signet-auth 1.0.0-beta.0

package/src/cli/commands/login.ts

@@ -0,0 +1,94 @@
+import type { AuthDeps } from '../../deps.js';
+import type { ApiKeyCredential, BasicCredential } from '../../core/types.js';
+import type { StrategyName } from '../../config/schema.js';
+import { buildStrategyConfig } from '../../config/validator.js';
+import { isOk } from '../../core/result.js';
+import { formatJson } from '../formatters.js';
+
+export async function runLogin(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+  deps: AuthDeps,
+): Promise<void> {
+  const url = positionals[0];
+  if (!url) {
+    process.stderr.write('Usage: sig login <url>\n');
+    process.exitCode = 1;
+    return;
+  }
+
+  const baseProvider = deps.authManager.resolveProvider(url);
+
+  const hasOverrides = flags.strategy !== undefined;
+  const provider = hasOverrides
+    ? { ...baseProvider }
+    : baseProvider;
+
+  if (typeof flags.strategy === 'string') {
+    const strategyName = flags.strategy as StrategyName;
+    provider.strategy = strategyName;
+    provider.strategyConfig = buildStrategyConfig(strategyName);
+  }
+
+  if (hasOverrides) {
+    deps.authManager.providerRegistry.register(provider);
+  }
+
+  if (typeof flags.token === 'string') {
+    // Read headerName/headerPrefix from the typed strategy config if api-token
+    const headerName = provider.strategyConfig.strategy === 'api-token'
+      ? provider.strategyConfig.headerName ?? 'Authorization'
+      : 'Authorization';
+    const headerPrefix = provider.strategyConfig.strategy === 'api-token'
+      ? provider.strategyConfig.headerPrefix ?? 'Bearer'
+      : 'Bearer';
+
+    const credential: ApiKeyCredential = {
+      type: 'api-key',
+      key: flags.token,
+      headerName,
+      headerPrefix,
+    };
+    const result = await deps.authManager.setCredential(provider.id, credential);
+    if (!isOk(result)) {
+      process.stderr.write(`Error: ${result.error.message}\n`);
+      process.exitCode = 1;
+      return;
+    }
+    process.stderr.write(`Token stored for "${provider.name}" (${provider.id}).\n`);
+    process.stdout.write(formatJson({ provider: provider.id, type: 'api-key' }) + '\n');
+    return;
+  }
+
+  if (typeof flags.username === 'string' && typeof flags.password === 'string') {
+    const credential: BasicCredential = {
+      type: 'basic',
+      username: flags.username,
+      password: flags.password,
+    };
+    const result = await deps.authManager.setCredential(provider.id, credential);
+    if (!isOk(result)) {
+      process.stderr.write(`Error: ${result.error.message}\n`);
+      process.exitCode = 1;
+      return;
+    }
+    process.stderr.write(`Basic auth credentials stored for "${provider.name}" (${provider.id}).\n`);
+    process.stdout.write(formatJson({ provider: provider.id, type: 'basic' }) + '\n');
+    return;
+  }
+
+  process.stderr.write(`Authenticating with "${provider.name}" via browser...\n`);
+  const result = await deps.authManager.forceReauth(provider.id);
+  if (!isOk(result)) {
+    process.stderr.write(`Authentication failed: ${result.error.message}\n`);
+    process.exit(1);
+  }
+
+  const status = await deps.authManager.getStatus(provider.id);
+  process.stderr.write(`Authenticated with "${provider.name}".\n`);
+  process.stdout.write(formatJson({
+    provider: provider.id,
+    type: result.value.type,
+    ...(status.expiresAt ? { expiresAt: status.expiresAt } : {}),
+  }) + '\n');
+}

package/src/cli/commands/logout.ts

@@ -0,0 +1,17 @@
+import type { AuthDeps } from '../../deps.js';
+
+export async function runLogout(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+  deps: AuthDeps,
+): Promise<void> {
+  const providerId = positionals[0];
+
+  if (providerId) {
+    await deps.authManager.clearCredentials(providerId);
+    process.stderr.write(`Credentials cleared for "${providerId}".\n`);
+  } else {
+    await deps.authManager.clearAll();
+    process.stderr.write('All credentials cleared.\n');
+  }
+}

package/src/cli/commands/providers.ts

@@ -0,0 +1,39 @@
+import type { AuthDeps } from '../../deps.js';
+import { formatJson, formatTable } from '../formatters.js';
+
+export async function runProviders(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+  deps: AuthDeps,
+): Promise<void> {
+  const format = (flags.format as string) ?? (process.stdout.isTTY ? 'table' : 'json');
+  const providers = deps.authManager.providerRegistry.list();
+
+  const statuses = await Promise.all(
+    providers.map(p => deps.authManager.getStatus(p.id)),
+  );
+
+  if (format === 'json') {
+    const output = statuses.map(s => ({
+      id: s.id,
+      name: s.name,
+      strategy: s.strategy,
+      configured: s.configured,
+      valid: s.valid,
+      credentialType: s.credentialType ?? null,
+    }));
+    process.stdout.write(formatJson(output) + '\n');
+  } else {
+    if (statuses.length === 0) {
+      process.stderr.write('No providers configured.\n');
+      return;
+    }
+    const rows = statuses.map(s => ({
+      id: s.id,
+      name: s.name,
+      strategy: s.strategy,
+      status: s.valid ? 'authenticated' : 'not authenticated',
+    }));
+    process.stdout.write(formatTable(rows) + '\n');
+  }
+}

package/src/cli/commands/remote.ts

@@ -0,0 +1,71 @@
+import { getRemotes, addRemote, removeRemote } from '../../sync/remote-config.js';
+import type { RemoteConfig } from '../../sync/types.js';
+import { formatJson, formatTable } from '../formatters.js';
+
+export async function runRemote(positionals: string[], flags: Record<string, string | boolean>): Promise<void> {
+  const subcommand = positionals[0];
+
+  switch (subcommand) {
+    case 'add': {
+      const name = positionals[1];
+      const host = positionals[2];
+      if (!name || !host) {
+        process.stderr.write('Usage: sig remote add <name> <host> [--user <user>] [--path <path>] [--ssh-key <key>]\n');
+        process.exitCode = 1;
+        return;
+      }
+      const remote: RemoteConfig = {
+        name,
+        type: 'ssh',
+        host,
+        ...(typeof flags.user === 'string' ? { user: flags.user } : {}),
+        ...(typeof flags.path === 'string' ? { path: flags.path } : {}),
+        ...(typeof flags['ssh-key'] === 'string' ? { sshKey: flags['ssh-key'] } : {}),
+      };
+      await addRemote(remote);
+      process.stderr.write(`Remote "${name}" added (${host})\n`);
+      return;
+    }
+
+    case 'remove': {
+      const name = positionals[1];
+      if (!name) {
+        process.stderr.write('Usage: sig remote remove <name>\n');
+        process.exitCode = 1;
+        return;
+      }
+      const removed = await removeRemote(name);
+      if (removed) {
+        process.stderr.write(`Remote "${name}" removed\n`);
+      } else {
+        process.stderr.write(`Remote "${name}" not found\n`);
+        process.exitCode = 1;
+      }
+      return;
+    }
+
+    case 'list':
+    default: {
+      const remotes = await getRemotes();
+      if (remotes.length === 0) {
+        process.stderr.write('No remotes configured. Use "sig remote add <name> <host>" to add one.\n');
+        return;
+      }
+
+      const format = typeof flags.format === 'string' ? flags.format : 'table';
+      if (format === 'json') {
+        process.stdout.write(formatJson(remotes) + '\n');
+      } else {
+        const rows = remotes.map(r => ({
+          name: r.name,
+          type: r.type,
+          host: r.host,
+          user: r.user ?? '-',
+          path: r.path ?? '~/.signet/credentials',
+        }));
+        process.stdout.write(formatTable(rows) + '\n');
+      }
+      return;
+    }
+  }
+}

package/src/cli/commands/request.ts

@@ -0,0 +1,97 @@
+import type { AuthDeps } from '../../deps.js';
+import { isOk } from '../../core/result.js';
+import { buildUserAgent } from '../../utils/http.js';
+import { formatJson } from '../formatters.js';
+
+export async function runRequest(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+  deps: AuthDeps,
+): Promise<void> {
+  const url = positionals[0];
+  if (!url) {
+    process.stderr.write('Usage: sig request <url> [--method GET] [--header "Name: Value"] [--body \'{}\']\n');
+    process.exitCode = 1;
+    return;
+  }
+
+  const result = await deps.authManager.getCredentialsByUrl(url);
+  if (!isOk(result)) {
+    process.stderr.write(`Auth error: ${result.error.message}\n`);
+    process.exitCode = 1;
+    return;
+  }
+
+  const { provider, credential } = result.value;
+  const authHeaders = deps.authManager.applyToRequest(provider.id, credential);
+
+  const requestHeaders: Record<string, string> = {
+    'User-Agent': buildUserAgent(),
+    ...authHeaders,
+  };
+
+  // Parse --header flags (may appear multiple times via positionals workaround, or as single value)
+  if (typeof flags.header === 'string') {
+    const idx = flags.header.indexOf(':');
+    if (idx > 0) {
+      requestHeaders[flags.header.slice(0, idx).trim()] = flags.header.slice(idx + 1).trim();
+    }
+  }
+
+  const httpMethod = ((flags.method as string) ?? 'GET').toUpperCase();
+  const fetchOptions: RequestInit = { method: httpMethod, headers: requestHeaders };
+
+  const body = flags.body as string | undefined;
+  if (body && ['POST', 'PUT', 'PATCH'].includes(httpMethod)) {
+    fetchOptions.body = body;
+    if (!requestHeaders['Content-Type']) {
+      requestHeaders['Content-Type'] = 'application/json';
+    }
+  }
+
+  try {
+    const response = await fetch(url, fetchOptions);
+    const responseBody = await response.text();
+
+    let formattedBody: string;
+    try {
+      formattedBody = JSON.stringify(JSON.parse(responseBody), null, 2);
+    } catch {
+      formattedBody = responseBody;
+    }
+
+    const format = (flags.format as string) ?? 'json';
+
+    switch (format) {
+      case 'body':
+        process.stdout.write(formattedBody + '\n');
+        break;
+      case 'headers': {
+        process.stdout.write(`${response.status} ${response.statusText}\n`);
+        response.headers.forEach((value, key) => {
+          process.stdout.write(`${key}: ${value}\n`);
+        });
+        break;
+      }
+      case 'json':
+      default: {
+        const responseHeaders: Record<string, string> = {};
+        response.headers.forEach((value, key) => { responseHeaders[key] = value; });
+        process.stdout.write(formatJson({
+          status: response.status,
+          statusText: response.statusText,
+          headers: responseHeaders,
+          body: formattedBody,
+        }) + '\n');
+        break;
+      }
+    }
+
+    if (!response.ok) {
+      process.exitCode = 1;
+    }
+  } catch (e: unknown) {
+    process.stderr.write(`Request failed: ${(e as Error).message}\n`);
+    process.exitCode = 1;
+  }
+}

package/src/cli/commands/status.ts

@@ -0,0 +1,48 @@
+import type { AuthDeps } from '../../deps.js';
+import { formatJson, formatTable } from '../formatters.js';
+
+export async function runStatus(
+  positionals: string[],
+  flags: Record<string, string | boolean>,
+  deps: AuthDeps,
+): Promise<void> {
+  const providerId = (flags.provider as string) ?? positionals[0];
+  const format = (flags.format as string) ?? (process.stdout.isTTY ? 'table' : 'json');
+
+  if (providerId) {
+    const status = await deps.authManager.getStatus(providerId);
+    if (format === 'json') {
+      process.stdout.write(formatJson(status) + '\n');
+    } else {
+      process.stdout.write(formatTable([{
+        id: status.id,
+        name: status.name,
+        strategy: status.strategy,
+        valid: status.valid ? 'yes' : 'no',
+        type: status.credentialType ?? '-',
+        expires: status.expiresInMinutes !== undefined ? `${status.expiresInMinutes}m` : '-',
+      }]) + '\n');
+    }
+    return;
+  }
+
+  const statuses = await deps.authManager.getAllStatus();
+
+  if (format === 'json') {
+    process.stdout.write(formatJson(statuses) + '\n');
+  } else {
+    if (statuses.length === 0) {
+      process.stderr.write('No providers configured.\n');
+      return;
+    }
+    const rows = statuses.map(s => ({
+      id: s.id,
+      name: s.name,
+      strategy: s.strategy,
+      valid: s.valid ? 'yes' : 'no',
+      type: s.credentialType ?? '-',
+      expires: s.expiresInMinutes !== undefined ? `${s.expiresInMinutes}m` : '-',
+    }));
+    process.stdout.write(formatTable(rows) + '\n');
+  }
+}

package/src/cli/commands/sync.ts

@@ -0,0 +1,71 @@
+import type { AuthDeps } from '../../deps.js';
+import { getRemote, getRemotes } from '../../sync/remote-config.js';
+import { SyncEngine } from '../../sync/sync-engine.js';
+import { formatJson } from '../formatters.js';
+
+export async function runSync(positionals: string[], flags: Record<string, string | boolean>, deps: AuthDeps): Promise<void> {
+  const subcommand = positionals[0];
+
+  if (subcommand !== 'push' && subcommand !== 'pull') {
+    process.stderr.write('Usage: sig sync <push|pull> [remote] [--provider <id>] [--force]\n');
+    process.exitCode = 1;
+    return;
+  }
+
+  // Resolve remote: explicit name or default (if only one configured)
+  const remoteName = positionals[1];
+  let remote;
+
+  if (remoteName) {
+    remote = await getRemote(remoteName);
+    if (!remote) {
+      process.stderr.write(`Remote "${remoteName}" not found. Run "sig remote list" to see configured remotes.\n`);
+      process.exitCode = 4;
+      return;
+    }
+  } else {
+    const remotes = await getRemotes();
+    if (remotes.length === 0) {
+      process.stderr.write('No remotes configured. Run "sig remote add <name> <host>" first.\n');
+      process.exitCode = 4;
+      return;
+    }
+    if (remotes.length > 1) {
+      process.stderr.write('Multiple remotes configured. Specify which one:\n');
+      for (const r of remotes) {
+        process.stderr.write(`  ${r.name} (${r.host})\n`);
+      }
+      process.exitCode = 1;
+      return;
+    }
+    remote = remotes[0];
+  }
+
+  const engine = new SyncEngine(deps.storage, remote);
+  const force = flags.force === true;
+  const provider = typeof flags.provider === 'string' ? [flags.provider] : undefined;
+
+  process.stderr.write(`${subcommand === 'push' ? 'Pushing' : 'Pulling'} credentials ${subcommand === 'push' ? 'to' : 'from'} "${remote.name}" (${remote.host})...\n`);
+
+  const result = subcommand === 'push'
+    ? await engine.push(provider, force)
+    : await engine.pull(provider, force);
+
+  // Report results
+  const synced = subcommand === 'push' ? result.pushed : result.pulled;
+  if (synced.length > 0) {
+    process.stderr.write(`Synced: ${synced.join(', ')}\n`);
+  }
+  if (result.skipped.length > 0) {
+    process.stderr.write(`Skipped (conflict): ${result.skipped.join(', ')} — use --force to overwrite\n`);
+  }
+  if (result.errors.length > 0) {
+    for (const e of result.errors) {
+      process.stderr.write(`Error (${e.providerId}): ${e.error}\n`);
+    }
+    process.exitCode = 4;
+  }
+
+  // JSON output to stdout
+  process.stdout.write(formatJson(result) + '\n');
+}

package/src/cli/formatters.ts

@@ -0,0 +1,31 @@
+export function formatJson(data: unknown): string {
+  return JSON.stringify(data, null, 2);
+}
+
+export function formatTable(rows: Record<string, string>[]): string {
+  if (rows.length === 0) return '';
+
+  const columns = Object.keys(rows[0]);
+  const widths = new Map<string, number>();
+
+  for (const col of columns) {
+    let max = col.length;
+    for (const row of rows) {
+      const len = (row[col] ?? '').length;
+      if (len > max) max = len;
+    }
+    widths.set(col, max);
+  }
+
+  const header = columns.map(c => c.toUpperCase().padEnd(widths.get(c)!)).join('  ');
+  const separator = columns.map(c => '-'.repeat(widths.get(c)!)).join('  ');
+  const body = rows.map(row =>
+    columns.map(c => (row[c] ?? '').padEnd(widths.get(c)!)).join('  ')
+  );
+
+  return [header, separator, ...body].join('\n');
+}
+
+export function formatCredentialHeaders(headers: Record<string, string>): string {
+  return Object.entries(headers).map(([k, v]) => `${k}: ${v}`).join('\n');
+}

package/src/cli/main.ts

@@ -0,0 +1,144 @@
+import { existsSync } from 'node:fs';
+import { loadConfig, getConfigPath } from '../config/loader.js';
+import { createAuthDeps } from '../deps.js';
+import { isOk } from '../core/result.js';
+import type { AuthDeps } from '../deps.js';
+
+import { runGet } from './commands/get.js';
+import { runLogin } from './commands/login.js';
+import { runStatus } from './commands/status.js';
+import { runLogout } from './commands/logout.js';
+import { runProviders } from './commands/providers.js';
+import { runRequest } from './commands/request.js';
+import { runRemote } from './commands/remote.js';
+import { runSync } from './commands/sync.js';
+import { runInit } from './commands/init.js';
+import { runDoctor } from './commands/doctor.js';
+
+interface ParsedArgs {
+  command: string;
+  positionals: string[];
+  flags: Record<string, string | boolean>;
+}
+
+export function parseArgs(args: string[]): ParsedArgs {
+  const firstIsFlag = args[0]?.startsWith('--');
+  const command = firstIsFlag ? 'help' : (args[0] ?? 'help');
+  const positionals: string[] = [];
+  const flags: Record<string, string | boolean> = {};
+
+  let i = firstIsFlag ? 0 : 1;
+  while (i < args.length) {
+    const arg = args[i];
+    if (arg.startsWith('--')) {
+      const key = arg.slice(2);
+      const next = args[i + 1];
+      if (next !== undefined && !next.startsWith('--')) {
+        flags[key] = next;
+        i += 2;
+      } else {
+        flags[key] = true;
+        i += 1;
+      }
+    } else {
+      positionals.push(arg);
+      i += 1;
+    }
+  }
+
+  return { command, positionals, flags };
+}
+
+const HELP = `Usage: sig <command> [options]
+
+Commands:
+  init                   Set up Signet configuration (interactive)
+  get <provider|url>     Get credential headers for a provider or URL
+  login <url>            Authenticate with a system (browser or token)
+  request <url>          Make an authenticated HTTP request
+  status [provider]      Show authentication status
+  logout [provider]      Clear stored credentials
+  providers              List configured providers
+  remote                 Manage remote credential stores
+  sync                   Sync credentials with a remote
+  doctor                 Check environment and configuration
+
+Global options:
+  --format <json|table|header|value|body>   Output format
+  --help                                    Show this help message
+`;
+
+const DEPS_COMMANDS = new Set(['get', 'login', 'status', 'logout', 'providers', 'request', 'sync']);
+
+export async function run(args: string[]): Promise<void> {
+  const { command, positionals, flags } = parseArgs(args);
+
+  if (command === 'help' || flags.help === true) {
+    process.stdout.write(HELP);
+    return;
+  }
+
+  // Commands that don't need deps (run before config exists)
+  if (command === 'init') {
+    await runInit(positionals, flags);
+    return;
+  }
+  if (command === 'doctor') {
+    await runDoctor(positionals, flags);
+    return;
+  }
+
+  let deps: AuthDeps | undefined;
+  if (DEPS_COMMANDS.has(command)) {
+    // First-run detection: check if config file exists before loading
+    const configPath = getConfigPath();
+    if (!existsSync(configPath)) {
+      process.stderr.write(
+        '\nWelcome to Signet!\n\n' +
+        `  No config file found at ${configPath}\n` +
+        '  Run "sig init" to set up your configuration.\n\n',
+      );
+      process.exitCode = 1;
+      return;
+    }
+
+    const configResult = await loadConfig();
+    if (!isOk(configResult)) {
+      process.stderr.write(`Config error: ${configResult.error.message}\n`);
+      process.exitCode = 1;
+      return;
+    }
+    deps = createAuthDeps(configResult.value);
+  }
+
+  switch (command) {
+    case 'get':
+      await runGet(positionals, flags, deps!);
+      break;
+    case 'login':
+      await runLogin(positionals, flags, deps!);
+      break;
+    case 'request':
+      await runRequest(positionals, flags, deps!);
+      break;
+    case 'status':
+      await runStatus(positionals, flags, deps!);
+      break;
+    case 'logout':
+      await runLogout(positionals, flags, deps!);
+      break;
+    case 'providers':
+      await runProviders(positionals, flags, deps!);
+      break;
+    case 'remote':
+      await runRemote(positionals, flags);
+      break;
+    case 'sync':
+      await runSync(positionals, flags, deps!);
+      break;
+    default:
+      process.stderr.write(`Unknown command: ${command}\n\n`);
+      process.stdout.write(HELP);
+      process.exitCode = 1;
+  }
+}