@dreamboard-games/cli 0.1.30-alpha.29 → 0.1.30-alpha.30

package/README.md

@@ -112,7 +112,8 @@ dreamboard dev
 ## Notes
 
 - Project state lives in `.dreamboard/project.json`.
-- Published/public CLI installs target Node 20+ and support remote workflows.
+- Published/public CLI installs target Node 20+ and support commit-scoped
+  build, preview, release, and status workflows.
 - Published/public CLI builds are production-only; they do not support environment overrides or direct JWT injection.
 - Local embedded-harness testing remains Bun-only and requires a source checkout with local backend support.
 - Internal source-checkout builds may expose extra auth and environment helpers, but those are not part of the published CLI contract.

package/dist/agent-verifier/agent-workspace-verifier.mjs

@@ -2,24 +2,18 @@
 import {
   findProjectRoot,
   loadProjectConfig
-} from "./chunk-TIDX3YLW.mjs";
+} from "./chunk-M6YNQZCC.mjs";
 import {
-  IS_PUBLISHED_BUILD,
-  PUBLISHED_ENVIRONMENT,
-  createUserTokenManager,
-  resolveLocalHarnessAccessToken
-} from "./chunk-B7M2TJSP.mjs";
-import {
-  loadGlobalConfig
-} from "./chunk-UXGTT25Q.mjs";
-import {
-  getStoredSession
-} from "./chunk-IWB4L2HV.mjs";
+  clearCredentials,
+  getStoredSession,
+  loadGlobalConfig,
+  withCredentialLock
+} from "./chunk-FNSHNMDY.mjs";
 import "./chunk-GWRZRWCF.mjs";
 import {
   readJsonFile,
   readTextFileIfExists
-} from "./chunk-RDYXWXXC.mjs";
+} from "./chunk-LMW66VBH.mjs";
 import {
   client
 } from "./chunk-MYMVXTZT.mjs";
@@ -1134,6 +1128,356 @@ function _getDefaultLogLevel() {
 }
 var consola = createConsola2();
 
+// src/build-target.ts
+var injectedBuildChannel = true ? "development" : void 0;
+var BUILD_CHANNEL = injectedBuildChannel === "published" ? "published" : "development";
+var IS_PUBLISHED_BUILD = BUILD_CHANNEL === "published";
+var PUBLISHED_ENVIRONMENT = "prod";
+
+// src/auth/clerk-oauth.ts
+import crypto from "crypto";
+async function refreshClerkOAuthToken(input) {
+  const { clientId, tokenUrl } = assertConfigured(input.config);
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: clientId,
+    refresh_token: input.refreshToken
+  });
+  return requestClerkToken(tokenUrl, body);
+}
+function assertConfigured(config) {
+  const issuer = config.issuer?.trim().replace(/\/$/, "");
+  const clientId = config.clientId?.trim();
+  if (!issuer || !clientId) {
+    throw new Error(
+      [
+        "Clerk OAuth CLI is not configured for this environment.",
+        "The CLI expects first-party environments to be configured in its built-in registry.",
+        "If this environment has no registered public Clerk OAuth client, create one and release a CLI with its client id.",
+        "For emergency overrides, set the environment-specific DREAMBOARD_<ENV>_CLERK_OAUTH_* variables or DREAMBOARD_CLERK_OAUTH_*.",
+        "For local harness auth, use `pnpm auth:local` or the auto-bootstrapped local harness flows instead."
+      ].join(" ")
+    );
+  }
+  return {
+    issuer,
+    clientId,
+    tokenUrl: config.tokenUrl?.trim() || new URL("/oauth/token", issuer).toString(),
+    scope: config.scope?.trim() || void 0
+  };
+}
+async function requestClerkToken(tokenUrl, body) {
+  const response = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body
+  });
+  if (!response.ok) {
+    const detail = await response.text();
+    throw new Error(
+      `Clerk OAuth token request failed (${response.status}): ${detail}`
+    );
+  }
+  const payload = await response.json();
+  if (typeof payload.access_token !== "string") {
+    throw new Error("Clerk OAuth token response did not include access_token.");
+  }
+  if (typeof payload.refresh_token !== "string") {
+    throw new Error(
+      "Clerk OAuth token response did not include refresh_token."
+    );
+  }
+  const expiresAt = typeof payload.expires_in === "number" ? new Date(Date.now() + payload.expires_in * 1e3).toISOString() : void 0;
+  return {
+    accessToken: payload.access_token,
+    refreshToken: payload.refresh_token,
+    expiresAt,
+    tokenUrl
+  };
+}
+
+// src/auth/token-exchange.ts
+async function exchangeDreamboardUserToken(input) {
+  const fetchImpl = input.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  const response = await fetchImpl(
+    new URL("/api/auth/token-exchange", input.apiBaseUrl),
+    {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${input.clerkAccessToken}`,
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: JSON.stringify({ audience: input.audience })
+    }
+  );
+  if (!response.ok) {
+    throw new Error(
+      `Dreamboard token exchange failed (${response.status}). Run \`dreamboard auth login\` to authenticate again.`
+    );
+  }
+  const payload = await response.json();
+  if (typeof payload.accessToken !== "string" || payload.accessToken === "") {
+    throw new Error("Dreamboard token exchange response omitted accessToken.");
+  }
+  if (payload.tokenType !== "Bearer") {
+    throw new Error(
+      "Dreamboard token exchange response had invalid tokenType."
+    );
+  }
+  if (payload.audience !== input.audience) {
+    throw new Error("Dreamboard token exchange response had wrong audience.");
+  }
+  const expiresIn = typeof payload.expiresIn === "number" && Number.isFinite(payload.expiresIn) ? payload.expiresIn : void 0;
+  return {
+    accessToken: payload.accessToken,
+    tokenType: "Bearer",
+    audience: input.audience,
+    expiresIn,
+    expiresAt: expiresIn === void 0 ? void 0 : new Date(Date.now() + expiresIn * 1e3).toISOString()
+  };
+}
+
+// src/auth/user-token-manager.ts
+var TOKEN_REFRESH_WINDOW_MS = 60 * 1e3;
+function createUserTokenManager(config) {
+  return {
+    async resolveApiToken() {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) return localOrInjected;
+      if (!usesStoredSession(config)) return null;
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const apiToken = freshStoredApiToken(stored);
+        if (apiToken) return apiToken;
+        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const exchanged = await exchangeDreamboardUserToken({
+          apiBaseUrl: config.apiBaseUrl,
+          clerkAccessToken: clerk.accessToken,
+          audience: "dreamboard-api"
+        });
+        await ops.writeFull({
+          ...clerk,
+          dreamboardApiToken: exchanged.accessToken,
+          dreamboardApiExpiresAt: exchanged.expiresAt
+        });
+        return {
+          token: exchanged.accessToken,
+          expiresAt: exchanged.expiresAt,
+          audience: "dreamboard-api"
+        };
+      });
+    },
+    async resolveGitToken() {
+      if (!usesStoredSession(config) && config.authToken) {
+        const exchanged = await exchangeDreamboardUserToken({
+          apiBaseUrl: config.apiBaseUrl,
+          clerkAccessToken: config.authToken,
+          audience: "dreamboard-git"
+        });
+        return {
+          token: exchanged.accessToken,
+          expiresAt: exchanged.expiresAt,
+          audience: "dreamboard-git"
+        };
+      }
+      if (!usesStoredSession(config)) {
+        throw new Error(
+          "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+        );
+      }
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const exchanged = await exchangeDreamboardUserToken({
+          apiBaseUrl: config.apiBaseUrl,
+          clerkAccessToken: clerk.accessToken,
+          audience: "dreamboard-git"
+        });
+        await ops.writeFull(clerk);
+        return {
+          token: exchanged.accessToken,
+          expiresAt: exchanged.expiresAt,
+          audience: "dreamboard-git"
+        };
+      });
+    },
+    async logout() {
+      await clearCredentials("user_token_manager_logout");
+    }
+  };
+}
+function resolveNonStoredToken(config, audience) {
+  if (usesStoredSession(config)) return null;
+  if (!config.authToken) return null;
+  return {
+    token: config.authToken,
+    expiresAt: config.tokenExpiresAt,
+    audience
+  };
+}
+function freshStoredApiToken(stored) {
+  if (!stored?.dreamboardApiToken) return null;
+  if (isFresh(stored.dreamboardApiExpiresAt, stored.dreamboardApiToken)) {
+    return {
+      token: stored.dreamboardApiToken,
+      expiresAt: stored.dreamboardApiExpiresAt,
+      audience: "dreamboard-api"
+    };
+  }
+  return null;
+}
+async function resolveFreshClerkAccessToken(config, stored) {
+  const accessToken = stored?.accessToken ?? config.clerkAccessToken;
+  const refreshToken = stored?.refreshToken ?? config.refreshToken;
+  const tokenExpiresAt = stored?.tokenExpiresAt ?? config.clerkAccessExpiresAt;
+  if (!refreshToken) {
+    throw new Error(
+      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
+    );
+  }
+  if (accessToken && isFresh(tokenExpiresAt, accessToken)) {
+    return {
+      accessToken,
+      refreshToken,
+      tokenExpiresAt,
+      dreamboardApiToken: stored?.dreamboardApiToken,
+      dreamboardApiExpiresAt: stored?.dreamboardApiExpiresAt,
+      clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      clerkOAuthTokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
+      environment: stored?.environment ?? config.environment
+    };
+  }
+  const payload = await refreshClerkOAuthToken({
+    config: {
+      issuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      tokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
+    },
+    refreshToken
+  });
+  return {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    tokenExpiresAt: payload.expiresAt,
+    clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: payload.tokenUrl,
+    environment: stored?.environment ?? config.environment
+  };
+}
+function isFresh(expiresAt, token) {
+  const expiry = expiresAt ? new Date(expiresAt) : getJwtExpiry(token);
+  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + TOKEN_REFRESH_WINDOW_MS;
+}
+function getJwtExpiry(accessToken) {
+  if (!accessToken) return null;
+  const parts = accessToken.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf8")
+    );
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
+      return null;
+    }
+    return new Date(payload.exp * 1e3);
+  } catch {
+    return null;
+  }
+}
+function usesStoredSession(config) {
+  return config.refreshTokenSource === "global";
+}
+
+// src/config/local-harness-auth.ts
+import { createHmac, randomUUID } from "crypto";
+var DEFAULT_SUBJECT = "harness-smoke-local@dreamboard.local";
+var DEFAULT_ISSUER = "dreamboard-local-harness";
+var DEFAULT_SECRET = "dreamboard-local-harness-token-secret";
+var LOCAL_AWS_ISSUER = "dreamboard-local-aws-harness";
+var LOCAL_AWS_SECRET = "dreamboard-local-aws-harness-token-secret";
+var DEFAULT_TTL_SECONDS = 8 * 60 * 60;
+var mintedTokens = /* @__PURE__ */ new Map();
+function resolveLocalHarnessAccessToken(config) {
+  if (IS_PUBLISHED_BUILD || config.environment !== "local") {
+    return void 0;
+  }
+  const profile = inferLocalHarnessProfile(config);
+  if (config.authToken && (profile !== "local-aws" || isExplicitTokenSource(config.authTokenSource))) {
+    return void 0;
+  }
+  const cacheKey = [
+    profile,
+    process.env.LOCAL_HARNESS_TOKEN_ISSUER ?? "",
+    process.env.LOCAL_HARNESS_TOKEN_SECRET ?? "",
+    process.env.LOCAL_HARNESS_SUBJECT ?? "",
+    process.env.HARNESS_USER_EMAIL ?? "",
+    process.env.LOCAL_HARNESS_EMAIL ?? "",
+    process.env.LOCAL_HARNESS_TOKEN_TTL_SECONDS ?? ""
+  ].join("\0");
+  const cached = mintedTokens.get(cacheKey);
+  if (cached) return cached;
+  const token = mintLocalHarnessToken(profile);
+  mintedTokens.set(cacheKey, token);
+  return token;
+}
+function isExplicitTokenSource(source) {
+  return source === "flag" || source === "env" || source === "agent-env";
+}
+function inferLocalHarnessProfile(config) {
+  return isLocalAwsUrl(config.apiBaseUrl) || isLocalAwsUrl(config.webBaseUrl) ? "local-aws" : "local";
+}
+function mintLocalHarnessToken(profile) {
+  const subject = envValue(process.env.LOCAL_HARNESS_SUBJECT) ?? envValue(process.env.HARNESS_USER_EMAIL) ?? DEFAULT_SUBJECT;
+  const email = envValue(process.env.LOCAL_HARNESS_EMAIL) ?? (subject.includes("@") ? subject : void 0);
+  const issuer = envValue(process.env.LOCAL_HARNESS_TOKEN_ISSUER) ?? (profile === "local-aws" ? LOCAL_AWS_ISSUER : DEFAULT_ISSUER);
+  const secret = envValue(process.env.LOCAL_HARNESS_TOKEN_SECRET) ?? (profile === "local-aws" ? LOCAL_AWS_SECRET : DEFAULT_SECRET);
+  const ttlSeconds = Number(
+    envValue(process.env.LOCAL_HARNESS_TOKEN_TTL_SECONDS) ?? String(DEFAULT_TTL_SECONDS)
+  );
+  if (!Number.isFinite(ttlSeconds) || ttlSeconds <= 0) {
+    throw new Error(
+      "LOCAL_HARNESS_TOKEN_TTL_SECONDS must be a positive number."
+    );
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    typ: "local_harness_access",
+    dreamboard_provider: "local-harness",
+    dreamboard_provider_subject: subject,
+    ...email ? { email } : {},
+    iss: issuer,
+    sub: subject,
+    iat: now,
+    exp: now + Math.floor(ttlSeconds),
+    jti: randomUUID()
+  };
+  const headerPart = base64UrlJson({ alg: "HS256", typ: "JWT" });
+  const payloadPart = base64UrlJson(payload);
+  const signature = createHmac("sha256", secret).update(`${headerPart}.${payloadPart}`).digest("base64url");
+  return `${headerPart}.${payloadPart}.${signature}`;
+}
+function base64UrlJson(value) {
+  return Buffer.from(JSON.stringify(value), "utf8").toString("base64url");
+}
+function envValue(raw) {
+  return typeof raw === "string" && raw.trim().length > 0 ? raw.trim() : void 0;
+}
+function isLocalAwsUrl(rawUrl) {
+  if (!rawUrl) return false;
+  try {
+    const url = new URL(rawUrl);
+    return (url.hostname === "localhost" || url.hostname === "127.0.0.1") && (url.port === "18080" || url.port === "8088");
+  } catch {
+    return false;
+  }
+}
+
 // src/config/resolve.ts
 var DEFAULT_REFRESH_WINDOW_MS = 5 * 60 * 1e3;
 var TRANSIENT_READ_RETRY_DELAYS_MS = [100, 300];
@@ -1535,7 +1879,7 @@ Usage:
 }
 async function materializePreparedWorkspace(args) {
   const inputPath = readRequiredOption(args, "--input");
-  const { materializeWorkspaceProject } = await import("./materialize-workspace-XYYCQQGB.mjs");
+  const { materializeWorkspaceProject } = await import("./materialize-workspace-K4WYFG5E.mjs");
   const input = JSON.parse(await readFile(inputPath, "utf8"));
   await materializeWorkspaceProject({
     ...input,
@@ -1603,7 +1947,7 @@ async function runCloudLocalVerification(projectRoot, projectConfig, config) {
     { assertReducerContractPreflight },
     { getProjectLocalMaintainerRegistry }
   ] = await Promise.all([
-    import("./static-scaffold-M7QPX76Z.mjs"),
+    import("./static-scaffold-MHVM63HU.mjs"),
     import("./local-files-OF4QFISU.mjs"),
     import("./workspace-codegen-SPPVHURX.mjs"),
     import("./workspace-dependencies-5HEEKZFP.mjs"),
@@ -1641,7 +1985,7 @@ async function runCloudLocalVerification(projectRoot, projectConfig, config) {
     generateReducerNativeArtifacts,
     isReducerNativeTestingWorkspace,
     runReducerNativeScenarios
-  } = await import("./reducer-native-test-harness-BY5SZ7XE.mjs");
+  } = await import("./reducer-native-test-harness-UFMSNNDY.mjs");
   if (await isReducerNativeTestingWorkspace(projectRoot)) {
     const { bases } = await generateReducerNativeArtifacts({
       projectRoot,
@@ -1652,7 +1996,6 @@ async function runCloudLocalVerification(projectRoot, projectConfig, config) {
       projectRoot,
       projectConfig,
       resolvedConfig: config,
-      runner: "reducer",
       gameId: projectConfig.gameId,
       compiledResultId: projectConfig.compile?.latestSuccessful?.resultId
     });