@hyperdrive.bot/cli 1.0.13 → 1.0.17

package/dist/services/tenant-service.js

@@ -1,396 +0,0 @@
-import axios from 'axios';
-import chalk from 'chalk';
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'fs';
-import { homedir } from 'os';
-import { join } from 'path';
-/**
- * Tenant Service for CLI
- *
- * Handles tenant resolution and Cognito configuration discovery via bootstrap endpoint.
- * Supports environment variables and config file overrides.
- */
-export class TenantService {
-    configDir;
-    configPath;
-    defaultBootstrapUrl = 'https://api.hyperdrive.bot/tenant/bootstrap';
-    defaultDomainPath;
-    domain;
-    constructor(domain) {
-        this.configDir = join(homedir(), '.hyperdrive');
-        this.configPath = join(this.configDir, 'config.json');
-        this.defaultDomainPath = join(this.configDir, 'default-domain');
-        this.domain = domain;
-    }
-    /**
-     * Clear cached tenant configuration
-     */
-    clearCache() {
-        const config = this.loadConfigFile();
-        if (config) {
-            // Remove tenant-specific settings but keep custom URLs
-            const { tenantDomain, ...rest } = config;
-            this.saveConfig(rest);
-        }
-    }
-    /**
-     * Fetch tenant configuration from bootstrap endpoint
-     */
-    async fetchTenantConfig(tenantDomain) {
-        const domain = tenantDomain || this.getTenantDomain();
-        if (!domain) {
-            throw new Error('Tenant not configured. Run `hd init` to set up your environment.');
-        }
-        const bootstrapUrl = this.getBootstrapUrl();
-        try {
-            console.log(chalk.gray(`🔗 Fetching tenant config for: ${domain}`));
-            console.log(chalk.gray(`📍 Using bootstrap endpoint: ${bootstrapUrl}`));
-            const response = await axios.get(bootstrapUrl, {
-                headers: {
-                    'Accept': 'application/json',
-                    'X-Tenant-Domain': domain,
-                },
-            });
-            const bootstrap = response.data;
-            if (!bootstrap.amplifyConfig) {
-                throw new Error('Tenant authentication not configured');
-            }
-            const { Cognito } = bootstrap.amplifyConfig.Auth;
-            const region = Cognito.region;
-            // Extract Cognito domain from OAuth config or construct from tenant ID
-            // The bootstrap response may provide either:
-            // - Just the prefix (e.g., "api-tenants-dev-semana-43-a1c4ea06")
-            // - Full domain (e.g., "api-tenants-dev-devsquad-804677f8.auth.sa-east-1.amazoncognito.com")
-            let cognitoDomain;
-            if (Cognito.loginWith?.oauth?.domain) {
-                const oauthDomain = Cognito.loginWith.oauth.domain;
-                // Check if domain already includes amazoncognito.com (full domain provided)
-                if (oauthDomain.includes('.amazoncognito.com')) {
-                    cognitoDomain = oauthDomain;
-                }
-                else {
-                    cognitoDomain = `${oauthDomain}.auth.${region}.amazoncognito.com`;
-                }
-            }
-            else {
-                // Fallback: construct from tenant ID
-                cognitoDomain = `${bootstrap.tenantId}.auth.${region}.amazoncognito.com`;
-            }
-            // Extract all additional API URLs from bootstrap (services self-serve by key)
-            const additionalApiUrls = this.extractAdditionalApiUrls(bootstrap.amplifyConfig.API);
-            const config = {
-                apiUrl: this.getApiUrl(region, bootstrap.amplifyConfig.API, domain),
-                cognitoClientId: Cognito.userPoolClientId,
-                cognitoDomain,
-                cognitoIdentityPoolId: Cognito.identityPoolId || '',
-                cognitoUserPoolId: Cognito.userPoolId,
-                displayName: bootstrap.displayName,
-                region,
-                tenantDomain: domain,
-                tenantId: bootstrap.tenantId,
-                additionalApiUrls: Object.keys(additionalApiUrls).length > 0 ? additionalApiUrls : undefined,
-            };
-            // Cache the tenant domain for future use
-            this.saveTenantDomainToConfig(domain);
-            // Set as default domain if no default exists
-            if (!this.getDefaultDomain()) {
-                this.setDefaultDomain(domain);
-            }
-            return config;
-        }
-        catch (error) {
-            if (axios.isAxiosError(error)) {
-                if (error.response?.status === 404) {
-                    throw new Error(`Tenant not found: ${domain}`);
-                }
-                throw new Error(`Failed to fetch tenant config: ${error.response?.data?.message || error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Get all configured domains
-     */
-    getConfiguredDomains() {
-        const config = this.loadConfigFile();
-        const domains = new Set();
-        // Add legacy single domain if exists
-        if (config?.tenantDomain) {
-            domains.add(config.tenantDomain);
-        }
-        // Add multi-domain entries
-        if (config?.domains) {
-            Object.keys(config.domains).forEach(d => domains.add(d));
-        }
-        return Array.from(domains);
-    }
-    /**
-     * Get current tenant configuration (from cache or fetch)
-     */
-    async getCurrentTenant() {
-        return this.fetchTenantConfig();
-    }
-    /**
-     * Get default domain from file
-     */
-    getDefaultDomain() {
-        try {
-            if (!existsSync(this.defaultDomainPath)) {
-                return null;
-            }
-            return readFileSync(this.defaultDomainPath, 'utf8').trim();
-        }
-        catch (error) {
-            return null;
-        }
-    }
-    /**
-     * Get tenant domain with fallback chain:
-     * 1. Constructor domain parameter (from --domain flag)
-     * 2. Environment variable
-     * 3. Default domain file
-     * 4. Legacy single domain from config
-     * 5. Return null (caller should prompt user interactively)
-     */
-    getTenantDomain() {
-        // Priority 1: Explicit domain parameter (from --domain flag)
-        if (this.domain) {
-            return this.domain;
-        }
-        // Priority 2: Environment variable
-        if (process.env.HYPERDRIVE_TENANT_DOMAIN) {
-            return process.env.HYPERDRIVE_TENANT_DOMAIN;
-        }
-        // Priority 3: Default domain file
-        const defaultDomain = this.getDefaultDomain();
-        if (defaultDomain) {
-            return defaultDomain;
-        }
-        // Priority 4: Legacy single domain from config file
-        const config = this.loadConfigFile();
-        if (config?.tenantDomain) {
-            return config.tenantDomain;
-        }
-        // Priority 5: Return null to trigger interactive prompt
-        return null;
-    }
-    /**
-     * Save CLI configuration to file
-     */
-    saveConfig(config) {
-        try {
-            if (!existsSync(this.configDir)) {
-                mkdirSync(this.configDir, { recursive: true });
-            }
-            writeFileSync(this.configPath, JSON.stringify(config, null, 2), { mode: 0o600 });
-            console.log(chalk.gray(`✓ Configuration saved to ${this.configPath}`));
-        }
-        catch (error) {
-            console.error(chalk.red('Failed to save configuration:'), error);
-        }
-    }
-    /**
-     * Clear the default domain file
-     */
-    clearDefaultDomain() {
-        try {
-            if (existsSync(this.defaultDomainPath)) {
-                unlinkSync(this.defaultDomainPath);
-            }
-        }
-        catch (error) {
-            console.error(chalk.red('Failed to clear default domain:'), error);
-        }
-    }
-    /**
-     * Remove a specific domain from config.json domains map
-     */
-    removeDomainConfig(domain) {
-        const config = this.loadConfigFile();
-        if (!config)
-            return;
-        if (config.domains?.[domain]) {
-            delete config.domains[domain];
-        }
-        // If this was the legacy tenantDomain, clear it too
-        if (config.tenantDomain === domain) {
-            delete config.tenantDomain;
-        }
-        this.saveConfig(config);
-    }
-    /**
-     * Remove the entire config file and default-domain file
-     */
-    clearAllConfig() {
-        try {
-            if (existsSync(this.configPath)) {
-                unlinkSync(this.configPath);
-            }
-            this.clearDefaultDomain();
-        }
-        catch (error) {
-            console.error(chalk.red('Failed to clear config:'), error);
-        }
-    }
-    /**
-     * Set default domain
-     */
-    setDefaultDomain(domain) {
-        try {
-            if (!existsSync(this.configDir)) {
-                mkdirSync(this.configDir, { recursive: true });
-            }
-            writeFileSync(this.defaultDomainPath, domain, { mode: 0o600 });
-            console.log(chalk.gray(`✓ Default domain set to ${domain}`));
-        }
-        catch (error) {
-            console.error(chalk.red('Failed to set default domain:'), error);
-        }
-    }
-    /**
-     * Set tenant domain in config file
-     *
-     * Public method for init wizard to persist tenant domain configuration.
-     * Creates config directory if needed and applies 0o600 permissions.
-     *
-     * @param domain - The tenant domain to save
-     */
-    setTenantDomain(domain) {
-        this.saveTenantDomainToConfig(domain);
-    }
-    /**
-     * Display current configuration
-     */
-    showConfig() {
-        const config = this.loadConfigFile();
-        const tenantDomain = this.getTenantDomain();
-        const bootstrapUrl = this.getBootstrapUrl();
-        console.log(chalk.blue('🔧 Current Configuration'));
-        console.log('');
-        console.log(chalk.white('Bootstrap URL:'), chalk.cyan(bootstrapUrl));
-        console.log(chalk.white('Source:'), process.env.HYPERDRIVE_BOOTSTRAP_URL
-            ? chalk.yellow('ENV')
-            : config?.bootstrapUrl
-                ? chalk.green('Config File')
-                : chalk.gray('Default'));
-        console.log('');
-        console.log(chalk.white('Tenant Domain:'), tenantDomain ? chalk.cyan(tenantDomain) : chalk.gray('Not set'));
-        if (tenantDomain) {
-            console.log(chalk.white('Source:'), process.env.HYPERDRIVE_TENANT_DOMAIN
-                ? chalk.yellow('ENV')
-                : config?.tenantDomain
-                    ? chalk.green('Config File')
-                    : chalk.gray('Unknown'));
-        }
-        console.log('');
-        console.log(chalk.gray('Config file: ' + this.configPath));
-    }
-    /**
-     * Get API URL for a region
-     */
-    getApiUrl(region, apiConfig, domain) {
-        // Priority 1: Environment variable (for testing/override)
-        if (process.env.HYPERDRIVE_API_URL) {
-            console.log(chalk.gray(`✓ Using API endpoint from environment: ${process.env.HYPERDRIVE_API_URL}`));
-            return process.env.HYPERDRIVE_API_URL;
-        }
-        // Priority 2: Domain-specific config (for multi-domain setups)
-        const config = this.loadConfigFile();
-        if (domain && config?.domains?.[domain]?.apiUrl) {
-            const domainApiUrl = config.domains[domain].apiUrl;
-            console.log(chalk.gray(`✓ Using API endpoint from domain config: ${domainApiUrl}`));
-            return domainApiUrl;
-        }
-        // Priority 3: Legacy global config file (for manual override)
-        if (config?.apiUrl) {
-            console.log(chalk.gray(`✓ Using API endpoint from config: ${config.apiUrl}`));
-            return config.apiUrl;
-        }
-        // Priority 4: From bootstrap API config (REQUIRED - no fallback)
-        if (apiConfig?.REST?.hyperdrive?.endpoint) {
-            console.log(chalk.gray(`✓ Using API endpoint from bootstrap: ${apiConfig.REST.hyperdrive.endpoint}`));
-            return apiConfig.REST.hyperdrive.endpoint;
-        }
-        // No hyperdrive endpoint found - user doesn't have access
-        throw new Error('Hyperdrive API not available for this tenant.\n\n' +
-            chalk.yellow('This tenant does not have access to Hyperdrive.\n') +
-            chalk.gray('Please contact your administrator to enable the Hyperdrive module.'));
-    }
-    /**
-     * Extract all additional API URLs from bootstrap REST config.
-     * Returns a map of module name → endpoint URL for every REST API
-     * beyond the primary 'hyperdrive' endpoint. Services self-serve
-     * by looking up the key they need (e.g., 'hyperdrive-projects', 'user-groups').
-     */
-    extractAdditionalApiUrls(apiConfig) {
-        const urls = {};
-        if (!apiConfig?.REST)
-            return urls;
-        for (const [apiName, config] of Object.entries(apiConfig.REST)) {
-            if (apiName !== 'hyperdrive' && config.endpoint) {
-                console.log(chalk.gray(`✓ Discovered API endpoint: ${apiName} → ${config.endpoint}`));
-                urls[apiName] = config.endpoint;
-            }
-        }
-        return urls;
-    }
-    /**
-     * Get bootstrap URL with fallback chain:
-     * 1. Environment variable
-     * 2. Config file
-     * 3. Construct from tenant domain
-     * 4. Default URL
-     */
-    getBootstrapUrl() {
-        // Priority 1: Environment variable
-        if (process.env.HYPERDRIVE_BOOTSTRAP_URL) {
-            return process.env.HYPERDRIVE_BOOTSTRAP_URL;
-        }
-        // Priority 2: Config file
-        const config = this.loadConfigFile();
-        if (config?.bootstrapUrl) {
-            return config.bootstrapUrl;
-        }
-        // Priority 3: Construct from tenant domain if configured
-        const tenantDomain = this.getTenantDomain();
-        if (tenantDomain) {
-            return `https://${tenantDomain}/tenant/bootstrap`;
-        }
-        // Priority 4: Default
-        return this.defaultBootstrapUrl;
-    }
-    /**
-     * Load CLI configuration from file
-     */
-    loadConfigFile() {
-        try {
-            if (!existsSync(this.configPath)) {
-                return null;
-            }
-            const data = readFileSync(this.configPath, 'utf8');
-            return JSON.parse(data);
-        }
-        catch (error) {
-            console.error(chalk.yellow('⚠️  Failed to load config file, using defaults'));
-            return null;
-        }
-    }
-    /**
-     * Save tenant domain to config file for future use
-     */
-    saveTenantDomainToConfig(tenantDomain) {
-        const existingConfig = this.loadConfigFile() || {};
-        // Initialize domains object if it doesn't exist
-        if (!existingConfig.domains) {
-            existingConfig.domains = {};
-        }
-        // Add this domain to the domains map (even if just an empty object for now)
-        if (!existingConfig.domains[tenantDomain]) {
-            existingConfig.domains[tenantDomain] = {};
-        }
-        // Also keep legacy tenantDomain for backward compatibility
-        this.saveConfig({
-            ...existingConfig,
-            tenantDomain,
-        });
-    }
-}

package/dist/utils/auth-flow.d.ts

@@ -1,147 +0,0 @@
-import { TenantConfig } from '../services/tenant-service.js';
-/**
- * Options for executing the OAuth PKCE authentication flow
- */
-export interface AuthFlowOptions {
-    callbackPort?: number;
-    logger?: (message: string) => void;
-    tenantDomain: string;
-    timeout?: number;
-}
-/**
- * Result of the authentication flow
- */
-export interface AuthResult {
-    error?: string;
-    skipped?: boolean;
-    success: boolean;
-}
-/**
- * Cognito tokens received from OAuth token exchange
- */
-export interface CognitoTokens {
-    access_token: string;
-    expires_in: number;
-    id_token: string;
-    refresh_token: string;
-    token_type: string;
-}
-/**
- * AWS credentials obtained from Cognito Identity Pool
- */
-export interface AWSCredentials {
-    accessKeyId: string;
-    expiration: Date;
-    secretAccessKey: string;
-    sessionToken: string;
-}
-/**
- * Cognito configuration for storing with credentials
- */
-export interface CognitoConfig {
-    clientId: string;
-    domain: string;
-    identityPoolId: string;
-    userPoolId: string;
-}
-/**
- * Complete stored credentials including tokens and AWS credentials
- */
-export interface StoredCredentials extends CognitoTokens {
-    additionalApiUrls?: Record<string, string>;
-    apiUrl: string;
-    awsCredentials: AWSCredentials;
-    cognitoConfig: CognitoConfig;
-    obtainedAt: string;
-    region: string;
-    tenantDomain: string;
-    tenantId: string;
-}
-/**
- * Generate PKCE code verifier (random base64url string)
- */
-export declare function generateCodeVerifier(): string;
-/**
- * Generate PKCE code challenge (SHA256 hash of verifier)
- */
-export declare function generateCodeChallenge(verifier: string): string;
-/**
- * Build Cognito authorization URL with PKCE parameters
- */
-export declare function buildAuthUrl(tenantConfig: TenantConfig, codeChallenge: string, port: number): string;
-/**
- * Start local HTTP server to receive OAuth callback
- * Returns a promise that resolves with the authorization code
- */
-export declare function startCallbackServer(port: number, timeout: number): Promise<string>;
-/**
- * Exchange authorization code for Cognito tokens
- */
-export declare function exchangeCodeForTokens(tenantConfig: TenantConfig, code: string, codeVerifier: string, port: number): Promise<CognitoTokens>;
-/**
- * Get AWS credentials from Cognito Identity Pool
- */
-export declare function getAWSCredentials(tenantConfig: TenantConfig, idToken: string): Promise<AWSCredentials>;
-/**
- * Save credentials to domain-specific path (always required)
- */
-export declare function saveCredentials(credentials: StoredCredentials, domain: string): void;
-/**
- * Get the path to the credentials file for a domain
- */
-export declare function getCredentialsPath(domain: string): string;
-/**
- * Execute the complete OAuth PKCE authentication flow
- *
- * This function orchestrates the entire authentication flow:
- * 1. Bootstrap tenant to get Cognito config
- * 2. Generate PKCE codes
- * 3. Start callback server
- * 4. Open browser for authentication
- * 5. Wait for callback with timeout
- * 6. Exchange code for tokens
- * 7. Get AWS credentials from Identity Pool
- * 8. Save credentials to file
- *
- * @param options - Configuration options for the auth flow
- * @returns AuthResult indicating success or failure
- */
-export declare function executeAuthFlow(options: AuthFlowOptions): Promise<AuthResult>;
-/**
- * Options for CI authentication flow
- */
-export interface CIAuthOptions {
-    logger?: (message: string) => void;
-    password: string;
-    tenantDomain: string;
-    username: string;
-}
-/**
- * Execute CI authentication flow using USER_PASSWORD_AUTH
- *
- * This is for non-interactive CI/CD environments where browser-based
- * OAuth is not possible. Uses Cognito's USER_PASSWORD_AUTH flow.
- *
- * @param options - CI authentication options
- * @returns AuthResult indicating success or failure
- */
-export declare function executeCIAuthFlow(options: CIAuthOptions): Promise<AuthResult>;
-/**
- * Check if running in a CI environment
- */
-export declare function isCI(): boolean;
-/**
- * Decode a CI token into username and password
- * Token format: hd_sk_{base64url(username:password)}
- */
-export declare function decodeToken(token: string): {
-    password: string;
-    username: string;
-} | null;
-/**
- * Get CI credentials from HD_TOKEN environment variable
- */
-export declare function getCICredentials(): {
-    password: string;
-    username: string;
-} | null;