@fixprompt/cli 0.0.1 → 0.2.0

package/dist/cli.js

@@ -86,12 +86,235 @@ function detectContext() {
   return merged;
 }
 
+// src/connect.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import { join } from "path";
+import { spawnSync } from "child_process";
+var DEFAULT_ENDPOINT = "https://geosloghub-production.up.railway.app";
+var TOKEN_ENV_VAR_NAME = "FIXPROMPT_DEPLOY_TOKEN";
+function fileExists(p) {
+  try {
+    return statSync(p).isFile();
+  } catch {
+    return false;
+  }
+}
+function dirExists(p) {
+  try {
+    return statSync(p).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function detectProvider(cwd) {
+  if (fileExists(join(cwd, "app.json")) || fileExists(join(cwd, "app.config.js")) || fileExists(join(cwd, "app.config.ts")) || fileExists(join(cwd, "eas.json"))) {
+    return "eas";
+  }
+  if (fileExists(join(cwd, "vercel.json")) || fileExists(join(cwd, ".vercel", "project.json"))) {
+    return "vercel";
+  }
+  const wfDir = join(cwd, ".github", "workflows");
+  if (dirExists(wfDir)) {
+    try {
+      const files = readdirSync(wfDir);
+      if (files.some((f) => /\.ya?ml$/i.test(f))) return "github-actions";
+    } catch {
+    }
+  }
+  return null;
+}
+async function mintDeployToken(opts) {
+  const url = `${opts.endpoint.replace(/\/$/, "")}/admin/projects/${opts.projectId}/deploy-tokens`;
+  const res = await fetch(url, {
+    method: "POST",
+    headers: {
+      "x-internal-admin-token": opts.adminToken,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({ label: opts.label })
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`broker /admin/projects/${opts.projectId}/deploy-tokens responded ${res.status}: ${text.slice(0, 200)}`);
+  }
+  return JSON.parse(text);
+}
+function writeEas(token, env) {
+  console.log(`
+\u2022 Writing ${TOKEN_ENV_VAR_NAME} to EAS env '${env}'\u2026`);
+  const useShell = process.platform === "win32";
+  const args = [
+    "eas-cli",
+    "env:create",
+    env,
+    "--name",
+    TOKEN_ENV_VAR_NAME,
+    "--value",
+    token,
+    "--type",
+    "plain",
+    "--visibility",
+    "plaintext",
+    "--non-interactive"
+  ];
+  const r = spawnSync("npx", useShell ? args.map((a) => `"${a.replace(/"/g, '\\"')}"`) : args, {
+    stdio: "inherit",
+    shell: useShell
+  });
+  if (r.status !== 0) {
+    throw new Error(
+      `eas env:create exited ${r.status}. Common causes:
+  \u2022 Not logged in to EAS \u2014 run 'eas login'
+  \u2022 Wrong env name \u2014 pass --eas-env <production|preview|development>
+  \u2022 Variable already exists with a different value \u2014 delete it first or use the rotate flow.`
+    );
+  }
+}
+function writeGitHubActions(token, cwd) {
+  console.log(`
+\u2022 Writing ${TOKEN_ENV_VAR_NAME} to GitHub Actions repo secrets\u2026`);
+  const useShell = process.platform === "win32";
+  const args = ["secret", "set", TOKEN_ENV_VAR_NAME, "--body", "-"];
+  const r = spawnSync("gh", useShell ? args.map((a) => `"${a.replace(/"/g, '\\"')}"`) : args, {
+    input: token,
+    cwd,
+    stdio: ["pipe", "inherit", "inherit"],
+    shell: useShell
+  });
+  if (r.status !== 0) {
+    throw new Error(
+      `gh secret set exited ${r.status}. Common causes:
+  \u2022 Not logged in to gh \u2014 run 'gh auth login'
+  \u2022 Wrong repo \u2014 run 'fixprompt connect' from the repo root, or set GH_REPO.`
+    );
+  }
+}
+async function writeVercel(token, target) {
+  const vt = process.env.VERCEL_TOKEN;
+  if (!vt) {
+    throw new Error(
+      `Vercel provider needs VERCEL_TOKEN env. Generate one at
+  https://vercel.com/account/tokens
+then re-run with that token exported.`
+    );
+  }
+  let projectId = target.vercelProjectId;
+  if (!projectId) {
+    const pj = join(process.cwd(), ".vercel", "project.json");
+    if (!fileExists(pj)) {
+      throw new Error(
+        `Could not resolve Vercel project id. Either run from a 'vercel link'-ed
+directory or pass --vercel-project-id <prj_\u2026>.`
+      );
+    }
+    try {
+      const parsed = JSON.parse(readFileSync(pj, "utf8"));
+      projectId = parsed.projectId;
+    } catch (e) {
+      throw new Error(`failed to read .vercel/project.json: ${e.message}`);
+    }
+  }
+  const targets = target.vercelTargets ?? ["production", "preview"];
+  console.log(`
+\u2022 Writing ${TOKEN_ENV_VAR_NAME} to Vercel project ${projectId} (${targets.join(", ")})\u2026`);
+  const res = await fetch(`https://api.vercel.com/v10/projects/${projectId}/env`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${vt}`,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      key: TOKEN_ENV_VAR_NAME,
+      value: token,
+      type: "plain",
+      target: targets
+    })
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`Vercel /env responded ${res.status}: ${text.slice(0, 200)}`);
+  }
+}
+async function connect(args) {
+  const cwd = process.cwd();
+  const projectId = args.flags["project-id"] ?? process.env.FIXPROMPT_PROJECT_ID;
+  if (!projectId) {
+    console.error(
+      "Missing --project-id (or $FIXPROMPT_PROJECT_ID).\n  Find it in the FixPrompt dashboard URL after picking your project."
+    );
+    process.exit(1);
+  }
+  const adminToken = args.flags["admin-token"] ?? process.env.FIXPROMPT_ADMIN_TOKEN ?? process.env.INTERNAL_ADMIN_TOKEN;
+  if (!adminToken) {
+    console.error(
+      "Missing --admin-token (or $FIXPROMPT_ADMIN_TOKEN / $INTERNAL_ADMIN_TOKEN).\n  Per-user device-code auth lands in a later release; for now this is the\n  broker-wide admin token (single-tenant). Treat it as a root secret."
+    );
+    process.exit(1);
+  }
+  const endpoint = (args.flags.endpoint ?? process.env.FIXPROMPT_ENDPOINT ?? DEFAULT_ENDPOINT).replace(/\/$/, "");
+  const explicit = args.flags.provider;
+  const provider = explicit ?? detectProvider(cwd);
+  if (!provider) {
+    console.error(
+      `Couldn't detect a provider from ${cwd}. Pass --provider <eas|vercel|github-actions>.
+  Detection looks for: app.json/eas.json (EAS), .vercel/project.json (Vercel),
+  .github/workflows/*.yml (GitHub Actions).`
+    );
+    process.exit(1);
+  }
+  const target = {
+    provider,
+    easEnv: args.flags["eas-env"] ?? "production",
+    vercelProjectId: args.flags["vercel-project-id"] ?? void 0,
+    vercelTargets: typeof args.flags["vercel-targets"] === "string" ? args.flags["vercel-targets"].split(",").map((t) => t.trim()) : void 0
+  };
+  const label = args.flags.label ?? `${provider}-${(/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19)}`;
+  console.log(`fixprompt connect`);
+  console.log(`  provider     : ${provider}`);
+  console.log(`  project_id   : ${projectId}`);
+  console.log(`  endpoint     : ${endpoint}`);
+  console.log(`  label        : ${label}`);
+  if (provider === "eas") console.log(`  eas-env      : ${target.easEnv}`);
+  console.log(`
+\u2022 Minting deploy token via broker\u2026`);
+  const minted = await mintDeployToken({
+    endpoint,
+    adminToken,
+    projectId,
+    label
+  });
+  console.log(`  \u2713 token_id ${minted.token_id} (value hidden \u2014 written to CI store only)`);
+  switch (provider) {
+    case "eas":
+      writeEas(minted.token, target.easEnv);
+      break;
+    case "github-actions":
+      writeGitHubActions(minted.token, cwd);
+      break;
+    case "vercel":
+      await writeVercel(minted.token, target);
+      break;
+  }
+  console.log(`
+\u2713 ${TOKEN_ENV_VAR_NAME} is now set on ${provider}.`);
+  console.log(`  Next deploy can run with no shell paste:`);
+  if (provider === "eas") {
+    console.log(`    npm run release:ota --branch=production --message="..."`);
+  } else if (provider === "github-actions") {
+    console.log(`    Reference \${{ secrets.${TOKEN_ENV_VAR_NAME} }} in your workflow.`);
+  } else {
+    console.log(`    The token is in your Vercel project env for the next deploy.`);
+  }
+  console.log(`
+  To revoke later: dashboard \u2192 Integrations \u2192 Deploy tokens \u2192 ${minted.token_id}.`);
+}
+
 // src/version.ts
 var CLI_NAME = "@fixprompt/cli";
-var CLI_VERSION = "0.0.1";
+var CLI_VERSION = "0.2.0";
 
 // src/cli.ts
-var DEFAULT_ENDPOINT = "https://geosloghub-production.up.railway.app";
+var DEFAULT_ENDPOINT2 = "https://geosloghub-production.up.railway.app";
 function parseArgs(argv) {
   const flags = {};
   const positional = [];
@@ -122,13 +345,29 @@ function helpText() {
   return `${CLI_NAME} v${CLI_VERSION}
 
 Usage:
+  fixprompt connect [options]
   fixprompt deploy-start [options]
   fixprompt help
 
+connect options:
+  --project-id <uuid>        FixPrompt project id (or $FIXPROMPT_PROJECT_ID)
+  --admin-token <fpa_\u2026>      Broker admin token (or $FIXPROMPT_ADMIN_TOKEN)
+  --provider <name>          eas | vercel | github-actions (auto-detected from cwd)
+  --eas-env <env>            EAS env to write to (default: production)
+  --vercel-project-id <id>   Override Vercel project id (default: .vercel/project.json)
+  --vercel-targets <list>    Comma-separated (default: production,preview)
+  --label <text>             Token label (default: <provider>-<timestamp>)
+
+deploy-start auth (pick one):
+  --deploy-token <fpd_...>  Deploy-only token from dashboard (recommended for CI)
+                            (or $FIXPROMPT_DEPLOY_TOKEN env)
+  --key <k_...>             Runtime SDK key, paired with --source
+                            (or $LOGHUB_KEY / $FIXPROMPT_KEY env)
+
 deploy-start options:
-  --source <slug>     LOGHUB_SOURCE (default: $LOGHUB_SOURCE or $FIXPROMPT_SOURCE env)
-  --key <k_...>       LOGHUB_KEY    (default: $LOGHUB_KEY or $FIXPROMPT_KEY env)
-  --endpoint <url>    Broker URL    (default: $FIXPROMPT_ENDPOINT or ${DEFAULT_ENDPOINT})
+  --source <slug>     LOGHUB_SOURCE (required only with --key; optional with --deploy-token)
+                      (default: $LOGHUB_SOURCE or $FIXPROMPT_SOURCE env)
+  --endpoint <url>    Broker URL (default: $FIXPROMPT_ENDPOINT or ${DEFAULT_ENDPOINT2})
   --status <state>    in_progress | success | failed (default: in_progress)
   --commit-sha <sha>  Override auto-detected commit
   --branch <name>     Override auto-detected branch
@@ -137,9 +376,14 @@ deploy-start options:
 Auto-detected CI providers: GitHub Actions, Vercel, Railway.
 `;
 }
-function readSource(flags) {
+function readDeployToken(flags) {
+  const v = flags["deploy-token"] ?? process.env.FIXPROMPT_DEPLOY_TOKEN;
+  return v || null;
+}
+function readSource(flags, required) {
   const v = flags.source ?? process.env.LOGHUB_SOURCE ?? process.env.FIXPROMPT_SOURCE;
   if (!v) {
+    if (!required) return null;
     console.error("Missing --source (or $LOGHUB_SOURCE / $FIXPROMPT_SOURCE)");
     process.exit(1);
   }
@@ -147,19 +391,26 @@ function readSource(flags) {
 }
 function readKey(flags) {
   const v = flags.key ?? process.env.LOGHUB_KEY ?? process.env.FIXPROMPT_KEY;
-  if (!v) {
-    console.error("Missing --key (or $LOGHUB_KEY / $FIXPROMPT_KEY)");
-    process.exit(1);
-  }
-  return v;
+  return v || null;
 }
 function readEndpoint(flags) {
-  const v = flags.endpoint ?? process.env.FIXPROMPT_ENDPOINT ?? DEFAULT_ENDPOINT;
+  const v = flags.endpoint ?? process.env.FIXPROMPT_ENDPOINT ?? DEFAULT_ENDPOINT2;
   return v.replace(/\/$/, "");
 }
 async function deployStart(args) {
-  const source = readSource(args.flags);
-  const key = readKey(args.flags);
+  const deployToken = readDeployToken(args.flags);
+  const key = deployToken ? null : readKey(args.flags);
+  const source = readSource(
+    args.flags,
+    /* required */
+    !deployToken
+  );
+  if (!deployToken && !key) {
+    console.error(
+      "Missing auth: pass --deploy-token (fpd_\u2026) or --key (k_\u2026).\n  $FIXPROMPT_DEPLOY_TOKEN, $LOGHUB_KEY, $FIXPROMPT_KEY env vars are checked."
+    );
+    process.exit(1);
+  }
   const endpoint = readEndpoint(args.flags);
   const status = args.flags.status ?? "in_progress";
   const ctx = detectContext();
@@ -180,14 +431,18 @@ async function deployStart(args) {
     fixprompt_version: CLI_VERSION,
     status
   };
+  const headers = { "Content-Type": "application/json" };
+  if (deployToken) {
+    headers["x-fixprompt-deploy-token"] = deployToken;
+    if (source) headers["x-loghub-source"] = source;
+  } else {
+    headers["x-loghub-source"] = source;
+    headers["x-loghub-key"] = key;
+  }
   const url = `${endpoint}/deployments`;
   const res = await fetch(url, {
     method: "POST",
-    headers: {
-      "Content-Type": "application/json",
-      "x-loghub-source": source,
-      "x-loghub-key": key
-    },
+    headers,
     body: JSON.stringify(payload)
   });
   const text = await res.text();
@@ -209,6 +464,9 @@ async function deployStart(args) {
 async function main() {
   const args = parseArgs(process.argv.slice(2));
   switch (args.command) {
+    case "connect":
+      await connect(args);
+      break;
     case "deploy-start":
       await deployStart(args);
       break;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fixprompt/cli",
-  "version": "0.0.1",
+  "version": "0.2.0",
   "description": "FixPrompt CLI — annotate deployments and ship them to the broker so the dashboard knows what changed.",
   "license": "UNLICENSED",
   "repository": {
@@ -15,7 +15,10 @@
   "bin": {
     "fixprompt": "dist/cli.js"
   },
-  "files": ["dist", "README.md"],
+  "files": [
+    "dist",
+    "README.md"
+  ],
   "scripts": {
     "build": "tsup",
     "dev": "tsup --watch",