@hyperdrive.bot/cli 1.0.6 → 1.0.7

package/dist/commands/stage/share.js

@@ -0,0 +1,292 @@
+import { Args, Command, Flags } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { HyperdriveSigV4Service } from '../../services/hyperdrive-sigv4.js';
+const ROLE_CHOICES = [
+    {
+        name: 'Deployer - Can deploy to this stage',
+        short: 'Deployer',
+        value: 'deployer',
+    },
+    {
+        name: 'Viewer - Can view stage details and deployments',
+        short: 'Viewer',
+        value: 'viewer',
+    },
+    {
+        name: 'Manager - Full control including access management',
+        short: 'Manager',
+        value: 'manager',
+    },
+];
+export default class StageShare extends Command {
+    static args = {
+        stage: Args.string({
+            description: 'Stage name to share access to',
+            required: false,
+        }),
+    };
+    static description = 'Grant access to a stage for users or CI accounts';
+    static examples = [
+        // Interactive
+        '<%= config.bin %> <%= command.id %>',
+        '<%= config.bin %> <%= command.id %> develop',
+        // Non-interactive
+        '<%= config.bin %> <%= command.id %> develop --user maria@company.com --role deployer',
+        '<%= config.bin %> <%= command.id %> develop --ci github-actions --role deployer',
+        '<%= config.bin %> <%= command.id %> develop --group "CI Accounts" --role deployer',
+        '<%= config.bin %> <%= command.id %> staging production --user dev@company.com --role viewer',
+    ];
+    static flags = {
+        ci: Flags.string({
+            char: 'c',
+            description: 'CI account name or ID to grant access to',
+            exclusive: ['user', 'group'],
+        }),
+        domain: Flags.string({
+            char: 'd',
+            description: 'Tenant domain (for multi-domain setups)',
+        }),
+        group: Flags.string({
+            char: 'g',
+            description: 'Group ID or name to grant access to',
+            exclusive: ['user', 'ci'],
+        }),
+        role: Flags.string({
+            char: 'r',
+            description: 'Role to grant',
+            options: ['viewer', 'deployer', 'manager'],
+        }),
+        user: Flags.string({
+            char: 'u',
+            description: 'User email to grant access to',
+            exclusive: ['ci', 'group'],
+        }),
+        yes: Flags.boolean({
+            char: 'y',
+            default: false,
+            description: 'Skip confirmation for production stages',
+        }),
+    };
+    static strict = false; // Allow multiple stage args
+    async run() {
+        const { argv, flags } = await this.parse(StageShare);
+        const stageArgs = argv;
+        this.log(chalk.cyan('\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+        this.log(chalk.cyan('🔐 Share Stage Access'));
+        this.log(chalk.cyan('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+        this.log('');
+        const service = new HyperdriveSigV4Service(flags.domain);
+        // Step 1: Resolve stage(s)
+        let stages;
+        if (stageArgs.length > 0) {
+            stages = stageArgs;
+        }
+        else {
+            stages = await this.promptForStages(service);
+        }
+        // Step 2: Resolve target (user, CI, or group)
+        let targetType;
+        let targetId;
+        let displayName;
+        if (flags.group) {
+            // Find group by ID or name
+            const group = await this.findGroup(service, flags.group);
+            if (!group) {
+                this.error(`Group '${flags.group}' not found`);
+            }
+            targetType = 'group';
+            targetId = group.groupId;
+            displayName = `Group: ${group.name}`;
+        }
+        else if (flags.user) {
+            targetType = 'user';
+            targetId = flags.user;
+            displayName = flags.user;
+        }
+        else if (flags.ci) {
+            // For CI accounts, we need to look up the Cognito sub
+            const ciAccount = await this.findCIAccount(service, flags.ci);
+            if (!ciAccount) {
+                this.error(`CI account '${flags.ci}' not found`);
+            }
+            targetType = 'user';
+            // CI accounts use cognitoUsername but we need the sub for Zanzibar
+            // For now, we'll use the cognitoUsername and the backend will resolve it
+            targetId = ciAccount.cognitoUsername;
+            displayName = `CI: ${ciAccount.name}`;
+        }
+        else {
+            const target = await this.promptForTarget(service);
+            targetType = target.type;
+            targetId = target.id;
+            displayName = target.displayName;
+        }
+        // Step 3: Resolve role
+        const role = flags.role || await this.promptForRole();
+        // Step 4: Confirm for production stages
+        const prodStages = stages.filter(s => s.toLowerCase().includes('prod'));
+        if (prodStages.length > 0 && !flags.yes) {
+            const { confirmed } = await inquirer.prompt([{
+                    default: false,
+                    message: chalk.yellow(`⚠️  You're granting access to production stage(s): ${prodStages.join(', ')}. Continue?`),
+                    name: 'confirmed',
+                    type: 'confirm',
+                }]);
+            if (!confirmed) {
+                this.log(chalk.gray('Cancelled.'));
+                return;
+            }
+        }
+        // Step 5: Grant access to each stage
+        this.log('');
+        for (const stage of stages) {
+            try {
+                this.log(chalk.blue(`🔄 Granting ${role} access to '${stage}' for ${displayName}...`));
+                await service.stageAccessGrant(stage, [{
+                        role,
+                        targetId,
+                        targetType,
+                    }]);
+                this.log(chalk.green(`✅ Granted '${role}' access to ${displayName} on '${stage}'`));
+            }
+            catch (error) {
+                const err = error;
+                const message = err.response?.data?.message || err.message;
+                this.log(chalk.red(`❌ Failed to grant access to '${stage}': ${message}`));
+            }
+        }
+        this.log('');
+    }
+    async findCIAccount(service, nameOrId) {
+        try {
+            const accounts = await service.ciAccountList();
+            return accounts.find(a => a.name.toLowerCase() === nameOrId.toLowerCase() ||
+                a.accountId === nameOrId ||
+                a.cognitoUsername.includes(nameOrId)) || null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async findGroup(service, nameOrId) {
+        try {
+            const groups = await service.groupList();
+            return groups.find(g => g.groupId === nameOrId ||
+                g.name.toLowerCase() === nameOrId.toLowerCase()) || null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async promptForRole() {
+        const { role } = await inquirer.prompt([{
+                choices: ROLE_CHOICES,
+                message: chalk.yellow('Select role to grant:'),
+                name: 'role',
+                type: 'list',
+            }]);
+        return role;
+    }
+    async promptForStages(service) {
+        this.log(chalk.gray('   Fetching stages...'));
+        const stagesData = await service.stageList();
+        if (!stagesData || stagesData.length === 0) {
+            this.error('No stages found. Create a stage first with: hd stage create');
+        }
+        const stageChoices = stagesData.map(s => ({
+            name: s.production
+                ? `${s.name} ${chalk.red('(PROD)')}`
+                : `${s.name} ${chalk.blue('(dev)')}`,
+            value: s.slug || s.name,
+        }));
+        const { stages } = await inquirer.prompt([{
+                choices: stageChoices,
+                message: chalk.yellow('Select stage(s) to share:'),
+                name: 'stages',
+                type: 'checkbox',
+                validate: (input) => input.length > 0 || 'Select at least one stage',
+            }]);
+        return stages;
+    }
+    async promptForTarget(service) {
+        // First ask what type of target
+        const { targetType } = await inquirer.prompt([{
+                choices: [
+                    { name: 'User (by email)', value: 'user' },
+                    { name: 'CI Account', value: 'ci' },
+                    { name: 'Group', value: 'group' },
+                ],
+                message: chalk.yellow('Grant access to:'),
+                name: 'targetType',
+                type: 'list',
+            }]);
+        if (targetType === 'group') {
+            // Fetch groups and let user select
+            this.log(chalk.gray('   Fetching groups...'));
+            const groups = await service.groupList();
+            if (!groups || groups.length === 0) {
+                this.error('No groups found. Create a group first or use user/CI account.');
+            }
+            const groupChoices = groups.map(g => ({
+                name: g.isSystemGroup
+                    ? `${g.name} ${chalk.cyan('(system)')}`
+                    : g.name,
+                value: { groupId: g.groupId, name: g.name },
+            }));
+            const { group } = await inquirer.prompt([{
+                    choices: groupChoices,
+                    message: chalk.yellow('Select group:'),
+                    name: 'group',
+                    type: 'list',
+                }]);
+            return {
+                displayName: `Group: ${group.name}`,
+                id: group.groupId,
+                type: 'group',
+            };
+        }
+        if (targetType === 'ci') {
+            // Fetch CI accounts and let user select
+            this.log(chalk.gray('   Fetching CI accounts...'));
+            const ciAccounts = await service.ciAccountList();
+            if (!ciAccounts || ciAccounts.length === 0) {
+                this.error('No CI accounts found. Create one first with: hd ci account create');
+            }
+            const ciChoices = ciAccounts.map(a => ({
+                name: `${a.name} (${a.cognitoUsername.split('@')[0]})`,
+                value: {
+                    cognitoUsername: a.cognitoUsername,
+                    name: a.name,
+                },
+            }));
+            const { ciAccount } = await inquirer.prompt([{
+                    choices: ciChoices,
+                    message: chalk.yellow('Select CI account:'),
+                    name: 'ciAccount',
+                    type: 'list',
+                }]);
+            return {
+                displayName: `CI: ${ciAccount.name}`,
+                id: ciAccount.cognitoUsername,
+                type: 'user',
+            };
+        }
+        // For users, prompt for email
+        const { email } = await inquirer.prompt([{
+                message: chalk.yellow('Enter user email:'),
+                name: 'email',
+                validate: (input) => {
+                    if (!input || !input.includes('@')) {
+                        return 'Please enter a valid email address';
+                    }
+                    return true;
+                },
+            }]);
+        return {
+            displayName: email,
+            id: email,
+            type: 'user',
+        };
+    }
+}

package/dist/commands/test-api.d.ts

@@ -3,7 +3,7 @@ export default class TestApi extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        domain: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        domain: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
 }

package/dist/services/auth-service.d.ts

@@ -1,84 +1,17 @@
-export interface CognitoTokens {
-    access_token: string;
-    expires_in: number;
-    id_token: string;
-    refresh_token: string;
-    token_type: string;
-}
-export interface AWSCredentials {
-    accessKeyId: string;
-    expiration: Date;
-    secretAccessKey: string;
-    sessionToken: string;
-}
-export interface CognitoConfig {
-    clientId: string;
-    domain: string;
-    identityPoolId: string;
-    userPoolId: string;
-}
-export interface StoredCredentials extends CognitoTokens {
-    apiUrl: string;
-    awsCredentials: AWSCredentials;
-    cognitoConfig?: CognitoConfig;
-    obtainedAt: string;
-    region: string;
-    tenantDomain: string;
-    tenantId: string;
-}
-export declare class AuthService {
-    private readonly cognitoConfig;
-    private readonly credDir;
-    private readonly credPath;
-    private readonly domain?;
+/**
+ * Hyperdrive Authentication Service
+ *
+ * Re-exports from @devsquad/cli-auth with hyperdrive-specific configuration.
+ */
+import { AuthService as BaseAuthService, type AuthServiceConfig, type AWSCredentials, type CognitoConfig, type CognitoTokens, type StoredCredentials } from '@hyperdrive.bot/cli-auth';
+export type { AWSCredentials, CognitoConfig, CognitoTokens, StoredCredentials };
+declare const HYPERDRIVE_AUTH_CONFIG: AuthServiceConfig;
+/**
+ * Hyperdrive-specific AuthService
+ *
+ * Wrapper around @devsquad/cli-auth with hyperdrive defaults.
+ */
+export declare class AuthService extends BaseAuthService {
     constructor(domain?: string);
-    /**
-     * Clear stored credentials
-     */
-    clearCredentials(): void;
-    /**
-     * Ensure credentials are valid, refresh if needed
-     * Returns valid credentials or throws error
-     */
-    ensureValidCredentials(): Promise<StoredCredentials>;
-    /**
-     * Get AWS credentials from Cognito Identity Pool using ID token
-     */
-    getAWSCredentials(idToken: string, region: string, cognitoConfig: CognitoConfig): Promise<AWSCredentials>;
-    /**
-     * Get all domains with stored credentials
-     */
-    getCredentialDomains(): string[];
-    /**
-     * Check if credentials are expired
-     */
-    isExpired(credentials: StoredCredentials): boolean;
-    /**
-     * Load stored credentials from domain-specific path
-     *
-     * Always uses domain-specific credentials (credentials.<domain>)
-     * Domain is either explicitly specified or uses default domain
-     */
-    loadCredentials(): StoredCredentials | null;
-    /**
-     * Check if credentials need refresh
-     * Returns true if AWS credentials expire in less than 5 minutes
-     */
-    needsRefresh(credentials: StoredCredentials): boolean;
-    /**
-     * Refresh Cognito tokens using refresh token
-     */
-    refreshTokens(refreshToken: string, cognitoConfig: CognitoConfig): Promise<CognitoTokens>;
-    /**
-     * Save credentials to ~/.hyperdrive/credentials
-     */
-    saveCredentials(credentials: StoredCredentials): void;
-    /**
-     * Get the credentials file path (always domain-specific)
-     */
-    private getCredentialsPath;
-    /**
-     * Get default domain from TenantService (avoid circular dependency by reading file directly)
-     */
-    private getDefaultDomain;
 }
+export { HYPERDRIVE_AUTH_CONFIG };

package/dist/services/auth-service.js

@@ -1,240 +1,27 @@
-import { CognitoIdentityClient, GetCredentialsForIdentityCommand, GetIdCommand } from '@aws-sdk/client-cognito-identity';
-import axios from 'axios';
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'fs';
-import { homedir } from 'os';
-import { join } from 'path';
-export class AuthService {
-    cognitoConfig = {
-        clientId: process.env.HYPERDRIVE_COGNITO_CLIENT_ID || '',
-        domain: process.env.HYPERDRIVE_COGNITO_DOMAIN || 'hyperdrive.auth.us-east-1.amazoncognito.com',
-        identityPoolId: process.env.HYPERDRIVE_COGNITO_IDENTITY_POOL_ID || '',
-        region: process.env.HYPERDRIVE_AWS_REGION || 'us-east-1',
-        userPoolId: process.env.HYPERDRIVE_COGNITO_USER_POOL_ID || '',
-    };
-    credDir;
-    credPath;
-    domain;
+/**
+ * Hyperdrive Authentication Service
+ *
+ * Re-exports from @devsquad/cli-auth with hyperdrive-specific configuration.
+ */
+import { AuthService as BaseAuthService, } from '@hyperdrive.bot/cli-auth';
+// Hyperdrive-specific configuration
+const HYPERDRIVE_AUTH_CONFIG = {
+    appName: 'hyperdrive',
+    defaultCognitoClientId: process.env.HYPERDRIVE_COGNITO_CLIENT_ID || '',
+    defaultCognitoDomain: process.env.HYPERDRIVE_COGNITO_DOMAIN || 'hyperdrive.auth.us-east-1.amazoncognito.com',
+    defaultIdentityPoolId: process.env.HYPERDRIVE_COGNITO_IDENTITY_POOL_ID || '',
+    defaultUserPoolId: process.env.HYPERDRIVE_COGNITO_USER_POOL_ID || '',
+    defaultRegion: process.env.HYPERDRIVE_AWS_REGION || 'us-east-1',
+};
+/**
+ * Hyperdrive-specific AuthService
+ *
+ * Wrapper around @devsquad/cli-auth with hyperdrive defaults.
+ */
+export class AuthService extends BaseAuthService {
     constructor(domain) {
-        this.credDir = join(homedir(), '.hyperdrive');
-        this.domain = domain;
-        this.credPath = this.getCredentialsPath();
-    }
-    /**
-     * Clear stored credentials
-     */
-    clearCredentials() {
-        if (existsSync(this.credPath)) {
-            unlinkSync(this.credPath);
-        }
-    }
-    /**
-     * Ensure credentials are valid, refresh if needed
-     * Returns valid credentials or throws error
-     */
-    async ensureValidCredentials() {
-        const credentials = this.loadCredentials();
-        if (!credentials) {
-            throw new Error('Not authenticated. Please run "hd auth login" first.');
-        }
-        // Auto-refresh if needed
-        if (this.needsRefresh(credentials)) {
-            if (!credentials.cognitoConfig) {
-                throw new Error('Cognito configuration not found. Please run "hd auth login" again.');
-            }
-            console.log('⏳ Credentials expiring soon, refreshing...');
-            const newTokens = await this.refreshTokens(credentials.refresh_token, credentials.cognitoConfig);
-            const newAwsCredentials = await this.getAWSCredentials(newTokens.id_token, credentials.region, credentials.cognitoConfig);
-            const updatedCredentials = {
-                ...newTokens,
-                apiUrl: credentials.apiUrl,
-                awsCredentials: newAwsCredentials,
-                cognitoConfig: credentials.cognitoConfig,
-                obtainedAt: new Date().toISOString(),
-                region: credentials.region,
-                tenantDomain: credentials.tenantDomain,
-                tenantId: credentials.tenantId,
-            };
-            this.saveCredentials(updatedCredentials);
-            console.log('✅ Credentials refreshed automatically');
-            return updatedCredentials;
-        }
-        return credentials;
-    }
-    /**
-     * Get AWS credentials from Cognito Identity Pool using ID token
-     */
-    async getAWSCredentials(idToken, region, cognitoConfig) {
-        const client = new CognitoIdentityClient({ region });
-        try {
-            // Step 1: Get Identity ID
-            const getIdResponse = await client.send(new GetIdCommand({
-                IdentityPoolId: cognitoConfig.identityPoolId,
-                Logins: {
-                    [`cognito-idp.${region}.amazonaws.com/${cognitoConfig.userPoolId}`]: idToken,
-                },
-            }));
-            if (!getIdResponse.IdentityId) {
-                throw new Error('Failed to get Identity ID from Cognito');
-            }
-            // Step 2: Get temporary AWS credentials
-            const getCredentialsResponse = await client.send(new GetCredentialsForIdentityCommand({
-                IdentityId: getIdResponse.IdentityId,
-                Logins: {
-                    [`cognito-idp.${region}.amazonaws.com/${cognitoConfig.userPoolId}`]: idToken,
-                },
-            }));
-            if (!getCredentialsResponse.Credentials) {
-                throw new Error('Failed to get AWS credentials from Cognito');
-            }
-            const { AccessKeyId, Expiration, SecretKey, SessionToken } = getCredentialsResponse.Credentials;
-            if (!AccessKeyId || !SecretKey || !SessionToken || !Expiration) {
-                throw new Error('Incomplete AWS credentials received from Cognito');
-            }
-            return {
-                accessKeyId: AccessKeyId,
-                expiration: Expiration,
-                secretAccessKey: SecretKey,
-                sessionToken: SessionToken,
-            };
-        }
-        catch (error) {
-            if (error instanceof Error) {
-                throw new Error(`Failed to obtain AWS credentials: ${error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Get all domains with stored credentials
-     */
-    getCredentialDomains() {
-        try {
-            if (!existsSync(this.credDir)) {
-                return [];
-            }
-            const files = require('fs').readdirSync(this.credDir);
-            const domains = [];
-            for (const file of files) {
-                // Match files like "credentials.example.com"
-                const match = file.match(/^credentials\.(.+)$/);
-                if (match) {
-                    domains.push(match[1]);
-                }
-            }
-            return domains;
-        }
-        catch (error) {
-            return [];
-        }
-    }
-    /**
-     * Check if credentials are expired
-     */
-    isExpired(credentials) {
-        const expiration = new Date(credentials.awsCredentials.expiration);
-        return new Date() >= expiration;
-    }
-    /**
-     * Load stored credentials from domain-specific path
-     *
-     * Always uses domain-specific credentials (credentials.<domain>)
-     * Domain is either explicitly specified or uses default domain
-     */
-    loadCredentials() {
-        try {
-            if (!existsSync(this.credPath)) {
-                return null;
-            }
-            const data = readFileSync(this.credPath, 'utf8');
-            const credentials = JSON.parse(data);
-            // Convert expiration string back to Date object
-            credentials.awsCredentials.expiration = new Date(credentials.awsCredentials.expiration);
-            return credentials;
-        }
-        catch (error) {
-            console.error('Failed to load credentials:', error);
-            return null;
-        }
-    }
-    /**
-     * Check if credentials need refresh
-     * Returns true if AWS credentials expire in less than 5 minutes
-     */
-    needsRefresh(credentials) {
-        const expiration = new Date(credentials.awsCredentials.expiration);
-        const now = new Date();
-        const timeUntilExpiry = expiration.getTime() - now.getTime();
-        const fiveMinutes = 5 * 60 * 1000;
-        return timeUntilExpiry < fiveMinutes;
-    }
-    /**
-     * Refresh Cognito tokens using refresh token
-     */
-    async refreshTokens(refreshToken, cognitoConfig) {
-        try {
-            const response = await axios.post(`https://${cognitoConfig.domain}/oauth2/token`, new URLSearchParams({
-                client_id: cognitoConfig.clientId,
-                grant_type: 'refresh_token',
-                refresh_token: refreshToken,
-            }), {
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-            });
-            // Cognito doesn't return a new refresh token on refresh, so we need to keep the old one
-            return {
-                ...response.data,
-                refresh_token: refreshToken, // Preserve original refresh token
-            };
-        }
-        catch (error) {
-            if (axios.isAxiosError(error)) {
-                throw new Error(`Token refresh failed: ${error.response?.data?.error_description || error.message}`);
-            }
-            throw error;
-        }
-    }
-    /**
-     * Save credentials to ~/.hyperdrive/credentials
-     */
-    saveCredentials(credentials) {
-        // Prevent saving test/mock credentials to production path
-        const testPatterns = ['test-client-id', 'us-east-1_TEST', 'test-identity', 'test.auth.amazoncognito'];
-        const credString = JSON.stringify(credentials);
-        for (const pattern of testPatterns) {
-            if (credString.includes(pattern)) {
-                throw new Error(`Refusing to save credentials containing test value: "${pattern}". This looks like test data.`);
-            }
-        }
-        // Ensure directory exists
-        if (!existsSync(this.credDir)) {
-            mkdirSync(this.credDir, { recursive: true });
-        }
-        // Write with secure permissions (owner read/write only)
-        writeFileSync(this.credPath, JSON.stringify(credentials, null, 2), { mode: 0o600 });
-    }
-    /**
-     * Get the credentials file path (always domain-specific)
-     */
-    getCredentialsPath() {
-        const domain = this.domain || this.getDefaultDomain();
-        if (!domain) {
-            throw new Error('No domain specified and no default domain configured');
-        }
-        // Domain-specific credentials: ~/.hyperdrive/credentials.{domain}
-        return join(this.credDir, `credentials.${domain}`);
-    }
-    /**
-     * Get default domain from TenantService (avoid circular dependency by reading file directly)
-     */
-    getDefaultDomain() {
-        try {
-            const defaultDomainPath = join(this.credDir, 'default-domain');
-            if (!existsSync(defaultDomainPath)) {
-                return null;
-            }
-            return readFileSync(defaultDomainPath, 'utf8').trim();
-        }
-        catch (error) {
-            return null;
-        }
+        super(HYPERDRIVE_AUTH_CONFIG, domain);
     }
 }
+// Export config for use by HyperdriveSigV4Service
+export { HYPERDRIVE_AUTH_CONFIG };