@toast-ninja/toast-cli 0.1.1 → 0.1.3

package/README.md

@@ -22,25 +22,38 @@ npm install -g ./packages/toast-cli
 ## Review CI Auth
 
 ```bash
-toast review-ci auth --repo toast-ninja/backend
+toast auth
 ```
 
 The default auth flow opens a browser, completes GitHub auth through Toast, and
-stores a repo-scoped Toast token after the localhost callback returns.
+stores an org-scoped Toast token after the localhost callback returns. When run
+inside a GitHub checkout, `toast auth` infers the org from `origin`.
+
+Use `--org` when authenticating outside a repo or when you need an explicit
+scope:
+
+```bash
+toast auth --org toast-ninja
+```
 
 If browser auth is not available, use GitHub device auth explicitly:
 
 ```bash
-toast review-ci auth --repo toast-ninja/backend --device
+toast auth --device
 ```
 
 For automation or local debugging with an existing GitHub token:
 
 ```bash
-toast review-ci auth --repo toast-ninja/backend --github-token "$GITHUB_TOKEN"
+toast auth --org toast-ninja --github-token "$GITHUB_TOKEN"
 ```
 
-That token must be a user token that can prove active membership in the repo owner org. GitHub Actions' repository `GITHUB_TOKEN` is not a user login token; use `TOAST_TOKEN` in CI.
+That token must be a user token that can prove active membership in the org.
+GitHub Actions' repository `GITHUB_TOKEN` is not a user login token; use
+`TOAST_TOKEN` in CI.
+
+The older `toast review-ci auth --repo OWNER/REPO` command still works as a
+compatibility alias.
 
 ## Review CI
 

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@toast-ninja/toast-cli",
-	"version": "0.1.1",
+	"version": "0.1.3",
 	"description": "Toast CLI for agent CI workflows",
 	"bin": {
 		"toast": "bin/toast.js"

package/src/cli.js

@@ -26,6 +26,7 @@ const REVIEW_CI_SKILL_PATH = path.join(
 	'SKILL.md',
 )
 const REVIEW_CI_COMMANDS = new Set(['review-ci'])
+const AUTH_COMMANDS = new Set(['auth', 'login'])
 
 const sleepDefault = ms =>
 	new Promise(resolve => {
@@ -58,13 +59,107 @@ const parseArgs = args => {
 }
 
 const parseRepo = repoFullName => {
-	const [owner, repo] = String(repoFullName || '').split('/')
+	if (repoFullName === true) throw new Error('Missing --repo')
 
-	if (!owner || !repo) throw new Error('--repo must be OWNER/REPO')
+	const parts = String(repoFullName || '').split('/')
+	const [owner, repo] = parts
+
+	if (parts.length !== 2 || !owner || !repo) {
+		throw new Error('--repo must be OWNER/REPO')
+	}
 
 	return { owner, repo, fullName: `${owner}/${repo}` }
 }
 
+const parseOrg = org => {
+	if (org === true) throw new Error('Missing --org')
+
+	const normalizedOrg = String(org || '').trim()
+
+	if (!normalizedOrg || normalizedOrg.includes('/')) {
+		throw new Error('--org must be a GitHub organization or owner name')
+	}
+
+	return normalizedOrg
+}
+
+const parseGithubRemoteUrl = remoteUrl => {
+	const value = String(remoteUrl || '').trim()
+	const sshMatch = value.match(/^git@github\.com:([^/]+)\/([^/]+?)(?:\.git)?$/)
+
+	if (sshMatch) return parseRepo(`${sshMatch[1]}/${sshMatch[2]}`)
+
+	try {
+		const url = new URL(value)
+
+		if (url.hostname !== 'github.com') return null
+
+		const parts = url.pathname
+			.replace(/^\/+/, '')
+			.replace(/\/+$/, '')
+			.replace(/\.git$/, '')
+			.split('/')
+
+		if (parts.length !== 2) return null
+
+		return parseRepo(`${parts[0]}/${parts[1]}`)
+	} catch (e) {
+		return null
+	}
+}
+
+const getGitRemoteUrlDefault = () =>
+	childProcess
+		.execFileSync('git', ['remote', 'get-url', 'origin'], {
+			encoding: 'utf8',
+			stdio: ['ignore', 'pipe', 'ignore'],
+		})
+		.trim()
+
+const getAuthScope = ({ options, getGitRemoteUrl }) => {
+	const explicitOrg = options.org ? parseOrg(options.org) : null
+	const explicitRepo = options.repo ? parseRepo(options.repo) : null
+
+	if (explicitOrg && explicitRepo && explicitOrg !== explicitRepo.owner) {
+		throw new Error('--org must match --repo owner')
+	}
+
+	if (explicitOrg) {
+		return {
+			org: explicitOrg,
+			...(explicitRepo ? { repo: explicitRepo.fullName } : {}),
+		}
+	}
+
+	if (explicitRepo) {
+		return {
+			org: explicitRepo.owner,
+			repo: explicitRepo.fullName,
+		}
+	}
+
+	let inferredRepo = null
+
+	try {
+		inferredRepo = parseGithubRemoteUrl(getGitRemoteUrl())
+	} catch (e) {
+		inferredRepo = null
+	}
+
+	if (!inferredRepo) {
+		throw new Error('Missing --org (or run from a GitHub repo with origin set)')
+	}
+
+	return {
+		org: inferredRepo.owner,
+	}
+}
+
+const getAuthScopeBody = scope => ({
+	org: scope.org,
+	...(scope.repo ? { repo: scope.repo } : {}),
+})
+
 const requireOption = (options, key) => {
 	if (!options[key]) throw new Error(`Missing --${key}`)
 
@@ -114,12 +209,18 @@ const parseBrowserCallbackAuth = ({ requestUrl, expectedState }) => {
 		token_type: callbackUrl.searchParams.get('token_type'),
 		expires_in: Number(callbackUrl.searchParams.get('expires_in')),
 		github_login: callbackUrl.searchParams.get('github_login'),
+		org: callbackUrl.searchParams.get('org'),
 		repo: callbackUrl.searchParams.get('repo'),
 	}
 
 	if (auth.code) return { code: auth.code }
 
-	if (!auth.token || !auth.github_login || !auth.repo || !auth.expires_in) {
+	if (
+		!auth.token ||
+		!auth.github_login ||
+		(!auth.org && !auth.repo) ||
+		!auth.expires_in
+	) {
 		throw new Error('Review CI auth callback was missing credentials')
 	}
 
@@ -236,9 +337,7 @@ const requestReviewState = async ({
 	const token = getToken({ options, env, config })
 
 	if (!token)
-		throw new Error(
-			'Missing Toast token. Run `toast review-ci auth` or set TOAST_TOKEN.',
-		)
+		throw new Error('Missing Toast token. Run `toast auth` or set TOAST_TOKEN.')
 
 	const requestOptions = {
 		method: 'GET',
@@ -334,9 +433,12 @@ const handleWait = async context => {
 	if (options.interval) parseDurationMs(options.interval)
 	const startedAt = toMillis(context.now())
 
-	while (toMillis(context.now()) - startedAt <= timeoutMs) {
+	while (true) {
 		const elapsedMs = toMillis(context.now()) - startedAt
 		const remainingMs = timeoutMs - elapsedMs
+
+		if (remainingMs <= 0) break
+
 		const waitTimeoutSeconds = Math.max(
 			1,
 			Math.min(DEFAULT_WAIT_REQUEST_SECONDS, Math.ceil(remainingMs / 1000)),
@@ -367,7 +469,12 @@ const handleWait = async context => {
 }
 
 const completeLogin = ({ context, auth, apiUrl }) => {
-	const existingConfig = context.readConfig()
+	const existingConfig = { ...context.readConfig() }
+	const org = auth.org || (auth.repo ? parseRepo(auth.repo).owner : null)
+
+	if (!org) throw new Error('Login response was missing org')
+	delete existingConfig.repo
+
 	const expiresAt = new Date(
 		toMillis(context.now()) + auth.expires_in * 1000,
 	).toISOString()
@@ -375,18 +482,18 @@ const completeLogin = ({ context, auth, apiUrl }) => {
 	context.writeConfig({
 		...existingConfig,
 		apiUrl,
-		repo: auth.repo,
+		org,
 		token: auth.token,
 		githubLogin: auth.github_login,
 		expiresAt,
 	})
-	context.stdout.write(`Authenticated ${auth.github_login} for ${auth.repo}\n`)
+	context.stdout.write(`Authenticated ${auth.github_login} for ${org}\n`)
 	context.stdout.write(
 		'Agent setup: run `toast review-ci instructions --install-codex` to install Review CI guidance.\n',
 	)
 }
 
-const exchangeGithubToken = async ({ context, options, apiUrl, repo }) => {
+const exchangeGithubToken = async ({ context, options, apiUrl, scope }) => {
 	const githubToken =
 		options['github-token'] === true
 			? context.env.GITHUB_TOKEN
@@ -398,7 +505,7 @@ const exchangeGithubToken = async ({ context, options, apiUrl, repo }) => {
 		method: 'POST',
 		url: `${apiUrl}/api/review-ci/auth/github`,
 		body: {
-			repo: repo.fullName,
+			...getAuthScopeBody(scope),
 			github_access_token: githubToken,
 		},
 	})
@@ -410,13 +517,11 @@ const exchangeGithubToken = async ({ context, options, apiUrl, repo }) => {
 	return response.body
 }
 
-const runDeviceLogin = async ({ context, apiUrl, repo }) => {
+const runDeviceLogin = async ({ context, apiUrl, scope }) => {
 	const startResponse = await context.request({
 		method: 'POST',
 		url: `${apiUrl}/api/review-ci/auth/github/device/start`,
-		body: {
-			repo: repo.fullName,
-		},
+		body: getAuthScopeBody(scope),
 	})
 
 	if (startResponse.statusCode >= 400) {
@@ -437,7 +542,7 @@ const runDeviceLogin = async ({ context, apiUrl, repo }) => {
 			method: 'POST',
 			url: `${apiUrl}/api/review-ci/auth/github/device/complete`,
 			body: {
-				repo: repo.fullName,
+				...getAuthScopeBody(scope),
 				device_code: device.device_code,
 			},
 		})
@@ -456,7 +561,7 @@ const runDeviceLogin = async ({ context, apiUrl, repo }) => {
 	throw new Error('Device login timed out')
 }
 
-const runBrowserLogin = async ({ context, apiUrl, repo }) => {
+const runBrowserLogin = async ({ context, apiUrl, scope }) => {
 	const callback = await context.createBrowserCallbackServer()
 
 	try {
@@ -464,9 +569,7 @@ const runBrowserLogin = async ({ context, apiUrl, repo }) => {
 			method: 'POST',
 			url: `${apiUrl}/api/review-ci/auth/github/browser/start`,
 			body: {
-				repo: repo.fullName,
-				owner: repo.owner,
-				repository: repo.repo,
+				...getAuthScopeBody(scope),
 				redirect_uri: callback.redirectUri,
 				state: callback.state,
 			},
@@ -502,6 +605,7 @@ const runBrowserLogin = async ({ context, apiUrl, repo }) => {
 			url: `${apiUrl}/api/review-ci/auth/github/browser/complete`,
 			body: {
 				code: callbackAuth.code,
+				...getAuthScopeBody(scope),
 			},
 		})
 
@@ -520,16 +624,19 @@ const runBrowserLogin = async ({ context, apiUrl, repo }) => {
 const handleAuth = async context => {
 	const config = context.readConfig()
 	const { options } = parseArgs(context.commandArgs || context.argv.slice(3))
-	const repo = parseRepo(requireOption(options, 'repo'))
+	const scope = getAuthScope({
+		options,
+		getGitRemoteUrl: context.getGitRemoteUrl,
+	})
 	const apiUrl = getApiUrl({ options, env: context.env, config })
 	let auth
 
 	if (options['github-token']) {
-		auth = await exchangeGithubToken({ context, options, apiUrl, repo })
+		auth = await exchangeGithubToken({ context, options, apiUrl, scope })
 	} else if (options.device) {
-		auth = await runDeviceLogin({ context, apiUrl, repo })
+		auth = await runDeviceLogin({ context, apiUrl, scope })
 	} else {
-		auth = await runBrowserLogin({ context, apiUrl, repo })
+		auth = await runBrowserLogin({ context, apiUrl, scope })
 	}
 
 	completeLogin({ context, auth, apiUrl })
@@ -569,6 +676,7 @@ const handleInstructions = async context => {
 
 const printHelp = stdout => {
 	stdout.write(`Usage:
+  toast auth [--org ORG] [--device|--github-token TOKEN]
   toast review-ci auth --repo OWNER/REPO [--device|--github-token TOKEN]
   toast review-ci status --repo OWNER/REPO --pr NUMBER --head SHA
   toast review-ci next --repo OWNER/REPO --pr NUMBER --head SHA
@@ -598,6 +706,7 @@ const main = async ({
 	now = () => new Date(),
 	createBrowserCallbackServer = createBrowserCallbackServerDefault,
 	openBrowser = openBrowserDefault,
+	getGitRemoteUrl = getGitRemoteUrlDefault,
 	stdout = process.stdout,
 	stderr = process.stderr,
 }) => {
@@ -611,12 +720,13 @@ const main = async ({
 		now,
 		createBrowserCallbackServer,
 		openBrowser,
+		getGitRemoteUrl,
 		stdout,
 		stderr,
 	}
 
 	try {
-		if (argv[2] === 'login') {
+		if (AUTH_COMMANDS.has(argv[2])) {
 			return await handleAuth({ ...context, commandArgs: argv.slice(3) })
 		}