@inteeka/task-cli 0.2.15 → 0.2.17

package/dist/cli.js

@@ -247,7 +247,7 @@ import open from "open";
 import ora from "ora";
 
 // src/config/credentials.ts
-import { mkdir, readFile, writeFile, unlink, chmod, stat } from "fs/promises";
+import { mkdir, readFile, writeFile, unlink, chmod, stat, rename } from "fs/promises";
 import { homedir } from "os";
 import { dirname, join } from "path";
 var CONFIG_DIR = join(homedir(), ".config", "task");
@@ -289,8 +289,10 @@ async function readCredentials() {
 }
 async function writeCredentials(creds) {
   await ensureDir(dirname(CREDENTIALS_PATH));
-  await writeFile(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
-  await chmod(CREDENTIALS_PATH, 384);
+  const tmpPath = `${CREDENTIALS_PATH}.${process.pid}.tmp`;
+  await writeFile(tmpPath, JSON.stringify(creds, null, 2), { mode: 384 });
+  await chmod(tmpPath, 384);
+  await rename(tmpPath, CREDENTIALS_PATH);
 }
 async function clearCredentials() {
   try {
@@ -1732,7 +1734,7 @@ async function runProjectTest(args) {
 }
 
 // src/util/progress.ts
-import { mkdir as mkdir6, writeFile as writeFile7, rename, unlink as unlink3, readdir, stat as stat2 } from "fs/promises";
+import { mkdir as mkdir6, writeFile as writeFile7, rename as rename2, unlink as unlink3, readdir, stat as stat2 } from "fs/promises";
 import { tmpdir } from "os";
 import { join as join7 } from "path";
 var PROGRESS_DIR = join7(tmpdir(), "task-progress");
@@ -1788,7 +1790,7 @@ var ProgressWriter = class {
     const tmp = `${this.path}.tmp`;
     try {
       await writeFile7(tmp, body, { encoding: "utf8", mode: 384 });
-      await rename(tmp, this.path);
+      await rename2(tmp, this.path);
     } catch {
       await unlink3(tmp).catch(() => {
       });
@@ -3050,14 +3052,17 @@ async function jsonRequest(url, init) {
   };
 }
 var AutopilotApi = class {
+  creds;
   constructor(opts) {
-    this.opts = opts;
+    this.creds = opts.creds;
+    this.apiUrl = opts.apiUrl;
   }
-  adminHeaders() {
+  apiUrl;
+  async userHeaders() {
+    this.creds = await ensureFreshAccessToken(this.creds);
     return {
       "Content-Type": "application/json",
-      Authorization: `Bearer ${this.opts.apiKey}`,
-      "X-Actor-Email": this.opts.actorEmail,
+      Authorization: `Bearer ${this.creds.access_token}`,
       "User-Agent": "task-cli/scan"
     };
   }
@@ -3070,12 +3075,13 @@ var AutopilotApi = class {
     };
   }
   async listEligibleProjects() {
-    const url = `${this.opts.apiUrl}/api/v1/cli/projects`;
+    const url = `${this.apiUrl}/api/v1/cli/projects`;
     const result = await jsonRequest(url, {
       method: "GET",
-      headers: this.adminHeaders()
+      headers: await this.userHeaders()
     });
     if (!result.ok) {
+      await handleUserAuthFailure(result.code, result.status);
       throw new CliError(
         autopilotExitCode(result.code, result.status),
         `${result.code}: ${result.message}`
@@ -3084,10 +3090,10 @@ var AutopilotApi = class {
     return result.data ?? [];
   }
   async issueSkillToken(args) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/issue-skill-token`;
+    const url = `${this.apiUrl}/api/v1/cli/issue-skill-token`;
     const result = await jsonRequest(url, {
       method: "POST",
-      headers: this.adminHeaders(),
+      headers: await this.userHeaders(),
       body: {
         project_id: args.project_id,
         scope: "fix_prompt_sync",
@@ -3096,6 +3102,7 @@ var AutopilotApi = class {
       }
     });
     if (!result.ok) {
+      await handleUserAuthFailure(result.code, result.status);
       throw new CliError(
         autopilotExitCode(result.code, result.status),
         `${result.code}: ${result.message}`
@@ -3104,7 +3111,7 @@ var AutopilotApi = class {
     return result.data;
   }
   async prepare(skillToken, batchSize, idempotencyKey) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/prepare`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/prepare`;
     const result = await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(skillToken, { "Idempotency-Key": idempotencyKey }),
@@ -3122,7 +3129,7 @@ var AutopilotApi = class {
     return result.data;
   }
   async submit(args) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/submit`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/submit`;
     const result = await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(args.skillToken, { "X-Prepare-Nonce": args.nonce }),
@@ -3148,7 +3155,7 @@ var AutopilotApi = class {
   }
   async abort(skillToken, ticketIds) {
     if (ticketIds.length === 0) return;
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/abort`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/abort`;
     await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(skillToken),
@@ -3156,7 +3163,7 @@ var AutopilotApi = class {
     }).catch(() => void 0);
   }
   async runSummary(skillToken, summary) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/run-summary`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/run-summary`;
     await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(skillToken),
@@ -3164,6 +3171,24 @@ var AutopilotApi = class {
     }).catch(() => void 0);
   }
 };
+async function handleUserAuthFailure(code, status) {
+  if (status === 401 && (code === "UNAUTHORIZED" || code === "TOKEN_EXPIRED")) {
+    await clearCredentials();
+    throw new CliError(
+      CLI_EXIT_CODES.UNAUTHORISED,
+      "Your CLI session is no longer valid",
+      "Run 'task login' to authenticate again."
+    );
+  }
+  if (status === 403 && code === "CLI_ACCESS_REVOKED") {
+    await clearCredentials();
+    throw new CliError(
+      CLI_EXIT_CODES.UNAUTHORISED,
+      "CLI access has been revoked",
+      "Ask a project admin to re-grant access from the Agentic CLI page."
+    );
+  }
+}
 function autopilotExitCode(code, status) {
   if (status === 401 || status === 403) return CLI_EXIT_CODES.UNAUTHORISED;
   if (code === "TIER_LIMIT_EXCEEDED" || code === "NO_GIT_INTEGRATION") {
@@ -3467,7 +3492,7 @@ function registerScan(program2) {
     "Restrict to one project (default: the linked project from .task/config.json, falling back to every visible project if the repo is not linked)"
   ).option(
     "--all-projects",
-    "Override the linked-project default and scan every CLI-eligible project the admin token can see"
+    "Override the linked-project default and scan every CLI-eligible project the signed-in user has cli_access on"
   ).option("--max <n>", "Max submissions per project token", "50").option("--batch <n>", "Tickets per /prepare batch (1-10)", "5").option("--api-url <url>", "Override TASK_API_URL").option("--silent", "Suppress per-ticket progress chrome").action(async (opts) => {
     await runScan(opts);
   });
@@ -3489,25 +3514,18 @@ async function runScan(opts) {
   }
 }
 async function runScanImpl(opts, progress) {
-  const apiKey = process.env["TASK_API_KEY"];
-  if (!apiKey || apiKey.length < 32) {
-    throw new CliError(
-      CLI_EXIT_CODES.MISCONFIGURATION,
-      "TASK_API_KEY is missing or shorter than 32 chars",
-      "Set TASK_API_KEY in your environment. The autopilot loop authenticates with the shared admin secret, not the per-user CLI bearer."
-    );
-  }
-  const actorEmail = process.env["TASK_API_KEY_OWNER_EMAIL"];
-  if (!actorEmail || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(actorEmail)) {
+  let creds = await readCredentials();
+  if (!creds) {
     throw new CliError(
       CLI_EXIT_CODES.MISCONFIGURATION,
-      "TASK_API_KEY_OWNER_EMAIL is not set or not a valid email",
-      "Set TASK_API_KEY_OWNER_EMAIL=<you@example.com>. The server records this on every audit row."
+      "Not signed in",
+      "Run 'task login' to authenticate. The scan autopilot uses the same per-user OAuth bearer as every other CLI command."
     );
   }
+  creds = await ensureFreshAccessToken(creds);
   const localCfg = await readLocalConfig();
   const linkedProject = await readProjectConfig(findRepoRoot());
-  const apiUrl = (opts.apiUrl ?? process.env["TASK_API_URL"] ?? localCfg.api_url ?? linkedProject?.api_url ?? "http://localhost:3400").replace(/\/$/, "");
+  const apiUrl = (opts.apiUrl ?? process.env["TASK_API_URL"] ?? creds.api_url ?? localCfg.api_url ?? linkedProject?.api_url ?? "http://localhost:3400").replace(/\/$/, "");
   const max = clampInt(opts.max, 1, 500, 50);
   const batchSize = clampInt(opts.batch, 1, 10, 5);
   const silent = !!opts.silent || localCfg.silent;
@@ -3526,7 +3544,7 @@ async function runScanImpl(opts, progress) {
     projectFilter = linkedProject.project_id;
     filterSource = "link";
   }
-  const api = new AutopilotApi({ apiUrl, apiKey, actorEmail });
+  const api = new AutopilotApi({ apiUrl, creds });
   if (!silent) process.stdout.write(`${c.dim("Discovering eligible projects\u2026")}
 `);
   const all = await api.listEligibleProjects();
@@ -3542,7 +3560,7 @@ async function runScanImpl(opts, progress) {
       throw new CliError(
         CLI_EXIT_CODES.GENERIC_ERROR,
         `Linked project ${linkedProject.organisation_slug}/${linkedProject.project_slug} has no CLI-eligible tickets right now`,
-        "Mark a ticket as CLI-eligible from the dashboard, or pass --all-projects to scan everything the admin token can see."
+        "Mark a ticket as CLI-eligible from the dashboard, or pass --all-projects to scan every project you have cli_access on."
       );
     }
     throw new CliError(
@@ -4868,26 +4886,37 @@ import { request as request5 } from "undici";
 var ALLOWED_TEST_EXECUTABLES = /* @__PURE__ */ new Set(["pnpm", "npm", "yarn", "bun", "node", "npx"]);
 var DEFAULT_TEST_COMMAND = "pnpm typecheck";
 function registerDoctor(program2) {
-  program2.command("doctor").description("Diagnose your CLI setup").option("--fix", "attempt to auto-remediate fixable problems (e.g. add a typecheck script)").action(async (opts) => {
+  program2.command("doctor").description(
+    "Diagnose your CLI setup \u2014 Identity (who you are signed in as) first, then Setup checks"
+  ).option("--fix", "attempt to auto-remediate fixable problems (e.g. add a typecheck script)").action(async (opts) => {
     const checks = [];
     const creds = await readCredentials();
+    let accessLite = null;
+    if (creds) {
+      accessLite = await fetchAccessLite();
+    }
+    const authDetail = creds ? renderAuthDetail(creds.email, creds.access_expires_at, accessLite) : "not signed in \u2014 run 'task login'";
     checks.push({
+      group: "identity",
       name: "auth",
-      ok: !!creds,
-      detail: creds ? `signed in as ${creds.email ?? "(unknown)"}, expires ${creds.access_expires_at}` : "not signed in \u2014 run 'task login'"
+      ok: !!creds && (accessLite?.has_access ?? true),
+      detail: authDetail,
+      remediation: !creds ? "run 'task login' to authenticate" : accessLite && !accessLite.has_access ? "Your account has no project with cli_access \u2014 ask an admin to grant access on the Agentic CLI page." : void 0
     });
     const root = findRepoRoot();
     const project = await readProjectConfig(root);
     checks.push({
+      group: "identity",
       name: "project link",
       ok: !!project,
       detail: project ? `${project.organisation_slug}/${project.project_slug}` : "no link \u2014 run 'task link'"
     });
     const cfg = await readLocalConfig();
-    checks.push(checkBinary("claude", cfg.claude_path ?? "claude"));
-    checks.push(checkBinary("git", "git"));
+    checks.push({ group: "setup", ...checkBinary("claude", cfg.claude_path ?? "claude") });
+    checks.push({ group: "setup", ...checkBinary("git", "git") });
     const { kind } = getSchedulerAdapter();
     checks.push({
+      group: "setup",
       name: "scheduler",
       ok: kind !== "unsupported",
       detail: kind === "unsupported" ? "unsupported platform" : kind
@@ -4901,12 +4930,14 @@ function registerDoctor(program2) {
       });
       await res.body.dump();
       checks.push({
+        group: "setup",
         name: "api reachable",
         ok: true,
         detail: `${apiUrl} (HTTP ${res.statusCode})`
       });
     } catch (err) {
       checks.push({
+        group: "setup",
         name: "api reachable",
         ok: false,
         detail: `${apiUrl}: ${err.message}`
@@ -4917,6 +4948,7 @@ function registerDoctor(program2) {
       try {
         const exists = remoteBranchExists(root, baseBranch);
         checks.push({
+          group: "setup",
           name: "base branch on origin",
           ok: exists,
           detail: exists ? `origin/${baseBranch} reachable` : `origin has no branch "${baseBranch}"`,
@@ -4924,6 +4956,7 @@ function registerDoctor(program2) {
         });
       } catch (err) {
         checks.push({
+          group: "setup",
           name: "base branch on origin",
           ok: false,
           detail: err instanceof CliError ? err.message : `could not check origin: ${err.message}`,
@@ -4937,41 +4970,57 @@ function registerDoctor(program2) {
         encoding: "utf8"
       }).trim();
       checks.push({
+        group: "setup",
         name: "working tree",
         ok: dirty.length === 0,
         detail: dirty.length === 0 ? "clean" : "has uncommitted changes"
       });
     } catch {
-      checks.push({ name: "working tree", ok: false, detail: "not in a git repo" });
+      checks.push({
+        group: "setup",
+        name: "working tree",
+        ok: false,
+        detail: "not in a git repo"
+      });
     }
     const testCheck = await checkPrePushTest(
       root,
       project?.cli_test_command ?? null,
       opts.fix === true
     );
-    checks.push(testCheck);
+    checks.push({ group: "setup", ...testCheck });
     let inFlight = [];
     if (creds && project) {
       inFlight = await listInFlightTickets(project.project_id, root);
       checks.push({
+        group: "setup",
         name: "in-flight tickets",
         ok: true,
         detail: inFlight.length === 0 ? "none" : `${inFlight.length} ticket(s) waiting to be resumed`
       });
     }
     let allOk = true;
-    for (const check of checks) {
-      const sym = check.ok ? c.ok("\u2713") : c.err("\u2717");
-      process.stdout.write(`${sym} ${check.name.padEnd(20)} ${c.dim(check.detail)}
+    const renderGroup = (label, group) => {
+      const groupChecks = checks.filter((ch) => ch.group === group);
+      if (groupChecks.length === 0) return;
+      process.stdout.write(`${c.bold(label)}
+`);
+      for (const check of groupChecks) {
+        const sym = check.ok ? c.ok("\u2713") : c.err("\u2717");
+        process.stdout.write(`${sym} ${check.name.padEnd(20)} ${c.dim(check.detail)}
 `);
-      if (!check.ok) {
-        allOk = false;
-        if (check.remediation) {
-          process.stdout.write(`  ${c.dim("\u2192 " + check.remediation)}
+        if (!check.ok) {
+          allOk = false;
+          if (check.remediation) {
+            process.stdout.write(`  ${c.dim("\u2192 " + check.remediation)}
 `);
+          }
         }
       }
-    }
+    };
+    renderGroup("Identity", "identity");
+    process.stdout.write("\n");
+    renderGroup("Setup", "setup");
     for (const t of inFlight) {
       const status = t.branchPresent ? c.ok("local branch present") : c.err("local branch missing");
       process.stdout.write(
@@ -4982,6 +5031,24 @@ function registerDoctor(program2) {
     if (!allOk) process.exit(1);
   });
 }
+async function fetchAccessLite() {
+  try {
+    return await apiCallOrThrow("GET", "/api/v1/cli/access");
+  } catch {
+    return null;
+  }
+}
+function renderAuthDetail(email, expiresAt, access2) {
+  const who = `signed in as ${email ?? "(unknown)"}`;
+  const expiry = `expires ${expiresAt}`;
+  if (!access2) return `${who}, ${expiry}`;
+  if (access2.projects.length === 0) {
+    return `${who}, ${expiry}, no cli_access projects`;
+  }
+  const sample = access2.projects.slice(0, 3).map((p) => `${p.organisation_slug}/${p.slug}`).join(", ");
+  const more = access2.projects.length > 3 ? `, +${access2.projects.length - 3} more` : "";
+  return `${who}, ${expiry}, ${access2.projects.length} project${access2.projects.length === 1 ? "" : "s"} (${sample}${more})`;
+}
 async function listInFlightTickets(projectId, cwd) {
   const result = await apiCall(
     "GET",
@@ -5113,7 +5180,7 @@ function checkBinary(name, command) {
 }
 
 // src/commands/version.ts
-var CLI_VERSION = true ? "0.2.15" : "0.0.0-dev";
+var CLI_VERSION = true ? "0.2.17" : "0.0.0-dev";
 function registerVersion(program2) {
   program2.command("version").description("Print the CLI version").action(() => {
     process.stdout.write(CLI_VERSION + "\n");