@walkeros/cli 3.4.1 → 3.4.2

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @walkeros/cli
 
+## 3.4.2
+
+### Patch Changes
+
+- 2d25eda: Replace `api` mega-tool with four focused management tools: `auth`
+  (device code login), `project_manage`, `flow_manage`, and `deploy_manage`.
+  Enforce strict CLI/MCP separation of concern — MCP no longer reads config
+  files or checks env vars directly. All tools are always registered regardless
+  of auth state.
+
+  CLI exports new functions: `requestDeviceCode`, `pollForToken`,
+  `setDefaultProject`, `getDefaultProject`, `listAllFlows`,
+  `setFeedbackPreference`, `getFeedbackPreference`, `resolveToken`,
+  `deleteConfig`.
+
+  Preview CRUD (`preview_list`, `preview_get`, `preview_create`,
+  `preview_delete`) is now part of `flow_manage` — previews are a flow-scoped
+  concern and belong alongside the flow lifecycle actions rather than in a
+  separate tool.
+
+- cb4c069: Runtime fetchers (`fetchConfig`, `fetchSecrets`) now classify 401/403
+  responses from the app as a typed `RunnerAuthError` with a structured `reason`
+  (`'unauthorised' | 'flow' | 'scope' | 'forbidden'`) and the app's error `code`
+  (`FORBIDDEN_FLOW` / `FORBIDDEN_SCOPE`). Callers can log a specific reason
+  instead of a generic "token may have expired" message, and exit cleanly rather
+  than retry on scope/flow mismatches.
+  - @walkeros/core@3.4.2
+  - @walkeros/server-core@3.4.2
+
 ## 3.4.1
 
 ### Patch Changes

package/dist/cli.js

@@ -665,6 +665,10 @@ function deleteConfig() {
   }
   return false;
 }
+function getDefaultProject() {
+  const config2 = readConfig();
+  return config2?.defaultProjectId ?? null;
+}
 function resolveToken() {
   const envToken = process.env.WALKEROS_TOKEN;
   if (envToken) return { token: envToken, source: "env" };
@@ -1030,8 +1034,11 @@ function resolveRunToken() {
   return resolveDeployToken() ?? resolveToken()?.token ?? null;
 }
 function requireProjectId() {
-  const projectId = process.env.WALKEROS_PROJECT_ID;
-  if (!projectId) throw new Error("WALKEROS_PROJECT_ID not set.");
+  const projectId = process.env.WALKEROS_PROJECT_ID || getDefaultProject();
+  if (!projectId)
+    throw new Error(
+      "No project selected. Set WALKEROS_PROJECT_ID or configure a default project."
+    );
   return projectId;
 }
 var init_auth = __esm({
@@ -18301,6 +18308,101 @@ var init_utils3 = __esm({
   }
 });
 
+// src/commands/projects/index.ts
+async function listProjects() {
+  const client = createApiClient();
+  const { data, error: error48 } = await client.GET("/api/projects");
+  if (error48) throw new Error(error48.error?.message || "Failed to list projects");
+  return data;
+}
+async function getProject(options = {}) {
+  const id = options.projectId ?? requireProjectId();
+  const client = createApiClient();
+  const { data, error: error48 } = await client.GET("/api/projects/{projectId}", {
+    params: { path: { projectId: id } }
+  });
+  if (error48) throw new Error(error48.error?.message || "Failed to get project");
+  return data;
+}
+async function createProject(options) {
+  const client = createApiClient();
+  const { data, error: error48 } = await client.POST("/api/projects", {
+    body: { name: options.name }
+  });
+  if (error48)
+    throw new Error(error48.error?.message || "Failed to create project");
+  return data;
+}
+async function updateProject(options) {
+  const id = options.projectId ?? requireProjectId();
+  const client = createApiClient();
+  const { data, error: error48 } = await client.PATCH("/api/projects/{projectId}", {
+    params: { path: { projectId: id } },
+    body: { name: options.name }
+  });
+  if (error48)
+    throw new Error(error48.error?.message || "Failed to update project");
+  return data;
+}
+async function deleteProject(options = {}) {
+  const id = options.projectId ?? requireProjectId();
+  const client = createApiClient();
+  const { data, error: error48 } = await client.DELETE("/api/projects/{projectId}", {
+    params: { path: { projectId: id } }
+  });
+  if (error48)
+    throw new Error(error48.error?.message || "Failed to delete project");
+  return data ?? { success: true };
+}
+async function handleResult(fn2, options) {
+  try {
+    const result = await fn2();
+    await writeResult(JSON.stringify(result, null, 2), options);
+  } catch (error48) {
+    handleCliError(error48);
+  }
+}
+async function listProjectsCommand(options) {
+  await handleResult(() => listProjects(), options);
+}
+async function getProjectCommand(projectId, options) {
+  await handleResult(
+    () => getProject({ projectId: projectId ?? options.project }),
+    options
+  );
+}
+async function createProjectCommand(name, options) {
+  await handleResult(() => createProject({ name }), options);
+}
+async function updateProjectCommand(projectId, options) {
+  const name = options.name;
+  if (!name) {
+    throw new Error("Missing required option: --name <name>");
+  }
+  await handleResult(
+    () => updateProject({
+      projectId: projectId ?? options.project,
+      name
+    }),
+    options
+  );
+}
+async function deleteProjectCommand(projectId, options) {
+  await handleResult(
+    () => deleteProject({ projectId: projectId ?? options.project }),
+    options
+  );
+}
+var init_projects = __esm({
+  "src/commands/projects/index.ts"() {
+    "use strict";
+    init_api_client();
+    init_api_error();
+    init_auth();
+    init_output();
+  }
+});
+
 // src/commands/flows/index.ts
 async function listFlows(options = {}) {
   const id = options.projectId ?? requireProjectId();
@@ -18459,6 +18561,7 @@ var init_flows = __esm({
     init_auth();
     init_output();
     init_stdin();
+    init_projects();
   }
 });
 
@@ -20039,6 +20142,37 @@ async function resolveBundle(bundleEnv) {
 
 // src/runtime/config-fetcher.ts
 init_http();
+
+// src/runtime/runner-auth-error.ts
+var RunnerAuthError = class extends Error {
+  constructor(status, reason, code, message) {
+    super(message);
+    this.status = status;
+    this.reason = reason;
+    this.code = code;
+    this.name = "RunnerAuthError";
+  }
+};
+function isAppErrorBody(value) {
+  return typeof value === "object" && value !== null && "error" in value && typeof value.error === "object";
+}
+async function throwIfRunnerAuthFailure(res) {
+  if (res.status !== 401 && res.status !== 403) return;
+  let code = null;
+  let message = res.statusText;
+  try {
+    const body = await res.clone().json();
+    if (isAppErrorBody(body) && body.error) {
+      if (typeof body.error.code === "string") code = body.error.code;
+      if (typeof body.error.message === "string") message = body.error.message;
+    }
+  } catch {
+  }
+  const reason = res.status === 401 ? "unauthorised" : code === "FORBIDDEN_FLOW" ? "flow" : code === "FORBIDDEN_SCOPE" ? "scope" : "forbidden";
+  throw new RunnerAuthError(res.status, reason, code, message);
+}
+
+// src/runtime/config-fetcher.ts
 async function fetchConfig(options) {
   const url2 = `${options.appUrl}/api/projects/${options.projectId}/flows/${options.flowId}`;
   const headers = mergeAuthHeaders(
@@ -20052,12 +20186,8 @@ async function fetchConfig(options) {
   if (response.status === 304) {
     return { changed: false };
   }
+  await throwIfRunnerAuthFailure(response);
   if (!response.ok) {
-    if (response.status === 401 || response.status === 403) {
-      throw new Error(
-        `Config fetch failed (${response.status}): token may have expired \u2014 redeploy to rotate`
-      );
-    }
     throw new Error(
       `Config fetch failed: ${response.status} ${response.statusText}`
     );
@@ -20488,6 +20618,7 @@ async function fetchSecrets(options) {
   const res = await fetch(url2, {
     headers: mergeAuthHeaders(token, { "Content-Type": "application/json" })
   });
+  await throwIfRunnerAuthFailure(res);
   if (!res.ok) {
     throw new SecretsHttpError(res.status, res.statusText);
   }
@@ -21611,6 +21742,8 @@ init_cli_logger();
 init_config_file();
 import { hostname as hostname3 } from "os";
 var POLL_TIMEOUT_BUFFER_MS = 5e3;
+var DEFAULT_POLL_TIMEOUT_MS = 6e4;
+var DEFAULT_POLL_INTERVAL_MS = 5e3;
 async function openInBrowser(url2) {
   const { default: open } = await import("open");
   await open(url2);
@@ -21636,25 +21769,143 @@ async function loginCommand(options) {
     process.exit(1);
   }
 }
-async function login(options = {}) {
+async function requestDeviceCode(options = {}) {
   const appUrl = options.url || resolveAppUrl();
   const f2 = options.fetch ?? globalThis.fetch;
-  const codeResponse = await f2(`${appUrl}/api/auth/device/code`, {
+  const response = await f2(`${appUrl}/api/auth/device/code`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({})
   });
-  if (!codeResponse.ok) {
+  if (!response.ok) {
+    throw new Error("Failed to request device code");
+  }
+  const data = await response.json();
+  return {
+    deviceCode: data.deviceCode,
+    userCode: data.userCode,
+    verificationUri: data.verificationUri,
+    verificationUriComplete: data.verificationUriComplete,
+    expiresIn: data.expiresIn,
+    interval: data.interval
+  };
+}
+async function pollForToken(deviceCode, options = {}) {
+  const appUrl = options.url || resolveAppUrl();
+  const f2 = options.fetch ?? globalThis.fetch;
+  const timeoutMs = options.timeoutMs ?? DEFAULT_POLL_TIMEOUT_MS;
+  let intervalMs = options.intervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    await new Promise((r2) => setTimeout(r2, intervalMs));
+    if (Date.now() >= deadline) break;
+    const remaining = Math.max(1, deadline - Date.now());
+    const controller = new AbortController();
+    const timeoutHandle = setTimeout(() => controller.abort(), remaining);
+    let tokenResponse;
+    try {
+      tokenResponse = await f2(`${appUrl}/api/auth/device/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ deviceCode, hostname: hostname3() }),
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timeoutHandle);
+      if (err instanceof Error && err.name === "AbortError") {
+        break;
+      }
+      throw err;
+    } finally {
+      clearTimeout(timeoutHandle);
+    }
+    const data = await safeJsonParse(tokenResponse);
+    if (data === MALFORMED) {
+      return {
+        success: false,
+        status: "error",
+        error: "Server returned malformed response"
+      };
+    }
+    if (tokenResponse.ok) {
+      const token = data.token;
+      const email3 = data.email;
+      if (typeof token === "string" && token.length > 0) {
+        if (typeof email3 !== "string" || email3.length === 0) {
+          return {
+            success: false,
+            status: "error",
+            error: "Server returned malformed response (missing email)"
+          };
+        }
+        writeConfig({ token, email: email3, appUrl });
+        const configPath = getConfigPath();
+        return {
+          success: true,
+          status: "authenticated",
+          email: email3,
+          configPath
+        };
+      }
+      if (token !== void 0) {
+        return {
+          success: false,
+          status: "error",
+          error: "Server returned malformed response (invalid token type)"
+        };
+      }
+      continue;
+    }
+    if (data.error === "authorization_pending") continue;
+    if (data.error === "slow_down") {
+      intervalMs += 5e3;
+      continue;
+    }
+    const errField = data.error;
+    let errorMsg;
+    if (typeof errField === "string") {
+      errorMsg = errField;
+    } else if (errField && typeof errField === "object" && "message" in errField && typeof errField.message === "string") {
+      errorMsg = errField.message;
+    } else {
+      errorMsg = "Authorization failed";
+    }
+    return { success: false, status: "error", error: errorMsg };
+  }
+  return { success: false, status: "pending" };
+}
+var MALFORMED = /* @__PURE__ */ Symbol("malformed-json");
+async function safeJsonParse(response) {
+  try {
+    const parsed = await response.json();
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+      return parsed;
+    }
+    return MALFORMED;
+  } catch {
+    return MALFORMED;
+  }
+}
+async function login(options = {}) {
+  const fetchOption = options.fetch ?? globalThis.fetch;
+  const urlOption = options.url;
+  let codeResult;
+  try {
+    codeResult = await requestDeviceCode({
+      url: urlOption,
+      fetch: fetchOption
+    });
+  } catch {
     return { success: false, error: "Failed to request device code" };
   }
   const {
-    deviceCode,
     userCode,
     verificationUri,
     verificationUriComplete,
     expiresIn,
-    interval
-  } = await codeResponse.json();
+    interval,
+    deviceCode
+  } = codeResult;
   const prompt = (msg) => process.stderr.write(msg + "\n");
   prompt(`
 ! Your one-time code: ${userCode}`);
@@ -21668,30 +21919,95 @@ async function login(options = {}) {
     prompt("  Could not open browser. Visit the URL manually.");
   }
   prompt("  Waiting for authorization... (press Ctrl+C to cancel)\n");
-  const deadline = Date.now() + expiresIn * 1e3 + POLL_TIMEOUT_BUFFER_MS;
-  let pollInterval = (interval ?? 5) * 1e3;
-  const maxAttempts = options.maxPollAttempts ?? Infinity;
-  let attempts = 0;
-  while (Date.now() < deadline && attempts < maxAttempts) {
-    attempts++;
-    await new Promise((r2) => setTimeout(r2, pollInterval));
-    const tokenResponse = await f2(`${appUrl}/api/auth/device/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ deviceCode, hostname: hostname3() })
-    });
-    const data = await tokenResponse.json();
-    if (tokenResponse.ok && data.token) {
-      writeConfig({ token: data.token, email: data.email, appUrl });
-      const configPath = getConfigPath();
-      return { success: true, email: data.email, configPath };
-    }
-    if (data.error === "authorization_pending") continue;
-    if (data.error === "slow_down") {
-      pollInterval += 5e3;
-      continue;
+  const timeoutMs = expiresIn * 1e3 + POLL_TIMEOUT_BUFFER_MS;
+  const intervalMs = (interval ?? 5) * 1e3;
+  if (options.maxPollAttempts !== void 0) {
+    const appUrl = urlOption || resolveAppUrl();
+    const f2 = fetchOption;
+    let pollInterval = intervalMs;
+    let attempts = 0;
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline && attempts < options.maxPollAttempts) {
+      attempts++;
+      await new Promise((r2) => setTimeout(r2, pollInterval));
+      const remaining = Math.max(1, deadline - Date.now());
+      const controller = new AbortController();
+      const timeoutHandle = setTimeout(() => controller.abort(), remaining);
+      let tokenResponse;
+      try {
+        tokenResponse = await f2(`${appUrl}/api/auth/device/token`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ deviceCode, hostname: hostname3() }),
+          signal: controller.signal
+        });
+      } catch (err) {
+        clearTimeout(timeoutHandle);
+        if (err instanceof Error && err.name === "AbortError") {
+          break;
+        }
+        throw err;
+      } finally {
+        clearTimeout(timeoutHandle);
+      }
+      const data = await safeJsonParse(tokenResponse);
+      if (data === MALFORMED) {
+        return {
+          success: false,
+          error: "Server returned malformed response"
+        };
+      }
+      if (tokenResponse.ok) {
+        const token = data.token;
+        const email3 = data.email;
+        if (typeof token === "string" && token.length > 0) {
+          if (typeof email3 !== "string" || email3.length === 0) {
+            return {
+              success: false,
+              error: "Server returned malformed response (missing email)"
+            };
+          }
+          writeConfig({ token, email: email3, appUrl });
+          const configPath = getConfigPath();
+          return { success: true, email: email3, configPath };
+        }
+        if (token !== void 0) {
+          return {
+            success: false,
+            error: "Server returned malformed response (invalid token type)"
+          };
+        }
+        continue;
+      }
+      if (data.error === "authorization_pending") continue;
+      if (data.error === "slow_down") {
+        pollInterval += 5e3;
+        continue;
+      }
+      const errField = data.error;
+      const errorMsg = typeof errField === "string" ? errField : "Authorization failed";
+      return { success: false, error: errorMsg };
     }
-    return { success: false, error: data.error || "Authorization failed" };
+    return {
+      success: false,
+      error: "Authorization timed out. Please try again."
+    };
+  }
+  const pollResult = await pollForToken(deviceCode, {
+    url: urlOption,
+    fetch: fetchOption,
+    timeoutMs,
+    intervalMs
+  });
+  if (pollResult.success) {
+    return {
+      success: true,
+      email: pollResult.email,
+      configPath: pollResult.configPath
+    };
+  }
+  if (pollResult.status === "error") {
+    return { success: false, error: pollResult.error };
   }
   return {
     success: false,
@@ -21744,97 +22060,8 @@ async function whoamiCommand(options) {
   }
 }
 
-// src/commands/projects/index.ts
-init_api_client();
-init_api_error();
-init_auth();
-init_output();
-async function listProjects() {
-  const client = createApiClient();
-  const { data, error: error48 } = await client.GET("/api/projects");
-  if (error48) throw new Error(error48.error?.message || "Failed to list projects");
-  return data;
-}
-async function getProject(options = {}) {
-  const id = options.projectId ?? requireProjectId();
-  const client = createApiClient();
-  const { data, error: error48 } = await client.GET("/api/projects/{projectId}", {
-    params: { path: { projectId: id } }
-  });
-  if (error48) throw new Error(error48.error?.message || "Failed to get project");
-  return data;
-}
-async function createProject(options) {
-  const client = createApiClient();
-  const { data, error: error48 } = await client.POST("/api/projects", {
-    body: { name: options.name }
-  });
-  if (error48)
-    throw new Error(error48.error?.message || "Failed to create project");
-  return data;
-}
-async function updateProject(options) {
-  const id = options.projectId ?? requireProjectId();
-  const client = createApiClient();
-  const { data, error: error48 } = await client.PATCH("/api/projects/{projectId}", {
-    params: { path: { projectId: id } },
-    body: { name: options.name }
-  });
-  if (error48)
-    throw new Error(error48.error?.message || "Failed to update project");
-  return data;
-}
-async function deleteProject(options = {}) {
-  const id = options.projectId ?? requireProjectId();
-  const client = createApiClient();
-  const { data, error: error48 } = await client.DELETE("/api/projects/{projectId}", {
-    params: { path: { projectId: id } }
-  });
-  if (error48)
-    throw new Error(error48.error?.message || "Failed to delete project");
-  return data ?? { success: true };
-}
-async function handleResult(fn2, options) {
-  try {
-    const result = await fn2();
-    await writeResult(JSON.stringify(result, null, 2), options);
-  } catch (error48) {
-    handleCliError(error48);
-  }
-}
-async function listProjectsCommand(options) {
-  await handleResult(() => listProjects(), options);
-}
-async function getProjectCommand(projectId, options) {
-  await handleResult(
-    () => getProject({ projectId: projectId ?? options.project }),
-    options
-  );
-}
-async function createProjectCommand(name, options) {
-  await handleResult(() => createProject({ name }), options);
-}
-async function updateProjectCommand(projectId, options) {
-  const name = options.name;
-  if (!name) {
-    throw new Error("Missing required option: --name <name>");
-  }
-  await handleResult(
-    () => updateProject({
-      projectId: projectId ?? options.project,
-      name
-    }),
-    options
-  );
-}
-async function deleteProjectCommand(projectId, options) {
-  await handleResult(
-    () => deleteProject({ projectId: projectId ?? options.project }),
-    options
-  );
-}
-
 // src/cli.ts
+init_projects();
 init_flows();
 
 // src/commands/deploy/index.ts