@marcusrbrown/infra 0.7.0 → 0.8.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@marcusrbrown/infra",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "description": "Infrastructure management CLI — deploy automation, health checks, and MCP bridge",
   "keywords": [
     "infra",

package/src/__snapshots__/cli.test.ts.snap

@@ -86,11 +86,12 @@ Commands:
     --key [key]                        Existing CLIProxyAPI API key value. When provided, setup skips key creation and reuses this key for GitHub secrets.
     --repo [repo]                      Target GitHub repository in owner/repo format. Skips the repository prompt when provided.
     --harness [harness]                Harness template to configure. Choose opencode, claude-code, or generic. Generic remains interactive-only.
-    --providers [providers]            Comma-separated list of providers to enable. Supported values: anthropic, openai. Example: --providers anthropic,openai
-    --model [model]                    Override the default model. Must be provider-prefixed and lowercase. Examples: anthropic/claude-sonnet-4-6, openai/gpt-4o
+    --providers [providers]            Comma-separated list of providers to enable. Default: anthropic. Supported values: anthropic, openai. Example: --providers anthropic,openai
+    --model [model]                    Override the default model. Must be provider-prefixed and lowercase. Required when multiple providers selected. Examples: anthropic/claude-sonnet-4-6, openai/gpt-4o
     --force                            Overwrite existing GitHub secrets and variables without prompting.
     --dry-run                          Print the plan without applying any changes.
     --verify-smoke                     Run a smoke test against the proxy after setup completes.
+    --ack-key-reuse                    Acknowledge that --key matches the bearer token inside the existing OPENCODE_AUTH_JSON. Required in non-interactive mode when --key is supplied for a repo with existing OPENCODE_AUTH_JSON. (default: false)
 
 
   gateway status                       Show operational health of the gateway deployment via docker compose ps.

package/src/commands/cliproxy/config.ts

@@ -5,11 +5,12 @@ import {chmodSync} from 'node:fs'
 
 import {z} from 'zod'
 
+import {managementHeaders, requestJson} from './shared'
+
 /** Minimal ctx surface consumed by cliproxy config actions. Satisfied by both GokeExecutionContext and CapturedCtx. */
 // ActionCtx imported from lib/action-ctx — single source of truth for action ctx shape
 
 const DEFAULT_CLIPROXY_URL = 'https://cliproxy.fro.bot'
-const HTTP_TIMEOUT_MS = 10_000
 
 function stripTrailingSlash(value: string): string {
   return value.endsWith('/') ? value.slice(0, -1) : value
@@ -29,31 +30,6 @@ export function resolveManagementKey(input?: string): string {
   return key
 }
 
-function managementHeaders(key: string): Headers {
-  const headers = new Headers()
-  headers.set('x-management-key', key)
-  headers.set('content-type', 'application/json')
-  return headers
-}
-
-async function requestJson(endpoint: string, init: RequestInit): Promise<unknown> {
-  const response = await fetch(endpoint, {
-    ...init,
-    signal: AbortSignal.timeout(HTTP_TIMEOUT_MS),
-  })
-
-  if (!response.ok) {
-    const body = await response.text()
-    throw new Error(`${init.method ?? 'GET'} ${endpoint} failed with HTTP ${response.status}: ${body}`)
-  }
-
-  try {
-    return await response.json()
-  } catch {
-    return null
-  }
-}
-
 export function parseBoolean(value: string): boolean {
   const normalized = value.toLowerCase()
   if (normalized === 'true') {

package/src/commands/cliproxy/keys.ts

@@ -4,11 +4,14 @@ import type {ActionCtx} from '../../lib/action-ctx'
 
 import {z} from 'zod'
 
+import {managementHeaders, parseManagementKeyList, requestJson, toStringArray} from './shared'
+
+export {toStringArray} from './shared'
+
 /** Minimal ctx surface consumed by cliproxy keys actions. Satisfied by both GokeExecutionContext and CapturedCtx. */
 // ActionCtx imported from lib/action-ctx — single source of truth for action ctx shape
 
 const DEFAULT_CLIPROXY_URL = 'https://cliproxy.fro.bot'
-const HTTP_TIMEOUT_MS = 10_000
 
 function stripTrailingSlash(value: string): string {
   return value.endsWith('/') ? value.slice(0, -1) : value
@@ -28,47 +31,6 @@ function resolveManagementKey(input?: string): string {
   return key
 }
 
-function managementHeaders(key: string): Headers {
-  const headers = new Headers()
-  headers.set('x-management-key', key)
-  headers.set('content-type', 'application/json')
-  return headers
-}
-
-async function requestJson(endpoint: string, init: RequestInit): Promise<unknown> {
-  const response = await fetch(endpoint, {
-    ...init,
-    signal: AbortSignal.timeout(HTTP_TIMEOUT_MS),
-  })
-
-  if (!response.ok) {
-    const body = await response.text()
-    throw new Error(`${init.method ?? 'GET'} ${endpoint} failed with HTTP ${response.status}: ${body}`)
-  }
-
-  try {
-    return await response.json()
-  } catch {
-    return null
-  }
-}
-
-export function toStringArray(payload: unknown): string[] {
-  if (Array.isArray(payload)) {
-    return payload.filter(item => typeof item === 'string')
-  }
-
-  if (payload && typeof payload === 'object') {
-    const obj = payload as Record<string, unknown>
-    const value = obj['api-keys'] ?? obj.api_keys
-    if (Array.isArray(value)) {
-      return value.filter(item => typeof item === 'string')
-    }
-  }
-
-  return []
-}
-
 export interface KeysListOptions {
   url?: string
   key?: string
@@ -126,7 +88,10 @@ export async function cliproxyKeysAddAction(
       method: 'GET',
       headers: managementHeaders(managementKey),
     })
-    const currentKeys = toStringArray(currentPayload)
+    // Strict parse: a malformed or unexpected GET response must fail closed before the
+    // destructive PUT replaces the entire key list. Permissive parsing would collapse
+    // unknown shapes to [] and overwrite existing keys.
+    const currentKeys = parseManagementKeyList(currentPayload)
 
     if (currentKeys.includes(apiKeyToAdd)) {
       ctx.console.log('Key already present; no update required.')

package/src/commands/cliproxy/setup/gh.test.ts

@@ -0,0 +1,218 @@
+/// <reference types="bun" />
+
+import {afterEach, describe, expect, it, mock, spyOn} from 'bun:test'
+
+import {isGhRateLimitError, withGhRetry} from './gh'
+
+// ─── isGhRateLimitError ──────────────────────────────────────────────────────
+
+describe('isGhRateLimitError', () => {
+  it('returns true when text contains "rate limit"', () => {
+    expect(isGhRateLimitError('API rate limit exceeded')).toBe(true)
+  })
+
+  it('is case-insensitive', () => {
+    expect(isGhRateLimitError('You have exceeded a secondary RATE LIMIT')).toBe(true)
+  })
+
+  it('returns false for unrelated error messages', () => {
+    expect(isGhRateLimitError('Not Found (HTTP 404)')).toBe(false)
+  })
+
+  it('returns false for an empty string', () => {
+    expect(isGhRateLimitError('')).toBe(false)
+  })
+
+  it('returns false for a connection timeout', () => {
+    expect(isGhRateLimitError('connection timeout')).toBe(false)
+  })
+})
+
+// ─── withGhRetry ─────────────────────────────────────────────────────────────
+
+describe('withGhRetry', () => {
+  it('returns the value when fn succeeds immediately', async () => {
+    const result = await withGhRetry('test label', async () => 'ok', false)
+
+    expect(result).toBe('ok')
+  })
+
+  it('re-throws non-rate-limit errors without querying the reset time', async () => {
+    const queryReset = async (): Promise<string> => {
+      throw new Error('queryReset should not have been called')
+    }
+    const err = new Error('some other error')
+
+    await expect(withGhRetry('test label', async () => Promise.reject(err), false, queryReset)).rejects.toThrow(
+      'some other error',
+    )
+  })
+
+  it('re-throws with reset time appended in non-interactive mode on rate limit', async () => {
+    const queryReset = async (): Promise<string> => '2:30 PM'
+
+    await expect(
+      withGhRetry(
+        'test label',
+        async () => {
+          throw new Error('API rate limit exceeded for url')
+        },
+        false,
+        queryReset,
+      ),
+    ).rejects.toThrow('resets at 2:30 PM')
+  })
+})
+
+// ─── applyGhValue stdin-pipe-not-body invariant (PR #102) ────────────────────
+
+describe('applyGhValue', () => {
+  afterEach(() => {
+    mock.restore()
+  })
+
+  it('pipes secret value via stdin — never uses --body flag', async () => {
+    const {applyGhValue} = await import('./gh')
+
+    let capturedArgs: string[] = []
+    let capturedStdin: ReadableStream<Uint8Array> | undefined
+
+    const spawnSpy = spyOn(Bun, 'spawn').mockImplementation(((cmds: string[], opts?: {stdin?: unknown}) => {
+      capturedArgs = cmds
+      capturedStdin = opts?.stdin as ReadableStream<Uint8Array> | undefined
+      // Return a minimal fake child process
+      return {
+        stdout: new Response('').body,
+        stderr: new Response('').body,
+        exited: Promise.resolve(0),
+        stdin: null,
+        pid: 0,
+        killed: false,
+        exitCode: 0,
+        signalCode: null,
+        kill: () => {},
+        ref: () => {},
+        unref: () => {},
+        readable: new Response('').body,
+      }
+    }) as unknown as typeof Bun.spawn)
+
+    await applyGhValue('secret', 'MY_SECRET', 'owner/repo', 'my-value')
+
+    expect(capturedArgs).toContain('gh')
+    expect(capturedArgs).toContain('secret')
+    expect(capturedArgs).toContain('set')
+    expect(capturedArgs).toContain('MY_SECRET')
+    expect(capturedArgs).toContain('--repo')
+    expect(capturedArgs).toContain('owner/repo')
+    // The critical invariant: --body must NOT be in the args
+    expect(capturedArgs).not.toContain('--body')
+    // stdin must be provided (value piped via stdin)
+    expect(capturedStdin).toBeDefined()
+
+    spawnSpy.mockRestore()
+  })
+})
+
+// ─── createManagementApiKey / deleteManagementApiKey toStringArray parity ─────
+
+describe('management API key helpers — response shape handling', () => {
+  afterEach(() => {
+    mock.restore()
+  })
+
+  it('createManagementApiKey handles top-level array response from GET', async () => {
+    const {createManagementApiKey} = await import('./gh')
+
+    const calls: {method: string; body?: string}[] = []
+    globalThis.fetch = mock(async (_url: string, init?: RequestInit) => {
+      const method = init?.method ?? 'GET'
+      calls.push({method, body: init?.body as string | undefined})
+      if (method === 'GET') {
+        // Top-level array response
+        return new Response(JSON.stringify(['existing-key']), {status: 200})
+      }
+      return new Response('{}', {status: 200})
+    }) as unknown as typeof fetch
+
+    await createManagementApiKey('https://cliproxy.fro.bot', 'mgmt-key', 'new-key')
+
+    const putCall = calls.find(c => c.method === 'PUT')
+    expect(putCall).toBeDefined()
+    const body = JSON.parse(putCall?.body ?? '[]') as string[]
+    expect(body).toContain('existing-key')
+    expect(body).toContain('new-key')
+  })
+
+  it('createManagementApiKey handles object-shaped {api-keys:[...]} response from GET', async () => {
+    const {createManagementApiKey} = await import('./gh')
+
+    const calls: {method: string; body?: string}[] = []
+    globalThis.fetch = mock(async (_url: string, init?: RequestInit) => {
+      const method = init?.method ?? 'GET'
+      calls.push({method, body: init?.body as string | undefined})
+      if (method === 'GET') {
+        // Object-shaped response — the form CLIProxyAPI actually returns
+        return new Response(JSON.stringify({'api-keys': ['existing-key']}), {status: 200})
+      }
+      return new Response('{}', {status: 200})
+    }) as unknown as typeof fetch
+
+    await createManagementApiKey('https://cliproxy.fro.bot', 'mgmt-key', 'new-key')
+
+    const putCall = calls.find(c => c.method === 'PUT')
+    expect(putCall).toBeDefined()
+    const body = JSON.parse(putCall?.body ?? '[]') as string[]
+    expect(body).toContain('existing-key')
+    expect(body).toContain('new-key')
+  })
+
+  it('createManagementApiKey THROWS without making a destructive PUT when GET returns unexpected payload shape', async () => {
+    const {createManagementApiKey} = await import('./gh')
+
+    // Mock fetch: GET returns 200 with payload `null` (valid JSON but unexpected shape).
+    // Pre-fix silent-failure path: requestJson would have returned null, toStringArray(null)
+    // would have collapsed to [], the PUT would have replaced the entire key list with
+    // just the new key — deleting all existing repo keys.
+    // Post-fix: parseManagementKeyList throws on null, the PUT is never made.
+    let putCallCount = 0
+    globalThis.fetch = mock(async (_url: string, init?: RequestInit) => {
+      const method = init?.method ?? 'GET'
+      if (method === 'PUT') putCallCount++
+      if (method === 'GET') {
+        return new Response(JSON.stringify(null), {
+          status: 200,
+          headers: {'content-type': 'application/json'},
+        })
+      }
+      return new Response('{}', {status: 200})
+    }) as unknown as typeof fetch
+
+    await expect(createManagementApiKey('https://cliproxy.fro.bot', 'mgmt-key', 'new-key')).rejects.toThrow(
+      /Unexpected management key-list shape/,
+    )
+    expect(putCallCount).toBe(0)
+  })
+
+  it('createManagementApiKey THROWS without PUT when GET returns malformed JSON', async () => {
+    const {createManagementApiKey} = await import('./gh')
+
+    let putCallCount = 0
+    globalThis.fetch = mock(async (_url: string, init?: RequestInit) => {
+      const method = init?.method ?? 'GET'
+      if (method === 'PUT') putCallCount++
+      if (method === 'GET') {
+        return new Response('not-json-content', {
+          status: 200,
+          headers: {'content-type': 'text/plain'},
+        })
+      }
+      return new Response('{}', {status: 200})
+    }) as unknown as typeof fetch
+
+    await expect(createManagementApiKey('https://cliproxy.fro.bot', 'mgmt-key', 'new-key')).rejects.toThrow(
+      /returned malformed JSON/,
+    )
+    expect(putCallCount).toBe(0)
+  })
+})

package/src/commands/cliproxy/setup/gh.ts

@@ -0,0 +1,250 @@
+/// <reference types="bun" />
+
+import type {SpinnerResult} from '@clack/prompts'
+
+import {confirm, log, spinner} from '@clack/prompts'
+
+import {managementHeaders, parseManagementKeyList, requestJson} from '../shared'
+import {cancelAndExit, promptValue} from './prompts'
+
+// ─── Types ────────────────────────────────────────────────────────────────────
+
+export interface CommandResult {
+  stdout: string
+  stderr: string
+  exitCode: number
+}
+
+// ─── Local helpers ────────────────────────────────────────────────────────────
+
+/** Local copy — avoids a circular import with setup.ts (gh → setup → gh). */
+function extractErrorMessage(error: unknown): string {
+  return error instanceof Error ? error.message : String(error)
+}
+
+// ─── Spawn helpers ────────────────────────────────────────────────────────────
+
+export async function withSpinner<T>(message: string, run: (spinnerInstance: SpinnerResult) => Promise<T>): Promise<T> {
+  const spinnerInstance = spinner()
+  spinnerInstance.start(message)
+
+  try {
+    const result = await run(spinnerInstance)
+    spinnerInstance.stop(message)
+    return result
+  } catch (error) {
+    spinnerInstance.error(`${message} failed`)
+    throw error
+  }
+}
+
+async function runCommand(command: string, args: string[]): Promise<CommandResult> {
+  const child = Bun.spawn([command, ...args], {
+    stdout: 'pipe',
+    stderr: 'pipe',
+    env: process.env,
+  })
+
+  const [stdout, stderr, exitCode] = await Promise.all([
+    new Response(child.stdout).text(),
+    new Response(child.stderr).text(),
+    child.exited,
+  ])
+
+  return {stdout, stderr, exitCode}
+}
+
+export async function runGh(args: string[]): Promise<CommandResult> {
+  return runCommand('gh', args)
+}
+
+// ─── Rate-limit helpers ───────────────────────────────────────────────────────
+
+export function isGhRateLimitError(text: string): boolean {
+  return /rate limit/i.test(text)
+}
+
+/**
+ * Query the GitHub API rate limit reset time. The `rate_limit` endpoint is
+ * exempt from rate limiting itself, so this should succeed even when the
+ * primary GraphQL limit is exhausted. Returns a formatted local time string
+ * or a fallback phrase when the endpoint is unreachable.
+ */
+async function queryRateLimitReset(): Promise<string> {
+  try {
+    const result = await runGh(['api', 'rate_limit'])
+    if (result.exitCode === 0) {
+      const parsed = JSON.parse(result.stdout) as {
+        resources?: {graphql?: {reset?: number}; core?: {reset?: number}}
+      }
+      const reset = parsed.resources?.graphql?.reset ?? parsed.resources?.core?.reset
+      if (reset) {
+        return new Date(reset * 1000).toLocaleTimeString([], {hour: '2-digit', minute: '2-digit'})
+      }
+    }
+  } catch {
+    // Fall through to generic phrase
+  }
+  return 'an unknown time'
+}
+
+/**
+ * Run a GitHub API operation wrapped in a spinner, retrying indefinitely on
+ * rate-limit errors when in interactive mode. In non-interactive mode the
+ * error is re-thrown with the reset time appended so the caller can surface
+ * it without prompting.
+ */
+export async function withGhRetry<T>(
+  label: string,
+  fn: (spinnerInstance: SpinnerResult) => Promise<T>,
+  interactive: boolean,
+  queryReset: () => Promise<string> = queryRateLimitReset,
+): Promise<T> {
+  for (;;) {
+    try {
+      return await withSpinner(label, fn)
+    } catch (error) {
+      const message = extractErrorMessage(error)
+      if (!isGhRateLimitError(message)) {
+        throw error
+      }
+      const reset = await queryReset()
+      if (!interactive) {
+        throw new Error(`${message} — GitHub API rate limit resets at ${reset}. Re-run when ready.`)
+      }
+      log.warn(`GitHub API rate limit exceeded. Resets at ${reset}.`)
+      const retry = await promptValue(
+        confirm({
+          message: 'Retry this step when ready?',
+          active: 'retry',
+          inactive: 'abort',
+          initialValue: true,
+        }),
+        'Setup aborted after rate limit.',
+      )
+      if (!retry) {
+        cancelAndExit('Setup aborted after GitHub API rate limit.')
+      }
+    }
+  }
+}
+
+// ─── Preflight assertions ─────────────────────────────────────────────────────
+
+export async function assertGhInstalled(): Promise<void> {
+  if (!Bun.which('gh')) {
+    throw new Error('GitHub CLI is required for cliproxy setup. Install gh first: https://cli.github.com/')
+  }
+}
+
+export async function assertGhAuthenticated(): Promise<void> {
+  const result = await runGh(['auth', 'status'])
+  if (result.exitCode !== 0) {
+    throw new Error(`GitHub CLI is not authenticated. Run "gh auth login" first. ${result.stderr.trim()}`.trim())
+  }
+}
+
+export async function assertRepoAccess(repo: string): Promise<void> {
+  const {z} = await import('zod')
+  const ghRepoViewSchema = z.object({
+    nameWithOwner: z.string(),
+    viewerPermission: z.string(),
+  })
+
+  const result = await runGh(['repo', 'view', repo, '--json', 'nameWithOwner,viewerPermission'])
+  if (result.exitCode !== 0) {
+    throw new Error(`Unable to access ${repo}. ${result.stderr.trim()}`.trim())
+  }
+
+  const parsed = ghRepoViewSchema.parse(JSON.parse(result.stdout))
+  const writePermissions = new Set(['ADMIN', 'MAINTAIN', 'WRITE'])
+
+  if (!writePermissions.has(parsed.viewerPermission)) {
+    throw new Error(
+      `GitHub CLI does not have write access to ${parsed.nameWithOwner}. Current permission: ${parsed.viewerPermission}.`,
+    )
+  }
+}
+
+export async function listExistingGhNames(repo: string, kind: 'secret' | 'variable'): Promise<string[]> {
+  const {z} = await import('zod')
+  const ghNameListSchema = z.array(z.object({name: z.string()}))
+
+  const result = await runGh([kind, 'list', '--repo', repo, '--json', 'name'])
+  if (result.exitCode !== 0) {
+    throw new Error(`Unable to list existing GitHub ${kind}s for ${repo}. ${result.stderr.trim()}`.trim())
+  }
+
+  return ghNameListSchema.parse(JSON.parse(result.stdout)).map(entry => entry.name)
+}
+
+// ─── Management API key helpers ───────────────────────────────────────────────
+
+export async function createManagementApiKey(baseUrl: string, managementKey: string, keyValue: string): Promise<void> {
+  const endpoint = `${baseUrl}/v0/management/api-keys`
+  const currentPayload = await requestJson(endpoint, {
+    method: 'GET',
+    headers: managementHeaders(managementKey),
+  })
+  const currentKeys = parseManagementKeyList(currentPayload)
+
+  if (currentKeys.includes(keyValue)) {
+    return
+  }
+
+  await requestJson(endpoint, {
+    method: 'PUT',
+    headers: managementHeaders(managementKey),
+    body: JSON.stringify([...currentKeys, keyValue]),
+  })
+}
+
+export async function deleteManagementApiKey(baseUrl: string, managementKey: string, keyValue: string): Promise<void> {
+  const endpoint = `${baseUrl}/v0/management/api-keys`
+  const currentPayload = await requestJson(endpoint, {
+    method: 'GET',
+    headers: managementHeaders(managementKey),
+  })
+  const currentKeys = parseManagementKeyList(currentPayload)
+  const filtered = currentKeys.filter(k => k !== keyValue)
+
+  if (filtered.length === currentKeys.length) {
+    return
+  }
+
+  await requestJson(endpoint, {
+    method: 'PUT',
+    headers: managementHeaders(managementKey),
+    body: JSON.stringify(filtered),
+  })
+}
+
+// ─── GitHub value application ─────────────────────────────────────────────────
+
+export async function applyGhValue(
+  kind: 'secret' | 'variable',
+  name: string,
+  repo: string,
+  value: string,
+): Promise<void> {
+  if (kind === 'secret') {
+    const child = Bun.spawn(['gh', 'secret', 'set', name, '--repo', repo], {
+      stdin: new Blob([value]).stream(),
+      stdout: 'pipe',
+      stderr: 'pipe',
+      env: process.env,
+    })
+
+    const [stderr, exitCode] = await Promise.all([new Response(child.stderr).text(), child.exited])
+
+    if (exitCode !== 0) {
+      throw new Error(`gh secret set ${name} failed: ${stderr.trim()}`.trim())
+    }
+    return
+  }
+
+  const result = await runGh([kind, 'set', name, '--repo', repo, '--body', value])
+  if (result.exitCode !== 0) {
+    throw new Error(`gh ${kind} set ${name} failed: ${result.stderr.trim()}`.trim())
+  }
+}