@opice/cli 0.6.1 → 0.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@opice/cli",
-	"version": "0.6.1",
+	"version": "0.8.0",
 	"description": "CLI for opice — scaffolds projects and wraps `bun test` to stream E2E results to the reporting platform",
 	"type": "module",
 	"bin": {

package/src/cli.ts

@@ -3,8 +3,6 @@ import { failuresCommand } from './commands/failures'
 import { initCommand } from './commands/init'
 import { installSkillsCommand } from './commands/install-skills'
 import { testCommand } from './commands/test'
-import { tokensCommand } from './commands/tokens'
-import { usersCommand } from './commands/users'
 
 const HELP = `opice — AI-driven E2E browser test harness
 
@@ -15,7 +13,7 @@ Commands:
       Scaffold opice.config.json in the current project. Pass
       --with-workflow to also drop a .github/workflows/opice.yml.
 
-  test [--retries=N] [bun test args...]
+  test [--retries=N] [--tier=NAME] [--fail-on-report-error] [bun test args...]
       Wrapper around 'bun test' that exports OPICE_* env vars from
       opice.config.json + git so the harness reporter streams results
       to the platform. All trailing args pass through to bun test.
@@ -23,6 +21,16 @@ Commands:
       flaky scenario that fails then passes is reported as flaky, not
       failed). Falls back to "retries" in opice.config.json; a
       per-scenario walkthrough/meta retries overrides both.
+      --tier=NAME runs a test tier (critical < standard < extended);
+      selection is a threshold, so --tier=standard runs critical +
+      standard. Scenarios above it are reported "skipped", not run.
+      Falls back to OPICE_TIER, then "tier" in opice.config.json;
+      omit to run everything.
+      --fail-on-report-error exits non-zero if reporting to the platform
+      fails (default: reporting is best-effort and never reddens CI).
+      Use it so a bad token / unreachable endpoint can't leave CI green
+      while nothing reaches the dashboard. Falls back to
+      OPICE_REPORT_STRICT, then "failOnReportError" in opice.config.json.
 
   failures <run-url|run-id> [--json]
       Pull a failed run's details (failed scenarios, the failing step,
@@ -30,21 +38,6 @@ Commands:
       Read token comes from the URL's ?token=, OPICE_READ_TOKEN, or
       OPICE_READ_DSN (a read-only project credential).
 
-  tokens create [--project=SLUG] [--capability=read|write] [--label=...] [--expires-days=N]
-  tokens list [--project=SLUG]
-  tokens revoke <token-id>
-      Manage API tokens. Needs the admin token (--admin-token or
-      OPICE_ADMIN_TOKEN) and the platform endpoint (--endpoint,
-      OPICE_ENDPOINT, or opice.config.json). 'create' defaults to a
-      project-scoped read token and prints a ready OPICE_READ_DSN an
-      authoring agent can drop into .env to read results.
-
-  users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]
-      Create a dashboard login (admin role by default). Needs the bootstrap
-      admin token (--admin-token or OPICE_ADMIN_TOKEN) and the platform endpoint
-      (--endpoint, OPICE_ENDPOINT, or opice.config.json). A password is
-      generated and printed if you don't pass one.
-
   install-skills [--global] [--ref=BRANCH]
       Install opice's Claude Code skills + author agent into this project's
       .claude/ (or ~/.claude with --global), fetched from GitHub. Restart
@@ -63,10 +56,6 @@ async function main(argv: string[]): Promise<number> {
 			return testCommand(rest)
 		case 'failures':
 			return failuresCommand(rest)
-		case 'users':
-			return usersCommand(rest)
-		case 'tokens':
-			return tokensCommand(rest)
 		case 'install-skills':
 			return installSkillsCommand(rest)
 		case 'help':

package/src/commands/failures.ts

@@ -5,10 +5,11 @@
  * source test file that produced them (the test is the spec — each step
  * carries its `intent`, so there's no separate scenario file).
  *
- * Reads are token-gated. The read token (and endpoint/project) come from, in
- * order: the URL's `?token=` when you paste a dashboard link, OPICE_READ_TOKEN,
- * or OPICE_READ_DSN (the self-contained `https://<readKey>@host/slug` the
- * dashboard hands out at project creation).
+ * Two read modes:
+ *   - SERVICE TOKEN (OPICE_READ_DSN): a propustka service-token principal → REST
+ *     GET /api/v1/<slug>/… with the CF-Access-Client-* headers.
+ *   - CAPABILITY SHARE: a pasted dashboard link's `?token=` (or OPICE_READ_TOKEN)
+ *     → the anonymous read RPC at /s/rpc.
  */
 
 import { loadConfig } from '../config'
@@ -45,10 +46,18 @@ interface Step {
 interface Target {
 	endpoint: string
 	runId: string
-	token: string | undefined
 	slug?: string
+	// Exactly one auth mode: a pasted share link / OPICE_READ_TOKEN is a capability on /s/rpc;
+	// OPICE_READ_DSN is a service token (CF-Access-Client-*) on /api/v1.
+	shareToken?: string
+	service?: { clientId: string; clientSecret: string }
 }
 
+type ReadOp =
+	| { kind: 'run'; runId: string }
+	| { kind: 'scenarios'; runId: string }
+	| { kind: 'steps'; scenarioId: string }
+
 export async function failuresCommand(args: string[]): Promise<number> {
 	const asJson = args.includes('--json')
 	const positional = args.filter((a) => !a.startsWith('--'))
@@ -67,8 +76,8 @@ export async function failuresCommand(args: string[]): Promise<number> {
 	let run: Run
 	let scenarios: Scenario[]
 	try {
-		run = await rpc<Run>(target, 'runs.get', { runId: target.runId })
-		scenarios = await rpc<Scenario[]>(target, 'runs.scenarios', { runId: target.runId })
+		run = await read<Run>(target, { kind: 'run', runId: target.runId })
+		scenarios = await read<Scenario[]>(target, { kind: 'scenarios', runId: target.runId })
 	} catch (err) {
 		console.error(`[opice] ${(err as Error).message}`)
 		return 1
@@ -78,7 +87,7 @@ export async function failuresCommand(args: string[]): Promise<number> {
 	const detailed = await Promise.all(
 		failed.map(async (s) => ({
 			scenario: s,
-			steps: await rpc<Step[]>(target, 'scenarios.steps', { scenarioId: s.id }).catch(() => [] as Step[]),
+			steps: await read<Step[]>(target, { kind: 'steps', scenarioId: s.id }).catch(() => [] as Step[]),
 		})),
 	)
 
@@ -141,37 +150,68 @@ function printDigest(run: Run, detailed: { scenario: Scenario; steps: Step[] }[]
 
 function absoluteScreenshot(relativeOrAbsolute: string, target: Target): string {
 	const base = relativeOrAbsolute.startsWith('http') ? relativeOrAbsolute : `${target.endpoint}${relativeOrAbsolute}`
-	if (!target.token) return base
-	return `${base}${base.includes('?') ? '&' : '?'}token=${target.token}`
+	// A share link can carry its token in the URL; a service token needs headers, so leave it bare.
+	if (!target.shareToken) return base
+	return `${base}${base.includes('?') ? '&' : '?'}token=${target.shareToken}`
 }
 
 async function resolveTarget(ref: string): Promise<Target | null> {
 	const readDsn = parseOpiceDsn(process.env['OPICE_READ_DSN'])
-	const envToken = process.env['OPICE_READ_TOKEN'] ?? readDsn?.apiKey ?? undefined
+	const service = readDsn ? { clientId: readDsn.clientId, clientSecret: readDsn.clientSecret } : undefined
+	const envShareToken = process.env['OPICE_READ_TOKEN']
 
 	if (/^https?:\/\//.test(ref)) {
 		const url = new URL(ref)
-		const token = url.searchParams.get('token') ?? envToken
+		const urlToken = url.searchParams.get('token')
 		const match = url.pathname.match(/\/p\/([^/]+)\/r\/([^/]+)/)
-		if (match) {
-			return { endpoint: url.origin, runId: decodeURIComponent(match[2]!), token, slug: decodeURIComponent(match[1]!) }
-		}
-		// Fall back to the last path segment as the run id.
-		const segments = url.pathname.split('/').filter(Boolean)
-		const runId = segments[segments.length - 1]
-		if (runId) return { endpoint: url.origin, runId, token }
-		return null
+		const slug = match ? decodeURIComponent(match[1]!) : (process.env['OPICE_PROJECT'] ?? readDsn?.project)
+		const runId = match ? decodeURIComponent(match[2]!) : url.pathname.split('/').filter(Boolean).pop()
+		if (!runId) return null
+		// A pasted share link (?token=) or OPICE_READ_TOKEN → capability; otherwise the read DSN.
+		const shareToken = urlToken ?? envShareToken
+		if (shareToken) return { endpoint: url.origin, runId, slug, shareToken }
+		return { endpoint: url.origin, runId, slug, service }
 	}
 
-	// Bare run id — endpoint from config/env/DSN, token from env/read DSN.
+	// Bare run id — endpoint + slug from config/env/DSN, auth from the read DSN or OPICE_READ_TOKEN.
 	const config = await loadConfig()
 	const endpoint = process.env['OPICE_ENDPOINT'] ?? config?.endpoint ?? readDsn?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
 	if (!endpoint) return null
-	return { endpoint, runId: ref, token: envToken }
+	const slug = process.env['OPICE_PROJECT'] ?? config?.project ?? readDsn?.project
+	if (envShareToken) return { endpoint, runId: ref, slug, shareToken: envShareToken }
+	return { endpoint, runId: ref, slug, service }
 }
 
-async function rpc<T>(target: Target, method: string, input: unknown): Promise<T> {
-	const url = `${target.endpoint}/rpc${target.token ? `?token=${target.token}` : ''}`
+/**
+ * Read one resource, routed by the target's auth mode: a service token → REST GET on /api/v1
+ * (which needs the project slug); a capability share token → the /s/rpc read RPC.
+ */
+async function read<T>(target: Target, op: ReadOp): Promise<T> {
+	if (target.service) {
+		if (!target.slug) {
+			throw new Error('reading via OPICE_READ_DSN needs the project slug — paste a full run URL or set OPICE_PROJECT')
+		}
+		const path = op.kind === 'run'
+			? `runs/${op.runId}`
+			: op.kind === 'scenarios'
+				? `runs/${op.runId}/scenarios`
+				: `scenarios/${op.scenarioId}/steps`
+		const response = await fetch(`${target.endpoint}/api/v1/${target.slug}/${path}`, {
+			headers: {
+				'cf-access-client-id': target.service.clientId,
+				'cf-access-client-secret': target.service.clientSecret,
+			},
+		})
+		if (!response.ok) {
+			throw new Error(`${op.kind}: ${response.status} ${response.statusText}`)
+		}
+		return (await response.json()) as T
+	}
+
+	// Capability share → the anonymous read RPC.
+	const method = op.kind === 'run' ? 'runs.get' : op.kind === 'scenarios' ? 'runs.scenarios' : 'scenarios.steps'
+	const input = op.kind === 'steps' ? { scenarioId: op.scenarioId } : { runId: op.runId }
+	const url = `${target.endpoint}/s/rpc${target.shareToken ? `?token=${target.shareToken}` : ''}`
 	const response = await fetch(url, {
 		method: 'POST',
 		headers: { 'content-type': 'application/json' },

package/src/commands/init.ts

@@ -52,10 +52,16 @@ async function writeWorkflow(cwd: string): Promise<string> {
 
 const WORKFLOW_TEMPLATE = `name: opice browser tests
 
+# Tiered runs: a push runs only the critical core (fast gate), a PR runs the
+# standard suite, and the nightly schedule (or a manual dispatch) runs
+# everything. Scenarios above the selected tier are reported "skipped" on the
+# dashboard, not silently dropped. Tune the triggers + tiers to taste.
 on:
   push:
-    branches: [main]
   pull_request:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_dispatch:
 
 jobs:
   e2e:
@@ -77,7 +83,7 @@ jobs:
             sleep 1
           done
       - name: Run opice browser tests
-        run: bunx opice test tests/browser/
+        run: bunx opice test tests/browser/ --tier "\${{ (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && 'extended' || github.event_name == 'pull_request' && 'standard' || 'critical' }}"
         env:
           OPICE_DSN: \${{ secrets.OPICE_DSN }}
           PLAYGROUND_URL: http://localhost:5173

package/src/commands/test.ts

@@ -10,7 +10,11 @@ const HANDOFF_DIR = path.join(tmpdir(), 'opice-handoffs')
 
 interface Handoff {
 	endpoint: string
-	apiKey: string
+	/** Project slug — used to build the /api/v1/<project>/runs/<id>/finish URL. */
+	project: string
+	/** Service-token credentials for the CF-Access-Client-* headers on POST /finish. */
+	clientId: string
+	clientSecret: string
 	runId: string
 }
 
@@ -19,7 +23,8 @@ export async function testCommand(args: string[]): Promise<number> {
 	const dsn = parseOpiceDsn(process.env['OPICE_DSN'])
 	const project = process.env['OPICE_PROJECT'] ?? config?.project ?? dsn?.project
 	const endpoint = process.env['OPICE_ENDPOINT'] ?? config?.endpoint ?? dsn?.endpoint
-	const apiKey = process.env['OPICE_API_KEY'] ?? dsn?.apiKey
+	const clientId = process.env['OPICE_CLIENT_ID'] ?? dsn?.clientId
+	const clientSecret = process.env['OPICE_CLIENT_SECRET'] ?? dsn?.clientSecret
 
 	if (!project) {
 		warn('OPICE_PROJECT not set and no opice.config.json found. Run `opice init` or set the env var.')
@@ -27,26 +32,44 @@ export async function testCommand(args: string[]): Promise<number> {
 	if (!endpoint) {
 		warn('OPICE_ENDPOINT not set and no opice.config.json found. Tests will run without reporting.')
 	}
-	if (!apiKey) {
-		warn('OPICE_API_KEY not set. Tests will run without reporting.')
+	if (!clientId || !clientSecret) {
+		warn('OPICE_CLIENT_ID / OPICE_CLIENT_SECRET not set (the OPICE_DSN userinfo). Tests will run without reporting.')
 	}
 
+	// `--tier=NAME` selects which test tier runs (critical < standard < extended).
+	// CLI flag wins over OPICE_TIER, which wins over opice.config.json's `tier`.
+	// The harness reads OPICE_TIER and skips (and reports as `skipped`) any
+	// scenario above the selected tier.
+	const { tier, rest: afterTier } = extractTier(args)
+	const resolvedTier = tier ?? process.env['OPICE_TIER'] ?? config?.tier
+
+	// `--fail-on-report-error` turns a swallowed reporting failure into a non-zero
+	// exit (default is best-effort: reporting never reddens CI). CLI flag wins over
+	// OPICE_REPORT_STRICT, which wins over opice.config.json's `failOnReportError`.
+	// We propagate it to the harness via OPICE_REPORT_STRICT (it fails the run from
+	// a scenario's afterAll) AND honour it here for the POST /finish finalize.
+	const { strict: strictFlag, rest: afterStrict } = extractStrict(afterTier)
+	const strict = strictFlag || isTruthy(process.env['OPICE_REPORT_STRICT']) || config?.failOnReportError === true
+
 	const git = detectGitMeta()
 	const env: NodeJS.ProcessEnv = {
 		...process.env,
 		...(project ? { OPICE_PROJECT: project } : {}),
 		...(endpoint ? { OPICE_ENDPOINT: endpoint } : {}),
-		// Resolve the api key (incl. from a DSN) into the explicit var the
+		// Resolve the service-token pair (incl. from a DSN) into the explicit vars the
 		// harness reporter reads, so a bare OPICE_DSN is enough to report.
-		...(apiKey ? { OPICE_API_KEY: apiKey } : {}),
+		...(clientId ? { OPICE_CLIENT_ID: clientId } : {}),
+		...(clientSecret ? { OPICE_CLIENT_SECRET: clientSecret } : {}),
 		...(git.branch ? { OPICE_BRANCH: git.branch } : {}),
 		...(git.commit ? { OPICE_COMMIT: git.commit } : {}),
+		...(resolvedTier ? { OPICE_TIER: resolvedTier } : {}),
+		...(strict ? { OPICE_REPORT_STRICT: '1' } : {}),
 	}
 
 	// `--retries=N` (opice's spelling) → bun's `--retry=N`, the global default
 	// retry budget for every scenario. CLI flag wins over opice.config.json's
 	// `retries`. A per-scenario `walkthrough`/meta `retries` overrides both.
-	const { retries, rest } = extractRetries(args)
+	const { retries, rest } = extractRetries(afterStrict)
 	const resolvedRetries = retries ?? config?.retries
 	const bunArgs = ['test', ...rest]
 	// Don't clobber an explicit `--retry` the caller passed through to bun.
@@ -62,7 +85,16 @@ export async function testCommand(args: string[]): Promise<number> {
 
 	// After bun test exits, look for handoff files the reporter wrote and
 	// POST /finish for each run so it leaves "running" state.
-	await finalizeHandoffs(child.pid, project)
+	const finalizeFailed = await finalizeHandoffs(child.pid, project)
+
+	// Under strict reporting, a failed finalize (POST /finish) reddens an
+	// otherwise-green run — the same contract the harness enforces for in-test
+	// reports. Don't mask a real test failure: only escalate when bun itself was
+	// green. (An in-test report failure already failed bun via the harness.)
+	if (exitCode === 0 && strict && finalizeFailed) {
+		warn('reporting failed and --fail-on-report-error is set — exiting non-zero.')
+		return 1
+	}
 
 	return exitCode
 }
@@ -94,14 +126,65 @@ function extractRetries(args: string[]): { retries: number | undefined; rest: st
 	return { retries, rest }
 }
 
-async function finalizeHandoffs(childPid: number | undefined, slug: string | undefined): Promise<void> {
+/**
+ * Pull opice's `--tier=NAME` / `--tier NAME` out of the arg list (it's an opice
+ * concept, not a bun flag) and return the selected tier plus the remaining args.
+ * The value is passed straight through to the harness via OPICE_TIER, which
+ * validates it — so an unrecognized value isn't rejected here.
+ */
+function extractTier(args: string[]): { tier: string | undefined; rest: string[] } {
+	const rest: string[] = []
+	let tier: string | undefined
+	for (let i = 0; i < args.length; i++) {
+		const arg = args[i]
+		if (arg === undefined) continue
+		if (arg.startsWith('--tier=')) {
+			tier = arg.slice('--tier='.length)
+		} else if (arg === '--tier') {
+			const next = args[i + 1]
+			if (next !== undefined) {
+				tier = next
+				i++ // consume the value
+			}
+		} else {
+			rest.push(arg)
+		}
+	}
+	return { tier, rest }
+}
+
+/** Returns true if finalizing any run failed (so strict mode can escalate). */
+/**
+ * Pull opice's `--fail-on-report-error` boolean flag out of the arg list (it's
+ * an opice concept, not a bun flag) and return whether it was present plus the
+ * remaining args.
+ */
+function extractStrict(args: string[]): { strict: boolean; rest: string[] } {
+	const rest: string[] = []
+	let strict = false
+	for (const arg of args) {
+		if (arg === '--fail-on-report-error') strict = true
+		else rest.push(arg)
+	}
+	return { strict, rest }
+}
+
+function isTruthy(value: string | undefined): boolean {
+	if (!value) return false
+	const v = value.toLowerCase()
+	return v === '1' || v === 'true' || v === 'yes' || v === 'on'
+}
+
+/** Returns true if finalizing any run failed (so strict mode can escalate). */
+async function finalizeHandoffs(childPid: number | undefined, slug: string | undefined): Promise<boolean> {
 	let files: string[]
 	try {
 		files = await fs.readdir(HANDOFF_DIR)
 	} catch {
-		return // no handoff dir → no runs reported, nothing to finalize
+		return false // no handoff dir → no runs reported, nothing to finalize
 	}
 	const matching = childPid ? files.filter((f) => f === `${childPid}.json`) : files
+	let failed = false
 	for (const file of matching) {
 		const full = path.join(HANDOFF_DIR, file)
 		try {
@@ -109,11 +192,13 @@ async function finalizeHandoffs(childPid: number | undefined, slug: string | und
 			await finishRun(handoff)
 			printRunUrl(handoff, slug)
 		} catch (err) {
+			failed = true
 			warn(`Failed to finalize run from ${file}: ${(err as Error).message}`)
 		} finally {
 			await fs.unlink(full).catch(() => {})
 		}
 	}
+	return failed
 }
 
 function printRunUrl(handoff: Handoff, slug: string | undefined): void {
@@ -124,10 +209,13 @@ function printRunUrl(handoff: Handoff, slug: string | undefined): void {
 }
 
 async function finishRun(handoff: Handoff): Promise<void> {
-	const url = `${handoff.endpoint}/api/v1/runs/${handoff.runId}/finish`
+	const url = `${handoff.endpoint}/api/v1/${handoff.project}/runs/${handoff.runId}/finish`
 	const response = await fetch(url, {
 		method: 'POST',
-		headers: { authorization: `Bearer ${handoff.apiKey}` },
+		headers: {
+			'cf-access-client-id': handoff.clientId,
+			'cf-access-client-secret': handoff.clientSecret,
+		},
 	})
 	if (!response.ok) {
 		throw new Error(`${response.status} ${await response.text()}`)

package/src/config.ts

@@ -11,6 +11,21 @@ export interface OpiceConfig {
 	 * the command line, and by a per-scenario `walkthrough`/meta `retries`.
 	 */
 	retries?: number
+	/**
+	 * Default test tier to run (`critical` < `standard` < `extended`). Selection
+	 * is a threshold — `standard` runs critical + standard. Overridden by `opice
+	 * test --tier=NAME` and the `OPICE_TIER` env var. Omitted ⇒ run everything.
+	 * Scenarios above the selected tier are reported `skipped`, not run.
+	 */
+	tier?: 'critical' | 'standard' | 'extended'
+	/**
+	 * Fail the run if reporting to the platform fails (default best-effort: a
+	 * reporting failure is logged but never reddens CI). When set, a failed report
+	 * during the test (harness) or a failed `POST /finish` (this CLI) exits
+	 * non-zero. Overridden by `opice test --fail-on-report-error` and the
+	 * `OPICE_REPORT_STRICT` env var.
+	 */
+	failOnReportError?: boolean
 }
 
 const CONFIG_NAME = 'opice.config.json'

package/src/dsn.ts

@@ -1,18 +1,20 @@
 /**
  * An opice DSN packs everything a project needs to report into one string:
  *
- *   OPICE_DSN=https://<apiKey>@<host>/<slug>
+ *   OPICE_DSN=https://<clientId>:<clientSecret>@<host>/<slug>
  *
- * The api key rides in the userinfo, the host is the platform endpoint, and
- * the first path segment is the project slug. The individual `OPICE_*` vars
- * (and opice.config.json) still win when present — the DSN is a convenience
- * fallback so the dashboard can hand out a single value to drop into `.env`.
+ * The DSN is a Cloudflare Access SERVICE TOKEN: the client id + secret ride in the
+ * userinfo (sent as `CF-Access-Client-Id` / `CF-Access-Client-Secret`), the host is
+ * the platform endpoint, and the first path segment is the project slug. The
+ * individual `OPICE_*` vars (and opice.config.json) still win when present — the DSN
+ * is a convenience fallback so the dashboard can hand out a single value.
  *
  * Kept in sync with `@opice/harness`'s copy; duplicated to avoid a CLI→harness
  * dependency.
  */
 export interface OpiceDsn {
-	apiKey: string
+	clientId: string
+	clientSecret: string
 	endpoint: string
 	project: string
 }
@@ -25,8 +27,9 @@ export function parseOpiceDsn(raw: string | undefined | null): OpiceDsn | null {
 	} catch {
 		return null
 	}
-	const apiKey = decodeURIComponent(url.username)
+	const clientId = decodeURIComponent(url.username)
+	const clientSecret = decodeURIComponent(url.password)
 	const project = url.pathname.replace(/^\/+/, '').split('/')[0] ?? ''
-	if (!apiKey || !project) return null
-	return { apiKey, endpoint: `${url.protocol}//${url.host}`, project }
+	if (!clientId || !clientSecret || !project) return null
+	return { clientId, clientSecret, endpoint: `${url.protocol}//${url.host}`, project }
 }

package/src/commands/tokens.ts

@@ -1,201 +0,0 @@
-/**
- * `opice tokens <create|list|revoke>` — manage API tokens from the terminal.
- *
- * Like `opice users create`, these are operator actions: they call the
- * `admin.*` RPCs with the bootstrap admin token as a Bearer credential
- * (--admin-token or OPICE_ADMIN_TOKEN) against the platform endpoint
- * (--endpoint, OPICE_ENDPOINT, or opice.config.json).
- *
- * `create` is the headless counterpart to the dashboard's "new project" read
- * key: mint a project-scoped read token and it prints a ready-to-paste
- * `OPICE_READ_DSN` an authoring agent can drop into `.env` to read results.
- */
-
-import { loadConfig } from '../config'
-import { parseOpiceDsn } from '../dsn'
-
-interface CommonFlags {
-	endpoint?: string
-	adminToken?: string
-}
-
-interface CreateFlags extends CommonFlags {
-	project?: string
-	capability: 'read' | 'write'
-	label?: string
-	expiresInDays?: number
-}
-
-interface TokenSummary {
-	id: string
-	capability: 'read' | 'write' | 'admin'
-	projectSlug: string | null
-	runId: string | null
-	label: string | null
-	createdAt: number
-	expiresAt: number | null
-	lastUsedAt: number | null
-}
-
-const USAGE = `Usage:
-  opice tokens create [--project=SLUG] [--capability=read|write] [--label=...] [--expires-days=N] [--endpoint=URL] [--admin-token=TOKEN]
-  opice tokens list [--project=SLUG] [--endpoint=URL] [--admin-token=TOKEN]
-  opice tokens revoke <token-id> [--endpoint=URL] [--admin-token=TOKEN]`
-
-export async function tokensCommand(args: string[]): Promise<number> {
-	const [sub, ...rest] = args
-	switch (sub) {
-		case 'create':
-			return createToken(rest)
-		case 'list':
-			return listTokens(rest)
-		case 'revoke':
-			return revokeToken(rest)
-		default:
-			console.error(USAGE)
-			return 1
-	}
-}
-
-async function createToken(args: string[]): Promise<number> {
-	const flags = parseCreateFlags(args)
-	const target = await resolveTarget(flags)
-	if (!target) return 1
-
-	if (!flags.project && flags.capability !== 'read') {
-		console.error('A global (project-less) token must be read-only. Pass --project=SLUG for a write token.')
-		return 1
-	}
-
-	const result = await rpc<{ id: string; token: string; expiresAt: number | null }>(target, 'admin.createToken', {
-		...(flags.project ? { projectSlug: flags.project } : {}),
-		capability: flags.capability,
-		...(flags.label ? { label: flags.label } : {}),
-		...(flags.expiresInDays != null ? { expiresInDays: flags.expiresInDays } : {}),
-	})
-	if (!result) return 1
-
-	console.log(`✓ Created ${flags.capability} token ${result.id}`)
-	console.log(`  token: ${result.token}`)
-	if (result.expiresAt != null) console.log(`  expires: ${new Date(result.expiresAt).toISOString()}`)
-	if (flags.project) {
-		const host = new URL(target.endpoint).host
-		const envVar = flags.capability === 'read' ? 'OPICE_READ_DSN' : 'OPICE_DSN'
-		console.log('')
-		console.log(`  ${envVar}=https://${result.token}@${host}/${flags.project}`)
-	}
-	console.log('  (shown once — store it now; only its hash is kept)')
-	return 0
-}
-
-async function listTokens(args: string[]): Promise<number> {
-	const flags = parseCommonFlags(args)
-	const project = flags['project']
-	const target = await resolveTarget(flags)
-	if (!target) return 1
-
-	const tokens = await rpc<TokenSummary[]>(target, 'admin.listTokens', project ? { projectSlug: project } : {})
-	if (!tokens) return 1
-
-	if (tokens.length === 0) {
-		console.log('No tokens.')
-		return 0
-	}
-	for (const t of tokens) {
-		const scope = t.runId ? `run ${t.runId}` : (t.projectSlug ?? 'all projects')
-		const meta = [
-			t.label ?? '(no label)',
-			t.capability,
-			scope,
-			t.expiresAt ? `expires ${new Date(t.expiresAt).toISOString().slice(0, 10)}` : 'no expiry',
-			t.lastUsedAt ? `used ${new Date(t.lastUsedAt).toISOString().slice(0, 10)}` : 'never used',
-		].join(' · ')
-		console.log(`${t.id}  ${meta}`)
-	}
-	return 0
-}
-
-async function revokeToken(args: string[]): Promise<number> {
-	const positional = args.filter((a) => !a.startsWith('--'))
-	const tokenId = positional[0]
-	if (!tokenId) {
-		console.error('Usage: opice tokens revoke <token-id> [--endpoint=URL] [--admin-token=TOKEN]')
-		return 1
-	}
-	const flags = parseCommonFlags(args)
-	const target = await resolveTarget(flags)
-	if (!target) return 1
-
-	const result = await rpc<{ revoked: boolean }>(target, 'admin.revokeToken', { tokenId })
-	if (!result) return 1
-	console.log(result.revoked ? `✓ Revoked ${tokenId}` : `Token not found or already revoked: ${tokenId}`)
-	return 0
-}
-
-interface Target {
-	endpoint: string
-	adminToken: string
-}
-
-async function resolveTarget(flags: CommonFlags | Record<string, string | undefined>): Promise<Target | null> {
-	const endpoint =
-		flags['endpoint'] ?? process.env['OPICE_ENDPOINT'] ?? (await loadConfig())?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
-	if (!endpoint) {
-		console.error('Could not determine the platform endpoint. Pass --endpoint=URL, set OPICE_ENDPOINT, or run from a project with opice.config.json.')
-		return null
-	}
-	const adminToken = flags['adminToken'] ?? process.env['OPICE_ADMIN_TOKEN']
-	if (!adminToken) {
-		console.error('Missing admin token. Pass --admin-token=TOKEN or set OPICE_ADMIN_TOKEN.')
-		return null
-	}
-	return { endpoint: endpoint.replace(/\/$/, ''), adminToken }
-}
-
-async function rpc<T>(target: Target, method: string, input: unknown): Promise<T | null> {
-	let response: Response
-	try {
-		response = await fetch(`${target.endpoint}/rpc`, {
-			method: 'POST',
-			headers: { 'content-type': 'application/json', authorization: `Bearer ${target.adminToken}` },
-			body: JSON.stringify({ method, input }),
-		})
-	} catch (err) {
-		console.error(`[opice] request failed: ${(err as Error).message}`)
-		return null
-	}
-	const data = (await response.json().catch(() => null)) as { result?: T; error?: { message?: string } } | null
-	if (!response.ok || !data || data.error || data.result === undefined) {
-		const message = data?.error?.message ?? `${response.status} ${response.statusText}`
-		console.error(`[opice] ${method} failed: ${message}`)
-		return null
-	}
-	return data.result as T
-}
-
-function parseCreateFlags(args: string[]): CreateFlags {
-	const flags: CreateFlags = { capability: 'read' }
-	for (const arg of args) {
-		if (arg.startsWith('--project=')) flags.project = arg.slice('--project='.length)
-		else if (arg.startsWith('--capability=')) {
-			const v = arg.slice('--capability='.length)
-			if (v === 'read' || v === 'write') flags.capability = v
-		} else if (arg.startsWith('--label=')) flags.label = arg.slice('--label='.length)
-		else if (arg.startsWith('--expires-days=')) {
-			const n = Number(arg.slice('--expires-days='.length))
-			if (Number.isFinite(n)) flags.expiresInDays = n
-		} else if (arg.startsWith('--endpoint=')) flags.endpoint = arg.slice('--endpoint='.length)
-		else if (arg.startsWith('--admin-token=')) flags.adminToken = arg.slice('--admin-token='.length)
-	}
-	return flags
-}
-
-function parseCommonFlags(args: string[]): Record<string, string | undefined> {
-	const flags: Record<string, string | undefined> = {}
-	for (const arg of args) {
-		if (arg.startsWith('--project=')) flags['project'] = arg.slice('--project='.length)
-		else if (arg.startsWith('--endpoint=')) flags['endpoint'] = arg.slice('--endpoint='.length)
-		else if (arg.startsWith('--admin-token=')) flags['adminToken'] = arg.slice('--admin-token='.length)
-	}
-	return flags
-}

package/src/commands/users.ts

@@ -1,101 +0,0 @@
-/**
- * `opice users create <email>` — create a dashboard login.
- *
- * Self-service signup is disabled on the platform; this is the sanctioned way
- * to mint an account. It calls the `admin.createUser` RPC with the bootstrap
- * admin token as a Bearer credential (--admin-token or OPICE_ADMIN_TOKEN) and
- * the platform endpoint (--endpoint, OPICE_ENDPOINT, or opice.config.json).
- * Accounts are created with the `admin` role by default.
- *
- * If no password is given one is generated and printed once.
- */
-
-import { loadConfig } from '../config'
-import { parseOpiceDsn } from '../dsn'
-
-interface CreateUserFlags {
-	email?: string
-	password?: string
-	name?: string
-	endpoint?: string
-	adminToken?: string
-}
-
-export async function usersCommand(args: string[]): Promise<number> {
-	const [sub, ...rest] = args
-	if (sub !== 'create') {
-		console.error('Usage: opice users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]')
-		return 1
-	}
-
-	const flags = parseFlags(rest)
-	if (!flags.email) {
-		console.error('Usage: opice users create <email> [--password=...] [--name=...] [--endpoint=URL] [--admin-token=TOKEN]')
-		return 1
-	}
-
-	const endpoint = flags.endpoint ?? process.env['OPICE_ENDPOINT'] ?? (await loadConfig())?.endpoint ?? parseOpiceDsn(process.env['OPICE_DSN'])?.endpoint
-	if (!endpoint) {
-		console.error('Could not determine the platform endpoint. Pass --endpoint=URL, set OPICE_ENDPOINT, or run from a project with opice.config.json.')
-		return 1
-	}
-
-	const adminToken = flags.adminToken ?? process.env['OPICE_ADMIN_TOKEN']
-	if (!adminToken) {
-		console.error('Missing admin token. Pass --admin-token=TOKEN or set OPICE_ADMIN_TOKEN.')
-		return 1
-	}
-
-	const generated = !flags.password
-	const password = flags.password ?? generatePassword()
-
-	let response: Response
-	try {
-		response = await fetch(`${endpoint.replace(/\/$/, '')}/rpc`, {
-			method: 'POST',
-			headers: { 'content-type': 'application/json', authorization: `Bearer ${adminToken}` },
-			body: JSON.stringify({
-				method: 'admin.createUser',
-				input: { email: flags.email, password, ...(flags.name ? { name: flags.name } : {}) },
-			}),
-		})
-	} catch (err) {
-		console.error(`[opice] request failed: ${(err as Error).message}`)
-		return 1
-	}
-
-	const data = (await response.json().catch(() => null)) as
-		| { result?: { email?: string }; error?: { message?: string } }
-		| null
-	if (!response.ok || !data || data.error || !data.result) {
-		const message = data?.error?.message ?? `${response.status} ${response.statusText}`
-		console.error(`[opice] could not create user: ${message}`)
-		return 1
-	}
-
-	console.log(`✓ Created user ${data.result.email ?? flags.email}`)
-	if (generated) {
-		console.log(`  password: ${password}`)
-		console.log('  (shown once — store it in your password manager now)')
-	}
-	return 0
-}
-
-function parseFlags(args: string[]): CreateUserFlags {
-	const flags: CreateUserFlags = {}
-	for (const arg of args) {
-		if (arg.startsWith('--password=')) flags.password = arg.slice('--password='.length)
-		else if (arg.startsWith('--name=')) flags.name = arg.slice('--name='.length)
-		else if (arg.startsWith('--endpoint=')) flags.endpoint = arg.slice('--endpoint='.length)
-		else if (arg.startsWith('--admin-token=')) flags.adminToken = arg.slice('--admin-token='.length)
-		else if (!arg.startsWith('--') && !flags.email) flags.email = arg
-	}
-	return flags
-}
-
-/** A 20-char base64url password — comfortably over the 10-char server minimum. */
-function generatePassword(): string {
-	const bytes = new Uint8Array(15)
-	crypto.getRandomValues(bytes)
-	return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
-}