.json) {
+            log(JSON.stringify({ appUrl, organizations }, null, 2));
+            return;
+        }
+        if (organizations.length === 0) {
+            log('No organizations found.');
+            return;
+        }
+        for (const organization of organizations) {
+            const slug = organization.slug ? ` (${organization.slug})` : '';
+            const id = organization.id ? ` [${organization.id}]` : '';
+            log(`${organization.name ?? organization.slug ?? organization.id}${slug}${id}`);
+        }
+        return;
+    }
+    if (subcommand === 'use') {
+        const slug = parsed.positionals[1];
+        if (!slug) {
+            throw new Error('Usage: dd org use <slug>');
+        }
+        if (parsed.positionals.length > 2) {
+            throw new Error(`Unexpected positional argument: ${parsed.positionals[2]}`);
+        }
+        const stored = readStoredCredential({ appUrl, env: options.env, platform: options.platform, homedir: options.homedir });
+        if (!stored?.token) {
+            throw new Error('No stored login found. Run `dd login` before saving a default organization.');
+        }
+        const organizations = await fetchOrganizations(appUrl, headers, options.fetchImpl ?? fetch);
+        const match = organizations.find((organization) => organization.slug === slug || organization.id === slug);
+        if (!match) {
+            throw new Error(`Organization not found or not available to this user: ${slug}`);
+        }
+        writeStoredCredential({
+            appUrl,
+            env: options.env,
+            platform: options.platform,
+            homedir: options.homedir,
+            credential: {
+                ...stored,
+                defaultOrg: match.slug ?? match.id ?? slug,
+            },
+        });
+        log(`Default organization set to ${match.slug ?? match.id ?? slug}.`);
+        return;
+    }
+    throw new Error(`Unknown org subcommand: ${subcommand}`);
+}

package/dist/commands/component-hub-init.d.ts

@@ -1,4 +1,5 @@
 import { type RunComponentHubInitResult } from '../lib/component-hub-init.js';
 export declare function buildComponentHubInitHelp(): string;
+export declare function buildComponentHubInitNextSteps(result: RunComponentHubInitResult): string[];
 export declare function runComponentHubInitCommand(args: string[]): RunComponentHubInitResult | undefined;
 //# sourceMappingURL=component-hub-init.d.ts.map

package/dist/commands/component-hub-init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"component-hub-init.d.ts","sourceRoot":"","sources":["../../src/commands/component-hub-init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,KAAK,yBAAyB,EAAE,MAAM,8BAA8B,CAAC;AAuFnG,wBAAgB,yBAAyB,WAgCxC;AAkCD,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,yBAAyB,GAAG,SAAS,CA8BhG"}
+{"version":3,"file":"component-hub-init.d.ts","sourceRoot":"","sources":["../../src/commands/component-hub-init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,KAAK,yBAAyB,EAAE,MAAM,8BAA8B,CAAC;AAuFnG,wBAAgB,yBAAyB,WAgCxC;AAED,wBAAgB,8BAA8B,CAAC,MAAM,EAAE,yBAAyB,GAAG,MAAM,EAAE,CAyB1F;AAuCD,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,yBAAyB,GAAG,SAAS,CA8BhG"}

package/dist/commands/component-hub-init.js

@@ -102,6 +102,24 @@ Examples:
   npx @doubledigit/cli@latest actions component-hub init my-video --registry https://double-digit.example
 `;
 }
+export function buildComponentHubInitNextSteps(result) {
+    const ddComponentHubSkillInstalled = result.skills.commands.some((command) => command.success && command.args.includes('dd-component-hub'));
+    const lines = [
+        'Next steps:',
+        `  1. cd ${result.projectDir}`,
+    ];
+    if (result.skills.skipped) {
+        lines.push('  2. Install the project skills when you want agent guidance, or rerun init without --skip-skills.');
+    }
+    else if (ddComponentHubSkillInstalled) {
+        lines.push('  2. Start your AI coding agent from this directory so it loads .agents/skills/dd-component-hub.');
+    }
+    else {
+        lines.push('  2. Retry the failed skill installs above, then start your AI coding agent from this directory.');
+    }
+    lines.push('  3. First agent prompt:', `     "Use dd-component-hub. Search Component Hub for a ${result.framework} component before building anything custom."`, `  4. Preview locally: ${result.devCommand}`);
+    return lines;
+}
 function printInit(result) {
     console.log(`Initialized Component Hub in ${result.projectDir}`);
     console.log(`Framework: ${result.framework}`);
@@ -132,6 +150,10 @@ function printInit(result) {
             }
         }
     }
+    console.log('');
+    for (const line of buildComponentHubInitNextSteps(result)) {
+        console.log(line);
+    }
 }
 export function runComponentHubInitCommand(args) {
     const parsed = parseArgs(args);

package/dist/generated/defaults.d.ts

@@ -1,2 +1,2 @@
-export declare const GENERATED_DEFAULT_ACTIONS_APP_URL = "https://necto.pro";
+export declare const GENERATED_DEFAULT_ACTIONS_APP_URL = "https://doubledigit.vercel.app";
 //# sourceMappingURL=defaults.d.ts.map

package/dist/generated/defaults.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/generated/defaults.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iCAAiC,sBAAsB,CAAC"}
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/generated/defaults.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iCAAiC,mCAAmC,CAAC"}

package/dist/generated/defaults.js

@@ -1 +1 @@
-export const GENERATED_DEFAULT_ACTIONS_APP_URL = "https://necto.pro";
+export const GENERATED_DEFAULT_ACTIONS_APP_URL = "https://doubledigit.vercel.app";

package/dist/index.d.ts

@@ -6,7 +6,7 @@
  * without importing the full extension-management dependency graph first.
  */
 declare const command: string, args: string[];
-declare const HELP = "\n@doubledigit/cli \u2014 Manage extensions and local setup\n\nCommands:\n  doctor                 Check local prerequisites and project health\n  onboard                Prepare local development and start the app\n  run                    Start the local app with automatic DB bootstrap\n  dev                    Start DB + app without migrations or seed data\n  db <subcommand>        Database helpers (status, migrate, create)\n  actions <app> [action] Discover and invoke micro-app actions\n  create <name>          Scaffold a new micro-app from the template\n  init <project-name>    Scaffold a new Double Digit project\n  add|install <source>   Install an extension from GitHub or a marketplace\n  sync                   Regenerate micro-apps.ts from dd-apps.config.json\n  enable <name>          Enable a micro-app (updates config + runs sync)\n  disable <name>         Disable a micro-app (updates config + runs sync)\n  uninstall|remove <name> Completely remove a micro-app\n  list                   List all discovered micro-apps with enabled/disabled status\n  info <name>            Show detailed info about an installed extension\n  outdated               Check for outdated marketplace extensions\n  reconcile              Detect drift between lock file, marketplace, and local files\n  marketplace <sub>      Manage marketplace registrations (add/list/update/remove)\n  browse [marketplace]   Browse available extensions in registered marketplaces\n\nOptions:\n  --help, -h             Show this help message\n\nExamples:\n  dd doctor\n  dd onboard --yes\n  dd onboard                    # setup + start the dev server\n  dd onboard --no-run           # setup only\n  dd init my-project           # scaffold and bootstrap a fresh project\n  dd init my-project --run      # scaffold + bootstrap + start\n  dd init my-project --skip-install --no-git\n  dd run\n  dd dev\n  dd db status\n  npx @doubledigit/cli@latest actions component-hub init my-video --framework remotion --yes\n  npx @doubledigit/cli@latest actions component-hub init my-video --framework remotion --skip-skills\n  npx @doubledigit/cli@latest actions component-hub search-components --framework remotion --query \"animated chart\"\n  dd create invoice-tracker\n  dd add gh:owner/repo/extensions/micro-apps/habit-tracker\n  dd add habit-tracker@community\n  dd info habit-tracker\n  dd reconcile\n  dd marketplace add digitaldouble/dd-marketplace\n  dd browse community\n  DD_APPS=tasks,agent-v2 dd sync\n  dd sync --profile necto-component-hub\n";
+declare const HELP = "\n@doubledigit/cli \u2014 Manage extensions and local setup\n\nCommands:\n  doctor                 Check local prerequisites and project health\n  onboard                Prepare local development and start the app\n  run                    Start the local app with automatic DB bootstrap\n  dev                    Start DB + app without migrations or seed data\n  db <subcommand>        Database helpers (status, migrate, create)\n  login                  Sign in with browser-based device authorization\n  logout                 Remove stored CLI credentials\n  whoami                 Show the signed-in CLI user\n  org <subcommand>       List or select the default organization\n  actions <app> [action] Discover and invoke micro-app actions\n  create <name>          Scaffold a new micro-app from the template\n  init <project-name>    Scaffold a new Double Digit project\n  add|install <source>   Install an extension from GitHub or a marketplace\n  sync                   Regenerate micro-apps.ts from dd-apps.config.json\n  enable <name>          Enable a micro-app (updates config + runs sync)\n  disable <name>         Disable a micro-app (updates config + runs sync)\n  uninstall|remove <name> Completely remove a micro-app\n  list                   List all discovered micro-apps with enabled/disabled status\n  info <name>            Show detailed info about an installed extension\n  outdated               Check for outdated marketplace extensions\n  reconcile              Detect drift between lock file, marketplace, and local files\n  marketplace <sub>      Manage marketplace registrations (add/list/update/remove)\n  browse [marketplace]   Browse available extensions in registered marketplaces\n\nOptions:\n  --help, -h             Show this help message\n\nExamples:\n  dd doctor\n  dd onboard --yes\n  dd onboard                    # setup + start the dev server\n  dd onboard --no-run           # setup only\n  dd init my-project           # scaffold and bootstrap a fresh project\n  dd init my-project --run      # scaffold + bootstrap + start\n  dd init my-project --skip-install --no-git\n  dd run\n  dd dev\n  dd login --url https://component-hub.example.com\n  dd whoami\n  dd org list\n  dd org use my-org\n  dd db status\n  npx @doubledigit/cli@latest actions component-hub init my-video --framework remotion --yes\n  npx @doubledigit/cli@latest actions component-hub init my-video --framework remotion --skip-skills\n  npx @doubledigit/cli@latest actions component-hub search-components --framework remotion --query \"animated chart\"\n  dd create invoice-tracker\n  dd add gh:owner/repo/extensions/micro-apps/habit-tracker\n  dd add habit-tracker@community\n  dd info habit-tracker\n  dd reconcile\n  dd marketplace add digitaldouble/dd-marketplace\n  dd browse community\n  DD_APPS=tasks,agent-v2 dd sync\n  dd sync --profile necto-component-hub\n";
 declare function requireArg(value: string | undefined, usage: string): string;
 declare function runAddCommand(rawArgs: string[]): Promise<void>;
 declare function main(): Promise<void>;

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,QAAA,MAAW,OAAO,UAAK,IAAI,UAAgB,CAAC;AAE5C,QAAA,MAAM,IAAI,q+EAkDT,CAAC;AAEF,iBAAS,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOpE;AAED,iBAAe,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB7D;AAED,iBAAe,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAsInC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;GAKG;AAEH,QAAA,MAAW,OAAO,UAAK,IAAI,UAAgB,CAAC;AAE5C,QAAA,MAAM,IAAI,o0FA0DT,CAAC;AAEF,iBAAS,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOpE;AAED,iBAAe,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB7D;AAED,iBAAe,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CA8JnC"}

package/dist/index.js

@@ -16,6 +16,10 @@ Commands:
   run                    Start the local app with automatic DB bootstrap
   dev                    Start DB + app without migrations or seed data
   db <subcommand>        Database helpers (status, migrate, create)
+  login                  Sign in with browser-based device authorization
+  logout                 Remove stored CLI credentials
+  whoami                 Show the signed-in CLI user
+  org <subcommand>       List or select the default organization
   actions <app> [action] Discover and invoke micro-app actions
   create <name>          Scaffold a new micro-app from the template
   init <project-name>    Scaffold a new Double Digit project
@@ -44,6 +48,10 @@ Examples:
   dd init my-project --skip-install --no-git
   dd run
   dd dev
+  dd login --url https://component-hub.example.com
+  dd whoami
+  dd org list
+  dd org use my-org
   dd db status
   npx @doubledigit/cli@latest actions component-hub init my-video --framework remotion --yes
   npx @doubledigit/cli@latest actions component-hub init my-video --framework remotion --skip-skills
@@ -116,6 +124,26 @@ async function main() {
             await db(args);
             break;
         }
+        case 'login': {
+            const { login } = await import('./commands/auth.js');
+            await login(args);
+            break;
+        }
+        case 'logout': {
+            const { logout } = await import('./commands/auth.js');
+            await logout(args);
+            break;
+        }
+        case 'whoami': {
+            const { whoami } = await import('./commands/auth.js');
+            await whoami(args);
+            break;
+        }
+        case 'org': {
+            const { org } = await import('./commands/auth.js');
+            await org(args);
+            break;
+        }
         case 'actions':
         case 'action': {
             const { actions } = await import('./commands/actions.js');

package/dist/lib/actions-client.d.ts

@@ -1,8 +1,10 @@
+import { type ResolveAuthHeadersOptions } from './auth-credential.js';
 export interface ParsedActionsArgs {
     microApp?: string;
     actionName?: string;
     extraPositionals: string[];
     appUrl?: string;
+    org?: string;
     input: Record<string, unknown>;
     help: boolean;
 }
@@ -10,6 +12,9 @@ export interface ActionRequest {
     url: string;
     init: RequestInit;
 }
+export interface BuildActionRequestOptions extends Pick<ResolveAuthHeadersOptions, 'env' | 'platform' | 'homedir'> {
+    org?: string;
+}
 export interface ResolveActionAppUrlOptions {
     explicitUrl?: string;
     env?: Record<string, string | undefined>;
@@ -26,6 +31,6 @@ export declare function resolveActionAppUrl({ explicitUrl, env, fileEnv, default
 export declare function parseActionsArgs(args: string[]): ParsedActionsArgs;
 export declare function normalizeAppUrl(appUrl: string): string;
 export declare function isLocalAppUrl(appUrl: string): boolean;
-export declare function buildActionRequest(parsed: Pick<ParsedActionsArgs, 'microApp' | 'actionName' | 'input'>, appUrl: string): ActionRequest;
+export declare function buildActionRequest(parsed: Pick<ParsedActionsArgs, 'microApp' | 'actionName' | 'input' | 'org'>, appUrl: string, options?: BuildActionRequestOptions): ActionRequest;
 export declare function fetchActionRequest(request: ActionRequest): Promise<unknown>;
 //# sourceMappingURL=actions-client.d.ts.map

package/dist/lib/actions-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actions-client.d.ts","sourceRoot":"","sources":["../../src/lib/actions-client.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,WAAW,CAAC;CACnB;AAED,MAAM,WAAW,0BAA0B;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAC7C,UAAU,EAAE,MAAM,CAAC;CACpB;AAOD,MAAM,WAAW,iCAAiC;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACzC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,0BAA0B,CAAC,EACzC,GAAiB,EACjB,YAAY,EACZ,eAAe,GAChB,EAAE,iCAAiC,UAKnC;AAED,wBAAgB,mBAAmB,CAAC,EAClC,WAAW,EACX,GAAiB,EACjB,OAAY,EACZ,UAAU,GACX,EAAE,0BAA0B,UAS5B;AA4ED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,iBAAiB,CA+DlE;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,UAS7C;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,WAK3C;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,IAAI,CAAC,iBAAiB,EAAE,UAAU,GAAG,YAAY,GAAG,OAAO,CAAC,EACpE,MAAM,EAAE,MAAM,GACb,aAAa,CAoBf;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,CAiCjF"}
+{"version":3,"file":"actions-client.d.ts","sourceRoot":"","sources":["../../src/lib/actions-client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAsB,KAAK,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AAE1F,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,WAAW,CAAC;CACnB;AAED,MAAM,WAAW,yBAA0B,SAAQ,IAAI,CAAC,yBAAyB,EAAE,KAAK,GAAG,UAAU,GAAG,SAAS,CAAC;IAChH,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,0BAA0B;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACzC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IAC7C,UAAU,EAAE,MAAM,CAAC;CACpB;AAOD,MAAM,WAAW,iCAAiC;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACzC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,0BAA0B,CAAC,EACzC,GAAiB,EACjB,YAAY,EACZ,eAAe,GAChB,EAAE,iCAAiC,UAKnC;AAED,wBAAgB,mBAAmB,CAAC,EAClC,WAAW,EACX,GAAiB,EACjB,OAAY,EACZ,UAAU,GACX,EAAE,0BAA0B,UAS5B;AA4ED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAmElE;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,UAS7C;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,WAK3C;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,IAAI,CAAC,iBAAiB,EAAE,UAAU,GAAG,YAAY,GAAG,OAAO,GAAG,KAAK,CAAC,EAC5E,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,yBAA8B,GACtC,aAAa,CAiCf;AAED,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,CAoCjF"}

package/dist/lib/actions-client.js

@@ -1,4 +1,5 @@
 import { readFileSync } from 'node:fs';
+import { resolveAuthHeaders } from './auth-credential.js';
 function readUrlValue(value) {
     const trimmed = value?.trim();
     return trimmed || undefined;
@@ -90,6 +91,7 @@ export function parseActionsArgs(args) {
     const input = {};
     const positional = [];
     let appUrl;
+    let org;
     let help = false;
     for (let i = 0; i < args.length; i++) {
         const arg = args[i];
@@ -112,6 +114,9 @@ export function parseActionsArgs(args) {
         if (flag === '--url' || flag === '--app-url') {
             appUrl = readValue();
         }
+        else if (flag === '--org') {
+            org = readValue();
+        }
         else if (flag === '--json') {
             Object.assign(input, parseJsonValue(readValue(), '--json'));
         }
@@ -154,6 +159,7 @@ export function parseActionsArgs(args) {
         actionName: positional[1],
         extraPositionals: positional.slice(2),
         appUrl,
+        org,
         input,
         help,
     };
@@ -174,23 +180,36 @@ export function isLocalAppUrl(appUrl) {
         || parsed.hostname === '127.0.0.1'
         || parsed.hostname === '::1';
 }
-export function buildActionRequest(parsed, appUrl) {
+export function buildActionRequest(parsed, appUrl, options = {}) {
     if (!parsed.microApp) {
         throw new Error('missing micro-app name');
     }
     const base = normalizeAppUrl(appUrl);
+    const authHeaders = resolveAuthHeaders({
+        appUrl: base,
+        org: parsed.org,
+        env: options.env,
+        platform: options.platform,
+        homedir: options.homedir,
+    });
     const actionPath = parsed.actionName
         ? `/${encodeURIComponent(parsed.actionName)}`
         : '';
+    const requestHeaders = parsed.actionName
+        ? { 'Content-Type': 'application/json', ...authHeaders }
+        : authHeaders;
     return {
         url: `${base}/api/${encodeURIComponent(parsed.microApp)}/actions${actionPath}`,
         init: parsed.actionName
             ? {
                 method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
+                headers: requestHeaders,
                 body: JSON.stringify(parsed.input),
             }
-            : { method: 'GET' },
+            : {
+                method: 'GET',
+                ...(Object.keys(requestHeaders).length > 0 ? { headers: requestHeaders } : {}),
+            },
     };
 }
 export async function fetchActionRequest(request) {
@@ -220,6 +239,9 @@ export async function fetchActionRequest(request) {
         const error = payload && typeof payload === 'object' && 'error' in payload
             ? String(payload.error)
             : `Request failed with HTTP ${response.status}`;
+        if (response.status === 401) {
+            throw new Error(`${error}. Run \`dd login\` or set DD_API_KEY.`);
+        }
         throw new Error(error);
     }
     return payload;

package/dist/lib/auth-credential.d.ts

@@ -0,0 +1,8 @@
+import { type AuthStorePathsOptions } from './auth-store.js';
+export interface ResolveAuthHeadersOptions extends AuthStorePathsOptions {
+    appUrl: string;
+    org?: string;
+    env?: NodeJS.ProcessEnv;
+}
+export declare function resolveAuthHeaders({ appUrl, org, env, ...storeOptions }: ResolveAuthHeadersOptions): Record<string, string>;
+//# sourceMappingURL=auth-credential.d.ts.map

package/dist/lib/auth-credential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-credential.d.ts","sourceRoot":"","sources":["../../src/lib/auth-credential.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwB,KAAK,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAEnF,MAAM,WAAW,yBAA0B,SAAQ,qBAAqB;IACtE,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;CACzB;AAED,wBAAgB,kBAAkB,CAAC,EACjC,MAAM,EACN,GAAG,EACH,GAAiB,EACjB,GAAG,YAAY,EAChB,EAAE,yBAAyB,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAsBpD"}

package/dist/lib/auth-credential.js

@@ -0,0 +1,25 @@
+import { readStoredCredential } from './auth-store.js';
+export function resolveAuthHeaders({ appUrl, org, env = process.env, ...storeOptions }) {
+    const headers = {};
+    const apiKey = readTrimmedValue(env.DD_API_KEY) ?? readTrimmedValue(env.DD_TOKEN);
+    const storedCredential = apiKey
+        ? undefined
+        : readStoredCredential({ appUrl, env, ...storeOptions });
+    if (apiKey) {
+        headers['x-api-key'] = apiKey;
+    }
+    else if (storedCredential?.token) {
+        headers.Authorization = `Bearer ${storedCredential.token}`;
+    }
+    const resolvedOrg = readTrimmedValue(org)
+        ?? readTrimmedValue(env.DD_ORG)
+        ?? readTrimmedValue(storedCredential?.defaultOrg);
+    if (resolvedOrg) {
+        headers['x-active-organization'] = resolvedOrg;
+    }
+    return headers;
+}
+function readTrimmedValue(value) {
+    const trimmed = value?.trim();
+    return trimmed || undefined;
+}

package/dist/lib/auth-store.d.ts

@@ -0,0 +1,33 @@
+export interface StoredAuthUser {
+    id?: string;
+    email?: string;
+}
+export interface StoredHostCredential {
+    token: string;
+    defaultOrg?: string;
+    user?: StoredAuthUser;
+}
+export interface AuthStorePathsOptions {
+    env?: NodeJS.ProcessEnv;
+    platform?: NodeJS.Platform;
+    homedir?: () => string;
+}
+export interface ReadStoredCredentialOptions extends AuthStorePathsOptions {
+    appUrl: string;
+}
+export interface WriteStoredCredentialOptions extends AuthStorePathsOptions {
+    appUrl: string;
+    credential: StoredHostCredential;
+}
+export interface ClearStoredCredentialOptions extends AuthStorePathsOptions {
+    appUrl: string;
+}
+export declare function getAuthStorePaths({ env, platform, homedir, }?: AuthStorePathsOptions): {
+    configDir: string;
+    credentialsPath: string;
+};
+export declare function getAuthHostKey(appUrl: string): string;
+export declare function readStoredCredential({ appUrl, ...options }: ReadStoredCredentialOptions): StoredHostCredential | undefined;
+export declare function writeStoredCredential({ appUrl, credential, ...options }: WriteStoredCredentialOptions): void;
+export declare function clearStoredCredential({ appUrl, ...options }: ClearStoredCredentialOptions): void;
+//# sourceMappingURL=auth-store.d.ts.map

package/dist/lib/auth-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.d.ts","sourceRoot":"","sources":["../../src/lib/auth-store.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,cAAc;IAC7B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,cAAc,CAAC;CACvB;AAMD,MAAM,WAAW,qBAAqB;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC3B,OAAO,CAAC,EAAE,MAAM,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,2BAA4B,SAAQ,qBAAqB;IACxE,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,4BAA6B,SAAQ,qBAAqB;IACzE,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,oBAAoB,CAAC;CAClC;AAED,MAAM,WAAW,4BAA6B,SAAQ,qBAAqB;IACzE,MAAM,EAAE,MAAM,CAAC;CAChB;AAUD,wBAAgB,iBAAiB,CAAC,EAChC,GAAiB,EACjB,QAA2B,EAC3B,OAAoB,GACrB,GAAE,qBAA0B;;;EAS5B;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,UAE5C;AAwDD,wBAAgB,oBAAoB,CAAC,EACnC,MAAM,EACN,GAAG,OAAO,EACX,EAAE,2BAA2B,GAAG,oBAAoB,GAAG,SAAS,CAGhE;AAED,wBAAgB,qBAAqB,CAAC,EACpC,MAAM,EACN,UAAU,EACV,GAAG,OAAO,EACX,EAAE,4BAA4B,GAAG,IAAI,CAIrC;AAED,wBAAgB,qBAAqB,CAAC,EACpC,MAAM,EACN,GAAG,OAAO,EACX,EAAE,4BAA4B,GAAG,IAAI,CAWrC"}

package/dist/lib/auth-store.js

@@ -0,0 +1,89 @@
+import { chmodSync, mkdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+const CONFIG_DIR_NAME = 'doubledigit';
+const CREDENTIALS_FILE_NAME = 'credentials.json';
+function readTrimmedValue(value) {
+    const trimmed = value?.trim();
+    return trimmed || undefined;
+}
+export function getAuthStorePaths({ env = process.env, platform = process.platform, homedir = os.homedir, } = {}) {
+    const configRoot = platform === 'win32'
+        ? readTrimmedValue(env.APPDATA) ?? path.join(homedir(), 'AppData', 'Roaming')
+        : readTrimmedValue(env.XDG_CONFIG_HOME) ?? path.join(homedir(), '.config');
+    const configDir = path.join(configRoot, CONFIG_DIR_NAME);
+    return {
+        configDir,
+        credentialsPath: path.join(configDir, CREDENTIALS_FILE_NAME),
+    };
+}
+export function getAuthHostKey(appUrl) {
+    return new URL(normalizeAuthStoreAppUrl(appUrl)).origin.toLowerCase();
+}
+function normalizeAuthStoreAppUrl(appUrl) {
+    const trimmed = appUrl.trim().replace(/\/+$/, '');
+    if (/^https?:\/\//i.test(trimmed)) {
+        return trimmed;
+    }
+    if (/^(localhost|127(?:\.\d{1,3}){3}|\[::1\])(?::|\/|$)/i.test(trimmed)) {
+        return `http://${trimmed}`;
+    }
+    return `https://${trimmed}`;
+}
+function readAuthStoreFile(options = {}) {
+    const { credentialsPath } = getAuthStorePaths(options);
+    try {
+        const raw = readFileSync(credentialsPath, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+            return { hosts: {} };
+        }
+        const hosts = parsed.hosts;
+        if (!hosts || typeof hosts !== 'object' || Array.isArray(hosts)) {
+            return { hosts: {} };
+        }
+        return { hosts: hosts };
+    }
+    catch (error) {
+        if (error.code === 'ENOENT') {
+            return { hosts: {} };
+        }
+        const detail = error instanceof Error ? error.message : String(error);
+        throw new Error(`Unable to read CLI credentials store: ${detail}`);
+    }
+}
+function writeAuthStoreFile(file, options = {}) {
+    const { configDir, credentialsPath } = getAuthStorePaths(options);
+    mkdirSync(configDir, { recursive: true });
+    writeFileSync(credentialsPath, `${JSON.stringify(file, null, 2)}\n`, {
+        encoding: 'utf8',
+        mode: 0o600,
+    });
+    if ((options.platform ?? process.platform) !== 'win32') {
+        try {
+            chmodSync(credentialsPath, 0o600);
+        }
+        catch {
+            // Best-effort on filesystems that do not support POSIX permissions.
+        }
+    }
+}
+export function readStoredCredential({ appUrl, ...options }) {
+    const file = readAuthStoreFile(options);
+    return file.hosts[getAuthHostKey(appUrl)];
+}
+export function writeStoredCredential({ appUrl, credential, ...options }) {
+    const file = readAuthStoreFile(options);
+    file.hosts[getAuthHostKey(appUrl)] = credential;
+    writeAuthStoreFile(file, options);
+}
+export function clearStoredCredential({ appUrl, ...options }) {
+    const file = readAuthStoreFile(options);
+    delete file.hosts[getAuthHostKey(appUrl)];
+    if (Object.keys(file.hosts).length === 0) {
+        const { credentialsPath } = getAuthStorePaths(options);
+        rmSync(credentialsPath, { force: true });
+        return;
+    }
+    writeAuthStoreFile(file, options);
+}

package/dist/lib/component-frameworks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"component-frameworks.d.ts","sourceRoot":"","sources":["../../src/lib/component-frameworks.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,oBAAoB,GAAG,UAAU,GAAG,YAAY,CAAC;AAE7D,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,oBAAoB,CAAC;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE;QAAE,cAAc,EAAE,OAAO,CAAA;KAAE,KAAK;QAChF,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,EAAE,CAAC;KAChB,CAAC;IACF,cAAc,EAAE,CAAC,OAAO,EAAE;QAAE,cAAc,EAAE,OAAO,CAAA;KAAE,KAAK,KAAK,CAAC;QAC9D,OAAO,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,mBAAmB,EAAE,CAAC,KAAK,EAAE;QAC3B,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,OAAO,CAAC;KACjB,KAAK,MAAM,CAAC;CACd;AAsDD,eAAO,MAAM,0BAA0B,EAAE,yBAAyB,EAuDjE,CAAC;AAEF,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,oBAAoB,CASzE;AAED,wBAAgB,4BAA4B,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,yBAAyB,CAKtF;AAED,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,yBAAyB,EAAE,WAAW,SAAwB,QAKrH"}
+{"version":3,"file":"component-frameworks.d.ts","sourceRoot":"","sources":["../../src/lib/component-frameworks.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,oBAAoB,GAAG,UAAU,GAAG,YAAY,CAAC;AAE7D,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,oBAAoB,CAAC;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,kBAAkB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE;QAAE,cAAc,EAAE,OAAO,CAAA;KAAE,KAAK;QAChF,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,EAAE,CAAC;KAChB,CAAC;IACF,cAAc,EAAE,CAAC,OAAO,EAAE;QAAE,cAAc,EAAE,OAAO,CAAA;KAAE,KAAK,KAAK,CAAC;QAC9D,OAAO,EAAE,KAAK,CAAC;QACf,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC,CAAC;IACH,mBAAmB,EAAE,CAAC,KAAK,EAAE;QAC3B,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,EAAE,MAAM,CAAC;QACnB,MAAM,EAAE,OAAO,CAAC;KACjB,KAAK,MAAM,CAAC;CACd;AA0ED,eAAO,MAAM,0BAA0B,EAAE,yBAAyB,EAuDjE,CAAC;AAEF,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,oBAAoB,CASzE;AAED,wBAAgB,4BAA4B,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,yBAAyB,CAKtF;AAED,wBAAgB,8BAA8B,CAAC,OAAO,EAAE,yBAAyB,EAAE,WAAW,SAAwB,QAKrH"}

package/dist/lib/component-frameworks.js

@@ -1,11 +1,25 @@
 import path from 'node:path';
-function addNonInteractiveAgentFlags(command, nonInteractive) {
-    if (!nonInteractive || !command.args.includes('--skill'))
+function addNonInteractiveSkillFlags(command, nonInteractive, options = {}) {
+    if (!nonInteractive)
         return command;
+    const args = [...command.args];
+    const displayParts = [command.display];
+    if (!args.includes('--skill') && options.defaultSkill) {
+        args.push('--skill', options.defaultSkill);
+        displayParts.push('--skill', options.defaultSkill);
+    }
+    if (!args.includes('--all') && !args.includes('--agent') && !args.includes('-a')) {
+        args.push('--agent', '*');
+        displayParts.push('--agent', "'*'");
+    }
+    if (!args.includes('--all') && !args.includes('--yes') && !args.includes('-y')) {
+        args.push('--yes');
+        displayParts.push('--yes');
+    }
     return {
         ...command,
-        args: [...command.args, '--agent', '*', '--yes'],
-        display: `${command.display} --agent '*' --yes`,
+        args,
+        display: displayParts.join(' '),
     };
 }
 function normalizeSlashes(value) {
@@ -57,7 +71,7 @@ export const componentFrameworkAdapters = [
                 args: ['skills', 'add', 'remotion-dev/skills', '--all'],
                 display: 'npx skills add remotion-dev/skills --all',
             },
-            addNonInteractiveAgentFlags({
+            addNonInteractiveSkillFlags({
                 command: 'npx',
                 args: ['skills', 'add', 'crystalphantom/double-digit', '--skill', 'dd-component-hub'],
                 display: 'npx skills add crystalphantom/double-digit --skill dd-component-hub',
@@ -82,12 +96,12 @@ export const componentFrameworkAdapters = [
             ],
         }),
         skillsCommands: ({ nonInteractive }) => [
-            addNonInteractiveAgentFlags({
+            addNonInteractiveSkillFlags({
                 command: 'npx',
                 args: ['skills', 'add', 'heygen-com/hyperframes'],
                 display: 'npx skills add heygen-com/hyperframes',
-            }, nonInteractive),
-            addNonInteractiveAgentFlags({
+            }, nonInteractive, { defaultSkill: 'animejs' }),
+            addNonInteractiveSkillFlags({
                 command: 'npx',
                 args: ['skills', 'add', 'crystalphantom/double-digit', '--skill', 'dd-component-hub'],
                 display: 'npx skills add crystalphantom/double-digit --skill dd-component-hub',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doubledigit/cli",
-  "version": "0.11.1",
+  "version": "0.13.0",
   "private": false,
   "description": "CLI for Double Digit local setup and extension management.",
   "license": "MIT",