@ishlabs/cli 0.8.1 → 0.8.2

package/dist/commands/workspace.js

@@ -1,14 +1,22 @@
 /**
  * ish workspace — Manage workspaces (API: /products).
  */
-import { withClient, getWebUrl, terminalLink } from "../lib/command-helpers.js";
+import { withClient, getWebUrl, terminalLink, resolveWorkspace } from "../lib/command-helpers.js";
 import { resolveId, tagAlias, ALIAS_PREFIX } from "../lib/alias-store.js";
 import { loadConfig, saveConfig } from "../config.js";
-import { formatWorkspaceList, formatWorkspaceDetail, output } from "../lib/output.js";
+import { formatWorkspaceList, formatWorkspaceDetail, formatSiteAccessStatus, output } from "../lib/output.js";
+import { SITE_ACCESS_KEYS, applySiteAccessWrites, clearPublicAffirmation, deleteSiteAccessKeys, deriveOrigin, keysForMethod, loadSiteAccess, summarize, } from "../lib/site-access.js";
 export function registerWorkspaceCommands(program) {
     const workspace = program
         .command("workspace")
-        .description("Manage workspaces");
+        .description("Manage workspaces")
+        .addHelpText("after", `
+A workspace is the top-level container — one per product. Studies, asks, profiles, sources,
+and configs all belong to exactly one workspace. \`ish workspace site-access\` configures
+credentials for gated study URLs (basic auth, session cookie, or login form).
+
+Concept pages: ish docs get-page concepts/workspace
+                ish docs get-page concepts/site-access`);
     workspace
         .command("list")
         .description("List all workspaces")
@@ -37,7 +45,7 @@ export function registerWorkspaceCommands(program) {
             const result = data;
             if (result.id)
                 result.alias = tagAlias(ALIAS_PREFIX.workspace, String(result.id));
-            formatWorkspaceDetail(result, globals.json);
+            formatWorkspaceDetail(result, globals.json, { writePath: true });
             if (!globals.json && data.id) {
                 const url = getWebUrl(globals, `/${data.id}`);
                 console.error(`\n  ${terminalLink(url, "Open in browser ↗")}\n`);
@@ -88,7 +96,7 @@ export function registerWorkspaceCommands(program) {
             const result = data;
             if (result.id)
                 result.alias = tagAlias(ALIAS_PREFIX.workspace, String(result.id));
-            formatWorkspaceDetail(result, globals.json);
+            formatWorkspaceDetail(result, globals.json, { writePath: true });
         });
     });
     workspace
@@ -98,10 +106,12 @@ export function registerWorkspaceCommands(program) {
         .addHelpText("after", "\nExamples:\n  $ ish workspace delete <id>")
         .action(async (id, _opts, cmd) => {
         await withClient(cmd, async (client, globals) => {
-            await client.del(`/products/${resolveId(id)}`);
-            output({ message: "Workspace deleted" }, globals.json);
+            const rid = resolveId(id);
+            await client.del(`/products/${rid}`);
+            output({ id: rid, alias: tagAlias(ALIAS_PREFIX.workspace, rid), message: "Workspace deleted" }, globals.json, { writePath: true });
         });
     });
+    registerSiteAccessCommands(workspace);
     workspace
         .command("use")
         .description("Set the active workspace (saved to ~/.ish/config.json)")
@@ -131,3 +141,179 @@ export function registerWorkspaceCommands(program) {
         });
     });
 }
+// ---------------------------------------------------------------------------
+// site-access — workspace-level credentials for gated test sites.
+// Stored as product secrets with reserved keys (see src/lib/site-access.ts).
+// ---------------------------------------------------------------------------
+/** Read a flag value, treating "-" as "read from stdin" (whitespace stripped). */
+async function readSecretFlag(raw) {
+    if (raw !== "-")
+        return raw;
+    if (process.stdin.isTTY) {
+        throw new Error('Use "-" only when piping the value on stdin.');
+    }
+    return await new Promise((resolve, reject) => {
+        let data = "";
+        process.stdin.setEncoding("utf-8");
+        process.stdin.on("data", (chunk) => { data += chunk; });
+        process.stdin.on("end", () => resolve(data.replace(/\r?\n$/, "")));
+        process.stdin.on("error", reject);
+    });
+}
+async function resolveOriginForWriting(client, workspaceId, explicit) {
+    if (explicit) {
+        const derived = deriveOrigin(explicit);
+        if (!derived) {
+            throw new Error(`Invalid --origin: "${explicit}". Provide a URL like https://example.com.`);
+        }
+        return derived;
+    }
+    const product = await client.get(`/products/${workspaceId}`);
+    const derived = deriveOrigin(product.base_url);
+    if (!derived) {
+        throw new Error('No --origin provided and the workspace has no base_url set. ' +
+            'Run `ish workspace update <id> --base-url https://your-site.com` first, or pass --origin explicitly.');
+    }
+    return derived;
+}
+function registerSiteAccessCommands(workspace) {
+    const sa = workspace
+        .command("site-access")
+        .description("Manage credentials for gated test sites (basic auth, session cookie, login form)");
+    sa
+        .command("status")
+        .description("Show which site-access methods are configured")
+        .option("--workspace <id>", "Workspace ID; defaults to active workspace")
+        .addHelpText("after", "\nExamples:\n  $ ish workspace site-access status\n  $ ish workspace site-access status --json")
+        .action(async (opts, cmd) => {
+        await withClient(cmd, async (client, globals) => {
+            const wid = resolveWorkspace(opts.workspace);
+            const state = await loadSiteAccess(client, wid);
+            formatSiteAccessStatus(summarize(state), globals.json);
+        });
+    });
+    sa
+        .command("basic-auth")
+        .description("Set HTTP basic auth credentials")
+        .requiredOption("--username <u>", 'Username (or "-" to read from stdin)')
+        .requiredOption("--password <p>", 'Password (or "-" to read from stdin)')
+        .option("--origin <url>", "Origin to bind credentials to; defaults to workspace base_url")
+        .option("--workspace <id>", "Workspace ID; defaults to active workspace")
+        .addHelpText("after", '\nExamples:\n  $ ish workspace site-access basic-auth --username alice --password hunter2\n  $ printf %s "$PW" | ish workspace site-access basic-auth --username alice --password -\n\nRequires either --origin or a workspace base_url (set with `ish workspace update --base-url ...`).')
+        .action(async (opts, cmd) => {
+        await withClient(cmd, async (client, globals) => {
+            const wid = resolveWorkspace(opts.workspace);
+            const username = await readSecretFlag(opts.username);
+            const password = await readSecretFlag(opts.password);
+            const origin = await resolveOriginForWriting(client, wid, opts.origin);
+            const state = await loadSiteAccess(client, wid);
+            await applySiteAccessWrites(client, wid, state, [
+                { key: SITE_ACCESS_KEYS.basicAuthUsername, value: username, scope: "project", variable_type: "secret" },
+                { key: SITE_ACCESS_KEYS.basicAuthPassword, value: password, scope: "project", variable_type: "secret" },
+                { key: SITE_ACCESS_KEYS.basicAuthOrigin, value: origin, scope: "project", variable_type: "variable" },
+            ]);
+            const clearedAffirmation = await clearPublicAffirmation(client, wid, state);
+            output({
+                message: "Basic auth credentials saved",
+                origin,
+                cleared_public_affirmation: clearedAffirmation,
+            }, globals.json);
+        });
+    });
+    sa
+        .command("cookie")
+        .description("Set a session cookie for sites that gate on a token (Vercel preview, Lovable, etc.)")
+        .requiredOption("--name <n>", "Cookie name")
+        .requiredOption("--value <v>", 'Cookie value (or "-" to read from stdin)')
+        .option("--origin <url>", "Origin to bind cookie to; defaults to workspace base_url")
+        .option("--workspace <id>", "Workspace ID; defaults to active workspace")
+        .addHelpText("after", "\nExamples:\n  $ ish workspace site-access cookie --name session --value abc123\n\nRequires either --origin or a workspace base_url (set with `ish workspace update --base-url ...`).")
+        .action(async (opts, cmd) => {
+        await withClient(cmd, async (client, globals) => {
+            const wid = resolveWorkspace(opts.workspace);
+            const value = await readSecretFlag(opts.value);
+            const origin = await resolveOriginForWriting(client, wid, opts.origin);
+            const state = await loadSiteAccess(client, wid);
+            await applySiteAccessWrites(client, wid, state, [
+                { key: SITE_ACCESS_KEYS.sessionCookieName, value: opts.name, scope: "project", variable_type: "variable" },
+                { key: SITE_ACCESS_KEYS.sessionCookieValue, value, scope: "project", variable_type: "secret" },
+                { key: SITE_ACCESS_KEYS.sessionCookieOrigin, value: origin, scope: "project", variable_type: "variable" },
+            ]);
+            const clearedAffirmation = await clearPublicAffirmation(client, wid, state);
+            output({
+                message: "Session cookie saved",
+                origin,
+                cleared_public_affirmation: clearedAffirmation,
+            }, globals.json);
+        });
+    });
+    sa
+        .command("login")
+        .description("Set login form credentials a tester will type into the site")
+        .requiredOption("--username <u>", 'Username (or "-" to read from stdin)')
+        .requiredOption("--password <p>", 'Password (or "-" to read from stdin)')
+        .option("--workspace <id>", "Workspace ID; defaults to active workspace")
+        .addHelpText("after", "\nExamples:\n  $ ish workspace site-access login --username demo --password demo")
+        .action(async (opts, cmd) => {
+        await withClient(cmd, async (client, globals) => {
+            const wid = resolveWorkspace(opts.workspace);
+            const username = await readSecretFlag(opts.username);
+            const password = await readSecretFlag(opts.password);
+            const state = await loadSiteAccess(client, wid);
+            await applySiteAccessWrites(client, wid, state, [
+                { key: SITE_ACCESS_KEYS.loginUsername, value: username, scope: "agent", variable_type: "secret" },
+                { key: SITE_ACCESS_KEYS.loginPassword, value: password, scope: "agent", variable_type: "secret" },
+            ]);
+            const clearedAffirmation = await clearPublicAffirmation(client, wid, state);
+            output({
+                message: "Login credentials saved",
+                cleared_public_affirmation: clearedAffirmation,
+            }, globals.json);
+        });
+    });
+    sa
+        .command("affirm-public")
+        .description("Mark the site as not requiring credentials")
+        .option("--origin <url>", "Origin to mark public; defaults to workspace base_url")
+        .option("--workspace <id>", "Workspace ID; defaults to active workspace")
+        .addHelpText("after", "\nExamples:\n  $ ish workspace site-access affirm-public\n\nRequires either --origin or a workspace base_url (set with `ish workspace update --base-url ...`).")
+        .action(async (opts, cmd) => {
+        await withClient(cmd, async (client, globals) => {
+            const wid = resolveWorkspace(opts.workspace);
+            const origin = await resolveOriginForWriting(client, wid, opts.origin);
+            const state = await loadSiteAccess(client, wid);
+            await applySiteAccessWrites(client, wid, state, [
+                { key: SITE_ACCESS_KEYS.publicAffirmedOrigin, value: origin, scope: "project", variable_type: "variable" },
+            ]);
+            output({ message: "Site marked public", origin }, globals.json);
+        });
+    });
+    sa
+        .command("clear")
+        .description("Clear configured site-access credentials")
+        .argument("<method>", "basic-auth | cookie | login | public | all")
+        .option("--workspace <id>", "Workspace ID; defaults to active workspace")
+        .addHelpText("after", "\nExamples:\n  $ ish workspace site-access clear cookie\n  $ ish workspace site-access clear all")
+        .action(async (method, opts, cmd) => {
+        const valid = ["basic-auth", "cookie", "login", "public", "all"];
+        if (!valid.includes(method)) {
+            throw new Error(`Invalid method "${method}". Use one of: ${valid.join(", ")}.`);
+        }
+        await withClient(cmd, async (client, globals) => {
+            const wid = resolveWorkspace(opts.workspace);
+            const state = await loadSiteAccess(client, wid);
+            const keys = keysForMethod(method);
+            const deleted = await deleteSiteAccessKeys(client, wid, state, keys);
+            if (deleted === 0) {
+                output({ deleted: 0, message: "Nothing to clear", method }, globals.json);
+            }
+            else {
+                output({
+                    deleted,
+                    message: `Cleared ${deleted} secret${deleted === 1 ? "" : "s"}`,
+                    method,
+                }, globals.json);
+            }
+        });
+    });
+}

package/dist/config.d.ts

@@ -1,5 +1,6 @@
 /**
- * Config persistence for ~/.ish/config.json
+ * Config persistence. Default state dir is ~/.ish; override via the
+ * ISH_HOME env var (see src/lib/paths.ts).
  */
 export interface IshConfig {
     access_token?: string;
@@ -7,6 +8,7 @@ export interface IshConfig {
     token?: string;
     workspace?: string;
     study?: string;
+    ask?: string;
     [key: string]: string | undefined;
 }
 export declare function loadConfig(): IshConfig;

package/dist/config.js

@@ -1,15 +1,14 @@
 /**
- * Config persistence for ~/.ish/config.json
+ * Config persistence. Default state dir is ~/.ish; override via the
+ * ISH_HOME env var (see src/lib/paths.ts).
  */
 import * as fs from "node:fs";
-import * as path from "node:path";
-import * as os from "node:os";
-const CONFIG_DIR = path.join(os.homedir(), ".ish");
-const CONFIG_FILE = path.join(CONFIG_DIR, "config.json");
+import { ishDir, configPath } from "./lib/paths.js";
 export function loadConfig() {
     try {
-        if (fs.existsSync(CONFIG_FILE)) {
-            return JSON.parse(fs.readFileSync(CONFIG_FILE, "utf-8"));
+        const file = configPath();
+        if (fs.existsSync(file)) {
+            return JSON.parse(fs.readFileSync(file, "utf-8"));
         }
     }
     catch {
@@ -18,8 +17,9 @@ export function loadConfig() {
     return {};
 }
 export function saveConfig(config) {
-    fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-    const tmp = CONFIG_FILE + ".tmp";
+    fs.mkdirSync(ishDir(), { recursive: true, mode: 0o700 });
+    const file = configPath();
+    const tmp = file + ".tmp";
     fs.writeFileSync(tmp, JSON.stringify(config, null, 2) + "\n", { mode: 0o600 });
-    fs.renameSync(tmp, CONFIG_FILE);
+    fs.renameSync(tmp, file);
 }

package/dist/connect.d.ts

@@ -1,4 +1,7 @@
 /**
  * Localhost connect CLI — wraps cloudflared and registers with Ish backend.
  */
-export declare function runTunnel(port: number, tokenArg?: string, apiUrlArg?: string): Promise<void>;
+export declare function runTunnel(port: number, tokenArg?: string, apiUrlArg?: string, tokenFileArg?: string, outputOpts?: {
+    json?: boolean;
+    quiet?: boolean;
+}): Promise<void>;