taskmonkey-cli 0.10.1 → 0.11.1

package/bin/tm.js

@@ -1,6 +1,9 @@
 #!/usr/bin/env node
 
 import { Command } from 'commander';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
 import { login } from '../src/commands/login.js';
 import { testTool } from '../src/commands/test-tool.js';
 import { sync } from '../src/commands/sync.js';
@@ -15,12 +18,18 @@ import { testChat } from '../src/commands/test-chat.js';
 import { testConversations } from '../src/commands/test-conversations.js';
 import { optimizePrompt } from '../src/commands/optimize-prompt.js';
 
+// Read version from package.json so `tm --version` is always in sync.
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkgVersion = JSON.parse(
+  readFileSync(join(__dirname, '..', 'package.json'), 'utf8')
+).version;
+
 const program = new Command();
 
 program
   .name('tm')
   .description('TaskMonkey CLI — Remote dev tools for tenant config')
-  .version('0.1.0');
+  .version(pkgVersion);
 
 program
   .command('login')
@@ -53,7 +62,8 @@ program
 
 program
   .command('watch')
-  .description('Watch for file changes and auto-sync')
+  .description('Watch for file changes and auto-sync (streams server logs by default)')
+  .option('--no-logs', 'Disable live log streaming')
   .action(watch);
 
 program
@@ -71,8 +81,9 @@ program
 
 program
   .command('logs')
-  .description('Stream server logs')
+  .description('Stream server logs (or clear them with --clear)')
   .option('-n, --lines <number>', 'Initial lines to show', '50')
+  .option('--clear', 'Truncate tools.log on the server and exit')
   .action(logs);
 
 program

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "taskmonkey-cli",
-  "version": "0.10.1",
+  "version": "0.11.1",
   "description": "TaskMonkey CLI — Remote dev tools for tenant config editing and tool testing",
   "bin": {
     "tm": "./bin/tm.js",

package/src/commands/logs.js

@@ -1,63 +1,65 @@
 import chalk from 'chalk';
-import EventSource from 'eventsource';
-import { createClient } from '../lib/api.js';
-import { loadConfig } from '../config.js';
+import { createClient, ensureFreshToken } from '../lib/api.js';
+import { streamLogs } from '../lib/log-stream.js';
 
 export async function logs(options) {
-  const config = loadConfig();
-  if (!config) {
-    console.error(chalk.red('Not logged in. Run `tm login` first.'));
+  let config;
+  try {
+    // Refresh the access token proactively before opening the SSE stream.
+    // fetch-based streaming has no retry-on-401 either, so a stale token
+    // would just make the stream fail silently a few minutes in.
+    config = await ensureFreshToken();
+  } catch (err) {
+    console.error(chalk.red(err.message));
     process.exit(1);
   }
 
-  const lines = options.lines || 50;
-  const url = `${config.server}/api/logs/stream?tenant=${config.tenant}&lines=${lines}`;
-
-  console.log(chalk.cyan('📋 Streaming logs'), chalk.gray(`(${config.tenant})`));
-  console.log(chalk.gray('   Ctrl+C to stop\n'));
-
-  const es = new EventSource(url, {
-    headers: { 'Authorization': `Bearer ${config.token}` },
-  });
-
-  es.onmessage = (e) => {
+  if (options.clear) {
     try {
-      const data = JSON.parse(e.data);
-      const line = data.line || '';
-      const type = data.type || 'info';
-
-      switch (type) {
-        case 'error':
-          console.log(chalk.red(line));
-          break;
-        case 'warning':
-          console.log(chalk.yellow(line));
-          break;
-        case 'success':
-          console.log(chalk.green(line));
-          break;
-        default:
-          console.log(chalk.gray(line));
+      const client = createClient();
+      const res = await client.post('/api/logs/clear', {});
+      if (res.cleared) {
+        console.log(chalk.green('✓'), `cleared ${res.path}`);
+      } else {
+        console.log(chalk.gray('(nothing to clear — tools.log does not exist yet)'));
       }
-    } catch {
-      console.log(chalk.gray(e.data));
+    } catch (err) {
+      console.error(chalk.red(`Clear failed: ${err.message}`));
+      process.exit(1);
     }
-  };
+    return;
+  }
 
-  es.addEventListener('init_complete', () => {
-    console.log(chalk.gray('--- live ---\n'));
-  });
+  const lines = parseInt(options.lines || '50', 10);
 
-  es.onerror = (err) => {
-    if (es.readyState === EventSource.CLOSED) {
-      console.log(chalk.gray('\nConnection closed.'));
-      process.exit(0);
-    }
-  };
+  console.log(chalk.cyan('📋 Streaming logs'), chalk.gray(`(${config.tenant})`));
+  console.log(chalk.gray('   Ctrl+C to stop\n'));
 
+  const abort = new AbortController();
   process.on('SIGINT', () => {
-    es.close();
+    abort.abort();
     console.log(chalk.gray('\nStopped.'));
     process.exit(0);
   });
+
+  try {
+    await streamLogs({
+      config,
+      lines,
+      signal: abort.signal,
+      onLine: (line, type) => {
+        switch (type) {
+          case 'error':   console.log(chalk.red(line)); break;
+          case 'warning': console.log(chalk.yellow(line)); break;
+          case 'success': console.log(chalk.green(line)); break;
+          default:        console.log(chalk.gray(line));
+        }
+      },
+      onInitComplete: () => console.log(chalk.gray('--- live ---\n')),
+    });
+  } catch (err) {
+    if (err.name === 'AbortError') return;
+    console.error(chalk.red(`Stream error: ${err.message}`));
+    process.exit(1);
+  }
 }

package/src/commands/monitor.js

@@ -1,6 +1,6 @@
 import chalk from 'chalk';
 import EventSource from 'eventsource';
-import { loadConfig } from '../config.js';
+import { ensureFreshToken } from '../lib/api.js';
 
 const BADGES = {
   running: chalk.bgYellow.black(' RUN  '),
@@ -61,9 +61,13 @@ function renderExecution(exec) {
 }
 
 export async function monitor(options) {
-  const config = loadConfig();
-  if (!config) {
-    console.error(chalk.red('Not logged in. Run `tm login` first.'));
+  let config;
+  try {
+    // Refresh proactively — EventSource cannot retry-on-401, so a stale
+    // token would let the stream die wordlessly after the JWT expires.
+    config = await ensureFreshToken();
+  } catch (err) {
+    console.error(chalk.red(err.message));
     process.exit(1);
   }
 

package/src/commands/pull.js

@@ -336,16 +336,18 @@ Tools können auf drei Arten definiert werden:
         \\$logger = \\$ctx['logger'];
         \\$logger->info("Starte...");
 
-        // Andere Tools aufrufen
+        // Andere Tools aufrufen — DAS ist der richtige Weg, um an externe
+        // Daten zu kommen. Direkter HTTP-Client-Aufruf ist im Sandbox-
+        // Validator blockiert.
         \\$item = \\$ctx['tool']('searchItems', ['searchSku' => \\$args['sku']]);
-
-        // API-Calls via Cake HTTP Client
-        \\$api = \\$ctx['config']['apis']['jtl'];
-        \\$http = new \\Cake\\Http\\Client(['timeout' => 60]);
-        \\$response = \\$http->get(\\$api['base_url'] . '/items', [], ['headers' => \\$api['headers']]);
+        \\$stock = \\$ctx['tool']('getStockBySku', ['sku' => \\$args['sku']]);
 
         \\$logger->success("Fertig");
-        return ['success' => true, 'data' => \\$response->getJson()];
+        return [
+            'success' => true,
+            'item' => \\$item,
+            'stock' => \\$stock,
+        ];
     },
     'parameters' => [
         'type' => 'object',
@@ -378,24 +380,55 @@ Diese PHP-Klassen stehen als Handler zur Verfügung (Referenz: \`[ClassName, 'me
 Jeder Handler bekommt einen Kontext mit:
 
 \`\`\`php
-\\$ctx['config']     // Tenant-Konfiguration (APIs, Tools, etc.)
+\\$ctx['config']     // Tenant-Konfiguration (APIs, Tools, etc.) — read-only
 \\$ctx['tenant']     // Tenant-Code (z.B. "bloomify")
 \\$ctx['logger']     // TaskLogger: ->info(), ->success(), ->error(), ->warning()
-\\$ctx['tool']       // Funktion zum Aufrufen anderer Tools: \\$ctx['tool']('toolName', \\$args)
+\\$ctx['tool']       // Funktion zum Aufrufen anderer Tools: \\$ctx['tool']('name', \\$args)
 \\$ctx['chat_id']    // Chat-Session ID
 \\$ctx['testMode']   // true wenn im Simulationsmodus
+\\$ctx['tmp_path']   // Tenant-eigener tmp/-Schreibpfad für generierte Dateien
+\\$ctx['log_path']   // Tenant-eigener logs/-Pfad (TaskLogger schreibt selbst hierher)
 \`\`\`
 
-## Verfügbare Vendor-Libraries
+## Sandbox / Code-Validator
+
+CLI-synced Handler-Code läuft durch einen Token-basierten Validator
+(\`TenantController::validateCode\`). Folgende Funktionen und Klassen
+sind **blockiert**:
+
+\`\`\`
+shell_exec, exec, system, passthru, popen, proc_open
+eval, assert, create_function, call_user_func, call_user_func_array
+file_get_contents, file_put_contents, fopen, fwrite, unlink, mkdir,
+glob, scandir, rmdir, rename, copy, symlink, chmod
+curl_init, curl_exec, fsockopen
+include, require, include_once, require_once
+new PDO, new mysqli, new SplFileObject, new ZipArchive, new Phar,
+new ReflectionFunction, new ReflectionMethod, new ReflectionClass,
+new \\Cake\\Http\\Client, new \\Cake\\ORM\\TableRegistry,
+new \\Cake\\Datasource\\ConnectionManager
+Variable function calls (\`\\$f(...)\`) — Closure-Subskript wie
+    \`\\$ctx['tool'](...)\` ist erlaubt.
+\`\`\`
+
+Alles, was du davon brauchst, geht über \`\\$ctx['tool']()\`. Wenn dein
+Handler etwas braucht, das nicht über \`\\$ctx\` exposed ist, melde es
+als Bedarf — dann landet die Logik in einem \`_shared/\` Helper-Tool
+auf Server-Seite.
+
+## Erlaubte PHP-Funktionen (Auswahl)
 
 \`\`\`php
-\\Cake\\Http\\Client       // HTTP-Requests (GET, POST, etc.)
-\\Cake\\Cache\\Cache       // Caching (read, write, delete)
-\\Cake\\ORM\\TableRegistry // Datenbank-Zugriff
-\\Cake\\Core\\Configure    // App-Konfiguration lesen
-\\Google_Service_Sheets   // Google Sheets API
-\\Google_Service_Drive    // Google Drive API
-\\GuzzleHttp\\Client       // Alternative HTTP-Library
+// Daten:
+array_*, count, json_encode, json_decode, str_*, preg_*
+// Datum/Zeit:
+date, time, mktime, strtotime, DateTime, DateInterval
+// Bilder (GD-Erweiterung — schreibt nicht über file_put_contents):
+imagepng, imagejpeg, imagecreatetruecolor, imagestring, …
+// File-Inspektion (lesen, nicht schreiben):
+filesize, filemtime, file_exists, is_dir, is_file
+// Math:
+round, floor, ceil, min, max, abs, intval, floatval
 \`\`\`
 
 ## Database Gateway (Remote-SQL)

package/src/commands/sync.js

@@ -1,15 +1,21 @@
-import { readdirSync, readFileSync } from 'fs';
-import { join, relative } from 'path';
+import { readdirSync, readFileSync, mkdirSync, writeFileSync } from 'fs';
+import { join, relative, dirname } from 'path';
 import chalk from 'chalk';
 import ora from 'ora';
 import { loadConfig } from '../config.js';
 import { createClient } from '../lib/api.js';
 
+// Skip runtime dirs and the local CLI metadata when collecting files to upload.
+const SKIP_TOP_LEVEL = new Set(['logs', 'tmp', '.claude', '.git', 'node_modules', 'docs', 'shared']);
+
 function collectFiles(dir, base = dir) {
   const files = {};
   const entries = readdirSync(dir, { withFileTypes: true });
 
   for (const entry of entries) {
+    if (dir === base && SKIP_TOP_LEVEL.has(entry.name)) {
+      continue;
+    }
     const fullPath = join(dir, entry.name);
     if (entry.isDirectory()) {
       Object.assign(files, collectFiles(fullPath, base));
@@ -22,6 +28,55 @@ function collectFiles(dir, base = dir) {
   return files;
 }
 
+/**
+ * Pulls logs/ and tmp/ from the server into the local working copy so the
+ * developer can read them with normal file tools (cat, grep, Claude, etc.).
+ *
+ * Text files come back as utf-8 strings; binary files come back as base64
+ * under `binary_files`. We write both verbatim.
+ *
+ * Failures here are non-fatal — the sync itself was already successful.
+ */
+export async function pullRuntime(tenantDir, { quiet = false } = {}) {
+  const client = createClient();
+  let runtime;
+  try {
+    runtime = await client.get('/api/tenant/runtime');
+  } catch (err) {
+    if (!quiet) {
+      console.log(chalk.gray(`  (runtime pull skipped: ${err.message})`));
+    }
+    return 0;
+  }
+
+  let written = 0;
+  const writeOne = (relPath, content, isBase64) => {
+    const fullPath = join(tenantDir, relPath);
+    mkdirSync(dirname(fullPath), { recursive: true });
+    if (isBase64) {
+      writeFileSync(fullPath, Buffer.from(content, 'base64'));
+    } else {
+      writeFileSync(fullPath, content);
+    }
+    written++;
+  };
+
+  // Some servers serialize empty PHP arrays as JSON [] instead of {}.
+  // Treat plain arrays as empty since they have no path-keyed entries.
+  const asMap = (v) => (v && typeof v === 'object' && !Array.isArray(v)) ? v : {};
+  for (const [relPath, content] of Object.entries(asMap(runtime.files))) {
+    writeOne(relPath, content, false);
+  }
+  for (const [relPath, content] of Object.entries(asMap(runtime.binary_files))) {
+    writeOne(relPath, content, true);
+  }
+
+  if (written > 0 && !quiet) {
+    console.log(chalk.gray(`  ↓ ${written} runtime files (logs/, tmp/)`));
+  }
+  return written;
+}
+
 export async function sync(options = {}) {
   const config = loadConfig();
   if (!config) {
@@ -88,6 +143,9 @@ export async function sync(options = {}) {
         console.log(chalk.red(`  ${err.path}: ${err.error}`));
       }
     }
+
+    // Mirror server-side logs/ and tmp/ into the working copy for debugging.
+    await pullRuntime(tenantDir);
   } catch (err) {
     spinner.fail(err.message);
     process.exit(1);

package/src/commands/watch.js

@@ -1,11 +1,12 @@
 import chokidar from 'chokidar';
 import chalk from 'chalk';
 import { loadConfig } from '../config.js';
-import { createClient } from '../lib/api.js';
+import { createClient, ensureFreshToken } from '../lib/api.js';
 import { sync } from './sync.js';
+import { streamLogs } from '../lib/log-stream.js';
 import { join, relative } from 'path';
 
-export async function watch() {
+export async function watch(options = {}) {
   const config = loadConfig();
   if (!config) {
     console.error(chalk.red('Not logged in. Run `tm login` first.'));
@@ -13,16 +14,30 @@ export async function watch() {
   }
 
   const tenantDir = join(config._configDir, config.tenant_path || '.');
+  const showLogs = options.logs !== false; // on by default; disable with --no-logs
 
   console.log(chalk.cyan('👀 Watching'), tenantDir);
+  if (showLogs) {
+    console.log(chalk.gray('   Live logs: on   (disable with --no-logs)'));
+  }
   console.log(chalk.gray('   Ctrl+C to stop\n'));
 
   let syncTimer = null;
   const pendingDeletes = [];
 
+  // Watch only .php files, and explicitly ignore the runtime dirs that
+  // sync() writes back into the working copy — otherwise pullRuntime would
+  // re-trigger sync in an endless loop.
   const watcher = chokidar.watch(join(tenantDir, '**/*.php'), {
     ignoreInitial: true,
     awaitWriteFinish: { stabilityThreshold: 300 },
+    ignored: [
+      /(^|[\/\\])logs[\/\\]/,
+      /(^|[\/\\])tmp[\/\\]/,
+      /(^|[\/\\])\.claude[\/\\]/,
+      /(^|[\/\\])\.git[\/\\]/,
+      /(^|[\/\\])node_modules[\/\\]/,
+    ],
   });
 
   watcher.on('add', (path) => {
@@ -68,9 +83,84 @@ export async function watch() {
     }, 500);
   }
 
+  // Live log streaming alongside the file watcher. Runs in the background;
+  // reconnects automatically if the server-side 5-minute stream window
+  // expires or the connection drops.
+  let logsAbort = null;
+  if (showLogs) {
+    runLogStreamForever(config).then((ctl) => { logsAbort = ctl; });
+  }
+
   process.on('SIGINT', () => {
     watcher.close();
+    if (logsAbort) logsAbort.abort();
     console.log(chalk.gray('\nStopped.'));
     process.exit(0);
   });
 }
+
+/**
+ * Open the log stream and keep it open for as long as the watcher runs.
+ * Returns an AbortController so the SIGINT handler can tear it down.
+ *
+ * On disconnect we wait 1s and reconnect. On auth failure we refresh the
+ * token via ensureFreshToken() and retry. Errors are printed but never
+ * kill the watcher.
+ */
+async function runLogStreamForever(initialConfig) {
+  const abort = new AbortController();
+  let config = initialConfig;
+  let firstConnect = true;
+
+  (async () => {
+    while (!abort.signal.aborted) {
+      try {
+        // Refresh token before each (re)connect — cheap and prevents
+        // silent auth drops on long-running sessions.
+        config = await ensureFreshToken();
+      } catch (err) {
+        console.error(chalk.red(`  [logs] token refresh failed: ${err.message}`));
+        await sleep(5000);
+        continue;
+      }
+
+      try {
+        await streamLogs({
+          config,
+          lines: firstConnect ? 20 : 0,
+          signal: abort.signal,
+          onLine: (line, type) => {
+            const prefix = chalk.gray('  │ ');
+            switch (type) {
+              case 'error':   console.log(prefix + chalk.red(line)); break;
+              case 'warning': console.log(prefix + chalk.yellow(line)); break;
+              case 'success': console.log(prefix + chalk.green(line)); break;
+              default:        console.log(prefix + chalk.gray(line));
+            }
+          },
+          onInitComplete: () => {
+            if (firstConnect) {
+              console.log(chalk.gray('  │ --- live logs ---'));
+              firstConnect = false;
+            }
+          },
+        });
+      } catch (err) {
+        if (abort.signal.aborted) return;
+        // Server timeouts after 5 min are expected; don't spam.
+        if (!/HTTP 5|fetch failed|terminated|ECONN/i.test(err.message)) {
+          console.error(chalk.yellow(`  [logs] ${err.message}`));
+        }
+      }
+
+      if (abort.signal.aborted) return;
+      await sleep(1000);
+    }
+  })();
+
+  return abort;
+}
+
+function sleep(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}

package/src/lib/api.js

@@ -99,3 +99,50 @@ export function createClient() {
   }
   return new ApiClient(config);
 }
+
+/**
+ * Returns the current access token, refreshing it first if it appears to be
+ * close to expiry. Used by SSE commands (tm logs, tm monitor) which build
+ * their own EventSource and cannot use the ApiClient retry-on-401 path.
+ *
+ * Returns the (possibly refreshed) config object, with .token guaranteed
+ * fresh enough for at least the next few minutes.
+ */
+export async function ensureFreshToken() {
+  const config = loadConfig();
+  if (!config) {
+    throw new Error('Not logged in. Run `tm login` first.');
+  }
+
+  // JWT exp lives in the payload. Decode without verifying — we just want
+  // to know roughly when it expires so we can refresh proactively.
+  const exp = decodeJwtExp(config.token);
+  const now = Math.floor(Date.now() / 1000);
+  const refreshThreshold = 60; // refresh if less than 60 s remain
+
+  if (exp === null || exp - now > refreshThreshold) {
+    return config;
+  }
+
+  // Try a refresh.
+  const client = new ApiClient(config);
+  const ok = await client._refresh();
+  if (!ok) {
+    throw new Error('Token expired and refresh failed. Run `tm login` again.');
+  }
+  return loadConfig();
+}
+
+function decodeJwtExp(token) {
+  if (!token) return null;
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    // base64url → base64
+    const payload = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+    const decoded = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
+    return typeof decoded.exp === 'number' ? decoded.exp : null;
+  } catch {
+    return null;
+  }
+}

package/src/lib/log-stream.js

@@ -0,0 +1,81 @@
+/**
+ * Minimal SSE reader for /api/logs/stream.
+ *
+ * Why not the `eventsource` package: v2 of that package breaks against
+ * HTTP/2 origins (our Apache speaks h2), and v3 has a new API anyway. A
+ * hand-rolled parser is ~40 lines and avoids the dependency entirely.
+ *
+ * Protocol we actually receive:
+ *   data: {"line":"...","type":"info"}\n\n
+ *   event: init_complete\ndata: {}\n\n
+ *   : heartbeat\n\n
+ *
+ * We only care about unnamed data events and the init_complete marker.
+ */
+export async function streamLogs({ config, lines = 50, signal, onLine, onInitComplete }) {
+  const url = `${config.server}/api/logs/stream?tenant=${encodeURIComponent(config.tenant)}&lines=${lines}`;
+
+  const res = await fetch(url, {
+    headers: {
+      Authorization: `Bearer ${config.token}`,
+      Accept: 'text/event-stream',
+    },
+    signal,
+  });
+
+  if (!res.ok) {
+    throw new Error(`HTTP ${res.status} ${res.statusText}`);
+  }
+  if (!res.body) {
+    throw new Error('Response has no body (fetch streaming unsupported?)');
+  }
+
+  const reader = res.body.getReader();
+  const decoder = new TextDecoder('utf-8');
+  let buffer = '';
+
+  while (true) {
+    const { value, done } = await reader.read();
+    if (done) return;
+    buffer += decoder.decode(value, { stream: true });
+
+    // SSE events are separated by a blank line (\n\n). Split off complete
+    // events and leave the partial tail in the buffer.
+    let sep;
+    while ((sep = buffer.indexOf('\n\n')) !== -1) {
+      const raw = buffer.slice(0, sep);
+      buffer = buffer.slice(sep + 2);
+      handleEvent(raw, { onLine, onInitComplete });
+    }
+  }
+}
+
+function handleEvent(raw, { onLine, onInitComplete }) {
+  // Comments (heartbeats) start with ':'
+  if (raw.startsWith(':')) return;
+
+  let event = 'message';
+  const dataLines = [];
+  for (const line of raw.split('\n')) {
+    if (line.startsWith('event:')) {
+      event = line.slice(6).trim();
+    } else if (line.startsWith('data:')) {
+      dataLines.push(line.slice(5).replace(/^ /, ''));
+    }
+  }
+
+  if (event === 'init_complete') {
+    onInitComplete?.();
+    return;
+  }
+
+  if (dataLines.length === 0) return;
+  const data = dataLines.join('\n');
+  try {
+    const parsed = JSON.parse(data);
+    onLine?.(parsed.line ?? '', parsed.type ?? 'info');
+  } catch {
+    // Malformed JSON — pass through as info so nothing is lost.
+    onLine?.(data, 'info');
+  }
+}