sealos-cli 0.1.0

package/src/lib/config.ts

@@ -0,0 +1,134 @@
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs'
+import type { SealosConfig, Context } from '../types/index.ts'
+
+const CONFIG_DIR = join(homedir(), '.sealos')
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json')
+
+/**
+ * Ensure config directory exists
+ */
+export function ensureConfigDir (): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true })
+  }
+}
+
+/**
+ * Read config file
+ */
+export function readConfig (): SealosConfig {
+  ensureConfigDir()
+
+  if (!existsSync(CONFIG_FILE)) {
+    const defaultConfig: SealosConfig = {
+      currentContext: '',
+      contexts: []
+    }
+    return defaultConfig
+  }
+
+  try {
+    const content = readFileSync(CONFIG_FILE, 'utf-8')
+    return JSON.parse(content) as SealosConfig
+  } catch (error) {
+    throw new Error(`Failed to read config file: ${error}`)
+  }
+}
+
+/**
+ * Write config file
+ */
+export function writeConfig (config: SealosConfig): void {
+  ensureConfigDir()
+
+  try {
+    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), 'utf-8')
+  } catch (error) {
+    throw new Error(`Failed to write config file: ${error}`)
+  }
+}
+
+/**
+ * Get current context
+ */
+export function getCurrentContext (): Context | null {
+  const config = readConfig()
+  if (!config.currentContext) {
+    return null
+  }
+
+  const context = config.contexts.find(ctx => ctx.name === config.currentContext)
+  return context || null
+}
+
+/**
+ * Set current context
+ */
+export function setCurrentContext (name: string): void {
+  const config = readConfig()
+  const context = config.contexts.find(ctx => ctx.name === name)
+
+  if (!context) {
+    throw new Error(`Context "${name}" not found`)
+  }
+
+  config.currentContext = name
+  writeConfig(config)
+}
+
+/**
+ * Add or update context
+ */
+export function upsertContext (context: Context): void {
+  const config = readConfig()
+  const existingIndex = config.contexts.findIndex(ctx => ctx.name === context.name)
+
+  if (existingIndex >= 0) {
+    config.contexts[existingIndex] = context
+  } else {
+    config.contexts.push(context)
+  }
+
+  // If this is the first context, set it as current automatically
+  if (!config.currentContext) {
+    config.currentContext = context.name
+  }
+
+  writeConfig(config)
+}
+
+/**
+ * Remove context
+ */
+export function removeContext (name: string): void {
+  const config = readConfig()
+  config.contexts = config.contexts.filter(ctx => ctx.name !== name)
+
+  // If removing current context, clear currentContext
+  if (config.currentContext === name) {
+    config.currentContext = config.contexts[0]?.name || ''
+  }
+
+  writeConfig(config)
+}
+
+/**
+ * Get config value
+ */
+export function getConfigValue (key: string): string | undefined {
+  const config = readConfig()
+  // TODO: Implement nested key access, e.g. "contexts.0.name"
+  return (config as unknown as Record<string, unknown>)[key] as string | undefined
+}
+
+/**
+ * Set config value
+ */
+export function setConfigValue (key: string, value: string): void {
+  const config = readConfig()
+  // TODO: Implement nested key setting
+  ;(config as unknown as Record<string, unknown>)[key] = value
+  writeConfig(config)
+}

package/src/lib/constants.ts

@@ -0,0 +1 @@
+export const CLIENT_ID = 'af993c98-d19d-4bdc-b338-79b80dc4f8bf'

package/src/lib/errors.ts

@@ -0,0 +1,105 @@
+import chalk from 'chalk'
+
+/**
+ * CLI error base class
+ */
+export class CliError extends Error {
+  constructor (message: string, public exitCode: number = 1) {
+    super(message)
+    this.name = 'CliError'
+  }
+}
+
+/**
+ * Authentication error
+ */
+export class AuthError extends CliError {
+  constructor (message: string = 'Authentication required. Please run "sealos login" first.') {
+    super(message, 1)
+    this.name = 'AuthError'
+  }
+}
+
+/**
+ * Configuration error
+ */
+export class ConfigError extends CliError {
+  constructor (message: string) {
+    super(message, 1)
+    this.name = 'ConfigError'
+  }
+}
+
+/**
+ * Standard API error response body
+ */
+export interface ApiErrorBody {
+  error?: {
+    type?: string
+    code?: string
+    message?: string
+    details?: Array<{ field: string; message: string }> | string
+  }
+}
+
+/**
+ * API error
+ */
+export class ApiError extends CliError {
+  constructor (
+    message: string,
+    public statusCode?: number,
+    public code?: string,
+    public details?: Array<{ field: string; message: string }> | string
+  ) {
+    super(message, 1)
+    this.name = 'ApiError'
+  }
+}
+
+/**
+ * Map an API error response to the appropriate CliError.
+ * Supports the unified error format: { error: { type, code, message, details? } }
+ */
+export function mapApiError (status: number, body?: ApiErrorBody): CliError {
+  const message = body?.error?.message || `API request failed with status ${status}`
+  if (status === 401) {
+    return new AuthError(message)
+  }
+  return new ApiError(message, status, body?.error?.code, body?.error?.details)
+}
+
+/**
+ * Unified error handling
+ */
+export function handleError (error: unknown): never {
+  if (error instanceof ApiError) {
+    console.error(chalk.red('Error:'), error.message)
+    if (error.details) {
+      if (Array.isArray(error.details)) {
+        for (const d of error.details) {
+          console.error(chalk.yellow(`  ${d.field}:`), d.message)
+        }
+      } else {
+        console.error(chalk.yellow('  Details:'), error.details)
+      }
+    }
+    process.exit(error.exitCode)
+  }
+
+  if (error instanceof CliError) {
+    console.error(chalk.red('Error:'), error.message)
+    process.exit(error.exitCode)
+  }
+
+  if (error instanceof Error) {
+    console.error(chalk.red('Error:'), error.message)
+    if (process.env.DEBUG) {
+      console.error(error.stack)
+    }
+    process.exit(1)
+  }
+
+  console.error(chalk.red('Error:'), 'An unknown error occurred')
+  process.exit(1)
+}

package/src/lib/oauth.ts

@@ -0,0 +1,197 @@
+import { execSync } from 'node:child_process'
+import { platform } from 'node:os'
+import type { Ora } from 'ora'
+import chalk from 'chalk'
+import { CLIENT_ID } from './constants.ts'
+
+interface DeviceAuthResponse {
+  device_code: string
+  user_code: string
+  verification_uri: string
+  verification_uri_complete?: string
+  expires_in: number
+  interval?: number
+}
+
+interface TokenResponse {
+  access_token: string
+  token_type: string
+}
+
+function sleep (ms: number): Promise<void> {
+  return new Promise(resolve => setTimeout(resolve, ms))
+}
+
+/**
+ * POST /api/auth/oauth2/device to start device authorization.
+ */
+export async function requestDeviceAuthorization (region: string): Promise<DeviceAuthResponse> {
+  const res = await fetch(`${region}/api/auth/oauth2/device`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      client_id: CLIENT_ID,
+      grant_type: 'urn:ietf:params:oauth:grant-type:device_code'
+    })
+  })
+
+  if (!res.ok) {
+    const contentType = res.headers.get('content-type') || ''
+    if (res.status === 404) {
+      throw new Error(
+        'OAuth2 device grant not supported on this host.\n' +
+        `'${region}' does not have the device authorization endpoint.`
+      )
+    }
+    const body = contentType.includes('text/html')
+      ? ''
+      : await res.text().catch(() => '')
+    throw new Error(`Device authorization request failed (${res.status}): ${body || res.statusText}`)
+  }
+
+  return res.json() as Promise<DeviceAuthResponse>
+}
+
+/**
+ * Poll POST /api/auth/oauth2/token until the user authorizes.
+ * Handles: authorization_pending, slow_down (+5s per RFC 8628 §3.5),
+ * access_denied, expired_token. Hard cap at 10 minutes.
+ */
+export async function pollForToken (
+  region: string,
+  deviceCode: string,
+  interval: number,
+  expiresIn: number
+): Promise<TokenResponse> {
+  const maxWait = Math.min(expiresIn, 600) * 1000
+  const deadline = Date.now() + maxWait
+  let pollInterval = interval * 1000
+
+  while (Date.now() < deadline) {
+    await sleep(pollInterval)
+
+    const res = await fetch(`${region}/api/auth/oauth2/token`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: CLIENT_ID,
+        grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+        device_code: deviceCode
+      })
+    })
+
+    if (res.ok) {
+      return res.json() as Promise<TokenResponse>
+    }
+
+    const body = await res.json().catch(() => ({})) as { error?: string }
+
+    switch (body.error) {
+      case 'authorization_pending':
+        break
+
+      case 'slow_down':
+        pollInterval += 5000
+        break
+
+      case 'access_denied':
+        throw new Error('Authorization denied by user')
+
+      case 'expired_token':
+        throw new Error('Device code expired. Please run login again.')
+
+      default:
+        throw new Error(`Token request failed: ${body.error || res.statusText}`)
+    }
+  }
+
+  throw new Error('Authorization timed out (10 minutes). Please run login again.')
+}
+
+/**
+ * Exchange an OAuth access token for a Sealos kubeconfig.
+ */
+export async function exchangeForKubeconfig (region: string, accessToken: string): Promise<string> {
+  const res = await fetch(`${region}/api/auth/getDefaultKubeconfig`, {
+    method: 'POST',
+    headers: {
+      Authorization: accessToken,
+      'Content-Type': 'application/json'
+    }
+  })
+
+  if (!res.ok) {
+    const body = await res.text().catch(() => '')
+    throw new Error(`Kubeconfig exchange failed (${res.status}): ${body || res.statusText}`)
+  }
+
+  const data = await res.json() as { data?: { kubeconfig?: string } }
+  const kubeconfig = data.data?.kubeconfig
+
+  if (!kubeconfig) {
+    throw new Error('API response missing data.kubeconfig field')
+  }
+
+  return kubeconfig
+}
+
+/**
+ * Open a URL in the user's default browser. Swallows errors silently.
+ */
+export function openBrowser (url: string): void {
+  try {
+    const os = platform()
+    const cmd = os === 'darwin' ? 'open' : os === 'win32' ? 'start' : 'xdg-open'
+    execSync(`${cmd} "${url}"`, { stdio: 'ignore' })
+  } catch {
+    // Silently ignore — user can open manually
+  }
+}
+
+/**
+ * Orchestrate the full OAuth2 Device Grant login flow.
+ */
+export async function deviceGrantLogin (
+  region: string,
+  spinner: Ora
+): Promise<{ kubeconfig: string; region: string }> {
+  // Step 1: Request device authorization
+  spinner.stop()
+  const deviceAuth = await requestDeviceAuthorization(region)
+
+  const {
+    device_code: deviceCode,
+    user_code: userCode,
+    verification_uri: verificationUri,
+    verification_uri_complete: verificationUriComplete,
+    expires_in: expiresIn,
+    interval = 5
+  } = deviceAuth
+
+  // Step 2: Display verification info
+  const url = verificationUriComplete || verificationUri
+  console.log()
+  console.log(chalk.bold('  Open this URL to authorize:'))
+  console.log(`  ${chalk.cyan(url)}`)
+  console.log()
+  console.log(`  Code: ${chalk.bold.yellow(userCode)}`)
+  console.log()
+
+  // Step 3: Auto-open browser
+  openBrowser(url)
+
+  // Step 4: Poll for token
+  spinner.start('Waiting for authorization...')
+  const tokenResponse = await pollForToken(region, deviceCode, interval, expiresIn)
+  const accessToken = tokenResponse.access_token
+
+  if (!accessToken) {
+    throw new Error('Token response missing access_token')
+  }
+
+  // Step 5: Exchange for kubeconfig
+  spinner.text = 'Exchanging for kubeconfig...'
+  const kubeconfig = await exchangeForKubeconfig(region, accessToken)
+
+  return { kubeconfig, region }
+}

package/src/lib/output.ts

@@ -0,0 +1,93 @@
+import chalk from 'chalk'
+import { table } from 'table'
+import ora, { type Ora } from 'ora'
+
+/**
+ * Output JSON format
+ */
+export function outputJson (data: any): void {
+  console.log(JSON.stringify(data, null, 2))
+}
+
+/**
+ * Output YAML format
+ */
+export function outputYaml (data: any): void {
+  // TODO: Use yaml library to implement
+  console.log('YAML output not implemented yet')
+  console.log(data)
+}
+
+/**
+ * Output table
+ */
+export function outputTable (data: string[][]): void {
+  console.log(table(data))
+}
+
+/**
+ * Format output
+ */
+export function formatOutput (data: any, format: 'json' | 'yaml' | 'table' = 'table'): void {
+  switch (format) {
+    case 'json':
+      outputJson(data)
+      break
+    case 'yaml':
+      outputYaml(data)
+      break
+    case 'table':
+      if (Array.isArray(data)) {
+        outputTable(data)
+      } else {
+        console.log(data)
+      }
+      break
+    default:
+      console.log(data)
+  }
+}
+
+/**
+ * Success message
+ */
+export function success (message: string): void {
+  console.log(chalk.green('✓'), message)
+}
+
+/**
+ * Error message
+ */
+export function error (message: string): void {
+  console.error(chalk.red('✗'), message)
+}
+
+/**
+ * Warning message
+ */
+export function warn (message: string): void {
+  console.warn(chalk.yellow('⚠'), message)
+}
+
+/**
+ * Info message
+ */
+export function info (message: string): void {
+  console.log(chalk.blue('ℹ'), message)
+}
+
+/**
+ * Create loading spinner
+ */
+export function spinner (text: string): Ora {
+  return ora(text).start()
+}
+
+/**
+ * Confirmation prompt
+ */
+export async function confirm (message: string): Promise<boolean> {
+  // TODO: Use inquirer or other interactive library
+  console.log(chalk.yellow('?'), message)
+  return true
+}

package/src/lib/with-auth.ts

@@ -0,0 +1,56 @@
+import type { Ora } from 'ora'
+import { spinner } from './output.ts'
+import { requireAuth } from './auth.ts'
+import { handleError } from './errors.ts'
+
+interface AuthContext {
+  auth: { Authorization: string }
+  spinner: Ora
+}
+
+interface ErrorHandlingContext {
+  spinner: Ora
+}
+
+interface WithAuthOptions {
+  spinnerText: string
+}
+
+/**
+ * Wraps a command handler that requires authentication.
+ * Handles: auth check + spinner + try/catch + error handling
+ */
+export function withAuth<T extends any[]> (
+  options: WithAuthOptions,
+  fn: (ctx: AuthContext, ...args: T) => Promise<void>
+): (...args: T) => Promise<void> {
+  return async (...args: T) => {
+    const spin = spinner(options.spinnerText)
+    try {
+      const auth = requireAuth()
+      await fn({ auth, spinner: spin }, ...args)
+    } catch (error) {
+      spin.fail()
+      handleError(error)
+    }
+  }
+}
+
+/**
+ * Wraps a command handler that does NOT require authentication.
+ * Handles: spinner + try/catch + error handling
+ */
+export function withErrorHandling<T extends any[]> (
+  options: WithAuthOptions,
+  fn: (ctx: ErrorHandlingContext, ...args: T) => Promise<void>
+): (...args: T) => Promise<void> {
+  return async (...args: T) => {
+    const spin = spinner(options.spinnerText)
+    try {
+      await fn({ spinner: spin }, ...args)
+    } catch (error) {
+      spin.fail()
+      handleError(error)
+    }
+  }
+}

package/src/main.ts

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+import { Command } from 'commander'
+import { registerAuthCommands } from './commands/auth/index.ts'
+import { createWorkspaceCommand } from './commands/workspace/index.ts'
+import { createDevboxCommand } from './commands/devbox/index.ts'
+import { createS3Command } from './commands/s3/index.ts'
+import { createDatabaseCommand } from './commands/database/index.ts'
+import { createTemplateCommand } from './commands/template/index.ts'
+import { createQuotaCommand } from './commands/quota/index.ts'
+import { createAppCommand } from './commands/app/index.ts'
+import { createConfigCommand } from './commands/config/index.ts'
+import { handleError } from './lib/errors.ts'
+
+export function createProgram (): Command {
+  const program = new Command()
+
+  program
+    .name('sealos')
+    .description('Official CLI tool for Sealos Cloud - Manage devbox, applications, databases, and object storage')
+    .version('0.0.1')
+
+  // Register all command modules
+  registerAuthCommands(program)
+  program.addCommand(createWorkspaceCommand())
+  program.addCommand(createDevboxCommand())
+  program.addCommand(createS3Command())
+  program.addCommand(createDatabaseCommand())
+  program.addCommand(createTemplateCommand())
+  program.addCommand(createQuotaCommand())
+  program.addCommand(createAppCommand())
+  program.addCommand(createConfigCommand())
+
+  return program
+}
+
+export function runCLI (): void {
+  const program = createProgram()
+
+  // Global error handling
+  program.exitOverride()
+
+  try {
+    program.parse(process.argv)
+  } catch (error) {
+    if (error instanceof Error && 'code' in error &&
+      typeof error.code === 'string' && error.code.startsWith('commander.')) {
+      process.exit(0)
+    }
+    handleError(error)
+  }
+}

package/src/types/index.ts

@@ -0,0 +1,56 @@
+// Core type definitions
+
+export interface SealosConfig {
+  currentContext: string
+  contexts: Context[]
+}
+
+export interface Context {
+  name: string
+  host: string
+  token: string
+  workspace: string
+}
+
+export interface DevboxConfig {
+  name?: string
+  template: string
+  resources: {
+    cpu: string
+    memory: string
+    storage?: string
+  }
+  ports?: number[]
+  env?: Record<string, string>
+}
+
+export interface OutputOptions {
+  format: 'json' | 'yaml' | 'table'
+}
+
+export interface ApiResponse<T = any> {
+  success: boolean
+  data?: T
+  error?: string
+}
+
+export interface SealosWorkspace {
+  uid?: string
+  id?: string
+  teamName?: string
+  role?: string
+  nstype?: string
+}
+
+export interface SealosAuthData {
+  region: string
+  access_token?: string
+  regional_token?: string
+  authenticated_at?: string
+  auth_method?: string
+  current_workspace?: {
+    uid?: string
+    id?: string
+    teamName?: string
+  }
+}