@webmate-studio/cli 0.3.62 → 0.4.0

package/src/utils/component-files.js

@@ -0,0 +1,195 @@
+import { readdirSync, readFileSync, statSync, writeFileSync, mkdirSync, existsSync, rmSync } from 'fs';
+import { dirname, join, posix, relative, sep } from 'path';
+import crypto from 'crypto';
+
+const ALWAYS_TEXT_EXT = new Set([
+	'.html', '.htm', '.json', '.js', '.mjs', '.cjs', '.jsx', '.ts', '.tsx',
+	'.svelte', '.vue', '.css', '.scss', '.sass', '.less', '.svg', '.md',
+	'.markdown', '.txt', '.xml', '.yaml', '.yml', '.toml'
+]);
+
+const ALWAYS_BINARY_EXT = new Set([
+	'.jpg', '.jpeg', '.png', '.gif', '.webp', '.avif', '.ico', '.bmp',
+	'.tiff', '.tif', '.pdf', '.woff', '.woff2', '.ttf', '.otf', '.eot',
+	'.mp3', '.mp4', '.webm', '.ogg', '.wav', '.zip', '.gz'
+]);
+
+const EXCLUDED_DIRS = new Set([
+	'node_modules', '.git', '.svn', '.hg', '.DS_Store', 'dist', 'build',
+	'.cache', '.turbo', '.next', '.svelte-kit', '.wm-cache', '.webmate'
+]);
+
+const EXCLUDED_FILES = new Set([
+	'.webmate.json', '.DS_Store', '.gitignore', '.npmignore', 'package-lock.json',
+	'yarn.lock', 'pnpm-lock.yaml'
+]);
+
+function extensionOf(filename) {
+	const dot = filename.lastIndexOf('.');
+	return dot < 0 ? '' : filename.slice(dot).toLowerCase();
+}
+
+function isBinaryExtension(ext) {
+	if (ALWAYS_BINARY_EXT.has(ext)) return true;
+	if (ALWAYS_TEXT_EXT.has(ext)) return false;
+	return false;
+}
+
+function isProbablyBinaryBuffer(buf, sampleSize = 512) {
+	const len = Math.min(buf.length, sampleSize);
+	for (let i = 0; i < len; i++) {
+		const b = buf[i];
+		if (b === 0) return true;
+		if (b < 7 && b !== 0) return true;
+	}
+	return false;
+}
+
+function toPosixPath(p) {
+	return p.split(sep).join(posix.sep);
+}
+
+// Canonicalise text content before hashing so editor defaults
+// ("Insert Final Newline", CRLF on Windows) don't manifest as a
+// false-positive "modified" state. The file on disk stays untouched —
+// only the hash sees the normalised form. Binary files bypass this and
+// stay byte-exact.
+function normalizeTextForHash(text) {
+	if (text === '') return '';
+	let s = text.replace(/\r\n/g, '\n');
+	if (!s.endsWith('\n')) s += '\n';
+	return s;
+}
+
+export function walkComponent(rootDir) {
+	if (!existsSync(rootDir)) {
+		throw new Error(`Component directory not found: ${rootDir}`);
+	}
+
+	const results = [];
+
+	function recurse(absDir, relDir) {
+		const entries = readdirSync(absDir, { withFileTypes: true });
+		for (const entry of entries) {
+			if (EXCLUDED_DIRS.has(entry.name)) continue;
+			if (entry.isDirectory()) {
+				recurse(join(absDir, entry.name), relDir ? `${relDir}/${entry.name}` : entry.name);
+				continue;
+			}
+			if (!entry.isFile()) continue;
+			if (EXCLUDED_FILES.has(entry.name)) continue;
+			const relPath = relDir ? `${relDir}/${entry.name}` : entry.name;
+			results.push({
+				absPath: join(absDir, entry.name),
+				relPath: toPosixPath(relPath)
+			});
+		}
+	}
+
+	recurse(rootDir, '');
+	results.sort((a, b) => (a.relPath < b.relPath ? -1 : a.relPath > b.relPath ? 1 : 0));
+	return results;
+}
+
+export function readComponentFiles(rootDir) {
+	const entries = walkComponent(rootDir);
+	const files = {};
+	const fileHashes = {};
+
+	for (const { absPath, relPath } of entries) {
+		const buf = readFileSync(absPath);
+		const ext = extensionOf(relPath);
+		const binary = isBinaryExtension(ext) || (!ALWAYS_TEXT_EXT.has(ext) && isProbablyBinaryBuffer(buf));
+		if (binary) {
+			fileHashes[relPath] = sha256Hex(buf);
+			files[relPath] = `base64:${buf.toString('base64')}`;
+		} else {
+			const text = buf.toString('utf-8');
+			fileHashes[relPath] = sha256Hex(normalizeTextForHash(text));
+			files[relPath] = text;
+		}
+	}
+
+	return { files, fileHashes };
+}
+
+export function sha256Hex(input) {
+	return crypto.createHash('sha256').update(input).digest('hex');
+}
+
+export function computeFileHashesFromMap(filesMap) {
+	const out = {};
+	for (const [relPath, content] of Object.entries(filesMap)) {
+		if (content.startsWith('base64:')) {
+			out[relPath] = sha256Hex(Buffer.from(content.slice(7), 'base64'));
+		} else {
+			out[relPath] = sha256Hex(normalizeTextForHash(content));
+		}
+	}
+	return out;
+}
+
+export function writeComponentFiles(rootDir, filesMap, { clean = false } = {}) {
+	if (!existsSync(rootDir)) {
+		mkdirSync(rootDir, { recursive: true });
+	}
+
+	if (clean) {
+		const existing = walkComponent(rootDir);
+		const incomingPaths = new Set(Object.keys(filesMap));
+		for (const { absPath, relPath } of existing) {
+			if (!incomingPaths.has(relPath)) {
+				rmSync(absPath, { force: true });
+			}
+		}
+	}
+
+	for (const [relPath, content] of Object.entries(filesMap)) {
+		const absPath = join(rootDir, ...relPath.split('/'));
+		mkdirSync(dirname(absPath), { recursive: true });
+		if (content.startsWith('base64:')) {
+			writeFileSync(absPath, Buffer.from(content.slice(7), 'base64'));
+		} else {
+			writeFileSync(absPath, content, 'utf-8');
+		}
+	}
+}
+
+export function diffHashes(localHashes, baseHashes) {
+	const added = [];
+	const modified = [];
+	const removed = [];
+	const baseKeys = new Set(Object.keys(baseHashes));
+	for (const [path, hash] of Object.entries(localHashes)) {
+		if (!baseKeys.has(path)) {
+			added.push(path);
+		} else if (baseHashes[path] !== hash) {
+			modified.push(path);
+		}
+		baseKeys.delete(path);
+	}
+	for (const path of baseKeys) {
+		removed.push(path);
+	}
+	return { added, modified, removed };
+}
+
+export function getComponentId(rootDir) {
+	const componentJsonPath = join(rootDir, 'component.json');
+	if (!existsSync(componentJsonPath)) {
+		throw new Error(`component.json not found in ${rootDir}`);
+	}
+	const raw = readFileSync(componentJsonPath, 'utf-8');
+	let data;
+	try {
+		data = JSON.parse(raw);
+	} catch (err) {
+		throw new Error(`Invalid component.json in ${rootDir}: ${err.message}`);
+	}
+	if (!data?.id) {
+		throw new Error(`component.json in ${rootDir} is missing the "id" field`);
+	}
+	return { id: data.id, displayName: data.displayName ?? null, raw: data };
+}
+
+export { toPosixPath, extensionOf };

package/src/utils/device-flow.js

@@ -0,0 +1,111 @@
+function buildUrl(baseUrl, path) {
+	const base = baseUrl.replace(/\/+$/, '');
+	return `${base}${path.startsWith('/') ? path : `/${path}`}`;
+}
+
+export async function startDeviceAuthorization(baseUrl) {
+	const response = await fetch(buildUrl(baseUrl, '/api/auth/device-authorize'), {
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json', Accept: 'application/json' }
+	});
+
+	if (!response.ok) {
+		const body = await response.json().catch(() => null);
+		throw new Error(
+			`Device authorization failed (HTTP ${response.status}): ${body?.error ?? response.statusText}`
+		);
+	}
+
+	const data = await response.json();
+	// Server quirk: `deviceCode` actually contains the user-facing code (XXXX-XXXX)
+	const userCode = data.deviceCode;
+	if (!userCode || !data.verificationUrl) {
+		throw new Error('Malformed response from device-authorize endpoint');
+	}
+
+	return {
+		userCode,
+		verificationUrl: data.verificationUrl,
+		expiresIn: data.expiresIn ?? 900,
+		pollInterval: Math.max(2, data.pollInterval ?? 5)
+	};
+}
+
+function sleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+export class DeviceFlowError extends Error {
+	constructor(message, code) {
+		super(message);
+		this.name = 'DeviceFlowError';
+		this.code = code;
+	}
+}
+
+export async function pollForDeviceToken(baseUrl, userCode, opts = {}) {
+	const {
+		intervalSeconds = 5,
+		expiresInSeconds = 900,
+		onTick,
+		signal
+	} = opts;
+
+	const deadline = Date.now() + expiresInSeconds * 1000;
+	const url = buildUrl(
+		baseUrl,
+		`/api/auth/device-token?code=${encodeURIComponent(userCode)}`
+	);
+
+	while (Date.now() < deadline) {
+		if (signal?.aborted) {
+			throw new DeviceFlowError('Aborted by user', 'aborted');
+		}
+
+		let response;
+		try {
+			response = await fetch(url, { headers: { Accept: 'application/json' } });
+		} catch (err) {
+			// transient network error — back off and retry
+			onTick?.({ status: 'network-error', error: err });
+			await sleep(intervalSeconds * 1000);
+			continue;
+		}
+
+		const body = await response.json().catch(() => null);
+
+		if (response.status === 202 && body?.status === 'pending') {
+			onTick?.({ status: 'pending' });
+			await sleep(intervalSeconds * 1000);
+			continue;
+		}
+
+		if (response.status === 200 && body?.status === 'approved') {
+			return body;
+		}
+
+		if (response.status === 403 || body?.status === 'denied') {
+			throw new DeviceFlowError('Authorization was denied in the browser', 'denied');
+		}
+
+		if (response.status === 410) {
+			throw new DeviceFlowError(
+				body?.error === 'code_already_used'
+					? 'Device code already used. Run `wm login` again.'
+					: 'Device code expired. Run `wm login` again.',
+				body?.error ?? 'expired'
+			);
+		}
+
+		if (response.status === 404) {
+			throw new DeviceFlowError('Device code not recognized by server', 'invalid_device_code');
+		}
+
+		throw new DeviceFlowError(
+			`Unexpected response while polling (HTTP ${response.status}): ${body?.error ?? response.statusText}`,
+			'unknown'
+		);
+	}
+
+	throw new DeviceFlowError('Timed out waiting for browser authorization', 'expired');
+}

package/src/utils/git-snapshot.js

@@ -0,0 +1,63 @@
+import { existsSync } from 'fs';
+import { execFile } from 'child_process';
+import { join, dirname } from 'path';
+import { promisify } from 'util';
+
+const execFileAsync = promisify(execFile);
+
+// Sucht aufsteigend nach einem .git-Verzeichnis. Sonst greift der Snapshot
+// nicht, wenn `wm push` aus einem Komponenten-Unterordner kommt während
+// das echte Repo im Workspace-Root liegt — der häufige Fall.
+export function hasGitRepo(rootDir) {
+	let current = rootDir;
+	while (true) {
+		if (existsSync(join(current, '.git'))) return true;
+		const parent = dirname(current);
+		if (parent === current) return false;
+		current = parent;
+	}
+}
+
+async function git(rootDir, args, { allowFail = false } = {}) {
+	try {
+		const { stdout, stderr } = await execFileAsync('git', args, {
+			cwd: rootDir,
+			env: { ...process.env, GIT_TERMINAL_PROMPT: '0' },
+			maxBuffer: 32 * 1024 * 1024
+		});
+		return { stdout: stdout.trim(), stderr: stderr.trim(), code: 0 };
+	} catch (err) {
+		if (allowFail) {
+			return { stdout: '', stderr: err.stderr ?? err.message, code: err.code ?? 1 };
+		}
+		throw err;
+	}
+}
+
+export async function autoSnapshot(rootDir, message, opts = {}) {
+	if (!hasGitRepo(rootDir)) {
+		return { skipped: true, reason: 'no-git' };
+	}
+	if (opts.skip) {
+		return { skipped: true, reason: 'flag' };
+	}
+
+	const status = await git(rootDir, ['status', '--porcelain'], { allowFail: true });
+	if (!status.stdout) {
+		return { skipped: true, reason: 'no-changes' };
+	}
+
+	await git(rootDir, ['add', '-A'], { allowFail: true });
+
+	const commit = await git(
+		rootDir,
+		['-c', 'commit.gpgsign=false', 'commit', '-m', message, '--no-verify'],
+		{ allowFail: true }
+	);
+	if (commit.code !== 0) {
+		return { skipped: false, committed: false, error: commit.stderr };
+	}
+
+	const rev = await git(rootDir, ['rev-parse', '--short', 'HEAD'], { allowFail: true });
+	return { skipped: false, committed: true, sha: rev.stdout };
+}

package/src/utils/tenant-api.js

@@ -0,0 +1,103 @@
+/**
+ * Tenant-API-Routing für den Komponenten-Refactor.
+ *
+ * Ab Phase 5 lebt der Component-Push/Pull nicht mehr unter
+ * `<base>/api/organization/components/...` (app.*-Subdomain), sondern
+ * unter `<sub>.cms.<basedomain>/api/tenant-components/...`. Da der CLI-
+ * Login die app.*-Base liefert (`auth.baseUrl`), brauchen wir einen
+ * Helper, der die cms-URL pro Tenant ableitet und für tenant-Endpoints
+ * die `baseUrl` im apiFetch-Call überschreibt.
+ *
+ * Übergangslogik: `tenantSubdomain` ist optional in `.webmate.json`.
+ * - Wenn gesetzt: tenant-Modus (neue Endpoints, cms.*-Subdomain)
+ * - Wenn nicht: Legacy-Modus (alte org-Endpoints, unverändert)
+ *
+ * Per env-Variable `WEBMATE_TENANT_SUBDOMAIN` lässt sich der Modus
+ * auch ohne meta-Datei aktivieren (CI/Scripts).
+ */
+
+import { apiFetch } from './api-client.js';
+import { resolveAuth, requireAuth } from './auth-resolver.js';
+
+/**
+ * Liefert den effektiven Tenant-Subdomain aus meta oder env. null wenn
+ * keiner gesetzt ist (= Legacy-Modus).
+ */
+export function resolveTenantSubdomain(meta) {
+	const fromEnv = (process.env.WEBMATE_TENANT_SUBDOMAIN || '').trim();
+	if (fromEnv) return fromEnv;
+	if (meta?.tenantSubdomain) return String(meta.tenantSubdomain).trim() || null;
+	return null;
+}
+
+/**
+ * Baut die cms-Subdomain-URL aus der App-Basis-URL.
+ * Beispiel:
+ *   https://app.webmate-studio.io  + "zak-staging"
+ *   → https://zak-staging.cms.webmate-studio.io
+ *
+ * Akzeptiert optional schon eine cms.*-URL — dann wird nur der Subdomain
+ * neu gesetzt. Damit funktioniert der Helper sowohl wenn der User
+ * gegen app.* als auch wenn er gegen cms.* eingeloggt ist.
+ */
+export function buildTenantBaseUrl(appBaseUrl, tenantSubdomain) {
+	if (!tenantSubdomain) return null;
+	let url;
+	try {
+		url = new URL(appBaseUrl);
+	} catch {
+		throw new Error(`Ungültige baseUrl: ${appBaseUrl}`);
+	}
+	// host = "app.webmate-studio.io" oder "zak.cms.webmate-studio.io" o.ä.
+	const host = url.host;
+	const parts = host.split('.');
+	// Erkenne app.* / cms.* prefix
+	let baseDomain;
+	if (parts[0] === 'app') {
+		baseDomain = parts.slice(1).join('.');
+	} else if (parts.length >= 2 && parts[1] === 'cms') {
+		// schon cms.* → ersetze ersten Teil
+		baseDomain = parts.slice(2).join('.');
+	} else {
+		// fallback: nimm alles ab erstem Punkt
+		baseDomain = parts.slice(1).join('.') || host;
+	}
+	const port = url.port ? `:${url.port}` : '';
+	return `${url.protocol}//${tenantSubdomain}.cms.${baseDomain}${port}`;
+}
+
+/**
+ * Wrapper um apiFetch, der bei vorhandenem tenantSubdomain auf die
+ * cms-Subdomain umroutet. Sonst durchgereicht.
+ *
+ * Aufruf-Beispiel:
+ *   await tenantApiFetch('/api/tenant-components', { method: 'GET' }, meta)
+ */
+export async function tenantApiFetch(path, opts = {}, meta = null) {
+	const sub = resolveTenantSubdomain(meta);
+	if (!sub) {
+		return apiFetch(path, opts);
+	}
+	const auth = opts.baseUrl ? null : requireAuth();
+	const appBase = opts.baseUrl || auth.baseUrl;
+	const tenantBase = buildTenantBaseUrl(appBase, sub);
+	return apiFetch(path, { ...opts, baseUrl: tenantBase });
+}
+
+/**
+ * Convenience: Liefert ein Objekt mit baseUrl + Token, mit dem ein
+ * Caller eigene fetch-Logik bauen kann (z.B. für Streaming oder
+ * Multipart-Uploads, die apiFetch nicht abdeckt).
+ */
+export function resolveTenantBase(meta = null) {
+	const auth = resolveAuth();
+	if (!auth) return null;
+	const sub = resolveTenantSubdomain(meta);
+	if (!sub) return { baseUrl: auth.baseUrl, token: auth.token, mode: 'legacy' };
+	return {
+		baseUrl: buildTenantBaseUrl(auth.baseUrl, sub),
+		token: auth.token,
+		mode: 'tenant',
+		tenantSubdomain: sub
+	};
+}

package/src/utils/webmate-meta.js

@@ -0,0 +1,75 @@
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+
+const META_FILENAME = '.webmate.json';
+
+export function getMetaPath(rootDir) {
+	return join(rootDir, META_FILENAME);
+}
+
+export function readMeta(rootDir) {
+	const p = getMetaPath(rootDir);
+	if (!existsSync(p)) return null;
+	try {
+		const raw = readFileSync(p, 'utf-8');
+		const data = JSON.parse(raw);
+		if (!data?.componentId) return null;
+		return data;
+	} catch {
+		return null;
+	}
+}
+
+export function writeMeta(rootDir, meta) {
+	if (!meta?.componentId) {
+		throw new Error('writeMeta requires componentId');
+	}
+	const existing = readMeta(rootDir) ?? {};
+	// `??` would coerce explicit `null` back to the existing value,
+	// which is wrong: callers that want to *reset* a field (e.g. the
+	// deleted-upstream recovery path wiping baseVersion + fileHashes
+	// to flip the component back to never-pushed) need null to mean
+	// "set to null". We distinguish "field present in meta" (use it,
+	// even if null) from "field omitted" (fall through to existing).
+	const pick = (key, deflt) =>
+		key in meta ? meta[key] : (existing[key] ?? deflt);
+	const merged = {
+		...existing,
+		componentId: meta.componentId,
+		baseVersion: pick('baseVersion', null),
+		version: pick('version', null),
+		pulledAt: pick('pulledAt', new Date().toISOString()),
+		fileHashes: pick('fileHashes', {}),
+		// Records which ComponentRepository this meta was last synced
+		// against. The scanner uses it to tell a real upstream deletion
+		// (origin == current workspace repo) apart from a cross-workspace
+		// copy (origin != current). Legacy metas without the field stay
+		// classified as 'deleted-upstream' for safety.
+		originRepositoryId: pick('originRepositoryId', null),
+		// Tenant-Routing: wenn gesetzt, geht jeder push/pull/status
+		// gegen die cms.<sub>.<basedomain>/api/tenant-components/...
+		// Endpunkte. Legacy-Metas ohne das Feld bleiben am alten
+		// /api/organization/components/... Pfad — Phase 6 entfernt den.
+		tenantSubdomain: pick('tenantSubdomain', null)
+	};
+	if (existing.filesHash !== undefined && meta.filesHash === undefined) {
+		merged.filesHash = existing.filesHash;
+	} else if (meta.filesHash !== undefined) {
+		merged.filesHash = meta.filesHash;
+	}
+
+	writeFileSync(getMetaPath(rootDir), JSON.stringify(merged, null, 2) + '\n', 'utf-8');
+	return merged;
+}
+
+export function requireMeta(rootDir) {
+	const meta = readMeta(rootDir);
+	if (!meta) {
+		const err = new Error(
+			`No .webmate.json found in ${rootDir}. Run \`wm pull\` first or check that you are in the component directory.`
+		);
+		err.code = 'WM_NO_META';
+		throw err;
+	}
+	return meta;
+}