@genex-ai/cli-demo 0.1.0

package/src/index.ts

@@ -0,0 +1,238 @@
+#!/usr/bin/env node
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { runInit, type InitOptions } from "./commands/init.ts";
+import { runPublish, type PublishOptions } from "./commands/publish.ts";
+import { DEFAULT_API_URL, DEFAULT_AUTH_URL } from "./config.ts";
+import { createLogger } from "./utils/logger.ts";
+import { c } from "./utils/colors.ts";
+
+type CliOptions = InitOptions & PublishOptions;
+
+function getVersion(): string {
+  try {
+    const here = path.dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(
+      readFileSync(path.resolve(here, "..", "package.json"), "utf8"),
+    ) as { version?: string };
+    return pkg.version ?? "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+
+const HELP = `${c.bold("genex")} — set up your ~/.claude workspace, authorize, and publish 3D games.
+
+${c.bold("Usage")}
+  genex init [<name>] [options]      Scaffold + authorize + create the draft project.
+  genex publish [options]            Push the built game and list it in the gallery.
+
+${c.bold("Options for `init`")}
+  <name>               Project name (positional; default: current directory name).
+  --name <name>        Same as the positional name.
+  --dir <path>         Destination workspace (default: ~/.claude).
+  --env <path>         Token env file (default: ~/.genex/env).
+  --auth-url <url>     Override the auth site (default: ${DEFAULT_AUTH_URL}).
+  --api-url <url>      Override the API base URL (default: ${DEFAULT_API_URL}).
+  --colyseus-url <url> Override the multiplayer URL (stored in project metadata).
+  --no-auth            Only scaffold templates; skip authorization.
+  --force              Overwrite existing files (default: never overwrite).
+  --timeout <seconds>  How long to wait for the auth redirect (default: 300).
+
+${c.bold("Options for `publish`")}
+  --no-push            Skip the git push; only flip the gallery flag.
+  --title <title>      Gallery title.
+  --description <text> Gallery description.
+  --api-url <url>      Override the API base URL.
+  --env <path>         Token env file (default: ~/.genex/env).
+
+${c.bold("Global")}
+  --quiet              Reduce output.
+  -h, --help           Show this help.
+  -v, --version        Show the version.
+
+${c.bold("Environment")}
+  GENEX_AUTH_URL       Overrides the default auth site URL.
+  GENEX_API_URL        Overrides the default API base URL.
+  GENEX_COLYSEUS_URL   Overrides the default multiplayer URL.
+  GENEX_BROWSER        Command used to open the browser (falls back to BROWSER).
+
+${c.bold("Examples")}
+  genex init my-game
+  genex init my-game --api-url http://localhost:3000 --auth-url http://localhost:5173
+  genex publish
+  genex publish --no-push --title "My Game"
+`;
+
+interface ParsedArgs {
+  command: string | undefined;
+  options: CliOptions;
+  help: boolean;
+  version: boolean;
+  error?: string;
+}
+
+function parseArgs(argv: string[]): ParsedArgs {
+  const parsed: ParsedArgs = {
+    command: undefined,
+    options: {},
+    help: false,
+    version: false,
+  };
+
+  // The value-taking flags and where they land on the options object.
+  const needsValue = new Set([
+    "--dir",
+    "--env",
+    "--auth-url",
+    "--api-url",
+    "--colyseus-url",
+    "--name",
+    "--title",
+    "--description",
+    "--timeout",
+  ]);
+
+  let i = 0;
+  while (i < argv.length) {
+    const arg = argv[i++];
+    if (arg === undefined) break;
+
+    switch (arg) {
+      case "-h":
+      case "--help":
+        parsed.help = true;
+        break;
+      case "-v":
+      case "--version":
+        parsed.version = true;
+        break;
+      case "--no-auth":
+        parsed.options.noAuth = true;
+        break;
+      case "--no-push":
+        parsed.options.noPush = true;
+        break;
+      case "--force":
+        parsed.options.force = true;
+        break;
+      case "--quiet":
+        parsed.options.quiet = true;
+        break;
+      default: {
+        if (needsValue.has(arg)) {
+          const value = argv[i++];
+          if (value === undefined) {
+            parsed.error = `Missing value for ${arg}`;
+            return parsed;
+          }
+          applyValueFlag(parsed.options, arg, value);
+        } else if (arg.startsWith("-")) {
+          parsed.error = `Unknown option: ${arg}`;
+          return parsed;
+        } else if (parsed.command === undefined) {
+          parsed.command = arg;
+        } else if (parsed.options.name === undefined) {
+          // Second positional → project name (e.g. `genex init my-game`).
+          parsed.options.name = arg;
+        } else {
+          parsed.error = `Unexpected argument: ${arg}`;
+          return parsed;
+        }
+        break;
+      }
+    }
+  }
+
+  return parsed;
+}
+
+function applyValueFlag(
+  options: CliOptions,
+  flag: string,
+  value: string,
+): void {
+  switch (flag) {
+    case "--dir":
+      options.dir = value;
+      break;
+    case "--env":
+      options.envPath = value;
+      break;
+    case "--auth-url":
+      options.authUrl = value;
+      break;
+    case "--api-url":
+      options.apiUrl = value;
+      break;
+    case "--colyseus-url":
+      options.colyseusUrl = value;
+      break;
+    case "--name":
+      options.name = value;
+      break;
+    case "--title":
+      options.title = value;
+      break;
+    case "--description":
+      options.description = value;
+      break;
+    case "--timeout": {
+      const n = Number(value);
+      if (!Number.isFinite(n) || n <= 0) {
+        throw new Error(`Invalid --timeout value: ${value}`);
+      }
+      options.timeoutSec = n;
+      break;
+    }
+  }
+}
+
+async function main(): Promise<void> {
+  const log = createLogger();
+  let parsed: ParsedArgs;
+  try {
+    parsed = parseArgs(process.argv.slice(2));
+  } catch (err) {
+    log.error(err instanceof Error ? err.message : String(err));
+    process.exitCode = 1;
+    return;
+  }
+
+  if (parsed.error) {
+    log.error(parsed.error);
+    log.plain(`Run ${c.cyan("genex --help")} for usage.`);
+    process.exitCode = 1;
+    return;
+  }
+
+  if (parsed.version) {
+    log.plain(getVersion());
+    return;
+  }
+
+  if (parsed.help || parsed.command === undefined) {
+    log.plain(HELP);
+    return;
+  }
+
+  switch (parsed.command) {
+    case "init":
+      await runInit(parsed.options);
+      break;
+    case "publish":
+      await runPublish(parsed.options);
+      break;
+    default:
+      log.error(`Unknown command: ${parsed.command}`);
+      log.plain(`Run ${c.cyan("genex --help")} for usage.`);
+      process.exitCode = 1;
+  }
+}
+
+main().catch((err: unknown) => {
+  const log = createLogger();
+  log.error(err instanceof Error ? err.message : String(err));
+  process.exitCode = 1;
+});

package/src/lib/auth.ts

@@ -0,0 +1,365 @@
+import http from "node:http";
+import crypto from "node:crypto";
+import readline from "node:readline";
+import { spawn } from "node:child_process";
+import { URL } from "node:url";
+import type { AddressInfo } from "node:net";
+import type { Logger } from "../utils/logger.ts";
+
+export interface AuthorizeOptions {
+  log: Logger;
+  /** How long to wait for the redirect before giving up. Default 5 minutes. */
+  timeoutMs?: number;
+  /**
+   * Opens a URL in the user's browser and returns whether the attempt was made.
+   * `onError` is invoked if the launch fails asynchronously (e.g. the opener
+   * binary is missing). Injectable for testing; defaults to a cross-platform
+   * opener.
+   */
+  open?: (url: string, onError: () => void) => boolean;
+  /**
+   * Whether to also accept a token pasted into the terminal (handy over SSH or
+   * when the browser can't reach localhost). Defaults to true when stdin is a TTY.
+   */
+  interactive?: boolean;
+}
+
+const SUCCESS_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>Genex</title>
+<style>body{font-family:system-ui,sans-serif;background:#0b0b0f;color:#eaeaea;display:grid;place-items:center;height:100vh;margin:0}
+.card{text-align:center;padding:2rem 3rem;border:1px solid #26262e;border-radius:14px;background:#13131a}
+h1{font-size:1.3rem;margin:0 0 .5rem}p{color:#9a9aa6;margin:0}</style></head>
+<body><div class="card"><h1>✓ Authorized</h1><p>You can close this tab and return to your terminal.</p></div></body></html>`;
+
+const ERROR_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>Genex</title></head>
+<body style="font-family:system-ui,sans-serif"><h1>Authorization failed</h1>
+<p>No token was provided. Please return to your terminal and try again.</p></body></html>`;
+
+/**
+ * Run the interactive authorization flow and resolve with the auth token.
+ *
+ * Spins up a temporary loopback HTTP server, opens the browser to the auth
+ * site (passing the local `redirect_uri` and a CSRF `state`), and waits for the
+ * site to hand the token back — either by redirecting to the callback with a
+ * `?token=` query, or by POSTing `{ token }` (JSON or form-encoded) to it.
+ *
+ * If the browser can't be opened, the URL is printed for the user to open
+ * manually. When `interactive`, a pasted token is also accepted as a fallback.
+ */
+export async function authorize(
+  authBaseUrl: string,
+  options: AuthorizeOptions,
+): Promise<string> {
+  const {
+    log,
+    timeoutMs = 5 * 60 * 1000,
+    open = openBrowser,
+    interactive = Boolean(process.stdin.isTTY),
+  } = options;
+
+  const state = crypto.randomBytes(16).toString("hex");
+  const server = http.createServer();
+
+  return await new Promise<string>((resolve, reject) => {
+    let settled = false;
+    let timer: NodeJS.Timeout | undefined;
+    let rl: readline.Interface | undefined;
+
+    const cleanup = (): void => {
+      if (timer) clearTimeout(timer);
+      if (rl) rl.close();
+      server.close();
+    };
+
+    const succeed = (token: string): void => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve(token);
+    };
+
+    const fail = (err: Error): void => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      reject(err);
+    };
+
+    server.on("request", (req, res) => {
+      handleCallback(req, res, state, log)
+        .then((token) => {
+          if (token) succeed(token);
+        })
+        .catch((err: unknown) => {
+          // A single bad request must not abort a legitimate pending auth, but
+          // we must always end the response so the client isn't left hanging.
+          log.dim(`callback error: ${String(err)}`);
+          if (!res.writableEnded) {
+            res.writeHead(500);
+            res.end();
+          }
+        });
+    });
+
+    server.on("error", (err) => fail(err as Error));
+
+    // Port 0 → OS assigns a free ephemeral port on loopback.
+    server.listen(0, "127.0.0.1", () => {
+      const { port } = server.address() as AddressInfo;
+      const redirectUri = `http://127.0.0.1:${port}/callback`;
+      const authUrl = buildAuthUrl(authBaseUrl, redirectUri, state);
+
+      log.step("Opening your browser to authorize…");
+      log.dim(authUrl);
+
+      let warned = false;
+      const warnManual = (): void => {
+        if (warned || settled) return;
+        warned = true;
+        log.warn(
+          "Couldn't open a browser automatically. Open the URL above manually to continue.",
+        );
+      };
+
+      const opened = open(authUrl, warnManual);
+      if (!opened) warnManual();
+
+      if (interactive) {
+        rl = readline.createInterface({
+          input: process.stdin,
+          output: process.stdout,
+        });
+        rl.question(
+          "\nWaiting for the browser redirect… or paste your token here and press Enter:\n> ",
+          (answer) => {
+            const token = answer.trim();
+            if (token) succeed(token);
+          },
+        );
+      }
+
+      timer = setTimeout(() => {
+        fail(
+          new Error(
+            "Timed out waiting for authorization. Re-run the command to try again.",
+          ),
+        );
+      }, timeoutMs);
+    });
+  });
+}
+
+function buildAuthUrl(
+  authBaseUrl: string,
+  redirectUri: string,
+  state: string,
+): string {
+  const url = new URL(`${authBaseUrl}/cli/auth`);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("state", state);
+  return url.toString();
+}
+
+/**
+ * Handle a request to the loopback server. Returns the token when the callback
+ * carried one (and the state matched), otherwise `null`.
+ */
+async function handleCallback(
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  expectedState: string,
+  log: Logger,
+): Promise<string | null> {
+  // Permit the auth site's https origin to POST to our loopback server.
+  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+
+  const reqUrl = new URL(req.url ?? "/", "http://127.0.0.1");
+
+  if (req.method === "OPTIONS") {
+    res.writeHead(204);
+    res.end();
+    return null;
+  }
+
+  if (reqUrl.pathname !== "/callback") {
+    res.writeHead(404);
+    res.end();
+    return null;
+  }
+
+  let token: string | null = null;
+  let state: string | null = null;
+
+  if (req.method === "GET") {
+    token = reqUrl.searchParams.get("token");
+    state = reqUrl.searchParams.get("state");
+  } else if (req.method === "POST") {
+    let parsed: ParsedBody;
+    try {
+      parsed = await readBody(req);
+    } catch (err) {
+      // Malformed / oversized body — reject this request but keep waiting.
+      log.dim(`ignoring malformed callback body: ${String(err)}`);
+      res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(ERROR_HTML);
+      return null;
+    }
+    token = parsed.token;
+    state = parsed.state ?? reqUrl.searchParams.get("state");
+  } else {
+    res.writeHead(405);
+    res.end();
+    return null;
+  }
+
+  // Guard against cross-site request forgery on the loopback callback. The
+  // state is mandatory: a missing state (null) must fail just like a mismatch.
+  if (state !== expectedState) {
+    log.dim("ignoring callback with missing or mismatched state");
+    res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+    res.end(ERROR_HTML);
+    return null;
+  }
+
+  if (!token) {
+    res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
+    res.end(ERROR_HTML);
+    return null;
+  }
+
+  res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+  res.end(SUCCESS_HTML);
+  return token;
+}
+
+interface ParsedBody {
+  token: string | null;
+  state: string | null;
+}
+
+async function readBody(req: http.IncomingMessage): Promise<ParsedBody> {
+  const chunks: Buffer[] = [];
+  let total = 0;
+  const MAX = 1024 * 1024; // 1 MB cap — tokens are tiny; reject anything huge.
+
+  for await (const chunk of req) {
+    const buf = chunk as Buffer;
+    total += buf.length;
+    if (total > MAX) {
+      throw new Error("request body too large");
+    }
+    chunks.push(buf);
+  }
+
+  const raw = Buffer.concat(chunks).toString("utf8").trim();
+  if (!raw) return { token: null, state: null };
+
+  const contentType = req.headers["content-type"] ?? "";
+
+  if (contentType.includes("application/json")) {
+    try {
+      const obj = JSON.parse(raw) as Record<string, unknown>;
+      return {
+        token: typeof obj.token === "string" ? obj.token : null,
+        state: typeof obj.state === "string" ? obj.state : null,
+      };
+    } catch {
+      return { token: null, state: null };
+    }
+  }
+
+  // Fall back to form-encoded (application/x-www-form-urlencoded).
+  const params = new URLSearchParams(raw);
+  return {
+    token: params.get("token"),
+    state: params.get("state"),
+  };
+}
+
+/**
+ * Best-effort cross-platform browser opener. Returns false if we couldn't even
+ * launch the platform's open command.
+ */
+export function openBrowser(url: string, onError: () => void = () => {}): boolean {
+  let command: string;
+  let args: string[];
+
+  // Respect an explicit opener override (the conventional BROWSER variable, or
+  // our own GENEX_BROWSER which takes precedence). Tokenized like a shell
+  // command so both arguments (`open -a Safari`) and quoted paths containing
+  // spaces (`"/Applications/My Browser.app/.../My Browser"`) work. The URL is
+  // appended as the final argument.
+  const custom = (process.env.GENEX_BROWSER || process.env.BROWSER)?.trim();
+  const customParts = custom ? tokenizeCommand(custom) : [];
+
+  if (customParts.length > 0) {
+    command = customParts[0] as string;
+    args = [...customParts.slice(1), url];
+  } else {
+    switch (process.platform) {
+      case "darwin":
+        command = "open";
+        args = [url];
+        break;
+      case "win32":
+        command = "cmd";
+        // `start` needs an empty title arg so a quoted URL isn't taken as one.
+        args = ["/c", "start", "", url];
+        break;
+      default:
+        command = "xdg-open";
+        args = [url];
+        break;
+    }
+  }
+
+  try {
+    const child = spawn(command, args, {
+      stdio: "ignore",
+      detached: true,
+    });
+    // If the binary is missing, 'error' fires asynchronously — surface it so the
+    // caller can tell the user to open the URL manually, but don't let the
+    // unhandled error crash the process.
+    child.on("error", () => onError());
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Split a command string into argv, honoring single/double quotes so that
+ * arguments and quoted paths-with-spaces both survive. This is a deliberately
+ * small tokenizer — not a full shell parser (no escapes, globs, or variable
+ * expansion) — which is all an opener command needs.
+ */
+export function tokenizeCommand(input: string): string[] {
+  const tokens: string[] = [];
+  let current = "";
+  let quote: '"' | "'" | null = null;
+  let inToken = false;
+
+  for (const ch of input) {
+    if (quote) {
+      if (ch === quote) quote = null;
+      else current += ch;
+    } else if (ch === '"' || ch === "'") {
+      quote = ch;
+      inToken = true;
+    } else if (/\s/.test(ch)) {
+      if (inToken) {
+        tokens.push(current);
+        current = "";
+        inToken = false;
+      }
+    } else {
+      current += ch;
+      inToken = true;
+    }
+  }
+  if (inToken) tokens.push(current);
+  return tokens;
+}

package/src/lib/copy-templates.ts

@@ -0,0 +1,81 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+export interface CopyResult {
+  /** Files written, as paths relative to the source root. */
+  copied: string[];
+  /** Files left untouched because they already existed at the destination. */
+  skipped: string[];
+}
+
+export interface CopyOptions {
+  /**
+   * Overwrite files that already exist at the destination. Defaults to `false`,
+   * which is the whole point of this helper: never clobber the user's files.
+   */
+  force?: boolean;
+}
+
+/**
+ * Recursively copy everything from `srcDir` into `destDir`, merging into any
+ * existing directory tree.
+ *
+ * Existing files at the destination are **never overwritten** unless
+ * `force` is set — they are reported in `skipped` instead. Directories are
+ * created as needed. Symlinks in the source are ignored for safety.
+ */
+export async function copyTemplates(
+  srcDir: string,
+  destDir: string,
+  opts: CopyOptions = {},
+): Promise<CopyResult> {
+  const result: CopyResult = { copied: [], skipped: [] };
+  await walk(srcDir, srcDir, destDir, opts, result);
+  return result;
+}
+
+async function walk(
+  rootSrc: string,
+  src: string,
+  dest: string,
+  opts: CopyOptions,
+  result: CopyResult,
+): Promise<void> {
+  const entries = await fs.readdir(src, { withFileTypes: true });
+
+  for (const entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+    const rel = path.relative(rootSrc, srcPath);
+
+    if (entry.isDirectory()) {
+      // Create the directory up front so empty directories are mirrored too.
+      await fs.mkdir(destPath, { recursive: true });
+      await walk(rootSrc, srcPath, destPath, opts, result);
+      continue;
+    }
+
+    if (!entry.isFile()) {
+      // Skip symlinks, sockets, fifos, etc.
+      continue;
+    }
+
+    if (!opts.force && (await exists(destPath))) {
+      result.skipped.push(rel);
+      continue;
+    }
+
+    await fs.mkdir(path.dirname(destPath), { recursive: true });
+    await fs.copyFile(srcPath, destPath);
+    result.copied.push(rel);
+  }
+}
+
+async function exists(p: string): Promise<boolean> {
+  try {
+    await fs.access(p);
+    return true;
+  } catch {
+    return false;
+  }
+}