@sqaoss/flowy 1.6.1 → 1.8.0

package/src/commands/setup.test.ts

@@ -8,7 +8,7 @@ let mockSpawnSync: ReturnType<typeof vi.fn>
 
 beforeEach(() => {
   mockLoadConfig = vi.fn(() => ({
-    mode: 'saas',
+    mode: 'remote',
     apiUrl: 'https://flowy-ai.fly.dev/graphql',
     apiKey: '',
     client: { name: '' },
@@ -19,10 +19,17 @@ beforeEach(() => {
   mockOutputError = vi.fn()
   mockSpawnSync = vi.fn()
 
-  vi.doMock('../util/config.ts', () => ({
-    loadConfig: mockLoadConfig,
-    saveConfig: mockSaveConfig,
-  }))
+  vi.doMock('../util/config.ts', async () => {
+    const actual =
+      await vi.importActual<typeof import('../util/config.ts')>(
+        '../util/config.ts',
+      )
+    return {
+      loadConfig: mockLoadConfig,
+      saveConfig: mockSaveConfig,
+      fingerprintKey: actual.fingerprintKey,
+    }
+  })
 
   vi.doMock('../util/format.ts', () => ({
     output: mockOutput,
@@ -230,17 +237,51 @@ describe('setup command', () => {
         apiKey: 'flowy_test_key_123',
       }),
     )
-    expect(mockOutput).toHaveBeenCalledWith(
+    // Default output surfaces a fingerprint, never the raw secret (F35).
+    const outputArg = mockOutput.mock.calls[0]![0]
+    expect(JSON.stringify(outputArg)).not.toContain('flowy_test_key_123')
+    expect(outputArg).toEqual(
       expect.objectContaining({
         user: expect.objectContaining({
           email: 'test@example.com',
           tier: 'explorer',
           graceEndsAt: '2026-04-13T00:00:00Z',
         }),
-        apiKey: 'flowy_test_key_123',
+        keyFingerprint: expect.stringMatching(/sha256:[0-9a-f]{12}/),
         checkoutUrl: 'https://checkout.stripe.com/session_123',
       }),
     )
+    expect(outputArg).not.toHaveProperty('apiKey')
+  })
+
+  test('setup remote --show-key reveals the full API key', async () => {
+    const mockGraphql = vi.fn().mockResolvedValue({
+      register: {
+        user: {
+          id: 'user_1',
+          email: 'test@example.com',
+          tier: 'explorer',
+          createdAt: '2026-03-30T00:00:00Z',
+          graceEndsAt: null,
+        },
+        apiKey: 'flowy_test_key_123',
+        checkoutUrl: null,
+      },
+    })
+    vi.doMock('../util/client.ts', () => ({
+      graphql: mockGraphql,
+    }))
+    mockSpawnSync.mockReturnValue({ status: 0, stdout: Buffer.from('') })
+
+    const { setupCommand } = await import('./setup.ts')
+    await setupCommand.parseAsync(
+      ['remote', '--email', 'test@example.com', '--show-key'],
+      { from: 'user' },
+    )
+
+    expect(mockOutput).toHaveBeenCalledWith(
+      expect.objectContaining({ apiKey: 'flowy_test_key_123' }),
+    )
   })
 
   test('setup local warns when the skill install fails', async () => {
@@ -274,6 +315,53 @@ describe('setup command', () => {
     errSpy.mockRestore()
   })
 
+  test('setup remote persists the API key before any later step (save-after-register)', async () => {
+    const mockGraphql = vi.fn().mockResolvedValue({
+      register: {
+        user: {
+          id: 'user_1',
+          email: 'a@b.com',
+          tier: null,
+          createdAt: '2026-06-13T00:00:00Z',
+          graceEndsAt: null,
+        },
+        apiKey: 'flowy_key_persisted',
+        checkoutUrl: null,
+      },
+    })
+    vi.doMock('../util/client.ts', () => ({ graphql: mockGraphql }))
+
+    // The skill install (a step AFTER the key is obtained) blows up hard.
+    // The key must already be on disk by then so the user is never stranded.
+    let keySavedBeforeSkillInstall = false
+    mockSaveConfig.mockImplementation((cfg: { apiKey?: string }) => {
+      if (cfg.apiKey === 'flowy_key_persisted')
+        keySavedBeforeSkillInstall = true
+    })
+    mockSpawnSync.mockImplementation((cmd: string) => {
+      if (cmd === 'npx') {
+        // By the time the (post-register) skill install runs, the key is saved.
+        expect(keySavedBeforeSkillInstall).toBe(true)
+        throw new Error('npx exploded')
+      }
+      return { status: 0, stdout: Buffer.from('') }
+    })
+    const errSpy = vi.spyOn(console, 'error').mockImplementation(() => {})
+
+    const { setupCommand } = await import('./setup.ts')
+    await setupCommand.parseAsync(['remote', '--email', 'a@b.com'], {
+      from: 'user',
+    })
+
+    // The key was saved at least once with the real value before the failure.
+    expect(
+      mockSaveConfig.mock.calls.some(
+        (c) => (c[0] as { apiKey?: string }).apiKey === 'flowy_key_persisted',
+      ),
+    ).toBe(true)
+    errSpy.mockRestore()
+  })
+
   test('setup remote warns when the skill install fails', async () => {
     const mockGraphql = vi.fn().mockResolvedValue({
       register: {

package/src/commands/setup.ts

@@ -1,7 +1,8 @@
 import { spawnSync } from 'node:child_process'
 import { Command, Option } from 'commander'
-import { loadConfig, saveConfig } from '../util/config.ts'
+import { fingerprintKey, loadConfig, saveConfig } from '../util/config.ts'
 import { output, outputError } from '../util/format.ts'
+import { REGISTER } from '../util/operations.ts'
 import { pinnedInstallSpec } from './serve.ts'
 
 export const setupCommand = new Command('setup').description(
@@ -69,6 +70,10 @@ setupCommand
   .command('remote')
   .description('Connect to the hosted Flowy service')
   .option('--email <email>', 'Email address for registration')
+  .option(
+    '--show-key',
+    'Print the full API key instead of a non-reversible fingerprint',
+  )
   .addOption(
     new Option(
       '--tier <tier>',
@@ -100,23 +105,20 @@ setupCommand
           apiKey: string
           checkoutUrl: string
         }
-      }>(
-        `mutation Register($email: String!, $tier: String) {
-          register(email: $email, tier: $tier) {
-            user { id email tier createdAt graceEndsAt }
-            apiKey
-            checkoutUrl
-          }
-        }`,
-        { email: opts.email, tier: opts.tier },
-      )
+      }>(REGISTER, { email: opts.email, tier: opts.tier })
 
       config.apiKey = data.register.apiKey
       saveConfig(config)
 
       installSkill()
 
-      output(data.register)
+      const { user, apiKey, checkoutUrl } = data.register
+      // Default output never leaks the secret; --show-key opts in (F35).
+      output(
+        opts.showKey
+          ? { user, apiKey, checkoutUrl }
+          : { user, keyFingerprint: fingerprintKey(apiKey), checkoutUrl },
+      )
     } catch (error) {
       outputError(error)
     }

package/src/commands/status.ts

@@ -1,6 +1,7 @@
 import { Command } from 'commander'
 import { graphql } from '../util/client.ts'
 import { output, outputError } from '../util/format.ts'
+import { UPDATE_STATUS } from '../util/operations.ts'
 
 export const statusCommand = new Command('status')
   .description('Update a node status (shorthand)')
@@ -11,14 +12,10 @@ export const statusCommand = new Command('status')
   )
   .action(async (id: string, status: string) => {
     try {
-      const data = await graphql<{ updateNode: unknown }>(
-        `mutation UpdateStatus($id: String!, $status: String) {
-          updateNode(id: $id, status: $status) {
-            id type title status updatedAt
-          }
-        }`,
-        { id, status },
-      )
+      const data = await graphql<{ updateNode: unknown }>(UPDATE_STATUS, {
+        id,
+        status,
+      })
       output(data.updateNode)
     } catch (error) {
       outputError(error)

package/src/commands/task.ts

@@ -3,6 +3,19 @@ import { graphql } from '../util/client.ts'
 import { requireFeature, resolveProject } from '../util/config.ts'
 import { resolveDescription } from '../util/description.ts'
 import { output, outputError } from '../util/format.ts'
+import {
+  ALL_TASKS,
+  BLOCK_TASK,
+  CREATE_TASK,
+  DELETE_NODE,
+  LINK_TASK,
+  LIST_TASKS,
+  READY_TASKS,
+  SHOW_TASK,
+  TASK_DEPS,
+  UNBLOCK_TASK,
+  UPDATE_NODE,
+} from '../util/operations.ts'
 
 export const taskCommand = new Command('task').description(
   'Manage tasks in the active feature',
@@ -27,23 +40,17 @@ taskCommand
         description: opts.description,
         descriptionFile: opts.descriptionFile,
       })
-      const data = await graphql<{ createNode: { id: string } }>(
-        `mutation CreateTask($type: String!, $title: String!, $description: String) {
-          createNode(type: $type, title: $title, description: $description) {
-            id type title description status createdAt
-          }
-        }`,
-        { type: 'task', title: opts.title, description },
-      )
+      const data = await graphql<{ createNode: { id: string } }>(CREATE_TASK, {
+        type: 'task',
+        title: opts.title,
+        description,
+      })
       const taskId = data.createNode.id
-      await graphql(
-        `mutation LinkTask($sourceId: String!, $targetId: String!, $relation: String!) {
-          createEdge(sourceId: $sourceId, targetId: $targetId, relation: $relation) {
-            sourceId targetId relation
-          }
-        }`,
-        { sourceId: taskId, targetId: featureId, relation: 'part_of' },
-      )
+      await graphql(LINK_TASK, {
+        sourceId: taskId,
+        targetId: featureId,
+        relation: 'part_of',
+      })
       output(data.createNode)
     } catch (error) {
       outputError(error)
@@ -67,40 +74,27 @@ taskCommand
       if (opts.ready) {
         const projectId =
           opts.project ?? (opts.all ? undefined : resolveProject()?.id)
-        const data = await graphql<{ readyTasks: unknown[] }>(
-          `query ReadyTasks($projectId: String) {
-            readyTasks(projectId: $projectId) {
-              id type title status createdAt
-            }
-          }`,
-          { projectId: projectId ?? null },
-        )
+        const data = await graphql<{ readyTasks: unknown[] }>(READY_TASKS, {
+          projectId: projectId ?? null,
+        })
         output(data.readyTasks)
         return
       }
 
       if (opts.all) {
-        const data = await graphql<{ nodes: unknown[] }>(
-          `query AllTasks($type: String!) {
-            nodes(type: $type) {
-              id type title status createdAt
-            }
-          }`,
-          { type: 'task' },
-        )
+        const data = await graphql<{ nodes: unknown[] }>(ALL_TASKS, {
+          type: 'task',
+        })
         output(data.nodes)
         return
       }
 
       const featureId = requireFeature()
-      const data = await graphql<{ descendants: unknown[] }>(
-        `query ListTasks($nodeId: String!, $relation: String!, $maxDepth: Int) {
-          descendants(nodeId: $nodeId, relation: $relation, maxDepth: $maxDepth) {
-            id type title status createdAt
-          }
-        }`,
-        { nodeId: featureId, relation: 'part_of', maxDepth: 1 },
-      )
+      const data = await graphql<{ descendants: unknown[] }>(LIST_TASKS, {
+        nodeId: featureId,
+        relation: 'part_of',
+        maxDepth: 1,
+      })
       const tasks = data.descendants.filter(
         (n: unknown) => (n as { type: string }).type === 'task',
       )
@@ -120,20 +114,7 @@ taskCommand
         node: Record<string, unknown>
         blockedBy: unknown[]
         blocks: unknown[]
-      }>(
-        `query ShowTask($id: String!) {
-          node(id: $id) {
-            id type title description status metadata createdAt updatedAt
-          }
-          blockedBy: edges(nodeId: $id, relation: "blocks", direction: "incoming") {
-            id type title status
-          }
-          blocks: edges(nodeId: $id, relation: "blocks", direction: "outgoing") {
-            id type title status
-          }
-        }`,
-        { id },
-      )
+      }>(SHOW_TASK, { id })
       output({
         ...data.node,
         blockedBy: data.blockedBy,
@@ -170,11 +151,7 @@ taskCommand
       }
       if (opts.metadata != null) variables.metadata = opts.metadata
       const data = await graphql<{ updateNode: unknown }>(
-        `mutation UpdateNode($id: String!, $title: String, $description: String, $metadata: String) {
-          updateNode(id: $id, title: $title, description: $description, metadata: $metadata) {
-            id type title description status metadata createdAt updatedAt
-          }
-        }`,
+        UPDATE_NODE,
         variables,
       )
       output(data.updateNode)
@@ -189,12 +166,7 @@ taskCommand
   .argument('<id>', 'Task ID')
   .action(async (id: string) => {
     try {
-      const data = await graphql<{ deleteNode: boolean }>(
-        `mutation DeleteNode($id: String!) {
-          deleteNode(id: $id)
-        }`,
-        { id },
-      )
+      const data = await graphql<{ deleteNode: boolean }>(DELETE_NODE, { id })
       output({ deleted: data.deleteNode })
     } catch (error) {
       outputError(error)
@@ -208,14 +180,11 @@ taskCommand
   .argument('<id2>', 'Blocked task ID')
   .action(async (id1: string, id2: string) => {
     try {
-      const data = await graphql<{ createEdge: unknown }>(
-        `mutation BlockTask($sourceId: String!, $targetId: String!, $relation: String!) {
-          createEdge(sourceId: $sourceId, targetId: $targetId, relation: $relation) {
-            sourceId targetId relation createdAt
-          }
-        }`,
-        { sourceId: id1, targetId: id2, relation: 'blocks' },
-      )
+      const data = await graphql<{ createEdge: unknown }>(BLOCK_TASK, {
+        sourceId: id1,
+        targetId: id2,
+        relation: 'blocks',
+      })
       output(data.createEdge)
     } catch (error) {
       outputError(error)
@@ -229,12 +198,11 @@ taskCommand
   .argument('<id2>', 'Blocked task ID')
   .action(async (id1: string, id2: string) => {
     try {
-      const data = await graphql<{ removeEdge: boolean }>(
-        `mutation UnblockTask($sourceId: String!, $targetId: String!, $relation: String!) {
-          removeEdge(sourceId: $sourceId, targetId: $targetId, relation: $relation)
-        }`,
-        { sourceId: id1, targetId: id2, relation: 'blocks' },
-      )
+      const data = await graphql<{ removeEdge: boolean }>(UNBLOCK_TASK, {
+        sourceId: id1,
+        targetId: id2,
+        relation: 'blocks',
+      })
       output({ removed: data.removeEdge })
     } catch (error) {
       outputError(error)
@@ -248,14 +216,7 @@ taskCommand
   .action(async (id: string) => {
     try {
       const data = await graphql<{ blockedBy: unknown[]; blocks: unknown[] }>(
-        `query TaskDeps($id: String!) {
-          blockedBy: edges(nodeId: $id, relation: "blocks", direction: "incoming") {
-            id type title status
-          }
-          blocks: edges(nodeId: $id, relation: "blocks", direction: "outgoing") {
-            id type title status
-          }
-        }`,
+        TASK_DEPS,
         { id },
       )
       output({ id, blockedBy: data.blockedBy, blocks: data.blocks })

package/src/commands/tree.ts

@@ -1,6 +1,7 @@
 import { Command } from 'commander'
 import { graphql } from '../util/client.ts'
 import { output, outputError } from '../util/format.ts'
+import { SUBTREE } from '../util/operations.ts'
 
 export const treeCommand = new Command('tree')
   .description('Show subtree from any entity')
@@ -8,14 +9,10 @@ export const treeCommand = new Command('tree')
   .option('--depth <n>', 'Max depth', '10')
   .action(async (id: string, opts) => {
     try {
-      const data = await graphql<{ subtree: unknown[] }>(
-        `query Subtree($nodeId: String!, $maxDepth: Int) {
-          subtree(nodeId: $nodeId, maxDepth: $maxDepth) {
-            id type title status
-          }
-        }`,
-        { nodeId: id, maxDepth: Number.parseInt(opts.depth, 10) },
-      )
+      const data = await graphql<{ subtree: unknown[] }>(SUBTREE, {
+        nodeId: id,
+        maxDepth: Number.parseInt(opts.depth, 10),
+      })
       output(data.subtree)
     } catch (error) {
       outputError(error)

package/src/commands/whoami.test.ts

@@ -3,10 +3,18 @@ import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest'
 let mockGraphql: ReturnType<typeof vi.fn>
 let mockOutput: ReturnType<typeof vi.fn>
 let mockOutputError: ReturnType<typeof vi.fn>
+let mockLoadConfig: ReturnType<typeof vi.fn>
 
 beforeEach(() => {
   mockOutput = vi.fn()
   mockOutputError = vi.fn()
+  mockLoadConfig = vi.fn(() => ({
+    mode: 'remote',
+    apiUrl: 'https://flowy-ai.fly.dev/graphql',
+    apiKey: 'flowy_secret_abcdef0123456789',
+    client: { name: '' },
+    projects: {},
+  }))
   mockGraphql = vi.fn().mockResolvedValue({
     whoami: {
       id: 'user_1',
@@ -25,6 +33,27 @@ beforeEach(() => {
   vi.doMock('../util/client.ts', () => ({
     graphql: mockGraphql,
   }))
+
+  vi.doMock('../util/config.ts', async () => {
+    const actual =
+      await vi.importActual<typeof import('../util/config.ts')>(
+        '../util/config.ts',
+      )
+    return {
+      loadConfig: mockLoadConfig,
+      fingerprintKey: actual.fingerprintKey,
+      requireRemoteMode: (commandName: string) => {
+        const cfg = (mockLoadConfig as unknown as () => { mode: string })()
+        if (cfg.mode === 'local') {
+          const err = new Error(
+            `"flowy ${commandName}" is only available in remote mode. The active mode is local mode.`,
+          ) as Error & { code?: string }
+          err.code = 'LOCAL_MODE'
+          throw err
+        }
+      },
+    }
+  })
 })
 
 afterEach(() => {
@@ -33,7 +62,7 @@ afterEach(() => {
 })
 
 describe('whoami command', () => {
-  test('whoami outputs user data from query', async () => {
+  test('whoami outputs user data plus a non-reversible key fingerprint', async () => {
     const userData = {
       id: '1',
       email: 'a@b.com',
@@ -46,7 +75,17 @@ describe('whoami command', () => {
     const { whoamiCommand } = await import('./whoami.ts')
     await whoamiCommand.parseAsync([], { from: 'user' })
 
-    expect(mockOutput).toHaveBeenCalledWith(userData)
+    const outputArg = mockOutput.mock.calls[0]![0]
+    expect(outputArg).toEqual(
+      expect.objectContaining({
+        ...userData,
+        keyFingerprint: expect.stringMatching(/sha256:[0-9a-f]{12}/),
+      }),
+    )
+    // Fingerprint must not leak the configured secret.
+    expect(JSON.stringify(outputArg)).not.toContain(
+      'flowy_secret_abcdef0123456789',
+    )
   })
 
   test('whoami outputs error when query fails', async () => {
@@ -71,4 +110,27 @@ describe('whoami command', () => {
     const query = mockGraphql.mock.calls[0]?.[0] as string
     expect(query).toContain('graceEndsAt')
   })
+
+  test('whoami errors cleanly in local mode without hitting the server', async () => {
+    mockLoadConfig.mockReturnValue({
+      mode: 'local',
+      apiUrl: 'http://localhost:4000/graphql',
+      apiKey: '',
+      client: { name: '' },
+      projects: {},
+    })
+
+    const { whoamiCommand } = await import('./whoami.ts')
+    await whoamiCommand.parseAsync([], { from: 'user' })
+
+    // No GraphQL call against the local server.
+    expect(mockGraphql).not.toHaveBeenCalled()
+    expect(mockOutput).not.toHaveBeenCalled()
+    expect(mockOutputError).toHaveBeenCalledWith(
+      expect.objectContaining({
+        message: expect.stringMatching(/local mode/i),
+        code: 'LOCAL_MODE',
+      }),
+    )
+  })
 })

package/src/commands/whoami.ts

@@ -1,19 +1,25 @@
 import { Command } from 'commander'
 import { graphql } from '../util/client.ts'
+import {
+  fingerprintKey,
+  loadConfig,
+  requireRemoteMode,
+} from '../util/config.ts'
 import { output, outputError } from '../util/format.ts'
+import { WHOAMI } from '../util/operations.ts'
 
 export const whoamiCommand = new Command('whoami')
   .description('Show current user info')
   .action(async () => {
     try {
-      const data = await graphql<{ whoami: unknown }>(
-        `query Whoami {
-          whoami {
-            id email tier createdAt graceEndsAt
-          }
-        }`,
-      )
-      output(data.whoami)
+      requireRemoteMode('whoami')
+      const data = await graphql<{ whoami: Record<string, unknown> }>(WHOAMI)
+      // Surface a non-reversible fingerprint of the configured key so a human
+      // can confirm *which* credential is active without exposing it (F35).
+      output({
+        ...data.whoami,
+        keyFingerprint: fingerprintKey(loadConfig().apiKey),
+      })
     } catch (error) {
       outputError(error)
     }