@vertaaux/cli 0.4.0 → 0.5.0

package/dist/app/views/command-runner.js

@@ -0,0 +1,372 @@
+/**
+ * CommandRunnerView — Executes a CLI command within the InteractiveApp canvas.
+ *
+ * Lifecycle:
+ *   1. "collecting" — prompts for required args ON the alt screen using raw-mode
+ *      keyboard input (same system as MenuView). No stdin mode transitions.
+ *   2. "running" — command runs INSIDE the app layout. A renderer override
+ *      captures step states so this view can render them in the canvas.
+ *      Header and footer stay visible throughout.
+ *   3. "done"/"error" — shows result summary in canvas, M returns to menu.
+ *
+ * Each command's handler is called directly (no program.parse()).
+ */
+import { dim, bold, colorize, brand, renderError, setRendererOverride, setKeyboardOverrideActive, renderStepList, getTerminalWidth, getTerminalHeight, } from "@vertaaux/tui";
+import { setOutputBuffer } from "../../output/envelope.js";
+// Command handler imports
+import { handleAudit } from "../../commands/audit/index.js";
+import { handleScan } from "../../commands/scan.js";
+import { handleA11y } from "../../commands/a11y.js";
+import { handleStatus } from "../../commands/status.js";
+import { handleDiff } from "../../commands/diff.js";
+import { handleCompare } from "../../commands/compare.js";
+import { handleTriage } from "../../commands/triage.js";
+import { handleExplain } from "../../commands/explain.js";
+import { handleSuggest } from "../../commands/suggest.js";
+import { handleFix } from "../../commands/fix.js";
+import { handleFixAll } from "../../commands/fix-all.js";
+import { handleFixPlan } from "../../commands/fix-plan.js";
+import { handlePatchReview } from "../../commands/patch-review.js";
+import { handleDoc } from "../../commands/doc.js";
+import { handleComment } from "../../commands/comment.js";
+import { handleReleaseNotes } from "../../commands/release-notes.js";
+import { handleInit } from "../../commands/init.js";
+import { handleBaseline } from "../../commands/baseline.js";
+import { handleUpload } from "../../commands/upload.js";
+import { handleDownload } from "../../commands/download.js";
+import { handleVerify } from "../../commands/verify.js";
+import { handleLogin, handleLogout, handleWhoami } from "../../commands/login.js";
+import { handleDoctor } from "../../commands/doctor.js";
+import { handlePolicy } from "../../commands/policy.js";
+/**
+ * Get the argument definitions for a command.
+ */
+function getArgDefs(cmd) {
+    switch (cmd) {
+        case "audit":
+        case "scan":
+        case "a11y":
+            return [{ label: "Target URL", key: "url" }];
+        case "status":
+            return [{ label: "Job ID", key: "jobId" }];
+        case "fix":
+            return [{ label: "Job ID to fix", key: "jobId" }];
+        case "suggest":
+            return [{ label: "Describe the fix you need", key: "intent" }];
+        case "fix-all":
+            return [
+                { label: "Job ID", key: "jobId" },
+                { label: "File path or content", key: "fileContent" },
+            ];
+        case "download":
+            return [{ label: "Job ID to download", key: "jobId" }];
+        default:
+            return [];
+    }
+}
+/**
+ * A renderer that captures state instead of writing to the terminal.
+ * The CommandRunnerView reads from it in render().
+ */
+class CanvasRenderer {
+    stepStates = [];
+    result = null;
+    finished = false;
+    update(state) {
+        if (state.stepStates) {
+            this.stepStates = [...state.stepStates];
+        }
+    }
+    finish(result) {
+        this.result = result;
+        this.finished = true;
+    }
+    dispose() { }
+    suspend() { }
+    resume() { }
+}
+export class CommandRunnerView {
+    status;
+    statusText = "";
+    commandValue;
+    app;
+    onReturn;
+    // Arg collection state
+    argDefs;
+    collectedArgs = {};
+    currentArgIndex = 0;
+    inputBuffer = "";
+    // Resolve function for the arg collection promise
+    resolveArgCollection = null;
+    // Canvas renderer for capturing step states
+    canvasRenderer = new CanvasRenderer();
+    // Captured command output (from writeOutput during execution)
+    outputBuffer = [];
+    // Scroll position for viewing results
+    scrollOffset = 0;
+    constructor(commandValue, app, onReturn) {
+        this.commandValue = commandValue;
+        this.app = app;
+        this.onReturn = onReturn;
+        this.argDefs = getArgDefs(commandValue);
+        this.status = this.argDefs.length > 0 ? "collecting" : "running";
+    }
+    render() {
+        const lines = [];
+        switch (this.status) {
+            case "collecting": {
+                lines.push(bold(this.commandValue));
+                lines.push("");
+                for (let i = 0; i < this.currentArgIndex; i++) {
+                    const def = this.argDefs[i];
+                    lines.push(dim(`  ${def.label}: `) + this.collectedArgs[def.key]);
+                }
+                const currentDef = this.argDefs[this.currentArgIndex];
+                if (currentDef) {
+                    lines.push(colorize(`  ${currentDef.label}: `, brand.lime) +
+                        this.inputBuffer +
+                        colorize("█", brand.lime));
+                }
+                lines.push("");
+                lines.push(dim("Type your input, then press Enter to confirm"));
+                lines.push(dim("Press Escape to cancel"));
+                break;
+            }
+            case "running": {
+                // Show step-list from the canvas renderer
+                if (this.canvasRenderer.stepStates.length > 0) {
+                    const stepList = renderStepList(this.canvasRenderer.stepStates, this.app.getFrameIndex(), getTerminalWidth());
+                    lines.push(stepList);
+                }
+                else {
+                    lines.push(dim(`Running ${bold(this.commandValue)}...`));
+                }
+                break;
+            }
+            case "done":
+            case "error": {
+                const content = this.status === "error" && this.outputBuffer.length === 0
+                    ? [renderError({ message: this.statusText || "Command failed", suggestion: "vertaa doctor" })]
+                    : this.outputBuffer.length > 0
+                        ? [...this.outputBuffer]
+                        : [colorize("Command completed.", brand.lime)];
+                // Scrollable view: show a window of lines based on scrollOffset
+                // Reserve 2 lines for footer hint
+                const availableHeight = Math.max(3, getTerminalHeight() - 12);
+                const totalLines = content.length;
+                const maxScroll = Math.max(0, totalLines - availableHeight);
+                this.scrollOffset = Math.min(this.scrollOffset, maxScroll);
+                const visible = content.slice(this.scrollOffset, this.scrollOffset + availableHeight);
+                lines.push(...visible);
+                // Scroll indicator
+                if (totalLines > availableHeight) {
+                    const pct = maxScroll > 0 ? Math.round((this.scrollOffset / maxScroll) * 100) : 100;
+                    lines.push("");
+                    lines.push(dim(`↑↓ scroll (${pct}%) | M menu | Q quit`));
+                }
+                else {
+                    lines.push("");
+                    lines.push(dim("M menu | Q quit"));
+                }
+                break;
+            }
+        }
+        return lines.join("\n");
+    }
+    handleKey(key, ctrl, _meta) {
+        if (this.status === "collecting") {
+            if (ctrl && key === "\x03")
+                return false;
+            if (key === "\x1b") {
+                this.onReturn();
+                return true;
+            }
+            if (key === "\r" || key === "\n") {
+                const currentDef = this.argDefs[this.currentArgIndex];
+                if (currentDef && this.inputBuffer.trim().length > 0) {
+                    this.collectedArgs[currentDef.key] = this.inputBuffer.trim();
+                    this.inputBuffer = "";
+                    this.currentArgIndex++;
+                    if (this.currentArgIndex >= this.argDefs.length) {
+                        if (this.resolveArgCollection) {
+                            this.resolveArgCollection();
+                        }
+                    }
+                }
+                return true;
+            }
+            if (key === "\x7f" || key === "\b") {
+                this.inputBuffer = this.inputBuffer.slice(0, -1);
+                return true;
+            }
+            if (key.length === 1 && key >= " ") {
+                this.inputBuffer += key;
+                return true;
+            }
+            return false;
+        }
+        // Done/error state — handle navigation and scroll keys
+        if (this.status === "done" || this.status === "error") {
+            if (key === "m" || key === "M" || key === "\r") {
+                this.onReturn();
+                return true;
+            }
+            if (key === "\x1b") {
+                // Escape — but not arrow key sequences
+                this.onReturn();
+                return true;
+            }
+            if (key === "q" || key === "Q") {
+                process.exit(0);
+            }
+            // Arrow up / k
+            if (key === "\x1b[A" || key === "k") {
+                this.scrollOffset = Math.max(0, this.scrollOffset - 1);
+                return true;
+            }
+            // Arrow down / j
+            if (key === "\x1b[B" || key === "j") {
+                this.scrollOffset++;
+                return true;
+            }
+            // Page up
+            if (key === "\x1b[5~") {
+                this.scrollOffset = Math.max(0, this.scrollOffset - 10);
+                return true;
+            }
+            // Page down
+            if (key === "\x1b[6~") {
+                this.scrollOffset += 10;
+                return true;
+            }
+            // Home
+            if (key === "\x1b[H" || key === "g") {
+                this.scrollOffset = 0;
+                return true;
+            }
+            // End
+            if (key === "\x1b[F" || key === "G") {
+                this.scrollOffset = Infinity; // clamped in render()
+                return true;
+            }
+            return true;
+        }
+        return false;
+    }
+    async onMount() {
+        // If command needs args, wait for collection
+        if (this.argDefs.length > 0) {
+            await new Promise((resolve) => {
+                this.resolveArgCollection = resolve;
+            });
+        }
+        // Set overrides so command handlers use our canvas renderer,
+        // don't steal stdin, and buffer their output instead of writing to stderr.
+        this.status = "running";
+        setRendererOverride(this.canvasRenderer);
+        setKeyboardOverrideActive(true);
+        setOutputBuffer(this.outputBuffer);
+        try {
+            await this.executeCommand();
+            this.status = "done";
+        }
+        catch (err) {
+            this.status = "error";
+            this.statusText = err instanceof Error ? err.message : String(err);
+        }
+        // Restore all overrides
+        setOutputBuffer(null);
+        setRendererOverride(null);
+        setKeyboardOverrideActive(false);
+    }
+    // ── Private ──────────────────────────────────────────────────
+    async executeCommand() {
+        const cmd = this.commandValue;
+        const args = this.collectedArgs;
+        switch (cmd) {
+            case "audit":
+                await handleAudit(args.url, {}, {});
+                break;
+            case "scan":
+                await handleScan(args.url, {});
+                break;
+            case "a11y":
+                await handleA11y(args.url, {});
+                break;
+            case "status":
+                await handleStatus(args.jobId, {});
+                break;
+            case "fix":
+                await handleFix(args.jobId, {});
+                break;
+            case "download":
+                await handleDownload(args.jobId, {});
+                break;
+            case "suggest":
+                await handleSuggest({ intent: args.intent });
+                break;
+            case "fix-all":
+                await handleFixAll({
+                    jobId: args.jobId,
+                    fileContent: args.fileContent,
+                });
+                break;
+            case "diff":
+                await handleDiff({});
+                break;
+            case "compare":
+                await handleCompare({});
+                break;
+            case "triage":
+                await handleTriage({});
+                break;
+            case "explain":
+                await handleExplain({});
+                break;
+            case "fix-plan":
+                await handleFixPlan({});
+                break;
+            case "patch-review":
+                await handlePatchReview({});
+                break;
+            case "doc":
+                await handleDoc({});
+                break;
+            case "comment":
+                await handleComment({});
+                break;
+            case "release-notes":
+                await handleReleaseNotes({});
+                break;
+            case "init":
+                await handleInit({});
+                break;
+            case "baseline":
+                await handleBaseline(undefined, {});
+                break;
+            case "upload":
+                await handleUpload(undefined, {});
+                break;
+            case "verify":
+                await handleVerify({});
+                break;
+            case "login":
+                await handleLogin({});
+                break;
+            case "logout":
+                await handleLogout();
+                break;
+            case "whoami":
+                await handleWhoami({});
+                break;
+            case "doctor":
+                await handleDoctor({});
+                break;
+            case "policy":
+                await handlePolicy("show", {});
+                break;
+            default:
+                throw new Error(`Unknown command: ${cmd}`);
+        }
+    }
+}

package/dist/app/views/help-overlay.d.ts

@@ -0,0 +1,21 @@
+/**
+ * HelpOverlayView — Keyboard shortcuts overlay implementing CommandView.
+ *
+ * Renders a box with context-specific keyboard shortcuts. Pressing H or Esc
+ * dismisses the overlay via the onDismiss callback.
+ */
+import type { CommandView } from "../types.js";
+/**
+ * HelpOverlayView implements CommandView for the keyboard shortcuts overlay.
+ *
+ * @param onDismiss - Callback invoked when user dismisses the overlay (H or Esc)
+ */
+export declare class HelpOverlayView implements CommandView {
+    private readonly onDismiss;
+    constructor(onDismiss: () => void);
+    /** Render the help overlay as a box */
+    render(): string;
+    /** Handle H and Esc to dismiss the overlay */
+    handleKey(key: string, _ctrl: boolean, _meta: boolean): boolean;
+}
+//# sourceMappingURL=help-overlay.d.ts.map

package/dist/app/views/help-overlay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"help-overlay.d.ts","sourceRoot":"","sources":["../../../src/app/views/help-overlay.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAY/C;;;;GAIG;AACH,qBAAa,eAAgB,YAAW,WAAW;IACjD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAa;gBAE3B,SAAS,EAAE,MAAM,IAAI;IAIjC,uCAAuC;IACvC,MAAM,IAAI,MAAM;IAehB,8CAA8C;IAC9C,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO;CAOhE"}

package/dist/app/views/help-overlay.js

@@ -0,0 +1,45 @@
+/**
+ * HelpOverlayView — Keyboard shortcuts overlay implementing CommandView.
+ *
+ * Renders a box with context-specific keyboard shortcuts. Pressing H or Esc
+ * dismisses the overlay via the onDismiss callback.
+ */
+import { box, bold, dim } from "@vertaaux/tui";
+/** Default shortcuts shown in any context */
+const DEFAULT_SHORTCUTS = [
+    ["↑ / ↓", "Navigate menu items"],
+    ["Enter", "Select / confirm"],
+    ["/", "Start search (or type any character)"],
+    ["Esc", "Clear search / go back"],
+    ["H", "Toggle this help overlay"],
+    ["Ctrl+C", "Exit vertaa"],
+];
+/**
+ * HelpOverlayView implements CommandView for the keyboard shortcuts overlay.
+ *
+ * @param onDismiss - Callback invoked when user dismisses the overlay (H or Esc)
+ */
+export class HelpOverlayView {
+    onDismiss;
+    constructor(onDismiss) {
+        this.onDismiss = onDismiss;
+    }
+    /** Render the help overlay as a box */
+    render() {
+        const rows = DEFAULT_SHORTCUTS.map(([key, description]) => `  ${bold(key.padEnd(12))}  ${dim(description)}`);
+        const content = [
+            bold("Keyboard Shortcuts"),
+            dim("─".repeat(36)),
+            ...rows,
+        ].join("\n");
+        return box(content, { padding: 1 });
+    }
+    /** Handle H and Esc to dismiss the overlay */
+    handleKey(key, _ctrl, _meta) {
+        if (key === "h" || key === "H" || key === "\x1b") {
+            this.onDismiss();
+            return true;
+        }
+        return false;
+    }
+}

package/dist/auth/ci-token.d.ts

@@ -38,16 +38,22 @@ interface TokenValidationResponse {
 /**
  * Validate a CI token against the API.
  *
+ * Uses apiRequest() from client.ts with the token as explicit API key,
+ * so that auth header construction stays centralized in client.ts.
+ *
  * @param token - Token to validate
- * @param apiBase - API base URL (optional)
+ * @param apiBase - API base URL (optional, resolved via resolveApiBase)
  * @returns true if token is valid
  */
 export declare function validateCIToken(token: string, apiBase?: string): Promise<boolean>;
 /**
  * Get token info from the API.
  *
+ * Uses apiRequest() from client.ts with the token as explicit API key,
+ * so that auth header construction stays centralized in client.ts.
+ *
  * @param token - Token to check
- * @param apiBase - API base URL (optional)
+ * @param apiBase - API base URL (optional, resolved via resolveApiBase)
  * @returns Token info or null if invalid/error
  */
 export declare function getTokenInfo(token: string, apiBase?: string): Promise<TokenValidationResponse | null>;

package/dist/auth/ci-token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ci-token.d.ts","sourceRoot":"","sources":["../../src/auth/ci-token.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH;;;;;;GAMG;AACH,wBAAgB,UAAU,IAAI,MAAM,GAAG,IAAI,CAQ1C;AAED;;GAEG;AACH,UAAU,uBAAuB;IAC/B,6BAA6B;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wBAAwB;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAOD;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,MAAyB,GACjC,OAAO,CAAC,OAAO,CAAC,CAoBlB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,MAAyB,GACjC,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAkBzC"}
+{"version":3,"file":"ci-token.d.ts","sourceRoot":"","sources":["../../src/auth/ci-token.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH;;;;;;GAMG;AACH,wBAAgB,UAAU,IAAI,MAAM,GAAG,IAAI,CAQ1C;AAED;;GAEG;AACH,UAAU,uBAAuB;IAC/B,6BAA6B;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wBAAwB;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC,CAclB;AAED;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAYzC"}

package/dist/auth/ci-token.js

@@ -4,6 +4,7 @@
  * CI tokens are long-lived API keys used in CI/CD pipelines.
  * They can be passed via environment variables or --token flag.
  */
+import { apiRequest, resolveApiBase } from "../utils/client.js";
 /**
  * Environment variable names for CI tokens.
  * Checked in order of preference.
@@ -25,30 +26,20 @@ export function getCIToken() {
     }
     return null;
 }
-/**
- * Default API base URL.
- */
-const DEFAULT_API_BASE = "https://vertaaux.ai/v1";
 /**
  * Validate a CI token against the API.
  *
+ * Uses apiRequest() from client.ts with the token as explicit API key,
+ * so that auth header construction stays centralized in client.ts.
+ *
  * @param token - Token to validate
- * @param apiBase - API base URL (optional)
+ * @param apiBase - API base URL (optional, resolved via resolveApiBase)
  * @returns true if token is valid
  */
-export async function validateCIToken(token, apiBase = DEFAULT_API_BASE) {
+export async function validateCIToken(token, apiBase) {
     try {
-        const response = await fetch(`${apiBase}/auth/validate`, {
-            method: "GET",
-            headers: {
-                "X-API-Key": token,
-                "Content-Type": "application/json",
-            },
-        });
-        if (!response.ok) {
-            return false;
-        }
-        const data = (await response.json());
+        const base = resolveApiBase(apiBase);
+        const data = await apiRequest(base, "/auth/validate", { method: "GET" }, token);
         return data.valid === true;
     }
     catch {
@@ -59,23 +50,17 @@ export async function validateCIToken(token, apiBase = DEFAULT_API_BASE) {
 /**
  * Get token info from the API.
  *
+ * Uses apiRequest() from client.ts with the token as explicit API key,
+ * so that auth header construction stays centralized in client.ts.
+ *
  * @param token - Token to check
- * @param apiBase - API base URL (optional)
+ * @param apiBase - API base URL (optional, resolved via resolveApiBase)
  * @returns Token info or null if invalid/error
  */
-export async function getTokenInfo(token, apiBase = DEFAULT_API_BASE) {
+export async function getTokenInfo(token, apiBase) {
     try {
-        const response = await fetch(`${apiBase}/auth/validate`, {
-            method: "GET",
-            headers: {
-                "X-API-Key": token,
-                "Content-Type": "application/json",
-            },
-        });
-        if (!response.ok) {
-            return null;
-        }
-        return response.json();
+        const base = resolveApiBase(apiBase);
+        return await apiRequest(base, "/auth/validate", { method: "GET" }, token);
     }
     catch {
         return null;

package/dist/auth/device-flow.d.ts

@@ -59,8 +59,9 @@ export interface DeviceFlowResult {
  *
  * @param clientId - OAuth client ID for the CLI
  * @param authBase - Base URL for auth endpoints (default: https://vertaaux.ai)
+ * @param onMessage - Optional callback for displaying messages (defaults to writeOutput)
  * @returns Device flow result with tokens
  * @throws Error if authorization fails or times out
  */
-export declare function startDeviceFlow(clientId: string, authBase?: string): Promise<DeviceFlowResult>;
+export declare function startDeviceFlow(clientId: string, authBase?: string, onMessage?: (msg: string) => void): Promise<DeviceFlowResult>;
 //# sourceMappingURL=device-flow.d.ts.map

package/dist/auth/device-flow.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,gBAAgB,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,mBAAmB;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oBAAoB;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;CACnB;AAmCD;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,MAA0B,GACnC,OAAO,CAAC,gBAAgB,CAAC,CA6B3B"}
+{"version":3,"file":"device-flow.d.ts","sourceRoot":"","sources":["../../src/auth/device-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,+BAA+B;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,2BAA2B;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,gBAAgB,EAAE,MAAM,CAAC;IACzB,oDAAoD;IACpD,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAC;IACjB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,mBAAmB;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,kDAAkD;IAClD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oBAAoB;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;CACnB;AAmCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,MAA0B,EACpC,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAChC,OAAO,CAAC,gBAAgB,CAAC,CA+B3B"}

package/dist/auth/device-flow.js

@@ -7,6 +7,7 @@
  * @see https://datatracker.ietf.org/doc/html/rfc8628
  */
 import { createSpinner, succeedSpinner } from "../ui/spinner.js";
+import { writeOutput } from "../output/envelope.js";
 /**
  * Format remaining time as MM:SS.
  */
@@ -33,24 +34,26 @@ const DEFAULT_TIMEOUT_SECONDS = 300;
  *
  * @param clientId - OAuth client ID for the CLI
  * @param authBase - Base URL for auth endpoints (default: https://vertaaux.ai)
+ * @param onMessage - Optional callback for displaying messages (defaults to writeOutput)
  * @returns Device flow result with tokens
  * @throws Error if authorization fails or times out
  */
-export async function startDeviceFlow(clientId, authBase = DEFAULT_AUTH_BASE) {
+export async function startDeviceFlow(clientId, authBase = DEFAULT_AUTH_BASE, onMessage) {
+    const emit = onMessage ?? ((msg) => writeOutput(msg));
     // Step 1: Request device code
     const deviceCodeResponse = await requestDeviceCode(clientId, authBase);
     // Step 2: Display instructions
-    console.log("\n");
-    console.log("  To authenticate, visit:");
-    console.log(`  ${deviceCodeResponse.verification_uri}`);
-    console.log("\n");
-    console.log(`  Enter code: ${deviceCodeResponse.user_code}`);
-    console.log("\n");
+    emit("\n\n");
+    emit("  To authenticate, visit:\n");
+    emit(`  ${deviceCodeResponse.verification_uri}\n`);
+    emit("\n");
+    emit(`  Enter code: ${deviceCodeResponse.user_code}\n`);
+    emit("\n");
     if (deviceCodeResponse.verification_uri_complete) {
-        console.log(`  Or open: ${deviceCodeResponse.verification_uri_complete}`);
-        console.log("\n");
+        emit(`  Or open: ${deviceCodeResponse.verification_uri_complete}\n`);
+        emit("\n");
     }
-    console.log("  Press Ctrl+C to cancel.\n");
+    emit("  Press Ctrl+C to cancel.\n\n");
     // Step 3: Poll for token with countdown
     const tokens = await pollForToken(clientId, deviceCodeResponse.device_code, deviceCodeResponse.interval, deviceCodeResponse.expires_in, authBase);
     return tokens;

package/dist/auth/token-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,yBAAyB;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAY/D;AAED;;;;GAIG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAa3D;AAED;;GAEG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAMhD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAUxD"}
+{"version":3,"file":"token-store.d.ts","sourceRoot":"","sources":["../../src/auth/token-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,yBAAyB;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uDAAuD;IACvD,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,2BAA2B;IAC3B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;;;;GAOG;AACH,wBAAsB,SAAS,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAsB/D;AAED;;;;GAIG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAkB3D;AAED;;GAEG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAMhD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,SAAS,GAAG,OAAO,CAUxD"}

package/dist/auth/token-store.js

@@ -4,8 +4,8 @@
  * Tokens are stored in ~/.vertaaux/credentials.json with restrictive permissions.
  * This is separate from project config - tokens are user-scoped, not project-scoped.
  */
-import { readFile, writeFile, mkdir, unlink } from "fs/promises";
-import { existsSync } from "fs";
+import { readFile, writeFile, mkdir, unlink, chmod } from "fs/promises";
+import { existsSync, lstatSync } from "fs";
 import { homedir } from "os";
 import { join, dirname } from "path";
 /**
@@ -26,6 +26,10 @@ export function getCredentialsPath() {
 export async function saveToken(token) {
     const credPath = getCredentialsPath();
     const dir = dirname(credPath);
+    // SECVAL-1: Refuse to write if credentials path is a symlink
+    if (existsSync(credPath) && lstatSync(credPath).isSymbolicLink()) {
+        throw new Error(`Security error: ${credPath} is a symlink. Refusing to write credentials.`);
+    }
     // Create directory if needed
     if (!existsSync(dir)) {
         await mkdir(dir, { recursive: true, mode: 0o700 });
@@ -33,6 +37,8 @@ export async function saveToken(token) {
     // Write token with restrictive permissions
     const content = JSON.stringify(token, null, 2);
     await writeFile(credPath, content + "\n", { encoding: "utf-8", mode: 0o600 });
+    // SECVAL-2: Ensure restrictive permissions after write
+    await chmod(credPath, 0o600);
 }
 /**
  * Load token data from credentials file.
@@ -44,6 +50,10 @@ export async function loadToken() {
     if (!existsSync(credPath)) {
         return null;
     }
+    // SECVAL-1: Refuse to read if credentials path is a symlink
+    if (lstatSync(credPath).isSymbolicLink()) {
+        return null;
+    }
     try {
         const content = await readFile(credPath, "utf-8");
         return JSON.parse(content);