@hyperdrive.bot/cli 1.0.5 → 1.0.7

package/dist/services/hyperdrive-sigv4.d.ts

@@ -1,3 +1,10 @@
+/**
+ * Hyperdrive API Service with AWS SigV4 authentication
+ *
+ * This service extends @devsquad/cli-auth SigV4ApiClient to provide
+ * hyperdrive-specific API methods with AWS Signature V4 signing.
+ */
+import { SigV4ApiClient, type OutdatedRoleErrorResponse } from '@hyperdrive.bot/cli-auth';
 import { LoggingConfig } from './log-tailer.js';
 interface DeploymentCheckResponse {
     commit?: string;
@@ -131,16 +138,9 @@ interface GitAuthInitiateResponse {
 }
 /**
  * Hyperdrive API Service with AWS SigV4 authentication
- *
- * This service signs all API requests using AWS Signature Version 4,
- * which allows both CLI and web frontend to use the same endpoints
- * with unified AWS IAM authentication via Cognito.
  */
-export declare class HyperdriveSigV4Service {
-    private apiUrl;
-    private authService;
-    private region;
-    private tenantDomain;
+export declare class HyperdriveSigV4Service extends SigV4ApiClient {
+    private readonly userGroupsApiUrl?;
     constructor(domain?: string);
     accountAdd(params: {
         accountId: string;
@@ -268,9 +268,6 @@ export declare class HyperdriveSigV4Service {
         };
         success: boolean;
     }>;
-    /**
-     * Test API connection
-     */
     makeTestRequest(): Promise<Record<string, unknown>>;
     moduleAnalyze(slug: string): Promise<{
         jobId: string;
@@ -433,17 +430,33 @@ export declare class HyperdriveSigV4Service {
         name: string;
     }): Promise<StageResponse>;
     stageList(): Promise<StageResponse[]>;
-    private handleError;
-    private handleOutdatedCLI;
-    private handleOutdatedRole;
-    private handleResponse;
-    /**
-     * Make a signed API request
-     */
-    private makeSignedRequest;
-    /**
-     * Sign an HTTP request using AWS Signature V4
-     */
-    private signRequest;
+    stageAccessGet(stageName: string): Promise<{
+        access: Array<{
+            role: string;
+            targetId: string;
+            targetType: 'user' | 'group';
+        }>;
+        stageId: string;
+        stageName: string;
+    }>;
+    stageAccessGrant(stageName: string, access: Array<{
+        role: 'viewer' | 'deployer' | 'manager';
+        targetId: string;
+        targetType: 'user' | 'group';
+    }>): Promise<{
+        added: number;
+        message: string;
+    }>;
+    stageAccessRevoke(stageName: string, targetType: 'user' | 'group', targetId: string): Promise<{
+        message: string;
+    }>;
+    groupList(): Promise<Array<{
+        groupId: string;
+        name: string;
+        description?: string;
+        memberCount: number;
+        isSystemGroup: boolean;
+    }>>;
+    protected handleOutdatedRole(errorData: OutdatedRoleErrorResponse): Promise<void>;
 }
 export {};

package/dist/services/hyperdrive-sigv4.js

@@ -1,72 +1,45 @@
-import { Sha256 } from '@aws-crypto/sha256-js';
-import { HttpRequest } from '@smithy/protocol-http';
-import { SignatureV4 } from '@smithy/signature-v4';
-import axios from 'axios';
+/**
+ * Hyperdrive API Service with AWS SigV4 authentication
+ *
+ * This service extends @devsquad/cli-auth SigV4ApiClient to provide
+ * hyperdrive-specific API methods with AWS Signature V4 signing.
+ */
+import { SigV4ApiClient, } from '@hyperdrive.bot/cli-auth';
 import { readFileSync } from 'fs';
 import { dirname, join } from 'path';
 import { fileURLToPath } from 'url';
-import { AuthService } from './auth-service.js';
+import { HYPERDRIVE_AUTH_CONFIG } from './auth-service.js';
 // Get CLI version from package.json
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const packageJson = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf-8'));
 const CLI_VERSION = packageJson.version;
-// Type guards
-function isOutdatedCLIError(data) {
-    return (data &&
-        data.code === 'OUTDATED_CLI_VERSION' &&
-        data.data &&
-        typeof data.data.currentVersion === 'string' &&
-        typeof data.data.requiredVersion === 'string' &&
-        typeof data.data.updateCommand === 'string');
-}
-function isOutdatedRoleError(data) {
-    return (data &&
-        data.code === 'OUTDATED_ROLE_VERSION' &&
-        data.data &&
-        typeof data.data.accountId === 'string' &&
-        typeof data.data.currentVersion === 'string' &&
-        typeof data.data.requiredVersion === 'string' &&
-        typeof data.data.quickCreateUrl === 'string');
-}
 /**
  * Hyperdrive API Service with AWS SigV4 authentication
- *
- * This service signs all API requests using AWS Signature Version 4,
- * which allows both CLI and web frontend to use the same endpoints
- * with unified AWS IAM authentication via Cognito.
  */
-export class HyperdriveSigV4Service {
-    apiUrl;
-    authService;
-    region;
-    tenantDomain;
+export class HyperdriveSigV4Service extends SigV4ApiClient {
+    userGroupsApiUrl;
     constructor(domain) {
-        this.authService = new AuthService(domain);
-        // Load credentials to get API URL and region
-        const credentials = this.authService.loadCredentials();
-        if (!credentials) {
-            const domainMsg = domain ? ` for domain "${domain}"` : '';
-            throw new Error(`Not authenticated${domainMsg}. Please run "hd auth login${domain ? ' --domain ' + domain : ''}" first.`);
-        }
-        // Use environment variable override if set, otherwise use from credentials
-        this.apiUrl = process.env.HYPERDRIVE_API_URL || credentials.apiUrl;
-        this.region = process.env.HYPERDRIVE_AWS_REGION || credentials.region;
-        this.tenantDomain = credentials.tenantDomain;
-        if (!this.apiUrl) {
-            throw new Error('Hyperdrive API URL not configured.\n' +
-                'Please re-authenticate with "hd auth login".');
-        }
+        super({
+            authConfig: HYPERDRIVE_AUTH_CONFIG,
+            domain,
+            cliName: 'hyperdrive-cli',
+            cliVersion: CLI_VERSION,
+            apiUrlOverride: process.env.HYPERDRIVE_API_URL,
+            regionOverride: process.env.HYPERDRIVE_AWS_REGION,
+        });
+        // Get user groups API URL from credentials
+        this.userGroupsApiUrl = this.getAdditionalApiUrl('userGroupsApiUrl');
     }
+    // ============================================================================
+    // AWS Account Methods
+    // ============================================================================
     async accountAdd(params) {
         return this.makeSignedRequest('POST', '/cloud-account/aws/account', params);
     }
     async accountGet(params) {
         return this.makeSignedRequest('GET', `/cloud-account/aws/account/${params.accountId}`);
     }
-    // ============================================================================
-    // Public API Methods
-    // ============================================================================
     async accountList() {
         return this.makeSignedRequest('GET', '/cloud-account/aws/accounts');
     }
@@ -76,6 +49,9 @@ export class HyperdriveSigV4Service {
     async accountVerify(params) {
         return this.makeSignedRequest('POST', `/cloud-account/aws/account/${params.accountId}/verify`);
     }
+    // ============================================================================
+    // CI Account Methods
+    // ============================================================================
     async ciAccountCreate(params) {
         return this.makeSignedRequest('POST', '/ci/accounts', params);
     }
@@ -85,6 +61,9 @@ export class HyperdriveSigV4Service {
     async ciAccountList() {
         return this.makeSignedRequest('GET', '/ci/accounts');
     }
+    // ============================================================================
+    // Deployment Methods
+    // ============================================================================
     async deploymentCheck(params) {
         return this.makeSignedRequest('POST', '/deployments/check', params);
     }
@@ -97,6 +76,9 @@ export class HyperdriveSigV4Service {
     async deploymentList(params) {
         return this.makeSignedRequest('GET', `/deployments?projectSlug=${params.projectSlug}&stage=${params.stage}`);
     }
+    // ============================================================================
+    // Git Integration Methods
+    // ============================================================================
     async gitAuthInitiate(provider) {
         return this.makeSignedRequest('POST', `/git/${provider}/auth/initiate`);
     }
@@ -119,12 +101,15 @@ export class HyperdriveSigV4Service {
         });
         return this.makeSignedRequest('GET', `/git/repos?${queryParams}`);
     }
+    // ============================================================================
+    // Jira Integration Methods
+    // ============================================================================
     async jiraPreRegister(params) {
         return this.makeSignedRequest('POST', '/hyperdrive/jira/pre-register', params);
     }
-    /**
-     * Test API connection
-     */
+    // ============================================================================
+    // Module Methods
+    // ============================================================================
     async makeTestRequest() {
         return this.makeSignedRequest('GET', '/');
     }
@@ -145,16 +130,12 @@ export class HyperdriveSigV4Service {
             return await this.makeSignedRequest('GET', `/modules/${slug}/dockerfile`);
         }
         catch (error) {
-            // Return null if 404 (not found)
             if (error?.response?.status === 404) {
                 return null;
             }
             throw error;
         }
     }
-    // ============================================================================
-    // AWS Account Methods
-    // ============================================================================
     async moduleLink(params) {
         return this.makeSignedRequest('POST', '/modules/link', params);
     }
@@ -168,12 +149,12 @@ export class HyperdriveSigV4Service {
         const { slug, ...updateData } = params;
         return this.makeSignedRequest('PUT', `/modules/${slug}`, updateData);
     }
+    // ============================================================================
+    // Parameter Methods
+    // ============================================================================
     async parameterAdd(params) {
         return this.makeSignedRequest('POST', '/parameters', params);
     }
-    // ============================================================================
-    // Git Integration Methods
-    // ============================================================================
     async parameterBackfill(params) {
         return this.makeSignedRequest('POST', '/parameters/backfill', params);
     }
@@ -189,15 +170,9 @@ export class HyperdriveSigV4Service {
     async parameterSync(params) {
         return this.makeSignedRequest('POST', '/parameters/sync', params);
     }
-    // ============================================================================
-    // Jira Integration Methods
-    // ============================================================================
     async parameterSyncStatus(params) {
         return this.makeSignedRequest('GET', `/parameters/sync/${params.taskId}`);
     }
-    // ============================================================================
-    // CI Account Methods
-    // ============================================================================
     async parameterUpdate(params) {
         return this.makeSignedRequest('PUT', `/parameters/${params.key}`, {
             accountId: params.accountId,
@@ -207,59 +182,39 @@ export class HyperdriveSigV4Service {
             stage: params.stage
         });
     }
+    // ============================================================================
+    // Stage Methods
+    // ============================================================================
     async stageCreate(params) {
         return this.makeSignedRequest('POST', '/stages', params);
     }
     async stageGet(params) {
         return this.makeSignedRequest('GET', `/stages/${params.name}`);
     }
-    // ============================================================================
-    // Dockerfile Discovery Methods
-    // ============================================================================
     async stageList() {
         return this.makeSignedRequest('GET', '/stages');
     }
-    async handleError(error) {
-        const axiosError = error;
-        if (axiosError.response) {
-            const data = axiosError.response.data;
-            // Handle outdated CLI version error with type safety
-            if (axiosError.response.status === 426 && isOutdatedCLIError(data)) {
-                await this.handleOutdatedCLI(data);
-            }
-            // Handle outdated role version error with type safety
-            if (axiosError.response.status === 426 && isOutdatedRoleError(data)) {
-                await this.handleOutdatedRole(data);
-            }
-            console.error('Error response:', axiosError.response.data);
-            console.error('Error status:', axiosError.response.status);
-            console.error('Error headers:', axiosError.response.headers);
-        }
-        else if (axiosError.request) {
-            console.error('Error request:', axiosError.request);
-        }
-        else {
-            console.error('Error message:', axiosError.message);
-        }
-        throw axiosError;
+    // ============================================================================
+    // Stage Access Methods
+    // ============================================================================
+    async stageAccessGet(stageName) {
+        return this.makeSignedRequest('GET', `/stages/${stageName}/access`);
     }
-    async handleOutdatedCLI(errorData) {
-        const { data } = errorData;
-        console.error('\n❌ Your Hyperdrive CLI is outdated\n');
-        console.error(`Current version: ${data.currentVersion}`);
-        console.error(`Required version: ${data.requiredVersion}\n`);
-        console.error('To update:');
-        console.error('  npm install -g hyperdrive.bot@latest');
-        console.error('  # or');
-        console.error('  hd update\n');
-        // Throw error to be caught by top-level handler
-        const error = new Error('CLI_OUTDATED');
-        error.code = 'OUTDATED_CLI_VERSION';
-        error.data = data;
-        throw error;
+    async stageAccessGrant(stageName, access) {
+        return this.makeSignedRequest('PUT', `/stages/${stageName}/access`, { access });
+    }
+    async stageAccessRevoke(stageName, targetType, targetId) {
+        return this.makeSignedRequest('DELETE', `/stages/${stageName}/access/${targetType}/${targetId}`);
     }
     // ============================================================================
-    // Helper Methods
+    // User Groups Methods
+    // ============================================================================
+    async groupList() {
+        const response = await this.makeSignedRequest('GET', '/groups', undefined, this.userGroupsApiUrl);
+        return Array.isArray(response) ? response : [];
+    }
+    // ============================================================================
+    // Override error handling for hyperdrive-specific behavior
     // ============================================================================
     async handleOutdatedRole(errorData) {
         const { data } = errorData;
@@ -284,92 +239,6 @@ export class HyperdriveSigV4Service {
             console.error('\nUpdate URL (copy and paste):');
             console.error(`  ${data.quickCreateUrl}\n`);
         }
-        // Exit gracefully - user needs to update their role first
         process.exit(1);
     }
-    handleResponse(response) {
-        return response.data;
-    }
-    /**
-     * Make a signed API request
-     */
-    async makeSignedRequest(method, path, data) {
-        try {
-            // Ensure we have valid credentials (auto-refreshes if needed)
-            const credentials = await this.authService.ensureValidCredentials();
-            // Sign the request
-            const signedRequest = await this.signRequest(method, path, credentials.awsCredentials, data);
-            // Convert signed request to axios config
-            // Build URL with query string if present
-            let url = `${signedRequest.protocol}//${signedRequest.hostname}${signedRequest.path}`;
-            if (signedRequest.query && Object.keys(signedRequest.query).length > 0) {
-                const queryString = new URLSearchParams(signedRequest.query).toString();
-                url += `?${queryString}`;
-            }
-            const response = await axios({
-                data: signedRequest.body,
-                headers: signedRequest.headers,
-                method: signedRequest.method,
-                url,
-            });
-            return this.handleResponse(response);
-        }
-        catch (error) {
-            return this.handleError(error);
-        }
-    }
-    /**
-     * Sign an HTTP request using AWS Signature V4
-     */
-    async signRequest(method, path, credentials, body) {
-        // Parse API URL
-        const url = new URL(this.apiUrl);
-        const hostname = url.hostname;
-        const protocol = url.protocol.replace(':', '');
-        const basePath = url.pathname.replace(/\/$/, ''); // Remove trailing slash
-        // Parse query string from path if present
-        let pathWithoutQuery = path;
-        let query;
-        const queryIndex = path.indexOf('?');
-        if (queryIndex !== -1) {
-            pathWithoutQuery = path.substring(0, queryIndex);
-            const queryString = path.substring(queryIndex + 1);
-            query = {};
-            const params = new URLSearchParams(queryString);
-            for (const [key, value] of params) {
-                query[key] = value;
-            }
-        }
-        // Combine base path with request path (without query string)
-        const fullPath = basePath + pathWithoutQuery;
-        // Create signer
-        const signer = new SignatureV4({
-            credentials: {
-                accessKeyId: credentials.accessKeyId,
-                secretAccessKey: credentials.secretAccessKey,
-                sessionToken: credentials.sessionToken,
-            },
-            region: this.region,
-            service: 'execute-api',
-            sha256: Sha256,
-        });
-        // Prepare request
-        const request = new HttpRequest({
-            body: body ? JSON.stringify(body) : undefined,
-            headers: {
-                'Content-Type': 'application/json',
-                'User-Agent': `hyperdrive-cli/${CLI_VERSION}`,
-                'X-Tenant-Domain': this.tenantDomain,
-                host: hostname,
-            },
-            hostname,
-            method: method.toUpperCase(),
-            path: fullPath,
-            protocol,
-            query,
-        });
-        // Sign the request
-        const signedRequest = await signer.sign(request);
-        return signedRequest;
-    }
 }

package/dist/services/tenant-service.d.ts

@@ -8,6 +8,7 @@ export interface TenantConfig {
     region: string;
     tenantDomain: string;
     tenantId: string;
+    userGroupsApiUrl?: string;
 }
 export interface CLIConfig {
     apiUrl?: string;
@@ -87,6 +88,11 @@ export declare class TenantService {
      * Get API URL for a region
      */
     private getApiUrl;
+    /**
+     * Get User Groups API URL from bootstrap config
+     * Returns undefined if not available (optional module)
+     */
+    private getUserGroupsApiUrl;
     /**
      * Get bootstrap URL with fallback chain:
      * 1. Environment variable

package/dist/services/tenant-service.js

@@ -85,6 +85,7 @@ export class TenantService {
                 region,
                 tenantDomain: domain,
                 tenantId: bootstrap.tenantId,
+                userGroupsApiUrl: this.getUserGroupsApiUrl(bootstrap.amplifyConfig.API),
             };
             // Cache the tenant domain for future use
             this.saveTenantDomainToConfig(domain);
@@ -269,6 +270,18 @@ export class TenantService {
             chalk.yellow('This tenant does not have access to Hyperdrive.\n') +
             chalk.gray('Please contact your administrator to enable the Hyperdrive module.'));
     }
+    /**
+     * Get User Groups API URL from bootstrap config
+     * Returns undefined if not available (optional module)
+     */
+    getUserGroupsApiUrl(apiConfig) {
+        // Check for user-groups endpoint in bootstrap
+        if (apiConfig?.REST?.['user-groups']?.endpoint) {
+            console.log(chalk.gray(`✓ Using user-groups API endpoint from bootstrap: ${apiConfig.REST['user-groups'].endpoint}`));
+            return apiConfig.REST['user-groups'].endpoint;
+        }
+        return undefined;
+    }
     /**
      * Get bootstrap URL with fallback chain:
      * 1. Environment variable

package/dist/utils/auth-flow.d.ts

@@ -55,6 +55,7 @@ export interface StoredCredentials extends CognitoTokens {
     region: string;
     tenantDomain: string;
     tenantId: string;
+    userGroupsApiUrl?: string;
 }
 /**
  * Generate PKCE code verifier (random base64url string)

package/dist/utils/auth-flow.js

@@ -333,6 +333,7 @@ export async function executeAuthFlow(options) {
             region: tenantConfig.region,
             tenantDomain: tenantConfig.tenantDomain,
             tenantId: tenantConfig.tenantId,
+            userGroupsApiUrl: tenantConfig.userGroupsApiUrl,
         }, tenantConfig.tenantDomain);
         return { success: true };
     }
@@ -420,6 +421,7 @@ export async function executeCIAuthFlow(options) {
             tenantDomain: tenantConfig.tenantDomain,
             tenantId: tenantConfig.tenantId,
             token_type: authResult.TokenType || 'Bearer',
+            userGroupsApiUrl: tenantConfig.userGroupsApiUrl,
         }, tenantConfig.tenantDomain);
         return { success: true };
     }

package/dist/utils/table.d.ts

@@ -0,0 +1,17 @@
+interface ColumnConfig<T> {
+    header: string;
+    minWidth?: number;
+    get?: (row: T) => string;
+}
+type TableColumns<T> = Record<string, ColumnConfig<T>>;
+/**
+ * Print data in a table format using cli-table3
+ * Replacement for oclif's deprecated ux.table
+ */
+export declare function printTable<T extends Record<string, unknown>>(data: T[], columns: TableColumns<T>, logger: (msg: string) => void): void;
+/**
+ * Print a styled header
+ * Replacement for oclif's deprecated ux.styledHeader
+ */
+export declare function printHeader(text: string, logger: (msg: string) => void): void;
+export {};

package/dist/utils/table.js

@@ -0,0 +1,41 @@
+import Table from 'cli-table3';
+import chalk from 'chalk';
+/**
+ * Print data in a table format using cli-table3
+ * Replacement for oclif's deprecated ux.table
+ */
+export function printTable(data, columns, logger) {
+    const columnKeys = Object.keys(columns);
+    const headers = columnKeys.map(key => chalk.bold(columns[key].header));
+    const colWidths = columnKeys.map(key => columns[key].minWidth ?? null);
+    const hasColWidths = colWidths.some(w => w !== null);
+    const tableOptions = {
+        head: headers,
+        style: { head: [], border: [] },
+    };
+    if (hasColWidths) {
+        tableOptions.colWidths = colWidths;
+    }
+    const table = new Table(tableOptions);
+    for (const row of data) {
+        const rowData = columnKeys.map(key => {
+            const col = columns[key];
+            if (col.get) {
+                return col.get(row);
+            }
+            const value = row[key];
+            return value !== undefined && value !== null ? String(value) : '';
+        });
+        table.push(rowData);
+    }
+    logger(table.toString());
+}
+/**
+ * Print a styled header
+ * Replacement for oclif's deprecated ux.styledHeader
+ */
+export function printHeader(text, logger) {
+    logger('');
+    logger(chalk.bold(text));
+    logger(chalk.gray('─'.repeat(Math.min(text.length + 10, 60))));
+}