@hyperdrive.bot/cli 1.0.6 → 1.0.8

package/dist/commands/stage/revoke.js

@@ -0,0 +1,171 @@
+import { Args, Command, Flags } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { HyperdriveSigV4Service } from '../../services/hyperdrive-sigv4.js';
+export default class StageRevoke extends Command {
+    static args = {
+        stage: Args.string({
+            description: 'Stage name to revoke access from',
+            required: false,
+        }),
+    };
+    static description = 'Revoke access from a stage for a user or CI account';
+    static examples = [
+        // Interactive
+        '<%= config.bin %> <%= command.id %>',
+        '<%= config.bin %> <%= command.id %> develop',
+        // Non-interactive
+        '<%= config.bin %> <%= command.id %> develop --user maria@company.com',
+        '<%= config.bin %> <%= command.id %> develop --ci github-actions',
+    ];
+    static flags = {
+        ci: Flags.string({
+            char: 'c',
+            description: 'CI account name or ID to revoke access from',
+            exclusive: ['user'],
+        }),
+        domain: Flags.string({
+            char: 'd',
+            description: 'Tenant domain (for multi-domain setups)',
+        }),
+        user: Flags.string({
+            char: 'u',
+            description: 'User email to revoke access from',
+            exclusive: ['ci'],
+        }),
+        yes: Flags.boolean({
+            char: 'y',
+            default: false,
+            description: 'Skip confirmation',
+        }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(StageRevoke);
+        this.log(chalk.cyan('\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+        this.log(chalk.cyan('🔓 Revoke Stage Access'));
+        this.log(chalk.cyan('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+        this.log('');
+        const service = new HyperdriveSigV4Service(flags.domain);
+        // Step 1: Resolve stage
+        let stageName;
+        if (args.stage) {
+            stageName = args.stage;
+        }
+        else {
+            stageName = await this.promptForStage(service);
+        }
+        // Step 2: Resolve target
+        let targetType;
+        let targetId;
+        let displayName;
+        if (flags.user) {
+            targetType = 'user';
+            targetId = flags.user;
+            displayName = flags.user;
+        }
+        else if (flags.ci) {
+            const ciAccount = await this.findCIAccount(service, flags.ci);
+            if (!ciAccount) {
+                this.error(`CI account '${flags.ci}' not found`);
+            }
+            targetType = 'user';
+            targetId = ciAccount.cognitoUsername;
+            displayName = `CI: ${ciAccount.name}`;
+        }
+        else {
+            // Interactive: show current access and let user select
+            const target = await this.promptForTarget(service, stageName);
+            if (!target) {
+                this.log(chalk.yellow('No access entries to revoke.'));
+                return;
+            }
+            targetType = target.type;
+            targetId = target.id;
+            displayName = target.displayName;
+        }
+        // Step 3: Confirm
+        if (!flags.yes) {
+            const { confirmed } = await inquirer.prompt([{
+                    default: false,
+                    message: chalk.yellow(`Revoke all access from ${displayName} on stage '${stageName}'?`),
+                    name: 'confirmed',
+                    type: 'confirm',
+                }]);
+            if (!confirmed) {
+                this.log(chalk.gray('Cancelled.'));
+                return;
+            }
+        }
+        // Step 4: Revoke
+        try {
+            this.log(chalk.blue(`\n🔄 Revoking access from '${stageName}' for ${displayName}...`));
+            await service.stageAccessRevoke(stageName, targetType, targetId);
+            this.log(chalk.green(`✅ Access revoked for ${displayName} from '${stageName}'`));
+        }
+        catch (error) {
+            const err = error;
+            const message = err.response?.data?.message || err.message;
+            this.error(`Failed to revoke access: ${message}`);
+        }
+        this.log('');
+    }
+    async findCIAccount(service, nameOrId) {
+        try {
+            const accounts = await service.ciAccountList();
+            return accounts.find(a => a.name.toLowerCase() === nameOrId.toLowerCase() ||
+                a.accountId === nameOrId ||
+                a.cognitoUsername.includes(nameOrId)) || null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async promptForStage(service) {
+        this.log(chalk.gray('   Fetching stages...'));
+        const stages = await service.stageList();
+        if (!stages || stages.length === 0) {
+            this.error('No stages found');
+        }
+        const stageChoices = stages.map(s => ({
+            name: s.production
+                ? `${s.name} ${chalk.red('(PROD)')}`
+                : `${s.name} ${chalk.blue('(dev)')}`,
+            value: s.slug || s.name,
+        }));
+        const { stage } = await inquirer.prompt([{
+                choices: stageChoices,
+                message: chalk.yellow('Select a stage:'),
+                name: 'stage',
+                type: 'list',
+            }]);
+        return stage;
+    }
+    async promptForTarget(service, stageName) {
+        this.log(chalk.gray('   Fetching current access...'));
+        try {
+            const accessData = await service.stageAccessGet(stageName);
+            if (!accessData.access || accessData.access.length === 0) {
+                return null;
+            }
+            // Build choices from current access
+            const choices = accessData.access.map(entry => ({
+                name: `${entry.targetId} (${entry.role})`,
+                value: {
+                    displayName: entry.targetId,
+                    id: entry.targetId,
+                    type: entry.targetType,
+                },
+            }));
+            const { target } = await inquirer.prompt([{
+                    choices,
+                    message: chalk.yellow('Select who to revoke access from:'),
+                    name: 'target',
+                    type: 'list',
+                }]);
+            return target;
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/commands/stage/share.d.ts

@@ -0,0 +1,23 @@
+import { Command } from '@oclif/core';
+export default class StageShare extends Command {
+    static args: {
+        stage: import("@oclif/core/interfaces").Arg<string | undefined, Record<string, unknown>>;
+    };
+    static description: string;
+    static examples: string[];
+    static flags: {
+        ci: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        domain: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        group: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        role: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        user: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        yes: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    static strict: boolean;
+    run(): Promise<void>;
+    private findCIAccount;
+    private findGroup;
+    private promptForRole;
+    private promptForStages;
+    private promptForTarget;
+}

package/dist/commands/stage/share.js

@@ -0,0 +1,292 @@
+import { Args, Command, Flags } from '@oclif/core';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { HyperdriveSigV4Service } from '../../services/hyperdrive-sigv4.js';
+const ROLE_CHOICES = [
+    {
+        name: 'Deployer - Can deploy to this stage',
+        short: 'Deployer',
+        value: 'deployer',
+    },
+    {
+        name: 'Viewer - Can view stage details and deployments',
+        short: 'Viewer',
+        value: 'viewer',
+    },
+    {
+        name: 'Manager - Full control including access management',
+        short: 'Manager',
+        value: 'manager',
+    },
+];
+export default class StageShare extends Command {
+    static args = {
+        stage: Args.string({
+            description: 'Stage name to share access to',
+            required: false,
+        }),
+    };
+    static description = 'Grant access to a stage for users or CI accounts';
+    static examples = [
+        // Interactive
+        '<%= config.bin %> <%= command.id %>',
+        '<%= config.bin %> <%= command.id %> develop',
+        // Non-interactive
+        '<%= config.bin %> <%= command.id %> develop --user maria@company.com --role deployer',
+        '<%= config.bin %> <%= command.id %> develop --ci github-actions --role deployer',
+        '<%= config.bin %> <%= command.id %> develop --group "CI Accounts" --role deployer',
+        '<%= config.bin %> <%= command.id %> staging production --user dev@company.com --role viewer',
+    ];
+    static flags = {
+        ci: Flags.string({
+            char: 'c',
+            description: 'CI account name or ID to grant access to',
+            exclusive: ['user', 'group'],
+        }),
+        domain: Flags.string({
+            char: 'd',
+            description: 'Tenant domain (for multi-domain setups)',
+        }),
+        group: Flags.string({
+            char: 'g',
+            description: 'Group ID or name to grant access to',
+            exclusive: ['user', 'ci'],
+        }),
+        role: Flags.string({
+            char: 'r',
+            description: 'Role to grant',
+            options: ['viewer', 'deployer', 'manager'],
+        }),
+        user: Flags.string({
+            char: 'u',
+            description: 'User email to grant access to',
+            exclusive: ['ci', 'group'],
+        }),
+        yes: Flags.boolean({
+            char: 'y',
+            default: false,
+            description: 'Skip confirmation for production stages',
+        }),
+    };
+    static strict = false; // Allow multiple stage args
+    async run() {
+        const { argv, flags } = await this.parse(StageShare);
+        const stageArgs = argv;
+        this.log(chalk.cyan('\n━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+        this.log(chalk.cyan('🔐 Share Stage Access'));
+        this.log(chalk.cyan('━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━'));
+        this.log('');
+        const service = new HyperdriveSigV4Service(flags.domain);
+        // Step 1: Resolve stage(s)
+        let stages;
+        if (stageArgs.length > 0) {
+            stages = stageArgs;
+        }
+        else {
+            stages = await this.promptForStages(service);
+        }
+        // Step 2: Resolve target (user, CI, or group)
+        let targetType;
+        let targetId;
+        let displayName;
+        if (flags.group) {
+            // Find group by ID or name
+            const group = await this.findGroup(service, flags.group);
+            if (!group) {
+                this.error(`Group '${flags.group}' not found`);
+            }
+            targetType = 'group';
+            targetId = group.groupId;
+            displayName = `Group: ${group.name}`;
+        }
+        else if (flags.user) {
+            targetType = 'user';
+            targetId = flags.user;
+            displayName = flags.user;
+        }
+        else if (flags.ci) {
+            // For CI accounts, we need to look up the Cognito sub
+            const ciAccount = await this.findCIAccount(service, flags.ci);
+            if (!ciAccount) {
+                this.error(`CI account '${flags.ci}' not found`);
+            }
+            targetType = 'user';
+            // CI accounts use cognitoUsername but we need the sub for Zanzibar
+            // For now, we'll use the cognitoUsername and the backend will resolve it
+            targetId = ciAccount.cognitoUsername;
+            displayName = `CI: ${ciAccount.name}`;
+        }
+        else {
+            const target = await this.promptForTarget(service);
+            targetType = target.type;
+            targetId = target.id;
+            displayName = target.displayName;
+        }
+        // Step 3: Resolve role
+        const role = flags.role || await this.promptForRole();
+        // Step 4: Confirm for production stages
+        const prodStages = stages.filter(s => s.toLowerCase().includes('prod'));
+        if (prodStages.length > 0 && !flags.yes) {
+            const { confirmed } = await inquirer.prompt([{
+                    default: false,
+                    message: chalk.yellow(`⚠️  You're granting access to production stage(s): ${prodStages.join(', ')}. Continue?`),
+                    name: 'confirmed',
+                    type: 'confirm',
+                }]);
+            if (!confirmed) {
+                this.log(chalk.gray('Cancelled.'));
+                return;
+            }
+        }
+        // Step 5: Grant access to each stage
+        this.log('');
+        for (const stage of stages) {
+            try {
+                this.log(chalk.blue(`🔄 Granting ${role} access to '${stage}' for ${displayName}...`));
+                await service.stageAccessGrant(stage, [{
+                        role,
+                        targetId,
+                        targetType,
+                    }]);
+                this.log(chalk.green(`✅ Granted '${role}' access to ${displayName} on '${stage}'`));
+            }
+            catch (error) {
+                const err = error;
+                const message = err.response?.data?.message || err.message;
+                this.log(chalk.red(`❌ Failed to grant access to '${stage}': ${message}`));
+            }
+        }
+        this.log('');
+    }
+    async findCIAccount(service, nameOrId) {
+        try {
+            const accounts = await service.ciAccountList();
+            return accounts.find(a => a.name.toLowerCase() === nameOrId.toLowerCase() ||
+                a.accountId === nameOrId ||
+                a.cognitoUsername.includes(nameOrId)) || null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async findGroup(service, nameOrId) {
+        try {
+            const groups = await service.groupList();
+            return groups.find(g => g.groupId === nameOrId ||
+                g.name.toLowerCase() === nameOrId.toLowerCase()) || null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async promptForRole() {
+        const { role } = await inquirer.prompt([{
+                choices: ROLE_CHOICES,
+                message: chalk.yellow('Select role to grant:'),
+                name: 'role',
+                type: 'list',
+            }]);
+        return role;
+    }
+    async promptForStages(service) {
+        this.log(chalk.gray('   Fetching stages...'));
+        const stagesData = await service.stageList();
+        if (!stagesData || stagesData.length === 0) {
+            this.error('No stages found. Create a stage first with: hd stage create');
+        }
+        const stageChoices = stagesData.map(s => ({
+            name: s.production
+                ? `${s.name} ${chalk.red('(PROD)')}`
+                : `${s.name} ${chalk.blue('(dev)')}`,
+            value: s.slug || s.name,
+        }));
+        const { stages } = await inquirer.prompt([{
+                choices: stageChoices,
+                message: chalk.yellow('Select stage(s) to share:'),
+                name: 'stages',
+                type: 'checkbox',
+                validate: (input) => input.length > 0 || 'Select at least one stage',
+            }]);
+        return stages;
+    }
+    async promptForTarget(service) {
+        // First ask what type of target
+        const { targetType } = await inquirer.prompt([{
+                choices: [
+                    { name: 'User (by email)', value: 'user' },
+                    { name: 'CI Account', value: 'ci' },
+                    { name: 'Group', value: 'group' },
+                ],
+                message: chalk.yellow('Grant access to:'),
+                name: 'targetType',
+                type: 'list',
+            }]);
+        if (targetType === 'group') {
+            // Fetch groups and let user select
+            this.log(chalk.gray('   Fetching groups...'));
+            const groups = await service.groupList();
+            if (!groups || groups.length === 0) {
+                this.error('No groups found. Create a group first or use user/CI account.');
+            }
+            const groupChoices = groups.map(g => ({
+                name: g.isSystemGroup
+                    ? `${g.name} ${chalk.cyan('(system)')}`
+                    : g.name,
+                value: { groupId: g.groupId, name: g.name },
+            }));
+            const { group } = await inquirer.prompt([{
+                    choices: groupChoices,
+                    message: chalk.yellow('Select group:'),
+                    name: 'group',
+                    type: 'list',
+                }]);
+            return {
+                displayName: `Group: ${group.name}`,
+                id: group.groupId,
+                type: 'group',
+            };
+        }
+        if (targetType === 'ci') {
+            // Fetch CI accounts and let user select
+            this.log(chalk.gray('   Fetching CI accounts...'));
+            const ciAccounts = await service.ciAccountList();
+            if (!ciAccounts || ciAccounts.length === 0) {
+                this.error('No CI accounts found. Create one first with: hd ci account create');
+            }
+            const ciChoices = ciAccounts.map(a => ({
+                name: `${a.name} (${a.cognitoUsername.split('@')[0]})`,
+                value: {
+                    cognitoUsername: a.cognitoUsername,
+                    name: a.name,
+                },
+            }));
+            const { ciAccount } = await inquirer.prompt([{
+                    choices: ciChoices,
+                    message: chalk.yellow('Select CI account:'),
+                    name: 'ciAccount',
+                    type: 'list',
+                }]);
+            return {
+                displayName: `CI: ${ciAccount.name}`,
+                id: ciAccount.cognitoUsername,
+                type: 'user',
+            };
+        }
+        // For users, prompt for email
+        const { email } = await inquirer.prompt([{
+                message: chalk.yellow('Enter user email:'),
+                name: 'email',
+                validate: (input) => {
+                    if (!input || !input.includes('@')) {
+                        return 'Please enter a valid email address';
+                    }
+                    return true;
+                },
+            }]);
+        return {
+            displayName: email,
+            id: email,
+            type: 'user',
+        };
+    }
+}

package/dist/commands/test-api.d.ts

@@ -3,7 +3,7 @@ export default class TestApi extends Command {
     static description: string;
     static examples: string[];
     static flags: {
-        domain: import("@oclif/core/lib/interfaces/parser.js").OptionFlag<string | undefined, import("@oclif/core/lib/interfaces/parser.js").CustomOptions>;
+        domain: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
     };
     run(): Promise<void>;
 }

package/dist/services/auth-service.d.ts

@@ -1,84 +1,17 @@
-export interface CognitoTokens {
-    access_token: string;
-    expires_in: number;
-    id_token: string;
-    refresh_token: string;
-    token_type: string;
-}
-export interface AWSCredentials {
-    accessKeyId: string;
-    expiration: Date;
-    secretAccessKey: string;
-    sessionToken: string;
-}
-export interface CognitoConfig {
-    clientId: string;
-    domain: string;
-    identityPoolId: string;
-    userPoolId: string;
-}
-export interface StoredCredentials extends CognitoTokens {
-    apiUrl: string;
-    awsCredentials: AWSCredentials;
-    cognitoConfig?: CognitoConfig;
-    obtainedAt: string;
-    region: string;
-    tenantDomain: string;
-    tenantId: string;
-}
-export declare class AuthService {
-    private readonly cognitoConfig;
-    private readonly credDir;
-    private readonly credPath;
-    private readonly domain?;
+/**
+ * Hyperdrive Authentication Service
+ *
+ * Re-exports from @devsquad/cli-auth with hyperdrive-specific configuration.
+ */
+import { AuthService as BaseAuthService, type AuthServiceConfig, type AWSCredentials, type CognitoConfig, type CognitoTokens, type StoredCredentials } from '@hyperdrive.bot/cli-auth';
+export type { AWSCredentials, CognitoConfig, CognitoTokens, StoredCredentials };
+declare const HYPERDRIVE_AUTH_CONFIG: AuthServiceConfig;
+/**
+ * Hyperdrive-specific AuthService
+ *
+ * Wrapper around @devsquad/cli-auth with hyperdrive defaults.
+ */
+export declare class AuthService extends BaseAuthService {
     constructor(domain?: string);
-    /**
-     * Clear stored credentials
-     */
-    clearCredentials(): void;
-    /**
-     * Ensure credentials are valid, refresh if needed
-     * Returns valid credentials or throws error
-     */
-    ensureValidCredentials(): Promise<StoredCredentials>;
-    /**
-     * Get AWS credentials from Cognito Identity Pool using ID token
-     */
-    getAWSCredentials(idToken: string, region: string, cognitoConfig: CognitoConfig): Promise<AWSCredentials>;
-    /**
-     * Get all domains with stored credentials
-     */
-    getCredentialDomains(): string[];
-    /**
-     * Check if credentials are expired
-     */
-    isExpired(credentials: StoredCredentials): boolean;
-    /**
-     * Load stored credentials from domain-specific path
-     *
-     * Always uses domain-specific credentials (credentials.<domain>)
-     * Domain is either explicitly specified or uses default domain
-     */
-    loadCredentials(): StoredCredentials | null;
-    /**
-     * Check if credentials need refresh
-     * Returns true if AWS credentials expire in less than 5 minutes
-     */
-    needsRefresh(credentials: StoredCredentials): boolean;
-    /**
-     * Refresh Cognito tokens using refresh token
-     */
-    refreshTokens(refreshToken: string, cognitoConfig: CognitoConfig): Promise<CognitoTokens>;
-    /**
-     * Save credentials to ~/.hyperdrive/credentials
-     */
-    saveCredentials(credentials: StoredCredentials): void;
-    /**
-     * Get the credentials file path (always domain-specific)
-     */
-    private getCredentialsPath;
-    /**
-     * Get default domain from TenantService (avoid circular dependency by reading file directly)
-     */
-    private getDefaultDomain;
 }
+export { HYPERDRIVE_AUTH_CONFIG };