@postplus/cli 0.1.42 → 0.1.43

package/build/auth-lifecycle.js

@@ -1,7 +1,8 @@
 import { formatAccountBindingLines } from './account-binding-display.js';
 import { refreshRemoteAuthSession } from './auth-session.js';
 import { clearAuthState, generateAuthStatusReport } from './auth.js';
-import { buildPostPlusClientCompatibilityHeaders, formatPostPlusCompatibilityError, } from './client-compatibility.js';
+import { sendAuthedCloudRequest } from './authed-cloud-request.js';
+import { formatPostPlusCompatibilityError } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
 import { resolveCliSessionTokenState } from './local-state.js';
 import { readSubscriptionStatusField } from './subscription-status.js';
@@ -38,17 +39,11 @@ export async function revokeRemoteAuth() {
     if (!cliSessionTokenState.present || !cliSessionTokenState.value) {
         throw new Error('Run `postplus auth login` before revoking PostPlus auth.');
     }
-    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
-    const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/revoke`, {
+    const response = await sendAuthedCloudRequest({
+        auth: { apiBaseUrl, cliSessionToken: cliSessionTokenState.value },
+        body: {},
         method: 'POST',
-        headers: {
-            accept: 'application/json',
-            ...compatibilityHeaders,
-            authorization: `Bearer ${cliSessionTokenState.value}`,
-            'content-type': 'application/json',
-        },
-        body: JSON.stringify({}),
-        signal: AbortSignal.timeout(15000),
+        pathName: '/api/postplus-cli/auth/revoke',
     });
     const payload = (await response.json());
     if (!response.ok) {

package/build/auth-login.js

@@ -1,4 +1,5 @@
 import { execFileSync } from 'node:child_process';
+import { sendAuthedCloudRequest } from './authed-cloud-request.js';
 import { buildPostPlusClientCompatibilityHeaders, formatPostPlusCompatibilityError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
 import { setLocalSession } from './local-state.js';
@@ -127,15 +128,9 @@ export async function pollCloudAuthLogin(input) {
     throw new Error('PostPlus CLI sign-in poll returned incomplete data.');
 }
 export async function validateCliSession(input) {
-    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
-    const response = await fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
-        method: 'GET',
-        headers: {
-            accept: 'application/json',
-            ...compatibilityHeaders,
-            authorization: `Bearer ${input.cliSessionToken}`,
-        },
-        signal: AbortSignal.timeout(15000),
+    const response = await sendAuthedCloudRequest({
+        auth: input,
+        pathName: '/api/postplus-cli/auth/whoami',
     });
     const payload = (await response.json());
     if (!response.ok) {

package/build/auth-session.js

@@ -1,4 +1,5 @@
-import { buildPostPlusClientCompatibilityHeaders, formatPostPlusCompatibilityError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
+import { sendAuthedCloudRequest } from './authed-cloud-request.js';
+import { formatPostPlusCompatibilityError, writeCurrentCliVersionToLocalConfig, } from './client-compatibility.js';
 import { requireHostedBaseUrl } from './hosted-release.js';
 import { resolveCliSessionTokenState, setLocalSession } from './local-state.js';
 export async function resolveFreshRemoteAuth(options = {}) {
@@ -39,17 +40,11 @@ export async function refreshRemoteAuthSession(input) {
     if (!cliSessionToken) {
         throw new Error('Run `postplus auth login` before refreshing PostPlus auth.');
     }
-    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
-    const response = await fetch(`${apiBaseUrl}/api/postplus-cli/auth/refresh`, {
+    const response = await sendAuthedCloudRequest({
+        auth: { apiBaseUrl, cliSessionToken },
+        body: {},
         method: 'POST',
-        headers: {
-            accept: 'application/json',
-            ...compatibilityHeaders,
-            authorization: `Bearer ${cliSessionToken}`,
-            'content-type': 'application/json',
-        },
-        body: JSON.stringify({}),
-        signal: AbortSignal.timeout(15000),
+        pathName: '/api/postplus-cli/auth/refresh',
     });
     const payload = (await response.json());
     if (!response.ok) {

package/build/auth-validate.js

@@ -1,16 +1,15 @@
 import { formatAccountBindingLines } from './account-binding-display.js';
 import { resolveFreshRemoteAuth } from './auth-session.js';
-import { buildPostPlusClientCompatibilityHeaders, formatPostPlusCompatibilityError, } from './client-compatibility.js';
+import { sendAuthedCloudRequest } from './authed-cloud-request.js';
+import { formatPostPlusCompatibilityError } from './client-compatibility.js';
 import { readSubscriptionStatusField } from './subscription-status.js';
 export async function validateRemoteAuth() {
-    let auth = await resolveFreshRemoteAuth();
-    let response = await fetchWhoami(auth);
-    if (response.status === 401) {
-        auth = await resolveFreshRemoteAuth({
-            forceRefresh: true,
-        });
-        response = await fetchWhoami(auth);
-    }
+    const auth = await resolveFreshRemoteAuth();
+    const response = await sendAuthedCloudRequest({
+        auth,
+        pathName: '/api/postplus-cli/auth/whoami',
+        retryOn401: () => resolveFreshRemoteAuth({ forceRefresh: true }),
+    });
     const payload = (await response.json());
     if (!response.ok) {
         const compatibilityError = formatPostPlusCompatibilityError(payload);
@@ -61,18 +60,6 @@ function readAccountType(payload) {
     }
     return value;
 }
-async function fetchWhoami(input) {
-    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
-    return fetch(`${input.apiBaseUrl}/api/postplus-cli/auth/whoami`, {
-        method: 'GET',
-        headers: {
-            accept: 'application/json',
-            ...compatibilityHeaders,
-            authorization: `Bearer ${input.cliSessionToken}`,
-        },
-        signal: AbortSignal.timeout(15000),
-    });
-}
 function readRequiredString(payload, fieldName) {
     const value = payload[fieldName];
     if (typeof value !== 'string' || !value.trim()) {

package/build/authed-cloud-request.js

@@ -0,0 +1,42 @@
+import { buildPostPlusClientCompatibilityHeaders } from './client-compatibility.js';
+const DEFAULT_AUTHED_REQUEST_TIMEOUT_MS = 15_000;
+/**
+ * Single transport envelope for every authenticated PostPlus Cloud request:
+ * canonical header set (`accept` + compatibility headers + `Bearer` token +
+ * optional `content-type`), `AbortSignal.timeout`, and an optional once-only
+ * 401-refresh-retry. It returns the raw `Response` so each caller keeps its own
+ * `!ok` interpretation — this is a narrow transport primitive, not a request
+ * framework.
+ */
+export async function sendAuthedCloudRequest(input) {
+    let response = await issueAuthedCloudRequest(input.auth, input);
+    if (response.status === 401 && input.retryOn401) {
+        const refreshedAuth = await input.retryOn401();
+        response = await issueAuthedCloudRequest(refreshedAuth, input);
+    }
+    return response;
+}
+async function issueAuthedCloudRequest(auth, input) {
+    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders({
+        skillName: input.skillName ?? null,
+    });
+    const hasBody = input.body !== undefined;
+    const headers = {
+        accept: 'application/json',
+        ...compatibilityHeaders,
+        authorization: `Bearer ${auth.cliSessionToken}`,
+    };
+    if (hasBody) {
+        headers['content-type'] = 'application/json';
+    }
+    const requestUrl = new URL(input.pathName, normalizeBaseUrl(auth.apiBaseUrl));
+    return fetch(requestUrl, {
+        method: input.method ?? 'GET',
+        headers,
+        ...(hasBody ? { body: JSON.stringify(input.body) } : {}),
+        signal: AbortSignal.timeout(input.timeoutMs ?? DEFAULT_AUTHED_REQUEST_TIMEOUT_MS),
+    });
+}
+function normalizeBaseUrl(apiBaseUrl) {
+    return apiBaseUrl.endsWith('/') ? apiBaseUrl : `${apiBaseUrl}/`;
+}

package/build/doctor.js

@@ -1,6 +1,7 @@
 import { formatAccountBindingName } from './account-binding-display.js';
 import { resolveFreshRemoteAuth, } from './auth-session.js';
-import { buildPostPlusClientCompatibilityHeaders, formatPostPlusCompatibilityError, } from './client-compatibility.js';
+import { sendAuthedCloudRequest } from './authed-cloud-request.js';
+import { formatPostPlusCompatibilityError } from './client-compatibility.js';
 import { resolveHostedBaseUrl } from './hosted-release.js';
 import { formatLocalDependencyReport, generateLocalDependencyReport, } from './local-dependencies.js';
 import { loadPublicSkillCatalog, } from './skill-catalog.js';
@@ -136,13 +137,11 @@ function buildDoctorReport(checks, skillId) {
 }
 async function checkRemoteAuth(input) {
     try {
-        let response = await requestWithAuth(input, '/api/postplus-cli/auth/whoami');
-        if (response.status === 401) {
-            const refreshedAuth = await resolveFreshRemoteAuth({
-                forceRefresh: true,
-            });
-            response = await requestWithAuth(refreshedAuth, '/api/postplus-cli/auth/whoami');
-        }
+        const response = await sendAuthedCloudRequest({
+            auth: input,
+            pathName: '/api/postplus-cli/auth/whoami',
+            retryOn401: () => resolveFreshRemoteAuth({ forceRefresh: true }),
+        });
         const payload = (await response.json());
         if (!response.ok) {
             return createFail('remote_auth', 'Remote auth', readErrorMessage(payload, 'PostPlus Cloud rejected the CLI session.'), 'Run `postplus auth login`.');
@@ -172,13 +171,11 @@ async function checkRemoteAuth(input) {
 }
 async function checkHostedCapabilities(input, skillScope) {
     try {
-        let response = await requestWithAuth(input, '/api/postplus-cli/hosted/readiness');
-        if (response.status === 401) {
-            const refreshedAuth = await resolveFreshRemoteAuth({
-                forceRefresh: true,
-            });
-            response = await requestWithAuth(refreshedAuth, '/api/postplus-cli/hosted/readiness');
-        }
+        const response = await sendAuthedCloudRequest({
+            auth: input,
+            pathName: '/api/postplus-cli/hosted/readiness',
+            retryOn401: () => resolveFreshRemoteAuth({ forceRefresh: true }),
+        });
         const payload = (await response.json());
         if (!response.ok) {
             return createFail('hosted_capabilities', 'Hosted capabilities', readErrorMessage(payload, 'PostPlus Cloud hosted readiness check failed.'));
@@ -459,17 +456,6 @@ function readErrorMessage(payload, fallback) {
         ? payload.error
         : fallback;
 }
-async function requestWithAuth(input, path) {
-    const compatibilityHeaders = await buildPostPlusClientCompatibilityHeaders();
-    return fetch(`${input.apiBaseUrl}${path}`, {
-        headers: {
-            accept: 'application/json',
-            ...compatibilityHeaders,
-            authorization: `Bearer ${input.cliSessionToken}`,
-        },
-        signal: AbortSignal.timeout(15000),
-    });
-}
 export function formatDoctorReport(report) {
     const lines = ['PostPlus CLI doctor', ''];
     for (const check of report.checks) {

package/build/hosted-domain-commands.js

@@ -3,9 +3,10 @@ import { createReadStream } from 'node:fs';
 import { mkdir, readFile, stat, writeFile } from 'node:fs/promises';
 import path from 'node:path';
 import { resolveFreshRemoteAuth } from './auth-session.js';
-import { buildPostPlusClientCompatibilityHeaders, formatPostPlusCompatibilityError, } from './client-compatibility.js';
-import { buildHostedRequestSchemaReport, buildMediaGenerationRequestDimensions, } from './hosted-request-schemas.js';
+import { sendAuthedCloudRequest } from './authed-cloud-request.js';
+import { formatPostPlusCompatibilityError } from './client-compatibility.js';
 import { buildVerbTargetIndex, } from './hosted-manifest-index.js';
+import { buildHostedRequestSchemaReport, buildMediaGenerationRequestDimensions, } from './hosted-request-schemas.js';
 import { readLargeCreditQuoteConfirmationChallenge, } from './quote-confirmation.js';
 // Manifest-driven verb grammar indexes (SSOT projected from apps/web +
 // public-skill-metadata via the generated manifest). The verb/flag grammar,
@@ -66,7 +67,9 @@ export async function runHostedDomainCommand(domain, args) {
     if (domain === 'media' && subcommand === 'poll') {
         return runMediaPoll(rest);
     }
-    if (domain === 'media' && subcommand && MEDIA_VERB_ENDPOINTS.has(subcommand)) {
+    if (domain === 'media' &&
+        subcommand &&
+        MEDIA_VERB_ENDPOINTS.has(subcommand)) {
         return runMediaVerb(subcommand, rest);
     }
     // publish: the OPERATION is the subcommand (no separate target positional).
@@ -217,8 +220,7 @@ async function runMediaVerbRequestJson(args) {
     // Runner-managed fields are minted/derived by the CLI; reject them in the body so
     // the agent cannot smuggle in ids, tokens, or billing dimensions.
     for (const field of endpoint.fields) {
-        if (field.class === 'runner-managed' &&
-            Object.hasOwn(input, field.name)) {
+        if (field.class === 'runner-managed' && Object.hasOwn(input, field.name)) {
             throw new Error(`media ${verb} ${endpointKey} input must not include runner-managed field "${field.name}"; the CLI mints or derives it.`);
         }
     }
@@ -308,14 +310,12 @@ async function runVideoAnalysisVerb(args) {
         outputPath,
     });
 }
-// `media-file upload`: the generic local-file -> hosted storageReference verb.
-// Released skills ship no scripts, so any skill that must place a local file
-// behind a hosted reference before a hosted request (e.g. video-analysis before
-// `media analyze`) drives it through this verb. It is capability-generic: it has
-// no knowledge of any one skill's request payload, it only mints an opaque
-// storageReference the agent then embeds in its own hosted request. The runner
-// holds no provider keys — it asks the Web boundary for a signed upload target,
-// PUTs the bytes, and returns the storageReference the Web boundary issued.
+// `media-file upload`: the generic local-file -> hosted media verb. Released
+// skills ship no scripts, so a skill that must place a local file behind hosted
+// media first drives it through this verb. It is capability-generic: it knows no
+// skill request payload. The runner asks the Web boundary for a signed upload
+// target, PUTs bytes outside the JSON envelope, then asks the hosted provider
+// upload operation for the reusable provider-facing result.
 const MEDIA_FILE_MIME_BY_EXTENSION = {
     '.gif': 'image/gif',
     '.jpeg': 'image/jpeg',
@@ -366,6 +366,7 @@ async function runMediaFileUpload(args) {
     }
     const mimeType = flags.values.get('mime') ?? inferUploadMimeType(absolutePath);
     const outputPath = flags.values.get('output') ?? null;
+    const hostedOperationId = flags.values.get('hosted-operation-id') ?? null;
     const body = {
         capability: 'media-file',
         operation: 'create-upload-url',
@@ -374,7 +375,7 @@ async function runMediaFileUpload(args) {
             name: path.basename(absolutePath),
             sizeBytes: fileStat.size,
         },
-        operationId: flags.values.get('hosted-operation-id') ??
+        operationId: hostedOperationId ??
             `postplus-cli:media-file:create-upload-url:${randomUUID()}`,
         quoteConfirmationToken: flags.values.get('quote-confirmation-token') ?? undefined,
     };
@@ -387,8 +388,25 @@ async function runMediaFileUpload(args) {
             });
             const output = readHostedUploadOutput(payload);
             const signedUpload = readSignedUpload(output);
+            const storageReference = readStorageReferenceValue(output);
             await putHostedMediaBytes(signedUpload, absolutePath);
-            return { storageReference: readStorageReferenceValue(output) };
+            return await postHostedJson({
+                body: {
+                    capability: 'media-file',
+                    operation: 'upload',
+                    file: {
+                        mimeType,
+                        name: path.basename(absolutePath),
+                        storageReference,
+                    },
+                    operationId: hostedOperationId
+                        ? `${hostedOperationId}:upload`
+                        : `postplus-cli:media-file:upload:${randomUUID()}`,
+                    quoteConfirmationToken: flags.values.get('quote-confirmation-token') ?? undefined,
+                },
+                pathName: '/api/postplus-cli/hosted/capability',
+                skillName: flags.values.get('skill') ?? null,
+            });
         },
         errorInputLabel: inputFile,
         json: flags.booleans.has('json'),
@@ -581,7 +599,7 @@ async function runResearchCollect(args) {
         const outputPath = flags.values.get('output') ?? null;
         return runHostedCommand({
             request: () => postHostedJson({
-                body: { runHandle },
+                body: { runHandle, runHandleType: 'public-content-collection' },
                 pathName: '/api/postplus-cli/hosted/collection',
                 skillName: null,
             }),
@@ -819,24 +837,16 @@ async function runHostedSchema(domain, args) {
     return 0;
 }
 async function postHostedJson(input) {
-    let auth = await resolveFreshRemoteAuth();
-    let response = await postJson({
-        apiBaseUrl: auth.apiBaseUrl,
+    const auth = await resolveFreshRemoteAuth();
+    const response = await sendAuthedCloudRequest({
+        auth,
         body: input.body,
-        cliSessionToken: auth.cliSessionToken,
+        method: 'POST',
         pathName: input.pathName,
+        retryOn401: () => resolveFreshRemoteAuth({ forceRefresh: true }),
         skillName: input.skillName,
+        timeoutMs: 120000,
     });
-    if (response.status === 401) {
-        auth = await resolveFreshRemoteAuth({ forceRefresh: true });
-        response = await postJson({
-            apiBaseUrl: auth.apiBaseUrl,
-            body: input.body,
-            cliSessionToken: auth.cliSessionToken,
-            pathName: input.pathName,
-            skillName: input.skillName,
-        });
-    }
     const payload = await readJsonResponse(response);
     if (!response.ok) {
         const productError = readHostedProductError(payload);
@@ -895,22 +905,6 @@ async function writeQuoteConfirmationChallenge(error, input) {
     });
     return challengePath;
 }
-async function postJson(input) {
-    const headers = await buildPostPlusClientCompatibilityHeaders({
-        skillName: input.skillName,
-    });
-    return fetch(`${input.apiBaseUrl}${input.pathName}`, {
-        body: JSON.stringify(input.body),
-        headers: {
-            accept: 'application/json',
-            authorization: `Bearer ${input.cliSessionToken}`,
-            ...headers,
-            'content-type': 'application/json',
-        },
-        method: 'POST',
-        signal: AbortSignal.timeout(120000),
-    });
-}
 async function readJsonResponse(response) {
     const text = await response.text();
     if (!text.trim()) {
@@ -1138,7 +1132,9 @@ function printOpaqueTargetHelp(domain, verb, targetKey, resolved) {
         : 'a provider-shaped JSON object of input';
     // publish's operation is both the verb and the target, so the header/usage show
     // it once; research shows `<verb> <target>`.
-    const header = domain === 'publish' ? `publish ${targetKey}` : `research ${verb} ${targetKey}`;
+    const header = domain === 'publish'
+        ? `publish ${targetKey}`
+        : `research ${verb} ${targetKey}`;
     const usage = domain === 'publish'
         ? `    postplus publish ${targetKey} --request <input.json> [--json] [--output <result.json>]`
         : `    postplus research ${verb} ${targetKey} --request <input.json> [--skill <skill-id>] [--max-charge-usd <usd>] [--json] [--output <result.json>]`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@postplus/cli",
-  "version": "0.1.42",
+  "version": "0.1.43",
   "packageManager": "pnpm@10.30.3+sha512.c961d1e0a2d8e354ecaa5166b822516668b7f44cb5bd95122d590dd81922f606f5473b6d23ec4a5be05e7fcd18e8488d47d978bbe981872f1145d06e9a740017",
   "type": "module",
   "description": "PostPlus CLI for PostPlus Cloud auth, status, and diagnostics.",
@@ -12,6 +12,7 @@
     "build/auth-session.js",
     "build/auth-validate.js",
     "build/auth.js",
+    "build/authed-cloud-request.js",
     "build/client-compatibility.js",
     "build/command-runner.js",
     "build/doctor.js",