flowstash-cli 0.7.3__tar.gz → 0.8.0__tar.gz

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: flowstash-cli
-Version: 0.7.3
+Version: 0.8.0
 Summary: CLI for the flowstash Managed Platform
 Author: juraj.bezdek@gmail.com
 Author-email: juraj.bezdek@gmail.com
@@ -9,7 +9,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
-Requires-Dist: flowstash-runtime (>=0.7.3,<0.8.0)
+Requires-Dist: flowstash-runtime (>=0.8.0,<0.9.0)
 Requires-Dist: httpx (>=0.27.0)
 Requires-Dist: keyring (>=25.0.0)
 Requires-Dist: libcst (>=1.1.0)

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/pyproject.toml

@@ -1,11 +1,11 @@
 [project]
 name = "flowstash-cli"
-version = "0.7.3"
+version = "0.8.0"
 description = "CLI for the flowstash Managed Platform"
 authors = [{name = "juraj.bezdek@gmail.com", email = "juraj.bezdek@gmail.com"}]
 requires-python = ">=3.11"
 dependencies = [
-    "flowstash-runtime>=0.7.3,<0.8.0",
+    "flowstash-runtime>=0.8.0,<0.9.0",
     "typer[all]>=0.12.0",
     "httpx>=0.27.0",
     "pyyaml>=6.0.1",

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/commands/apikey.py

@@ -24,7 +24,7 @@ from rich.prompt import Prompt
 from rich.table import Table
 
 from ..core.api_client import APIClient
-from ..core.config import get_access_token
+from ..core.config import get_access_token, resolve_credentials
 
 app = typer.Typer(
     name="api-keys",
@@ -103,9 +103,10 @@ def _create_key(
     label: Optional[str],
     scope: Optional[str],
     env: Optional[str],
+    user: Optional[str] = None,
 ):
     """Shared implementation for 'new' and 'create'."""
-    token = get_access_token()
+    token = resolve_credentials(user=user)
     if not token:
         console.print("[red]Not logged in. Run 'flowstash login' first.[/red]")
         raise typer.Exit(code=1)
@@ -138,7 +139,7 @@ def _create_key(
         )
 
     async def _create():
-        api = APIClient()
+        api = APIClient(token=token)
         return await api.post("/v1/api-keys", json={"label": label, "scopes": [scope]})
 
     try:
@@ -175,9 +176,12 @@ def apikey_new(
     env: Optional[str] = typer.Option(
         None, "--env", "-e", help="Write key to this environment's .env file"
     ),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """Create a new API key and optionally write it to an environment .env file."""
-    _create_key(label=label, scope=scope, env=env)
+    _create_key(label=label, scope=scope, env=env, user=user)
 
 
 @app.command("create")
@@ -191,21 +195,28 @@ def apikey_create(
     env: Optional[str] = typer.Option(
         None, "--env", "-e", help="Write key to this environment's .env file"
     ),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """Create a new API key (alias for 'new')."""
-    _create_key(label=label, scope=scope, env=env)
+    _create_key(label=label, scope=scope, env=env, user=user)
 
 
 @app.command("list")
-def apikey_list():
+def apikey_list(
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
+):
     """List all active API keys for the current tenant."""
-    token = get_access_token()
+    token = resolve_credentials(user=user)
     if not token:
         console.print("[red]Not logged in. Run 'flowstash login' first.[/red]")
         raise typer.Exit(code=1)
 
     async def _list():
-        api = APIClient()
+        api = APIClient(token=token)
         return await api.get("/v1/api-keys")
 
     try:
@@ -244,9 +255,12 @@ def apikey_list():
 def apikey_revoke(
     key_id: str = typer.Argument(..., help="Key ID to revoke (e.g. key-a3b2c1d4)"),
     yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation prompt"),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """Revoke an API key immediately."""
-    token = get_access_token()
+    token = resolve_credentials(user=user)
     if not token:
         console.print("[red]Not logged in. Run 'flowstash login' first.[/red]")
         raise typer.Exit(code=1)
@@ -261,7 +275,7 @@ def apikey_revoke(
             return
 
     async def _revoke():
-        api = APIClient()
+        api = APIClient(token=token)
         return await api.delete(f"/v1/api-keys/{key_id}")
 
     try:

flowstash_cli-0.8.0/src/flowstash/cli/commands/auth.py

@@ -0,0 +1,286 @@
+from typing import Optional
+import typer
+import webbrowser
+import secrets
+from rich.console import Console
+from rich.table import Table
+import asyncio
+import httpx
+from ..core.auth_server import start_callback_server, find_available_port
+from ..core.api_client import APIClient
+from ..core.config import (
+    load_global_config,
+    get_access_token,
+    delete_access_token,
+    load_project_config,
+    save_project_config,
+    register_user,
+    resolve_credentials,
+    get_token_for_user,
+    ProjectConfig,
+)
+
+app = typer.Typer()
+console = Console()
+import os
+
+API_URL = os.getenv("FLOWSTASH_API_URL", "https://api.flowstash.dev")
+
+
+async def _fetch_user_info(token: str) -> Optional[dict]:
+    """Fetch /v1/auth/me using an explicit token (used right after login)."""
+    try:
+        async with httpx.AsyncClient(timeout=10.0) as client:
+            resp = await client.get(
+                f"{API_URL}/v1/auth/me",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+            resp.raise_for_status()
+            return resp.json()
+    except Exception:
+        return None
+
+
+@app.command()
+def login(
+    username: Optional[str] = typer.Option(
+        None, "--username", "-u", help="Username / email for manual login"
+    ),
+    password: Optional[str] = typer.Option(
+        None, "--password", "-p", help="Password for manual login"
+    ),
+):
+    """Log in to the flowstash Managed Platform.
+
+    Multiple accounts are supported — logging in as a new user does NOT
+    log out existing sessions.  Use [bold]flowstash accounts[/bold] to see
+    all active sessions.
+    """
+    # ── Existing-account check ──────────────────────────────────────────────
+    global_config = load_global_config()
+    if global_config.accounts:
+        console.print("[bold]You already have logged-in accounts:[/bold]")
+        for i, acc in enumerate(global_config.accounts, 1):
+            label = (
+                f"{acc.display_name} ({acc.email})" if acc.display_name else acc.email
+            )
+            console.print(f"  {i}. {label}")
+        new_idx = len(global_config.accounts) + 1
+        console.print(f"  {new_idx}. Login as a new user")
+
+        raw = typer.prompt("Select an option", default=str(new_idx))
+        try:
+            choice = int(raw)
+        except ValueError:
+            choice = new_idx
+
+        if 1 <= choice <= len(global_config.accounts):
+            selected = global_config.accounts[choice - 1]
+            project_config = load_project_config() or ProjectConfig()
+            project_config.linked_user = selected.email
+            save_project_config(project_config)
+            console.print(
+                f"[green]Project account set to: [bold]{selected.email}[/bold][/green]"
+            )
+            return
+        # else: fall through to normal login flow
+
+    if username and password:
+        console.print(f"Logging in to {API_URL} as {username}...")
+
+        async def do_login():
+            async with httpx.AsyncClient() as client:
+                try:
+                    resp = await client.post(
+                        f"{API_URL}/v1/auth/login",
+                        json={"email": username, "password": password},
+                    )
+                    resp.raise_for_status()
+                    return resp.json()
+                except Exception as e:
+                    console.print(f"[red]Login failed: {e}[/red]")
+                    return None
+
+        result = asyncio.run(do_login())
+        if not result:
+            raise typer.Exit(code=1)
+
+        access_token = result.get("access_token")
+        if not access_token:
+            console.print("[red]No access token in response.[/red]")
+            raise typer.Exit(code=1)
+
+        # Resolve the canonical email from the API (may differ from what was typed)
+        user_info = asyncio.run(_fetch_user_info(access_token))
+        email = (
+            (user_info.get("email") or user_info.get("username") or username)
+            if user_info
+            else username
+        )
+        tenant_id = (user_info or result).get("tenant_id")
+        display_name = user_info.get("name") if user_info else None
+
+        register_user(
+            email, access_token, display_name=display_name, tenant_id=tenant_id
+        )
+        console.print(
+            f"[green]Logged in as: [bold]{email}[/bold] (tenant: {tenant_id})[/green]"
+        )
+        return
+
+    # Browser / OAuth login
+    state = secrets.token_urlsafe(16)
+    try:
+        port = find_available_port(8500)
+    except RuntimeError as exc:
+        console.print(f"[red]{exc}[/red]")
+        raise typer.Exit(code=1)
+    callback_url = f"http://localhost:{port}/callback"
+    login_url = (
+        API_URL.replace("api", "app")
+        + f"/cli-login?redirect_uri={callback_url}&state={state}"
+    )
+
+    console.print("Opening your browser to authenticate...")
+    console.print(
+        f"If the browser doesn't open, visit: [link={login_url}]{login_url}[/link]"
+    )
+
+    webbrowser.open(login_url)
+
+    console.print("Waiting for authentication...")
+    result = start_callback_server(port)
+
+    if not result:
+        console.print("[red]Authentication timed out or failed.[/red]")
+        raise typer.Exit(code=1)
+
+    if result.get("state") != state:
+        console.print(
+            "[red]Invalid state received. Auth session might be compromised.[/red]"
+        )
+        raise typer.Exit(code=1)
+
+    access_token = result.get("access_token")
+    if not access_token:
+        console.print("[red]No access token received.[/red]")
+        raise typer.Exit(code=1)
+
+    user_info = asyncio.run(_fetch_user_info(access_token))
+    email = user_info.get("email") or user_info.get("username") if user_info else None
+    tenant_id = (user_info or result).get("tenant_id")
+    display_name = user_info.get("name") if user_info else None
+
+    if not email:
+        print(user_info)
+        console.print(
+            "[red]Could not determine account email from server response.[/red]"
+        )
+        raise typer.Exit(code=1)
+
+    register_user(email, access_token, display_name=display_name, tenant_id=tenant_id)
+    console.print(
+        f"[green]Logged in as: [bold]{email}[/bold] (tenant: {tenant_id})[/green]"
+    )
+
+
+@app.command()
+def logout(
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account email to log out (default: current user)"
+    ),
+):
+    """Log out from the flowstash Managed Platform.
+
+    Pass [bold]--user[/bold] to log out a specific account while keeping
+    other sessions active.
+    """
+    delete_access_token(email=user)
+    label = f" ({user})" if user else ""
+    console.print(f"[yellow]Logged out{label} successfully.[/yellow]")
+
+
+@app.command()
+def accounts():
+    """List all logged-in accounts."""
+    config = load_global_config()
+    if not config.accounts:
+        console.print("No accounts logged in. Run [bold]flowstash login[/bold] first.")
+        return
+
+    table = Table(
+        title="Logged-in Accounts", show_header=True, header_style="bold cyan"
+    )
+    table.add_column("Email")
+    table.add_column("Display Name")
+    table.add_column("Tenant")
+    table.add_column("Active", justify="center")
+
+    for acc in config.accounts:
+        is_current = "[green]✓[/green]" if acc.email == config.current_user else ""
+        table.add_row(
+            acc.email,
+            acc.display_name or "[dim]—[/dim]",
+            acc.tenant_id or "[dim]—[/dim]",
+            is_current,
+        )
+
+    console.print(table)
+
+
+def _fetch_current_user(token: Optional[str] = None) -> Optional[dict]:
+    try:
+        client = APIClient(token=token) if token else APIClient()
+        return asyncio.run(client.get("/v1/auth/me"))
+    except Exception:
+        return None
+
+
+@app.command()
+def whoami(
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Show status for a specific account"
+    ),
+):
+    """Show current login status."""
+    token = resolve_credentials(user=user)
+    global_config = load_global_config()
+    project_config = load_project_config()
+
+    if token:
+        console.print(f"API URL: {global_config.api_url}")
+        user_info = _fetch_current_user(token=token)
+        login = None
+        tenant_id = None
+
+        if user_info:
+            login = (
+                user_info.get("email")
+                or user_info.get("username")
+                or user_info.get("login")
+            )
+            tenant_id = user_info.get("tenant_id")
+        elif project_config:
+            login = project_config.user_email
+            tenant_id = project_config.tenant_id
+
+        if login:
+            console.print(f"Logged in as: [bold]{login}[/bold]")
+        if tenant_id:
+            console.print(f"Tenant: [bold]{tenant_id}[/bold]")
+
+        if project_config:
+            console.print(f"Current Project: [bold]{project_config.project_id}[/bold]")
+            if project_config.linked_user:
+                console.print(
+                    f"Project Account: [bold]{project_config.linked_user}[/bold]"
+                )
+        elif not user_info:
+            console.print("Logged in, but no project context found in this directory.")
+
+        # Show all sessions summary
+        if global_config.accounts and len(global_config.accounts) > 1:
+            other = [a.email for a in global_config.accounts if a.email != login]
+            console.print(f"[dim]Other active sessions: {', '.join(other)}[/dim]")
+    else:
+        console.print("Not logged in.")

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/commands/build.py

@@ -1,3 +1,4 @@
+from typing import Optional
 import typer
 import asyncio
 import time
@@ -5,7 +6,7 @@ from pathlib import Path
 from rich.console import Console
 from rich.progress import Progress, SpinnerColumn, TextColumn
 from ..core.api_client import APIClient
-from ..core.config import load_project_config
+from ..core.config import load_project_config, resolve_credentials
 from ..core.builder import bundle_source
 
 import subprocess
@@ -21,7 +22,7 @@ from ..core.docker_utils import (
 )
 
 
-async def run_managed_build(tag: str = "latest"):
+async def run_managed_build(tag: str = "latest", user: Optional[str] = None):
     project_config = load_project_config()
     if not project_config or not project_config.project_id:
         console.print(
@@ -29,7 +30,12 @@ async def run_managed_build(tag: str = "latest"):
         )
         raise typer.Exit(code=1)
 
-    api = APIClient()
+    token = resolve_credentials(user=user)
+    if not token:
+        console.print("[red]Not logged in. Run 'flowstash login' first.[/red]")
+        raise typer.Exit(code=1)
+
+    api = APIClient(token=token)
     # ... rest of existing managed build logic ...
     # (I'll keep the existing implementation but wrap it)
 
@@ -38,6 +44,9 @@ async def run_managed_build(tag: str = "latest"):
 def build(
     env: str = typer.Argument(..., help="Environment to build"),
     tag: str = typer.Option("latest", "--tag", "-t", help="Tag for the image"),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """Build project artifacts/images for the specified environment."""
     project_config = load_project_config()
@@ -51,7 +60,7 @@ def build(
                 break
 
     if is_managed:
-        result = asyncio.run(run_build_flow(tag))
+        result = asyncio.run(run_build_flow(tag, user=user))
         console.print(f"[green]Managed build completed successfully![/green]")
         console.print(f"Artifact ID: [bold]{result['artifact_id']}[/bold]")
     else:
@@ -82,11 +91,15 @@ def build(
             raise typer.Exit(code=1)
 
 
-async def run_build_flow(tag: str = "latest"):
+async def run_build_flow(tag: str = "latest", user: Optional[str] = None):
     # (Moved existing run_build_flow logic here for completeness in the file)
     project_config = load_project_config()
     project_id = project_config.project_id
-    api = APIClient()
+    token = resolve_credentials(user=user)
+    if not token:
+        console.print("[red]Not logged in. Run 'flowstash login' first.[/red]")
+        raise typer.Exit(code=1)
+    api = APIClient(token=token)
 
     try:
         with Progress(

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/commands/deploy.py

@@ -5,7 +5,7 @@ from pathlib import Path
 from rich.console import Console
 from rich.progress import Progress, SpinnerColumn, TextColumn
 from ..core.api_client import APIClient
-from ..core.config import load_project_config
+from ..core.config import load_project_config, resolve_credentials
 from .build import run_build_flow
 import flowstash.runtime
 
@@ -26,7 +26,9 @@ _STATUS_LABELS = {
 _TERMINAL_STATUSES = {"DEPLOYED", "FAILED"}
 
 
-async def run_deploy_flow(env: str, artifact_id: Optional[str] = None):
+async def run_deploy_flow(
+    env: str, artifact_id: Optional[str] = None, user: Optional[str] = None
+):
     project_config = load_project_config()
     if not project_config:
         console.print(
@@ -39,12 +41,17 @@ async def run_deploy_flow(env: str, artifact_id: Optional[str] = None):
         console.print("[red]project_id not found in .flowstash[/red]")
         raise typer.Exit(code=1)
 
-    api = APIClient()
+    token = resolve_credentials(user=user)
+    if not token:
+        console.print("[red]Not logged in. Run 'flowstash login' first.[/red]")
+        raise typer.Exit(code=1)
+
+    api = APIClient(token=token)
 
     # 1. If artifact_id is not provided, run build first
     if not artifact_id:
         console.print("No artifact ID provided. Building first...")
-        build_result = await run_build_flow()
+        build_result = await run_build_flow(user=user)
         artifact_id = build_result["artifact_id"]
         console.print(f"Build finished. Deploying artifact: [bold]{artifact_id}[/bold]")
 
@@ -97,6 +104,9 @@ def deploy(
         None, "--artifact", "-a", help="Artifact ID to deploy"
     ),
     yes: bool = typer.Option(False, "--yes", "-y", help="Do not ask for confirmation"),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """Deploy an artifact to the managed platform for a specified environment."""
     project_config = load_project_config()
@@ -140,7 +150,7 @@ def deploy(
             ):
                 from .project import _link_project
 
-                _link_project(project_config)
+                _link_project(project_config, user=user)
                 project_id = project_config.project_id
 
         if not project_id:
@@ -149,7 +159,7 @@ def deploy(
             )
             raise typer.Exit(code=1)
 
-    result = asyncio.run(run_deploy_flow(env, artifact))
+    result = asyncio.run(run_deploy_flow(env, artifact, user=user))
 
     api_url = result.get("api_url", "")
     console.print(f"[green]✓ Deployment complete![/green]")

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/commands/project.py

@@ -11,6 +11,7 @@ import questionary
 from ..core.api_client import APIClient
 from ..core.config import (
     get_access_token,
+    resolve_credentials,
     load_project_config,
     save_project_config,
     ProjectConfig,
@@ -714,15 +715,15 @@ def init(
     console.print("[green]Initialization/Repair complete![/green]")
 
 
-def _link_project(config: ProjectConfig):
-    token = get_access_token()
+def _link_project(config: ProjectConfig, user: Optional[str] = None):
+    token = resolve_credentials(user=user)
     if not token:
         console.print(
             "[yellow]Not logged in. Use 'flowstash login' to link to a managed project.[/yellow]"
         )
         return
 
-    api = APIClient()
+    api = APIClient(token=token)
     try:
         projects_data = asyncio.run(api.get("/v1/projects"))
         projects = projects_data.get("projects", [])
@@ -756,7 +757,8 @@ def _link_project(config: ProjectConfig):
         user_info = asyncio.run(api.get("/v1/auth/me"))
         config.tenant_id = user_info["tenant_id"]
         config.user_email = user_info.get("email")
-    except:
+        config.linked_user = user_info.get("email")  # pin project to this account
+    except Exception:
         config.tenant_id = "default"
 
     config.project_id = project_id

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/core/api_client.py

@@ -4,13 +4,14 @@ from .config import load_global_config, get_access_token
 
 
 class APIClient:
-    def __init__(self):
+    def __init__(self, token: Optional[str] = None):
         self.config = load_global_config()
         self.base_url = self.config.api_url.rstrip("/")
+        self._token = token  # explicit token takes priority over resolved one
 
     def _get_headers(self) -> Dict[str, str]:
         headers = {}
-        token = get_access_token()
+        token = self._token if self._token is not None else get_access_token()
         if token:
             headers["Authorization"] = f"Bearer {token}"
         return headers
@@ -23,7 +24,9 @@ class APIClient:
             response.raise_for_status()
             return response.json()
 
-    async def post(self, path: str, json: Optional[Dict[str, Any]] = None, timeout: float = 30.0):
+    async def post(
+        self, path: str, json: Optional[Dict[str, Any]] = None, timeout: float = 30.0
+    ):
         async with httpx.AsyncClient(timeout=timeout) as client:
             response = await client.post(
                 f"{self.base_url}{path}", json=json, headers=self._get_headers()

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/core/auth_server.py

@@ -1,6 +1,7 @@
 from typing import Dict, Optional
 import threading
 import queue
+import socket
 from http.server import HTTPServer, BaseHTTPRequestHandler
 from urllib.parse import urlparse, parse_qs
 
@@ -30,6 +31,21 @@ class CallbackHandler(BaseHTTPRequestHandler):
         # Suppress logging
         pass
 
+def find_available_port(start: int = 8500, max_attempts: int = 10) -> int:
+    """Return the first free TCP port starting from *start*, trying up to *max_attempts* ports."""
+    for offset in range(max_attempts):
+        port = start + offset
+        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+            try:
+                s.bind(("127.0.0.1", port))
+                return port
+            except OSError:
+                continue
+    raise RuntimeError(
+        f"No available port found in range {start}–{start + max_attempts - 1}"
+    )
+
+
 def start_callback_server(port: int = 8888) -> Dict[str, str]:
     server = HTTPServer(('127.0.0.1', port), CallbackHandler)
     thread = threading.Thread(target=server.serve_forever, daemon=True)

flowstash_cli-0.8.0/src/flowstash/cli/core/config.py

@@ -0,0 +1,200 @@
+from typing import List
+from pydantic import Field
+import os
+from pathlib import Path
+from typing import Optional, Dict, Any
+import yaml
+import keyring
+from pydantic import BaseModel
+
+flowstash_DIR = Path.home() / ".flowstash"
+GLOBAL_CONFIG_FILE = flowstash_DIR / "config.yaml"
+PROJECT_CONFIG_FILE = ".flowstash"
+
+SERVICE_NAME = "flowstash"
+TOKEN_KEY = "access_token"  # legacy key – kept for migration only
+
+
+class UserAccount(BaseModel):
+    email: str
+    display_name: Optional[str] = None
+    tenant_id: Optional[str] = None
+
+
+class GlobalConfig(BaseModel):
+    api_url: str = os.getenv("FLOWSTASH_API_URL", "https://api.flowstash.dev")
+    accounts: List[UserAccount] = Field(default_factory=list)
+    current_user: Optional[str] = None  # email of last-used account
+
+
+class EnvironmentMode(BaseModel):
+    name: str
+    managed: bool = False
+    options: Dict[str, str] = Field(default_factory=dict)
+
+
+class ProjectConfig(BaseModel):
+    project_name: Optional[str] = None
+    project_id: Optional[str] = None
+    tenant_id: Optional[str] = None
+    user_email: Optional[str] = None
+    linked_user: Optional[str] = None  # email pinned to this project
+    environments: List[EnvironmentMode] = Field(default_factory=list)
+
+
+def load_global_config() -> GlobalConfig:
+    if not GLOBAL_CONFIG_FILE.exists():
+        return GlobalConfig()
+
+    try:
+        with open(GLOBAL_CONFIG_FILE, "r") as f:
+            data = yaml.safe_load(f) or {}
+            return GlobalConfig(**data)
+    except Exception:
+        return GlobalConfig()
+
+
+def save_global_config(config: GlobalConfig):
+    flowstash_DIR.mkdir(parents=True, exist_ok=True)
+    with open(GLOBAL_CONFIG_FILE, "w") as f:
+        yaml.safe_dump(config.model_dump(), f)
+
+
+# ---------------------------------------------------------------------------
+# Per-user token helpers
+# ---------------------------------------------------------------------------
+
+
+def _user_token_key(email: str) -> str:
+    return f"token:{email}"
+
+
+def set_token_for_user(email: str, token: str) -> None:
+    keyring.set_password(SERVICE_NAME, _user_token_key(email), token)
+
+
+def get_token_for_user(email: str) -> Optional[str]:
+    return keyring.get_password(SERVICE_NAME, _user_token_key(email))
+
+
+def delete_token_for_user(email: str) -> None:
+    try:
+        keyring.delete_password(SERVICE_NAME, _user_token_key(email))
+    except keyring.errors.PasswordDeleteError:
+        pass
+
+
+def register_user(
+    email: str,
+    token: str,
+    display_name: Optional[str] = None,
+    tenant_id: Optional[str] = None,
+) -> None:
+    """Persist a new (or updated) login session without evicting other users."""
+    set_token_for_user(email, token)
+    config = load_global_config()
+    existing = next((a for a in config.accounts if a.email == email), None)
+    if existing:
+        if display_name:
+            existing.display_name = display_name
+        if tenant_id:
+            existing.tenant_id = tenant_id
+    else:
+        config.accounts.append(
+            UserAccount(email=email, display_name=display_name, tenant_id=tenant_id)
+        )
+    config.current_user = email
+    save_global_config(config)
+
+
+def resolve_credentials(user: Optional[str] = None) -> Optional[str]:
+    """
+    Resolve an access token using the priority chain:
+      1. Explicit user (--user flag)
+      2. Project-linked user (.flowstash linked_user)
+      3. Global current_user (last logged-in)
+      4. Legacy 'access_token' keyring key (backward compat)
+      5. FLOWSTASH_USER env var acts as implicit --user when set
+    """
+    # env-var override (useful for CI)
+    effective_user = user or os.getenv("FLOWSTASH_USER")
+    if effective_user:
+        return get_token_for_user(effective_user)
+
+    project_config = load_project_config()
+    if project_config and project_config.linked_user:
+        token = get_token_for_user(project_config.linked_user)
+        if token:
+            return token
+
+    global_config = load_global_config()
+    if global_config.current_user:
+        token = get_token_for_user(global_config.current_user)
+        if token:
+            return token
+
+    # Legacy migration path
+    return keyring.get_password(SERVICE_NAME, TOKEN_KEY)
+
+
+# ---------------------------------------------------------------------------
+# Legacy helpers (kept for backward compat / tests)
+# ---------------------------------------------------------------------------
+
+
+def get_access_token() -> Optional[str]:
+    """Backward-compatible accessor. Prefer resolve_credentials() for new code."""
+    return resolve_credentials()
+
+
+def set_access_token(token: str) -> None:
+    """Legacy setter – stores under the old single-token key only."""
+    keyring.set_password(SERVICE_NAME, TOKEN_KEY, token)
+
+
+def delete_access_token(email: Optional[str] = None) -> None:
+    """Log out one user (or the current user when email is None)."""
+    if not email:
+        config = load_global_config()
+        email = config.current_user
+
+    if email:
+        delete_token_for_user(email)
+        config = load_global_config()
+        config.accounts = [a for a in config.accounts if a.email != email]
+        if config.current_user == email:
+            config.current_user = config.accounts[-1].email if config.accounts else None
+        save_global_config(config)
+    else:
+        # Legacy fallback
+        try:
+            keyring.delete_password(SERVICE_NAME, TOKEN_KEY)
+        except keyring.errors.PasswordDeleteError:
+            pass
+
+
+def load_project_config() -> Optional[ProjectConfig]:
+    path = Path(PROJECT_CONFIG_FILE)
+    if not path.exists():
+        return None
+
+    try:
+        with open(path, "r") as f:
+            data = yaml.safe_load(f) or {}
+            return ProjectConfig(**data)
+    except Exception:
+        return None
+
+
+def save_project_config(config: ProjectConfig):
+    with open(PROJECT_CONFIG_FILE, "w") as f:
+        yaml.safe_dump(config.model_dump(), f)
+
+
+# Legacy aliases
+def load_config() -> GlobalConfig:
+    return load_global_config()
+
+
+def save_config(config: GlobalConfig):
+    save_global_config(config)

{flowstash_cli-0.7.3 → flowstash_cli-0.8.0}/src/flowstash/cli/main.py

@@ -242,6 +242,9 @@ def build(
     env: str = typer.Argument("dev", help="Environment to build (default: local)"),
     tag: str = typer.Option("latest", "--tag", "-t", help="Tag for the image"),
     yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation prompts"),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """
     [bold yellow]Build[/bold yellow] project artifacts/images.
@@ -276,7 +279,7 @@ def build(
                 console.print(f"[red]Environment '{env}' not found.[/red]")
                 raise typer.Exit(code=1)
 
-    build_cmds.build(env=env, tag=tag)
+    build_cmds.build(env=env, tag=tag, user=user)
 
 
 @app.command()
@@ -287,6 +290,9 @@ def deploy(
         None, "--artifact", "-a", help="Artifact ID to deploy"
     ),
     yes: bool = typer.Option(False, "--yes", "-y", help="Skip confirmation prompts"),
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account to use (default: project-linked or current)"
+    ),
 ):
     """
     [bold cyan]Deploy[/bold cyan] your project to the flowstash Managed Platform.
@@ -347,25 +353,43 @@ def deploy(
             )
             raise typer.Exit(code=1)
 
-    deploy_cmds.deploy(env=env, artifact=artifact, yes=yes)
+    deploy_cmds.deploy(env=env, artifact=artifact, yes=yes, user=user)
 
 
 @app.command()
-def whoami():
+def whoami(
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Show status for a specific account"
+    ),
+):
     """Show current login status."""
-    auth_cmds.whoami()
+    auth_cmds.whoami(user=user)
 
 
 @app.command("logged-in")
-def logged_in():
+def logged_in(
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Show status for a specific account"
+    ),
+):
     """Show who is currently logged in."""
-    auth_cmds.whoami()
+    auth_cmds.whoami(user=user)
 
 
 @app.command()
-def logout():
+def logout(
+    user: Optional[str] = typer.Option(
+        None, "--user", "-u", help="Account email to log out (default: current user)"
+    ),
+):
     """Log out from the platform."""
-    auth_cmds.logout()
+    auth_cmds.logout(user=user)
+
+
+@app.command()
+def accounts():
+    """List all logged-in accounts."""
+    auth_cmds.accounts()
 
 
 @app.command()

flowstash_cli-0.7.3/src/flowstash/cli/commands/auth.py

@@ -1,151 +0,0 @@
-from typing import Optional
-import typer
-import webbrowser
-import uuid
-import secrets
-from rich.console import Console
-import asyncio
-import httpx
-from ..core.auth_server import start_callback_server
-from ..core.api_client import APIClient
-from ..core.config import (
-    load_global_config,
-    set_access_token,
-    get_access_token,
-    delete_access_token,
-    load_project_config,
-)
-
-app = typer.Typer()
-console = Console()
-import os
-
-API_URL = os.getenv("FLOWSTASH_API_URL", "https://api.flowstash.dev")
-
-
-@app.command()
-def login(
-    username: Optional[str] = typer.Option(
-        None, "--username", "-u", help="Username for manual login"
-    ),
-    password: Optional[str] = typer.Option(
-        None, "--password", "-p", help="Password for manual login"
-    ),
-):
-    """Log in to the flowstash Managed Platform."""
-    if username and password:
-        # Manual login
-        console.print(f"Logging in to {API_URL} as {username}...")
-
-        async def do_login():
-            async with httpx.AsyncClient() as client:
-                try:
-                    resp = await client.post(
-                        f"{API_URL}/v1/auth/login",
-                        json={"email": username, "password": password},
-                    )
-                    resp.raise_for_status()
-                    return resp.json()
-                except Exception as e:
-                    console.print(f"[red]Login failed: {e}[/red]")
-                    return None
-
-        result = asyncio.run(do_login())
-        if not result:
-            raise typer.Exit(code=1)
-
-        access_token = result.get("access_token")
-        tenant_id = result.get("tenant_id")
-
-        set_access_token(access_token)
-        console.print(f"[green]Successfully logged in as tenant: {tenant_id}[/green]")
-        return
-
-    # Browser login
-    state = secrets.token_urlsafe(16)
-    port = 8888
-    callback_url = f"http://localhost:{port}/callback"
-
-    login_url = f"{API_URL}/cli-login?redirect_uri={callback_url}&state={state}"
-
-    console.print(f"Opening your browser to authenticate...")
-    console.print(
-        f"If the browser doesn't open, visit: [link={login_url}]{login_url}[/link]"
-    )
-
-    webbrowser.open(login_url)
-
-    console.print("Waiting for authentication...")
-    result = start_callback_server(port)
-
-    if not result:
-        console.print("[red]Authentication timed out or failed.[/red]")
-        raise typer.Exit(code=1)
-
-    if result.get("state") != state:
-        console.print(
-            "[red]Invalid state received. Auth session might be compromised.[/red]"
-        )
-        raise typer.Exit(code=1)
-
-    access_token = result.get("access_token")
-    tenant_id = result.get("tenant_id")
-
-    if not access_token:
-        console.print("[red]No access token received.[/red]")
-        raise typer.Exit(code=1)
-
-    set_access_token(access_token)
-
-    console.print(f"[green]Successfully logged in as tenant: {tenant_id}[/green]")
-
-
-@app.command()
-def logout():
-    """Log out from the flowstash Managed Platform."""
-    delete_access_token()
-    console.print("[yellow]Logged out successfully.[/yellow]")
-
-
-def _fetch_current_user() -> Optional[dict]:
-    try:
-        return asyncio.run(APIClient().get("/v1/auth/me"))
-    except Exception:
-        return None
-
-
-@app.command()
-def whoami():
-    """Show current login status."""
-    token = get_access_token()
-    global_config = load_global_config()
-    project_config = load_project_config()
-
-    if token:
-        console.print(f"API URL: {global_config.api_url}")
-        user_info = _fetch_current_user()
-        login = None
-        tenant_id = None
-
-        if user_info:
-            login = (
-                user_info.get("email")
-                or user_info.get("username")
-                or user_info.get("login")
-            )
-            tenant_id = user_info.get("tenant_id")
-        elif project_config:
-            login = project_config.user_email
-            tenant_id = project_config.tenant_id
-
-        if login:
-            console.print(f"Logged in as: [bold]{login}[/bold]")
-        if tenant_id:
-            console.print(f"Tenant: [bold]{tenant_id}[/bold]")
-
-        if project_config:
-            console.print(f"Current Project: [bold]{project_config.project_id}[/bold]")
-        elif not user_info:
-            console.print("Logged in, but no project context found in this directory.")
-    else:
-        console.print("Not logged in.")

flowstash_cli-0.7.3/src/flowstash/cli/core/config.py

@@ -1,81 +0,0 @@
-from typing import List
-from pydantic import Field
-import os
-from pathlib import Path
-from typing import Optional, Dict, Any
-import yaml
-import keyring
-from pydantic import BaseModel
-
-flowstash_DIR = Path.home() / ".flowstash"
-GLOBAL_CONFIG_FILE = flowstash_DIR / "config.yaml"
-PROJECT_CONFIG_FILE = ".flowstash"
-
-SERVICE_NAME = "flowstash"
-TOKEN_KEY = "access_token"
-
-class GlobalConfig(BaseModel):
-    api_url: str = os.getenv("FLOWSTASH_API_URL", "https://api.flowstash.dev")  # Default to managed platform
-
-class EnvironmentMode(BaseModel):
-    name: str
-    managed: bool = False
-    options: Dict[str, str] = Field(default_factory=dict)
-
-class ProjectConfig(BaseModel):
-    project_name: Optional[str] = None
-    project_id: Optional[str] = None
-    tenant_id: Optional[str] = None
-    user_email: Optional[str] = None
-    environments: List[EnvironmentMode] = Field(default_factory=list)
-
-def load_global_config() -> GlobalConfig:
-    if not GLOBAL_CONFIG_FILE.exists():
-        return GlobalConfig()
-    
-    try:
-        with open(GLOBAL_CONFIG_FILE, "r") as f:
-            data = yaml.safe_load(f) or {}
-            return GlobalConfig(**data)
-    except Exception:
-        return GlobalConfig()
-
-def save_global_config(config: GlobalConfig):
-    flowstash_DIR.mkdir(parents=True, exist_ok=True)
-    with open(GLOBAL_CONFIG_FILE, "w") as f:
-        yaml.safe_dump(config.model_dump(), f)
-
-def get_access_token() -> Optional[str]:
-    return keyring.get_password(SERVICE_NAME, TOKEN_KEY)
-
-def set_access_token(token: str):
-    keyring.set_password(SERVICE_NAME, TOKEN_KEY, token)
-
-def delete_access_token():
-    try:
-        keyring.delete_password(SERVICE_NAME, TOKEN_KEY)
-    except keyring.errors.PasswordDeleteError:
-        pass
-
-def load_project_config() -> Optional[ProjectConfig]:
-    path = Path(PROJECT_CONFIG_FILE)
-    if not path.exists():
-        return None
-    
-    try:
-        with open(path, "r") as f:
-            data = yaml.safe_load(f) or {}
-            return ProjectConfig(**data)
-    except Exception:
-        return None
-
-def save_project_config(config: ProjectConfig):
-    with open(PROJECT_CONFIG_FILE, "w") as f:
-        yaml.safe_dump(config.model_dump(), f)
-
-# Legacy aliases for compatibility if needed, though we should update callers
-def load_config() -> GlobalConfig:
-    return load_global_config()
-
-def save_config(config: GlobalConfig):
-    save_global_config(config)