npm - @dreamboard-games/cli - Versions diffs - 0.1.30-alpha.12 → 0.1.30-alpha.15 - Mend

@dreamboard-games/cli 0.1.30-alpha.12 → 0.1.30-alpha.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (143) hide show

package/dist/agent-verifier/{chunk-UIJ2NDG6.mjs → chunk-NFL3Z4Z7.mjs} RENAMED Viewed

@@ -2,23 +2,26 @@
 import {
   findProjectRoot,
   loadProjectConfig
-} from "./chunk-3IJBOLGT.mjs";
+} from "./chunk-WSIYUUSD.mjs";
 import {
-  getStoredSession,
-  loadGlobalConfig,
-  setCredentials
-} from "./chunk-W2MDP5ZN.mjs";
+  createUserTokenManager,
+  resolveLocalHarnessAccessToken
+} from "./chunk-CO3BRUD6.mjs";
 import {
-  IS_PUBLISHED_BUILD,
-  PUBLISHED_ENVIRONMENT
-} from "./chunk-KK47X7RV.mjs";
+  loadGlobalConfig
+} from "./chunk-DPYC2NDB.mjs";
 import {
-  client
-} from "./chunk-NAK77WXW.mjs";
+  IS_PUBLISHED_BUILD,
+  PUBLISHED_ENVIRONMENT,
+  getStoredSession
+} from "./chunk-AXXUGU7Q.mjs";
 import {
   readJsonFile,
   readTextFileIfExists
-} from "./chunk-IAYRNVUC.mjs";
+} from "./chunk-RDYXWXXC.mjs";
+import {
+  client
+} from "./chunk-MYMVXTZT.mjs";
 import {
   DEFAULT_API_BASE_URL,
   DEFAULT_WEB_BASE_URL,
@@ -1126,155 +1129,6 @@ function _getDefaultLogLevel() {
 }
 var consola = createConsola2();
-// src/auth/clerk-oauth.ts
-import crypto from "crypto";
-async function refreshClerkOAuthToken(input) {
-  const { clientId, tokenUrl } = assertConfigured(input.config);
-  const body = new URLSearchParams({
-    grant_type: "refresh_token",
-    client_id: clientId,
-    refresh_token: input.refreshToken
-  });
-  return requestClerkToken(tokenUrl, body);
-}
-function assertConfigured(config) {
-  const issuer = config.issuer?.trim().replace(/\/$/, "");
-  const clientId = config.clientId?.trim();
-  if (!issuer || !clientId) {
-    throw new Error(
-      [
-        "Clerk OAuth CLI is not configured for this environment.",
-        "The CLI expects first-party environments to be configured in its built-in registry.",
-        "If this environment has no registered public Clerk OAuth client, create one and release a CLI with its client id.",
-        "For emergency overrides, set the environment-specific DREAMBOARD_<ENV>_CLERK_OAUTH_* variables or DREAMBOARD_CLERK_OAUTH_*.",
-        "For local harness auth, use `pnpm auth:local` or the auto-bootstrapped local harness flows instead."
-      ].join(" ")
-    );
-  }
-  return {
-    issuer,
-    clientId,
-    tokenUrl: config.tokenUrl?.trim() || new URL("/oauth/token", issuer).toString(),
-    scope: config.scope?.trim() || void 0
-  };
-}
-async function requestClerkToken(tokenUrl, body) {
-  const response = await fetch(tokenUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json"
-    },
-    body
-  });
-  if (!response.ok) {
-    const detail = await response.text();
-    throw new Error(
-      `Clerk OAuth token request failed (${response.status}): ${detail}`
-    );
-  }
-  const payload = await response.json();
-  if (typeof payload.access_token !== "string") {
-    throw new Error("Clerk OAuth token response did not include access_token.");
-  }
-  if (typeof payload.refresh_token !== "string") {
-    throw new Error(
-      "Clerk OAuth token response did not include refresh_token."
-    );
-  }
-  const expiresAt = typeof payload.expires_in === "number" ? new Date(Date.now() + payload.expires_in * 1e3).toISOString() : void 0;
-  return {
-    accessToken: payload.access_token,
-    refreshToken: payload.refresh_token,
-    expiresAt,
-    tokenUrl
-  };
-}
-// src/config/local-harness-auth.ts
-import { createHmac, randomUUID } from "crypto";
-var DEFAULT_SUBJECT = "harness-smoke-local@dreamboard.local";
-var DEFAULT_ISSUER = "dreamboard-local-harness";
-var DEFAULT_SECRET = "dreamboard-local-harness-token-secret";
-var LOCAL_AWS_ISSUER = "dreamboard-local-aws-harness";
-var LOCAL_AWS_SECRET = "dreamboard-local-aws-harness-token-secret";
-var DEFAULT_TTL_SECONDS = 8 * 60 * 60;
-var mintedTokens = /* @__PURE__ */ new Map();
-function resolveLocalHarnessAccessToken(config) {
-  if (IS_PUBLISHED_BUILD || config.environment !== "local") {
-    return void 0;
-  }
-  const profile = inferLocalHarnessProfile(config);
-  if (config.authToken && (profile !== "local-aws" || isExplicitTokenSource(config.authTokenSource))) {
-    return void 0;
-  }
-  const cacheKey = [
-    profile,
-    process.env.LOCAL_HARNESS_TOKEN_ISSUER ?? "",
-    process.env.LOCAL_HARNESS_TOKEN_SECRET ?? "",
-    process.env.LOCAL_HARNESS_SUBJECT ?? "",
-    process.env.HARNESS_USER_EMAIL ?? "",
-    process.env.LOCAL_HARNESS_EMAIL ?? "",
-    process.env.LOCAL_HARNESS_TOKEN_TTL_SECONDS ?? ""
-  ].join("\0");
-  const cached = mintedTokens.get(cacheKey);
-  if (cached) return cached;
-  const token = mintLocalHarnessToken(profile);
-  mintedTokens.set(cacheKey, token);
-  return token;
-}
-function isExplicitTokenSource(source) {
-  return source === "flag" || source === "env" || source === "agent-env";
-}
-function inferLocalHarnessProfile(config) {
-  return isLocalAwsUrl(config.apiBaseUrl) || isLocalAwsUrl(config.webBaseUrl) ? "local-aws" : "local";
-}
-function mintLocalHarnessToken(profile) {
-  const subject = envValue(process.env.LOCAL_HARNESS_SUBJECT) ?? envValue(process.env.HARNESS_USER_EMAIL) ?? DEFAULT_SUBJECT;
-  const email = envValue(process.env.LOCAL_HARNESS_EMAIL) ?? (subject.includes("@") ? subject : void 0);
-  const issuer = envValue(process.env.LOCAL_HARNESS_TOKEN_ISSUER) ?? (profile === "local-aws" ? LOCAL_AWS_ISSUER : DEFAULT_ISSUER);
-  const secret = envValue(process.env.LOCAL_HARNESS_TOKEN_SECRET) ?? (profile === "local-aws" ? LOCAL_AWS_SECRET : DEFAULT_SECRET);
-  const ttlSeconds = Number(
-    envValue(process.env.LOCAL_HARNESS_TOKEN_TTL_SECONDS) ?? String(DEFAULT_TTL_SECONDS)
-  );
-  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
-    throw new Error(
-      "LOCAL_HARNESS_TOKEN_TTL_SECONDS must be a positive number."
-    );
-  }
-  const now = Math.floor(Date.now() / 1e3);
-  const payload = {
-    typ: "local_harness_access",
-    dreamboard_provider: "local-harness",
-    dreamboard_provider_subject: subject,
-    ...email ? { email } : {},
-    iss: issuer,
-    sub: subject,
-    iat: now,
-    exp: now + Math.floor(ttlSeconds),
-    jti: randomUUID()
-  };
-  const headerPart = base64UrlJson({ alg: "HS256", typ: "JWT" });
-  const payloadPart = base64UrlJson(payload);
-  const signature = createHmac("sha256", secret).update(`${headerPart}.${payloadPart}`).digest("base64url");
-  return `${headerPart}.${payloadPart}.${signature}`;
-}
-function base64UrlJson(value) {
-  return Buffer.from(JSON.stringify(value), "utf8").toString("base64url");
-}
-function envValue(raw) {
-  return typeof raw === "string" && raw.trim().length > 0 ? raw.trim() : void 0;
-}
-function isLocalAwsUrl(rawUrl) {
-  if (!rawUrl) return false;
-  try {
-    const url = new URL(rawUrl);
-    return (url.hostname === "localhost" || url.hostname === "127.0.0.1") && (url.port === "18080" || url.port === "8088");
-  } catch {
-    return false;
-  }
-}
 // src/config/resolve.ts
 var DEFAULT_REFRESH_WINDOW_MS = 5 * 60 * 1e3;
 var TRANSIENT_READ_RETRY_DELAYS_MS = [100, 300];
@@ -1298,9 +1152,13 @@ function resolveConfig(globalConfig, flags, project, credentials) {
     environment,
     apiBaseUrl,
     webBaseUrl,
-    authToken: snapshot.accessToken,
+    authToken: snapshot.dreamboardApiToken ?? (snapshot.refreshToken ? void 0 : snapshot.accessToken),
     refreshToken: snapshot.refreshToken,
-    tokenExpiresAt: snapshot.tokenExpiresAt,
+    tokenExpiresAt: snapshot.dreamboardApiExpiresAt ?? (snapshot.refreshToken ? void 0 : snapshot.tokenExpiresAt),
+    clerkAccessToken: snapshot.accessToken,
+    clerkAccessExpiresAt: snapshot.tokenExpiresAt,
+    dreamboardApiToken: snapshot.dreamboardApiToken,
+    dreamboardApiExpiresAt: snapshot.dreamboardApiExpiresAt,
     clerkOAuthIssuer: snapshot.clerkOAuthIssuer ?? oauthConfig.issuer,
     clerkOAuthClientId: snapshot.clerkOAuthClientId ?? oauthConfig.clientId,
     clerkOAuthTokenUrl: snapshot.clerkOAuthTokenUrl ?? oauthConfig.tokenUrl,
@@ -1321,9 +1179,7 @@ function resolveEnvironmentOAuthConfig(environment, envConfig) {
     tokenUrl: valueOrUndefined(
       process.env[`DREAMBOARD_${prefix}_CLERK_OAUTH_TOKEN_URL`]
     ) ?? valueOrUndefined(process.env.DREAMBOARD_CLERK_OAUTH_TOKEN_URL) ?? envConfig?.clerkOAuthTokenUrl,
-    scope: valueOrUndefined(
-      process.env[`DREAMBOARD_${prefix}_CLERK_OAUTH_SCOPE`]
-    ) ?? valueOrUndefined(process.env.DREAMBOARD_CLERK_OAUTH_SCOPE) ?? envConfig?.clerkOAuthScope
+    scope: valueOrUndefined(process.env[`DREAMBOARD_${prefix}_CLERK_OAUTH_SCOPE`]) ?? valueOrUndefined(process.env.DREAMBOARD_CLERK_OAUTH_SCOPE) ?? envConfig?.clerkOAuthScope
   };
 }
 function buildCredentialSnapshot(flags, storedCredentials, environment) {
@@ -1346,11 +1202,13 @@ function buildCredentialSnapshot(flags, storedCredentials, environment) {
       accessToken: stored?.accessToken,
       refreshToken: stored?.refreshToken,
       tokenExpiresAt: stored?.tokenExpiresAt,
+      dreamboardApiToken: stored?.dreamboardApiToken,
+      dreamboardApiExpiresAt: stored?.dreamboardApiExpiresAt,
       clerkOAuthIssuer: stored?.clerkOAuthIssuer,
       clerkOAuthClientId: stored?.clerkOAuthClientId,
       clerkOAuthTokenUrl: stored?.clerkOAuthTokenUrl,
       environment: stored?.environment,
-      authTokenSource: stored?.accessToken ? "global" : "none",
+      authTokenSource: stored?.dreamboardApiToken || stored?.accessToken && !stored.refreshToken ? "global" : "none",
       refreshTokenSource: stored?.refreshToken ? "global" : "none"
     };
   }
@@ -1362,6 +1220,8 @@ function buildCredentialSnapshot(flags, storedCredentials, environment) {
     accessToken,
     refreshToken,
     tokenExpiresAt: environmentScopedStoredCredentials?.tokenExpiresAt,
+    dreamboardApiToken: environmentScopedStoredCredentials?.dreamboardApiToken,
+    dreamboardApiExpiresAt: environmentScopedStoredCredentials?.dreamboardApiExpiresAt,
     clerkOAuthIssuer: environmentScopedStoredCredentials?.clerkOAuthIssuer,
     clerkOAuthClientId: environmentScopedStoredCredentials?.clerkOAuthClientId,
     clerkOAuthTokenUrl: environmentScopedStoredCredentials?.clerkOAuthTokenUrl,
@@ -1408,7 +1268,9 @@ function assertPublicRuntimeFlags(flags) {
   }
 }
 async function configureClient(config) {
-  const effectiveAccessToken = await ensureEffectiveAccessToken(config);
+  const localHarnessToken = resolveLocalHarnessAccessToken(config);
+  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserTokenManager(config).resolveApiToken();
+  const effectiveAccessToken = resolvedToken?.token;
   client.setConfig({
     baseUrl: config.apiBaseUrl,
     fetch: createRetryingReadFetch(globalThis.fetch.bind(globalThis)),
@@ -1448,58 +1310,8 @@ function isTransientFetchError(error) {
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
-async function ensureEffectiveAccessToken(config) {
-  const localHarnessToken = resolveLocalHarnessAccessToken(config);
-  if (localHarnessToken) return localHarnessToken;
-  if (!usesStoredSession(config)) {
-    return config.authToken;
-  }
-  if (config.refreshToken) {
-    const credentials = await refreshClerkOAuthSessionIfNeeded(config);
-    return credentials?.accessToken ?? config.authToken;
-  }
-  return config.authToken;
-}
-async function refreshClerkOAuthSessionIfNeeded(config) {
-  const expiry = config.tokenExpiresAt ? new Date(config.tokenExpiresAt) : getAuthTokenExpiry(config.authToken);
-  if (expiry && expiry.getTime() > Date.now() + DEFAULT_REFRESH_WINDOW_MS) {
-    if (!config.authToken || !config.refreshToken) return null;
-    return {
-      accessToken: config.authToken,
-      refreshToken: config.refreshToken,
-      tokenExpiresAt: config.tokenExpiresAt,
-      clerkOAuthIssuer: config.clerkOAuthIssuer,
-      clerkOAuthClientId: config.clerkOAuthClientId,
-      clerkOAuthTokenUrl: config.clerkOAuthTokenUrl,
-      environment: config.environment
-    };
-  }
-  return refreshClerkOAuthSession(config);
-}
-async function refreshClerkOAuthSession(config) {
-  if (!config.refreshToken) return null;
-  const payload = await refreshClerkOAuthToken({
-    config: {
-      issuer: config.clerkOAuthIssuer,
-      clientId: config.clerkOAuthClientId,
-      tokenUrl: config.clerkOAuthTokenUrl
-    },
-    refreshToken: config.refreshToken
-  });
-  const credentials = {
-    accessToken: payload.accessToken,
-    refreshToken: payload.refreshToken,
-    tokenExpiresAt: payload.expiresAt,
-    clerkOAuthIssuer: config.clerkOAuthIssuer,
-    clerkOAuthClientId: config.clerkOAuthClientId,
-    clerkOAuthTokenUrl: payload.tokenUrl,
-    environment: config.environment
-  };
-  await setCredentials(credentials);
-  return credentials;
-}
 function requireAuth(config) {
-  if (!config.authToken && !resolveLocalHarnessAccessToken(config)) {
+  if (!config.authToken && !config.refreshToken && !resolveLocalHarnessAccessToken(config)) {
     throw new Error(
       "Missing Dreamboard session. Run `dreamboard login` to authenticate."
     );
@@ -1508,25 +1320,6 @@ function requireAuth(config) {
 function valueOrUndefined(value) {
   return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
 }
-function getAuthTokenExpiry(accessToken) {
-  if (!accessToken) return null;
-  const parts = accessToken.split(".");
-  if (parts.length !== 3) return null;
-  try {
-    const payload = JSON.parse(
-      Buffer.from(parts[1], "base64url").toString("utf8")
-    );
-    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
-      return null;
-    }
-    return new Date(payload.exp * 1e3);
-  } catch {
-    return null;
-  }
-}
-function usesStoredSession(config) {
-  return config.authTokenSource === "global" && config.refreshTokenSource === "global";
-}
 async function resolveProjectContext(flags, opts) {
   const projectRoot = await findProjectRoot(process.cwd());
   if (!projectRoot) {
@@ -1747,4 +1540,4 @@ export {
   assertCompilerPortableDependencies,
   assertReleaseEnvironmentPortableDependencies
 };
-//# sourceMappingURL=chunk-UIJ2NDG6.mjs.map
+//# sourceMappingURL=chunk-NFL3Z4Z7.mjs.map