@storewright/cli 0.14.0

package/scripts/shopify-access-preflight.mjs

@@ -0,0 +1,432 @@
+#!/usr/bin/env node
+import { spawnSync } from "node:child_process";
+
+const WORKFLOW_SCOPES = [
+  "read_files",
+  "write_files",
+  "read_themes",
+  "write_themes",
+  "read_products",
+  "write_products",
+  "read_publications",
+  "write_publications",
+  "read_content",
+  "write_content",
+  "read_online_store_navigation",
+  "write_online_store_navigation"
+];
+
+const SCOPE_PROBE_QUERY =
+  "query StorewrightScopeProbe { currentAppInstallation { accessScopes { handle } } }";
+
+const SHOP_QUERY = "query StorewrightPreflight { shop { id name myshopifyDomain } }";
+
+const INSTALLER_COMMANDS = {
+  npm: "install -g @shopify/cli@latest",
+  pnpm: "install -g @shopify/cli@latest",
+  yarn: "global add @shopify/cli@latest",
+  brew: "tap shopify/shopify && brew install shopify-cli"
+};
+
+const DEFAULT_COMMAND_TIMEOUT_MS = 60_000;
+const DEFAULT_AUTH_TIMEOUT_MS = 300_000;
+
+function usage() {
+  return "Usage: shopify-access-preflight.mjs --store <myshopify-domain> [--command-timeout-ms <ms>] [--auth-timeout-ms <ms>]";
+}
+
+function parsePositiveInteger(value, name) {
+  if (!/^[1-9]\d*$/.test(String(value ?? ""))) {
+    return { error: `${name} must be a positive integer.` };
+  }
+  const parsed = Number.parseInt(value, 10);
+  if (!Number.isSafeInteger(parsed)) {
+    return { error: `${name} must be a positive integer.` };
+  }
+  return { value: parsed };
+}
+
+function parseArgs(argv) {
+  let store = "";
+  let commandTimeoutMs = DEFAULT_COMMAND_TIMEOUT_MS;
+  let authTimeoutMs = DEFAULT_AUTH_TIMEOUT_MS;
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = argv[i];
+    if (arg === "--store") {
+      store = argv[i + 1] ?? "";
+      i += 1;
+      continue;
+    }
+    if (arg === "--command-timeout-ms") {
+      const parsed = parsePositiveInteger(argv[i + 1], "--command-timeout-ms");
+      if (parsed.error) return parsed;
+      commandTimeoutMs = parsed.value;
+      i += 1;
+      continue;
+    }
+    if (arg === "--auth-timeout-ms") {
+      const parsed = parsePositiveInteger(argv[i + 1], "--auth-timeout-ms");
+      if (parsed.error) return parsed;
+      authTimeoutMs = parsed.value;
+      i += 1;
+      continue;
+    }
+    if (arg === "-h" || arg === "--help") {
+      return { help: true, store, commandTimeoutMs, authTimeoutMs };
+    }
+    return { error: `Unknown argument: ${arg}` };
+  }
+  if (!store) return { error: "Missing required --store argument." };
+  return { store, commandTimeoutMs, authTimeoutMs };
+}
+
+function parseJson(text) {
+  const raw = String(text ?? "").trim();
+  try {
+    return JSON.parse(raw);
+  } catch {
+    let lastParsed = null;
+    for (let start = 0; start < raw.length; start += 1) {
+      const opener = raw[start];
+      if (opener !== "{" && opener !== "[") continue;
+      const closer = opener === "{" ? "}" : "]";
+      let depth = 0;
+      let inString = false;
+      let escaped = false;
+      for (let index = start; index < raw.length; index += 1) {
+        const char = raw[index];
+        if (inString) {
+          if (escaped) {
+            escaped = false;
+          } else if (char === "\\") {
+            escaped = true;
+          } else if (char === "\"") {
+            inString = false;
+          }
+          continue;
+        }
+        if (char === "\"") {
+          inString = true;
+        } else if (char === opener) {
+          depth += 1;
+        } else if (char === closer) {
+          depth -= 1;
+          if (depth === 0) {
+            try {
+              lastParsed = JSON.parse(raw.slice(start, index + 1));
+            } catch {
+              // Keep scanning for the final valid JSON payload in noisy CLI output.
+            }
+            start = index;
+            break;
+          }
+        }
+      }
+    }
+    return lastParsed;
+  }
+}
+
+function collectScopes(value, scopes = new Set()) {
+  if (Array.isArray(value)) {
+    for (const item of value) collectScopes(item, scopes);
+    return scopes;
+  }
+  if (value && typeof value === "object") {
+    for (const item of Object.values(value)) collectScopes(item, scopes);
+    return scopes;
+  }
+  if (typeof value === "string") {
+    for (const part of value.split(/[,\s]+/)) {
+      if (/^[a-z]+_[a-z_]+$/.test(part)) scopes.add(part);
+    }
+  }
+  return scopes;
+}
+
+function effectiveScopes(rawScopes) {
+  const scopes = new Set(rawScopes);
+  for (const scope of rawScopes) {
+    if (scope.startsWith("write_")) {
+      scopes.add(scope.replace(/^write_/, "read_"));
+    }
+  }
+  return [...scopes].sort();
+}
+
+function runShopify(args, { timeoutMs = DEFAULT_COMMAND_TIMEOUT_MS } = {}) {
+  const result = spawnSync("shopify", args, {
+    encoding: "utf8",
+    timeout: timeoutMs,
+    killSignal: "SIGTERM"
+  });
+  return processResult(["shopify", ...args], result, { timeoutMs });
+}
+
+function runShell(command, { timeoutMs = DEFAULT_COMMAND_TIMEOUT_MS } = {}) {
+  const result = spawnSync("/bin/sh", ["-lc", command], {
+    encoding: "utf8",
+    timeout: timeoutMs,
+    killSignal: "SIGTERM"
+  });
+  return processResult(["/bin/sh", "-lc", command], result, { timeoutMs });
+}
+
+function commandSignals(commandParts, stdout, stderr, timedOut) {
+  const combinedOutput = `${stdout}\n${stderr}`;
+  const commandText = commandParts.join(" ");
+  const blockerHints = [];
+  if (/shopify store auth\b/.test(commandText) && timedOut) {
+    blockerHints.push("shopify-auth-timeout");
+  }
+  if (/Client network socket disconnected|ECONNRESET|ETIMEDOUT|ENOTFOUND|TLS connection/i.test(combinedOutput)) {
+    blockerHints.push("shopify-network-error");
+  }
+  return { blockerHints };
+}
+
+function processResult(commandParts, result, { timeoutMs = DEFAULT_COMMAND_TIMEOUT_MS } = {}) {
+  const timedOut = result.error?.code === "ETIMEDOUT";
+  const exitCode = timedOut ? 1 : result.status ?? 1;
+  const parsedJson = parseJson(result.stdout);
+  const stdout = result.stdout ?? "";
+  const stderr = result.stderr ?? "";
+  const signals = commandSignals(commandParts, stdout, stderr, timedOut);
+  return {
+    command: commandParts.join(" "),
+    exitCode,
+    commandResult: timedOut ? "timeout" : exitCode === 0 ? "ok" : "error",
+    timedOut,
+    signal: result.signal ?? null,
+    timeoutMs,
+    stdout,
+    stderr,
+    parsedJson,
+    blockerHints: signals.blockerHints
+  };
+}
+
+function skippedCommand(command) {
+  return {
+    command,
+    exitCode: null,
+    commandResult: "skipped",
+    stdout: "",
+    stderr: "",
+    parsedJson: null
+  };
+}
+
+function commandSummary(command) {
+  return {
+    command: command.command,
+    exitCode: command.exitCode,
+    commandResult: command.commandResult,
+    timedOut: command.timedOut ?? false,
+    signal: command.signal ?? null,
+    timeoutMs: command.timeoutMs ?? null,
+    stdoutSummary: command.stdout.slice(0, 500),
+    stderrSummary: command.stderr.slice(0, 500),
+    blockerHints: command.blockerHints ?? []
+  };
+}
+
+function detectExecutable(name, { timeoutMs = DEFAULT_COMMAND_TIMEOUT_MS } = {}) {
+  const lookup = runShell(`command -v ${name}`, { timeoutMs });
+  return {
+    name,
+    lookup,
+    path: lookup.commandResult === "ok" ? lookup.stdout.trim() : null
+  };
+}
+
+function createShopifyCliEvidence({ commandTimeoutMs = DEFAULT_COMMAND_TIMEOUT_MS } = {}) {
+  const shopify = detectExecutable("shopify", { timeoutMs: commandTimeoutMs });
+  const version = shopify.path ? runShopify(["version"], { timeoutMs: commandTimeoutMs }) : skippedCommand("shopify version");
+  const installerLookups = ["npm", "pnpm", "yarn", "brew"].map((name) => detectExecutable(name, { timeoutMs: commandTimeoutMs }));
+  const availableInstallers = installerLookups
+    .filter((installer) => installer.path)
+    .map((installer) => ({ name: installer.name, path: installer.path }));
+
+  return {
+    status: shopify.path ? "available" : "missing",
+    path: shopify.path,
+    version: commandSummary(version),
+    availableInstallers,
+    installCandidates: shopify.path
+      ? []
+      : availableInstallers.map((installer) => ({
+        name: installer.name,
+        command: `${installer.path} ${INSTALLER_COMMANDS[installer.name]}`
+      })),
+    commands: [
+      { name: "shopifyCliLookup", ...commandSummary(shopify.lookup) },
+      { name: "shopifyCliVersion", ...commandSummary(version) },
+      ...installerLookups.map((installer) => ({
+        name: `installerLookup:${installer.name}`,
+        ...commandSummary(installer.lookup)
+      }))
+    ]
+  };
+}
+
+function missingScopes(requestedScopes, scopes) {
+  const available = new Set(scopes);
+  return requestedScopes.filter((scope) => !available.has(scope));
+}
+
+function isRetryableScopeProbeFailure(command) {
+  return command.timedOut || /aborted before it completed|timed out|timeout|ECONNRESET|ETIMEDOUT/i.test(command.stderr);
+}
+
+function isAuthRequiredScopeProbeFailure(command) {
+  return /run .*store auth|no stored store auth|authentication required|missing .*scope|requires .*scope|access denied/i.test(command.stderr);
+}
+
+function run({
+  store,
+  requestedScopes = WORKFLOW_SCOPES,
+  commandTimeoutMs = DEFAULT_COMMAND_TIMEOUT_MS,
+  authTimeoutMs = DEFAULT_AUTH_TIMEOUT_MS
+}) {
+  const shopifyCli = createShopifyCliEvidence({ commandTimeoutMs });
+  if (shopifyCli.status === "missing") {
+    return {
+      schemaVersion: "1.0.0",
+      store,
+      requestedScopes,
+      shopifyCli,
+      rawCurrentScopes: [],
+      effectiveCurrentScopes: [],
+      auth: {
+        action: "skipped",
+        commandResult: "skipped",
+        scopeProbeResult: "skipped",
+        rawVerifiedScopes: [],
+        verifiedScopes: [],
+        missingScopes: requestedScopes,
+        missingScopesBeforeAuth: requestedScopes
+      },
+      storeAccess: {
+        commandResult: "skipped",
+        exitCode: null,
+        themeCount: null
+      },
+      adminGraphqlAccess: {
+        commandResult: "skipped",
+        exitCode: null,
+        shop: null
+      },
+      commands: shopifyCli.commands
+    };
+  }
+
+  const currentScopeProbeCommands = [
+    runShopify(["store", "execute", "--store", store, "--query", SCOPE_PROBE_QUERY, "--json"], { timeoutMs: commandTimeoutMs })
+  ];
+  if (isRetryableScopeProbeFailure(currentScopeProbeCommands[0])) {
+    currentScopeProbeCommands.push(
+      runShopify(["store", "execute", "--store", store, "--query", SCOPE_PROBE_QUERY, "--json"], { timeoutMs: commandTimeoutMs })
+    );
+  }
+  const currentScopeProbe = currentScopeProbeCommands.at(-1);
+  const scopeProbeSucceeded = currentScopeProbe.commandResult === "ok";
+  const scopeProbeAuthRequired = !scopeProbeSucceeded && isAuthRequiredScopeProbeFailure(currentScopeProbe);
+  const rawCurrentScopes = scopeProbeSucceeded
+    ? [...collectScopes(currentScopeProbe.parsedJson)].sort()
+    : [];
+  const effectiveCurrentScopes = effectiveScopes(rawCurrentScopes);
+  const missingBeforeAuth = missingScopes(requestedScopes, effectiveCurrentScopes);
+  let authAction = "skipped";
+  let authCommand = null;
+  let rawVerifiedScopes = rawCurrentScopes;
+  let verifiedScopes = effectiveCurrentScopes;
+
+  if (missingBeforeAuth.length > 0 && (scopeProbeSucceeded || scopeProbeAuthRequired)) {
+    authAction = "requested";
+    authCommand = runShopify([
+      "store",
+      "auth",
+      "--store",
+      store,
+      "--scopes",
+      requestedScopes.join(","),
+      "--json"
+    ], { timeoutMs: authTimeoutMs });
+    rawVerifiedScopes = [...collectScopes(authCommand.parsedJson)].sort();
+    verifiedScopes = effectiveScopes(rawVerifiedScopes);
+  }
+
+  const themeList = runShopify(["theme", "list", "--store", store, "--json"], { timeoutMs: commandTimeoutMs });
+  const adminGraphql = runShopify([
+    "store",
+    "execute",
+    "--store",
+    store,
+    "--query",
+    SHOP_QUERY,
+    "--json"
+  ], { timeoutMs: commandTimeoutMs });
+
+  return {
+    schemaVersion: "1.0.0",
+    store,
+    requestedScopes,
+    shopifyCli,
+    rawCurrentScopes,
+    effectiveCurrentScopes,
+    auth: {
+      action: authAction,
+      commandResult: authCommand?.commandResult ?? "skipped",
+      approvalState: authCommand
+        ? authCommand.commandResult === "ok"
+          ? "approved"
+          : authCommand.timedOut
+            ? "timeout"
+            : "unknown"
+        : "not-needed",
+      scopeProbeResult: currentScopeProbe.commandResult,
+      rawVerifiedScopes,
+      verifiedScopes,
+      missingScopes: missingScopes(requestedScopes, verifiedScopes),
+      missingScopesBeforeAuth: missingBeforeAuth
+    },
+    storeAccess: {
+      commandResult: themeList.commandResult,
+      exitCode: themeList.exitCode,
+      themeCount: Array.isArray(themeList.parsedJson) ? themeList.parsedJson.length : null,
+      blockerId: null
+    },
+    adminGraphqlAccess: {
+      commandResult: adminGraphql.commandResult,
+      exitCode: adminGraphql.exitCode,
+      shop: adminGraphql.parsedJson?.data?.shop ?? adminGraphql.parsedJson?.shop ?? null
+    },
+    commands: [
+      ...shopifyCli.commands,
+      ...currentScopeProbeCommands.map((command, index) => ({
+        name: index === 0 ? "currentScopeProbe" : `currentScopeProbeRetry${index}`,
+        ...commandSummary(command)
+      })),
+      ...(authAction === "requested" ? [{ name: "workflowScopeAuth", ...commandSummary(authCommand) }] : []),
+      { name: "themeList", ...commandSummary(themeList) },
+      { name: "adminGraphqlRead", ...commandSummary(adminGraphql) }
+    ]
+  };
+}
+
+const parsed = parseArgs(process.argv.slice(2));
+if (parsed.help) {
+  console.log(usage());
+  process.exit(0);
+}
+if (parsed.error) {
+  console.error(parsed.error);
+  process.exit(2);
+}
+
+process.stdout.write(`${JSON.stringify(run({
+  store: parsed.store,
+  commandTimeoutMs: parsed.commandTimeoutMs,
+  authTimeoutMs: parsed.authTimeoutMs
+}), null, 2)}\n`);