@opice/cli 0.5.0 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@opice/cli",
-	"version": "0.5.0",
+	"version": "0.6.0",
 	"description": "CLI for opice — scaffolds projects and wraps `bun test` to stream E2E results to the reporting platform",
 	"type": "module",
 	"bin": {

package/src/cli.ts

@@ -3,6 +3,7 @@ import { failuresCommand } from './commands/failures'
 import { initCommand } from './commands/init'
 import { installSkillsCommand } from './commands/install-skills'
 import { testCommand } from './commands/test'
+import { tokensCommand } from './commands/tokens'
 import { usersCommand } from './commands/users'
 
 const HELP = `opice — AI-driven E2E browser test harness
@@ -26,8 +27,17 @@ Commands:
   failures <run-url|run-id> [--json]
       Pull a failed run's details (failed scenarios, the failing step,
       error, screenshot URL, and source files) for the re-eval workflow.
-      Read token comes from the URL's ?token= or OPICE_READ_TOKEN (a
-      read-only share link).
+      Read token comes from the URL's ?token=, OPICE_READ_TOKEN, or
+      OPICE_READ_DSN (a read-only project credential).
+
+  tokens create [--project=SLUG] [--capability=read|write] [--label=...] [--expires-days=N]
+  tokens list [--project=SLUG]
+  tokens revoke <token-id>
+      Manage API tokens. Needs the admin token (--admin-token or
+      OPICE_ADMIN_TOKEN) and the platform endpoint (--endpoint,
+      OPICE_ENDPOINT, or opice.config.json). 'create' defaults to a
+      project-scoped read token and prints a ready OPICE_READ_DSN an
+      authoring agent can drop into .env to read results.
 
   users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]
       Create a dashboard login (admin role by default). Needs the bootstrap
@@ -55,6 +65,8 @@ async function main(argv: string[]): Promise<number> {
 			return failuresCommand(rest)
 		case 'users':
 			return usersCommand(rest)
+		case 'tokens':
+			return tokensCommand(rest)
 		case 'install-skills':
 			return installSkillsCommand(rest)
 		case 'help':

package/src/commands/failures.ts

@@ -5,8 +5,10 @@
  * source test file that produced them (the test is the spec — each step
  * carries its `intent`, so there's no separate scenario file).
  *
- * Reads are token-gated. The token is taken from the URL's `?token=` (when you
- * paste a dashboard link) or from OPICE_READ_TOKEN.
+ * Reads are token-gated. The read token (and endpoint/project) come from, in
+ * order: the URL's `?token=` when you paste a dashboard link, OPICE_READ_TOKEN,
+ * or OPICE_READ_DSN (the self-contained `https://<readKey>@host/slug` the
+ * dashboard hands out at project creation).
  */
 
 import { loadConfig } from '../config'
@@ -144,9 +146,12 @@ function absoluteScreenshot(relativeOrAbsolute: string, target: Target): string
 }
 
 async function resolveTarget(ref: string): Promise<Target | null> {
+	const readDsn = parseOpiceDsn(process.env['OPICE_READ_DSN'])
+	const envToken = process.env['OPICE_READ_TOKEN'] ?? readDsn?.apiKey ?? undefined
+
 	if (/^https?:\/\//.test(ref)) {
 		const url = new URL(ref)
-		const token = url.searchParams.get('token') ?? process.env['OPICE_READ_TOKEN'] ?? undefined
+		const token = url.searchParams.get('token') ?? envToken
 		const match = url.pathname.match(/\/p\/([^/]+)\/r\/([^/]+)/)
 		if (match) {
 			return { endpoint: url.origin, runId: decodeURIComponent(match[2]!), token, slug: decodeURIComponent(match[1]!) }
@@ -158,11 +163,11 @@ async function resolveTarget(ref: string): Promise<Target | null> {
 		return null
 	}
 
-	// Bare run id — endpoint from config/env/DSN, token from env.
+	// Bare run id — endpoint from config/env/DSN, token from env/read DSN.
 	const config = await loadConfig()
-	const endpoint = process.env['OPICE_ENDPOINT'] ?? config?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
+	const endpoint = process.env['OPICE_ENDPOINT'] ?? config?.endpoint ?? readDsn?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
 	if (!endpoint) return null
-	return { endpoint, runId: ref, token: process.env['OPICE_READ_TOKEN'] ?? undefined }
+	return { endpoint, runId: ref, token: envToken }
 }
 
 async function rpc<T>(target: Target, method: string, input: unknown): Promise<T> {

package/src/commands/tokens.ts

@@ -0,0 +1,201 @@
+/**
+ * `opice tokens <create|list|revoke>` — manage API tokens from the terminal.
+ *
+ * Like `opice users create`, these are operator actions: they call the
+ * `admin.*` RPCs with the bootstrap admin token as a Bearer credential
+ * (--admin-token or OPICE_ADMIN_TOKEN) against the platform endpoint
+ * (--endpoint, OPICE_ENDPOINT, or opice.config.json).
+ *
+ * `create` is the headless counterpart to the dashboard's "new project" read
+ * key: mint a project-scoped read token and it prints a ready-to-paste
+ * `OPICE_READ_DSN` an authoring agent can drop into `.env` to read results.
+ */
+
+import { loadConfig } from '../config'
+import { parseOpiceDsn } from '../dsn'
+
+interface CommonFlags {
+	endpoint?: string
+	adminToken?: string
+}
+
+interface CreateFlags extends CommonFlags {
+	project?: string
+	capability: 'read' | 'write'
+	label?: string
+	expiresInDays?: number
+}
+
+interface TokenSummary {
+	id: string
+	capability: 'read' | 'write' | 'admin'
+	projectSlug: string | null
+	runId: string | null
+	label: string | null
+	createdAt: number
+	expiresAt: number | null
+	lastUsedAt: number | null
+}
+
+const USAGE = `Usage:
+  opice tokens create [--project=SLUG] [--capability=read|write] [--label=...] [--expires-days=N] [--endpoint=URL] [--admin-token=TOKEN]
+  opice tokens list [--project=SLUG] [--endpoint=URL] [--admin-token=TOKEN]
+  opice tokens revoke <token-id> [--endpoint=URL] [--admin-token=TOKEN]`
+
+export async function tokensCommand(args: string[]): Promise<number> {
+	const [sub, ...rest] = args
+	switch (sub) {
+		case 'create':
+			return createToken(rest)
+		case 'list':
+			return listTokens(rest)
+		case 'revoke':
+			return revokeToken(rest)
+		default:
+			console.error(USAGE)
+			return 1
+	}
+}
+
+async function createToken(args: string[]): Promise<number> {
+	const flags = parseCreateFlags(args)
+	const target = await resolveTarget(flags)
+	if (!target) return 1
+
+	if (!flags.project && flags.capability !== 'read') {
+		console.error('A global (project-less) token must be read-only. Pass --project=SLUG for a write token.')
+		return 1
+	}
+
+	const result = await rpc<{ id: string; token: string; expiresAt: number | null }>(target, 'admin.createToken', {
+		...(flags.project ? { projectSlug: flags.project } : {}),
+		capability: flags.capability,
+		...(flags.label ? { label: flags.label } : {}),
+		...(flags.expiresInDays != null ? { expiresInDays: flags.expiresInDays } : {}),
+	})
+	if (!result) return 1
+
+	console.log(`✓ Created ${flags.capability} token ${result.id}`)
+	console.log(`  token: ${result.token}`)
+	if (result.expiresAt != null) console.log(`  expires: ${new Date(result.expiresAt).toISOString()}`)
+	if (flags.project) {
+		const host = new URL(target.endpoint).host
+		const envVar = flags.capability === 'read' ? 'OPICE_READ_DSN' : 'OPICE_DSN'
+		console.log('')
+		console.log(`  ${envVar}=https://${result.token}@${host}/${flags.project}`)
+	}
+	console.log('  (shown once — store it now; only its hash is kept)')
+	return 0
+}
+
+async function listTokens(args: string[]): Promise<number> {
+	const flags = parseCommonFlags(args)
+	const project = flags['project']
+	const target = await resolveTarget(flags)
+	if (!target) return 1
+
+	const tokens = await rpc<TokenSummary[]>(target, 'admin.listTokens', project ? { projectSlug: project } : {})
+	if (!tokens) return 1
+
+	if (tokens.length === 0) {
+		console.log('No tokens.')
+		return 0
+	}
+	for (const t of tokens) {
+		const scope = t.runId ? `run ${t.runId}` : (t.projectSlug ?? 'all projects')
+		const meta = [
+			t.label ?? '(no label)',
+			t.capability,
+			scope,
+			t.expiresAt ? `expires ${new Date(t.expiresAt).toISOString().slice(0, 10)}` : 'no expiry',
+			t.lastUsedAt ? `used ${new Date(t.lastUsedAt).toISOString().slice(0, 10)}` : 'never used',
+		].join(' · ')
+		console.log(`${t.id}  ${meta}`)
+	}
+	return 0
+}
+
+async function revokeToken(args: string[]): Promise<number> {
+	const positional = args.filter((a) => !a.startsWith('--'))
+	const tokenId = positional[0]
+	if (!tokenId) {
+		console.error('Usage: opice tokens revoke <token-id> [--endpoint=URL] [--admin-token=TOKEN]')
+		return 1
+	}
+	const flags = parseCommonFlags(args)
+	const target = await resolveTarget(flags)
+	if (!target) return 1
+
+	const result = await rpc<{ revoked: boolean }>(target, 'admin.revokeToken', { tokenId })
+	if (!result) return 1
+	console.log(result.revoked ? `✓ Revoked ${tokenId}` : `Token not found or already revoked: ${tokenId}`)
+	return 0
+}
+
+interface Target {
+	endpoint: string
+	adminToken: string
+}
+
+async function resolveTarget(flags: CommonFlags | Record<string, string | undefined>): Promise<Target | null> {
+	const endpoint =
+		flags['endpoint'] ?? process.env['OPICE_ENDPOINT'] ?? (await loadConfig())?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
+	if (!endpoint) {
+		console.error('Could not determine the platform endpoint. Pass --endpoint=URL, set OPICE_ENDPOINT, or run from a project with opice.config.json.')
+		return null
+	}
+	const adminToken = flags['adminToken'] ?? process.env['OPICE_ADMIN_TOKEN']
+	if (!adminToken) {
+		console.error('Missing admin token. Pass --admin-token=TOKEN or set OPICE_ADMIN_TOKEN.')
+		return null
+	}
+	return { endpoint: endpoint.replace(/\/$/, ''), adminToken }
+}
+
+async function rpc<T>(target: Target, method: string, input: unknown): Promise<T | null> {
+	let response: Response
+	try {
+		response = await fetch(`${target.endpoint}/rpc`, {
+			method: 'POST',
+			headers: { 'content-type': 'application/json', authorization: `Bearer ${target.adminToken}` },
+			body: JSON.stringify({ method, input }),
+		})
+	} catch (err) {
+		console.error(`[opice] request failed: ${(err as Error).message}`)
+		return null
+	}
+	const data = (await response.json().catch(() => null)) as { result?: T; error?: { message?: string } } | null
+	if (!response.ok || !data || data.error || data.result === undefined) {
+		const message = data?.error?.message ?? `${response.status} ${response.statusText}`
+		console.error(`[opice] ${method} failed: ${message}`)
+		return null
+	}
+	return data.result as T
+}
+
+function parseCreateFlags(args: string[]): CreateFlags {
+	const flags: CreateFlags = { capability: 'read' }
+	for (const arg of args) {
+		if (arg.startsWith('--project=')) flags.project = arg.slice('--project='.length)
+		else if (arg.startsWith('--capability=')) {
+			const v = arg.slice('--capability='.length)
+			if (v === 'read' || v === 'write') flags.capability = v
+		} else if (arg.startsWith('--label=')) flags.label = arg.slice('--label='.length)
+		else if (arg.startsWith('--expires-days=')) {
+			const n = Number(arg.slice('--expires-days='.length))
+			if (Number.isFinite(n)) flags.expiresInDays = n
+		} else if (arg.startsWith('--endpoint=')) flags.endpoint = arg.slice('--endpoint='.length)
+		else if (arg.startsWith('--admin-token=')) flags.adminToken = arg.slice('--admin-token='.length)
+	}
+	return flags
+}
+
+function parseCommonFlags(args: string[]): Record<string, string | undefined> {
+	const flags: Record<string, string | undefined> = {}
+	for (const arg of args) {
+		if (arg.startsWith('--project=')) flags['project'] = arg.slice('--project='.length)
+		else if (arg.startsWith('--endpoint=')) flags['endpoint'] = arg.slice('--endpoint='.length)
+		else if (arg.startsWith('--admin-token=')) flags['adminToken'] = arg.slice('--admin-token='.length)
+	}
+	return flags
+}