@socialseal/cli 0.1.12 → 0.1.13

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socialseal/cli",
-  "version": "0.1.12",
+  "version": "0.1.13",
   "private": false,
   "type": "module",
   "description": "SocialSeal CLI (non-interactive)",

package/src/index.js

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import { Command } from 'commander';
+import { spawn } from 'node:child_process';
 import fs from 'node:fs';
 import os from 'node:os';
 import path from 'node:path';
@@ -8,6 +9,7 @@ import WebSocket from 'ws';
 
 const DEFAULT_CONFIG_PATH = path.join(os.homedir(), '.config', 'socialseal', 'config.json');
 const DEFAULT_API_BASE = 'https://api.socialseal.co';
+const DEFAULT_WEB_BASE = 'https://app.socialseal.co';
 const CLI_KEY_HEADER = 'X-CLI-Key';
 const WORKSPACE_HEADER = 'X-Workspace-Id';
 const DEFAULT_TIMEOUT_MS = 300000;
@@ -1018,9 +1020,36 @@ function saveConfig(config) {
     Object.entries(config || {}).filter(([, value]) => value !== undefined),
   );
   fs.mkdirSync(path.dirname(configPath), { recursive: true });
-  fs.writeFileSync(configPath, `${JSON.stringify(normalizedConfig, null, 2)}\n`);
+  fs.writeFileSync(configPath, `${JSON.stringify(normalizedConfig, null, 2)}\n`, {
+    mode: 0o600,
+  });
+  fs.chmodSync(configPath, 0o600);
+}
+
+function assertConfigWritable() {
+  const configPath = getConfigPath();
+  const configDir = path.dirname(configPath);
+  fs.mkdirSync(configDir, { recursive: true });
+  const probePath = path.join(configDir, `.socialseal-write-test-${process.pid}-${Date.now()}`);
+  try {
+    fs.writeFileSync(probePath, '', { mode: 0o600 });
+    fs.unlinkSync(probePath);
+  } catch (error) {
+    try {
+      if (fs.existsSync(probePath)) fs.unlinkSync(probePath);
+    } catch {
+      // best effort cleanup only
+    }
+    throw new CliError(`Cannot write SocialSeal config at ${configPath}.`, {
+      code: 'CONFIG_NOT_WRITABLE',
+      exitCode: EXIT_CODES.USAGE,
+      hint: 'Set SOCIALSEAL_CONFIG to a writable path, or set SOCIALSEAL_API_KEY manually.',
+      details: error?.message || String(error),
+    });
+  }
 }
 
+
 function resolveApiKey(opts, config) {
   return opts.apiKey || process.env.SOCIALSEAL_API_KEY || config.apiKey;
 }
@@ -1037,6 +1066,10 @@ function resolveSupabaseUrl(opts, config) {
   return opts.supabaseUrl || process.env.SOCIALSEAL_SUPABASE_URL || config.supabaseUrl;
 }
 
+function resolveWebBase(opts = {}, config = {}) {
+  return opts.webBase || process.env.SOCIALSEAL_WEB_BASE || config.webBase || DEFAULT_WEB_BASE;
+}
+
 function resolveWorkspaceSelection(opts, config) {
   if (typeof opts.workspaceId === 'string' && opts.workspaceId.trim().length > 0) {
     return { workspaceId: opts.workspaceId.trim(), source: 'flag' };
@@ -3149,7 +3182,9 @@ function buildStatusHint(status, context = {}) {
   switch (status) {
     case 401:
     case 403:
-      return 'Check your CLI key and workspace access.';
+      return 'Authentication failed. Run `socialseal login`, or check your CLI key and workspace access.';
+    case 402:
+      return 'Your free credits or quota may be exhausted. Run `socialseal billing` to open billing and credits options.';
     case 404:
       if (context.functionName) {
         if (isLocallyDisabledByDefaultFunction(context.functionName)) {
@@ -3163,6 +3198,9 @@ function buildStatusHint(status, context = {}) {
     case 422:
       return 'Validation error. Review the JSON payload schema. For tracking/group tools, prefer the CLI action aliases or the documented REST semantics.';
     default:
+      if (context.billingRelated) {
+        return 'Run `socialseal billing` to open billing and credits options.';
+      }
       return null;
   }
 }
@@ -3189,7 +3227,9 @@ async function buildHttpError(res, context = {}) {
 
   const label = context.label || 'Request';
   const statusText = res.statusText ? ` ${res.statusText}` : '';
-  const hint = context.hint || buildStatusHint(status, context);
+  const serializedDetails = typeof details === 'string' ? details : JSON.stringify(details);
+  const billingRelated = /\b(credit|credits|quota|billing|entitlement|payment|plan)\b/i.test(serializedDetails || '');
+  const hint = context.hint || buildStatusHint(status, { ...context, billingRelated });
 
   return new CliError(`${label} failed: ${status}${statusText}`.trim(), {
     code: 'HTTP_ERROR',
@@ -3673,9 +3713,10 @@ function coerceCliError(err, fallbackMessage = 'Command failed') {
 function requireApiKey(opts, config) {
   const apiKey = resolveApiKey(opts, config);
   if (!apiKey) {
-    throw new CliError('Missing API key. Set SOCIALSEAL_API_KEY or --api-key.', {
+    throw new CliError('Missing API key. Run `socialseal login` to connect this CLI.', {
       code: 'MISSING_API_KEY',
-      exitCode: EXIT_CODES.USAGE,
+      exitCode: EXIT_CODES.AUTH,
+      hint: 'Run `socialseal login`, or set SOCIALSEAL_API_KEY if you already have a key.',
     });
   }
   return apiKey;
@@ -5229,6 +5270,258 @@ async function handleVideoQueueAnalysis(opts) {
   emitJsonOutput(payload, opts.pretty);
 }
 
+function maskApiKey(apiKey) {
+  const key = typeof apiKey === 'string' ? apiKey.trim() : '';
+  if (!key) return null;
+  return `…${key.slice(-6)}`;
+}
+
+function openBrowser(url, onError) {
+  const platform = process.platform;
+  const command = platform === 'darwin'
+    ? 'open'
+    : platform === 'win32'
+      ? 'cmd'
+      : 'xdg-open';
+  const args = platform === 'win32' ? ['/c', 'start', '', url] : [url];
+  const child = spawn(command, args, {
+    detached: true,
+    stdio: 'ignore',
+  });
+  child.on('error', (error) => {
+    if (typeof onError === 'function') onError(error);
+  });
+  child.unref();
+}
+
+async function callPublicApi({ apiBase, path: requestPath, method = 'POST', body, timeoutMs }) {
+  if (!apiBase) {
+    throw new CliError('Missing API base. Set SOCIALSEAL_API_BASE or --api-base.', {
+      code: 'MISSING_API_BASE',
+      exitCode: EXIT_CODES.USAGE,
+    });
+  }
+  const normalizedMethod = normalizeMethod(method);
+  const url = `${apiBase.replace(/\/$/, '')}${requestPath.startsWith('/') ? requestPath : `/${requestPath}`}`;
+  const hasBody = body !== undefined && normalizedMethod !== 'GET' && normalizedMethod !== 'HEAD';
+  return fetchWithTimeout(url, {
+    method: normalizedMethod,
+    headers: {
+      Accept: 'application/json',
+      ...(hasBody ? { 'Content-Type': 'application/json' } : {}),
+    },
+    body: hasBody ? JSON.stringify(body ?? {}) : undefined,
+  }, timeoutMs ?? DEFAULT_TIMEOUT_MS);
+}
+
+async function readJsonResponse(res, label) {
+  const contentType = res.headers.get('content-type') || '';
+  if (!contentType.includes('application/json')) {
+    throw new CliError(`${label} returned a non-JSON response.`, {
+      code: 'INVALID_RESPONSE',
+      exitCode: EXIT_CODES.SERVER,
+    });
+  }
+  return res.json();
+}
+
+async function handleLogin(opts) {
+  const config = loadConfig();
+  const apiBase = resolveApiBase(opts, config) || DEFAULT_API_BASE;
+  const timeoutMs = resolveTimeoutMs(opts, config);
+  assertConfigWritable();
+  const authorizeRes = await callPublicApi({
+    apiBase,
+    path: '/cli/device/authorize',
+    body: {
+      clientId: '@socialseal/cli',
+      clientName: 'SocialSeal CLI',
+      scopes: { cli: true },
+    },
+    timeoutMs,
+  });
+
+  if (!authorizeRes.ok) {
+    throw await buildHttpError(authorizeRes, { label: 'Device authorization start' });
+  }
+
+  const authorizePayload = await readJsonResponse(authorizeRes, 'Device authorization start');
+  const verificationUrl = authorizePayload.verification_uri_complete || authorizePayload.verification_uri;
+  const deviceCode = authorizePayload.device_code;
+  const userCode = authorizePayload.user_code;
+  if (!verificationUrl || !deviceCode || !userCode) {
+    throw new CliError('Device authorization start returned an incomplete response.', {
+      code: 'INVALID_RESPONSE',
+      exitCode: EXIT_CODES.SERVER,
+    });
+  }
+
+  if (!opts.json) {
+    process.stdout.write(`[socialseal] Open this URL to approve login: ${verificationUrl}\n`);
+    process.stdout.write(`[socialseal] Confirm code: ${userCode}\n`);
+  }
+
+  if (opts.open !== false) {
+    openBrowser(String(verificationUrl), (error) => {
+      if (opts.verbose) {
+        process.stderr.write(`[socialseal] Could not open browser automatically: ${error.message || error}\n`);
+      }
+    });
+  }
+
+  const startedAt = Date.now();
+  let intervalMs = Math.max(1000, Number(authorizePayload.interval || 5) * 1000);
+  if (opts.pollInterval) {
+    intervalMs = parseTimeoutMs(opts.pollInterval, { defaultValue: intervalMs, label: 'poll interval' });
+  }
+
+  while (Date.now() - startedAt < timeoutMs) {
+    await sleep(intervalMs);
+    const tokenRes = await callPublicApi({
+      apiBase,
+      path: '/cli/device/token',
+      body: { device_code: deviceCode },
+      timeoutMs: Math.max(1000, timeoutMs - (Date.now() - startedAt)),
+    });
+    const tokenPayload = await readJsonResponse(tokenRes, 'Device token poll');
+
+    if (tokenRes.ok) {
+      const apiKey = typeof tokenPayload.api_key === 'string' ? tokenPayload.api_key : '';
+      if (!apiKey) {
+        throw new CliError('Device token poll returned no API key.', {
+          code: 'INVALID_RESPONSE',
+          exitCode: EXIT_CODES.SERVER,
+        });
+      }
+
+      const workspaceId = typeof tokenPayload.workspace_id === 'string' ? tokenPayload.workspace_id : config.workspaceId;
+      saveConfig({
+        ...config,
+        apiBase,
+        apiKey,
+        workspaceId,
+      });
+
+      const payload = {
+        success: true,
+        apiBase,
+        keySuffix: apiKey.slice(-6),
+        key: maskApiKey(apiKey),
+        workspaceId: workspaceId || null,
+        configPath: getConfigPath(),
+      };
+      if (opts.json) {
+        process.stdout.write(JSON.stringify(payload, null, opts.pretty ? 2 : 0) + '\n');
+        return;
+      }
+
+      process.stdout.write(`[socialseal] Login complete. Stored key ${maskApiKey(apiKey)} in ${getConfigPath()}\n`);
+      if (workspaceId) {
+        process.stdout.write(`[socialseal] Default workspace set to ${workspaceId}\n`);
+      }
+      return;
+    }
+
+    if (tokenPayload?.error === 'authorization_pending') {
+      if (!opts.json) process.stdout.write('[socialseal] Waiting for browser approval…\n');
+      continue;
+    }
+    if (tokenPayload?.error === 'slow_down') {
+      intervalMs = Math.min(intervalMs + 5000, 60000);
+      continue;
+    }
+
+    throw await buildHttpError(new Response(JSON.stringify(tokenPayload), {
+      status: tokenRes.status,
+      statusText: tokenRes.statusText,
+      headers: { 'Content-Type': 'application/json' },
+    }), { label: 'Device token poll' });
+  }
+
+  throw new CliError('Timed out waiting for browser approval.', {
+    code: 'DEVICE_LOGIN_TIMEOUT',
+    exitCode: EXIT_CODES.AUTH,
+    hint: 'Run `socialseal login` again when you are ready to approve in the browser.',
+  });
+}
+
+function handleLogout(opts) {
+  const config = loadConfig();
+  const hadApiKey = Boolean(resolveApiKey({}, config));
+  const nextConfig = { ...config };
+  delete nextConfig.apiKey;
+  saveConfig(nextConfig);
+
+  const payload = {
+    success: true,
+    removedLocalKey: hadApiKey,
+    configPath: getConfigPath(),
+  };
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(payload, null, opts.pretty ? 2 : 0) + '\n');
+    return;
+  }
+  process.stdout.write('[socialseal] Logged out locally. Any server-side key remains revocable from SocialSeal settings.\n');
+}
+
+async function handleWhoami(opts) {
+  const config = loadConfig();
+  const apiKey = requireApiKey(opts, config);
+  const apiBase = resolveApiBase(opts, config);
+  const { resolvedApiBase } = resolveApiTarget({ apiBase, legacyUrl: null });
+  const timeoutMs = resolveTimeoutMs(opts, config);
+  const directory = await fetchWorkspaceDirectory({
+    apiBase: resolvedApiBase,
+    apiKey,
+    timeoutMs,
+  });
+  const selection = resolveWorkspaceSelection({}, config);
+  const workspaces = Array.isArray(directory.workspaces) ? directory.workspaces : [];
+  const workspace = selection.workspaceId
+    ? workspaces.find((entry) => entry.id === selection.workspaceId) || null
+    : null;
+  const payload = {
+    authenticated: true,
+    apiBase: resolvedApiBase,
+    key: maskApiKey(apiKey),
+    keySuffix: apiKey.slice(-6),
+    effectiveWorkspaceId: selection.workspaceId,
+    effectiveWorkspaceSource: selection.source,
+    workspace,
+    workspaceCount: workspaces.length,
+  };
+
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(payload, null, opts.pretty ? 2 : 0) + '\n');
+    return;
+  }
+
+  process.stdout.write(`[socialseal] Authenticated with key ${maskApiKey(apiKey)}\n`);
+  if (workspace) {
+    process.stdout.write(`[socialseal] Workspace: ${workspace.name} (${workspace.id})\n`);
+  } else if (directory.defaultWorkspaceId) {
+    process.stdout.write(`[socialseal] Suggested workspace: ${directory.defaultWorkspaceId}\n`);
+  }
+}
+
+function handleBilling(opts) {
+  const config = loadConfig();
+  const webBase = resolveWebBase(opts, config);
+  const billingUrl = `${webBase.replace(/\/$/, '')}/settings/billing`;
+  const payload = {
+    billingUrl,
+    note: 'SocialSeal starts on the free tier. Use billing only when credits or quotas are exhausted.',
+  };
+
+  if (opts.json) {
+    process.stdout.write(JSON.stringify(payload, null, opts.pretty ? 2 : 0) + '\n');
+    return;
+  }
+
+  process.stdout.write(`[socialseal] Billing and credits: ${billingUrl}\n`);
+  process.stdout.write('[socialseal] SocialSeal starts on the free tier. Add billing only when you need more capacity.\n');
+}
+
 async function handleWorkspaceList(opts) {
   const config = loadConfig();
   const apiKey = requireApiKey(opts, config);
@@ -5388,7 +5681,47 @@ if (typeof program.showHelpAfterError === 'function') {
 if (typeof program.showSuggestionAfterError === 'function') {
   program.showSuggestionAfterError(true);
 }
-program.addHelpText('after', `\nExamples:\n  socialseal workspace list\n  socialseal workspace use <workspace-id>\n  socialseal agent run --message "ping"\n  socialseal tools list\n  socialseal tools schema --function search-journey-run\n  socialseal tools call --function <tool> --body @payload.json\n  socialseal tools status 6809 --kind google_ai_run\n  socialseal tools status <run-uuid> --kind journey_run --workspace-id <uuid>\n  socialseal video queue-analysis --video-id 734829384 --workspace-id <uuid>\n  socialseal video extract --video-id 734829384 --wait --out-dir ./video-assets\n  socialseal data export-options\n  socialseal data export-tracking --group-id 123 --time-period 30d\n  socialseal data export-search-results --group-ids 123,124 --workspace-id <uuid> --out ranked.csv\n  socialseal data export-group-evidence --group-id 123 --workspace-id <uuid> --out evidence.csv\n`);
+program.addHelpText('after', `\nExamples:\n  socialseal login\n  socialseal whoami\n  socialseal workspace list\n  socialseal workspace use <workspace-id>\n  socialseal agent run --message "ping"\n  socialseal tools list\n  socialseal tools schema --function search-journey-run\n  socialseal tools call --function <tool> --body @payload.json\n  socialseal tools status 6809 --kind google_ai_run\n  socialseal tools status <run-uuid> --kind journey_run --workspace-id <uuid>\n  socialseal video queue-analysis --video-id 734829384 --workspace-id <uuid>\n  socialseal video extract --video-id 734829384 --wait --out-dir ./video-assets\n  socialseal data export-options\n  socialseal data export-tracking --group-id 123 --time-period 30d\n  socialseal data export-search-results --group-ids 123,124 --workspace-id <uuid> --out ranked.csv\n  socialseal data export-group-evidence --group-id 123 --workspace-id <uuid> --out evidence.csv\n`);
+
+program
+  .command('login')
+  .description('Start browser-based device login and store a local CLI key')
+  .option('--api-base <url>', 'API base URL (default https://api.socialseal.co)')
+  .option('--no-open', 'Print the approval URL without opening a browser')
+  .option('--json', 'Emit machine-readable output')
+  .option('--pretty', 'Pretty-print JSON')
+  .option('--timeout <ms>', 'Overall login timeout in milliseconds')
+  .option('--poll-interval <ms>', 'Polling interval in milliseconds')
+  .option('--verbose', 'Show error details')
+  .action((opts) => runCommand(handleLogin, opts));
+
+program
+  .command('logout')
+  .description('Remove the locally stored SocialSeal CLI key')
+  .option('--json', 'Emit machine-readable output')
+  .option('--pretty', 'Pretty-print JSON')
+  .option('--verbose', 'Show error details')
+  .action((opts) => runCommand(handleLogout, opts));
+
+program
+  .command('whoami')
+  .description('Show the current SocialSeal CLI authentication and workspace')
+  .option('--api-base <url>', 'API base URL (default https://api.socialseal.co)')
+  .option('--api-key <key>', 'CLI API key')
+  .option('--json', 'Emit machine-readable output')
+  .option('--pretty', 'Pretty-print JSON')
+  .option('--timeout <ms>', 'Request timeout in milliseconds')
+  .option('--verbose', 'Show error details')
+  .action((opts) => runCommand(handleWhoami, opts));
+
+program
+  .command('billing')
+  .description('Show where to manage SocialSeal billing and credits')
+  .option('--web-base <url>', 'Web app base URL')
+  .option('--json', 'Emit machine-readable output')
+  .option('--pretty', 'Pretty-print JSON')
+  .option('--verbose', 'Show error details')
+  .action((opts) => runCommand(handleBilling, opts));
 
 program
   .command('agent')