@technotalim-org/console-cli 1.3.0

package/LICENSE

@@ -0,0 +1,10 @@
+Copyright (c) 2026 TechnoTaLim. All rights reserved.
+
+This software and its source code are proprietary and confidential. No license,
+express or implied, is granted to use, copy, modify, merge, publish, distribute,
+sublicense, or sell copies of this software except with the prior written
+permission of TechnoTaLim.
+
+The npm package "@technotalim/cli" is provided solely to enable customers to
+deploy to TechnoTaLim hosting. Use of the package is subject to the TechnoTaLim
+Terms of Service at https://console.technotalim.com.

package/README.md

@@ -0,0 +1,48 @@
+# @technotalim-org/console-cli
+
+Deploy your [TechnoTaLim](https://console.technotalim.com)-hosted websites from the command line.
+
+```bash
+npm i -g @technotalim-org/console-cli
+
+technotalim login        # authorize this machine in your browser
+technotalim sites:list   # see your hosting sites
+technotalim init         # (coming) write technotalim.json + .technotalimrc
+technotalim deploy        # (coming) ship your site
+```
+
+## Authentication
+
+`technotalim login` uses OAuth 2.0 Authorization Code + PKCE over a loopback
+redirect (RFC 8252) — the same pattern as `gh`, `vercel`, and `firebase`. Your
+browser opens the console, you approve in your real session, and a scoped,
+revocable credential is stored at `~/.technotalim/credentials.json` (mode 600).
+
+For CI/headless use, generate a token in the console under **CLI & API access**
+and pass it via the `TECHNOTALIM_TOKEN` environment variable.
+
+Revoke any credential any time from the console dashboard.
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `technotalim login` | Authorize this machine via the browser (PKCE loopback) |
+| `technotalim login --device` | Headless login (device code) for SSH / no-browser machines |
+| `technotalim logout` | Revoke the token and remove local credentials |
+| `technotalim whoami` | Show the signed-in account |
+| `technotalim sites:list` (`sites`) | List your hosting sites |
+| `technotalim init` | Write `technotalim.json` + `.technotalimrc` |
+| `technotalim deploy` | Build, diff, upload changed files, prune — `--force`, `--dry-run`, `--only`, `-m` |
+| `technotalim rollback [id]` | Restore a previous version (`--only`) |
+| `technotalim deploys:list` (`deploys`) | Show recent deploys (`--only`) |
+
+## Development
+
+```bash
+npm install
+npm run build
+node dist/index.js whoami
+# point at a dev console:
+TECHNOTALIM_API_BASE=http://localhost:3000 node dist/index.js login
+```

package/dist/api.js

@@ -0,0 +1,56 @@
+// Authenticated API client. Mints a short-lived access token from the stored
+// cli_token (or the CI env token) and caches it in-process for its lifetime.
+import { CONFIG } from './config.js';
+import { loadCredentials } from './credentials.js';
+/** CI env token takes precedence over the stored interactive credential. */
+export function resolveCliToken() {
+    const env = process.env[CONFIG.ciTokenEnv];
+    if (env && env.trim())
+        return env.trim();
+    const c = loadCredentials();
+    return c?.cli_token ?? null;
+}
+let cachedAccess = null;
+export async function getAccessToken() {
+    if (cachedAccess && cachedAccess.exp - Date.now() > 30_000)
+        return cachedAccess.token;
+    const cliToken = resolveCliToken();
+    if (!cliToken)
+        throw new Error('Not logged in. Run `technotalim login`.');
+    const res = await fetch(`${CONFIG.apiBase}/api/cli/access`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ cli_token: cliToken }),
+    });
+    if (!res.ok) {
+        const data = (await res.json().catch(() => ({})));
+        throw new Error(data.error || `Could not authenticate (HTTP ${res.status}). Try \`technotalim login\` again.`);
+    }
+    const data = (await res.json());
+    cachedAccess = { token: data.access_token, exp: Date.now() + data.expires_in * 1000 };
+    return data.access_token;
+}
+export async function apiGet(path) {
+    const token = await getAccessToken();
+    const res = await fetch(`${CONFIG.apiBase}${path}`, {
+        headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) {
+        const data = (await res.json().catch(() => ({})));
+        throw new Error(data.error || `Request failed (HTTP ${res.status})`);
+    }
+    return (await res.json());
+}
+export async function apiPost(path, body) {
+    const token = await getAccessToken();
+    const res = await fetch(`${CONFIG.apiBase}${path}`, {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+        const data = (await res.json().catch(() => ({})));
+        throw new Error(data.error || `Request failed (HTTP ${res.status})`);
+    }
+    return (await res.json());
+}

package/dist/commands/deploy.js

@@ -0,0 +1,78 @@
+// `technotalim deploy` — build (predeploy), diff against the server, upload
+// only the changed files, then commit (prune + finalize) atomically.
+import { existsSync } from 'fs';
+import { resolve } from 'path';
+import { spawnSync } from 'child_process';
+import pc from 'picocolors';
+import { loadProject } from '../projectconfig.js';
+import { walkPublicDir } from '../walk.js';
+import { uploadFiles } from '../upload.js';
+import { apiPost } from '../api.js';
+import * as prompt from '../prompt.js';
+import { log, fail } from '../util.js';
+export async function deployCommand(opts) {
+    const project = loadProject();
+    if (!project)
+        return fail('No technotalim.json found. Run `technotalim init` first.');
+    const { config, rc, root } = project;
+    const alias = opts.only || 'default';
+    const websiteId = rc.sites?.[alias];
+    if (!websiteId)
+        return fail(`No site mapped to "${alias}" in .technotalimrc.`);
+    const publicDir = resolve(root, config.hosting.public || '.');
+    if (!existsSync(publicDir))
+        return fail(`Public directory not found: ${config.hosting.public}`);
+    // predeploy hooks (e.g. "npm run build").
+    for (const cmd of config.hosting.predeploy || []) {
+        log.info(pc.dim(`$ ${cmd}`));
+        const r = spawnSync(cmd, { cwd: root, stdio: 'inherit', shell: true });
+        if (r.status !== 0)
+            return fail(`predeploy hook failed: ${cmd}`);
+    }
+    const files = walkPublicDir(publicDir, config.hosting.ignore || []);
+    if (files.length === 0)
+        return fail(`No files found in ${config.hosting.public}.`);
+    if (!files.some((f) => f.rel === 'index.html')) {
+        log.warn('No index.html at the root of your public directory.');
+    }
+    log.info(`Scanned ${files.length} files. Planning…`);
+    const plan = await apiPost('/api/cli/deploy/plan', {
+        websiteId,
+        files: files.map((f) => ({ path: f.rel, sha256: f.sha256, size: f.size })),
+        message: opts.message,
+    });
+    if (plan.rejected?.length)
+        log.warn(`Skipped ${plan.rejected.length} unsafe path(s).`);
+    const toUpload = files.filter((f) => plan.upload.includes(f.rel));
+    log.info(`${pc.bold(String(toUpload.length))} to upload · ${pc.bold(String(plan.delete.length))} to delete · ${plan.unchanged} unchanged`);
+    if (opts.dryRun) {
+        plan.upload.forEach((p) => console.log(pc.green(`  + ${p}`)));
+        plan.delete.forEach((p) => console.log(pc.red(`  - ${p}`)));
+        log.info('Dry run — nothing deployed.');
+        return;
+    }
+    if (toUpload.length === 0 && plan.delete.length === 0) {
+        log.success(`Already up to date → ${plan.url}`);
+        return;
+    }
+    if (!opts.force) {
+        const ok = await prompt.confirm(`Deploy to ${plan.url}?`, true);
+        if (!ok) {
+            log.info('Cancelled.');
+            return;
+        }
+    }
+    if (toUpload.length) {
+        await uploadFiles(plan.uid, websiteId, toUpload, (done, total) => {
+            process.stdout.write(`\r  Uploading ${done}/${total}…   `);
+        });
+        process.stdout.write('\n');
+    }
+    const commit = await apiPost('/api/cli/deploy/commit', {
+        websiteId,
+        deployId: plan.deployId,
+        manifest: files.map((f) => f.rel),
+        spa: !!config.hosting.spa,
+    });
+    log.success(`Deployed ${files.length} files (${toUpload.length} changed, ${commit.pruned} removed) → ${commit.url}`);
+}

package/dist/commands/deploys.js

@@ -0,0 +1,23 @@
+// `technotalim deploys:list` — recent CLI deploys for the linked site.
+import pc from 'picocolors';
+import { apiGet } from '../api.js';
+import { loadProject } from '../projectconfig.js';
+import { log, fail } from '../util.js';
+export async function deploysListCommand(opts) {
+    const project = loadProject();
+    if (!project)
+        return fail('No technotalim.json found. Run this in your project directory.');
+    const websiteId = project.rc.sites?.[opts.only || 'default'];
+    if (!websiteId)
+        return fail(`No site mapped to "${opts.only || 'default'}".`);
+    const { deploys } = await apiGet(`/api/cli/deploys?websiteId=${encodeURIComponent(websiteId)}`);
+    if (!deploys.length) {
+        log.info('No deploys yet.');
+        return;
+    }
+    for (const d of deploys) {
+        const when = d.committedAt ? new Date(d.committedAt).toLocaleString() : '—';
+        const msg = d.message ? `  ${pc.dim(d.message)}` : '';
+        log.info(`${when}   ${pc.green('+' + d.uploaded)} ${pc.red('-' + d.pruned)}${msg}`);
+    }
+}

package/dist/commands/init.js

@@ -0,0 +1,66 @@
+// `technotalim init` — pick a site, detect the public dir, write the project
+// config files.
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { apiGet, resolveCliToken } from '../api.js';
+import { writeProject, defaultIgnore, findUp } from '../projectconfig.js';
+import * as prompt from '../prompt.js';
+import { log } from '../util.js';
+function suggestPublicDir(root) {
+    try {
+        const pkgPath = join(root, 'package.json');
+        if (existsSync(pkgPath)) {
+            const pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+            const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
+            if (deps.vite || deps.astro)
+                return 'dist';
+            if (deps['react-scripts'])
+                return 'build';
+            if (deps['@11ty/eleventy'])
+                return '_site';
+            if (deps['gatsby'])
+                return 'public';
+        }
+    }
+    catch {
+        /* ignore */
+    }
+    for (const c of ['dist', 'build', 'out', 'public', '_site']) {
+        if (existsSync(join(root, c)))
+            return c;
+    }
+    return '.';
+}
+export async function initCommand() {
+    if (!resolveCliToken()) {
+        log.error('Not logged in. Run `technotalim login` first.');
+        process.exit(1);
+    }
+    const root = process.cwd();
+    if (findUp('technotalim.json', root)) {
+        const ok = await prompt.confirm('technotalim.json already exists. Overwrite?', false);
+        if (!ok) {
+            log.info('Cancelled.');
+            return;
+        }
+    }
+    const { sites } = await apiGet('/api/cli/sites');
+    if (!sites.length) {
+        log.error('No hosting sites on your account. Create one in the dashboard first.');
+        process.exit(1);
+    }
+    let siteId;
+    if (sites.length === 1) {
+        siteId = sites[0].id;
+        log.info(`Using your only site: ${sites[0].name} (${sites[0].domain || 'no domain'})`);
+    }
+    else {
+        siteId = await prompt.select('Which site do you want to deploy to?', sites.map((s) => ({ label: `${s.name}  ${s.domain || ''}`.trim(), value: s.id })));
+    }
+    const suggested = suggestPublicDir(root);
+    const publicDir = await prompt.text('What directory contains your built site?', suggested);
+    const spa = await prompt.confirm('Single-page app (rewrite all routes to index.html)?', false);
+    writeProject(root, { hosting: { public: publicDir, ignore: defaultIgnore(), spa, cleanUrls: false, predeploy: [] } }, { sites: { default: siteId } });
+    log.success('Wrote technotalim.json and .technotalimrc');
+    log.dim('Run `technotalim deploy` to ship your site.');
+}

package/dist/commands/login.js

@@ -0,0 +1,174 @@
+// `technotalim login` — OAuth 2.0 Authorization Code + PKCE over a loopback
+// redirect (RFC 8252). Opens the browser to the console consent page, captures
+// the one-time code on a temporary 127.0.0.1 listener, and exchanges it (with
+// the PKCE verifier) for the long-lived cli_token.
+import http from 'http';
+import os from 'os';
+import open from 'open';
+import pc from 'picocolors';
+import { CONFIG } from '../config.js';
+import { genVerifier, challengeFor, genState } from '../pkce.js';
+import { saveCredentials, credentialsPath } from '../credentials.js';
+import { log, fail } from '../util.js';
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+const SUCCESS_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>TechnoTaLim CLI</title><style>body{font-family:system-ui,-apple-system,sans-serif;background:#0b1020;color:#e2e8f0;display:flex;align-items:center;justify-content:center;height:100vh;margin:0}.c{text-align:center;padding:40px}h1{font-size:20px;margin:0 0 8px}p{color:#94a3b8;margin:0}</style></head><body><div class="c"><h1>&#10003; You're signed in</h1><p>You can close this tab and return to your terminal.</p></div></body></html>`;
+const DENY_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>TechnoTaLim CLI</title></head><body style="font-family:system-ui,sans-serif;text-align:center;padding:60px;color:#334155"><h1>Authorization cancelled</h1><p>You can close this tab.</p></body></html>`;
+export async function loginCommand(opts = {}) {
+    if (opts.device)
+        return deviceLogin();
+    const verifier = genVerifier();
+    const challenge = challengeFor(verifier);
+    const state = genState();
+    const deviceLabel = `${os.userInfo().username}@${os.hostname()}`;
+    // Start the loopback listener on a random free port.
+    const server = http.createServer();
+    const port = await new Promise((resolve) => {
+        server.listen(0, '127.0.0.1', () => resolve(server.address().port));
+    });
+    const redirectUri = `http://127.0.0.1:${port}/callback`;
+    const authorizeUrl = new URL(`${CONFIG.apiBase}/cli-authorize`);
+    authorizeUrl.searchParams.set('client_id', CONFIG.clientId);
+    authorizeUrl.searchParams.set('redirect_uri', redirectUri);
+    authorizeUrl.searchParams.set('scope', CONFIG.scope);
+    authorizeUrl.searchParams.set('state', state);
+    authorizeUrl.searchParams.set('code_challenge', challenge);
+    authorizeUrl.searchParams.set('code_challenge_method', 'S256');
+    authorizeUrl.searchParams.set('device_label', deviceLabel);
+    const codePromise = new Promise((resolve, reject) => {
+        const timer = setTimeout(() => reject(new Error('Login timed out after 5 minutes.')), 5 * 60_000);
+        server.on('request', (req, res) => {
+            try {
+                const u = new URL(req.url || '', redirectUri);
+                if (u.pathname !== '/callback') {
+                    res.statusCode = 404;
+                    res.end('Not found');
+                    return;
+                }
+                const err = u.searchParams.get('error');
+                const returnedState = u.searchParams.get('state');
+                const code = u.searchParams.get('code');
+                if (err) {
+                    res.setHeader('Content-Type', 'text/html');
+                    res.end(DENY_HTML);
+                    clearTimeout(timer);
+                    reject(new Error('Authorization was cancelled in the browser.'));
+                    return;
+                }
+                if (returnedState !== state) {
+                    res.statusCode = 400;
+                    res.end('State mismatch');
+                    clearTimeout(timer);
+                    reject(new Error('State mismatch — possible CSRF. Login aborted.'));
+                    return;
+                }
+                if (!code) {
+                    res.statusCode = 400;
+                    res.end('Missing code');
+                    clearTimeout(timer);
+                    reject(new Error('No authorization code returned.'));
+                    return;
+                }
+                res.setHeader('Content-Type', 'text/html');
+                res.end(SUCCESS_HTML);
+                clearTimeout(timer);
+                resolve(code);
+            }
+            catch (e) {
+                res.statusCode = 500;
+                res.end('Error');
+                clearTimeout(timer);
+                reject(e);
+            }
+        });
+    });
+    log.info('\nOpening your browser to authorize…');
+    log.dim(`If it doesn't open, visit:\n${authorizeUrl.toString()}\n`);
+    try {
+        await open(authorizeUrl.toString());
+    }
+    catch {
+        /* the user can copy the URL above */
+    }
+    let code;
+    try {
+        code = await codePromise;
+    }
+    finally {
+        server.close();
+    }
+    // Exchange the code + PKCE verifier for the cli_token.
+    const res = await fetch(`${CONFIG.apiBase}/api/cli/token`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            grant_type: 'authorization_code',
+            client_id: CONFIG.clientId,
+            code,
+            code_verifier: verifier,
+            redirect_uri: redirectUri,
+            device_label: deviceLabel,
+        }),
+    });
+    const data = (await res.json().catch(() => ({})));
+    if (!res.ok || !data.cli_token)
+        fail(data.error || 'Token exchange failed.');
+    saveCredentials({
+        cli_token: data.cli_token,
+        apiBase: CONFIG.apiBase,
+        createdAt: Date.now(),
+    });
+    log.success(`Logged in. Credential saved to ${credentialsPath()} (mode 600).`);
+    log.dim('Run `technotalim sites:list` to see your sites, or `technotalim init` in a project.');
+}
+// Headless / no-browser-redirect login (RFC 8628 device authorization grant).
+async function deviceLogin() {
+    const deviceLabel = `${os.userInfo().username}@${os.hostname()}`;
+    const startRes = await fetch(`${CONFIG.apiBase}/api/cli/device/start`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ client_id: CONFIG.clientId, scope: CONFIG.scope, device_label: deviceLabel }),
+    });
+    const start = (await startRes.json().catch(() => ({})));
+    if (!startRes.ok || !start.device_code)
+        fail(start.error || 'Could not start device login.');
+    log.info('\nTo authorize this device, open:');
+    log.info(`  ${pc.bold(start.verification_uri)}`);
+    log.info(`and enter the code:  ${pc.bold(start.user_code)}\n`);
+    try {
+        if (start.verification_uri_complete)
+            await open(start.verification_uri_complete);
+    }
+    catch {
+        /* user can navigate manually */
+    }
+    const deadline = Date.now() + (start.expires_in || 600) * 1000;
+    let interval = (start.interval || 5) * 1000;
+    log.dim('Waiting for approval…');
+    for (;;) {
+        if (Date.now() > deadline)
+            fail('Device login timed out. Run `technotalim login --device` again.');
+        await sleep(interval);
+        const pollRes = await fetch(`${CONFIG.apiBase}/api/cli/device/poll`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ client_id: CONFIG.clientId, device_code: start.device_code }),
+        });
+        const data = (await pollRes.json().catch(() => ({})));
+        if (pollRes.ok && data.cli_token) {
+            saveCredentials({ cli_token: data.cli_token, apiBase: CONFIG.apiBase, createdAt: Date.now() });
+            log.success(`Logged in. Credential saved to ${credentialsPath()} (mode 600).`);
+            return;
+        }
+        if (data.error === 'authorization_pending')
+            continue;
+        if (data.error === 'slow_down') {
+            interval += 5000;
+            continue;
+        }
+        fail(data.error === 'access_denied'
+            ? 'Authorization was denied.'
+            : data.error === 'expired_token'
+                ? 'The code expired. Run `technotalim login --device` again.'
+                : data.error || 'Login failed.');
+    }
+}

package/dist/commands/logout.js

@@ -0,0 +1,24 @@
+// `technotalim logout` — revoke the cli_token server-side and remove the
+// local credential file.
+import { CONFIG } from '../config.js';
+import { loadCredentials, clearCredentials } from '../credentials.js';
+import { log } from '../util.js';
+export async function logoutCommand() {
+    const c = loadCredentials();
+    if (!c) {
+        log.info('Not logged in.');
+        return;
+    }
+    try {
+        await fetch(`${CONFIG.apiBase}/api/cli/logout`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ cli_token: c.cli_token }),
+        });
+    }
+    catch {
+        // best-effort revoke — still wipe the local copy
+    }
+    clearCredentials();
+    log.success('Logged out. Token revoked and local credential removed.');
+}

package/dist/commands/open.js

@@ -0,0 +1,20 @@
+// `technotalim open` — open the linked site's live URL in the browser.
+import open from 'open';
+import { apiGet } from '../api.js';
+import { loadProject } from '../projectconfig.js';
+import { log, fail } from '../util.js';
+export async function openCommand(opts) {
+    const project = loadProject();
+    if (!project)
+        return fail('No technotalim.json found. Run `technotalim init` first.');
+    const websiteId = project.rc.sites?.[opts.only || 'default'];
+    if (!websiteId)
+        return fail(`No site mapped to "${opts.only || 'default'}".`);
+    const { sites } = await apiGet('/api/cli/sites');
+    const site = sites.find((s) => s.id === websiteId);
+    if (!site || !site.domain)
+        return fail('Could not resolve a live URL for this site yet.');
+    const url = `https://${site.domain}`;
+    log.info(`Opening ${url}`);
+    await open(url);
+}

package/dist/commands/rollback.js

@@ -0,0 +1,36 @@
+// `technotalim rollback [snapshotId]` — restore a previous version of the site.
+import pc from 'picocolors';
+import { apiGet, apiPost } from '../api.js';
+import { loadProject } from '../projectconfig.js';
+import * as prompt from '../prompt.js';
+import { log, fail } from '../util.js';
+export async function rollbackCommand(snapshotId, opts) {
+    const project = loadProject();
+    if (!project)
+        return fail('No technotalim.json found. Run this in your project directory.');
+    const websiteId = project.rc.sites?.[opts.only || 'default'];
+    if (!websiteId)
+        return fail(`No site mapped to "${opts.only || 'default'}".`);
+    const { snapshots, rollbackEnabled } = await apiGet(`/api/cli/snapshots?websiteId=${encodeURIComponent(websiteId)}`);
+    if (!rollbackEnabled)
+        return fail("Rollback isn't available on this site's plan.");
+    if (!snapshots.length)
+        return fail('No restore points available yet.');
+    let id = snapshotId;
+    if (!id) {
+        id = await prompt.select('Choose a restore point:', snapshots.map((s) => ({
+            label: `${new Date(s.ts).toLocaleString()}  ${pc.dim(s.trigger)}  ${pc.dim(s.id)}`,
+            value: s.id,
+        })));
+    }
+    else if (!snapshots.some((s) => s.id === id)) {
+        return fail(`No snapshot "${id}" found.`);
+    }
+    const ok = await prompt.confirm(`Restore snapshot ${id}? This replaces the current live files.`, false);
+    if (!ok) {
+        log.info('Cancelled.');
+        return;
+    }
+    const res = await apiPost('/api/cli/rollback', { websiteId, snapshotId: id });
+    log.success(`Restored → ${res.url}`);
+}

package/dist/commands/sites.js

@@ -0,0 +1,16 @@
+// `technotalim sites:list` — list the hosting sites the account can deploy to.
+import pc from 'picocolors';
+import { apiGet } from '../api.js';
+import { log } from '../util.js';
+export async function sitesCommand() {
+    const { sites } = await apiGet('/api/cli/sites');
+    if (!sites.length) {
+        log.info('No hosting sites found on this account.');
+        return;
+    }
+    for (const s of sites) {
+        const domain = s.domain ? pc.cyan(s.domain) : pc.dim('no domain');
+        const status = s.setup ? '' : pc.yellow(' (setup pending)');
+        log.info(`${pc.bold(s.name)}  ${domain}  ${pc.dim(s.id)}${status}`);
+    }
+}

package/dist/commands/whoami.js

@@ -0,0 +1,7 @@
+// `technotalim whoami` — show the account the CLI is acting as.
+import { apiGet } from '../api.js';
+import { log } from '../util.js';
+export async function whoamiCommand() {
+    const me = await apiGet('/api/cli/whoami');
+    log.info(`Logged in as ${me.email}`);
+}

package/dist/config.js

@@ -0,0 +1,11 @@
+// Static configuration for the TechnoTaLim CLI.
+export const CONFIG = {
+    // Override for local testing against a dev console.
+    apiBase: (process.env.TECHNOTALIM_API_BASE || 'https://console.technotalim.com').replace(/\/+$/, ''),
+    // Public OAuth client id (no secret — security comes from PKCE + loopback).
+    clientId: 'technotalim-cli',
+    scope: 'hosting.deploy',
+    // Env var used to pass a CI token in headless environments.
+    ciTokenEnv: 'TECHNOTALIM_TOKEN',
+    version: '1.3.0',
+};

package/dist/credentials.js

@@ -0,0 +1,43 @@
+// Local credential store: ~/.technotalim/credentials.json, mode 0600.
+// Holds the long-lived cli_token. Never world-readable.
+import { homedir } from 'os';
+import { join } from 'path';
+import { mkdirSync, readFileSync, writeFileSync, existsSync, chmodSync, statSync, rmSync, } from 'fs';
+const DIR = join(homedir(), '.technotalim');
+const FILE = join(DIR, 'credentials.json');
+export function credentialsPath() {
+    return FILE;
+}
+export function saveCredentials(c) {
+    mkdirSync(DIR, { recursive: true, mode: 0o700 });
+    writeFileSync(FILE, JSON.stringify(c, null, 2), { mode: 0o600 });
+    // writeFileSync mode is masked by umask on create — enforce explicitly.
+    chmodSync(FILE, 0o600);
+}
+export function loadCredentials() {
+    if (!existsSync(FILE))
+        return null;
+    // Defence: if the file somehow became group/other-readable, tighten it.
+    try {
+        const st = statSync(FILE);
+        if ((st.mode & 0o077) !== 0)
+            chmodSync(FILE, 0o600);
+    }
+    catch {
+        /* ignore */
+    }
+    try {
+        return JSON.parse(readFileSync(FILE, 'utf8'));
+    }
+    catch {
+        return null;
+    }
+}
+export function clearCredentials() {
+    try {
+        rmSync(FILE, { force: true });
+    }
+    catch {
+        /* ignore */
+    }
+}

package/dist/index.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+// TechnoTaLim CLI entry point.
+import { Command } from 'commander';
+import { CONFIG } from './config.js';
+import { loginCommand } from './commands/login.js';
+import { logoutCommand } from './commands/logout.js';
+import { whoamiCommand } from './commands/whoami.js';
+import { sitesCommand } from './commands/sites.js';
+import { initCommand } from './commands/init.js';
+import { deployCommand } from './commands/deploy.js';
+import { rollbackCommand } from './commands/rollback.js';
+import { deploysListCommand } from './commands/deploys.js';
+import { openCommand } from './commands/open.js';
+import { log } from './util.js';
+function run(fn) {
+    return async () => {
+        try {
+            await fn();
+        }
+        catch (e) {
+            log.error(e.message);
+            process.exit(1);
+        }
+    };
+}
+const program = new Command();
+program
+    .name('technotalim')
+    .description('Deploy your TechnoTaLim-hosted websites from the command line.')
+    .version(CONFIG.version);
+program
+    .command('login')
+    .description('Authorize this machine via your browser')
+    .option('--device', 'Use the device-code flow (no local browser redirect; for SSH/headless)')
+    .action((opts) => run(() => loginCommand(opts))());
+program.command('logout').description('Revoke and remove local credentials').action(run(logoutCommand));
+program.command('whoami').description('Show the signed-in account').action(run(whoamiCommand));
+program
+    .command('sites:list')
+    .alias('sites')
+    .description('List your hosting sites')
+    .action(run(sitesCommand));
+program.command('init').description('Set up technotalim.json + .technotalimrc in this project').action(run(initCommand));
+program
+    .command('deploy')
+    .description('Build and deploy your site to TechnoTaLim hosting')
+    .option('--only <alias>', 'Deploy a specific site alias from .technotalimrc')
+    .option('-m, --message <msg>', 'Annotate this deploy')
+    .option('--force', 'Skip the confirmation prompt (for CI)')
+    .option('--dry-run', 'Show the change plan without deploying')
+    .action((opts) => run(() => deployCommand(opts))());
+program
+    .command('rollback [snapshotId]')
+    .description('Restore a previous version of the site')
+    .option('--only <alias>', 'Site alias from .technotalimrc')
+    .action((snapshotId, opts) => run(() => rollbackCommand(snapshotId, opts))());
+program
+    .command('deploys:list')
+    .alias('deploys')
+    .description('Show recent deploys for the linked site')
+    .option('--only <alias>', 'Site alias from .technotalimrc')
+    .action((opts) => run(() => deploysListCommand(opts))());
+program
+    .command('open')
+    .description('Open the linked site in your browser')
+    .option('--only <alias>', 'Site alias from .technotalimrc')
+    .action((opts) => run(() => openCommand(opts))());
+program.parseAsync(process.argv);

package/dist/pkce.js

@@ -0,0 +1,14 @@
+// PKCE (RFC 7636) + CSRF state helpers for the login flow.
+import { randomBytes, createHash } from 'crypto';
+/** 43-char base64url verifier (256 bits). */
+export function genVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+/** S256 challenge = base64url(sha256(verifier)). */
+export function challengeFor(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
+/** Random anti-CSRF state nonce. */
+export function genState() {
+    return randomBytes(16).toString('base64url');
+}

package/dist/projectconfig.js

@@ -0,0 +1,35 @@
+// Read/write the project files: technotalim.json (build config) and
+// .technotalimrc (site alias → websiteId).
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join, dirname } from 'path';
+export const CONFIG_FILE = 'technotalim.json';
+export const RC_FILE = '.technotalimrc';
+export function findUp(name, start = process.cwd()) {
+    let dir = start;
+    for (;;) {
+        const p = join(dir, name);
+        if (existsSync(p))
+            return p;
+        const parent = dirname(dir);
+        if (parent === dir)
+            return null;
+        dir = parent;
+    }
+}
+export function loadProject() {
+    const cfgPath = findUp(CONFIG_FILE);
+    if (!cfgPath)
+        return null;
+    const root = dirname(cfgPath);
+    const config = JSON.parse(readFileSync(cfgPath, 'utf8'));
+    const rcPath = join(root, RC_FILE);
+    const rc = existsSync(rcPath) ? JSON.parse(readFileSync(rcPath, 'utf8')) : { sites: {} };
+    return { config, rc, root };
+}
+export function writeProject(root, config, rc) {
+    writeFileSync(join(root, CONFIG_FILE), JSON.stringify(config, null, 2) + '\n');
+    writeFileSync(join(root, RC_FILE), JSON.stringify(rc, null, 2) + '\n');
+}
+export function defaultIgnore() {
+    return ['technotalim.json', '.technotalimrc', 'node_modules', '.git', '.DS_Store', '*.log'];
+}

package/dist/prompt.js

@@ -0,0 +1,26 @@
+// Tiny zero-dependency interactive prompts built on Node's readline.
+import { createInterface } from 'readline';
+function ask(question) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => rl.question(question, (a) => { rl.close(); resolve(a); }));
+}
+export async function text(message, def) {
+    const a = (await ask(`${message}${def ? ` (${def})` : ''}: `)).trim();
+    return a || def || '';
+}
+export async function confirm(message, def = false) {
+    const a = (await ask(`${message} ${def ? '[Y/n]' : '[y/N]'} `)).trim().toLowerCase();
+    if (!a)
+        return def;
+    return a === 'y' || a === 'yes';
+}
+export async function select(message, options) {
+    console.log(message);
+    options.forEach((o, i) => console.log(`  ${i + 1}) ${o.label}`));
+    for (;;) {
+        const a = (await ask(`Choose [1-${options.length}]: `)).trim();
+        const n = parseInt(a, 10);
+        if (n >= 1 && n <= options.length)
+            return options[n - 1].value;
+    }
+}

package/dist/upload.js

@@ -0,0 +1,51 @@
+// Stream the changed files to the existing hardened upload service
+// (PUT /api/web-host/files/upload → nginx → Go console-upload). Batched to
+// stay under the service's request-size cap. Reuses the access token.
+import { readFileSync } from 'fs';
+import { basename } from 'path';
+import { CONFIG } from './config.js';
+import { getAccessToken } from './api.js';
+const MAX_BATCH_BYTES = 40 * 1024 * 1024; // 40 MB per request
+const MAX_BATCH_FILES = 80;
+export async function uploadFiles(uid, websiteId, files, onProgress) {
+    const token = await getAccessToken();
+    let done = 0;
+    let i = 0;
+    while (i < files.length) {
+        const batch = [];
+        let bytes = 0;
+        while (i < files.length &&
+            batch.length < MAX_BATCH_FILES &&
+            (batch.length === 0 || bytes + files[i].size <= MAX_BATCH_BYTES)) {
+            batch.push(files[i]);
+            bytes += files[i].size;
+            i++;
+        }
+        const fd = new FormData();
+        fd.set('userId', uid);
+        fd.set('websiteId', websiteId);
+        fd.set('path', '');
+        fd.set('replaceExisting', 'true');
+        fd.set('uploadMode', 'project');
+        batch.forEach((f, idx) => {
+            const buf = readFileSync(f.abs);
+            fd.append(`file-${idx}`, new Blob([buf]), basename(f.rel));
+            fd.append(`file-${idx}-path`, f.rel);
+        });
+        const res = await fetch(`${CONFIG.apiBase}/api/web-host/files/upload`, {
+            method: 'PUT',
+            headers: { Authorization: `Bearer ${token}` },
+            body: fd,
+        });
+        if (!res.ok) {
+            const data = (await res.json().catch(() => ({})));
+            throw new Error(data.error || `Upload failed (HTTP ${res.status})`);
+        }
+        const data = (await res.json());
+        if (Array.isArray(data.failedFiles) && data.failedFiles.length) {
+            throw new Error(`Some files were rejected: ${JSON.stringify(data.failedFiles).slice(0, 300)}`);
+        }
+        done += batch.length;
+        onProgress?.(done, files.length);
+    }
+}

package/dist/util.js

@@ -0,0 +1,12 @@
+import pc from 'picocolors';
+export const log = {
+    info: (m) => console.log(m),
+    success: (m) => console.log(pc.green('✓ ') + m),
+    warn: (m) => console.log(pc.yellow('! ') + m),
+    error: (m) => console.error(pc.red('✗ ') + m),
+    dim: (m) => console.log(pc.dim(m)),
+};
+export function fail(msg) {
+    log.error(msg);
+    process.exit(1);
+}

package/dist/walk.js

@@ -0,0 +1,52 @@
+// Walk a public directory into a deploy manifest, honouring ignore rules and
+// refusing to follow symlinks.
+import { readdirSync, readFileSync, lstatSync } from 'fs';
+import { join, relative, sep } from 'path';
+import { createHash } from 'crypto';
+import ignore from 'ignore';
+export function walkPublicDir(publicDir, ignorePatterns) {
+    const ig = ignore().add(ignorePatterns);
+    const files = [];
+    const recurse = (dir) => {
+        let names;
+        try {
+            names = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const name of names) {
+            const abs = join(dir, name);
+            let lst;
+            try {
+                lst = lstatSync(abs);
+            }
+            catch {
+                continue;
+            }
+            if (lst.isSymbolicLink())
+                continue; // never deploy symlinks
+            const rel = relative(publicDir, abs).split(sep).join('/');
+            if (!rel)
+                continue;
+            if (lst.isDirectory()) {
+                if (ig.ignores(rel) || ig.ignores(rel + '/'))
+                    continue;
+                recurse(abs);
+            }
+            else if (lst.isFile()) {
+                if (ig.ignores(rel))
+                    continue;
+                const buf = readFileSync(abs);
+                files.push({
+                    rel,
+                    abs,
+                    size: buf.length,
+                    sha256: createHash('sha256').update(buf).digest('hex'),
+                });
+            }
+        }
+    };
+    recurse(publicDir);
+    return files;
+}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@technotalim-org/console-cli",
+  "version": "1.3.0",
+  "description": "Deploy your TechnoTaLim-hosted websites from the command line.",
+  "type": "module",
+  "bin": {
+    "technotalim": "dist/index.js",
+    "tt": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "keywords": [
+    "technotalim",
+    "hosting",
+    "deploy",
+    "static-site",
+    "cli"
+  ],
+  "homepage": "https://console.technotalim.com",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/TechnoTaLim/technotalim-cli.git"
+  },
+  "bugs": {
+    "url": "https://github.com/TechnoTaLim/technotalim-cli/issues"
+  },
+  "author": "TechnoTaLim",
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=22.12.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsc -p tsconfig.json --watch",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "commander": "^15.0.0",
+    "ignore": "^7.0.5",
+    "open": "^11.0.0",
+    "picocolors": "^1.1.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "typescript": "^6.0.3"
+  },
+  "license": "UNLICENSED"
+}