sealcode 0.1.0

package/src/cli-auth.js

@@ -0,0 +1,233 @@
+'use strict';
+
+/**
+ * `sealcode login` / `sealcode signout` / `sealcode whoami`.
+ *
+ * Login flow is OAuth-style device pairing:
+ *   1. POST /api/v1/cli/pair/start with hostname/platform/cliVersion.
+ *   2. Print the verification URL + user code.
+ *   3. POST /api/v1/cli/pair/poll every few seconds until status is terminal.
+ *   4. On `approved`, persist the returned bearer token to
+ *      ~/.sealcode/credentials.json (0600), then verify with GET /cli/me.
+ *
+ * The user can ctrl-C at any time; we never leave a half-finished credential
+ * on disk.
+ */
+
+const {
+  ApiError,
+  clientInfo,
+  clearCreds,
+  defaultApiUrl,
+  getApiUrl,
+  readCreds,
+  request,
+  writeCreds,
+} = require('./api');
+const ui = require('./ui');
+
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+async function runLogin({ apiUrl } = {}) {
+  const baseUrl = apiUrl || process.env.SEALCODE_API_URL || defaultApiUrl();
+  const existing = readCreds();
+  if (existing && existing.token) {
+    process.stdout.write(
+      `Already logged in as ${existing.email || existing.userId} at ${existing.apiUrl}.\n`
+        + 'Run `sealcode signout` first if you want to switch accounts.\n',
+    );
+    return;
+  }
+
+  const info = clientInfo();
+  let start;
+  try {
+    start = await request('POST', '/api/v1/cli/pair/start', {
+      body: info,
+      apiUrl: baseUrl,
+    });
+  } catch (err) {
+    rethrow('start pairing', err);
+  }
+
+  if (!start || !start.deviceCode || !start.verifyUrl) {
+    throw new Error('Server returned an unexpected pairing response.');
+  }
+
+  const verifyUrl = start.verifyUrl;
+  const userCode = start.userCode;
+  const pollIntervalMs = Math.max(1000, (start.pollIntervalSeconds || 3) * 1000);
+  const expiresAt = start.expiresAt ? Date.parse(start.expiresAt) : Date.now() + 10 * 60 * 1000;
+
+  ui.box('Pair this device', [
+    ui.c.dim('Open this URL in a browser where you are logged in to sealcode:'),
+    '',
+    `  ${ui.c.cyan(verifyUrl)}`,
+    '',
+    `${ui.c.dim('pairing code:')}  ${ui.c.bold(userCode)}`,
+  ]);
+
+  const sp = new ui.Spinner('Waiting for approval').start();
+  let token = null;
+  while (Date.now() < expiresAt) {
+    const remainingSec = Math.max(0, Math.floor((expiresAt - Date.now()) / 1000));
+    const mm = Math.floor(remainingSec / 60);
+    const ss = String(remainingSec % 60).padStart(2, '0');
+    sp.update(`Waiting for approval ${ui.c.dim(`(${mm}:${ss} left)`)}`);
+    await sleep(pollIntervalMs);
+
+    let poll;
+    try {
+      poll = await request('POST', '/api/v1/cli/pair/poll', {
+        body: { deviceCode: start.deviceCode },
+        apiUrl: baseUrl,
+      });
+    } catch (err) {
+      // Transient network blips shouldn't kill the whole login; rate-limits
+      // and 5xx are worth surfacing immediately though.
+      if (err instanceof ApiError && err.status === 429) {
+        await sleep(2000);
+        continue;
+      }
+      if (err instanceof ApiError && err.status >= 500) {
+        sp.fail('Server error while polling');
+        rethrow('poll pairing', err);
+      }
+      if (err instanceof ApiError && err.status === 0) {
+        await sleep(2000);
+        continue;
+      }
+      sp.fail('Polling failed');
+      rethrow('poll pairing', err);
+    }
+
+    if (poll.status === 'pending') continue;
+    if (poll.status === 'denied') {
+      sp.fail('Pairing was denied');
+      return;
+    }
+    if (poll.status === 'expired') {
+      sp.fail('Pairing code expired — run `sealcode login` again');
+      return;
+    }
+    if (poll.status === 'approved') {
+      if (!poll.token) {
+        sp.fail('Approved on the server but token already consumed — run `sealcode login` again');
+        return;
+      }
+      token = poll.token;
+      sp.succeed('Approved');
+      break;
+    }
+  }
+
+  if (!token) {
+    sp.fail('Pairing timed out — run `sealcode login` again');
+    return;
+  }
+
+  // Persist the token before calling /me — that way a network blip after we
+  // got the token doesn't lose it.
+  writeCreds({
+    apiUrl: baseUrl,
+    token,
+    userId: null,
+    email: null,
+    name: null,
+    createdAt: new Date().toISOString(),
+  });
+
+  let me;
+  try {
+    me = await ui.withSpinner('Fetching profile', () =>
+      request('GET', '/api/v1/cli/me', { auth: true, apiUrl: baseUrl }),
+    );
+  } catch (err) {
+    // Don't wipe the token just because /me hiccuped; the token is good.
+    if (err instanceof ApiError && err.status === 0) {
+      ui.ok(`Logged in. ${ui.c.dim(`(could not fetch profile: ${err.message})`)}`);
+      return;
+    }
+    rethrow('fetch profile', err);
+  }
+
+  const user = (me && me.user) || {};
+  writeCreds({
+    apiUrl: baseUrl,
+    token,
+    userId: user.id || null,
+    email: user.email || null,
+    name: user.name || null,
+    createdAt: new Date().toISOString(),
+  });
+
+  ui.ok(`Logged in as ${ui.c.bold(user.email || user.id || 'unknown')} ${ui.c.dim(`at ${baseUrl}`)}`);
+}
+
+async function runSignout() {
+  const creds = readCreds();
+  if (!creds || !creds.token) {
+    process.stdout.write('Not logged in.\n');
+    return;
+  }
+  // Best-effort server-side revoke. We still clear the local token even if
+  // the server says no, so `signout` is never useless.
+  try {
+    await request('POST', '/api/v1/cli/logout', { auth: true });
+  } catch (err) {
+    process.stderr.write(
+      `(warning: server revoke failed: ${err.message || err}. Clearing local credentials anyway.)\n`,
+    );
+  }
+  clearCreds();
+  ui.ok('Signed out.');
+}
+
+async function runWhoami({ verbose = false } = {}) {
+  const creds = readCreds();
+  if (!creds || !creds.token) {
+    process.stdout.write('Not logged in. Run `sealcode login`.\n');
+    process.exitCode = 1;
+    return;
+  }
+  // If we can talk to the server, prefer fresh data; otherwise fall back to
+  // the cached creds so `whoami` works offline.
+  let user = null;
+  let online = true;
+  try {
+    const me = await request('GET', '/api/v1/cli/me', { auth: true });
+    user = me.user || null;
+  } catch (err) {
+    online = false;
+    if (verbose) {
+      process.stderr.write(`(offline: ${err.message || err})\n`);
+    }
+    if (err instanceof ApiError && err.status === 401) {
+      process.stdout.write(
+        '✗ The server rejected your token (revoked or deleted). Run `sealcode login`.\n',
+      );
+      process.exitCode = 1;
+      return;
+    }
+  }
+
+  const email = (user && user.email) || creds.email || '(unknown email)';
+  const id = (user && user.id) || creds.userId || '(unknown id)';
+  process.stdout.write(`logged in as ${email}\n`);
+  if (verbose) {
+    process.stdout.write(`  user id:   ${id}\n`);
+    process.stdout.write(`  api url:   ${getApiUrl()}\n`);
+    process.stdout.write(`  status:    ${online ? 'online' : 'offline (cached)'}\n`);
+  }
+}
+
+function rethrow(stage, err) {
+  if (err instanceof ApiError) {
+    throw new Error(`Could not ${stage} (${err.status} ${err.apiCode}): ${err.message}`);
+  }
+  throw err;
+}
+
+module.exports = { runLogin, runSignout, runWhoami };

package/src/cli-grants.js

@@ -0,0 +1,185 @@
+'use strict';
+
+/**
+ * Temporary access codes from the CLI.
+ *
+ *   sealcode share    → POST /api/v1/projects/:id/grants    (owner side)
+ *   sealcode grants   → GET  /api/v1/projects/:id/grants    (owner side)
+ *   sealcode revoke   → DELETE /api/v1/grants/:id           (owner side)
+ *   sealcode redeem   → POST /api/v1/access/redeem          (recipient side)
+ *
+ * `share` and `revoke` require the project to be linked first
+ * (`sealcode link <projectId>`); `redeem` is the only command in this file
+ * that doesn't need auth — it's used by the developer receiving the code.
+ */
+
+const { ApiError, clientInfo, request } = require('./api');
+const { getLink } = require('./link-state');
+const ui = require('./ui');
+
+function requireLink(projectRoot) {
+  const link = getLink(projectRoot);
+  if (!link) {
+    throw new Error(
+      'This project is not linked. Run `sealcode link <projectId>` first.',
+    );
+  }
+  return link;
+}
+
+function formatRemaining(ms) {
+  if (ms <= 0) return 'expired';
+  const sec = Math.floor(ms / 1000);
+  if (sec < 60) return `${sec}s`;
+  const min = Math.floor(sec / 60);
+  if (min < 60) return `${min}m`;
+  const hr = Math.floor(min / 60);
+  if (hr < 48) return `${hr}h ${min % 60}m`;
+  return `${Math.floor(hr / 24)}d ${hr % 24}h`;
+}
+
+async function runShare({
+  projectRoot,
+  hours,
+  email,
+  label,
+  autoLock = true,
+  autoLockOffsetMinutes = 0,
+  strict = false,
+  heartbeatSec = 300,
+  offlineGraceSec = 1800,
+  json = false,
+}) {
+  const link = requireLink(projectRoot);
+  const body = {
+    developerEmail: email || '',
+    developerLabel: label || '',
+    expiresInHours: hours,
+    autoLockEnabled: !!autoLock,
+    autoLockOffsetMinutes: Math.max(0, Math.floor(autoLockOffsetMinutes || 0)),
+    strictMode: !!strict,
+    heartbeatIntervalSeconds: Math.max(30, Math.floor(heartbeatSec)),
+    offlineGraceSeconds: Math.max(60, Math.floor(offlineGraceSec)),
+  };
+
+  let res;
+  try {
+    res = await request(
+      'POST',
+      `/api/v1/projects/${encodeURIComponent(link.projectId)}/grants`,
+      { auth: true, body },
+    );
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 402) {
+      throw new Error(
+        'Temporary access codes are a Pro feature. Upgrade in Billing on the dashboard.',
+      );
+    }
+    throw err;
+  }
+
+  const g = res.grant;
+  if (json) {
+    process.stdout.write(
+      JSON.stringify(
+        {
+          id: g.id,
+          code: g.code,
+          codePrefix: g.codePrefix,
+          projectId: g.projectId,
+          expiresAt: g.expiresAt,
+        },
+        null,
+        2,
+      ) + '\n',
+    );
+    return;
+  }
+
+  const meta = [
+    `${ui.c.dim('project   ')} ${ui.c.bold(link.projectName || link.projectId)}`,
+    `${ui.c.dim('expires   ')} ${g.expiresAt}`,
+  ];
+  if (g.autoLockAt) meta.push(`${ui.c.dim('auto-lock ')} ${g.autoLockAt}`);
+  if (email) meta.push(`${ui.c.dim('email     ')} ${email}`);
+
+  ui.box('Access code — copy now, shown only once', [
+    `  ${ui.c.bold(ui.c.green(g.code))}`,
+    '',
+    ...meta,
+  ], { tone: 'green' });
+
+  ui.hint('Share it with the developer over a secure channel. They redeem with:');
+  process.stdout.write(`    ${ui.c.cyan(`sealcode redeem ${g.code}`)}\n\n`);
+}
+
+async function runGrants({ projectRoot, json = false }) {
+  const link = requireLink(projectRoot);
+  const res = await request(
+    'GET',
+    `/api/v1/projects/${encodeURIComponent(link.projectId)}/grants`,
+    { auth: true },
+  );
+  const grants = res.grants || [];
+  if (json) {
+    process.stdout.write(JSON.stringify({ grants }, null, 2) + '\n');
+    return;
+  }
+  if (grants.length === 0) {
+    process.stdout.write('No access codes yet. Create one with `sealcode share`.\n');
+    return;
+  }
+  process.stdout.write(`\n${link.projectName || link.projectId}: ${grants.length} grant(s)\n`);
+  for (const g of grants) {
+    const state = g.state.padEnd(8);
+    const remaining =
+      g.state === 'active' ? formatRemaining(g.remainingMs) : g.state;
+    const who = g.developerEmail || g.developerLabel || '(no label)';
+    process.stdout.write(
+      `  ${state}  ${g.codePrefix.padEnd(12)}  ${remaining.padEnd(10)}  ${who}  id=${g.id}\n`,
+    );
+  }
+  process.stdout.write('\n');
+}
+
+async function runRevoke({ grantId }) {
+  if (!grantId) throw new Error('Usage: sealcode revoke <grantId>');
+  const res = await request(
+    'DELETE',
+    `/api/v1/grants/${encodeURIComponent(grantId)}`,
+    { auth: true },
+  );
+  if (res.alreadyTerminal) {
+    process.stdout.write(`(grant was already ${res.status}, nothing to do)\n`);
+    return;
+  }
+  process.stdout.write(`✓ revoked grant ${grantId}\n`);
+}
+
+async function runRedeem({ code, json = false }) {
+  if (!code) throw new Error('Usage: sealcode redeem <CODE>');
+  const trimmed = code.trim();
+  const res = await request('POST', '/api/v1/access/redeem', {
+    body: { code: trimmed, client: clientInfo() },
+  });
+  const g = res.grant;
+  if (json) {
+    process.stdout.write(JSON.stringify({ grant: g }, null, 2) + '\n');
+    return;
+  }
+  process.stdout.write(`\n✓ access code accepted\n`);
+  process.stdout.write(`  project:     ${g.projectName} (${g.projectId})\n`);
+  process.stdout.write(`  fingerprint: ${g.projectFingerprint}\n`);
+  process.stdout.write(`  expires:     ${g.expiresAt}\n`);
+  if (g.autoLockAt) process.stdout.write(`  auto-lock:   ${g.autoLockAt}\n`);
+  process.stdout.write(`  strict:      ${g.strictMode ? 'yes' : 'no'}\n`);
+  process.stdout.write(
+    `  heartbeat:   every ${g.heartbeatIntervalSeconds}s, ${g.offlineGraceSeconds}s offline grace\n\n`,
+  );
+  process.stdout.write(
+    'Next step (when the owner shares the unlocked vault with you):\n'
+      + '  sealcode unlock\n\n',
+  );
+}
+
+module.exports = { runShare, runGrants, runRevoke, runRedeem };

package/src/cli-link.js

@@ -0,0 +1,90 @@
+'use strict';
+
+/**
+ * `sealcode link <projectId>` / `sealcode unlink`.
+ *
+ * Associates the current project on disk with a dashboard project record so
+ * `sealcode share` knows which project to mint a grant against. We hit
+ * GET /api/v1/projects/:id to validate the link before persisting — that way
+ * a typo / wrong-account mistake fails before it touches the config.
+ */
+
+const { ApiError, getApiUrl, request } = require('./api');
+const { getLink, setLink, clearLink } = require('./link-state');
+
+async function runLink({ projectRoot, projectId }) {
+  if (!projectId || typeof projectId !== 'string') {
+    throw new Error('Usage: sealcode link <projectId>');
+  }
+
+  let res;
+  try {
+    res = await request('GET', `/api/v1/projects/${encodeURIComponent(projectId)}`, {
+      auth: true,
+    });
+  } catch (err) {
+    if (err instanceof ApiError && err.status === 404) {
+      throw new Error(
+        `No project ${projectId} on this account. Check the project ID in your dashboard.`,
+      );
+    }
+    if (err instanceof ApiError && err.status === 401) {
+      throw new Error(
+        'Not logged in (or your token was revoked). Run `sealcode login` first.',
+      );
+    }
+    throw err;
+  }
+
+  const project = res.project;
+  setLink(projectRoot, {
+    apiUrl: getApiUrl(),
+    projectId: project.id,
+    projectName: project.name,
+    fingerprint: project.fingerprint,
+    linkedAt: new Date().toISOString(),
+  });
+
+  process.stdout.write(
+    `✓ Linked ${projectRoot} to project “${project.name}” (${project.id}).\n`,
+  );
+}
+
+function runUnlink({ projectRoot }) {
+  const existing = getLink(projectRoot);
+  if (!existing) {
+    process.stdout.write('No link to remove.\n');
+    return;
+  }
+  clearLink(projectRoot);
+  process.stdout.write(
+    `✓ Unlinked ${projectRoot} from project ${existing.projectId}.\n`,
+  );
+}
+
+function runLinkInfo({ projectRoot, json = false }) {
+  const link = getLink(projectRoot);
+  if (!link) {
+    if (json) {
+      process.stdout.write(JSON.stringify({ linked: false }) + '\n');
+    } else {
+      process.stdout.write('This project is not linked. Run `sealcode link <projectId>`.\n');
+    }
+    return;
+  }
+  if (json) {
+    process.stdout.write(JSON.stringify({ linked: true, ...link }) + '\n');
+    return;
+  }
+  process.stdout.write(
+    [
+      `linked:        yes`,
+      `project id:    ${link.projectId}`,
+      `project name:  ${link.projectName || '(unknown)'}`,
+      `api url:       ${link.apiUrl}`,
+      `linked at:     ${link.linkedAt || '(unknown)'}`,
+    ].join('\n') + '\n',
+  );
+}
+
+module.exports = { runLink, runUnlink, runLinkInfo };