@wacht/bench 0.1.0

package/dist/config-workflow.js

@@ -0,0 +1,474 @@
+import { readFile, writeFile } from 'node:fs/promises';
+import { PLATFORM_OPENAPI_URL } from './config.js';
+import { readBenchContext } from './context-store.js';
+import { machineRequest } from './machine-api.js';
+import { loadOpenApiSpec } from './openapi.js';
+import { field, log, printBannerFor, printJson, section, success, warning } from './ui.js';
+const DEFAULT_CONFIG_FILE = 'wacht.config.json';
+const CONFIG_SCHEMA_URL = 'https://wacht.dev/schemas/wacht.config.schema.json';
+const METADATA_KEYS = new Set(['id', 'deployment_id', 'created_at', 'updated_at', 'deleted_at']);
+const SETTINGS_SECTIONS = ['auth', 'display', 'b2b', 'restrictions'];
+const AUTH_UPDATE_KEYS = new Set([
+    'email',
+    'phone',
+    'username',
+    'password',
+    'name',
+    'authentication_factors',
+    'second_factor_policy',
+    'first_factor',
+    'backup_code',
+    'web3_wallet',
+    'multi_session_support',
+    'session_token_lifetime',
+    'session_validity_period',
+    'session_inactive_timeout',
+]);
+const DISPLAY_UPDATE_KEYS = new Set([
+    'app_name',
+    'tos_page_url',
+    'sign_in_page_url',
+    'sign_up_page_url',
+    'after_sign_out_one_page_url',
+    'after_sign_out_all_page_url',
+    'favicon_image_url',
+    'logo_image_url',
+    'privacy_policy_url',
+    'signup_terms_statement',
+    'signup_terms_statement_shown',
+    'light_mode_settings',
+    'dark_mode_settings',
+    'after_logo_click_url',
+    'organization_profile_url',
+    'create_organization_url',
+    'default_user_profile_image_url',
+    'default_organization_profile_image_url',
+    'default_workspace_profile_image_url',
+    'use_initials_for_user_profile_image',
+    'use_initials_for_organization_profile_image',
+    'after_signup_redirect_url',
+    'after_signin_redirect_url',
+    'user_profile_url',
+    'after_create_organization_redirect_url',
+    'waitlist_page_url',
+    'support_page_url',
+]);
+const B2B_UPDATE_KEYS = new Set([
+    'organizations_enabled',
+    'workspaces_enabled',
+    'ip_allowlist_per_org_enabled',
+    'ip_allowlist_per_workspace_enabled',
+    'enforce_mfa_per_org_enabled',
+    'enforce_mfa_per_workspace_enabled',
+    'enterprise_sso_enabled',
+    'allow_users_to_create_orgs',
+    'max_allowed_org_members',
+    'max_allowed_workspace_members',
+    'allow_org_deletion',
+    'allow_workspace_deletion',
+    'custom_org_role_enabled',
+    'custom_workspace_role_enabled',
+    'default_workspace_creator_role_id',
+    'default_workspace_member_role_id',
+    'default_org_creator_role_id',
+    'default_org_member_role_id',
+    'limit_org_creation_per_user',
+    'limit_workspace_creation_per_org',
+    'org_creation_per_user_count',
+    'workspaces_per_org_count',
+    'workspace_permissions',
+    'organization_permissions',
+    'workspace_permission_catalog',
+    'organization_permission_catalog',
+]);
+const RESTRICTIONS_UPDATE_KEYS = new Set([
+    'allowlist_enabled',
+    'blocklist_enabled',
+    'block_subaddresses',
+    'block_disposable_emails',
+    'block_voip_numbers',
+    'country_restrictions',
+    'banned_keywords',
+    'allowlisted_resources',
+    'blocklisted_resources',
+    'sign_up_mode',
+    'waitlist_collect_names',
+]);
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function asJsonObject(value, label) {
+    if (!isRecord(value))
+        throw new Error(`${label} must be an object.`);
+    return value;
+}
+function removeMetadata(value) {
+    const source = asJsonObject(value ?? {}, 'settings section');
+    const next = {};
+    for (const [key, entry] of Object.entries(source)) {
+        if (!METADATA_KEYS.has(key))
+            next[key] = entry;
+    }
+    return next;
+}
+function pickKeys(value, allowed) {
+    const source = removeMetadata(value);
+    const next = {};
+    for (const [key, entry] of Object.entries(source)) {
+        if (allowed.has(key))
+            next[key] = entry;
+    }
+    return next;
+}
+function validateKeys(sectionName, value, allowed) {
+    if (!value)
+        return undefined;
+    const unsupported = Object.keys(value).filter((key) => !allowed.has(key));
+    if (unsupported.length) {
+        throw new Error(`Unsupported settings.${sectionName} key(s): ${unsupported.join(', ')}.`);
+    }
+    return value;
+}
+function authToPatch(value) {
+    if (!isRecord(value))
+        return undefined;
+    const auth = removeMetadata(value);
+    const next = {};
+    if (auth.email_address !== undefined)
+        next.email = auth.email_address;
+    if (auth.phone_number !== undefined)
+        next.phone = auth.phone_number;
+    if (auth.username !== undefined)
+        next.username = auth.username;
+    if (auth.password !== undefined)
+        next.password = auth.password;
+    if (auth.backup_code !== undefined)
+        next.backup_code = auth.backup_code;
+    if (auth.web3_wallet !== undefined)
+        next.web3_wallet = auth.web3_wallet;
+    if (auth.first_name !== undefined || auth.last_name !== undefined) {
+        const first = isRecord(auth.first_name) ? auth.first_name : {};
+        const last = isRecord(auth.last_name) ? auth.last_name : {};
+        next.name = {
+            first_name_enabled: first.enabled,
+            first_name_required: first.required,
+            last_name_enabled: last.enabled,
+            last_name_required: last.required,
+        };
+    }
+    if (auth.auth_factors_enabled !== undefined || auth.magic_link !== undefined || auth.passkey !== undefined) {
+        const factors = isRecord(auth.auth_factors_enabled) ? auth.auth_factors_enabled : {};
+        next.authentication_factors = {
+            email_password_enabled: factors.email_password,
+            username_password_enabled: factors.username_password,
+            sso_enabled: factors.sso,
+            web3_wallet_enabled: factors.web3_wallet,
+            email_otp_enabled: factors.email_otp,
+            phone_otp_enabled: factors.phone_otp,
+            second_factor_authenticator_enabled: factors.authenticator,
+            second_factor_backup_code_enabled: factors.backup_code,
+            magic_link: auth.magic_link,
+            passkey: auth.passkey,
+        };
+    }
+    for (const key of ['second_factor_policy', 'first_factor', 'multi_session_support', 'session_token_lifetime', 'session_validity_period', 'session_inactive_timeout']) {
+        if (auth[key] !== undefined)
+            next[key] = auth[key];
+    }
+    return pruneUndefined(next);
+}
+function pruneUndefined(value) {
+    if (Array.isArray(value)) {
+        return value.map((item) => pruneUndefined(item)).filter((item) => item !== undefined);
+    }
+    if (isRecord(value)) {
+        const next = {};
+        for (const [key, entry] of Object.entries(value)) {
+            const pruned = pruneUndefined(entry);
+            if (pruned !== undefined)
+                next[key] = pruned;
+        }
+        return next;
+    }
+    return value;
+}
+function configFromDeployment(deployment, fallback) {
+    const source = asJsonObject(deployment, 'deployment settings response');
+    const settings = {};
+    const auth = authToPatch(source.auth_settings);
+    if (auth && Object.keys(auth).length)
+        settings.auth = auth;
+    if (source.ui_settings !== undefined)
+        settings.display = removeMetadata(source.ui_settings);
+    if (source.b2b_settings !== undefined)
+        settings.b2b = pickKeys(source.b2b_settings, B2B_UPDATE_KEYS);
+    if (source.restrictions !== undefined)
+        settings.restrictions = removeMetadata(source.restrictions);
+    return {
+        $schema: CONFIG_SCHEMA_URL,
+        version: 1,
+        deployment: {
+            id: String(source.id ?? fallback.id ?? ''),
+            mode: typeof source.mode === 'string' ? source.mode : fallback.mode,
+            project_id: fallback.project_id,
+            project_name: fallback.project_name,
+        },
+        settings,
+    };
+}
+function normalizeConfig(value) {
+    const source = asJsonObject(value, 'config file');
+    if (source.version !== 1)
+        throw new Error('Config file version must be 1.');
+    const settings = asJsonObject(source.settings, 'config settings');
+    const unknown = Object.keys(settings).filter((key) => !SETTINGS_SECTIONS.includes(key));
+    if (unknown.length) {
+        throw new Error(`Unsupported config section(s): ${unknown.join(', ')}.`);
+    }
+    return {
+        $schema: typeof source.$schema === 'string' ? source.$schema : CONFIG_SCHEMA_URL,
+        version: 1,
+        deployment: isRecord(source.deployment) ? {
+            id: typeof source.deployment.id === 'string' ? source.deployment.id : undefined,
+            mode: typeof source.deployment.mode === 'string' ? source.deployment.mode : undefined,
+            project_id: typeof source.deployment.project_id === 'string' ? source.deployment.project_id : undefined,
+            project_name: typeof source.deployment.project_name === 'string' ? source.deployment.project_name : undefined,
+        } : undefined,
+        settings: {
+            auth: validateKeys('auth', settings.auth === undefined ? undefined : pruneUndefined(asJsonObject(settings.auth, 'settings.auth')), AUTH_UPDATE_KEYS),
+            display: validateKeys('display', settings.display === undefined ? undefined : pruneUndefined(asJsonObject(settings.display, 'settings.display')), DISPLAY_UPDATE_KEYS),
+            b2b: validateKeys('b2b', settings.b2b === undefined ? undefined : pruneUndefined(asJsonObject(settings.b2b, 'settings.b2b')), B2B_UPDATE_KEYS),
+            restrictions: validateKeys('restrictions', settings.restrictions === undefined ? undefined : pruneUndefined(asJsonObject(settings.restrictions, 'settings.restrictions')), RESTRICTIONS_UPDATE_KEYS),
+        },
+    };
+}
+function sorted(value) {
+    if (Array.isArray(value))
+        return value.map((item) => sorted(item));
+    if (isRecord(value)) {
+        const next = {};
+        for (const key of Object.keys(value).sort()) {
+            next[key] = sorted(value[key]);
+        }
+        return next;
+    }
+    return value;
+}
+function jsonEqual(a, b) {
+    return JSON.stringify(sorted(a)) === JSON.stringify(sorted(b));
+}
+function diffValues(section, path, before, after, changes) {
+    if (jsonEqual(before, after))
+        return;
+    if (isRecord(before) && isRecord(after) && !Array.isArray(before) && !Array.isArray(after)) {
+        const keys = new Set([...Object.keys(before), ...Object.keys(after)]);
+        for (const key of [...keys].sort()) {
+            diffValues(section, path ? `${path}.${key}` : key, before[key], after[key], changes);
+        }
+        return;
+    }
+    changes.push({ section, path, before, after });
+}
+function diffConfigs(current, desired) {
+    const changes = [];
+    for (const sectionName of SETTINGS_SECTIONS) {
+        diffValues(sectionName, sectionName, current.settings[sectionName], desired.settings[sectionName], changes);
+    }
+    return changes;
+}
+function sectionChanges(changes) {
+    return [...new Set(changes.map((change) => change.section))];
+}
+function configSchema(openApiSchemas = {}) {
+    return {
+        $schema: 'https://json-schema.org/draft/2020-12/schema',
+        $id: CONFIG_SCHEMA_URL,
+        type: 'object',
+        additionalProperties: false,
+        required: ['version', 'settings'],
+        properties: {
+            $schema: { type: 'string' },
+            version: { const: 1 },
+            deployment: {
+                type: 'object',
+                additionalProperties: false,
+                properties: {
+                    id: { type: 'string' },
+                    mode: { enum: ['staging', 'production'] },
+                    project_id: { type: 'string' },
+                    project_name: { type: 'string' },
+                },
+            },
+            settings: {
+                type: 'object',
+                additionalProperties: false,
+                properties: {
+                    auth: openApiSchemas.DeploymentAuthSettingsUpdates ?? { type: 'object' },
+                    display: openApiSchemas.DeploymentDisplaySettingsUpdates ?? { type: 'object' },
+                    b2b: openApiSchemas.DeploymentB2bSettingsUpdates ?? { type: 'object' },
+                    restrictions: openApiSchemas.DeploymentRestrictionsUpdates ?? { type: 'object' },
+                },
+            },
+        },
+        $defs: openApiSchemas,
+    };
+}
+async function readDesiredConfig(filePath) {
+    return normalizeConfig(JSON.parse(await readFile(filePath, 'utf8')));
+}
+async function deploymentTarget(options, desired) {
+    const context = await readBenchContext();
+    const id = options.deployment ?? desired?.deployment?.id ?? context?.deployment_id;
+    if (!id)
+        throw new Error('Select an active deployment first, pass --deployment <id>, or include deployment.id in the config file.');
+    return {
+        id,
+        mode: desired?.deployment?.mode ?? context?.deployment_mode,
+        project_id: desired?.deployment?.project_id ?? context?.project_id,
+        project_name: desired?.deployment?.project_name ?? context?.project_name,
+    };
+}
+async function pullConfigForTarget(ctx, target) {
+    const data = await machineRequest(`/deployments/${target.id}`);
+    return configFromDeployment(data, target);
+}
+function assertCanApply(target, options) {
+    if (target.mode === 'production') {
+        if (!options.production) {
+            throw new Error('Refusing to apply config to production without --production.');
+        }
+        if (options.confirm !== target.id) {
+            throw new Error(`Refusing to apply config to production without --confirm ${target.id}.`);
+        }
+    }
+    if (!options.yes) {
+        throw new Error('Refusing to apply config without --yes. Use --dry-run to preview changes.');
+    }
+}
+function printChanges(ctx, changes) {
+    if (!changes.length) {
+        log(ctx, 'No config changes.');
+        return;
+    }
+    for (const change of changes) {
+        log(ctx, `${change.path}:`);
+        log(ctx, `  before: ${JSON.stringify(change.before)}`);
+        log(ctx, `  after:  ${JSON.stringify(change.after)}`);
+    }
+}
+async function applySection(deploymentId, sectionName, payload) {
+    const routes = {
+        auth: { method: 'PATCH', path: '/settings/auth' },
+        display: { method: 'PATCH', path: '/settings/display' },
+        b2b: { method: 'PATCH', path: '/settings/b2b' },
+        restrictions: { method: 'PATCH', path: '/settings/restrictions' },
+    };
+    const route = routes[sectionName];
+    if (!route)
+        throw new Error(`Unsupported config section: ${sectionName}`);
+    await machineRequest(`/deployments/${deploymentId}${route.path}`, {
+        method: route.method,
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(payload),
+    });
+}
+export async function configPull(ctx, options) {
+    const target = await deploymentTarget(options);
+    const config = await pullConfigForTarget(ctx, target);
+    if (ctx.json) {
+        printJson({ ok: true, config });
+        return;
+    }
+    const filePath = options.file ?? DEFAULT_CONFIG_FILE;
+    await writeFile(filePath, `${JSON.stringify(config, null, 2)}\n`, 'utf8');
+    printBannerFor(ctx);
+    log(ctx, section('Config Pulled'));
+    log(ctx, field('Deployment', `${config.deployment?.mode ?? 'unknown'} (${config.deployment?.id ?? target.id})`));
+    log(ctx, field('File', filePath));
+    log(ctx, warning('Secrets and provider credentials are not written to config.'));
+}
+export async function configSchemaCommand(ctx, options) {
+    const loaded = await loadOpenApiSpec(ctx, { refresh: options.refresh });
+    const schemas = isRecord(loaded.spec.components) && isRecord(loaded.spec.components.schemas)
+        ? loaded.spec.components.schemas
+        : {};
+    printJson(configSchema(schemas));
+}
+export async function configDiff(ctx, options) {
+    const filePath = options.file ?? DEFAULT_CONFIG_FILE;
+    const desired = await readDesiredConfig(filePath);
+    const target = await deploymentTarget(options, desired);
+    const current = await pullConfigForTarget(ctx, target);
+    const changes = diffConfigs(current, desired);
+    if (ctx.json) {
+        printJson({ ok: true, deployment: target, file: filePath, changes });
+        return;
+    }
+    printBannerFor(ctx);
+    log(ctx, section('Config Diff'));
+    log(ctx, field('Deployment', `${target.mode ?? 'unknown'} (${target.id})`));
+    log(ctx, field('File', filePath));
+    log(ctx, '');
+    printChanges(ctx, changes);
+}
+export async function configApply(ctx, options) {
+    const filePath = options.file ?? DEFAULT_CONFIG_FILE;
+    const desired = await readDesiredConfig(filePath);
+    const target = await deploymentTarget(options, desired);
+    const current = await pullConfigForTarget(ctx, target);
+    const changes = diffConfigs(current, desired);
+    const changedSections = sectionChanges(changes);
+    if (options.dryRun) {
+        if (ctx.json) {
+            printJson({ ok: true, dryRun: true, deployment: target, file: filePath, changedSections, changes });
+            return;
+        }
+        printBannerFor(ctx);
+        log(ctx, section('Config Apply Dry Run'));
+        log(ctx, field('Deployment', `${target.mode ?? 'unknown'} (${target.id})`));
+        log(ctx, field('File', filePath));
+        log(ctx, '');
+        printChanges(ctx, changes);
+        return;
+    }
+    assertCanApply(target, options);
+    for (const sectionName of changedSections) {
+        const payload = desired.settings[sectionName];
+        if (payload)
+            await applySection(target.id, sectionName, payload);
+    }
+    if (ctx.json) {
+        printJson({ ok: true, dryRun: false, deployment: target, file: filePath, changedSections, changes });
+        return;
+    }
+    printBannerFor(ctx);
+    log(ctx, section('Config Applied'));
+    log(ctx, field('Deployment', `${target.mode ?? 'unknown'} (${target.id})`));
+    log(ctx, field('Sections', changedSections.length ? changedSections.join(', ') : 'none'));
+    log(ctx, success('Wacht config is up to date.'));
+}
+export function printConfigTemplate(ctx) {
+    const template = {
+        $schema: CONFIG_SCHEMA_URL,
+        version: 1,
+        deployment: {
+            id: '',
+            mode: 'staging',
+        },
+        settings: {
+            display: {
+                app_name: 'My App',
+                sign_in_page_url: '/sign-in',
+                sign_up_page_url: '/sign-up',
+            },
+            restrictions: {
+                sign_up_mode: 'public',
+            },
+        },
+    };
+    if (ctx.json) {
+        printJson({ ok: true, template, openApiUrl: PLATFORM_OPENAPI_URL });
+        return;
+    }
+    printJson(template);
+}

package/dist/config.js

@@ -0,0 +1,18 @@
+import os from 'node:os';
+import path from 'node:path';
+export const MCP_URL = 'https://wacht.dev/docs/mcp';
+export const SKILLS_SOURCE = 'wacht-platform/bench';
+export const OAUTH_CLIENT_ID = 'oc_SCoNL5oNiIiELWFhknqQsUvQ9FDrfMBC';
+export const OAUTH_AUTHORIZE_URL = 'https://m2ma.wacht.dev/oauth/authorize';
+export const OAUTH_TOKEN_URL = 'https://m2ma.wacht.dev/oauth/token';
+export const OAUTH_REVOCATION_URL = 'https://m2ma.wacht.dev/oauth/revoke';
+export const OAUTH_ISSUER = 'https://m2ma.wacht.dev';
+export const OAUTH_SCOPES = 'read write';
+export const MACHINE_API_URL = 'https://machine.wacht.dev';
+export const PLATFORM_OPENAPI_URL = 'https://wacht.dev/docs/openapi/platform-api.json';
+export const REDIRECT_PORT = 37819;
+export const REDIRECT_URI = `http://127.0.0.1:${REDIRECT_PORT}/callback`;
+export const AUTH_DIR = path.join(os.homedir(), '.wacht');
+export const AUTH_FILE = path.join(AUTH_DIR, 'bench-auth.json');
+export const CONTEXT_FILE = path.join(AUTH_DIR, 'bench-context.json');
+export const OPENAPI_CACHE_FILE = path.join(AUTH_DIR, 'platform-api.openapi.json');

package/dist/context-store.js

@@ -0,0 +1,28 @@
+import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { AUTH_DIR, CONTEXT_FILE } from './config.js';
+function isStoredBenchContext(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value))
+        return false;
+    const record = value;
+    return typeof record.project_id === 'string'
+        && typeof record.project_name === 'string'
+        && typeof record.deployment_id === 'string'
+        && typeof record.deployment_mode === 'string'
+        && typeof record.updated_at === 'number';
+}
+export async function readBenchContext() {
+    try {
+        const parsed = JSON.parse(await readFile(CONTEXT_FILE, 'utf8'));
+        return isStoredBenchContext(parsed) ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function writeBenchContext(context) {
+    await mkdir(AUTH_DIR, { recursive: true });
+    await writeFile(CONTEXT_FILE, `${JSON.stringify(context, null, 2)}\n`, { mode: 0o600 });
+}
+export async function clearBenchContext() {
+    await rm(CONTEXT_FILE, { force: true });
+}