@symbo.ls/cli 2.33.36 → 2.33.38

package/bin/login.js

@@ -101,6 +101,11 @@ function extractConfirmToken(data) {
   )
 }
 
+function withCliSessionKeyHeaders(headers, cliSessionKey) {
+  if (!cliSessionKey) return headers
+  return { ...headers, 'X-Symbols-Cli-Session-Key': cliSessionKey }
+}
+
 program
   .command('login')
   .description('Sign in to Symbols')
@@ -111,12 +116,18 @@ program
 
     // Prompt for credentials
     const currentConfig = loadCliConfig()
+    const credManager = new CredentialManager()
+    // If the user selected an active server via `smbls servers -s`, prefer that as the login default.
+    // Env vars should still override everything (useful for CI / debugging).
+    const envApiBaseUrl = process.env.SYMBOLS_API_BASE_URL || process.env.SMBLS_API_URL
+    const defaultApiBaseUrl =
+      envApiBaseUrl || credManager.getCurrentApiBaseUrl() || currentConfig.apiBaseUrl || getApiUrl()
     const first = await inquirer.prompt([
       {
         type: 'input',
         name: 'apiBaseUrl',
         message: 'API Base URL:',
-        default: currentConfig.apiBaseUrl || getApiUrl(),
+        default: defaultApiBaseUrl,
         validate: input => /^https?:\/\//.test(input) || '❌ Please enter a valid URL'
       },
       {
@@ -170,6 +181,21 @@ program
           throw err
         }
       } else if (first.method === 'google_browser' || first.method === 'github_browser') {
+        const defaultCliSessionKey = credManager.getCliSessionKey(apiBaseUrl) || ''
+        const { cliSessionKey } = await inquirer.prompt([
+          {
+            type: 'input',
+            name: 'cliSessionKey',
+            message: 'CLI session key (for long-lived tokens, optional):',
+            default: defaultCliSessionKey,
+            filter: (v) => (v || '').trim()
+          }
+        ])
+
+        // Persist per-server key so users can change it per environment
+        // (empty value clears and disables long-lived token request)
+        credManager.setCliSessionKey(apiBaseUrl, cliSessionKey)
+
         const sessionId = crypto.randomUUID()
         const codeVerifier = randomVerifier(64)
         const codeChallenge = sha256Base64url(codeVerifier)
@@ -177,11 +203,12 @@ program
         console.log(chalk.dim('\nCreating secure sign-in session...'))
         const sessionResp = await fetch(`${apiBaseUrl}/core/auth/session`, {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: withCliSessionKeyHeaders({ 'Content-Type': 'application/json' }, cliSessionKey),
           body: JSON.stringify({
             session_id: sessionId,
             code_challenge: codeChallenge,
-            plugin_info: { version: 'cli', figma_env: 'cli' }
+            plugin_info: { version: 'cli', figma_env: 'cli' },
+            ...(cliSessionKey ? { cli_session_key: cliSessionKey } : {})
           })
         })
 
@@ -214,7 +241,8 @@ program
           }
 
           const statusResp = await fetch(
-            `${apiBaseUrl}/core/auth/session/status?session=${encodeURIComponent(sessionId)}`
+            `${apiBaseUrl}/core/auth/session/status?session=${encodeURIComponent(sessionId)}`,
+            { headers: withCliSessionKeyHeaders({}, cliSessionKey) }
           )
           const statusData = await statusResp.json().catch(async () => ({ message: await statusResp.text() }))
 
@@ -235,8 +263,12 @@ program
         console.log(chalk.dim('Confirming session...'))
         const confirmResp = await fetch(`${apiBaseUrl}/core/auth/session/confirm`, {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ session_id: sessionId, code_verifier: codeVerifier })
+          headers: withCliSessionKeyHeaders({ 'Content-Type': 'application/json' }, cliSessionKey),
+          body: JSON.stringify({
+            session_id: sessionId,
+            code_verifier: codeVerifier,
+            ...(cliSessionKey ? { cli_session_key: cliSessionKey } : {})
+          })
         })
 
         const confirmData = await confirmResp.json().catch(async () => ({ message: await confirmResp.text() }))
@@ -262,7 +294,6 @@ program
       }
 
       // Save credentials
-      const credManager = new CredentialManager()
       credManager.saveCredentials({
         apiBaseUrl,
         authToken: accessToken,

package/bin/push.js

@@ -16,6 +16,7 @@ import { loadSymbolsConfig, resolveDistDir } from '../helpers/symbolsConfig.js'
 import { loadCliConfig, readLock, writeLock, updateLegacySymbolsJson } from '../helpers/config.js'
 import { stripOrderFields } from '../helpers/orderUtils.js'
 import { augmentProjectWithLocalPackageDependencies, findNearestPackageJson } from '../helpers/dependenciesUtils.js'
+import { stringifyFunctionsForTransport } from '../helpers/transportUtils.js'
 
 
 async function buildLocalProject (distDir) {
@@ -153,8 +154,10 @@ export async function pushProjectChanges(options) {
     console.log(chalk.gray('Server state fetched successfully'))
 
     // Calculate coarse local changes vs server snapshot (or base)
-    const base = normalizeKeys(stripOrderFields(serverProject || {}))
-    const changes = computeCoarseChanges(base, stripOrderFields(localProject))
+    // Prepare safe, JSON-serialisable snapshots for diffing & transport (stringify functions)
+    const base = normalizeKeys(stringifyFunctionsForTransport(stripOrderFields(serverProject || {})))
+    const local = normalizeKeys(stringifyFunctionsForTransport(stripOrderFields(localProject)))
+    const changes = computeCoarseChanges(base, local)
 
     if (!changes.length) {
       console.log(chalk.bold.yellow('\nNo changes to push'))
@@ -169,7 +172,7 @@ export async function pushProjectChanges(options) {
     })
 
     // Confirm push
-    const shouldProceed = await confirmChanges(changes, base, localProject)
+    const shouldProceed = await confirmChanges(changes, base, local)
     if (!shouldProceed) {
       console.log(chalk.yellow('Push cancelled'))
       return
@@ -185,7 +188,7 @@ export async function pushProjectChanges(options) {
     const operationId = `cli-${Date.now()}`
     // Derive granular changes against server base and compute orders using local for pending children
     const { granularChanges } = preprocessChanges(base, changes)
-    const orders = computeOrdersForTuples(stripOrderFields(localProject), granularChanges)
+    const orders = computeOrdersForTuples(local, granularChanges)
     const result = await postProjectChanges(projectId, authToken, {
       branch,
       type,

package/bin/sync.js

@@ -17,6 +17,7 @@ import { showAuthRequiredMessages, showBuildErrorMessages } from '../helpers/bui
 import { loadSymbolsConfig, resolveDistDir } from '../helpers/symbolsConfig.js'
 import { loadCliConfig, readLock, writeLock, getConfigPaths, updateLegacySymbolsJson } from '../helpers/config.js'
 import { stripOrderFields } from '../helpers/orderUtils.js'
+import { stringifyFunctionsForTransport } from '../helpers/transportUtils.js'
 import {
   augmentProjectWithLocalPackageDependencies,
   ensureSchemaDependencies,
@@ -227,9 +228,10 @@ export async function syncProjectChanges(options) {
     ensureSchemaDependencies(localProject)
 
     // Generate coarse local and remote changes via simple three-way rebase
-    const base = normalizeKeys(baseSnapshot || {})
-    const local = normalizeKeys(stripOrderFields(localProject || {}))
-    const remote = normalizeKeys(stripOrderFields(serverProject || {}))
+    // Prepare safe, JSON-serialisable snapshots for diffing & transport (stringify functions)
+    const base = normalizeKeys(stringifyFunctionsForTransport(stripOrderFields(baseSnapshot || {})))
+    const local = normalizeKeys(stringifyFunctionsForTransport(stripOrderFields(localProject || {})))
+    const remote = normalizeKeys(stringifyFunctionsForTransport(stripOrderFields(serverProject || {})))
     const { ours, theirs, conflicts, finalChanges } = threeWayRebase(base, local, remote)
 
     const localChanges = ours

package/helpers/credentialManager.js

@@ -4,12 +4,33 @@ import os from 'os'
 
 const RC_FILE = '.smblsrc'
 const DEFAULT_API = 'https://api.symbols.app'
+const DEFAULT_LOCAL_CLI_SESSION_KEY = 'supersecret...change-in-production!!!'
+const DEFAULT_PROD_CLI_SESSION_KEY =
+  'r5jMdknqYjuGeWAsApTvPjaYHjWkdyw70veJye11Mb_vInBmsBZ9RM4GKU2_rm17Z2qvNahbyIV5gQVXY0V9DlUYdflLKd1jYCKSuc9r_xreC9hVEovfbZqmfbOl-JFCN1w1MXEsPNWkWj48nfF6IFfoWH-0hsdQlPBFjW1mv10'
 
 export class CredentialManager {
   constructor() {
     this.rcPath = path.join(os.homedir(), RC_FILE)
   }
 
+  static defaultCliSessionKeyForApiBaseUrl(apiBaseUrl) {
+    const baseUrl = (apiBaseUrl || '').trim()
+    if (!baseUrl) return null
+
+    // Match the environments used by login.js's websiteFromApi:
+    // - production: api.symbols.app -> production session key by default
+    // - everything else (dev/staging/test/local/custom): local key by default
+    try {
+      const u = new URL(baseUrl)
+      if (u.host === 'api.symbols.app') return DEFAULT_PROD_CLI_SESSION_KEY
+      return DEFAULT_LOCAL_CLI_SESSION_KEY
+    } catch (_) {
+      // Best-effort fallback if apiBaseUrl is malformed
+      if (baseUrl.includes('api.symbols.app')) return DEFAULT_PROD_CLI_SESSION_KEY
+      return DEFAULT_LOCAL_CLI_SESSION_KEY
+    }
+  }
+
   // --- Low-level helpers ----------------------------------------------------
 
   loadRaw() {
@@ -89,6 +110,66 @@ export class CredentialManager {
     return state.currentApiBaseUrl || DEFAULT_API
   }
 
+  getCliSessionKey(apiBaseUrl) {
+    // Allow overriding via env (useful for CI / debugging)
+    const envKey =
+      process.env.SYMBOLS_CLI_SESSION_KEY ||
+      process.env.SMBLS_CLI_SESSION_KEY ||
+      process.env.PLUGIN_CLI_SESSION_KEY
+    if (envKey) return envKey
+
+    const state = this.loadState() || {}
+    const baseUrl = apiBaseUrl || state.currentApiBaseUrl || DEFAULT_API
+
+    // Prefer explicit mapping, then per-profile field
+    const mapped = state.cliSessionKeys && typeof state.cliSessionKeys === 'object'
+      ? state.cliSessionKeys[baseUrl]
+      : null
+    if (mapped) return mapped
+
+    const profileKey =
+      state.profiles && typeof state.profiles === 'object'
+        ? state.profiles[baseUrl]?.cliSessionKey
+        : null
+    if (profileKey) return profileKey
+
+    // Fall back to environment defaults (e.g. localhost)
+    return CredentialManager.defaultCliSessionKeyForApiBaseUrl(baseUrl)
+  }
+
+  setCliSessionKey(apiBaseUrl, cliSessionKey) {
+    const state = this.loadState() || {}
+    const baseUrl = apiBaseUrl || state.currentApiBaseUrl || DEFAULT_API
+    const nextKey = (cliSessionKey || '').trim()
+
+    const next = { ...state }
+
+    // Store in a dedicated map keyed by API base URL
+    const prevMap = (state.cliSessionKeys && typeof state.cliSessionKeys === 'object')
+      ? state.cliSessionKeys
+      : {}
+    const nextMap = { ...prevMap }
+
+    if (!nextKey) {
+      delete nextMap[baseUrl]
+    } else {
+      nextMap[baseUrl] = nextKey
+    }
+
+    next.cliSessionKeys = nextMap
+
+    // Also mirror into the profile (handy for humans inspecting ~/.smblsrc)
+    const profiles = (state.profiles && typeof state.profiles === 'object') ? state.profiles : {}
+    const existing = profiles[baseUrl] || {}
+    const updatedProfile = { ...existing }
+    if (!nextKey) delete updatedProfile.cliSessionKey
+    else updatedProfile.cliSessionKey = nextKey
+    next.profiles = { ...profiles, [baseUrl]: updatedProfile }
+
+    this.saveRaw(next)
+    return next
+  }
+
   setCurrentApiBaseUrl(apiBaseUrl) {
     const state = this.loadState()
     const next = { ...state, currentApiBaseUrl: apiBaseUrl || DEFAULT_API }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@symbo.ls/cli",
-  "version": "2.33.36",
+  "version": "2.33.38",
   "description": "Fetch your Symbols configuration",
   "main": "bin/fetch.js",
   "author": "Symbols",
@@ -15,18 +15,18 @@
     "vpatch": "npm version patch && npm publish"
   },
   "dependencies": {
-    "@symbo.ls/fetch": "^2.33.36",
-    "@symbo.ls/init": "^2.33.36",
-    "@symbo.ls/socket": "^2.33.36",
+    "@symbo.ls/fetch": "^2.33.38",
+    "@symbo.ls/init": "^2.33.38",
+    "@symbo.ls/socket": "^2.33.38",
     "chalk": "^5.4.1",
     "chokidar": "^4.0.3",
     "commander": "^13.1.0",
     "diff": "^5.2.0",
-    "esbuild": "^0.25.1",
+    "esbuild": "^0.26.0",
     "inquirer": "^12.9.0",
     "node-fetch": "^3.3.2",
     "socket.io-client": "^4.8.1",
     "v8-compile-cache": "^2.4.0"
   },
-  "gitHead": "c49777e3aee153b8b68f55a2aa9a3a5988483e2f"
+  "gitHead": "7048f2fd761c7aa6a4233019c1b91318d88e64ce"
 }