@hyperdrive.bot/sign-cli 0.1.3

package/bin/run.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import {execute} from '@oclif/core'
+
+await execute({dir: import.meta.url})

package/dist/commands/api.d.ts

@@ -0,0 +1,28 @@
+/**
+ * sign api <METHOD> <path> [--body]
+ *
+ * Raw escape hatch — call any API endpoint directly.
+ * Bypasses manifest resolution for 100% endpoint coverage.
+ *
+ * Examples:
+ *   sign api GET /folders
+ *   sign api POST /documents --body '{"name":"test"}'
+ *   sign api DELETE /folders/abc-123
+ */
+import { Command } from '@oclif/core';
+export default class Api extends Command {
+    static description: string;
+    static examples: string[];
+    static args: {
+        method: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+        path: import("@oclif/core/interfaces").Arg<string, Record<string, unknown>>;
+    };
+    static flags: {
+        body: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        input: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        module: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        table: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        raw: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/api.js

@@ -0,0 +1,82 @@
+/**
+ * sign api <METHOD> <path> [--body]
+ *
+ * Raw escape hatch — call any API endpoint directly.
+ * Bypasses manifest resolution for 100% endpoint coverage.
+ *
+ * Examples:
+ *   sign api GET /folders
+ *   sign api POST /documents --body '{"name":"test"}'
+ *   sign api DELETE /folders/abc-123
+ */
+import { Command, Args, Flags } from '@oclif/core';
+import { createSignClient } from '../lib/sign-api.js';
+import { formatOutput } from '../lib/request.js';
+export default class Api extends Command {
+    static description = 'Execute a raw API request (escape hatch)';
+    static examples = [
+        '<%= config.bin %> api GET /folders',
+        '<%= config.bin %> api POST /documents --body \'{"name":"My Doc"}\'',
+        '<%= config.bin %> api DELETE /folders/abc-123',
+    ];
+    static args = {
+        method: Args.string({
+            description: 'HTTP method',
+            required: true,
+            options: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
+        }),
+        path: Args.string({
+            description: 'API path (e.g., /folders, /documents/abc-123)',
+            required: true,
+        }),
+    };
+    static flags = {
+        body: Flags.string({ description: 'Request body (JSON string)', char: 'b' }),
+        input: Flags.string({ description: 'Read body from file', char: 'i' }),
+        module: Flags.string({ description: 'Target module (for API Gateway routing)', char: 'm' }),
+        table: Flags.boolean({ description: 'Format output as table' }),
+        raw: Flags.boolean({ description: 'Raw output (no formatting)' }),
+    };
+    async run() {
+        const { args, flags } = await this.parse(Api);
+        const { method, path } = args;
+        try {
+            const client = createSignClient();
+            // If a module flag is provided, resolve from manifest for correct API Gateway
+            let fullUrl;
+            if (flags.module) {
+                const { getManifest } = await import('../lib/manifest.js');
+                const manifest = await getManifest(client);
+                const resource = Object.values(manifest.resources).find(r => r.module === flags.module);
+                if (resource) {
+                    fullUrl = `${resource.apiGateway}${path}`;
+                }
+            }
+            // Parse body
+            let body;
+            if (flags.body) {
+                body = JSON.parse(flags.body);
+            }
+            else if (flags.input) {
+                const { readFile } = await import('node:fs/promises');
+                body = JSON.parse(await readFile(flags.input, 'utf-8'));
+            }
+            let response;
+            if (fullUrl) {
+                response = await client.request(method, fullUrl, body);
+            }
+            else {
+                // Use the primary API URL (from stored credentials)
+                response = await client.get(path);
+            }
+            this.log(formatOutput(response, flags));
+        }
+        catch (error) {
+            const err = error;
+            if (err.message.includes('Not authenticated') || err.message.includes('auth login')) {
+                this.error('Not authenticated. Run "sign auth login" first.');
+            }
+            this.error(err.message);
+        }
+    }
+}

package/dist/commands/modules/list.d.ts

@@ -0,0 +1,16 @@
+/**
+ * sign modules list
+ *
+ * Displays all discoverable API resources and their available actions.
+ * Fetches the manifest from the backend (or cache).
+ */
+import { Command } from '@oclif/core';
+export default class ModulesList extends Command {
+    static description: string;
+    static examples: string[];
+    static flags: {
+        json: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        refresh: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/dist/commands/modules/list.js

@@ -0,0 +1,48 @@
+/**
+ * sign modules list
+ *
+ * Displays all discoverable API resources and their available actions.
+ * Fetches the manifest from the backend (or cache).
+ */
+import { Command, Flags } from '@oclif/core';
+import { getManifest, listResources } from '../../lib/manifest.js';
+import { createSignClient } from '../../lib/sign-api.js';
+export default class ModulesList extends Command {
+    static description = 'List all available API resources and actions';
+    static examples = [
+        '<%= config.bin %> modules list',
+        '<%= config.bin %> modules list --json',
+        '<%= config.bin %> modules list --refresh',
+    ];
+    static flags = {
+        json: Flags.boolean({ description: 'Output as JSON' }),
+        refresh: Flags.boolean({ description: 'Force refresh the manifest cache' }),
+    };
+    async run() {
+        const { flags } = await this.parse(ModulesList);
+        try {
+            const client = createSignClient();
+            const manifest = await getManifest(client, flags.refresh);
+            const resources = listResources(manifest);
+            if (flags.json) {
+                this.log(JSON.stringify(resources, null, 2));
+                return;
+            }
+            this.log(`\n  Sign CLI — ${resources.length} resources discovered (${manifest.stage}/${manifest.region})\n`);
+            for (const res of resources) {
+                this.log(`  ${res.name} (${res.module}) — ${res.actionCount} actions`);
+                this.log(`    ${res.actions.join(', ')}`);
+                this.log('');
+            }
+            this.log(`  Run "sign <resource> <action>" to execute.`);
+            this.log(`  Run "sign <resource>" to see action details.\n`);
+        }
+        catch (error) {
+            const err = error;
+            if (err.message.includes('Not authenticated') || err.message.includes('auth login')) {
+                this.error('Not authenticated. Run "sign auth login" first.');
+            }
+            this.error(err.message);
+        }
+    }
+}

package/dist/hooks/command-not-found.d.ts

@@ -0,0 +1,18 @@
+/**
+ * command_not_found Hook — Dynamic Command Resolution
+ *
+ * This is the brain of the Sign CLI. When oclif can't find a static command
+ * (e.g., "sign folders list"), this hook intercepts, looks up the manifest,
+ * and executes the matching API call via SigV4.
+ *
+ * Flow:
+ *   1. Parse: "folders list" → resource="folders", action="list"
+ *   2. Load manifest (cached or fresh)
+ *   3. Resolve resource + action → method + path + apiGateway
+ *   4. Substitute path params from positional args
+ *   5. SigV4-sign and execute the request
+ *   6. Print response as JSON
+ */
+import { Hook } from '@oclif/core';
+declare const hook: Hook.CommandNotFound;
+export default hook;

package/dist/hooks/command-not-found.js

@@ -0,0 +1,129 @@
+/**
+ * command_not_found Hook — Dynamic Command Resolution
+ *
+ * This is the brain of the Sign CLI. When oclif can't find a static command
+ * (e.g., "sign folders list"), this hook intercepts, looks up the manifest,
+ * and executes the matching API call via SigV4.
+ *
+ * Flow:
+ *   1. Parse: "folders list" → resource="folders", action="list"
+ *   2. Load manifest (cached or fresh)
+ *   3. Resolve resource + action → method + path + apiGateway
+ *   4. Substitute path params from positional args
+ *   5. SigV4-sign and execute the request
+ *   6. Print response as JSON
+ */
+import { getManifest, resolveAction, listResources } from '../lib/manifest.js';
+import { buildUrl, parseBody, formatOutput } from '../lib/request.js';
+import { createSignClient } from '../lib/sign-api.js';
+const hook = async function (opts) {
+    const parts = opts.id.split(':');
+    const argv = opts.argv ?? [];
+    // Need at least resource:action (oclif uses colons internally for topic:command)
+    if (parts.length < 2) {
+        const resource = parts[0];
+        try {
+            const client = createSignClient();
+            const manifest = await getManifest(client);
+            const res = manifest.resources[resource];
+            if (res) {
+                console.log(`\nResource: ${resource} (module: ${res.module})\n`);
+                console.log('Available actions:');
+                for (const action of res.actions) {
+                    const argsStr = action.args.map(a => `<${a}>`).join(' ');
+                    console.log(`  sign ${resource} ${action.name}${argsStr ? ' ' + argsStr : ''}  [${action.method}]`);
+                }
+                console.log(`\nUse --body '{...}' for POST/PUT/PATCH requests.`);
+                return;
+            }
+        }
+        catch {
+            // Fall through to error
+        }
+        console.error(`Unknown command: sign ${opts.id}`);
+        console.error('Run "sign modules list" to see available resources.');
+        process.exitCode = 1;
+        return;
+    }
+    const [resource, action] = parts;
+    // Remaining colon-separated parts + non-flag argv become positional args
+    const positionalArgs = [...parts.slice(2), ...argv.filter(a => !a.startsWith('-'))];
+    // Parse flags from argv
+    const flags = parseFlags(argv);
+    try {
+        const client = createSignClient();
+        // Handle "manifest refresh" as a special case
+        if (resource === 'manifest' && action === 'refresh') {
+            const { clearManifestCache } = await import('../lib/manifest.js');
+            await clearManifestCache();
+            const manifest = await getManifest(client, true);
+            console.log(`Manifest refreshed: ${Object.keys(manifest.resources).length} resources discovered.`);
+            return;
+        }
+        const manifest = await getManifest(client);
+        const match = resolveAction(manifest, resource, action);
+        if (!match) {
+            const res = manifest.resources[resource];
+            if (res) {
+                console.error(`Unknown action "${action}" for resource "${resource}".`);
+                console.error(`Available actions: ${res.actions.map(a => a.name).join(', ')}`);
+            }
+            else {
+                console.error(`Unknown resource "${resource}".`);
+                const resources = listResources(manifest);
+                console.error(`Available resources: ${resources.map(r => r.name).join(', ')}`);
+            }
+            process.exitCode = 1;
+            return;
+        }
+        // Build the full URL with substituted path params
+        const url = buildUrl(match.resource, match.action, positionalArgs);
+        // Parse request body for POST/PUT/PATCH
+        const needsBody = ['POST', 'PUT', 'PATCH'].includes(match.action.method);
+        const body = needsBody ? await parseBody(flags) : undefined;
+        // Execute the signed request
+        const response = await client.request(match.action.method, url, body ? JSON.parse(body) : undefined);
+        // Output
+        const output = formatOutput(response, flags);
+        console.log(output);
+    }
+    catch (error) {
+        const err = error;
+        if (err.message.includes('Missing required argument')) {
+            const match = resolveAction(await getManifest(createSignClient()), resource, action);
+            const argsStr = match?.action.args.map(a => `<${a}>`).join(' ') || '';
+            console.error(`Error: ${err.message}`);
+            console.error(`Usage: sign ${resource} ${action} ${argsStr}`);
+        }
+        else if (err.message.includes('Not authenticated') || err.message.includes('auth login')) {
+            console.error('Not authenticated. Run "sign auth login" first.');
+        }
+        else {
+            console.error(`Error: ${err.message}`);
+        }
+        process.exitCode = 1;
+    }
+};
+/**
+ * Parse flags from argv
+ */
+function parseFlags(argv) {
+    const flags = {};
+    for (let i = 0; i < argv.length; i++) {
+        const arg = argv[i];
+        if (arg === '--body' && argv[i + 1]) {
+            flags.body = argv[++i];
+        }
+        else if (arg === '--input' && argv[i + 1]) {
+            flags.input = argv[++i];
+        }
+        else if (arg === '--table') {
+            flags.table = true;
+        }
+        else if (arg === '--raw') {
+            flags.raw = true;
+        }
+    }
+    return flags;
+}
+export default hook;

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { run } from '@oclif/core';

package/dist/index.js

@@ -0,0 +1 @@
+export { run } from '@oclif/core';

package/dist/lib/manifest.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Manifest Client
+ *
+ * Fetches and caches the API manifest from the backend.
+ * The manifest contains all discoverable resources + actions.
+ */
+export interface ManifestAction {
+    name: string;
+    method: string;
+    path: string;
+    args: string[];
+}
+export interface ManifestResource {
+    module: string;
+    apiGateway: string;
+    actions: ManifestAction[];
+}
+export interface Manifest {
+    version: string;
+    generatedAt: string;
+    stage: string;
+    region: string;
+    resources: Record<string, ManifestResource>;
+}
+/**
+ * Get the manifest — from cache if fresh, otherwise from the API
+ */
+export declare const getManifest: (apiClient: {
+    get: (path: string) => Promise<unknown>;
+}, forceRefresh?: boolean) => Promise<Manifest>;
+/**
+ * Clear the cached manifest
+ */
+export declare const clearManifestCache: () => Promise<void>;
+/**
+ * Find a matching action in the manifest
+ */
+export declare const resolveAction: (manifest: Manifest, resource: string, action: string) => {
+    resource: ManifestResource;
+    action: ManifestAction;
+} | null;
+/**
+ * List all resources in the manifest
+ */
+export declare const listResources: (manifest: Manifest) => Array<{
+    name: string;
+    module: string;
+    actionCount: number;
+    actions: string[];
+}>;

package/dist/lib/manifest.js

@@ -0,0 +1,109 @@
+/**
+ * Manifest Client
+ *
+ * Fetches and caches the API manifest from the backend.
+ * The manifest contains all discoverable resources + actions.
+ */
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+// --- Config ---
+const CACHE_DIR = join(homedir(), '.sign');
+const CACHE_FILE = join(CACHE_DIR, 'manifest.json');
+const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
+/**
+ * Get the manifest — from cache if fresh, otherwise from the API
+ */
+export const getManifest = async (apiClient, forceRefresh = false) => {
+    if (!forceRefresh) {
+        const cached = await loadCachedManifest();
+        if (cached)
+            return cached;
+    }
+    const manifest = await fetchManifest(apiClient);
+    await cacheManifest(manifest);
+    return manifest;
+};
+/**
+ * Load manifest from local cache if it exists and is fresh
+ */
+const loadCachedManifest = async () => {
+    try {
+        if (!existsSync(CACHE_FILE))
+            return null;
+        const raw = await readFile(CACHE_FILE, 'utf-8');
+        const cached = JSON.parse(raw);
+        const age = Date.now() - new Date(cached.fetchedAt).getTime();
+        if (age > CACHE_TTL_MS)
+            return null;
+        return cached.manifest;
+    }
+    catch {
+        return null;
+    }
+};
+/**
+ * Fetch manifest from the API
+ */
+const fetchManifest = async (apiClient) => {
+    const response = await apiClient.get('/tenant/manifest');
+    return response;
+};
+/**
+ * Cache manifest to local filesystem
+ */
+const cacheManifest = async (manifest) => {
+    try {
+        if (!existsSync(CACHE_DIR)) {
+            await mkdir(CACHE_DIR, { recursive: true });
+        }
+        const cached = {
+            fetchedAt: new Date().toISOString(),
+            manifest
+        };
+        await writeFile(CACHE_FILE, JSON.stringify(cached, null, 2));
+    }
+    catch {
+        // Cache write failure is non-fatal
+    }
+};
+/**
+ * Clear the cached manifest
+ */
+export const clearManifestCache = async () => {
+    try {
+        if (existsSync(CACHE_FILE)) {
+            const { unlink } = await import('node:fs/promises');
+            await unlink(CACHE_FILE);
+        }
+    }
+    catch {
+        // Non-fatal
+    }
+};
+/**
+ * Find a matching action in the manifest
+ */
+export const resolveAction = (manifest, resource, action) => {
+    const res = manifest.resources[resource];
+    if (!res)
+        return null;
+    const act = res.actions.find(a => a.name === action);
+    if (!act)
+        return null;
+    return { resource: res, action: act };
+};
+/**
+ * List all resources in the manifest
+ */
+export const listResources = (manifest) => {
+    return Object.entries(manifest.resources)
+        .map(([name, res]) => ({
+        name,
+        module: res.module,
+        actionCount: res.actions.length,
+        actions: res.actions.map(a => a.name)
+    }))
+        .sort((a, b) => a.name.localeCompare(b.name));
+};

package/dist/lib/request.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Request Execution
+ *
+ * Executes SigV4-signed HTTP requests against API Gateway endpoints.
+ * Uses cli-auth's SigV4ApiClient under the hood.
+ */
+import type { ManifestAction, ManifestResource } from './manifest.js';
+/**
+ * Build the full URL for an action, substituting path params from positional args
+ */
+export declare const buildUrl: (resource: ManifestResource, action: ManifestAction, positionalArgs: string[]) => string;
+/**
+ * Parse request body from CLI flags
+ * Priority: --body > --input > stdin
+ */
+export declare const parseBody: (flags: {
+    body?: string;
+    input?: string;
+}) => Promise<string | undefined>;
+/**
+ * Format response for output
+ */
+export declare const formatOutput: (data: unknown, flags: {
+    table?: boolean;
+    raw?: boolean;
+}) => string;

package/dist/lib/request.js

@@ -0,0 +1,76 @@
+/**
+ * Request Execution
+ *
+ * Executes SigV4-signed HTTP requests against API Gateway endpoints.
+ * Uses cli-auth's SigV4ApiClient under the hood.
+ */
+import { readFile } from 'node:fs/promises';
+/**
+ * Build the full URL for an action, substituting path params from positional args
+ */
+export const buildUrl = (resource, action, positionalArgs) => {
+    let path = action.path;
+    // Substitute path params in order
+    for (let i = 0; i < action.args.length; i++) {
+        const paramName = action.args[i];
+        const value = positionalArgs[i];
+        if (!value) {
+            throw new Error(`Missing required argument: <${paramName}> (argument ${i + 1})`);
+        }
+        path = path.replace(`{${paramName}}`, value);
+    }
+    return `${resource.apiGateway}${path}`;
+};
+/**
+ * Parse request body from CLI flags
+ * Priority: --body > --input > stdin
+ */
+export const parseBody = async (flags) => {
+    if (flags.body) {
+        return flags.body;
+    }
+    if (flags.input) {
+        return readFile(flags.input, 'utf-8');
+    }
+    // Check if stdin has data (non-TTY = piped input)
+    if (!process.stdin.isTTY) {
+        return new Promise((resolve) => {
+            let data = '';
+            process.stdin.setEncoding('utf-8');
+            process.stdin.on('data', (chunk) => { data += chunk; });
+            process.stdin.on('end', () => { resolve(data || undefined); });
+            // Timeout after 100ms if no data
+            setTimeout(() => { resolve(undefined); }, 100);
+        });
+    }
+    return undefined;
+};
+/**
+ * Format response for output
+ */
+export const formatOutput = (data, flags) => {
+    if (flags.raw) {
+        return typeof data === 'string' ? data : JSON.stringify(data);
+    }
+    if (flags.table && Array.isArray(data)) {
+        return formatTable(data);
+    }
+    return JSON.stringify(data, null, 2);
+};
+/**
+ * Simple table formatter for array responses
+ */
+const formatTable = (data) => {
+    if (data.length === 0)
+        return '(empty)';
+    // Get columns from first item
+    const columns = Object.keys(data[0]);
+    // Calculate column widths
+    const widths = columns.map(col => Math.max(col.length, ...data.map(row => String(row[col] ?? '').length)));
+    // Header
+    const header = columns.map((col, i) => col.padEnd(widths[i])).join('  ');
+    const separator = widths.map(w => '─'.repeat(w)).join('──');
+    // Rows
+    const rows = data.map(row => columns.map((col, i) => String(row[col] ?? '').padEnd(widths[i])).join('  '));
+    return [header, separator, ...rows].join('\n');
+};

package/dist/lib/sign-api.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Sign API Client
+ *
+ * Extends SigV4ApiClient to provide generic request methods
+ * for the Sign CLI's dynamic command resolution.
+ *
+ * Domain-based: user runs "sign auth login --domain acme.vixsign.dev"
+ * and the bootstrap endpoint returns everything needed.
+ */
+import { SigV4ApiClient } from '@hyperdrive.bot/cli-auth';
+export declare class SignApiClient extends SigV4ApiClient {
+    constructor(domain?: string);
+    /**
+     * GET request to the primary API (tenants gateway)
+     */
+    get<T = unknown>(path: string): Promise<T>;
+    /**
+     * Make a signed request to an arbitrary full URL
+     * Used by the dynamic command resolver which already has the full apiGateway URL
+     */
+    request<T = unknown>(method: string, fullUrl: string, body?: Record<string, unknown>): Promise<T>;
+}
+/**
+ * Create a SignApiClient
+ */
+export declare const createSignClient: (domain?: string) => SignApiClient;

package/dist/lib/sign-api.js

@@ -0,0 +1,49 @@
+/**
+ * Sign API Client
+ *
+ * Extends SigV4ApiClient to provide generic request methods
+ * for the Sign CLI's dynamic command resolution.
+ *
+ * Domain-based: user runs "sign auth login --domain acme.vixsign.dev"
+ * and the bootstrap endpoint returns everything needed.
+ */
+import { SigV4ApiClient } from '@hyperdrive.bot/cli-auth';
+const CLI_VERSION = '0.1.0';
+const SIGN_AUTH_CONFIG = {
+    appName: 'sign',
+    defaultRegion: process.env.SIGN_AWS_REGION || 'us-east-1',
+};
+export class SignApiClient extends SigV4ApiClient {
+    constructor(domain) {
+        super({
+            authConfig: SIGN_AUTH_CONFIG,
+            domain,
+            cliName: 'sign',
+            cliVersion: CLI_VERSION,
+            apiUrlOverride: process.env.SIGN_API_URL,
+            regionOverride: process.env.SIGN_AWS_REGION,
+        });
+    }
+    /**
+     * GET request to the primary API (tenants gateway)
+     */
+    async get(path) {
+        return this.makeSignedRequest('GET', path);
+    }
+    /**
+     * Make a signed request to an arbitrary full URL
+     * Used by the dynamic command resolver which already has the full apiGateway URL
+     */
+    async request(method, fullUrl, body) {
+        const url = new URL(fullUrl);
+        const baseUrl = `${url.protocol}//${url.host}`;
+        const path = url.pathname + url.search;
+        return this.makeSignedRequest(method, path, body, baseUrl);
+    }
+}
+/**
+ * Create a SignApiClient
+ */
+export const createSignClient = (domain) => {
+    return new SignApiClient(domain);
+};

package/oclif.manifest.json

@@ -0,0 +1,124 @@
+{
+  "commands": {
+    "api": {
+      "aliases": [],
+      "args": {
+        "method": {
+          "description": "HTTP method",
+          "name": "method",
+          "options": [
+            "GET",
+            "POST",
+            "PUT",
+            "PATCH",
+            "DELETE"
+          ],
+          "required": true
+        },
+        "path": {
+          "description": "API path (e.g., /folders, /documents/abc-123)",
+          "name": "path",
+          "required": true
+        }
+      },
+      "description": "Execute a raw API request (escape hatch)",
+      "examples": [
+        "<%= config.bin %> api GET /folders",
+        "<%= config.bin %> api POST /documents --body '{\"name\":\"My Doc\"}'",
+        "<%= config.bin %> api DELETE /folders/abc-123"
+      ],
+      "flags": {
+        "body": {
+          "char": "b",
+          "description": "Request body (JSON string)",
+          "name": "body",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "input": {
+          "char": "i",
+          "description": "Read body from file",
+          "name": "input",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "module": {
+          "char": "m",
+          "description": "Target module (for API Gateway routing)",
+          "name": "module",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "table": {
+          "description": "Format output as table",
+          "name": "table",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "raw": {
+          "description": "Raw output (no formatting)",
+          "name": "raw",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "api",
+      "pluginAlias": "@hyperdrive.bot/sign-cli",
+      "pluginName": "@hyperdrive.bot/sign-cli",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": true,
+      "relativePath": [
+        "dist",
+        "commands",
+        "api.js"
+      ]
+    },
+    "modules:list": {
+      "aliases": [],
+      "args": {},
+      "description": "List all available API resources and actions",
+      "examples": [
+        "<%= config.bin %> modules list",
+        "<%= config.bin %> modules list --json",
+        "<%= config.bin %> modules list --refresh"
+      ],
+      "flags": {
+        "json": {
+          "description": "Output as JSON",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "refresh": {
+          "description": "Force refresh the manifest cache",
+          "name": "refresh",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "modules:list",
+      "pluginAlias": "@hyperdrive.bot/sign-cli",
+      "pluginName": "@hyperdrive.bot/sign-cli",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": false,
+      "isESM": true,
+      "relativePath": [
+        "dist",
+        "commands",
+        "modules",
+        "list.js"
+      ]
+    }
+  },
+  "version": "0.1.3"
+}

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@hyperdrive.bot/sign-cli",
+  "description": "Sign CLI — runtime-discovered API client for the Sign platform",
+  "version": "0.1.3",
+  "author": "marcelomarra",
+  "bin": {
+    "sign": "./bin/run.js"
+  },
+  "dependencies": {
+    "@hyperdrive.bot/auth-plugin": "^0.1.0",
+    "@hyperdrive.bot/cli-auth": "^1.1.3",
+    "@oclif/core": "^4",
+    "@oclif/plugin-help": "^6",
+    "@oclif/plugin-not-found": "^3.1.8",
+    "chalk": "^5.3.0",
+    "cli-table3": "^0.6.5",
+    "ora": "^8.0.1"
+  },
+  "devDependencies": {
+    "@types/node": "^18",
+    "oclif": "^4",
+    "ts-node": "^10",
+    "typescript": "^5"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "bin/",
+    "/dist",
+    "/oclif.manifest.json"
+  ],
+  "license": "MIT",
+  "main": "dist/index.js",
+  "type": "module",
+  "oclif": {
+    "bin": "sign",
+    "dirname": "sign",
+    "commands": "./dist/commands",
+    "plugins": [
+      "@oclif/plugin-help",
+      "@oclif/plugin-not-found",
+      "@hyperdrive.bot/auth-plugin"
+    ],
+    "hooks": {
+      "command_not_found": "./dist/hooks/command-not-found"
+    },
+    "authPlugin": {
+      "appName": "sign",
+      "displayName": "Sign",
+      "defaultBootstrapUrl": "https://oo2wp0ax27.execute-api.us-east-1.amazonaws.com/dev/tenant/bootstrap-dev",
+      "envPrefix": "SIGN",
+      "ciTokenPrefix": "sign_sk_",
+      "primaryApiName": "sign"
+    },
+    "topicSeparator": " "
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist",
+    "test": "echo 'No tests yet'",
+    "postpack": "rm -f oclif.manifest.json",
+    "prepack": "npm run build && oclif manifest"
+  }
+}