@occam-scaly/scaly-cli 0.2.7 → 0.2.8

package/bin/scaly.js

@@ -487,28 +487,14 @@ async function sourceLocalEnv() {
 }
 
 async function importHelpers() {
-  const {
-    SecretsManagerClient,
-    GetSecretValueCommand
-  } = require('@aws-sdk/client-secrets-manager');
-  const {
-    CloudWatchLogsClient,
-    DescribeLogStreamsCommand
-  } = require('@aws-sdk/client-cloudwatch-logs');
-  const {
-    ECSClient,
-    ListClustersCommand,
-    ListServicesCommand,
-    DescribeServicesCommand,
-    ListTasksCommand,
-    DescribeTasksCommand
-  } = require('@aws-sdk/client-ecs');
-  const {
-    ElasticLoadBalancingV2Client,
-    DescribeTargetGroupsCommand,
-    DescribeTargetHealthCommand
-  } = require('@aws-sdk/client-elastic-load-balancing-v2');
   const axios = require('axios');
+  const { resolveApiEndpoint } = require('../lib/scaly-api');
+  const { normalizeStage, readAuthStore } = require('../lib/scaly-auth');
+
+  // Ensure API endpoint is set for common commands (db/secrets/etc).
+  if (!process.env.API_ENDPOINT && !process.env.SCALY_API_URL) {
+    process.env.API_ENDPOINT = resolveApiEndpoint();
+  }
 
   const API = () => process.env.API_ENDPOINT;
   const deriveDomain = () => {
@@ -528,12 +514,48 @@ async function importHelpers() {
     })[String(r || '').toUpperCase()] || null;
 
   async function getToken() {
-    // Prefer stored bearer token or env override to avoid aws-vault
+    // Prefer stored bearer token or env override.
     const t = getStoredBearer();
     if (t) return t;
     if (process.env.SCALY_API_BEARER) return process.env.SCALY_API_BEARER;
-    if (!process.env.COGNITO_SECRET) throw new Error('COGNITO_SECRET not set');
+
+    // Prefer a Scaly session token from `scaly auth login`.
+    if (process.env.SCALY_OIDC_TOKEN) return process.env.SCALY_OIDC_TOKEN;
+    const found = readAuthStore();
+    if (found && found.session && found.session.access_token) {
+      const s = found.session;
+      const expMs = typeof s.expires_at === 'number' ? s.expires_at : null;
+      const stage = normalizeStage(
+        s.stage || process.env.SCALY_STAGE || 'prod'
+      );
+      if (!process.env.SCALY_STAGE) process.env.SCALY_STAGE = stage;
+      if (expMs && Date.now() >= expMs) {
+        const e = new Error(
+          `Your Scaly session token expired. Run: scaly auth login --stage ${stage}`
+        );
+        e.code = 'TOKEN_EXPIRED';
+        throw e;
+      }
+      return s.access_token;
+    }
+
+    // Internal-only fallback (dev tooling): Cognito client credentials via AWS Secrets Manager.
+    if (!process.env.COGNITO_SECRET) {
+      const stage = normalizeStage(process.env.SCALY_STAGE || 'prod');
+      const e = new Error(
+        `Not authenticated. Run: scaly auth login --stage ${stage}`
+      );
+      e.code = 'SCALY_AUTH_REQUIRED';
+      throw e;
+    }
     const region = process.env.COGNITO_SECRET_REGION || 'ca-central-1';
+    console.error(
+      '[warn] Using COGNITO_SECRET flow (internal dev only). Prefer: scaly auth login'
+    );
+    const {
+      SecretsManagerClient,
+      GetSecretValueCommand
+    } = require('@aws-sdk/client-secrets-manager');
     const sm = new SecretsManagerClient({ region });
     const res = await sm.send(
       new GetSecretValueCommand({ SecretId: process.env.COGNITO_SECRET })
@@ -571,9 +593,13 @@ async function importHelpers() {
   }
 
   function elbClient(region, creds) {
+    const {
+      ElasticLoadBalancingV2Client
+    } = require('@aws-sdk/client-elastic-load-balancing-v2');
     return new ElasticLoadBalancingV2Client({ region, credentials: creds });
   }
   function ecsClient(region, creds) {
+    const { ECSClient } = require('@aws-sdk/client-ecs');
     return new ECSClient({ region, credentials: creds });
   }
 
@@ -599,6 +625,10 @@ async function importHelpers() {
 
   async function checkCloudwatchLogs(accountId, appId, region) {
     try {
+      const {
+        CloudWatchLogsClient,
+        DescribeLogStreamsCommand
+      } = require('@aws-sdk/client-cloudwatch-logs');
       const cwl = new CloudWatchLogsClient({ region });
       const group = `/scaly/account/${accountId}`;
       const cmd = new DescribeLogStreamsCommand({
@@ -2284,6 +2314,36 @@ async function runSecrets(sub, rest) {
   const json = parseBool(f.json, false);
 
   // OIDC-only for build secrets.
+  try {
+    const { resolveApiEndpoint } = require('../lib/scaly-api');
+    const { normalizeStage, readAuthStore } = require('../lib/scaly-auth');
+    if (!process.env.API_ENDPOINT && !process.env.SCALY_API_URL) {
+      process.env.API_ENDPOINT = resolveApiEndpoint();
+    }
+
+    const found = readAuthStore();
+    if (
+      found &&
+      found.session &&
+      found.session.access_token &&
+      !process.env.SCALY_API_BEARER
+    ) {
+      const expMs =
+        typeof found.session.expires_at === 'number'
+          ? found.session.expires_at
+          : null;
+      const stage = normalizeStage(
+        found.session.stage || process.env.SCALY_STAGE || 'prod'
+      );
+      if (!process.env.SCALY_STAGE) process.env.SCALY_STAGE = stage;
+      if (expMs && Date.now() >= expMs) {
+        // Fall through to error message below.
+      } else {
+        process.env.SCALY_API_BEARER = found.session.access_token;
+      }
+    }
+  } catch {}
+
   try {
     const t = getStoredBearer();
     if (t && !process.env.SCALY_API_BEARER) process.env.SCALY_API_BEARER = t;
@@ -2295,8 +2355,8 @@ async function runSecrets(sub, rest) {
     process.env.API_BEARER;
   if (!bearer || !isProbablyJwt(bearer)) {
     const msg =
-      'secrets commands require a Cognito OIDC access token (JWT). ' +
-      'Run `scaly login --token <access_token_jwt>` first.';
+      'secrets commands require a Scaly session token (JWT). ' +
+      'Run `scaly auth login` first.';
     if (json)
       console.log(JSON.stringify({ ok: false, error: { message: msg } }));
     else console.error(msg);
@@ -2566,7 +2626,7 @@ async function mintDbProxyInfo(rest) {
   const bearer = await getToken();
   if (!isProbablyJwt(bearer)) {
     const e = new Error(
-      'db commands require a Cognito OIDC access token (JWT) in Authorization: Bearer.'
+      'db commands require a Scaly session token (JWT). Run `scaly auth login` first.'
     );
     e.code = 'SCALY_DB_JWT_REQUIRED';
     throw e;
@@ -3059,6 +3119,17 @@ async function runDiagnoseApp(rest) {
     });
     const c = credsRes?.issueAwsCredentials;
     if (c?.accessKeyId) {
+      const {
+        DescribeTargetGroupsCommand,
+        DescribeTargetHealthCommand
+      } = require('@aws-sdk/client-elastic-load-balancing-v2');
+      const {
+        ListClustersCommand,
+        ListServicesCommand,
+        DescribeServicesCommand,
+        ListTasksCommand,
+        DescribeTasksCommand
+      } = require('@aws-sdk/client-ecs');
       const creds = makeCreds(c);
       // Target group heuristic: scaly-<first8-of-stackId>
       const shortId = String(stackId).split('-')[0];

package/lib/scaly-api.js

@@ -140,7 +140,7 @@ function buildHeaders(auth) {
   };
 }
 
-async function graphqlRequest(query, variables) {
+async function graphqlRequest(query, variables, extraHeaders) {
   const endpoint = resolveApiEndpoint();
   const auth = resolveAuth();
   if (!auth) {
@@ -156,7 +156,10 @@ async function graphqlRequest(query, variables) {
     {
       headers: {
         'content-type': 'application/json',
-        ...buildHeaders(auth)
+        ...buildHeaders(auth),
+        ...(extraHeaders && typeof extraHeaders === 'object'
+          ? extraHeaders
+          : {})
       },
       timeout: 60_000
     }
@@ -381,63 +384,111 @@ async function listAddOnsByType({ accountId, type, take = 10 }) {
   return data?.listAddOns || [];
 }
 
-async function createStack({ accountId, name, size, minIdle }) {
-  const data = await graphqlRequest(MUTATIONS.createStack, {
-    data: {
-      name,
-      size,
-      minIdle: typeof minIdle === 'number' ? minIdle : undefined,
-      account: { connect: { id: accountId } }
-    }
-  });
+async function createStack({
+  accountId,
+  name,
+  size,
+  minIdle,
+  executionGroupId
+}) {
+  const data = await graphqlRequest(
+    MUTATIONS.createStack,
+    {
+      data: {
+        name,
+        size,
+        minIdle: typeof minIdle === 'number' ? minIdle : undefined,
+        account: { connect: { id: accountId } }
+      }
+    },
+    executionGroupId
+      ? { 'x-scaly-execution-group-id': executionGroupId }
+      : undefined
+  );
   return data?.createStack;
 }
 
-async function updateStack({ id, name, size, minIdle }) {
-  const data = await graphqlRequest(MUTATIONS.updateStack, {
-    where: { id },
-    data: {
-      name: name || undefined,
-      size: size || undefined,
-      minIdle: typeof minIdle === 'number' ? minIdle : undefined
-    }
-  });
+async function updateStack({ id, name, size, minIdle, executionGroupId }) {
+  const data = await graphqlRequest(
+    MUTATIONS.updateStack,
+    {
+      where: { id },
+      data: {
+        name: name || undefined,
+        size: size || undefined,
+        minIdle: typeof minIdle === 'number' ? minIdle : undefined
+      }
+    },
+    executionGroupId
+      ? { 'x-scaly-execution-group-id': executionGroupId }
+      : undefined
+  );
   return data?.updateStack;
 }
 
-async function createApp({ accountId, stackId, name, minIdle }) {
-  const data = await graphqlRequest(MUTATIONS.createApp, {
-    data: {
-      name,
-      minIdle: typeof minIdle === 'number' ? minIdle : undefined,
-      account: { connect: { id: accountId } },
-      stack: stackId ? { connect: { id: stackId } } : undefined
-    }
-  });
+async function createApp({
+  accountId,
+  stackId,
+  name,
+  minIdle,
+  executionGroupId
+}) {
+  const data = await graphqlRequest(
+    MUTATIONS.createApp,
+    {
+      data: {
+        name,
+        minIdle: typeof minIdle === 'number' ? minIdle : undefined,
+        account: { connect: { id: accountId } },
+        stack: stackId ? { connect: { id: stackId } } : undefined
+      }
+    },
+    executionGroupId
+      ? { 'x-scaly-execution-group-id': executionGroupId }
+      : undefined
+  );
   return data?.createApp;
 }
 
-async function updateApp({ id, stackId, name, minIdle }) {
-  const data = await graphqlRequest(MUTATIONS.updateApp, {
-    where: { id },
-    data: {
-      name: name || undefined,
-      minIdle: typeof minIdle === 'number' ? minIdle : undefined,
-      stack: stackId ? { connect: { id: stackId } } : undefined
-    }
-  });
+async function updateApp({ id, stackId, name, minIdle, executionGroupId }) {
+  const data = await graphqlRequest(
+    MUTATIONS.updateApp,
+    {
+      where: { id },
+      data: {
+        name: name || undefined,
+        minIdle: typeof minIdle === 'number' ? minIdle : undefined,
+        stack: stackId ? { connect: { id: stackId } } : undefined
+      }
+    },
+    executionGroupId
+      ? { 'x-scaly-execution-group-id': executionGroupId }
+      : undefined
+  );
   return data?.updateApp;
 }
 
-async function createAddOn({ accountId, name, type, database }) {
-  const data = await graphqlRequest(MUTATIONS.createAddOn, {
-    data: {
-      name,
-      type,
-      account: { connect: { id: accountId } },
-      addOnDatabase: database ? { create: database } : undefined
-    }
-  });
+async function createAddOn({
+  accountId,
+  name,
+  type,
+  database,
+  executionGroupId
+}) {
+  const data = await graphqlRequest(
+    MUTATIONS.createAddOn,
+    {
+      data: {
+        name,
+        type,
+        account: { connect: { id: accountId } },
+        addOnDatabase: database ? { create: database } : undefined
+      }
+    },
+    executionGroupId
+      ? { 'x-scaly-execution-group-id': executionGroupId }
+      : undefined
+  );
   return data?.createAddOn;
 }
 

package/lib/scaly-apply.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const api = require('./scaly-api');
+const { randomUUID } = require('crypto');
 
 async function applyPlan({ config, plan, autoApprove = false }) {
   const actionable = (plan.operations || []).filter(
@@ -8,6 +9,7 @@ async function applyPlan({ config, plan, autoApprove = false }) {
   );
 
   const results = [];
+  const executionGroupId = randomUUID();
 
   let createdStack = null;
   let stackId = null;
@@ -20,7 +22,8 @@ async function applyPlan({ config, plan, autoApprove = false }) {
         accountId: op.desired.accountId,
         name: op.desired.name,
         size: op.desired.size,
-        minIdle: op.desired.minIdle
+        minIdle: op.desired.minIdle,
+        executionGroupId
       });
       createdStack = res;
       stackId = res?.id || stackId;
@@ -33,7 +36,8 @@ async function applyPlan({ config, plan, autoApprove = false }) {
         id: op.resource.id,
         name: op.desired.name,
         size: op.desired.size,
-        minIdle: op.desired.minIdle
+        minIdle: op.desired.minIdle,
+        executionGroupId
       });
       stackId = res?.id || stackId;
       results.push({ op_id: op.id, ok: true, result: res });
@@ -48,7 +52,8 @@ async function applyPlan({ config, plan, autoApprove = false }) {
       const res = await api.createApp({
         accountId: op.desired.accountId,
         stackId,
-        name: op.desired.name
+        name: op.desired.name,
+        executionGroupId
       });
       results.push({ op_id: op.id, ok: true, result: res });
       continue;
@@ -59,7 +64,8 @@ async function applyPlan({ config, plan, autoApprove = false }) {
         accountId: op.desired.accountId,
         name: op.desired.name,
         type: op.desired.type,
-        database: op.desired.database || undefined
+        database: op.desired.database || undefined,
+        executionGroupId
       });
       results.push({ op_id: op.id, ok: true, result: res });
       continue;
@@ -76,6 +82,7 @@ async function applyPlan({ config, plan, autoApprove = false }) {
   return {
     ok,
     auto_approve: !!autoApprove,
+    execution_group_id: executionGroupId,
     applied: actionable.length,
     results,
     created_stack_id: createdStack?.id || null

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@occam-scaly/scaly-cli",
-  "version": "0.2.7",
+  "version": "0.2.8",
   "description": "Scaly CLI (auth + project config helpers)",
   "bin": {
     "scaly": "./bin/scaly.js"