@sprigr/cli 0.1.2

package/dist/bundler.js

@@ -0,0 +1,123 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+const MAX_FILES = 500;
+const MAX_FILE_BYTES = 5 * 1024 * 1024;
+const DEFAULT_IGNORES = [
+    'node_modules',
+    '.git',
+    '.DS_Store',
+    '.sprigrignore',
+    'dist',
+    '.next',
+    '.turbo',
+];
+export async function bundleDirectory(rootDir, framework = 'static') {
+    const errors = [];
+    const files = {};
+    let totalBytes = 0;
+    let binaryCount = 0;
+    const stat = await fs.stat(rootDir).catch(() => null);
+    if (!stat) {
+        return { errors: [`Directory not found: ${rootDir}`] };
+    }
+    if (!stat.isDirectory()) {
+        return { errors: [`${rootDir} is not a directory`] };
+    }
+    const ignorePatterns = await loadIgnore(rootDir);
+    async function walk(currentDir, relPrefix) {
+        const entries = await fs.readdir(currentDir, { withFileTypes: true });
+        for (const entry of entries) {
+            const relPath = relPrefix ? `${relPrefix}/${entry.name}` : entry.name;
+            if (shouldIgnore(entry.name, relPath, ignorePatterns))
+                continue;
+            const absPath = path.join(currentDir, entry.name);
+            if (entry.isDirectory()) {
+                await walk(absPath, relPath);
+                continue;
+            }
+            if (!entry.isFile())
+                continue; // skip symlinks, sockets, etc.
+            const buf = await fs.readFile(absPath);
+            if (buf.byteLength > MAX_FILE_BYTES) {
+                errors.push(`${relPath}: exceeds 5 MiB limit (${(buf.byteLength / 1024 / 1024).toFixed(2)} MiB)`);
+                continue;
+            }
+            // Re-encode round-trip detects non-UTF-8: utf8 decode is lossy on
+            // invalid bytes (replaced with U+FFFD), so byte-length comparison
+            // catches binaries unambiguously. UTF-8 round-trip is what tells us
+            // whether to ship the bare string or the tagged base64 envelope.
+            const utf8 = buf.toString('utf8');
+            if (Buffer.byteLength(utf8, 'utf8') === buf.byteLength) {
+                files[relPath] = utf8;
+            }
+            else {
+                files[relPath] = { encoding: 'base64', content: buf.toString('base64') };
+                binaryCount++;
+            }
+            totalBytes += buf.byteLength;
+        }
+    }
+    await walk(rootDir, '');
+    const fileCount = Object.keys(files).length;
+    if (fileCount === 0)
+        errors.push('No files to upload after applying ignores');
+    if (fileCount > MAX_FILES)
+        errors.push(`Too many files (${fileCount}) — maximum 500 per build`);
+    // Framework-aware root-file check.
+    // - static: the bundle IS the deployment, so index.html is mandatory.
+    // - next/astro/remix: the bundle is the SOURCE, the build produces
+    //   index.html. We require package.json instead so the user catches
+    //   "wrong directory" mistakes before round-tripping a doomed build.
+    if (framework === 'static') {
+        if (!('index.html' in files)) {
+            errors.push('Missing index.html — every static deployment must include an index.html at the bundle root');
+        }
+    }
+    else {
+        if (!('package.json' in files)) {
+            errors.push(`Missing package.json — ${framework} builds need a package.json at the bundle root (you may have pointed --dir at a build output instead of the source tree)`);
+        }
+    }
+    if (errors.length > 0)
+        return { errors };
+    return { files, totalBytes, fileCount, binaryCount };
+}
+async function loadIgnore(rootDir) {
+    const patterns = [...DEFAULT_IGNORES];
+    try {
+        const raw = await fs.readFile(path.join(rootDir, '.sprigrignore'), 'utf8');
+        for (const line of raw.split('\n')) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#'))
+                continue;
+            patterns.push(trimmed);
+        }
+    }
+    catch {
+        // No ignore file — defaults only.
+    }
+    return patterns;
+}
+/**
+ * Match an entry name and its full relative path against the ignore list.
+ * Patterns can be:
+ *   - bare names ("node_modules") — match anywhere in the tree
+ *   - rooted paths ("dist/cache") — match exact segment
+ *   - leading-dot literals (".env.local") — match by name
+ * Glob support is intentionally minimal in MVP.
+ */
+function shouldIgnore(name, relPath, patterns) {
+    for (const p of patterns) {
+        if (p === name)
+            return true;
+        if (p === relPath)
+            return true;
+        if (relPath.startsWith(`${p}/`))
+            return true;
+    }
+    // Top-level dotfiles default-hidden so secrets in .env etc. don't ship.
+    if (!relPath.includes('/') && name.startsWith('.'))
+        return true;
+    return false;
+}
+//# sourceMappingURL=bundler.js.map

package/dist/bundler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundler.js","sourceRoot":"","sources":["../src/bundler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAiD7B,MAAM,SAAS,GAAG,GAAG,CAAC;AACtB,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAEvC,MAAM,eAAe,GAAG;IACtB,cAAc;IACd,MAAM;IACN,WAAW;IACX,eAAe;IACf,MAAM;IACN,OAAO;IACP,QAAQ;CACT,CAAC;AAIF,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAe,EACf,YAA6B,QAAQ;IAErC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,KAAK,GAA+B,EAAE,CAAC;IAC7C,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACtD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,MAAM,EAAE,CAAC,wBAAwB,OAAO,EAAE,CAAC,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,OAAO,EAAE,MAAM,EAAE,CAAC,GAAG,OAAO,qBAAqB,CAAC,EAAE,CAAC;IACvD,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;IAEjD,KAAK,UAAU,IAAI,CAAC,UAAkB,EAAE,SAAiB;QACvD,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,SAAS,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;YAEtE,IAAI,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,cAAc,CAAC;gBAAE,SAAS;YAEhE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAClD,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,MAAM,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;gBAC7B,SAAS;YACX,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;gBAAE,SAAS,CAAC,+BAA+B;YAE9D,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACvC,IAAI,GAAG,CAAC,UAAU,GAAG,cAAc,EAAE,CAAC;gBACpC,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,0BAA0B,CAAC,GAAG,CAAC,UAAU,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBAClG,SAAS;YACX,CAAC;YAED,kEAAkE;YAClE,kEAAkE;YAClE,oEAAoE;YACpE,iEAAiE;YACjE,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC;gBACvD,KAAK,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC;YACxB,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACzE,WAAW,EAAE,CAAC;YAChB,CAAC;YACD,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,MAAM,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAExB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC5C,IAAI,SAAS,KAAK,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC9E,IAAI,SAAS,GAAG,SAAS;QAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,SAAS,2BAA2B,CAAC,CAAC;IAEhG,mCAAmC;IACnC,sEAAsE;IACtE,mEAAmE;IACnE,oEAAoE;IACpE,qEAAqE;IACrE,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,YAAY,IAAI,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,4FAA4F,CAAC,CAAC;QAC5G,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,CAAC,cAAc,IAAI,KAAK,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,0BAA0B,SAAS,0HAA0H,CAAC,CAAC;QAC7K,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IACzC,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC;AACvD,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,OAAe;IACvC,MAAM,QAAQ,GAAG,CAAC,GAAG,eAAe,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;QAC3E,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAClD,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kCAAkC;IACpC,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,YAAY,CAAC,IAAY,EAAE,OAAe,EAAE,QAAkB;IACrE,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAC5B,IAAI,CAAC,KAAK,OAAO;YAAE,OAAO,IAAI,CAAC;QAC/B,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC/C,CAAC;IACD,wEAAwE;IACxE,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAChE,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/commands/app.d.ts

@@ -0,0 +1,223 @@
+/**
+ * `sprigr app publish` and `sprigr app validate`.
+ *
+ * Phase 2.1b of the ASCS platform implementation plan.
+ *
+ *   sprigr app publish --dir <bundle-dir> [--manifest <path>]
+ *     Reads the manifest, runs publish-time validation locally, bundles
+ *     the directory the same way `sprigr deploy` does, and POSTs to
+ *     /api/v1/data/marketplace/apps/publish. The server re-validates +
+ *     stores the version + triggers the build-runner. We intentionally
+ *     run validation client-side too — the publish API is slow (uploads
+ *     a bundle to R2) so a clear local error beats a server round-trip.
+ *
+ *   sprigr app validate --dir <bundle-dir> [--manifest <path>]
+ *     Same validation as publish, no upload. Suitable for CI / local dev.
+ *
+ * Manifest format note (v1):
+ *   The plan calls for sprigr-app.yaml. The CLI v1 ships with JSON
+ *   support only (sprigr-app.json) so the npm-published bundle stays
+ *   dependency-light. YAML support is a follow-up that adds the `yaml`
+ *   package and detects sprigr-app.yaml in addition to sprigr-app.json.
+ *   Server-side handling is unchanged either way — the wire payload is
+ *   always JSON.
+ *
+ * Why the manifest is read separately from the bundle dir:
+ *   The bundler walks the dir and uploads every file under it, so the
+ *   manifest naturally lands in the bundle too — but we ALSO need the
+ *   parsed manifest object to validate locally and to send as a separate
+ *   field on the publish payload (the server reads it from there to
+ *   route the build, not by parsing the bundle). Hence a separate read.
+ */
+import { type AppManifest } from '../manifest.js';
+export interface RunAppPublishArgs {
+    dir: string;
+    manifestPath?: string;
+    endpoint: string;
+    apiKey: string;
+    /** Replace the default fetch (test seam). */
+    fetchImpl?: typeof fetch;
+}
+export interface RunAppValidateArgs {
+    dir: string;
+    manifestPath?: string;
+}
+export interface AppCommandResult {
+    exitCode: 0 | 1 | 2;
+}
+/**
+ * Read + parse the manifest. Defaults to `<dir>/sprigr-app.json`. Returns
+ * a structured error object on failure so the caller can surface a clean
+ * message rather than a stack trace.
+ */
+export declare function loadManifest(args: {
+    dir: string;
+    manifestPath?: string;
+}): Promise<{
+    manifest: AppManifest;
+    resolvedPath: string;
+} | {
+    error: string;
+}>;
+/**
+ * Run the publish-time validators against a parsed manifest. Mirrors
+ * the server's validateManifest in workers/provisioning so that local
+ * `app validate` produces the same verdict the publish API would. The
+ * legacy fields (sprigr_app, metadata, etc.) are checked here too —
+ * the shared package's per-field validators only cover the new
+ * marketplace-hosting fields.
+ */
+export declare function validateManifestLocally(manifest: AppManifest): string | null;
+/**
+ * Per-framework filesystem checks (#1022). Runs after manifest validation
+ * and BEFORE bundle upload, so authors hear about missing required files
+ * locally instead of after the round-trip through publish → build → install
+ * → failure. Currently only Next.js has a checkable contract; other
+ * frameworks return null.
+ *
+ * Async because the check stats the customer's bundle dir for the
+ * required config files. Returns null on success or an error message
+ * suitable for stderr.
+ */
+export declare function validateFrameworkFiles(manifest: AppManifest, dir: string): Promise<string | null>;
+export declare function runAppValidate(args: RunAppValidateArgs): Promise<AppCommandResult>;
+export declare function runAppPublish(args: RunAppPublishArgs): Promise<AppCommandResult>;
+export interface RunAppUpgradeArgs {
+    /** Marketplace app slug to upgrade this company's install of. */
+    slug: string;
+    endpoint: string;
+    apiKey: string;
+    /**
+     * Bypass the server-side "Already on latest version" guard. Re-runs the
+     * upgrade flow even when `pinned_version_id` already matches the current
+     * approved version. Use when the previous publish-fanout silently dropped
+     * the build enqueue (the pin moved but no build deployed).
+     */
+    force?: boolean;
+    /** Override fetch (tests). */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * `sprigr app upgrade <slug>` — manually bump this company's install of
+ * a marketplace app to the latest approved version. Hits
+ * POST /api/v1/data/apps/:slug/install/upgrade which:
+ *   1. Bumps `pinned_version_id` to current_version
+ *   2. Refreshes the integration row's snapshot manifest
+ *   3. Syncs the company's integration KV cache + reinits agent DOs
+ *   4. Enqueues a fresh build via `enqueueBuildForMarketplaceVersion`
+ *
+ * Returns the buildId for status polling. Idempotent — returns HTTP 400
+ * "Already on latest version" if the install is already pinned to the
+ * current version.
+ *
+ * Use this to recover from a silent publish-fanout enqueue failure (the
+ * symptom: a fresh version exists in `current_version` but no
+ * publish-fanout build appears in website_status after the publish).
+ */
+export declare function runAppUpgrade(args: RunAppUpgradeArgs): Promise<AppCommandResult>;
+export interface RunAppDeleteArgs {
+    slug?: string;
+    endpoint: string;
+    apiKey: string;
+    /** Skip the interactive "are you sure" confirmation prompt. Required when
+     *  running non-interactively (CI, scripts) since the prompt would hang. */
+    yes?: boolean;
+    /** Override fetch (tests). */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * `sprigr app delete <slug>` — hard-delete a marketplace app + all its
+ * versions + any leftover install rows owned by the publisher. Releases
+ * the slug for re-publication.
+ *
+ * Use this when migrating an app between publishers (personal staging
+ * → sprigr-hq, etc.). The runbook lives at
+ * sprigr-apps/docs/migrate-app-publisher.md — uninstall on every
+ * installer tenant first, THEN delete from the old publisher, THEN
+ * re-publish under the new publisher.
+ *
+ * The endpoint hard-deletes everything: all marketplace_app_versions
+ * rows, R2 bundle objects, any orphaned app_installations. Only the
+ * current publisher can call it (403 otherwise).
+ *
+ * Pass --yes to skip the confirmation prompt. CI / non-interactive
+ * callers must always pass --yes.
+ */
+export declare function runAppDelete(args: RunAppDeleteArgs): Promise<AppCommandResult>;
+export interface RunAppShareArgs {
+    slug?: string;
+    endpoint: string;
+    apiKey: string;
+    /** Override fetch (tests). */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * `sprigr app share <slug>` — generate a share token + auto-bump
+ * trust_tier from `private` to `shared`.
+ *
+ * Publisher-only. Lets other tenants in the same env install the app
+ * via their own CLI/MCP/portal without sharing the publisher's
+ * credentials. Calling again rotates the token but the trust tier
+ * stays at whatever it already is.
+ *
+ * The share URL prints to stdout (paste into a tenant browser to
+ * install via the share-link flow), but the more common path post-
+ * share is `sprigr app install <slug> --profile <other-tenant>` since
+ * trust_tier='shared' allows any tenant to install.
+ */
+export declare function runAppShare(args: RunAppShareArgs): Promise<AppCommandResult>;
+export interface RunAppInstallArgs {
+    slug?: string;
+    endpoint: string;
+    apiKey: string;
+    /** Comma-separated scope list (e.g. "tools:register,knowledge:read").
+     *  Must be a subset of manifest.permissions.scopes. */
+    scopes?: string;
+    /** Per-install secret values: repeatable --secret KEY=VALUE. Each KEY
+     *  must appear in manifest.secrets[]. */
+    secrets?: Record<string, string>;
+    /** Override fetch (tests). */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * `sprigr app install <slug> --scopes ... [--secret KEY=VALUE ...]`
+ *
+ * Install a marketplace app on the calling tenant. Publisher-migration
+ * step 5 from sprigr-apps/docs/migrate-app-publisher.md.
+ *
+ * Body shape gotcha (documented at the runbook level too): the API is
+ * snake_case (granted_scopes, install_secrets). Sending camelCase
+ * silently parses + ignores the unknown keys → 400 "Missing required
+ * secrets". The CLI passes the right shape so callers don't have to
+ * remember.
+ */
+export declare function runAppInstall(args: RunAppInstallArgs): Promise<AppCommandResult>;
+export interface RunAppSetPublisherSecretsArgs {
+    slug?: string;
+    endpoint: string;
+    apiKey: string;
+    /** Plaintext map of secret key → value. Keys must match
+     *  manifest.secrets[].key entries marked publisher_provides=true. */
+    secrets: Record<string, string>;
+    /** Override fetch (tests). */
+    fetchImpl?: typeof fetch;
+}
+/**
+ * `sprigr app set-publisher-secrets <slug> --secrets '<json>'`
+ *
+ * Seed or rotate the publisher-provided secret bag on the app row.
+ * The publisher's OAuth-app credentials (SHOPIFY_CLIENT_ID,
+ * SHOPIFY_CLIENT_SECRET, etc.) flow through this command — every
+ * install of the app picks them up automatically at install time.
+ *
+ * Auth: caller must be the app's publisher (the API checks
+ * publisher_company_id matches the calling tenant). Errors:
+ *   - 404: caller doesn't own the app, OR slug doesn't exist
+ *   - 400: a key isn't declared / isn't `publisher_provides: true` /
+ *     value isn't a non-empty string
+ *   - 500: WEBSITE_SECRETS_MASTER_KEY not bound on the platform
+ *
+ * No value is ever returned in plaintext from the API. Rotation =
+ * "set a new value"; there's no "show me the current value" path.
+ */
+export declare function runAppSetPublisherSecrets(args: RunAppSetPublisherSecretsArgs): Promise<AppCommandResult>;