npm - @dreamboard-games/cli - Versions diffs - 0.1.30-alpha.0 → 0.1.30-alpha.2 - Mend

@dreamboard-games/cli 0.1.30-alpha.0 → 0.1.30-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (114) hide show

package/dist/chunk-7FOO4AJI.js DELETED Viewed

@@ -1,50 +0,0 @@
-#!/usr/bin/env node
-// ../../node_modules/.pnpm/@dreamboard-games+sdk@0.4.0-alpha.0_@types+react-dom@19.2.3_@types+react@19.2.17__@type_b74cbe125b074769500a56e94fa7f664/node_modules/@dreamboard-games/sdk/dist/chunk-PZ5AY32C.js
-var __defProp = Object.defineProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-// ../../node_modules/.pnpm/@dreamboard-games+sdk@0.4.0-alpha.0_@types+react-dom@19.2.3_@types+react@19.2.17__@type_b74cbe125b074769500a56e94fa7f664/node_modules/@dreamboard-games/sdk/dist/chunk-3OZMHZK3.js
-var DEFAULT_REMEDY_BY_ARTIFACT = {
-  "base-states": "run `dreamboard test generate`, then re-run the tests.",
-  "session-state": "reset the dev session or run `dreamboard test generate`."
-};
-function artifactLabel(artifact) {
-  return artifact === "base-states" ? "base states" : "session state";
-}
-function artifactVerb(artifact) {
-  return artifact === "base-states" ? "were" : "was";
-}
-var StaleContractArtifactError = class extends Error {
-  code = "STALE_CONTRACT_ARTIFACT";
-  artifact;
-  expected;
-  found;
-  remedy;
-  constructor(options) {
-    const remedy = options.remedy ?? DEFAULT_REMEDY_BY_ARTIFACT[options.artifact];
-    super(
-      `${artifactLabel(options.artifact)} ${artifactVerb(
-        options.artifact
-      )} generated for contract ${options.found} but the current contract is ${options.expected}. Your state or phase schemas changed since the artifact was created. Remedy: ${remedy}`
-    );
-    this.name = "StaleContractArtifactError";
-    this.artifact = options.artifact;
-    this.expected = options.expected;
-    this.found = options.found;
-    this.remedy = remedy;
-  }
-};
-function isStaleContractArtifactError(error) {
-  return error instanceof StaleContractArtifactError || typeof error === "object" && error !== null && error.code === "STALE_CONTRACT_ARTIFACT";
-}
-export {
-  __export,
-  StaleContractArtifactError,
-  isStaleContractArtifactError
-};
-//# sourceMappingURL=chunk-7FOO4AJI.js.map

package/dist/chunk-7FOO4AJI.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../../../node_modules/.pnpm/@dreamboard-games+sdk@0.4.0-alpha.0_@types+react-dom@19.2.3_@types+react@19.2.17__@type_b74cbe125b074769500a56e94fa7f664/node_modules/@dreamboard-games/sdk/dist/chunk-PZ5AY32C.js","../../../node_modules/.pnpm/@dreamboard-games+sdk@0.4.0-alpha.0_@types+react-dom@19.2.3_@types+react@19.2.17__@type_b74cbe125b074769500a56e94fa7f664/node_modules/@dreamboard-games/sdk/src/reducer/stale-contract-artifact-error.ts"],"sourcesContent":["var __defProp = Object.defineProperty;\nvar __export = (target, all) => {\n for (var name in all)\n __defProp(target, name, { get: all[name], enumerable: true });\n};\n\nexport {\n __export\n};\n//# sourceMappingURL=chunk-PZ5AY32C.js.map","export type StaleContractArtifactKind = \"base-states\" | \"session-state\";\n\nexport type StaleContractArtifactErrorOptions = {\n artifact: StaleContractArtifactKind;\n expected: string;\n found: string;\n remedy?: string;\n};\n\nconst DEFAULT_REMEDY_BY_ARTIFACT: Record<StaleContractArtifactKind, string> = {\n \"base-states\": \"run `dreamboard test generate`, then re-run the tests.\",\n \"session-state\": \"reset the dev session or run `dreamboard test generate`.\",\n};\n\nfunction artifactLabel(artifact: StaleContractArtifactKind): string {\n return artifact === \"base-states\" ? \"base states\" : \"session state\";\n}\n\nfunction artifactVerb(artifact: StaleContractArtifactKind): string {\n return artifact === \"base-states\" ? \"were\" : \"was\";\n}\n\nexport class StaleContractArtifactError extends Error {\n readonly code = \"STALE_CONTRACT_ARTIFACT\";\n readonly artifact: StaleContractArtifactKind;\n readonly expected: string;\n readonly found: string;\n readonly remedy: string;\n\n constructor(options: StaleContractArtifactErrorOptions) {\n const remedy =\n options.remedy ?? DEFAULT_REMEDY_BY_ARTIFACT[options.artifact];\n super(\n `${artifactLabel(options.artifact)} ${artifactVerb(\n options.artifact,\n )} generated for contract ${options.found} but the current contract is ${\n options.expected\n }. ` +\n `Your state or phase schemas changed since the artifact was created. ` +\n `Remedy: ${remedy}`,\n );\n this.name = \"StaleContractArtifactError\";\n this.artifact = options.artifact;\n this.expected = options.expected;\n this.found = options.found;\n this.remedy = remedy;\n }\n}\n\nexport function isStaleContractArtifactError(\n error: unknown,\n): error is StaleContractArtifactError {\n return (\n error instanceof StaleContractArtifactError ||\n (typeof error === \"object\" &&\n error !== null &&\n (error as { code?: unknown }).code === \"STALE_CONTRACT_ARTIFACT\")\n );\n}\n"],"mappings":";;;AAAA,IAAI,YAAY,OAAO;AACvB,IAAI,WAAW,CAAC,QAAQ,QAAQ;AAC9B,WAAS,QAAQ;AACf,cAAU,QAAQ,MAAM,EAAE,KAAK,IAAI,IAAI,GAAG,YAAY,KAAK,CAAC;AAChE;;;ACKA,IAAM,6BAAwE;EAC5E,eAAe;EACf,iBAAiB;AACnB;AAEA,SAAS,cAAc,UAA6C;AAClE,SAAO,aAAa,gBAAgB,gBAAgB;AACtD;AAEA,SAAS,aAAa,UAA6C;AACjE,SAAO,aAAa,gBAAgB,SAAS;AAC/C;AAEO,IAAM,6BAAN,cAAyC,MAAM;EAC3C,OAAO;EACP;EACA;EACA;EACA;EAET,YAAY,SAA4C;AACtD,UAAM,SACJ,QAAQ,UAAU,2BAA2B,QAAQ,QAAQ;AAC/D;MACE,GAAG,cAAc,QAAQ,QAAQ,CAAC,IAAI;QACpC,QAAQ;MACV,CAAC,2BAA2B,QAAQ,KAAK,gCACvC,QAAQ,QACV,iFAEa,MAAM;IACrB;AACA,SAAK,OAAO;AACZ,SAAK,WAAW,QAAQ;AACxB,SAAK,WAAW,QAAQ;AACxB,SAAK,QAAQ,QAAQ;AACrB,SAAK,SAAS;EAChB;AACF;AAEO,SAAS,6BACd,OACqC;AACrC,SACE,iBAAiB,8BAChB,OAAO,UAAU,YAChB,UAAU,QACT,MAA6B,SAAS;AAE7C;","names":[]}

package/dist/chunk-TSJVWTJO.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/config/global-config.ts","../src/constants.ts","../src/utils/fs.ts","../src/utils/atomic-file.ts","../src/config/credential-store.ts"],"sourcesContent":["import os from \"node:os\";\nimport path from \"node:path\";\nimport type { CredentialBackendPreference, GlobalConfig } from \"../types.js\";\nimport { PROJECT_DIR_NAME } from \"../constants.js\";\nimport { ensureDir, readJsonFile } from \"../utils/fs.js\";\nimport { atomicWriteFile } from \"../utils/atomic-file.js\";\nimport { getCredentialFilePath } from \"./credential-store.js\";\n\nfunction normalizeCredentialBackend(\n value: unknown,\n): CredentialBackendPreference | undefined {\n if (value === \"file\" || value === \"keychain\") return value;\n // Tolerate unknown / malformed values rather than refusing to load the\n // whole config - an unrecognised backend name should degrade to \"use\n // the default\" instead of locking the user out of their CLI.\n return undefined;\n}\n\nexport function getGlobalConfigPath(): string {\n return path.join(os.homedir(), PROJECT_DIR_NAME, \"config.json\");\n}\n\n/**\n * Path to the on-disk credential file used by the file backend of\n * `CredentialStore`. Re-exported here to avoid circular / ad-hoc imports\n * in UI surface (`auth status`, `config show`, etc).\n */\nexport function getGlobalAuthPath(): string {\n return getCredentialFilePath();\n}\n\n/**\n * Load non-credential CLI configuration.\n *\n * Note: this function used to also load `authToken` / `refreshToken`\n * from `auth.json` and flatten them onto `GlobalConfig`. That shape\n * enabled the refresh-token-wipe bug: `saveGlobalConfig({ ...config })`\n * without explicit auth fields erased the stored refresh token.\n *\n * Credentials are now owned exclusively by `CredentialStore`. Callers\n * that need them must import `getCredentials()` directly.\n */\nexport async function loadGlobalConfig(): Promise<GlobalConfig> {\n const config = await readJsonFile<GlobalConfig>(getGlobalConfigPath()).catch(\n () => ({}) as GlobalConfig,\n );\n return {\n environment: config.environment,\n credentialBackend: normalizeCredentialBackend(config.credentialBackend),\n };\n}\n\n/**\n * Persist non-credential CLI configuration.\n *\n * This function cannot write credentials, by construction: the\n * `GlobalConfig` type has no credential fields. Credentials must be\n * persisted through `setCredentials` / `clearCredentials` from\n * `credential-store.ts`.\n */\nexport async function saveGlobalConfig(config: GlobalConfig): Promise<void> {\n const configDir = path.join(os.homedir(), PROJECT_DIR_NAME);\n await ensureDir(configDir);\n const normalized: GlobalConfig = {\n environment: config.environment,\n credentialBackend: normalizeCredentialBackend(config.credentialBackend),\n };\n await atomicWriteFile(\n getGlobalConfigPath(),\n `${JSON.stringify(normalized, null, 2)}\\n`,\n { mode: 0o600 },\n );\n}\n","import type { EnvironmentConfig } from \"./types.js\";\n\nexport const DEFAULT_API_BASE_URL = \"https://api.dreamboard.games\";\nexport const DEFAULT_WEB_BASE_URL = \"https://dreamboard.games\";\n\nexport const PROJECT_DIR_NAME = \".dreamboard\";\n\n// Predefined environment configurations\nexport const ENVIRONMENT_CONFIGS: Record<string, EnvironmentConfig> = {\n local: {\n apiBaseUrl: \"http://localhost:8080\",\n webBaseUrl: \"http://localhost:5173\",\n clerkOAuthIssuer: process.env.DREAMBOARD_LOCAL_CLERK_OAUTH_ISSUER,\n clerkOAuthClientId: process.env.DREAMBOARD_LOCAL_CLERK_OAUTH_CLIENT_ID,\n clerkOAuthScope: process.env.DREAMBOARD_LOCAL_CLERK_OAUTH_SCOPE,\n },\n staging: {\n apiBaseUrl: \"https://api-staging.dreamboard.games\",\n webBaseUrl: \"https://staging.dreamboard.games\",\n clerkOAuthIssuer:\n process.env.DREAMBOARD_STAGING_CLERK_OAUTH_ISSUER ??\n process.env.DREAMBOARD_CLERK_OAUTH_ISSUER,\n clerkOAuthClientId:\n process.env.DREAMBOARD_STAGING_CLERK_OAUTH_CLIENT_ID ??\n process.env.DREAMBOARD_CLERK_OAUTH_CLIENT_ID,\n clerkOAuthScope:\n process.env.DREAMBOARD_STAGING_CLERK_OAUTH_SCOPE ??\n process.env.DREAMBOARD_CLERK_OAUTH_SCOPE,\n },\n prod: {\n apiBaseUrl: \"https://api.dreamboard.games\",\n webBaseUrl: \"https://dreamboard.games\",\n clerkOAuthIssuer:\n process.env.DREAMBOARD_PROD_CLERK_OAUTH_ISSUER ??\n process.env.DREAMBOARD_CLERK_OAUTH_ISSUER,\n clerkOAuthClientId:\n process.env.DREAMBOARD_PROD_CLERK_OAUTH_CLIENT_ID ??\n process.env.DREAMBOARD_CLERK_OAUTH_CLIENT_ID,\n clerkOAuthScope:\n process.env.DREAMBOARD_PROD_CLERK_OAUTH_SCOPE ??\n process.env.DREAMBOARD_CLERK_OAUTH_SCOPE,\n },\n};\nexport const PROJECT_CONFIG_FILE = \"project.json\";\nexport const PROJECT_STATE_FILE = \"state.json\";\nexport const SNAPSHOT_FILE = \"snapshot.json\";\nexport const MANIFEST_FILE = \"manifest.ts\";\nexport const GENERATED_DIR_NAME = \"generated\";\nexport const MATERIALIZED_MANIFEST_FILE = `${PROJECT_DIR_NAME}/${GENERATED_DIR_NAME}/manifest.json`;\nexport const MANIFEST_TYPECHECK_CONFIG_FILE = \"manifest.tsconfig.json\";\nexport const RULE_FILE = \"rule.md\";\nexport const DEFAULT_LOGIN_TIMEOUT_MS = 5 * 60 * 1000;\nexport const DEFAULT_TURN_DELAY_MS = 250;\n\nexport const LOCAL_IGNORE_DIRS = new Set([\n \".dreamboard\",\n \".git\",\n \"node_modules\",\n \"dist\",\n]);\n","import { mkdir, readFile, stat, writeFile } from \"node:fs/promises\";\nimport path from \"node:path\";\n\nexport async function ensureDir(dirPath: string): Promise<void> {\n await mkdir(dirPath, { recursive: true });\n}\n\nexport async function exists(filePath: string): Promise<boolean> {\n try {\n await stat(filePath);\n return true;\n } catch {\n return false;\n }\n}\n\nexport async function readTextFile(filePath: string): Promise<string> {\n return readFile(filePath, \"utf8\");\n}\n\nexport async function readTextFileIfExists(\n filePath: string,\n): Promise<string | null> {\n try {\n return await readFile(filePath, \"utf8\");\n } catch {\n return null;\n }\n}\n\nexport async function writeTextFile(\n filePath: string,\n content: string,\n): Promise<void> {\n await ensureDir(path.dirname(filePath));\n await writeFile(filePath, content, \"utf8\");\n}\n\nexport async function readJsonFile<T>(filePath: string): Promise<T> {\n const data = await readTextFile(filePath);\n return JSON.parse(data) as T;\n}\n\nexport async function writeJsonFile(\n filePath: string,\n data: unknown,\n): Promise<void> {\n await writeTextFile(filePath, `${JSON.stringify(data, null, 2)}\\n`);\n}\n","/**\n * Primitives for safely mutating local state files owned by the CLI.\n *\n * Two guarantees:\n * - Writes are atomic-ish: we stage the payload in a sibling temp file with\n * the target permissions, fsync the contents, then `rename` over the target.\n * On POSIX `rename` within the same directory is atomic; on Windows it is\n * atomic within the same volume which is always the case for files we write\n * inside `~/.dreamboard`.\n * - We refuse to clobber a file with an empty payload. The original bug that\n * wiped refresh tokens on a failing `sync`/`compile` hinged on `undefined`\n * JSON values being persisted and reloaded as `{}`. Forbidding empty\n * writes here removes that entire failure mode at the primitive level.\n *\n * Additionally, `withFileLock` provides a cross-process advisory lock built on\n * `O_CREAT | O_EXCL` so that parallel CLI invocations (e.g. `dreamboard sync`\n * running while `dreamboard compile` is in flight) serialize around mutations\n * of the same credential state.\n */\n\nimport { constants as fsConstants, promises as fs, type Stats } from \"node:fs\";\nimport path from \"node:path\";\nimport crypto from \"node:crypto\";\n\nexport type AtomicWriteOptions = {\n /** File mode applied to the written file (default: 0o600). */\n mode?: number;\n /** Call `fsync` on the temp file before renaming. Default: true. */\n fsync?: boolean;\n};\n\nexport async function atomicWriteFile(\n targetPath: string,\n contents: string,\n options: AtomicWriteOptions = {},\n): Promise<void> {\n if (contents.length === 0) {\n throw new Error(\n `Refusing to atomicWriteFile an empty payload to ${targetPath}`,\n );\n }\n const mode = options.mode ?? 0o600;\n const shouldFsync = options.fsync ?? true;\n const dir = path.dirname(targetPath);\n await fs.mkdir(dir, { recursive: true });\n\n const suffix = crypto.randomBytes(6).toString(\"hex\");\n const tmpPath = `${targetPath}.tmp-${process.pid}-${suffix}`;\n\n const fh = await fs.open(\n tmpPath,\n fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL,\n mode,\n );\n try {\n await fh.writeFile(contents, \"utf8\");\n try {\n await fh.chmod(mode);\n } catch {\n // Some filesystems (e.g. network volumes, Windows) refuse chmod.\n // Ignoring here is safe: the `open` call above already created the\n // file with the requested mode on systems that honor it.\n }\n if (shouldFsync) {\n try {\n await fh.sync();\n } catch {\n // Best-effort. Not all backends (tmpfs on some platforms) support fsync.\n }\n }\n } finally {\n await fh.close();\n }\n\n try {\n await fs.rename(tmpPath, targetPath);\n } catch (err) {\n await fs.unlink(tmpPath).catch(() => undefined);\n throw err;\n }\n}\n\nexport type FileLockOptions = {\n /** Max number of acquisition attempts before giving up. Default: 100. */\n retries?: number;\n /** Minimum backoff between retries in ms. Default: 20. */\n minDelayMs?: number;\n /** Maximum backoff between retries in ms. Default: 200. */\n maxDelayMs?: number;\n /**\n * A lockfile older than this is considered stale and forcibly removed.\n * Guards against crashed processes leaving a permanent lock. Default: 30s.\n */\n staleMs?: number;\n};\n\nexport async function withFileLock<T>(\n lockPath: string,\n fn: () => Promise<T>,\n options: FileLockOptions = {},\n): Promise<T> {\n const retries = options.retries ?? 100;\n const minDelayMs = options.minDelayMs ?? 20;\n const maxDelayMs = options.maxDelayMs ?? 200;\n const staleMs = options.staleMs ?? 30_000;\n\n await fs.mkdir(path.dirname(lockPath), { recursive: true });\n\n let attempt = 0;\n let acquired = false;\n while (!acquired) {\n try {\n const fh = await fs.open(\n lockPath,\n fsConstants.O_WRONLY | fsConstants.O_CREAT | fsConstants.O_EXCL,\n 0o600,\n );\n await fh.writeFile(`${process.pid}\\n`, \"utf8\");\n await fh.close();\n acquired = true;\n break;\n } catch (err) {\n const code = (err as NodeJS.ErrnoException).code;\n if (code !== \"EEXIST\") {\n throw err;\n }\n }\n\n let stat: Stats | null = null;\n try {\n stat = await fs.stat(lockPath);\n } catch {\n continue;\n }\n if (stat !== null) {\n const ageMs = Date.now() - stat.mtimeMs;\n if (ageMs > staleMs) {\n await fs.unlink(lockPath).catch(() => undefined);\n continue;\n }\n }\n\n attempt += 1;\n if (attempt >= retries) {\n throw new Error(\n `Timed out acquiring file lock at ${lockPath} after ${retries} attempts.`,\n );\n }\n const jitter = Math.floor(\n Math.random() * Math.max(1, maxDelayMs - minDelayMs),\n );\n await new Promise((resolve) => setTimeout(resolve, minDelayMs + jitter));\n }\n\n try {\n return await fn();\n } finally {\n await fs.unlink(lockPath).catch(() => undefined);\n }\n}\n","/**\n * Single writer for the long-lived Dreamboard session credentials.\n *\n * Design invariants (enforced at the type level and tested in\n * `credential-store.test.ts`):\n *\n * 1. This module is the ONLY place in the CLI that writes credentials to\n * disk or the OS keychain. `global-config.ts` used to own both the\n * config and the credentials via `saveGlobalConfig`, which made it\n * trivial to wipe a refresh token by accident. The `GlobalConfig` type\n * no longer carries credentials, so attempting to persist one through\n * the config path is a type error.\n *\n * 2. The mutating surface is intentionally narrow:\n * - `setCredentials(c)` for refreshable sessions (both tokens present)\n * - `setAccessOnlySession(accessToken)` for the `auth set` / `config set\n * --token` power-user path, which has no refresh token by\n * construction\n * - `clearCredentials()` wipes the file entirely\n * There is no \"partial update\" API. `Credentials` requires both\n * `accessToken` and `refreshToken`, so it is impossible to persist a\n * half-populated refreshable session.\n *\n * 3. Writes go through `atomicWriteFile` + `withFileLock`, so a crash or\n * interrupt during `dreamboard sync`/`compile` cannot leave `auth.json`\n * truncated, and parallel CLI invocations cannot clobber each other's\n * rotated refresh tokens.\n *\n * 4. The on-disk JSON shape for the file backend is kept backward\n * compatible: we continue to read/write `authToken` + `refreshToken`\n * so existing users are not forced to log in again after this change.\n * A newer `accessToken` key is also accepted for read to ease any\n * future format bump.\n *\n * 5. The file backend is the default. The OS keychain is opt-in via\n * `credentialBackend: \"keychain\"` in `~/.dreamboard/config.json`\n * because on macOS the first keychain write triggers a login-password\n * prompt, and re-prompts whenever the executing Node binary's code\n * signature changes (e.g. after an `nvm`/`volta` upgrade). Users who\n * want encrypted-at-rest storage can opt in explicitly; everyone else\n * gets a zero-prompt experience.\n */\n\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { promises as fs } from \"node:fs\";\nimport { PROJECT_DIR_NAME } from \"../constants.js\";\nimport {\n atomicWriteFile,\n withFileLock,\n type FileLockOptions,\n} from \"../utils/atomic-file.js\";\n\n/** Fully refreshable session: both tokens required. */\nexport type Credentials = {\n readonly accessToken: string;\n readonly refreshToken: string;\n readonly tokenExpiresAt?: string;\n readonly clerkOAuthIssuer?: string;\n readonly clerkOAuthClientId?: string;\n readonly clerkOAuthTokenUrl?: string;\n readonly environment?: string;\n};\n\n/**\n * Raw on-disk snapshot. Either or both fields may be present. The refresh\n * coordinator only acts on snapshots that have both tokens populated.\n */\nexport type StoredSessionSnapshot = {\n readonly accessToken?: string;\n readonly refreshToken?: string;\n readonly tokenExpiresAt?: string;\n readonly clerkOAuthIssuer?: string;\n readonly clerkOAuthClientId?: string;\n readonly clerkOAuthTokenUrl?: string;\n readonly environment?: string;\n};\n\nexport type CredentialBackendName = \"file\" | \"keychain\";\n\nexport type CredentialBackend = {\n readonly name: CredentialBackendName;\n read(): Promise<StoredSessionSnapshot | null>;\n writeFull(creds: Credentials): Promise<void>;\n writeAccessOnly(accessToken: string): Promise<void>;\n clear(): Promise<void>;\n};\n\nexport type CredentialLockOps = {\n readonly backendName: CredentialBackendName;\n read(): Promise<StoredSessionSnapshot | null>;\n writeFull(creds: Credentials): Promise<void>;\n writeAccessOnly(accessToken: string): Promise<void>;\n clear(): Promise<void>;\n};\n\ntype DiskShape = Partial<{\n accessToken: string;\n authToken: string;\n refreshToken: string;\n tokenExpiresAt: string;\n clerkOAuthIssuer: string;\n clerkOAuthClientId: string;\n clerkOAuthTokenUrl: string;\n environment: string;\n}>;\n\nexport function getCredentialFilePath(): string {\n return path.join(os.homedir(), PROJECT_DIR_NAME, \"auth.json\");\n}\n\nfunction getCredentialLockPath(): string {\n return `${getCredentialFilePath()}.lock`;\n}\n\nasync function fileRead(): Promise<StoredSessionSnapshot | null> {\n const filePath = getCredentialFilePath();\n let data: string;\n try {\n data = await fs.readFile(filePath, \"utf8\");\n } catch (err) {\n if ((err as NodeJS.ErrnoException).code === \"ENOENT\") return null;\n throw err;\n }\n if (data.trim().length === 0) {\n return null;\n }\n let parsed: DiskShape;\n try {\n parsed = JSON.parse(data) as DiskShape;\n } catch {\n return null;\n }\n const accessToken = parsed.accessToken ?? parsed.authToken;\n const refreshToken = parsed.refreshToken;\n if (!accessToken && !refreshToken) return null;\n return {\n accessToken: accessToken || undefined,\n refreshToken: refreshToken || undefined,\n tokenExpiresAt: parsed.tokenExpiresAt || undefined,\n clerkOAuthIssuer: parsed.clerkOAuthIssuer || undefined,\n clerkOAuthClientId: parsed.clerkOAuthClientId || undefined,\n clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || undefined,\n environment: parsed.environment || undefined,\n };\n}\n\nasync function writeFilePayload(payload: DiskShape): Promise<void> {\n await atomicWriteFile(\n getCredentialFilePath(),\n `${JSON.stringify(payload, null, 2)}\\n`,\n { mode: 0o600 },\n );\n}\n\nasync function fileWriteFull(creds: Credentials): Promise<void> {\n if (!creds.accessToken || !creds.refreshToken) {\n throw new Error(\n \"Refusing to persist credentials with an empty accessToken or refreshToken.\",\n );\n }\n await writeFilePayload({\n authToken: creds.accessToken,\n refreshToken: creds.refreshToken,\n tokenExpiresAt: creds.tokenExpiresAt,\n clerkOAuthIssuer: creds.clerkOAuthIssuer,\n clerkOAuthClientId: creds.clerkOAuthClientId,\n clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,\n environment: creds.environment,\n });\n}\n\nasync function fileWriteAccessOnly(accessToken: string): Promise<void> {\n if (!accessToken) {\n throw new Error(\"Refusing to persist an empty access token.\");\n }\n await writeFilePayload({ authToken: accessToken });\n}\n\nasync function fileClear(): Promise<void> {\n const filePath = getCredentialFilePath();\n try {\n await fs.unlink(filePath);\n } catch (err) {\n if ((err as NodeJS.ErrnoException).code !== \"ENOENT\") throw err;\n }\n}\n\nexport const fileCredentialBackend: CredentialBackend = {\n name: \"file\",\n read: fileRead,\n writeFull: fileWriteFull,\n writeAccessOnly: fileWriteAccessOnly,\n clear: fileClear,\n};\n\nexport type BackendResolver = () =>\n | CredentialBackend\n | Promise<CredentialBackend>;\n\nlet cachedBackend: CredentialBackend | null = null;\nlet migrationCompleted = false;\nlet backendResolver: BackendResolver = defaultBackendResolver;\n\n/**\n * Default resolver precedence:\n *\n * 1. `DREAMBOARD_CREDENTIAL_BACKEND` env var (debugging / CI override).\n * - \"file\" -> force file\n * - \"keychain\" -> force keychain (falls back to file if the native\n * module or the OS keyring is unavailable)\n * - \"auto\" -> same as unset (use config)\n * - unknown -> throw so typos fail loud\n * 2. `credentialBackend` in `~/.dreamboard/config.json`.\n * - \"keychain\" -> opt in to the OS keychain (with file fallback)\n * - \"file\" / unset / malformed -> file\n * 3. Default: file backend.\n *\n * Keychain is opt-in because on macOS the OS login-keychain prompts for\n * the user's password the first time a new binary tries to write to an\n * item, and re-prompts whenever the Node binary signature changes. We\n * would rather ship a zero-prompt default and let users who care about\n * encrypted-at-rest storage enable it.\n *\n * The resolver is async because the keychain probe requires a dynamic\n * `@napi-rs/keyring` import.\n */\nasync function defaultBackendResolver(): Promise<CredentialBackend> {\n const override = (process.env.DREAMBOARD_CREDENTIAL_BACKEND ?? \"\")\n .trim()\n .toLowerCase();\n if (override === \"file\") {\n return fileCredentialBackend;\n }\n if (override && override !== \"keychain\" && override !== \"auto\") {\n // Fail loud on typos rather than silently falling back: this env\n // var exists specifically for users who are debugging auth issues\n // and need to know their override took effect.\n throw new Error(\n `Unknown DREAMBOARD_CREDENTIAL_BACKEND value \"${override}\" (expected \"file\", \"keychain\", or \"auto\").`,\n );\n }\n\n const useKeychain =\n override === \"keychain\" || (await readCredentialBackendPreference());\n if (!useKeychain) {\n return fileCredentialBackend;\n }\n\n const { tryKeychainBackend } = await import(\"./keychain-backend.js\");\n const keychain = await tryKeychainBackend();\n if (keychain.available) {\n return keychain.backend;\n }\n // The user explicitly asked for keychain but the platform can't\n // provide one (no libsecret on Linux, missing native module, etc).\n // Silently degrade to the file backend so the CLI stays usable; the\n // active backend is still visible through `dreamboard auth status`.\n return fileCredentialBackend;\n}\n\nasync function readCredentialBackendPreference(): Promise<boolean> {\n try {\n // Dynamic import to avoid a top-level cycle with `global-config.ts`\n // (which imports `getCredentialFilePath` from this module). Using\n // the async path keeps the cycle purely lazy.\n const { loadGlobalConfig } = await import(\"./global-config.js\");\n const config = await loadGlobalConfig();\n return config.credentialBackend === \"keychain\";\n } catch {\n // If the config file is unreadable or the dynamic import fails\n // (e.g. during early bootstrap), fall back to the file-backed\n // default rather than crashing credential lookups.\n return false;\n }\n}\n\n/**\n * Override which backend is used. Tests use this to inject in-memory\n * backends; production code uses the default keychain-first resolver.\n */\nexport function setCredentialBackendResolver(resolver: BackendResolver): void {\n backendResolver = resolver;\n cachedBackend = null;\n migrationCompleted = false;\n}\n\nexport async function getCredentialBackend(): Promise<CredentialBackend> {\n if (cachedBackend === null) {\n cachedBackend = await backendResolver();\n // One-time migration: if we resolved to a non-file backend and\n // `auth.json` still has credentials from the old layout, copy them\n // over and remove the file. We only do this when the new backend is\n // empty, so repeated migrations cannot stomp a newer keychain\n // session with a stale file session.\n if (!migrationCompleted && cachedBackend.name !== \"file\") {\n await migrateFromFileBackendIfNeeded(cachedBackend);\n }\n migrationCompleted = true;\n }\n return cachedBackend;\n}\n\nasync function migrateFromFileBackendIfNeeded(\n target: CredentialBackend,\n): Promise<void> {\n try {\n const [onDisk, onTarget] = await Promise.all([\n fileCredentialBackend.read(),\n target.read(),\n ]);\n if (!onDisk) return;\n if (onTarget) {\n // Target already has a session - the user has already migrated.\n // Remove the file so it cannot get re-used accidentally.\n await fileCredentialBackend.clear();\n return;\n }\n if (onDisk.accessToken && onDisk.refreshToken) {\n await target.writeFull({\n accessToken: onDisk.accessToken,\n refreshToken: onDisk.refreshToken,\n });\n } else if (onDisk.accessToken) {\n await target.writeAccessOnly(onDisk.accessToken);\n } else {\n return;\n }\n await fileCredentialBackend.clear();\n } catch {\n // Migration is best-effort. A failure here should not block CLI\n // operation; on next run the file backend is still consulted\n // directly because the keychain backend's `read` returns null and\n // callers fall through to \"missing session\" → login prompt.\n }\n}\n\nexport async function getActiveCredentialBackendName(): Promise<CredentialBackendName> {\n const backend = await getCredentialBackend();\n return backend.name;\n}\n\n/** Loose read: returns whatever is on disk, including access-only sessions. */\nexport async function getStoredSession(): Promise<StoredSessionSnapshot | null> {\n const backend = await getCredentialBackend();\n return backend.read();\n}\n\n/** Strict read: returns a refreshable pair, or null if either token is missing. */\nexport async function getCredentials(): Promise<Credentials | null> {\n const snapshot = await getStoredSession();\n if (!snapshot) return null;\n const { accessToken, refreshToken } = snapshot;\n if (!accessToken || !refreshToken) return null;\n return { accessToken, refreshToken };\n}\n\nexport async function setCredentials(creds: Credentials): Promise<void> {\n await withFileLock(getCredentialLockPath(), async () => {\n const backend = await getCredentialBackend();\n await backend.writeFull(creds);\n });\n}\n\nexport async function setAccessOnlySession(accessToken: string): Promise<void> {\n await withFileLock(getCredentialLockPath(), async () => {\n const backend = await getCredentialBackend();\n await backend.writeAccessOnly(accessToken);\n });\n}\n\nexport async function clearCredentials(): Promise<void> {\n await withFileLock(getCredentialLockPath(), async () => {\n const backend = await getCredentialBackend();\n await backend.clear();\n });\n}\n\n/**\n * Run `fn` while holding the cross-process credential lock. `fn` receives\n * an ops handle that reads/writes the active backend without re-acquiring\n * the lock (avoiding deadlock).\n *\n * This is the only correct way to perform a read-modify-write on stored\n * credentials (e.g. CLI refresh rotation) in the presence of\n * concurrent CLI invocations.\n */\nexport async function withCredentialLock<T>(\n fn: (ops: CredentialLockOps) => Promise<T>,\n options?: FileLockOptions,\n): Promise<T> {\n return withFileLock(\n getCredentialLockPath(),\n async () => {\n const backend = await getCredentialBackend();\n const ops: CredentialLockOps = {\n backendName: backend.name,\n read: () => backend.read(),\n writeFull: (creds) => backend.writeFull(creds),\n writeAccessOnly: (accessToken) => backend.writeAccessOnly(accessToken),\n clear: () => backend.clear(),\n };\n return fn(ops);\n },\n options,\n );\n}\n\n/** Test-only reset of module state. Not exported through the barrel. */\nexport function _resetCredentialStoreForTests(): void {\n cachedBackend = null;\n migrationCompleted = false;\n backendResolver = defaultBackendResolver;\n}\n"],"mappings":";;;AAAA,OAAOA,SAAQ;AACf,OAAOC,WAAU;;;ACCV,IAAM,uBAAuB;AAC7B,IAAM,uBAAuB;AAE7B,IAAM,mBAAmB;AAGzB,IAAM,sBAAyD;AAAA,EACpE,OAAO;AAAA,IACL,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,kBAAkB,QAAQ,IAAI;AAAA,IAC9B,oBAAoB,QAAQ,IAAI;AAAA,IAChC,iBAAiB,QAAQ,IAAI;AAAA,EAC/B;AAAA,EACA,SAAS;AAAA,IACP,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,kBACE,QAAQ,IAAI,yCACZ,QAAQ,IAAI;AAAA,IACd,oBACE,QAAQ,IAAI,4CACZ,QAAQ,IAAI;AAAA,IACd,iBACE,QAAQ,IAAI,wCACZ,QAAQ,IAAI;AAAA,EAChB;AAAA,EACA,MAAM;AAAA,IACJ,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,kBACE,QAAQ,IAAI,sCACZ,QAAQ,IAAI;AAAA,IACd,oBACE,QAAQ,IAAI,yCACZ,QAAQ,IAAI;AAAA,IACd,iBACE,QAAQ,IAAI,qCACZ,QAAQ,IAAI;AAAA,EAChB;AACF;AACO,IAAM,sBAAsB;AAC5B,IAAM,qBAAqB;AAC3B,IAAM,gBAAgB;AACtB,IAAM,gBAAgB;AACtB,IAAM,qBAAqB;AAC3B,IAAM,6BAA6B,GAAG,gBAAgB,IAAI,kBAAkB;AAC5E,IAAM,iCAAiC;AACvC,IAAM,YAAY;AAClB,IAAM,2BAA2B,IAAI,KAAK;AAG1C,IAAM,oBAAoB,oBAAI,IAAI;AAAA,EACvC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;;;AC3DD,SAAS,OAAO,UAAU,MAAM,iBAAiB;AACjD,OAAO,UAAU;AAEjB,eAAsB,UAAU,SAAgC;AAC9D,QAAM,MAAM,SAAS,EAAE,WAAW,KAAK,CAAC;AAC1C;AAEA,eAAsB,OAAO,UAAoC;AAC/D,MAAI;AACF,UAAM,KAAK,QAAQ;AACnB,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,aAAa,UAAmC;AACpE,SAAO,SAAS,UAAU,MAAM;AAClC;AAEA,eAAsB,qBACpB,UACwB;AACxB,MAAI;AACF,WAAO,MAAM,SAAS,UAAU,MAAM;AAAA,EACxC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,cACpB,UACA,SACe;AACf,QAAM,UAAU,KAAK,QAAQ,QAAQ,CAAC;AACtC,QAAM,UAAU,UAAU,SAAS,MAAM;AAC3C;AAEA,eAAsB,aAAgB,UAA8B;AAClE,QAAM,OAAO,MAAM,aAAa,QAAQ;AACxC,SAAO,KAAK,MAAM,IAAI;AACxB;AAEA,eAAsB,cACpB,UACA,MACe;AACf,QAAM,cAAc,UAAU,GAAG,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AAAA,CAAI;AACpE;;;AC5BA,SAAS,aAAa,aAAa,YAAY,UAAsB;AACrE,OAAOC,WAAU;AACjB,OAAO,YAAY;AASnB,eAAsB,gBACpB,YACA,UACA,UAA8B,CAAC,GAChB;AACf,MAAI,SAAS,WAAW,GAAG;AACzB,UAAM,IAAI;AAAA,MACR,mDAAmD,UAAU;AAAA,IAC/D;AAAA,EACF;AACA,QAAM,OAAO,QAAQ,QAAQ;AAC7B,QAAM,cAAc,QAAQ,SAAS;AACrC,QAAM,MAAMA,MAAK,QAAQ,UAAU;AACnC,QAAM,GAAG,MAAM,KAAK,EAAE,WAAW,KAAK,CAAC;AAEvC,QAAM,SAAS,OAAO,YAAY,CAAC,EAAE,SAAS,KAAK;AACnD,QAAM,UAAU,GAAG,UAAU,QAAQ,QAAQ,GAAG,IAAI,MAAM;AAE1D,QAAM,KAAK,MAAM,GAAG;AAAA,IAClB;AAAA,IACA,YAAY,WAAW,YAAY,UAAU,YAAY;AAAA,IACzD;AAAA,EACF;AACA,MAAI;AACF,UAAM,GAAG,UAAU,UAAU,MAAM;AACnC,QAAI;AACF,YAAM,GAAG,MAAM,IAAI;AAAA,IACrB,QAAQ;AAAA,IAIR;AACA,QAAI,aAAa;AACf,UAAI;AACF,cAAM,GAAG,KAAK;AAAA,MAChB,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF,UAAE;AACA,UAAM,GAAG,MAAM;AAAA,EACjB;AAEA,MAAI;AACF,UAAM,GAAG,OAAO,SAAS,UAAU;AAAA,EACrC,SAAS,KAAK;AACZ,UAAM,GAAG,OAAO,OAAO,EAAE,MAAM,MAAM,MAAS;AAC9C,UAAM;AAAA,EACR;AACF;AAgBA,eAAsB,aACpB,UACA,IACA,UAA2B,CAAC,GAChB;AACZ,QAAM,UAAU,QAAQ,WAAW;AACnC,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,aAAa,QAAQ,cAAc;AACzC,QAAM,UAAU,QAAQ,WAAW;AAEnC,QAAM,GAAG,MAAMA,MAAK,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAE1D,MAAI,UAAU;AACd,MAAI,WAAW;AACf,SAAO,CAAC,UAAU;AAChB,QAAI;AACF,YAAM,KAAK,MAAM,GAAG;AAAA,QAClB;AAAA,QACA,YAAY,WAAW,YAAY,UAAU,YAAY;AAAA,QACzD;AAAA,MACF;AACA,YAAM,GAAG,UAAU,GAAG,QAAQ,GAAG;AAAA,GAAM,MAAM;AAC7C,YAAM,GAAG,MAAM;AACf,iBAAW;AACX;AAAA,IACF,SAAS,KAAK;AACZ,YAAM,OAAQ,IAA8B;AAC5C,UAAI,SAAS,UAAU;AACrB,cAAM;AAAA,MACR;AAAA,IACF;AAEA,QAAIC,QAAqB;AACzB,QAAI;AACF,MAAAA,QAAO,MAAM,GAAG,KAAK,QAAQ;AAAA,IAC/B,QAAQ;AACN;AAAA,IACF;AACA,QAAIA,UAAS,MAAM;AACjB,YAAM,QAAQ,KAAK,IAAI,IAAIA,MAAK;AAChC,UAAI,QAAQ,SAAS;AACnB,cAAM,GAAG,OAAO,QAAQ,EAAE,MAAM,MAAM,MAAS;AAC/C;AAAA,MACF;AAAA,IACF;AAEA,eAAW;AACX,QAAI,WAAW,SAAS;AACtB,YAAM,IAAI;AAAA,QACR,oCAAoC,QAAQ,UAAU,OAAO;AAAA,MAC/D;AAAA,IACF;AACA,UAAM,SAAS,KAAK;AAAA,MAClB,KAAK,OAAO,IAAI,KAAK,IAAI,GAAG,aAAa,UAAU;AAAA,IACrD;AACA,UAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,aAAa,MAAM,CAAC;AAAA,EACzE;AAEA,MAAI;AACF,WAAO,MAAM,GAAG;AAAA,EAClB,UAAE;AACA,UAAM,GAAG,OAAO,QAAQ,EAAE,MAAM,MAAM,MAAS;AAAA,EACjD;AACF;;;ACpHA,OAAO,QAAQ;AACf,OAAOC,WAAU;AACjB,SAAS,YAAYC,WAAU;AA8DxB,SAAS,wBAAgC;AAC9C,SAAOC,MAAK,KAAK,GAAG,QAAQ,GAAG,kBAAkB,WAAW;AAC9D;AAEA,SAAS,wBAAgC;AACvC,SAAO,GAAG,sBAAsB,CAAC;AACnC;AAEA,eAAe,WAAkD;AAC/D,QAAM,WAAW,sBAAsB;AACvC,MAAI;AACJ,MAAI;AACF,WAAO,MAAMC,IAAG,SAAS,UAAU,MAAM;AAAA,EAC3C,SAAS,KAAK;AACZ,QAAK,IAA8B,SAAS,SAAU,QAAO;AAC7D,UAAM;AAAA,EACR;AACA,MAAI,KAAK,KAAK,EAAE,WAAW,GAAG;AAC5B,WAAO;AAAA,EACT;AACA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,IAAI;AAAA,EAC1B,QAAQ;AACN,WAAO;AAAA,EACT;AACA,QAAM,cAAc,OAAO,eAAe,OAAO;AACjD,QAAM,eAAe,OAAO;AAC5B,MAAI,CAAC,eAAe,CAAC,aAAc,QAAO;AAC1C,SAAO;AAAA,IACL,aAAa,eAAe;AAAA,IAC5B,cAAc,gBAAgB;AAAA,IAC9B,gBAAgB,OAAO,kBAAkB;AAAA,IACzC,kBAAkB,OAAO,oBAAoB;AAAA,IAC7C,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,aAAa,OAAO,eAAe;AAAA,EACrC;AACF;AAEA,eAAe,iBAAiB,SAAmC;AACjE,QAAM;AAAA,IACJ,sBAAsB;AAAA,IACtB,GAAG,KAAK,UAAU,SAAS,MAAM,CAAC,CAAC;AAAA;AAAA,IACnC,EAAE,MAAM,IAAM;AAAA,EAChB;AACF;AAEA,eAAe,cAAc,OAAmC;AAC9D,MAAI,CAAC,MAAM,eAAe,CAAC,MAAM,cAAc;AAC7C,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,iBAAiB;AAAA,IACrB,WAAW,MAAM;AAAA,IACjB,cAAc,MAAM;AAAA,IACpB,gBAAgB,MAAM;AAAA,IACtB,kBAAkB,MAAM;AAAA,IACxB,oBAAoB,MAAM;AAAA,IAC1B,oBAAoB,MAAM;AAAA,IAC1B,aAAa,MAAM;AAAA,EACrB,CAAC;AACH;AAEA,eAAe,oBAAoB,aAAoC;AACrE,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,QAAM,iBAAiB,EAAE,WAAW,YAAY,CAAC;AACnD;AAEA,eAAe,YAA2B;AACxC,QAAM,WAAW,sBAAsB;AACvC,MAAI;AACF,UAAMA,IAAG,OAAO,QAAQ;AAAA,EAC1B,SAAS,KAAK;AACZ,QAAK,IAA8B,SAAS,SAAU,OAAM;AAAA,EAC9D;AACF;AAEO,IAAM,wBAA2C;AAAA,EACtD,MAAM;AAAA,EACN,MAAM;AAAA,EACN,WAAW;AAAA,EACX,iBAAiB;AAAA,EACjB,OAAO;AACT;AAMA,IAAI,gBAA0C;AAC9C,IAAI,qBAAqB;AACzB,IAAI,kBAAmC;AAyBvC,eAAe,yBAAqD;AAClE,QAAM,YAAY,QAAQ,IAAI,iCAAiC,IAC5D,KAAK,EACL,YAAY;AACf,MAAI,aAAa,QAAQ;AACvB,WAAO;AAAA,EACT;AACA,MAAI,YAAY,aAAa,cAAc,aAAa,QAAQ;AAI9D,UAAM,IAAI;AAAA,MACR,gDAAgD,QAAQ;AAAA,IAC1D;AAAA,EACF;AAEA,QAAM,cACJ,aAAa,cAAe,MAAM,gCAAgC;AACpE,MAAI,CAAC,aAAa;AAChB,WAAO;AAAA,EACT;AAEA,QAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,gCAAuB;AACnE,QAAM,WAAW,MAAM,mBAAmB;AAC1C,MAAI,SAAS,WAAW;AACtB,WAAO,SAAS;AAAA,EAClB;AAKA,SAAO;AACT;AAEA,eAAe,kCAAoD;AACjE,MAAI;AAIF,UAAM,EAAE,kBAAAC,kBAAiB,IAAI,MAAM,OAAO,6BAAoB;AAC9D,UAAM,SAAS,MAAMA,kBAAiB;AACtC,WAAO,OAAO,sBAAsB;AAAA,EACtC,QAAQ;AAIN,WAAO;AAAA,EACT;AACF;AAYA,eAAsB,uBAAmD;AACvE,MAAI,kBAAkB,MAAM;AAC1B,oBAAgB,MAAM,gBAAgB;AAMtC,QAAI,CAAC,sBAAsB,cAAc,SAAS,QAAQ;AACxD,YAAM,+BAA+B,aAAa;AAAA,IACpD;AACA,yBAAqB;AAAA,EACvB;AACA,SAAO;AACT;AAEA,eAAe,+BACb,QACe;AACf,MAAI;AACF,UAAM,CAAC,QAAQ,QAAQ,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC3C,sBAAsB,KAAK;AAAA,MAC3B,OAAO,KAAK;AAAA,IACd,CAAC;AACD,QAAI,CAAC,OAAQ;AACb,QAAI,UAAU;AAGZ,YAAM,sBAAsB,MAAM;AAClC;AAAA,IACF;AACA,QAAI,OAAO,eAAe,OAAO,cAAc;AAC7C,YAAM,OAAO,UAAU;AAAA,QACrB,aAAa,OAAO;AAAA,QACpB,cAAc,OAAO;AAAA,MACvB,CAAC;AAAA,IACH,WAAW,OAAO,aAAa;AAC7B,YAAM,OAAO,gBAAgB,OAAO,WAAW;AAAA,IACjD,OAAO;AACL;AAAA,IACF;AACA,UAAM,sBAAsB,MAAM;AAAA,EACpC,QAAQ;AAAA,EAKR;AACF;AAQA,eAAsB,mBAA0D;AAC9E,QAAM,UAAU,MAAM,qBAAqB;AAC3C,SAAO,QAAQ,KAAK;AACtB;AAWA,eAAsB,eAAe,OAAmC;AACtE,QAAM,aAAa,sBAAsB,GAAG,YAAY;AACtD,UAAM,UAAU,MAAM,qBAAqB;AAC3C,UAAM,QAAQ,UAAU,KAAK;AAAA,EAC/B,CAAC;AACH;AAEA,eAAsB,qBAAqB,aAAoC;AAC7E,QAAM,aAAa,sBAAsB,GAAG,YAAY;AACtD,UAAM,UAAU,MAAM,qBAAqB;AAC3C,UAAM,QAAQ,gBAAgB,WAAW;AAAA,EAC3C,CAAC;AACH;AAEA,eAAsB,mBAAkC;AACtD,QAAM,aAAa,sBAAsB,GAAG,YAAY;AACtD,UAAM,UAAU,MAAM,qBAAqB;AAC3C,UAAM,QAAQ,MAAM;AAAA,EACtB,CAAC;AACH;;;AJhXA,SAAS,2BACP,OACyC;AACzC,MAAI,UAAU,UAAU,UAAU,WAAY,QAAO;AAIrD,SAAO;AACT;AAEO,SAAS,sBAA8B;AAC5C,SAAOC,MAAK,KAAKC,IAAG,QAAQ,GAAG,kBAAkB,aAAa;AAChE;AAOO,SAAS,oBAA4B;AAC1C,SAAO,sBAAsB;AAC/B;AAaA,eAAsB,mBAA0C;AAC9D,QAAM,SAAS,MAAM,aAA2B,oBAAoB,CAAC,EAAE;AAAA,IACrE,OAAO,CAAC;AAAA,EACV;AACA,SAAO;AAAA,IACL,aAAa,OAAO;AAAA,IACpB,mBAAmB,2BAA2B,OAAO,iBAAiB;AAAA,EACxE;AACF;AAUA,eAAsB,iBAAiB,QAAqC;AAC1E,QAAM,YAAYD,MAAK,KAAKC,IAAG,QAAQ,GAAG,gBAAgB;AAC1D,QAAM,UAAU,SAAS;AACzB,QAAM,aAA2B;AAAA,IAC/B,aAAa,OAAO;AAAA,IACpB,mBAAmB,2BAA2B,OAAO,iBAAiB;AAAA,EACxE;AACA,QAAM;AAAA,IACJ,oBAAoB;AAAA,IACpB,GAAG,KAAK,UAAU,YAAY,MAAM,CAAC,CAAC;AAAA;AAAA,IACtC,EAAE,MAAM,IAAM;AAAA,EAChB;AACF;","names":["os","path","path","stat","path","fs","path","fs","loadGlobalConfig","path","os"]}

package/dist/internal.d.ts DELETED Viewed

@@ -1,311 +0,0 @@
-import { z } from 'zod';
-import { CompiledResult } from '@dreamboard-games/api-client';
-import { GameTopologyManifest } from '@dreamboard-games/sdk/types';
-type Environment = "local" | "staging" | "prod";
-type LocalMaintainerRegistryPackages = {
-    "@dreamboard-games/api-client"?: string;
-    "@dreamboard-games/sdk": string;
-};
-type LocalMaintainerRegistryConfig = {
-    registryUrl: string;
-    snapshotId: string;
-    fingerprint: string;
-    publishedAt: string;
-    packages: LocalMaintainerRegistryPackages;
-};
-type EnvironmentConfig = {
-    apiBaseUrl: string;
-    webBaseUrl: string;
-    clerkOAuthIssuer?: string;
-    clerkOAuthClientId?: string;
-    clerkOAuthScope?: string;
-};
-/**
- * Non-credential configuration persisted at `~/.dreamboard/config.json`.
- *
- * IMPORTANT: `authToken` and `refreshToken` intentionally do NOT live here.
- * Credentials are owned exclusively by the `CredentialStore` module
- * (`config/credential-store.ts`). Mixing them into `GlobalConfig` was the
- * root cause of the refresh-token-wipe bug: `saveGlobalConfig({ ...config })`
- * could silently erase stored credentials if the caller forgot to include
- * them. With credentials removed from this type, that failure mode is a
- * type error.
- *
- * `credentialBackend` is a *selector*, not a credential: it only says where
- * tokens are stored. The default (unset) is `"file"` because the OS keychain
- * prompts the user for their login password on first use on macOS (and is
- * re-prompted whenever the Node binary signature changes, e.g. after an
- * `nvm`/`volta` upgrade). Users who want encrypted-at-rest storage can opt
- * in by writing `"credentialBackend": "keychain"` into this file.
- */
-type CredentialBackendPreference = "file" | "keychain";
-type GlobalConfig = {
-    environment?: Environment;
-    credentialBackend?: CredentialBackendPreference;
-};
-type ProjectPendingSyncPhase = "source_revision_created" | "authoring_state_created";
-type ProjectPendingAuthoringSync = {
-    phase: ProjectPendingSyncPhase;
-    revisionDigest?: string;
-    authoringStateId?: string;
-    ruleId?: string;
-    manifestId?: string;
-    manifestContentHash?: string;
-    localManifestContentHash?: string;
-    sourceRevisionId: string;
-    sourceTreeHash: string;
-};
-type ProjectAuthoringState = {
-    revisionDigest?: string;
-    authoringStateId?: string;
-    ruleId?: string;
-    manifestId?: string;
-    manifestContentHash?: string;
-    localManifestContentHash?: string;
-    sourceRevisionId?: string;
-    sourceTreeHash?: string;
-    pendingSync?: ProjectPendingAuthoringSync;
-};
-type ProjectCompileAttempt = {
-    resultId?: string;
-    jobId?: string;
-    revisionDigest?: string;
-    authoringStateId: string;
-    status: "successful" | "failed";
-    diagnosticsSummary?: string;
-};
-type ProjectCompileState = {
-    latestAttempt?: ProjectCompileAttempt;
-    latestSuccessful?: {
-        resultId: string;
-        authoringStateId: string;
-        revisionDigest?: string;
-    };
-};
-type ProjectManifestV2 = {
-    schemaVersion: 2;
-    projectId: string;
-    slug: string;
-};
-type ProjectEnvironmentBindingV1 = {
-    deploymentId: string;
-    ownerScopeId: string;
-    gameId?: string;
-    remoteHeadDigest?: string;
-    jobId?: string;
-    agentManaged?: boolean;
-    workspacePrepared?: boolean;
-    allowCreateGame?: boolean;
-    environment?: Environment;
-    authoring?: ProjectAuthoringState;
-    compile?: ProjectCompileState;
-    localMaintainerRegistry?: LocalMaintainerRegistryConfig;
-    apiBaseUrl?: string;
-    webBaseUrl?: string;
-    packageManifest?: Record<string, unknown>;
-    environmentManifest?: Record<string, unknown>;
-};
-type ProjectConfig = ProjectManifestV2 & Omit<ProjectEnvironmentBindingV1, "gameId"> & {
-    gameId: string;
-    bindingKey?: string;
-};
-/**
- * A resolved, read-only snapshot of "what should this CLI invocation do".
- *
- * `authToken` and `refreshToken` are read-only projections of the active
- * credentials at the moment `resolveConfig` runs. They are marked `readonly`
- * to discourage reassignment from command code; the refresh path never
- * mutates this object and instead goes through `CredentialStore` directly.
- * Persisting a `ResolvedConfig` back into `GlobalConfig`/`auth.json` is
- * not possible because `GlobalConfig` has no credential fields.
- */
-type ResolvedConfig = {
-    readonly environment: Environment;
-    readonly apiBaseUrl: string;
-    readonly webBaseUrl: string;
-    readonly authToken?: string;
-    readonly refreshToken?: string;
-    readonly tokenExpiresAt?: string;
-    readonly clerkOAuthIssuer?: string;
-    readonly clerkOAuthClientId?: string;
-    readonly clerkOAuthTokenUrl?: string;
-    readonly clerkOAuthScope?: string;
-    readonly authTokenSource?: "global" | "env" | "agent-env" | "flag" | "none";
-    readonly refreshTokenSource?: "global" | "env" | "none";
-};
-declare const configFlagsSchema: z.ZodObject<{
-    env: z.ZodOptional<z.ZodEnum<{
-        local: "local";
-        staging: "staging";
-        prod: "prod";
-    }>>;
-    token: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-type ConfigFlags = z.infer<typeof configFlagsSchema>;
-declare function parseConfigFlags(args: unknown): ConfigFlags;
-/**
- * Single writer for the long-lived Dreamboard session credentials.
- *
- * Design invariants (enforced at the type level and tested in
- * `credential-store.test.ts`):
- *
- * 1. This module is the ONLY place in the CLI that writes credentials to
- *    disk or the OS keychain. `global-config.ts` used to own both the
- *    config and the credentials via `saveGlobalConfig`, which made it
- *    trivial to wipe a refresh token by accident. The `GlobalConfig` type
- *    no longer carries credentials, so attempting to persist one through
- *    the config path is a type error.
- *
- * 2. The mutating surface is intentionally narrow:
- *      - `setCredentials(c)` for refreshable sessions (both tokens present)
- *      - `setAccessOnlySession(accessToken)` for the `auth set` / `config set
- *        --token` power-user path, which has no refresh token by
- *        construction
- *      - `clearCredentials()` wipes the file entirely
- *    There is no "partial update" API. `Credentials` requires both
- *    `accessToken` and `refreshToken`, so it is impossible to persist a
- *    half-populated refreshable session.
- *
- * 3. Writes go through `atomicWriteFile` + `withFileLock`, so a crash or
- *    interrupt during `dreamboard sync`/`compile` cannot leave `auth.json`
- *    truncated, and parallel CLI invocations cannot clobber each other's
- *    rotated refresh tokens.
- *
- * 4. The on-disk JSON shape for the file backend is kept backward
- *    compatible: we continue to read/write `authToken` + `refreshToken`
- *    so existing users are not forced to log in again after this change.
- *    A newer `accessToken` key is also accepted for read to ease any
- *    future format bump.
- *
- * 5. The file backend is the default. The OS keychain is opt-in via
- *    `credentialBackend: "keychain"` in `~/.dreamboard/config.json`
- *    because on macOS the first keychain write triggers a login-password
- *    prompt, and re-prompts whenever the executing Node binary's code
- *    signature changes (e.g. after an `nvm`/`volta` upgrade). Users who
- *    want encrypted-at-rest storage can opt in explicitly; everyone else
- *    gets a zero-prompt experience.
- */
-/**
- * Raw on-disk snapshot. Either or both fields may be present. The refresh
- * coordinator only acts on snapshots that have both tokens populated.
- */
-type StoredSessionSnapshot = {
-    readonly accessToken?: string;
-    readonly refreshToken?: string;
-    readonly tokenExpiresAt?: string;
-    readonly clerkOAuthIssuer?: string;
-    readonly clerkOAuthClientId?: string;
-    readonly clerkOAuthTokenUrl?: string;
-    readonly environment?: string;
-};
-/** Loose read: returns whatever is on disk, including access-only sessions. */
-declare function getStoredSession(): Promise<StoredSessionSnapshot | null>;
-/**
- * Resolve the effective CLI config for this invocation.
- *
- * `resolveConfig` is pure and synchronous: it takes pre-loaded inputs
- * (global config, flags, optional project config, optional credential
- * snapshot) and assembles a read-only `ResolvedConfig`. It intentionally
- * does not touch disk or the network - refreshing/persisting credentials
- * is the job of `configureClient` + `RefreshCoordinator`.
- *
- * Passing `credentials = undefined` is equivalent to "no stored session
- * for this call", used by contexts that should never inherit the local
- * session (e.g. `dreamboard login` before the browser flow).
- */
-declare function resolveConfig(globalConfig: GlobalConfig, flags: ConfigFlags, project?: ProjectConfig, credentials?: StoredSessionSnapshot | null): ResolvedConfig;
-/**
- * Configure the API client for the resolved environment, refreshing the
- * stored CLI session first if it is close to expiry.
- *
- * The refresh path never mutates `config`. It goes through
- * Clerk OAuth directly and the CredentialStore writes. After a successful
- * rotation the HTTP client
- * is configured with the rotated access token; on transient failures we
- * fall back to the `config.authToken` snapshot (which is why commands
- * still see a bearer header and can surface the original error).
- */
-declare function configureClient(config: ResolvedConfig): Promise<void>;
-declare function requireAuth(config: ResolvedConfig): void;
-/**
- * Common init pattern used by pull, push, status, update, run commands:
- * find project root, load config, resolve config, require auth,
- * configure client.
- */
-declare function resolveProjectContext(flags: ConfigFlags, opts?: {
-    requireAuth?: boolean;
-}): Promise<{
-    projectRoot: string;
-    projectConfig: ProjectConfig;
-    config: ResolvedConfig;
-}>;
-/**
- * Load non-credential CLI configuration.
- *
- * Note: this function used to also load `authToken` / `refreshToken`
- * from `auth.json` and flatten them onto `GlobalConfig`. That shape
- * enabled the refresh-token-wipe bug: `saveGlobalConfig({ ...config })`
- * without explicit auth fields erased the stored refresh token.
- *
- * Credentials are now owned exclusively by `CredentialStore`. Callers
- * that need them must import `getCredentials()` directly.
- */
-declare function loadGlobalConfig(): Promise<GlobalConfig>;
-declare const CONFIG_FLAG_ARGS: {
-    env: {
-        type: "string";
-        description: string;
-    };
-    token: {
-        type: "string";
-        description: string;
-    };
-};
-declare const ENVIRONMENT_CONFIGS: Record<string, EnvironmentConfig>;
-declare function loadProjectConfig(rootDir: string): Promise<ProjectConfig>;
-declare function updateProjectState(rootDir: string, config: ProjectConfig): Promise<void>;
-declare function readJsonFile<T>(filePath: string): Promise<T>;
-declare function writeJsonFile(filePath: string, data: unknown): Promise<void>;
-declare function findCompiledResultsForAuthoringState(options: {
-    gameId: string;
-    authoringStateId: string;
-}): Promise<CompiledResult[]>;
-declare function setLatestCompileAttempt(projectConfig: ProjectConfig, attempt: ProjectCompileAttempt): ProjectConfig;
-declare function loadManifest(rootDir: string): Promise<GameTopologyManifest>;
-declare function writeSnapshot(rootDir: string): Promise<void>;
-interface WorkspaceCodegenWriteResult {
-    written: string[];
-    skipped: string[];
-    merged: string[];
-}
-declare function applyWorkspaceCodegen(options: {
-    projectRoot: string;
-    manifest: GameTopologyManifest;
-}): Promise<WorkspaceCodegenWriteResult>;
-declare function ensureReducerNativeTestingFiles(projectRoot: string): Promise<void>;
-declare function shortHash(value: string): string;
-/**
- * Browser test runner helpers shared with reducer-native-test-harness (browser runner).
- * Screenshot / JSON scenario navigation helpers lived in the deleted `run` command.
- */
-declare function configurePlaywrightBrowsersPath(): void;
-export { CONFIG_FLAG_ARGS, type ConfigFlags, ENVIRONMENT_CONFIGS, type ProjectConfig, type ResolvedConfig, applyWorkspaceCodegen, configureClient, configurePlaywrightBrowsersPath, ensureReducerNativeTestingFiles, findCompiledResultsForAuthoringState, getStoredSession, loadGlobalConfig, loadManifest, loadProjectConfig, parseConfigFlags, readJsonFile, requireAuth, resolveConfig, resolveProjectContext, setLatestCompileAttempt, shortHash, updateProjectState, writeJsonFile, writeSnapshot };

package/dist/keychain-backend-JHTXAKWC.js DELETED Viewed

@@ -1,135 +0,0 @@
-#!/usr/bin/env node
-import "./chunk-2H7UOFLK.js";
-// src/config/keychain-backend.ts
-var KEYCHAIN_SERVICE = "dreamboard-cli";
-var KEYCHAIN_ACCOUNT = "session";
-var cachedModule;
-async function loadKeyringModule() {
-  if (cachedModule !== void 0) return cachedModule;
-  try {
-    const mod = await import("@napi-rs/keyring");
-    cachedModule = mod;
-  } catch {
-    cachedModule = null;
-  }
-  return cachedModule;
-}
-function keychainProbe(entry) {
-  try {
-    entry.getPassword();
-    return true;
-  } catch {
-    return false;
-  }
-}
-function parsePayload(raw) {
-  if (raw === null || raw === void 0) return null;
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return null;
-  try {
-    const parsed = JSON.parse(trimmed);
-    if (!parsed.accessToken && !parsed.refreshToken) return null;
-    return {
-      accessToken: parsed.accessToken || void 0,
-      refreshToken: parsed.refreshToken || void 0,
-      tokenExpiresAt: parsed.tokenExpiresAt || void 0,
-      clerkOAuthIssuer: parsed.clerkOAuthIssuer || void 0,
-      clerkOAuthClientId: parsed.clerkOAuthClientId || void 0,
-      clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || void 0,
-      environment: parsed.environment || void 0
-    };
-  } catch {
-    return null;
-  }
-}
-function writeFull(entry, creds) {
-  if (!creds.accessToken || !creds.refreshToken) {
-    throw new Error(
-      "Refusing to persist credentials with an empty accessToken or refreshToken."
-    );
-  }
-  const payload = {
-    accessToken: creds.accessToken,
-    refreshToken: creds.refreshToken,
-    tokenExpiresAt: creds.tokenExpiresAt,
-    clerkOAuthIssuer: creds.clerkOAuthIssuer,
-    clerkOAuthClientId: creds.clerkOAuthClientId,
-    clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,
-    environment: creds.environment
-  };
-  entry.setPassword(JSON.stringify(payload));
-}
-function writeAccessOnly(entry, accessToken) {
-  if (!accessToken) {
-    throw new Error("Refusing to persist an empty access token.");
-  }
-  const payload = { accessToken };
-  entry.setPassword(JSON.stringify(payload));
-}
-function clear(entry) {
-  try {
-    entry.deletePassword();
-  } catch {
-  }
-}
-async function tryKeychainBackend() {
-  const mod = await loadKeyringModule();
-  if (!mod) {
-    return {
-      available: false,
-      reason: "@napi-rs/keyring is not installed for this platform"
-    };
-  }
-  let entry;
-  try {
-    entry = new mod.Entry(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
-  } catch (err) {
-    return {
-      available: false,
-      reason: `Failed to construct keyring entry: ${String(err.message ?? err)}`
-    };
-  }
-  if (!keychainProbe(entry)) {
-    return {
-      available: false,
-      reason: "OS keyring is not accessible from this process"
-    };
-  }
-  const backend = {
-    name: "keychain",
-    async read() {
-      try {
-        return parsePayload(entry.getPassword());
-      } catch (err) {
-        const message = String(err.message ?? err);
-        if (/no matching entry|not found/i.test(message)) {
-          return null;
-        }
-        throw err;
-      }
-    },
-    async writeFull(creds) {
-      writeFull(entry, creds);
-    },
-    async writeAccessOnly(accessToken) {
-      writeAccessOnly(entry, accessToken);
-    },
-    async clear() {
-      clear(entry);
-    }
-  };
-  return { available: true, backend };
-}
-function _setKeyringModuleForTests(mod) {
-  cachedModule = mod;
-}
-function _resetKeyringModuleForTests() {
-  cachedModule = void 0;
-}
-export {
-  _resetKeyringModuleForTests,
-  _setKeyringModuleForTests,
-  tryKeychainBackend
-};
-//# sourceMappingURL=keychain-backend-JHTXAKWC.js.map