@wacht/bench 0.1.0

package/dist/machine-api.js

@@ -0,0 +1,272 @@
+import { readFile } from 'node:fs/promises';
+import path from 'node:path';
+import { MACHINE_API_URL } from './config.js';
+import { getValidAuth } from './oauth.js';
+import { promptChoice, promptOptionalList, promptText } from './prompts.js';
+import { field, log, printBannerFor, printJson, section } from './ui.js';
+export async function machineRequest(pathname, options = {}) {
+    const auth = await getValidAuth();
+    const url = new URL(pathname, auth.machine_api_url || MACHINE_API_URL);
+    const headers = new Headers(options.headers);
+    headers.set('authorization', `Bearer ${auth.access_token}`);
+    headers.set('accept', 'application/json');
+    const response = await fetch(url, {
+        ...options,
+        headers,
+    });
+    const text = await response.text();
+    if (!response.ok) {
+        throw new Error(`Machine API request failed: HTTP ${response.status}${text ? ` ${text}` : ''}`);
+    }
+    if (!text)
+        return null;
+    return JSON.parse(text);
+}
+function isRecord(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+export function projectList(response) {
+    const rawProjects = Array.isArray(response)
+        ? response
+        : isRecord(response) && Array.isArray(response.data)
+            ? response.data
+            : [];
+    return rawProjects.filter(isRecord).map((project) => {
+        const deploymentItems = Array.isArray(project.deployments)
+            ? project.deployments
+                .filter(isRecord)
+                .map((deployment) => ({
+                id: String(deployment.id ?? ''),
+                mode: typeof deployment.mode === 'string' ? deployment.mode : 'unknown',
+                backend_host: typeof deployment.backend_host === 'string' ? deployment.backend_host : undefined,
+                frontend_host: typeof deployment.frontend_host === 'string' ? deployment.frontend_host : undefined,
+                updated_at: typeof deployment.updated_at === 'string' ? deployment.updated_at : undefined,
+            }))
+            : [];
+        return {
+            id: String(project.id ?? ''),
+            name: String(project.name ?? 'Untitled project'),
+            created_at: typeof project.created_at === 'string' ? project.created_at : undefined,
+            updated_at: typeof project.updated_at === 'string' ? project.updated_at : undefined,
+            deployments: deploymentItems.length,
+            deployment_modes: deploymentItems.map((deployment) => deployment.mode),
+            deployment_items: deploymentItems,
+        };
+    });
+}
+function shortDate(value) {
+    if (!value)
+        return '-';
+    const date = new Date(value);
+    if (Number.isNaN(date.getTime()))
+        return value;
+    return date.toISOString().slice(0, 10);
+}
+function truncate(value, max) {
+    if (value.length <= max)
+        return value;
+    return `${value.slice(0, Math.max(0, max - 1))}~`;
+}
+function pad(value, width) {
+    return value.padEnd(width, ' ');
+}
+function printProjectTable(ctx, projects) {
+    printBannerFor(ctx);
+    log(ctx, section('Projects'));
+    log(ctx, field('Count', String(projects.length)));
+    log(ctx, '');
+    if (!projects.length) {
+        log(ctx, 'No projects found for this OAuth grant.');
+        return;
+    }
+    const rows = projects.map((project) => ({
+        name: truncate(project.name, 32),
+        id: truncate(project.id, 22),
+        deployments: project.deployment_modes.length
+            ? project.deployment_modes.join(', ')
+            : String(project.deployments),
+        updated: shortDate(project.updated_at),
+    }));
+    const nameWidth = Math.max('Name'.length, ...rows.map((row) => row.name.length));
+    const idWidth = Math.max('ID'.length, ...rows.map((row) => row.id.length));
+    const deploymentWidth = Math.max('Deployments'.length, ...rows.map((row) => row.deployments.length));
+    log(ctx, `${pad('Name', nameWidth)}  ${pad('ID', idWidth)}  ${pad('Deployments', deploymentWidth)}  Updated`);
+    log(ctx, `${'-'.repeat(nameWidth)}  ${'-'.repeat(idWidth)}  ${'-'.repeat(deploymentWidth)}  ----------`);
+    for (const row of rows) {
+        log(ctx, `${pad(row.name, nameWidth)}  ${pad(row.id, idWidth)}  ${pad(row.deployments, deploymentWidth)}  ${row.updated}`);
+    }
+}
+export async function listProjects(ctx) {
+    const response = await machineRequest('/projects');
+    const projects = projectList(response);
+    if (ctx.json) {
+        printJson({
+            ok: true,
+            data: projects,
+            has_more: isRecord(response) && typeof response.has_more === 'boolean' ? response.has_more : undefined,
+        });
+        return;
+    }
+    printProjectTable(ctx, projects);
+}
+export async function getProjects() {
+    return projectList(await machineRequest('/projects'));
+}
+export async function createProject(name, methods) {
+    const form = new FormData();
+    form.append('name', name);
+    for (const method of methods) {
+        form.append('methods', method);
+    }
+    const response = await machineRequest('/project', {
+        method: 'POST',
+        body: form,
+    });
+    const projects = projectList([response]);
+    if (!projects[0]) {
+        throw new Error('Machine API returned an unexpected project response.');
+    }
+    return projects[0];
+}
+export async function createDeployment(projectId, mode, methods, customDomain) {
+    if (mode !== 'staging' && mode !== 'production') {
+        throw new Error('Deployment mode must be staging or production.');
+    }
+    const body = mode === 'production'
+        ? { custom_domain: customDomain, auth_methods: methods }
+        : { auth_methods: methods };
+    const response = await machineRequest(`/project/${projectId}/${mode}-deployment`, {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/json',
+        },
+        body: JSON.stringify(body),
+    });
+    if (!isRecord(response)) {
+        throw new Error('Machine API returned an unexpected deployment response.');
+    }
+    return {
+        id: String(response.id ?? ''),
+        mode: typeof response.mode === 'string' ? response.mode : mode,
+        backend_host: typeof response.backend_host === 'string' ? response.backend_host : undefined,
+        frontend_host: typeof response.frontend_host === 'string' ? response.frontend_host : undefined,
+        updated_at: typeof response.updated_at === 'string' ? response.updated_at : undefined,
+    };
+}
+export function entries(values, flag) {
+    return (values ?? []).map((value) => {
+        const index = value.indexOf('=');
+        if (index <= 0) {
+            throw new Error(`${flag} expects key=value`);
+        }
+        return [value.slice(0, index), value.slice(index + 1)];
+    });
+}
+function stripFileMarker(value) {
+    return value.startsWith('@') ? value.slice(1) : value;
+}
+function hasAny(values) {
+    return !!values && values.length > 0;
+}
+function explicitBodyKind(options) {
+    if (options.body)
+        return 'json';
+    if (hasAny(options.file) || hasAny(options.form))
+        return 'multipart';
+    if (hasAny(options.field))
+        return 'urlencoded';
+    return null;
+}
+async function resolveApiOptions(method, pathname, options, ctx) {
+    const wizard = !method || !pathname;
+    const resolvedMethod = method
+        ? method.toUpperCase()
+        : (await promptChoice(ctx, undefined, ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], 'HTTP method: ', 'Pass an HTTP method, for example `wacht api GET /projects`.')).toUpperCase();
+    const resolvedPath = await promptText(ctx, pathname, 'API path: ', 'Pass an API path, for example `/projects`.');
+    const headers = options.header && options.header.length
+        ? options.header
+        : wizard
+            ? await promptOptionalList(ctx, undefined, 'Headers, comma separated key=value: ')
+            : [];
+    const nextOptions = { ...options, header: headers };
+    if (explicitBodyKind(nextOptions) || resolvedMethod === 'GET' || resolvedMethod === 'HEAD') {
+        return { method: resolvedMethod, pathname: resolvedPath, options: nextOptions };
+    }
+    const bodyKind = await promptChoice(ctx, undefined, ['none', 'json', 'urlencoded', 'multipart'], 'Request body type: ', 'Pass --body, --field, --form, or --file for request bodies.');
+    if (bodyKind === 'json') {
+        nextOptions.body = await promptText(ctx, undefined, 'JSON body: ', 'Pass --body <json>.');
+    }
+    else if (bodyKind === 'urlencoded') {
+        nextOptions.field = await promptOptionalList(ctx, undefined, 'URL-encoded fields, comma separated key=value: ');
+    }
+    else if (bodyKind === 'multipart') {
+        nextOptions.form = await promptOptionalList(ctx, undefined, 'Multipart text fields, comma separated key=value: ');
+        nextOptions.file = await promptOptionalList(ctx, undefined, 'Multipart file fields, comma separated key=path or key=@path: ');
+    }
+    return { method: resolvedMethod, pathname: resolvedPath, options: nextOptions };
+}
+export async function requestBody(options) {
+    const headers = new Headers();
+    for (const [key, value] of entries(options.header, '--header')) {
+        headers.set(key, value);
+    }
+    if (options.body) {
+        headers.set('content-type', 'application/json');
+        return {
+            body: JSON.stringify(JSON.parse(options.body)),
+            headers,
+        };
+    }
+    const files = entries(options.file, '--file');
+    const rawMultipartFields = entries(options.form, '--form');
+    const multipartFields = rawMultipartFields.filter(([, value]) => !value.startsWith('@'));
+    const multipartFiles = [
+        ...files,
+        ...rawMultipartFields.filter(([, value]) => value.startsWith('@')),
+    ];
+    if (multipartFiles.length || multipartFields.length) {
+        const form = new FormData();
+        for (const [key, value] of multipartFields) {
+            form.append(key, value);
+        }
+        for (const [key, filePath] of multipartFiles) {
+            const absolutePath = path.resolve(stripFileMarker(filePath));
+            const bytes = await readFile(absolutePath);
+            form.append(key, new Blob([bytes]), path.basename(absolutePath));
+        }
+        return { body: form, headers };
+    }
+    const fields = entries(options.field, '--field');
+    if (fields.length) {
+        headers.set('content-type', 'application/x-www-form-urlencoded');
+        return {
+            body: new URLSearchParams(fields),
+            headers,
+        };
+    }
+    return { headers };
+}
+export async function apiCommand(method, pathname, options, ctx) {
+    const resolved = await resolveApiOptions(method, pathname, options, ctx);
+    const { body, headers } = await requestBody(resolved.options);
+    const data = await machineRequest(resolved.pathname, {
+        method: resolved.method,
+        body,
+        headers,
+    });
+    if (ctx.json) {
+        printJson({
+            ok: true,
+            method: resolved.method,
+            path: resolved.pathname,
+            data,
+        });
+        return;
+    }
+    if (typeof data === 'string') {
+        console.log(data);
+    }
+    else {
+        printJson(data);
+    }
+}

package/dist/mcp.js

@@ -0,0 +1,21 @@
+import { MCP_URL } from './config.js';
+export function printMcpConfig(client) {
+    if (client === 'claude') {
+        console.log(JSON.stringify({
+            mcpServers: {
+                'wacht-docs': {
+                    command: 'npx',
+                    args: ['-y', 'mcp-remote', MCP_URL],
+                },
+            },
+        }, null, 2));
+        return;
+    }
+    console.log(JSON.stringify({
+        mcpServers: {
+            'wacht-docs': {
+                url: MCP_URL,
+            },
+        },
+    }, null, 2));
+}

package/dist/oauth-callback.js

@@ -0,0 +1,104 @@
+import { createServer } from 'node:http';
+import { REDIRECT_PORT, REDIRECT_URI } from './config.js';
+const SECURITY_HEADERS = {
+    'cache-control': 'no-store',
+    'content-security-policy': "default-src 'none'; script-src 'unsafe-inline'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'",
+    'referrer-policy': 'no-referrer',
+    'x-content-type-options': 'nosniff',
+};
+function closePage(title) {
+    return `<!doctype html><html><head><meta charset="utf-8"><title>${title}</title><script>window.close();setTimeout(function(){document.body.textContent='You can close this window.'},250);</script></head><body></body></html>`;
+}
+export function startOAuthCallbackServer(expectedState) {
+    let resolveCode;
+    let rejectCode;
+    let settled = false;
+    const code = new Promise((resolve, reject) => {
+        resolveCode = resolve;
+        rejectCode = reject;
+    });
+    const server = createServer((req, res) => {
+        const finish = (error, value) => {
+            if (settled)
+                return;
+            settled = true;
+            try {
+                server.close();
+            }
+            catch {
+                // The server may not have started if binding the callback port failed.
+            }
+            if (error) {
+                rejectCode(error);
+            }
+            else if (value) {
+                resolveCode(value);
+            }
+            else {
+                rejectCode(new Error('OAuth callback did not include a code'));
+            }
+        };
+        const url = new URL(req.url ?? '/', REDIRECT_URI);
+        if (req.method !== 'GET') {
+            res.writeHead(405, {
+                ...SECURITY_HEADERS,
+                allow: 'GET',
+            });
+            res.end();
+            return;
+        }
+        if (url.pathname !== '/callback') {
+            res.writeHead(404, SECURITY_HEADERS);
+            res.end();
+            return;
+        }
+        const error = url.searchParams.get('error');
+        if (error) {
+            res.writeHead(400, {
+                ...SECURITY_HEADERS,
+                'content-type': 'text/html; charset=utf-8',
+            });
+            res.end(closePage('Wacht Bench login failed'));
+            finish(new Error(`OAuth authorization failed: ${error}`));
+            return;
+        }
+        const state = url.searchParams.get('state');
+        if (state !== expectedState) {
+            res.writeHead(400, {
+                ...SECURITY_HEADERS,
+                'content-type': 'text/html; charset=utf-8',
+            });
+            res.end(closePage('Wacht Bench login failed'));
+            finish(new Error('OAuth callback state mismatch'));
+            return;
+        }
+        const authCode = url.searchParams.get('code');
+        if (!authCode) {
+            res.writeHead(400, {
+                ...SECURITY_HEADERS,
+                'content-type': 'text/html; charset=utf-8',
+            });
+            res.end(closePage('Wacht Bench login failed'));
+            finish(new Error('OAuth callback did not include a code'));
+            return;
+        }
+        res.writeHead(200, {
+            ...SECURITY_HEADERS,
+            'content-type': 'text/html; charset=utf-8',
+        });
+        res.end(closePage('Wacht Bench login complete'));
+        finish(null, authCode);
+    });
+    const ready = new Promise((resolve, reject) => {
+        server.once('listening', () => resolve());
+        server.once('error', reject);
+        server.once('error', (error) => {
+            if (!settled) {
+                settled = true;
+                rejectCode(error);
+            }
+        });
+        server.listen(REDIRECT_PORT, '127.0.0.1');
+    });
+    return { ready, code };
+}

package/dist/oauth.js

@@ -0,0 +1,236 @@
+import { openBrowser } from './browser.js';
+import { MACHINE_API_URL, OAUTH_AUTHORIZE_URL, OAUTH_CLIENT_ID, OAUTH_ISSUER, OAUTH_REVOCATION_URL, OAUTH_SCOPES, OAUTH_TOKEN_URL, REDIRECT_URI, } from './config.js';
+import { isOAuthTokenResponse } from './guards.js';
+import { startOAuthCallbackServer } from './oauth-callback.js';
+import { codeChallengeFor, randomToken } from './pkce.js';
+import { clearAuth, readAuth, writeAuth } from './auth-store.js';
+import { clearBenchContext, readBenchContext } from './context-store.js';
+import { command, field, log, printBannerFor, printJson, section, Spinner, success } from './ui.js';
+const TOKEN_EXCHANGE_TIMEOUT_MS = 15_000;
+function tokenExpiresAt(expiresIn) {
+    return Date.now() + Math.max(0, Number(expiresIn ?? 0) - 60) * 1000;
+}
+function scopesFrom(raw) {
+    const scopes = (raw || OAUTH_SCOPES).split(/\s+/).filter(Boolean);
+    return scopes.length ? scopes : OAUTH_SCOPES.split(' ');
+}
+function fetchFailureMessage(error) {
+    if (!(error instanceof Error))
+        return String(error);
+    const cause = error.cause;
+    if (cause instanceof Error && cause.message) {
+        return `${error.message}: ${cause.message}`;
+    }
+    if (cause && typeof cause === 'object' && 'message' in cause) {
+        return `${error.message}: ${String(cause.message)}`;
+    }
+    return error.message;
+}
+function delay(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+async function exchangeToken(body) {
+    let response;
+    try {
+        response = await postToken(body);
+    }
+    catch {
+        await delay(500);
+        try {
+            response = await postToken(body);
+        }
+        catch (secondError) {
+            throw new Error(`OAuth token endpoint was not reachable at ${OAUTH_TOKEN_URL}. ${fetchFailureMessage(secondError)}. Run \`wacht login\` again to request a fresh authorization code.`);
+        }
+    }
+    if (!response.ok) {
+        const text = await response.text();
+        throw new Error(`OAuth token exchange failed: HTTP ${response.status}${text ? ` ${text}` : ''}`);
+    }
+    const token = await response.json();
+    if (!isOAuthTokenResponse(token)) {
+        throw new Error('OAuth token exchange returned an unexpected response.');
+    }
+    return token;
+}
+async function postToken(body) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), TOKEN_EXCHANGE_TIMEOUT_MS);
+    try {
+        return await fetch(OAUTH_TOKEN_URL, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/x-www-form-urlencoded',
+            },
+            body,
+            signal: controller.signal,
+        });
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+export async function refreshAuth(auth) {
+    const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: auth.refresh_token,
+        client_id: OAUTH_CLIENT_ID,
+    });
+    const token = await exchangeToken(body);
+    const nextAuth = {
+        ...auth,
+        access_token: token.access_token,
+        refresh_token: token.refresh_token,
+        token_type: token.token_type,
+        scope: token.scope,
+        expires_at: tokenExpiresAt(token.expires_in),
+        machine_api_url: MACHINE_API_URL,
+        oauth_issuer: OAUTH_ISSUER,
+    };
+    await writeAuth(nextAuth);
+    return nextAuth;
+}
+export async function getValidAuth() {
+    const auth = await readAuth();
+    if (!auth) {
+        throw new Error('Not logged in. Run `wacht login`.');
+    }
+    if (auth.expires_at > Date.now()) {
+        return auth;
+    }
+    return refreshAuth(auth);
+}
+export async function login(ctx) {
+    printBannerFor(ctx);
+    const state = randomToken(24);
+    const codeVerifier = randomToken(64);
+    const codeChallenge = codeChallengeFor(codeVerifier);
+    const authorizeUrl = new URL(OAUTH_AUTHORIZE_URL);
+    authorizeUrl.search = new URLSearchParams({
+        response_type: 'code',
+        client_id: OAUTH_CLIENT_ID,
+        redirect_uri: REDIRECT_URI,
+        scope: OAUTH_SCOPES,
+        resource: MACHINE_API_URL,
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+    }).toString();
+    const callback = startOAuthCallbackServer(state);
+    await callback.ready;
+    log(ctx, section('Browser Login'));
+    log(ctx, 'Opening Wacht OAuth login in your browser.');
+    log(ctx, field('Callback', REDIRECT_URI));
+    log(ctx, '');
+    log(ctx, 'If the browser does not open, visit:');
+    log(ctx, command(authorizeUrl.toString()));
+    log(ctx, '');
+    openBrowser(authorizeUrl.toString());
+    const authSpinner = new Spinner(ctx, 'Waiting for browser authorization').start();
+    const code = await callback.code;
+    authSpinner.succeed('Browser authorization received');
+    const tokenSpinner = new Spinner(ctx, 'Exchanging authorization code').start();
+    let token;
+    try {
+        token = await exchangeToken(new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: REDIRECT_URI,
+            client_id: OAUTH_CLIENT_ID,
+            code_verifier: codeVerifier,
+        }));
+    }
+    catch (error) {
+        tokenSpinner.fail('Token exchange failed');
+        throw error;
+    }
+    tokenSpinner.stop();
+    await writeAuth({
+        client_id: OAUTH_CLIENT_ID,
+        access_token: token.access_token,
+        refresh_token: token.refresh_token,
+        token_type: token.token_type,
+        scope: token.scope,
+        expires_at: tokenExpiresAt(token.expires_in),
+        redirect_uri: REDIRECT_URI,
+        machine_api_url: MACHINE_API_URL,
+        oauth_issuer: OAUTH_ISSUER,
+    });
+    if (ctx.json) {
+        printJson({
+            ok: true,
+            state: 'logged_in',
+            scopes: scopesFrom(token.scope),
+            machineApiUrl: MACHINE_API_URL,
+        });
+        return;
+    }
+    log(ctx, success('Logged in to Wacht Bench.'));
+}
+export async function logout(ctx) {
+    printBannerFor(ctx);
+    const auth = await readAuth();
+    if (auth?.refresh_token) {
+        try {
+            await fetch(OAUTH_REVOCATION_URL, {
+                method: 'POST',
+                headers: {
+                    'content-type': 'application/x-www-form-urlencoded',
+                },
+                body: new URLSearchParams({
+                    token: auth.refresh_token,
+                    token_type_hint: 'refresh_token',
+                    client_id: OAUTH_CLIENT_ID,
+                }),
+            });
+        }
+        catch {
+            // Local logout should still succeed if the network is unavailable.
+        }
+    }
+    await clearAuth();
+    await clearBenchContext();
+    if (ctx.json) {
+        printJson({ ok: true, state: 'logged_out' });
+        return;
+    }
+    log(ctx, success('Logged out of Wacht Bench.'));
+}
+export async function authStatus(ctx) {
+    printBannerFor(ctx);
+    const auth = await readAuth();
+    const active = await readBenchContext();
+    if (!auth) {
+        if (ctx.json) {
+            printJson({ loggedIn: false, active });
+            return;
+        }
+        log(ctx, 'Not logged in.');
+        log(ctx, `Run ${command('wacht login')} to connect Bench.`);
+        return;
+    }
+    const expiresAt = new Date(auth.expires_at).toISOString();
+    if (ctx.json) {
+        printJson({
+            loggedIn: true,
+            clientId: auth.client_id,
+            scopes: scopesFrom(auth.scope),
+            machineApiUrl: auth.machine_api_url,
+            accessTokenExpiresAt: expiresAt,
+            active,
+        });
+        return;
+    }
+    log(ctx, section('Auth Status'));
+    log(ctx, field('State', success('logged in')));
+    log(ctx, field('Client ID', auth.client_id));
+    log(ctx, field('Scopes', auth.scope ?? OAUTH_SCOPES));
+    log(ctx, field('Machine API', auth.machine_api_url));
+    log(ctx, field('Access token expires', expiresAt));
+    if (active) {
+        log(ctx, field('Active project', `${active.project_name} (${active.project_id})`));
+        log(ctx, field('Active deployment', `${active.deployment_mode} (${active.deployment_id})`));
+    }
+}