@occam-scaly/scaly-cli 0.1.0

package/lib/scaly-auth.js

@@ -0,0 +1,411 @@
+'use strict';
+
+const crypto = require('crypto');
+const fs = require('fs');
+const http = require('http');
+const os = require('os');
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+function normalizeStage(stage) {
+  const s = String(stage || '')
+    .trim()
+    .toLowerCase();
+  if (!s) return 'prod';
+  if (s === 'production') return 'prod';
+  if (s === 'staging') return 'qa';
+  return s;
+}
+
+function resolveScalyDomain(stage) {
+  const s = normalizeStage(stage);
+  if (s === 'prod') return 'scalyapps.io';
+  return `${s}.scalyapps.io`;
+}
+
+function getConfigDir() {
+  const base =
+    process.env.SCALY_CONFIG_DIR ||
+    process.env.XDG_CONFIG_HOME ||
+    path.join(os.homedir(), '.config');
+  return path.join(base, 'scaly');
+}
+
+function getAuthStorePath() {
+  return path.join(getConfigDir(), 'auth.json');
+}
+
+function decodeBase64Url(input) {
+  const padLen = (4 - (input.length % 4)) % 4;
+  const padded =
+    input.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padLen);
+  return Buffer.from(padded, 'base64').toString('utf8');
+}
+
+function tryGetJwtExpMs(token) {
+  if (!token || typeof token !== 'string') return null;
+  const parts = token.split('.');
+  if (parts.length !== 3) return null;
+  try {
+    const payloadJson = decodeBase64Url(parts[1] || '');
+    const payload = JSON.parse(payloadJson);
+    const exp = payload && payload.exp;
+    return typeof exp === 'number' ? exp * 1000 : null;
+  } catch {
+    return null;
+  }
+}
+
+function safeJsonParse(text) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+
+function readAuthStore() {
+  const p = process.env.SCALY_AUTH_STORE_PATH || getAuthStorePath();
+  try {
+    const text = fs.readFileSync(p, 'utf8');
+    const obj = safeJsonParse(text);
+    if (!obj || typeof obj !== 'object') return null;
+    if (!obj.access_token || typeof obj.access_token !== 'string') return null;
+    return { path: p, session: obj };
+  } catch {
+    return null;
+  }
+}
+
+function ensureFilePerms0600(p) {
+  try {
+    fs.chmodSync(p, 0o600);
+  } catch {}
+}
+
+function writeAuthStore(session) {
+  const dir = getConfigDir();
+  const p = process.env.SCALY_AUTH_STORE_PATH || getAuthStorePath();
+  fs.mkdirSync(dir, { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(session, null, 2));
+  ensureFilePerms0600(p);
+  return p;
+}
+
+function clearAuthStore() {
+  const p = process.env.SCALY_AUTH_STORE_PATH || getAuthStorePath();
+  try {
+    fs.unlinkSync(p);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function openUrl(url) {
+  const plat = process.platform;
+  const trySpawn = (cmd, args) => {
+    const res = spawnSync(cmd, args, { stdio: 'ignore', shell: false });
+    return res && res.status === 0;
+  };
+  if (plat === 'darwin') return trySpawn('open', [url]);
+  if (plat === 'win32') return trySpawn('cmd', ['/c', 'start', '', url]);
+  return trySpawn('xdg-open', [url]);
+}
+
+function base64UrlEncode(buf) {
+  return Buffer.from(buf)
+    .toString('base64')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '');
+}
+
+function createPkcePair() {
+  const verifier = base64UrlEncode(crypto.randomBytes(32));
+  const challenge = base64UrlEncode(
+    crypto.createHash('sha256').update(verifier).digest()
+  );
+  return { verifier, challenge };
+}
+
+async function fetchScalyOidcConfig({ stage, domainOverride }) {
+  const axios = require('axios');
+  const stageNorm = normalizeStage(stage);
+  const domain = domainOverride || resolveScalyDomain(stageNorm);
+  const url = `https://${domain}/.well-known/scaly-oidc.json`;
+  const res = await axios.get(url, {
+    timeout: 15_000,
+    validateStatus: () => true
+  });
+  if (res.status !== 200 || !res.data || typeof res.data !== 'object') {
+    const e = new Error(`Failed to fetch ${url} (HTTP ${res.status})`);
+    e.code = 'SCALY_OIDC_CONFIG_FETCH_FAILED';
+    throw e;
+  }
+  return { domain, stage: stageNorm, config: res.data };
+}
+
+function pick(obj, keys) {
+  const out = {};
+  for (const k of keys) {
+    if (obj && Object.prototype.hasOwnProperty.call(obj, k)) out[k] = obj[k];
+  }
+  return out;
+}
+
+async function oauthPkceLogin({
+  authorizationEndpoint,
+  tokenEndpoint,
+  clientId,
+  redirectUri,
+  scopes,
+  noOpen
+}) {
+  const axios = require('axios');
+  const { verifier, challenge } = createPkcePair();
+  const state = base64UrlEncode(crypto.randomBytes(16));
+
+  const authUrl = new URL(authorizationEndpoint);
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('client_id', clientId);
+  authUrl.searchParams.set('redirect_uri', redirectUri);
+  authUrl.searchParams.set('scope', scopes.join(' '));
+  authUrl.searchParams.set('state', state);
+  authUrl.searchParams.set('code_challenge', challenge);
+  authUrl.searchParams.set('code_challenge_method', 'S256');
+
+  const redirect = new URL(redirectUri);
+  const expectedPath = redirect.pathname || '/';
+  const expectedPort = Number(redirect.port || '80');
+
+  const code = await new Promise((resolve, reject) => {
+    const server = http.createServer((req, res) => {
+      try {
+        const reqUrl = new URL(req.url || '/', redirectUri);
+        if (reqUrl.pathname !== expectedPath) {
+          res.statusCode = 404;
+          res.end('Not found');
+          return;
+        }
+        const gotState = reqUrl.searchParams.get('state');
+        const gotCode = reqUrl.searchParams.get('code');
+        const gotErr = reqUrl.searchParams.get('error');
+        if (gotErr) {
+          res.statusCode = 400;
+          res.end(`Login failed: ${gotErr}`);
+          reject(new Error(`OAuth error: ${gotErr}`));
+          server.close();
+          return;
+        }
+        if (!gotCode || gotState !== state) {
+          res.statusCode = 400;
+          res.end('Invalid OAuth callback');
+          reject(new Error('Invalid OAuth callback (missing code or state)'));
+          server.close();
+          return;
+        }
+        res.statusCode = 200;
+        res.setHeader('content-type', 'text/plain');
+        res.end('Scaly CLI login complete. You can close this tab.');
+        resolve(gotCode);
+        server.close();
+      } catch (e) {
+        reject(e);
+        try {
+          server.close();
+        } catch {}
+      }
+    });
+
+    server.listen(expectedPort, redirect.hostname, () => {
+      if (noOpen) {
+        console.log(authUrl.toString());
+      } else {
+        const opened = openUrl(authUrl.toString());
+        if (!opened) console.log(authUrl.toString());
+      }
+    });
+
+    server.on('error', (e) => reject(e));
+  });
+
+  const tokenRes = await axios.post(
+    tokenEndpoint,
+    new URLSearchParams({
+      grant_type: 'authorization_code',
+      client_id: clientId,
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: verifier
+    }).toString(),
+    {
+      headers: { 'content-type': 'application/x-www-form-urlencoded' },
+      timeout: 30_000,
+      validateStatus: () => true
+    }
+  );
+
+  if (tokenRes.status !== 200 || !tokenRes.data) {
+    const e = new Error(`Token exchange failed (HTTP ${tokenRes.status})`);
+    e.code = 'SCALY_OIDC_TOKEN_EXCHANGE_FAILED';
+    e.details = tokenRes.data;
+    throw e;
+  }
+
+  const data = tokenRes.data;
+  const accessToken = data.access_token;
+  if (!accessToken)
+    throw new Error('Token exchange did not return access_token');
+
+  const expiresInSec =
+    typeof data.expires_in === 'number'
+      ? data.expires_in
+      : Number(data.expires_in || 0) || null;
+  const jwtExpMs = tryGetJwtExpMs(accessToken);
+  const expiresAt =
+    jwtExpMs || (expiresInSec ? Date.now() + expiresInSec * 1000 : null);
+
+  return {
+    access_token: accessToken,
+    refresh_token: data.refresh_token || null,
+    id_token: data.id_token || null,
+    token_type: data.token_type || 'Bearer',
+    expires_at: expiresAt
+  };
+}
+
+async function runAuthLogin(flags) {
+  const stage = normalizeStage(
+    flags.stage || process.env.SCALY_STAGE || 'prod'
+  );
+  const domainOverride = flags.domain || null;
+  const noOpen = String(flags['no-open'] || '').toLowerCase() === 'true';
+
+  const { domain, config } = await fetchScalyOidcConfig({
+    stage,
+    domainOverride
+  });
+
+  const oauth = config.oauth || {};
+  const clientId = config.client_id;
+  const redirectUri = config.redirect_uri;
+  const scopes = Array.isArray(config.scopes)
+    ? config.scopes
+    : ['openid', 'profile', 'email'];
+
+  if (
+    !clientId ||
+    !redirectUri ||
+    !oauth.authorization_endpoint ||
+    !oauth.token_endpoint
+  ) {
+    const e = new Error(
+      'Incomplete OIDC config from Scaly. Missing client_id/redirect_uri/oauth endpoints.'
+    );
+    e.code = 'SCALY_OIDC_CONFIG_INVALID';
+    e.details = pick(config, ['client_id', 'redirect_uri', 'oauth']);
+    throw e;
+  }
+
+  const tokens = await oauthPkceLogin({
+    authorizationEndpoint: oauth.authorization_endpoint,
+    tokenEndpoint: oauth.token_endpoint,
+    clientId,
+    redirectUri,
+    scopes,
+    noOpen
+  });
+
+  const session = {
+    version: 1,
+    stage,
+    domain,
+    client_id: clientId,
+    scopes,
+    issued_at: Date.now(),
+    expires_at: tokens.expires_at,
+    access_token: tokens.access_token,
+    refresh_token: tokens.refresh_token,
+    id_token: tokens.id_token
+  };
+
+  const p = writeAuthStore(session);
+  console.log(`Saved Scaly session to ${p}`);
+  return 0;
+}
+
+function runAuthStatus(flags) {
+  const found = readAuthStore();
+  const json = String(flags.json || '').toLowerCase() === 'true';
+  if (!found) {
+    if (json) console.log(JSON.stringify({ authenticated: false }));
+    else console.log('Not authenticated. Run: scaly auth login');
+    return 1;
+  }
+
+  const s = found.session;
+  const expMs =
+    typeof s.expires_at === 'number'
+      ? s.expires_at
+      : tryGetJwtExpMs(s.access_token) || null;
+  const expiresInSec = expMs
+    ? Math.max(0, Math.floor((expMs - Date.now()) / 1000))
+    : null;
+
+  const out = {
+    authenticated: true,
+    stage: s.stage || null,
+    domain: s.domain || null,
+    expires_in_seconds: expiresInSec,
+    expired_at:
+      expMs && expMs <= Date.now() ? new Date(expMs).toISOString() : null,
+    store_path: found.path
+  };
+
+  if (json) console.log(JSON.stringify(out));
+  else {
+    console.log(
+      `Authenticated (${out.stage || 'unknown'}). Expires in ${
+        out.expires_in_seconds === null
+          ? 'unknown'
+          : `${out.expires_in_seconds}s`
+      }.`
+    );
+  }
+
+  return 0;
+}
+
+function runAuthLogout(flags) {
+  const json = String(flags.json || '').toLowerCase() === 'true';
+  const ok = clearAuthStore();
+  if (json) console.log(JSON.stringify({ ok }));
+  else console.log(ok ? 'Logged out.' : 'No auth session found.');
+  return ok ? 0 : 1;
+}
+
+async function runAuth(sub, flags) {
+  const action = String(sub || '')
+    .trim()
+    .toLowerCase();
+  if (!action || action === 'help' || action === '--help' || action === '-h') {
+    console.log(
+      `Usage:\n  scaly auth login [--stage prod|dev|qa] [--no-open]\n  scaly auth status [--json]\n  scaly auth logout [--json]\n`
+    );
+    return 0;
+  }
+  if (action === 'login') return await runAuthLogin(flags);
+  if (action === 'status') return runAuthStatus(flags);
+  if (action === 'logout') return runAuthLogout(flags);
+  console.error(`Unknown auth command: ${action}`);
+  return 2;
+}
+
+module.exports = {
+  normalizeStage,
+  resolveScalyDomain,
+  getAuthStorePath,
+  readAuthStore,
+  runAuth
+};

package/lib/scaly-deploy.js

@@ -0,0 +1,137 @@
+'use strict';
+
+const api = require('./scaly-api');
+
+const GET_APP = `
+  query GetApp($where: AppWhereUniqueInput!) {
+    getApp(where: $where) {
+      id
+      name
+      accountId
+      stackId
+    }
+  }
+`;
+
+const GET_APP_GIT_SOURCE = `
+  query GetAppGitSource($appId: String!) {
+    getAppGitSource(appId: $appId) {
+      id
+      provider
+      repoFullName
+      branch
+      path
+      autoDeploy
+    }
+  }
+`;
+
+const TRIGGER_GIT_DEPLOY = `
+  mutation TriggerGitDeploy($appId: String!) {
+    triggerGitDeploy(appId: $appId) {
+      id
+      status
+      triggeredAt
+    }
+  }
+`;
+
+const LIST_GIT_DEPLOYMENTS = `
+  query ListGitDeployments($appId: String!, $limit: Int) {
+    listGitDeployments(appId: $appId, limit: $limit) {
+      id
+      status
+      trigger
+      branch
+      commitSha
+      commitMessage
+      commitAuthor
+      triggeredAt
+      startedAt
+      finishedAt
+      errorMessage
+      deploymentId
+    }
+  }
+`;
+
+const RESTART_STACK_SERVICES = `
+  mutation RestartStackServices($stackId: String!) {
+    restartStackServices(stackId: $stackId) {
+      id
+      status
+      step
+      progressPct
+      errorCode
+      errorMessage
+      remediationHint
+      queuedAt
+      startedAt
+      finishedAt
+      updatedAt
+    }
+  }
+`;
+
+const GET_DEPLOYMENT = `
+  query GetDeployment($where: DeploymentWhereUniqueInput!) {
+    getDeployment(where: $where) {
+      id
+      status
+      step
+      progressPct
+      errorCode
+      errorMessage
+      remediationHint
+      queuedAt
+      startedAt
+      finishedAt
+      updatedAt
+    }
+  }
+`;
+
+async function getAppBasic(appId) {
+  const data = await api.graphqlRequest(GET_APP, { where: { id: appId } });
+  return data?.getApp || null;
+}
+
+async function getAppGitSource(appId) {
+  try {
+    const data = await api.graphqlRequest(GET_APP_GIT_SOURCE, { appId });
+    return data?.getAppGitSource || null;
+  } catch {
+    return null;
+  }
+}
+
+async function triggerGitDeploy(appId) {
+  const data = await api.graphqlRequest(TRIGGER_GIT_DEPLOY, { appId });
+  return data?.triggerGitDeploy || null;
+}
+
+async function listGitDeployments(appId, limit = 10) {
+  const data = await api.graphqlRequest(LIST_GIT_DEPLOYMENTS, { appId, limit });
+  return data?.listGitDeployments || [];
+}
+
+async function restartStackServices(stackId) {
+  const data = await api.graphqlRequest(RESTART_STACK_SERVICES, { stackId });
+  return data?.restartStackServices || null;
+}
+
+async function getDeployment(deploymentId) {
+  const data = await api.graphqlRequest(GET_DEPLOYMENT, {
+    where: { id: deploymentId }
+  });
+  return data?.getDeployment || null;
+}
+
+module.exports = {
+  getAppBasic,
+  getAppGitSource,
+  triggerGitDeploy,
+  listGitDeployments,
+  restartStackServices,
+  getDeployment
+};

package/lib/scaly-logs.js

@@ -0,0 +1,110 @@
+'use strict';
+
+const api = require('./scaly-api');
+
+const GET_APP = `
+  query GetApp($where: AppWhereUniqueInput!) {
+    getApp(where: $where) {
+      id
+      name
+      accountId
+      stackId
+    }
+  }
+`;
+
+const GET_UNIFIED_LOGS = `
+  query GetUnifiedLogs($where: UnifiedLogsWhereInput!) {
+    getUnifiedLogs(where: $where) {
+      truncated
+      nextToken
+      cursorStart
+      cursorEnd
+      diagnosticsBundleUrl
+      events {
+        id
+        ts
+        message
+        level
+        source
+        appId
+        appName
+        stackId
+        stackName
+        deploymentId
+        logStreamName
+        ingestionTime
+        jsonPayload
+      }
+    }
+  }
+`;
+
+function parseTimeRangeToLookbackHours(timeRange) {
+  const m = String(timeRange || '')
+    .trim()
+    .match(/^(\d+)([smhd])$/i);
+  if (!m) return null;
+  const value = Number(m[1]);
+  const unit = m[2].toLowerCase();
+  if (!Number.isFinite(value) || value <= 0) return null;
+  switch (unit) {
+    case 's':
+      return value / 3600;
+    case 'm':
+      return value / 60;
+    case 'h':
+      return value;
+    case 'd':
+      return value * 24;
+    default:
+      return null;
+  }
+}
+
+function mapLevel(level) {
+  const l = String(level || 'all').toLowerCase();
+  if (l === 'all') return undefined;
+  if (l === 'error') return ['Error'];
+  if (l === 'warn') return ['Warn'];
+  if (l === 'info') return ['Info'];
+  if (l === 'debug') return ['Debug'];
+  return undefined;
+}
+
+async function getAppBasic(appId) {
+  const data = await api.graphqlRequest(GET_APP, { where: { id: appId } });
+  return data?.getApp || null;
+}
+
+async function getUnifiedLogs({
+  accountId,
+  appIds,
+  lookbackHours,
+  liveFromTs,
+  limit,
+  q,
+  level,
+  pageToken
+}) {
+  const where = {
+    accountId,
+    appIds,
+    lookbackHours,
+    liveFromTs,
+    limit,
+    q,
+    pageToken
+  };
+  const levels = mapLevel(level);
+  if (levels) where.levels = levels;
+
+  const data = await api.graphqlRequest(GET_UNIFIED_LOGS, { where });
+  return data?.getUnifiedLogs || null;
+}
+
+module.exports = {
+  parseTimeRangeToLookbackHours,
+  getAppBasic,
+  getUnifiedLogs
+};