@odeva/cli 0.0.1

package/dist/lib/api.js

@@ -0,0 +1,276 @@
+import { GraphQLClient, ClientError } from "graphql-request";
+import { loadCredentials } from "./credentials.js";
+import { ApiError, NotAuthenticatedError } from "./errors.js";
+import { DEFAULT_API_URL } from "./paths.js";
+class OdevaApi {
+  client;
+  endpoint;
+  authenticated;
+  constructor(opts = {}) {
+    const creds = opts.credentials ?? loadCredentials();
+    const apiUrl = opts.apiUrl ?? creds?.apiUrl ?? DEFAULT_API_URL;
+    this.endpoint = opts.endpoint ?? `${apiUrl.replace(/\/$/, "")}/graphql`;
+    this.authenticated = Boolean(creds?.token);
+    this.client = new GraphQLClient(this.endpoint, {
+      headers: {
+        ...creds?.token ? { authorization: `Bearer ${creds.token}` } : {},
+        ...creds?.organizationId ? { "x-organization-id": creds.organizationId } : {},
+        "user-agent": userAgent()
+      }
+    });
+  }
+  requireAuth() {
+    if (!this.authenticated) throw new NotAuthenticatedError();
+  }
+  async request(query, variables) {
+    try {
+      return await this.client.request(query, variables);
+    } catch (err) {
+      if (err instanceof ClientError) {
+        const gqlErrors = err.response.errors;
+        const first = gqlErrors?.[0]?.message ?? err.message;
+        throw new ApiError(`Odeva API error: ${first}`, {
+          graphqlErrors: gqlErrors
+        });
+      }
+      const message = err instanceof Error ? err.message : String(err);
+      throw new ApiError(`Could not reach ${this.endpoint}: ${message}`, {
+        hint: "Is the Odeva API running? Pass --api-url, or set ODEVA_API_URL."
+      });
+    }
+  }
+  /** Lightweight auth probe — succeeds if the token resolves to a user. */
+  async ping() {
+    this.requireAuth();
+    const data = await this.request(`
+      query OdevaCliWhoami { session { user { email } } }
+    `);
+    return { ok: true, email: data.session?.user?.email ?? null };
+  }
+  async session() {
+    this.requireAuth();
+    const data = await this.request(`
+      query OdevaCliSession {
+        session {
+          user { email }
+          organizations { id slug name }
+        }
+      }
+    `);
+    return {
+      email: data.session?.user?.email ?? null,
+      organizations: data.session?.organizations ?? []
+    };
+  }
+  async cliAuthBegin(hostname) {
+    const data = await this.request(
+      `mutation OdevaCliAuthBegin($hostname: String!) {
+        cliAuthBegin(hostname: $hostname) {
+          deviceCode
+          userCode
+          verificationUri
+          expiresIn
+          interval
+        }
+      }`,
+      { hostname }
+    );
+    return data.cliAuthBegin;
+  }
+  async cliAuthPoll(deviceCode) {
+    const data = await this.request(
+      `mutation OdevaCliAuthPoll($deviceCode: String!) {
+        cliAuthPoll(deviceCode: $deviceCode) {
+          status
+          token
+        }
+      }`,
+      { deviceCode }
+    );
+    return data.cliAuthPoll;
+  }
+  async listDeveloperApps() {
+    const data = await this.request(`
+      query OdevaCliListDeveloperApps {
+        developerApps {
+          id
+          name
+          slug
+          clientId
+          homepageUrl
+          installUrl
+          webhookUrl
+          requestedScopes
+          publicationStatus
+        }
+      }
+    `);
+    return data.developerApps;
+  }
+  async findAppByClientId(clientId) {
+    const apps = await this.listDeveloperApps();
+    return apps.find((a) => a.clientId === clientId) ?? null;
+  }
+  /** Same as findAppByClientId but pulls review-status fields. Requires the
+   *  `reviewNotes` column on App (added 2026-06-04). */
+  async findAppWithReviewByClientId(clientId) {
+    const data = await this.request(`
+      query OdevaCliListDeveloperAppsWithReview {
+        developerApps {
+          id name slug clientId homepageUrl installUrl webhookUrl
+          requestedScopes publicationStatus reviewNotes verifiedAt updatedAt
+        }
+      }
+    `);
+    return data.developerApps.find((a) => a.clientId === clientId) ?? null;
+  }
+  async submitDeveloperApp(id) {
+    const data = await this.request(
+      `mutation OdevaCliSubmitDeveloperApp($id: ID!) {
+        submitDeveloperApp(id: $id) {
+          app {
+            id name slug clientId homepageUrl installUrl webhookUrl
+            requestedScopes publicationStatus reviewNotes verifiedAt updatedAt
+          }
+          errors
+        }
+      }`,
+      { id }
+    );
+    return data.submitDeveloperApp;
+  }
+  async upsertDeveloperApp(input) {
+    const data = await this.request(
+      `
+      mutation OdevaCliUpsertDeveloperApp(
+        $id: ID
+        $name: String!
+        $slug: String!
+        $authorName: String
+        $description: String
+        $homepageUrl: String
+        $installUrl: String
+        $privacyUrl: String
+        $requestedScopes: [String!]
+        $webhookUrl: String
+      ) {
+        upsertDeveloperApp(
+          id: $id
+          name: $name
+          slug: $slug
+          authorName: $authorName
+          description: $description
+          homepageUrl: $homepageUrl
+          installUrl: $installUrl
+          privacyUrl: $privacyUrl
+          requestedScopes: $requestedScopes
+          webhookUrl: $webhookUrl
+        ) {
+          app {
+            id
+            name
+            slug
+            clientId
+            homepageUrl
+            installUrl
+            webhookUrl
+            requestedScopes
+            publicationStatus
+          }
+          rawClientSecret
+          errors
+        }
+      }
+      `,
+      input
+    );
+    const payload = data.upsertDeveloperApp;
+    if (payload.errors?.length) {
+      throw new ApiError(`Could not save app: ${payload.errors.join(", ")}`);
+    }
+    return { app: payload.app, rawClientSecret: payload.rawClientSecret };
+  }
+  async rotateDeveloperAppSecret(id) {
+    const data = await this.request(
+      `mutation OdevaCliRotateDeveloperAppSecret($id: ID!) {
+        rotateDeveloperAppSecret(id: $id) {
+          app {
+            id name slug clientId homepageUrl installUrl webhookUrl
+            requestedScopes publicationStatus
+          }
+          rawClientSecret
+          errors
+        }
+      }`,
+      { id }
+    );
+    const payload = data.rotateDeveloperAppSecret;
+    if (payload.errors?.length || !payload.app || !payload.rawClientSecret) {
+      throw new ApiError(`Could not rotate secret: ${payload.errors.join(", ") || "no secret returned"}`);
+    }
+    return { app: payload.app, rawClientSecret: payload.rawClientSecret };
+  }
+  async webhookEventTypes() {
+    const data = await this.request(`
+      query OdevaCliWebhookEventTypes { webhookEventTypes }
+    `);
+    return data.webhookEventTypes;
+  }
+  async webhookSubscriptions() {
+    const data = await this.request(`
+      query OdevaCliWebhookSubscriptions {
+        webhookSubscriptions {
+          id
+          name
+          endpointUrl
+          eventTypes
+          status
+        }
+      }
+    `);
+    return data.webhookSubscriptions;
+  }
+  async createWebhookSubscription(input) {
+    const data = await this.request(
+      `
+      mutation OdevaCliCreateWebhookSubscription(
+        $name: String!
+        $endpointUrl: String!
+        $eventTypes: [String!]!
+        $appInstallationId: ID
+      ) {
+        createWebhookSubscription(
+          name: $name
+          endpointUrl: $endpointUrl
+          eventTypes: $eventTypes
+          appInstallationId: $appInstallationId
+        ) {
+          webhookSubscription { id name endpointUrl eventTypes status }
+          webhookSecret
+          errors
+        }
+      }
+      `,
+      input
+    );
+    const payload = data.createWebhookSubscription;
+    if (payload.errors?.length) {
+      throw new ApiError(`Could not create webhook subscription: ${payload.errors.join(", ")}`);
+    }
+    return { subscription: payload.webhookSubscription, webhookSecret: payload.webhookSecret };
+  }
+  async deleteWebhookSubscription(id) {
+    await this.request(
+      `mutation OdevaCliDeleteWebhookSubscription($id: ID!) {
+        deleteWebhookSubscription(id: $id) { webhookSubscription { id } }
+      }`,
+      { id }
+    );
+  }
+}
+function userAgent() {
+  return `odeva-cli/0.0.1 (${process.platform}; ${process.arch}; node-${process.versions.node})`;
+}
+export {
+  OdevaApi
+};

package/dist/lib/app-env.js

@@ -0,0 +1,39 @@
+import { existsSync, readFileSync, writeFileSync, chmodSync } from "node:fs";
+import { dirname, join } from "node:path";
+const APP_ENV_FILE = ".odeva.env";
+function loadAppEnv(appConfigPath) {
+  const envPath = join(dirname(appConfigPath), APP_ENV_FILE);
+  if (!existsSync(envPath)) return {};
+  const raw = readFileSync(envPath, "utf8");
+  const result = {};
+  for (const line of raw.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq < 0) continue;
+    const key = trimmed.slice(0, eq).trim();
+    const value = trimmed.slice(eq + 1).trim().replace(/^["']|["']$/g, "");
+    if (key) result[key] = value;
+  }
+  return result;
+}
+function saveAppEnv(appConfigPath, values) {
+  const envPath = join(dirname(appConfigPath), APP_ENV_FILE);
+  const merged = { ...loadAppEnv(appConfigPath), ...values };
+  const body = [
+    "# Auto-managed by `odeva` \u2014 do not commit. Add `.odeva.env` to .gitignore.",
+    ...Object.entries(merged).map(([k, v]) => `${k}=${v}`),
+    ""
+  ].join("\n");
+  writeFileSync(envPath, body, { mode: 384 });
+  try {
+    chmodSync(envPath, 384);
+  } catch {
+  }
+  return envPath;
+}
+export {
+  APP_ENV_FILE,
+  loadAppEnv,
+  saveAppEnv
+};

package/dist/lib/cloudflared.js

@@ -0,0 +1,93 @@
+import { spawn } from "node:child_process";
+import { spawnSync } from "node:child_process";
+import { CliError } from "./errors.js";
+const TRYCLOUDFLARE_RE = /https:\/\/[a-z0-9-]+\.trycloudflare\.com/i;
+function isCloudflaredInstalled() {
+  const result = spawnSync("cloudflared", ["--version"], { stdio: "ignore" });
+  return result.status === 0;
+}
+function startQuickTunnel(localPort, options = {}) {
+  if (!isCloudflaredInstalled()) {
+    throw new CliError("`cloudflared` is not installed or not on PATH.", {
+      hint: "Install it from https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/ (e.g. `brew install cloudflared` on macOS, `apt install cloudflared` on Debian/Ubuntu)."
+    });
+  }
+  return new Promise((resolve, reject) => {
+    const proc = spawn(
+      "cloudflared",
+      ["tunnel", "--no-autoupdate", "--url", `http://localhost:${localPort}`],
+      { stdio: ["ignore", "pipe", "pipe"] }
+    );
+    let resolved = false;
+    const timeoutMs = options.timeoutMs ?? 3e4;
+    const timer = setTimeout(() => {
+      if (resolved) return;
+      cleanup();
+      reject(
+        new CliError(`cloudflared did not produce a tunnel URL within ${timeoutMs / 1e3}s.`, {
+          hint: "Check your network connection or run `cloudflared tunnel --url http://localhost:" + localPort + "` manually."
+        })
+      );
+    }, timeoutMs);
+    const onData = (chunk) => {
+      const text = chunk.toString("utf8");
+      const match = TRYCLOUDFLARE_RE.exec(text);
+      if (match && !resolved) {
+        resolved = true;
+        clearTimeout(timer);
+        resolve({
+          url: match[0],
+          process: proc,
+          stop: () => stopProcess(proc)
+        });
+      }
+    };
+    proc.stdout?.on("data", onData);
+    proc.stderr?.on("data", onData);
+    proc.on("error", (err) => {
+      if (resolved) return;
+      clearTimeout(timer);
+      reject(new CliError(`Failed to start cloudflared: ${err.message}`));
+    });
+    proc.on("exit", (code) => {
+      if (resolved) return;
+      clearTimeout(timer);
+      reject(new CliError(`cloudflared exited with code ${code} before producing a URL.`));
+    });
+    function cleanup() {
+      try {
+        proc.kill("SIGTERM");
+      } catch {
+      }
+    }
+  });
+}
+function stopProcess(proc) {
+  return new Promise((resolve) => {
+    if (proc.exitCode !== null) return resolve();
+    proc.once("exit", () => resolve());
+    try {
+      proc.kill("SIGTERM");
+    } catch {
+      resolve();
+      return;
+    }
+    setTimeout(() => {
+      if (proc.exitCode === null) {
+        try {
+          proc.kill("SIGKILL");
+        } catch {
+        }
+      }
+    }, 2e3);
+  });
+}
+function parseTunnelUrl(text) {
+  const match = TRYCLOUDFLARE_RE.exec(text);
+  return match ? match[0] : null;
+}
+export {
+  isCloudflaredInstalled,
+  parseTunnelUrl,
+  startQuickTunnel
+};

package/dist/lib/config.js

@@ -0,0 +1,51 @@
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { parse, stringify } from "smol-toml";
+import { APP_CONFIG_FILE } from "./paths.js";
+import { AppConfigNotFoundError, CliError } from "./errors.js";
+function findAppConfigPath(startDir = process.cwd()) {
+  let dir = resolve(startDir);
+  while (true) {
+    const candidate = join(dir, APP_CONFIG_FILE);
+    if (existsSync(candidate)) return candidate;
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+function loadAppConfig(startDir = process.cwd()) {
+  const path = findAppConfigPath(startDir);
+  if (!path) throw new AppConfigNotFoundError();
+  const raw = readFileSync(path, "utf8");
+  const parsed = parse(raw);
+  validateConfig(parsed, path);
+  return { config: parsed, path, root: dirname(path) };
+}
+function saveAppConfig(loaded) {
+  validateConfig(loaded.config, loaded.path);
+  writeFileSync(loaded.path, stringify(loaded.config) + "\n", "utf8");
+}
+function writeAppConfigAt(path, config) {
+  validateConfig(config, path);
+  writeFileSync(path, stringify(config) + "\n", "utf8");
+}
+function validateConfig(config, path) {
+  if (!config.name || typeof config.name !== "string") {
+    throw new CliError(`Invalid ${APP_CONFIG_FILE}: missing 'name'.`, { hint: `Edit ${path}` });
+  }
+  if (!config.slug || typeof config.slug !== "string") {
+    throw new CliError(`Invalid ${APP_CONFIG_FILE}: missing 'slug'.`, { hint: `Edit ${path}` });
+  }
+  if (!/^[a-z0-9][a-z0-9-]*$/.test(config.slug)) {
+    throw new CliError(
+      `Invalid 'slug' in ${APP_CONFIG_FILE}: '${config.slug}'. Use lowercase letters, digits, and hyphens.`,
+      { hint: `Edit ${path}` }
+    );
+  }
+}
+export {
+  findAppConfigPath,
+  loadAppConfig,
+  saveAppConfig,
+  writeAppConfigAt
+};

package/dist/lib/credentials.js

@@ -0,0 +1,50 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync, unlinkSync } from "node:fs";
+import { dirname } from "node:path";
+import { CONFIG_DIR, CREDENTIALS_PATH, DEFAULT_API_URL } from "./paths.js";
+import { NotAuthenticatedError } from "./errors.js";
+function loadCredentials() {
+  if (!existsSync(CREDENTIALS_PATH)) return null;
+  try {
+    const raw = readFileSync(CREDENTIALS_PATH, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.token) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function requireCredentials() {
+  const creds = loadCredentials();
+  if (!creds) throw new NotAuthenticatedError();
+  return creds;
+}
+function saveCredentials(partial) {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+  const existing = loadCredentials();
+  const creds = {
+    apiUrl: DEFAULT_API_URL,
+    ...existing,
+    ...partial,
+    savedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
+  try {
+    chmodSync(CREDENTIALS_PATH, 384);
+    chmodSync(dirname(CREDENTIALS_PATH), 448);
+  } catch {
+  }
+  return creds;
+}
+function clearCredentials() {
+  if (!existsSync(CREDENTIALS_PATH)) return false;
+  unlinkSync(CREDENTIALS_PATH);
+  return true;
+}
+export {
+  clearCredentials,
+  loadCredentials,
+  requireCredentials,
+  saveCredentials
+};

package/dist/lib/dev-runner.js

@@ -0,0 +1,115 @@
+import { spawn } from "node:child_process";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+async function registerWebhookSubscriptions(api, appName, tunnelUrl, subscriptions) {
+  const created = [];
+  for (const sub of subscriptions) {
+    const fullUrl = joinUrl(tunnelUrl, sub.uri);
+    const { subscription, webhookSecret } = await api.createWebhookSubscription({
+      name: `${appName} (dev) \u2014 ${sub.topic}`,
+      endpointUrl: fullUrl,
+      eventTypes: [sub.topic]
+    });
+    created.push({ config: sub, subscription, secret: webhookSecret, fullUrl });
+  }
+  return created;
+}
+async function cleanupSubscriptions(api, registered) {
+  for (const reg of registered) {
+    try {
+      await api.deleteWebhookSubscription(reg.subscription.id);
+    } catch {
+    }
+  }
+}
+function spawnDevServer(opts) {
+  const command = opts.config.build?.dev ?? "bun run dev";
+  const proc = spawn(command, {
+    cwd: opts.cwd,
+    shell: true,
+    stdio: "inherit",
+    env: {
+      ...process.env,
+      ...opts.env
+    }
+  });
+  return {
+    process: proc,
+    stop: () => stopProcess(proc),
+    waitForExit: () => new Promise((resolve) => {
+      if (proc.exitCode !== null) return resolve(proc.exitCode);
+      proc.once("exit", (code) => resolve(code));
+    })
+  };
+}
+function writeDevEnvFile(cwd, registered) {
+  if (registered.length === 0) return null;
+  const path = join(cwd, ".env.odeva.local");
+  const lines = [
+    "# Auto-generated by `odeva app dev`. Do not commit.",
+    "# Reload your dev server to pick up these values."
+  ];
+  const primary = registered[0];
+  lines.push(`ODEVA_WEBHOOK_SECRET=${primary.secret}`);
+  for (const reg of registered) {
+    lines.push(`# ${reg.config.topic} \u2192 ${reg.fullUrl}`);
+    lines.push(`ODEVA_WEBHOOK_SECRET__${secretEnvKey(reg.config.topic)}=${reg.secret}`);
+  }
+  writeFileSync(path, lines.join("\n") + "\n", { mode: 384 });
+  return path;
+}
+function secretEnvKey(topic) {
+  return topic.toUpperCase().replace(/[^A-Z0-9]+/g, "_");
+}
+function joinUrl(base, path) {
+  const trimmedBase = base.replace(/\/$/, "");
+  const trimmedPath = path.startsWith("/") ? path : `/${path}`;
+  return `${trimmedBase}${trimmedPath}`;
+}
+function stopProcess(proc) {
+  return new Promise((resolve) => {
+    if (proc.exitCode !== null) return resolve();
+    proc.once("exit", () => resolve());
+    try {
+      proc.kill("SIGTERM");
+    } catch {
+      resolve();
+      return;
+    }
+    setTimeout(() => {
+      if (proc.exitCode === null) {
+        try {
+          proc.kill("SIGKILL");
+        } catch {
+        }
+      }
+    }, 2e3);
+  });
+}
+function preflightChecks(cwd) {
+  const warnings = [];
+  if (!existsSync(join(cwd, "node_modules"))) {
+    warnings.push("node_modules/ not found \u2014 run `bun install` first.");
+  }
+  return { warnings };
+}
+function readEnvFile(path) {
+  if (!existsSync(path)) return {};
+  const out = {};
+  for (const line of readFileSync(path, "utf8").split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    out[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
+  }
+  return out;
+}
+export {
+  cleanupSubscriptions,
+  preflightChecks,
+  readEnvFile,
+  registerWebhookSubscriptions,
+  spawnDevServer,
+  writeDevEnvFile
+};

package/dist/lib/errors.js

@@ -0,0 +1,41 @@
+class CliError extends Error {
+  exitCode;
+  hint;
+  constructor(message, options = {}) {
+    super(message);
+    this.name = "CliError";
+    this.exitCode = options.exitCode ?? 1;
+    this.hint = options.hint;
+  }
+}
+class NotAuthenticatedError extends CliError {
+  constructor() {
+    super("Not authenticated.", {
+      exitCode: 1,
+      hint: "Run `odeva auth login` first."
+    });
+    this.name = "NotAuthenticatedError";
+  }
+}
+class ApiError extends CliError {
+  graphqlErrors;
+  constructor(message, options = {}) {
+    super(message, { hint: options.hint });
+    this.name = "ApiError";
+    this.graphqlErrors = options.graphqlErrors;
+  }
+}
+class AppConfigNotFoundError extends CliError {
+  constructor() {
+    super("No odeva.app.toml found in this directory or any parent.", {
+      hint: "Run `odeva app init` to scaffold a new app, or cd into an existing one."
+    });
+    this.name = "AppConfigNotFoundError";
+  }
+}
+export {
+  ApiError,
+  AppConfigNotFoundError,
+  CliError,
+  NotAuthenticatedError
+};

package/dist/lib/open-url.js

@@ -0,0 +1,29 @@
+import { spawn } from "node:child_process";
+function openUrl(url) {
+  const platform = process.platform;
+  let command;
+  let args;
+  if (platform === "darwin") {
+    command = "open";
+    args = [url];
+  } else if (platform === "win32") {
+    command = "cmd";
+    args = ["/c", "start", "", url];
+  } else {
+    command = "xdg-open";
+    args = [url];
+  }
+  try {
+    const child = spawn(command, args, {
+      detached: true,
+      stdio: "ignore"
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+export {
+  openUrl
+};