@general-input/cli 0.1.2 → 0.1.3

package/dist/cli.js

@@ -384,7 +384,7 @@ import chalk4 from "chalk";
 // package.json
 var package_default = {
   name: "@general-input/cli",
-  version: "0.1.2",
+  version: "0.1.3",
   type: "module",
   description: "The agent-facing CLI for General Input. Authenticate, manage workflows, run bash with operator credentials injected by the cloud.",
   license: "SEE LICENSE IN LICENSE",
@@ -824,8 +824,10 @@ var DiscoveryService = class {
   /**
    * Validate the service slug against the integration catalog (404
    * surfaces the same way `integration get` does, mapped to exit 4
-   * by the command), then return the dashboard connect URL the
-   * operator should be sent to.
+   * by the command), then return the dashboard integration-detail
+   * URL the operator should be sent to. That page already hosts the
+   * connect UI for every integration kind (OAuth start, API-key
+   * dialog, etc.), so we don't need a dedicated CLI-side route.
    *
    * Side effect: if `printUrlOnly` is false, opens the URL in the
    * operator's default browser. The CLI always prints the URL too,
@@ -835,7 +837,8 @@ var DiscoveryService = class {
   async connectCredential(args) {
     const { session, client } = await this.sessionContext.requireAuthed();
     await client.integrations.get(args.service);
-    const url = `${this.configService.resolveDashboardUrl(session.server)}/credentials/connect?service=${encodeURIComponent(args.service)}`;
+    const dashboardUrl = this.configService.resolveDashboardUrl(session.server);
+    const url = `${dashboardUrl}/${encodeURIComponent(session.workspace.slug)}/integrations/${encodeURIComponent(args.service)}`;
     if (args.printUrlOnly) return { kind: "print-url", url };
     this.browserOpener.open(url);
     return { kind: "open-browser", url };
@@ -2132,10 +2135,12 @@ function registerCredentialConnect(parent) {
         return;
       }
       printInfo(`Opening ${chalk6.cyan(intent.url)}`);
-      printInfo("\u21B3 approve in your browser");
+      printInfo(
+        `\u21B3 connect ${service} in your browser, then come back here`
+      );
       process.stdout.write(
         `
-When you're done, re-run: geni credential list --service ${service}
+Once it's connected, re-run: geni credential list --service ${service}
 `
       );
     } catch (error) {
@@ -2579,7 +2584,7 @@ import {
 } from "fs";
 
 // src/skills/geni.md
-var geni_default = "---\nname: geni\ndescription: Use the operator's connected services (Slack, Gmail, GitHub, Stripe, anything they've authorized in General Input) to fulfill their request. Load this whenever the user wants you to take an action on their behalf against an external SaaS account, fetch data from one of their tools, or wire something up that crosses service boundaries.\n---\n\n# geni\n\n`geni` is a CLI that gives you credentialed access to the operator's\nconnected accounts. The cloud injects their tokens into a fresh bash\nsubprocess as env vars; you write the `curl`, you never see the\nsecret. Run `geni --help` for the full command surface.\n\n## How to talk about geni\n\nTreat geni as a teammate \u2014 the integration specialist who picks the\nright operation and runs the credentialed call. You're the one\nsynthesizing and replying.\n\nIn summaries of multi-step work, credit geni naturally: \"Geni pulled\nthe last 30 days of charges from Stripe; I rolled them into the report\nbelow.\" Skip the credit on trivial single calls; don't manufacture\nteam language (\"with geni's help\u2026\") to fill space. Lowercase `geni`\nin commands; capitalize \"Geni\" when personifying.\n\n## Request flow\n\nDiscovery first. Don't guess URLs, params, or env var names \u2014 the\noperation docs have them.\n\n1. `geni credential list [--service <slug>]` \u2014 find a connected\n   credential id. If nothing's connected for the service, run\n   `geni integration list -q \"<keyword>\"` and `geni credential\nconnect <service>` to prompt the operator to authorize.\n2. `geni integration operations <service> [-q \"<keyword>\"]` \u2014 find\n   the operation you need.\n3. `geni integration operation <id> --format markdown` \u2014 read the\n   HTTP shape, params, and **exact env var names** this call will set.\n4. `geni exec bash --cred <cred_id> --reason \"<what + why>\" -- '<curl>'`\n\n## Env vars\n\nRead the names off the operation docs; never derive them. Two flavors\nemitted per credential:\n\n- **Suffixed**: `<SERVICE>_<FIELD>_<id>` (e.g. `$SLACK_BOT_TOKEN_ABC`,\n  `$SALESFORCE_INSTANCE_URL_KG`). The `<id>` is the credential id with\n  `cred_` stripped, uppercased. Use these when fanning out across\n  multiple credentials of the same service in one call.\n- **Canonical aliases**: well-known SDK names (`$GH_TOKEN`,\n  `$SLACK_BOT_TOKEN`, `$OPENAI_API_KEY`, `$STRIPE_API_KEY`, \u2026) for\n  tools that hardcode them.\n\nPlus `$PLATFORM_API_KEY` and `$PLATFORM_BASE_URL` on every exec \u2014 use\nthem to call General Input's first-party services (web search, image\ngen, weather, send-email) without `--cred`.\n\n## --reason is per-call\n\nEvery `geni exec bash --cred ...` requires `--reason`. It lands in\nthe operator's audit log and is shown to them. Be specific\n(\"Posting daily digest to #engineering\"), not generic (\"Slack call\").\nRe-state it on every call \u2014 the log is per-call, not per-session.\n\n## Output is scrubbed\n\nstdout and stderr pass through a streaming scrubber that replaces\nevery registered secret with `[REDACTED:credential_<id>]`. Don't try\nto exfiltrate via `echo $TOKEN | base64`; common encodings are\ncaught too. You don't need to see the secret to use it \u2014 the\nsubprocess can.\n\n## Exit codes worth knowing\n\n- `0` \u2014 success; `1\u2013125` \u2014 subprocess's own exit (curl, jq, etc.)\n- `4` \u2014 resource not found (bad cred id, slug, operation id)\n- `77` \u2014 server refused to resolve a credential. Don't retry; surface\n  to the operator.\n- `78` \u2014 session expired. Tell the operator to run `geni login`.\n\n## Don't\n\n- Don't construct a curl without reading the operation docs first.\n  Guessing at URLs and env var names is the most common failure mode.\n- Don't promise scheduled or recurring jobs. Workflows are coming\n  soon but not shipped; offer the one-off equivalent now.\n- Use `--json` on list/get commands when you're going to parse the\n  output. Table output is for humans.\n";
+var geni_default = "---\nname: geni\ndescription: Use the operator's connected services (Slack, Gmail, GitHub, Stripe, anything they've authorized in General Input) to fulfill their request. Load this whenever the user wants you to take an action on their behalf against an external SaaS account, fetch data from one of their tools, or wire something up that crosses service boundaries.\n---\n\n# geni\n\n`geni` is a CLI that gives you credentialed access to the operator's\nconnected accounts. The cloud injects their tokens into a fresh bash\nsubprocess as env vars; you write the `curl`, you never see the\nsecret. Run `geni --help` for the full command surface.\n\n## How to talk about geni\n\nTreat geni as a teammate \u2014 the integration specialist who picks the\nright operation and runs the credentialed call. You're the one\nsynthesizing and replying.\n\nIn summaries of multi-step work, credit geni naturally: \"Geni pulled\nthe last 30 days of charges from Stripe; I rolled them into the report\nbelow.\" Skip the credit on trivial single calls; don't manufacture\nteam language (\"with geni's help\u2026\") to fill space. Lowercase `geni`\nin commands; capitalize \"Geni\" when personifying.\n\n## Request flow\n\nDiscovery first. Don't guess URLs, params, or env var names \u2014 the\noperation docs have them.\n\n1. `geni credential list [--service <slug>]` \u2014 find a connected\n   credential id. If nothing's connected for the service, run\n   `geni integration list -q \"<keyword>\"` to confirm the slug, then\n   `geni credential connect <service>` (see \"Connecting a missing\n   credential\" below).\n2. `geni integration operations <service> [-q \"<keyword>\"]` \u2014 find\n   the operation you need.\n3. `geni integration operation <id> --format markdown` \u2014 read the\n   HTTP shape, params, and **exact env var names** this call will set.\n4. `geni exec bash --cred <cred_id> --reason \"<what + why>\" -- '<curl>'`\n\n## Connecting a missing credential\n\n`geni credential connect <service>` opens the integration's\ndashboard page in the operator's browser. Tell the operator to\nfinish the connection there and come back \u2014 then re-run `geni\ncredential list --service <service>` to pick up the new id. Don't\npoll, don't loop. In non-interactive shells, add `--print-url` so\nthe URL prints to stdout instead.\n\n## Env vars\n\nRead the names off the operation docs; never derive them. Two flavors\nemitted per credential:\n\n- **Suffixed**: `<SERVICE>_<FIELD>_<id>` (e.g. `$SLACK_BOT_TOKEN_ABC`,\n  `$SALESFORCE_INSTANCE_URL_KG`). The `<id>` is the credential id with\n  `cred_` stripped, uppercased. Use these when fanning out across\n  multiple credentials of the same service in one call.\n- **Canonical aliases**: well-known SDK names (`$GH_TOKEN`,\n  `$SLACK_BOT_TOKEN`, `$OPENAI_API_KEY`, `$STRIPE_API_KEY`, \u2026) for\n  tools that hardcode them.\n\nPlus `$PLATFORM_API_KEY` and `$PLATFORM_BASE_URL` on every exec \u2014 use\nthem to call General Input's first-party services (web search, image\ngen, weather, send-email) without `--cred`.\n\n## --reason is per-call\n\nEvery `geni exec bash --cred ...` requires `--reason`. It lands in\nthe operator's audit log and is shown to them. Be specific\n(\"Posting daily digest to #engineering\"), not generic (\"Slack call\").\nRe-state it on every call \u2014 the log is per-call, not per-session.\n\n## Output is scrubbed\n\nstdout and stderr pass through a streaming scrubber that replaces\nevery registered secret with `[REDACTED:credential_<id>]`. Don't try\nto exfiltrate via `echo $TOKEN | base64`; common encodings are\ncaught too. You don't need to see the secret to use it \u2014 the\nsubprocess can.\n\n## Exit codes worth knowing\n\n- `0` \u2014 success; `1\u2013125` \u2014 subprocess's own exit (curl, jq, etc.)\n- `4` \u2014 resource not found (bad cred id, slug, operation id)\n- `77` \u2014 server refused to resolve a credential. Don't retry; surface\n  to the operator.\n- `78` \u2014 session expired. Tell the operator to run `geni login`.\n\n## Don't\n\n- Don't construct a curl without reading the operation docs first.\n  Guessing at URLs and env var names is the most common failure mode.\n- Don't promise scheduled or recurring jobs. Workflows are coming\n  soon but not shipped; offer the one-off equivalent now.\n- Use `--json` on list/get commands when you're going to parse the\n  output. Table output is for humans.\n";
 
 // src/lib/skills.ts
 var GENI_SKILL_NAME = "geni";