@omen.foundation/node-microservice-runtime 0.1.65 → 0.1.68

package/src/cli/index.ts

@@ -1,725 +0,0 @@
-#!/usr/bin/env node
-
-import fs from 'node:fs/promises';
-import path from 'node:path';
-import os from 'node:os';
-import { spawn } from 'node:child_process';
-import readline from 'node:readline';
-import { stdin, stdout, exit } from 'node:process';
-import { fileURLToPath } from 'node:url';
-import dotenv from 'dotenv';
-
-type KeytarModule = typeof import('keytar');
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-
-interface TokenRecord {
-  accessToken: string;
-  refreshToken: string;
-  expiresAt?: number;
-}
-
-interface ProfileConfig {
-  id: string;
-  cid: string;
-  pid: string;
-  host: string;
-  apiHost: string;
-  email: string;
-  lastUsed?: number;
-}
-
-interface ConfigFile {
-  profiles: Record<string, ProfileConfig>;
-  lastUsed?: string;
-}
-
-interface LoginOptions {
-  cid: string;
-  pid: string;
-  host: string;
-  email: string;
-  password: string;
-}
-
-interface ProfileSelectionOptions {
-  cid?: string;
-  pid?: string;
-  host?: string;
-  profileId?: string;
-}
-
-const SERVICE_NAME = 'beamo-node';
-const CONFIG_DIR = path.join(os.homedir(), '.beamo-node');
-const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
-const TOKEN_FALLBACK_DIR = path.join(CONFIG_DIR, 'tokens');
-const DEFAULT_SOCKET_HOST = 'wss://api.beamable.com/socket';
-const MIN_TOKEN_BUFFER_MS = 60_000;
-
-class CredentialStore {
-  private keytar?: KeytarModule;
-
-  private constructor(keytar?: KeytarModule) {
-    this.keytar = keytar;
-  }
-
-  static async create(): Promise<CredentialStore> {
-    try {
-      // eslint-disable-next-line @typescript-eslint/consistent-type-imports
-      const keytarModule: KeytarModule = (await import('keytar')).default;
-      return new CredentialStore(keytarModule);
-    } catch (error) {
-      console.warn('[beamo-node] keytar not available, falling back to file-based credential storage.');
-      return new CredentialStore();
-    }
-  }
-
-  async get(account: string): Promise<TokenRecord | undefined> {
-    if (this.keytar) {
-      const payload = await this.keytar.getPassword(SERVICE_NAME, account);
-      if (!payload) {
-        return undefined;
-      }
-      return this.parseTokenPayload(payload);
-    }
-
-    const filePath = this.fallbackPath(account);
-    try {
-      const payload = await fs.readFile(filePath, 'utf8');
-      return this.parseTokenPayload(payload);
-    } catch (error) {
-      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
-        return undefined;
-      }
-      throw error;
-    }
-  }
-
-  async set(account: string, record: TokenRecord): Promise<void> {
-    const payload = JSON.stringify(record);
-    if (this.keytar) {
-      await this.keytar.setPassword(SERVICE_NAME, account, payload);
-      return;
-    }
-
-    await fs.mkdir(TOKEN_FALLBACK_DIR, { recursive: true });
-    const filePath = this.fallbackPath(account);
-    await fs.writeFile(filePath, payload, { mode: 0o600, encoding: 'utf8' });
-  }
-
-  async clear(account: string): Promise<void> {
-    if (this.keytar) {
-      await this.keytar.deletePassword(SERVICE_NAME, account);
-      return;
-    }
-    try {
-      await fs.unlink(this.fallbackPath(account));
-    } catch (error) {
-      if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
-        throw error;
-      }
-    }
-  }
-
-  private parseTokenPayload(payload: string): TokenRecord {
-    const parsed = JSON.parse(payload) as Partial<TokenRecord>;
-    if (!parsed || typeof parsed !== 'object') {
-      throw new Error('Stored credentials are malformed.');
-    }
-    if (typeof parsed.accessToken !== 'string' || typeof parsed.refreshToken !== 'string') {
-      throw new Error('Stored credentials missing access or refresh token.');
-    }
-    return {
-      accessToken: parsed.accessToken,
-      refreshToken: parsed.refreshToken,
-      expiresAt: typeof parsed.expiresAt === 'number' ? parsed.expiresAt : undefined,
-    };
-  }
-
-  private fallbackPath(account: string): string {
-    const safe = Buffer.from(account).toString('base64url');
-    return path.join(TOKEN_FALLBACK_DIR, `${safe}.json`);
-  }
-}
-
-class ConfigStore {
-  async load(): Promise<ConfigFile> {
-    try {
-      const payload = await fs.readFile(CONFIG_FILE, 'utf8');
-      const data = JSON.parse(payload) as ConfigFile;
-      return {
-        profiles: data?.profiles ?? {},
-        lastUsed: data?.lastUsed,
-      };
-    } catch (error) {
-      if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
-        return { profiles: {} };
-      }
-      throw error;
-    }
-  }
-
-  async save(config: ConfigFile): Promise<void> {
-    await fs.mkdir(CONFIG_DIR, { recursive: true });
-    const payload = JSON.stringify(config, null, 2);
-    await fs.writeFile(CONFIG_FILE, `${payload}\n`, { encoding: 'utf8', mode: 0o600 });
-  }
-}
-
-class TokenManager {
-  constructor(private readonly store: CredentialStore) {}
-
-  async login(options: LoginOptions): Promise<TokenRecord> {
-    const apiHost = normalizeApiHost(options.host);
-    // Scope should be cid.pid if both are provided (matches official CLI behavior)
-    const scope = options.pid ? `${options.cid}.${options.pid}` : options.cid;
-    // Admin accounts require customerScoped: true (matches C# CLI behavior)
-    // The registry will accept customer-scoped tokens when proper headers are used
-    const customerScoped = true;
-    const response = await fetch(new URL('/basic/auth/token', apiHost), {
-      method: 'POST',
-      headers: {
-        Accept: 'application/json',
-        'Content-Type': 'application/json',
-        ...(scope ? { 'X-BEAM-SCOPE': scope } : {}),
-      },
-      body: JSON.stringify({
-        grant_type: 'password',
-        username: options.email,
-        password: options.password,
-        customerScoped,
-      }),
-    });
-
-    if (!response.ok) {
-      const message = await safeReadError(response);
-      throw new Error(`Login failed (${response.status}): ${message}`);
-    }
-
-    const body = (await response.json()) as Record<string, unknown>;
-    const accessToken = typeof body.access_token === 'string' ? body.access_token : undefined;
-    const refreshToken = typeof body.refresh_token === 'string' ? body.refresh_token : undefined;
-    const expiresIn = typeof body.expires_in === 'number' ? body.expires_in : Number(body.expires_in ?? 0);
-
-    if (!accessToken || !refreshToken) {
-      throw new Error('Login response did not contain access and refresh tokens.');
-    }
-
-    const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? Date.now() + expiresIn * 1000 : undefined;
-    const record: TokenRecord = { accessToken, refreshToken, expiresAt };
-    const account = profileKey({ cid: options.cid, pid: options.pid, apiHost });
-
-    await this.store.set(account, record);
-    return record;
-  }
-
-  async getValidTokens(cid: string, pid: string, host: string, forceRealmScoped = false): Promise<TokenRecord> {
-    const apiHost = normalizeApiHost(host);
-    const account = profileKey({ cid, pid, apiHost });
-
-    const existing = await this.store.get(account);
-    if (!existing) {
-      throw new Error(`No stored credentials for ${cid}.${pid} (${apiHost}). Run "beamo-node login" first.`);
-    }
-
-    // Refresh token if expired or if explicitly requested
-    // Note: If login was done with PID, tokens are already realm-scoped
-    if (forceRealmScoped || isTokenExpired(existing.expiresAt)) {
-      if (process.env.BEAMO_DEBUG === '1' || process.env.BEAMO_NODE_DEBUG === '1') {
-        console.log(`[beamo-node] Refreshing token (forceRealmScoped=${forceRealmScoped}, expired=${isTokenExpired(existing.expiresAt)})`);
-      }
-      const refreshed = await this.refreshToken(existing.refreshToken, cid, pid, apiHost);
-      await this.store.set(account, refreshed);
-      return refreshed;
-    }
-
-    return existing;
-  }
-
-  private async refreshToken(refreshToken: string, cid: string, pid: string, apiHost: string): Promise<TokenRecord> {
-    const scope = pid ? `${cid}.${pid}` : cid;
-    const response = await fetch(new URL('/basic/auth/token', apiHost), {
-      method: 'POST',
-      headers: {
-        Accept: 'application/json',
-        'Content-Type': 'application/json',
-        ...(scope ? { 'X-BEAM-SCOPE': scope } : {}),
-      },
-      body: JSON.stringify({
-        grant_type: 'refresh_token',
-        refresh_token: refreshToken,
-        // Don't include customerScoped - refresh tokens inherit scope from the refresh token itself
-        // Setting X-BEAM-SCOPE header should be enough to get a realm-scoped token
-      }),
-    });
-
-    if (!response.ok) {
-      const message = await safeReadError(response);
-      throw new Error(`Failed to refresh token (${response.status}): ${message}`);
-    }
-
-    const body = (await response.json()) as Record<string, unknown>;
-    const accessToken = typeof body.access_token === 'string' ? body.access_token : undefined;
-    const newRefreshToken = typeof body.refresh_token === 'string' ? body.refresh_token : refreshToken;
-    const expiresIn = typeof body.expires_in === 'number' ? body.expires_in : Number(body.expires_in ?? 0);
-
-    if (!accessToken) {
-      throw new Error('Refresh token response missing access token.');
-    }
-
-    const expiresAt = Number.isFinite(expiresIn) && expiresIn > 0 ? Date.now() + expiresIn * 1000 : undefined;
-    
-    // Verify the refreshed token works with realm scope
-    if (pid && process.env.BEAMO_DEBUG === '1') {
-      try {
-        const testUrl = new URL('/basic/accounts/me', apiHost);
-        const testResponse = await fetch(testUrl, {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            Accept: 'application/json',
-            'X-BEAM-SCOPE': scope,
-          },
-        });
-        if (!testResponse.ok) {
-          console.warn(`[beamo-node] Warning: Refreshed token validation failed (${testResponse.status}). Token may still be customer-scoped.`);
-        }
-      } catch {
-        // Ignore validation errors in debug mode
-      }
-    }
-    
-    return { accessToken, refreshToken: newRefreshToken, expiresAt };
-  }
-}
-
-function parseCommandLine(argv: string[]): { command?: string; args: string[] } {
-  const [command, ...rest] = argv;
-  return { command, args: rest };
-}
-
-function splitArgs(args: string[], recognizedFlags: Set<string>): { flags: Record<string, string | boolean>; forward: string[] } {
-  const flags: Record<string, string | boolean> = {};
-  const forward: string[] = [];
-
-  for (let index = 0; index < args.length; index += 1) {
-    const token = args[index];
-    if (!token.startsWith('-')) {
-      forward.push(token);
-      continue;
-    }
-
-    const key = token.replace(/^--/, '');
-
-    if (recognizedFlags.has(key)) {
-      const next = args[index + 1];
-      if (next !== undefined && !next.startsWith('-')) {
-        flags[key] = next;
-        index += 1;
-      } else {
-        flags[key] = true;
-      }
-    } else {
-      forward.push(token);
-      const next = args[index + 1];
-      if (next !== undefined && !next.startsWith('-')) {
-        forward.push(next);
-        index += 1;
-      }
-    }
-  }
-
-  return { flags, forward };
-}
-
-async function promptInput(question: string, defaultValue?: string): Promise<string> {
-  const rl = readline.createInterface({ input: stdin, output: stdout });
-  return new Promise<string>((resolve) => {
-    rl.question(defaultValue ? `${question} (${defaultValue}): ` : `${question}: `, (answer) => {
-      rl.close();
-      const value = answer.trim();
-      resolve(value === '' && defaultValue !== undefined ? defaultValue : value);
-    });
-  });
-}
-
-async function promptHidden(question: string): Promise<string> {
-  const rl = readline.createInterface({ input: stdin, output: stdout } as readline.ReadLineOptions & { stdoutMuted?: boolean });
-
-  return new Promise<string>((resolve) => {
-    const mutable = rl as readline.Interface & {
-      stdoutMuted?: boolean;
-      _writeToOutput?: (stringToWrite: string) => void;
-      output?: typeof stdout;
-    };
-    mutable.stdoutMuted = true;
-    const originalWrite = mutable._writeToOutput?.bind(mutable);
-    const outputStream = mutable.output ?? stdout;
-    mutable._writeToOutput = (stringToWrite: string) => {
-      if (mutable.stdoutMuted) {
-        outputStream.write('*');
-      } else if (originalWrite) {
-        originalWrite(stringToWrite);
-      } else {
-        outputStream.write(stringToWrite);
-      }
-    };
-
-    mutable.question(`${question}: `, (answer) => {
-      mutable.close();
-      stdout.write(os.EOL);
-      resolve(answer);
-    });
-  });
-}
-
-async function handleLogin(args: string[], configStore: ConfigStore, tokenManager: TokenManager): Promise<void> {
-  const { flags } = splitArgs(args, new Set(['cid', 'pid', 'host', 'email']));
-  const envDefaults = await loadEnvDefaults();
-
-  const cid = typeof flags.cid === 'string' ? flags.cid : await promptInput('CID', envDefaults.cid);
-  const pid = typeof flags.pid === 'string' ? flags.pid : await promptInput('PID', envDefaults.pid);
-  const hostDefault = envDefaults.host ?? DEFAULT_SOCKET_HOST;
-  const host = typeof flags.host === 'string' ? flags.host : await promptInput('Host', hostDefault);
-  const email = typeof flags.email === 'string' ? flags.email : await promptInput('Email');
-  const password = await promptHidden('Password');
-
-  if (!cid || !pid || !host || !email || !password) {
-    throw new Error('CID, PID, host, email, and password are required.');
-  }
-
-  const record = await tokenManager.login({ cid, pid, host, email, password });
-  const config = await configStore.load();
-  const apiHost = normalizeApiHost(host);
-  const id = profileKey({ cid, pid, apiHost });
-
-  config.profiles[id] = {
-    id,
-    cid,
-    pid,
-    host,
-    apiHost,
-    email,
-    lastUsed: Date.now(),
-  };
-  config.lastUsed = id;
-
-  await configStore.save(config);
-
-  console.log(`Login successful for ${email} (${cid}.${pid}).`);
-  if (!record.expiresAt) {
-    console.warn('[beamo-node] Access token does not include an expiration. You may need to re-login if publish fails.');
-  }
-}
-
-async function handlePublish(args: string[], configStore: ConfigStore, tokenManager: TokenManager): Promise<void> {
-  const { flags, forward } = splitArgs(args, new Set(['cid', 'pid', 'host', 'profile']));
-  const profile = await resolveProfile(flags, configStore);
-
-  // Refresh token if expired (customer-scoped tokens work with registry when proper headers are used)
-  // The C# CLI uses the same access token for both registry API calls and Docker registry uploads
-  const tokens = await tokenManager.getValidTokens(profile.cid, profile.pid, profile.host, false);
-  const env = buildCommandEnv(profile, tokens);
-
-  const scriptArgs = buildScriptArgs(forward, profile, true); // publish needs --api-host
-  
-  // Automatically add --env-file .env if .env exists and --env-file wasn't explicitly provided
-  const hasEnvFileFlag = forward.some((arg, i) => arg === '--env-file' || (i > 0 && forward[i - 1] === '--env-file'));
-  if (!hasEnvFileFlag) {
-    const envPath = path.resolve('.env');
-    try {
-      await fs.access(envPath);
-      scriptArgs.push('--env-file', '.env');
-    } catch {
-      // .env file doesn't exist, that's okay
-    }
-  }
-  
-  const scriptPath = path.resolve(__dirname, '../../scripts/publish-service.mjs');
-  await runScript(scriptPath, scriptArgs, env);
-}
-
-async function handleValidate(args: string[], configStore: ConfigStore, tokenManager: TokenManager): Promise<void> {
-  const { flags, forward } = splitArgs(args, new Set(['cid', 'pid', 'host', 'profile']));
-  const profile = await resolveProfile(flags, configStore);
-
-  // Validation does not require tokens, but downstream scripts expect CID/PID/HOST env values.
-  const tokens = await tokenManager.getValidTokens(profile.cid, profile.pid, profile.host);
-  const env = buildCommandEnv(profile, tokens);
-
-  const scriptArgs = buildScriptArgs(forward, profile, false); // validate doesn't need --api-host
-  
-  // Automatically add --env-file .env if .env exists and --env-file wasn't explicitly provided
-  const hasEnvFileFlag = forward.some((arg, i) => arg === '--env-file' || (i > 0 && forward[i - 1] === '--env-file'));
-  if (!hasEnvFileFlag) {
-    const envPath = path.resolve('.env');
-    try {
-      await fs.access(envPath);
-      scriptArgs.push('--env-file', '.env');
-    } catch {
-      // .env file doesn't exist, that's okay
-    }
-  }
-  
-  const scriptPath = path.resolve(__dirname, '../../scripts/validate-service.mjs');
-  await runScript(scriptPath, scriptArgs, env);
-}
-
-async function resolveProfile(flags: Record<string, string | boolean>, configStore: ConfigStore): Promise<ProfileConfig> {
-  const config = await configStore.load();
-
-  if (typeof flags.profile === 'string') {
-    const explicit = config.profiles[flags.profile];
-    if (!explicit) {
-      throw new Error(`Profile "${flags.profile}" not found. Run "beamo-node login" to create it.`);
-    }
-    config.lastUsed = explicit.id;
-    await configStore.save(config);
-    return explicit;
-  }
-
-  const directOptions: ProfileSelectionOptions = {
-    cid: typeof flags.cid === 'string' ? flags.cid : undefined,
-    pid: typeof flags.pid === 'string' ? flags.pid : undefined,
-    host: typeof flags.host === 'string' ? flags.host : undefined,
-  };
-
-  if (directOptions.cid && directOptions.pid && directOptions.host) {
-    const apiHost = normalizeApiHost(directOptions.host);
-    const id = profileKey({ cid: directOptions.cid, pid: directOptions.pid, apiHost });
-    const profile = config.profiles[id];
-    if (!profile) {
-      throw new Error(`No stored credentials for ${directOptions.cid}.${directOptions.pid}. Run "beamo-node login" first.`);
-    }
-    profile.lastUsed = Date.now();
-    config.lastUsed = profile.id;
-    await configStore.save(config);
-    return profile;
-  }
-
-  if (!config.lastUsed) {
-    if (Object.keys(config.profiles).length === 0) {
-      throw new Error('No stored credentials found. Run "beamo-node login" first.');
-    }
-    throw new Error('Multiple profiles found. Specify one with "--profile <id>" or run "beamo-node login" first.');
-  }
-
-  const profile = config.profiles[config.lastUsed];
-  if (!profile) {
-    throw new Error(`Last used profile "${config.lastUsed}" is missing. Run "beamo-node login" to refresh credentials.`);
-  }
-
-  profile.lastUsed = Date.now();
-  config.lastUsed = profile.id;
-  await configStore.save(config);
-  return profile;
-}
-
-function buildScriptArgs(original: string[], profile: ProfileConfig, includeApiHost = true): string[] {
-  const hasFlag = (flag: string) => original.some((token) => token === flag);
-  const args: string[] = [...original];
-  if (!hasFlag('--cid')) {
-    args.push('--cid', profile.cid);
-  }
-  if (!hasFlag('--pid')) {
-    args.push('--pid', profile.pid);
-  }
-  if (!hasFlag('--host')) {
-    args.push('--host', profile.host);
-  }
-  if (includeApiHost && !hasFlag('--api-host')) {
-    args.push('--api-host', profile.apiHost);
-  }
-  return args;
-}
-
-function buildCommandEnv(profile: ProfileConfig, tokens: TokenRecord): NodeJS.ProcessEnv {
-  return {
-    ...process.env,
-    BEAMABLE_TOKEN: tokens.accessToken,
-    ACCESS_TOKEN: tokens.accessToken,
-    BEAMABLE_REFRESH_TOKEN: tokens.refreshToken,
-    REFRESH_TOKEN: tokens.refreshToken,
-    BEAMABLE_CID: profile.cid,
-    CID: profile.cid,
-    BEAMABLE_PID: profile.pid,
-    PID: profile.pid,
-    BEAMABLE_HOST: profile.host,
-    HOST: profile.host,
-    BEAMABLE_API_HOST: profile.apiHost,
-  };
-}
-
-async function runScript(command: string, args: string[], env: NodeJS.ProcessEnv): Promise<void> {
-  const isNodeScript = /\.(mjs|cjs|js)$/i.test(command);
-  const executable = isNodeScript ? process.execPath : command;
-  const finalArgs = isNodeScript ? [command, ...args] : args;
-  const shouldUseShell = process.platform === 'win32' && !isNodeScript;
-  const debug = process.env.BEAMO_DEBUG === '1' || process.env.BEAMO_NODE_DEBUG === '1';
-  if (debug) {
-    console.log(
-      `[beamo-node] command="${command}" exec="${executable}" args=${JSON.stringify(
-        finalArgs,
-      )} shell=${shouldUseShell} cwd=${process.cwd()}`,
-    );
-  }
-
-  await new Promise<void>((resolve, reject) => {
-    const child = spawn(executable, finalArgs, {
-      stdio: 'inherit',
-      env,
-      shell: shouldUseShell,
-    });
-
-    child.on('error', (error) => reject(error));
-    child.on('exit', (code) => {
-      if (code === 0) {
-        resolve();
-      } else {
-        reject(new Error(`Command failed with exit code ${code ?? 'unknown'}.`));
-      }
-    });
-  });
-}
-
-function normalizeApiHost(host: string): string {
-  const trimmed = host.trim();
-  if (trimmed.startsWith('wss://')) {
-    return `https://${trimmed.substring('wss://'.length).replace(/\/socket$/, '')}`;
-  }
-  if (trimmed.startsWith('ws://')) {
-    return `http://${trimmed.substring('ws://'.length).replace(/\/socket$/, '')}`;
-  }
-  let normalized = trimmed.replace(/\/socket$/, '').replace(/\/$/, '');
-  if (!/^https?:\/\//i.test(normalized)) {
-    normalized = `https://${normalized}`;
-  }
-  return normalized;
-}
-
-function profileKey(input: { cid: string; pid: string; apiHost: string }): string {
-  return `${input.cid}.${input.pid}@${input.apiHost}`;
-}
-
-function isTokenExpired(expiresAt?: number): boolean {
-  if (!expiresAt || !Number.isFinite(expiresAt)) {
-    return true;
-  }
-  return Date.now() + MIN_TOKEN_BUFFER_MS >= expiresAt;
-}
-
-async function safeReadError(response: Response): Promise<string> {
-  try {
-    const body = await response.text();
-    if (!body) {
-      return 'No response body';
-    }
-    try {
-      const parsed = JSON.parse(body) as Record<string, unknown>;
-      return typeof parsed.error === 'string'
-        ? parsed.error
-        : typeof parsed.message === 'string'
-        ? parsed.message
-        : body;
-    } catch {
-      return body;
-    }
-  } catch {
-    return 'No response body';
-  }
-}
-
-async function main(): Promise<void> {
-  const [, , ...argv] = process.argv;
-  const { command, args } = parseCommandLine(argv);
-
-  if (!command || command === '--help' || command === '-h') {
-    printHelp();
-    return;
-  }
-
-  const credentialStore = await CredentialStore.create();
-  const tokenManager = new TokenManager(credentialStore);
-  const configStore = new ConfigStore();
-
-  switch (command) {
-    case 'login':
-      await handleLogin(args, configStore, tokenManager);
-      break;
-    case 'publish':
-      await handlePublish(args, configStore, tokenManager);
-      break;
-    case 'validate':
-      await handleValidate(args, configStore, tokenManager);
-      break;
-    case 'profiles':
-      await listProfiles(configStore);
-      break;
-    default:
-      console.error(`Unknown command: ${command}`);
-      printHelp();
-      exit(1);
-  }
-}
-
-async function listProfiles(configStore: ConfigStore): Promise<void> {
-  const config = await configStore.load();
-  const entries = Object.values(config.profiles).sort((a, b) => (b.lastUsed ?? 0) - (a.lastUsed ?? 0));
-  if (entries.length === 0) {
-    console.log('No stored profiles. Run "beamo-node login" to create one.');
-    return;
-  }
-  console.log('Stored profiles:');
-  for (const profile of entries) {
-    const marker = config.lastUsed === profile.id ? '*' : ' ';
-    console.log(` ${marker} ${profile.id}`);
-    console.log(`     CID: ${profile.cid}`);
-    console.log(`     PID: ${profile.pid}`);
-    console.log(`     Host: ${profile.host}`);
-    console.log(`     Email: ${profile.email}`);
-  }
-}
-
-function printHelp(): void {
-  console.log(`beamo-node CLI
-
-Usage:
-  beamo-node login [--cid CID] [--pid PID] [--host HOST] [--email EMAIL]
-  beamo-node publish [--profile ID] [--cid CID --pid PID --host HOST] [-- ...publish flags...]
-  beamo-node validate [--profile ID] [--cid CID --pid PID --host HOST] [-- ...validate flags...]
-  beamo-node profiles
-
-Commands:
-  login      Authenticate with Beamable and store credentials securely.
-  publish    Run the publish pipeline using stored credentials (forwards extra flags to the publish script).
-  validate   Generate OpenAPI docs and validate the project (forwards extra flags).
-  profiles   List stored profiles and indicate the default selection.
-`);
-}
-
-main().catch((error) => {
-  console.error(error instanceof Error ? error.message : error);
-  exit(1);
-});
-
-async function loadEnvDefaults(): Promise<ProfileSelectionOptions> {
-  const envPath = path.resolve('.env');
-  try {
-    const content = await fs.readFile(envPath, 'utf8');
-    const parsed = dotenv.parse(content);
-    const cid = parsed.BEAMABLE_CID ?? parsed.CID ?? undefined;
-    const pid = parsed.BEAMABLE_PID ?? parsed.PID ?? undefined;
-    const host = parsed.BEAMABLE_HOST ?? parsed.HOST ?? undefined;
-    return {
-      cid: cid?.trim() || undefined,
-      pid: pid?.trim() || undefined,
-      host: host?.trim() || undefined,
-    };
-  } catch (error) {
-    if ((error as NodeJS.ErrnoException).code === 'ENOENT') {
-      return {};
-    }
-    throw error;
-  }
-}
-
-