@toolrelay/cli 1.0.0

package/README.md

@@ -0,0 +1,461 @@
+# @toolrelay/cli
+
+CLI for [ToolRelay](https://toolrelay.io) — define your API tools in a `toolrelay.json` config file, validate it, serve a local MCP server, and deploy to the cloud. Every tool call produces a detailed audit trace.
+
+## Quick start
+
+```bash
+# Interactive wizard — walks you through app and tools
+npx @toolrelay/cli init
+
+# Or skip prompts with a starter template
+npx @toolrelay/cli init --yes
+
+# Validate config
+npx @toolrelay/cli validate toolrelay.json
+
+# Start a local MCP server for Claude Desktop
+npx @toolrelay/cli serve toolrelay.json
+
+# Deploy to ToolRelay
+npx @toolrelay/cli login
+npx @toolrelay/cli publish toolrelay.json
+```
+
+## Config file format (`toolrelay.json`)
+
+The `init` wizard generates this file for you, or you can create it manually:
+
+```json
+{
+  "app": {
+    "name": "My API",
+    "base_url": "http://localhost:3000",
+    "auth_type": "static_token",
+    "auth_config": { "token": "my-dev-key" }
+  },
+  "tools": [
+    {
+      "name": "get_user",
+      "description": "Get a user by ID",
+      "http_method": "GET",
+      "endpoint_path": "/api/users/{id}",
+      "parameter_mapping": [
+        { "name": "id", "type": "string", "required": true, "target": "path", "description": "The user ID" }
+      ]
+    }
+  ]
+}
+```
+
+> **Tip:** `description` on both tools and parameters is how AI agents understand what your API does. Always include clear descriptions — they directly affect how well agents use your tools.
+
+### Environment variable interpolation
+
+Use `${VAR_NAME}` syntax to reference environment variables in any string field. This keeps secrets out of your config file:
+
+```json
+{
+  "app": {
+    "base_url": "${API_BASE_URL}",
+    "auth_type": "static_token",
+    "auth_config": { "token": "${API_TOKEN}" }
+  }
+}
+```
+
+```bash
+export API_BASE_URL=http://localhost:3000
+export API_TOKEN=my-secret-key
+npx @toolrelay/cli serve toolrelay.json
+```
+
+If a referenced variable is missing, the CLI fails with a clear error listing the missing variable names. This works for `base_url`, `auth_config` values, `headers_template`, and any other string field.
+
+### Auth types
+
+| `auth_type` | `auth_config` fields | Description |
+|---|---|---|
+| `none` | — | No authentication |
+| `static_token` | `{ "token": "..." }` | Bearer token in Authorization header |
+| `api_key_relay` | `{ "header_name": "X-API-Key" }` | Consumer API keys relayed to backend |
+| `custom_header` | `{ "headers": { "X-Custom": "value" } }` | Custom headers with static values |
+| `oauth2` | `{ "authorize_url", "token_url", "client_id"?, "client_secret"?, "scopes"?, "use_pkce"? }` | OAuth 2.0 authorization code flow (see [OAuth2 section](#oauth2-local-testing)) |
+
+### Parameter mapping
+
+Each parameter in `parameter_mapping` specifies:
+
+| Field | Required | Description |
+|---|---|---|
+| `name` | yes | Parameter name (what the AI agent sends) |
+| `type` | yes | `string`, `number`, `boolean`, `object`, or `array` |
+| `required` | yes | Whether the parameter is required |
+| `target` | yes | Where the parameter goes: `path`, `query`, `body`, or `header` |
+| `backend_key` | no | Backend field name if different from `name` |
+| `default` | no | Default value when not provided |
+| `description` | no | Human-readable description (shown to AI agents) |
+
+#### Path parameters
+
+Path parameters replace `{placeholder}` segments in the `endpoint_path`. The parameter `name` (or `backend_key` if set) must match the placeholder name.
+
+```json
+{
+  "name": "create-order",
+  "http_method": "POST",
+  "endpoint_path": "/api/customers/{customer_id}/orders",
+  "parameter_mapping": [
+    { "name": "customer_id", "type": "string", "required": true, "target": "path" }
+  ]
+}
+```
+
+Agent sends `{ "customer_id": "cust_42" }` → request goes to `/api/customers/cust_42/orders`.
+
+#### Query parameters
+
+Query parameters are appended as `?key=value` to the URL. Use `backend_key` when the backend expects a different name than what the agent sends, and `default` for optional filters.
+
+```json
+{
+  "name": "search_products",
+  "http_method": "GET",
+  "endpoint_path": "/api/products",
+  "parameter_mapping": [
+    { "name": "query", "type": "string", "required": true, "target": "query", "backend_key": "q" },
+    { "name": "category", "type": "string", "required": false, "target": "query" },
+    { "name": "page", "type": "number", "required": false, "target": "query", "default": 1 },
+    { "name": "limit", "type": "number", "required": false, "target": "query", "default": 20 }
+  ]
+}
+```
+
+Agent sends `{ "query": "bluetooth speaker", "category": "electronics" }` → request goes to `/api/products?q=bluetooth+speaker&category=electronics&page=1&limit=20`.
+
+#### Body parameters
+
+Body parameters are sent as JSON in the request body. Use dot-notation in `backend_key` to create nested objects (e.g., `address.city` becomes `{ "address": { "city": "..." } }`).
+
+```json
+{
+  "name": "create_contact",
+  "http_method": "POST",
+  "endpoint_path": "/api/contacts",
+  "parameter_mapping": [
+    { "name": "name", "type": "string", "required": true, "target": "body" },
+    { "name": "email", "type": "string", "required": true, "target": "body" },
+    { "name": "phone", "type": "string", "required": false, "target": "body" },
+    { "name": "city", "type": "string", "required": false, "target": "body", "backend_key": "address.city" },
+    { "name": "state", "type": "string", "required": false, "target": "body", "backend_key": "address.state" },
+    { "name": "tags", "type": "array", "required": false, "target": "body", "default": [] }
+  ]
+}
+```
+
+Agent sends `{ "name": "Alice", "email": "alice@example.com", "city": "Austin", "state": "TX" }` → request body becomes:
+
+```json
+{
+  "name": "Alice",
+  "email": "alice@example.com",
+  "address": { "city": "Austin", "state": "TX" },
+  "tags": []
+}
+```
+
+#### Mixing targets
+
+A single tool can combine path, query, body, and header parameters:
+
+```json
+{
+  "name": "update_item",
+  "http_method": "PUT",
+  "endpoint_path": "/api/items/{item_id}",
+  "parameter_mapping": [
+    { "name": "item_id", "type": "string", "required": true, "target": "path" },
+    { "name": "dry_run", "type": "boolean", "required": false, "target": "query", "default": false },
+    { "name": "title", "type": "string", "required": true, "target": "body" },
+    { "name": "price", "type": "number", "required": true, "target": "body" },
+    { "name": "idempotency_key", "type": "string", "required": false, "target": "header", "backend_key": "Idempotency-Key" }
+  ]
+}
+```
+
+Agent sends `{ "item_id": "abc", "title": "Widget", "price": 9.99, "idempotency_key": "req-1" }` → `PUT /api/items/abc?dry_run=false` with body `{ "title": "Widget", "price": 9.99 }` and header `Idempotency-Key: req-1`.
+
+## Commands
+
+### `init` — Generate a config file
+
+```bash
+npx @toolrelay/cli init              # Interactive wizard
+npx @toolrelay/cli init --yes        # Starter template (no prompts)
+```
+
+Walks you through configuring your app (name, base URL, auth type) and defining tools (endpoints, parameters).
+
+### `validate` — Check config
+
+```bash
+npx @toolrelay/cli validate toolrelay.json
+```
+
+Validates the config without making any HTTP calls. Catches:
+
+- **Schema errors**: Missing required fields, invalid enum values, malformed URLs
+- **Path parameter mismatches**: `{placeholder}` in `endpoint_path` without a matching `target: "path"` parameter (and vice versa)
+- **Auth config**: Required fields per auth type (e.g., `token` for `static_token`, `authorize_url` for `oauth2`)
+
+Run this in CI to catch config issues before deploying.
+
+### `serve` — Local MCP server
+
+```bash
+npx @toolrelay/cli serve toolrelay.json
+npx @toolrelay/cli serve toolrelay.json --port 8787
+```
+
+Starts a local MCP Streamable HTTP server that Claude Desktop (or any MCP client) can connect to. Every `tools/call` produces a full audit trace in your terminal.
+
+| Option | Description |
+|---|---|
+| `--base-url <url>` | Override `base_url` from config |
+| `-p, --port <number>` | Port to listen on (default: 8787) |
+| `-v, --verbose` | Show response headers and extra detail |
+
+On startup it prints the Claude Desktop config snippet:
+
+```json
+{
+  "mcpServers": {
+    "my-api": {
+      "url": "http://localhost:8787/mcp"
+    }
+  }
+}
+```
+
+The server implements the full MCP Streamable HTTP protocol (`initialize`, `tools/list`, `tools/call`, `ping`, SSE, session management).
+
+**Endpoints:**
+
+| Endpoint | Description |
+|---|---|
+| `POST /mcp` | MCP JSON-RPC endpoint |
+| `GET /mcp` | SSE stream (with `Mcp-Session-Id` header) |
+| `GET /health` | Health check (tool count, call count, OAuth status) |
+| `GET /timeline` | Call timeline as JSON |
+| `GET /oauth/start` | Trigger OAuth flow (OAuth2 apps only) |
+| `GET /oauth/status` | Check OAuth state (OAuth2 apps only) |
+
+**Call timeline:** Every tool invocation is tracked with sequence numbers, timestamps, arguments, status, latency, and the gap between calls (how long the AI spent "thinking"). On shutdown (Ctrl+C), a formatted timeline and audit summary are printed.
+
+**Session persistence:** Sessions are saved to `.toolrelay/sessions/` on shutdown. Browse them with `toolrelay ui`.
+
+### `ui` — Session viewer
+
+```bash
+npx @toolrelay/cli ui
+npx @toolrelay/cli ui --port 8788 --no-open
+```
+
+Opens a local web UI to browse past `serve` sessions. Inspect call timelines, drill into individual tool calls to see parameter resolution, request/response bodies, diagnostics, and errors.
+
+| Option | Description |
+|---|---|
+| `-p, --port <number>` | Port to listen on (default: 8788) |
+| `--no-open` | Don't auto-open the browser |
+
+### `login` — Authenticate with ToolRelay
+
+```bash
+npx @toolrelay/cli login
+```
+
+Opens your browser to sign in to [toolrelay.io](https://toolrelay.io). On success, your credentials are saved to `~/.toolrelay/credentials.json` (file mode `0600`).
+
+For CI/CD pipelines, set the `TOOLRELAY_DEPLOY_TOKEN` environment variable instead — it takes priority over the credentials file.
+
+### `logout` — Clear saved credentials
+
+```bash
+npx @toolrelay/cli logout
+```
+
+Removes `~/.toolrelay/credentials.json`. Does not revoke the token server-side.
+
+### `whoami` — Show current user
+
+```bash
+npx @toolrelay/cli whoami
+```
+
+Prints the authenticated user's email, name, and account tier. Useful for verifying which account the CLI is using.
+
+### `publish` — Deploy to ToolRelay
+
+```bash
+npx @toolrelay/cli publish toolrelay.json
+npx @toolrelay/cli publish toolrelay.json --dry-run
+npx @toolrelay/cli publish toolrelay.json --prune
+```
+
+Deploys your `toolrelay.json` config to the ToolRelay platform. The command is **idempotent** — it creates the app and tools on first run, then updates only what changed on subsequent runs.
+
+| Option | Description |
+|---|---|
+| `--dry-run` | Show what would change without making any API calls |
+| `--prune` | Delete remote tools that are no longer in the config file |
+
+**How it works:**
+
+1. Validates your config for production readiness (see [Pre-publish checks](#pre-publish-checks) below)
+2. Authenticates using `TOOLRELAY_DEPLOY_TOKEN` (env var) or `~/.toolrelay/credentials.json` (from `login`)
+3. Matches your local app to a remote app by slug (derived from `app.name`)
+4. Creates the app if it doesn't exist, or updates it if the config changed
+5. Syncs tools — creates new ones, updates changed ones, and optionally prunes removed ones
+6. Auto-publishes the app if it hasn't been published yet
+
+**What you get after publishing:**
+
+- A hosted MCP endpoint at `https://proxy.toolrelay.io/mcp/<your-slug>` — connect any AI agent
+- An API portal at `https://toolrelay.io/portal/<your-slug>` — consumers can request API keys
+- Auto-generated OpenAPI spec, SKILL.md, and landing page
+
+**Tier limits** are enforced by the API. If your plan doesn't support the number of apps or tools you're deploying, the command will fail with a clear error message.
+
+#### Pre-publish checks
+
+Before making any API calls, `publish` validates your config to catch common mistakes:
+
+| Check | Severity | Description |
+|---|---|---|
+| Localhost / private IP | Error | `base_url` cannot point to `localhost`, `127.0.0.1`, `192.168.*`, etc. |
+| HTTP base URL | Warning | Production APIs should use HTTPS |
+| Missing tool descriptions | Warning | AI agents rely on descriptions to pick the right tool |
+| OAuth2 required fields | Error | `authorize_url` and `token_url` must be set (`client_id`/`client_secret` are optional for public client PKCE) |
+| OAuth2 localhost URLs | Error | OAuth URLs must be publicly reachable |
+| Missing static token | Error | `static_token` auth requires a `token` in `auth_config` |
+| Duplicate tool names | Error | Each tool must have a unique name |
+
+Errors block the deploy. Warnings are printed but don't prevent publishing.
+
+**Authentication:**
+
+| Method | Use case |
+|---|---|
+| `toolrelay login` | Local development — opens browser, saves credentials to `~/.toolrelay/` |
+| `TOOLRELAY_DEPLOY_TOKEN` | CI/CD — set as environment variable, takes priority over credentials file |
+
+Generate a deploy token at **[toolrelay.io/dashboard/settings](https://toolrelay.io/dashboard/settings)** (Settings > Deploy Tokens). The token is shown once — copy it and store it as a CI secret.
+
+**Environment variables:**
+
+| Variable | Description |
+|---|---|
+| `TOOLRELAY_DEPLOY_TOKEN` | Deploy token for authentication (takes priority over credentials file) |
+| `TOOLRELAY_API_URL` | Override the API endpoint (default: `https://api.toolrelay.io`) |
+
+## OAuth2 local testing
+
+When your app uses `auth_type: "oauth2"`, the `serve` command runs a full browser-based OAuth2 authorization code flow locally.
+
+```json
+{
+  "app": {
+    "name": "My OAuth API",
+    "base_url": "http://localhost:3000",
+    "auth_type": "oauth2",
+    "auth_config": {
+      "authorize_url": "https://provider.com/oauth/authorize",
+      "token_url": "https://provider.com/oauth/token",
+      "client_id": "${OAUTH_CLIENT_ID}",
+      "client_secret": "${OAUTH_CLIENT_SECRET}",
+      "scopes": "read write"
+    }
+  },
+  "tools": [...]
+}
+```
+
+**How it works:**
+
+1. On startup, a temporary HTTP server starts on a random port for the OAuth callback
+2. Your browser opens to the upstream provider's authorize URL (with PKCE by default)
+3. After you authorize, the provider redirects to `http://localhost:<port>/callback`
+4. The CLI exchanges the authorization code for access/refresh tokens
+5. Tokens are stored in memory — every tool call gets `Authorization: Bearer <token>` injected automatically
+6. If the access token expires and a refresh token is available, it's refreshed automatically
+
+**Important:** Register `http://localhost` (any port) as an allowed redirect URI in your OAuth provider's settings.
+
+If the browser can't auto-open (headless environments, SSH), the authorize URL is printed to the terminal. You can also manually trigger the flow at any time via `GET /oauth/start`.
+
+### Disabling PKCE
+
+PKCE (Proof Key for Code Exchange) is enabled by default. Some providers — like AWS Cognito configured as a confidential client, or certain custom OAuth servers — may reject the extra `code_challenge` / `code_verifier` parameters. Set `"use_pkce": false` in `auth_config` to disable it:
+
+```json
+{
+  "app": {
+    "name": "Cognito API",
+    "base_url": "https://api.example.com",
+    "auth_type": "oauth2",
+    "auth_config": {
+      "authorize_url": "https://mypool.auth.us-east-1.amazoncognito.com/oauth2/authorize",
+      "token_url": "https://mypool.auth.us-east-1.amazoncognito.com/oauth2/token",
+      "client_id": "${COGNITO_CLIENT_ID}",
+      "client_secret": "${COGNITO_CLIENT_SECRET}",
+      "scopes": "openid profile",
+      "use_pkce": false
+    }
+  },
+  "tools": [...]
+}
+```
+
+| Provider | PKCE support | Recommendation |
+|---|---|---|
+| Auth0 | Yes | Leave default (`use_pkce: true`) |
+| Supabase | Yes (default since 2024) | Leave default |
+| Okta | Yes | Leave default |
+| Google | Yes | Leave default |
+| AWS Cognito (public client) | Yes | Leave default |
+| AWS Cognito (confidential client) | May reject PKCE | Set `"use_pkce": false` |
+| Custom OAuth servers | Varies | Try default first; set `false` if you get errors about unknown parameters |
+
+## Local to production
+
+The typical workflow:
+
+```
+1. toolrelay init          → Generate toolrelay.json
+2. toolrelay serve         → Test locally with Claude Desktop
+3. (iterate on config)
+4. toolrelay login          → Authenticate with toolrelay.io
+5. toolrelay publish        → Deploy to production
+```
+
+Once published, your app gets:
+
+- **Hosted MCP endpoint** (`/mcp/<slug>`) — any AI agent can connect
+- **Consumer portal** (`/portal/<slug>`) — API key self-service for developers
+- **Auto-generated docs** — OpenAPI spec, SKILL.md, landing page
+- **Usage analytics** — call volume, latency, error rates per tool
+- **Rate limiting and caching** — per-consumer, per-tier controls
+
+Sign up at [toolrelay.io](https://toolrelay.io) to get started.
+
+### File locations
+
+| Path | Purpose |
+|---|---|
+| `toolrelay.json` | Your app + tool config (project root, committed to git) |
+| `.toolrelay/sessions/` | Local MCP session logs (project-local, auto-gitignored) |
+| `~/.toolrelay/credentials.json` | Login credentials (home directory, mode `0600`) |
+
+## License
+
+Proprietary — see LICENSE for details.

package/dist/api-client-7MTO2YNV.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+export { ToolRelayApiClient } from './chunk-3LR6JESE.js';
+//# sourceMappingURL=api-client-7MTO2YNV.js.map
+//# sourceMappingURL=api-client-7MTO2YNV.js.map

package/dist/api-client-7MTO2YNV.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"api-client-7MTO2YNV.js"}

package/dist/auth-flow-VQXXGXIV.js

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+import { getApiUrl, saveCredentials } from './chunk-CTTPIXB3.js';
+import { ToolRelayApiClient } from './chunk-3LR6JESE.js';
+import { createServer } from 'http';
+import crypto from 'crypto';
+import { exec } from 'child_process';
+
+var BOLD = "\x1B[1m";
+var DIM = "\x1B[2m";
+var RESET = "\x1B[0m";
+var GREEN = "\x1B[32m";
+function openBrowser(url) {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? 'start ""' : "xdg-open";
+  exec(`${cmd} "${url}"`, (err) => {
+    if (err) {
+      console.log(`
+${DIM}Could not open browser automatically.${RESET}`);
+      console.log(`${DIM}Open this URL in your browser:${RESET}
+`);
+      console.log(`  ${url}
+`);
+    }
+  });
+}
+async function loginFlow() {
+  const apiUrl = getApiUrl();
+  const webUrl = process.env.TOOLRELAY_WEB_URL || apiUrl.replace(/\/\/api\./, "//");
+  return new Promise((resolve, reject) => {
+    const state = crypto.randomBytes(16).toString("hex");
+    let server;
+    const timeout = setTimeout(() => {
+      server?.close();
+      reject(new Error("Login timed out after 5 minutes. Try again."));
+    }, 5 * 60 * 1e3);
+    server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost`);
+      if (url.pathname === "/callback") {
+        const token = url.searchParams.get("token");
+        const returnedState = url.searchParams.get("state");
+        const error = url.searchParams.get("error");
+        if (error) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end("<html><body><h2>Login failed</h2><p>You can close this tab.</p></body></html>");
+          clearTimeout(timeout);
+          server.close();
+          reject(new Error(`Login failed: ${error}`));
+          return;
+        }
+        if (!token || returnedState !== state) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end("<html><body><h2>Invalid callback</h2><p>Missing token or state mismatch.</p></body></html>");
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end("<html><body><h2>Logged in!</h2><p>You can close this tab and return to your terminal.</p></body></html>");
+        clearTimeout(timeout);
+        server.close();
+        verifyAndSave(token, apiUrl).then(resolve).catch(reject);
+      } else {
+        res.writeHead(404);
+        res.end();
+      }
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const port = server.address().port;
+      const callbackUrl = `http://localhost:${port}/callback`;
+      const loginUrl = `${webUrl}/cli-auth?callback=${encodeURIComponent(callbackUrl)}&state=${state}`;
+      console.log(`
+${BOLD}Opening browser to log in...${RESET}
+`);
+      openBrowser(loginUrl);
+      if (!process.stdout.isTTY) {
+        console.log(`${DIM}Open this URL to log in:${RESET}`);
+        console.log(`  ${loginUrl}
+`);
+      }
+      console.log(`${DIM}Waiting for authentication...${RESET}`);
+    });
+    server.on("error", (err) => {
+      clearTimeout(timeout);
+      reject(err);
+    });
+  });
+}
+async function verifyAndSave(token, apiUrl) {
+  const client = new ToolRelayApiClient({ token, api_url: apiUrl, source: "env" });
+  const user = await client.whoami();
+  saveCredentials({
+    token,
+    email: user.email,
+    api_url: apiUrl,
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  console.log(`
+${GREEN}\u2713${RESET} Logged in as ${BOLD}${user.email}${RESET} (${user.tier} tier)`);
+  console.log(`${DIM}Credentials saved to ~/.toolrelay/credentials.json${RESET}
+`);
+  return { email: user.email, token };
+}
+
+export { loginFlow };
+//# sourceMappingURL=auth-flow-VQXXGXIV.js.map
+//# sourceMappingURL=auth-flow-VQXXGXIV.js.map

package/dist/auth-flow-VQXXGXIV.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth-flow.ts"],"names":[],"mappings":";;;;;;;AAQA,IAAM,IAAA,GAAO,SAAA;AACb,IAAM,GAAA,GAAM,SAAA;AACZ,IAAM,KAAA,GAAQ,SAAA;AACd,IAAM,KAAA,GAAQ,UAAA;AAKd,SAAS,YAAY,GAAA,EAAmB;AACtC,EAAA,MAAM,GAAA,GACJ,QAAQ,QAAA,KAAa,QAAA,GACjB,SACA,OAAA,CAAQ,QAAA,KAAa,UACnB,UAAA,GACA,UAAA;AAER,EAAA,IAAA,CAAK,GAAG,GAAG,CAAA,EAAA,EAAK,GAAG,CAAA,CAAA,CAAA,EAAK,CAAC,GAAA,KAAQ;AAC/B,IAAA,IAAI,GAAA,EAAK;AACP,MAAA,OAAA,CAAQ,GAAA,CAAI;AAAA,EAAK,GAAG,CAAA,qCAAA,EAAwC,KAAK,CAAA,CAAE,CAAA;AACnE,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAG,GAAG,CAAA,8BAAA,EAAiC,KAAK;AAAA,CAAI,CAAA;AAC5D,MAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,GAAG;AAAA,CAAI,CAAA;AAAA,IAC1B;AAAA,EACF,CAAC,CAAA;AACH;AAUA,eAAsB,SAAA,GAAuD;AAC3E,EAAA,MAAM,SAAS,SAAA,EAAU;AAIzB,EAAA,MAAM,SAAS,OAAA,CAAQ,GAAA,CAAI,qBACtB,MAAA,CAAO,OAAA,CAAQ,aAAa,IAAI,CAAA;AAErC,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,IAAA,MAAM,QAAQ,MAAA,CAAO,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AACnD,IAAA,IAAI,MAAA;AAEJ,IAAA,MAAM,OAAA,GAAU,WAAW,MAAM;AAC/B,MAAA,MAAA,EAAQ,KAAA,EAAM;AACd,MAAA,MAAA,CAAO,IAAI,KAAA,CAAM,6CAA6C,CAAC,CAAA;AAAA,IACjE,CAAA,EAAG,CAAA,GAAI,EAAA,GAAK,GAAI,CAAA;AAEhB,IAAA,MAAA,GAAS,YAAA,CAAa,CAAC,GAAA,EAAK,GAAA,KAAQ;AAClC,MAAA,MAAM,MAAM,IAAI,GAAA,CAAI,GAAA,CAAI,GAAA,IAAO,KAAK,CAAA,gBAAA,CAAkB,CAAA;AAEtD,MAAA,IAAI,GAAA,CAAI,aAAa,WAAA,EAAa;AAChC,QAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC1C,QAAA,MAAM,aAAA,GAAgB,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAClD,QAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAE1C,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,UAAA,GAAA,CAAI,IAAI,+EAA+E,CAAA;AACvF,UAAA,YAAA,CAAa,OAAO,CAAA;AACpB,UAAA,MAAA,CAAO,KAAA,EAAM;AACb,UAAA,MAAA,CAAO,IAAI,KAAA,CAAM,CAAA,cAAA,EAAiB,KAAK,EAAE,CAAC,CAAA;AAC1C,UAAA;AAAA,QACF;AAEA,QAAA,IAAI,CAAC,KAAA,IAAS,aAAA,KAAkB,KAAA,EAAO;AACrC,UAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,UAAA,GAAA,CAAI,IAAI,4FAA4F,CAAA;AACpG,UAAA;AAAA,QACF;AAEA,QAAA,GAAA,CAAI,SAAA,CAAU,GAAA,EAAK,EAAE,cAAA,EAAgB,aAAa,CAAA;AAClD,QAAA,GAAA,CAAI,IAAI,yGAAyG,CAAA;AAEjH,QAAA,YAAA,CAAa,OAAO,CAAA;AACpB,QAAA,MAAA,CAAO,KAAA,EAAM;AAGb,QAAA,aAAA,CAAc,OAAO,MAAM,CAAA,CACxB,KAAK,OAAO,CAAA,CACZ,MAAM,MAAM,CAAA;AAAA,MACjB,CAAA,MAAO;AACL,QAAA,GAAA,CAAI,UAAU,GAAG,CAAA;AACjB,QAAA,GAAA,CAAI,GAAA,EAAI;AAAA,MACV;AAAA,IACF,CAAC,CAAA;AAED,IAAA,MAAA,CAAO,MAAA,CAAO,CAAA,EAAG,WAAA,EAAa,MAAM;AAClC,MAAA,MAAM,IAAA,GAAQ,MAAA,CAAO,OAAA,EAAQ,CAAuB,IAAA;AACpD,MAAA,MAAM,WAAA,GAAc,oBAAoB,IAAI,CAAA,SAAA,CAAA;AAC5C,MAAA,MAAM,QAAA,GAAW,GAAG,MAAM,CAAA,mBAAA,EAAsB,mBAAmB,WAAW,CAAC,UAAU,KAAK,CAAA,CAAA;AAE9F,MAAA,OAAA,CAAQ,GAAA,CAAI;AAAA,EAAK,IAAI,+BAA+B,KAAK;AAAA,CAAI,CAAA;AAC7D,MAAA,WAAA,CAAY,QAAQ,CAAA;AAEpB,MAAA,IAAI,CAAC,OAAA,CAAQ,MAAA,CAAO,KAAA,EAAO;AACzB,QAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAG,GAAG,CAAA,wBAAA,EAA2B,KAAK,CAAA,CAAE,CAAA;AACpD,QAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,QAAQ;AAAA,CAAI,CAAA;AAAA,MAC/B;AAEA,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAG,GAAG,CAAA,6BAAA,EAAgC,KAAK,CAAA,CAAE,CAAA;AAAA,IAC3D,CAAC,CAAA;AAED,IAAA,MAAA,CAAO,EAAA,CAAG,OAAA,EAAS,CAAC,GAAA,KAAQ;AAC1B,MAAA,YAAA,CAAa,OAAO,CAAA;AACpB,MAAA,MAAA,CAAO,GAAG,CAAA;AAAA,IACZ,CAAC,CAAA;AAAA,EACH,CAAC,CAAA;AACH;AAEA,eAAe,aAAA,CAAc,OAAe,MAAA,EAA2D;AACrG,EAAA,MAAM,MAAA,GAAS,IAAI,kBAAA,CAAmB,EAAE,OAAO,OAAA,EAAS,MAAA,EAAQ,MAAA,EAAQ,KAAA,EAAO,CAAA;AAE/E,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,MAAA,EAAO;AAEjC,EAAA,eAAA,CAAgB;AAAA,IACd,KAAA;AAAA,IACA,OAAO,IAAA,CAAK,KAAA;AAAA,IACZ,OAAA,EAAS,MAAA;AAAA,IACT,UAAA,EAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACpC,CAAA;AAED,EAAA,OAAA,CAAQ,GAAA,CAAI;AAAA,EAAK,KAAK,CAAA,MAAA,EAAI,KAAK,CAAA,cAAA,EAAiB,IAAI,CAAA,EAAG,IAAA,CAAK,KAAK,CAAA,EAAG,KAAK,CAAA,EAAA,EAAK,IAAA,CAAK,IAAI,CAAA,MAAA,CAAQ,CAAA;AAC/F,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAG,GAAG,CAAA,kDAAA,EAAqD,KAAK;AAAA,CAAI,CAAA;AAEhF,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,CAAK,KAAA,EAAO,KAAA,EAAM;AACpC","file":"auth-flow-VQXXGXIV.js","sourcesContent":["import { createServer } from 'node:http';\nimport type { Server } from 'node:http';\nimport crypto from 'node:crypto';\nimport { exec } from 'node:child_process';\nimport { saveCredentials, getApiUrl } from './credentials.js';\nimport { ToolRelayApiClient } from './api-client.js';\n\n// ANSI helpers\nconst BOLD = '\\x1b[1m';\nconst DIM = '\\x1b[2m';\nconst RESET = '\\x1b[0m';\nconst GREEN = '\\x1b[32m';\nconst RED = '\\x1b[31m';\n\n// ─── Browser opener (reused from oauth-handler) ─────────────────────────────\n\nfunction openBrowser(url: string): void {\n  const cmd =\n    process.platform === 'darwin'\n      ? 'open'\n      : process.platform === 'win32'\n        ? 'start \"\"'\n        : 'xdg-open';\n\n  exec(`${cmd} \"${url}\"`, (err) => {\n    if (err) {\n      console.log(`\\n${DIM}Could not open browser automatically.${RESET}`);\n      console.log(`${DIM}Open this URL in your browser:${RESET}\\n`);\n      console.log(`  ${url}\\n`);\n    }\n  });\n}\n\n// ─── Login flow ─────────────────────────────────────────────────────────────\n\n/**\n * Starts a local HTTP server, opens the ToolRelay login page in the browser,\n * and waits for the callback with a JWT token.\n *\n * The web dashboard redirects to: http://localhost:<port>/callback?token=<jwt>\n */\nexport async function loginFlow(): Promise<{ email: string; token: string }> {\n  const apiUrl = getApiUrl();\n  // Derive the web (frontend) URL by stripping the \"api.\" subdomain.\n  // TOOLRELAY_WEB_URL is a dev-only override for local development\n  // where the API runs on a plain localhost port.\n  const webUrl = process.env.TOOLRELAY_WEB_URL\n    || apiUrl.replace(/\\/\\/api\\./, '//');\n\n  return new Promise((resolve, reject) => {\n    const state = crypto.randomBytes(16).toString('hex');\n    let server: Server;\n\n    const timeout = setTimeout(() => {\n      server?.close();\n      reject(new Error('Login timed out after 5 minutes. Try again.'));\n    }, 5 * 60 * 1000);\n\n    server = createServer((req, res) => {\n      const url = new URL(req.url ?? '/', `http://localhost`);\n\n      if (url.pathname === '/callback') {\n        const token = url.searchParams.get('token');\n        const returnedState = url.searchParams.get('state');\n        const error = url.searchParams.get('error');\n\n        if (error) {\n          res.writeHead(200, { 'Content-Type': 'text/html' });\n          res.end('<html><body><h2>Login failed</h2><p>You can close this tab.</p></body></html>');\n          clearTimeout(timeout);\n          server.close();\n          reject(new Error(`Login failed: ${error}`));\n          return;\n        }\n\n        if (!token || returnedState !== state) {\n          res.writeHead(400, { 'Content-Type': 'text/html' });\n          res.end('<html><body><h2>Invalid callback</h2><p>Missing token or state mismatch.</p></body></html>');\n          return;\n        }\n\n        res.writeHead(200, { 'Content-Type': 'text/html' });\n        res.end('<html><body><h2>Logged in!</h2><p>You can close this tab and return to your terminal.</p></body></html>');\n\n        clearTimeout(timeout);\n        server.close();\n\n        // Verify the token works and get user info\n        verifyAndSave(token, apiUrl)\n          .then(resolve)\n          .catch(reject);\n      } else {\n        res.writeHead(404);\n        res.end();\n      }\n    });\n\n    server.listen(0, '127.0.0.1', () => {\n      const port = (server.address() as { port: number }).port;\n      const callbackUrl = `http://localhost:${port}/callback`;\n      const loginUrl = `${webUrl}/cli-auth?callback=${encodeURIComponent(callbackUrl)}&state=${state}`;\n\n      console.log(`\\n${BOLD}Opening browser to log in...${RESET}\\n`);\n      openBrowser(loginUrl);\n\n      if (!process.stdout.isTTY) {\n        console.log(`${DIM}Open this URL to log in:${RESET}`);\n        console.log(`  ${loginUrl}\\n`);\n      }\n\n      console.log(`${DIM}Waiting for authentication...${RESET}`);\n    });\n\n    server.on('error', (err) => {\n      clearTimeout(timeout);\n      reject(err);\n    });\n  });\n}\n\nasync function verifyAndSave(token: string, apiUrl: string): Promise<{ email: string; token: string }> {\n  const client = new ToolRelayApiClient({ token, api_url: apiUrl, source: 'env' });\n\n  const user = await client.whoami();\n\n  saveCredentials({\n    token,\n    email: user.email,\n    api_url: apiUrl,\n    created_at: new Date().toISOString(),\n  });\n\n  console.log(`\\n${GREEN}✓${RESET} Logged in as ${BOLD}${user.email}${RESET} (${user.tier} tier)`);\n  console.log(`${DIM}Credentials saved to ~/.toolrelay/credentials.json${RESET}\\n`);\n\n  return { email: user.email, token };\n}\n"]}

package/dist/chunk-3LR6JESE.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+// src/api-client.ts
+var ToolRelayApiClient = class {
+  baseUrl;
+  token;
+  constructor(auth) {
+    this.baseUrl = auth.api_url.replace(/\/$/, "");
+    this.token = auth.token;
+  }
+  // ─── Auth ───────────────────────────────────────────────────────────
+  async whoami() {
+    return this.request("GET", "/api/auth/me");
+  }
+  // ─── Apps ───────────────────────────────────────────────────────────
+  async listApps() {
+    return this.request("GET", "/api/apps");
+  }
+  async getApp(appId) {
+    return this.request("GET", `/api/apps/${appId}`);
+  }
+  async createApp(body) {
+    return this.request("POST", "/api/apps", body);
+  }
+  async updateApp(appId, body) {
+    return this.request("PUT", `/api/apps/${appId}`, body);
+  }
+  async publishApp(appId) {
+    return this.request("POST", `/api/apps/${appId}/publish`);
+  }
+  // ─── Tools ──────────────────────────────────────────────────────────
+  async listTools(appId) {
+    return this.request("GET", `/api/apps/${appId}/tools`);
+  }
+  async createTool(appId, body) {
+    return this.request("POST", `/api/apps/${appId}/tools`, body);
+  }
+  async updateTool(appId, toolId, body) {
+    return this.request("PUT", `/api/apps/${appId}/tools/${toolId}`, body);
+  }
+  async deleteTool(appId, toolId) {
+    await this.request("DELETE", `/api/apps/${appId}/tools/${toolId}`);
+  }
+  // ─── HTTP ───────────────────────────────────────────────────────────
+  async request(method, path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const headers = {
+      "Authorization": `Bearer ${this.token}`,
+      "Content-Type": "application/json",
+      "User-Agent": "toolrelay-cli/0.1.0"
+    };
+    const response = await fetch(url, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!response.ok) {
+      let errorMessage;
+      try {
+        const errorBody = await response.json();
+        errorMessage = errorBody.error || errorBody.message || response.statusText;
+      } catch {
+        errorMessage = response.statusText;
+      }
+      const err = {
+        status: response.status,
+        message: errorMessage
+      };
+      throw err;
+    }
+    const text = await response.text();
+    if (!text) return {};
+    return JSON.parse(text);
+  }
+};
+
+export { ToolRelayApiClient };
+//# sourceMappingURL=chunk-3LR6JESE.js.map
+//# sourceMappingURL=chunk-3LR6JESE.js.map