cli-profile-manager 0.0.1

package/src/commands/publish.js

@@ -0,0 +1,252 @@
+import chalk from 'chalk';
+import ora from 'ora';
+import inquirer from 'inquirer';
+import { existsSync, readFileSync, readdirSync, statSync } from 'fs';
+import { join } from 'path';
+import { getConfig, updateConfig, getProfilePath } from '../utils/config.js';
+import { readProfileMetadata } from '../utils/snapshot.js';
+import {
+  getGitHubToken,
+  getGitHubUsername,
+  createProfilePR,
+  fetchRepoIndex,
+  getCredentialSetupInstructions,
+  authenticateWithDeviceFlow
+} from '../utils/auth.js';
+
+/**
+ * Publish a local profile to the marketplace via a direct PR.
+ * Falls back to OAuth device flow if git credentials lack access.
+ */
+export async function publishProfile(name, options) {
+  const profilePath = getProfilePath(name);
+
+  if (!existsSync(profilePath)) {
+    console.log(chalk.red(`Profile not found: ${name}`));
+    console.log(chalk.dim('  List local profiles with: cpm local'));
+    process.exit(1);
+  }
+
+  const metadata = readProfileMetadata(name);
+
+  if (!metadata) {
+    console.log(chalk.red('Invalid profile: missing metadata'));
+    process.exit(1);
+  }
+
+  const contents = metadata.contents || {};
+  const hasContent = Object.values(contents).some(items => items && items.length > 0);
+  if (!hasContent) {
+    console.log(chalk.red('Profile has no functional content (commands, hooks, skills, etc.)'));
+    console.log(chalk.dim('  Profiles must contain at least one functional customization.'));
+    process.exit(1);
+  }
+
+  console.log('');
+  console.log(chalk.bold('Publish Profile to Marketplace'));
+  console.log(chalk.dim('-'.repeat(50)));
+  console.log('');
+
+  const spinner = ora('Checking GitHub credentials...').start();
+  let token = getGitHubToken();
+  let useFork = false;
+
+  if (!token) {
+    spinner.warn(chalk.yellow('No cached GitHub credentials found.'));
+    console.log(chalk.dim('  Falling back to browser authentication...'));
+    token = await authenticateWithDeviceFlow();
+    useFork = true;
+  } else {
+    spinner.succeed(chalk.green('Found GitHub credentials.'));
+  }
+
+  let author;
+  const userSpinner = ora('Verifying identity...').start();
+  try {
+    author = await getGitHubUsername(token);
+    userSpinner.succeed(chalk.green(`Authenticated as ${chalk.bold(author)}`));
+  } catch (error) {
+    userSpinner.fail(chalk.red(error.message));
+    process.exit(1);
+  }
+
+  console.log('');
+  console.log(chalk.cyan('  Name:    ') + name);
+  console.log(chalk.cyan('  Version: ') + (metadata.version || '1.0.0'));
+  console.log(chalk.cyan('  Files:   ') + (metadata.files || []).length);
+  if (metadata.description) {
+    console.log(chalk.cyan('  Desc:    ') + metadata.description);
+  }
+
+  for (const [category, items] of Object.entries(contents)) {
+    if (items && items.length > 0) {
+      const display = category === 'commands'
+        ? items.map(i => `/${i}`).join(', ')
+        : items.join(', ');
+      console.log(chalk.cyan(`  ${category}: `) + chalk.dim(display));
+    }
+  }
+  console.log('');
+
+  const { confirm } = await inquirer.prompt([{
+    type: 'confirm',
+    name: 'confirm',
+    message: `Publish ${chalk.cyan(author + '/' + name)} to the marketplace?`,
+    default: true
+  }]);
+
+  if (!confirm) {
+    console.log(chalk.yellow('Aborted.'));
+    process.exit(0);
+  }
+
+  const config = await getConfig();
+
+  await attemptPublish(token, config, { author, name, metadata, profilePath, useFork });
+}
+
+/**
+ * Attempt to publish. On 403 (insufficient token scope), fall back to
+ * OAuth device flow and retry with a fork-based PR.
+ */
+async function attemptPublish(token, config, { author, name, metadata, profilePath, useFork }) {
+  const publishSpinner = ora('Creating pull request...').start();
+
+  try {
+    const pr = await doPublish(token, config, { author, name, metadata, profilePath, useFork });
+    publishSpinner.succeed(chalk.green('Pull request created!'));
+    console.log('');
+    console.log(chalk.cyan('  PR: ') + pr.html_url);
+    console.log('');
+    console.log(chalk.dim('A maintainer will review and merge your profile.'));
+    console.log('');
+  } catch (error) {
+    if (error.message.includes('403') && !useFork) {
+      publishSpinner.warn(chalk.yellow('Credentials lack write access to marketplace repo.'));
+      console.log(chalk.dim('  Falling back to browser authentication...'));
+      console.log('');
+
+      const deviceToken = await authenticateWithDeviceFlow();
+
+      const retrySpinner = ora('Retrying with fork-based PR...').start();
+      try {
+        const pr = await doPublish(deviceToken, config, { author, name, metadata, profilePath, useFork: true });
+        retrySpinner.succeed(chalk.green('Pull request created!'));
+        console.log('');
+        console.log(chalk.cyan('  PR: ') + pr.html_url);
+        console.log('');
+        console.log(chalk.dim('A maintainer will review and merge your profile.'));
+        console.log('');
+      } catch (retryError) {
+        retrySpinner.fail(chalk.red(`Publish failed: ${retryError.message}`));
+        process.exit(1);
+      }
+    } else {
+      publishSpinner.fail(chalk.red(`Publish failed: ${error.message}`));
+      process.exit(1);
+    }
+  }
+}
+
+/**
+ * Core publish logic: fetch index, prepare metadata, create PR.
+ */
+async function doPublish(token, config, { author, name, metadata, profilePath, useFork }) {
+  const index = await fetchRepoIndex(token, config.marketplaceRepo);
+
+  const publishMetadata = {
+    ...metadata,
+    author,
+    publishedAt: new Date().toISOString()
+  };
+
+  index.profiles = (index.profiles || []).filter(
+    p => !(p.author === author && p.name === name)
+  );
+  index.profiles.push({
+    name,
+    author,
+    version: publishMetadata.version || '1.0.0',
+    description: publishMetadata.description || '',
+    tags: publishMetadata.tags || [],
+    downloads: 0,
+    stars: 0,
+    createdAt: publishMetadata.publishedAt,
+    contents: publishMetadata.contents || {}
+  });
+  index.lastUpdated = new Date().toISOString();
+
+  const profileFiles = readProfileFiles(profilePath);
+
+  const pr = await createProfilePR(token, config.marketplaceRepo, {
+    author,
+    name,
+    profileJson: JSON.stringify(publishMetadata, null, 2),
+    profileFiles,
+    indexUpdate: JSON.stringify(index, null, 2)
+  }, { useFork });
+
+  return pr;
+}
+
+/**
+ * Read all content files from a profile directory (excluding profile.json).
+ * Returns an array of { path, content } pairs with forward-slash paths.
+ */
+function readProfileFiles(profileDir) {
+  const files = [];
+
+  function walk(dir, relativePath = '') {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (!relativePath && entry === 'profile.json') continue;
+
+      const fullPath = join(dir, entry);
+      const relPath = relativePath ? `${relativePath}/${entry}` : entry;
+      const stat = statSync(fullPath);
+
+      if (stat.isDirectory()) {
+        walk(fullPath, relPath);
+      } else {
+        files.push({ path: relPath, content: readFileSync(fullPath, 'utf-8') });
+      }
+    }
+  }
+
+  walk(profileDir);
+  return files;
+}
+
+/**
+ * Set a custom marketplace repository
+ */
+export async function setRepository(repository) {
+  if (!/^[a-z0-9-]+\/[a-z0-9-]+$/i.test(repository)) {
+    console.log(chalk.red('Invalid repository format. Use: owner/repo'));
+    process.exit(1);
+  }
+
+  const spinner = ora('Validating repository...').start();
+
+  try {
+    const { default: fetch } = await import('node-fetch');
+
+    const response = await fetch(
+      `https://raw.githubusercontent.com/${repository}/main/index.json`
+    );
+
+    if (!response.ok && response.status !== 404) {
+      throw new Error(`Repository not accessible: ${response.status}`);
+    }
+
+    await updateConfig({ marketplaceRepo: repository });
+
+    spinner.succeed(chalk.green(`Repository set to: ${chalk.bold(repository)}`));
+    console.log('');
+    console.log(chalk.dim('Browse profiles with: ') + chalk.cyan('cpm list'));
+
+  } catch (error) {
+    spinner.fail(chalk.red(`Failed to set repository: ${error.message}`));
+    process.exit(1);
+  }
+}

package/src/utils/auth.js

@@ -0,0 +1,403 @@
+import { execSync } from 'child_process';
+import chalk from 'chalk';
+import ora from 'ora';
+
+const GITHUB_API = 'https://api.github.com';
+const HEADERS_BASE = {
+  'Accept': 'application/vnd.github+json',
+  'User-Agent': 'cli-profile-manager'
+};
+
+// TODO: Replace with a new OAuth App client ID registered under brrichards.
+// The current ID is from the original brennanr9 account.
+// Setup (one-time, by the cpm maintainer -- NOT end users):
+//   1. https://github.com/settings/applications/new
+//   2. Enable "Device Flow" on the app settings page
+//   3. Paste the client_id here and publish to npm
+// The client_id is public and safe to ship in source -- no secret needed.
+const OAUTH_CLIENT_ID = 'Ov23liNXmVPsBOt1a3Q9';
+
+function authHeaders(token) {
+  return { ...HEADERS_BASE, 'Authorization': `Bearer ${token}` };
+}
+
+async function getFetch() {
+  const { default: fetch } = await import('node-fetch');
+  return fetch;
+}
+
+/**
+ * Retrieve a GitHub token from Git Credential Manager.
+ * Works cross-platform (Windows, macOS, Linux) -- delegates to
+ * whatever credential helper is configured for git.
+ */
+export function getGitHubToken() {
+  try {
+    const input = 'protocol=https\nhost=github.com\n\n';
+    const output = execSync('git credential fill', {
+      input,
+      encoding: 'utf-8',
+      timeout: 10000,
+      stdio: ['pipe', 'pipe', 'pipe']
+    });
+
+    const creds = {};
+    for (const line of output.trim().split('\n')) {
+      const [key, ...rest] = line.split('=');
+      creds[key] = rest.join('=');
+    }
+
+    return creds.password || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Authenticate via the GitHub OAuth device flow.
+ * Opens a browser prompt for the user to authorize -- no PAT needed.
+ * Returns a short-lived access token.
+ */
+export async function authenticateWithDeviceFlow() {
+  const fetch = await getFetch();
+
+  // Step 1: Request a device code
+  const codeResponse = await fetch('https://github.com/login/device/code', {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({
+      client_id: OAUTH_CLIENT_ID,
+      scope: 'public_repo'
+    })
+  });
+
+  if (!codeResponse.ok) {
+    throw new Error(`Device flow initiation failed: ${codeResponse.status}`);
+  }
+
+  const { device_code, user_code, verification_uri, interval, expires_in } = await codeResponse.json();
+
+  // Step 2: Show the user the code
+  console.log('');
+  console.log(chalk.yellow(`  Open: ${chalk.bold(verification_uri)}`));
+  console.log(chalk.yellow(`  Enter code: ${chalk.bold(user_code)}`));
+  console.log('');
+
+  // Step 3: Poll for authorization
+  const spinner = ora('Waiting for authorization...').start();
+  const pollInterval = (interval || 5) * 1000;
+  const deadline = Date.now() + (expires_in || 900) * 1000;
+
+  while (Date.now() < deadline) {
+    await new Promise(resolve => setTimeout(resolve, pollInterval));
+
+    const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
+      method: 'POST',
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify({
+        client_id: OAUTH_CLIENT_ID,
+        device_code,
+        grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
+      })
+    });
+
+    const data = await tokenResponse.json();
+
+    if (data.access_token) {
+      spinner.succeed(chalk.green('Authorized.'));
+      return data.access_token;
+    }
+
+    if (data.error === 'authorization_pending') {
+      continue;
+    }
+
+    if (data.error === 'slow_down') {
+      await new Promise(resolve => setTimeout(resolve, 5000));
+      continue;
+    }
+
+    if (data.error === 'expired_token') {
+      spinner.fail('Authorization expired. Please try again.');
+      throw new Error('Device flow expired.');
+    }
+
+    if (data.error === 'access_denied') {
+      spinner.fail('Authorization denied.');
+      throw new Error('User denied authorization.');
+    }
+
+    spinner.fail(`Authorization failed: ${data.error}`);
+    throw new Error(data.error_description || data.error);
+  }
+
+  spinner.fail('Authorization timed out.');
+  throw new Error('Device flow timed out.');
+}
+
+/**
+ * Get the GitHub username associated with a token.
+ */
+export async function getGitHubUsername(token) {
+  const fetch = await getFetch();
+
+  const response = await fetch(`${GITHUB_API}/user`, {
+    headers: authHeaders(token)
+  });
+
+  if (!response.ok) {
+    if (response.status === 401) {
+      throw new Error('GitHub credentials are expired or invalid. Re-authenticate with git and try again.');
+    }
+    throw new Error(`GitHub API error: ${response.status}`);
+  }
+
+  const user = await response.json();
+  return user.login;
+}
+
+/**
+ * Ensure a fork of the marketplace repo exists under the authenticated user.
+ * Returns the full name of the fork (e.g., "username/cli-profile-manager").
+ */
+async function ensureFork(token, upstreamRepo) {
+  const fetch = await getFetch();
+  const headers = { ...authHeaders(token), 'Content-Type': 'application/json' };
+
+  const userResponse = await fetch(`${GITHUB_API}/user`, { headers: authHeaders(token) });
+  const user = await userResponse.json();
+  const repoName = upstreamRepo.split('/')[1];
+  const forkFullName = `${user.login}/${repoName}`;
+
+  // Check if the fork exists
+  const checkResponse = await fetch(`${GITHUB_API}/repos/${forkFullName}`, {
+    headers: authHeaders(token)
+  });
+
+  if (checkResponse.ok) {
+    const fork = await checkResponse.json();
+    if (fork.fork) {
+      return forkFullName;
+    }
+  }
+
+  // Create the fork
+  const forkResponse = await fetch(`${GITHUB_API}/repos/${upstreamRepo}/forks`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ default_branch_only: true })
+  });
+
+  if (!forkResponse.ok) {
+    const err = await forkResponse.json().catch(() => ({}));
+    throw new Error(`Failed to fork ${upstreamRepo}: ${err.message || forkResponse.status}`);
+  }
+
+  const forkData = await forkResponse.json();
+
+  // Wait for the fork to be ready (GitHub creates forks asynchronously)
+  for (let i = 0; i < 30; i++) {
+    await new Promise(resolve => setTimeout(resolve, 2000));
+    const readyCheck = await fetch(`${GITHUB_API}/repos/${forkData.full_name}/git/ref/heads/main`, {
+      headers: authHeaders(token)
+    });
+    if (readyCheck.ok) {
+      return forkData.full_name;
+    }
+  }
+
+  throw new Error('Fork creation timed out. Please try again.');
+}
+
+/**
+ * Create a pull request on the marketplace repo with profile files.
+ *
+ * Uses the Git Data API (blobs -> tree -> commit -> ref -> PR).
+ * If `forkRepo` is provided, writes to the fork and opens a cross-repo PR.
+ */
+export async function createProfilePR(token, repo, { author, name, profileJson, profileFiles, indexUpdate }, { useFork = false } = {}) {
+  const fetch = await getFetch();
+  const targetRepo = useFork ? await ensureFork(token, repo) : repo;
+  const headers = { ...authHeaders(token), 'Content-Type': 'application/json' };
+
+  async function api(method, path, body, apiRepo = targetRepo) {
+    const response = await fetch(`${GITHUB_API}/repos/${apiRepo}${path}`, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : undefined
+    });
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}));
+      throw new Error(`GitHub API ${method} ${path} failed (${response.status}): ${errorData.message || 'Unknown error'}`);
+    }
+
+    return response.json();
+  }
+
+  // 1. Get the SHA of the main branch (always from upstream for consistency)
+  const mainRef = await api('GET', '/git/ref/heads/main', null, repo);
+  const baseSha = mainRef.object.sha;
+
+  // 2. Get the base commit's tree
+  const baseCommit = await api('GET', `/git/commits/${baseSha}`, null, repo);
+  const baseTreeSha = baseCommit.tree.sha;
+
+  // 3. Create blobs for each profile file
+  const treeEntries = [];
+
+  // profile.json blob
+  const profileBlob = await api('POST', '/git/blobs', {
+    content: Buffer.from(profileJson).toString('base64'),
+    encoding: 'base64'
+  });
+  treeEntries.push({
+    path: `profiles/${author}/${name}/profile.json`,
+    mode: '100644',
+    type: 'blob',
+    sha: profileBlob.sha
+  });
+
+  // Individual profile files (commands, hooks, skills, CLAUDE.md, etc.)
+  for (const file of profileFiles) {
+    const blob = await api('POST', '/git/blobs', {
+      content: Buffer.from(file.content).toString('base64'),
+      encoding: 'base64'
+    });
+    treeEntries.push({
+      path: `profiles/${author}/${name}/${file.path}`,
+      mode: '100644',
+      type: 'blob',
+      sha: blob.sha
+    });
+  }
+
+  // index.json blob
+  const indexBlob = await api('POST', '/git/blobs', {
+    content: Buffer.from(indexUpdate).toString('base64'),
+    encoding: 'base64'
+  });
+  treeEntries.push({
+    path: 'index.json',
+    mode: '100644',
+    type: 'blob',
+    sha: indexBlob.sha
+  });
+
+  // 4. Create a new tree with all profile files + updated index
+  const tree = await api('POST', '/git/trees', {
+    base_tree: baseTreeSha,
+    tree: treeEntries
+  });
+
+  // 5. Create a commit
+  const commit = await api('POST', '/git/commits', {
+    message: `Add profile: ${author}/${name}`,
+    tree: tree.sha,
+    parents: [baseSha]
+  });
+
+  // 6. Create a branch on the target repo
+  const branchName = `profile-submission/${author}/${name}`;
+  try {
+    await api('POST', '/git/refs', {
+      ref: `refs/heads/${branchName}`,
+      sha: commit.sha
+    });
+  } catch (e) {
+    // Branch exists from a previous attempt -- force update it
+    if (e.message.includes('422')) {
+      await api('PATCH', `/git/refs/heads/${branchName}`, {
+        sha: commit.sha,
+        force: true
+      });
+    } else {
+      throw e;
+    }
+  }
+
+  // 7. Create the pull request (always targets upstream)
+  const prHead = useFork ? `${targetRepo.split('/')[0]}:${branchName}` : branchName;
+  const pr = await api('POST', '/pulls', {
+    title: `Add profile: ${author}/${name}`,
+    body: buildPRBody(author, name, JSON.parse(profileJson)),
+    head: prHead,
+    base: 'main'
+  }, repo);
+
+  return pr;
+}
+
+/**
+ * Fetch the current index.json from the repo.
+ */
+export async function fetchRepoIndex(token, repo) {
+  const fetch = await getFetch();
+
+  const response = await fetch(`${GITHUB_API}/repos/${repo}/contents/index.json`, {
+    headers: authHeaders(token)
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch index.json: ${response.status}`);
+  }
+
+  const data = await response.json();
+  return JSON.parse(Buffer.from(data.content, 'base64').toString('utf-8'));
+}
+
+function buildPRBody(author, name, metadata) {
+  const lines = [
+    `## Profile Submission`,
+    '',
+    `Adds profile **${author}/${name}** v${metadata.version || '1.0.0'}`,
+    '',
+    `**Description:** ${metadata.description || 'No description'}`,
+    ''
+  ];
+
+  const contents = metadata.contents || {};
+  if (Object.keys(contents).length > 0) {
+    lines.push('**Contents:**');
+    for (const [cat, items] of Object.entries(contents)) {
+      if (items && items.length > 0) {
+        const display = cat === 'commands' ? items.map(i => `/${i}`).join(', ') : items.join(', ');
+        lines.push(`- ${cat}: ${display}`);
+      }
+    }
+    lines.push('');
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Returns setup instructions when no credentials are found.
+ */
+export function getCredentialSetupInstructions() {
+  return [
+    '',
+    'To set up HTTPS credentials for GitHub:',
+    '',
+    '  1. Create a token at: https://github.com/settings/tokens/new',
+    '     (select the "public_repo" scope)',
+    '',
+    '  2. Store it in your git credential manager:',
+    '',
+    '     git credential approve <<EOF',
+    '     protocol=https',
+    '     host=github.com',
+    '     username=YOUR_USERNAME',
+    '     password=YOUR_TOKEN',
+    '     EOF',
+    '',
+    'Then re-run: cpm publish <profile-name>',
+    ''
+  ].join('\n');
+}