sunpeak 0.13.12 → 0.14.3

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "sunpeak",
-  "version": "0.13.12",
-  "description": "The ChatGPT App framework. Quickstart, build, & test your ChatGPT App locally!",
+  "version": "0.14.3",
+  "description": "Local-first MCP Apps framework. Quickstart, build, test, and ship your Claude or ChatGPT App!",
   "type": "module",
   "main": "./dist/index.cjs",
   "module": "./dist/index.js",

package/template/README.md

@@ -15,16 +15,11 @@ That's it! Edit the resource files in [./src/resources/](./src/resources/) to bu
 ## Commands
 
 ```bash
-# Core commands:
 pnpm test              # Run tests with Vitest.
 pnpm test:e2e          # Run end-to-end tests with Playwright.
 sunpeak dev            # Start dev server + MCP endpoint.
 sunpeak build          # Build all resources for production.
-
-# sunpeak repository (think ECR for MCP Apps):
-sunpeak login          # Authenticate with the sunpeak repository.
-sunpeak push           # Push built resources to the sunpeak repository.
-sunpeak pull           # Pull built resources from the sunpeak repository (for your prod MCP server).
+sunpeak upgrade        # Upgrade sunpeak to latest version.
 ```
 
 The template includes a minimal test setup with Vitest. You can add additional tooling (linting, formatting, type-checking) as needed for your project.
@@ -54,7 +49,7 @@ Test your app directly in ChatGPT using the built-in MCP endpoint (starts automa
 sunpeak dev
 
 # In another terminal, run a tunnel. For example:
-ngrok http 6766
+ngrok http 8000
 ```
 
 You can then connect to the tunnel forwarding URL at the `/mcp` path from ChatGPT **in developer mode** to see your UI in action: `User > Settings > Apps & Connectors > Create`
@@ -88,7 +83,6 @@ Each resource folder contains:
 - **`.json` file**: Resource metadata (extracted from the `resource` export in your `.tsx` file) with a generated `uri` for cache-busting
 
 Host these files and reference them as resources in your production MCP server.
-Use the sunpeak resource repository for built-in resource hosting.
 
 ## Add a new UI (Resource)
 
@@ -105,6 +99,14 @@ Only the resource file (`.tsx`) is required to generate a production build and s
 
 Create the simulation file(s) in `tests/simulations/` if you want to preview your resource in `sunpeak dev`.
 
+## Coding Agent Skill
+
+Install the `create-sunpeak-app` skill to give your coding agent built-in knowledge of sunpeak patterns, hooks, simulation files, and testing conventions:
+
+```bash
+npx skills add Sunpeak-AI/sunpeak@create-sunpeak-app
+```
+
 ## Resources
 
 - [sunpeak](https://github.com/Sunpeak-AI/sunpeak)

package/bin/commands/deploy.mjs

@@ -1,141 +0,0 @@
-#!/usr/bin/env node
-import { join } from 'path';
-import { push, findResources, defaultDeps as pushDefaultDeps } from './push.mjs';
-
-/**
- * Default dependencies (real implementations)
- */
-export const defaultDeps = {
-  ...pushDefaultDeps,
-};
-
-/**
- * Deploy command - same as push but with tag="prod"
- * @param {string} projectRoot - Project root directory
- * @param {Object} options - Command options (same as push, but tag defaults to "prod")
- * @param {Object} deps - Dependencies (for testing). Uses defaultDeps if not provided.
- */
-export async function deploy(projectRoot = process.cwd(), options = {}, deps = defaultDeps) {
-  const d = { ...defaultDeps, ...deps };
-
-  // Handle help flag
-  if (options.help) {
-    d.console.log(`
-sunpeak deploy - Push resources to production (push with "prod" tag)
-
-Usage:
-  sunpeak deploy [directory] [options]
-
-Options:
-  -r, --repository <owner/repo>  Repository name (defaults to git remote origin)
-  -t, --tag <name>               Additional tag(s) to assign (always includes "prod")
-  --no-simulations               Skip pushing simulations, only push resources
-  -h, --help                     Show this help message
-
-Arguments:
-  directory                      Optional resource directory to deploy (e.g., dist/carousel)
-                                 If not provided, looks for resources in current
-                                 directory first, then falls back to dist/
-
-Examples:
-  sunpeak deploy                 Deploy all resources with "prod" tag
-  sunpeak deploy dist/carousel   Deploy a single resource
-  sunpeak deploy -r myorg/my-app Deploy to "myorg/my-app" repository
-  sunpeak deploy -t v1.0         Deploy with "prod" and "v1.0" tags
-  sunpeak deploy --no-simulations Deploy without simulations
-
-This command is equivalent to: sunpeak push --tag prod
-`);
-    return;
-  }
-
-  // Always include "prod" tag, supplemented by any additional tags
-  const additionalTags = options.tags?.filter((t) => t !== 'prod') ?? [];
-  const deployOptions = {
-    ...options,
-    tags: ['prod', ...additionalTags],
-  };
-
-  d.console.log('Deploying to production...');
-  d.console.log();
-
-  // If no specific directory provided, check current directory first, then dist/
-  if (!deployOptions.dir) {
-    const cwdResources = findResources(projectRoot, join(projectRoot, 'tests/simulations'), d);
-    if (cwdResources.length > 0) {
-      // Found resources in current directory, push each one
-      for (const resource of cwdResources) {
-        await push(projectRoot, { ...deployOptions, dir: resource.dir }, d);
-      }
-      return;
-    }
-    // Fall back to dist/ directory (handled by push)
-  }
-
-  await push(projectRoot, deployOptions, d);
-}
-
-/**
- * Parse command line arguments
- */
-export function parseArgs(args) {
-  const options = { tags: [] };
-  let i = 0;
-
-  while (i < args.length) {
-    const arg = args[i];
-
-    if (arg === '--repository' || arg === '-r') {
-      options.repository = args[++i];
-    } else if (arg === '--tag' || arg === '-t') {
-      options.tags.push(args[++i]);
-    } else if (arg === '--no-simulations') {
-      options.noSimulations = true;
-    } else if (arg === '--help' || arg === '-h') {
-      console.log(`
-sunpeak deploy - Deploy resources to production (push with "prod" tag)
-
-Usage:
-  sunpeak deploy [directory] [options]
-
-Options:
-  -r, --repository <owner/repo>  Repository name (defaults to git remote origin)
-  -t, --tag <name>               Additional tag(s) to assign (always includes "prod")
-  --no-simulations               Skip pushing simulations, only push resources
-  -h, --help                     Show this help message
-
-Arguments:
-  directory                      Optional resource directory to deploy (e.g., dist/carousel)
-                                 If not provided, looks for resources in current
-                                 directory first, then falls back to dist/
-
-Examples:
-  sunpeak deploy                 Deploy all resources with "prod" tag
-  sunpeak deploy dist/carousel   Deploy a single resource
-  sunpeak deploy -r myorg/my-app Deploy to "myorg/my-app" repository
-  sunpeak deploy -t v1.0         Deploy with "prod" and "v1.0" tags
-  sunpeak deploy --no-simulations Deploy without simulations
-
-This command is equivalent to: sunpeak push --tag prod
-`);
-      process.exit(0);
-    } else if (!arg.startsWith('-')) {
-      // Positional argument - treat as directory path
-      options.dir = arg;
-    }
-
-    i++;
-  }
-
-  return options;
-}
-
-// Allow running directly
-if (import.meta.url === `file://${process.argv[1]}`) {
-  const args = process.argv.slice(2);
-  const options = parseArgs(args);
-  deploy(process.cwd(), options).catch((error) => {
-    console.error('Error:', error.message);
-    process.exit(1);
-  });
-}

package/bin/commands/login.mjs

@@ -1,235 +0,0 @@
-#!/usr/bin/env node
-import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
-import { join } from 'path';
-import { homedir, platform } from 'os';
-import { exec } from 'child_process';
-
-const SUNPEAK_API_URL = process.env.SUNPEAK_API_URL || 'https://app.sunpeak.ai';
-const CREDENTIALS_DIR = join(homedir(), '.sunpeak');
-const CREDENTIALS_FILE = join(CREDENTIALS_DIR, 'credentials.json');
-
-// Polling configuration
-const POLL_INTERVAL_MS = 2500; // 2.5 seconds between polls.
-const MAX_POLL_DURATION_MS = 2 * 60 * 1000; // 2 minutes max.
-
-/**
- * Load existing credentials if present
- */
-function loadCredentialsImpl() {
-  if (!existsSync(CREDENTIALS_FILE)) {
-    return null;
-  }
-  try {
-    return JSON.parse(readFileSync(CREDENTIALS_FILE, 'utf-8'));
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Save credentials to disk
- */
-function saveCredentialsImpl(credentials) {
-  if (!existsSync(CREDENTIALS_DIR)) {
-    mkdirSync(CREDENTIALS_DIR, { recursive: true, mode: 0o700 });
-  }
-  writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), { mode: 0o600 });
-}
-
-/**
- * Open a URL in the default browser
- * Returns true if successful, false otherwise
- */
-function openBrowserImpl(url) {
-  return new Promise((resolve) => {
-    const os = platform();
-    let command;
-
-    // Platform-specific commands to open URLs
-    if (os === 'darwin') {
-      command = `open "${url}"`;
-    } else if (os === 'win32') {
-      command = `start "" "${url}"`;
-    } else {
-      // Linux and other Unix-like systems
-      command = `xdg-open "${url}"`;
-    }
-
-    exec(command, (error) => {
-      resolve(!error);
-    });
-  });
-}
-
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-/**
- * Default dependencies (real implementations)
- */
-export const defaultDeps = {
-  fetch: globalThis.fetch,
-  loadCredentials: loadCredentialsImpl,
-  saveCredentials: saveCredentialsImpl,
-  openBrowser: openBrowserImpl,
-  console,
-  sleep,
-  apiUrl: SUNPEAK_API_URL,
-  pollIntervalMs: POLL_INTERVAL_MS,
-  maxPollDurationMs: MAX_POLL_DURATION_MS,
-};
-
-/**
- * Request a device code from the authorization server
- */
-async function requestDeviceCode(deps) {
-  const response = await deps.fetch(`${deps.apiUrl}/oauth/device_authorization`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-  });
-
-  if (!response.ok) {
-    const text = await response.text();
-    throw new Error(`Failed to request device code: ${response.status} ${text}`);
-  }
-
-  return response.json();
-}
-
-/**
- * Poll for the access token
- */
-async function pollForToken(deviceCode, deps) {
-  const startTime = Date.now();
-
-  while (Date.now() - startTime < deps.maxPollDurationMs) {
-    let response;
-    try {
-      response = await deps.fetch(`${deps.apiUrl}/oauth/token`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: new URLSearchParams({
-          grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
-          device_code: deviceCode,
-        }),
-      });
-    } catch (err) {
-      // Network error - wait and retry
-      await deps.sleep(deps.pollIntervalMs);
-      continue;
-    }
-
-    let data;
-    let responseText;
-    try {
-      responseText = await response.text();
-      data = JSON.parse(responseText);
-    } catch {
-      // Non-JSON response - this is unexpected, throw with details
-      throw new Error(
-        `Server returned unexpected response (${response.status}): ${responseText?.slice(0, 200) || 'empty response'}`
-      );
-    }
-
-    if (response.ok && data.access_token) {
-      return data;
-    }
-
-    // Handle standard OAuth 2.0 device flow errors (expected during polling)
-    if (data.error === 'authorization_pending') {
-      // User hasn't authorized yet, keep polling
-      await deps.sleep(deps.pollIntervalMs);
-      continue;
-    }
-
-    if (data.error === 'slow_down') {
-      // Server asking us to slow down, increase interval
-      await deps.sleep(deps.pollIntervalMs * 2);
-      continue;
-    }
-
-    if (data.error === 'access_denied') {
-      throw new Error('Authorization denied by user');
-    }
-
-    if (data.error === 'expired_token') {
-      throw new Error('Device code expired. Please try again.');
-    }
-
-    // If response was OK but no access_token, something is wrong with the response
-    if (response.ok) {
-      throw new Error('Invalid token response from server');
-    }
-
-    // Unknown error - include status code for debugging
-    const errorMessage = data.error_description || data.error || 'Unknown error';
-    throw new Error(`Authorization failed (${response.status}): ${errorMessage}`);
-  }
-
-  throw new Error('Authorization timed out. Please try again.');
-}
-
-/**
- * Main login command
- * @param {Object} deps - Dependencies (for testing). Uses defaultDeps if not provided.
- */
-export async function login(deps = defaultDeps) {
-  const d = { ...defaultDeps, ...deps };
-
-  // Check if already logged in
-  const existing = d.loadCredentials();
-  if (existing?.access_token) {
-    d.console.log('Already logged in. Run "sunpeak logout" first to switch accounts.');
-    return;
-  }
-
-  d.console.log('Starting device authorization flow...\n');
-
-  // Step 1: Request device code
-  const deviceAuth = await requestDeviceCode(d);
-
-  // Step 2: Open browser and display instructions
-  // Prefer verification_uri_complete which has the code pre-filled
-  const authUrl =
-    deviceAuth.verification_uri_complete ||
-    `${deviceAuth.verification_uri}?user_code=${encodeURIComponent(deviceAuth.user_code)}`;
-
-  const browserOpened = await d.openBrowser(authUrl);
-
-  if (browserOpened) {
-    d.console.log('Opening browser for authentication...\n');
-    d.console.log(`If the browser didn't open, visit: ${deviceAuth.verification_uri}`);
-    d.console.log(`And enter code: ${deviceAuth.user_code}`);
-  } else {
-    d.console.log('To complete login, please:');
-    d.console.log(`  1. Visit: ${deviceAuth.verification_uri}`);
-    d.console.log(`  2. Enter code: ${deviceAuth.user_code}`);
-  }
-  d.console.log('\nWaiting for authorization...');
-
-  // Step 3: Poll for token
-  const tokenResponse = await pollForToken(deviceAuth.device_code, d);
-
-  // Step 4: Save credentials
-  const credentials = {
-    access_token: tokenResponse.access_token,
-    token_type: tokenResponse.token_type || 'Bearer',
-    expires_at: tokenResponse.expires_in
-      ? Date.now() + tokenResponse.expires_in * 1000
-      : null,
-    created_at: Date.now(),
-  };
-
-  d.saveCredentials(credentials);
-
-  d.console.log('\n✓ Successfully logged in to Sunpeak!');
-}
-
-// Allow running directly
-if (import.meta.url === `file://${process.argv[1]}`) {
-  login().catch((error) => {
-    console.error('Error:', error.message);
-    process.exit(1);
-  });
-}

package/bin/commands/logout.mjs

@@ -1,101 +0,0 @@
-#!/usr/bin/env node
-import { existsSync, readFileSync, unlinkSync } from 'fs';
-import { join } from 'path';
-import { homedir } from 'os';
-
-const SUNPEAK_API_URL = process.env.SUNPEAK_API_URL || 'https://app.sunpeak.ai';
-const CREDENTIALS_DIR = join(homedir(), '.sunpeak');
-const CREDENTIALS_FILE = join(CREDENTIALS_DIR, 'credentials.json');
-
-/**
- * Load existing credentials if present
- */
-function loadCredentialsImpl() {
-  if (!existsSync(CREDENTIALS_FILE)) {
-    return null;
-  }
-  try {
-    return JSON.parse(readFileSync(CREDENTIALS_FILE, 'utf-8'));
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Delete credentials file
- */
-function deleteCredentialsImpl() {
-  if (existsSync(CREDENTIALS_FILE)) {
-    unlinkSync(CREDENTIALS_FILE);
-  }
-}
-
-/**
- * Default dependencies (real implementations)
- */
-export const defaultDeps = {
-  fetch: globalThis.fetch,
-  loadCredentials: loadCredentialsImpl,
-  deleteCredentials: deleteCredentialsImpl,
-  console,
-  apiUrl: SUNPEAK_API_URL,
-};
-
-/**
- * Revoke the access token on the server
- */
-async function revokeToken(accessToken, deps) {
-  try {
-    const response = await deps.fetch(`${deps.apiUrl}/oauth/revoke`, {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        'Content-Type': 'application/json',
-      },
-    });
-
-    // 200 OK means success, but we also accept other success codes
-    return response.ok;
-  } catch {
-    // Network error - token may still be valid on server
-    // but we'll clean up locally anyway
-    return false;
-  }
-}
-
-/**
- * Main logout command
- * @param {Object} deps - Dependencies (for testing). Uses defaultDeps if not provided.
- */
-export async function logout(deps = defaultDeps) {
-  const d = { ...defaultDeps, ...deps };
-
-  const credentials = d.loadCredentials();
-
-  if (!credentials?.access_token) {
-    d.console.log('Not logged in.');
-    return;
-  }
-
-  d.console.log('Logging out...');
-
-  // Revoke token on server
-  const revoked = await revokeToken(credentials.access_token, d);
-
-  // Always delete local credentials regardless of revocation result
-  d.deleteCredentials();
-
-  if (revoked) {
-    d.console.log('✓ Successfully logged out of Sunpeak.');
-  } else {
-    d.console.log('✓ Logged out locally. (Server token revocation may have failed)');
-  }
-}
-
-// Allow running directly
-if (import.meta.url === `file://${process.argv[1]}`) {
-  logout().catch((error) => {
-    console.error('Error:', error.message);
-    process.exit(1);
-  });
-}