@gjsify/cli 0.4.35 → 0.4.37

package/lib/utils/prompt.js

@@ -0,0 +1,92 @@
+// Minimal interactive prompts for `gjsify login` — a visible line prompt and a
+// hidden (no-echo) password prompt. Cross-runtime: `process.stdin.setRawMode`
+// is provided by Node and by `@gjsify/process` (terminal-native) under GJS.
+//
+// Non-TTY stdin (piped input, CI) is supported: both helpers read a single line
+// without raw-mode masking, so `printf 'user\npass\n' | gjsify login` works for
+// automation.
+const CTRL_C = String.fromCharCode(3); // ETX (Ctrl-C)
+const DEL = String.fromCharCode(127); // DEL (Backspace on most terminals)
+const BACKSPACE = String.fromCharCode(8); // BS
+/** Print a question and read one line from stdin (visible). */
+export async function promptLine(question) {
+    process.stdout.write(question);
+    return readLine();
+}
+/**
+ * Print a question and read one line WITHOUT echoing it (passwords). Uses raw
+ * mode + manual key handling on a TTY; falls back to a plain line read when
+ * stdin is not a TTY (piped). Ctrl-C aborts the process.
+ */
+export async function promptHidden(question) {
+    process.stdout.write(question);
+    const stdin = process.stdin;
+    if (!stdin.isTTY || typeof stdin.setRawMode !== 'function') {
+        // Non-interactive: read a line as-is (no masking possible/needed).
+        return readLine();
+    }
+    return new Promise((resolve) => {
+        let buf = '';
+        stdin.setRawMode(true);
+        stdin.resume();
+        stdin.setEncoding('utf-8');
+        const onData = (chunk) => {
+            for (const ch of chunk) {
+                if (ch === '\r' || ch === '\n') {
+                    cleanup();
+                    process.stdout.write('\n');
+                    resolve(buf);
+                    return;
+                }
+                else if (ch === CTRL_C) {
+                    cleanup();
+                    process.stdout.write('\n');
+                    process.exit(130);
+                }
+                else if (ch === DEL || ch === BACKSPACE) {
+                    if (buf.length > 0) {
+                        buf = buf.slice(0, -1);
+                        process.stdout.write('\b \b');
+                    }
+                }
+                else if (ch >= ' ') {
+                    buf += ch;
+                    process.stdout.write('*');
+                }
+            }
+        };
+        const cleanup = () => {
+            stdin.setRawMode(false);
+            stdin.removeListener('data', onData);
+            stdin.pause();
+        };
+        stdin.on('data', onData);
+    });
+}
+/** Read a single line from stdin (shared by both prompts on non-TTY). */
+function readLine() {
+    return new Promise((resolve) => {
+        let buf = '';
+        const onData = (chunk) => {
+            buf += typeof chunk === 'string' ? chunk : chunk.toString('utf-8');
+            const nl = buf.indexOf('\n');
+            if (nl >= 0) {
+                cleanup();
+                resolve(buf.slice(0, nl).replace(/\r$/, ''));
+            }
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve(buf.replace(/\r$/, '').trim());
+        };
+        const cleanup = () => {
+            process.stdin.removeListener('data', onData);
+            process.stdin.removeListener('end', onEnd);
+        };
+        process.stdin.setEncoding('utf-8');
+        if (typeof process.stdin.isPaused === 'function' && process.stdin.isPaused())
+            process.stdin.resume();
+        process.stdin.on('data', onData);
+        process.stdin.once('end', onEnd);
+    });
+}

package/lib/utils/publish-diagnose.d.ts

@@ -0,0 +1,38 @@
+import { type NpmrcConfig } from '@gjsify/npm-registry';
+export type Diagnose404Reason = 'dead-token' | 'live-token-404' | 'unknown';
+export interface Diagnose404Result {
+    /** Discriminant — drives the JSON shape + exit-code path in the caller. */
+    reason: Diagnose404Reason;
+    /** Username from `/-/whoami` when reason === 'live-token-404'. */
+    username?: string;
+    /** Multi-line, human-friendly hint ready for stderr emission. */
+    message: string;
+}
+interface Diagnose404Input {
+    /** Full package name including scope, e.g. `@gjsify/abort-controller`. */
+    packageName: string;
+    /** Pinned version we tried to publish. */
+    version: string;
+    /** Registry URL (with or without trailing slash). */
+    registry: string;
+    /** Parsed .npmrc — used to derive Authorization on the whoami probe. */
+    npmrc: NpmrcConfig | undefined;
+}
+/**
+ * Probe `/-/whoami` to disambiguate the 404 cause. Best-effort: any thrown
+ * error / non-2xx falls through to `reason: 'unknown'` so the caller's
+ * generic error path runs untouched.
+ *
+ * Pure async I/O — no side effects, no process.exit, no console writes.
+ * The caller owns presentation (stderr vs stdout, plain vs JSON).
+ */
+export declare function diagnose404(input: Diagnose404Input): Promise<Diagnose404Result>;
+/**
+ * Heuristic: is the 404 body the "dead-token-or-missing-package" shape?
+ * npm's PUT returns plain text `Not Found` (sometimes empty body). We trigger
+ * the diagnostic for both, plus for the JSON `{"error":"Not Found"}` shape
+ * just in case. Other 404 bodies (e.g. with a structured npm error code)
+ * keep the generic error path.
+ */
+export declare function is404DiagnosticCandidate(body: string): boolean;
+export {};

package/lib/utils/publish-diagnose.js

@@ -0,0 +1,103 @@
+// Dead-token vs new-package diagnostic for `gjsify publish`.
+//
+// When the publish PUT returns `404 Not Found` (body `"Not Found"` or empty)
+// it is ambiguous between two very different situations:
+//
+//   1. The `_authToken` in ~/.npmrc has been revoked / expired. The npm
+//      registry's 404 is its way of saying "we don't recognize this
+//      bearer". Easy to mistake for a missing-package error and send the
+//      user down the wrong path (Trusted-Publisher-bootstrap setup).
+//   2. The scoped `@gjsify/<pkg>` genuinely doesn't exist on npm yet —
+//      the first-publish bootstrap step from AGENTS.md.
+//
+// `GET /-/whoami` with the SAME Authorization header disambiguates: a live
+// token returns `{"username": "..."}`, a dead token returns `{}` (status 200
+// in both cases — the empty body is npm's signal).
+//
+// `npm publish` from npm-cli handles dead tokens with `401 EOTP` + a clear
+// "one-time-password or refresh the token" hint. The 404 path is npm's
+// PUT-specific shape and `gjsify publish` previously just printed the
+// opaque body. This helper closes the diagnostic gap.
+import { whoami } from '@gjsify/npm-registry';
+/**
+ * Probe `/-/whoami` to disambiguate the 404 cause. Best-effort: any thrown
+ * error / non-2xx falls through to `reason: 'unknown'` so the caller's
+ * generic error path runs untouched.
+ *
+ * Pure async I/O — no side effects, no process.exit, no console writes.
+ * The caller owns presentation (stderr vs stdout, plain vs JSON).
+ */
+export async function diagnose404(input) {
+    const { packageName, version, registry, npmrc } = input;
+    let probe = {};
+    try {
+        probe = await whoami(registry, npmrc);
+    }
+    catch {
+        return { reason: 'unknown', message: formatUnknown(packageName, version) };
+    }
+    if (probe.username && probe.username.length > 0) {
+        return {
+            reason: 'live-token-404',
+            username: probe.username,
+            message: formatLiveToken404(packageName, version, probe.username),
+        };
+    }
+    return { reason: 'dead-token', message: formatDeadToken(packageName, version) };
+}
+function formatDeadToken(name, version) {
+    return [
+        `gjsify publish: ${name}@${version} — 404 Not Found`,
+        '',
+        'The npm token in ~/.npmrc appears to be revoked or expired (the /-/whoami probe',
+        'returned {} instead of {"username": "..."}). The 404 is npm\'s response to a PUT',
+        'authenticated with an invalid bearer token.',
+        '',
+        'To refresh:',
+        '  npm login',
+        '  # or, future: gjsify login (tracked as project_gjsify_login_goal)',
+        '',
+        'Then verify before publishing:',
+        '  curl -s -H "Authorization: Bearer $(grep registry.npmjs.org ~/.npmrc | sed \'s|.*=||\')" \\',
+        '       https://registry.npmjs.org/-/whoami',
+        '  # Healthy: {"username":"<you>"}',
+        '  # Dead:    {}',
+    ].join('\n');
+}
+function formatLiveToken404(name, version, username) {
+    return [
+        `gjsify publish: ${name}@${version} — 404 Not Found`,
+        '',
+        `Authenticated as: ${username}`,
+        '',
+        `Your token authenticates, so this is NOT a dead-token problem. The package`,
+        `${name} is not (yet) on npmjs.com. Two cases:`,
+        '',
+        '  1. First publish of a brand-new scoped package — do the one-time bootstrap',
+        '     (see AGENTS.md > "New @gjsify/* package: first-publish + Trusted',
+        '     Publisher bootstrap"). The npm registry can also 404 *transiently*',
+        '     while provisioning a brand-new package: simply re-run, or do the very',
+        '     first publish with `npm publish` (then configure the Trusted Publisher).',
+        '  2. You lack publish access to the scope — verify with `npm access ls-packages`.',
+    ].join('\n');
+}
+function formatUnknown(name, version) {
+    return `gjsify publish: ${name}@${version} — 404 Not Found`;
+}
+/**
+ * Heuristic: is the 404 body the "dead-token-or-missing-package" shape?
+ * npm's PUT returns plain text `Not Found` (sometimes empty body). We trigger
+ * the diagnostic for both, plus for the JSON `{"error":"Not Found"}` shape
+ * just in case. Other 404 bodies (e.g. with a structured npm error code)
+ * keep the generic error path.
+ */
+export function is404DiagnosticCandidate(body) {
+    const trimmed = body.trim();
+    if (trimmed.length === 0)
+        return true;
+    if (/^not found$/i.test(trimmed))
+        return true;
+    if (/"error"\s*:\s*"Not Found"/i.test(trimmed))
+        return true;
+    return false;
+}

package/lib/utils/resolve-npm-package.d.ts

@@ -0,0 +1,21 @@
+export interface ResolveNpmPackageOptions {
+    /** Anchor directory to search from (typically the caller's cwd). */
+    cwd?: string;
+    /**
+     * Bundle path or module URL to anchor the bundle-side createRequire
+     * at. Pass `import.meta.url` from the call site so the bundle's
+     * own node_modules chain stays reachable even when the CLI is
+     * invoked from an unrelated cwd.
+     */
+    bundleUrl?: string;
+}
+/**
+ * Resolve a bare npm specifier through multiple createRequire anchors.
+ * Returns the absolute filesystem path of the resolved module, or null
+ * if no anchor succeeded.
+ *
+ * Each anchor is tried in priority order — `GJSIFY_NODE_PATH` (highest)
+ * → caller cwd → workspace root → bundle URL → parent-dir walk from
+ * cwd. The first anchor whose `require.resolve()` succeeds wins.
+ */
+export declare function resolveNpmPackage(specifier: string, opts?: ResolveNpmPackageOptions): string | null;

package/lib/utils/resolve-npm-package.js

@@ -0,0 +1,121 @@
+// Multi-anchor npm-package resolver for the GJS-bundled CLI.
+//
+// GJS's native ESM loader has no node_modules walker — a bare
+// `await import('rolldown')` from inside the bundle throws
+// `ImportError: Module not found: rolldown` even when the package is
+// physically present in a node_modules above the caller's cwd.
+//
+// `createRequire(import.meta.url)` works when invoked under Node, and
+// when invoked under GJS *with* `@gjsify/module`'s polyfill it walks the
+// node_modules chain from the URL it was anchored at. But it walks
+// only ONE chain — the one rooted at the anchor's parent. When the
+// bundle lives at `<install>/dist/cli.gjs.mjs` and the user runs
+// `gjs -m <install>/dist/cli.gjs.mjs build …` from a completely
+// unrelated cwd (`/tmp/sandbox/`) whose `node_modules` is the only
+// place rolldown is present, anchoring on the bundle URL misses it.
+//
+// This helper resolves a bare specifier against multiple anchors in
+// order — the first one that resolves wins:
+//
+//   1. `GJSIFY_NODE_PATH` env override (colon-separated dir list,
+//      matches Node's NODE_PATH semantics — each entry is treated as a
+//      synthetic `node_modules` parent).
+//   2. Caller-supplied anchor dir (typically process.cwd()).
+//   3. Workspace root from `findWorkspaceRoot(anchorDir)` — finds the
+//      monorepo top when invoked from a sub-package directory.
+//   4. Bundle path's parent chain (`import.meta.url` of THIS module).
+//   5. Parent dirs of the anchor (fallback for nested-without-workspace
+//      setups — matches `oxc-resolve.ts`'s walker).
+//
+// Returns the absolute path on success (the caller usually wraps it in
+// `pathToFileURL().href` before passing to dynamic `import(...)`).
+// Returns null when every anchor failed.
+//
+// Reference: `packages/infra/cli/src/commands/tsc.ts` (workspace-root +
+// cwd anchoring precedent) and `packages/infra/cli/src/utils/oxc-resolve.ts`
+// (parent-dir walker precedent).
+import { createRequire } from 'node:module';
+import { pathToFileURL } from 'node:url';
+import { join, resolve } from 'node:path';
+import { findWorkspaceRoot } from './workspace-root.js';
+/**
+ * Resolve a bare npm specifier through multiple createRequire anchors.
+ * Returns the absolute filesystem path of the resolved module, or null
+ * if no anchor succeeded.
+ *
+ * Each anchor is tried in priority order — `GJSIFY_NODE_PATH` (highest)
+ * → caller cwd → workspace root → bundle URL → parent-dir walk from
+ * cwd. The first anchor whose `require.resolve()` succeeds wins.
+ */
+export function resolveNpmPackage(specifier, opts = {}) {
+    const cwd = opts.cwd ?? process.cwd();
+    // 1. GJSIFY_NODE_PATH env override (NODE_PATH-like) — each entry is
+    //    treated as a directory whose own `node_modules` participates
+    //    in the lookup. Mirrors Node's NODE_PATH semantics.
+    const envPath = process.env['GJSIFY_NODE_PATH'];
+    if (envPath) {
+        for (const dir of envPath.split(':').filter(Boolean)) {
+            const hit = tryResolveFromDir(specifier, resolve(dir));
+            if (hit)
+                return hit;
+        }
+    }
+    // 2. Caller cwd → walk up for nearest node_modules/<pkg>.
+    const fromCwd = tryResolveFromDir(specifier, cwd);
+    if (fromCwd)
+        return fromCwd;
+    // 3. Workspace root (monorepo top, if any).
+    const wsRoot = findWorkspaceRoot(cwd);
+    if (wsRoot && wsRoot !== cwd) {
+        const fromWsRoot = tryResolveFromDir(specifier, wsRoot);
+        if (fromWsRoot)
+            return fromWsRoot;
+    }
+    // 4. Bundle path's own parent chain — anchored at the bundle URL
+    //    so the install-time node_modules layout (e.g.
+    //    `<install>/node_modules/rolldown` next to the CLI bundle)
+    //    is reachable even when the user runs the bundle directly from
+    //    an unrelated cwd.
+    if (opts.bundleUrl) {
+        try {
+            const req = createRequire(opts.bundleUrl);
+            return req.resolve(specifier);
+        }
+        catch {
+            // Fall through.
+        }
+    }
+    // 5. Parent-dir walk from cwd as a last resort (nested
+    //    package layouts without a workspace marker). Capped at 8
+    //    levels to avoid runaway filesystem walks on pathological
+    //    layouts. Matches the depth `oxc-resolve.ts` uses for its
+    //    equivalent walker.
+    let dir = resolve(cwd, '..');
+    for (let i = 0; i < 8; i++) {
+        const hit = tryResolveFromDir(specifier, dir);
+        if (hit)
+            return hit;
+        const parent = resolve(dir, '..');
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
+/**
+ * Attempt to resolve `specifier` as if a fictional source file at
+ * `<dir>/__gjsify_resolve__.js` were doing the lookup. createRequire's
+ * algorithm walks up from the anchor's parent for `node_modules/<pkg>`
+ * so seeding it inside `<dir>` makes `<dir>/node_modules/<pkg>` the
+ * first hit.
+ */
+function tryResolveFromDir(specifier, dir) {
+    try {
+        const sentinel = pathToFileURL(join(dir, '__gjsify_resolve__.js')).href;
+        const req = createRequire(sentinel);
+        return req.resolve(specifier);
+    }
+    catch {
+        return null;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@gjsify/cli",
-    "version": "0.4.35",
+    "version": "0.4.37",
     "description": "CLI for Gjsify",
     "type": "module",
     "main": "lib/index.js",
@@ -120,35 +120,46 @@
         "cli"
     ],
     "dependencies": {
-        "@gjsify/buffer": "^0.4.35",
-        "@gjsify/create-app": "^0.4.35",
-        "@gjsify/node-globals": "^0.4.35",
-        "@gjsify/node-polyfills": "^0.4.35",
-        "@gjsify/npm-registry": "^0.4.35",
-        "@gjsify/resolve-npm": "^0.4.35",
-        "@gjsify/rolldown-plugin-gjsify": "^0.4.35",
-        "@gjsify/rolldown-plugin-pnp": "^0.4.35",
-        "@gjsify/semver": "^0.4.35",
-        "@gjsify/tar": "^0.4.35",
-        "@gjsify/web-polyfills": "^0.4.35",
-        "@gjsify/workspace": "^0.4.35",
+        "@gjsify/buffer": "^0.4.37",
+        "@gjsify/create-app": "^0.4.37",
+        "@gjsify/node-globals": "^0.4.37",
+        "@gjsify/node-polyfills": "^0.4.37",
+        "@gjsify/npm-registry": "^0.4.37",
+        "@gjsify/resolve-npm": "^0.4.37",
+        "@gjsify/rolldown-plugin-gjsify": "^0.4.37",
+        "@gjsify/rolldown-plugin-pnp": "^0.4.37",
+        "@gjsify/semver": "^0.4.37",
+        "@gjsify/tar": "^0.4.37",
+        "@gjsify/tsc": "^0.4.37",
+        "@gjsify/web-polyfills": "^0.4.37",
+        "@gjsify/workspace": "^0.4.37",
         "cosmiconfig": "^9.0.1",
         "get-tsconfig": "^4.14.0",
         "pkg-types": "^2.3.1",
-        "rolldown": "^1.0.0",
+        "rolldown": "^1.0.3",
         "yargs": "^18.0.0"
     },
     "devDependencies": {
-        "@gjsify/unit": "^0.4.35",
+        "@gjsify/unit": "^0.4.37",
         "@types/yargs": "^17.0.35",
-        "typescript": "^6.0.3"
+        "typescript": "^5.9.3"
     },
     "peerDependencies": {
-        "@gjsify/rolldown-native": "^0.4.35"
+        "@gjsify/rolldown-native": "^0.4.37"
     },
     "peerDependenciesMeta": {
         "@gjsify/rolldown-native": {
             "optional": true
         }
-    }
+    },
+    "license": "MIT",
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/gjsify/gjsify.git",
+        "directory": "packages/infra/cli"
+    },
+    "bugs": {
+        "url": "https://github.com/gjsify/gjsify/issues"
+    },
+    "homepage": "https://github.com/gjsify/gjsify/tree/main/packages/infra/cli#readme"
 }