@omen.foundation/node-microservice-runtime 0.1.0

package/dist/cli/index.js

@@ -0,0 +1,588 @@
+#!/usr/bin/env node
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import { spawn } from 'node:child_process';
+import readline from 'node:readline';
+import { stdin, stdout, exit } from 'node:process';
+import { fileURLToPath } from 'node:url';
+import dotenv from 'dotenv';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const SERVICE_NAME = 'beamo-node';
+const CONFIG_DIR = path.join(os.homedir(), '.beamo-node');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const TOKEN_FALLBACK_DIR = path.join(CONFIG_DIR, 'tokens');
+const DEFAULT_SOCKET_HOST = 'wss://api.beamable.com/socket';
+const MIN_TOKEN_BUFFER_MS = 60_000;
+class CredentialStore {
+    keytar;
+    constructor(keytar) {
+        this.keytar = keytar;
+    }
+    static async create() {
+        try {
+            // eslint-disable-next-line @typescript-eslint/consistent-type-imports
+            const keytarModule = (await import('keytar')).default;
+            return new CredentialStore(keytarModule);
+        }
+        catch (error) {
+            console.warn('[beamo-node] keytar not available, falling back to file-based credential storage.');
+            return new CredentialStore();
+        }
+    }
+    async get(account) {
+        if (this.keytar) {
+            const payload = await this.keytar.getPassword(SERVICE_NAME, account);
+            if (!payload) {
+                return undefined;
+            }
+            return this.parseTokenPayload(payload);
+        }
+        const filePath = this.fallbackPath(account);
+        try {
+            const payload = await fs.readFile(filePath, 'utf8');
+            return this.parseTokenPayload(payload);
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                return undefined;
+            }
+            throw error;
+        }
+    }
+    async set(account, record) {
+        const payload = JSON.stringify(record);
+        if (this.keytar) {
+            await this.keytar.setPassword(SERVICE_NAME, account, payload);
+            return;
+        }
+        await fs.mkdir(TOKEN_FALLBACK_DIR, { recursive: true });
+        const filePath = this.fallbackPath(account);
+        await fs.writeFile(filePath, payload, { mode: 0o600, encoding: 'utf8' });
+    }
+    async clear(account) {
+        if (this.keytar) {
+            await this.keytar.deletePassword(SERVICE_NAME, account);
+            return;
+        }
+        try {
+            await fs.unlink(this.fallbackPath(account));
+        }
+        catch (error) {
+            if (error.code !== 'ENOENT') {
+                throw error;
+            }
+        }
+    }
+    parseTokenPayload(payload) {
+        const parsed = JSON.parse(payload);
+        if (!parsed || typeof parsed !== 'object') {
+            throw new Error('Stored credentials are malformed.');
+        }
+        if (typeof parsed.accessToken !== 'string' || typeof parsed.refreshToken !== 'string') {
+            throw new Error('Stored credentials missing access or refresh token.');
+        }
+        return {
+            accessToken: parsed.accessToken,
+            refreshToken: parsed.refreshToken,
+            expiresAt: typeof parsed.expiresAt === 'number' ? parsed.expiresAt : undefined,
+        };
+    }
+    fallbackPath(account) {
+        const safe = Buffer.from(account).toString('base64url');
+        return path.join(TOKEN_FALLBACK_DIR, `${safe}.json`);
+    }
+}
+class ConfigStore {
+    async load() {
+        try {
+            const payload = await fs.readFile(CONFIG_FILE, 'utf8');
+            const data = JSON.parse(payload);
+            return {
+                profiles: data?.profiles ?? {},
+                lastUsed: data?.lastUsed,
+            };
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                return { profiles: {} };
+            }
+            throw error;
+        }
+    }
+    async save(config) {
+        await fs.mkdir(CONFIG_DIR, { recursive: true });
+        const payload = JSON.stringify(config, null, 2);
+        await fs.writeFile(CONFIG_FILE, `${payload}\n`, { encoding: 'utf8', mode: 0o600 });
+    }
+}
+class TokenManager {
+    store;
+    constructor(store) {
+        this.store = store;
+    }
+    async login(options) {
+        const apiHost = normalizeApiHost(options.host);
+        // Scope should be cid.pid if both are provided (matches official CLI behavior)
+        const scope = options.pid ? `${options.cid}.${options.pid}` : options.cid;
+        // Admin accounts require customerScoped: true (matches C# CLI behavior)
+        // The registry will accept customer-scoped tokens when proper headers are used
+        const customerScoped = true;
+        const response = await fetch(new URL('/basic/auth/token', apiHost), {
+            method: 'POST',
+            headers: {
+                Accept: 'application/json',
+                'Content-Type': 'application/json',
+                ...(scope ? { 'X-BEAM-SCOPE': scope } : {}),
+            },
+            body: JSON.stringify({
+                grant_type: 'password',
+                username: options.email,
+                password: options.password,
+                customerScoped,
+            }),
+        });
+        if (!response.ok) {
+            const message = await safeReadError(response);
+            throw new Error(`Login failed (${response.status}): ${message}`);
+        }
+        const body = (await response.json());
+        const accessToken = typeof body.access_token === 'string' ? body.access_token : undefined;
+        const refreshToken = typeof body.refresh_token === 'string' ? body.refresh_token : undefined;
+        const expiresIn = typeof body.expires_in === 'number' ? body.expires_in : Number(body.expires_in ?? 0);
+        if (!accessToken || !refreshToken) {
+            throw new Error('Login response did not contain access and refresh tokens.');
+        }
+        const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? Date.now() + expiresIn * 1000 : undefined;
+        const record = { accessToken, refreshToken, expiresAt };
+        const account = profileKey({ cid: options.cid, pid: options.pid, apiHost });
+        await this.store.set(account, record);
+        return record;
+    }
+    async getValidTokens(cid, pid, host, forceRealmScoped = false) {
+        const apiHost = normalizeApiHost(host);
+        const account = profileKey({ cid, pid, apiHost });
+        const existing = await this.store.get(account);
+        if (!existing) {
+            throw new Error(`No stored credentials for ${cid}.${pid} (${apiHost}). Run "beamo-node login" first.`);
+        }
+        // Refresh token if expired or if explicitly requested
+        // Note: If login was done with PID, tokens are already realm-scoped
+        if (forceRealmScoped || isTokenExpired(existing.expiresAt)) {
+            if (process.env.BEAMO_DEBUG === '1' || process.env.BEAMO_NODE_DEBUG === '1') {
+                console.log(`[beamo-node] Refreshing token (forceRealmScoped=${forceRealmScoped}, expired=${isTokenExpired(existing.expiresAt)})`);
+            }
+            const refreshed = await this.refreshToken(existing.refreshToken, cid, pid, apiHost);
+            await this.store.set(account, refreshed);
+            return refreshed;
+        }
+        return existing;
+    }
+    async refreshToken(refreshToken, cid, pid, apiHost) {
+        const scope = pid ? `${cid}.${pid}` : cid;
+        const response = await fetch(new URL('/basic/auth/token', apiHost), {
+            method: 'POST',
+            headers: {
+                Accept: 'application/json',
+                'Content-Type': 'application/json',
+                ...(scope ? { 'X-BEAM-SCOPE': scope } : {}),
+            },
+            body: JSON.stringify({
+                grant_type: 'refresh_token',
+                refresh_token: refreshToken,
+                // Don't include customerScoped - refresh tokens inherit scope from the refresh token itself
+                // Setting X-BEAM-SCOPE header should be enough to get a realm-scoped token
+            }),
+        });
+        if (!response.ok) {
+            const message = await safeReadError(response);
+            throw new Error(`Failed to refresh token (${response.status}): ${message}`);
+        }
+        const body = (await response.json());
+        const accessToken = typeof body.access_token === 'string' ? body.access_token : undefined;
+        const newRefreshToken = typeof body.refresh_token === 'string' ? body.refresh_token : refreshToken;
+        const expiresIn = typeof body.expires_in === 'number' ? body.expires_in : Number(body.expires_in ?? 0);
+        if (!accessToken) {
+            throw new Error('Refresh token response missing access token.');
+        }
+        const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? Date.now() + expiresIn * 1000 : undefined;
+        // Verify the refreshed token works with realm scope
+        if (pid && process.env.BEAMO_DEBUG === '1') {
+            try {
+                const testUrl = new URL('/basic/accounts/me', apiHost);
+                const testResponse = await fetch(testUrl, {
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`,
+                        Accept: 'application/json',
+                        'X-BEAM-SCOPE': scope,
+                    },
+                });
+                if (!testResponse.ok) {
+                    console.warn(`[beamo-node] Warning: Refreshed token validation failed (${testResponse.status}). Token may still be customer-scoped.`);
+                }
+            }
+            catch {
+                // Ignore validation errors in debug mode
+            }
+        }
+        return { accessToken, refreshToken: newRefreshToken, expiresAt };
+    }
+}
+function parseCommandLine(argv) {
+    const [command, ...rest] = argv;
+    return { command, args: rest };
+}
+function splitArgs(args, recognizedFlags) {
+    const flags = {};
+    const forward = [];
+    for (let index = 0; index < args.length; index += 1) {
+        const token = args[index];
+        if (!token.startsWith('-')) {
+            forward.push(token);
+            continue;
+        }
+        const key = token.replace(/^--/, '');
+        if (recognizedFlags.has(key)) {
+            const next = args[index + 1];
+            if (next !== undefined && !next.startsWith('-')) {
+                flags[key] = next;
+                index += 1;
+            }
+            else {
+                flags[key] = true;
+            }
+        }
+        else {
+            forward.push(token);
+            const next = args[index + 1];
+            if (next !== undefined && !next.startsWith('-')) {
+                forward.push(next);
+                index += 1;
+            }
+        }
+    }
+    return { flags, forward };
+}
+async function promptInput(question, defaultValue) {
+    const rl = readline.createInterface({ input: stdin, output: stdout });
+    return new Promise((resolve) => {
+        rl.question(defaultValue ? `${question} (${defaultValue}): ` : `${question}: `, (answer) => {
+            rl.close();
+            const value = answer.trim();
+            resolve(value === '' && defaultValue !== undefined ? defaultValue : value);
+        });
+    });
+}
+async function promptHidden(question) {
+    const rl = readline.createInterface({ input: stdin, output: stdout });
+    return new Promise((resolve) => {
+        const mutable = rl;
+        mutable.stdoutMuted = true;
+        const originalWrite = mutable._writeToOutput?.bind(mutable);
+        const outputStream = mutable.output ?? stdout;
+        mutable._writeToOutput = (stringToWrite) => {
+            if (mutable.stdoutMuted) {
+                outputStream.write('*');
+            }
+            else if (originalWrite) {
+                originalWrite(stringToWrite);
+            }
+            else {
+                outputStream.write(stringToWrite);
+            }
+        };
+        mutable.question(`${question}: `, (answer) => {
+            mutable.close();
+            stdout.write(os.EOL);
+            resolve(answer);
+        });
+    });
+}
+async function handleLogin(args, configStore, tokenManager) {
+    const { flags } = splitArgs(args, new Set(['cid', 'pid', 'host', 'email']));
+    const envDefaults = await loadEnvDefaults();
+    const cid = typeof flags.cid === 'string' ? flags.cid : await promptInput('CID', envDefaults.cid);
+    const pid = typeof flags.pid === 'string' ? flags.pid : await promptInput('PID', envDefaults.pid);
+    const hostDefault = envDefaults.host ?? DEFAULT_SOCKET_HOST;
+    const host = typeof flags.host === 'string' ? flags.host : await promptInput('Host', hostDefault);
+    const email = typeof flags.email === 'string' ? flags.email : await promptInput('Email');
+    const password = await promptHidden('Password');
+    if (!cid || !pid || !host || !email || !password) {
+        throw new Error('CID, PID, host, email, and password are required.');
+    }
+    const record = await tokenManager.login({ cid, pid, host, email, password });
+    const config = await configStore.load();
+    const apiHost = normalizeApiHost(host);
+    const id = profileKey({ cid, pid, apiHost });
+    config.profiles[id] = {
+        id,
+        cid,
+        pid,
+        host,
+        apiHost,
+        email,
+        lastUsed: Date.now(),
+    };
+    config.lastUsed = id;
+    await configStore.save(config);
+    console.log(`Login successful for ${email} (${cid}.${pid}).`);
+    if (!record.expiresAt) {
+        console.warn('[beamo-node] Access token does not include an expiration. You may need to re-login if publish fails.');
+    }
+}
+async function handlePublish(args, configStore, tokenManager) {
+    const { flags, forward } = splitArgs(args, new Set(['cid', 'pid', 'host', 'profile']));
+    const profile = await resolveProfile(flags, configStore);
+    // Refresh token if expired (customer-scoped tokens work with registry when proper headers are used)
+    // The C# CLI uses the same access token for both registry API calls and Docker registry uploads
+    const tokens = await tokenManager.getValidTokens(profile.cid, profile.pid, profile.host, false);
+    const env = buildCommandEnv(profile, tokens);
+    const scriptArgs = buildScriptArgs(forward, profile, true); // publish needs --api-host
+    const scriptPath = path.resolve(__dirname, '../../scripts/publish-service.mjs');
+    await runScript(scriptPath, scriptArgs, env);
+}
+async function handleValidate(args, configStore, tokenManager) {
+    const { flags, forward } = splitArgs(args, new Set(['cid', 'pid', 'host', 'profile']));
+    const profile = await resolveProfile(flags, configStore);
+    // Validation does not require tokens, but downstream scripts expect CID/PID/HOST env values.
+    const tokens = await tokenManager.getValidTokens(profile.cid, profile.pid, profile.host);
+    const env = buildCommandEnv(profile, tokens);
+    const scriptArgs = buildScriptArgs(forward, profile, false); // validate doesn't need --api-host
+    const scriptPath = path.resolve(__dirname, '../../scripts/validate-service.mjs');
+    await runScript(scriptPath, scriptArgs, env);
+}
+async function resolveProfile(flags, configStore) {
+    const config = await configStore.load();
+    if (typeof flags.profile === 'string') {
+        const explicit = config.profiles[flags.profile];
+        if (!explicit) {
+            throw new Error(`Profile "${flags.profile}" not found. Run "beamo-node login" to create it.`);
+        }
+        config.lastUsed = explicit.id;
+        await configStore.save(config);
+        return explicit;
+    }
+    const directOptions = {
+        cid: typeof flags.cid === 'string' ? flags.cid : undefined,
+        pid: typeof flags.pid === 'string' ? flags.pid : undefined,
+        host: typeof flags.host === 'string' ? flags.host : undefined,
+    };
+    if (directOptions.cid && directOptions.pid && directOptions.host) {
+        const apiHost = normalizeApiHost(directOptions.host);
+        const id = profileKey({ cid: directOptions.cid, pid: directOptions.pid, apiHost });
+        const profile = config.profiles[id];
+        if (!profile) {
+            throw new Error(`No stored credentials for ${directOptions.cid}.${directOptions.pid}. Run "beamo-node login" first.`);
+        }
+        profile.lastUsed = Date.now();
+        config.lastUsed = profile.id;
+        await configStore.save(config);
+        return profile;
+    }
+    if (!config.lastUsed) {
+        if (Object.keys(config.profiles).length === 0) {
+            throw new Error('No stored credentials found. Run "beamo-node login" first.');
+        }
+        throw new Error('Multiple profiles found. Specify one with "--profile <id>" or run "beamo-node login" first.');
+    }
+    const profile = config.profiles[config.lastUsed];
+    if (!profile) {
+        throw new Error(`Last used profile "${config.lastUsed}" is missing. Run "beamo-node login" to refresh credentials.`);
+    }
+    profile.lastUsed = Date.now();
+    config.lastUsed = profile.id;
+    await configStore.save(config);
+    return profile;
+}
+function buildScriptArgs(original, profile, includeApiHost = true) {
+    const hasFlag = (flag) => original.some((token) => token === flag);
+    const args = [...original];
+    if (!hasFlag('--cid')) {
+        args.push('--cid', profile.cid);
+    }
+    if (!hasFlag('--pid')) {
+        args.push('--pid', profile.pid);
+    }
+    if (!hasFlag('--host')) {
+        args.push('--host', profile.host);
+    }
+    if (includeApiHost && !hasFlag('--api-host')) {
+        args.push('--api-host', profile.apiHost);
+    }
+    return args;
+}
+function buildCommandEnv(profile, tokens) {
+    return {
+        ...process.env,
+        BEAMABLE_TOKEN: tokens.accessToken,
+        ACCESS_TOKEN: tokens.accessToken,
+        BEAMABLE_REFRESH_TOKEN: tokens.refreshToken,
+        REFRESH_TOKEN: tokens.refreshToken,
+        BEAMABLE_CID: profile.cid,
+        CID: profile.cid,
+        BEAMABLE_PID: profile.pid,
+        PID: profile.pid,
+        BEAMABLE_HOST: profile.host,
+        HOST: profile.host,
+        BEAMABLE_API_HOST: profile.apiHost,
+    };
+}
+async function runScript(command, args, env) {
+    const isNodeScript = /\.(mjs|cjs|js)$/i.test(command);
+    const executable = isNodeScript ? process.execPath : command;
+    const finalArgs = isNodeScript ? [command, ...args] : args;
+    const shouldUseShell = process.platform === 'win32' && !isNodeScript;
+    const debug = process.env.BEAMO_DEBUG === '1' || process.env.BEAMO_NODE_DEBUG === '1';
+    if (debug) {
+        console.log(`[beamo-node] command="${command}" exec="${executable}" args=${JSON.stringify(finalArgs)} shell=${shouldUseShell} cwd=${process.cwd()}`);
+    }
+    await new Promise((resolve, reject) => {
+        const child = spawn(executable, finalArgs, {
+            stdio: 'inherit',
+            env,
+            shell: shouldUseShell,
+        });
+        child.on('error', (error) => reject(error));
+        child.on('exit', (code) => {
+            if (code === 0) {
+                resolve();
+            }
+            else {
+                reject(new Error(`Command failed with exit code ${code ?? 'unknown'}.`));
+            }
+        });
+    });
+}
+function normalizeApiHost(host) {
+    const trimmed = host.trim();
+    if (trimmed.startsWith('wss://')) {
+        return `https://${trimmed.substring('wss://'.length).replace(/\/socket$/, '')}`;
+    }
+    if (trimmed.startsWith('ws://')) {
+        return `http://${trimmed.substring('ws://'.length).replace(/\/socket$/, '')}`;
+    }
+    let normalized = trimmed.replace(/\/socket$/, '').replace(/\/$/, '');
+    if (!/^https?:\/\//i.test(normalized)) {
+        normalized = `https://${normalized}`;
+    }
+    return normalized;
+}
+function profileKey(input) {
+    return `${input.cid}.${input.pid}@${input.apiHost}`;
+}
+function isTokenExpired(expiresAt) {
+    if (!expiresAt || !Number.isFinite(expiresAt)) {
+        return true;
+    }
+    return Date.now() + MIN_TOKEN_BUFFER_MS >= expiresAt;
+}
+async function safeReadError(response) {
+    try {
+        const body = await response.text();
+        if (!body) {
+            return 'No response body';
+        }
+        try {
+            const parsed = JSON.parse(body);
+            return typeof parsed.error === 'string'
+                ? parsed.error
+                : typeof parsed.message === 'string'
+                    ? parsed.message
+                    : body;
+        }
+        catch {
+            return body;
+        }
+    }
+    catch {
+        return 'No response body';
+    }
+}
+async function main() {
+    const [, , ...argv] = process.argv;
+    const { command, args } = parseCommandLine(argv);
+    if (!command || command === '--help' || command === '-h') {
+        printHelp();
+        return;
+    }
+    const credentialStore = await CredentialStore.create();
+    const tokenManager = new TokenManager(credentialStore);
+    const configStore = new ConfigStore();
+    switch (command) {
+        case 'login':
+            await handleLogin(args, configStore, tokenManager);
+            break;
+        case 'publish':
+            await handlePublish(args, configStore, tokenManager);
+            break;
+        case 'validate':
+            await handleValidate(args, configStore, tokenManager);
+            break;
+        case 'profiles':
+            await listProfiles(configStore);
+            break;
+        default:
+            console.error(`Unknown command: ${command}`);
+            printHelp();
+            exit(1);
+    }
+}
+async function listProfiles(configStore) {
+    const config = await configStore.load();
+    const entries = Object.values(config.profiles).sort((a, b) => (b.lastUsed ?? 0) - (a.lastUsed ?? 0));
+    if (entries.length === 0) {
+        console.log('No stored profiles. Run "beamo-node login" to create one.');
+        return;
+    }
+    console.log('Stored profiles:');
+    for (const profile of entries) {
+        const marker = config.lastUsed === profile.id ? '*' : ' ';
+        console.log(` ${marker} ${profile.id}`);
+        console.log(`     CID: ${profile.cid}`);
+        console.log(`     PID: ${profile.pid}`);
+        console.log(`     Host: ${profile.host}`);
+        console.log(`     Email: ${profile.email}`);
+    }
+}
+function printHelp() {
+    console.log(`beamo-node CLI
+
+Usage:
+  beamo-node login [--cid CID] [--pid PID] [--host HOST] [--email EMAIL]
+  beamo-node publish [--profile ID] [--cid CID --pid PID --host HOST] [-- ...publish flags...]
+  beamo-node validate [--profile ID] [--cid CID --pid PID --host HOST] [-- ...validate flags...]
+  beamo-node profiles
+
+Commands:
+  login      Authenticate with Beamable and store credentials securely.
+  publish    Run the publish pipeline using stored credentials (forwards extra flags to the publish script).
+  validate   Generate OpenAPI docs and validate the project (forwards extra flags).
+  profiles   List stored profiles and indicate the default selection.
+`);
+}
+main().catch((error) => {
+    console.error(error instanceof Error ? error.message : error);
+    exit(1);
+});
+async function loadEnvDefaults() {
+    const envPath = path.resolve('.env');
+    try {
+        const content = await fs.readFile(envPath, 'utf8');
+        const parsed = dotenv.parse(content);
+        const cid = parsed.BEAMABLE_CID ?? parsed.CID ?? undefined;
+        const pid = parsed.BEAMABLE_PID ?? parsed.PID ?? undefined;
+        const host = parsed.BEAMABLE_HOST ?? parsed.HOST ?? undefined;
+        return {
+            cid: cid?.trim() || undefined,
+            pid: pid?.trim() || undefined,
+            host: host?.trim() || undefined,
+        };
+    }
+    catch (error) {
+        if (error.code === 'ENOENT') {
+            return {};
+        }
+        throw error;
+    }
+}
+//# sourceMappingURL=index.js.map