npm - @onexapis/cli - Versions diffs - 1.1.43 → 1.1.45 - Mend

@onexapis/cli 1.1.43 → 1.1.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/index.mjs CHANGED Viewed

@@ -12,8 +12,6 @@ import inquirer from 'inquirer';
 import fs from 'fs-extra';
 import ejs from 'ejs';
 import os from 'os';
-import { PutObjectCommand, GetObjectCommand, S3Client } from '@aws-sdk/client-s3';
-import archiver from 'archiver';
 import AdmZip from 'adm-zip';
 var __defProp = Object.defineProperty;
@@ -1323,8 +1321,8 @@ function validateThemeName(name) {
   return /^[a-z][a-z0-9-]*$/.test(name);
 }
 function pathExists(filePath) {
-  const fs12 = __require("fs-extra");
-  return fs12.existsSync(filePath);
+  const fs11 = __require("fs-extra");
+  return fs11.existsSync(filePath);
 }
 function validateCategory(category) {
   const validCategories = [
@@ -1506,10 +1504,110 @@ async function installDependencies(projectPath, packageManager = "npm") {
   });
 }
 var AUTH_DIR = path8.join(os.homedir(), ".onexthm");
-path8.join(AUTH_DIR, "auth.json");
+var AUTH_FILE = path8.join(AUTH_DIR, "auth.json");
 function getApiUrl() {
   return process.env.ONEXTHM_API_URL || process.env.NEXT_PUBLIC_API_URL || "https://platform-dev.onexeos.com";
 }
+async function saveAuthTokens(tokens) {
+  await fs.ensureDir(AUTH_DIR);
+  const key = getMachineKey();
+  const data = JSON.stringify(tokens);
+  const encrypted = encrypt(data, key);
+  await fs.writeFile(AUTH_FILE, encrypted, "utf-8");
+}
+function loadAuthTokens() {
+  try {
+    if (!fs.existsSync(AUTH_FILE)) return null;
+    const encrypted = fs.readFileSync(AUTH_FILE, "utf-8");
+    const key = getMachineKey();
+    const data = decrypt(encrypted, key);
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+async function clearAuthTokens() {
+  try {
+    await fs.remove(AUTH_FILE);
+  } catch {
+  }
+}
+function isTokenExpired(tokens) {
+  return Date.now() / 1e3 > tokens.expiresAt - 60;
+}
+async function getValidTokens() {
+  const tokens = loadAuthTokens();
+  if (!tokens) return null;
+  if (!isTokenExpired(tokens)) return tokens;
+  try {
+    const apiUrl = getApiUrl();
+    const response = await fetch(`${apiUrl}/auth/refresh`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ refresh_token: tokens.refreshToken })
+    });
+    if (!response.ok) {
+      await clearAuthTokens();
+      return null;
+    }
+    const data = await response.json();
+    const body = data.statusCode ? data.body : data;
+    const refreshed = {
+      ...tokens,
+      accessToken: body.AccessToken || tokens.accessToken,
+      idToken: body.IdToken || tokens.idToken,
+      expiresAt: Math.floor(Date.now() / 1e3) + (body.ExpiresIn || 3600)
+    };
+    await saveAuthTokens(refreshed);
+    return refreshed;
+  } catch {
+    await clearAuthTokens();
+    return null;
+  }
+}
+async function authenticatedFetch(url, init) {
+  const tokens = await getValidTokens();
+  if (!tokens) {
+    throw new Error("Not logged in. Run: onexthm login");
+  }
+  const headers = new Headers(init?.headers);
+  headers.set("Authorization", `Bearer ${tokens.idToken}`);
+  headers.set("Content-Type", "application/json");
+  return fetch(url, { ...init, headers });
+}
+function getMachineKey() {
+  let seed;
+  if (process.platform === "darwin") {
+    seed = `onexthm:${os.hostname()}:${os.userInfo().username}`;
+  } else if (process.platform === "linux") {
+    try {
+      seed = `onexthm:${fs.readFileSync("/etc/machine-id", "utf-8").trim()}`;
+    } catch {
+      seed = `onexthm:${os.hostname()}:${os.userInfo().username}`;
+    }
+  } else {
+    seed = `onexthm:${os.hostname()}:${os.userInfo().username}`;
+  }
+  return crypto.createHash("sha256").update(seed).digest();
+}
+function encrypt(text, key) {
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+  let encrypted = cipher.update(text, "utf-8", "hex");
+  encrypted += cipher.final("hex");
+  const tag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${tag.toString("hex")}:${encrypted}`;
+}
+function decrypt(text, key) {
+  const [ivHex, tagHex, encrypted] = text.split(":");
+  const iv = Buffer.from(ivHex, "hex");
+  const tag = Buffer.from(tagHex, "hex");
+  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  let decrypted = decipher.update(encrypted, "hex", "utf-8");
+  decrypted += decipher.final("utf-8");
+  return decrypted;
+}
 // src/commands/init.ts
 async function initCommand(projectName, options = {}) {
@@ -2718,343 +2816,94 @@ function runCommand(command, args, cwd) {
 // src/commands/upload.ts
 init_logger();
-function getS3Client() {
-  const adapterMode = (process.env.ADAPTER_MODE || "aws").trim().toLowerCase();
-  if (adapterMode === "vps") {
-    const endpoint = process.env.MINIO_ENDPOINT || "localhost:9000";
-    const secure = process.env.MINIO_SECURE === "true";
-    const endpointUrl = endpoint.startsWith("http") ? endpoint : `${secure ? "https" : "http"}://${endpoint}`;
-    return new S3Client({
-      endpoint: endpointUrl,
-      region: "us-east-1",
-      credentials: {
-        accessKeyId: process.env.MINIO_ACCESS_KEY || "minioadmin",
-        secretAccessKey: process.env.MINIO_SECRET_KEY || "minioadmin"
-      },
-      forcePathStyle: true
-    });
-  }
-  if (adapterMode === "local") {
-    return new S3Client({
-      endpoint: "http://localhost:4569",
-      region: "ap-southeast-1",
-      credentials: {
-        accessKeyId: "S3RVER",
-        secretAccessKey: "S3RVER"
-      },
-      forcePathStyle: true
-    });
-  }
-  return new S3Client({
-    region: process.env.AWS_REGION || "ap-southeast-1"
-  });
-}
-function getBucketName(env) {
-  if (process.env.BUCKET_NAME) {
-    return process.env.BUCKET_NAME;
-  }
-  const environment = env || process.env.ENVIRONMENT || "staging";
-  return environment === "production" ? "theme-s3-bucket" : "theme-s3-bucket";
-}
-async function findCompiledThemeDir(themeId, version) {
-  const searchPaths = [path8.resolve(process.cwd(), "dist")];
-  for (const dir of searchPaths) {
-    if (await fs.pathExists(dir)) {
-      const hasManifest = await fs.pathExists(path8.join(dir, "manifest.json"));
-      const hasThemeEntry = await fs.pathExists(path8.join(dir, "bundle-entry.js")) || await fs.pathExists(path8.join(dir, "theme.config.js")) || await fs.pathExists(path8.join(dir, "index.js"));
-      if (hasManifest || hasThemeEntry) {
-        return dir;
-      }
-    }
-  }
-  return null;
-}
-async function readManifest() {
-  const manifestTsPath = path8.resolve(process.cwd(), "manifest.ts");
-  if (await fs.pathExists(manifestTsPath)) {
-    try {
-      const module = await import(manifestTsPath);
-      return module.default || module;
-    } catch (error) {
-      logger.warning("Failed to import manifest.ts, trying package.json");
-    }
-  }
-  const packageJsonPath = path8.resolve(process.cwd(), "package.json");
-  if (await fs.pathExists(packageJsonPath)) {
-    const pkg = await fs.readJson(packageJsonPath);
-    return {
-      themeId: pkg.name?.replace("@onex-themes/", "") || "unknown",
-      version: pkg.version || "1.0.0"
-    };
-  }
-  throw new Error(
-    "No manifest.ts or package.json found. Are you in a theme directory?"
+async function uploadCommand(_options) {
+  logger.header("Upload Theme to S3 \u2014 DEPRECATED");
+  console.log();
+  console.log(
+    chalk4.yellow.bold(
+      "`onexthm upload` is deprecated and no longer functional."
+    )
   );
-}
-async function createZipFromDir(sourceDir, outputPath, excludePatterns = []) {
-  return new Promise((resolve, reject) => {
-    const output = fs.createWriteStream(outputPath);
-    const archive = archiver("zip", { zlib: { level: 6 } });
-    output.on("close", () => resolve());
-    archive.on("error", (err) => reject(err));
-    archive.pipe(output);
-    archive.glob("**/*", {
-      cwd: sourceDir,
-      dot: true,
-      ignore: excludePatterns
-    });
-    archive.finalize();
-  });
-}
-async function findSourceDir(themeId, explicitDir) {
-  if (explicitDir) {
-    if (await fs.pathExists(explicitDir)) return explicitDir;
-    return null;
-  }
-  const searchPaths = [
-    process.cwd(),
-    path8.resolve(process.cwd(), `../../themes/${themeId}`),
-    path8.resolve(process.cwd(), `../themes/${themeId}`)
-  ];
-  const markers = ["theme.config.ts", "bundle-entry.ts"];
-  for (const dir of searchPaths) {
-    for (const marker of markers) {
-      if (await fs.pathExists(path8.join(dir, marker))) {
-        return dir;
-      }
-    }
-  }
-  return null;
-}
-async function updateLatestPointer(s3Client, bucket, themeId, version) {
-  const latestData = {
-    version,
-    uploadedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  await s3Client.send(
-    new PutObjectCommand({
-      Bucket: bucket,
-      Key: `themes/${themeId}/latest.json`,
-      Body: JSON.stringify(latestData, null, 2),
-      ContentType: "application/json"
-    })
+  console.log();
+  console.log(
+    "The platform no longer exposes themes via direct S3 access, so this"
   );
-}
-async function uploadCommand(options) {
-  logger.header("Upload Theme to S3");
-  const spinner = ora("Preparing theme upload...").start();
-  try {
-    let themeId;
-    let version;
-    if (options.theme) {
-      themeId = options.theme;
-      version = options.version || "1.0.0";
-    } else {
-      const manifest = await readManifest();
-      themeId = manifest.themeId;
-      version = options.version || manifest.version || "1.0.0";
-    }
-    spinner.text = `Found theme: ${themeId}@${version}`;
-    const bucket = options.bucket || getBucketName(options.environment);
-    const s3Client = getS3Client();
-    const compiledDir = await findCompiledThemeDir(themeId, version);
-    if (!compiledDir) {
-      spinner.fail(
-        chalk4.red(
-          `Compiled theme not found for ${themeId}@${version}. Run 'onexthm build' first.`
-        )
-      );
-      logger.info(chalk4.gray(`Expected location:
-  - ./dist/`));
-      process.exit(1);
-    }
-    spinner.succeed(`Found compiled theme at: ${compiledDir}`);
-    spinner.start("Creating bundle.zip...");
-    const tmpDir = os.tmpdir();
-    const bundleZipPath = path8.join(tmpDir, `${themeId}-${version}-bundle.zip`);
-    await createZipFromDir(compiledDir, bundleZipPath);
-    const bundleZipBuffer = await fs.readFile(bundleZipPath);
-    const bundleSizeMB = (bundleZipBuffer.length / 1024 / 1024).toFixed(2);
-    spinner.succeed(`Created bundle.zip (${bundleSizeMB} MB)`);
-    if (options.dryRun) {
-      spinner.info(chalk4.yellow("Dry run mode \u2014 no files will be uploaded"));
-      console.log();
-      console.log(chalk4.gray(`  bundle.zip: ${bundleSizeMB} MB`));
-      console.log(
-        chalk4.cyan(
-          `  S3 path: s3://${bucket}/themes/${themeId}/${version}/bundle.zip`
-        )
-      );
-      if (!options.skipSource) {
-        const sourceDir = await findSourceDir(themeId, options.sourceDir);
-        if (sourceDir) {
-          console.log(chalk4.gray(`  source dir: ${sourceDir}`));
-          console.log(
-            chalk4.cyan(
-              `  S3 path: s3://${bucket}/themes/${themeId}/${version}/source.zip`
-            )
-          );
-        } else {
-          console.log(
-            chalk4.yellow("  source dir: not found (source.zip will be skipped)")
-          );
-        }
-      }
-      console.log();
-      await fs.remove(bundleZipPath);
-      return;
-    }
-    spinner.start("Uploading bundle.zip to S3...");
-    const bundleS3Key = `themes/${themeId}/${version}/bundle.zip`;
-    await s3Client.send(
-      new PutObjectCommand({
-        Bucket: bucket,
-        Key: bundleS3Key,
-        Body: bundleZipBuffer,
-        ContentType: "application/zip"
-      })
-    );
-    spinner.succeed(
-      `Uploaded bundle.zip ${chalk4.gray(`\u2192 s3://${bucket}/${bundleS3Key}`)}`
-    );
-    await fs.remove(bundleZipPath);
-    let sourceUploaded = false;
-    if (!options.skipSource) {
-      spinner.start("Looking for source directory...");
-      const sourceDir = await findSourceDir(themeId, options.sourceDir);
-      if (sourceDir) {
-        spinner.succeed(`Found source at: ${sourceDir}`);
-        spinner.start("Creating source.zip...");
-        const sourceZipPath = path8.join(
-          tmpDir,
-          `${themeId}-${version}-source.zip`
-        );
-        await createZipFromDir(sourceDir, sourceZipPath, [
-          "node_modules/**",
-          "dist/**",
-          ".git/**",
-          "*.zip",
-          ".next/**",
-          ".turbo/**"
-        ]);
-        const sourceZipBuffer = await fs.readFile(sourceZipPath);
-        const sourceSizeMB = (sourceZipBuffer.length / 1024 / 1024).toFixed(2);
-        spinner.succeed(`Created source.zip (${sourceSizeMB} MB)`);
-        spinner.start("Uploading source.zip to S3...");
-        const sourceS3Key = `themes/${themeId}/${version}/source.zip`;
-        await s3Client.send(
-          new PutObjectCommand({
-            Bucket: bucket,
-            Key: sourceS3Key,
-            Body: sourceZipBuffer,
-            ContentType: "application/zip"
-          })
-        );
-        spinner.succeed(
-          `Uploaded source.zip ${chalk4.gray(`\u2192 s3://${bucket}/${sourceS3Key}`)}`
-        );
-        await fs.remove(sourceZipPath);
-        sourceUploaded = true;
-      } else {
-        spinner.warn(
-          chalk4.yellow("Source directory not found \u2014 skipping source.zip")
-        );
-      }
-    }
-    spinner.start("Updating latest.json pointer...");
-    await updateLatestPointer(s3Client, bucket, themeId, version);
-    spinner.succeed("Updated latest.json pointer");
-    console.log();
-    logger.success(chalk4.green.bold("Theme uploaded successfully!"));
-    console.log();
-    console.log(
-      chalk4.cyan("   Theme:   ") + chalk4.white(`${themeId}@${version}`)
-    );
-    console.log(chalk4.cyan("   Bucket:  ") + chalk4.white(bucket));
-    console.log(
-      chalk4.cyan("   Files:   ") + chalk4.white(`bundle.zip${sourceUploaded ? " + source.zip" : ""}`)
-    );
-    console.log(
-      chalk4.cyan("   Path:    ") + chalk4.gray(`s3://${bucket}/themes/${themeId}/${version}/`)
-    );
-    console.log();
-  } catch (error) {
-    spinner.fail(chalk4.red(`Upload failed: ${error.message}`));
-    logger.error(error.stack || error.message);
-    process.exit(1);
-  }
+  console.log(
+    "command can no longer reach the bucket. Use `onexthm publish` instead:"
+  );
+  console.log();
+  console.log(chalk4.cyan("  cd themes/your-theme"));
+  console.log(chalk4.cyan("  onexthm login          # one-time, refreshes JWT"));
+  console.log(
+    chalk4.cyan("  onexthm publish        # builds + uploads + confirms")
+  );
+  console.log();
+  console.log(
+    "`publish` does everything this command did (build, version bump,"
+  );
+  console.log(
+    "bundle + source upload) plus content-hashed asset upload, security"
+  );
+  console.log("scanning, and atomic version registration in one step.");
+  console.log();
+  process.exit(1);
 }
 // src/commands/download.ts
 init_logger();
-function getS3Client2() {
-  const adapterMode = (process.env.ADAPTER_MODE || "aws").trim().toLowerCase();
-  if (adapterMode === "vps") {
-    const endpoint = process.env.MINIO_ENDPOINT || "localhost:9000";
-    const secure = process.env.MINIO_SECURE === "true";
-    const endpointUrl = endpoint.startsWith("http") ? endpoint : `${secure ? "https" : "http"}://${endpoint}`;
-    return new S3Client({
-      endpoint: endpointUrl,
-      region: "us-east-1",
-      credentials: {
-        accessKeyId: process.env.MINIO_ACCESS_KEY || "minioadmin",
-        secretAccessKey: process.env.MINIO_SECRET_KEY || "minioadmin"
-      },
-      forcePathStyle: true
-    });
-  }
-  if (adapterMode === "local") {
-    return new S3Client({
-      endpoint: "http://localhost:4569",
-      region: "ap-southeast-1",
-      credentials: {
-        accessKeyId: "S3RVER",
-        secretAccessKey: "S3RVER"
-      },
-      forcePathStyle: true
-    });
+function unwrapEnvelope(raw) {
+  if (raw && typeof raw === "object" && "statusCode" in raw && "body" in raw) {
+    return raw.body;
   }
-  return new S3Client({
-    region: process.env.AWS_REGION || "ap-southeast-1"
-  });
+  return raw;
 }
-function getBucketName2(env) {
-  if (process.env.BUCKET_NAME) {
-    return process.env.BUCKET_NAME;
+async function resolveLatestVersion(apiUrl, themeId) {
+  const url = `${apiUrl}/website-api/themes/${encodeURIComponent(themeId)}/versions`;
+  let response;
+  try {
+    response = await fetch(url, { cache: "no-store" });
+  } catch (err) {
+    throw new Error(
+      `Network error contacting ${url}: ${err instanceof Error ? err.message : "unknown"}`
+    );
   }
-  const environment = env || process.env.ENVIRONMENT || "staging";
-  return environment === "production" ? "theme-s3-bucket" : "theme-s3-bucket";
-}
-async function streamToString(stream) {
-  const chunks = [];
-  for await (const chunk of stream) {
-    chunks.push(Buffer.from(chunk));
+  if (!response.ok) {
+    throw new Error(
+      `Version lookup failed for "${themeId}" (HTTP ${response.status})`
+    );
   }
-  return Buffer.concat(chunks).toString("utf-8");
-}
-async function streamToBuffer(stream) {
-  const chunks = [];
-  for await (const chunk of stream) {
-    chunks.push(Buffer.from(chunk));
+  const raw = await response.json();
+  const data = unwrapEnvelope(raw);
+  const latest = data?.latest_version;
+  if (typeof latest !== "string" || latest.length === 0) {
+    throw new Error(
+      `Theme "${themeId}" has no published versions yet (no latest_version in response)`
+    );
   }
-  return Buffer.concat(chunks);
+  return latest;
 }
-async function resolveLatestVersion(s3Client, bucket, themeId) {
-  try {
-    const response = await s3Client.send(
-      new GetObjectCommand({
-        Bucket: bucket,
-        Key: `themes/${themeId}/latest.json`
-      })
-    );
-    const body = await streamToString(response.Body);
-    const data = JSON.parse(body);
-    return data.version;
-  } catch (error) {
+async function downloadBundleZip(apiUrl, themeId, version) {
+  const url = `${apiUrl}/website-api/themes/${encodeURIComponent(themeId)}/${encodeURIComponent(version)}/download`;
+  const response = await fetch(url);
+  if (!response.ok) {
     throw new Error(
-      `Failed to resolve latest version for theme "${themeId}": ${error.message}`
+      `Bundle download failed for "${themeId}@${version}" (HTTP ${response.status})`
     );
   }
+  const contentType = response.headers.get("content-type") || "";
+  if (contentType.includes("application/json")) {
+    const raw = await response.json();
+    const envelope = raw && typeof raw === "object" && "statusCode" in raw ? raw : { body: raw };
+    const body = envelope.body;
+    if (typeof body !== "string") {
+      throw new Error(
+        "Unexpected /download response shape: expected base64 string in body"
+      );
+    }
+    return Buffer.from(body, "base64");
+  }
+  const arrayBuffer = await response.arrayBuffer();
+  return Buffer.from(arrayBuffer);
 }
 async function createCompatibilityFiles(outputDir, manifest) {
   const entryFile = manifest.output?.entry || "bundle-entry.js";
@@ -3078,47 +2927,58 @@ export * from './bundle-entry.js';
   const pkgJsonPath = path8.join(outputDir, "package.json");
   await fs.writeFile(pkgJsonPath, '{\n  "type": "module"\n}\n', "utf-8");
 }
-function showDownloadFailureHelp(themeId, bucket) {
+function showDownloadFailureHelp(themeId, apiUrl) {
   console.log();
   logger.error(chalk4.red.bold("Theme download failed"));
   console.log();
   console.log(chalk4.yellow("Possible reasons:"));
-  console.log(chalk4.gray("  1. Theme not uploaded to S3 yet"));
-  console.log(chalk4.gray("  2. AWS credentials not configured correctly"));
-  console.log(chalk4.gray("  3. Bucket name or region is incorrect"));
-  console.log(chalk4.gray("  4. bundle.zip is missing or corrupted"));
+  console.log(
+    chalk4.gray("  1. Theme has not been published yet (run `onexthm publish`)")
+  );
+  console.log(
+    chalk4.gray(
+      "  2. Theme ID is wrong (typo in --theme-id or THEME_ID env var)"
+    )
+  );
+  console.log(
+    chalk4.gray("  3. API base URL is wrong or the website-api is unreachable")
+  );
   console.log();
   console.log(chalk4.cyan.bold("To fix this:"));
   console.log();
-  console.log(chalk4.white("1. Compile and upload the theme:"));
-  console.log(chalk4.gray(`   cd themes/${themeId}`));
-  console.log(chalk4.gray("   pnpm build"));
-  console.log(chalk4.gray("   onexthm upload"));
-  console.log();
-  console.log(chalk4.white("2. Verify AWS credentials are set:"));
+  console.log(chalk4.white("1. Verify the theme is published:"));
   console.log(
-    chalk4.gray("   - Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY")
+    chalk4.gray(
+      `   curl -s ${apiUrl}/website-api/themes/${themeId}/versions | jq .latest_version`
+    )
   );
-  console.log(chalk4.gray("   - Or use AWS_PROFILE=your-profile"));
-  console.log(chalk4.gray("   - Set AWS_REGION (e.g., ap-southeast-1)"));
   console.log();
-  console.log(chalk4.white("3. Check bucket configuration:"));
-  console.log(chalk4.gray(`   Current bucket: ${bucket}`));
+  console.log(chalk4.white("2. Check API URL configuration:"));
+  console.log(chalk4.gray(`   Current API URL: ${apiUrl}`));
   console.log(
-    chalk4.gray("   Set BUCKET_NAME environment variable if different")
+    chalk4.gray("   Override with NEXT_PUBLIC_API_URL or ONEXTHM_API_URL")
   );
   console.log();
-  console.log(chalk4.white("4. Verify theme exists in S3:"));
-  console.log(chalk4.gray(`   aws s3 ls s3://${bucket}/themes/${themeId}/`));
+  console.log(chalk4.white("3. Pin a specific version (CI/production):"));
+  console.log(
+    chalk4.gray(`   THEME_VERSION=1.2.3 onexthm download --theme-id ${themeId}`)
+  );
   console.log();
 }
 async function downloadCommand(options) {
-  logger.header("Download Theme from S3");
+  logger.header("Download Theme");
   const spinner = ora("Initializing download...").start();
+  if (options.bucket || options.environment) {
+    spinner.stop();
+    logger.warning(
+      "--bucket and --environment are deprecated and ignored. Themes are now served via HTTP from the website-api Lambda."
+    );
+    spinner.start();
+  }
+  const apiUrl = getApiUrl();
   try {
     const themeId = options.themeId || process.env.NEXT_PUBLIC_THEME_ID || process.env.THEME_ID;
-    const version = options.version || process.env.THEME_VERSION || "latest";
-    const bucket = options.bucket || getBucketName2(options.environment);
+    const requestedVersion = options.version || process.env.THEME_VERSION || "latest";
     const outputDir = options.output || "./active-theme";
     if (!themeId) {
       spinner.fail(
@@ -3128,12 +2988,10 @@ async function downloadCommand(options) {
       );
       process.exit(1);
     }
-    spinner.text = `Downloading ${themeId}@${version} from ${bucket}...`;
-    const s3Client = getS3Client2();
-    let resolvedVersion = version;
-    if (version === "latest") {
-      spinner.text = "Resolving latest version...";
-      resolvedVersion = await resolveLatestVersion(s3Client, bucket, themeId);
+    spinner.text = `Resolving ${themeId}@${requestedVersion}...`;
+    let resolvedVersion = requestedVersion;
+    if (requestedVersion === "latest") {
+      resolvedVersion = await resolveLatestVersion(apiUrl, themeId);
       spinner.succeed(
         `Resolved latest version: ${chalk4.cyan(resolvedVersion)}`
       );
@@ -3143,24 +3001,19 @@ async function downloadCommand(options) {
           chalk4.yellow(
             `
   Warning: Resolved "latest" to ${resolvedVersion} in CI environment.
-  For production builds, pin to a specific version:
+  For reproducible builds, pin to a specific version:
     THEME_VERSION=${resolvedVersion}
 `
           )
         );
       }
+    } else {
+      spinner.succeed(`Using version: ${chalk4.cyan(resolvedVersion)}`);
     }
     spinner.start(
       `Downloading bundle.zip for ${themeId}@${resolvedVersion}...`
     );
-    const s3Key = `themes/${themeId}/${resolvedVersion}/bundle.zip`;
-    const response = await s3Client.send(
-      new GetObjectCommand({
-        Bucket: bucket,
-        Key: s3Key
-      })
-    );
-    const zipBuffer = await streamToBuffer(response.Body);
+    const zipBuffer = await downloadBundleZip(apiUrl, themeId, resolvedVersion);
     const sizeMB = (zipBuffer.length / 1024 / 1024).toFixed(2);
     spinner.succeed(`Downloaded bundle.zip (${sizeMB} MB)`);
     spinner.start("Extracting bundle...");
@@ -3179,7 +3032,7 @@ async function downloadCommand(options) {
     console.log(
       chalk4.cyan("   Theme:   ") + chalk4.white(`${themeId}@${resolvedVersion}`)
     );
-    console.log(chalk4.cyan("   Bucket:  ") + chalk4.white(bucket));
+    console.log(chalk4.cyan("   Source:  ") + chalk4.white(apiUrl));
     console.log(chalk4.cyan("   Output:  ") + chalk4.white(outputDir));
     console.log(chalk4.cyan("   Files:   ") + chalk4.white(entries.length));
     if (manifest.counts) {
@@ -3191,82 +3044,70 @@ async function downloadCommand(options) {
   } catch (error) {
     spinner.fail(chalk4.red("Download failed"));
     logger.error(error.message);
-    const themeId = options.themeId || process.env.NEXT_PUBLIC_THEME_ID || "unknown";
-    const bucket = options.bucket || getBucketName2(options.environment);
-    showDownloadFailureHelp(themeId, bucket);
+    const themeId = options.themeId || process.env.NEXT_PUBLIC_THEME_ID || process.env.THEME_ID || "unknown";
+    showDownloadFailureHelp(themeId, apiUrl);
     process.exit(1);
   }
 }
 // src/commands/clone.ts
 init_logger();
-function getS3Client3() {
-  const adapterMode = (process.env.ADAPTER_MODE || "aws").trim().toLowerCase();
-  if (adapterMode === "vps") {
-    const endpoint = process.env.MINIO_ENDPOINT || "localhost:9000";
-    const secure = process.env.MINIO_SECURE === "true";
-    const endpointUrl = endpoint.startsWith("http") ? endpoint : `${secure ? "https" : "http"}://${endpoint}`;
-    return new S3Client({
-      endpoint: endpointUrl,
-      region: "us-east-1",
-      credentials: {
-        accessKeyId: process.env.MINIO_ACCESS_KEY || "minioadmin",
-        secretAccessKey: process.env.MINIO_SECRET_KEY || "minioadmin"
-      },
-      forcePathStyle: true
-    });
-  }
-  if (adapterMode === "local") {
-    return new S3Client({
-      endpoint: "http://localhost:4569",
-      region: "ap-southeast-1",
-      credentials: {
-        accessKeyId: "S3RVER",
-        secretAccessKey: "S3RVER"
-      },
-      forcePathStyle: true
-    });
-  }
-  return new S3Client({
-    region: process.env.AWS_REGION || "ap-southeast-1"
-  });
-}
-function getBucketName3(env) {
-  if (process.env.BUCKET_NAME) {
-    return process.env.BUCKET_NAME;
+function unwrapEnvelope2(raw) {
+  if (raw && typeof raw === "object" && "statusCode" in raw && "body" in raw) {
+    return raw.body;
   }
-  const environment = env || process.env.ENVIRONMENT || "staging";
-  return environment === "production" ? "theme-s3-bucket" : "theme-s3-bucket";
+  return raw;
 }
-async function streamToString2(stream) {
-  const chunks = [];
-  for await (const chunk of stream) {
-    chunks.push(Buffer.from(chunk));
+async function resolveLatestVersion2(apiUrl, themeId) {
+  const url = `${apiUrl}/website-api/themes/${encodeURIComponent(themeId)}/versions`;
+  const response = await fetch(url, { cache: "no-store" });
+  if (!response.ok) {
+    throw new Error(
+      `Version lookup failed for "${themeId}" (HTTP ${response.status})`
+    );
   }
-  return Buffer.concat(chunks).toString("utf-8");
-}
-async function streamToBuffer2(stream) {
-  const chunks = [];
-  for await (const chunk of stream) {
-    chunks.push(Buffer.from(chunk));
+  const raw = await response.json();
+  const data = unwrapEnvelope2(raw);
+  const latest = data?.latest_version;
+  if (typeof latest !== "string" || latest.length === 0) {
+    throw new Error(`Theme "${themeId}" has no published versions yet`);
   }
-  return Buffer.concat(chunks);
+  return latest;
 }
-async function resolveLatestVersion2(s3Client, bucket, themeId) {
-  try {
-    const response = await s3Client.send(
-      new GetObjectCommand({
-        Bucket: bucket,
-        Key: `themes/${themeId}/latest.json`
-      })
+async function fetchSourceZip(apiUrl, themeId, version) {
+  const url = `${apiUrl}/website-api/themes/${encodeURIComponent(themeId)}/source?version=${encodeURIComponent(version)}`;
+  const response = await authenticatedFetch(url, {
+    method: "GET"
+  });
+  if (!response.ok) {
+    if (response.status === 404) {
+      throw new Error(
+        `Source not found for ${themeId}@${version}. The theme may not have been published with source upload enabled.`
+      );
+    }
+    if (response.status === 401 || response.status === 403) {
+      throw new Error(
+        `Not authorized to download source for "${themeId}". Run \`onexthm login\` first.`
+      );
+    }
+    throw new Error(
+      `Source URL request failed for "${themeId}@${version}" (HTTP ${response.status})`
     );
-    const body = await streamToString2(response.Body);
-    return JSON.parse(body).version;
-  } catch (error) {
+  }
+  const raw = await response.json();
+  const data = unwrapEnvelope2(raw);
+  const presignedUrl = data?.download_url;
+  if (typeof presignedUrl !== "string" || presignedUrl.length === 0) {
+    throw new Error("Unexpected /source response shape: missing download_url");
+  }
+  const zipResponse = await fetch(presignedUrl);
+  if (!zipResponse.ok) {
     throw new Error(
-      `Failed to resolve latest version for theme "${themeId}": ${error.message}`
+      `Presigned source download failed (HTTP ${zipResponse.status})`
     );
   }
+  const arrayBuffer = await zipResponse.arrayBuffer();
+  return Buffer.from(arrayBuffer);
 }
 function runInstall(cwd) {
   return new Promise((resolve) => {
@@ -3365,15 +3206,24 @@ async function renameTheme(themeDir, oldName, newName) {
 }
 async function cloneCommand(themeName, options) {
   logger.header("Clone Theme Source");
+  if (options.bucket || options.environment) {
+    logger.warning(
+      "--bucket and --environment are deprecated and ignored. Source is now fetched via HTTP from the website-api Lambda."
+    );
+  }
+  const tokens = await getValidTokens();
+  if (!tokens) {
+    logger.error("Not logged in. Run: onexthm login");
+    process.exit(1);
+  }
   let newName = options.name;
   if (!newName) {
     newName = await promptThemeName(themeName);
   }
   const spinner = ora("Initializing clone...").start();
   try {
-    const bucket = options.bucket || getBucketName3(options.environment);
+    const apiUrl = getApiUrl();
     const outputDir = options.output || path8.resolve(process.cwd(), newName);
-    const s3Client = getS3Client3();
     if (await fs.pathExists(outputDir)) {
       spinner.fail(chalk4.red(`Directory already exists: ${outputDir}`));
       logger.info(
@@ -3386,28 +3236,20 @@ async function cloneCommand(themeName, options) {
     let version = options.version || "latest";
     if (version === "latest") {
       spinner.text = "Resolving latest version...";
-      version = await resolveLatestVersion2(s3Client, bucket, themeName);
+      version = await resolveLatestVersion2(apiUrl, themeName);
       spinner.succeed(`Resolved latest version: ${chalk4.cyan(version)}`);
     }
     spinner.start(`Downloading source.zip for ${themeName}@${version}...`);
-    const s3Key = `themes/${themeName}/${version}/source.zip`;
     let zipBuffer;
     try {
-      const response = await s3Client.send(
-        new GetObjectCommand({
-          Bucket: bucket,
-          Key: s3Key
-        })
-      );
-      zipBuffer = await streamToBuffer2(response.Body);
+      zipBuffer = await fetchSourceZip(apiUrl, themeName, version);
     } catch (error) {
-      spinner.fail(chalk4.red(`Source not found: s3://${bucket}/${s3Key}`));
+      spinner.fail(chalk4.red(error.message));
       console.log();
       console.log(
-        chalk4.yellow("The theme source may not have been uploaded yet.")
-      );
-      console.log(
-        chalk4.gray(`Upload source with: onexthm upload --theme ${themeName}`)
+        chalk4.gray(
+          `Verify the theme is published: curl -s ${apiUrl}/website-api/themes/${themeName}/versions`
+        )
       );
       console.log();
       process.exit(1);