uniweb 0.8.21 → 0.8.22

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "uniweb",
-  "version": "0.8.21",
+  "version": "0.8.22",
   "description": "Create structured Vite + React sites with content/code separation",
   "type": "module",
   "bin": {
@@ -41,12 +41,12 @@
     "js-yaml": "^4.1.0",
     "prompts": "^2.4.2",
     "tar": "^7.0.0",
-    "@uniweb/core": "0.5.14",
-    "@uniweb/kit": "0.7.15",
-    "@uniweb/runtime": "0.6.15"
+    "@uniweb/core": "0.5.15",
+    "@uniweb/kit": "0.7.16",
+    "@uniweb/runtime": "0.6.16"
   },
   "peerDependencies": {
-    "@uniweb/build": "0.8.20",
+    "@uniweb/build": "0.8.21",
     "@uniweb/content-reader": "1.1.4",
     "@uniweb/semantic-parser": "1.1.7"
   },

package/src/commands/login.js

@@ -3,15 +3,21 @@
  *
  * Authenticates with the Uniweb platform. Stores credentials at ~/.uniweb/auth.json.
  *
- * Phase 1: Token-paste flow only.
- * Phase 2: Browser-based OAuth with token-paste fallback.
+ * Flow:
+ *   1. Start a temporary HTTP server on a random port
+ *   2. Open the browser to {backend}/cli-auth.php?action=login&callback=http://localhost:{port}/callback
+ *   3. PHP authenticates the user, signs a JWT, redirects to the callback
+ *   4. CLI receives the token and stores it at ~/.uniweb/auth.json
+ *   5. Falls back to token-paste if browser fails
  *
  * Usage:
  *   uniweb login
+ *   uniweb login --token-paste    # Skip browser, use token paste
  */
 
-import prompts from 'prompts'
+import { createServer } from 'node:http'
 import { writeAuth, readAuth, isExpired } from '../utils/auth.js'
+import { getBackendUrl } from '../utils/config.js'
 
 // Colors for terminal output
 const colors = {
@@ -33,21 +39,119 @@ function error(message) {
 }
 
 /**
- * Main login command handler
+ * Try to open a URL in the default browser.
+ * @param {string} url
+ * @returns {Promise<boolean>} Whether the browser was opened
  */
-export async function login(args = []) {
-  // Check if already logged in
-  const existing = await readAuth()
-  if (existing && !isExpired(existing)) {
-    console.log(`Already logged in as ${colors.bright}${existing.email}${colors.reset}`)
-    console.log(`${colors.dim}Run \`uniweb login\` again to switch accounts.${colors.reset}`)
-    console.log('')
+async function openBrowser(url) {
+  try {
+    const { exec } = await import('node:child_process')
+    const cmd = process.platform === 'darwin'
+      ? `open "${url}"`
+      : process.platform === 'win32'
+        ? `start "" "${url}"`
+        : `xdg-open "${url}"`
+
+    return new Promise((resolve) => {
+      exec(cmd, (err) => resolve(!err))
+    })
+  } catch {
+    return false
   }
+}
+
+/**
+ * Browser-based login flow.
+ *
+ * Starts a temp HTTP server, opens the browser to the PHP login page,
+ * waits for the callback with the JWT token.
+ *
+ * @param {string} backendUrl - PHP backend URL
+ * @param {number} [timeoutMs=120000] - Timeout in ms
+ * @returns {Promise<{ token: string, email: string } | null>}
+ */
+function browserLogin(backendUrl, timeoutMs = 120000) {
+  return new Promise((resolve) => {
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost`)
+      if (url.pathname !== '/callback') {
+        res.writeHead(404)
+        res.end('Not found')
+        return
+      }
+
+      const token = url.searchParams.get('token')
+      const email = url.searchParams.get('email')
+
+      if (!token) {
+        res.writeHead(400, { 'Content-Type': 'text/html' })
+        res.end('<h2>Login failed</h2><p>No token received. Please try again.</p>')
+        cleanup()
+        resolve(null)
+        return
+      }
+
+      res.writeHead(200, { 'Content-Type': 'text/html' })
+      res.end(`
+        <html>
+          <body style="font-family: system-ui, sans-serif; text-align: center; padding: 60px;">
+            <h2 style="color: #16a34a;">Login successful!</h2>
+            <p>You can close this window and return to your terminal.</p>
+          </body>
+        </html>
+      `)
+      cleanup()
+      resolve({ token, email: email || '' })
+    })
+
+    let timeout
+
+    function cleanup() {
+      clearTimeout(timeout)
+      server.close()
+    }
+
+    // Listen on a random port
+    server.listen(0, '127.0.0.1', async () => {
+      const port = server.address().port
+      const callbackUrl = `http://localhost:${port}/callback`
+      const loginUrl = `${backendUrl}/cli-auth.php?action=login&callback=${encodeURIComponent(callbackUrl)}`
+
+      console.log(`${colors.cyan}→${colors.reset} Opening browser for login...`)
+      console.log(`  ${colors.dim}${loginUrl}${colors.reset}`)
+      console.log('')
+
+      const opened = await openBrowser(loginUrl)
+      if (!opened) {
+        console.log(`${colors.yellow}⚠${colors.reset} Could not open browser.`)
+        console.log(`  Open this URL manually: ${colors.cyan}${loginUrl}${colors.reset}`)
+      }
+
+      console.log(`${colors.dim}Waiting for login... (${timeoutMs / 1000}s timeout)${colors.reset}`)
+    })
+
+    // Timeout
+    timeout = setTimeout(() => {
+      server.close()
+      resolve(null)
+    }, timeoutMs)
+
+    server.on('error', () => {
+      resolve(null)
+    })
+  })
+}
 
-  console.log('Log in to your Uniweb account at uniweb.app.')
+/**
+ * Token-paste login flow (fallback).
+ * @returns {Promise<{ token: string, email: string } | null>}
+ */
+async function tokenPasteLogin() {
+  const prompts = (await import('prompts')).default
+
+  console.log('Paste your token from the Uniweb login page.')
   console.log('')
 
-  // Phase 1: token-paste flow
   const response = await prompts([
     {
       type: 'text',
@@ -58,7 +162,7 @@ export async function login(args = []) {
     {
       type: 'password',
       name: 'token',
-      message: 'Token (from uniweb.app/cli-login):',
+      message: 'Token:',
       validate: (v) => (v ? true : 'Token is required'),
     },
   ], {
@@ -69,19 +173,58 @@ export async function login(args = []) {
   })
 
   if (!response.email || !response.token) {
+    return null
+  }
+
+  return { token: response.token, email: response.email }
+}
+
+/**
+ * Main login command handler
+ */
+export async function login(args = []) {
+  const forceTokenPaste = args.includes('--token-paste')
+
+  // Check if already logged in
+  const existing = await readAuth()
+  if (existing && !isExpired(existing)) {
+    console.log(`Already logged in as ${colors.bright}${existing.email}${colors.reset}`)
+    console.log(`${colors.dim}Continuing will replace the existing session.${colors.reset}`)
+    console.log('')
+  }
+
+  const backendUrl = getBackendUrl()
+  let result = null
+
+  if (!forceTokenPaste) {
+    // Try browser-based login
+    result = await browserLogin(backendUrl)
+
+    if (!result) {
+      console.log('')
+      console.log(`${colors.yellow}⚠${colors.reset} Browser login timed out or failed.`)
+      console.log(`  Falling back to token paste...`)
+      console.log('')
+      result = await tokenPasteLogin()
+    }
+  } else {
+    result = await tokenPasteLogin()
+  }
+
+  if (!result) {
     error('Login cancelled.')
     process.exit(1)
   }
 
-  // Store credentials
+  // Store credentials (JWT has 30-day expiry)
   await writeAuth({
-    token: response.token,
-    email: response.email,
+    token: result.token,
+    email: result.email,
     expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
   })
 
   console.log('')
-  success(`Logged in as ${colors.bright}${response.email}${colors.reset}`)
+  success(`Logged in as ${colors.bright}${result.email}${colors.reset}`)
 }
 
 export default login

package/src/commands/publish.js

@@ -18,6 +18,7 @@ import { execSync } from 'node:child_process'
 
 import { createLocalRegistry, RemoteRegistry } from '../utils/registry.js'
 import { ensureAuth, readAuth } from '../utils/auth.js'
+import { getRegistryUrl } from '../utils/config.js'
 import { findWorkspaceRoot, findFoundations, findSites, classifyPackage, promptSelect } from '../utils/workspace.js'
 import { isNonInteractive, getCliPrefix } from '../utils/interactive.js'
 
@@ -116,6 +117,17 @@ function parseRegistryUrl(args) {
   return args[idx + 1]
 }
 
+/**
+ * Parse --namespace <handle> from args.
+ * @param {string[]} args
+ * @returns {string|null}
+ */
+function parseNamespace(args) {
+  const idx = args.indexOf('--namespace')
+  if (idx === -1 || !args[idx + 1]) return null
+  return args[idx + 1]
+}
+
 /**
  * Parse --edit-access <policy> from args.
  * @param {string[]} args
@@ -140,6 +152,7 @@ export async function publish(args = []) {
   const isDryRun = args.includes('--dry-run')
   const registryUrl = parseRegistryUrl(args)
   const editAccess = parseEditAccess(args)
+  const namespaceFlag = parseNamespace(args)
 
   // 1. Resolve foundation directory
   const foundationDir = await resolveFoundationDir(args)
@@ -179,15 +192,56 @@ export async function publish(args = []) {
     process.exit(1)
   }
 
-  const name = schema._self?.name
+  const rawName = schema._self?.name
   const version = schema._self?.version
 
-  if (!name || !version) {
+  if (!rawName || !version) {
     error('dist/meta/schema.json missing _self.name or _self.version')
     console.log(`${colors.dim}  Ensure your package.json has "name" and "version" fields.${colors.reset}`)
     process.exit(1)
   }
 
+  // 3b. Resolve namespace (priority: --namespace flag > package.json uniweb.namespace > scoped name)
+  const pkg = JSON.parse(await readFile(join(foundationDir, 'package.json'), 'utf8'))
+  const uniwebNamespace = pkg.uniweb?.namespace
+  const scopedMatch = rawName.match(/^@([a-z0-9_-]+)\//)
+  const namespace = namespaceFlag || uniwebNamespace || scopedMatch?.[1]
+
+  if (!namespace) {
+    error('Namespace is required for publishing.')
+    console.log('')
+    console.log(`  ${colors.dim}Use one of:${colors.reset}`)
+    console.log(`    ${colors.cyan}uniweb publish --namespace <org-handle>${colors.reset}`)
+    console.log(`    ${colors.dim}Add ${colors.reset}"uniweb": { "namespace": "<org-handle>" }${colors.dim} to package.json${colors.reset}`)
+    console.log(`    ${colors.dim}Or use a scoped name: ${colors.reset}"name": "@org/foundation"${colors.dim} in package.json${colors.reset}`)
+    process.exit(1)
+  }
+
+  // Construct scoped name: @namespace/foundationName
+  const foundationName = scopedMatch ? rawName.slice(scopedMatch[0].length) : rawName
+  const name = `@${namespace}/${foundationName}`
+
+  // 3c. Advisory namespace check (Worker enforces — this is for early UX feedback)
+  if (!isLocal) {
+    const auth = await readAuth()
+    if (auth?.token) {
+      try {
+        const payload = JSON.parse(atob(auth.token.split('.')[1]))
+        if (payload.namespaces && !payload.namespaces.includes(namespace)) {
+          error(`You don't have publish access to namespace "${colors.bright}@${namespace}${colors.reset}"`)
+          if (payload.namespaces.length > 0) {
+            console.log(`  ${colors.dim}Your namespaces: ${payload.namespaces.map(n => '@' + n).join(', ')}${colors.reset}`)
+          } else {
+            console.log(`  ${colors.dim}You don't belong to any organizations. Ask an admin to add you.${colors.reset}`)
+          }
+          process.exit(1)
+        }
+      } catch {
+        // JWT decode failed — let the Worker validate
+      }
+    }
+  }
+
   // 4. Create registry (local or remote)
   const isRemote = !isLocal
   let registry
@@ -198,7 +252,7 @@ export async function publish(args = []) {
     // Remote publish — ensure authenticated (inline login if needed)
     const token = await ensureAuth({ command: 'Publishing' })
 
-    const url = registryUrl || process.env.UNIWEB_REGISTRY_URL || 'http://localhost:4001'
+    const url = registryUrl || getRegistryUrl()
     registry = new RemoteRegistry(url, token)
   }
 

package/src/utils/auth.js

@@ -88,63 +88,21 @@ export async function ensureAuth({ command = 'This command' } = {}) {
     return auth.token
   }
 
-  // Need to log in
-  const prompts = (await import('prompts')).default
-
+  // Need to log in — delegate to the login command
   if (auth && isExpired(auth)) {
     console.log(`\x1b[33mSession expired.\x1b[0m ${command} requires a Uniweb account.\n`)
   } else {
     console.log(`${command} requires a Uniweb account.\n`)
   }
 
-  const { action } = await prompts({
-    type: 'select',
-    name: 'action',
-    message: 'What would you like to do?',
-    choices: [
-      { title: 'Log in (paste token from uniweb.app/cli-login)', value: 'login' },
-      { title: 'Cancel', value: 'cancel' },
-    ],
-  }, {
-    onCancel: () => {
-      process.exit(0)
-    },
-  })
-
-  if (action !== 'login') {
-    process.exit(0)
-  }
-
-  const response = await prompts([
-    {
-      type: 'text',
-      name: 'email',
-      message: 'Email:',
-      validate: (v) => (v && v.includes('@') ? true : 'Enter a valid email'),
-    },
-    {
-      type: 'password',
-      name: 'token',
-      message: 'Token:',
-      validate: (v) => (v ? true : 'Token is required'),
-    },
-  ], {
-    onCancel: () => {
-      process.exit(0)
-    },
-  })
+  const { login } = await import('../commands/login.js')
+  await login([])
 
-  if (!response.email || !response.token) {
+  // Re-read auth after login
+  const newAuth = await readAuth()
+  if (!newAuth?.token) {
     process.exit(1)
   }
 
-  await writeAuth({
-    token: response.token,
-    email: response.email,
-    expiresAt: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
-  })
-
-  console.log(`\n\x1b[32m✓\x1b[0m Logged in as \x1b[1m${response.email}\x1b[0m\n`)
-
-  return response.token
+  return newAuth.token
 }

package/src/utils/config.js

@@ -5,12 +5,70 @@
  * Used by both `create` and `add` commands.
  */
 
-import { existsSync } from 'node:fs'
+import { existsSync, readFileSync } from 'node:fs'
 import { readFile, writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
+import { homedir } from 'node:os'
 import yaml from 'js-yaml'
 import { filterCmd } from './pm.js'
 
+// ── Platform URLs ──────────────────────────────────────────────
+
+// Production defaults — regular users get these out of the box
+const PRODUCTION_BACKEND_URL = 'https://uniweb.app'
+const PRODUCTION_REGISTRY_URL = 'https://site-router.uniweb-edge.workers.dev'
+
+/**
+ * Read ~/.uniweb/config.json for persistent URL overrides.
+ * Platform developers use this to point CLI to local servers.
+ *
+ * Example ~/.uniweb/config.json:
+ *   { "backendUrl": "http://127.0.0.1:8002", "registryUrl": "http://localhost:4001" }
+ *
+ * @returns {{ backendUrl?: string, registryUrl?: string }}
+ */
+let _cliConfig = undefined
+function readCliConfig() {
+  if (_cliConfig !== undefined) return _cliConfig
+
+  try {
+    const configPath = join(homedir(), '.uniweb', 'config.json')
+    if (existsSync(configPath)) {
+      _cliConfig = JSON.parse(readFileSync(configPath, 'utf8'))
+      return _cliConfig
+    }
+  } catch {
+    // ignore
+  }
+
+  _cliConfig = {}
+  return _cliConfig
+}
+
+/**
+ * Get the PHP backend URL.
+ *
+ * Priority: env var > ~/.uniweb/config.json > production default
+ * @returns {string}
+ */
+export function getBackendUrl() {
+  return process.env.UNIWEB_BACKEND_URL
+    || readCliConfig().backendUrl
+    || PRODUCTION_BACKEND_URL
+}
+
+/**
+ * Get the registry API URL (Cloudflare Worker or local unicloud).
+ *
+ * Priority: env var > ~/.uniweb/config.json > production default
+ * @returns {string}
+ */
+export function getRegistryUrl() {
+  return process.env.UNIWEB_REGISTRY_URL
+    || readCliConfig().registryUrl
+    || PRODUCTION_REGISTRY_URL
+}
+
 /**
  * Read workspace package globs.
  * Tries pnpm-workspace.yaml first, falls back to package.json workspaces.

package/src/utils/registry.js

@@ -42,7 +42,8 @@ export function getRegistryDir(startDir = process.cwd()) {
  * @returns {string}
  */
 function sanitizeName(name) {
-  return name.replace(/\//g, '__')
+  // Strip leading @ for directory structure: @org/name → org/name
+  return name.startsWith('@') ? name.slice(1) : name
 }
 
 /**
@@ -256,7 +257,7 @@ export class RemoteRegistry {
    * @returns {Promise<Object>}
    */
   async createInvite(foundationName, payload) {
-    const res = await fetch(`${this.apiUrl}/api/foundations/${foundationName}/invites`, {
+    const res = await fetch(`${this.apiUrl}/api/foundations/${encodeURIComponent(foundationName)}/invites`, {
       method: 'POST',
       headers: this._authHeaders(),
       body: JSON.stringify(payload),
@@ -274,7 +275,7 @@ export class RemoteRegistry {
    * @returns {Promise<Array>}
    */
   async listInvites(foundationName) {
-    const res = await fetch(`${this.apiUrl}/api/foundations/${foundationName}/invites`, {
+    const res = await fetch(`${this.apiUrl}/api/foundations/${encodeURIComponent(foundationName)}/invites`, {
       headers: this._authHeaders(),
     })
     const body = await res.json()
@@ -291,7 +292,7 @@ export class RemoteRegistry {
    * @returns {Promise<Object>}
    */
   async revokeInvite(foundationName, inviteId) {
-    const res = await fetch(`${this.apiUrl}/api/foundations/${foundationName}/invites/${inviteId}`, {
+    const res = await fetch(`${this.apiUrl}/api/foundations/${encodeURIComponent(foundationName)}/invites/${inviteId}`, {
       method: 'DELETE',
       headers: this._authHeaders(),
     })
@@ -309,7 +310,7 @@ export class RemoteRegistry {
    * @returns {Promise<Object>}
    */
   async resendInvite(foundationName, inviteId) {
-    const res = await fetch(`${this.apiUrl}/api/foundations/${foundationName}/invites/${inviteId}/resend`, {
+    const res = await fetch(`${this.apiUrl}/api/foundations/${encodeURIComponent(foundationName)}/invites/${inviteId}/resend`, {
       method: 'POST',
       headers: this._authHeaders(),
     })