@vibecodemax/cli 0.1.7 → 0.1.8

package/dist/cli.js

@@ -2,6 +2,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { spawnSync } from "node:child_process";
+import { randomBytes } from "node:crypto";
 import { checkS3Context, setupS3Storage } from "./storageS3.js";
 const SETUP_STATE_PATH = path.join(".vibecodemax", "setup-state.json");
 const SETUP_CONFIG_PATH = path.join(".vibecodemax", "setup-config.json");
@@ -23,6 +24,26 @@ const STORAGE_MIME_TYPES_BY_CATEGORY = {
     video: ["video/mp4", "video/webm", "video/quicktime"],
 };
 const STORAGE_DEFAULT_MIME_CATEGORIES = ["images"];
+const STRIPE_EVENTS = [
+    "checkout.session.completed",
+    "customer.subscription.created",
+    "customer.subscription.updated",
+    "customer.subscription.deleted",
+    "invoice.payment_succeeded",
+    "invoice.payment_failed",
+];
+const LEMON_EVENTS = [
+    "order_created",
+    "subscription_created",
+    "subscription_updated",
+    "subscription_cancelled",
+    "subscription_resumed",
+    "subscription_expired",
+    "subscription_paused",
+    "subscription_unpaused",
+    "subscription_payment_failed",
+    "subscription_payment_success",
+];
 function printJson(value) {
     process.stdout.write(`${JSON.stringify(value)}\n`);
 }
@@ -48,7 +69,7 @@ function parseArgs(argv) {
     let subcommand;
     const flags = {};
     let index = 0;
-    if ((command === "admin" || command === "storage") && rest[0] && !rest[0].startsWith("--")) {
+    if ((command === "admin" || command === "storage" || command === "payments") && rest[0] && !rest[0].startsWith("--")) {
         subcommand = rest[0];
         index = 1;
     }
@@ -973,6 +994,388 @@ async function setupSupabaseStorage(flags) {
         envWritten: ["SUPABASE_PUBLIC_BUCKET", "SUPABASE_PRIVATE_BUCKET"],
     });
 }
+function normalizePaymentsMode(value) {
+    return value === "production" ? "production" : "test";
+}
+function isStripePublishableKey(value) {
+    return isNonEmptyString(value) && /^pk_(test|live)_[A-Za-z0-9_]+$/.test(value.trim());
+}
+function isStripeSecretKey(value) {
+    return isNonEmptyString(value) && /^sk_(test|live)_[A-Za-z0-9_]+$/.test(value.trim());
+}
+function isStripeWebhookSecret(value) {
+    return isNonEmptyString(value) && /^whsec_[A-Za-z0-9]+$/.test(value.trim());
+}
+function isNumericStoreId(value) {
+    return isNonEmptyString(value) && /^\d+$/.test(value.trim());
+}
+function requireWebhookUrl(value, expectedPath, provider) {
+    const trimmed = value.trim();
+    if (!trimmed) {
+        fail("INVALID_WEBHOOK_URL", `${provider} webhook URL is required.`);
+    }
+    try {
+        const parsed = new URL(trimmed);
+        if (parsed.protocol !== "https:" || parsed.pathname !== expectedPath) {
+            fail("INVALID_WEBHOOK_URL", `${provider} webhook URL must be an https URL ending in ${expectedPath}.`);
+        }
+    }
+    catch {
+        fail("INVALID_WEBHOOK_URL", `${provider} webhook URL must be a valid https URL ending in ${expectedPath}.`);
+    }
+    return trimmed;
+}
+function formEncode(value, prefix = "") {
+    const entries = [];
+    if (Array.isArray(value)) {
+        value.forEach((item, index) => {
+            entries.push(...formEncode(item, `${prefix}[${index}]`));
+        });
+        return entries;
+    }
+    if (value && typeof value === "object") {
+        for (const [key, nested] of Object.entries(value)) {
+            entries.push(...formEncode(nested, prefix ? `${prefix}[${key}]` : key));
+        }
+        return entries;
+    }
+    if (value === null || value === undefined)
+        return entries;
+    entries.push([prefix, String(value)]);
+    return entries;
+}
+async function stripeRequest(params) {
+    const url = new URL(`https://api.stripe.com${params.path}`);
+    if (params.query) {
+        for (const [key, value] of formEncode(params.query)) {
+            url.searchParams.append(key, value);
+        }
+    }
+    const headers = {
+        Authorization: `Bearer ${params.secretKey}`,
+    };
+    let body;
+    if (params.body) {
+        headers["Content-Type"] = "application/x-www-form-urlencoded";
+        body = new URLSearchParams(formEncode(params.body));
+    }
+    const response = await fetch(url.toString(), {
+        method: params.method,
+        headers,
+        body,
+    });
+    const json = await response.json().catch(() => null);
+    if (!response.ok) {
+        const message = extractErrorMessage(json?.error) || extractErrorMessage(json) || `Stripe returned ${response.status}`;
+        fail("STRIPE_API_ERROR", message, 1, { status: response.status });
+    }
+    return json;
+}
+async function lemonRequest(params) {
+    const url = new URL(`https://api.lemonsqueezy.com/v1${params.path}`);
+    if (params.query) {
+        for (const [key, value] of Object.entries(params.query)) {
+            url.searchParams.set(key, value);
+        }
+    }
+    const response = await fetch(url.toString(), {
+        method: params.method,
+        headers: {
+            Accept: "application/vnd.api+json",
+            Authorization: `Bearer ${params.apiKey}`,
+            ...(params.body ? { "Content-Type": "application/vnd.api+json" } : {}),
+        },
+        body: params.body ? JSON.stringify(params.body) : undefined,
+    });
+    const json = await response.json().catch(() => null);
+    if (!response.ok) {
+        const detail = Array.isArray(json?.errors)
+            ? (json.errors[0]?.detail)
+            : null;
+        const message = isNonEmptyString(detail) ? detail : (extractErrorMessage(json) || `Lemon Squeezy returned ${response.status}`);
+        fail("LEMONSQUEEZY_API_ERROR", message, 1, { status: response.status });
+    }
+    return json;
+}
+function checkStripeKeys(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const publishableKey = values.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY;
+    const secretKey = values.STRIPE_SECRET_KEY;
+    const expectedPublishablePrefix = mode === "test" ? "pk_test_" : "pk_live_";
+    const expectedSecretPrefix = mode === "test" ? "sk_test_" : "sk_live_";
+    const missingKeys = [];
+    const invalidKeys = [];
+    const mistakes = [];
+    if (!isNonEmptyString(publishableKey)) {
+        missingKeys.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY");
+    }
+    else if (!isStripePublishableKey(publishableKey)) {
+        invalidKeys.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY");
+    }
+    else if (!publishableKey.startsWith(expectedPublishablePrefix)) {
+        mistakes.push(`NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY does not match ${mode} mode.`);
+    }
+    if (!isNonEmptyString(secretKey)) {
+        missingKeys.push("STRIPE_SECRET_KEY");
+    }
+    else if (!isStripeSecretKey(secretKey)) {
+        invalidKeys.push("STRIPE_SECRET_KEY");
+    }
+    else if (!secretKey.startsWith(expectedSecretPrefix)) {
+        mistakes.push(`STRIPE_SECRET_KEY does not match ${mode} mode.`);
+    }
+    if (isNonEmptyString(publishableKey) && isNonEmptyString(secretKey)) {
+        if (publishableKey.startsWith("pk_live_") && secretKey.startsWith("sk_test_")) {
+            mistakes.push("Publishable and secret keys are from different Stripe modes (pk_live with sk_test).");
+        }
+        if (publishableKey.startsWith("pk_test_") && secretKey.startsWith("sk_live_")) {
+            mistakes.push("Publishable and secret keys are from different Stripe modes (pk_test with sk_live).");
+        }
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0 || mistakes.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Stripe keys are missing, malformed, or inconsistent with the selected mode.", 1, { missingKeys, invalidKeys, mistakes });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-stripe-keys",
+        mode,
+        verified: true,
+        presentKeys: ["NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY", "STRIPE_SECRET_KEY"],
+        checks: ["presence", "format", "mode_consistency"],
+    });
+}
+function checkLemonKeys(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const apiKey = values.LEMONSQUEEZY_API_KEY;
+    const storeId = values.LEMONSQUEEZY_STORE_ID;
+    const missingKeys = [];
+    const invalidKeys = [];
+    if (!isNonEmptyString(apiKey)) {
+        missingKeys.push("LEMONSQUEEZY_API_KEY");
+    }
+    if (!isNonEmptyString(storeId)) {
+        missingKeys.push("LEMONSQUEEZY_STORE_ID");
+    }
+    else if (!isNumericStoreId(storeId)) {
+        invalidKeys.push("LEMONSQUEEZY_STORE_ID");
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Lemon Squeezy API key or store ID is missing or malformed.", 1, { missingKeys, invalidKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-lemonsqueezy-keys",
+        mode,
+        verified: true,
+        presentKeys: ["LEMONSQUEEZY_API_KEY", "LEMONSQUEEZY_STORE_ID"],
+        checks: ["presence", "store_id_format"],
+    });
+}
+async function createStripeWebhook(flags) {
+    const { envLocalPath, values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/stripe", "Stripe");
+    const secretKey = values.STRIPE_SECRET_KEY;
+    if (!isStripeSecretKey(secretKey)) {
+        fail("INVALID_PAYMENTS_ENV", "STRIPE_SECRET_KEY is missing or malformed in .env.local.");
+    }
+    const listed = await stripeRequest({
+        secretKey,
+        method: "GET",
+        path: "/v1/webhook_endpoints",
+        query: { limit: 100 },
+    });
+    const existing = Array.isArray(listed.data)
+        ? listed.data.find((endpoint) => {
+            const url = typeof endpoint.url === "string" ? endpoint.url : "";
+            const events = Array.isArray(endpoint.enabled_events) ? endpoint.enabled_events : [];
+            return url === webhookUrl && JSON.stringify([...events].sort()) === JSON.stringify([...STRIPE_EVENTS].sort());
+        })
+        : null;
+    if (existing && isStripeWebhookSecret(values.STRIPE_WEBHOOK_SECRET)) {
+        printJson({
+            ok: true,
+            command: "payments create-stripe-webhook",
+            mode,
+            created: false,
+            reused: true,
+            endpointId: typeof existing.id === "string" ? existing.id : null,
+            webhookUrl,
+            enabledEvents: STRIPE_EVENTS,
+            envWritten: [],
+        });
+        return;
+    }
+    const created = await stripeRequest({
+        secretKey,
+        method: "POST",
+        path: "/v1/webhook_endpoints",
+        body: {
+            url: webhookUrl,
+            enabled_events: STRIPE_EVENTS,
+            description: "VibeCodeMax payments webhook",
+        },
+    });
+    if (!isStripeWebhookSecret(created.secret)) {
+        fail("STRIPE_WEBHOOK_CREATE_FAILED", "Stripe did not return a webhook signing secret.");
+    }
+    mergeEnvFile(envLocalPath, {
+        STRIPE_WEBHOOK_SECRET: created.secret.trim(),
+    });
+    printJson({
+        ok: true,
+        command: "payments create-stripe-webhook",
+        mode,
+        created: true,
+        reused: false,
+        endpointId: typeof created.id === "string" ? created.id : null,
+        webhookUrl: typeof created.url === "string" ? created.url : webhookUrl,
+        enabledEvents: STRIPE_EVENTS,
+        envWritten: ["STRIPE_WEBHOOK_SECRET"],
+    });
+}
+function checkStripeWebhookSecret(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/stripe", "Stripe");
+    const missingKeys = [];
+    const invalidKeys = [];
+    if (!isNonEmptyString(values.STRIPE_WEBHOOK_SECRET)) {
+        missingKeys.push("STRIPE_WEBHOOK_SECRET");
+    }
+    else if (!isStripeWebhookSecret(values.STRIPE_WEBHOOK_SECRET)) {
+        invalidKeys.push("STRIPE_WEBHOOK_SECRET");
+    }
+    if (missingKeys.length > 0 || invalidKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Stripe webhook secret is missing or malformed in .env.local.", 1, { missingKeys, invalidKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-stripe-webhook-secret",
+        mode,
+        verified: true,
+        webhookUrl,
+        presentKeys: ["STRIPE_WEBHOOK_SECRET"],
+        checks: ["presence", "format", "webhook_url_format"],
+    });
+}
+async function createLemonWebhook(flags) {
+    const { envLocalPath, values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/lemonsqueezy", "Lemon Squeezy");
+    const apiKey = values.LEMONSQUEEZY_API_KEY;
+    const storeId = values.LEMONSQUEEZY_STORE_ID;
+    if (!isNonEmptyString(apiKey)) {
+        fail("INVALID_PAYMENTS_ENV", "LEMONSQUEEZY_API_KEY is missing in .env.local.");
+    }
+    if (!isNumericStoreId(storeId)) {
+        fail("INVALID_PAYMENTS_ENV", "LEMONSQUEEZY_STORE_ID is missing or malformed in .env.local.");
+    }
+    const listed = await lemonRequest({
+        apiKey,
+        method: "GET",
+        path: "/webhooks",
+        query: {
+            "filter[store_id]": storeId.trim(),
+            "page[size]": "100",
+        },
+    });
+    const existing = Array.isArray(listed.data)
+        ? listed.data.find((endpoint) => {
+            const attrs = endpoint.attributes && typeof endpoint.attributes === "object"
+                ? endpoint.attributes
+                : {};
+            const relationships = endpoint.relationships && typeof endpoint.relationships === "object"
+                ? endpoint.relationships
+                : {};
+            const endpointStoreId = typeof relationships.store?.data?.id === "string"
+                ? (relationships.store.data.id)
+                : "";
+            const events = Array.isArray(attrs.events) ? attrs.events : [];
+            return String(attrs.url || "") === webhookUrl
+                && endpointStoreId === storeId.trim()
+                && JSON.stringify([...events].sort()) === JSON.stringify([...LEMON_EVENTS].sort());
+        })
+        : null;
+    if (existing && isNonEmptyString(values.LEMONSQUEEZY_WEBHOOK_SECRET)) {
+        printJson({
+            ok: true,
+            command: "payments create-lemonsqueezy-webhook",
+            mode,
+            created: false,
+            reused: true,
+            endpointId: typeof existing.id === "string" ? existing.id : null,
+            webhookUrl,
+            storeId: storeId.trim(),
+            enabledEvents: LEMON_EVENTS,
+            envWritten: [],
+        });
+        return;
+    }
+    const generatedSecret = randomBytes(24).toString("hex");
+    const created = await lemonRequest({
+        apiKey,
+        method: "POST",
+        path: "/webhooks",
+        body: {
+            data: {
+                type: "webhooks",
+                attributes: {
+                    url: webhookUrl,
+                    events: LEMON_EVENTS,
+                    secret: generatedSecret,
+                    test_mode: mode === "test",
+                },
+                relationships: {
+                    store: {
+                        data: {
+                            type: "stores",
+                            id: storeId.trim(),
+                        },
+                    },
+                },
+            },
+        },
+    });
+    mergeEnvFile(envLocalPath, {
+        LEMONSQUEEZY_WEBHOOK_SECRET: generatedSecret,
+    });
+    printJson({
+        ok: true,
+        command: "payments create-lemonsqueezy-webhook",
+        mode,
+        created: true,
+        reused: false,
+        endpointId: typeof created.data?.id === "string" ? created.data.id : null,
+        webhookUrl: typeof created.data?.attributes?.url === "string" ? created.data.attributes.url : webhookUrl,
+        storeId: storeId.trim(),
+        enabledEvents: LEMON_EVENTS,
+        envWritten: ["LEMONSQUEEZY_WEBHOOK_SECRET"],
+    });
+}
+function checkLemonWebhookSecret(flags) {
+    const { values } = loadLocalEnv();
+    const mode = normalizePaymentsMode(readStringFlag(flags, "mode"));
+    const webhookUrl = requireWebhookUrl(readStringFlag(flags, "webhook-url"), "/api/webhooks/lemonsqueezy", "Lemon Squeezy");
+    const missingKeys = [];
+    if (!isNonEmptyString(values.LEMONSQUEEZY_WEBHOOK_SECRET)) {
+        missingKeys.push("LEMONSQUEEZY_WEBHOOK_SECRET");
+    }
+    if (missingKeys.length > 0) {
+        fail("INVALID_PAYMENTS_ENV", "Lemon Squeezy webhook secret is missing in .env.local.", 1, { missingKeys });
+    }
+    printJson({
+        ok: true,
+        command: "payments check-lemonsqueezy-webhook-secret",
+        mode,
+        verified: true,
+        webhookUrl,
+        presentKeys: ["LEMONSQUEEZY_WEBHOOK_SECRET"],
+        checks: ["presence", "webhook_url_format"],
+    });
+}
 async function main() {
     const { command, subcommand, flags } = parseArgs(process.argv.slice(2));
     if (!command || command === "--help" || command === "help") {
@@ -985,6 +1388,12 @@ async function main() {
                 "storage setup-supabase",
                 "storage check-s3-context",
                 "storage setup-s3",
+                "payments check-stripe-keys",
+                "payments create-stripe-webhook",
+                "payments check-stripe-webhook-secret",
+                "payments check-lemonsqueezy-keys",
+                "payments create-lemonsqueezy-webhook",
+                "payments check-lemonsqueezy-webhook-secret",
                 "configure-site-redirects",
                 "configure-email-password",
                 "enable-google-provider",
@@ -1011,6 +1420,18 @@ async function main() {
         return checkS3Context(flags);
     if (command === "storage" && subcommand === "setup-s3")
         return setupS3Storage(flags);
+    if (command === "payments" && subcommand === "check-stripe-keys")
+        return checkStripeKeys(flags);
+    if (command === "payments" && subcommand === "create-stripe-webhook")
+        return createStripeWebhook(flags);
+    if (command === "payments" && subcommand === "check-stripe-webhook-secret")
+        return checkStripeWebhookSecret(flags);
+    if (command === "payments" && subcommand === "check-lemonsqueezy-keys")
+        return checkLemonKeys(flags);
+    if (command === "payments" && subcommand === "create-lemonsqueezy-webhook")
+        return createLemonWebhook(flags);
+    if (command === "payments" && subcommand === "check-lemonsqueezy-webhook-secret")
+        return checkLemonWebhookSecret(flags);
     if (command === "configure-site-redirects")
         return configureSiteRedirects(flags);
     if (command === "configure-email-password")

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodemax/cli",
-  "version": "0.1.7",
+  "version": "0.1.8",
   "description": "VibeCodeMax CLI — local provider setup for bootstrap and project configuration",
   "type": "module",
   "bin": {