@haystackeditor/cli 0.2.0 → 0.3.0

package/README.md

@@ -1,105 +1,81 @@
 # @haystackeditor/cli
 
-Unified CLI for Haystack verification, fixtures, and sandboxes.
+Set up Haystack verification for your project. When PRs are opened, an AI agent spins up your app in a sandbox and verifies changes work correctly.
 
-## Installation
+## Quick Start
 
 ```bash
-# Global install
-npm install -g @haystackeditor/cli
-
-# Or run directly with npx
 npx @haystackeditor/cli init
 ```
 
+This auto-detects your framework, package manager, and ports, then creates:
+- `.haystack.yml` - Configuration for the verification agent
+- `.agents/skills/haystack.md` - Skill file for AI agent discovery
+
 ## Commands
 
 ### `haystack init`
 
-Interactive setup wizard to create `.haystack.yml` configuration:
+Interactive setup wizard:
 
 ```bash
-haystack init              # Interactive wizard
-haystack init -y           # Accept all defaults
+npx @haystackeditor/cli init       # Interactive wizard
+npx @haystackeditor/cli init -y    # Accept all defaults
 ```
 
-### `haystack login`
+### `haystack status`
 
-Authenticate with Haystack via GitHub OAuth:
+Check if your project is configured:
 
 ```bash
-haystack login             # Opens browser for GitHub OAuth
-haystack login --token     # Use existing GitHub token
-haystack logout            # Clear stored credentials
+npx @haystackeditor/cli status
 ```
 
-### `haystack secrets`
+### `haystack login`
 
-Manage secrets for fixtures and integrations:
+Authenticate with GitHub (required for secrets management):
 
 ```bash
-haystack secrets list                # List all secrets
-haystack secrets set KEY value       # Set a secret
-haystack secrets delete KEY          # Delete a secret
+npx @haystackeditor/cli login
 ```
 
-Secrets are stored securely in the Haystack platform and referenced in `.haystack.yml` using `$VARIABLE` syntax.
-
-### `haystack record`
-
-Record API responses as fixtures:
+This uses GitHub's device flow - you'll get a code to enter at github.com/login/device.
 
 ```bash
-haystack record https://api.example.com/data
-haystack record https://api.example.com/data --output fixtures/data.json
+# Log out (removes stored credentials)
+npx @haystackeditor/cli logout
 ```
 
-### `haystack verify`
+### `haystack secrets`
 
-Run verification commands from `.haystack.yml`:
+Manage secrets that will be injected into your sandbox environment:
 
 ```bash
-haystack verify                # Run all verification commands
-haystack verify -c build       # Run specific command
-haystack verify --dry-run      # Show commands without running
-```
+# List all secrets (keys only, values are never shown)
+npx @haystackeditor/cli secrets list
 
-### `haystack dev`
+# Set a secret
+npx @haystackeditor/cli secrets set OPENAI_API_KEY sk-xxx
 
-Start dev server with fixtures enabled:
-
-```bash
-haystack dev                   # Start dev server
-haystack dev -s frontend       # Start specific service (monorepo)
-haystack dev --no-fixtures     # Start without fixture loading
+# Delete a secret
+npx @haystackeditor/cli secrets delete OPENAI_API_KEY
 ```
 
-### `haystack sandbox`
+Secrets are encrypted and stored securely. They're automatically injected as environment variables when the sandbox runs your app.
 
-Manage Haystack sandboxes:
+**Scopes**: By default, secrets are user-scoped. You can also scope to an org or repo:
 
 ```bash
-haystack sandbox create        # Create sandbox for current branch
-haystack sandbox status        # Check sandbox status
-haystack sandbox open          # Open sandbox in browser
-haystack sandbox logs          # Stream sandbox logs
-haystack sandbox destroy       # Destroy sandbox
-```
-
-### `haystack mcp`
+# Org-scoped (available to all repos in the org)
+npx @haystackeditor/cli secrets set API_KEY xxx --scope org --scope-id myorg
 
-Run as MCP server for Claude Code integration:
-
-```bash
-# Add to Claude Code
-claude mcp add haystack -- npx @haystackeditor/cli mcp
+# Repo-scoped (available only to this repo)
+npx @haystackeditor/cli secrets set API_KEY xxx --scope repo --scope-id owner/repo
 ```
 
 ## Configuration
 
-Create `.haystack.yml` in your project root:
-
-### Simple Project
+The `init` command creates `.haystack.yml`:
 
 ```yaml
 version: "1"
@@ -118,84 +94,27 @@ verification:
       run: pnpm build
     - name: lint
       run: pnpm lint
-    - name: typecheck
-      run: pnpm tsc --noEmit
-```
-
-### Monorepo
-
-```yaml
-version: "1"
-name: my-monorepo
-
-services:
-  frontend:
-    command: pnpm dev
-    port: 3000
-    ready_pattern: "Local:"
-    env:
-      SKIP_AUTH: "true"
-
-  api:
-    root: packages/api
-    command: pnpm dev
-    port: 8080
-    ready_pattern: "listening"
-
-  worker:
-    root: infra/worker
-    command: pnpm dev
-    ready_pattern: "Ready"
-
-  analysis:
-    root: packages/analysis
-    type: batch
-    command: pnpm start
-
-verification:
-  commands:
-    - name: build
-      run: pnpm build
-    - name: test
-      run: pnpm test
-
-  fixtures:
-    "*/api/github/*":
-      source: file://fixtures/github-api.json
-
-    "*/api/analysis/*":
-      source: pr://haystackeditor/example-repo/42
 ```
 
-## Fixtures
-
-Fixtures mock external API responses during development and testing. Sources:
-
-| Prefix | Description |
-|--------|-------------|
-| `file://` | Local JSON file |
-| `https://` | Remote URL (cached) |
-| `s3://` | AWS S3 bucket |
-| `r2://` | Cloudflare R2 bucket |
-| `pr://owner/repo/number` | Haystack PR analysis data |
-| `recorded://id` | Previously recorded fixture |
-| `passthrough` | Don't intercept, let request through |
+### Customizing After Init
 
-### Using Secrets in Fixtures
+| If your app has... | Add this |
+|-------------------|----------|
+| Login/authentication | Auth bypass env var in `dev_server.env` |
+| Key user journeys | Flows describing what to verify |
+| API calls needing auth | Fixtures to mock responses |
 
-```yaml
-fixtures:
-  "*/api/private/*":
-    source: s3://my-bucket/fixtures/data.json
-    headers:
-      Authorization: Bearer $AWS_TOKEN
-```
+See the generated `.agents/skills/haystack.md` for full documentation on flows, fixtures, and monorepo configuration.
 
-Set the secret:
+## How It Works
 
-```bash
-haystack secrets set AWS_TOKEN "your-token-here"
-```
+1. You run `npx @haystackeditor/cli init` and commit the config
+2. When a PR is opened, Haystack's AI agent:
+   - Spins up your app in a Modal sandbox
+   - Reads the flows to understand what to verify
+   - Navigates the app autonomously
+   - Captures screenshots and evidence
+   - Reports results on the PR
 
 ## License
 

package/dist/commands/login.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Login command - GitHub OAuth device flow
+ */
+/**
+ * Load token from disk
+ */
+export declare function loadToken(): Promise<string | null>;
+export declare function loginCommand(): Promise<void>;
+export declare function logoutCommand(): Promise<void>;

package/dist/commands/login.js

@@ -0,0 +1,162 @@
+/**
+ * Login command - GitHub OAuth device flow
+ */
+import chalk from 'chalk';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+const GITHUB_CLIENT_ID = 'Ov23liW3JE38D3gZWa85'; // Haystack GitHub OAuth App
+const CONFIG_DIR = path.join(os.homedir(), '.haystack');
+const TOKEN_FILE = path.join(CONFIG_DIR, 'credentials.json');
+/**
+ * Start device flow and get user code
+ */
+async function startDeviceFlow() {
+    const response = await fetch('https://github.com/login/device/code', {
+        method: 'POST',
+        headers: {
+            'Accept': 'application/json',
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+            client_id: GITHUB_CLIENT_ID,
+            scope: 'read:user read:org repo',
+        }),
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to start device flow: ${response.status}`);
+    }
+    return response.json();
+}
+/**
+ * Poll for access token
+ */
+async function pollForToken(deviceCode, interval) {
+    while (true) {
+        await new Promise(resolve => setTimeout(resolve, interval * 1000));
+        const response = await fetch('https://github.com/login/oauth/access_token', {
+            method: 'POST',
+            headers: {
+                'Accept': 'application/json',
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({
+                client_id: GITHUB_CLIENT_ID,
+                device_code: deviceCode,
+                grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+            }),
+        });
+        const data = await response.json();
+        if (data.access_token) {
+            return data.access_token;
+        }
+        if (data.error === 'authorization_pending') {
+            // Still waiting for user
+            continue;
+        }
+        if (data.error === 'slow_down') {
+            // Increase interval
+            interval += 5;
+            continue;
+        }
+        if (data.error === 'expired_token') {
+            throw new Error('Authorization timed out. Please try again.');
+        }
+        if (data.error === 'access_denied') {
+            throw new Error('Authorization denied by user.');
+        }
+        throw new Error(`OAuth error: ${data.error}`);
+    }
+}
+/**
+ * Save token to disk
+ */
+async function saveToken(token) {
+    await fs.mkdir(CONFIG_DIR, { recursive: true });
+    const credentials = {
+        github_token: token,
+        created_at: new Date().toISOString(),
+    };
+    await fs.writeFile(TOKEN_FILE, JSON.stringify(credentials, null, 2), {
+        mode: 0o600, // Owner read/write only
+    });
+}
+/**
+ * Load token from disk
+ */
+export async function loadToken() {
+    try {
+        const content = await fs.readFile(TOKEN_FILE, 'utf-8');
+        const credentials = JSON.parse(content);
+        return credentials.github_token;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Verify token is valid by calling GitHub API
+ */
+async function verifyToken(token) {
+    try {
+        const response = await fetch('https://api.github.com/user', {
+            headers: {
+                'Authorization': `Bearer ${token}`,
+                'User-Agent': 'Haystack-CLI',
+            },
+        });
+        if (!response.ok) {
+            return null;
+        }
+        return response.json();
+    }
+    catch {
+        return null;
+    }
+}
+export async function loginCommand() {
+    console.log(chalk.bold('\nHaystack Login\n'));
+    // Check if already logged in
+    const existingToken = await loadToken();
+    if (existingToken) {
+        const user = await verifyToken(existingToken);
+        if (user) {
+            console.log(chalk.green(`Already logged in as ${chalk.bold(user.login)}`));
+            console.log(chalk.dim('Run `haystack logout` to sign out.\n'));
+            return;
+        }
+    }
+    console.log('Authenticating with GitHub...\n');
+    try {
+        // Start device flow
+        const deviceFlow = await startDeviceFlow();
+        console.log(chalk.yellow('Open this URL in your browser:\n'));
+        console.log(`  ${chalk.bold(deviceFlow.verification_uri)}\n`);
+        console.log(chalk.yellow('And enter this code:\n'));
+        console.log(`  ${chalk.bold.cyan(deviceFlow.user_code)}\n`);
+        console.log(chalk.dim('Waiting for authorization...'));
+        // Poll for token
+        const token = await pollForToken(deviceFlow.device_code, deviceFlow.interval);
+        // Verify and save
+        const user = await verifyToken(token);
+        if (!user) {
+            throw new Error('Failed to verify token');
+        }
+        await saveToken(token);
+        console.log(chalk.green(`\nLogged in as ${chalk.bold(user.login)}`));
+        console.log(chalk.dim('Credentials saved to ~/.haystack/credentials.json\n'));
+    }
+    catch (error) {
+        console.error(chalk.red(`\nLogin failed: ${error.message}\n`));
+        process.exit(1);
+    }
+}
+export async function logoutCommand() {
+    try {
+        await fs.unlink(TOKEN_FILE);
+        console.log(chalk.green('\nLogged out successfully.\n'));
+    }
+    catch {
+        console.log(chalk.yellow('\nNot logged in.\n'));
+    }
+}

package/dist/commands/secrets.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Secrets commands - manage secrets stored on Haystack Platform
+ */
+/**
+ * List all secrets (keys only, not values)
+ */
+export declare function listSecrets(): Promise<void>;
+/**
+ * Set a secret
+ */
+export declare function setSecret(key: string, value: string, options: {
+    scope?: string;
+    scopeId?: string;
+}): Promise<void>;
+/**
+ * Delete a secret
+ */
+export declare function deleteSecret(key: string): Promise<void>;

package/dist/commands/secrets.js

@@ -0,0 +1,133 @@
+/**
+ * Secrets commands - manage secrets stored on Haystack Platform
+ */
+import chalk from 'chalk';
+import { loadToken } from './login.js';
+const API_BASE = 'https://haystackeditor.com/api/secrets';
+async function requireAuth() {
+    const token = await loadToken();
+    if (!token) {
+        console.error(chalk.red('\nNot logged in. Run `haystack login` first.\n'));
+        process.exit(1);
+    }
+    return token;
+}
+async function apiRequest(method, path, token, body) {
+    const url = `${API_BASE}${path}`;
+    const response = await fetch(url, {
+        method,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+            'User-Agent': 'Haystack-CLI',
+        },
+        body: body ? JSON.stringify(body) : undefined,
+    });
+    return response;
+}
+/**
+ * List all secrets (keys only, not values)
+ */
+export async function listSecrets() {
+    const token = await requireAuth();
+    console.log(chalk.dim('\nFetching secrets...\n'));
+    try {
+        const response = await apiRequest('GET', '', token);
+        if (!response.ok) {
+            if (response.status === 401) {
+                console.error(chalk.red('Session expired. Run `haystack login` again.\n'));
+                process.exit(1);
+            }
+            throw new Error(`Failed to list secrets: ${response.status}`);
+        }
+        const data = await response.json();
+        const secrets = data.secrets || [];
+        if (secrets.length === 0) {
+            console.log(chalk.yellow('No secrets found.\n'));
+            console.log(chalk.dim('Set a secret with: haystack secrets set KEY VALUE\n'));
+            return;
+        }
+        console.log(chalk.bold('Your secrets:\n'));
+        for (const secret of secrets) {
+            const scope = secret.scope === 'user' ? '' : chalk.dim(` (${secret.scope}: ${secret.scopeId})`);
+            console.log(`  ${chalk.cyan(secret.key)}${scope}`);
+        }
+        console.log();
+    }
+    catch (error) {
+        console.error(chalk.red(`\nError: ${error.message}\n`));
+        process.exit(1);
+    }
+}
+/**
+ * Set a secret
+ */
+export async function setSecret(key, value, options) {
+    const token = await requireAuth();
+    if (!key || !value) {
+        console.error(chalk.red('\nUsage: haystack secrets set KEY VALUE\n'));
+        process.exit(1);
+    }
+    // Validate key format
+    if (!/^[A-Z][A-Z0-9_]*$/.test(key)) {
+        console.error(chalk.red('\nSecret key must be uppercase with underscores (e.g., MY_API_KEY)\n'));
+        process.exit(1);
+    }
+    console.log(chalk.dim(`\nSetting secret ${key}...`));
+    try {
+        const body = {
+            key,
+            plaintextValue: value, // Server will encrypt
+        };
+        if (options.scope) {
+            body.scope = options.scope;
+        }
+        if (options.scopeId) {
+            body.scopeId = options.scopeId;
+        }
+        const response = await apiRequest('POST', '', token, body);
+        if (!response.ok) {
+            if (response.status === 401) {
+                console.error(chalk.red('Session expired. Run `haystack login` again.\n'));
+                process.exit(1);
+            }
+            const error = await response.json().catch(() => ({}));
+            throw new Error(error.error || `Failed to set secret: ${response.status}`);
+        }
+        console.log(chalk.green(`\nSecret ${chalk.bold(key)} saved.\n`));
+    }
+    catch (error) {
+        console.error(chalk.red(`\nError: ${error.message}\n`));
+        process.exit(1);
+    }
+}
+/**
+ * Delete a secret
+ */
+export async function deleteSecret(key) {
+    const token = await requireAuth();
+    if (!key) {
+        console.error(chalk.red('\nUsage: haystack secrets delete KEY\n'));
+        process.exit(1);
+    }
+    console.log(chalk.dim(`\nDeleting secret ${key}...`));
+    try {
+        const response = await apiRequest('DELETE', `/${encodeURIComponent(key)}`, token);
+        if (!response.ok) {
+            if (response.status === 401) {
+                console.error(chalk.red('Session expired. Run `haystack login` again.\n'));
+                process.exit(1);
+            }
+            if (response.status === 404) {
+                console.error(chalk.yellow(`\nSecret ${key} not found.\n`));
+                process.exit(1);
+            }
+            throw new Error(`Failed to delete secret: ${response.status}`);
+        }
+        console.log(chalk.green(`\nSecret ${chalk.bold(key)} deleted.\n`));
+    }
+    catch (error) {
+        console.error(chalk.red(`\nError: ${error.message}\n`));
+        process.exit(1);
+    }
+}

package/dist/index.d.ts

@@ -6,7 +6,9 @@
  * This enables AI agents to spin up sandboxes of your app for testing.
  *
  * Usage:
- *   npx @haystackeditor/cli init    # Set up .haystack.yml
- *   npx @haystackeditor/cli status  # Check configuration
+ *   npx @haystackeditor/cli init           # Set up .haystack.yml
+ *   npx @haystackeditor/cli status         # Check configuration
+ *   npx @haystackeditor/cli login          # Authenticate with GitHub
+ *   npx @haystackeditor/cli secrets list   # List stored secrets
  */
 export {};

package/dist/index.js

@@ -6,17 +6,21 @@
  * This enables AI agents to spin up sandboxes of your app for testing.
  *
  * Usage:
- *   npx @haystackeditor/cli init    # Set up .haystack.yml
- *   npx @haystackeditor/cli status  # Check configuration
+ *   npx @haystackeditor/cli init           # Set up .haystack.yml
+ *   npx @haystackeditor/cli status         # Check configuration
+ *   npx @haystackeditor/cli login          # Authenticate with GitHub
+ *   npx @haystackeditor/cli secrets list   # List stored secrets
  */
 import { Command } from 'commander';
 import { statusCommand } from './commands/status.js';
 import { initCommand } from './commands/init.js';
+import { loginCommand, logoutCommand } from './commands/login.js';
+import { listSecrets, setSecret, deleteSecret } from './commands/secrets.js';
 const program = new Command();
 program
     .name('haystack')
     .description('Set up Haystack verification for your project')
-    .version('0.2.0');
+    .version('0.3.0');
 program
     .command('init')
     .description('Create .haystack.yml configuration')
@@ -34,6 +38,34 @@ program
     .command('status')
     .description('Check if .haystack.yml exists and is valid')
     .action(statusCommand);
+program
+    .command('login')
+    .description('Authenticate with GitHub')
+    .action(loginCommand);
+program
+    .command('logout')
+    .description('Remove stored credentials')
+    .action(logoutCommand);
+// Secrets subcommands
+const secrets = program
+    .command('secrets')
+    .description('Manage secrets for sandbox environments');
+secrets
+    .command('list')
+    .description('List all secrets (keys only)')
+    .action(listSecrets);
+secrets
+    .command('set <key> <value>')
+    .description('Set a secret')
+    .option('--scope <scope>', 'Scope: user, org, or repo (default: user)')
+    .option('--scope-id <id>', 'Scope ID (org name or owner/repo)')
+    .action((key, value, options) => {
+    setSecret(key, value, options);
+});
+secrets
+    .command('delete <key>')
+    .description('Delete a secret')
+    .action(deleteSecret);
 // Show help if no command provided
 if (process.argv.length === 2) {
     program.help();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haystackeditor/cli",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Set up Haystack verification for your project",
   "type": "module",
   "bin": {