instant-cli 1.0.22 → 1.0.23-branch-cli-codex-update.25390498340.1

package/src/index.ts

@@ -29,6 +29,7 @@ import { PACKAGE_ALIAS_AND_FULL_NAMES } from './context/projectInfo.ts';
 import { authClientAddCmd } from './commands/auth/client/add.ts';
 import { authClientListCmd } from './commands/auth/client/list.ts';
 import { authClientDeleteCmd } from './commands/auth/client/delete.ts';
+import { authClientUpdateCmd } from './commands/auth/client/update.ts';
 import { authOriginListCmd } from './commands/auth/origin/list.ts';
 import { authOriginDeleteCmd } from './commands/auth/origin/delete.ts';
 import { authOriginAddCmd } from './commands/auth/origin/add.ts';
@@ -109,28 +110,29 @@ export const authClientAddDef = authClient
     `
 Provider Specific Options:
   Google:
-   --app-type       web|ios|android|button-for-web
-   --client-id
-   --client-secret                      (web only)
-   --custom-redirect-uri      (optional, web only)
+   --app-type             web|ios|android|button-for-web
+   --dev-credentials      (optional, web only)
+   --client-id            (required unless using dev credentials)
+   --client-secret        (web only, unless using dev credentials)
+   --custom-redirect-uri  (optional, web only)
   GitHub:
    --client-id
    --client-secret
-   --custom-redirect-uri      (optional)
+   --custom-redirect-uri  (optional)
   Apple:
-   --services-id              (Services ID from ${link('https://developer.apple.com', 'developer.apple.com')})
-   --team-id                  (optional, required for web redirect flow)
-   --key-id                   (optional, required for web redirect flow)
-   --private-key-file         (optional, path to .p8 PEM; required for web redirect flow)
-   --custom-redirect-uri      (optional, web redirect flow only)
+   --services-id          (Services ID from ${link('https://developer.apple.com', 'developer.apple.com')})
+   --team-id              (optional, required for web redirect flow)
+   --key-id               (optional, required for web redirect flow)
+   --private-key-file     (optional, path to .p8 PEM; required for web redirect flow)
+   --custom-redirect-uri  (optional, web redirect flow only)
   LinkedIn:
    --client-id
    --client-secret
-   --custom-redirect-uri      (optional)
+   --custom-redirect-uri  (optional)
   Clerk:
-   --publishable-key    (Publishable Key from ${link('https://dashboard.clerk.com', 'dashboard.clerk.com')})
+   --publishable-key      (Publishable Key from ${link('https://dashboard.clerk.com', 'dashboard.clerk.com')})
   Firebase:
-   --project-id         (Project ID from ${link('https://console.firebase.google.com', 'console.firebase.google.com')})
+   --project-id           (Project ID from ${link('https://console.firebase.google.com', 'console.firebase.google.com')})
 `,
   )
   .action((opts) => {
@@ -197,6 +199,65 @@ export const authClientDeleteDef = authClient
     );
   });
 
+export const authClientUpdateDef = authClient
+  .command('update')
+  .description('Update an OAuth client')
+  .allowExcessArguments(true)
+  .allowUnknownOption(true)
+  .option('--id <client-id>', 'Client ID to update')
+  .option('--name <client-name>', 'Client name to update')
+  .option(
+    '-a --app <app-id>',
+    'App ID to update a client in. Defaults to *_INSTANT_APP_ID in .env',
+  )
+  .addHelpText(
+    'after',
+    `
+Provider Specific Options:
+  Google:
+   --dev-credentials          (web only)
+   --client-id
+   --client-secret            (web only)
+   --custom-redirect-uri      (optional, web only)
+  GitHub:
+   --client-id
+   --client-secret
+   --custom-redirect-uri      (optional)
+  Apple:
+   --services-id
+   --team-id                  (web redirect flow)
+   --key-id                   (web redirect flow)
+   --private-key-file         (web redirect flow)
+   --custom-redirect-uri      (optional, web redirect flow only)
+  LinkedIn:
+   --client-id
+   --client-secret
+   --custom-redirect-uri      (optional)
+  Clerk:
+   --publishable-key
+  Firebase:
+   --project-id
+`,
+  )
+  .action((opts) => {
+    opts = {
+      ...opts,
+      ...minimist(process.argv),
+    };
+
+    return runCommandEffect(
+      authClientUpdateCmd(opts).pipe(
+        Effect.provide(
+          WithAppLayer({
+            coerce: false,
+            appId: opts.app,
+            allowAdminToken: true,
+          }),
+        ),
+      ),
+    );
+  });
+
 const authOrigin = auth.command('origin');
 export const authOriginListDef = authOrigin
   .command('list')

package/src/lib/oauth.ts

@@ -32,10 +32,30 @@ export const OAuthServiceProvider = Schema.Struct({
   provider_name: Schema.String,
 });
 
+export const GoogleAppTypeSchema = Schema.Literal(
+  'web',
+  'ios',
+  'android',
+  'button-for-web',
+);
+
 const NullableString = Schema.Union(Schema.String, Schema.Null).pipe(
   Schema.optional,
 );
 
+const NullableBoolean = Schema.Union(Schema.Boolean, Schema.Null).pipe(
+  Schema.optional,
+);
+
+const OAuthClientMeta = Schema.Struct({
+  // Currently the CLI only reads Google app type from meta. Other providers store
+  // different meta shapes, so keep the rest open until we have a clean
+  // top-level discriminator for a full provider-specific union.
+  appType: GoogleAppTypeSchema.pipe(Schema.optional),
+}).pipe(
+  Schema.extend(Schema.Record({ key: Schema.String, value: Schema.Any })),
+);
+
 export const OAuthClient = Schema.Struct({
   id: Schema.String,
   client_name: Schema.String,
@@ -45,7 +65,8 @@ export const OAuthClient = Schema.Struct({
   token_endpoint: NullableString,
   discovery_endpoint: NullableString,
   redirect_to: NullableString,
-  meta: Schema.Any.pipe(Schema.optional),
+  meta: Schema.Union(OAuthClientMeta, Schema.Null).pipe(Schema.optional),
+  use_shared_credentials: NullableBoolean,
 });
 
 export const AddOAuthProviderResponse = Schema.Struct({
@@ -111,6 +132,7 @@ export const addOAuthClient = Effect.fn(function* (params: {
   discoveryEndpoint?: string;
   redirectTo?: string;
   meta?: unknown;
+  useSharedCredentials?: boolean;
 }) {
   const http = (yield* InstantHttpAuthed).pipe(withCommand('auth'));
   const targetAppId = params.appId ?? (yield* CurrentApp).appId;
@@ -127,6 +149,35 @@ export const addOAuthClient = Effect.fn(function* (params: {
         discovery_endpoint: params.discoveryEndpoint,
         redirect_to: params.redirectTo,
         meta: params.meta,
+        use_shared_credentials: params.useSharedCredentials,
+      }),
+    })
+    .pipe(
+      Effect.flatMap(HttpClientResponse.schemaBodyJson(AddOAuthClientResponse)),
+    );
+});
+
+export const updateOAuthClient = Effect.fn(function* (params: {
+  oauthClientId: string;
+  clientId?: string | null;
+  clientSecret?: string | null;
+  discoveryEndpoint?: string | null;
+  redirectTo?: string | null;
+  meta?: unknown;
+  useSharedCredentials?: boolean | null;
+}) {
+  const http = (yield* InstantHttpAuthed).pipe(withCommand('auth'));
+  const targetAppId = (yield* CurrentApp).appId;
+
+  return yield* http
+    .post(`/dash/apps/${targetAppId}/oauth_clients/${params.oauthClientId}`, {
+      body: HttpBody.unsafeJson({
+        client_id: params.clientId,
+        client_secret: params.clientSecret,
+        discovery_endpoint: params.discoveryEndpoint,
+        redirect_to: params.redirectTo,
+        meta: params.meta,
+        use_shared_credentials: params.useSharedCredentials,
       }),
     })
     .pipe(
@@ -236,6 +287,37 @@ export const getClientNameAndProvider = Effect.fn(function* (
   return { provider, clientName };
 });
 
+export const findClientByIdOrName = Effect.fn(function* (params: {
+  id?: string;
+  name?: string;
+}) {
+  if (params.id && params.name) {
+    return yield* BadArgsError.make({
+      message: 'Cannot specify both --id and --name',
+    });
+  }
+  if (!params.id && !params.name) {
+    return yield* BadArgsError.make({
+      message: 'Must specify --id or --name',
+    });
+  }
+
+  const auth = yield* getAppsAuth();
+  const clients = auth.oauth_clients ?? [];
+  const client = params.id
+    ? clients.find((entry) => entry.id === params.id)
+    : clients.find((entry) => entry.client_name === params.name);
+
+  if (!client) {
+    const lookup = params.id ? `id ${params.id}` : `name ${params.name}`;
+    return yield* BadArgsError.make({
+      message: `OAuth client not found: ${lookup}`,
+    });
+  }
+
+  return { auth, client };
+});
+
 export const removeAuthorizedOrigin = Effect.fn(function* (originId: string) {
   const http = (yield* InstantHttpAuthed).pipe(
     withCommand('auth origin delete'),