forgexa-cli 1.11.3__tar.gz → 1.11.5__tar.gz

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: forgexa-cli
-Version: 1.11.3
+Version: 1.11.5
 Summary: Forgexa CLI — command-line client and AI agent runtime for the Forgexa platform
 Author-email: Jason Sun <dev.winds@gmail.com>
 License: MIT
@@ -100,9 +100,9 @@ forgexa board --project <project-id>
 | `forgexa budget --workspace <id>` | Budget overview |
 | `forgexa daemon start` | Start local daemon (discover agents, run tasks) |
 | `forgexa daemon start -d` | Start daemon in background |
-| `forgexa daemon status` | Show daemon statuses |
+| `forgexa daemon status` | Show your daemon statuses |
 | `forgexa daemon stop` | Stop local daemon |
-| `forgexa runtimes list` | List runtimes |
+| `forgexa runtimes list` | List your runtimes |
 | `forgexa version` | Show CLI version |
 
 ## Configuration
@@ -144,11 +144,20 @@ forgexa-daemon
 ### Other Daemon Commands
 
 ```bash
-# Check daemon status (from server)
+# Check your daemon status (from server)
 forgexa daemon status
 
+# Platform admin: list all runtimes
+forgexa daemon status --all
+
 # Stop background daemon
 forgexa daemon stop
+
+# List your runtimes
+forgexa runtimes list
+
+# Platform admin: list all runtimes
+forgexa runtimes list --all
 ```
 
 ### Supported AI Agents

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/README.md

@@ -70,9 +70,9 @@ forgexa board --project <project-id>
 | `forgexa budget --workspace <id>` | Budget overview |
 | `forgexa daemon start` | Start local daemon (discover agents, run tasks) |
 | `forgexa daemon start -d` | Start daemon in background |
-| `forgexa daemon status` | Show daemon statuses |
+| `forgexa daemon status` | Show your daemon statuses |
 | `forgexa daemon stop` | Stop local daemon |
-| `forgexa runtimes list` | List runtimes |
+| `forgexa runtimes list` | List your runtimes |
 | `forgexa version` | Show CLI version |
 
 ## Configuration
@@ -114,11 +114,20 @@ forgexa-daemon
 ### Other Daemon Commands
 
 ```bash
-# Check daemon status (from server)
+# Check your daemon status (from server)
 forgexa daemon status
 
+# Platform admin: list all runtimes
+forgexa daemon status --all
+
 # Stop background daemon
 forgexa daemon stop
+
+# List your runtimes
+forgexa runtimes list
+
+# Platform admin: list all runtimes
+forgexa runtimes list --all
 ```
 
 ### Supported AI Agents

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/forgexa_cli/__init__.py

@@ -1,2 +1,2 @@
 """forgexa-cli — Forgexa command-line client."""
-__version__ = "1.11.3"
+__version__ = "1.11.5"

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/forgexa_cli/daemon.py

@@ -68,6 +68,42 @@ except ImportError:
 _HTTPX_DEPS_DIR = os.path.join(str(Path.home()), ".forgexa", "daemon", "deps")
 
 
+def _cli_config_path() -> Path:
+    return Path.home() / ".forgexa" / "config"
+
+
+def _load_cli_config() -> dict:
+    path = _cli_config_path()
+    if not path.exists():
+        return {}
+    try:
+        return json.loads(path.read_text())
+    except Exception:
+        return {}
+
+
+def _save_cli_config(data: dict) -> None:
+    path = _cli_config_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(data, indent=2))
+    path.chmod(0o600)
+
+
+def _save_cli_tokens(access_token: str, refresh_token: str | None = None) -> None:
+    cfg = _load_cli_config()
+    cfg["token"] = access_token
+    if refresh_token:
+        cfg["refresh_token"] = refresh_token
+    else:
+        cfg.pop("refresh_token", None)
+    _save_cli_config(cfg)
+
+    token_path = Path.home() / ".forgexa" / "token"
+    token_path.parent.mkdir(parents=True, exist_ok=True)
+    token_path.write_text(access_token)
+    token_path.chmod(0o600)
+
+
 def _try_install_httpx(deps_dir: str) -> tuple[bool, str]:
     """Try to install httpx to a user-writable directory.
 
@@ -438,7 +474,7 @@ except (ImportError, ModuleNotFoundError):
 # DAEMON_VERSION is the protocol/logic version of the daemon code.
 # Kept in sync with pyproject.toml version via bump-version.sh.
 # CLIENT_TYPE identifies which packaging/distribution this daemon runs in.
-DAEMON_VERSION = "1.11.3"
+DAEMON_VERSION = "1.11.5"
 
 
 def _detect_client_type() -> str:
@@ -690,6 +726,100 @@ class TaskResult:
     git: dict = field(default_factory=dict)
 
 
+def _prepare_ai_job_output(
+    *,
+    task_type: str,
+    agent_id: str,
+    raw_output: str,
+    max_content: int,
+) -> tuple[str, list[dict] | None]:
+    """Normalize AIJob output before reporting it back to the server."""
+    normalized_output, scenario_items = _normalize_ai_job_output(
+        task_type=task_type,
+        agent_id=agent_id,
+        raw_output=raw_output,
+    )
+    output_content = normalized_output[-max_content:] if normalized_output else ""
+    return output_content, scenario_items
+
+
+def _normalize_ai_job_output(
+    *,
+    task_type: str,
+    agent_id: str,
+    raw_output: str,
+) -> tuple[str, list[dict] | None]:
+    """Extract agent-specific final text before truncating for transport."""
+    if not raw_output:
+        return "", None
+
+    if task_type not in {"qa_scenario_generate_prompt", "test_script_generate"}:
+        return raw_output, None
+
+    from app.services.ai_execution_strategy import AIExecutionStrategy
+
+    extracted_output = AIExecutionStrategy._extract_agent_output(agent_id, raw_output)
+    if task_type == "test_script_generate":
+        return extracted_output or raw_output, None
+
+    from app.services.qa_ai_assistant import QAAIAssistant
+
+    parsed = QAAIAssistant._extract_json(extracted_output)
+    if isinstance(parsed, list):
+        return json.dumps(parsed), parsed
+    if isinstance(parsed, dict):
+        items = parsed.get("items")
+        if isinstance(items, list):
+            return json.dumps(items), items
+    if extracted_output and extracted_output != raw_output:
+        return extracted_output, None
+    return raw_output, None
+
+
+def _extract_ai_job_scripts(
+    *,
+    output_text: str,
+    scenario_ids: list[str],
+    workspace_path: Path,
+) -> dict[str, str]:
+    scripts: dict[str, str] = {}
+    if not scenario_ids or not output_text:
+        return scripts
+
+    import re as _re
+
+    for sid in scenario_ids:
+        pattern = (
+            r"##\s*SCRIPT_START::" + _re.escape(sid)
+            + r"\s*\n(.*?)\n##\s*SCRIPT_END::" + _re.escape(sid)
+        )
+        match = _re.search(pattern, output_text, _re.DOTALL)
+        if match:
+            scripts[sid] = match.group(1).strip()
+
+    if not scripts and len(scenario_ids) == 1:
+        scripts[scenario_ids[0]] = output_text.strip()
+
+    if scripts:
+        return scripts
+
+    import glob as _glob
+
+    for sid in scenario_ids:
+        test_files = _glob.glob(
+            str(workspace_path / "tests" / "**" / f"*{sid[:8]}*"),
+            recursive=True,
+        )
+        if test_files:
+            try:
+                with open(test_files[0], "r") as f:
+                    scripts[sid] = f.read()
+            except Exception:
+                pass
+
+    return scripts
+
+
 def _resolve_git_author(project: dict) -> tuple[str, str]:
     """Resolve git commit author (name, email) using a 5-tier fallback chain.
 
@@ -1171,6 +1301,20 @@ class WorkspaceManager:
             return None
         return key_content  # Return raw key content, _git will handle it
 
+    @staticmethod
+    def _clone_args(*, branch: str | None = None) -> tuple[str, ...]:
+        """Return the standard clone args for daemon workspaces.
+
+        Runtime workspaces only need the current branch contents. They already
+        avoid tags and non-target branches, so making the clone shallow is
+        consistent and prevents very large repositories from timing out while
+        transferring years of irrelevant history.
+        """
+        args: list[str] = ["clone", "--depth", "1", "--single-branch", "--no-tags"]
+        if branch:
+            args.extend(["--branch", branch])
+        return tuple(args)
+
     async def prepare_workspace(self, project: dict, task: TaskInfo) -> Path:
         """Create or reuse a workspace for the given task.
 
@@ -1916,8 +2060,7 @@ class WorkspaceManager:
         # Ensure _main repo is present and up-to-date
         if not main_repo.exists():
             await self._git(
-                "clone", "--single-branch", "--no-tags",
-                "--branch", default_branch,
+                *self._clone_args(branch=default_branch),
                 repo_url, str(main_repo), timeout=settings.GIT_CLONE_TIMEOUT, project_key=project_key,
             )
         else:
@@ -1947,8 +2090,7 @@ class WorkspaceManager:
                 await self._safe_rmtree_main(main_repo)
                 try:
                     await self._git(
-                        "clone", "--single-branch", "--no-tags",
-                        "--branch", default_branch,
+                        *self._clone_args(branch=default_branch),
                         repo_url, str(main_repo), timeout=settings.GIT_CLONE_TIMEOUT, project_key=project_key,
                     )
                 except Exception:
@@ -1980,8 +2122,7 @@ class WorkspaceManager:
                         await self._safe_rmtree_main(main_repo)
                         try:
                             await self._git(
-                                "clone", "--single-branch", "--no-tags",
-                                "--branch", default_branch,
+                                *self._clone_args(branch=default_branch),
                                 repo_url, str(main_repo), timeout=settings.GIT_CLONE_TIMEOUT,
                                 project_key=project_key,
                             )
@@ -2093,7 +2234,7 @@ class WorkspaceManager:
                     except Exception:
                         ws_path.mkdir(parents=True, exist_ok=True)
                         await self._git(
-                            "clone", "--single-branch", "--no-tags",
+                            *self._clone_args(),
                             repo_url, str(ws_path), timeout=settings.GIT_CLONE_TIMEOUT, project_key=project_key,
                         )
                         # Ensure we're on the correct branch after clone
@@ -2118,7 +2259,7 @@ class WorkspaceManager:
                     # Fallback to simple clone
                     ws_path.mkdir(parents=True, exist_ok=True)
                     await self._git(
-                        "clone", "--single-branch", "--no-tags",
+                        *self._clone_args(),
                         repo_url, str(ws_path), timeout=settings.GIT_CLONE_TIMEOUT, project_key=project_key,
                     )
                     # Ensure we're on the correct branch after clone
@@ -2844,6 +2985,10 @@ class ProcessManager:
                 or (task.input_data or {}).get("output_dir", "")
                 or ""
             )
+        elif task.node_type == "fix":
+            bugfix_doc_path = str((task.input_data or {}).get("bugfix_doc_path", "") or "")
+            bugfix_doc_path = bugfix_doc_path.replace("\\", "/").lstrip("./")
+            return {bugfix_doc_path} if bugfix_doc_path else set()
         else:
             output_dir = str((task.input_data or {}).get("output_dir", "") or "")
         output_dir = output_dir.replace("\\", "/").lstrip("./").rstrip("/")
@@ -3564,6 +3709,50 @@ class ProcessManager:
         result.error = error_clean or result.error
         return result
 
+    @staticmethod
+    def _prepare_copilot_home() -> str:
+        """Prepare a writable Copilot home under ~/.forgexa for sandboxed runs.
+
+        The systemd daemon runs with ProtectSystem=strict and can only write to
+        ~/.forgexa plus the workspace root. Copilot CLI 1.0.64 persists runtime
+        state under ~/.copilot/session-state and its SQLite session store. That
+        causes EROFS failures under the daemon even when interactive shell runs
+        work fine.
+
+        Mirror the user-facing ~/.copilot state into a writable daemon-owned
+        directory, then point COPILOT_HOME there for non-interactive runs.
+        """
+        source_root = Path.home() / ".copilot"
+        target_root = Path.home() / ".forgexa" / "copilot-home"
+        target_root.mkdir(parents=True, exist_ok=True)
+
+        if not source_root.exists():
+            return str(target_root)
+
+        for child in source_root.iterdir():
+            if child.name in {"logs", "session-state"}:
+                continue
+
+            dest = target_root / child.name
+            try:
+                if child.is_dir():
+                    if child.name != "ide":
+                        continue
+                    dest.mkdir(parents=True, exist_ok=True)
+                    for sub in child.iterdir():
+                        if not sub.is_file() or sub.name.endswith(".lock"):
+                            continue
+                        shutil.copy2(sub, dest / sub.name)
+                elif child.is_file():
+                    shutil.copy2(child, dest)
+            except Exception as exc:
+                logger.debug(
+                    "Copilot home mirror skipped %s -> %s: %s",
+                    child, dest, exc,
+                )
+
+        return str(target_root)
+
     async def _run_copilot(
         self, agent: DiscoveredAgent, prompt: str, cwd: Path, timeout: int, task_id: str,
         on_chunk: Any = None,
@@ -3583,6 +3772,7 @@ class ProcessManager:
         """
         env = os.environ.copy()
         env["TERM"] = "dumb"  # suppress TTY-detection that suspends the process
+        env["COPILOT_HOME"] = self._prepare_copilot_home()
 
         model_override = os.environ.get("FACTORY_COPILOT_MODEL")
         reasoning = os.environ.get("FACTORY_COPILOT_REASONING", "medium")
@@ -4646,23 +4836,76 @@ class ServerConnection:
         parsed = urlparse(server_url)
         self.label = parsed.hostname or server_url
 
-    def refresh_token(self) -> bool:
-        """Re-read the user JWT from ~/.forgexa/token and update client headers.
+    def _apply_api_token(self, token: str) -> bool:
+        token = str(token or "").strip()
+        if not token or token == self.api_token:
+            return False
+        self.api_token = token
+        self.client.headers["Authorization"] = f"Bearer {token}"
+        return True
 
-        Returns True if a new token was loaded (different from current).
-        """
+    def _load_token_from_disk(self) -> str:
         token_path = Path.home() / ".forgexa" / "token"
         try:
-            new_token = token_path.read_text().strip() if token_path.exists() else ""
+            return token_path.read_text().strip() if token_path.exists() else ""
         except OSError:
-            new_token = ""
+            return ""
+
+    async def refresh_access_token(self) -> bool:
+        """Refresh the daemon's user session token.
 
-        if new_token and new_token != self.api_token:
-            self.api_token = new_token
-            self.client.headers["Authorization"] = f"Bearer {new_token}"
+        First re-read ~/.forgexa/token in case an interactive CLI login already
+        rotated the access token. If that did not change anything, fall back to
+        ~/.forgexa/config refresh_token and call /api/v1/auth/refresh.
+        """
+        if self._apply_api_token(self._load_token_from_disk()):
             logger.info("[%s] Refreshed daemon token from ~/.forgexa/token", self.label)
             return True
-        return False
+
+        if self.api_token.startswith("pat_"):
+            return False
+
+        cfg = _load_cli_config()
+        refresh_token = str(cfg.get("refresh_token") or "").strip()
+        if not refresh_token:
+            return False
+
+        try:
+            resp = await self.client.post(
+                f"{self.server_url}/api/v1/auth/refresh",
+                json={"refresh_token": refresh_token},
+                headers={"Content-Type": "application/json"},
+                timeout=15,
+            )
+        except Exception as exc:
+            logger.warning("[%s] Token refresh request failed: %s", self.label, exc)
+            return False
+
+        if resp.status_code != 200:
+            logger.warning(
+                "[%s] Token refresh rejected: HTTP %s",
+                self.label,
+                resp.status_code,
+            )
+            return False
+
+        try:
+            data = resp.json()
+        except Exception as exc:
+            logger.warning("[%s] Token refresh payload invalid: %s", self.label, exc)
+            return False
+
+        access_token = str(data.get("access_token") or "").strip()
+        next_refresh_token = str(data.get("refresh_token") or refresh_token).strip()
+        if not access_token:
+            logger.warning("[%s] Token refresh payload missing access_token", self.label)
+            return False
+
+        self.api_token = access_token
+        self.client.headers["Authorization"] = f"Bearer {access_token}"
+        _save_cli_tokens(access_token, next_refresh_token or None)
+        logger.info("[%s] Refreshed daemon token via /auth/refresh", self.label)
+        return True
 
     async def re_register(self, agents: list[DiscoveredAgent], max_concurrent: int):
         """Refresh token and re-register with the server.
@@ -4671,7 +4914,7 @@ class ServerConnection:
         After re-registration, update the runtime_id on heartbeat/poller/reporter
         in case the server assigned a different one.
         """
-        self.refresh_token()
+        await self.refresh_access_token()
         try:
             await self.register(agents, max_concurrent)
             # Sync runtime_id to all services (may change after re-registration)
@@ -4701,8 +4944,8 @@ class ServerConnection:
             }
             for a in agents
         ]
-        try:
-            resp = await self.client.post(
+        async def _register_once():
+            return await self.client.post(
                 f"{self.server_url}/api/v1/runtimes/register",
                 json={
                     "daemon_id": self.daemon_id,
@@ -4722,6 +4965,11 @@ class ServerConnection:
                 },
                 timeout=15,
             )
+
+        try:
+            resp = await _register_once()
+            if resp.status_code == 401 and await self.refresh_access_token():
+                resp = await _register_once()
             resp.raise_for_status()
             data = resp.json()
             self.runtime_id = data["runtime_id"]
@@ -5719,9 +5967,9 @@ class RuntimeDaemon:
                     result.status = "failed"
                     result.failure_code = "all_agents_rate_limited"
 
-            # 4.55 Analysis/design nodes must update their deliverables in THIS run.
+            # 4.55 Analysis/design/fix nodes must update their deliverables in THIS run.
             # Existing files from a prior iteration are not sufficient evidence.
-            if result.status == "success" and task.node_type in ("analysis", "design"):
+            if result.status == "success" and task.node_type in ("analysis", "design", "fix"):
                 committed_git = await self.process_manager._collect_git_info_vs_parent(workspace_path)
                 git_check_passed = self.process_manager._has_required_deliverable_updates(
                     task,
@@ -5770,6 +6018,11 @@ class RuntimeDaemon:
             if result.status == "success" and task.node_type == "design":
                 await self._collect_design_artifacts(workspace_path, task, result)
 
+            # 4.8 For fix nodes: attach the bugfix report inline so knowledge
+            # extraction can use the exact root-cause and verification text.
+            if result.status == "success" and task.node_type == "fix":
+                await self._collect_bugfix_artifacts(workspace_path, task, result)
+
             # 5. Auto-commit and push if changes exist
             if result.status == "success":
                 commit_result = await self._auto_commit(workspace_path, task)
@@ -6257,42 +6510,24 @@ class RuntimeDaemon:
             # 5. Report completion
             # For deliverables: allow up to 200K chars (full document); others: last 20K
             max_content = 200000 if task_type == "deliverable_generate" else 20000
-            output_content = (result.stdout or "")[-max_content:] if result.stdout else ""
-            scripts: dict = {}
-
-            scenario_ids = input_ctx.get("scenario_ids", [])
-            if scenario_ids and output_content:
-                # Primary: extract scripts using structured SCRIPT_START/END markers
-                # inserted by poll_ai_jobs into the multi-scenario prompt.
-                import re as _re
-                for sid in scenario_ids:
-                    pattern = (
-                        r"##\s*SCRIPT_START::" + _re.escape(sid)
-                        + r"\s*\n(.*?)\n##\s*SCRIPT_END::" + _re.escape(sid)
-                    )
-                    m = _re.search(pattern, output_content, _re.DOTALL)
-                    if m:
-                        scripts[sid] = m.group(1).strip()
-
-                # Fallback: if no markers found but only one scenario, treat
-                # the entire output as that scenario's script.
-                if not scripts and len(scenario_ids) == 1:
-                    scripts[scenario_ids[0]] = output_content.strip()
-
-                # Fallback: check workspace for test files named after scenario
-                if not scripts:
-                    import glob as _glob
-                    for sid in scenario_ids:
-                        test_files = _glob.glob(
-                            str(workspace_path / "tests" / "**" / f"*{sid[:8]}*"),
-                            recursive=True,
-                        )
-                        if test_files:
-                            try:
-                                with open(test_files[0], "r") as f:
-                                    scripts[sid] = f.read()
-                            except Exception:
-                                pass
+            normalized_output, scenario_items = _normalize_ai_job_output(
+                task_type=task_type,
+                agent_id=agent.agent_id,
+                raw_output=result.stdout or "",
+            )
+            output_content = normalized_output[-max_content:] if normalized_output else ""
+            scripts = _extract_ai_job_scripts(
+                output_text=normalized_output,
+                scenario_ids=input_ctx.get("scenario_ids", []),
+                workspace_path=workspace_path,
+            )
+            if task_type == "qa_scenario_generate_prompt":
+                output_content, scenario_items = _prepare_ai_job_output(
+                    task_type=task_type,
+                    agent_id=agent.agent_id,
+                    raw_output=result.stdout or "",
+                    max_content=max_content,
+                )
 
             # Preserve all_agents_rate_limited so the server does NOT re-enqueue.
             _failure_code = result.failure_code if result.failure_code else (
@@ -6313,6 +6548,8 @@ class RuntimeDaemon:
                 "error": result.error if result.status != "success" else "",
                 "failure_code": _failure_code,
             }
+            if scenario_items:
+                complete_payload["output_result"]["items"] = scenario_items
 
             await conn.client.post(
                 f"{reporter_url}/complete",
@@ -6547,6 +6784,34 @@ class RuntimeDaemon:
         except Exception as e:
             logger.warning("Failed to read design artifact: %s", e)
 
+    async def _collect_bugfix_artifacts(
+        self, workspace_path: Path, task: TaskInfo, result: TaskResult
+    ) -> None:
+        """Attach the bugfix markdown report as an inline artifact."""
+        bugfix_doc_path = str((task.input_data or {}).get("bugfix_doc_path", "") or "")
+        bugfix_doc_path = bugfix_doc_path.replace("\\", "/").lstrip("./")
+        if not bugfix_doc_path:
+            return
+
+        artifact_paths = {a.get("path", "").replace("\\", "/") for a in result.artifacts}
+        if bugfix_doc_path in artifact_paths:
+            return
+
+        full_path = workspace_path / bugfix_doc_path
+        if not full_path.exists() or full_path.stat().st_size == 0:
+            return
+
+        try:
+            content = full_path.read_text(encoding="utf-8", errors="replace")
+            result.artifacts.append({
+                "path": bugfix_doc_path,
+                "content": content,
+                "type": "text/markdown",
+            })
+            logger.debug("Attached bugfix artifact inline: %s (%d bytes)", bugfix_doc_path, len(content))
+        except Exception as e:
+            logger.warning("Failed to read bugfix artifact %s: %s", bugfix_doc_path, e)
+
     async def _remove_root_scratch_files(
         self, workspace_path: Path, task: TaskInfo, git_status_output: str
     ) -> None:

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/forgexa_cli/main.py

@@ -69,6 +69,29 @@ def _save_config(data: dict) -> None:
     p.chmod(0o600)
 
 
+def _save_tokens(
+    access_token: str,
+    refresh_token: str | None = None,
+    *,
+    server_url: str | None = None,
+) -> None:
+    cfg = _load_config()
+    if server_url:
+        cfg["server_url"] = server_url.rstrip("/")
+    cfg["token"] = access_token
+    if refresh_token:
+        cfg["refresh_token"] = refresh_token
+    else:
+        cfg.pop("refresh_token", None)
+    _save_config(cfg)
+
+    token_dir = Path.home() / ".forgexa"
+    token_dir.mkdir(exist_ok=True)
+    token_file = token_dir / "token"
+    token_file.write_text(access_token)
+    token_file.chmod(0o600)
+
+
 def _api_url() -> str:
     """Resolve the server URL using priority chain."""
     if _SERVER_URL_OVERRIDE:
@@ -93,70 +116,111 @@ def _token() -> str | None:
     return cfg.get("token") or None
 
 
-def _headers() -> dict[str, str]:
-    h: dict[str, str] = {"Content-Type": "application/json"}
+def _can_refresh_session() -> bool:
+    if os.environ.get("FORGEXA_TOKEN"):
+        return False
     token = _token()
-    if token:
-        h["Authorization"] = f"Bearer {token}"
-    return h
+    if not token or token.startswith("pat_"):
+        return False
+    cfg = _load_config()
+    return bool(str(cfg.get("refresh_token") or "").strip())
 
 
-def _get(path: str) -> dict | list:
+def _refresh_access_token() -> bool:
+    if not _can_refresh_session():
+        return False
+
+    cfg = _load_config()
+    refresh_token = str(cfg.get("refresh_token") or "").strip()
+    if not refresh_token:
+        return False
+
     import urllib.request
     import urllib.error
 
-    url = f"{_api_url()}/api/v1{path}"
-    req = urllib.request.Request(url, headers=_headers())
+    url = f"{_api_url()}/api/v1/auth/refresh"
+    body = json.dumps({"refresh_token": refresh_token}).encode()
+    req = urllib.request.Request(
+        url,
+        data=body,
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
     try:
         with urllib.request.urlopen(req, timeout=15) as resp:
-            return json.loads(resp.read())
-    except urllib.error.HTTPError as e:
-        body = e.read().decode(errors="replace")
-        print(f"Error {e.code}: {body}", file=sys.stderr)
-        sys.exit(1)
-    except urllib.error.URLError as e:
-        print(f"Connection error: {e.reason}\nServer: {_api_url()}", file=sys.stderr)
-        sys.exit(1)
+            payload = json.loads(resp.read())
+    except (urllib.error.HTTPError, urllib.error.URLError, json.JSONDecodeError, OSError):
+        return False
 
+    access_token = str(payload.get("access_token") or "").strip()
+    next_refresh_token = str(payload.get("refresh_token") or refresh_token).strip()
+    if not access_token:
+        return False
 
-def _post(path: str, data: dict | None = None) -> dict:
-    import urllib.request
-    import urllib.error
+    _save_tokens(access_token, next_refresh_token or None)
+    return True
 
-    url = f"{_api_url()}/api/v1{path}"
-    body = json.dumps(data or {}).encode()
-    req = urllib.request.Request(url, data=body, headers=_headers(), method="POST")
-    try:
-        with urllib.request.urlopen(req, timeout=30) as resp:
-            return json.loads(resp.read())
-    except urllib.error.HTTPError as e:
-        body_text = e.read().decode(errors="replace")
-        print(f"Error {e.code}: {body_text}", file=sys.stderr)
-        sys.exit(1)
-    except urllib.error.URLError as e:
-        print(f"Connection error: {e.reason}\nServer: {_api_url()}", file=sys.stderr)
-        sys.exit(1)
 
+def _headers() -> dict[str, str]:
+    h: dict[str, str] = {"Content-Type": "application/json"}
+    token = _token()
+    if token:
+        h["Authorization"] = f"Bearer {token}"
+    return h
 
-def _delete(path: str) -> dict | None:
+
+def _request_json(
+    path: str,
+    *,
+    method: str = "GET",
+    data: dict | None = None,
+    timeout: int = 15,
+    allow_refresh: bool = True,
+) -> dict | list | None:
     import urllib.request
     import urllib.error
 
     url = f"{_api_url()}/api/v1{path}"
-    req = urllib.request.Request(url, headers=_headers(), method="DELETE")
+    body = json.dumps(data).encode() if data is not None else None
+    req = urllib.request.Request(url, data=body, headers=_headers(), method=method)
     try:
-        with urllib.request.urlopen(req, timeout=15) as resp:
+        with urllib.request.urlopen(req, timeout=timeout) as resp:
             content = resp.read()
             return json.loads(content) if content else None
     except urllib.error.HTTPError as e:
-        body = e.read().decode(errors="replace")
-        print(f"Error {e.code}: {body}", file=sys.stderr)
+        body_text = e.read().decode(errors="replace")
+        if e.code == 401 and allow_refresh and _refresh_access_token():
+            return _request_json(
+                path,
+                method=method,
+                data=data,
+                timeout=timeout,
+                allow_refresh=False,
+            )
+        print(f"Error {e.code}: {body_text}", file=sys.stderr)
         sys.exit(1)
     except urllib.error.URLError as e:
         print(f"Connection error: {e.reason}\nServer: {_api_url()}", file=sys.stderr)
         sys.exit(1)
 
 
+def _get(path: str) -> dict | list:
+    result = _request_json(path, method="GET", timeout=15)
+    if result is None:
+        return {}
+    return result
+
+
+def _post(path: str, data: dict | None = None) -> dict:
+    result = _request_json(path, method="POST", data=data or {}, timeout=30)
+    return result if isinstance(result, dict) else {}
+
+
+def _delete(path: str) -> dict | None:
+    result = _request_json(path, method="DELETE", timeout=15)
+    return result if isinstance(result, dict) else None
+
+
 # ── Output helpers ──
 
 _output_format = "table"
@@ -203,20 +267,9 @@ def cmd_login(args: argparse.Namespace) -> None:
     email = args.email or input("Email: ")
     password = args.password or getpass.getpass("Password: ")
     result = _post("/auth/login", {"email": email, "password": password})
-    token = result.get("access_token", "")
-
-    # Save to config file (server_url + token in one place)
-    cfg = _load_config()
-    if server:
-        cfg["server_url"] = _SERVER_URL_OVERRIDE
-    cfg["token"] = token
-    _save_config(cfg)
-
-    # Also keep the legacy token file for backwards compatibility
-    token_dir = Path.home() / ".forgexa"
-    token_dir.mkdir(exist_ok=True)
-    (token_dir / "token").write_text(token)
-    (token_dir / "token").chmod(0o600)
+    token = str(result.get("access_token") or "").strip()
+    refresh_token = str(result.get("refresh_token") or "").strip()
+    _save_tokens(token, refresh_token or None, server_url=_SERVER_URL_OVERRIDE if server else None)
 
     active_server = _api_url()
     print(f"Login successful.")
@@ -233,10 +286,11 @@ def cmd_logout(_args: argparse.Namespace) -> None:
     cfg = _load_config()
     if "token" in cfg:
         del cfg["token"]
+        cfg.pop("refresh_token", None)
         _save_config(cfg)
         cleared = True
     if cleared:
-        print("Logged out. Token removed.")
+        print("Logged out. Tokens removed.")
     else:
         print("No token found.")
 
@@ -255,6 +309,7 @@ def cmd_config_show(_args: argparse.Namespace) -> None:
         source = f"~/.forgexa/config"
     print(f"Server URL : {active_url}  (source: {source})")
     print(f"Auth token : {'set' if token else 'not set'}")
+    print(f"Refresh tok: {'set' if cfg.get('refresh_token') else 'not set'}")
     print(f"Config file: {_config_path()}")
 
 
@@ -273,8 +328,14 @@ def cmd_config_set(args: argparse.Namespace) -> None:
         sys.exit(1)
 
 
-def cmd_daemon_status(_args: argparse.Namespace) -> None:
-    runtimes = _get("/runtimes")
+def _get_runtimes(include_all: bool = False) -> list[dict]:
+    path = "/runtimes" if include_all else "/runtimes/me"
+    runtimes = _get(path)
+    return runtimes if isinstance(runtimes, list) else []
+
+
+def cmd_daemon_status(args: argparse.Namespace) -> None:
+    runtimes = _get_runtimes(include_all=getattr(args, "all", False))
     if not runtimes:
         print("No daemons registered.")
         return
@@ -363,8 +424,8 @@ def cmd_daemon_start(args: argparse.Namespace) -> None:
         main_sync()
 
 
-def cmd_runtimes_list(_args: argparse.Namespace) -> None:
-    runtimes = _get("/runtimes")
+def cmd_runtimes_list(args: argparse.Namespace) -> None:
+    runtimes = _get_runtimes(include_all=getattr(args, "all", False))
     if not runtimes:
         print("No runtimes registered.")
         return
@@ -596,11 +657,11 @@ def main() -> None:
     sub.add_parser("version", help="Show CLI version")
 
     # auth
-    login_p = sub.add_parser("login", help="Login and save access token")
+    login_p = sub.add_parser("login", help="Login and save session tokens")
     login_p.add_argument("--server", metavar="URL", help="Server URL to connect to (saved to ~/.forgexa/config)")
     login_p.add_argument("--email", help="Email address")
     login_p.add_argument("--password", help="Password")
-    sub.add_parser("logout", help="Remove saved access token")
+    sub.add_parser("logout", help="Remove saved session tokens")
 
     # config
     config_p = sub.add_parser("config", help="View or change CLI configuration")
@@ -616,13 +677,15 @@ def main() -> None:
     daemon_start_p = daemon_sub.add_parser("start", help="Start local daemon (discovers and registers AI agents)")
     daemon_start_p.add_argument("-d", "--detach", action="store_true", help="Run in background")
     daemon_start_p.add_argument("--server-url", default=None, help="Server URL to connect to")
-    daemon_sub.add_parser("status", help="Show all daemon statuses (from server)")
+    daemon_status_p = daemon_sub.add_parser("status", help="Show your daemon statuses (from server)")
+    daemon_status_p.add_argument("--all", action="store_true", help="List all runtimes (platform admin only)")
     daemon_sub.add_parser("stop", help="Stop local daemon (sends SIGTERM)")
 
     # runtimes
     rt_p = sub.add_parser("runtimes", help="Runtime management")
     rt_sub = rt_p.add_subparsers(dest="rt_cmd")
-    rt_sub.add_parser("list", help="List all runtimes")
+    rt_list_p = rt_sub.add_parser("list", help="List your runtimes")
+    rt_list_p.add_argument("--all", action="store_true", help="List all runtimes (platform admin only)")
 
     # workspace
     ws_p = sub.add_parser("workspace", help="Workspace management")

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/forgexa_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: forgexa-cli
-Version: 1.11.3
+Version: 1.11.5
 Summary: Forgexa CLI — command-line client and AI agent runtime for the Forgexa platform
 Author-email: Jason Sun <dev.winds@gmail.com>
 License: MIT
@@ -100,9 +100,9 @@ forgexa board --project <project-id>
 | `forgexa budget --workspace <id>` | Budget overview |
 | `forgexa daemon start` | Start local daemon (discover agents, run tasks) |
 | `forgexa daemon start -d` | Start daemon in background |
-| `forgexa daemon status` | Show daemon statuses |
+| `forgexa daemon status` | Show your daemon statuses |
 | `forgexa daemon stop` | Stop local daemon |
-| `forgexa runtimes list` | List runtimes |
+| `forgexa runtimes list` | List your runtimes |
 | `forgexa version` | Show CLI version |
 
 ## Configuration
@@ -144,11 +144,20 @@ forgexa-daemon
 ### Other Daemon Commands
 
 ```bash
-# Check daemon status (from server)
+# Check your daemon status (from server)
 forgexa daemon status
 
+# Platform admin: list all runtimes
+forgexa daemon status --all
+
 # Stop background daemon
 forgexa daemon stop
+
+# List your runtimes
+forgexa runtimes list
+
+# Platform admin: list all runtimes
+forgexa runtimes list --all
 ```
 
 ### Supported AI Agents

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/forgexa_cli.egg-info/SOURCES.txt

@@ -10,4 +10,5 @@ forgexa_cli.egg-info/SOURCES.txt
 forgexa_cli.egg-info/dependency_links.txt
 forgexa_cli.egg-info/entry_points.txt
 forgexa_cli.egg-info/requires.txt
-forgexa_cli.egg-info/top_level.txt
+forgexa_cli.egg-info/top_level.txt
+tests/test_auth_and_runtime_commands.py

{forgexa_cli-1.11.3 → forgexa_cli-1.11.5}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "forgexa-cli"
-version = "1.11.3"
+version = "1.11.5"
 description = "Forgexa CLI — command-line client and AI agent runtime for the Forgexa platform"
 requires-python = ">=3.9"
 license = { text = "MIT" }

forgexa_cli-1.11.5/tests/test_auth_and_runtime_commands.py

@@ -0,0 +1,236 @@
+from __future__ import annotations
+
+import io
+import json
+from pathlib import Path
+from types import SimpleNamespace
+import urllib.error
+
+import httpx
+import pytest
+
+from forgexa_cli import daemon, main
+
+
+class UrlopenResponse:
+    def __init__(self, payload):
+        self._payload = payload
+
+    def read(self) -> bytes:
+        return json.dumps(self._payload).encode("utf-8")
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, exc_type, exc, tb):
+        return False
+
+
+class HttpxResponse:
+    def __init__(self, status_code: int, payload: dict):
+        self.status_code = status_code
+        self._payload = payload
+        self.request = httpx.Request("POST", "https://api.example.com/api/v1/runtimes/register")
+
+    def json(self) -> dict:
+        return self._payload
+
+    def raise_for_status(self) -> None:
+        if self.status_code >= 400:
+            raise httpx.HTTPStatusError(
+                f"HTTP {self.status_code}",
+                request=self.request,
+                response=self,
+            )
+
+
+def _http_error(url: str, status_code: int, payload: dict) -> urllib.error.HTTPError:
+    return urllib.error.HTTPError(
+        url,
+        status_code,
+        payload.get("detail", "error"),
+        hdrs=None,
+        fp=io.BytesIO(json.dumps(payload).encode("utf-8")),
+    )
+
+
+def test_login_persists_refresh_token(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("HOME", str(tmp_path))
+    monkeypatch.setattr(main, "_SERVER_URL_OVERRIDE", None)
+    monkeypatch.setattr(
+        main,
+        "_post",
+        lambda path, data=None: {
+            "access_token": "access-1",
+            "refresh_token": "refresh-1",
+        },
+    )
+
+    args = SimpleNamespace(
+        server="https://api.example.com",
+        email="user@example.com",
+        password="secret",
+    )
+    main.cmd_login(args)
+
+    cfg = json.loads((tmp_path / ".forgexa" / "config").read_text())
+    assert cfg["token"] == "access-1"
+    assert cfg["refresh_token"] == "refresh-1"
+    assert cfg["server_url"] == "https://api.example.com"
+    assert (tmp_path / ".forgexa" / "token").read_text() == "access-1"
+
+
+def test_get_retries_once_after_refresh_on_401(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setenv("HOME", str(tmp_path))
+    monkeypatch.setattr(main, "_SERVER_URL_OVERRIDE", None)
+    config_dir = tmp_path / ".forgexa"
+    config_dir.mkdir()
+    (config_dir / "config").write_text(
+        json.dumps(
+            {
+                "server_url": "https://api.example.com",
+                "token": "old-access",
+                "refresh_token": "refresh-1",
+            }
+        )
+    )
+    (config_dir / "token").write_text("old-access")
+
+    import urllib.request
+
+    runtime_called = {"count": 0}
+
+    def fake_urlopen(req, timeout=0):
+        url = req.full_url
+        if url.endswith("/api/v1/runtimes/me"):
+            runtime_called["count"] += 1
+            if runtime_called["count"] == 1:
+                raise _http_error(url, 401, {"detail": "Invalid token"})
+            assert req.headers.get("Authorization") == "Bearer new-access"
+            return UrlopenResponse([
+                {
+                    "id": "12345678",
+                    "daemon_id": "demo-daemon",
+                    "status": "online",
+                }
+            ])
+        if url.endswith("/api/v1/auth/refresh"):
+            assert json.loads(req.data.decode("utf-8")) == {"refresh_token": "refresh-1"}
+            return UrlopenResponse(
+                {
+                    "access_token": "new-access",
+                    "refresh_token": "refresh-2",
+                }
+            )
+        raise AssertionError(f"Unexpected URL: {url}")
+
+    monkeypatch.setattr(urllib.request, "urlopen", fake_urlopen)
+
+    result = main._get("/runtimes/me")
+
+    assert isinstance(result, list)
+    assert runtime_called["count"] == 2
+    cfg = json.loads((config_dir / "config").read_text())
+    assert cfg["token"] == "new-access"
+    assert cfg["refresh_token"] == "refresh-2"
+    assert (config_dir / "token").read_text() == "new-access"
+
+
+def test_runtime_commands_use_user_scope_by_default(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    calls: list[bool] = []
+    monkeypatch.setattr(
+        main,
+        "_get_runtimes",
+        lambda include_all=False: calls.append(include_all) or [],
+    )
+
+    main.cmd_daemon_status(SimpleNamespace(all=False))
+    main.cmd_runtimes_list(SimpleNamespace(all=False))
+    main.cmd_runtimes_list(SimpleNamespace(all=True))
+
+    assert calls == [False, False, True]
+
+
+@pytest.mark.asyncio
+async def test_daemon_refreshes_access_token_from_refresh_token(
+    tmp_path: Path,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    monkeypatch.setenv("HOME", str(tmp_path))
+    config_dir = tmp_path / ".forgexa"
+    config_dir.mkdir()
+    (config_dir / "config").write_text(
+        json.dumps(
+            {
+                "token": "stale-access",
+                "refresh_token": "refresh-1",
+            }
+        )
+    )
+    (config_dir / "token").write_text("stale-access")
+
+    conn = daemon.ServerConnection("https://api.example.com", "stale-access", "daemon-1")
+    try:
+        async def fake_post(url, json=None, headers=None, timeout=None):
+            assert url.endswith("/api/v1/auth/refresh")
+            assert json == {"refresh_token": "refresh-1"}
+            return HttpxResponse(
+                200,
+                {
+                    "access_token": "fresh-access",
+                    "refresh_token": "refresh-2",
+                },
+            )
+
+        monkeypatch.setattr(conn.client, "post", fake_post)
+
+        refreshed = await conn.refresh_access_token()
+
+        assert refreshed is True
+        assert conn.api_token == "fresh-access"
+        assert conn.client.headers["Authorization"] == "Bearer fresh-access"
+        cfg = json.loads((config_dir / "config").read_text())
+        assert cfg["token"] == "fresh-access"
+        assert cfg["refresh_token"] == "refresh-2"
+        assert (config_dir / "token").read_text() == "fresh-access"
+    finally:
+        await conn.client.aclose()
+
+
+@pytest.mark.asyncio
+async def test_daemon_register_retries_once_after_refresh(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    conn = daemon.ServerConnection("https://api.example.com", "stale-access", "daemon-1")
+    try:
+        async def fake_refresh_access_token() -> bool:
+            conn.api_token = "fresh-access"
+            conn.client.headers["Authorization"] = "Bearer fresh-access"
+            return True
+
+        responses = iter(
+            [
+                HttpxResponse(401, {"detail": "Invalid token"}),
+                HttpxResponse(200, {"runtime_id": "runtime-1"}),
+            ]
+        )
+
+        async def fake_post(url, json=None, headers=None, timeout=None):
+            response = next(responses)
+            if response.status_code == 200:
+                assert json["api_token"] == "fresh-access"
+            return response
+
+        monkeypatch.setattr(conn, "refresh_access_token", fake_refresh_access_token)
+        monkeypatch.setattr(conn.client, "post", fake_post)
+
+        await conn.register([], 2)
+
+        assert conn.runtime_id == "runtime-1"
+    finally:
+        await conn.client.aclose()