@united-robotics/cli 0.4.0 → 0.4.2

package/dist/index.js

@@ -2,9 +2,9 @@
 
 // src/index.ts
 import { Command } from "commander";
-import { mkdirSync, readFileSync, writeFileSync } from "fs";
-import { homedir } from "os";
-import { join } from "path";
+import { chmodSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "fs";
+import { homedir, tmpdir } from "os";
+import { basename, join } from "path";
 import { spawnSync } from "child_process";
 var configDir = join(homedir(), ".united-robotics");
 var configPath = join(configDir, "config.json");
@@ -40,27 +40,59 @@ program.command("team").argument("<cmd>").action(async (cmd) => {
 });
 var project = program.command("project");
 project.command("ls").option("--team <teamId>").action(async (opts) => console.log(JSON.stringify(await api(`/api/projects${opts.team ? `?team=${encodeURIComponent(opts.team)}` : ""}`), null, 2)));
-project.command("show").argument("<projectId>").action(async (projectId) => console.log(JSON.stringify({ projectId, repos: await api(`/api/projects/${projectId}/repos`) }, null, 2)));
-project.command("clone").argument("<projectId>").option("--dest <path>").action(async (projectId, opts) => {
-  const repos = await api(`/api/projects/${projectId}/repos`);
+project.command("show").argument("<projectId>").action(async (projectId) => console.log(JSON.stringify({ projectId, repos: await projectRepos(projectId) }, null, 2)));
+project.command("clone").argument("<projectId>").option("--dest <path>").option("--no-submodules", "clone primary repo only").option("--name <name>", "Git user.name for Vercel-compatible commits", "exis[ai]").option("--email <email>", "Git user.email for Vercel-compatible commits", "gotexis@gmail.com").action(async (projectId, opts) => {
+  const repos = await projectRepos(projectId);
   const primary = repos.find((r) => r.kind === "primary") ?? repos[0];
   if (!primary) throw new Error("No repo found");
-  const args = ["clone", "--recurse-submodules", primary.url];
-  if (opts.dest) args.push(opts.dest);
-  const child = spawnSync("git", args, { stdio: "inherit" });
-  process.exit(child.status ?? 1);
+  const token = await projectGithubToken(projectId);
+  const credentials = createGitAskpass(token.token);
+  try {
+    const dest = opts.dest;
+    const cloneArgs = ["clone", primary.url];
+    if (dest) cloneArgs.push(dest);
+    runGit(cloneArgs, { cwd: process.cwd(), env: credentials.env, authHint: true });
+    const worktree = dest ?? repoDirName(primary.url);
+    configureGitIdentity(worktree, opts.name, opts.email, credentials.env);
+    if (opts.submodules) initProjectWorktree(worktree, opts.name, opts.email, credentials.env);
+    printCloneSuccess(projectId, worktree, token);
+  } finally {
+    credentials.cleanup();
+  }
+});
+project.command("init").argument("<projectId>").option("--cwd <path>", "workspace path", process.cwd()).option("--name <name>", "Git user.name for Vercel-compatible commits", "exis[ai]").option("--email <email>", "Git user.email for Vercel-compatible commits", "gotexis@gmail.com").action(async (projectId, opts) => {
+  const token = await projectGithubToken(projectId);
+  const credentials = createGitAskpass(token.token);
+  try {
+    initProjectWorktree(opts.cwd, opts.name, opts.email, credentials.env);
+    console.log(`Initialized ${projectId} workspace at ${opts.cwd}`);
+    printDetachedHeadNotice();
+  } finally {
+    credentials.cleanup();
+  }
 });
 program.command("repo").argument("<cmd>").argument("<projectId>").action(async (cmd, projectId) => {
   if (cmd !== "ls") throw new Error("supported: ur repo ls <projectId>");
-  console.log(JSON.stringify(await api(`/api/projects/${projectId}/repos`), null, 2));
+  console.log(JSON.stringify(await projectRepos(projectId), null, 2));
+});
+var git = program.command("git").description("Git helpers for tenant workspaces");
+git.command("identity").option("--name <name>", "Git user.name", "exis[ai]").option("--email <email>", "Git user.email", "gotexis@gmail.com").option("--global", "write global git config instead of current repo").option("--recursive", "also apply to initialized submodules").action((opts) => {
+  if (opts.global) {
+    runGit(["config", "--global", "user.name", opts.name], { cwd: process.cwd() });
+    runGit(["config", "--global", "user.email", opts.email], { cwd: process.cwd() });
+  } else {
+    configureGitIdentity(process.cwd(), opts.name, opts.email);
+    if (opts.recursive) configureSubmoduleIdentities(process.cwd(), opts.name, opts.email);
+  }
+  console.log(`Configured git committer identity: ${opts.name} <${opts.email}>`);
 });
 var github = program.command("github");
-github.command("token").option("--project <projectId>", "project id", "skinspirit-main").option("--repo <repo>", "repo id, name, full name, or URL within the project").option("--json", "emit full JSON").action(async (opts) => {
+github.command("token").option("--project <projectId>", "project id", "skinspirit-main").option("--repo <repo>", "repo id, name, full name, or URL within the project").option("--json", "emit full JSON").option("--redact", "redact token in JSON output").action(async (opts) => {
   const result = await api(`/api/projects/${opts.project}/github-token`, {
     method: "POST",
     body: JSON.stringify(opts.repo ? { repo: opts.repo } : {})
   });
-  if (opts.json) console.log(JSON.stringify(result, null, 2));
+  if (opts.json) console.log(JSON.stringify(opts.redact ? redactTokenResponse(result) : result, null, 2));
   else console.log(result.token);
 });
 var vercel = program.command("vercel").description("Tenant-scoped Vercel CI/CD status via United Robotics broker");
@@ -77,9 +109,91 @@ program.command("cicd").description("Alias for tenant-scoped CI/CD deployment st
   const params = new URLSearchParams({ limit: opts.limit });
   console.log(JSON.stringify(await api(`/api/projects/${opts.project}/vercel/deployments?${params.toString()}`), null, 2));
 });
-program.command("codex").argument("<cmd>").option("--project <projectId>", "project id", "skinspirit-main").action((cmd, opts) => {
+program.command("codex").argument("<cmd>").option("--project <projectId>", "project id", "skinspirit-main").option("--include-token", "include the currently stored PAT in the generated prompt").action((cmd, opts) => {
   if (cmd !== "onboard") throw new Error("supported: ur codex onboard");
   const cfg = load();
-  console.log(`Establish new agent workspace by globally installing \`@united-robotics/cli\` module (ensuring there is a working node, nvm and git) and authenticate using token "ur login --token ${cfg.token ?? "<TOKEN>"}". Then run \`ur project ls\`, \`ur project clone ${opts.project}\`, and when GitHub write access is needed use \`ur github token --project ${opts.project}\` for a short-lived GitHub App token. Use that project as codex project base from now on, and familiarize yourself.`);
+  const loginToken = opts.includeToken ? cfg.token ?? "<TOKEN>" : "<TOKEN>";
+  console.log(`Establish new agent workspace by globally installing \`@united-robotics/cli\` module (ensuring there is a working node, nvm and git) and authenticate using token "ur login --token ${loginToken}". Then run \`ur project ls\` and \`ur project clone ${opts.project}\`; clone now internally obtains the short-lived project-wide GitHub token, initializes private submodules, and applies the Vercel-compatible git identity. When GitHub write access is needed manually, use \`ur github token --project ${opts.project}\` for a short-lived GitHub App token, but avoid printing that token in logs unless necessary. Use that project as codex project base from now on, and familiarize yourself.`);
 });
 program.parseAsync();
+async function projectRepos(projectId) {
+  return await api(`/api/projects/${projectId}/repos`);
+}
+async function projectGithubToken(projectId) {
+  return await api(`/api/projects/${projectId}/github-token`, { method: "POST", body: JSON.stringify({}) });
+}
+function createGitAskpass(token) {
+  const dir = mkdtempSync(join(tmpdir(), "ur-git-credentials-"));
+  const askpass = join(dir, "askpass.sh");
+  writeFileSync(askpass, `#!/bin/sh
+case "$1" in
+  *Username*) printf '%s\\n' 'x-access-token' ;;
+  *Password*) printf '%s\\n' '${shellSingleQuoteSafe(token)}' ;;
+  *) printf '\\n' ;;
+esac
+`, { mode: 448 });
+  chmodSync(askpass, 448);
+  return {
+    env: { ...process.env, GIT_ASKPASS: askpass, GIT_TERMINAL_PROMPT: "0" },
+    cleanup: () => rmSync(dir, { recursive: true, force: true })
+  };
+}
+function initProjectWorktree(worktree, name, email, env = process.env) {
+  configureGitIdentity(worktree, name, email, env);
+  runGit(["submodule", "sync", "--recursive"], { cwd: worktree, env, authHint: true, allowFailure: true });
+  runGit(["submodule", "update", "--init", "--recursive"], { cwd: worktree, env, authHint: true });
+  configureSubmoduleIdentities(worktree, name, email, env);
+  printDetachedHeadNotice();
+}
+function configureGitIdentity(cwd, name, email, env = process.env) {
+  runGit(["config", "--local", "user.name", name], { cwd, env });
+  runGit(["config", "--local", "user.email", email], { cwd, env });
+}
+function configureSubmoduleIdentities(worktree, name, email, env = process.env) {
+  const result = runGit(["submodule", "foreach", "--recursive", `git config --local user.name '${shellSingleQuoteSafe(name)}' && git config --local user.email '${shellSingleQuoteSafe(email)}'`], { cwd: worktree, env, allowFailure: true });
+  if (result.status !== 0) console.warn("Warning: could not apply git identity to all submodules. Run `ur git identity --recursive` after submodules are initialized.");
+}
+function runGit(args, options = { cwd: process.cwd() }) {
+  const gitArgs = options.authHint ? ["-c", "credential.helper=", "-c", "credential.useHttpPath=true", ...args] : args;
+  const result = spawnSync(gitBin(), gitArgs, { cwd: options.cwd, env: options.env ?? process.env, encoding: "utf8" });
+  if (result.stdout) process.stdout.write(redactSecrets(result.stdout));
+  if (result.stderr) process.stderr.write(redactSecrets(result.stderr));
+  const status = result.status ?? 1;
+  if (status !== 0 && !options.allowFailure) {
+    if (options.authHint && /repository not found|authentication failed|could not read username|terminal prompts disabled/i.test(`${result.stdout}
+${result.stderr}`)) {
+      throw new Error("GitHub authentication failed while accessing a private repo. The repo may exist, but GitHub credentials were unavailable or rejected. Re-run `ur login`, then `ur project clone <projectId>` so the CLI can inject a short-lived GitHub App token internally.");
+    }
+    throw new Error(`git ${safeArgs(args)} failed with exit ${status}`);
+  }
+  return { status, stdout: result.stdout ?? "", stderr: result.stderr ?? "" };
+}
+function gitBin() {
+  return process.env.UR_GIT_BIN || (process.platform === "darwin" ? "/usr/bin/git" : "git");
+}
+function repoDirName(url) {
+  return basename(url.replace(/\.git$/, ""));
+}
+function printCloneSuccess(projectId, worktree, token) {
+  const repoList = token.repos?.length ? ` (${token.repos.join(", ")})` : "";
+  console.log(`Cloned ${projectId} to ${worktree} using an internal short-lived GitHub App token${repoList}.`);
+}
+function printDetachedHeadNotice() {
+  console.log("Note: initialized submodules may be in detached HEAD state. Before editing a submodule repo, run `git switch <branch>` inside that submodule.");
+}
+function redactTokenResponse(result) {
+  return { ...result, token: redactToken(result.token) };
+}
+function redactSecrets(text) {
+  return text.replace(/ghs_[A-Za-z0-9_]+/g, "[REDACTED_GITHUB_TOKEN]").replace(/pat_[A-Za-z0-9_-]+/g, "[REDACTED_PAT]");
+}
+function redactToken(token) {
+  if (!token) return "";
+  return `${token.slice(0, 8)}\u2026redacted`;
+}
+function safeArgs(args) {
+  return args.map((arg) => /token|password|authorization/i.test(arg) ? "***" : JSON.stringify(arg)).join(" ");
+}
+function shellSingleQuoteSafe(value) {
+  return String(value).replace(/'/g, `'"'"'`);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@united-robotics/cli",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "type": "module",
   "bin": {
     "ur": "dist/index.js"