@sprigr/cli 0.1.2

package/README.md

@@ -0,0 +1,84 @@
+# @sprigr/cli
+
+Sprigr Team CLI — deploy static sites and Next.js apps to **Sprigr Tenant Hosting** from your terminal.
+
+## Install
+
+```bash
+npm install -g @sprigr/cli
+# or run without installing
+npx @sprigr/cli --help
+```
+
+Requires Node.js **20+**.
+
+## Quick start
+
+```bash
+# 1. Get an API key from https://team.sprigr.com → Settings → API keys
+export SPRIGR_API_KEY=sk_...
+
+# 2. Deploy a static site
+sprigr deploy my-site --dir ./public
+
+# 3. Or deploy a Next.js app (built with @opennextjs/cloudflare)
+sprigr deploy my-app --dir ./.open-next --framework next
+```
+
+## Commands
+
+### `sprigr deploy <siteId> --dir <dir>`
+
+Bundle a directory and deploy it as a new build for the given website.
+
+| Flag | Description | Default |
+| --- | --- | --- |
+| `--dir <path>` | Directory to bundle | required |
+| `--framework <static\|next\|astro\|remix>` | Framework hint | `static` |
+| `--endpoint <url>` | API endpoint override | `https://api.team.sprigr.com` |
+| `--api-key <key>` | API key (overrides env) | from `SPRIGR_API_KEY` |
+
+The CLI streams progress and prints the build id. Use `sprigr builds get` to follow status, or watch the portal's Builds panel.
+
+### `sprigr builds list <siteId>`
+
+List recent builds for a site.
+
+| Flag | Description | Default |
+| --- | --- | --- |
+| `--limit <N>` | Number of rows | `20` |
+
+### `sprigr builds get <siteId> <buildId>`
+
+Fetch a single build's status, including logs once available.
+
+## Environment variables
+
+| Variable | Purpose |
+| --- | --- |
+| `SPRIGR_API_KEY` | Authentication. Create one in the portal. |
+| `SPRIGR_ENDPOINT` | API endpoint. Accepts a full URL, or the shortcuts `staging` / `prod`. |
+
+## How deploys work
+
+1. The CLI tarballs your `--dir` (gzip).
+2. It POSTs to the Sprigr Team **provisioning** worker, which enqueues a build job.
+3. The build farm container picks it up, runs the framework adapter (no-op for `static`, `@opennextjs/cloudflare build` for `next`), and streams output back.
+4. On success the bundle is uploaded to **Workers for Platforms** for SSR sites or to **R2 + website-serve** for static, then the site's production deployment pointer flips atomically.
+
+Static sites are billed by request count; SSR sites are billed by request count + container-seconds during the build. Plan limits (max sites, retention, custom domains) are enforced at deploy time.
+
+## Roadmap
+
+- PKCE login (`sprigr login`) so you don't need to copy an API key from the portal.
+- Binary file support in the bundler (currently text + UTF-8 only).
+- `sprigr logs <buildId> --follow` for live tailing.
+
+## Links
+
+- Sprigr — <https://sprigr.com>
+- Issues — <https://github.com/greben99/sprigr-team/issues>
+
+## License
+
+MIT

package/dist/api.d.ts

@@ -0,0 +1,234 @@
+/**
+ * Thin HTTP client for the Sprigr public API. All routes go through the
+ * gateway (`/api/v1/...`), authenticated by the same `sk_mcp_*` Bearer
+ * token the MCP layer accepts. The gateway resolves the key to a
+ * `companyId` and rewrites the path to `/api/data/...` before forwarding
+ * to the provisioning worker.
+ */
+/**
+ * Wire shape for an individual file in a build manifest. UTF-8 text files
+ * ride as bare strings (back-compat); binary files (images, fonts, etc.)
+ * ride as `{ encoding: 'base64', content }`. The server enforces the same
+ * 5 MiB-per-file cap on decoded bytes regardless of variant.
+ */
+export type SourceFile = string | {
+    encoding: 'base64';
+    content: string;
+};
+export interface ApiClientOptions {
+    endpoint: string;
+    apiKey: string;
+    /** Override the global fetch — useful for tests. */
+    fetchImpl?: typeof fetch;
+}
+export interface BuildSummary {
+    id: string;
+    status: 'pending' | 'running' | 'succeeded' | 'failed' | 'cancelled' | 'timeout';
+    framework: string | null;
+    source: string;
+    deploymentId: string | null;
+    containerSeconds: number | null;
+    durationMs: number | null;
+    errorSummary: string | null;
+    /** R2 key for the captured stdout/stderr. Null for static builds (no
+     *  shell-out) and for early-failure builds where the container never
+     *  responded. Pass through `getBuildLog` to fetch the bytes. */
+    logR2Key: string | null;
+    startedAt: string | null;
+    finishedAt: string | null;
+    createdAt: string;
+}
+export declare class ApiError extends Error {
+    readonly status: number;
+    readonly body?: unknown | undefined;
+    constructor(status: number, message: string, body?: unknown | undefined);
+}
+export declare class ApiClient {
+    private readonly endpoint;
+    private readonly apiKey;
+    private readonly fetchImpl;
+    constructor(opts: ApiClientOptions);
+    /** POST /api/v1/data/websites/:siteId/builds */
+    startBuild(args: {
+        siteId: string;
+        files: Record<string, SourceFile>;
+        framework?: 'static' | 'next' | 'astro' | 'remix';
+        source?: 'upload' | 'cli' | 'agent';
+    }): Promise<{
+        buildId: string;
+        status: string;
+        framework: string;
+        source: string;
+    }>;
+    /**
+     * POST /api/v1/data/marketplace/apps/publish
+     *
+     * Publish a new version of a marketplace app. The body carries the
+     * parsed manifest separately from the bundle so the server doesn't
+     * re-parse the bundle to route the build. Server re-runs all the
+     * validators a second time (defence in depth) and returns the new
+     * version + an optional buildId when SSR builds are queued.
+     */
+    publishMarketplaceApp(args: {
+        manifest: unknown;
+        files: Record<string, SourceFile>;
+    }): Promise<{
+        slug: string;
+        version: string;
+        appId: string;
+        versionId: string;
+        buildId: string | null;
+        /**
+         * Auto-upgrade fan-out outcome. Present on every publish into an existing
+         * app; omitted for the new-app branch (no installs to fan out to). When
+         * `failed > 0` the publisher should expect some installs are pinned to
+         * the new version but still serving the old WFP bundle — recover with
+         * `sprigr app upgrade <slug> --force` on those tenants, or grep
+         * system_logs AE for `marketplace.upgrade.fanout_failed` /
+         * `marketplace.upgrade.fanout_threw` by `app_slug`.
+         */
+        fanout?: {
+            upgraded: number;
+            skipped: number;
+            failed: number;
+            threw?: string;
+        };
+    }>;
+    /**
+     * POST /api/v1/data/apps/:slug/install/upgrade
+     *
+     * Manually upgrade this company's install of `appSlug` to the latest
+     * approved version. Bumps `pinned_version_id` and enqueues a fresh
+     * build via `enqueueBuildForMarketplaceVersion`, so the per-install
+     * WFP script picks up the new bundle. Returns the `buildId` for
+     * status polling.
+     *
+     * Idempotent — returns HTTP 400 "Already on latest version" if the
+     * install is already pinned to current_version (unless `force=true`).
+     * Integration/tool kind only; agent templates use a different update
+     * path.
+     *
+     * Use this to recover from a silent publish-fanout enqueue failure
+     * (the symptom: a fresh version exists but no build with
+     * `triggeredBy: 'publish-fanout'` appears in the install's
+     * website_status after publish). Pass `force=true` when the pin
+     * already moved but no build deployed — the endpoint will re-run
+     * `applyMarketplaceInstallUpgrade` to re-enqueue the build.
+     */
+    upgradeMarketplaceInstall(args: {
+        appSlug: string;
+        /** Bypass the "Already on latest version" guard. See doc above. */
+        force?: boolean;
+    }): Promise<{
+        ok: true;
+        installationId: string;
+        oldVersionId: string | null;
+        newVersionId: string;
+        newVersion: string;
+        buildId: string;
+    }>;
+    /**
+     * DELETE /api/v1/data/apps/:slug
+     *
+     * Hard-deletes a marketplace app + all its versions + any leftover
+     * install rows owned by the publisher. Releases the slug so it can be
+     * republished under a different publisher. Only the current publisher
+     * can call this (server-side check on company_id).
+     *
+     * Use case: migrating an app between publishers (e.g. personal
+     * staging tenant -> sprigr-hq). Walk the runbook at
+     * sprigr-apps/docs/migrate-app-publisher.md; uninstall on every
+     * installer tenant first, THEN delete from the old publisher, THEN
+     * re-publish under the new publisher.
+     *
+     * Returns `{ ok: true }` on success. 403 if the calling profile is
+     * not the current publisher. 404 if the slug doesn't exist.
+     */
+    deleteMarketplaceApp(args: {
+        appSlug: string;
+    }): Promise<{
+        ok: true;
+    }>;
+    /**
+     * POST /api/v1/data/apps/:slug/install
+     *
+     * Install a marketplace app on the calling tenant. Body shape is
+     * snake_case (granted_scopes, install_secrets); camelCase parses but
+     * the server silently ignores unknown keys and then 400s with
+     * "Missing required secrets: ..." — the publisher-migration footgun
+     * documented in sprigr-apps/docs/migrate-app-publisher.md.
+     *
+     * `grantedScopes` MUST be a subset of manifest.permissions.scopes.
+     * `installSecrets` keys MUST appear in manifest.secrets[]; every
+     * `required: true` entry must be present and non-empty.
+     *
+     * Returns the install row id + the per-install website + the
+     * triggered build id (for SSR apps).
+     */
+    /**
+     * POST /api/v1/data/apps/:slug/share
+     *
+     * Generate a share token + auto-bump trust_tier from `private` to
+     * `shared` so other tenants in the same env can install the app
+     * without the publisher's credentials. Publisher-only — 404 if the
+     * caller doesn't own the app.
+     *
+     * Calling again rotates the token (the previous one stops working)
+     * but the trust_tier stays at whatever it already is — only the
+     * private→shared promotion happens automatically.
+     */
+    shareMarketplaceApp(args: {
+        appSlug: string;
+    }): Promise<{
+        share_token: string;
+        share_url: string;
+    }>;
+    installMarketplaceApp(args: {
+        appSlug: string;
+        grantedScopes: string[];
+        installSecrets?: Record<string, string>;
+        agentIds?: string[] | null;
+        config?: Record<string, unknown>;
+    }): Promise<{
+        installation: {
+            id: string;
+            integration_id?: string;
+            website_id?: string | null;
+            website_slug?: string | null;
+            build_id?: string | null;
+        };
+    }>;
+    /**
+     * POST /api/v1/data/apps/:slug/publisher-secrets
+     *
+     * Seed or rotate the publisher-provided secret bag on the app row.
+     * Auth: caller must be the app's publisher. Plaintext values are
+     * never returned — `updated_keys` and `total_keys` confirm what
+     * landed without revealing values.
+     */
+    setMarketplaceAppPublisherSecrets(args: {
+        appSlug: string;
+        secrets: Record<string, string>;
+    }): Promise<{
+        ok: true;
+        updated_keys: string[];
+        total_keys: number;
+    }>;
+    /** GET /api/v1/data/websites/:siteId/builds */
+    listBuilds(siteId: string, limit?: number): Promise<{
+        builds: BuildSummary[];
+    }>;
+    /** GET /api/v1/data/websites/:siteId/builds/:buildId */
+    getBuild(siteId: string, buildId: string): Promise<{
+        build: BuildSummary;
+    }>;
+    /**
+     * GET /api/v1/data/websites/:siteId/builds/:buildId/log
+     *
+     * Returns the captured stdout/stderr as plain text, or `null` when the
+     * server reports no log exists (404). Other failures throw `ApiError`
+     * so the caller can distinguish "no log" from "unreachable".
+     */
+    getBuildLog(siteId: string, buildId: string): Promise<string | null>;
+    private request;
+}

package/dist/api.js

@@ -0,0 +1,220 @@
+/**
+ * Thin HTTP client for the Sprigr public API. All routes go through the
+ * gateway (`/api/v1/...`), authenticated by the same `sk_mcp_*` Bearer
+ * token the MCP layer accepts. The gateway resolves the key to a
+ * `companyId` and rewrites the path to `/api/data/...` before forwarding
+ * to the provisioning worker.
+ */
+export class ApiError extends Error {
+    status;
+    body;
+    constructor(status, message, body) {
+        super(message);
+        this.status = status;
+        this.body = body;
+        this.name = 'ApiError';
+    }
+}
+export class ApiClient {
+    endpoint;
+    apiKey;
+    fetchImpl;
+    constructor(opts) {
+        this.endpoint = opts.endpoint;
+        this.apiKey = opts.apiKey;
+        this.fetchImpl = opts.fetchImpl ?? fetch;
+    }
+    /** POST /api/v1/data/websites/:siteId/builds */
+    async startBuild(args) {
+        return this.request('POST', `/api/v1/data/websites/${encodeURIComponent(args.siteId)}/builds`, {
+            files: args.files,
+            framework: args.framework ?? 'static',
+            source: args.source ?? 'cli',
+        });
+    }
+    /**
+     * POST /api/v1/data/marketplace/apps/publish
+     *
+     * Publish a new version of a marketplace app. The body carries the
+     * parsed manifest separately from the bundle so the server doesn't
+     * re-parse the bundle to route the build. Server re-runs all the
+     * validators a second time (defence in depth) and returns the new
+     * version + an optional buildId when SSR builds are queued.
+     */
+    async publishMarketplaceApp(args) {
+        return this.request('POST', '/api/v1/data/marketplace/apps/publish', {
+            manifest: args.manifest,
+            files: args.files,
+        });
+    }
+    /**
+     * POST /api/v1/data/apps/:slug/install/upgrade
+     *
+     * Manually upgrade this company's install of `appSlug` to the latest
+     * approved version. Bumps `pinned_version_id` and enqueues a fresh
+     * build via `enqueueBuildForMarketplaceVersion`, so the per-install
+     * WFP script picks up the new bundle. Returns the `buildId` for
+     * status polling.
+     *
+     * Idempotent — returns HTTP 400 "Already on latest version" if the
+     * install is already pinned to current_version (unless `force=true`).
+     * Integration/tool kind only; agent templates use a different update
+     * path.
+     *
+     * Use this to recover from a silent publish-fanout enqueue failure
+     * (the symptom: a fresh version exists but no build with
+     * `triggeredBy: 'publish-fanout'` appears in the install's
+     * website_status after publish). Pass `force=true` when the pin
+     * already moved but no build deployed — the endpoint will re-run
+     * `applyMarketplaceInstallUpgrade` to re-enqueue the build.
+     */
+    async upgradeMarketplaceInstall(args) {
+        return this.request('POST', `/api/v1/data/apps/${encodeURIComponent(args.appSlug)}/install/upgrade`, args.force ? { force: true } : {});
+    }
+    /**
+     * DELETE /api/v1/data/apps/:slug
+     *
+     * Hard-deletes a marketplace app + all its versions + any leftover
+     * install rows owned by the publisher. Releases the slug so it can be
+     * republished under a different publisher. Only the current publisher
+     * can call this (server-side check on company_id).
+     *
+     * Use case: migrating an app between publishers (e.g. personal
+     * staging tenant -> sprigr-hq). Walk the runbook at
+     * sprigr-apps/docs/migrate-app-publisher.md; uninstall on every
+     * installer tenant first, THEN delete from the old publisher, THEN
+     * re-publish under the new publisher.
+     *
+     * Returns `{ ok: true }` on success. 403 if the calling profile is
+     * not the current publisher. 404 if the slug doesn't exist.
+     */
+    async deleteMarketplaceApp(args) {
+        return this.request('DELETE', `/api/v1/data/apps/${encodeURIComponent(args.appSlug)}`);
+    }
+    /**
+     * POST /api/v1/data/apps/:slug/install
+     *
+     * Install a marketplace app on the calling tenant. Body shape is
+     * snake_case (granted_scopes, install_secrets); camelCase parses but
+     * the server silently ignores unknown keys and then 400s with
+     * "Missing required secrets: ..." — the publisher-migration footgun
+     * documented in sprigr-apps/docs/migrate-app-publisher.md.
+     *
+     * `grantedScopes` MUST be a subset of manifest.permissions.scopes.
+     * `installSecrets` keys MUST appear in manifest.secrets[]; every
+     * `required: true` entry must be present and non-empty.
+     *
+     * Returns the install row id + the per-install website + the
+     * triggered build id (for SSR apps).
+     */
+    /**
+     * POST /api/v1/data/apps/:slug/share
+     *
+     * Generate a share token + auto-bump trust_tier from `private` to
+     * `shared` so other tenants in the same env can install the app
+     * without the publisher's credentials. Publisher-only — 404 if the
+     * caller doesn't own the app.
+     *
+     * Calling again rotates the token (the previous one stops working)
+     * but the trust_tier stays at whatever it already is — only the
+     * private→shared promotion happens automatically.
+     */
+    async shareMarketplaceApp(args) {
+        return this.request('POST', `/api/v1/data/apps/${encodeURIComponent(args.appSlug)}/share`, {});
+    }
+    async installMarketplaceApp(args) {
+        const body = { granted_scopes: args.grantedScopes };
+        if (args.installSecrets)
+            body.install_secrets = args.installSecrets;
+        if (args.agentIds !== undefined)
+            body.agent_ids = args.agentIds;
+        if (args.config !== undefined)
+            body.config = args.config;
+        return this.request('POST', `/api/v1/data/apps/${encodeURIComponent(args.appSlug)}/install`, body);
+    }
+    /**
+     * POST /api/v1/data/apps/:slug/publisher-secrets
+     *
+     * Seed or rotate the publisher-provided secret bag on the app row.
+     * Auth: caller must be the app's publisher. Plaintext values are
+     * never returned — `updated_keys` and `total_keys` confirm what
+     * landed without revealing values.
+     */
+    async setMarketplaceAppPublisherSecrets(args) {
+        return this.request('POST', `/api/v1/data/apps/${encodeURIComponent(args.appSlug)}/publisher-secrets`, { secrets: args.secrets });
+    }
+    /** GET /api/v1/data/websites/:siteId/builds */
+    async listBuilds(siteId, limit = 20) {
+        return this.request('GET', `/api/v1/data/websites/${encodeURIComponent(siteId)}/builds?limit=${limit}`);
+    }
+    /** GET /api/v1/data/websites/:siteId/builds/:buildId */
+    async getBuild(siteId, buildId) {
+        return this.request('GET', `/api/v1/data/websites/${encodeURIComponent(siteId)}/builds/${encodeURIComponent(buildId)}`);
+    }
+    /**
+     * GET /api/v1/data/websites/:siteId/builds/:buildId/log
+     *
+     * Returns the captured stdout/stderr as plain text, or `null` when the
+     * server reports no log exists (404). Other failures throw `ApiError`
+     * so the caller can distinguish "no log" from "unreachable".
+     */
+    async getBuildLog(siteId, buildId) {
+        const path = `/api/v1/data/websites/${encodeURIComponent(siteId)}/builds/${encodeURIComponent(buildId)}/log`;
+        const res = await this.fetchImpl(`${this.endpoint}${path}`, {
+            method: 'GET',
+            headers: {
+                Authorization: `Bearer ${this.apiKey}`,
+                Accept: 'text/plain, application/json',
+            },
+        });
+        if (res.status === 404)
+            return null;
+        const text = await res.text();
+        if (!res.ok) {
+            let parsed = text;
+            try {
+                parsed = text.length > 0 ? JSON.parse(text) : undefined;
+            }
+            catch { /* keep as text */ }
+            const p = parsed;
+            const message = typeof p === 'object' && p && typeof p.message === 'string'
+                ? p.message
+                : (typeof p === 'object' && p && typeof p.error === 'string'
+                    ? p.error
+                    : `HTTP ${res.status} ${res.statusText}`);
+            throw new ApiError(res.status, message, parsed);
+        }
+        return text;
+    }
+    async request(method, path, body) {
+        const headers = {
+            Authorization: `Bearer ${this.apiKey}`,
+            Accept: 'application/json',
+        };
+        let bodyText;
+        if (body !== undefined) {
+            headers['Content-Type'] = 'application/json';
+            bodyText = JSON.stringify(body);
+        }
+        const res = await this.fetchImpl(`${this.endpoint}${path}`, { method, headers, body: bodyText });
+        const text = await res.text();
+        let parsed;
+        try {
+            parsed = text.length > 0 ? JSON.parse(text) : undefined;
+        }
+        catch {
+            parsed = text;
+        }
+        if (!res.ok) {
+            const p = parsed;
+            const message = typeof p === 'object' && p && typeof p.message === 'string'
+                ? p.message
+                : (typeof p === 'object' && p && typeof p.error === 'string'
+                    ? p.error
+                    : `HTTP ${res.status} ${res.statusText}`);
+            throw new ApiError(res.status, message, parsed);
+        }
+        return parsed;
+    }
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAmCH,MAAM,OAAO,QAAS,SAAQ,KAAK;IACL;IAAiD;IAA7E,YAA4B,MAAc,EAAE,OAAe,EAAkB,IAAc;QACzF,KAAK,CAAC,OAAO,CAAC,CAAC;QADW,WAAM,GAAN,MAAM,CAAQ;QAAmC,SAAI,GAAJ,IAAI,CAAU;QAEzF,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;IACzB,CAAC;CACF;AAED,MAAM,OAAO,SAAS;IACH,QAAQ,CAAS;IACjB,MAAM,CAAS;IACf,SAAS,CAAe;IAEzC,YAAY,IAAsB;QAChC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAC3C,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,UAAU,CAAC,IAKhB;QACC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,yBAAyB,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;YAC7F,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,QAAQ;YACrC,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,KAAK;SAC7B,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,qBAAqB,CAAC,IAG3B;QAiBC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,uCAAuC,EAAE;YACnE,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,KAAK,CAAC,yBAAyB,CAAC,IAI/B;QACC,OAAO,IAAI,CAAC,OAAO,CACjB,MAAM,EACN,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,kBAAkB,EACvE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAClC,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,oBAAoB,CAAC,IAAyB;QAClD,OAAO,IAAI,CAAC,OAAO,CACjB,QAAQ,EACR,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACxD,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,mBAAmB,CAAC,IAAyB;QACjD,OAAO,IAAI,CAAC,OAAO,CACjB,MAAM,EACN,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAC7D,EAAE,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,IAM3B;QASC,MAAM,IAAI,GAA4B,EAAE,cAAc,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC;QAC7E,IAAI,IAAI,CAAC,cAAc;YAAE,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC;QACpE,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;QAChE,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;YAAE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QACzD,OAAO,IAAI,CAAC,OAAO,CACjB,MAAM,EACN,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAC/D,IAAI,CACL,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,iCAAiC,CAAC,IAGvC;QACC,OAAO,IAAI,CAAC,OAAO,CACjB,MAAM,EACN,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,EACzE,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAC1B,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,UAAU,CAAC,MAAc,EAAE,KAAK,GAAG,EAAE;QACzC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,kBAAkB,CAAC,MAAM,CAAC,iBAAiB,KAAK,EAAE,CAAC,CAAC;IAC1G,CAAC;IAED,wDAAwD;IACxD,KAAK,CAAC,QAAQ,CAAC,MAAc,EAAE,OAAe;QAC5C,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,kBAAkB,CAAC,MAAM,CAAC,WAAW,kBAAkB,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1H,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,OAAe;QAC/C,MAAM,IAAI,GAAG,yBAAyB,kBAAkB,CAAC,MAAM,CAAC,WAAW,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC;QAC7G,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,QAAQ,GAAG,IAAI,EAAE,EAAE;YAC1D,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;gBACtC,MAAM,EAAE,8BAA8B;aACvC;SACF,CAAC,CAAC;QACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,IAAI,MAAM,GAAY,IAAI,CAAC;YAC3B,IAAI,CAAC;gBAAC,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;YAC7F,MAAM,CAAC,GAAG,MAA6C,CAAC;YACxD,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;gBACzE,CAAC,CAAC,CAAC,CAAC,OAAO;gBACX,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ;oBACxD,CAAC,CAAC,CAAC,CAAC,KAAK;oBACT,CAAC,CAAC,QAAQ,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;YAChD,MAAM,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,MAAc,EAAE,IAAY,EAAE,IAAc;QACnE,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;YACtC,MAAM,EAAE,kBAAkB;SAC3B,CAAC;QACF,IAAI,QAA4B,CAAC;QACjC,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;YAC7C,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,QAAQ,GAAG,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACjG,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,IAAI,MAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,CAAC,GAAG,MAA6C,CAAC;YACxD,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ;gBACzE,CAAC,CAAC,CAAC,CAAC,OAAO;gBACX,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,IAAI,OAAO,CAAC,CAAC,KAAK,KAAK,QAAQ;oBACxD,CAAC,CAAC,CAAC,CAAC,KAAK;oBACT,CAAC,CAAC,QAAQ,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;YAChD,MAAM,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,MAAW,CAAC;IACrB,CAAC;CACF"}

package/dist/auth.d.ts

@@ -0,0 +1,103 @@
+/**
+ * Resolve the Sprigr API key.
+ *
+ * Resolution order:
+ *   1. `--api-key <key>` flag
+ *   2. `SPRIGR_API_KEY` env var
+ *   3. Credential file
+ *      - When `profile` is set:      `~/.config/sprigr/credentials/<profile>.json`
+ *      - Otherwise (legacy default):  `~/.config/sprigr/credentials.json`
+ *
+ * If none are set, returns null. Callers must surface a clear "run
+ * `sprigr login` or set SPRIGR_API_KEY" message rather than failing
+ * silently.
+ */
+export declare function resolveApiKey(opts: {
+    flag?: string;
+    profile?: string;
+}): string | null;
+/**
+ * Compute the credentials file path. Honors $XDG_CONFIG_HOME so users
+ * who customize their config layout still land in the right place;
+ * falls back to ~/.config/sprigr otherwise (Linux + macOS convention).
+ *
+ * When `profile` is given (e.g. `--profile staging` or `SPRIGR_PROFILE=...`),
+ * the file lives under `<config>/sprigr/credentials/<profile>.json` so
+ * multiple tenants can be logged in side-by-side without overwriting each
+ * other. When omitted, returns the legacy single-file path so existing
+ * setups keep working unchanged.
+ */
+export declare function credentialsFilePath(profile?: string): string;
+/**
+ * Profile names map to filenames on disk; reject anything that could
+ * escape the credentials directory or look like a path traversal. The
+ * regex below also doubles as a sanity check on length (max 64 chars).
+ */
+export declare function assertValidProfileName(name: string): void;
+/**
+ * Stored credentials. Only `apiKey` is required to authenticate; the
+ * rest is metadata the CLI surfaces to the user (e.g. `sprigr whoami`)
+ * and to make audit-style writes attributable.
+ */
+export interface StoredCredentials {
+    apiKey: string;
+    keyPrefix?: string;
+    keyId?: string;
+    companyId?: string;
+    userId?: string;
+    endpoint?: string;
+    /** ISO 8601 timestamp from when the file was written. */
+    loggedInAt: string;
+    /**
+     * The profile this credential set was saved under. Stamped on write
+     * so `sprigr whoami` can echo it back; never read for authentication
+     * (the disk path is the source of truth for which profile is active).
+     */
+    profile?: string;
+}
+/**
+ * Read the `endpoint` field from the credentials file written by
+ * `sprigr login`. Used by `resolveEndpoint` so a `--endpoint` passed
+ * to `login` sticks for subsequent commands in the same session
+ * without the user having to re-pass it (or export SPRIGR_ENDPOINT).
+ *
+ * Without this, `sprigr login --endpoint https://staging-api-team.sprigr.com`
+ * mints a key against staging, but the next `sprigr app publish` (no
+ * flag) sends that staging key to the prod gateway — which rejects it
+ * 401 because the key row only exists in the staging registry DB.
+ * The CLI then surfaces "HTTP 401 — Unauthorized" with no hint that
+ * the user is talking to the wrong env.
+ */
+export declare function readEndpointFromFileSync(profile?: string): string | null;
+/** Read the full credentials record (used by `whoami`). Returns null on miss. */
+export declare function readCredentialsSync(profile?: string): StoredCredentials | null;
+/**
+ * List every profile we have credentials for. Returns the literal names
+ * (sans .json suffix); when only the legacy single-file credentials exist
+ * the special name `'(default)'` is included so `sprigr whoami --all` can
+ * show it. Returns an empty array if nothing is logged in.
+ */
+export declare function listProfilesSync(): Array<{
+    name: string;
+    isLegacy: boolean;
+}>;
+/**
+ * Write credentials to disk with mode 0600 (owner read/write only).
+ * The directory is created with mode 0700 if it doesn't yet exist —
+ * sibling tools like `vercel`, `gh`, `wrangler` follow the same
+ * convention. Overwrites any existing credentials.
+ *
+ * When `profile` is set the file lives at `<config>/sprigr/credentials/<profile>.json`
+ * (and the parent `credentials/` dir is created at 0700 too). Without a
+ * profile we write the legacy `<config>/sprigr/credentials.json` so
+ * existing setups stay byte-identical.
+ */
+export declare function writeCredentials(creds: StoredCredentials, profile?: string): Promise<string>;
+/**
+ * Delete the credential file. Returns true if a file was removed,
+ * false if no file was there to begin with. Other errors (permission,
+ * etc.) propagate so the caller can surface a useful message.
+ */
+export declare function deleteCredentials(profile?: string): Promise<boolean>;
+/** Friendly message shown when no API key is configured. */
+export declare const MISSING_API_KEY_MESSAGE = "No API key found.\n\nRun `sprigr login` to authenticate via the portal, or set\nSPRIGR_API_KEY in your shell:\n\n  export SPRIGR_API_KEY=sk_mcp_xxxxx\n\nYou can also pass --api-key on the command line. Manage keys at\nteam.sprigr.com under Settings \u2192 API keys.\n\nTo log in to a specific tenant without overwriting another, use a profile:\n\n  sprigr login --profile staging --endpoint staging\n  sprigr login --profile prod    --endpoint prod\n  sprigr --profile staging app publish --dir <dir>\n  SPRIGR_PROFILE=prod sprigr app publish --dir <dir>\n";