@tinycloud/cli 0.6.0-beta.8 → 0.6.0

package/dist/index.js

@@ -680,6 +680,11 @@ function buildAuthUrl(did, options = {}) {
   const base = options.openkeyHost ?? DEFAULT_OPENKEY_HOST;
   return `${base}/delegate?${params.toString()}`;
 }
+function shouldOpenBrowser(options) {
+  if (options.noPopup) return false;
+  const env = process.env.TC_AUTH_NO_POPUP ?? process.env.TC_NO_POPUP;
+  return env !== "1" && env !== "true";
+}
 async function callbackFlow(did, options = {}) {
   return new Promise((resolve3, reject) => {
     let timeout;
@@ -750,16 +755,21 @@ async function callbackFlow(did, options = {}) {
       const port = addr.port;
       const callbackUrl = `http://127.0.0.1:${port}/callback`;
       const authUrl = buildAuthUrl(did, { ...options, callback: callbackUrl });
-      if (isInteractive()) {
+      const openBrowser = shouldOpenBrowser(options);
+      if (openBrowser && isInteractive()) {
         console.error(`Opening browser for authentication...`);
         console.error(`If the browser doesn't open, visit: ${authUrl}`);
+      } else if (!openBrowser || isInteractive()) {
+        console.error(`Open this URL in a browser to authenticate: ${authUrl}`);
       }
-      try {
-        const open = (await import("open")).default;
-        await open(authUrl);
-      } catch {
-        server.close();
-        throw new Error("Failed to open browser");
+      if (openBrowser) {
+        try {
+          const open = (await import("open")).default;
+          await open(authUrl);
+        } catch {
+          server.close();
+          throw new Error("Failed to open browser");
+        }
       }
       if (isInteractive()) {
         console.error(`
@@ -816,7 +826,7 @@ Open this URL in a browser to authenticate:
 
 // src/commands/init.ts
 function registerInitCommand(program2) {
-  program2.command("init").description("Initialize a new TinyCloud profile").option("--name <profile>", "Profile name", "default").option("--key-only", "Only generate key, skip authentication").option("--host <url>", "TinyCloud node URL").option("--paste", "Use manual paste mode for authentication").action(async (options, cmd) => {
+  program2.command("init").description("Initialize a new TinyCloud profile").option("--name <profile>", "Profile name", "default").option("--key-only", "Only generate key, skip authentication").option("--host <url>", "TinyCloud node URL").option("--paste", "Use manual paste mode for authentication").option("--no-popup", "Print the OpenKey URL without opening a browser").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const profileName = options.name;
@@ -857,6 +867,7 @@ function registerInitCommand(program2) {
       }
       const delegationData = await startAuthFlow(did, {
         paste: options.paste,
+        noPopup: options.popup === false,
         jwk,
         host
       });
@@ -1366,7 +1377,7 @@ async function promptAuthMethod() {
 }
 function registerAuthCommand(program2) {
   const auth = program2.command("auth").description("Authentication management");
-  auth.command("login").description("Authenticate with TinyCloud").option("--paste", "Use manual paste mode instead of browser callback").option("--method <method>", "Authentication method: local or openkey").action(async (options, cmd) => {
+  auth.command("login").description("Authenticate with TinyCloud").option("--paste", "Use manual paste mode instead of browser callback").option("--no-popup", "Print the OpenKey URL without opening a browser").option("--method <method>", "Authentication method: local or openkey").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
@@ -1386,7 +1397,10 @@ function registerAuthCommand(program2) {
       if (method === "local") {
         await handleLocalAuth(ctx.profile, ctx.host);
       } else {
-        await handleOpenKeyAuth(ctx.profile, ctx.host, options.paste);
+        await handleOpenKeyAuth(ctx.profile, ctx.host, {
+          paste: options.paste,
+          noPopup: options.popup === false
+        });
       }
     } catch (error) {
       handleError(error);
@@ -1402,6 +1416,18 @@ function registerAuthCommand(program2) {
       handleError(error);
     }
   });
+  auth.command("rotate").description("Rotate the active profile session key").option("--paste", "Use manual paste mode instead of browser callback").option("--no-popup", "Print the OpenKey URL without opening a browser").action(async (options, cmd) => {
+    try {
+      const globalOpts = cmd.optsWithGlobals();
+      const ctx = await ProfileManager.resolveContext(globalOpts);
+      await rotateAuthKey(ctx.profile, ctx.host, {
+        paste: options.paste,
+        noPopup: options.popup === false
+      });
+    } catch (error) {
+      handleError(error);
+    }
+  });
   auth.command("status").description("Show current authentication state").action(async (_options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
@@ -1459,7 +1485,7 @@ function registerAuthCommand(program2) {
   ).option("--permission <file>", 'JSON permission request: { "permissions": PermissionEntry[] }').option("--manifest <fileOrBase64>", "Manifest file, base64:<json>, or raw base64 JSON").option(
     "--expiry <duration>",
     `Lifetime of the granted delegation. ms-format string (e.g. "7d", "30m") or raw milliseconds. Defaults to 7d, capped by the active session's expiry.`
-  ).option("--emit [file]", "Emit the request artifact to stdout, or write it to file when provided").option("--grant", "Grant the requested permissions immediately with this owner profile").option("--yes", "Skip local-key TTY confirmation", false).action(async (options, cmd) => {
+  ).option("--emit [file]", "Emit the request artifact to stdout, or write it to file when provided").option("--grant", "Grant the requested permissions immediately with this owner profile").option("--yes", "Skip local-key TTY confirmation", false).option("--no-popup", "Print the OpenKey URL without opening a browser when granting with OpenKey").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
@@ -1504,7 +1530,8 @@ function registerAuthCommand(program2) {
             host: ctx.host,
             permissions: group,
             openkeyHost,
-            expiry: expiryOption
+            expiry: expiryOption,
+            noPopup: options.popup === false
           });
           const delegation = portableFromOpenKeyDelegation(delegationData, group, ctx.host);
           const stored = storedAdditionalDelegation(delegation, group);
@@ -1920,7 +1947,7 @@ function normalizePortableDelegation(delegation) {
   return { ...delegation, expiry };
 }
 async function ensureDelegationAuthority(params) {
-  if (params.node.hasRuntimePermissions(params.requested)) return;
+  if (!params.force && params.node.hasRuntimePermissions(params.requested)) return;
   if (params.profile.authMethod === "openkey") {
     const key = await ProfileManager.getKey(params.ctx.profile);
     if (!key) {
@@ -2086,13 +2113,20 @@ function groupPermissionsBySpace(permissions) {
 function isRawPermission(permission) {
   return permission.service === "tinycloud.encryption" && permission.path.startsWith("urn:tinycloud:encryption:");
 }
+function returnedSpaceMatchesExpected(returnedSpace, expectedSpace) {
+  if (returnedSpace === expectedSpace) return true;
+  if (!returnedSpace.startsWith("tinycloud:")) return false;
+  const returnedName = returnedSpace.slice(returnedSpace.lastIndexOf(":") + 1);
+  return returnedName === expectedSpace;
+}
 function portableFromOpenKeyDelegation(data, permissions, host) {
   const primary = permissions.find((permission) => !isRawPermission(permission)) ?? permissions[0];
   const returnedSpace = String(data.spaceId ?? primary.space ?? "encryption");
   const expectedSpaces = new Set(
     permissions.filter((permission) => !isRawPermission(permission)).map((permission) => permission.space)
   );
-  if (expectedSpaces.size > 0 && (expectedSpaces.size !== 1 || !expectedSpaces.has(returnedSpace))) {
+  const matchesExpectedSpace = expectedSpaces.size === 1 && returnedSpaceMatchesExpected(returnedSpace, Array.from(expectedSpaces)[0]);
+  if (expectedSpaces.size > 0 && !matchesExpectedSpace) {
     throw new CLIError(
       "OPENKEY_SCOPE_MISMATCH",
       `OpenKey returned delegation for ${returnedSpace}, expected ${Array.from(expectedSpaces).join(", ")}.`,
@@ -2108,7 +2142,7 @@ function portableFromOpenKeyDelegation(data, permissions, host) {
     actions: primary.actions,
     resources: permissions.map((permission) => ({
       service: permission.service.startsWith("tinycloud.") ? permission.service.slice("tinycloud.".length) : permission.service,
-      space: permission.space,
+      space: isRawPermission(permission) ? permission.space : returnedSpace,
       path: permission.path,
       actions: [...permission.actions]
     })),
@@ -2127,16 +2161,75 @@ function inferDelegationExpiry(data) {
   }
   return new Date(Date.now() + 60 * 60 * 1e3);
 }
-async function handleLocalAuth(profileName, host) {
+async function rotateAuthKey(profileName, host, options = {}) {
+  const profile = await ProfileManager.getProfile(profileName);
+  const posture = resolveProfilePosture(profile);
+  const oldDid = profile.sessionDid ?? profile.did;
+  if (posture === "delegate-session") {
+    throw new CLIError(
+      "ROTATE_DELEGATE_SESSION_UNSUPPORTED",
+      `Profile "${profileName}" is a delegated session. Request or import a new owner delegation instead of rotating it locally.`,
+      ExitCode.PERMISSION_DENIED
+    );
+  }
+  if (profile.authMethod === "local" || posture === "local-owner-key") {
+    if (!profile.privateKey) {
+      throw new CLIError(
+        "LOCAL_OWNER_KEY_REQUIRED",
+        `Profile "${profileName}" does not have a local owner private key. Run \`tc auth login --method local\` first.`,
+        ExitCode.AUTH_REQUIRED
+      );
+    }
+    await ProfileManager.clearSession(profileName);
+    const result2 = await handleLocalAuth(profileName, host, {
+      emitOutput: false,
+      forceSessionKey: true
+    });
+    outputRotationResult(result2.profile, profileName, oldDid, "local");
+    return;
+  }
+  const { jwk, did } = await withSpinner("Generating session key...", async () => {
+    return generateKey();
+  });
+  await ProfileManager.setKey(profileName, jwk);
+  await ProfileManager.clearSession(profileName);
+  await ProfileManager.setProfile(profileName, {
+    ...profile,
+    host,
+    did,
+    sessionDid: did,
+    posture: profile.posture ?? "owner-openkey",
+    operatorType: profile.operatorType ?? "human",
+    authMethod: "openkey"
+  });
+  const result = await refreshOpenKeySession(profileName, host, {
+    paste: options.paste,
+    noPopup: options.noPopup
+  });
+  outputRotationResult(result.profile, profileName, oldDid, "openkey");
+}
+function outputRotationResult(profile, profileName, oldDid, authMethod) {
+  outputJson({
+    rotated: true,
+    profile: profileName,
+    oldDid,
+    did: profile.did,
+    sessionDid: profile.sessionDid ?? null,
+    authMethod,
+    spaceId: profile.spaceId ?? null
+  });
+}
+async function handleLocalAuth(profileName, host, options = {}) {
   const profile = await ProfileManager.getProfile(profileName).catch(() => null);
+  const posture = profile ? resolveProfilePosture(profile) : null;
   let privateKey;
   let address;
   let did;
   let sessionDid = profile?.sessionDid;
-  if (profile?.authMethod === "local" && profile.privateKey && profile.address) {
+  if ((profile?.authMethod === "local" || posture === "local-owner-key") && profile.privateKey) {
     privateKey = profile.privateKey;
-    address = profile.address;
-    did = profile.did;
+    address = profile.address ?? await deriveAddress(privateKey);
+    did = profile.did.startsWith("did:pkh:") ? profile.did : addressToDID(address, profile.chainId ?? DEFAULT_CHAIN_ID);
     if (isInteractive()) {
       process.stderr.write(theme.muted("Using existing local key") + "\n");
       process.stderr.write(formatField("Address", address) + "\n");
@@ -2155,7 +2248,7 @@ async function handleLocalAuth(profileName, host) {
     }
   }
   const hasKey = await ProfileManager.getKey(profileName);
-  if (!hasKey) {
+  if (options.forceSessionKey || !hasKey) {
     const { jwk, did: generatedSessionDid } = await withSpinner("Generating session key...", async () => {
       return generateKey();
     });
@@ -2180,7 +2273,7 @@ async function handleLocalAuth(profileName, host) {
     signature: sessionResult.signature
   });
   sessionDid = sessionResult.verificationMethod;
-  await ProfileManager.setProfile(profileName, {
+  const updatedProfile = {
     ...profile,
     name: profileName,
     host,
@@ -2196,19 +2289,23 @@ async function handleLocalAuth(profileName, host) {
     authMethod: "local",
     privateKey,
     address
-  });
-  outputJson({
-    authenticated: true,
-    profile: profileName,
-    did,
-    sessionDid,
-    address,
-    spaceId: sessionResult.spaceId,
-    authMethod: "local"
-  });
+  };
+  await ProfileManager.setProfile(profileName, updatedProfile);
+  if (options.emitOutput ?? true) {
+    outputJson({
+      authenticated: true,
+      profile: profileName,
+      did,
+      sessionDid,
+      address,
+      spaceId: sessionResult.spaceId,
+      authMethod: "local"
+    });
+  }
+  return { profile: updatedProfile, sessionResult };
 }
-async function handleOpenKeyAuth(profileName, host, paste) {
-  const { profile, delegationData } = await refreshOpenKeySession(profileName, host, { paste });
+async function handleOpenKeyAuth(profileName, host, options = {}) {
+  const { profile, delegationData } = await refreshOpenKeySession(profileName, host, options);
   outputJson({
     authenticated: true,
     profile: profileName,
@@ -2229,6 +2326,7 @@ async function refreshOpenKeySession(profileName, host, options = {}) {
   const profile = await ProfileManager.getProfile(profileName);
   const delegationData = await startAuthFlow(profile.did, {
     paste: options.paste,
+    noPopup: options.noPopup,
     jwk: key,
     host,
     openkeyHost: resolveOpenKeyHost(profile)
@@ -2259,14 +2357,19 @@ async function readStdin2() {
   }
   return Buffer.concat(chunks);
 }
+async function kvHandle(node, spaceInput, profileName) {
+  const spaceUri = await resolveSpaceUri(spaceInput, profileName);
+  return spaceUri ? node.kvForSpace(spaceUri) : node.kv;
+}
 function registerKvCommand(program2) {
   const kv = program2.command("kv").description("Key-value store operations");
-  kv.command("get <key>").description("Get a value by key").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").action(async (key, options, cmd) => {
+  kv.command("get <key>").description("Get a value by key").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").option("--space <name|uri>", "Target a non-primary space (short name or full URI)").action(async (key, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
-      const result = await withSpinner(`Getting ${key}...`, () => node.kv.get(key));
+      const kv2 = await kvHandle(node, options.space, ctx.profile);
+      const result = await withSpinner(`Getting ${key}...`, () => kv2.get(key));
       if (!result.ok) {
         if (result.error.code === "KV_NOT_FOUND" || result.error.code === "NOT_FOUND") {
           throw new CLIError("NOT_FOUND", `Key "${key}" not found`, ExitCode.NOT_FOUND);
@@ -2347,13 +2450,14 @@ function registerKvCommand(program2) {
       handleError(error);
     }
   });
-  kv.command("list").description("List keys").option("--prefix <prefix>", "Filter by key prefix").action(async (options, cmd) => {
+  kv.command("list").description("List keys").option("--prefix <prefix>", "Filter by key prefix").option("--space <name|uri>", "Target a non-primary space (short name or full URI)").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
+      const kv2 = await kvHandle(node, options.space, ctx.profile);
       const listOptions = options.prefix ? { prefix: options.prefix } : void 0;
-      const result = await withSpinner("Listing keys...", () => node.kv.list(listOptions));
+      const result = await withSpinner("Listing keys...", () => kv2.list(listOptions));
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2381,12 +2485,13 @@ function registerKvCommand(program2) {
       handleError(error);
     }
   });
-  kv.command("head <key>").description("Get metadata for a key (no body)").action(async (key, _options, cmd) => {
+  kv.command("head <key>").description("Get metadata for a key (no body)").option("--space <name|uri>", "Target a non-primary space (short name or full URI)").action(async (key, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
-      const result = await withSpinner(`Checking ${key}...`, () => node.kv.head(key));
+      const kv2 = await kvHandle(node, options.space, ctx.profile);
+      const result = await withSpinner(`Checking ${key}...`, () => kv2.head(key));
       if (!result.ok) {
         if (result.error.code === "KV_NOT_FOUND" || result.error.code === "NOT_FOUND") {
           outputJson({ key, exists: false, metadata: {} });
@@ -2978,7 +3083,7 @@ _tc_completions() {
   commands="init auth kv space delegation share node profile completion"
 
   case "\${COMP_WORDS[1]}" in
-    auth) subcommands="login logout status whoami" ;;
+    auth) subcommands="login logout rotate status whoami" ;;
     kv) subcommands="get put delete list head" ;;
     space) subcommands="list create info switch" ;;
     delegation) subcommands="create list info revoke" ;;
@@ -3028,7 +3133,7 @@ _tc() {
       ;;
     args)
       case $words[1] in
-        auth) _values 'subcommand' login logout status whoami ;;
+        auth) _values 'subcommand' login logout rotate status whoami ;;
         kv) _values 'subcommand' get put delete list head ;;
         space) _values 'subcommand' list create info switch ;;
         delegation) _values 'subcommand' create list info revoke ;;
@@ -3063,7 +3168,7 @@ complete -c tc -n "not __fish_seen_subcommand_from $commands" -a profile -d "Pro
 complete -c tc -n "not __fish_seen_subcommand_from $commands" -a completion -d "Generate shell completions"
 
 # Subcommands
-complete -c tc -n "__fish_seen_subcommand_from auth" -a "login logout status whoami"
+complete -c tc -n "__fish_seen_subcommand_from auth" -a "login logout rotate status whoami"
 complete -c tc -n "__fish_seen_subcommand_from kv" -a "get put delete list head"
 complete -c tc -n "__fish_seen_subcommand_from space" -a "list create info switch"
 complete -c tc -n "__fish_seen_subcommand_from delegation" -a "create list info revoke"
@@ -3262,6 +3367,12 @@ import {
   resolveSecretPath
 } from "@tinycloud/node-sdk";
 var SECRETS_SPACE = "secrets";
+var SECRET_KV_ABILITIES = {
+  get: "tinycloud.kv/get",
+  put: "tinycloud.kv/put",
+  del: "tinycloud.kv/del",
+  list: "tinycloud.kv/list"
+};
 async function readStdin4() {
   const chunks = [];
   for await (const chunk of process.stdin) {
@@ -3295,7 +3406,7 @@ async function ensureSecretsNode(ctx, options) {
   return ensureAuthenticated(ctx, auth);
 }
 async function runSecretOperation(params) {
-  const first = await withSpinner(params.label, params.operation);
+  const first = await runSecretOperationAttempt(params.label, params.operation);
   if (first.ok || !shouldRequestSecretPermissions(first.error)) {
     return first;
   }
@@ -3317,10 +3428,20 @@ async function runSecretOperation(params) {
       node: params.node,
       requested,
       expiryOption: void 0,
-      yes: true
+      yes: true,
+      force: true
     })
   );
-  return withSpinner(params.label, params.operation);
+  return runSecretOperationAttempt(params.label, params.operation);
+}
+async function runSecretOperationAttempt(label, operation) {
+  try {
+    return await withSpinner(label, operation);
+  } catch (error) {
+    const permissionError = thrownPermissionError(error);
+    if (permissionError) return permissionError;
+    throw error;
+  }
 }
 function canRequestOwnerPermissions(profile) {
   const posture = resolveProfilePosture(profile);
@@ -3330,6 +3451,21 @@ function shouldRequestSecretPermissions(error) {
   if (error.code !== "PERMISSION_DENIED") return false;
   return /permission|session expired|autosign|capabilit/i.test(error.message);
 }
+function thrownPermissionError(error) {
+  const record = error;
+  const message = typeof record?.message === "string" ? record.message : String(error);
+  const code = typeof record?.code === "string" ? record.code : "PERMISSION_DENIED";
+  if (code !== "PERMISSION_DENIED" && !/permission|session expired|autosign|capabilit/i.test(message)) {
+    return null;
+  }
+  return {
+    ok: false,
+    error: {
+      code: "PERMISSION_DENIED",
+      message
+    }
+  };
+}
 function isStoredSessionExpired(session) {
   const record = session;
   const direct = parseDate(record.expiresAt ?? record.expiry ?? record.expirationTime);
@@ -3347,20 +3483,23 @@ function parseDate(value) {
   const date = new Date(value);
   return Number.isNaN(date.getTime()) ? null : date;
 }
+function secretKvAbility(action) {
+  return SECRET_KV_ABILITIES[action];
+}
 function secretPermissionEntries(params) {
   const path = params.action === "list" ? resolveSecretListPrefix(params.options) : resolveSecretPath(params.name ?? "", params.options).permissionPaths.vault;
   const permissions = [{
     service: "tinycloud.kv",
     space: SECRETS_SPACE,
     path,
-    actions: [params.action],
+    actions: [secretKvAbility(params.action)],
     skipPrefix: true
   }];
   if (params.action === "get") {
     permissions.push({
       service: "tinycloud.encryption",
       path: params.node.getDefaultEncryptionNetworkId(),
-      actions: ["decrypt"],
+      actions: ["tinycloud.encryption/decrypt"],
       skipPrefix: true
     });
   }
@@ -3435,7 +3574,7 @@ function registerSecretsCommand(program2) {
       handleError(error);
     }
   });
-  secrets.command("get <name>").description("Get a secret value").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
+  secrets.command("get <name>").description("Get a secret value").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--raw", "Output raw value (no JSON wrapping)").option("--value-only", "Output only the secret value (alias for --raw)").option("-o, --output <file>", "Write value to file").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
@@ -3462,7 +3601,7 @@ function registerSecretsCommand(program2) {
         outputJson({ name, written: options.output });
         return;
       }
-      if (options.raw) {
+      if (options.raw || options.valueOnly) {
         process.stdout.write(value);
         return;
       }