npm - blodemd - Versions diffs - 0.0.3 → 0.0.5 - Mend

blodemd 0.0.3 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.mjs CHANGED Viewed

@@ -1,12 +1,575 @@
 #!/usr/bin/env node
-import { spawnSync } from "node:child_process";
-import fs from "node:fs/promises";
-import path from "node:path";
-import { styleText } from "node:util";
-import { intro, log, outro, spinner } from "@clack/prompts";
+import { spawn, spawnSync } from "node:child_process";
+import fs, { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import path, { join } from "node:path";
+import { confirm, intro, isCancel, log, password, spinner } from "@clack/prompts";
+import chalk from "chalk";
 import { Command } from "commander";
+import open from "open";
+import { homedir } from "node:os";
+import { once } from "node:events";
+import { setTimeout as setTimeout$1 } from "node:timers/promises";
+import { fileURLToPath } from "node:url";
+import { createFsSource, loadSiteConfig } from "@repo/previewing";
+import { watch } from "chokidar";
+import { createServer } from "node:http";
+import { createHash, randomBytes } from "node:crypto";
+//#region src/constants.ts
+const CLI_NAME = "blodemd";
+const OAUTH_CLIENT_ID = "6b5f9860-fe96-4a83-b1ad-266260523c91";
+const DEFAULT_OAUTH_CALLBACK_PORT = 8787;
+const DEFAULT_OAUTH_CALLBACK_PATH = "/auth/callback";
+const getDefaultConfigBaseDir = () => {
+	if (process.platform === "win32") return process.env.APPDATA ?? join(homedir(), "AppData", "Roaming");
+	return process.env.XDG_CONFIG_HOME ?? join(homedir(), ".config");
+};
+const CONFIG_DIR = join(getDefaultConfigBaseDir(), CLI_NAME);
+const CREDENTIALS_FILE = join(CONFIG_DIR, "credentials.json");
+//#endregion
+//#region src/jwt.ts
+const parseJwtBase64Url = (input) => {
+	const normalized = input.replaceAll("-", "+").replaceAll("_", "/");
+	const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, "=");
+	return Buffer.from(padded, "base64").toString("utf8");
+};
+const parseJwtClaims = (token) => {
+	const payloadPart = token.split(".").at(1);
+	if (!payloadPart) return null;
+	try {
+		const payload = parseJwtBase64Url(payloadPart);
+		const parsed = JSON.parse(payload);
+		if (typeof parsed !== "object" || parsed === null) return null;
+		const claims = parsed;
+		return {
+			email: typeof claims.email === "string" ? claims.email : void 0,
+			exp: typeof claims.exp === "number" ? claims.exp : void 0,
+			sub: typeof claims.sub === "string" ? claims.sub : void 0
+		};
+	} catch {
+		return null;
+	}
+};
+//#endregion
+//#region src/errors.ts
+const EXIT_CODES = {
+	AUTH_REQUIRED: 4,
+	CANCELLED: 2,
+	ERROR: 1,
+	NETWORK: 5,
+	SUCCESS: 0,
+	VALIDATION: 3
+};
+var CliError = class extends Error {
+	exitCode;
+	hint;
+	constructor(message, exitCode = EXIT_CODES.ERROR, hint) {
+		super(message);
+		this.name = "CliError";
+		this.exitCode = exitCode;
+		this.hint = hint ?? null;
+	}
+};
+const toCliError = (error) => {
+	if (error instanceof CliError) return error;
+	if (error instanceof Error) {
+		if (error instanceof TypeError && error.message.includes("fetch")) return new CliError("Cannot connect to Blode.md API.", EXIT_CODES.NETWORK, "Check your internet connection and API URL configuration.");
+		if (error.name === "TimeoutError" || error.name === "AbortError") return new CliError("Request timed out.", EXIT_CODES.NETWORK, "The API may be unavailable. Try again later.");
+		return new CliError(error.message, EXIT_CODES.ERROR);
+	}
+	return new CliError("Unknown error", EXIT_CODES.ERROR);
+};
+//#endregion
+//#region src/oauth-token.ts
+const postTokenRequest = async (url, body) => {
+	const response = await fetch(url, {
+		body: body.toString(),
+		headers: { "content-type": "application/x-www-form-urlencoded" },
+		method: "POST"
+	});
+	if (!response.ok) {
+		const text = await response.text().catch(() => "");
+		throw new CliError(`OAuth token request failed (${response.status}): ${text}`, EXIT_CODES.AUTH_REQUIRED);
+	}
+	return await response.json();
+};
+const exchangeAuthorizationCode = (config, code, codeVerifier, redirectUri) => {
+	const body = new URLSearchParams({
+		client_id: config.clientId,
+		code,
+		code_verifier: codeVerifier,
+		grant_type: "authorization_code",
+		redirect_uri: redirectUri
+	});
+	return postTokenRequest(config.tokenUrl, body);
+};
+const refreshAccessToken = (config, refreshToken) => {
+	const body = new URLSearchParams({
+		client_id: config.clientId,
+		grant_type: "refresh_token",
+		refresh_token: refreshToken
+	});
+	return postTokenRequest(config.tokenUrl, body);
+};
+//#endregion
+//#region src/storage.ts
+const isRecord = (value) => typeof value === "object" && value !== null;
+const parseStoredAuthSession = (value) => {
+	if (!isRecord(value)) return null;
+	if (typeof value.accessToken !== "string") return null;
+	if (value.refreshToken !== null && typeof value.refreshToken !== "string") return null;
+	if (value.expiresAt !== null && typeof value.expiresAt !== "string") return null;
+	const { user } = value;
+	if (user !== null && (!isRecord(user) || typeof user.id !== "string" || user.email !== null && typeof user.email !== "string")) return null;
+	if (typeof value.createdAt !== "string") return null;
+	const parsedUser = user === null || !isRecord(user) ? null : {
+		email: user.email ?? null,
+		id: user.id
+	};
+	return {
+		accessToken: value.accessToken,
+		createdAt: value.createdAt,
+		expiresAt: value.expiresAt ?? null,
+		refreshToken: value.refreshToken ?? null,
+		user: parsedUser
+	};
+};
+const parseApiKeyCredentials = (value) => {
+	if (!isRecord(value)) return null;
+	if (typeof value.apiKey !== "string") return null;
+	return {
+		apiKey: value.apiKey,
+		type: "api-key"
+	};
+};
+const readAuthFile = async () => {
+	try {
+		const raw = await readFile(CREDENTIALS_FILE, "utf8");
+		const parsed = JSON.parse(raw);
+		if (!isRecord(parsed) || parsed.version !== 1) throw new CliError(`Invalid credentials format in ${CREDENTIALS_FILE}`, EXIT_CODES.ERROR);
+		return {
+			apiKey: parseApiKeyCredentials(parsed.apiKey) ?? void 0,
+			session: parseStoredAuthSession(parsed.session) ?? void 0,
+			version: 1
+		};
+	} catch (error) {
+		if (isRecord(error) && error.code === "ENOENT") return null;
+		if (error instanceof CliError) throw error;
+		return null;
+	}
+};
+const writeAuthFile = async (data) => {
+	await mkdir(CONFIG_DIR, {
+		mode: 448,
+		recursive: true
+	});
+	await writeFile(CREDENTIALS_FILE, `${JSON.stringify(data, null, 2)}\n`, {
+		encoding: "utf8",
+		mode: 384
+	});
+};
+const writeStoredAuthSession = async (session) => {
+	await writeAuthFile({
+		session,
+		version: 1
+	});
+};
+const writeStoredApiKey = async (apiKey) => {
+	await writeAuthFile({
+		apiKey,
+		version: 1
+	});
+};
+const clearStoredCredentials = async () => {
+	await rm(CREDENTIALS_FILE, { force: true });
+};
+//#endregion
+//#region src/supabase.ts
+const resolveSupabaseConfig = () => {
+	return { url: process.env.SUPABASE_URL ?? process.env.NEXT_PUBLIC_SUPABASE_URL ?? "https://bwnxwgkgyklzzmpbzuoz.supabase.co" };
+};
+const buildOAuthUrls = (config) => ({
+	authorizeUrl: `${config.url}/auth/v1/oauth/authorize`,
+	tokenUrl: `${config.url}/auth/v1/oauth/token`
+});
+const tokenResponseToStoredSession = (response) => {
+	const claims = parseJwtClaims(response.access_token);
+	let expiresAt = null;
+	if (typeof claims?.exp === "number") expiresAt = (/* @__PURE__ */ new Date(claims.exp * 1e3)).toISOString();
+	else if (response.expires_in > 0) expiresAt = new Date(Date.now() + response.expires_in * 1e3).toISOString();
+	return {
+		accessToken: response.access_token,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+		expiresAt,
+		refreshToken: response.refresh_token ?? null,
+		user: claims?.sub || claims?.email ? {
+			email: claims.email ?? null,
+			id: claims.sub ?? "unknown"
+		} : null
+	};
+};
+//#endregion
+//#region src/auth-session.ts
+const expiresInMs = (session) => {
+	if (!session.expiresAt) return null;
+	const expiresAtMs = Date.parse(session.expiresAt);
+	if (Number.isNaN(expiresAtMs)) return null;
+	return expiresAtMs - Date.now();
+};
+const isExpired = (session) => {
+	const ms = expiresInMs(session);
+	return ms !== null && ms <= 0;
+};
+const shouldRefresh = (session) => {
+	const ms = expiresInMs(session);
+	return ms !== null && ms <= 6e4;
+};
+const tokenFromRaw = (token, source) => {
+	const claims = parseJwtClaims(token);
+	return {
+		expiresAt: typeof claims?.exp === "number" ? (/* @__PURE__ */ new Date(claims.exp * 1e3)).toISOString() : null,
+		source,
+		token,
+		user: claims?.sub || claims?.email ? {
+			email: claims.email ?? null,
+			id: claims.sub ?? "unknown"
+		} : null
+	};
+};
+const sessionToResolvedToken = (session) => ({
+	expiresAt: session.expiresAt,
+	source: "stored",
+	token: session.accessToken,
+	user: session.user
+});
+const resolveAuthToken = async (optApiKey) => {
+	const envToken = (optApiKey ?? process.env["BLODEMD_API_KEY"])?.trim();
+	if (envToken) return tokenFromRaw(envToken, optApiKey ? "flag" : "environment");
+	const data = await readAuthFile();
+	const session = data?.session;
+	if (session) {
+		if (!(shouldRefresh(session) || isExpired(session))) return sessionToResolvedToken(session);
+		if (session.refreshToken) try {
+			const { tokenUrl } = buildOAuthUrls(resolveSupabaseConfig());
+			const updatedSession = tokenResponseToStoredSession(await refreshAccessToken({
+				clientId: OAUTH_CLIENT_ID,
+				tokenUrl
+			}, session.refreshToken));
+			await writeStoredAuthSession(updatedSession);
+			return sessionToResolvedToken(updatedSession);
+		} catch {}
+		if (isExpired(session)) {
+			await clearStoredCredentials();
+			return null;
+		}
+		return sessionToResolvedToken(session);
+	}
+	if (data?.apiKey) return {
+		expiresAt: null,
+		source: "stored",
+		token: data.apiKey.apiKey,
+		user: null
+	};
+	return null;
+};
+const resolveTokenStatus = (token) => {
+	if (!token.expiresAt) return {
+		expired: false,
+		expiresInSeconds: null
+	};
+	const expiresAtMs = Date.parse(token.expiresAt);
+	if (Number.isNaN(expiresAtMs)) return {
+		expired: false,
+		expiresInSeconds: null
+	};
+	const expiresInSeconds = Math.floor((expiresAtMs - Date.now()) / 1e3);
+	return {
+		expired: expiresInSeconds <= 0,
+		expiresInSeconds
+	};
+};
+//#endregion
+//#region src/dev/resolve-root.ts
+const CONFIG_FILE$1 = "docs.json";
+const fileExists$2 = async (filePath) => {
+	try {
+		await fs.access(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+};
+const resolveDocsRoot$1 = async (dir) => {
+	if (dir) return path.resolve(process.cwd(), dir);
+	const candidates = [
+		process.cwd(),
+		path.join(process.cwd(), "docs"),
+		path.join(process.cwd(), "apps/docs")
+	];
+	for (const candidate of candidates) if (await fileExists$2(path.join(candidate, CONFIG_FILE$1))) return candidate;
+	return process.cwd();
+};
+const validateDocsRoot = async (root) => {
+	const result = await loadSiteConfig(createFsSource(root));
+	if (!result.ok) throw new CliError(result.errors.join("\n"), EXIT_CODES.VALIDATION, `Make sure ${CONFIG_FILE$1} exists and is valid JSON.`);
+	return result;
+};
+//#endregion
+//#region src/dev/watcher.ts
+const INVALIDATE_ENDPOINT = "/blodemd-dev/invalidate";
+const WATCH_DEBOUNCE_MS = 100;
+const normalizeRelativePath$1 = (root, filePath) => path.relative(root, filePath).split(path.sep).join("/");
+const isDirectoryEvent = (event) => event === "addDir" || event === "unlinkDir";
+const createDevWatcher = ({ port, root }) => {
+	const watcher = watch(root, {
+		ignoreInitial: true,
+		ignored: [
+			"**/.git/**",
+			"**/.next/**",
+			"**/dist/**",
+			"**/node_modules/**"
+		]
+	});
+	let flushTimer = null;
+	let pendingKind = "content";
+	const pendingPaths = /* @__PURE__ */ new Set();
+	const flush = async () => {
+		flushTimer = null;
+		const paths = [...pendingPaths];
+		const kind = pendingKind;
+		pendingPaths.clear();
+		pendingKind = "content";
+		if (!paths.length) return;
+		try {
+			const response = await fetch(`http://127.0.0.1:${port}${INVALIDATE_ENDPOINT}`, {
+				body: JSON.stringify({
+					kind,
+					paths
+				}),
+				headers: { "Content-Type": "application/json" },
+				method: "POST"
+			});
+			if (!response.ok) throw new Error(`HTTP ${response.status}`);
+		} catch (error) {
+			log.error(`Failed to invalidate preview cache: ${error instanceof Error ? error.message : "unknown error"}`);
+		}
+	};
+	watcher.on("all", (event, changedPath) => {
+		if (isDirectoryEvent(event)) return;
+		const relativePath = normalizeRelativePath$1(root, changedPath);
+		pendingPaths.add(relativePath);
+		if (path.basename(changedPath) === "docs.json") pendingKind = "config";
+		if (flushTimer) clearTimeout(flushTimer);
+		flushTimer = setTimeout(() => {
+			flush();
+		}, WATCH_DEBOUNCE_MS);
+	});
+	return { async close() {
+		if (flushTimer) {
+			clearTimeout(flushTimer);
+			await flush();
+		}
+		await watcher.close();
+	} };
+};
+//#endregion
+//#region src/dev/command.ts
+const DEV_READY_ENDPOINT = "/blodemd-dev/version";
+const DEV_READY_TIMEOUT_MS = 45e3;
+const parsePositiveInteger$1 = (value, label) => {
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isInteger(parsed) || parsed <= 0) throw new CliError(`${label} must be a positive integer.`, EXIT_CODES.VALIDATION);
+	return parsed;
+};
+const fileExists$1 = async (filePath) => {
+	try {
+		await fs.access(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+};
+const findMonorepoRoot = async (start) => {
+	let current = start;
+	while (true) {
+		const packageJsonPath = path.join(current, "package.json");
+		if (await fileExists$1(packageJsonPath)) {
+			const raw = await fs.readFile(packageJsonPath, "utf8");
+			const workspaces = JSON.parse(raw).workspaces ?? [];
+			if (workspaces.includes("apps/*") && workspaces.includes("packages/*")) return current;
+		}
+		const parent = path.dirname(current);
+		if (parent === current) break;
+		current = parent;
+	}
+	throw new CliError("Could not locate the blodemd monorepo root.", EXIT_CODES.ERROR, "The monorepo-only dev server must be run from this repository checkout.");
+};
+const waitForServer = async ({ child, port }) => {
+	const url = `http://localhost:${port}${DEV_READY_ENDPOINT}`;
+	const startedAt = Date.now();
+	while (Date.now() - startedAt < DEV_READY_TIMEOUT_MS) {
+		if (child.exitCode !== null) throw new CliError("The local dev server exited before it became ready.", EXIT_CODES.ERROR);
+		try {
+			if ((await fetch(url, {
+				cache: "no-store",
+				headers: { accept: "application/json" }
+			})).ok) return;
+		} catch {}
+		await setTimeout$1(500);
+	}
+	throw new CliError("Timed out waiting for the local dev server to start.", EXIT_CODES.ERROR);
+};
+const npmCommand = process.platform === "win32" ? "npm.cmd" : "npm";
+const devCommand = async ({ dir, openBrowser, port: portValue }) => {
+	intro(chalk.bold("blodemd dev"));
+	try {
+		const port = parsePositiveInteger$1(portValue, "Port");
+		const root = await resolveDocsRoot$1(dir);
+		await validateDocsRoot(root);
+		const cliFilePath = fileURLToPath(import.meta.url);
+		const repoRoot = await findMonorepoRoot(path.dirname(cliFilePath));
+		const localUrl = `http://localhost:${port}`;
+		log.info(`Docs root: ${chalk.cyan(root)}`);
+		const child = spawn(npmCommand, [
+			"run",
+			"dev",
+			"--workspace=dev-server"
+		], {
+			cwd: repoRoot,
+			env: {
+				...process.env,
+				DOCS_ROOT: root,
+				PORT: String(port)
+			},
+			stdio: "inherit"
+		});
+		let watcher = null;
+		let shuttingDown = false;
+		const closeAll = async () => {
+			if (shuttingDown) return;
+			shuttingDown = true;
+			if (watcher) {
+				await watcher.close();
+				watcher = null;
+			}
+			if (child.exitCode === null && !child.killed) child.kill("SIGTERM");
+		};
+		const onSignal = async () => {
+			await closeAll();
+		};
+		process.once("SIGINT", onSignal);
+		process.once("SIGTERM", onSignal);
+		try {
+			await waitForServer({
+				child,
+				port
+			});
+			watcher = await createDevWatcher({
+				port,
+				root
+			});
+			log.success(`Dev server running at ${chalk.cyan(localUrl)}`);
+			if (openBrowser) await open(localUrl);
+			const [code, signal] = await once(child, "exit");
+			await closeAll();
+			process.removeListener("SIGINT", onSignal);
+			process.removeListener("SIGTERM", onSignal);
+			if (shuttingDown || signal === "SIGINT" || signal === "SIGTERM") return;
+			if (code !== 0) throw new CliError(`The local dev server exited with code ${code ?? "unknown"}.`, EXIT_CODES.ERROR);
+		} catch (error) {
+			await closeAll();
+			process.removeListener("SIGINT", onSignal);
+			process.removeListener("SIGTERM", onSignal);
+			throw error;
+		}
+	} catch (error) {
+		const cliError = toCliError(error);
+		log.error(cliError.message);
+		if (cliError.hint) log.info(cliError.hint);
+		process.exitCode = cliError.exitCode;
+	}
+};
+//#endregion
+//#region src/oauth-callback.ts
+const SUCCESS_HTML = "<!doctype html><html><head><meta charset=\"utf-8\"/><title>Blode.md CLI</title></head><body><h2>Logged in! You can close this tab.</h2></body></html>";
+const escapeHtml = (text) => text.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;");
+const errorHtml = (message) => `<!doctype html><html><head><meta charset="utf-8"/><title>Blode.md CLI</title></head><body><h2>Login failed</h2><p>${escapeHtml(message)}</p></body></html>`;
+const waitForOAuthCode = (options) => {
+	const host = options.redirectUrl.hostname;
+	const port = Number(options.redirectUrl.port);
+	const { pathname } = options.redirectUrl;
+	if (!Number.isInteger(port) || port <= 0) return Promise.reject(new CliError("OAuth redirect URL requires an explicit port", EXIT_CODES.ERROR));
+	return new Promise((resolve, reject) => {
+		let settled = false;
+		const sockets = /* @__PURE__ */ new Set();
+		const settle = (ok, value) => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			httpServer.close(() => {
+				if (ok) resolve(value);
+				else reject(value);
+			});
+			for (const socket of sockets) socket.destroy();
+		};
+		const httpServer = createServer((request, response) => {
+			if (!request.url) {
+				response.writeHead(400, { "content-type": "text/html; charset=utf-8" });
+				response.end(errorHtml("Missing request URL"));
+				settle(false, new CliError("OAuth callback is missing a request URL", EXIT_CODES.ERROR));
+				return;
+			}
+			const url = new URL(request.url, options.redirectUrl.origin);
+			if (url.pathname !== pathname) {
+				response.writeHead(404, { "content-type": "text/html; charset=utf-8" });
+				response.end(errorHtml("Invalid callback path"));
+				return;
+			}
+			const providerError = url.searchParams.get("error");
+			if (providerError) {
+				const description = url.searchParams.get("error_description") ?? providerError;
+				response.writeHead(400, { "content-type": "text/html; charset=utf-8" });
+				response.end(errorHtml(description));
+				settle(false, new CliError(`OAuth provider returned an error: ${description}`, EXIT_CODES.ERROR));
+				return;
+			}
+			if (url.searchParams.get("state") !== options.expectedState) {
+				response.writeHead(400, { "content-type": "text/html; charset=utf-8" });
+				response.end(errorHtml("State verification failed"));
+				settle(false, new CliError("OAuth state verification failed", EXIT_CODES.ERROR));
+				return;
+			}
+			const code = url.searchParams.get("code");
+			if (!code) {
+				response.writeHead(400, { "content-type": "text/html; charset=utf-8" });
+				response.end(errorHtml("Authorization code was missing"));
+				settle(false, new CliError("OAuth callback is missing an authorization code", EXIT_CODES.ERROR));
+				return;
+			}
+			response.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+			response.end(SUCCESS_HTML);
+			settle(true, code);
+		});
+		httpServer.on("connection", (socket) => {
+			sockets.add(socket);
+			socket.once("close", () => sockets.delete(socket));
+		});
+		httpServer.on("error", (error) => {
+			settle(false, new CliError(`Failed to start callback server on ${host}:${port}: ${error.message}`, EXIT_CODES.ERROR));
+		});
+		const timer = setTimeout(() => {
+			settle(false, new CliError("Login timed out. Please try again.", EXIT_CODES.CANCELLED));
+		}, options.timeoutMs);
+		httpServer.listen(port, host);
+	});
+};
+//#endregion
+//#region src/pkce.ts
+const createOAuthState = () => randomBytes(24).toString("hex");
+const createCodeVerifier = () => randomBytes(64).toString("base64url");
+const createCodeChallenge = (verifier) => createHash("sha256").update(verifier).digest().toString("base64url");
+//#endregion
 //#region src/cli.ts
-const CONTENT_CONFIG_FILE = "docs.json";
+const CONFIG_FILE = "docs.json";
 const TEXT_CONTENT_TYPES = {
 	".css": "text/css; charset=utf-8",
 	".html": "text/html; charset=utf-8",
@@ -20,22 +583,34 @@ const TEXT_CONTENT_TYPES = {
 	".yml": "application/yaml; charset=utf-8"
 };
 const ensureFile = async (filePath, content) => {
+	try {
+		await fs.writeFile(filePath, content, { flag: "wx" });
+	} catch {}
+};
+const fileExists = async (filePath) => {
 	try {
 		await fs.access(filePath);
+		return true;
 	} catch {
-		await fs.writeFile(filePath, content);
+		return false;
 	}
 };
-const isMissingFileError = (error) => error instanceof Error && "code" in error && error.code === "ENOENT";
-const validateConfigFile = async (root) => {
-	try {
-		const raw = await fs.readFile(path.join(root, CONTENT_CONFIG_FILE), "utf8");
-		JSON.parse(raw);
-		return CONTENT_CONFIG_FILE;
-	} catch (error) {
-		if (isMissingFileError(error)) throw new Error(`${CONTENT_CONFIG_FILE} not found.`, { cause: error });
-		throw error;
-	}
+const readConfig = async (root) => {
+	const raw = await fs.readFile(path.join(root, CONFIG_FILE), "utf8");
+	return {
+		name: JSON.parse(raw).name,
+		raw
+	};
+};
+const resolveDocsRoot = async (dir) => {
+	if (dir) return path.resolve(process.cwd(), dir);
+	const candidates = [
+		process.cwd(),
+		path.join(process.cwd(), "docs"),
+		path.join(process.cwd(), "apps/docs")
+	];
+	for (const candidate of candidates) if (await fileExists(path.join(candidate, CONFIG_FILE))) return candidate;
+	return process.cwd();
 };
 const readGitValue = (gitArgs) => {
 	const result = spawnSync("git", gitArgs, {
@@ -84,17 +659,197 @@ const requestJson = async (url, init, message) => {
 	}
 	return data;
 };
+const parsePositiveInteger = (value, label) => {
+	const parsed = Number.parseInt(value, 10);
+	if (!Number.isInteger(parsed) || parsed <= 0) throw new CliError(`${label} must be a positive integer.`, EXIT_CODES.VALIDATION);
+	return parsed;
+};
+const reportCommandError = (prefix, error) => {
+	const cliError = toCliError(error);
+	log.error(`${prefix}: ${cliError.message}`);
+	if (cliError.hint) log.info(cliError.hint);
+	log.info("Failed");
+	process.exitCode = cliError.exitCode;
+};
+const fetchUserEmail = async (apiUrl, token) => {
+	try {
+		return (await requestJson(`${apiUrl}/auth/me`, { headers: { Authorization: `Bearer ${token}` } }, "Failed to fetch user info")).email;
+	} catch {
+		return null;
+	}
+};
+const resolvePushConfig = async (config, options) => {
+	const project = options.project ?? process.env["BLODEMD_PROJECT"] ?? config.name;
+	const apiUrl = options.apiUrl ?? process.env["BLODEMD_API_URL"] ?? "https://api.blode.md";
+	const authToken = (await resolveAuthToken(options.apiKey))?.token;
+	const branch = options.branch ?? process.env["BLODEMD_BRANCH"] ?? process.env.GITHUB_REF_NAME ?? readGitValue([
+		"rev-parse",
+		"--abbrev-ref",
+		"HEAD"
+	]) ?? "main";
+	const commitMessage = options.message ?? process.env["BLODEMD_COMMIT_MESSAGE"] ?? readGitValue([
+		"log",
+		"-1",
+		"--pretty=%s"
+	]);
+	if (!project) throw new Error("Missing project slug. Set \"name\" in docs.json, pass --project, or set BLODEMD_PROJECT.");
+	if (!authToken) throw new Error("Missing credentials. Run \"blodemd login\", pass --api-key, or set BLODEMD_API_KEY.");
+	return {
+		apiUrl,
+		authToken,
+		branch,
+		commitMessage,
+		project
+	};
+};
+const autoCreateProject = async (project, apiUrl, headers) => {
+	if (!(await readAuthFile())?.session) throw new Error(`Project "${project}" not found. Create it at blode.md or login with "blodemd login" to auto-create.`);
+	const shouldCreate = await confirm({ message: `Project "${project}" doesn't exist. Create it?` });
+	if (isCancel(shouldCreate) || !shouldCreate) return false;
+	const createResult = await requestJson(new URL("/projects", apiUrl).toString(), {
+		body: JSON.stringify({
+			name: project,
+			slug: project
+		}),
+		headers,
+		method: "POST"
+	}, "Failed to create project");
+	log.success(`Project ${chalk.cyan(createResult.project.slug)} created`);
+	log.info(`API key for CI: ${chalk.dim(createResult.token)}`);
+	return true;
+};
+const uploadFiles = async (files, root, apiPath, deploymentId, headers, s) => {
+	s.start(`Uploading ${files.length} files`);
+	for (const [index, filePath] of files.entries()) {
+		const relativePath = normalizeRelativePath(root, filePath);
+		const content = await fs.readFile(filePath);
+		await requestJson(apiPath(`/${deploymentId}/files`), {
+			body: JSON.stringify({
+				contentBase64: content.toString("base64"),
+				contentType: getContentType(filePath),
+				path: relativePath
+			}),
+			headers,
+			method: "POST"
+		}, `Failed to upload ${relativePath}`);
+		s.message(`Uploading files (${index + 1}/${files.length})`);
+	}
+	s.stop(`Uploaded ${chalk.cyan(String(files.length))} files`);
+};
 const program = new Command();
-program.name("blode-docs").description("Blode Docs CLI").version("0.0.3");
-program.command("init").description("Scaffold a content folder").argument("[dir]", "target directory", "docs").action(async (dir) => {
-	intro(styleText("bold", "blode-docs init"));
+program.name("blodemd").description("Blode.md CLI").version("0.0.3");
+program.command("login").description("Authenticate with Blode.md").option("--token", "Paste an API key instead of using browser login").option("--port <port>", "Loopback callback port", String(DEFAULT_OAUTH_CALLBACK_PORT)).option("--timeout <seconds>", "OAuth timeout in seconds", String(180)).option("--no-open", "Print URL instead of opening the browser").action(async (options) => {
+	intro(chalk.bold("blodemd login"));
+	try {
+		if (options.token) {
+			const apiKey = await password({
+				message: "Enter your API key",
+				validate: (value) => {
+					if (!value) return "API key is required.";
+				}
+			});
+			if (isCancel(apiKey)) {
+				log.warn("Cancelled");
+				return;
+			}
+			await writeStoredApiKey({
+				apiKey,
+				type: "api-key"
+			});
+			const prefix = apiKey.split(".")[0] ?? apiKey.slice(0, 12);
+			log.success(`Authenticated as ${chalk.cyan(prefix)}`);
+			log.info("Done");
+			return;
+		}
+		const { authorizeUrl, tokenUrl } = buildOAuthUrls(resolveSupabaseConfig());
+		const clientId = OAUTH_CLIENT_ID;
+		const port = parsePositiveInteger(options.port, "Port");
+		const timeoutSeconds = parsePositiveInteger(options.timeout, "Timeout");
+		const redirectUrl = new URL(`http://127.0.0.1:${port}${DEFAULT_OAUTH_CALLBACK_PATH}`);
+		const state = createOAuthState();
+		const codeVerifier = createCodeVerifier();
+		const codeChallenge = createCodeChallenge(codeVerifier);
+		const authUrl = new URL(authorizeUrl);
+		authUrl.searchParams.set("response_type", "code");
+		authUrl.searchParams.set("client_id", clientId);
+		authUrl.searchParams.set("redirect_uri", redirectUrl.toString());
+		authUrl.searchParams.set("code_challenge", codeChallenge);
+		authUrl.searchParams.set("code_challenge_method", "S256");
+		authUrl.searchParams.set("state", state);
+		authUrl.searchParams.set("scope", "openid email profile");
+		const callbackPromise = waitForOAuthCode({
+			expectedState: state,
+			redirectUrl,
+			timeoutMs: timeoutSeconds * 1e3
+		});
+		if (options.open) {
+			log.info("Opening browser for authentication...");
+			log.info(`If the browser doesn't open, visit: ${chalk.cyan(authUrl.toString())}`);
+			await open(authUrl.toString());
+		} else {
+			log.info("Open this URL to continue authentication:");
+			log.info(chalk.cyan(authUrl.toString()));
+		}
+		const code = await callbackPromise;
+		const storedSession = tokenResponseToStoredSession(await exchangeAuthorizationCode({
+			clientId,
+			tokenUrl
+		}, code, codeVerifier, redirectUrl.toString()));
+		await writeStoredAuthSession(storedSession);
+		const email = storedSession.user?.email ?? await fetchUserEmail(process.env["BLODEMD_API_URL"] ?? "https://api.blode.md", storedSession.accessToken);
+		if (email) log.success(`Logged in as ${chalk.cyan(email)}`);
+		else log.success("Logged in successfully.");
+		log.info("Done");
+	} catch (error) {
+		reportCommandError("Login failed", error);
+	}
+});
+program.command("logout").description("Remove stored credentials").action(async () => {
+	intro(chalk.bold("blodemd logout"));
+	try {
+		const existing = await readAuthFile();
+		await clearStoredCredentials();
+		if (existing?.session || existing?.apiKey) log.success("Credentials removed.");
+		else log.info("No stored credentials found.");
+		log.info("Done");
+	} catch (error) {
+		reportCommandError("Logout failed", error);
+	}
+});
+program.command("whoami").description("Show current authentication").action(async () => {
+	try {
+		const resolved = await resolveAuthToken();
+		if (!resolved) {
+			log.warn("Not logged in. Run \"blodemd login\" to authenticate.");
+			return;
+		}
+		if (resolved.source === "environment") {
+			log.info("Authenticated via BLODEMD_API_KEY environment variable");
+			return;
+		}
+		if (!resolved.expiresAt && !resolved.user) {
+			const prefix = resolved.token.split(".")[0] ?? resolved.token.slice(0, 12);
+			log.info(`Logged in with API key ${chalk.cyan(prefix)}`);
+			return;
+		}
+		const status = resolveTokenStatus(resolved);
+		const email = resolved.user?.email ?? await fetchUserEmail(process.env["BLODEMD_API_URL"] ?? "https://api.blode.md", resolved.token);
+		if (email) log.info(`Logged in as ${chalk.cyan(email)}`);
+		else log.info("Logged in (could not fetch user details).");
+		if (resolved.expiresAt && status.expired) log.warn("Session has expired. Run \"blodemd login\" to re-authenticate.");
+	} catch (error) {
+		reportCommandError("Whoami failed", error);
+	}
+});
+program.command("init").description("Scaffold a docs folder").argument("[dir]", "target directory", "docs").action(async (dir) => {
+	intro(chalk.bold("blodemd init"));
 	try {
 		const root = path.resolve(process.cwd(), dir);
 		await fs.mkdir(root, { recursive: true });
-		await ensureFile(path.join(root, CONTENT_CONFIG_FILE), `${JSON.stringify({
+		await ensureFile(path.join(root, CONFIG_FILE), `${JSON.stringify({
 			$schema: "https://mintlify.com/docs.json",
 			colors: { primary: "#0D9373" },
-			name: "My Site",
+			name: "my-project",
 			navigation: { groups: [{
 				group: "Getting Started",
 				pages: ["index"]
@@ -102,85 +857,69 @@ program.command("init").description("Scaffold a content folder").argument("[dir]
 			theme: "mint"
 		}, null, 2)}\n`);
 		await ensureFile(path.join(root, "index.mdx"), "---\ntitle: Welcome\n---\n\nStart writing your docs here.\n");
-		log.success(`Docs scaffolded in ${styleText("cyan", root)}`);
-		outro("Done");
+		log.success(`Docs scaffolded in ${chalk.cyan(root)}`);
+		log.info(`Set ${chalk.cyan("name")} in docs.json to your project slug.`);
+		log.info("Done");
 	} catch (error) {
-		log.error(`Init failed: ${error instanceof Error ? error.message : String(error)}`);
-		outro("Failed");
-		process.exitCode = 1;
+		reportCommandError("Init failed", error);
 	}
 });
-program.command("validate").description("Validate docs.json").argument("[dir]", "target directory", "docs").action(async (dir) => {
-	intro(styleText("bold", "blode-docs validate"));
-	const root = path.resolve(process.cwd(), dir);
+program.command("validate").description("Validate docs.json").argument("[dir]", "docs directory").action(async (dir) => {
+	intro(chalk.bold("blodemd validate"));
 	try {
-		const configFile = await validateConfigFile(root);
-		log.success(`${styleText("cyan", configFile)} is valid JSON.`);
-		outro("Done");
+		await readConfig(await resolveDocsRoot(dir));
+		log.success(`${chalk.cyan(CONFIG_FILE)} is valid.`);
+		log.info("Done");
 	} catch (error) {
-		log.error(`Validation failed: ${error instanceof Error ? error.message : String(error)}`);
-		outro("Failed");
-		process.exitCode = 1;
+		reportCommandError("Validation failed", error);
 	}
 });
-program.command("push").description("Publish docs content").argument("[dir]", "target directory", "docs").option("--project <slug>", "project slug (env: BLODE_DOCS_PROJECT)").option("--api-url <url>", "API endpoint URL (env: BLODE_DOCS_API_URL)").option("--api-key <token>", "API authentication token (env: BLODE_DOCS_API_KEY)").option("--branch <name>", "git branch name (env: BLODE_DOCS_BRANCH)").option("--commit-message <message>", "deployment message (env: BLODE_DOCS_COMMIT_MESSAGE)").action(async (dir, options) => {
-	intro(styleText("bold", "blode-docs push"));
+program.command("push").description("Deploy docs").argument("[dir]", "docs directory").option("--project <slug>", "project slug (env: BLODEMD_PROJECT)").option("--api-url <url>", "API URL (env: BLODEMD_API_URL)").option("--api-key <token>", "API key (env: BLODEMD_API_KEY)").option("--branch <name>", "git branch (env: BLODEMD_BRANCH)").option("--message <msg>", "deploy message (env: BLODEMD_COMMIT_MESSAGE)").action(async (dir, options) => {
+	intro(chalk.bold("blodemd push"));
 	const s = spinner();
 	try {
-		const root = path.resolve(process.cwd(), dir);
+		const root = await resolveDocsRoot(dir);
 		s.start("Validating configuration");
-		await validateConfigFile(root);
+		const config = await readConfig(root);
 		s.stop("Configuration valid");
-		const project = options.project ?? process.env.BLODE_DOCS_PROJECT;
-		const apiUrl = options.apiUrl ?? process.env.BLODE_DOCS_API_URL ?? process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:4000";
-		const apiKey = options.apiKey ?? process.env.BLODE_DOCS_API_KEY;
-		const branch = options.branch ?? process.env.BLODE_DOCS_BRANCH ?? process.env.GITHUB_REF_NAME ?? readGitValue([
-			"rev-parse",
-			"--abbrev-ref",
-			"HEAD"
-		]) ?? "main";
-		const commitMessage = options.commitMessage ?? process.env.BLODE_DOCS_COMMIT_MESSAGE ?? readGitValue([
-			"log",
-			"-1",
-			"--pretty=%s"
-		]);
-		if (!project) throw new Error("Missing project slug. Pass --project or set BLODE_DOCS_PROJECT.");
-		if (!apiKey) throw new Error("Missing API key. Pass --api-key or set BLODE_DOCS_API_KEY.");
+		const { project, apiUrl, authToken, branch, commitMessage } = await resolvePushConfig(config, options);
 		s.start("Collecting files");
 		const files = await collectFiles(root);
-		if (files.length === 0) throw new Error("No files found to publish.");
-		s.stop(`Found ${styleText("cyan", String(files.length))} files`);
+		if (files.length === 0) throw new Error("No files found to deploy.");
+		s.stop(`Found ${chalk.cyan(String(files.length))} files`);
 		const headers = {
-			Authorization: `Bearer ${apiKey}`,
+			Authorization: `Bearer ${authToken}`,
 			"Content-Type": "application/json"
 		};
 		const apiPath = (suffix) => new URL(`/projects/slug/${project}/deployments${suffix}`, apiUrl).toString();
+		const createDeploymentBody = JSON.stringify({
+			branch,
+			commitMessage
+		});
 		s.start("Creating deployment");
-		const deployment = await requestJson(apiPath(""), {
-			body: JSON.stringify({
-				branch,
-				commitMessage
-			}),
-			headers,
-			method: "POST"
-		}, "Failed to create deployment");
-		s.stop(`Deployment ${styleText("cyan", deployment.id)} created`);
-		s.start(`Uploading ${files.length} files`);
-		for (const [index, filePath] of files.entries()) {
-			const relativePath = normalizeRelativePath(root, filePath);
-			const content = await fs.readFile(filePath);
-			await requestJson(apiPath(`/${deployment.id}/files`), {
-				body: JSON.stringify({
-					contentBase64: content.toString("base64"),
-					contentType: getContentType(filePath),
-					path: relativePath
-				}),
+		let deployment;
+		try {
+			deployment = await requestJson(apiPath(""), {
+				body: createDeploymentBody,
+				headers,
+				method: "POST"
+			}, "Failed to create deployment");
+		} catch (error) {
+			if (!(error instanceof Error ? error.message : "").includes("404")) throw error;
+			s.stop("Project not found");
+			if (!await autoCreateProject(project, apiUrl, headers)) {
+				log.info("Cancelled");
+				return;
+			}
+			s.start("Creating deployment");
+			deployment = await requestJson(apiPath(""), {
+				body: createDeploymentBody,
 				headers,
 				method: "POST"
-			}, `Failed to upload ${relativePath}`);
-			s.message(`Uploading files (${index + 1}/${files.length})`);
+			}, "Failed to create deployment");
 		}
-		s.stop(`Uploaded ${styleText("cyan", String(files.length))} files`);
+		s.stop(`Deployment ${chalk.cyan(deployment.id)} created`);
+		await uploadFiles(files, root, apiPath, deployment.id, headers, s);
 		s.start("Finalizing deployment");
 		const finalized = await requestJson(apiPath(`/${deployment.id}/finalize`), {
 			body: JSON.stringify({ promote: true }),
@@ -188,23 +927,20 @@ program.command("push").description("Publish docs content").argument("[dir]", "t
 			method: "POST"
 		}, "Failed to finalize deployment");
 		s.stop("Deployment finalized");
-		log.success(`Published deployment ${styleText("cyan", finalized.id)}`);
+		log.success(`Published ${chalk.cyan(finalized.id)}`);
 		if (finalized.manifestUrl) log.info(`Manifest: ${finalized.manifestUrl}`);
 		if (typeof finalized.fileCount === "number") log.info(`Files: ${finalized.fileCount}`);
-		outro("Done");
+		log.info("Done");
 	} catch (error) {
 		s.stop("Failed");
-		log.error(error instanceof Error ? error.message : String(error));
-		outro("Failed");
-		process.exitCode = 1;
+		reportCommandError("Push failed", error);
 	}
 });
-program.command("dev").description("Start the docs dev server").action(() => {
-	intro(styleText("bold", "blode-docs dev"));
-	log.info(`Run ${styleText("cyan", "npm run dev --filter=docs")} from the repo root.`);
-	log.info(`Then open ${styleText("cyan", "http://localhost:3001")} to view the docs site.`);
-	outro("Done");
-});
+program.command("dev").description("Start the local docs dev server").option("-p, --port <port>", "Port number", "3030").option("-d, --dir <dir>", "Docs directory").option("--no-open", "Don't open browser").action(async (options) => await devCommand({
+	dir: options.dir,
+	openBrowser: options.open ?? true,
+	port: options.port
+}));
 program.parse();
 //#endregion
 export {};