@verentis/cli 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,157 @@
1
+ # @verentis/cli
2
+
3
+ The Verentis CLI is three tools in one:
4
+
5
+ 1. **Admin** — manage accounts, workspaces, users, invitations, API keys and settings.
6
+ 2. **Marketplace publishing** — pack, sign, publish and install `.vpkg` packages.
7
+ 3. **Developer loop** — build and debug apps and execution engines **against a real workspace from your local machine**: mint scoped tokens, generate the platform's execution context, run scripts locally with full SDK access, stream execution logs, attach a debugger.
8
+
9
+ ```bash
10
+ npm install -g @verentis/cli
11
+ ```
12
+
13
+ ## Sign in
14
+
15
+ ```bash
16
+ verentis login --api-url https://api.verentis.dev
17
+ ```
18
+
19
+ With no credential flags this starts a **device sign-in**: open the printed URL in any browser (works over SSH), confirm the code, done. Non-interactive alternatives:
20
+
21
+ ```bash
22
+ verentis login --api-url … --api-key vrt_xxx # CI / scripts (create one with `verentis apikey create`)
23
+ verentis login --api-url … --token <identity token>
24
+ # VERENTIS_API_URL / VERENTIS_API_KEY / VERENTIS_TOKEN env vars also work
25
+ ```
26
+
27
+ Set defaults once so you can stop repeating flags:
28
+
29
+ ```bash
30
+ verentis use workspace <workspaceId>
31
+ verentis use account <accountId>
32
+ verentis context # show current defaults
33
+ verentis whoami # identity, account, publisher
34
+ ```
35
+
36
+ ## Admin
37
+
38
+ ```bash
39
+ verentis workspace list
40
+ verentis workspace create "My Workspace" --use
41
+ verentis workspace invite create <workspaceId> dev@example.com --role member
42
+ verentis account invite list
43
+ verentis user list --workspace <id>
44
+ verentis user suspend <userId>
45
+ verentis apikey create ci-key --grant node.file.read --grant execution.execution.run
46
+ verentis apikey revoke <apiKeyId>
47
+ verentis settings set my.setting '{"enabled":true}' --workspace <id>
48
+ ```
49
+
50
+ Anything without a dedicated command is one escape hatch away (auth handled for you):
51
+
52
+ ```bash
53
+ verentis api GET /v1/roles --scope security.role.read-all
54
+ verentis api POST /v1/things --body @thing.json --workspace <id> --scope some.scope
55
+ ```
56
+
57
+ ## Workspace files
58
+
59
+ ```bash
60
+ verentis files ls /scripts
61
+ verentis files cat /data/input.json
62
+ verentis files upload ./local-dir /scripts # recursive
63
+ verentis files upload build.zip /apps --extract # server-side archive extraction
64
+ verentis files download /data/report.json
65
+ verentis files mv /a.txt /archive/a.txt
66
+ verentis files rm /tmp-dir --recursive
67
+ ```
68
+
69
+ All file commands take `--branch` (default `main`) and `--workspace`.
70
+
71
+ ## Executions
72
+
73
+ ```bash
74
+ verentis exec run /scripts/transform.py --follow # run remotely, stream logs live
75
+ verentis exec run /scripts/etl.py --arg --verbose --params '{"rows":10}'
76
+ verentis exec list
77
+ verentis exec logs <executionId> --follow # SSE log streaming
78
+ verentis exec cancel <executionId>
79
+ verentis engine list
80
+ verentis engine resolve text/x-python
81
+ ```
82
+
83
+ ## The developer loop
84
+
85
+ Write engine/app scripts locally, but read and write **real workspace files** through the [`verentis-engine-sdk`](https://pypi.org/project/verentis-engine-sdk/) — exactly like a platform run:
86
+
87
+ ```bash
88
+ cd my-engine-project # has an engine.yaml with spec.permissions
89
+
90
+ # Run a local script with a real scoped token + injected context —
91
+ # engine.files / engine.http hit the actual workspace:
92
+ verentis dev run transform.py --workspace <id> --params '{"message":"hi"}'
93
+
94
+ # Debug: waits for your debugger before the first line runs
95
+ verentis dev run transform.py --debug # debugpy on :5678, --wait-for-client
96
+ verentis dev vscode # scaffolds .vscode/launch.json (attach + launch)
97
+ ```
98
+
99
+ Lower-level building blocks:
100
+
101
+ ```bash
102
+ verentis dev token --workspace <id> # scopes from ./engine.yaml spec.permissions
103
+ verentis dev token --scopes node.file.read --boundary /scripts # node-bounded, like platform runs
104
+ verentis dev context --file /scripts/transform.py --out .verentis/context.json
105
+ export VERENTIS_CONTEXT_PATH=$PWD/.verentis/context.json
106
+ python transform.py # SDK auto-loads the context
107
+
108
+ verentis validate engine.yaml # manifest checks before publish
109
+ ```
110
+
111
+ `dev run` writes `.verentis/context.json` (mode 600 — contains a short-lived token; git-ignore `.verentis/`).
112
+
113
+ ## Marketplace publishing
114
+
115
+ ```bash
116
+ verentis publisher create --name acme --display-name "Acme Inc."
117
+ verentis keygen # Ed25519 signing key + register public half
118
+ verentis init my-app --kind application
119
+ verentis pack # signed .vpkg (--encrypt seals the payload)
120
+ verentis publish my-app-0.1.0.vpkg
121
+ verentis package list # your packages
122
+ verentis package versions acme/my-app
123
+ verentis package deprecate my-app --message "use my-app-2"
124
+ verentis package visibility set my-app Private
125
+ verentis package visibility grant my-app <workspaceId>
126
+ verentis package stats my-app
127
+ verentis search "image viewer" --kind Application
128
+ verentis install acme/my-app --workspace <id>
129
+ verentis installs --workspace <id>
130
+ verentis uninstall <installationId> --workspace <id>
131
+ verentis yank my-app 1.0.3
132
+ ```
133
+
134
+ Published versions are `Submitted` for moderation; once approved the marketplace countersigns them and they become installable.
135
+
136
+ ## The `.vpkg` format
137
+
138
+ A gzip tarball: `manifest.yaml` + `files/**` payload + `.verentis/` metadata (package.yaml, sha256 digests, DSSE signatures). Manifest references like `./schemas/x.json` resolve against `files/` — and against the children of the installed manifest node after installation. See the platform docs (`marketplace/packaging`) for the full specification.
139
+
140
+ Packing behaviour:
141
+ - `packaging.files` globs select the payload; without them, applications automatically include every `./…` schema `source` referenced by the manifest.
142
+ - Digests cover every payload entry; the registry rejects tampered packages.
143
+ - With a configured signing key the digests document is DSSE-signed (Ed25519). Publishers with registered keys **must** sign uploads.
144
+ - `pack --encrypt` seals the payload (AES-256-GCM, X25519 key wrapping per recipient — always including the `platform` escrow recipient so Verentis.Node can serve member reads).
145
+
146
+ ## Output & scripting
147
+
148
+ Most read commands accept `--json` for machine-readable output, plus `--page/--page-size/--order-by` on paged listings. Errors render RFC 7807 problem details compactly.
149
+
150
+ ## Development
151
+
152
+ ```bash
153
+ npm install
154
+ npm test # vitest
155
+ npm run build # tsup → dist/
156
+ ```
157
+