@vibecodr/cli 0.2.2 → 0.2.3

package/README.md

@@ -12,9 +12,10 @@ This repository is intentionally separate from the PolyForm-licensed server impl
 The CLI is the permissively licensed public client surface for:
 
 - direct CLI OAuth login
-- live MCP tool discovery
-- live MCP tool invocation
-- environment and auth diagnostics
+- live MCP tool discovery
+- live MCP tool invocation
+- direct-to-R2 staged ZIP and image uploads without base64 payloads
+- environment and auth diagnostics
 - thin client install and uninstall adapters
 
 Currently implemented command surface:
@@ -22,9 +23,10 @@ Currently implemented command surface:
 - `login`
 - `logout`
 - `status`
-- `tools`
-- `call`
-- `pulse-setup`
+- `tools`
+- `call`
+- `upload`
+- `pulse-setup`
 - `pulse-publish`
 - `pulse`
 - `doctor`

package/dist/bin/vibecodr-mcp.js

@@ -18,6 +18,7 @@ import { runUninstallCommand } from "../commands/uninstall.js";
 import { runPulseSetupCommand } from "../commands/pulse-setup.js";
 import { runPulsePublishCommand } from "../commands/pulse-publish.js";
 import { runPulseCommand } from "../commands/pulse.js";
+import { runUploadCommand } from "../commands/upload.js";
 function helpText() {
     return [
         "vibecodr <command> [options]",
@@ -29,6 +30,8 @@ function helpText() {
         "  status",
         "  tools [tool-name]",
         "  call <tool-name>",
+        "  upload --zip <path>",
+        "  upload --image <path> [--kind cover_image|avatar_image]",
         "  doctor",
         "  install <client>",
         "  uninstall <client>",
@@ -88,6 +91,9 @@ async function main() {
         case "call":
             await runCallCommand(commandArgs, context);
             return;
+        case "upload":
+            await runUploadCommand(commandArgs, context);
+            return;
         case "doctor":
             await runDoctorCommand(commandArgs, context);
             return;

package/dist/commands/upload.js

@@ -0,0 +1,270 @@
+import { createHash } from "node:crypto";
+import { readFile, stat } from "node:fs/promises";
+import { basename } from "node:path";
+import { CliError, EXIT_CODES } from "../cli/errors.js";
+import { parseFlags } from "../cli/parse.js";
+import { redactForOutput } from "../core/redaction.js";
+import { callToolWithRetry } from "./call.js";
+import { showHelpIfRequested } from "./help.js";
+const CREATE_STAGED_UPLOAD_TOOL_NAME = "create_staged_upload";
+const COMPLETE_STAGED_UPLOAD_TOOL_NAME = "complete_staged_upload";
+const ABORT_STAGED_UPLOAD_TOOL_NAME = "abort_staged_upload";
+const SOURCE_ZIP_CONTENT_TYPE = "application/zip";
+const SOURCE_ZIP_CONTENT_TYPES = new Set(["application/zip", "application/x-zip-compressed"]);
+const COVER_IMAGE_CONTENT_TYPES = new Set(["image/png", "image/jpeg", "image/webp", "image/avif"]);
+const AVATAR_IMAGE_CONTENT_TYPES = new Set(["image/png", "image/jpeg", "image/webp", "image/gif"]);
+const COVER_IMAGE_CONTENT_TYPE_HELP = "image/png, image/jpeg, image/webp, or image/avif";
+const AVATAR_IMAGE_CONTENT_TYPE_HELP = "image/png, image/jpeg, image/webp, or image/gif";
+const IMAGE_CONTENT_TYPE_BY_EXT = new Map([
+    [".png", "image/png"],
+    [".jpg", "image/jpeg"],
+    [".jpeg", "image/jpeg"],
+    [".webp", "image/webp"],
+    [".avif", "image/avif"],
+    [".gif", "image/gif"],
+]);
+function readObject(value, label) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw new CliError("mcp.staged_upload_contract", `${label} was missing from the MCP response.`, EXIT_CODES.protocol);
+    }
+    return value;
+}
+function readString(value) {
+    return typeof value === "string" && value.trim() ? value.trim() : undefined;
+}
+function readNumber(value) {
+    return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
+function readHeaders(value) {
+    const raw = readObject(value, "staged upload PUT headers");
+    const headers = {};
+    for (const [key, nested] of Object.entries(raw)) {
+        if (typeof nested === "string")
+            headers[key] = nested;
+    }
+    return headers;
+}
+function readCreateResult(result) {
+    const toolResult = readObject(result, "create_staged_upload result");
+    const structuredContent = readObject(toolResult["structuredContent"], "create_staged_upload structuredContent");
+    const meta = readObject(toolResult["_meta"], "create_staged_upload metadata");
+    const directPut = readObject(meta["stagedUploadDirectPut"], "staged upload direct PUT metadata");
+    const uploadId = readString(structuredContent["uploadId"]);
+    const fileName = readString(structuredContent["fileName"]);
+    const contentType = readString(structuredContent["contentType"]);
+    const sizeBytes = readNumber(structuredContent["sizeBytes"]);
+    const presignedUrl = readString(directPut["presignedUrl"]);
+    if (!uploadId || !fileName || !contentType || sizeBytes === undefined || !presignedUrl) {
+        throw new CliError("mcp.staged_upload_contract", "create_staged_upload returned an incomplete staged upload contract.", EXIT_CODES.protocol);
+    }
+    return {
+        uploadId,
+        fileName,
+        contentType,
+        sizeBytes,
+        directPut: {
+            presignedUrl,
+            headers: readHeaders(directPut["headers"] ?? {}),
+        },
+    };
+}
+function readCompleteResult(result, fallbackUploadId) {
+    const toolResult = readObject(result, "complete_staged_upload result");
+    const structuredContent = readObject(toolResult["structuredContent"], "complete_staged_upload structuredContent");
+    return {
+        uploadId: readString(structuredContent["uploadId"]) ?? fallbackUploadId,
+        status: readString(structuredContent["status"]) ?? "verified",
+        sha256: readString(structuredContent["sha256"]) ?? "",
+    };
+}
+function parseUploadArgs(args) {
+    const { flags, positionals } = parseFlags(args, {
+        valueFlags: ["zip", "image", "file", "kind", "content-type", "idempotency-key", "root-hint", "entry-hint"],
+        booleanFlags: ["no-login"]
+    });
+    const zipPath = readString(flags["zip"]);
+    const imagePath = readString(flags["image"]);
+    if (zipPath && imagePath) {
+        throw new CliError("usage.upload_single_source", "Use either --zip or --image, not both.", EXIT_CODES.usage);
+    }
+    const filePath = zipPath ?? imagePath ?? readString(flags["file"]) ?? readString(positionals[0]);
+    if (!filePath) {
+        throw new CliError("usage.upload_zip_required", "Usage: vibecodr upload --zip <path> or vibecodr upload --image <path> [--kind cover_image|avatar_image]", EXIT_CODES.usage);
+    }
+    if (positionals.length > 1) {
+        throw new CliError("usage.unexpected_argument", `Unexpected argument: ${positionals[1]}`, EXIT_CODES.usage);
+    }
+    const idempotencyKey = readString(flags["idempotency-key"]);
+    const rootHint = readString(flags["root-hint"]);
+    const entryHint = readString(flags["entry-hint"]);
+    const contentType = readString(flags["content-type"]);
+    const rawKind = readString(flags["kind"]);
+    let kind = imagePath ? "cover_image" : "source_zip";
+    if (rawKind) {
+        if (rawKind !== "source_zip" && rawKind !== "cover_image" && rawKind !== "avatar_image") {
+            throw new CliError("usage.upload_kind_invalid", "--kind must be source_zip, cover_image, or avatar_image.", EXIT_CODES.usage);
+        }
+        kind = rawKind;
+    }
+    if (imagePath && kind === "source_zip") {
+        throw new CliError("usage.upload_kind_invalid", "--image must use --kind cover_image or --kind avatar_image.", EXIT_CODES.usage);
+    }
+    return {
+        filePath,
+        kind,
+        ...(contentType ? { contentType } : {}),
+        ...(idempotencyKey ? { idempotencyKey } : {}),
+        ...(rootHint ? { rootHint } : {}),
+        ...(entryHint ? { entryHint } : {}),
+        allowLogin: flags["no-login"] !== true,
+    };
+}
+function sha256Hex(bytes) {
+    return createHash("sha256").update(bytes).digest("hex");
+}
+function normalizeContentType(value) {
+    return value.split(";")[0]?.trim().toLowerCase() || "";
+}
+function assertContentTypeForKind(kind, contentType) {
+    const normalized = normalizeContentType(contentType);
+    if (kind === "source_zip") {
+        if (!SOURCE_ZIP_CONTENT_TYPES.has(normalized)) {
+            throw new CliError("usage.upload_content_type_invalid", "ZIP uploads must use application/zip or application/x-zip-compressed.", EXIT_CODES.usage);
+        }
+        return normalized;
+    }
+    const allowed = kind === "cover_image" ? COVER_IMAGE_CONTENT_TYPES : AVATAR_IMAGE_CONTENT_TYPES;
+    if (!allowed.has(normalized)) {
+        throw new CliError("usage.upload_content_type_invalid", kind === "cover_image"
+            ? `Cover images must use ${COVER_IMAGE_CONTENT_TYPE_HELP}.`
+            : `Avatar images must use ${AVATAR_IMAGE_CONTENT_TYPE_HELP}.`, EXIT_CODES.usage);
+    }
+    return normalized;
+}
+function inferContentType(kind, fileName, override) {
+    if (override)
+        return assertContentTypeForKind(kind, override);
+    if (kind === "source_zip")
+        return assertContentTypeForKind(kind, SOURCE_ZIP_CONTENT_TYPE);
+    const lower = fileName.toLowerCase();
+    for (const [ext, contentType] of IMAGE_CONTENT_TYPE_BY_EXT) {
+        if (lower.endsWith(ext))
+            return assertContentTypeForKind(kind, contentType);
+    }
+    throw new CliError("usage.upload_image_type_required", `Could not infer image content type. Cover images support ${COVER_IMAGE_CONTENT_TYPE_HELP}; avatar images support ${AVATAR_IMAGE_CONTENT_TYPE_HELP}.`, EXIT_CODES.usage);
+}
+function toBlob(bytes, contentType) {
+    const buffer = new ArrayBuffer(bytes.byteLength);
+    new Uint8Array(buffer).set(bytes);
+    return new Blob([buffer], { type: contentType });
+}
+async function abortBestEffort(context, uploadId, allowLogin) {
+    try {
+        await callToolWithRetry(context, ABORT_STAGED_UPLOAD_TOOL_NAME, { uploadId }, allowLogin);
+    }
+    catch {
+        // Best-effort cleanup only. Preserve the upload failure as the surfaced error.
+    }
+}
+async function putBytesToStagedUpload(input) {
+    const response = await fetch(input.directPut.presignedUrl, {
+        method: "PUT",
+        headers: input.directPut.headers,
+        body: toBlob(input.bytes, input.contentType),
+    });
+    if (!response.ok) {
+        throw new CliError("upload.put_failed", `Upload failed for ${input.fileName} with HTTP ${response.status}.`, EXIT_CODES.network, { nextStep: "Retry the command. If this repeats, run vibecodr doctor and check upload service status." });
+    }
+}
+export async function runUploadCommand(args, context) {
+    if (showHelpIfRequested(args, context, "Usage: vibecodr upload --zip <path> [--idempotency-key <key>] [--root-hint <path>] [--entry-hint <path>] [--no-login]\n       vibecodr upload --image <path> [--kind cover_image|avatar_image] [--content-type <mime>] [--no-login]"))
+        return;
+    const input = parseUploadArgs(args);
+    const fileInfo = await stat(input.filePath).catch((error) => {
+        throw new CliError("usage.upload_file_unreadable", `Could not read upload file: ${error instanceof Error ? error.message : String(error)}`, EXIT_CODES.usage);
+    });
+    if (!fileInfo.isFile()) {
+        throw new CliError("usage.upload_file_required", "Upload path must be a file.", EXIT_CODES.usage);
+    }
+    if (fileInfo.size <= 0) {
+        throw new CliError("usage.upload_file_empty", "Upload file must not be empty.", EXIT_CODES.usage);
+    }
+    const bytes = await readFile(input.filePath);
+    const fileName = basename(input.filePath) || (input.kind === "source_zip" ? "source.zip" : "image");
+    const contentType = inferContentType(input.kind, fileName, input.contentType);
+    const hash = sha256Hex(bytes);
+    const { result: createResult } = await callToolWithRetry(context, CREATE_STAGED_UPLOAD_TOOL_NAME, {
+        kind: input.kind,
+        fileName,
+        contentType,
+        sizeBytes: bytes.byteLength,
+        sha256: hash,
+        createdBySurface: input.kind === "source_zip" ? "cli.upload.zip" : "cli.upload.image",
+        ...(input.idempotencyKey ? { idempotencyKey: input.idempotencyKey } : {}),
+    }, input.allowLogin);
+    const created = readCreateResult(createResult);
+    try {
+        await putBytesToStagedUpload({
+            fileName: created.fileName,
+            bytes,
+            contentType: created.contentType,
+            directPut: created.directPut,
+        });
+        const { result: completeResult } = await callToolWithRetry(context, COMPLETE_STAGED_UPLOAD_TOOL_NAME, {
+            uploadId: created.uploadId,
+            sizeBytes: bytes.byteLength,
+            sha256: hash,
+        }, input.allowLogin);
+        const completed = readCompleteResult(completeResult, created.uploadId);
+        const quickPublishPayload = {
+            ...(input.kind === "source_zip"
+                ? {
+                    importMode: "staged_upload",
+                    stagedUpload: {
+                        uploadId: completed.uploadId,
+                        fileName: created.fileName,
+                        async: true,
+                        ...(input.rootHint ? { rootHint: input.rootHint } : {}),
+                        ...(input.entryHint ? { entryHint: input.entryHint } : {}),
+                    },
+                }
+                : input.kind === "cover_image"
+                    ? {
+                        thumbnailStagedUpload: {
+                            uploadId: completed.uploadId,
+                            fileName: created.fileName,
+                        },
+                    }
+                    : {
+                        avatarStagedUpload: {
+                            uploadId: completed.uploadId,
+                            fileName: created.fileName,
+                        },
+                    }),
+        };
+        context.output.success({
+            schemaVersion: 1,
+            upload: {
+                uploadId: completed.uploadId,
+                status: completed.status,
+                kind: input.kind,
+                fileName: created.fileName,
+                contentType: created.contentType,
+                sizeBytes: bytes.byteLength,
+                sha256: completed.sha256 || hash,
+            },
+            quickPublishPayload: redactForOutput(quickPublishPayload),
+        }, [
+            `Uploaded and verified ${created.fileName}.`,
+            input.kind === "source_zip"
+                ? `Use uploadId ${completed.uploadId} with payload.importMode="staged_upload".`
+                : input.kind === "cover_image"
+                    ? `Use uploadId ${completed.uploadId} with thumbnailStagedUpload.uploadId.`
+                    : `Use uploadId ${completed.uploadId} with an avatar image promotion flow.`,
+        ]);
+    }
+    catch (error) {
+        await abortBestEffort(context, created.uploadId, input.allowLogin);
+        throw error;
+    }
+}

package/dist/core/redaction.js

@@ -12,6 +12,8 @@ const SENSITIVE_KEY_PATTERNS = [
     /^private[-_]?key$/i,
     /^refresh[-_]?token$/i,
     /^access[-_]?token$/i,
+    /^presigned[-_]?url$/i,
+    /^signature$/i,
     /^fileBase64$/i,
     /^code$/i,
     /^content$/i,
@@ -19,6 +21,7 @@ const SENSITIVE_KEY_PATTERNS = [
 ];
 const SENSITIVE_STRING_PATTERNS = [
     /\bBearer\s+[A-Za-z0-9._~+/=-]+/i,
+    /[?&]X-Amz-Signature=[^&\s]+/i,
     /\btok_[A-Za-z0-9._-]+/i,
     /\bsk-[A-Za-z0-9._-]+/i,
     /\b(token|secret|api[-_ ]?key)\s*[:=]\s*\S+/i

package/docs/commands.md

@@ -54,9 +54,9 @@ Syntax:
 
 This always reads the live tool catalog from the MCP server.
 
-### `call`
-
-Syntax:
+### `call`
+
+Syntax:
 
 `vibecodr call <tool-name> [--input-json <json>] [--input-file <path>] [--stdin] [--interactive] [--no-login] [--confirm]`
 
@@ -64,9 +64,25 @@ Syntax:
 
 For `quick_publish_creation` with `payload.importMode: "direct_files"`, pass file paths as normal slash-separated project paths such as `src/main.tsx` or `src/server/binding-proof.js`. Do not pre-encode slashes as `%2F`; the hosted MCP gateway encodes each URL segment when it writes files to Vibecodr.
 
-Known mutating tools require explicit confirmation through `--confirm`. The CLI redacts secret, token, source, descriptor, and inline file-content fields from displayed arguments and results; the MCP gateway remains the authority boundary for OAuth, owner checks, confirmation, and output shaping.
-
-### `pulse-setup`
+Known mutating tools require explicit confirmation through `--confirm`. The CLI redacts secret, token, source, descriptor, and inline file-content fields from displayed arguments and results; the MCP gateway remains the authority boundary for OAuth, owner checks, confirmation, and output shaping.
+
+### `upload`
+
+Syntax:
+
+`vibecodr upload --zip <path> [--idempotency-key <key>] [--root-hint <path>] [--entry-hint <path>] [--no-login]`
+
+`vibecodr upload --image <path> [--kind cover_image|avatar_image] [--content-type <mime>] [--no-login]`
+
+Stages a local ZIP or image through Vibecodr's API-owned upload session flow. The CLI asks the MCP gateway for a short-lived direct R2 PUT URL, uploads the bytes directly to R2, completes server-side verification, and prints safe identifiers only.
+
+ZIP uploads print a `quickPublishPayload` snippet using `payload.importMode: "staged_upload"`. Cover image uploads print a `thumbnailStagedUpload` snippet that can be passed to publish metadata tools. Avatar image uploads print an `avatarStagedUpload` identifier for avatar promotion flows.
+
+Cover images support PNG, JPEG, WebP, and AVIF. Avatar images support PNG, JPEG, WebP, and GIF.
+
+The presigned URL is a bearer credential and is never printed in command output. Legacy `zip_import` / `fileBase64` remains a compatibility path for small payloads, not the preferred CLI path for whole repos or launch images.
+
+### `pulse-setup`
 
 Syntax:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibecodr/cli",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Vibecodr CLI for login, live MCP tool discovery, and live tool invocation.",
   "license": "Apache-2.0",
   "type": "module",