@dreamboard-games/cli 0.1.30-alpha.1 → 0.1.30-alpha.2

package/dist/internal.d.ts

@@ -1,311 +0,0 @@
-import { z } from 'zod';
-import { CompiledResult } from '@dreamboard-games/api-client';
-import { GameTopologyManifest } from '@dreamboard-games/sdk/types';
-
-type Environment = "local" | "staging" | "prod";
-type LocalMaintainerRegistryPackages = {
-    "@dreamboard-games/api-client"?: string;
-    "@dreamboard-games/sdk": string;
-};
-type LocalMaintainerRegistryConfig = {
-    registryUrl: string;
-    snapshotId: string;
-    fingerprint: string;
-    publishedAt: string;
-    packages: LocalMaintainerRegistryPackages;
-};
-type EnvironmentConfig = {
-    apiBaseUrl: string;
-    webBaseUrl: string;
-    clerkOAuthIssuer?: string;
-    clerkOAuthClientId?: string;
-    clerkOAuthScope?: string;
-};
-/**
- * Non-credential configuration persisted at `~/.dreamboard/config.json`.
- *
- * IMPORTANT: `authToken` and `refreshToken` intentionally do NOT live here.
- * Credentials are owned exclusively by the `CredentialStore` module
- * (`config/credential-store.ts`). Mixing them into `GlobalConfig` was the
- * root cause of the refresh-token-wipe bug: `saveGlobalConfig({ ...config })`
- * could silently erase stored credentials if the caller forgot to include
- * them. With credentials removed from this type, that failure mode is a
- * type error.
- *
- * `credentialBackend` is a *selector*, not a credential: it only says where
- * tokens are stored. The default (unset) is `"file"` because the OS keychain
- * prompts the user for their login password on first use on macOS (and is
- * re-prompted whenever the Node binary signature changes, e.g. after an
- * `nvm`/`volta` upgrade). Users who want encrypted-at-rest storage can opt
- * in by writing `"credentialBackend": "keychain"` into this file.
- */
-type CredentialBackendPreference = "file" | "keychain";
-type GlobalConfig = {
-    environment?: Environment;
-    credentialBackend?: CredentialBackendPreference;
-};
-type ProjectPendingSyncPhase = "source_revision_created" | "authoring_state_created";
-type ProjectPendingAuthoringSync = {
-    phase: ProjectPendingSyncPhase;
-    revisionDigest?: string;
-    authoringStateId?: string;
-    ruleId?: string;
-    manifestId?: string;
-    manifestContentHash?: string;
-    localManifestContentHash?: string;
-    sourceRevisionId: string;
-    sourceTreeHash: string;
-};
-type ProjectAuthoringState = {
-    revisionDigest?: string;
-    authoringStateId?: string;
-    ruleId?: string;
-    manifestId?: string;
-    manifestContentHash?: string;
-    localManifestContentHash?: string;
-    sourceRevisionId?: string;
-    sourceTreeHash?: string;
-    pendingSync?: ProjectPendingAuthoringSync;
-};
-type ProjectCompileAttempt = {
-    resultId?: string;
-    jobId?: string;
-    revisionDigest?: string;
-    authoringStateId: string;
-    status: "successful" | "failed";
-    diagnosticsSummary?: string;
-};
-type ProjectCompileState = {
-    latestAttempt?: ProjectCompileAttempt;
-    latestSuccessful?: {
-        resultId: string;
-        authoringStateId: string;
-        revisionDigest?: string;
-    };
-};
-type ProjectManifestV2 = {
-    schemaVersion: 2;
-    projectId: string;
-    slug: string;
-};
-type ProjectEnvironmentBindingV1 = {
-    deploymentId: string;
-    ownerScopeId: string;
-    gameId?: string;
-    remoteHeadDigest?: string;
-    jobId?: string;
-    agentManaged?: boolean;
-    workspacePrepared?: boolean;
-    allowCreateGame?: boolean;
-    environment?: Environment;
-    authoring?: ProjectAuthoringState;
-    compile?: ProjectCompileState;
-    localMaintainerRegistry?: LocalMaintainerRegistryConfig;
-    apiBaseUrl?: string;
-    webBaseUrl?: string;
-    packageManifest?: Record<string, unknown>;
-    environmentManifest?: Record<string, unknown>;
-};
-type ProjectConfig = ProjectManifestV2 & Omit<ProjectEnvironmentBindingV1, "gameId"> & {
-    gameId: string;
-    bindingKey?: string;
-};
-/**
- * A resolved, read-only snapshot of "what should this CLI invocation do".
- *
- * `authToken` and `refreshToken` are read-only projections of the active
- * credentials at the moment `resolveConfig` runs. They are marked `readonly`
- * to discourage reassignment from command code; the refresh path never
- * mutates this object and instead goes through `CredentialStore` directly.
- * Persisting a `ResolvedConfig` back into `GlobalConfig`/`auth.json` is
- * not possible because `GlobalConfig` has no credential fields.
- */
-type ResolvedConfig = {
-    readonly environment: Environment;
-    readonly apiBaseUrl: string;
-    readonly webBaseUrl: string;
-    readonly authToken?: string;
-    readonly refreshToken?: string;
-    readonly tokenExpiresAt?: string;
-    readonly clerkOAuthIssuer?: string;
-    readonly clerkOAuthClientId?: string;
-    readonly clerkOAuthTokenUrl?: string;
-    readonly clerkOAuthScope?: string;
-    readonly authTokenSource?: "global" | "env" | "agent-env" | "flag" | "none";
-    readonly refreshTokenSource?: "global" | "env" | "none";
-};
-
-declare const configFlagsSchema: z.ZodObject<{
-    env: z.ZodOptional<z.ZodEnum<{
-        local: "local";
-        staging: "staging";
-        prod: "prod";
-    }>>;
-    token: z.ZodOptional<z.ZodString>;
-}, z.core.$strip>;
-type ConfigFlags = z.infer<typeof configFlagsSchema>;
-declare function parseConfigFlags(args: unknown): ConfigFlags;
-
-/**
- * Single writer for the long-lived Dreamboard session credentials.
- *
- * Design invariants (enforced at the type level and tested in
- * `credential-store.test.ts`):
- *
- * 1. This module is the ONLY place in the CLI that writes credentials to
- *    disk or the OS keychain. `global-config.ts` used to own both the
- *    config and the credentials via `saveGlobalConfig`, which made it
- *    trivial to wipe a refresh token by accident. The `GlobalConfig` type
- *    no longer carries credentials, so attempting to persist one through
- *    the config path is a type error.
- *
- * 2. The mutating surface is intentionally narrow:
- *      - `setCredentials(c)` for refreshable sessions (both tokens present)
- *      - `setAccessOnlySession(accessToken)` for the `auth set` / `config set
- *        --token` power-user path, which has no refresh token by
- *        construction
- *      - `clearCredentials()` wipes the file entirely
- *    There is no "partial update" API. `Credentials` requires both
- *    `accessToken` and `refreshToken`, so it is impossible to persist a
- *    half-populated refreshable session.
- *
- * 3. Writes go through `atomicWriteFile` + `withFileLock`, so a crash or
- *    interrupt during `dreamboard sync`/`compile` cannot leave `auth.json`
- *    truncated, and parallel CLI invocations cannot clobber each other's
- *    rotated refresh tokens.
- *
- * 4. The on-disk JSON shape for the file backend is kept backward
- *    compatible: we continue to read/write `authToken` + `refreshToken`
- *    so existing users are not forced to log in again after this change.
- *    A newer `accessToken` key is also accepted for read to ease any
- *    future format bump.
- *
- * 5. The file backend is the default. The OS keychain is opt-in via
- *    `credentialBackend: "keychain"` in `~/.dreamboard/config.json`
- *    because on macOS the first keychain write triggers a login-password
- *    prompt, and re-prompts whenever the executing Node binary's code
- *    signature changes (e.g. after an `nvm`/`volta` upgrade). Users who
- *    want encrypted-at-rest storage can opt in explicitly; everyone else
- *    gets a zero-prompt experience.
- */
-
-/**
- * Raw on-disk snapshot. Either or both fields may be present. The refresh
- * coordinator only acts on snapshots that have both tokens populated.
- */
-type StoredSessionSnapshot = {
-    readonly accessToken?: string;
-    readonly refreshToken?: string;
-    readonly tokenExpiresAt?: string;
-    readonly clerkOAuthIssuer?: string;
-    readonly clerkOAuthClientId?: string;
-    readonly clerkOAuthTokenUrl?: string;
-    readonly environment?: string;
-};
-/** Loose read: returns whatever is on disk, including access-only sessions. */
-declare function getStoredSession(): Promise<StoredSessionSnapshot | null>;
-
-/**
- * Resolve the effective CLI config for this invocation.
- *
- * `resolveConfig` is pure and synchronous: it takes pre-loaded inputs
- * (global config, flags, optional project config, optional credential
- * snapshot) and assembles a read-only `ResolvedConfig`. It intentionally
- * does not touch disk or the network - refreshing/persisting credentials
- * is the job of `configureClient` + `RefreshCoordinator`.
- *
- * Passing `credentials = undefined` is equivalent to "no stored session
- * for this call", used by contexts that should never inherit the local
- * session (e.g. `dreamboard login` before the browser flow).
- */
-declare function resolveConfig(globalConfig: GlobalConfig, flags: ConfigFlags, project?: ProjectConfig, credentials?: StoredSessionSnapshot | null): ResolvedConfig;
-/**
- * Configure the API client for the resolved environment, refreshing the
- * stored CLI session first if it is close to expiry.
- *
- * The refresh path never mutates `config`. It goes through
- * Clerk OAuth directly and the CredentialStore writes. After a successful
- * rotation the HTTP client
- * is configured with the rotated access token; on transient failures we
- * fall back to the `config.authToken` snapshot (which is why commands
- * still see a bearer header and can surface the original error).
- */
-declare function configureClient(config: ResolvedConfig): Promise<void>;
-declare function requireAuth(config: ResolvedConfig): void;
-/**
- * Common init pattern used by pull, push, status, update, run commands:
- * find project root, load config, resolve config, require auth,
- * configure client.
- */
-declare function resolveProjectContext(flags: ConfigFlags, opts?: {
-    requireAuth?: boolean;
-}): Promise<{
-    projectRoot: string;
-    projectConfig: ProjectConfig;
-    config: ResolvedConfig;
-}>;
-
-/**
- * Load non-credential CLI configuration.
- *
- * Note: this function used to also load `authToken` / `refreshToken`
- * from `auth.json` and flatten them onto `GlobalConfig`. That shape
- * enabled the refresh-token-wipe bug: `saveGlobalConfig({ ...config })`
- * without explicit auth fields erased the stored refresh token.
- *
- * Credentials are now owned exclusively by `CredentialStore`. Callers
- * that need them must import `getCredentials()` directly.
- */
-declare function loadGlobalConfig(): Promise<GlobalConfig>;
-
-declare const CONFIG_FLAG_ARGS: {
-    env: {
-        type: "string";
-        description: string;
-    };
-    token: {
-        type: "string";
-        description: string;
-    };
-};
-
-declare const ENVIRONMENT_CONFIGS: Record<string, EnvironmentConfig>;
-
-declare function loadProjectConfig(rootDir: string): Promise<ProjectConfig>;
-declare function updateProjectState(rootDir: string, config: ProjectConfig): Promise<void>;
-
-declare function readJsonFile<T>(filePath: string): Promise<T>;
-declare function writeJsonFile(filePath: string, data: unknown): Promise<void>;
-
-declare function findCompiledResultsForAuthoringState(options: {
-    gameId: string;
-    authoringStateId: string;
-}): Promise<CompiledResult[]>;
-
-declare function setLatestCompileAttempt(projectConfig: ProjectConfig, attempt: ProjectCompileAttempt): ProjectConfig;
-
-declare function loadManifest(rootDir: string): Promise<GameTopologyManifest>;
-
-declare function writeSnapshot(rootDir: string): Promise<void>;
-
-interface WorkspaceCodegenWriteResult {
-    written: string[];
-    skipped: string[];
-    merged: string[];
-}
-declare function applyWorkspaceCodegen(options: {
-    projectRoot: string;
-    manifest: GameTopologyManifest;
-}): Promise<WorkspaceCodegenWriteResult>;
-
-declare function ensureReducerNativeTestingFiles(projectRoot: string): Promise<void>;
-
-declare function shortHash(value: string): string;
-
-/**
- * Browser test runner helpers shared with reducer-native-test-harness (browser runner).
- * Screenshot / JSON scenario navigation helpers lived in the deleted `run` command.
- */
-declare function configurePlaywrightBrowsersPath(): void;
-
-export { CONFIG_FLAG_ARGS, type ConfigFlags, ENVIRONMENT_CONFIGS, type ProjectConfig, type ResolvedConfig, applyWorkspaceCodegen, configureClient, configurePlaywrightBrowsersPath, ensureReducerNativeTestingFiles, findCompiledResultsForAuthoringState, getStoredSession, loadGlobalConfig, loadManifest, loadProjectConfig, parseConfigFlags, readJsonFile, requireAuth, resolveConfig, resolveProjectContext, setLatestCompileAttempt, shortHash, updateProjectState, writeJsonFile, writeSnapshot };

package/dist/keychain-backend-JHTXAKWC.js

@@ -1,135 +0,0 @@
-#!/usr/bin/env node
-import "./chunk-2H7UOFLK.js";
-
-// src/config/keychain-backend.ts
-var KEYCHAIN_SERVICE = "dreamboard-cli";
-var KEYCHAIN_ACCOUNT = "session";
-var cachedModule;
-async function loadKeyringModule() {
-  if (cachedModule !== void 0) return cachedModule;
-  try {
-    const mod = await import("@napi-rs/keyring");
-    cachedModule = mod;
-  } catch {
-    cachedModule = null;
-  }
-  return cachedModule;
-}
-function keychainProbe(entry) {
-  try {
-    entry.getPassword();
-    return true;
-  } catch {
-    return false;
-  }
-}
-function parsePayload(raw) {
-  if (raw === null || raw === void 0) return null;
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return null;
-  try {
-    const parsed = JSON.parse(trimmed);
-    if (!parsed.accessToken && !parsed.refreshToken) return null;
-    return {
-      accessToken: parsed.accessToken || void 0,
-      refreshToken: parsed.refreshToken || void 0,
-      tokenExpiresAt: parsed.tokenExpiresAt || void 0,
-      clerkOAuthIssuer: parsed.clerkOAuthIssuer || void 0,
-      clerkOAuthClientId: parsed.clerkOAuthClientId || void 0,
-      clerkOAuthTokenUrl: parsed.clerkOAuthTokenUrl || void 0,
-      environment: parsed.environment || void 0
-    };
-  } catch {
-    return null;
-  }
-}
-function writeFull(entry, creds) {
-  if (!creds.accessToken || !creds.refreshToken) {
-    throw new Error(
-      "Refusing to persist credentials with an empty accessToken or refreshToken."
-    );
-  }
-  const payload = {
-    accessToken: creds.accessToken,
-    refreshToken: creds.refreshToken,
-    tokenExpiresAt: creds.tokenExpiresAt,
-    clerkOAuthIssuer: creds.clerkOAuthIssuer,
-    clerkOAuthClientId: creds.clerkOAuthClientId,
-    clerkOAuthTokenUrl: creds.clerkOAuthTokenUrl,
-    environment: creds.environment
-  };
-  entry.setPassword(JSON.stringify(payload));
-}
-function writeAccessOnly(entry, accessToken) {
-  if (!accessToken) {
-    throw new Error("Refusing to persist an empty access token.");
-  }
-  const payload = { accessToken };
-  entry.setPassword(JSON.stringify(payload));
-}
-function clear(entry) {
-  try {
-    entry.deletePassword();
-  } catch {
-  }
-}
-async function tryKeychainBackend() {
-  const mod = await loadKeyringModule();
-  if (!mod) {
-    return {
-      available: false,
-      reason: "@napi-rs/keyring is not installed for this platform"
-    };
-  }
-  let entry;
-  try {
-    entry = new mod.Entry(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
-  } catch (err) {
-    return {
-      available: false,
-      reason: `Failed to construct keyring entry: ${String(err.message ?? err)}`
-    };
-  }
-  if (!keychainProbe(entry)) {
-    return {
-      available: false,
-      reason: "OS keyring is not accessible from this process"
-    };
-  }
-  const backend = {
-    name: "keychain",
-    async read() {
-      try {
-        return parsePayload(entry.getPassword());
-      } catch (err) {
-        const message = String(err.message ?? err);
-        if (/no matching entry|not found/i.test(message)) {
-          return null;
-        }
-        throw err;
-      }
-    },
-    async writeFull(creds) {
-      writeFull(entry, creds);
-    },
-    async writeAccessOnly(accessToken) {
-      writeAccessOnly(entry, accessToken);
-    },
-    async clear() {
-      clear(entry);
-    }
-  };
-  return { available: true, backend };
-}
-function _setKeyringModuleForTests(mod) {
-  cachedModule = mod;
-}
-function _resetKeyringModuleForTests() {
-  cachedModule = void 0;
-}
-export {
-  _resetKeyringModuleForTests,
-  _setKeyringModuleForTests,
-  tryKeychainBackend
-};
-//# sourceMappingURL=keychain-backend-JHTXAKWC.js.map