cawplan 0.0.0

package/dist/lib/http.js

@@ -0,0 +1,174 @@
+import { getBaseUrl, getApiKey } from "./config.js";
+import { readCredentials, writeCredentials, isAccessTokenExpired, } from "./credentials.js";
+export class ApiError extends Error {
+    status;
+    body;
+    constructor(message, status, body) {
+        super(message);
+        this.status = status;
+        this.body = body;
+        this.name = "ApiError";
+    }
+}
+function normalizeBaseUrl(base) {
+    let url = base.trim();
+    if (!url.startsWith("http://") && !url.startsWith("https://")) {
+        url = `https://${url}`;
+    }
+    return url.replace(/\/$/, "");
+}
+function normalizePath(path) {
+    const trimmed = path.trim();
+    if (trimmed.startsWith("http://") || trimmed.startsWith("https://")) {
+        throw new Error("path must be relative, not a full URL");
+    }
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+}
+async function refreshAccessToken(refreshToken) {
+    const baseUrl = normalizeBaseUrl(getBaseUrl());
+    const url = `${baseUrl}/api/v1/cli/oauth/refresh`;
+    const res = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ refresh_token: refreshToken }),
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+        throw new ApiError("Token expired, run: cawplan auth login", res.status, data);
+    }
+    // BE response: { code, data: { access_token, expire } }
+    // refresh_token is slid server-side; the same token remains valid.
+    const payload = (data.data ?? data);
+    if (!payload.access_token || typeof payload.expire !== "number") {
+        throw new ApiError("Token refresh failed: unexpected response", res.status, data);
+    }
+    return {
+        accessToken: payload.access_token,
+        refreshToken, // unchanged — server slides TTL in place
+        expire: payload.expire,
+    };
+}
+async function refreshStoredAccessToken(credentials) {
+    if (!credentials.refreshToken) {
+        throw new ApiError("Session expired. Run: cawplan auth login", 401);
+    }
+    const refreshed = await refreshAccessToken(credentials.refreshToken);
+    const nextCredentials = {
+        ...credentials,
+        accessToken: refreshed.accessToken,
+        refreshToken: refreshed.refreshToken,
+        expire: refreshed.expire,
+    };
+    await writeCredentials(nextCredentials);
+    return {
+        accessToken: refreshed.accessToken,
+        credentials: nextCredentials,
+    };
+}
+async function resolveAuthContext() {
+    const creds = await readCredentials();
+    // Priority 1: valid access token
+    if (creds?.accessToken && !isAccessTokenExpired(creds)) {
+        return {
+            header: `Bearer ${creds.accessToken}`,
+            kind: "oauth",
+            credentials: creds,
+        };
+    }
+    // Priority 2: expired access token with refresh token -> auto-refresh
+    if (creds?.accessToken && creds.refreshToken && isAccessTokenExpired(creds)) {
+        try {
+            const refreshed = await refreshStoredAccessToken(creds);
+            return {
+                header: `Bearer ${refreshed.accessToken}`,
+                kind: "oauth",
+                credentials: refreshed.credentials,
+            };
+        }
+        catch {
+            // Fall through to API key
+        }
+    }
+    // Priority 3: API key from credentials file or env var
+    const apiKey = creds?.apiKey ?? getApiKey();
+    if (apiKey) {
+        return {
+            header: apiKey,
+            kind: "apiKey",
+            credentials: creds,
+        };
+    }
+    return null;
+}
+async function readResponsePayload(res) {
+    const contentType = res.headers.get("content-type") || "";
+    return contentType.includes("application/json")
+        ? await res.json().catch(() => ({}))
+        : await res.text();
+}
+function responseMessage(payload) {
+    if (typeof payload === "object" && payload !== null) {
+        const body = payload;
+        const message = body.msg ?? body.message ?? body.code;
+        if (typeof message === "string" && message.trim())
+            return message;
+    }
+    return String(payload || "unknown");
+}
+export async function cawplanRequest(options) {
+    const baseUrl = normalizeBaseUrl(getBaseUrl());
+    const url = new URL(`${baseUrl}${normalizePath(options.path)}`);
+    if (options.query) {
+        for (const [key, value] of Object.entries(options.query)) {
+            url.searchParams.set(key, value);
+        }
+    }
+    let auth = await resolveAuthContext();
+    if (!auth) {
+        console.error("Not authenticated. Run: cawplan auth login (or: cawplan auth configure)");
+        process.exit(1);
+    }
+    const method = options.method ?? "GET";
+    const body = options.body !== undefined ? JSON.stringify(options.body) : undefined;
+    const fetchWithAuth = async (authHeader) => {
+        const headers = {
+            Authorization: authHeader,
+            accept: "application/json",
+        };
+        if (options.body !== undefined) {
+            headers["content-type"] = "application/json";
+        }
+        return fetch(url.toString(), { method, headers, body });
+    };
+    let res = await fetchWithAuth(auth.header);
+    let payload = await readResponsePayload(res);
+    if (res.status === 401) {
+        if (auth.kind === "oauth") {
+            try {
+                const refreshed = await refreshStoredAccessToken(auth.credentials ?? {});
+                auth = {
+                    header: `Bearer ${refreshed.accessToken}`,
+                    kind: "oauth",
+                    credentials: refreshed.credentials,
+                };
+                res = await fetchWithAuth(auth.header);
+                payload = await readResponsePayload(res);
+                if (res.status === 401) {
+                    throw new ApiError("Session expired. Run: cawplan auth login", 401, payload);
+                }
+            }
+            catch {
+                throw new ApiError("Session expired. Run: cawplan auth login", 401, payload);
+            }
+        }
+        else {
+            throw new ApiError("API Key invalid. Run: cawplan auth configure", 401, payload);
+        }
+    }
+    if (!res.ok) {
+        const msg = responseMessage(payload);
+        const err = new ApiError(`API error ${res.status}: ${msg}`, res.status, payload);
+        throw err;
+    }
+    return payload;
+}

package/dist/lib/oauth.d.ts

@@ -0,0 +1,20 @@
+import type { Credentials } from "./credentials.js";
+export declare const OAUTH_TIMEOUT_MS: number;
+export declare const OAUTH_TIMEOUT_ERROR = "oauth_timeout";
+export declare const OAUTH_DENIED_ERROR = "access_denied";
+export interface CallbackResult {
+    stateToken?: string;
+    error?: string;
+}
+export interface OAuthLoginOptions {
+    openBrowser?: (url: string) => Promise<void>;
+    callbackTimeoutMs?: number;
+}
+export declare function openBrowser(url: string): Promise<void>;
+export declare function waitForOAuthCallback(host?: string, timeoutMs?: number): Promise<{
+    port: number;
+    result: Promise<CallbackResult>;
+}>;
+export declare function buildConsentUrl(redirectUri: string, state: string): string;
+export declare function exchangeStateToken(stateToken: string): Promise<Credentials>;
+export declare function runOAuthLogin(options?: OAuthLoginOptions): Promise<Credentials>;

package/dist/lib/oauth.js

@@ -0,0 +1,155 @@
+import { execFile } from "node:child_process";
+import { createServer } from "node:http";
+import { promisify } from "node:util";
+import { randomBytes } from "node:crypto";
+import { getBaseUrl } from "./config.js";
+import { getPortalBase } from "./products.js";
+const execFileAsync = promisify(execFile);
+export const OAUTH_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+export const OAUTH_TIMEOUT_ERROR = "oauth_timeout";
+export const OAUTH_DENIED_ERROR = "access_denied";
+// ─── Browser opener ──────────────────────────────────────────────────────────
+export async function openBrowser(url) {
+    const platform = process.platform;
+    if (platform === "darwin") {
+        await execFileAsync("open", [url]);
+        return;
+    }
+    if (platform === "win32") {
+        await execFileAsync("cmd", ["/c", "start", "", url]);
+        return;
+    }
+    await execFileAsync("xdg-open", [url]);
+}
+// ─── Local callback server ───────────────────────────────────────────────────
+export function waitForOAuthCallback(host = "127.0.0.1", timeoutMs = OAUTH_TIMEOUT_MS) {
+    let resolveCallback;
+    const result = new Promise((resolve) => {
+        resolveCallback = resolve;
+    });
+    return new Promise((resolve, reject) => {
+        let timer;
+        const cleanup = (server) => {
+            if (timer)
+                clearTimeout(timer);
+            server.close();
+        };
+        const server = createServer((req, res) => {
+            if (!req.url?.startsWith("/callback")) {
+                res.statusCode = 404;
+                res.end("Not found");
+                return;
+            }
+            const requestUrl = new URL(req.url, `http://${host}`);
+            const error = requestUrl.searchParams.get("error") ?? undefined;
+            const stateToken = requestUrl.searchParams.get("state_token") ?? undefined;
+            const message = error
+                ? `Authentication failed: ${error}.`
+                : !stateToken
+                    ? "Authentication failed: missing state token."
+                    : "Authentication successful.";
+            res.statusCode = 200;
+            res.setHeader("Content-Type", "text/plain; charset=utf-8");
+            res.setHeader("Connection", "close");
+            res.end(`${message} You can close this tab and return to the terminal.`);
+            cleanup(server);
+            if (error) {
+                resolveCallback({ error });
+                return;
+            }
+            if (!stateToken) {
+                resolveCallback({ error: "missing_state_token" });
+                return;
+            }
+            resolveCallback({ stateToken });
+        });
+        server.once("error", reject);
+        server.listen(0, host, () => {
+            const address = server.address();
+            if (!address || typeof address === "string") {
+                reject(new Error("failed to bind local OAuth callback server"));
+                return;
+            }
+            timer = setTimeout(() => {
+                cleanup(server);
+                resolveCallback({ error: OAUTH_TIMEOUT_ERROR });
+            }, timeoutMs);
+            resolve({ port: address.port, result });
+        });
+    });
+}
+// ─── Consent URL builder ─────────────────────────────────────────────────────
+//
+// Points to the CawPlan web portal's /cli/auth page — NOT the BE API directly.
+// The portal page is already authenticated in the user's browser; it calls
+// POST /api/v1/cli/oauth/consent with the user's JWT, then redirects the browser
+// to the CLI localhost callback with the returned state_token.
+export function buildConsentUrl(redirectUri, state) {
+    const portalBase = getPortalBase().replace(/\/$/, "");
+    const params = new URLSearchParams({
+        client: "cawplan-cli",
+        redirect_uri: redirectUri,
+        state,
+    });
+    return `${portalBase}/cli/auth?${params.toString()}`;
+}
+// ─── Token exchange ───────────────────────────────────────────────────────────
+function responseMessage(body) {
+    const message = body.msg ?? body.message ?? body.code;
+    return typeof message === "string" && message.trim() ? message : "unknown error";
+}
+export async function exchangeStateToken(stateToken) {
+    const base = getBaseUrl().replace(/\/$/, "");
+    const url = `${base}/api/v1/cli/oauth/exchange`;
+    const res = await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ state_token: stateToken }),
+    });
+    const body = await res.json().catch(() => ({}));
+    if (!res.ok) {
+        throw new Error(`Exchange failed (${res.status}): ${responseMessage(body)}`);
+    }
+    const data = (body.data ?? {});
+    const accessToken = data.access_token;
+    const refreshToken = data.refresh_token;
+    const expire = data.expire;
+    const user = data.user;
+    if (!accessToken || !refreshToken || typeof expire !== "number") {
+        throw new Error("Exchange response missing required token fields");
+    }
+    return {
+        accessToken,
+        refreshToken,
+        expire,
+        email: user?.email,
+    };
+}
+// ─── Full login flow ──────────────────────────────────────────────────────────
+export async function runOAuthLogin(options) {
+    const host = "127.0.0.1";
+    const { port, result } = await waitForOAuthCallback(host, options?.callbackTimeoutMs);
+    const redirectUri = `http://${host}:${port}/callback`;
+    const state = randomBytes(16).toString("hex");
+    const consentUrl = buildConsentUrl(redirectUri, state);
+    const open = options?.openBrowser ?? openBrowser;
+    console.error(`Opening browser for authentication...`);
+    console.error(`If the browser does not open, visit:\n  ${consentUrl}`);
+    try {
+        await open(consentUrl);
+    }
+    catch {
+        // Browser open failed — user can still visit the URL manually
+    }
+    const callback = await result;
+    if (callback.error === OAUTH_DENIED_ERROR) {
+        throw new Error("Authentication was denied.");
+    }
+    if (callback.error === OAUTH_TIMEOUT_ERROR) {
+        throw new Error("Authentication timed out (5 minutes). Run: cawplan auth login");
+    }
+    if (callback.error || !callback.stateToken) {
+        throw new Error(`Authentication failed: ${callback.error ?? "missing state token"}`);
+    }
+    return exchangeStateToken(callback.stateToken);
+}

package/dist/lib/output.d.ts

@@ -0,0 +1,3 @@
+export declare function success(msg: string): void;
+export declare function info(msg: string): void;
+export declare function error(msg: string): void;

package/dist/lib/output.js

@@ -0,0 +1,9 @@
+export function success(msg) {
+    console.log(msg);
+}
+export function info(msg) {
+    console.error(msg);
+}
+export function error(msg) {
+    console.error(`Error: ${msg}`);
+}

package/dist/lib/products.d.ts

@@ -0,0 +1,24 @@
+export interface EnvConfig {
+    portalBase: string;
+    apiBase: string;
+}
+export declare function getEnvNames(): string[];
+export declare function getDefaultEnvName(): string;
+export declare function getProductEnvConfig(envName: string): EnvConfig;
+/**
+ * API base URL for the cawplan backend.
+ * Priority: CAWPLAN_BASE_URL env var > CAWPLAN_ENV profile > ~/.cawplan/config.json > products.json.
+ */
+export declare function getApiBase(): string;
+/**
+ * Portal (web app) base URL.
+ * Priority: CAWPLAN_PORTAL_URL env var > CAWPLAN_ENV profile > ~/.cawplan/config.json > products.json.
+ */
+export declare function getPortalBase(): string;
+/**
+ * Normalize a core-product API path for the configured base URL.
+ * Paths are always /api/v1/... relative to the service root (direct BE or gateway .../core-product).
+ */
+export declare function resolveApiPath(path: string): string;
+/** True when apiBase already includes the gateway /core-product suffix. */
+export declare function apiBaseUsesGatewayPrefix(): boolean;

package/dist/lib/products.js

@@ -0,0 +1,87 @@
+import { createRequire } from "node:module";
+import { fileURLToPath } from "node:url";
+import { dirname, resolve } from "node:path";
+import { readUserConfigSync } from "./user-config.js";
+const _require = createRequire(import.meta.url);
+// ─── Loader ───────────────────────────────────────────────────────────────────
+function loadProductConfig() {
+    const __dirname = dirname(fileURLToPath(import.meta.url));
+    const data = _require(resolve(__dirname, "../../config/products.json"));
+    const product = data.products["cawplan"];
+    if (!product)
+        throw new Error("products.json: missing 'cawplan' entry");
+    return product;
+}
+export function getEnvNames() {
+    return Object.keys(loadProductConfig().env);
+}
+export function getDefaultEnvName() {
+    return loadProductConfig().defaultEnv;
+}
+export function getProductEnvConfig(envName) {
+    const product = loadProductConfig();
+    const envConfig = product.env[envName];
+    if (!envConfig)
+        throw new Error(`products.json: unknown env '${envName}'`);
+    return envConfig;
+}
+function getSelectedEnvName() {
+    const product = loadProductConfig();
+    const userConfig = readUserConfigSync();
+    return process.env.CAWPLAN_ENV ?? userConfig?.env ?? product.defaultEnv;
+}
+function loadEnvConfig() {
+    const product = loadProductConfig();
+    const envName = getSelectedEnvName();
+    const envConfig = product.env[envName] ?? product.env[product.defaultEnv];
+    if (!envConfig)
+        throw new Error(`products.json: unknown env '${envName}'`);
+    return envConfig;
+}
+// ─── Public API ───────────────────────────────────────────────────────────────
+/**
+ * API base URL for the cawplan backend.
+ * Priority: CAWPLAN_BASE_URL env var > CAWPLAN_ENV profile > ~/.cawplan/config.json > products.json.
+ */
+export function getApiBase() {
+    const userConfig = readUserConfigSync();
+    if (process.env.CAWPLAN_BASE_URL)
+        return process.env.CAWPLAN_BASE_URL;
+    if (process.env.CAWPLAN_ENV)
+        return loadEnvConfig().apiBase;
+    return userConfig?.baseUrl ?? loadEnvConfig().apiBase;
+}
+/**
+ * Portal (web app) base URL.
+ * Priority: CAWPLAN_PORTAL_URL env var > CAWPLAN_ENV profile > ~/.cawplan/config.json > products.json.
+ */
+export function getPortalBase() {
+    const userConfig = readUserConfigSync();
+    if (process.env.CAWPLAN_PORTAL_URL)
+        return process.env.CAWPLAN_PORTAL_URL;
+    if (process.env.CAWPLAN_ENV)
+        return loadEnvConfig().portalBase;
+    return userConfig?.portalUrl ?? loadEnvConfig().portalBase;
+}
+/**
+ * Normalize a core-product API path for the configured base URL.
+ * Paths are always /api/v1/... relative to the service root (direct BE or gateway .../core-product).
+ */
+export function resolveApiPath(path) {
+    const trimmed = path.trim();
+    if (!trimmed) {
+        throw new Error("API path is required");
+    }
+    let normalized = trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+    if (normalized.startsWith("/core-product/")) {
+        normalized = normalized.slice("/core-product".length);
+    }
+    if (!normalized.startsWith("/api/v1/")) {
+        throw new Error(`API path must start with /api/v1/: ${path}`);
+    }
+    return normalized;
+}
+/** True when apiBase already includes the gateway /core-product suffix. */
+export function apiBaseUsesGatewayPrefix() {
+    return getApiBase().includes("/core-product");
+}

package/dist/lib/user-config.d.ts

@@ -0,0 +1,10 @@
+export interface UserConfig {
+    env?: string;
+    baseUrl?: string;
+    portalUrl?: string;
+}
+export declare const CONFIG_PATH: string;
+export declare function getConfigPath(): string;
+export declare function readUserConfigSync(): UserConfig | null;
+export declare function readUserConfig(): Promise<UserConfig | null>;
+export declare function writeUserConfig(config: UserConfig): Promise<void>;

package/dist/lib/user-config.js

@@ -0,0 +1,47 @@
+import { chmod, mkdir, readFile, writeFile } from "node:fs/promises";
+import { readFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { homedir } from "node:os";
+const CONFIG_MODE = 0o600;
+export const CONFIG_PATH = join(homedir(), ".cawplan", "config.json");
+export function getConfigPath() {
+    return process.env.CAWPLAN_CONFIG_PATH ?? CONFIG_PATH;
+}
+function normalizeConfig(parsed) {
+    return {
+        env: parsed.env,
+        baseUrl: parsed.baseUrl,
+        portalUrl: parsed.portalUrl,
+    };
+}
+export function readUserConfigSync() {
+    try {
+        const raw = readFileSync(getConfigPath(), "utf8");
+        return normalizeConfig(JSON.parse(raw));
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return null;
+        }
+        throw err;
+    }
+}
+export async function readUserConfig() {
+    try {
+        const raw = await readFile(getConfigPath(), "utf8");
+        return normalizeConfig(JSON.parse(raw));
+    }
+    catch (err) {
+        if (err.code === "ENOENT") {
+            return null;
+        }
+        throw err;
+    }
+}
+export async function writeUserConfig(config) {
+    const configPath = getConfigPath();
+    await mkdir(dirname(configPath), { recursive: true });
+    const payload = `${JSON.stringify(config, null, 2)}\n`;
+    await writeFile(configPath, payload, { encoding: "utf8", mode: CONFIG_MODE });
+    await chmod(configPath, CONFIG_MODE);
+}

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "cawplan",
+  "version": "0.0.0",
+  "description": "CawPlan CLI",
+  "author": "Ubiquiti UID",
+  "license": "MIT",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "cawplan": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "config"
+  ],
+  "keywords": [
+    "cawplan",
+    "prm",
+    "release-management",
+    "ubiquiti"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Ubiquiti-UID/flow-cawplan-skill.git",
+    "directory": "cli"
+  },
+  "scripts": {
+    "build": "tsc",
+    "postbuild": "chmod +x dist/index.js",
+    "prepublishOnly": "npm run build",
+    "prepack": "node scripts/pack-public-config.mjs prepack",
+    "postpack": "node scripts/pack-public-config.mjs postpack",
+    "cli": "tsx src/index.ts",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "commander": "^12.0.0",
+    "zod": "^3.24.1"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "tsx": "^4.0.0",
+    "typescript": "^5.0.0",
+    "vitest": "^4.1.8"
+  }
+}