@inteeka/task-cli 0.2.20 → 0.2.22

package/dist/cli.js

@@ -3232,6 +3232,15 @@ async function jsonRequest(url, init) {
     return { ok: true, status: res.statusCode, data: env?.data ?? body, nonce: nonceStr };
   }
   const errBody = body;
+  if (res.statusCode === 401 || res.statusCode === 403) {
+    const reqId = errBody?.error?.request_id ?? "";
+    const code = errBody?.error?.code ?? `HTTP_${res.statusCode}`;
+    const msg = errBody?.error?.message ?? "(no message)";
+    process.stderr.write(
+      `[scan/api] ${res.statusCode} on ${url} \u2014 code=${code} request_id=${reqId} message=${msg}
+`
+    );
+  }
   return {
     ok: false,
     status: res.statusCode,
@@ -3239,18 +3248,48 @@ async function jsonRequest(url, init) {
     message: errBody?.error?.message ?? `Request failed with status ${res.statusCode}`
   };
 }
+var FRESH_CRED_CACHE_MS = 5e3;
 var AutopilotApi = class {
-  creds;
+  /**
+   * @deprecated retained only to satisfy the constructor signature for
+   * callers passing an initial snapshot. NEVER read this in any method —
+   * always go through `getFreshCreds()` so an on-disk rotation triggered
+   * by the listener heartbeat or another CLI process during a long-running
+   * scan is observed before the next user-bearer call.
+   */
+  initialCreds;
+  cachedCreds = null;
+  cachedAt = 0;
   constructor(opts) {
-    this.creds = opts.creds;
+    this.initialCreds = opts.creds;
+    this.cachedCreds = opts.creds;
+    this.cachedAt = Date.now();
     this.apiUrl = opts.apiUrl;
   }
   apiUrl;
+  /**
+   * Returns a credentials object that's been re-read from disk (and
+   * refreshed via the file-locked HTTP path if expired) within the last
+   * FRESH_CRED_CACHE_MS. Replaces the previous "cached at construction
+   * time" model which produced UNAUTHORIZED 401s mid-scan when the
+   * listener heartbeat rotated the on-disk pair under us.
+   */
+  async getFreshCreds() {
+    if (this.cachedCreds && Date.now() - this.cachedAt < FRESH_CRED_CACHE_MS) {
+      return this.cachedCreds;
+    }
+    const onDisk = await readCredentials();
+    const base = onDisk ?? this.cachedCreds ?? this.initialCreds;
+    const fresh = await ensureFreshAccessToken(base);
+    this.cachedCreds = fresh;
+    this.cachedAt = Date.now();
+    return fresh;
+  }
   async userHeaders() {
-    this.creds = await ensureFreshAccessToken(this.creds);
+    const creds = await this.getFreshCreds();
     return {
       "Content-Type": "application/json",
-      Authorization: `Bearer ${this.creds.access_token}`,
+      Authorization: `Bearer ${creds.access_token}`,
       "User-Agent": "task-cli/scan"
     };
   }
@@ -3842,6 +3881,7 @@ ${c.bold(`${project.organisation_slug}/${project.project_slug}`)} ${c.dim(`(${pr
   let fatal = null;
   try {
     while (!args.isInterrupted()) {
+      if (agg.submitted >= maxSubmits) break;
       let prepared;
       try {
         prepared = await api.prepare(skillToken, batchSize, randomUUID2());
@@ -3894,6 +3934,7 @@ ${c.bold(`${project.organisation_slug}/${project.project_slug}`)} ${c.dim(`(${pr
             spinner?.succeed(`#${ticket.sequence_number} ready`);
           }
           inFlight.delete(ticket.ticket_id);
+          if (agg.submitted >= maxSubmits) break;
         } catch (err) {
           agg.failed += 1;
           spinner?.fail(`#${ticket.sequence_number} ${err.message.slice(0, 200)}`);
@@ -5617,7 +5658,7 @@ function checkBinary(name, command) {
 }
 
 // src/commands/version.ts
-var CLI_VERSION = true ? "0.2.20" : "0.0.0-dev";
+var CLI_VERSION = true ? "0.2.22" : "0.0.0-dev";
 function registerVersion(program2) {
   program2.command("version").description("Print the CLI version").action(() => {
     process.stdout.write(CLI_VERSION + "\n");