@dreamboard-games/cli 0.1.30-alpha.30 → 0.1.30-alpha.31

package/dist/{chunk-RTNKVNQA.js → chunk-X244CUU4.js}

@@ -24,14 +24,12 @@ import {
   writeWorkspaceJsonFile,
   writeWorkspaceTextFile,
   zProblemDetails
-} from "./chunk-I4SZ7FA4.js";
+} from "./chunk-YNJVKC2T.js";
 import {
-  clearCredentials,
   getStoredSession,
   loadGlobalConfig,
-  setCredentials,
   withCredentialLock
-} from "./chunk-UI7NWSYA.js";
+} from "./chunk-6NYVJYN4.js";
 import {
   DEFAULT_API_BASE_URL,
   DEFAULT_WEB_BASE_URL,
@@ -47,6 +45,18 @@ var BUILD_CHANNEL = injectedBuildChannel === "published" ? "published" : "develo
 var IS_PUBLISHED_BUILD = BUILD_CHANNEL === "published";
 var PUBLISHED_ENVIRONMENT = "prod";
 
+// src/auth/refresh-error.ts
+function classifyRefreshError(error) {
+  const message = error.message?.toLowerCase() ?? "";
+  if (error.status === 400 || error.status === 401 || message.includes("invalid_grant") || message.includes("refresh token") || message.includes("expired") || message.includes("revoked")) {
+    return { kind: "permanent_invalid", reason: error.message };
+  }
+  if (error.status === 408 || error.status === 429 || typeof error.status === "number" && error.status >= 500 || message.includes("timeout") || message.includes("network") || message.includes("fetch failed")) {
+    return { kind: "transient", reason: error.message };
+  }
+  return { kind: "unknown", reason: error.message };
+}
+
 // src/auth/clerk-oauth.ts
 import crypto from "crypto";
 function createPkcePair() {
@@ -187,75 +197,183 @@ async function exchangeDreamboardUserToken(input) {
   };
 }
 
-// src/auth/user-token-manager.ts
-var TOKEN_REFRESH_WINDOW_MS = 60 * 1e3;
-function createUserTokenManager(config) {
+// src/auth/user-session-manager.ts
+var DEFAULT_TOKEN_MIN_VALIDITY_MS = 60 * 1e3;
+function createUserSessionManager(config) {
   return {
-    async resolveApiToken() {
-      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
-      if (localOrInjected) return localOrInjected;
-      if (!usesStoredSession(config)) return null;
+    async establishRefreshableSession(session) {
       return withCredentialLock(async (ops) => {
-        const stored = await ops.read();
-        const apiToken = freshStoredApiToken(stored);
-        if (apiToken) return apiToken;
-        const clerk = await resolveFreshClerkAccessToken(config, stored);
+        const credentials = credentialsFromRefreshableSession(session);
+        await ops.writeFull(credentials);
         const exchanged = await exchangeDreamboardUserToken({
           apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: clerk.accessToken,
+          clerkAccessToken: credentials.accessToken,
           audience: "dreamboard-api"
         });
-        await ops.writeFull({
-          ...clerk,
-          dreamboardApiToken: exchanged.accessToken,
-          dreamboardApiExpiresAt: exchanged.expiresAt
-        });
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-api"
-        };
+        const apiToken = toAccessToken(exchanged);
+        await ops.writeFull(withApiToken(credentials, apiToken));
+        return apiToken;
+      });
+    },
+    async establishAccessOnlySession(accessToken) {
+      await withCredentialLock((ops) => ops.writeAccessOnly(accessToken));
+    },
+    async resolveApiToken(options) {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) return localOrInjected;
+      if (!usesStoredSession(config)) return null;
+      const minValidityMs = options?.minValiditySeconds === void 0 ? DEFAULT_TOKEN_MIN_VALIDITY_MS : Math.max(0, options.minValiditySeconds * 1e3);
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        return resolveStoredApiToken(ops, config, stored, minValidityMs);
       });
     },
     async resolveGitToken() {
-      if (!usesStoredSession(config) && config.authToken) {
-        const exchanged = await exchangeDreamboardUserToken({
-          apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: config.authToken,
-          audience: "dreamboard-git"
-        });
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-git"
-        };
-      }
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-git");
+      if (localOrInjected) return localOrInjected;
       if (!usesStoredSession(config)) {
-        throw new Error(
-          "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+        throw missingSessionError();
+      }
+      return withCredentialLock(async (ops) => {
+        const stored = await ops.read();
+        const clerk = await resolveFreshClerkSession(ops, config, stored);
+        return toAccessToken(
+          await exchangeDreamboardUserToken({
+            apiBaseUrl: config.apiBaseUrl,
+            clerkAccessToken: clerk.accessToken,
+            audience: "dreamboard-git"
+          })
         );
+      });
+    },
+    async inspectSession() {
+      const localOrInjected = resolveNonStoredToken(config, "dreamboard-api");
+      if (localOrInjected) {
+        return inspectAccessOnlyToken(localOrInjected);
+      }
+      if (!usesStoredSession(config)) {
+        return { kind: "none" };
       }
       return withCredentialLock(async (ops) => {
         const stored = await ops.read();
-        const clerk = await resolveFreshClerkAccessToken(config, stored);
-        const exchanged = await exchangeDreamboardUserToken({
-          apiBaseUrl: config.apiBaseUrl,
-          clerkAccessToken: clerk.accessToken,
-          audience: "dreamboard-git"
-        });
-        await ops.writeFull(clerk);
-        return {
-          token: exchanged.accessToken,
-          expiresAt: exchanged.expiresAt,
-          audience: "dreamboard-git"
-        };
+        if (!stored) return { kind: "none" };
+        const cached = freshStoredApiToken(
+          stored,
+          DEFAULT_TOKEN_MIN_VALIDITY_MS
+        );
+        if (cached) {
+          return activeStatus("refreshable", cached, false);
+        }
+        try {
+          const token = await resolveStoredApiToken(
+            ops,
+            config,
+            stored,
+            DEFAULT_TOKEN_MIN_VALIDITY_MS
+          );
+          return activeStatus("refreshable", token, true);
+        } catch (error) {
+          return failedRefreshableStatus(error);
+        }
       });
     },
     async logout() {
-      await clearCredentials("user_token_manager_logout");
+      await withCredentialLock((ops) => ops.clear("logout_command"));
     }
   };
 }
+async function resolveStoredApiToken(ops, config, stored, minValidityMs) {
+  const cached = freshStoredApiToken(stored, minValidityMs);
+  if (cached) return cached;
+  const clerk = await resolveFreshClerkSession(ops, config, stored);
+  const exchanged = await exchangeDreamboardUserToken({
+    apiBaseUrl: config.apiBaseUrl,
+    clerkAccessToken: clerk.accessToken,
+    audience: "dreamboard-api"
+  });
+  const apiToken = toAccessToken(exchanged);
+  await ops.writeFull(withApiToken(clerk, apiToken));
+  return apiToken;
+}
+async function resolveFreshClerkSession(ops, config, stored) {
+  if (!stored) {
+    throw missingSessionError();
+  }
+  if (!stored.refreshToken) {
+    throw new Error(
+      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
+    );
+  }
+  if (stored.accessToken && isFresh(
+    stored.tokenExpiresAt,
+    stored.accessToken,
+    DEFAULT_TOKEN_MIN_VALIDITY_MS
+  )) {
+    return credentialsFromStored(config, stored);
+  }
+  const payload = await refreshClerkOAuthToken({
+    config: {
+      issuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+      clientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+      tokenUrl: stored.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
+    },
+    refreshToken: stored.refreshToken
+  });
+  const refreshed = {
+    accessToken: payload.accessToken,
+    refreshToken: payload.refreshToken,
+    tokenExpiresAt: payload.expiresAt,
+    dreamboardApiToken: stored.dreamboardApiToken,
+    dreamboardApiExpiresAt: stored.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: payload.tokenUrl,
+    environment: stored.environment ?? config.environment
+  };
+  await ops.writeFull(refreshed);
+  return refreshed;
+}
+function credentialsFromStored(config, stored) {
+  if (!stored.accessToken || !stored.refreshToken) {
+    throw missingSessionError();
+  }
+  return {
+    accessToken: stored.accessToken,
+    refreshToken: stored.refreshToken,
+    tokenExpiresAt: stored.tokenExpiresAt,
+    dreamboardApiToken: stored.dreamboardApiToken,
+    dreamboardApiExpiresAt: stored.dreamboardApiExpiresAt,
+    clerkOAuthIssuer: stored.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
+    clerkOAuthClientId: stored.clerkOAuthClientId ?? config.clerkOAuthClientId,
+    clerkOAuthTokenUrl: stored.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
+    environment: stored.environment ?? config.environment
+  };
+}
+function credentialsFromRefreshableSession(session) {
+  return {
+    accessToken: session.clerkAccessToken,
+    refreshToken: session.refreshToken,
+    tokenExpiresAt: session.clerkAccessExpiresAt,
+    clerkOAuthIssuer: session.clerkOAuthIssuer,
+    clerkOAuthClientId: session.clerkOAuthClientId,
+    clerkOAuthTokenUrl: session.clerkOAuthTokenUrl,
+    environment: session.environment
+  };
+}
+function withApiToken(credentials, token) {
+  return {
+    ...credentials,
+    dreamboardApiToken: token.token,
+    dreamboardApiExpiresAt: token.expiresAt
+  };
+}
+function toAccessToken(token) {
+  return {
+    token: token.accessToken,
+    expiresAt: token.expiresAt,
+    audience: token.audience
+  };
+}
 function resolveNonStoredToken(config, audience) {
   if (usesStoredSession(config)) return null;
   if (!config.authToken) return null;
@@ -265,9 +383,13 @@ function resolveNonStoredToken(config, audience) {
     audience
   };
 }
-function freshStoredApiToken(stored) {
+function freshStoredApiToken(stored, minValidityMs) {
   if (!stored?.dreamboardApiToken) return null;
-  if (isFresh(stored.dreamboardApiExpiresAt, stored.dreamboardApiToken)) {
+  if (isFresh(
+    stored.dreamboardApiExpiresAt,
+    stored.dreamboardApiToken,
+    minValidityMs
+  )) {
     return {
       token: stored.dreamboardApiToken,
       expiresAt: stored.dreamboardApiExpiresAt,
@@ -276,49 +398,60 @@ function freshStoredApiToken(stored) {
   }
   return null;
 }
-async function resolveFreshClerkAccessToken(config, stored) {
-  const accessToken = stored?.accessToken ?? config.clerkAccessToken;
-  const refreshToken = stored?.refreshToken ?? config.refreshToken;
-  const tokenExpiresAt = stored?.tokenExpiresAt ?? config.clerkAccessExpiresAt;
-  if (!refreshToken) {
-    throw new Error(
-      "Stored Dreamboard session is missing its refresh token. Run `dreamboard auth login` to authenticate again."
-    );
-  }
-  if (accessToken && isFresh(tokenExpiresAt, accessToken)) {
+function inspectAccessOnlyToken(token) {
+  const expiry = resolveExpiry(token.expiresAt, token.token);
+  if (expiry && expiry.getTime() <= Date.now()) {
     return {
-      accessToken,
-      refreshToken,
-      tokenExpiresAt,
-      dreamboardApiToken: stored?.dreamboardApiToken,
-      dreamboardApiExpiresAt: stored?.dreamboardApiExpiresAt,
-      clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-      clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-      clerkOAuthTokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl,
-      environment: stored?.environment ?? config.environment
+      kind: "invalid",
+      sessionKind: "access-only",
+      message: "Stored Dreamboard access token is expired. Run `dreamboard auth login` to authenticate again."
     };
   }
-  const payload = await refreshClerkOAuthToken({
-    config: {
-      issuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-      clientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-      tokenUrl: stored?.clerkOAuthTokenUrl ?? config.clerkOAuthTokenUrl
-    },
-    refreshToken
+  return activeStatus("access-only", token, false);
+}
+function failedRefreshableStatus(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  const errorStatus = typeof error === "object" && error !== null && "status" in error ? error.status : void 0;
+  const classification = classifyRefreshError({
+    message,
+    status: typeof errorStatus === "number" ? errorStatus : void 0
   });
+  if (classification.kind === "permanent_invalid") {
+    return {
+      kind: "invalid",
+      sessionKind: "refreshable",
+      message
+    };
+  }
   return {
-    accessToken: payload.accessToken,
-    refreshToken: payload.refreshToken,
-    tokenExpiresAt: payload.expiresAt,
-    clerkOAuthIssuer: stored?.clerkOAuthIssuer ?? config.clerkOAuthIssuer,
-    clerkOAuthClientId: stored?.clerkOAuthClientId ?? config.clerkOAuthClientId,
-    clerkOAuthTokenUrl: payload.tokenUrl,
-    environment: stored?.environment ?? config.environment
+    kind: "degraded",
+    sessionKind: "refreshable",
+    message
   };
 }
-function isFresh(expiresAt, token) {
-  const expiry = expiresAt ? new Date(expiresAt) : getJwtExpiry(token);
-  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + TOKEN_REFRESH_WINDOW_MS;
+function activeStatus(sessionKind, apiToken, repaired) {
+  return {
+    kind: "active",
+    sessionKind,
+    apiToken,
+    repaired
+  };
+}
+function missingSessionError() {
+  return new Error(
+    "Missing Dreamboard session. Run `dreamboard auth login` to authenticate."
+  );
+}
+function isFresh(expiresAt, token, minValidityMs) {
+  const expiry = resolveExpiry(expiresAt, token);
+  return expiry !== null && Number.isFinite(expiry.getTime()) && expiry.getTime() > Date.now() + minValidityMs;
+}
+function resolveExpiry(expiresAt, token) {
+  if (expiresAt) {
+    const parsed = new Date(expiresAt);
+    return Number.isFinite(parsed.getTime()) ? parsed : null;
+  }
+  return getJwtExpiry(token);
 }
 function getJwtExpiry(accessToken) {
   if (!accessToken) return null;
@@ -425,7 +558,6 @@ function isLocalAwsUrl(rawUrl) {
 }
 
 // src/config/resolve.ts
-var DEFAULT_REFRESH_WINDOW_MS = 5 * 60 * 1e3;
 var TRANSIENT_READ_RETRY_DELAYS_MS = [100, 300];
 function resolveConfig(globalConfig, flags, project, credentials) {
   if (IS_PUBLISHED_BUILD) {
@@ -564,7 +696,7 @@ function assertPublicRuntimeFlags(flags) {
 }
 async function configureClient(config) {
   const localHarnessToken = resolveLocalHarnessAccessToken(config);
-  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserTokenManager(config).resolveApiToken();
+  const resolvedToken = localHarnessToken ? { token: localHarnessToken } : await createUserSessionManager(config).resolveApiToken();
   const effectiveAccessToken = resolvedToken?.token;
   client.setConfig({
     baseUrl: config.apiBaseUrl,
@@ -605,35 +737,6 @@ function isTransientFetchError(error) {
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
-async function refreshResolvedAuthSession(config) {
-  if (!usesStoredSession2(config)) return null;
-  if (config.refreshToken) {
-    return refreshClerkOAuthSession(config);
-  }
-  return null;
-}
-async function refreshClerkOAuthSession(config) {
-  if (!config.refreshToken) return null;
-  const payload = await refreshClerkOAuthToken({
-    config: {
-      issuer: config.clerkOAuthIssuer,
-      clientId: config.clerkOAuthClientId,
-      tokenUrl: config.clerkOAuthTokenUrl
-    },
-    refreshToken: config.refreshToken
-  });
-  const credentials = {
-    accessToken: payload.accessToken,
-    refreshToken: payload.refreshToken,
-    tokenExpiresAt: payload.expiresAt,
-    clerkOAuthIssuer: config.clerkOAuthIssuer,
-    clerkOAuthClientId: config.clerkOAuthClientId,
-    clerkOAuthTokenUrl: payload.tokenUrl,
-    environment: config.environment
-  };
-  await setCredentials(credentials);
-  return credentials;
-}
 function requireAuth(config) {
   if (!config.authToken && !config.refreshToken && !resolveLocalHarnessAccessToken(config)) {
     throw new Error(
@@ -660,9 +763,6 @@ function getAuthTokenExpiry(accessToken) {
     return null;
   }
 }
-function usesStoredSession2(config) {
-  return config.refreshTokenSource === "global";
-}
 async function loadProjectContextCredentials(requireAuth2, loadCredentials = getStoredSession) {
   return requireAuth2 ? loadCredentials() : void 0;
 }
@@ -733,13 +833,6 @@ var commitScopedCommandArgsSchema = configFlagsSchema.extend({
   commit: external_exports.string().min(1),
   json: external_exports.boolean().default(false)
 });
-var projectRepositoryCommandArgsSchema = configFlagsSchema.extend({
-  project: external_exports.string().min(1),
-  wait: external_exports.boolean().default(false),
-  "wait-timeout-ms": external_exports.string().optional(),
-  "repository-poll-interval-ms": external_exports.string().optional(),
-  json: external_exports.boolean().default(false)
-});
 var buildCommandArgsSchema = commitScopedCommandArgsSchema.extend({
   profile: external_exports.enum(["preview", "release"]).optional().default("preview")
 });
@@ -770,14 +863,7 @@ var configCommandArgsSchema = configFlagsSchema.extend({
   scope: external_exports.enum(["global", "workspace"]).optional().default("global")
 });
 var authCommandArgsSchema = external_exports.object({
-  action: external_exports.enum([
-    "set",
-    "login",
-    "logout",
-    "env",
-    "status",
-    "git-credential"
-  ]),
+  action: external_exports.enum(["set", "login", "logout", "env", "status", "git-credential"]),
   tokenValue: external_exports.string().optional(),
   token: external_exports.string().optional(),
   jwt: external_exports.boolean().optional(),
@@ -809,9 +895,6 @@ function parseCloneCommandArgs(args) {
 function parseCommitScopedCommandArgs(commandName, args) {
   return parseArgs(commandName, commitScopedCommandArgsSchema, args);
 }
-function parseProjectRepositoryCommandArgs(commandName, args) {
-  return parseArgs(commandName, projectRepositoryCommandArgsSchema, args);
-}
 function parseBuildCommandArgs(args) {
   return parseArgs("build", buildCommandArgsSchema, args);
 }
@@ -3683,14 +3766,12 @@ export {
   createPkcePair,
   buildClerkAuthorizationUrl,
   exchangeClerkOAuthCode,
-  exchangeDreamboardUserToken,
+  createUserSessionManager,
   IS_PUBLISHED_BUILD,
   PUBLISHED_ENVIRONMENT,
-  createUserTokenManager,
   resolveLocalHarnessAccessToken,
   resolveConfig,
   configureClient,
-  refreshResolvedAuthSession,
   requireAuth,
   getAuthTokenExpiry,
   resolveProjectContext,
@@ -3699,7 +3780,6 @@ export {
   parseNewCommandArgs,
   parseCloneCommandArgs,
   parseCommitScopedCommandArgs,
-  parseProjectRepositoryCommandArgs,
   parseBuildCommandArgs,
   parseReleasePublishCommandArgs,
   parseDevCommandArgs,
@@ -3732,4 +3812,4 @@ export {
   isLocalMaintainerRegistryEnabled,
   didLocalMaintainerSnapshotChange
 };
-//# sourceMappingURL=chunk-RTNKVNQA.js.map
+//# sourceMappingURL=chunk-X244CUU4.js.map