@witchpot/devlog-cli 0.1.0

package/build/auth/auth-flow.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Browser-based Authentication Flow
+ *
+ * Opens the browser to the DevLog app, user signs in via Clerk,
+ * the app generates a DevLog API token and redirects back to a
+ * local callback server.
+ */
+export interface LoginOptions {
+    apiUrl: string;
+    port?: number;
+}
+/**
+ * Perform the full browser-based login flow.
+ *
+ * 1. Start local HTTP server on callback port
+ * 2. Open browser to DevLog auth page
+ * 3. Wait for callback with token
+ * 4. Store token locally
+ */
+export declare function login(options: LoginOptions): Promise<void>;

package/build/auth/auth-flow.js

@@ -0,0 +1,178 @@
+/**
+ * Browser-based Authentication Flow
+ *
+ * Opens the browser to the DevLog app, user signs in via Clerk,
+ * the app generates a DevLog API token and redirects back to a
+ * local callback server.
+ */
+import { createServer, } from "node:http";
+import { randomBytes } from "node:crypto";
+import { execFile } from "node:child_process";
+import { URL } from "node:url";
+import { storeToken, getTokenHash } from "./token-storage.js";
+const DEFAULT_PORT = 9800;
+const MAX_PORT_RETRIES = 10;
+const AUTH_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+function generateState() {
+    return randomBytes(16).toString("base64url");
+}
+function escapeHtml(s) {
+    return s
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;");
+}
+function htmlPage(title, color, message) {
+    return `<!DOCTYPE html><html><head><title>${escapeHtml(title)}</title>
+<style>body{font-family:system-ui,sans-serif;max-width:600px;margin:100px auto;padding:20px;text-align:center}
+h1{color:${color}}p{color:#666}</style></head>
+<body><h1>${escapeHtml(title)}</h1><p>${escapeHtml(message)}</p><p>You can close this window.</p>
+<script>setTimeout(()=>{try{window.close()}catch(e){}},2000)</script></body></html>`;
+}
+function startCallbackServer(port, expectedState, retriesLeft = MAX_PORT_RETRIES) {
+    return new Promise((resolve, reject) => {
+        let resolveCallback;
+        let rejectCallback;
+        const callbackPromise = new Promise((res, rej) => {
+            resolveCallback = res;
+            rejectCallback = rej;
+        });
+        const server = createServer((req, res) => {
+            if (!req.url?.startsWith("/callback")) {
+                res.writeHead(404);
+                res.end("Not Found");
+                return;
+            }
+            try {
+                const url = new URL(req.url, `http://localhost:${port}`);
+                const token = url.searchParams.get("token");
+                const state = url.searchParams.get("state");
+                const error = url.searchParams.get("error");
+                const errorDesc = url.searchParams.get("error_description");
+                if (error) {
+                    res.writeHead(400, {
+                        "Content-Type": "text/html; charset=utf-8",
+                    });
+                    res.end(htmlPage("Authentication Failed", "#ef4444", errorDesc || error));
+                    rejectCallback(new Error(errorDesc || error));
+                    return;
+                }
+                if (state !== expectedState) {
+                    res.writeHead(400, {
+                        "Content-Type": "text/html; charset=utf-8",
+                    });
+                    res.end(htmlPage("Security Error", "#ef4444", "State mismatch - possible CSRF attack."));
+                    rejectCallback(new Error("State mismatch"));
+                    return;
+                }
+                if (!token) {
+                    res.writeHead(400, {
+                        "Content-Type": "text/html; charset=utf-8",
+                    });
+                    res.end(htmlPage("Authentication Error", "#ef4444", "Missing token in callback."));
+                    rejectCallback(new Error("Missing token in callback"));
+                    return;
+                }
+                res.writeHead(200, {
+                    "Content-Type": "text/html; charset=utf-8",
+                });
+                res.end(htmlPage("Authentication Successful!", "#22c55e", "You can close this window and return to your terminal."));
+                server.close();
+                resolveCallback({ token, state });
+            }
+            catch (err) {
+                res.writeHead(500);
+                res.end("Internal Server Error");
+                rejectCallback(err instanceof Error ? err : new Error(String(err)));
+            }
+        });
+        server.listen(port, "127.0.0.1", () => {
+            resolve({ server, callbackPromise, actualPort: port });
+        });
+        server.on("error", (err) => {
+            if (err.code === "EADDRINUSE") {
+                if (retriesLeft <= 0) {
+                    reject(new Error(`All ports ${DEFAULT_PORT}-${port} are in use.`));
+                    return;
+                }
+                console.error(`Port ${port} in use, trying ${port + 1}...`);
+                server.close();
+                startCallbackServer(port + 1, expectedState, retriesLeft - 1)
+                    .then(resolve)
+                    .catch(reject);
+            }
+            else {
+                reject(err);
+            }
+        });
+    });
+}
+function openBrowser(url) {
+    const platform = process.platform;
+    let cmd;
+    let args;
+    if (platform === "darwin") {
+        cmd = "open";
+        args = [url];
+    }
+    else if (platform === "win32") {
+        cmd = "cmd";
+        args = ["/c", "start", "", url];
+    }
+    else {
+        cmd = "xdg-open";
+        args = [url];
+    }
+    const child = execFile(cmd, args);
+    child.unref();
+    child.stdout?.destroy();
+    child.stderr?.destroy();
+}
+/**
+ * Perform the full browser-based login flow.
+ *
+ * 1. Start local HTTP server on callback port
+ * 2. Open browser to DevLog auth page
+ * 3. Wait for callback with token
+ * 4. Store token locally
+ */
+export async function login(options) {
+    const apiUrl = options.apiUrl.replace(/\/$/, "");
+    const port = options.port || DEFAULT_PORT;
+    const state = generateState();
+    console.error("Starting local authentication server...");
+    const { server, callbackPromise, actualPort } = await startCallbackServer(port, state);
+    const callbackUrl = `http://localhost:${actualPort}/callback`;
+    try {
+        const authUrl = new URL("/auth/cli-callback", apiUrl);
+        authUrl.searchParams.set("callback", callbackUrl);
+        authUrl.searchParams.set("state", state);
+        console.error("Opening browser for authentication...");
+        console.error(`URL: ${authUrl.toString()}`);
+        openBrowser(authUrl.toString());
+        console.error("Waiting for authentication (timeout: 5 minutes)...");
+        let timeoutId;
+        const timeoutPromise = new Promise((_, reject) => {
+            timeoutId = setTimeout(() => reject(new Error("Authentication timed out after 5 minutes")), AUTH_TIMEOUT_MS);
+        });
+        try {
+            const { token } = await Promise.race([
+                callbackPromise,
+                timeoutPromise,
+            ]);
+            clearTimeout(timeoutId);
+            storeToken(token, apiUrl);
+            console.error(`\nLogin successful! (token: ${getTokenHash(token)})`);
+            console.error(`API URL: ${apiUrl}`);
+        }
+        catch (err) {
+            clearTimeout(timeoutId);
+            throw err;
+        }
+    }
+    finally {
+        server.close();
+    }
+}
+//# sourceMappingURL=auth-flow.js.map

package/build/auth/token-storage.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Secure Token Storage
+ *
+ * Stores DevLog API tokens encrypted on disk using AES-256-GCM.
+ * Derives encryption key from machine-specific values.
+ */
+export interface StoredToken {
+    token: string;
+    apiUrl: string;
+    createdAt: number;
+}
+/**
+ * Store a DevLog API token securely (AES-256-GCM encrypted).
+ */
+export declare function storeToken(token: string, apiUrl: string): void;
+/**
+ * Read a stored DevLog API token.
+ * Returns null if no token or invalid.
+ */
+export declare function readStoredToken(): StoredToken | null;
+/**
+ * Clear stored token (overwrite with zeros, then delete).
+ */
+export declare function clearStoredToken(): void;
+/**
+ * Get token status info for display.
+ */
+export declare function getTokenInfo(): {
+    exists: boolean;
+    createdAt: Date | null;
+    apiUrl: string | null;
+    tokenPrefix: string | null;
+};
+/**
+ * Get a short hash of a token for display.
+ */
+export declare function getTokenHash(token: string): string;

package/build/auth/token-storage.js

@@ -0,0 +1,115 @@
+/**
+ * Secure Token Storage
+ *
+ * Stores DevLog API tokens encrypted on disk using AES-256-GCM.
+ * Derives encryption key from machine-specific values.
+ */
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync, createHash, } from "node:crypto";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, unlinkSync, statSync, } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+const CONFIG_DIR = join(homedir(), ".devlog-cli");
+const TOKEN_FILE = join(CONFIG_DIR, "token.enc");
+function getEncryptionKey() {
+    const machineId = [
+        homedir(),
+        process.arch,
+        process.platform,
+        "devlog-cli-v1",
+    ].join(":");
+    return scryptSync(machineId, "devlog-cli-salt-v1", 32);
+}
+function ensureConfigDir() {
+    mkdirSync(CONFIG_DIR, { mode: 0o700, recursive: true });
+}
+/**
+ * Store a DevLog API token securely (AES-256-GCM encrypted).
+ */
+export function storeToken(token, apiUrl) {
+    ensureConfigDir();
+    const data = {
+        token,
+        apiUrl,
+        createdAt: Math.floor(Date.now() / 1000),
+    };
+    const key = getEncryptionKey();
+    const iv = randomBytes(16);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(JSON.stringify(data), "utf8"),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    // Format: iv (16 bytes) + authTag (16 bytes) + encrypted data
+    const fileContent = Buffer.concat([iv, authTag, encrypted]);
+    writeFileSync(TOKEN_FILE, fileContent, { mode: 0o600 });
+}
+/**
+ * Read a stored DevLog API token.
+ * Returns null if no token or invalid.
+ */
+export function readStoredToken() {
+    if (!existsSync(TOKEN_FILE)) {
+        return null;
+    }
+    try {
+        const fileContent = readFileSync(TOKEN_FILE);
+        if (fileContent.length < 33) {
+            clearStoredToken();
+            return null;
+        }
+        const iv = fileContent.subarray(0, 16);
+        const authTag = fileContent.subarray(16, 32);
+        const encrypted = fileContent.subarray(32);
+        const key = getEncryptionKey();
+        const decipher = createDecipheriv("aes-256-gcm", key, iv);
+        decipher.setAuthTag(authTag);
+        const decrypted = Buffer.concat([
+            decipher.update(encrypted),
+            decipher.final(),
+        ]);
+        const data = JSON.parse(decrypted.toString("utf8"));
+        return data;
+    }
+    catch {
+        clearStoredToken();
+        return null;
+    }
+}
+/**
+ * Clear stored token (overwrite with zeros, then delete).
+ */
+export function clearStoredToken() {
+    if (existsSync(TOKEN_FILE)) {
+        try {
+            const size = statSync(TOKEN_FILE).size;
+            writeFileSync(TOKEN_FILE, Buffer.alloc(size));
+            unlinkSync(TOKEN_FILE);
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}
+/**
+ * Get token status info for display.
+ */
+export function getTokenInfo() {
+    const stored = readStoredToken();
+    if (!stored) {
+        return { exists: false, createdAt: null, apiUrl: null, tokenPrefix: null };
+    }
+    return {
+        exists: true,
+        createdAt: new Date(stored.createdAt * 1000),
+        apiUrl: stored.apiUrl,
+        tokenPrefix: stored.token.slice(0, 12) + "...",
+    };
+}
+/**
+ * Get a short hash of a token for display.
+ */
+export function getTokenHash(token) {
+    return createHash("sha256").update(token).digest("hex").substring(0, 8);
+}
+//# sourceMappingURL=token-storage.js.map

package/build/client.d.ts

@@ -0,0 +1,30 @@
+import type { Config } from "./config.js";
+export declare class DevlogClient {
+    private baseUrl;
+    private token;
+    private apiPrefix;
+    constructor(config: Config);
+    private getHeaders;
+    /**
+     * GET request to a CLI API endpoint (prefixed with /api/cli).
+     */
+    get<T>(path: string, params?: Record<string, unknown>): Promise<T>;
+    /**
+     * POST request to a CLI API endpoint.
+     */
+    post<T>(path: string, body: unknown): Promise<T>;
+    /**
+     * PATCH request to a CLI API endpoint.
+     */
+    patch<T>(path: string, body: unknown): Promise<T>;
+    /**
+     * DELETE request to a CLI API endpoint.
+     */
+    delete<T>(path: string, body?: unknown): Promise<T>;
+    /**
+     * GET request to an absolute API path (without /api/cli prefix).
+     * Used for endpoints like /api/steam/search that aren't under the CLI namespace.
+     */
+    getAbsolute<T>(path: string, params?: Record<string, unknown>): Promise<T>;
+    private handleResponse;
+}

package/build/client.js

@@ -0,0 +1,130 @@
+import { ApiError } from "./errors.js";
+export class DevlogClient {
+    baseUrl;
+    token;
+    apiPrefix = "/api/cli";
+    constructor(config) {
+        this.baseUrl = config.apiUrl;
+        if (!config.token) {
+            console.error('Not authenticated. Run "devlog login" first.');
+            process.exit(2);
+        }
+        this.token = config.token;
+    }
+    getHeaders() {
+        return {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            Authorization: `Bearer ${this.token}`,
+        };
+    }
+    /**
+     * GET request to a CLI API endpoint (prefixed with /api/cli).
+     */
+    async get(path, params) {
+        const url = new URL(`${this.apiPrefix}${path}`, this.baseUrl);
+        if (params) {
+            for (const [key, value] of Object.entries(params)) {
+                if (value !== undefined && value !== null && value !== "") {
+                    if (Array.isArray(value)) {
+                        url.searchParams.set(key, value.join(","));
+                    }
+                    else {
+                        url.searchParams.set(key, String(value));
+                    }
+                }
+            }
+        }
+        const response = await fetch(url.toString(), {
+            method: "GET",
+            headers: this.getHeaders(),
+        });
+        return this.handleResponse(response);
+    }
+    /**
+     * POST request to a CLI API endpoint.
+     */
+    async post(path, body) {
+        const url = new URL(`${this.apiPrefix}${path}`, this.baseUrl);
+        const response = await fetch(url.toString(), {
+            method: "POST",
+            headers: this.getHeaders(),
+            body: JSON.stringify(body),
+        });
+        return this.handleResponse(response);
+    }
+    /**
+     * PATCH request to a CLI API endpoint.
+     */
+    async patch(path, body) {
+        const url = new URL(`${this.apiPrefix}${path}`, this.baseUrl);
+        const response = await fetch(url.toString(), {
+            method: "PATCH",
+            headers: this.getHeaders(),
+            body: JSON.stringify(body),
+        });
+        return this.handleResponse(response);
+    }
+    /**
+     * DELETE request to a CLI API endpoint.
+     */
+    async delete(path, body) {
+        const url = new URL(`${this.apiPrefix}${path}`, this.baseUrl);
+        const response = await fetch(url.toString(), {
+            method: "DELETE",
+            headers: this.getHeaders(),
+            body: body ? JSON.stringify(body) : undefined,
+        });
+        return this.handleResponse(response);
+    }
+    /**
+     * GET request to an absolute API path (without /api/cli prefix).
+     * Used for endpoints like /api/steam/search that aren't under the CLI namespace.
+     */
+    async getAbsolute(path, params) {
+        const url = new URL(path, this.baseUrl);
+        if (params) {
+            for (const [key, value] of Object.entries(params)) {
+                if (value !== undefined && value !== null && value !== "") {
+                    if (Array.isArray(value)) {
+                        url.searchParams.set(key, value.join(","));
+                    }
+                    else {
+                        url.searchParams.set(key, String(value));
+                    }
+                }
+            }
+        }
+        const response = await fetch(url.toString(), {
+            method: "GET",
+            headers: this.getHeaders(),
+        });
+        return this.handleResponse(response);
+    }
+    async handleResponse(response) {
+        const contentType = response.headers.get("content-type") || "";
+        if (!contentType.includes("application/json")) {
+            throw new ApiError(response.status, {
+                message: `Expected JSON but got ${contentType || "unknown content type"} (HTTP ${response.status})`,
+                hint: "Check that the DevLog app is running and the URL is correct",
+            });
+        }
+        if (!response.ok) {
+            let detail;
+            try {
+                const body = await response.json();
+                detail = {
+                    message: body.error || `HTTP ${response.status}: ${response.statusText}`,
+                };
+            }
+            catch {
+                detail = {
+                    message: `HTTP ${response.status}: ${response.statusText}`,
+                };
+            }
+            throw new ApiError(response.status, detail);
+        }
+        return response.json();
+    }
+}
+//# sourceMappingURL=client.js.map

package/build/commands/auth.d.ts

@@ -0,0 +1,12 @@
+/**
+ * devlog login - Authenticate via browser
+ */
+export declare function loginCommand(_args: string[], flags: Record<string, string>): Promise<void>;
+/**
+ * devlog logout - Clear stored token
+ */
+export declare function logoutCommand(): void;
+/**
+ * devlog status - Show current authentication status
+ */
+export declare function statusCommand(): void;

package/build/commands/auth.js

@@ -0,0 +1,36 @@
+import { login } from "../auth/auth-flow.js";
+import { clearStoredToken, getTokenInfo } from "../auth/token-storage.js";
+const DEFAULT_API_URL = "https://devlog.witchpot.com";
+/**
+ * devlog login - Authenticate via browser
+ */
+export async function loginCommand(_args, flags) {
+    const url = flags["url"] || process.env.DEVLOG_URL || DEFAULT_API_URL;
+    const port = flags["port"] ? parseInt(flags["port"], 10) : undefined;
+    await login({ apiUrl: url, port });
+    // Force exit -- callback server and child processes may hold the event loop
+    process.exit(0);
+}
+/**
+ * devlog logout - Clear stored token
+ */
+export function logoutCommand() {
+    clearStoredToken();
+    console.error("Logged out successfully. Token removed.");
+}
+/**
+ * devlog status - Show current authentication status
+ */
+export function statusCommand() {
+    const info = getTokenInfo();
+    if (!info.exists) {
+        console.log("Not logged in.");
+        console.log('Run "devlog login" to authenticate.');
+        return;
+    }
+    console.log("Logged in");
+    console.log(`  URL:     ${info.apiUrl}`);
+    console.log(`  Token:   ${info.tokenPrefix}`);
+    console.log(`  Created: ${info.createdAt.toISOString()}`);
+}
+//# sourceMappingURL=auth.js.map

package/build/commands/bench.d.ts

@@ -0,0 +1,13 @@
+import type { CommandHandler } from "../types.js";
+/**
+ * devlog bench list [projectId] - List benchmark accounts
+ */
+export declare const benchListCommand: CommandHandler;
+/**
+ * devlog bench add [projectId] --platform=<platform> --handle=<handle>
+ */
+export declare const benchAddCommand: CommandHandler;
+/**
+ * devlog bench remove <accountId> --project=<projectId>
+ */
+export declare const benchRemoveCommand: CommandHandler;

package/build/commands/bench.js

@@ -0,0 +1,60 @@
+import { printJson, printTable } from "../output.js";
+import { getActiveProjectId } from "../config.js";
+import { assertSafeId } from "../errors.js";
+/**
+ * devlog bench list [projectId] - List benchmark accounts
+ */
+export const benchListCommand = async (client, args, _flags, format) => {
+    const projectId = args[0] || getActiveProjectId();
+    assertSafeId(projectId, "project ID");
+    const res = await client.get(`/projects/${projectId}/bench`);
+    if (format === "table") {
+        printTable(res.data.map((a) => ({
+            id: a.id.slice(0, 8),
+            platform: a.platform,
+            handle: `@${a.handle}`,
+            source: a.source,
+            developer: a.developer_name ?? "-",
+            game: a.game_name ?? "-",
+            followers: a.follower_count ?? "-",
+        })));
+    }
+    else {
+        printJson(res.data);
+    }
+};
+/**
+ * devlog bench add [projectId] --platform=<platform> --handle=<handle>
+ */
+export const benchAddCommand = async (client, args, flags, _format) => {
+    const projectId = args[0] || getActiveProjectId();
+    const platform = flags["platform"];
+    const handle = flags["handle"];
+    if (!platform) {
+        console.error("Usage: devlog bench add [projectId] --platform=<platform> --handle=<handle>");
+        process.exit(1);
+    }
+    if (!handle) {
+        console.error("--handle is required");
+        process.exit(1);
+    }
+    assertSafeId(projectId, "project ID");
+    const res = await client.post(`/projects/${projectId}/bench`, { platform, handle });
+    printJson(res.data);
+};
+/**
+ * devlog bench remove <accountId> --project=<projectId>
+ */
+export const benchRemoveCommand = async (client, args, flags, _format) => {
+    const accountId = args[0];
+    if (!accountId) {
+        console.error("Usage: devlog bench remove <accountId>");
+        process.exit(1);
+    }
+    const projectId = flags["project"] || getActiveProjectId();
+    assertSafeId(accountId, "account ID");
+    assertSafeId(projectId, "project ID");
+    await client.delete(`/projects/${projectId}/bench`, { accountId });
+    console.error("Benchmark account removed.");
+};
+//# sourceMappingURL=bench.js.map

package/build/commands/context.d.ts

@@ -0,0 +1,6 @@
+import type { CommandHandler } from "../types.js";
+/**
+ * devlog context [projectId] [--section=<name>]
+ * Get full project context as a single JSON blob.
+ */
+export declare const contextCommand: CommandHandler;

package/build/commands/context.js

@@ -0,0 +1,33 @@
+import { printJson } from "../output.js";
+import { getActiveProjectId } from "../config.js";
+import { assertSafeId } from "../errors.js";
+const VALID_SECTIONS = [
+    "project",
+    "games",
+    "repository",
+    "recentHistory",
+    "recentDrafts",
+    "benchAccounts",
+    "upcomingEvents",
+];
+/**
+ * devlog context [projectId] [--section=<name>]
+ * Get full project context as a single JSON blob.
+ */
+export const contextCommand = async (client, args, flags, _format) => {
+    const projectId = args[0] || getActiveProjectId();
+    assertSafeId(projectId, "project ID");
+    const section = flags["section"];
+    const res = await client.get(`/projects/${projectId}/context`);
+    if (section) {
+        if (!VALID_SECTIONS.includes(section)) {
+            console.error(`Invalid section: ${section}\nValid sections: ${VALID_SECTIONS.join(", ")}`);
+            process.exit(1);
+        }
+        printJson(res.data[section]);
+    }
+    else {
+        printJson(res.data);
+    }
+};
+//# sourceMappingURL=context.js.map