@dreamboard-games/cli 0.1.30-alpha.30 → 0.1.30-alpha.31

package/dist/agent-verifier/agent-workspace-verifier.mjs

@@ -4,11 +4,10 @@ import {
   loadProjectConfig
 } from "./chunk-M6YNQZCC.mjs";
 import {
-  clearCredentials,
   getStoredSession,
   loadGlobalConfig,
   withCredentialLock
-} from "./chunk-FNSHNMDY.mjs";
+} from "./chunk-MIRGCMUC.mjs";
 import "./chunk-GWRZRWCF.mjs";
 import {
   readJsonFile,
@@ -1134,6 +1133,18 @@ var BUILD_CHANNEL = injectedBuildChannel === "published" ? "published" : "develo
 var IS_PUBLISHED_BUILD = BUILD_CHANNEL === "published";
 var PUBLISHED_ENVIRONMENT = "prod";
 
+// src/auth/refresh-error.ts
+function classifyRefreshError(error) {
+  const message = error.message?.toLowerCase() ?? "";
+  if (error.status === 400 || error.status === 401 || message.includes("invalid_grant") || message.includes("refresh token") || message.includes("expired") || message.includes("revoked")) {
+    return { kind: "permanent_invalid", reason: error.message };
+  }
+  if (error.status === 408 || error.status === 429 || typeof error.status === "number" && error.status >= 500 || message.includes("timeout") || message.includes("network") || message.includes("fetch failed")) {
+    return { kind: "transient", reason: error.message };
+  }
+  return { kind: "unknown", reason: error.message };
+}
+
 // src/auth/clerk-oauth.ts
 import crypto from "crypto";
 async function refreshClerkOAuthToken(input) {
@@ -1241,75 +1252,183 @@ async function exchangeDreamboardUserToken(input) {
   };
 }
 
-// src/auth/user-token-manager.ts
-var TOKEN_REFRESH_WINDOW_MS = 60 * 1e3;
-function createUserTokenManager(config) {
+// src/auth/user-session-manager.ts
+var DEFAULT_TOKEN_MIN_VALIDITY_MS = 60 * 1e3;
+function createUserSessionManager(config) {
   return {
-    async resolveApiToken() {
-      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
-      if (localOrInjected) return localOrInjected;
-      if (!usesStoredSession(config)) return null;
+    async establishRefreshableSession(session) {
       return withCredentialLock(async (ops) => {
-        const stored = await ops.read();
-        const apiToken = freshStoredApiToken(stored);
-        if (apiToken) return apiToken;
-        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const credentials = credentialsFromRefreshableSession(session);
+        await ops.writeFull(credentials);
         const exchanged = await exchangeDreamboardUserToken({
           apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: clerk.accessToken,
+          clerkAccessToken: credentials.accessToken,
           audience: "dreamboard-api"
         });
-        await ops.writeFull({
-          ...clerk,
-          dreamboardApiToken: exchanged.accessToken,
-          dreamboardApiExpiresAt: exchanged.expiresAt
-        });
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-api"
-        };
+        const apiToken = toAccessToken(exchanged);
+        await ops.writeFull(withApiToken(credentials, apiToken));
+        return apiToken;
+      });
+    },
+    async establishAccessOnlySession(accessToken) {
+      await withCredentialLock((ops) => ops.writeAccessOnly(accessToken));
+    },
+    async resolveApiToken(options) {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) return localOrInjected;
+      if (!usesStoredSession(config)) return null;
+      const minValidityMs = options?.minValiditySeconds === void 0 ? DEFAULT_TOKEN_MIN_VALIDITY_MS : Math.max(0, options.minValiditySeconds * 1e3);
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        return resolveStoredApiToken(ops, config, stored, minValidityMs);
       });
     },
     async resolveGitToken() {
-      if (!usesStoredSession(config) && config.authToken) {
-        const exchanged = await exchangeDreamboardUserToken({
-          apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: config.authToken,
-          audience: "dreamboard-git"
-        });
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-git"
-        };
-      }
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-git");
+      if (localOrInjected) return localOrInjected;
       if (!usesStoredSession(config)) {
-        throw new Error(
-          "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+        throw missingSessionError();
+      }
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const clerk = await resolveFreshClerkSession(ops, config, stored);
+        return toAccessToken(
+          await exchangeDreamboardUserToken({
+            apiBaseUrl: config.apiBaseUrl,
+            clerkAccessToken: clerk.accessToken,
+            audience: "dreamboard-git"
+          })
         );
+      });
+    },
+    async inspectSession() {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) {
+        return inspectAccessOnlyToken(localOrInjected);
+      }
+      if (!usesStoredSession(config)) {
+        return { kind: "none" };
       }
       return withCredentialLock(async (ops) => {
         const stored = await ops.read();
-        const clerk = await resolveFreshClerkAccessToken(config, stored);
-        const exchanged = await exchangeDreamboardUserToken({
-          apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: clerk.accessToken,
-          audience: "dreamboard-git"
-        });
-        await ops.writeFull(clerk);
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-git"
-        };
+        if (!stored) return { kind: "none" };
+        const cached = freshStoredApiToken(
+          stored,
+          DEFAULT_TOKEN_MIN_VALIDITY_MS
+        );
+        if (cached) {
+          return activeStatus("refreshable", cached, false);
+        }
+        try {
+          const token = await resolveStoredApiToken(
+            ops,
+            config,
+            stored,
+            DEFAULT_TOKEN_MIN_VALIDITY_MS
+          );
+          return activeStatus("refreshable", token, true);
+        } catch (error) {
+          return failedRefreshableStatus(error);
+        }
       });
     },
     async logout() {
-      await clearCredentials("user_token_manager_logout");
+      await withCredentialLock((ops) => ops.clear("logout_command"));
     }
   };
 }
+async function resolveStoredApiToken(ops, config, stored, minValidityMs) {
+  const cached = freshStoredApiToken(stored, minValidityMs);
+  if (cached) return cached;
+  const clerk = await resolveFreshClerkSession(ops, config, stored);
+  const exchanged = await exchangeDreamboardUserToken({
+    apiBaseUrl: config.apiBaseUrl,
+    clerkAccessToken: clerk.accessToken,
+    audience: "dreamboard-api"
+  });
+  const apiToken = toAccessToken(exchanged);
+  await ops.writeFull(withApiToken(clerk, apiToken));
+  return apiToken;
+}
+async function resolveFreshClerkSession(ops, config, stored) {
+  if (!stored) {
+    throw missingSessionError();
+  }
+  if (!stored.refreshToken) {
+    throw new Error(
+      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
+    );
+  }
+  if (stored.accessToken && isFresh(
+    stored.tokenExpiresAt,
+    stored.accessToken,
+    DEFAULT_TOKEN_MIN_VALIDITY_MS
+  )) {
+    return credentialsFromStored(config, stored);
+  }
+  const payload = await refreshClerkOAuthToken({
+    config: {
+      issuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      tokenUrl: stored.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
+    },
+    refreshToken: stored.refreshToken
+  });
+  const refreshed = {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    tokenExpiresAt: payload.expiresAt,
+    dreamboardApiToken: stored.dreamboardApiToken,
+    dreamboardApiExpiresAt: stored.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: payload.tokenUrl,
+    environment: stored.environment ?? config.environment
+  };
+  await ops.writeFull(refreshed);
+  return refreshed;
+}
+function credentialsFromStored(config, stored) {
+  if (!stored.accessToken || !stored.refreshToken) {
+    throw missingSessionError();
+  }
+  return {
+    accessToken: stored.accessToken,
+    refreshToken: stored.refreshToken,
+    tokenExpiresAt: stored.tokenExpiresAt,
+    dreamboardApiToken: stored.dreamboardApiToken,
+    dreamboardApiExpiresAt: stored.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: stored.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
+    environment: stored.environment ?? config.environment
+  };
+}
+function credentialsFromRefreshableSession(session) {
+  return {
+    accessToken: session.clerkAccessToken,
+    refreshToken: session.refreshToken,
+    tokenExpiresAt: session.clerkAccessExpiresAt,
+    clerkOAuthIssuer: session.clerkOAuthIssuer,
+    clerkOAuthClientId: session.clerkOAuthClientId,
+    clerkOAuthTokenUrl: session.clerkOAuthTokenUrl,
+    environment: session.environment
+  };
+}
+function withApiToken(credentials, token) {
+  return {
+    ...credentials,
+    dreamboardApiToken: token.token,
+    dreamboardApiExpiresAt: token.expiresAt
+  };
+}
+function toAccessToken(token) {
+  return {
+    token: token.accessToken,
+    expiresAt: token.expiresAt,
+    audience: token.audience
+  };
+}
 function resolveNonStoredToken(config, audience) {
   if (usesStoredSession(config)) return null;
   if (!config.authToken) return null;
@@ -1319,9 +1438,13 @@ function resolveNonStoredToken(config, audience) {
     audience
   };
 }
-function freshStoredApiToken(stored) {
+function freshStoredApiToken(stored, minValidityMs) {
   if (!stored?.dreamboardApiToken) return null;
-  if (isFresh(stored.dreamboardApiExpiresAt, stored.dreamboardApiToken)) {
+  if (isFresh(
+    stored.dreamboardApiExpiresAt,
+    stored.dreamboardApiToken,
+    minValidityMs
+  )) {
     return {
       token: stored.dreamboardApiToken,
       expiresAt: stored.dreamboardApiExpiresAt,
@@ -1330,49 +1453,60 @@ function freshStoredApiToken(stored) {
   }
   return null;
 }
-async function resolveFreshClerkAccessToken(config, stored) {
-  const accessToken = stored?.accessToken ?? config.clerkAccessToken;
-  const refreshToken = stored?.refreshToken ?? config.refreshToken;
-  const tokenExpiresAt = stored?.tokenExpiresAt ?? config.clerkAccessExpiresAt;
-  if (!refreshToken) {
-    throw new Error(
-      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
-    );
-  }
-  if (accessToken && isFresh(tokenExpiresAt, accessToken)) {
+function inspectAccessOnlyToken(token) {
+  const expiry = resolveExpiry(token.expiresAt, token.token);
+  if (expiry && expiry.getTime() <= Date.now()) {
     return {
-      accessToken,
-      refreshToken,
-      tokenExpiresAt,
-      dreamboardApiToken: stored?.dreamboardApiToken,
-      dreamboardApiExpiresAt: stored?.dreamboardApiExpiresAt,
-      clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-      clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-      clerkOAuthTokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
-      environment: stored?.environment ?? config.environment
+      kind: "invalid",
+      sessionKind: "access-only",
+      message: "Stored Dreamboard access token is expired. Run `dreamboard auth login` to authenticate again."
     };
   }
-  const payload = await refreshClerkOAuthToken({
-    config: {
-      issuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-      clientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-      tokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
-    },
-    refreshToken
+  return activeStatus("access-only", token, false);
+}
+function failedRefreshableStatus(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  const errorStatus = typeof error === "object" && error !== null && "status" in error ? error.status : void 0;
+  const classification = classifyRefreshError({
+    message,
+    status: typeof errorStatus === "number" ? errorStatus : void 0
   });
+  if (classification.kind === "permanent_invalid") {
+    return {
+      kind: "invalid",
+      sessionKind: "refreshable",
+      message
+    };
+  }
   return {
-    accessToken: payload.accessToken,
-    refreshToken: payload.refreshToken,
-    tokenExpiresAt: payload.expiresAt,
-    clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-    clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-    clerkOAuthTokenUrl: payload.tokenUrl,
-    environment: stored?.environment ?? config.environment
+    kind: "degraded",
+    sessionKind: "refreshable",
+    message
   };
 }
-function isFresh(expiresAt, token) {
-  const expiry = expiresAt ? new Date(expiresAt) : getJwtExpiry(token);
-  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + TOKEN_REFRESH_WINDOW_MS;
+function activeStatus(sessionKind, apiToken, repaired) {
+  return {
+    kind: "active",
+    sessionKind,
+    apiToken,
+    repaired
+  };
+}
+function missingSessionError() {
+  return new Error(
+    "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+  );
+}
+function isFresh(expiresAt, token, minValidityMs) {
+  const expiry = resolveExpiry(expiresAt, token);
+  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + minValidityMs;
+}
+function resolveExpiry(expiresAt, token) {
+  if (expiresAt) {
+    const parsed = new Date(expiresAt);
+    return Number.isFinite(parsed.getTime()) ? parsed : null;
+  }
+  return getJwtExpiry(token);
 }
 function getJwtExpiry(accessToken) {
   if (!accessToken) return null;
@@ -1479,7 +1613,6 @@ function isLocalAwsUrl(rawUrl) {
 }
 
 // src/config/resolve.ts
-var DEFAULT_REFRESH_WINDOW_MS = 5 * 60 * 1e3;
 var TRANSIENT_READ_RETRY_DELAYS_MS = [100, 300];
 function resolveConfig(globalConfig, flags, project, credentials) {
   if (IS_PUBLISHED_BUILD) {
@@ -1618,7 +1751,7 @@ function assertPublicRuntimeFlags(flags) {
 }
 async function configureClient(config) {
   const localHarnessToken = resolveLocalHarnessAccessToken(config);
-  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserTokenManager(config).resolveApiToken();
+  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserSessionManager(config).resolveApiToken();
   const effectiveAccessToken = resolvedToken?.token;
   client.setConfig({
     baseUrl: config.apiBaseUrl,
@@ -1879,7 +2012,7 @@ Usage:
 }
 async function materializePreparedWorkspace(args) {
   const inputPath = readRequiredOption(args, "--input");
-  const { materializeWorkspaceProject } = await import("./materialize-workspace-K4WYFG5E.mjs");
+  const { materializeWorkspaceProject } = await import("./materialize-workspace-MAGKDMK5.mjs");
   const input = JSON.parse(await readFile(inputPath, "utf8"));
   await materializeWorkspaceProject({
     ...input,
@@ -1947,7 +2080,7 @@ async function runCloudLocalVerification(projectRoot, projectConfig, config) {
     { assertReducerContractPreflight },
     { getProjectLocalMaintainerRegistry }
   ] = await Promise.all([
-    import("./static-scaffold-MHVM63HU.mjs"),
+    import("./static-scaffold-CLRRWXON.mjs"),
     import("./local-files-OF4QFISU.mjs"),
     import("./workspace-codegen-SPPVHURX.mjs"),
     import("./workspace-dependencies-5HEEKZFP.mjs"),