@simonfestl/husky-cli 1.10.0 → 1.12.0

package/README.md

@@ -143,6 +143,76 @@ husky e2e list --task <id>               # List artifacts
 husky e2e clean --older-than 7           # Clean old artifacts
 ```
 
+### PR Management (PR Agent)
+
+```bash
+husky pr list                          # List open PRs
+husky pr get <pr-number>               # Get PR details
+husky pr review <pr-number>            # Start review
+husky pr approve <pr-number>           # Approve PR
+husky pr request-changes <pr-number> --comment "..."
+husky pr merge <pr-number>             # Merge PR
+husky pr close <pr-number>             # Close PR
+```
+
+### Infrastructure (DevOps)
+
+```bash
+husky infra status                     # Overall infra status
+husky infra vms                        # List all VMs
+husky infra services                   # Cloud Run services
+husky infra logs <service>             # Service logs
+husky infra metrics                    # Resource metrics
+```
+
+### YouTube Summarization
+
+```bash
+husky youtube <url>                    # Summarize video with Gemini AI
+husky youtube <url> --remember         # Also store in Second Brain
+husky youtube <url> --json             # JSON output
+```
+
+### Image Generation
+
+```bash
+husky image "a futuristic city"        # Generate image with Imagen 3
+husky image "..." --output ./image.png # Save to file
+husky image "..." --aspect 16:9        # Aspect ratio
+```
+
+### Mermaid Diagrams
+
+```bash
+husky mermaid validate <file>          # Validate Mermaid syntax
+husky mermaid validate --stdin         # Validate from stdin
+```
+
+### Service Accounts
+
+```bash
+husky sa list                          # List service accounts
+husky sa create <name> --role worker   # Create service account
+husky sa get <id>                      # Get details
+husky sa delete <id>                   # Delete service account
+```
+
+### Agent Messaging
+
+```bash
+husky agent-msg send <to> "message"    # Send to another agent
+husky agent-msg inbox                  # Check inbox
+husky agent-msg read <id>              # Read message
+```
+
+### Preview Deployments
+
+```bash
+husky preview list                     # List PR previews
+husky preview get <pr-number>          # Get preview URL
+husky preview logs <pr-number>         # Preview logs
+```
+
 ### Business Strategy
 
 ```bash
@@ -249,6 +319,41 @@ husky config list
 husky config test
 ```
 
+### Authentication (Session Tokens)
+
+Session tokens provide short-lived JWT authentication for agents. They are created using `HUSKY_API_KEY` and auto-refresh when expired.
+
+```bash
+# Login (creates 1-hour session token)
+husky auth login --agent supervisor
+husky auth login --agent husky-worker-1
+
+# Check session status
+husky auth session
+husky auth session --json
+
+# Refresh token manually
+husky auth refresh
+husky auth refresh --agent supervisor
+
+# Logout (clear session)
+husky auth logout
+```
+
+**VM Startup Pattern:**
+```bash
+#!/bin/bash
+VM_NAME=$(hostname)
+husky auth login --agent "$VM_NAME"
+# All subsequent commands use Bearer token
+```
+
+**How it works:**
+1. `HUSKY_API_KEY` is used once to create a session token
+2. All subsequent API calls use `Authorization: Bearer <token>`
+3. Token auto-refreshes when expired or within 5 minutes of expiry
+4. Falls back to `x-api-key` if refresh fails
+
 ### Help & Documentation
 
 ```bash
@@ -328,6 +433,27 @@ husky --version
 
 ## Changelog
 
+### v1.12.0 (2026-01-12) - Session Token Authentication
+
+**New Features:**
+- `husky auth login --agent <name>` - Create session token from HUSKY_API_KEY
+- `husky auth logout` - Clear session token
+- `husky auth session` - Show session status (agent, role, expiry)
+- `husky auth refresh` - Manually refresh token
+
+**Improvements:**
+- All API calls now use Bearer token authentication (auto-refresh)
+- Token auto-refreshes when expired or within 5 minutes of expiry
+- Falls back to x-api-key for backwards compatibility
+- JWT_SECRET now required in production (fail-fast)
+
+**Documentation:**
+- Added missing command sections: pr, infra, youtube, image, mermaid, sa, agent-msg, preview
+- Updated architecture docs with session token flow
+
+**Code Quality:**
+- Removed `as any` type suppression in sop.ts
+
 ### v1.7.0 (2026-01-11) - E2E Agent Production Ready
 
 **New Features:**

package/dist/commands/auth.js

@@ -1,5 +1,5 @@
 import { Command } from "commander";
-import { getConfig } from "./config.js";
+import { getConfig, setSessionConfig, clearSessionConfig, getSessionConfig } from "./config.js";
 import { getPermissions, clearPermissionsCache, getCacheStatus, hasPermission, canAccessKnowledgeBase } from "../lib/permissions-cache.js";
 const API_KEY_ROLES = [
     "admin", "supervisor", "worker", "reviewer", "support",
@@ -260,3 +260,178 @@ authCommand
         process.exit(1);
     }
 });
+authCommand
+    .command("login")
+    .description("Create a session token for this agent")
+    .requiredOption("--agent <name>", "Agent name (must be registered in Firestore)")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        const config = getConfig();
+        if (!config.apiUrl || !config.apiKey) {
+            console.error("API not configured. Run: husky config set api-url <url> && husky config set api-key <key>");
+            process.exit(1);
+        }
+        const url = new URL("/api/auth/session", config.apiUrl);
+        const res = await fetch(url.toString(), {
+            method: "POST",
+            headers: {
+                "x-api-key": config.apiKey,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ agent: options.agent }),
+        });
+        if (!res.ok) {
+            const error = await res.json().catch(() => ({ error: res.statusText }));
+            if (res.status === 404) {
+                console.error(`Agent '${options.agent}' not found. Register the agent first.`);
+            }
+            else {
+                console.error(`Login failed: ${error.message || error.error || `HTTP ${res.status}`}`);
+            }
+            process.exit(1);
+        }
+        const session = await res.json();
+        setSessionConfig(session);
+        if (options.json) {
+            console.log(JSON.stringify({
+                success: true,
+                agent: session.agent,
+                role: session.role,
+                expiresAt: session.expiresAt,
+            }, null, 2));
+            return;
+        }
+        const expiresAt = new Date(session.expiresAt);
+        console.log("\n✅ Session created");
+        console.log("─".repeat(40));
+        console.log(`Agent:    ${session.agent}`);
+        console.log(`Role:     ${session.role}`);
+        console.log(`Expires:  ${expiresAt.toLocaleString()}`);
+        console.log("");
+        console.log("All API calls will now use this session token.");
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});
+authCommand
+    .command("logout")
+    .description("Clear the current session token")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    const session = getSessionConfig();
+    if (!session) {
+        if (options.json) {
+            console.log(JSON.stringify({ success: false, message: "No active session" }));
+        }
+        else {
+            console.log("No active session to clear.");
+        }
+        return;
+    }
+    clearSessionConfig();
+    if (options.json) {
+        console.log(JSON.stringify({ success: true, agent: session.agent }));
+        return;
+    }
+    console.log(`✅ Session cleared for agent '${session.agent}'`);
+});
+authCommand
+    .command("session")
+    .description("Show current session status")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    const session = getSessionConfig();
+    if (!session || !session.token) {
+        if (options.json) {
+            console.log(JSON.stringify({ active: false }));
+        }
+        else {
+            console.log("No active session. Run: husky auth login --agent <name>");
+        }
+        return;
+    }
+    const expiresAt = session.expiresAt ? new Date(session.expiresAt) : null;
+    const now = new Date();
+    const isExpired = expiresAt ? expiresAt < now : true;
+    const expiresInMs = expiresAt ? expiresAt.getTime() - now.getTime() : 0;
+    const expiresInMinutes = Math.max(0, Math.floor(expiresInMs / 60000));
+    if (options.json) {
+        console.log(JSON.stringify({
+            active: !isExpired,
+            agent: session.agent,
+            role: session.role,
+            expiresAt: session.expiresAt,
+            expired: isExpired,
+            expiresInMinutes,
+        }, null, 2));
+        return;
+    }
+    console.log("\n🔐 Session Status");
+    console.log("─".repeat(40));
+    console.log(`Agent:    ${session.agent || "(unknown)"}`);
+    console.log(`Role:     ${session.role || "(unknown)"}`);
+    if (isExpired) {
+        console.log(`Status:   🔴 EXPIRED`);
+        console.log(`Expired:  ${expiresAt?.toLocaleString() || "(unknown)"}`);
+        console.log("");
+        console.log("Run: husky auth refresh --agent <name>");
+    }
+    else {
+        console.log(`Status:   🟢 ACTIVE`);
+        console.log(`Expires:  ${expiresAt?.toLocaleString()} (${expiresInMinutes} minutes)`);
+    }
+});
+authCommand
+    .command("refresh")
+    .description("Refresh the session token")
+    .option("--agent <name>", "Agent name (uses current session agent if not specified)")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+    try {
+        const config = getConfig();
+        if (!config.apiUrl || !config.apiKey) {
+            console.error("API not configured. Run: husky config set api-url <url> && husky config set api-key <key>");
+            process.exit(1);
+        }
+        const currentSession = getSessionConfig();
+        const agentName = options.agent || currentSession?.agent;
+        if (!agentName) {
+            console.error("No agent specified and no active session. Use: husky auth refresh --agent <name>");
+            process.exit(1);
+        }
+        const url = new URL("/api/auth/session", config.apiUrl);
+        const res = await fetch(url.toString(), {
+            method: "POST",
+            headers: {
+                "x-api-key": config.apiKey,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ agent: agentName }),
+        });
+        if (!res.ok) {
+            const error = await res.json().catch(() => ({ error: res.statusText }));
+            console.error(`Refresh failed: ${error.message || error.error || `HTTP ${res.status}`}`);
+            process.exit(1);
+        }
+        const session = await res.json();
+        setSessionConfig(session);
+        if (options.json) {
+            console.log(JSON.stringify({
+                success: true,
+                agent: session.agent,
+                role: session.role,
+                expiresAt: session.expiresAt,
+            }, null, 2));
+            return;
+        }
+        const expiresAt = new Date(session.expiresAt);
+        console.log(`✅ Session refreshed for '${session.agent}' (expires: ${expiresAt.toLocaleString()})`);
+    }
+    catch (error) {
+        console.error(`Error: ${error instanceof Error ? error.message : "Unknown error"}`);
+        process.exit(1);
+    }
+});

package/dist/commands/config.d.ts

@@ -3,6 +3,10 @@ type AgentRole = "supervisor" | "worker" | "reviewer" | "e2e_agent" | "pr_agent"
 interface Config {
     apiUrl?: string;
     apiKey?: string;
+    sessionToken?: string;
+    sessionExpiresAt?: string;
+    sessionAgent?: string;
+    sessionRole?: string;
     workerId?: string;
     workerName?: string;
     role?: AgentRole;
@@ -28,8 +32,12 @@ interface Config {
     nocodbApiToken?: string;
     nocodbBaseUrl?: string;
     nocodbWorkspaceId?: string;
+    skuterzoneUsername?: string;
+    skuterzonePassword?: string;
+    skuterzoneBaseUrl?: string;
 }
 export declare function getConfig(): Config;
+export declare function saveConfig(config: Config): void;
 /**
  * Fetch role and permissions from /api/auth/whoami
  * Caches the result in config for 1 hour
@@ -52,5 +60,18 @@ export declare function getRole(): AgentRole | undefined;
 export declare function clearRoleCache(): void;
 export declare function setConfig(key: "apiUrl" | "apiKey" | "workerId" | "workerName", value: string): void;
 export declare function setGotessConfig(token: string, bookId: string): void;
+export declare function setSessionConfig(session: {
+    token: string;
+    expiresAt: string;
+    agent: string;
+    role: string;
+}): void;
+export declare function clearSessionConfig(): void;
+export declare function getSessionConfig(): {
+    token?: string;
+    expiresAt?: string;
+    agent?: string;
+    role?: string;
+} | null;
 export declare const configCommand: Command;
 export {};

package/dist/commands/config.js

@@ -41,7 +41,7 @@ export function getConfig() {
         return {};
     }
 }
-function saveConfig(config) {
+export function saveConfig(config) {
     if (!existsSync(CONFIG_DIR)) {
         mkdirSync(CONFIG_DIR, { recursive: true });
     }
@@ -127,6 +127,33 @@ export function setGotessConfig(token, bookId) {
     config.gotessBookId = bookId;
     saveConfig(config);
 }
+export function setSessionConfig(session) {
+    const config = getConfig();
+    config.sessionToken = session.token;
+    config.sessionExpiresAt = session.expiresAt;
+    config.sessionAgent = session.agent;
+    config.sessionRole = session.role;
+    saveConfig(config);
+}
+export function clearSessionConfig() {
+    const config = getConfig();
+    delete config.sessionToken;
+    delete config.sessionExpiresAt;
+    delete config.sessionAgent;
+    delete config.sessionRole;
+    saveConfig(config);
+}
+export function getSessionConfig() {
+    const config = getConfig();
+    if (!config.sessionToken)
+        return null;
+    return {
+        token: config.sessionToken,
+        expiresAt: config.sessionExpiresAt,
+        agent: config.sessionAgent,
+        role: config.sessionRole,
+    };
+}
 export const configCommand = new Command("config")
     .description("Manage CLI configuration");
 // husky config set <key> <value>
@@ -166,6 +193,10 @@ configCommand
         "nocodb-api-token": "nocodbApiToken",
         "nocodb-base-url": "nocodbBaseUrl",
         "nocodb-workspace-id": "nocodbWorkspaceId",
+        // Skuterzone
+        "skuterzone-username": "skuterzoneUsername",
+        "skuterzone-password": "skuterzonePassword",
+        "skuterzone-base-url": "skuterzoneBaseUrl",
     };
     const configKey = keyMappings[key];
     if (!configKey) {
@@ -180,6 +211,7 @@ configCommand
         console.log("  Gotess:   gotess-token, gotess-book-id");
         console.log("  Gemini:   gemini-api-key");
         console.log("  NocoDB:   nocodb-api-token, nocodb-base-url, nocodb-workspace-id");
+        console.log("  Skuterzone: skuterzone-username, skuterzone-password, skuterzone-base-url");
         console.log("  Brain:    agent-type");
         console.error("\n💡 For configuration help: husky explain config");
         process.exit(1);
@@ -201,7 +233,7 @@ configCommand
     config[configKey] = value;
     saveConfig(config);
     // Mask sensitive values in output
-    const sensitiveKeys = ["api-key", "billbee-api-key", "billbee-password", "zendesk-api-token", "seatable-api-token", "gotess-token", "gemini-api-key", "nocodb-api-token"];
+    const sensitiveKeys = ["api-key", "billbee-api-key", "billbee-password", "zendesk-api-token", "seatable-api-token", "gotess-token", "gemini-api-key", "nocodb-api-token", "skuterzone-username", "skuterzone-password"];
     const displayValue = sensitiveKeys.includes(key) ? "***" : value;
     console.log(`✓ Set ${key} = ${displayValue}`);
 });

package/dist/commands/task.js

@@ -829,12 +829,14 @@ taskCommand
                 throw new Error(`API error: ${res.status}`);
             }
             const data = await res.json();
-            if (data.status === "approved") {
+            if (data.approved === true && data.pending === false) {
                 console.log("✓ Plan approved!");
                 process.exit(0);
             }
-            else if (data.status === "rejected") {
+            else if (data.approved === false && data.rejected === true) {
                 console.log("✗ Plan rejected");
+                if (data.reason)
+                    console.log(`Reason: ${data.reason}`);
                 process.exit(1);
             }
             // Still pending, wait and poll again

package/dist/index.js

@@ -34,6 +34,7 @@ import { e2eCommand } from "./commands/e2e.js";
 import { prCommand } from "./commands/pr.js";
 import { youtubeCommand } from "./commands/youtube.js";
 import { imageCommand } from "./commands/image.js";
+import { authCommand } from "./commands/auth.js";
 // Read version from package.json
 const require = createRequire(import.meta.url);
 const packageJson = require("../package.json");
@@ -75,6 +76,7 @@ program.addCommand(e2eCommand);
 program.addCommand(prCommand);
 program.addCommand(youtubeCommand);
 program.addCommand(imageCommand);
+program.addCommand(authCommand);
 // Handle --llm flag specially
 if (process.argv.includes("--llm")) {
     printLLMContext();

package/dist/lib/api-client.d.ts

@@ -0,0 +1,13 @@
+export interface ApiRequestOptions {
+    method?: string;
+    body?: unknown;
+    skipAuth?: boolean;
+}
+export declare function apiRequest<T>(path: string, options?: ApiRequestOptions): Promise<T>;
+export declare function getApiClient(): {
+    get: <T>(path: string) => Promise<T>;
+    post: <T>(path: string, body?: unknown) => Promise<T>;
+    put: <T>(path: string, body?: unknown) => Promise<T>;
+    patch: <T>(path: string, body?: unknown) => Promise<T>;
+    delete: <T>(path: string) => Promise<T>;
+};

package/dist/lib/api-client.js

@@ -0,0 +1,117 @@
+import { getConfig, getSessionConfig, setSessionConfig, clearSessionConfig } from "../commands/config.js";
+const REFRESH_THRESHOLD_MS = 5 * 60 * 1000;
+let refreshInProgress = null;
+function isSessionExpired(expiresAt) {
+    if (!expiresAt)
+        return true;
+    return new Date(expiresAt).getTime() < Date.now();
+}
+function isSessionExpiringSoon(expiresAt) {
+    if (!expiresAt)
+        return true;
+    return new Date(expiresAt).getTime() - Date.now() < REFRESH_THRESHOLD_MS;
+}
+async function doRefresh(agentName) {
+    const config = getConfig();
+    if (!config.apiUrl || !config.apiKey)
+        return null;
+    try {
+        const url = new URL("/api/auth/session", config.apiUrl);
+        const res = await fetch(url.toString(), {
+            method: "POST",
+            headers: {
+                "x-api-key": config.apiKey,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ agent: agentName }),
+        });
+        if (!res.ok)
+            return null;
+        const session = await res.json();
+        setSessionConfig(session);
+        return session;
+    }
+    catch {
+        return null;
+    }
+}
+async function refreshSession(agentName) {
+    if (refreshInProgress) {
+        return refreshInProgress;
+    }
+    refreshInProgress = doRefresh(agentName).finally(() => {
+        refreshInProgress = null;
+    });
+    return refreshInProgress;
+}
+async function doFetch(url, method, authHeader, body) {
+    return fetch(url.toString(), {
+        method,
+        headers: {
+            ...authHeader,
+            "Content-Type": "application/json",
+        },
+        body: body ? JSON.stringify(body) : undefined,
+    });
+}
+async function getAuthHeader(session, apiKey) {
+    if (session?.token && session.expiresAt) {
+        if (isSessionExpired(session.expiresAt)) {
+            if (session.agent) {
+                const newSession = await refreshSession(session.agent);
+                if (newSession) {
+                    return { "Authorization": `Bearer ${newSession.token}` };
+                }
+            }
+            clearSessionConfig();
+            if (apiKey) {
+                return { "x-api-key": apiKey };
+            }
+            throw new Error("Session expired and no API key available for refresh");
+        }
+        if (isSessionExpiringSoon(session.expiresAt) && session.agent) {
+            refreshSession(session.agent).catch(() => { });
+        }
+        return { "Authorization": `Bearer ${session.token}` };
+    }
+    if (apiKey) {
+        return { "x-api-key": apiKey };
+    }
+    throw new Error("No authentication configured. Run: husky auth login --agent <name> or husky config set api-key <key>");
+}
+export async function apiRequest(path, options = {}) {
+    const config = getConfig();
+    if (!config.apiUrl) {
+        throw new Error("API URL not configured. Run: husky config set api-url <url>");
+    }
+    const session = getSessionConfig();
+    const method = options.method || "GET";
+    const url = new URL(path, config.apiUrl);
+    const authHeader = options.skipAuth
+        ? {}
+        : await getAuthHeader(session, config.apiKey);
+    const res = await doFetch(url, method, authHeader, options.body);
+    if (!res.ok) {
+        if (res.status === 401 && session?.token && session.agent) {
+            const newSession = await refreshSession(session.agent);
+            if (newSession) {
+                const retryRes = await doFetch(url, method, { "Authorization": `Bearer ${newSession.token}` }, options.body);
+                if (retryRes.ok) {
+                    return retryRes.json();
+                }
+            }
+        }
+        const error = await res.json().catch(() => ({ error: res.statusText }));
+        throw new Error(error.message || error.error || `HTTP ${res.status}`);
+    }
+    return res.json();
+}
+export function getApiClient() {
+    return {
+        get: (path) => apiRequest(path),
+        post: (path, body) => apiRequest(path, { method: "POST", body }),
+        put: (path, body) => apiRequest(path, { method: "PUT", body }),
+        patch: (path, body) => apiRequest(path, { method: "PATCH", body }),
+        delete: (path) => apiRequest(path, { method: "DELETE" }),
+    };
+}

package/dist/lib/biz/sop.js

@@ -282,21 +282,8 @@ export class SOPService {
         };
     }
     async scrollPoints(collection, options) {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        const qdrantAny = this.qdrant;
         try {
-            const response = await qdrantAny.request(`/collections/${collection}/points/scroll`, {
-                method: 'POST',
-                body: JSON.stringify({
-                    filter: options.filter,
-                    limit: options.limit || 50,
-                    with_payload: options.with_payload ?? true,
-                }),
-            });
-            return response.result.points.map((p) => ({
-                id: p.id,
-                payload: p.payload || {},
-            }));
+            return await this.qdrant.scroll(collection, options);
         }
         catch (error) {
             console.error('Scroll failed:', error);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simonfestl/husky-cli",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "description": "CLI for Huskyv0 Task Orchestration with Claude Agent SDK",
   "type": "module",
   "bin": {
@@ -25,6 +25,7 @@
     "@inquirer/prompts": "^8.1.0",
     "commander": "^12.1.0",
     "firebase-admin": "^13.6.0",
+    "playwright": "^1.57.0",
     "sharp": "^0.34.5",
     "youtube-transcript": "^1.2.1",
     "zod": "^4.3.5"