@odla-ai/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,120 @@
1
+ # @odla-ai/cli
2
+
3
+ Project-neutral provisioning CLI for odla apps. It creates and validates an
4
+ `odla.config.mjs`, then uses that config to register an app, enable services,
5
+ push odla-db schema/rules, configure platform AI, configure Clerk auth, record
6
+ deployment links, and write local runtime credentials.
7
+
8
+ It does not know about any specific app. App identity, environments, services,
9
+ schema, rules, auth, AI provider, and links all come from config.
10
+
11
+ ## Install
12
+
13
+ No install needed — the package ships a single `odla-ai` binary, so npx can run
14
+ it directly:
15
+
16
+ ```bash
17
+ npx @odla-ai/cli init --app-id my-app --name "My App"
18
+ ```
19
+
20
+ For a project you keep working in, install it as a dev dependency so the
21
+ shorter `npx odla-ai` form works and the version is pinned by your lockfile:
22
+
23
+ ```bash
24
+ npm i -D @odla-ai/cli
25
+ ```
26
+
27
+ ## Prerequisites
28
+
29
+ - Node.js 20 or newer (`node --version`).
30
+ - odla apps usually deploy as Cloudflare Workers. If you have never used
31
+ Cloudflare:
32
+ 1. Create a free account at <https://dash.cloudflare.com/sign-up>.
33
+ 2. You do not need to install anything: `npx wrangler login` opens the
34
+ browser once to link your account, `npx wrangler dev` runs a Worker
35
+ locally, and `npx wrangler deploy` ships it.
36
+ 3. The `.dev.vars` file this CLI writes with `provision --write-dev-vars` is
37
+ wrangler's local secrets file — `wrangler dev` picks it up automatically.
38
+ It is chmod `0600` and gitignored; never commit it or paste its contents
39
+ into `wrangler.toml`.
40
+
41
+ ## Commands
42
+
43
+ ```bash
44
+ npx odla-ai init --app-id my-app --name "My App"
45
+ npx odla-ai doctor
46
+ npx odla-ai provision --dry-run
47
+ npx odla-ai provision --write-dev-vars
48
+ npx odla-ai smoke --env dev
49
+ npx odla-ai version
50
+ ```
51
+
52
+ `init` writes:
53
+
54
+ - `odla.config.mjs`
55
+ - `src/odla/schema.mjs`
56
+ - `src/odla/rules.mjs`
57
+ - `.gitignore` entries for local credentials
58
+
59
+ `provision` performs the standard safe setup flow:
60
+
61
+ 1. Gets an `odla_dev_...` token by device handshake, or reuses
62
+ `ODLA_DEV_TOKEN` / `.odla/dev-token.json`.
63
+ In an interactive terminal it opens the approval page in your browser when
64
+ the code is displayed. Pass `--open` to force browser launch from a
65
+ non-interactive shell, or `--no-open` to suppress it. Browser launch is
66
+ best-effort; the printed URL and code always remain the fallback.
67
+ 2. Creates the platform app if needed.
68
+ 3. Enables configured services in every configured environment.
69
+ 4. Mints or reuses each env's odla-db app key.
70
+ 5. Pushes the configured schema and rules.
71
+ 6. Configures platform AI and stores provider keys in the tenant vault when the
72
+ configured key env var is set.
73
+ 7. Writes `.odla/credentials.local.json` with mode `0600`.
74
+
75
+ Pass `--rotate-keys` to mint fresh db keys. Pass `--no-write-credentials` to
76
+ skip writing the local credentials file.
77
+
78
+ `smoke` verifies a provisioned environment from local credentials. It fetches
79
+ the platform public config, checks the configured AI provider, fetches the live
80
+ odla-db schema with the tenant key, compares expected schema entities, and runs
81
+ a count aggregate against the first entity. It fails early with a clear message
82
+ when provisioning has not written `.odla/credentials.local.json`.
83
+
84
+ ## Config
85
+
86
+ ```js
87
+ export default {
88
+ platformUrl: process.env.ODLA_PLATFORM_URL ?? "https://odla.ai",
89
+ dbEndpoint: process.env.ODLA_ENDPOINT ?? process.env.ODLA_DB_ENDPOINT ?? "https://db.odla.ai",
90
+ app: { id: "my-app", name: "My App" },
91
+ envs: ["prod", "dev"],
92
+ services: ["db", "ai"],
93
+ db: {
94
+ schema: "./src/odla/schema.mjs",
95
+ rules: "./src/odla/rules.mjs",
96
+ defaultRules: "deny",
97
+ },
98
+ ai: {
99
+ provider: process.env.ODLA_AI_PROVIDER ?? "anthropic",
100
+ keyEnv: "ANTHROPIC_API_KEY",
101
+ },
102
+ auth: {
103
+ clerk: {
104
+ dev: "$CLERK_PUBLISHABLE_KEY",
105
+ prod: "$CLERK_PUBLISHABLE_KEY",
106
+ },
107
+ },
108
+ links: {
109
+ dev: "https://dev.example.com",
110
+ prod: "https://example.com",
111
+ },
112
+ };
113
+ ```
114
+
115
+ `db.schema` and `db.rules` may be inline objects, JSON files, or JS modules
116
+ exporting `default`, `schema` / `SCHEMA`, or `rules` / `RULES`.
117
+
118
+ If schema is present and rules are omitted, `defaultRules: "deny"` generates
119
+ deny-all rules for every schema entity. That is the safe default for Workers
120
+ that mediate reads and writes with an app key.
@@ -0,0 +1,55 @@
1
+ # CLI Requirements From the Agnacl Rebuild
2
+
3
+ These are requirements for a generic odla-ai npm CLI. They came from rebuilding
4
+ Agnacl, but none should mention or special-case Agnacl.
5
+
6
+ ## Core Contract
7
+
8
+ - A project must declare intent in a checked-in config file:
9
+ app id/name, envs, platform URL, db endpoint, services, schema, rules, auth,
10
+ AI provider/model, deployment links, and local credential paths.
11
+ - The CLI must validate that contract without network calls.
12
+ - The CLI must show a dry-run plan before creating platform state or writing
13
+ credentials.
14
+ - The CLI must treat platform registry and odla-db as separate endpoints. They
15
+ may be the same in some deployments, but generated configs must not imply it.
16
+
17
+ ## Human Approval
18
+
19
+ - Provisioning must default to device-handshake auth, never a platform admin
20
+ secret in chat or config.
21
+ - The approval code must be printed in a copyable URL.
22
+ - Interactive provisioning should launch the browser to the approval page when
23
+ possible. `--open` should force launch; `--no-open` should suppress it.
24
+ - Cached developer tokens must be mode `0600`, gitignored, and reused until
25
+ expiry.
26
+
27
+ ## Safe Provisioning
28
+
29
+ - Re-runs must be idempotent: reuse existing app registration and local db keys.
30
+ - Key rotation must be explicit (`--rotate-keys`).
31
+ - Local runtime files (`.dev.vars`, local credentials) must be gitignored.
32
+ - Schema pushes must be explicit and visible in dry-run.
33
+ - If rules are omitted, schema-derived deny-all rules are the safe default.
34
+
35
+ ## App Scaffolding Gaps
36
+
37
+ - A future `scaffold worker --kg` command should create the generic runtime
38
+ wiring now hand-written in this rebuild:
39
+ `getEnv`, platform public-config fetch, Clerk JWT verification,
40
+ `@odla-ai/db` initialization, `@odla-ai/ai initFromPlatform`, and
41
+ `@odla-ai/kg writeFragment` seed/ingest helpers.
42
+ - `smoke` should verify:
43
+ public-config fetch, db schema presence, a simple db aggregate/query, and AI
44
+ config resolution. Tenant-vault key availability is still a follow-up because
45
+ checking it requires knowing the provider secret name and deliberately
46
+ touching the secret read path.
47
+ - A future `inspect` command should scan an existing app and report likely auth,
48
+ DB, AI, and graph surfaces before migration.
49
+
50
+ ## LLM Ergonomics
51
+
52
+ - Every command must produce machine-readable enough output for an LLM to decide
53
+ the next action from stdout alone.
54
+ - Failures should name the exact config key or external capability missing.
55
+ - The package must ship `llms.txt` so agents can use it without reading source.