@nesalia/cli 1.0.0

package/dist/lib/auth/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/client.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;qBAQ61R,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBAAyxK,CAAC;;;;;;;;;;qBAAqa,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAAp8Q,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBAAq4I,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;qBAAm9M,CAAC;;;;;;;;;;qBAAqa,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAA2gI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA/4S,CAAC;qCAAqB,CAAC;kCAAoC,CAAC;0CAAwB,CAAC;wCAAwC,CAAC;sCAAsC,CAAC;yCAAyC,CAAC;sCAAsC,CAAC;4CAA4C,CAAC;+CAA+C,CAAC;wCAAwC,CAAC;qCAAqC,CAAC;;;;sCAA+F,CAAC;oCAAoE,CAAC;kCAAkE,CAAC;uCAAyF,CAAC;mCAA0G,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;wCAAv3W,CAAC;;;;;wCAAkG,CAAC;;;;;wCAAsG,CAAC;;;;;wCAAgG,CAAC;;;;;wCAA4G,CAAC;;;;;;;;;;;;;;;;;;;;;;qCAAohO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iCAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iCAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yBAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;qBAAD,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6BAAvpP,CAAC;iBAAe,CAAC;;;;;;;;;;;;;;;;;;;;gBAA6hC,CAAC,EAAC,eAAgB;aAAuB,CAAC,EAAC,YAAa;mBAA6B,CAAC,EAAC,kBAAmB;eAAa,CAAC,GAAG,WAAW,IAAI,WAAW;;;;;iBAAkT,CAAC;iBAAmC,CAAC;;YAAmD,CAAC,EAAC,WAAY;gBAA0B,CAAC,EAAC,eAAgB;gBAA0B,CAAC;sBAAwC,CAAC,EAAC,cAAe;cAAwB,CAAC;cAA8C,CAAC;eAA+B,CAAC;mBAAyG,CAAC;yBAAuB,CAAC;;eAAyC,CAAC;;;aAA0G,CAAC;YAA+B,CAAC;;;;;;;;;;;;YAA+e,CAAC;aAAgB,CAAC;cAAiB,CAAC;cAAiB,CAAC;;aAA8F,CAAC;oBAAiE,CAAC;cAAgC,CAAC;mBAAkG,CAAC;yBAA0E,CAAC;qBAAwC,CAAC;;;uBAAkF,CAAC;+GAAuL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAF/hJ,CAAC;AAEH,MAAM,MAAM,UAAU,GAAG,OAAO,UAAU,CAAC"}

package/dist/lib/auth/client.js

@@ -0,0 +1,11 @@
+import { createAuthClient } from "better-auth/client";
+import { deviceAuthorizationClient, organizationClient } from "better-auth/client/plugins";
+const BASE_URL = process.env.CLI_AUTH_API_URL ?? process.env.NEXT_PUBLIC_BASE_URL ?? "http://localhost:3000";
+export const authClient = createAuthClient({
+    baseURL: BASE_URL,
+    plugins: [
+        deviceAuthorizationClient(),
+        organizationClient(),
+    ],
+});
+//# sourceMappingURL=client.js.map

package/dist/lib/auth/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/lib/auth/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,yBAAyB,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAE3F,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,uBAAuB,CAAC;AAE7G,MAAM,CAAC,MAAM,UAAU,GAAG,gBAAgB,CAAC;IACzC,OAAO,EAAE,QAAQ;IACjB,OAAO,EAAE;QACP,yBAAyB,EAAE;QAC3B,kBAAkB,EAAE;KACrB;CACF,CAAC,CAAC"}

package/dist/lib/auth/device-flow/config.d.ts

@@ -0,0 +1,5 @@
+export declare const CLIENT_ID: string;
+export declare const POLL_TIMEOUT_MS: number;
+export declare const SCOPE = "openid profile email";
+export declare const MAX_NETWORK_RETRIES = 3;
+//# sourceMappingURL=config.d.ts.map

package/dist/lib/auth/device-flow/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/config.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,SAAS,QAA0C,CAAC;AACjE,eAAO,MAAM,eAAe,QAAiB,CAAC;AAC9C,eAAO,MAAM,KAAK,yBAAyB,CAAC;AAC5C,eAAO,MAAM,mBAAmB,IAAI,CAAC"}

package/dist/lib/auth/device-flow/config.js

@@ -0,0 +1,5 @@
+export const CLIENT_ID = process.env.CLI_AUTH_CLIENT_ID ?? "cli";
+export const POLL_TIMEOUT_MS = 30 * 60 * 1000; // 30 min max (matches server default expiresIn)
+export const SCOPE = "openid profile email";
+export const MAX_NETWORK_RETRIES = 3;
+//# sourceMappingURL=config.js.map

package/dist/lib/auth/device-flow/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/config.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,KAAK,CAAC;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,gDAAgD;AAC/F,MAAM,CAAC,MAAM,KAAK,GAAG,sBAAsB,CAAC;AAC5C,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC"}

package/dist/lib/auth/device-flow/device-code.d.ts

@@ -0,0 +1,10 @@
+import type { AuthClient } from "../client.js";
+export interface DeviceCodeResult {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    interval: number;
+}
+export declare const requestDeviceCode: (client: AuthClient) => Promise<DeviceCodeResult>;
+export declare const openBrowser: (uri: string) => Promise<void>;
+//# sourceMappingURL=device-code.d.ts.map

package/dist/lib/auth/device-flow/device-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/device-code.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAI/C,MAAM,WAAW,gBAAgB;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,eAAO,MAAM,iBAAiB,GAAU,QAAQ,UAAU,KAAG,OAAO,CAAC,gBAAgB,CAmBpF,CAAC;AAEF,eAAO,MAAM,WAAW,GAAU,KAAK,MAAM,KAAG,OAAO,CAAC,IAAI,CAI3D,CAAC"}

package/dist/lib/auth/device-flow/device-code.js

@@ -0,0 +1,27 @@
+import { log } from "@clack/prompts";
+import open from "open";
+import { CLIENT_ID, SCOPE } from "./config.js";
+import { AuthFlowError } from "./errors.js";
+export const requestDeviceCode = async (client) => {
+    log.info("Requesting device authorization...");
+    const { data, error } = await client.device.code({
+        client_id: CLIENT_ID,
+        scope: SCOPE,
+    });
+    if (error || !data) {
+        const msg = error?.error_description ?? "Failed to get device code";
+        throw new AuthFlowError(msg);
+    }
+    return {
+        deviceCode: data.device_code,
+        userCode: data.user_code,
+        verificationUri: data.verification_uri_complete,
+        interval: data.interval ?? 5,
+    };
+};
+export const openBrowser = async (uri) => {
+    await open(uri).catch(() => {
+        // Non-fatal: browser may fail to open, user can still use the URL
+    });
+};
+//# sourceMappingURL=device-code.js.map

package/dist/lib/auth/device-flow/device-code.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.js","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/device-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAS5C,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,EAAE,MAAkB,EAA6B,EAAE;IACvF,GAAG,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IAE/C,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;QAC/C,SAAS,EAAE,SAAS;QACpB,KAAK,EAAE,KAAK;KACb,CAAC,CAAC;IAEH,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;QACnB,MAAM,GAAG,GAAG,KAAK,EAAE,iBAAiB,IAAI,2BAA2B,CAAC;QACpE,MAAM,IAAI,aAAa,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,WAAW;QAC5B,QAAQ,EAAE,IAAI,CAAC,SAAS;QACxB,eAAe,EAAE,IAAI,CAAC,yBAAyB;QAC/C,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,CAAC;KAC7B,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,WAAW,GAAG,KAAK,EAAE,GAAW,EAAiB,EAAE;IAC9D,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;QACzB,kEAAkE;IACpE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/lib/auth/device-flow/errors.d.ts

@@ -0,0 +1,8 @@
+export declare const TRANSIENT_ERROR_CODES: Set<string>;
+export declare const isTransientError: (error: unknown) => boolean;
+export declare class AuthFlowError extends Error {
+    readonly isNetwork: boolean;
+    constructor(message: string, isNetwork?: boolean);
+    static network: (msg: string) => AuthFlowError;
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/lib/auth/device-flow/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/errors.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,qBAAqB,aAMhC,CAAC;AAEH,eAAO,MAAM,gBAAgB,GAAI,OAAO,OAAO,KAAG,OAMjD,CAAC;AAGF,qBAAa,aAAc,SAAQ,KAAK;aAGpB,SAAS;gBADzB,OAAO,EAAE,MAAM,EACC,SAAS,UAAQ;IAMnC,MAAM,CAAC,OAAO,GAAI,KAAK,MAAM,KAAG,aAAa,CAAiC;CAC/E"}

package/dist/lib/auth/device-flow/errors.js

@@ -0,0 +1,26 @@
+// Transient network error codes from Node.js
+export const TRANSIENT_ERROR_CODES = new Set([
+    "ETIMEDOUT",
+    "ECONNRESET",
+    "ECONNREFUSED",
+    "ENOTFOUND",
+    "ENETUNREACH",
+]);
+export const isTransientError = (error) => {
+    if (error && typeof error === "object") {
+        const code = error.code;
+        if (code && TRANSIENT_ERROR_CODES.has(code))
+            return true;
+    }
+    return false;
+};
+// Generic auth flow error (network or oauth)
+export class AuthFlowError extends Error {
+    constructor(message, isNetwork = false) {
+        super(message);
+        this.isNetwork = isNetwork;
+        this.name = "AuthFlowError";
+    }
+}
+AuthFlowError.network = (msg) => new AuthFlowError(msg, true);
+//# sourceMappingURL=errors.js.map

package/dist/lib/auth/device-flow/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/errors.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IAC3C,WAAW;IACX,YAAY;IACZ,cAAc;IACd,WAAW;IACX,aAAa;CACd,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,KAAc,EAAW,EAAE;IAC1D,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,IAAI,GAAI,KAA2B,CAAC,IAAI,CAAC;QAC/C,IAAI,IAAI,IAAI,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAC3D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEF,6CAA6C;AAC7C,MAAM,OAAO,aAAc,SAAQ,KAAK;IACtC,YACE,OAAe,EACC,YAAY,KAAK;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,cAAS,GAAT,SAAS,CAAQ;QAGjC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;;AAEM,qBAAO,GAAG,CAAC,GAAW,EAAiB,EAAE,CAAC,IAAI,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC"}

package/dist/lib/auth/device-flow/index.d.ts

@@ -0,0 +1,3 @@
+import type { AuthFlowResult } from "./types.js";
+export declare const startDeviceFlow: () => Promise<AuthFlowResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/device-flow/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/index.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEjD,eAAO,MAAM,eAAe,QAAa,OAAO,CAAC,cAAc,CAY9D,CAAA"}

package/dist/lib/auth/device-flow/index.js

@@ -0,0 +1,13 @@
+import { log } from "@clack/prompts";
+import { authClient } from "../client.js";
+import { requestDeviceCode, openBrowser } from "./device-code.js";
+import { pollForToken } from "./polling.js";
+export const startDeviceFlow = async () => {
+    const { deviceCode, userCode, verificationUri, interval } = await requestDeviceCode(authClient);
+    log.message(`Open this URL in your browser:\n  ${verificationUri}\n` +
+        `Or enter the code: ${userCode}`);
+    await openBrowser(verificationUri);
+    log.info(`Waiting for authorization... (polling every ${interval}s)`);
+    return pollForToken(authClient, deviceCode, interval);
+};
+//# sourceMappingURL=index.js.map

package/dist/lib/auth/device-flow/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAG5C,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,IAA6B,EAAE;IACjE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,MAAM,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAEhG,GAAG,CAAC,OAAO,CACT,qCAAqC,eAAe,IAAI;QACxD,sBAAsB,QAAQ,EAAE,CACjC,CAAC;IAEF,MAAM,WAAW,CAAC,eAAe,CAAC,CAAC;IACnC,GAAG,CAAC,IAAI,CAAC,+CAA+C,QAAQ,IAAI,CAAC,CAAC;IAEtE,OAAO,YAAY,CAAC,UAAU,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACxD,CAAC,CAAA"}

package/dist/lib/auth/device-flow/polling.d.ts

@@ -0,0 +1,4 @@
+import type { AuthClient } from "../client.js";
+import type { AuthFlowResult } from "./types.js";
+export declare const pollForToken: (client: AuthClient, deviceCode: string, intervalSeconds: number, startedAt?: number, networkRetries?: number) => Promise<AuthFlowResult>;
+//# sourceMappingURL=polling.d.ts.map

package/dist/lib/auth/device-flow/polling.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"polling.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/polling.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG/C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAmBjD,eAAO,MAAM,YAAY,GACvB,QAAQ,UAAU,EAClB,YAAY,MAAM,EAClB,iBAAiB,MAAM,EACvB,kBAAsB,EACtB,uBAAkB,KACjB,OAAO,CAAC,cAAc,CA6DxB,CAAC"}

package/dist/lib/auth/device-flow/polling.js

@@ -0,0 +1,75 @@
+import { log } from "@clack/prompts";
+import { CLIENT_ID, POLL_TIMEOUT_MS, MAX_NETWORK_RETRIES } from "./config.js";
+import { isTransientError } from "./errors.js";
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+const resolveUser = async (client, accessToken) => {
+    const response = await client.getSession({
+        fetchOptions: {
+            headers: { Authorization: `Bearer ${accessToken}` },
+        },
+    });
+    const user = response?.data?.user;
+    if (!user) {
+        throw new Error("Could not retrieve user session.");
+    }
+    return { id: user.id, name: user.name, email: user.email, image: user.image ?? undefined };
+};
+export const pollForToken = async (client, deviceCode, intervalSeconds, startedAt = Date.now(), networkRetries = 0) => {
+    if (Date.now() - startedAt > POLL_TIMEOUT_MS) {
+        throw new Error("Authorization timed out. Please try again.");
+    }
+    let data;
+    let error;
+    try {
+        const result = await client.device.token({
+            grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+            device_code: deviceCode,
+            client_id: CLIENT_ID,
+        });
+        data = result.data;
+        error = result.error;
+    }
+    catch (err) {
+        if (isTransientError(err)) {
+            const retries = networkRetries + 1;
+            if (retries > MAX_NETWORK_RETRIES) {
+                throw new Error(`Network error after ${MAX_NETWORK_RETRIES} retries. Check your connection.`);
+            }
+            log.warn(`Network error during polling — retry ${retries}/${MAX_NETWORK_RETRIES}.`);
+            await sleep(intervalSeconds * 1000);
+            return pollForToken(client, deviceCode, intervalSeconds, startedAt, retries);
+        }
+        throw err;
+    }
+    if (data?.access_token) {
+        log.success("Authorization successful!");
+        const user = await resolveUser(client, data.access_token);
+        if (!user.id) {
+            throw new Error("Could not retrieve user information. Please try again.");
+        }
+        log.success(`Connected as ${user.name || user.email || "user"}`);
+        return { accessToken: data.access_token, user };
+    }
+    if (error) {
+        switch (error.error) {
+            case "authorization_pending":
+                await sleep(intervalSeconds * 1000);
+                return pollForToken(client, deviceCode, intervalSeconds, startedAt);
+            case "slow_down":
+                const newInterval = intervalSeconds + 5;
+                log.warn(`Slowing down polling to ${newInterval}s`);
+                await sleep(newInterval * 1000);
+                return pollForToken(client, deviceCode, newInterval, startedAt);
+            case "access_denied":
+                throw new Error("Authorization was denied.");
+            case "expired_token":
+                throw new Error("The code expired. Please try again.");
+            default:
+                throw new Error(error.error_description ?? `Unexpected error: ${error.error}`);
+        }
+    }
+    // No data and no error — should not happen, but guard anyway
+    await sleep(intervalSeconds * 1000);
+    return pollForToken(client, deviceCode, intervalSeconds, startedAt);
+};
+//# sourceMappingURL=polling.js.map

package/dist/lib/auth/device-flow/polling.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"polling.js","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/polling.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAErC,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG/C,MAAM,KAAK,GAAG,CAAC,EAAU,EAAiB,EAAE,CAC1C,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAEpD,MAAM,WAAW,GAAG,KAAK,EAAE,MAAkB,EAAE,WAAmB,EAAmC,EAAE;IACrG,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC;QACvC,YAAY,EAAE;YACZ,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;SACpD;KACF,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC;IAClC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS,EAAE,CAAC;AAC7F,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,EAC/B,MAAkB,EAClB,UAAkB,EAClB,eAAuB,EACvB,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EACtB,cAAc,GAAG,CAAC,EACO,EAAE;IAC3B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,eAAe,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,IAAgE,CAAC;IACrE,IAAI,KAAkE,CAAC;IAEvE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;YACvC,UAAU,EAAE,8CAA8C;YAC1D,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,SAAS;SACrB,CAAC,CAAC;QACH,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACnB,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IACvB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,gBAAgB,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,cAAc,GAAG,CAAC,CAAC;YACnC,IAAI,OAAO,GAAG,mBAAmB,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,uBAAuB,mBAAmB,kCAAkC,CAAC,CAAC;YAChG,CAAC;YACD,GAAG,CAAC,IAAI,CAAC,wCAAwC,OAAO,IAAI,mBAAmB,GAAG,CAAC,CAAC;YACpF,MAAM,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;YACpC,OAAO,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC/E,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,IAAI,EAAE,YAAY,EAAE,CAAC;QACvB,GAAG,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC5E,CAAC;QACD,GAAG,CAAC,OAAO,CAAC,gBAAgB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,IAAI,MAAM,EAAE,CAAC,CAAC;QACjE,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC;IAClD,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,QAAQ,KAAK,CAAC,KAAK,EAAE,CAAC;YACpB,KAAK,uBAAuB;gBAC1B,MAAM,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;gBACpC,OAAO,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;YACtE,KAAK,WAAW;gBACd,MAAM,WAAW,GAAG,eAAe,GAAG,CAAC,CAAC;gBACxC,GAAG,CAAC,IAAI,CAAC,2BAA2B,WAAW,GAAG,CAAC,CAAC;gBACpD,MAAM,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;gBAChC,OAAO,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;YAClE,KAAK,eAAe;gBAClB,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;YAC/C,KAAK,eAAe;gBAClB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;YACzD;gBACE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,iBAAiB,IAAI,qBAAqB,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,MAAM,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;IACpC,OAAO,YAAY,CAAC,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,SAAS,CAAC,CAAC;AACtE,CAAC,CAAC"}

package/dist/lib/auth/device-flow/types.d.ts

@@ -0,0 +1,10 @@
+export type AuthFlowResult = {
+    accessToken: string;
+    user: {
+        id: string;
+        name: string;
+        email: string;
+        image?: string;
+    };
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/lib/auth/device-flow/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH,CAAC"}

package/dist/lib/auth/device-flow/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/lib/auth/device-flow/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/lib/auth/device-flow/types.ts"],"names":[],"mappings":""}

package/dist/lib/auth/index.d.ts

@@ -0,0 +1,12 @@
+export { authClient } from "./client.js";
+export type { AuthClient } from "./client.js";
+export { startDeviceFlow } from "./device-flow/index.js";
+export type { AuthFlowResult } from "./device-flow/types.js";
+export { saveCredentials, loadCredentials, clearCredentials, isExpired, requireAuth, type StoredCredentials, } from "./storage.js";
+import { type StoredCredentials } from "./storage.js";
+/**
+ * HOF - wraps an async operation requiring authentication.
+ * Checks credentials before execution, exits with error message if not authed.
+ */
+export declare function withAuth<T>(fn: (credentials: StoredCredentials) => Promise<T>): Promise<T>;
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,YAAY,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,YAAY,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAE7D,OAAO,EACL,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,WAAW,EACX,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAgD,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEpG;;;GAGG;AACH,wBAAsB,QAAQ,CAAC,CAAC,EAC9B,EAAE,EAAE,CAAC,WAAW,EAAE,iBAAiB,KAAK,OAAO,CAAC,CAAC,CAAC,GACjD,OAAO,CAAC,CAAC,CAAC,CAeZ"}

package/dist/lib/auth/index.js

@@ -0,0 +1,24 @@
+// Re-export everything from submodules
+export { authClient } from "./client.js";
+export { startDeviceFlow } from "./device-flow/index.js";
+export { saveCredentials, loadCredentials, clearCredentials, isExpired, requireAuth, } from "./storage.js";
+import { log } from "@clack/prompts";
+import { loadCredentials, clearCredentials, isExpired } from "./storage.js";
+/**
+ * HOF - wraps an async operation requiring authentication.
+ * Checks credentials before execution, exits with error message if not authed.
+ */
+export async function withAuth(fn) {
+    const credentials = loadCredentials();
+    if (!credentials) {
+        log.error("Not logged in. Run 'auth login' first.");
+        process.exit(1);
+    }
+    if (isExpired(credentials)) {
+        log.error("Session expired. Run 'auth login' again.");
+        clearCredentials();
+        process.exit(1);
+    }
+    return fn(credentials);
+}
+//# sourceMappingURL=index.js.map

package/dist/lib/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/auth/index.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAGzD,OAAO,EACL,eAAe,EACf,eAAe,EACf,gBAAgB,EAChB,SAAS,EACT,WAAW,GAEZ,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,SAAS,EAA0B,MAAM,cAAc,CAAC;AAEpG;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,EAAkD;IAElD,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IAEtC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,GAAG,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3B,GAAG,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACtD,gBAAgB,EAAE,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,EAAE,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC"}

package/dist/lib/auth/storage.d.ts

@@ -0,0 +1,20 @@
+import Conf from "conf";
+export type StoredCredentials = {
+    accessToken: string;
+    user: {
+        id: string;
+        email: string;
+        name: string;
+        image?: string;
+    };
+    expiresAt: number;
+};
+export declare const storage: Conf<{
+    credentials: StoredCredentials | null;
+}>;
+export declare function saveCredentials(credentials: StoredCredentials): void;
+export declare function loadCredentials(): StoredCredentials | null;
+export declare function clearCredentials(): void;
+export declare function isExpired(credentials: StoredCredentials): boolean;
+export declare function requireAuth(): StoredCredentials;
+//# sourceMappingURL=storage.d.ts.map

package/dist/lib/auth/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/lib/auth/storage.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB,MAAM,MAAM,iBAAiB,GAAG;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE;QACJ,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IACF,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAKF,eAAO,MAAM,OAAO;iBAA2B,iBAAiB,GAAG,IAAI;EAOrE,CAAC;AAEH,wBAAgB,eAAe,CAAC,WAAW,EAAE,iBAAiB,GAAG,IAAI,CAEpE;AAED,wBAAgB,eAAe,IAAI,iBAAiB,GAAG,IAAI,CAgB1D;AAED,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC;AAED,wBAAgB,SAAS,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAEjE;AAED,wBAAgB,WAAW,IAAI,iBAAiB,CAY/C"}

package/dist/lib/auth/storage.js

@@ -0,0 +1,48 @@
+import Conf from "conf";
+import { log } from "@clack/prompts";
+// Support test configuration via environment variable
+const configPath = process.env.CLI_AUTH_CONFIG_PATH;
+export const storage = new Conf({
+    projectName: "complete-web-template",
+    configName: "auth",
+    cwd: configPath, // Use custom path if set (for tests)
+    defaults: {
+        credentials: null,
+    },
+});
+export function saveCredentials(credentials) {
+    storage.set("credentials", credentials);
+}
+export function loadCredentials() {
+    const raw = storage.get("credentials");
+    // Guard against corrupted storage (e.g., old version, partial write)
+    if (!raw ||
+        typeof raw !== "object" ||
+        !("accessToken" in raw) ||
+        !("user" in raw) ||
+        !("expiresAt" in raw)) {
+        clearCredentials();
+        return null;
+    }
+    return raw;
+}
+export function clearCredentials() {
+    storage.delete("credentials");
+}
+export function isExpired(credentials) {
+    return Date.now() > credentials.expiresAt;
+}
+export function requireAuth() {
+    const credentials = loadCredentials();
+    if (!credentials) {
+        log.error("Not logged in. Run 'auth login' first.");
+        process.exit(1);
+    }
+    if (isExpired(credentials)) {
+        log.error("Session expired. Run 'auth login' again.");
+        clearCredentials();
+        process.exit(1);
+    }
+    return credentials;
+}
+//# sourceMappingURL=storage.js.map

package/dist/lib/auth/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../../src/lib/auth/storage.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAC;AAarC,sDAAsD;AACtD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;AAEpD,MAAM,CAAC,MAAM,OAAO,GAAG,IAAI,IAAI,CAA4C;IACzE,WAAW,EAAE,uBAAuB;IACpC,UAAU,EAAE,MAAM;IAClB,GAAG,EAAE,UAAU,EAAE,qCAAqC;IACtD,QAAQ,EAAE;QACR,WAAW,EAAE,IAAI;KAClB;CACF,CAAC,CAAC;AAEH,MAAM,UAAU,eAAe,CAAC,WAA8B;IAC5D,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAEvC,qEAAqE;IACrE,IACE,CAAC,GAAG;QACJ,OAAO,GAAG,KAAK,QAAQ;QACvB,CAAC,CAAC,aAAa,IAAI,GAAG,CAAC;QACvB,CAAC,CAAC,MAAM,IAAI,GAAG,CAAC;QAChB,CAAC,CAAC,WAAW,IAAI,GAAG,CAAC,EACrB,CAAC;QACD,gBAAgB,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,GAAwB,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,WAA8B;IACtD,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,WAAW;IACzB,MAAM,WAAW,GAAG,eAAe,EAAE,CAAC;IACtC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,GAAG,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,IAAI,SAAS,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3B,GAAG,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACtD,gBAAgB,EAAE,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@nesalia/cli",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Nesalia CLI — Manage your account and organizations",
+  "license": "MIT",
+  "bin": {
+    "nesalia": "./dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "typecheck": "tsc --noEmit",
+    "lint": "echo 'skip'",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:ui": "vitest --ui"
+  },
+  "dependencies": {
+    "@clack/prompts": "^0.8.0",
+    "@trpc/client": "^11.17.0",
+    "better-auth": "1.6.6",
+    "commander": "^13.0.0",
+    "conf": "^12.0.0",
+    "open": "^10.0.0"
+  },
+  "devDependencies": {
+    "@complete-web-template/api": "workspace:*",
+    "@complete-web-template/test-utils": "workspace:*",
+    "@types/node": "^22.0.0",
+    "vitest": "^4.1.7"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/CLAUDE.md

@@ -0,0 +1,83 @@
+# CLAUDE.md — @nesalia/cli
+
+## Overview
+
+The CLI is a standalone Node.js binary for managing account authentication. It uses OAuth 2.0 Device Authorization Grant (RFC 8628) via Better Auth's `deviceAuthorizationClient` plugin.
+
+## Commands
+
+```
+nesalia auth login   — Start device authorization flow
+nesalia auth status  — Check authentication status
+nesalia auth logout  — Clear stored credentials
+```
+
+Commands are defined with [Commander](https://www.npmjs.com/package/commander). Each command is a separate file under `src/commands/auth/`.
+
+## Architecture
+
+```
+src/
+├── index.ts               # Commander entry point — routes to commands
+└── commands/
+    ├── index.ts           # Barrel: re-exports login, status, logout
+    └── auth/
+        ├── index.ts       # Barrel: re-exports from login/status/logout
+        ├── login.ts       # login command
+        ├── status.ts     # status command
+        └── logout.ts     # logout command
+
+src/lib/auth/
+├── client.ts      # authClient singleton (createAuthClient + deviceAuthorizationClient)
+├── device-flow.ts # startDeviceFlow() — handles the OAuth2 device flow
+└── storage.ts    # saveCredentials / loadCredentials / clearCredentials (conf package)
+```
+
+## Auth client
+
+The client is a singleton exported from `lib/auth/client.ts`. It is created once at module load time with the base URL from environment variables.
+
+```typescript
+import { authClient } from "./lib/auth/client.js";
+```
+
+No factory function — export directly. The client is used by:
+- `device-flow.ts` → for `device.code()` and `device.token()` polling
+- `status.ts` → for `getSession()` to verify the stored token
+
+## Environment Variables
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `CLI_AUTH_API_URL` | `http://localhost:3000` | Auth server base URL |
+| `CLI_AUTH_CLIENT_ID` | `"nesalia"` | OAuth client identifier |
+| `CLI_AUTH_CONFIG_PATH` | OS default | Path for `conf` storage (tests only) |
+
+## Output
+
+All output uses `@clack/prompts` (`log.info`, `log.success`, `log.warn`, `log.error`). Never use `console.log` / `console.error`.
+
+## Development
+
+```bash
+pnpm --filter @nesalia/cli build   # Compile TypeScript
+pnpm --filter @nesalia/cli test   # Run tests (Vitest)
+```
+
+Tests mock `@clack/prompts` at the top level. Each test re-imports `log` dynamically to access the mock:
+
+```typescript
+vi.mock("@clack/prompts", () => ({
+  log: { info: vi.fn(), success: vi.fn(), ... },
+}));
+
+const { log } = await import("@clack/prompts");
+expect(log.info).toHaveBeenCalledWith("...");
+```
+
+## Key Conventions
+
+- **Commands are `const` arrow functions** — not `async function`.
+- **`startDeviceFlow()` takes no arguments** — it reads `baseURL` from the `authClient` singleton.
+- **Polling has a 30-minute timeout** — throws if the user never approves.
+- **Never hardcode credentials** — all auth state flows through `storage.ts`.

package/src/commands/auth/index.ts

@@ -0,0 +1,3 @@
+export { login } from "./login.js";
+export { status } from "./status.js";
+export { logout } from "./logout.js";

package/src/commands/auth/login.ts

@@ -0,0 +1,20 @@
+import { log } from "@clack/prompts";
+import { saveCredentials, type StoredCredentials, startDeviceFlow } from "../../lib/auth/index.js";
+
+export const login = async (): Promise<void> => {
+  try {
+    const result = await startDeviceFlow();
+
+    const credentials: StoredCredentials = {
+      accessToken: result.accessToken,
+      user: result.user,
+      expiresAt: Date.now() + 30 * 24 * 60 * 60 * 1000, // 30 days
+    };
+
+    saveCredentials(credentials);
+    log.success("Successfully logged in!");
+  } catch (error) {
+    log.error(error instanceof Error ? error.message : "Unknown error");
+    process.exit(1);
+  }
+};

package/src/commands/auth/logout.ts

@@ -0,0 +1,25 @@
+import { log } from "@clack/prompts";
+import { loadCredentials, clearCredentials, authClient } from "../../lib/auth/index.js";
+
+export const logout = async (): Promise<void> => {
+  const credentials = loadCredentials();
+
+  if (!credentials) {
+    log.info("Not logged in.");
+    return;
+  }
+
+  // Invalidate token on the server (best effort)
+  try {
+    await authClient.signOut({
+      fetchOptions: {
+        headers: { Authorization: `Bearer ${credentials.accessToken}` },
+      },
+    });
+  } catch {
+    // Non-fatal: the token might already be expired or revoked
+  }
+
+  clearCredentials();
+  log.success("Successfully logged out.");
+};

package/src/commands/auth/status.ts

@@ -0,0 +1,37 @@
+import { log } from "@clack/prompts";
+import { loadCredentials, clearCredentials, isExpired, authClient } from "../../lib/auth/index.js";
+
+export const status = async (): Promise<void> => {
+  const credentials = loadCredentials();
+
+  if (!credentials) {
+    log.info("Not logged in. Run 'auth login' to authenticate.");
+    return;
+  }
+
+  if (isExpired(credentials)) {
+    log.warn("Session expired. Run 'auth login' to authenticate again.");
+    clearCredentials();
+    return;
+  }
+
+  // Verify the session with the server
+  try {
+    const response = await authClient.getSession({
+      fetchOptions: {
+        headers: { Authorization: `Bearer ${credentials.accessToken}` },
+      },
+    });
+
+    if (response?.data?.user) {
+      const { name, email } = response.data.user;
+      log.success(`Logged in as ${name} (${email})`);
+      return;
+    }
+  } catch (error) {
+    log.warn(`Could not verify session with server — using cached credentials.`);
+  }
+
+  // Fall back to local credentials
+  log.success(`Logged in as ${credentials.user.name} (${credentials.user.email})`);
+};

package/src/commands/index.ts

@@ -0,0 +1 @@
+export { login, status, logout } from "./auth/index.js";