@ishlabs/cli 0.8.1 → 0.8.2

package/dist/lib/profile-sources.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Audience source upload + processing lifecycle.
+ *
+ * Mirrors the frontend flow in ensure-sources-processed.ts and
+ * UploadSection.tsx:
+ *   1. POST /tester-profiles/sources/initiate → signed URL + source_id
+ *   2. PUT  signed_url                         → upload bytes (x-upsert: true)
+ *   3. POST /tester-profiles/sources/{id}/confirm → kick off parse / transcribe
+ *   4. GET  /tester-profiles/sources/{id}      → poll until terminal status
+ *
+ * Distinct from the study upload in upload.ts: different endpoints and a
+ * fourth polling step because text/image are parsed inline but audio is
+ * transcribed by an async worker.
+ */
+import type { ApiClient } from "./api-client.js";
+import type { AudienceSource, SourceKind } from "./types.js";
+/**
+ * Map a local file to the backend's SourceKind enum.
+ * Throws if the extension/MIME isn't recognized — caller can pass an
+ * explicit `kind` to override.
+ */
+export declare function inferSourceKind(filePath: string): SourceKind;
+export declare function isUuid(value: string): boolean;
+/** Poll a source until it reaches a terminal status or the timeout fires. */
+export declare function pollSourceUntilTerminal(client: ApiClient, sourceId: string, timeoutMs?: number): Promise<AudienceSource>;
+export interface UploadAndProcessOpts {
+    productId: string;
+    filePath: string;
+    kind?: SourceKind;
+    description?: string;
+    diarize?: boolean;
+    /** When false, return after confirm without polling. Default true. */
+    wait?: boolean;
+    timeoutMs?: number;
+    /** Print progress lines to stderr. Default true unless quiet. */
+    quiet?: boolean;
+}
+/** Run the full initiate → PUT → confirm → poll cycle for a single file. */
+export declare function uploadAndProcessSource(client: ApiClient, opts: UploadAndProcessOpts): Promise<AudienceSource>;
+export interface ResolveSourceRefOpts {
+    productId: string;
+    description?: string;
+    diarize?: boolean;
+    wait?: boolean;
+    timeoutMs?: number;
+    quiet?: boolean;
+}
+/**
+ * Resolve a `--source` value: a UUID is returned as-is; a local path is
+ * uploaded and the resulting source ID is returned.
+ *
+ * If a UUID-shaped string is provided but turns out not to be a real
+ * source, the backend rejects it on /generate — no need to pre-check.
+ */
+export declare function resolveSourceRef(client: ApiClient, value: string, opts: ResolveSourceRefOpts): Promise<string>;

package/dist/lib/profile-sources.js

@@ -0,0 +1,157 @@
+/**
+ * Audience source upload + processing lifecycle.
+ *
+ * Mirrors the frontend flow in ensure-sources-processed.ts and
+ * UploadSection.tsx:
+ *   1. POST /tester-profiles/sources/initiate → signed URL + source_id
+ *   2. PUT  signed_url                         → upload bytes (x-upsert: true)
+ *   3. POST /tester-profiles/sources/{id}/confirm → kick off parse / transcribe
+ *   4. GET  /tester-profiles/sources/{id}      → poll until terminal status
+ *
+ * Distinct from the study upload in upload.ts: different endpoints and a
+ * fourth polling step because text/image are parsed inline but audio is
+ * transcribed by an async worker.
+ */
+import { readFile } from "node:fs/promises";
+import { basename, extname, resolve as resolvePath } from "node:path";
+import { detectMimeType, validateFile } from "./upload.js";
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const POLL_INTERVAL_MS = 2_000;
+const DEFAULT_POLL_TIMEOUT_MS = 300_000; // 5 min — matches frontend
+const TERMINAL_STATUSES = new Set(["processed", "failed"]);
+const AUDIO_EXTS = new Set([".mp3", ".wav", ".m4a", ".ogg", ".flac", ".aac"]);
+const IMAGE_EXTS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".bmp"]);
+const TEXT_EXTS = new Set([
+    ".pdf",
+    ".txt",
+    ".md",
+    ".csv",
+    ".json",
+    ".html",
+    ".htm",
+    ".doc",
+    ".docx",
+]);
+/**
+ * Map a local file to the backend's SourceKind enum.
+ * Throws if the extension/MIME isn't recognized — caller can pass an
+ * explicit `kind` to override.
+ */
+export function inferSourceKind(filePath) {
+    const ext = extname(filePath).toLowerCase();
+    if (AUDIO_EXTS.has(ext))
+        return "audio";
+    if (IMAGE_EXTS.has(ext))
+        return "image";
+    if (TEXT_EXTS.has(ext))
+        return "text_file";
+    // Fallback to MIME type
+    const mime = detectMimeType(filePath);
+    if (mime.startsWith("audio/"))
+        return "audio";
+    if (mime.startsWith("image/"))
+        return "image";
+    if (mime === "application/pdf" ||
+        mime.startsWith("text/") ||
+        mime === "application/json" ||
+        mime.includes("officedocument")) {
+        return "text_file";
+    }
+    throw new Error(`Cannot infer source kind for ${filePath}. Pass --kind text_file|audio|image to override.`);
+}
+export function isUuid(value) {
+    return UUID_RE.test(value);
+}
+/** PUT the file bytes to the Supabase signed URL. */
+async function putFileToSignedUrl(signedUrl, filePath, mime) {
+    const buffer = await readFile(filePath);
+    // Supabase signed-upload endpoint authenticates via the ?token=... query
+    // string already in the URL. Adding Authorization: Bearer here makes
+    // Supabase fall through to JWT validation and 400s on PDFs (see frontend
+    // putAudienceSourceFile comment).
+    const res = await fetch(signedUrl, {
+        method: "PUT",
+        headers: {
+            "Content-Type": mime,
+            "x-upsert": "true",
+        },
+        body: buffer,
+        signal: AbortSignal.timeout(300_000),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`Source upload failed (HTTP ${res.status} ${res.statusText})${body ? ` — ${body.slice(0, 500)}` : ""}`);
+    }
+}
+/** Poll a source until it reaches a terminal status or the timeout fires. */
+export async function pollSourceUntilTerminal(client, sourceId, timeoutMs = DEFAULT_POLL_TIMEOUT_MS) {
+    const deadline = Date.now() + timeoutMs;
+    while (true) {
+        const source = await client.get(`/tester-profiles/sources/${sourceId}`);
+        if (TERMINAL_STATUSES.has(source.status))
+            return source;
+        if (Date.now() >= deadline) {
+            throw new Error(`Timed out after ${Math.round(timeoutMs / 1000)}s waiting for source ${sourceId} (status: ${source.status})`);
+        }
+        await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
+    }
+}
+/** Run the full initiate → PUT → confirm → poll cycle for a single file. */
+export async function uploadAndProcessSource(client, opts) {
+    const resolved = resolvePath(opts.filePath);
+    const { mime } = await validateFile(opts.filePath);
+    const fileName = basename(resolved);
+    const kind = opts.kind ?? inferSourceKind(opts.filePath);
+    const log = (msg) => {
+        if (!opts.quiet)
+            process.stderr.write(msg);
+    };
+    log(`Uploading ${fileName}…`);
+    const init = await client.post("/tester-profiles/sources/initiate", {
+        product_id: opts.productId,
+        file_name: fileName,
+        content_type: mime,
+        kind,
+    }, { timeout: 60_000 });
+    await putFileToSignedUrl(init.signed_url, resolved, mime);
+    const confirmed = await client.post(`/tester-profiles/sources/${init.source_id}/confirm`, {
+        diarize: opts.diarize,
+        description: opts.description,
+    }, { timeout: 60_000 });
+    if (opts.wait === false) {
+        log(` ${confirmed.status}.\n`);
+        return confirmed;
+    }
+    if (TERMINAL_STATUSES.has(confirmed.status)) {
+        log(` ${confirmed.status}.\n`);
+        return confirmed;
+    }
+    log(" processing…");
+    const final = await pollSourceUntilTerminal(client, init.source_id, opts.timeoutMs ?? DEFAULT_POLL_TIMEOUT_MS);
+    log(` ${final.status}.\n`);
+    return final;
+}
+/**
+ * Resolve a `--source` value: a UUID is returned as-is; a local path is
+ * uploaded and the resulting source ID is returned.
+ *
+ * If a UUID-shaped string is provided but turns out not to be a real
+ * source, the backend rejects it on /generate — no need to pre-check.
+ */
+export async function resolveSourceRef(client, value, opts) {
+    if (isUuid(value))
+        return value;
+    const source = await uploadAndProcessSource(client, {
+        productId: opts.productId,
+        filePath: value,
+        description: opts.description,
+        diarize: opts.diarize,
+        wait: opts.wait,
+        timeoutMs: opts.timeoutMs,
+        quiet: opts.quiet,
+    });
+    if (source.status === "failed") {
+        throw new Error(`Source ${source.original_filename} failed to process: ${source.error ?? "unknown error"}`);
+    }
+    return source.id;
+}

package/dist/lib/site-access.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Site-access helpers — workspace-level credentials for gated test sites.
+ *
+ * Site-access is stored as product-level secrets with reserved keys. The
+ * backend enforces pair invariants (e.g. BASIC_AUTH_USERNAME and
+ * BASIC_AUTH_PASSWORD must be created together), so new keys must go through
+ * the batch endpoint while updates to existing keys go through PUT.
+ *
+ * Key constants are kept in sync with the frontend at
+ * /ish-frontend/src/lib/site-access/secret-keys.ts.
+ */
+import type { ApiClient } from "./api-client.js";
+import type { Secret, SecretScope, SecretVariableType } from "./types.js";
+export declare const SITE_ACCESS_KEYS: {
+    readonly basicAuthUsername: "BASIC_AUTH_USERNAME";
+    readonly basicAuthPassword: "BASIC_AUTH_PASSWORD";
+    readonly basicAuthOrigin: "BASIC_AUTH_ORIGIN";
+    readonly loginUsername: "LOGIN_USERNAME";
+    readonly loginPassword: "LOGIN_PASSWORD";
+    readonly sessionCookieName: "SESSION_COOKIE_NAME";
+    readonly sessionCookieValue: "SESSION_COOKIE_VALUE";
+    readonly sessionCookieOrigin: "SESSION_COOKIE_ORIGIN";
+    readonly publicAffirmedOrigin: "SITE_ACCESS_PUBLIC_AFFIRMED_ORIGIN";
+};
+export type SiteAccessKey = (typeof SITE_ACCESS_KEYS)[keyof typeof SITE_ACCESS_KEYS];
+/** Bare-origin form (`https://host[:port]`) used for credential binding. */
+export declare function deriveOrigin(url: string | undefined | null): string | null;
+export interface SiteAccessState {
+    /** Indexed view of every site-access secret currently on the product. */
+    byKey: Map<string, Secret>;
+    hasBasicAuth: boolean;
+    hasSessionCookie: boolean;
+    hasLoginCreds: boolean;
+    publicAffirmedOrigin: string | null;
+    basicAuthOrigin: string | null;
+    sessionCookieOrigin: string | null;
+}
+export declare function loadSiteAccess(client: ApiClient, productId: string): Promise<SiteAccessState>;
+export interface WriteItem {
+    key: string;
+    value: string;
+    scope: SecretScope;
+    variable_type: SecretVariableType;
+}
+/**
+ * Apply a set of paired-key writes. Keys that don't yet exist go through the
+ * batch endpoint in one request — the backend's pair invariant is checked
+ * once against the projected union, not per-item where the first POST would
+ * always fail with "missing pair member". Existing keys are updated via PUT.
+ *
+ * Mirrors useSiteAccessSecrets.applySaveInstructions in the frontend.
+ */
+export declare function applySiteAccessWrites(client: ApiClient, productId: string, state: SiteAccessState, items: WriteItem[]): Promise<void>;
+export declare function deleteSiteAccessKeys(client: ApiClient, productId: string, state: SiteAccessState, keys: string[]): Promise<number>;
+/** Methods the user can clear individually. */
+export type SiteAccessMethod = "basic-auth" | "cookie" | "login" | "public" | "all";
+export declare function keysForMethod(method: SiteAccessMethod): string[];
+/**
+ * Saving any credential clears the public-affirmed flag (matches frontend).
+ * Returns true if a flag was actually cleared, false if no flag was set.
+ */
+export declare function clearPublicAffirmation(client: ApiClient, productId: string, state: SiteAccessState): Promise<boolean>;
+export interface SiteAccessSummary {
+    basic_auth: {
+        configured: boolean;
+        origin: string | null;
+    };
+    session_cookie: {
+        configured: boolean;
+        origin: string | null;
+    };
+    login: {
+        configured: boolean;
+    };
+    public_affirmed: {
+        affirmed: boolean;
+        origin: string | null;
+    };
+}
+export declare function summarize(state: SiteAccessState): SiteAccessSummary;

package/dist/lib/site-access.js

@@ -0,0 +1,188 @@
+/**
+ * Site-access helpers — workspace-level credentials for gated test sites.
+ *
+ * Site-access is stored as product-level secrets with reserved keys. The
+ * backend enforces pair invariants (e.g. BASIC_AUTH_USERNAME and
+ * BASIC_AUTH_PASSWORD must be created together), so new keys must go through
+ * the batch endpoint while updates to existing keys go through PUT.
+ *
+ * Key constants are kept in sync with the frontend at
+ * /ish-frontend/src/lib/site-access/secret-keys.ts.
+ */
+export const SITE_ACCESS_KEYS = {
+    basicAuthUsername: "BASIC_AUTH_USERNAME",
+    basicAuthPassword: "BASIC_AUTH_PASSWORD",
+    basicAuthOrigin: "BASIC_AUTH_ORIGIN",
+    loginUsername: "LOGIN_USERNAME",
+    loginPassword: "LOGIN_PASSWORD",
+    sessionCookieName: "SESSION_COOKIE_NAME",
+    sessionCookieValue: "SESSION_COOKIE_VALUE",
+    sessionCookieOrigin: "SESSION_COOKIE_ORIGIN",
+    publicAffirmedOrigin: "SITE_ACCESS_PUBLIC_AFFIRMED_ORIGIN",
+};
+const ALL_SITE_ACCESS_KEYS = Object.values(SITE_ACCESS_KEYS);
+/** Bare-origin form (`https://host[:port]`) used for credential binding. */
+export function deriveOrigin(url) {
+    if (!url || !url.trim())
+        return null;
+    let candidate = url.trim();
+    if (!/^https?:\/\//i.test(candidate)) {
+        candidate = `https://${candidate}`;
+    }
+    try {
+        const parsed = new URL(candidate);
+        if (!parsed.host)
+            return null;
+        return `${parsed.protocol}//${parsed.host}`;
+    }
+    catch {
+        return null;
+    }
+}
+export async function loadSiteAccess(client, productId) {
+    const all = await client.get(`/products/${productId}/secrets`);
+    const byKey = new Map();
+    for (const s of all) {
+        if (ALL_SITE_ACCESS_KEYS.includes(s.key))
+            byKey.set(s.key, s);
+    }
+    const hasBasicAuth = byKey.has(SITE_ACCESS_KEYS.basicAuthUsername) &&
+        byKey.has(SITE_ACCESS_KEYS.basicAuthPassword);
+    const hasSessionCookie = byKey.has(SITE_ACCESS_KEYS.sessionCookieName) &&
+        byKey.has(SITE_ACCESS_KEYS.sessionCookieValue);
+    const hasLoginCreds = byKey.has(SITE_ACCESS_KEYS.loginUsername) &&
+        byKey.has(SITE_ACCESS_KEYS.loginPassword);
+    const publicAffirmed = byKey.get(SITE_ACCESS_KEYS.publicAffirmedOrigin);
+    const basicOrigin = byKey.get(SITE_ACCESS_KEYS.basicAuthOrigin);
+    const cookieOrigin = byKey.get(SITE_ACCESS_KEYS.sessionCookieOrigin);
+    return {
+        byKey,
+        hasBasicAuth,
+        hasSessionCookie,
+        hasLoginCreds,
+        publicAffirmedOrigin: publicAffirmed ? await revealValue(client, productId, publicAffirmed.id) : null,
+        basicAuthOrigin: basicOrigin ? await revealValue(client, productId, basicOrigin.id) : null,
+        sessionCookieOrigin: cookieOrigin ? await revealValue(client, productId, cookieOrigin.id) : null,
+    };
+}
+/**
+ * Origin keys are stored as `variable_type: "variable"` (not secrets), so
+ * revealing them is safe — the frontend `SiteAccessDialog` does the same to
+ * pre-fill the URL field. We only reveal origin keys, never credentials.
+ */
+async function revealValue(client, productId, secretId) {
+    try {
+        const res = await client.get(`/products/${productId}/secrets/${secretId}/reveal`);
+        return res.value ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Apply a set of paired-key writes. Keys that don't yet exist go through the
+ * batch endpoint in one request — the backend's pair invariant is checked
+ * once against the projected union, not per-item where the first POST would
+ * always fail with "missing pair member". Existing keys are updated via PUT.
+ *
+ * Mirrors useSiteAccessSecrets.applySaveInstructions in the frontend.
+ */
+export async function applySiteAccessWrites(client, productId, state, items) {
+    const creates = [];
+    const updates = [];
+    for (const item of items) {
+        const existing = state.byKey.get(item.key);
+        if (existing) {
+            updates.push({ id: existing.id, value: item.value });
+        }
+        else {
+            creates.push({
+                key: item.key,
+                value: item.value,
+                scope: item.scope,
+                variable_type: item.variable_type,
+            });
+        }
+    }
+    if (creates.length > 0) {
+        await client.post(`/products/${productId}/secrets/batch`, { secrets: creates });
+    }
+    for (const u of updates) {
+        await client.put(`/products/${productId}/secrets/${u.id}`, { value: u.value });
+    }
+}
+export async function deleteSiteAccessKeys(client, productId, state, keys) {
+    const ids = [];
+    for (const key of keys) {
+        const existing = state.byKey.get(key);
+        if (!existing)
+            continue;
+        ids.push(existing.id);
+    }
+    if (ids.length === 0)
+        return 0;
+    await client.post(`/products/${productId}/secrets/batch-delete`, {
+        secret_ids: ids,
+    });
+    return ids.length;
+}
+export function keysForMethod(method) {
+    switch (method) {
+        case "basic-auth":
+            return [
+                SITE_ACCESS_KEYS.basicAuthUsername,
+                SITE_ACCESS_KEYS.basicAuthPassword,
+                SITE_ACCESS_KEYS.basicAuthOrigin,
+            ];
+        case "cookie":
+            return [
+                SITE_ACCESS_KEYS.sessionCookieName,
+                SITE_ACCESS_KEYS.sessionCookieValue,
+                SITE_ACCESS_KEYS.sessionCookieOrigin,
+            ];
+        case "login":
+            return [SITE_ACCESS_KEYS.loginUsername, SITE_ACCESS_KEYS.loginPassword];
+        case "public":
+            return [SITE_ACCESS_KEYS.publicAffirmedOrigin];
+        case "all":
+            return [
+                SITE_ACCESS_KEYS.basicAuthUsername,
+                SITE_ACCESS_KEYS.basicAuthPassword,
+                SITE_ACCESS_KEYS.basicAuthOrigin,
+                SITE_ACCESS_KEYS.sessionCookieName,
+                SITE_ACCESS_KEYS.sessionCookieValue,
+                SITE_ACCESS_KEYS.sessionCookieOrigin,
+                SITE_ACCESS_KEYS.loginUsername,
+                SITE_ACCESS_KEYS.loginPassword,
+                SITE_ACCESS_KEYS.publicAffirmedOrigin,
+            ];
+    }
+}
+/**
+ * Saving any credential clears the public-affirmed flag (matches frontend).
+ * Returns true if a flag was actually cleared, false if no flag was set.
+ */
+export async function clearPublicAffirmation(client, productId, state) {
+    const existing = state.byKey.get(SITE_ACCESS_KEYS.publicAffirmedOrigin);
+    if (!existing)
+        return false;
+    await client.del(`/products/${productId}/secrets/${existing.id}`);
+    return true;
+}
+export function summarize(state) {
+    return {
+        basic_auth: {
+            configured: state.hasBasicAuth,
+            origin: state.basicAuthOrigin,
+        },
+        session_cookie: {
+            configured: state.hasSessionCookie,
+            origin: state.sessionCookieOrigin,
+        },
+        login: { configured: state.hasLoginCreds },
+        public_affirmed: {
+            affirmed: state.publicAffirmedOrigin !== null,
+            origin: state.publicAffirmedOrigin,
+        },
+    };
+}

package/dist/lib/skill-content.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Agent Skill content for the `ish` CLI.
+ *
+ * Shipped inline as TypeScript constants so the same content is available
+ * in both `tsc`-compiled npm installs and `bun build --compile` single
+ * binaries (which don't bundle markdown files outside of TS imports).
+ *
+ * Spec: https://agentskills.io/specification (April 2026).
+ *
+ * Distribution model: `ish init` materialises this content as a real
+ * directory tree at the path the user picks. Native consumers:
+ *   - Claude Code           .claude/skills/ish/
+ *   - Codex / Cursor /      .agents/skills/ish/
+ *     Cline / Roo Code
+ */
+export interface SkillFile {
+    /** Path relative to the skill directory root. */
+    relativePath: string;
+    contents: string;
+}
+/** Returns every file that makes up the bundled skill, in stable order. */
+export declare function buildSkillFiles(): SkillFile[];
+/** Convenience: just the SKILL.md content (for `ish init --stdout`). */
+export declare function getSkillMd(): string;
+/** Where each agent product expects skills to live, relative to repo root. */
+export interface SkillTargetSpec {
+    key: "claude" | "agents";
+    path: string;
+    consumers: string[];
+}
+export declare const SKILL_TARGETS: SkillTargetSpec[];