@uplink-code/cli 0.0.1 → 0.1.0

package/lib/cli/bin.js

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+var P=Object.defineProperty;var o=(e,n)=>P(e,"name",{value:n,configurable:!0});import{Command as M}from"commander";import{createServer as N}from"node:http";import{randomBytes as R}from"node:crypto";import{exec as T}from"node:child_process";import{homedir as v}from"node:os";import{join as m}from"node:path";import{mkdirSync as x,readFileSync as O,writeFileSync as E,unlinkSync as I,existsSync as g,chmodSync as A}from"node:fs";function k(){let e=process.env.XDG_CONFIG_HOME;return e?m(e,"uplink"):m(v(),".config","uplink")}o(k,"credentialsDir");function d(){return m(k(),"credentials.json")}o(d,"credentialsFile");function y(){let e=d();if(!g(e))return null;let n=O(e,"utf-8"),t;try{t=JSON.parse(n)}catch{return null}return $(t)?t:null}o(y,"readCredentials");function _(e){let n=k();x(n,{recursive:!0,mode:448}),E(d(),JSON.stringify(e,null,2),{mode:384}),A(d(),384)}o(_,"writeCredentials");function w(){let e=d();return g(e)?(I(e),!0):!1}o(w,"clearCredentials");function l(){return d()}o(l,"credentialsPath");function $(e){if(e===null||typeof e!="object")return!1;let n=e;return typeof n.access_token=="string"&&typeof n.refresh_token=="string"&&typeof n.expires_at=="number"&&typeof n.organization_id=="string"&&typeof n.supabase_url=="string"&&typeof n.supabase_anon_key=="string"}o($,"isCredentials");var L="https://console.uplink.build",b=300*1e3;async function h(){let e=process.env.UPLINK_CONSOLE_URL??L,n=R(16).toString("hex"),{port:t,waitForCallback:s,shutdown:i}=await J({state:n}),r=`${e}/cli/login?port=${t}&state=${encodeURIComponent(n)}`;process.stdout.write(`Opening browser to sign in\u2026
+
+If nothing opens, visit:
+  ${r}
+
+`),z(r);try{let a=await s(),p={access_token:a.tokens.access_token,refresh_token:a.tokens.refresh_token,expires_at:a.tokens.expires_at,organization_id:a.organization_id,supabase_url:a.supabase_url,supabase_anon_key:a.supabase_anon_key};_(p),process.stdout.write(`\u2713 Signed in. Credentials saved to ${l()}
+`)}finally{i()}}o(h,"login");function J(e){return new Promise((n,t)=>{let s,i,r=new Promise((c,f)=>{s=c,i=f}),a=N((c,f)=>{U(c,f,e.state,s,i)}),p=setTimeout(()=>{i(new Error(`Timed out after ${b/1e3}s waiting for sign-in. Re-run \`uplink login\`.`))},b);a.listen(0,"127.0.0.1",()=>{let c=a.address();n({port:c.port,waitForCallback:o(()=>r,"waitForCallback"),shutdown:o(()=>{clearTimeout(p),a.close()},"shutdown")})}),a.on("error",t)})}o(J,"startCallbackListener");async function U(e,n,t,s,i){if(n.setHeader("Access-Control-Allow-Origin","*"),n.setHeader("Access-Control-Allow-Methods","POST, OPTIONS"),n.setHeader("Access-Control-Allow-Headers","Content-Type"),e.method==="OPTIONS"){n.statusCode=204,n.end();return}if(e.method!=="POST"||e.url!=="/callback"){n.statusCode=404,n.end();return}try{let r=await F(e);if(!j(r))throw new Error("Malformed callback payload from console.");if(r.state!==t)throw new Error("State mismatch \u2014 refusing to accept tokens.");n.statusCode=200,n.end(JSON.stringify({ok:!0})),s({tokens:r.tokens,organization_id:r.organization_id,supabase_url:r.supabase_url,supabase_anon_key:r.supabase_anon_key})}catch(r){n.statusCode=400,n.end(JSON.stringify({ok:!1,error:r.message})),i(r instanceof Error?r:new Error(String(r)))}}o(U,"handleRequest");function F(e){return new Promise((n,t)=>{let s=[];e.on("data",i=>s.push(i)),e.on("end",()=>{try{n(JSON.parse(Buffer.concat(s).toString("utf-8")))}catch(i){t(i instanceof Error?i:new Error(String(i)))}}),e.on("error",t)})}o(F,"readJsonBody");function j(e){if(e===null||typeof e!="object")return!1;let n=e;if(typeof n.state!="string"||typeof n.organization_id!="string"||typeof n.supabase_url!="string"||typeof n.supabase_anon_key!="string")return!1;let t=n.tokens;if(t===null||typeof t!="object")return!1;let s=t;return typeof s.access_token=="string"&&typeof s.refresh_token=="string"&&typeof s.expires_at=="number"}o(j,"isCallbackPayload");function z(e){let n=process.platform==="darwin"?`open "${e}"`:process.platform==="win32"?`start "" "${e}"`:`xdg-open "${e}"`;T(n,t=>{})}o(z,"openInBrowser");function C(){w()?process.stdout.write(`\u2713 Removed ${l()}
+`):process.stdout.write(`Already logged out.
+`)}o(C,"logout");function S(){let e=y();e||(process.stdout.write("Not logged in. Run `uplink login`.\n"),process.exit(1));let n=H(e.access_token),t=n?.email??"(unknown)",s=n?.sub??"(unknown)",i=new Date(e.expires_at*1e3),r=e.expires_at*1e3<Date.now();process.stdout.write(`Email:   ${t}
+User id: ${s}
+Expires: ${i.toISOString()}${r?" (expired \u2014 refresh on next call)":""}
+Stored:  ${l()}
+`)}o(S,"whoami");function H(e){let n=e.split(".");if(n.length!==3)return null;try{let t=Buffer.from(n[1],"base64url").toString("utf-8");return JSON.parse(t)}catch{return null}}o(H,"decodeJwtPayload");var u=new M;u.name("uplink").description("CLI for the Uplink browser automation platform").version("0.0.1");u.command("login").description("Sign in via the browser and store credentials at ~/.config/uplink/credentials.json").action(()=>{h().catch(e=>{process.stderr.write(`Error: ${e.message}
+`),process.exit(1)})});u.command("logout").description("Remove stored credentials").action(C);u.command("whoami").description("Show the currently signed-in user").action(S);u.parse();

package/lib/cli/index.js

@@ -1,13 +1 @@
-#!/usr/bin/env node
-var C=Object.defineProperty;var i=(e,t)=>C(e,"name",{value:t,configurable:!0});import{Command as L}from"commander";import{homedir as K}from"node:os";import{join as l}from"node:path";import{mkdirSync as A,readFileSync as P,writeFileSync as S,unlinkSync as I,existsSync as d,chmodSync as b}from"node:fs";var c=l(K(),".uplink"),n=l(c,"credentials.json"),u="https://api.uplink.build";function m(){if(!d(n))return null;let e=P(n,"utf-8"),t=JSON.parse(e);if(t===null||typeof t!="object"||typeof t.apiKey!="string")return null;let p=t;return{apiKey:p.apiKey??"",apiUrl:p.apiUrl??u}}i(m,"readCredentials");function f(e){A(c,{recursive:!0,mode:448}),S(n,JSON.stringify(e,null,2),{mode:384}),b(n,384)}i(f,"writeCredentials");function y(){return d(n)?(I(n),!0):!1}i(y,"clearCredentials");function r(){return n}i(r,"credentialsPath");function g(){return u}i(g,"defaultApiUrl");function k(e){e.apiKey||(process.stderr.write(`Error: --api-key is required.
-
-Generate an API key in console (https://console.uplink.build \u2192 Settings \u2192 API Keys) and run:
-  uplink login --api-key <key>
-`),process.exit(1)),f({apiKey:e.apiKey,apiUrl:e.apiUrl??g()}),process.stdout.write(`\u2713 Credentials written to ${r()}
-`)}i(k,"login");function w(){y()?process.stdout.write(`\u2713 Removed ${r()}
-`):process.stdout.write(`Already logged out.
-`)}i(w,"logout");function x(){let e=m();e||(process.stdout.write("Not logged in. Run `uplink login --api-key <key>`.\n"),process.exit(1));let t=e.apiKey.length>8?`${e.apiKey.slice(0,4)}\u2026${e.apiKey.slice(-4)}`:"****";process.stdout.write(`API key: ${t}
-API URL: ${e.apiUrl}
-Stored: ${r()}
-`)}i(x,"whoami");function s(e){process.stderr.write(`\`uplink session ${e}\` is not implemented in v0.0.1. Stay tuned.
-`),process.exit(1)}i(s,"stub");function v(){s("start")}i(v,"start");function h(){s("list")}i(h,"list");function U(){s("resume")}i(U,"resume");var o=new L;o.name("uplink").description("CLI for the Uplink browser automation platform").version("0.0.1");o.command("login").description("Store API credentials at ~/.uplink/credentials.json").requiredOption("--api-key <key>","API key generated in console").option("--api-url <url>","Override the Atomic API base URL").action(e=>{k(e)});o.command("logout").description("Remove stored credentials").action(w);o.command("whoami").description("Show stored credentials (masked)").action(x);var a=o.command("session").description("Manage Uplink sessions (stubbed in v0.0.1)");a.command("start").description("Create a new session").action(v);a.command("list").description("List recent sessions").action(h);a.command("resume <id>").description("Reattach to an existing session").action(U);o.parse();
+var u=Object.defineProperty;var n=(e,r)=>u(e,"name",{value:r,configurable:!0});import{homedir as f}from"node:os";import{join as o}from"node:path";import{mkdirSync as d,readFileSync as _,writeFileSync as k,unlinkSync as y,existsSync as c,chmodSync as g}from"node:fs";function p(){let e=process.env.XDG_CONFIG_HOME;return e?o(e,"uplink"):o(f(),".config","uplink")}n(p,"credentialsDir");function s(){return o(p(),"credentials.json")}n(s,"credentialsFile");var h="https://api.uplink.build";function i(){let e=s();if(!c(e))return null;let r=_(e,"utf-8"),t;try{t=JSON.parse(r)}catch{return null}return b(t)?t:null}n(i,"readCredentials");function a(e){let r=p();d(r,{recursive:!0,mode:448}),k(s(),JSON.stringify(e,null,2),{mode:384}),g(s(),384)}n(a,"writeCredentials");function m(){let e=s();return c(e)?(y(e),!0):!1}n(m,"clearCredentials");function x(){return s()}n(x,"credentialsPath");function C(e){return process.env.UPLINK_API_HOST??e?.api_host??h}n(C,"resolveApiHost");function b(e){if(e===null||typeof e!="object")return!1;let r=e;return typeof r.access_token=="string"&&typeof r.refresh_token=="string"&&typeof r.expires_at=="number"&&typeof r.organization_id=="string"&&typeof r.supabase_url=="string"&&typeof r.supabase_anon_key=="string"}n(b,"isCredentials");async function w(){let e=i();if(!e)throw new Error("No stored credentials. Run `uplink login` from @uplink-code/cli first.");let r=await fetch(`${e.supabase_url}/auth/v1/token?grant_type=refresh_token`,{method:"POST",headers:{"Content-Type":"application/json",apikey:e.supabase_anon_key},body:JSON.stringify({refresh_token:e.refresh_token})});if(!r.ok)throw new Error(`Token refresh failed: ${r.status} ${r.statusText}. Re-run \`uplink login\`.`);let t=await r.json();if(typeof t.access_token!="string"||typeof t.refresh_token!="string"||typeof t.expires_at!="number")throw new Error("Token refresh response was malformed.");let l={...e,access_token:t.access_token,refresh_token:t.refresh_token,expires_at:t.expires_at};return a(l),l}n(w,"refreshAccessToken");export{m as clearCredentials,x as credentialsPath,i as readCredentials,w as refreshAccessToken,C as resolveApiHost,a as writeCredentials};

package/lib/cli/src/bin.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=bin.d.ts.map

package/lib/cli/src/commands/login.d.ts

@@ -1,11 +1,10 @@
-export interface LoginOptions {
-    apiKey?: string;
-    apiUrl?: string;
-}
 /**
- * v0.0.1 supports paste-an-API-key only. Future: OAuth device flow
- * (open browser, receive callback, store token). Doing the simpler
- * thing first unblocks @uplink-code/mcp for developer-mode use.
+ * `uplink login` — opens the browser to the console's `/cli/login`
+ * page, listens on an ephemeral localhost port for a POST containing
+ * the user's Supabase session, and writes the tokens to
+ * `~/.config/uplink/credentials.json`.
+ *
+ * Flow mirrors `gh auth login` / `gcloud auth login`.
  */
-export declare function login(opts: LoginOptions): void;
+export declare function login(): Promise<void>;
 //# sourceMappingURL=login.d.ts.map

package/lib/cli/src/commands/whoami.d.ts

@@ -1,2 +1,8 @@
+/**
+ * `uplink whoami` — decode the stored access_token (base64-url JSON, no
+ * signature verification — we trust the token because we stored it) and
+ * print identity + expiry. Returns non-zero exit if no credentials are
+ * stored.
+ */
 export declare function whoami(): void;
 //# sourceMappingURL=whoami.d.ts.map

package/lib/cli/src/credentials.d.ts

@@ -1,10 +1,40 @@
+/**
+ * Tokens + endpoints needed to talk to the Uplink API and to refresh
+ * the Supabase access token.
+ *
+ * Shape mirrors a subset of `@supabase/supabase-js`'s `Session` plus
+ * the public Supabase project URL + anon key (so MCP can refresh the
+ * access token without an additional config step). All values written
+ * here are non-secret apart from the tokens themselves; the anon key
+ * is the same public key console ships to every browser.
+ */
 export interface Credentials {
-    apiKey: string;
-    apiUrl: string;
+    access_token: string;
+    refresh_token: string;
+    /** Unix epoch seconds. */
+    expires_at: number;
+    /**
+     * Organization ID the user was operating under at login time. The
+     * `/sessions` POST needs this in its body because the token-auth
+     * middleware doesn't pick an org from the JWT alone; persisting at
+     * login time lets MCP send sessions without an extra round-trip.
+     */
+    organization_id: string;
+    /** Public Supabase project URL — used for token refresh. */
+    supabase_url: string;
+    /** Public Supabase anon key — used as `apikey` header on refresh. */
+    supabase_anon_key: string;
+    /** Optional override for the Uplink API host (defaults to prod). */
+    api_host?: string;
 }
 export declare function readCredentials(): Credentials | null;
 export declare function writeCredentials(creds: Credentials): void;
 export declare function clearCredentials(): boolean;
 export declare function credentialsPath(): string;
-export declare function defaultApiUrl(): string;
+/**
+ * Resolve the API host the MCP should hit. Env override wins over the
+ * value persisted in the credentials file; both win over the prod
+ * default.
+ */
+export declare function resolveApiHost(creds: Credentials | null): string;
 //# sourceMappingURL=credentials.d.ts.map

package/lib/cli/src/index.d.ts

@@ -1,2 +1,9 @@
-export {};
+/**
+ * Library entry — what other packages (notably @uplink-code/mcp) import
+ * from this CLI. Pure side-effect-free exports; the actual `uplink`
+ * binary lives in `./bin.ts`.
+ */
+export { readCredentials, writeCredentials, clearCredentials, credentialsPath, resolveApiHost } from './credentials.ts';
+export type { Credentials } from './credentials.ts';
+export { refreshAccessToken } from './refresh.ts';
 //# sourceMappingURL=index.d.ts.map

package/lib/cli/src/refresh.d.ts

@@ -0,0 +1,15 @@
+import { type Credentials } from './credentials.ts';
+/**
+ * Refresh the persisted access token via Supabase Auth's
+ * `/auth/v1/token?grant_type=refresh_token` endpoint, then write the
+ * new tokens back to the credentials file. Returns the refreshed
+ * `Credentials`.
+ *
+ * Callers (e.g. MCP) wrap this around any 401 response: catch, refresh,
+ * retry once.
+ *
+ * @throws if no credentials are stored, the refresh fails, or the
+ *         response doesn't match the expected shape.
+ */
+export declare function refreshAccessToken(): Promise<Credentials>;
+//# sourceMappingURL=refresh.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uplink-code/cli",
-  "version": "0.0.1",
+  "version": "0.1.0",
   "type": "module",
   "exports": {
     ".": {
@@ -10,7 +10,7 @@
     }
   },
   "bin": {
-    "uplink": "./lib/cli/index.js"
+    "uplink": "./lib/cli/bin.js"
   },
   "publishConfig": {
     "access": "public"
@@ -25,7 +25,7 @@
   ],
   "scripts": {
     "build": "npm run build:declarations && npm run build:transpile",
-    "build:transpile": "esbuild src/index.ts --bundle --keep-names --minify --format=esm --platform=node --external:commander --banner:js='#!/usr/bin/env node' --outfile=./lib/cli/index.js",
+    "build:transpile": "esbuild src/index.ts --bundle --keep-names --minify --format=esm --platform=node --outfile=./lib/cli/index.js && esbuild src/bin.ts --bundle --keep-names --minify --format=esm --platform=node --external:commander --banner:js='#!/usr/bin/env node' --outfile=./lib/cli/bin.js",
     "build:declarations": "tsc -b",
     "clean": "rm -rf lib",
     "format:check": "prettier --check src/ package.json tsconfig.json",

package/lib/cli/src/commands/session.d.ts

@@ -1,14 +0,0 @@
-/**
- * Session commands — stubbed in v0.0.1.
- *
- * `start` will POST to the Atomic API to create a session and print
- * an OTP + QR for device pairing. `list` will fetch the user's
- * recent sessions. `resume` reattaches.
- *
- * Implementation lands once we have a shared Atomic API client
- * (likely `@uplink-code/api-client` in this same monorepo).
- */
-export declare function start(): void;
-export declare function list(): void;
-export declare function resume(): void;
-//# sourceMappingURL=session.d.ts.map