@opice/cli 0.6.0 → 0.7.0

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@opice/cli",
-	"version": "0.6.0",
+	"version": "0.7.0",
 	"description": "CLI for opice — scaffolds projects and wraps `bun test` to stream E2E results to the reporting platform",
 	"type": "module",
 	"bin": {

package/src/cli.ts

@@ -3,8 +3,6 @@ import { failuresCommand } from './commands/failures'
 import { initCommand } from './commands/init'
 import { installSkillsCommand } from './commands/install-skills'
 import { testCommand } from './commands/test'
-import { tokensCommand } from './commands/tokens'
-import { usersCommand } from './commands/users'
 
 const HELP = `opice — AI-driven E2E browser test harness
 
@@ -15,7 +13,7 @@ Commands:
       Scaffold opice.config.json in the current project. Pass
       --with-workflow to also drop a .github/workflows/opice.yml.
 
-  test [--retries=N] [bun test args...]
+  test [--retries=N] [--tier=NAME] [bun test args...]
       Wrapper around 'bun test' that exports OPICE_* env vars from
       opice.config.json + git so the harness reporter streams results
       to the platform. All trailing args pass through to bun test.
@@ -23,6 +21,11 @@ Commands:
       flaky scenario that fails then passes is reported as flaky, not
       failed). Falls back to "retries" in opice.config.json; a
       per-scenario walkthrough/meta retries overrides both.
+      --tier=NAME runs a test tier (critical < standard < extended);
+      selection is a threshold, so --tier=standard runs critical +
+      standard. Scenarios above it are reported "skipped", not run.
+      Falls back to OPICE_TIER, then "tier" in opice.config.json;
+      omit to run everything.
 
   failures <run-url|run-id> [--json]
       Pull a failed run's details (failed scenarios, the failing step,
@@ -30,21 +33,6 @@ Commands:
       Read token comes from the URL's ?token=, OPICE_READ_TOKEN, or
       OPICE_READ_DSN (a read-only project credential).
 
-  tokens create [--project=SLUG] [--capability=read|write] [--label=...] [--expires-days=N]
-  tokens list [--project=SLUG]
-  tokens revoke <token-id>
-      Manage API tokens. Needs the admin token (--admin-token or
-      OPICE_ADMIN_TOKEN) and the platform endpoint (--endpoint,
-      OPICE_ENDPOINT, or opice.config.json). 'create' defaults to a
-      project-scoped read token and prints a ready OPICE_READ_DSN an
-      authoring agent can drop into .env to read results.
-
-  users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]
-      Create a dashboard login (admin role by default). Needs the bootstrap
-      admin token (--admin-token or OPICE_ADMIN_TOKEN) and the platform endpoint
-      (--endpoint, OPICE_ENDPOINT, or opice.config.json). A password is
-      generated and printed if you don't pass one.
-
   install-skills [--global] [--ref=BRANCH]
       Install opice's Claude Code skills + author agent into this project's
       .claude/ (or ~/.claude with --global), fetched from GitHub. Restart
@@ -63,10 +51,6 @@ async function main(argv: string[]): Promise<number> {
 			return testCommand(rest)
 		case 'failures':
 			return failuresCommand(rest)
-		case 'users':
-			return usersCommand(rest)
-		case 'tokens':
-			return tokensCommand(rest)
 		case 'install-skills':
 			return installSkillsCommand(rest)
 		case 'help':

package/src/commands/failures.ts

@@ -171,7 +171,7 @@ async function resolveTarget(ref: string): Promise<Target | null> {
 }
 
 async function rpc<T>(target: Target, method: string, input: unknown): Promise<T> {
-	const url = `${target.endpoint}/rpc${target.token ? `?token=${target.token}` : ''}`
+	const url = `${target.endpoint}/s/rpc${target.token ? `?token=${target.token}` : ''}`
 	const response = await fetch(url, {
 		method: 'POST',
 		headers: { 'content-type': 'application/json' },

package/src/commands/init.ts

@@ -52,10 +52,16 @@ async function writeWorkflow(cwd: string): Promise<string> {
 
 const WORKFLOW_TEMPLATE = `name: opice browser tests
 
+# Tiered runs: a push runs only the critical core (fast gate), a PR runs the
+# standard suite, and the nightly schedule (or a manual dispatch) runs
+# everything. Scenarios above the selected tier are reported "skipped" on the
+# dashboard, not silently dropped. Tune the triggers + tiers to taste.
 on:
   push:
-    branches: [main]
   pull_request:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
 
 jobs:
   e2e:
@@ -77,7 +83,7 @@ jobs:
             sleep 1
           done
       - name: Run opice browser tests
-        run: bunx opice test tests/browser/
+        run: bunx opice test tests/browser/ --tier "\${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'extended' || github.event_name == 'pull_request' && 'standard' || 'critical' }}"
         env:
           OPICE_DSN: \${{ secrets.OPICE_DSN }}
           PLAYGROUND_URL: http://localhost:5173

package/src/commands/test.ts

@@ -10,6 +10,8 @@ const HANDOFF_DIR = path.join(tmpdir(), 'opice-handoffs')
 
 interface Handoff {
 	endpoint: string
+	/** Project slug — used to build the /api/v1/<project>/runs/<id>/finish URL. */
+	project: string
 	apiKey: string
 	runId: string
 }
@@ -31,6 +33,13 @@ export async function testCommand(args: string[]): Promise<number> {
 		warn('OPICE_API_KEY not set. Tests will run without reporting.')
 	}
 
+	// `--tier=NAME` selects which test tier runs (critical < standard < extended).
+	// CLI flag wins over OPICE_TIER, which wins over opice.config.json's `tier`.
+	// The harness reads OPICE_TIER and skips (and reports as `skipped`) any
+	// scenario above the selected tier.
+	const { tier, rest: afterTier } = extractTier(args)
+	const resolvedTier = tier ?? process.env['OPICE_TIER'] ?? config?.tier
+
 	const git = detectGitMeta()
 	const env: NodeJS.ProcessEnv = {
 		...process.env,
@@ -41,12 +50,13 @@ export async function testCommand(args: string[]): Promise<number> {
 		...(apiKey ? { OPICE_API_KEY: apiKey } : {}),
 		...(git.branch ? { OPICE_BRANCH: git.branch } : {}),
 		...(git.commit ? { OPICE_COMMIT: git.commit } : {}),
+		...(resolvedTier ? { OPICE_TIER: resolvedTier } : {}),
 	}
 
 	// `--retries=N` (opice's spelling) → bun's `--retry=N`, the global default
 	// retry budget for every scenario. CLI flag wins over opice.config.json's
 	// `retries`. A per-scenario `walkthrough`/meta `retries` overrides both.
-	const { retries, rest } = extractRetries(args)
+	const { retries, rest } = extractRetries(afterTier)
 	const resolvedRetries = retries ?? config?.retries
 	const bunArgs = ['test', ...rest]
 	// Don't clobber an explicit `--retry` the caller passed through to bun.
@@ -94,6 +104,33 @@ function extractRetries(args: string[]): { retries: number | undefined; rest: st
 	return { retries, rest }
 }
 
+/**
+ * Pull opice's `--tier=NAME` / `--tier NAME` out of the arg list (it's an opice
+ * concept, not a bun flag) and return the selected tier plus the remaining args.
+ * The value is passed straight through to the harness via OPICE_TIER, which
+ * validates it — so an unrecognized value isn't rejected here.
+ */
+function extractTier(args: string[]): { tier: string | undefined; rest: string[] } {
+	const rest: string[] = []
+	let tier: string | undefined
+	for (let i = 0; i < args.length; i++) {
+		const arg = args[i]
+		if (arg === undefined) continue
+		if (arg.startsWith('--tier=')) {
+			tier = arg.slice('--tier='.length)
+		} else if (arg === '--tier') {
+			const next = args[i + 1]
+			if (next !== undefined) {
+				tier = next
+				i++ // consume the value
+			}
+		} else {
+			rest.push(arg)
+		}
+	}
+	return { tier, rest }
+}
+
 async function finalizeHandoffs(childPid: number | undefined, slug: string | undefined): Promise<void> {
 	let files: string[]
 	try {
@@ -124,7 +161,7 @@ function printRunUrl(handoff: Handoff, slug: string | undefined): void {
 }
 
 async function finishRun(handoff: Handoff): Promise<void> {
-	const url = `${handoff.endpoint}/api/v1/runs/${handoff.runId}/finish`
+	const url = `${handoff.endpoint}/api/v1/${handoff.project}/runs/${handoff.runId}/finish`
 	const response = await fetch(url, {
 		method: 'POST',
 		headers: { authorization: `Bearer ${handoff.apiKey}` },

package/src/config.ts

@@ -11,6 +11,13 @@ export interface OpiceConfig {
 	 * the command line, and by a per-scenario `walkthrough`/meta `retries`.
 	 */
 	retries?: number
+	/**
+	 * Default test tier to run (`critical` < `standard` < `extended`). Selection
+	 * is a threshold — `standard` runs critical + standard. Overridden by `opice
+	 * test --tier=NAME` and the `OPICE_TIER` env var. Omitted ⇒ run everything.
+	 * Scenarios above the selected tier are reported `skipped`, not run.
+	 */
+	tier?: 'critical' | 'standard' | 'extended'
 }
 
 const CONFIG_NAME = 'opice.config.json'

package/src/commands/tokens.ts

@@ -1,201 +0,0 @@
-/**
- * `opice tokens <create|list|revoke>` — manage API tokens from the terminal.
- *
- * Like `opice users create`, these are operator actions: they call the
- * `admin.*` RPCs with the bootstrap admin token as a Bearer credential
- * (--admin-token or OPICE_ADMIN_TOKEN) against the platform endpoint
- * (--endpoint, OPICE_ENDPOINT, or opice.config.json).
- *
- * `create` is the headless counterpart to the dashboard's "new project" read
- * key: mint a project-scoped read token and it prints a ready-to-paste
- * `OPICE_READ_DSN` an authoring agent can drop into `.env` to read results.
- */
-
-import { loadConfig } from '../config'
-import { parseOpiceDsn } from '../dsn'
-
-interface CommonFlags {
-	endpoint?: string
-	adminToken?: string
-}
-
-interface CreateFlags extends CommonFlags {
-	project?: string
-	capability: 'read' | 'write'
-	label?: string
-	expiresInDays?: number
-}
-
-interface TokenSummary {
-	id: string
-	capability: 'read' | 'write' | 'admin'
-	projectSlug: string | null
-	runId: string | null
-	label: string | null
-	createdAt: number
-	expiresAt: number | null
-	lastUsedAt: number | null
-}
-
-const USAGE = `Usage:
-  opice tokens create [--project=SLUG] [--capability=read|write] [--label=...] [--expires-days=N] [--endpoint=URL] [--admin-token=TOKEN]
-  opice tokens list [--project=SLUG] [--endpoint=URL] [--admin-token=TOKEN]
-  opice tokens revoke <token-id> [--endpoint=URL] [--admin-token=TOKEN]`
-
-export async function tokensCommand(args: string[]): Promise<number> {
-	const [sub, ...rest] = args
-	switch (sub) {
-		case 'create':
-			return createToken(rest)
-		case 'list':
-			return listTokens(rest)
-		case 'revoke':
-			return revokeToken(rest)
-		default:
-			console.error(USAGE)
-			return 1
-	}
-}
-
-async function createToken(args: string[]): Promise<number> {
-	const flags = parseCreateFlags(args)
-	const target = await resolveTarget(flags)
-	if (!target) return 1
-
-	if (!flags.project && flags.capability !== 'read') {
-		console.error('A global (project-less) token must be read-only. Pass --project=SLUG for a write token.')
-		return 1
-	}
-
-	const result = await rpc<{ id: string; token: string; expiresAt: number | null }>(target, 'admin.createToken', {
-		...(flags.project ? { projectSlug: flags.project } : {}),
-		capability: flags.capability,
-		...(flags.label ? { label: flags.label } : {}),
-		...(flags.expiresInDays != null ? { expiresInDays: flags.expiresInDays } : {}),
-	})
-	if (!result) return 1
-
-	console.log(`✓ Created ${flags.capability} token ${result.id}`)
-	console.log(`  token: ${result.token}`)
-	if (result.expiresAt != null) console.log(`  expires: ${new Date(result.expiresAt).toISOString()}`)
-	if (flags.project) {
-		const host = new URL(target.endpoint).host
-		const envVar = flags.capability === 'read' ? 'OPICE_READ_DSN' : 'OPICE_DSN'
-		console.log('')
-		console.log(`  ${envVar}=https://${result.token}@${host}/${flags.project}`)
-	}
-	console.log('  (shown once — store it now; only its hash is kept)')
-	return 0
-}
-
-async function listTokens(args: string[]): Promise<number> {
-	const flags = parseCommonFlags(args)
-	const project = flags['project']
-	const target = await resolveTarget(flags)
-	if (!target) return 1
-
-	const tokens = await rpc<TokenSummary[]>(target, 'admin.listTokens', project ? { projectSlug: project } : {})
-	if (!tokens) return 1
-
-	if (tokens.length === 0) {
-		console.log('No tokens.')
-		return 0
-	}
-	for (const t of tokens) {
-		const scope = t.runId ? `run ${t.runId}` : (t.projectSlug ?? 'all projects')
-		const meta = [
-			t.label ?? '(no label)',
-			t.capability,
-			scope,
-			t.expiresAt ? `expires ${new Date(t.expiresAt).toISOString().slice(0, 10)}` : 'no expiry',
-			t.lastUsedAt ? `used ${new Date(t.lastUsedAt).toISOString().slice(0, 10)}` : 'never used',
-		].join(' · ')
-		console.log(`${t.id}  ${meta}`)
-	}
-	return 0
-}
-
-async function revokeToken(args: string[]): Promise<number> {
-	const positional = args.filter((a) => !a.startsWith('--'))
-	const tokenId = positional[0]
-	if (!tokenId) {
-		console.error('Usage: opice tokens revoke <token-id> [--endpoint=URL] [--admin-token=TOKEN]')
-		return 1
-	}
-	const flags = parseCommonFlags(args)
-	const target = await resolveTarget(flags)
-	if (!target) return 1
-
-	const result = await rpc<{ revoked: boolean }>(target, 'admin.revokeToken', { tokenId })
-	if (!result) return 1
-	console.log(result.revoked ? `✓ Revoked ${tokenId}` : `Token not found or already revoked: ${tokenId}`)
-	return 0
-}
-
-interface Target {
-	endpoint: string
-	adminToken: string
-}
-
-async function resolveTarget(flags: CommonFlags | Record<string, string | undefined>): Promise<Target | null> {
-	const endpoint =
-		flags['endpoint'] ?? process.env['OPICE_ENDPOINT'] ?? (await loadConfig())?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
-	if (!endpoint) {
-		console.error('Could not determine the platform endpoint. Pass --endpoint=URL, set OPICE_ENDPOINT, or run from a project with opice.config.json.')
-		return null
-	}
-	const adminToken = flags['adminToken'] ?? process.env['OPICE_ADMIN_TOKEN']
-	if (!adminToken) {
-		console.error('Missing admin token. Pass --admin-token=TOKEN or set OPICE_ADMIN_TOKEN.')
-		return null
-	}
-	return { endpoint: endpoint.replace(/\/$/, ''), adminToken }
-}
-
-async function rpc<T>(target: Target, method: string, input: unknown): Promise<T | null> {
-	let response: Response
-	try {
-		response = await fetch(`${target.endpoint}/rpc`, {
-			method: 'POST',
-			headers: { 'content-type': 'application/json', authorization: `Bearer ${target.adminToken}` },
-			body: JSON.stringify({ method, input }),
-		})
-	} catch (err) {
-		console.error(`[opice] request failed: ${(err as Error).message}`)
-		return null
-	}
-	const data = (await response.json().catch(() => null)) as { result?: T; error?: { message?: string } } | null
-	if (!response.ok || !data || data.error || data.result === undefined) {
-		const message = data?.error?.message ?? `${response.status} ${response.statusText}`
-		console.error(`[opice] ${method} failed: ${message}`)
-		return null
-	}
-	return data.result as T
-}
-
-function parseCreateFlags(args: string[]): CreateFlags {
-	const flags: CreateFlags = { capability: 'read' }
-	for (const arg of args) {
-		if (arg.startsWith('--project=')) flags.project = arg.slice('--project='.length)
-		else if (arg.startsWith('--capability=')) {
-			const v = arg.slice('--capability='.length)
-			if (v === 'read' || v === 'write') flags.capability = v
-		} else if (arg.startsWith('--label=')) flags.label = arg.slice('--label='.length)
-		else if (arg.startsWith('--expires-days=')) {
-			const n = Number(arg.slice('--expires-days='.length))
-			if (Number.isFinite(n)) flags.expiresInDays = n
-		} else if (arg.startsWith('--endpoint=')) flags.endpoint = arg.slice('--endpoint='.length)
-		else if (arg.startsWith('--admin-token=')) flags.adminToken = arg.slice('--admin-token='.length)
-	}
-	return flags
-}
-
-function parseCommonFlags(args: string[]): Record<string, string | undefined> {
-	const flags: Record<string, string | undefined> = {}
-	for (const arg of args) {
-		if (arg.startsWith('--project=')) flags['project'] = arg.slice('--project='.length)
-		else if (arg.startsWith('--endpoint=')) flags['endpoint'] = arg.slice('--endpoint='.length)
-		else if (arg.startsWith('--admin-token=')) flags['adminToken'] = arg.slice('--admin-token='.length)
-	}
-	return flags
-}

package/src/commands/users.ts

@@ -1,101 +0,0 @@
-/**
- * `opice users create <email>` — create a dashboard login.
- *
- * Self-service signup is disabled on the platform; this is the sanctioned way
- * to mint an account. It calls the `admin.createUser` RPC with the bootstrap
- * admin token as a Bearer credential (--admin-token or OPICE_ADMIN_TOKEN) and
- * the platform endpoint (--endpoint, OPICE_ENDPOINT, or opice.config.json).
- * Accounts are created with the `admin` role by default.
- *
- * If no password is given one is generated and printed once.
- */
-
-import { loadConfig } from '../config'
-import { parseOpiceDsn } from '../dsn'
-
-interface CreateUserFlags {
-	email?: string
-	password?: string
-	name?: string
-	endpoint?: string
-	adminToken?: string
-}
-
-export async function usersCommand(args: string[]): Promise<number> {
-	const [sub, ...rest] = args
-	if (sub !== 'create') {
-		console.error('Usage: opice users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]')
-		return 1
-	}
-
-	const flags = parseFlags(rest)
-	if (!flags.email) {
-		console.error('Usage: opice users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]')
-		return 1
-	}
-
-	const endpoint = flags.endpoint ?? process.env['OPICE_ENDPOINT'] ?? (await loadConfig())?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
-	if (!endpoint) {
-		console.error('Could not determine the platform endpoint. Pass --endpoint=URL, set OPICE_ENDPOINT, or run from a project with opice.config.json.')
-		return 1
-	}
-
-	const adminToken = flags.adminToken ?? process.env['OPICE_ADMIN_TOKEN']
-	if (!adminToken) {
-		console.error('Missing admin token. Pass --admin-token=TOKEN or set OPICE_ADMIN_TOKEN.')
-		return 1
-	}
-
-	const generated = !flags.password
-	const password = flags.password ?? generatePassword()
-
-	let response: Response
-	try {
-		response = await fetch(`${endpoint.replace(/\/$/, '')}/rpc`, {
-			method: 'POST',
-			headers: { 'content-type': 'application/json', authorization: `Bearer ${adminToken}` },
-			body: JSON.stringify({
-				method: 'admin.createUser',
-				input: { email: flags.email, password, ...(flags.name ? { name: flags.name } : {}) },
-			}),
-		})
-	} catch (err) {
-		console.error(`[opice] request failed: ${(err as Error).message}`)
-		return 1
-	}
-
-	const data = (await response.json().catch(() => null)) as
-		| { result?: { email?: string }; error?: { message?: string } }
-		| null
-	if (!response.ok || !data || data.error || !data.result) {
-		const message = data?.error?.message ?? `${response.status} ${response.statusText}`
-		console.error(`[opice] could not create user: ${message}`)
-		return 1
-	}
-
-	console.log(`✓ Created user ${data.result.email ?? flags.email}`)
-	if (generated) {
-		console.log(`  password: ${password}`)
-		console.log('  (shown once — store it in your password manager now)')
-	}
-	return 0
-}
-
-function parseFlags(args: string[]): CreateUserFlags {
-	const flags: CreateUserFlags = {}
-	for (const arg of args) {
-		if (arg.startsWith('--password=')) flags.password = arg.slice('--password='.length)
-		else if (arg.startsWith('--name=')) flags.name = arg.slice('--name='.length)
-		else if (arg.startsWith('--endpoint=')) flags.endpoint = arg.slice('--endpoint='.length)
-		else if (arg.startsWith('--admin-token=')) flags.adminToken = arg.slice('--admin-token='.length)
-		else if (!arg.startsWith('--') && !flags.email) flags.email = arg
-	}
-	return flags
-}
-
-/** A 20-char base64url password — comfortably over the 10-char server minimum. */
-function generatePassword(): string {
-	const bytes = new Uint8Array(15)
-	crypto.getRandomValues(bytes)
-	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
-}