tescmd 0.1.2__py3-none-any.whl → 0.3.1__py3-none-any.whl

tescmd/cli/auth.py

@@ -20,14 +20,20 @@ from tescmd.auth.oauth import (
 )
 from tescmd.auth.token_store import TokenStore
 from tescmd.cli._options import global_options
-from tescmd.models.auth import DEFAULT_SCOPES, PARTNER_SCOPES, TokenData, decode_jwt_scopes
+from tescmd.models.auth import (
+    DEFAULT_SCOPES,
+    PARTNER_SCOPES,
+    TokenData,
+    decode_jwt_payload,
+    decode_jwt_scopes,
+)
 from tescmd.models.config import AppSettings
 
 if TYPE_CHECKING:
     from tescmd.cli.main import AppContext
     from tescmd.output.formatter import OutputFormatter
 
-DEVELOPER_PORTAL_URL = "https://developer.tesla.com"
+DEVELOPER_PORTAL_URL = "https://developer.tesla.com/dashboard"
 
 
 # ---------------------------------------------------------------------------
@@ -43,7 +49,12 @@ auth_group = click.Group("auth", help="Authentication commands")
 
 
 @auth_group.command("login")
-@click.option("--port", type=int, default=8085, help="Local callback port")
+@click.option(
+    "--port",
+    type=int,
+    default=None,
+    help="Local callback port (default: 8085 or TESCMD_OAUTH_PORT)",
+)
 @click.option(
     "--reconsent",
     is_flag=True,
@@ -51,15 +62,20 @@ auth_group = click.Group("auth", help="Authentication commands")
     help="Force Tesla to re-display the scope consent screen.",
 )
 @global_options
-def login_cmd(app_ctx: AppContext, port: int, reconsent: bool) -> None:
+def login_cmd(app_ctx: AppContext, port: int | None, reconsent: bool) -> None:
     """Log in via OAuth2 PKCE flow."""
     run_async(_cmd_login(app_ctx, port, reconsent=reconsent))
 
 
-async def _cmd_login(app_ctx: AppContext, port: int, *, reconsent: bool = False) -> None:
+async def _cmd_login(app_ctx: AppContext, port: int | None, *, reconsent: bool = False) -> None:
+    from tescmd.models.auth import DEFAULT_PORT
+
     formatter = app_ctx.formatter
     settings = AppSettings()
 
+    if port is None:
+        port = DEFAULT_PORT
+
     client_id = settings.client_id
     client_secret = settings.client_secret
 
@@ -182,11 +198,23 @@ async def _cmd_status(app_ctx: AppContext) -> None:
     region: str = meta.get("region", "unknown")
     has_refresh = store.refresh_token is not None
 
-    # Decode the JWT to show the *actual* granted scopes
+    # Decode the JWT to show the *actual* granted scopes and audience
     token_scopes: list[str] | None = None
+    audience: str | None = None
     access_token = store.access_token
     if access_token:
         token_scopes = decode_jwt_scopes(access_token)
+        jwt_payload = decode_jwt_payload(access_token)
+        if jwt_payload is not None:
+            aud_raw = jwt_payload.get("aud")
+            if isinstance(aud_raw, list) and aud_raw:
+                audience = aud_raw[0] if len(aud_raw) == 1 else ", ".join(str(a) for a in aud_raw)
+            elif isinstance(aud_raw, str):
+                audience = aud_raw
+            # Also check for 'ou' (origin URL) — Tesla-specific claim
+            ou = jwt_payload.get("ou")
+            if isinstance(ou, str) and ou:
+                audience = ou
 
     if formatter.format == "json":
         data: dict[str, object] = {
@@ -198,6 +226,8 @@ async def _cmd_status(app_ctx: AppContext) -> None:
         }
         if token_scopes is not None:
             data["token_scopes"] = token_scopes
+        if audience is not None:
+            data["audience"] = audience
         formatter.output(data, command="auth.status")
     else:
         formatter.rich.info("Authenticated: yes")
@@ -211,6 +241,8 @@ async def _cmd_status(app_ctx: AppContext) -> None:
                 formatter.rich.info(
                     f"  [yellow]Warning: requested but not granted: {not_granted}[/yellow]"
                 )
+        if audience is not None:
+            formatter.rich.info(f"Audience: {audience}")
         formatter.rich.info(f"Region: {region}")
         formatter.rich.info(f"Refresh token: {'yes' if has_refresh else 'no'}")
 
@@ -245,11 +277,24 @@ async def _cmd_refresh(app_ctx: AppContext) -> None:
     scopes: list[str] = meta.get("scopes", DEFAULT_SCOPES)
     region: str = meta.get("region", "na")
 
-    token_data = await refresh_access_token(
-        refresh_token=rt,
-        client_id=settings.client_id,
-        client_secret=settings.client_secret,
-    )
+    from tescmd.api.errors import AuthError
+    from tescmd.cli._client import reauth_on_expired_refresh
+
+    try:
+        token_data = await refresh_access_token(
+            refresh_token=rt,
+            client_id=settings.client_id,
+            client_secret=settings.client_secret,
+        )
+    except AuthError as exc:
+        if "login_required" not in str(exc):
+            raise
+        await reauth_on_expired_refresh(store, settings)
+        if formatter.format == "json":
+            formatter.output({"status": "re-authenticated"}, command="auth.refresh")
+        else:
+            formatter.rich.info("")
+        return
 
     store.save(
         access_token=token_data.access_token,
@@ -423,12 +468,17 @@ def _interactive_setup(
     redirect_uri: str,
     *,
     domain: str = "",
+    tailscale_hostname: str = "",
 ) -> tuple[str, str]:
     """Walk the user through first-time Tesla API credential setup.
 
     When *domain* is provided (e.g. from the setup wizard), the developer
     portal instructions show ``https://{domain}`` as the Allowed Origin URL.
     Tesla's Fleet API requires the origin to match the registration domain.
+
+    When *tailscale_hostname* is provided (or auto-detected), the user is
+    offered the chance to start a Tailscale Funnel so Tesla can verify the
+    origin URL when the portal app config is saved.
     """
     info = formatter.rich.info
     origin_url = f"https://{domain}" if domain else f"http://localhost:{port}"
@@ -475,6 +525,47 @@ def _interactive_setup(
     info("  Click Next.")
     info("")
 
+    # Detect Tailscale and offer to start Funnel for origin URL verification
+    ts_hostname = tailscale_hostname
+    ts_funnel_started = False
+    if not ts_hostname:
+        try:
+            from tescmd.deploy.tailscale_serve import is_tailscale_serve_ready
+
+            if run_async(is_tailscale_serve_ready()):
+                from tescmd.telemetry.tailscale import TailscaleManager
+
+                ts_hostname = run_async(TailscaleManager().get_hostname())
+        except Exception:
+            pass
+
+    if ts_hostname:
+        ts_origin = f"https://{ts_hostname}"
+        info("")
+        info(f"[green]Tailscale detected:[/green] {ts_hostname}")
+        info("")
+        info(f"  Adding [cyan]{ts_origin}[/cyan] as an Allowed Origin URL")
+        info("  will let [cyan]tescmd serve[/cyan] stream telemetry without")
+        info("  extra portal changes later.")
+        info("")
+        try:
+            answer = input("Start Tailscale Funnel so Tesla can verify the URL? [Y/n] ").strip()
+        except (EOFError, KeyboardInterrupt):
+            answer = "n"
+
+        if answer.lower() != "n":
+            info("Starting Tailscale Funnel...")
+            try:
+                from tescmd.telemetry.tailscale import TailscaleManager as _TsMgr
+
+                run_async(_TsMgr().enable_funnel())
+                ts_funnel_started = True
+                info(f"[green]Funnel active — {ts_origin} is reachable.[/green]")
+            except Exception as exc:
+                info(f"[yellow]Could not start Funnel: {exc}[/yellow]")
+                info("[dim]You can add the origin URL manually later.[/dim]")
+                ts_hostname = ""
+
     # Step 3 — Client Details
     info("[bold]Step 3 — Client Details[/bold]")
     info(
@@ -482,8 +573,17 @@ def _interactive_setup(
         " Machine-to-Machine[/cyan]  (the default)"
     )
     info(f"  Allowed Origin URL:  [cyan]{origin_url}[/cyan]")
+    if ts_hostname:
+        info(f"  [bold]Also add:[/bold]          [cyan]https://{ts_hostname}[/cyan]")
     info(f"  Allowed Redirect URI: [cyan]{redirect_uri}[/cyan]")
     info("  Allowed Returned URL: (leave empty)")
+    info("")
+    if not ts_hostname:
+        info(
+            "  [dim]For telemetry streaming, add your Tailscale hostname"
+            " as an additional origin:[/dim]"
+        )
+        info("  [dim]  https://<machine>.tailnet.ts.net[/dim]")
     info("  Click Next.")
     info("")
 
@@ -544,6 +644,16 @@ def _interactive_setup(
         _write_env_file(client_id, client_secret)
         info("[green]Credentials saved to .env[/green]")
 
+    # Clean up Tailscale Funnel if we started it during this session
+    if ts_funnel_started:
+        try:
+            from tescmd.telemetry.tailscale import TailscaleManager as _TsMgr
+
+            run_async(_TsMgr._run("tailscale", "funnel", "--bg", "off"))
+        except Exception as exc:
+            info(f"[yellow]Warning: Failed to stop Tailscale Funnel: {exc}[/yellow]")
+            info("[dim]You may need to run 'tailscale funnel --bg off' manually.[/dim]")
+
     info("")
     return (client_id, client_secret)
 

tescmd/cli/energy.py

@@ -9,6 +9,7 @@ import click
 from tescmd._internal.async_utils import run_async
 from tescmd.cli._client import TTL_SLOW, cached_api_call, get_energy_api, invalidate_cache_for_site
 from tescmd.cli._options import global_options
+from tescmd.models.energy import SiteInfo
 
 if TYPE_CHECKING:
     from tescmd.cli.main import AppContext
@@ -66,6 +67,7 @@ async def _cmd_status(app_ctx: AppContext, site_id: int) -> None:
             endpoint="energy.status",
             fetch=lambda: api.site_info(site_id),
             ttl=TTL_SLOW,
+            model_class=SiteInfo,
         )
     finally:
         await client.close()

tescmd/cli/key.py

@@ -25,6 +25,7 @@ from tescmd.models.config import AppSettings
 
 if TYPE_CHECKING:
     from tescmd.cli.main import AppContext
+    from tescmd.output.formatter import OutputFormatter
 
 
 # ---------------------------------------------------------------------------
@@ -95,22 +96,19 @@ async def _cmd_generate(app_ctx: AppContext, force: bool) -> None:
     default=None,
     help="GitHub repo (e.g. user/user.github.io). Auto-detected if omitted.",
 )
+@click.option(
+    "--method",
+    type=click.Choice(["auto", "github", "tailscale"]),
+    default="auto",
+    help="Deployment method (default: auto-detect).",
+)
 @global_options
-def deploy_cmd(app_ctx: AppContext, repo: str | None) -> None:
-    """Deploy the public key to GitHub Pages."""
-    run_async(_cmd_deploy(app_ctx, repo))
-
+def deploy_cmd(app_ctx: AppContext, repo: str | None, method: str) -> None:
+    """Deploy the public key to GitHub Pages or via Tailscale Funnel."""
+    run_async(_cmd_deploy(app_ctx, repo, method=method))
 
-async def _cmd_deploy(app_ctx: AppContext, repo: str | None) -> None:
-    from tescmd.deploy.github_pages import (
-        create_pages_repo,
-        deploy_public_key,
-        get_gh_username,
-        get_pages_domain,
-        is_gh_authenticated,
-        is_gh_available,
-    )
 
+async def _cmd_deploy(app_ctx: AppContext, repo: str | None, *, method: str = "auto") -> None:
     formatter = app_ctx.formatter
     settings = AppSettings()
     key_dir = Path(settings.config_dir).expanduser() / "keys"
@@ -127,6 +125,142 @@ async def _cmd_deploy(app_ctx: AppContext, repo: str | None) -> None:
             formatter.rich.error("No key pair found. Run [cyan]tescmd key generate[/cyan] first.")
         return
 
+    # Resolve method
+    resolved = _resolve_deploy_method(method, settings)
+
+    if resolved == "tailscale":
+        await _cmd_deploy_tailscale(formatter, key_dir)
+    elif resolved == "github":
+        await _cmd_deploy_github(formatter, settings, key_dir, repo)
+    else:
+        if formatter.format == "json":
+            formatter.output_error(
+                code="no_deploy_method",
+                message=(
+                    "No deployment method available. Install 'gh' CLI for GitHub Pages"
+                    " or Tailscale for Funnel hosting."
+                ),
+                command="key.deploy",
+            )
+        else:
+            formatter.rich.error(
+                "No deployment method available. Install [cyan]gh[/cyan] CLI"
+                " (GitHub Pages) or [cyan]tailscale[/cyan] (Funnel hosting)."
+            )
+
+
+def _resolve_deploy_method(method: str, settings: AppSettings) -> str | None:
+    """Resolve 'auto' to a concrete method, or validate explicit choice."""
+    if method in ("tailscale", "github"):
+        return method
+
+    # Auto-detect: GitHub Pages (always-on) > Tailscale (stable hostname)
+    from tescmd.deploy.github_pages import is_gh_authenticated, is_gh_available
+
+    if is_gh_available() and is_gh_authenticated():
+        return "github"
+
+    from tescmd.deploy.tailscale_serve import is_tailscale_serve_ready
+
+    if run_async(is_tailscale_serve_ready()):
+        return "tailscale"
+
+    # Check saved hosting method as last resort
+    if settings.hosting_method == "tailscale":
+        return "tailscale"
+    if settings.hosting_method == "github":
+        return "github"
+
+    return None
+
+
+async def _cmd_deploy_tailscale(
+    formatter: OutputFormatter,
+    key_dir: Path,
+) -> None:
+    """Deploy public key via Tailscale Funnel."""
+    from tescmd.deploy.tailscale_serve import (
+        deploy_public_key_tailscale,
+        get_key_url,
+        is_tailscale_serve_ready,
+        start_key_serving,
+        wait_for_tailscale_deployment,
+    )
+
+    # Verify Tailscale is ready
+    if not await is_tailscale_serve_ready():
+        if formatter.format == "json":
+            formatter.output_error(
+                code="tailscale_not_ready",
+                message=(
+                    "Tailscale is not available or Funnel is not enabled."
+                    " Ensure Tailscale is running and Funnel is enabled in your tailnet ACL."
+                ),
+                command="key.deploy",
+            )
+        else:
+            formatter.rich.error(
+                "Tailscale is not available or Funnel is not enabled.\n"
+                "  Ensure Tailscale is running and Funnel is enabled in your tailnet ACL."
+            )
+        return
+
+    if formatter.format != "json":
+        formatter.rich.info("Deploying public key via Tailscale Funnel...")
+
+    pem = load_public_key_pem(key_dir)
+    await deploy_public_key_tailscale(pem)
+    hostname = await start_key_serving()
+
+    url = get_key_url(hostname)
+    if formatter.format != "json":
+        formatter.rich.info("[green]Tailscale serve + Funnel started.[/green]")
+        formatter.rich.info(f"  URL: {url}")
+        formatter.rich.info("")
+        formatter.rich.info("Waiting for key to become accessible...")
+
+    deployed = await wait_for_tailscale_deployment(hostname)
+
+    if formatter.format == "json":
+        formatter.output(
+            {
+                "status": "deployed" if deployed else "pending",
+                "method": "tailscale",
+                "hostname": hostname,
+                "url": url,
+                "accessible": deployed,
+            },
+            command="key.deploy",
+        )
+    elif deployed:
+        formatter.rich.info("[green]Key is live and accessible.[/green]")
+        formatter.rich.info("")
+        formatter.rich.info(
+            "[yellow]Note:[/yellow] The key is served by the Tailscale daemon."
+            " If your machine is off or Tailscale stops,"
+            " Tesla cannot reach your public key."
+        )
+    else:
+        formatter.rich.info("[yellow]Key deployed but not yet accessible.[/yellow]")
+        formatter.rich.info("  Run [cyan]tescmd key validate[/cyan] to check again later.")
+
+
+async def _cmd_deploy_github(
+    formatter: OutputFormatter,
+    settings: AppSettings,
+    key_dir: Path,
+    repo: str | None,
+) -> None:
+    """Deploy public key via GitHub Pages."""
+    from tescmd.deploy.github_pages import (
+        create_pages_repo,
+        deploy_public_key,
+        get_gh_username,
+        get_pages_domain,
+        is_gh_authenticated,
+        is_gh_available,
+    )
+
     # Check gh CLI
     if not is_gh_available():
         if formatter.format == "json":
@@ -180,7 +314,7 @@ async def _cmd_deploy(app_ctx: AppContext, repo: str | None) -> None:
         formatter.rich.info("[green]Key deployed.[/green]")
         formatter.rich.info(f"  URL: {get_key_url(domain)}")
         formatter.rich.info("")
-        formatter.rich.info("Waiting for GitHub Pages to publish (this may take a few minutes)...")
+        formatter.rich.info("Waiting for GitHub Pages to publish...")
 
     deployed = wait_for_pages_deployment(domain)
 
@@ -188,6 +322,7 @@ async def _cmd_deploy(app_ctx: AppContext, repo: str | None) -> None:
         formatter.output(
             {
                 "status": "deployed" if deployed else "pending",
+                "method": "github",
                 "repo": repo_name,
                 "domain": domain,
                 "url": get_key_url(domain),

tescmd/cli/main.py

@@ -6,6 +6,7 @@ import dataclasses
 import logging
 
 import click
+from dotenv import load_dotenv
 
 from tescmd._internal.async_utils import run_async
 from tescmd.api.errors import (
@@ -15,6 +16,7 @@ from tescmd.api.errors import (
     RegistrationRequiredError,
     SessionError,
     TierError,
+    TunnelError,
     VehicleAsleepError,
 )
 from tescmd.output.formatter import OutputFormatter
@@ -61,6 +63,13 @@ class AppContext:
         return self._formatter
 
 
+# ---------------------------------------------------------------------------
+# Load .env into os.environ before Click resolves any envvar= options.
+# This ensures TESLA_VIN, TESCMD_MCP_CLIENT_ID, etc. from .env files
+# are visible to Click's envvar resolution.
+# ---------------------------------------------------------------------------
+load_dotenv(override=False)
+
 # ---------------------------------------------------------------------------
 # Root Click group
 # ---------------------------------------------------------------------------
@@ -159,11 +168,14 @@ def _register_commands() -> None:
     from tescmd.cli.climate import climate_group
     from tescmd.cli.energy import energy_group
     from tescmd.cli.key import key_group
+    from tescmd.cli.mcp_cmd import mcp_group
     from tescmd.cli.media import media_group
     from tescmd.cli.nav import nav_group
+    from tescmd.cli.openclaw import openclaw_group
     from tescmd.cli.partner import partner_group
     from tescmd.cli.raw import raw_group
     from tescmd.cli.security import security_group
+    from tescmd.cli.serve import serve_cmd
     from tescmd.cli.setup import setup_cmd
     from tescmd.cli.sharing import sharing_group
     from tescmd.cli.software import software_group
@@ -179,11 +191,14 @@ def _register_commands() -> None:
     cli.add_command(climate_group)
     cli.add_command(energy_group)
     cli.add_command(key_group)
+    cli.add_command(mcp_group)
     cli.add_command(media_group)
     cli.add_command(nav_group)
+    cli.add_command(openclaw_group)
     cli.add_command(partner_group)
     cli.add_command(raw_group)
     cli.add_command(security_group)
+    cli.add_command(serve_cmd)
     cli.add_command(setup_cmd)
     cli.add_command(sharing_group)
     cli.add_command(status_cmd)
@@ -287,6 +302,9 @@ def _handle_known_error(
     if isinstance(exc, SessionError):
         _handle_session_error(exc, formatter, cmd_name)
         return True
+    if isinstance(exc, TunnelError):
+        _handle_tunnel_error(exc, formatter, cmd_name)
+        return True
 
     # Keyring failures (e.g. headless Linux with no keyring daemon)
     try:
@@ -559,14 +577,19 @@ def _handle_session_error(
     formatter.rich.error(message)
     formatter.rich.info("")
     formatter.rich.info("Possible causes:")
-    formatter.rich.info("  - Vehicle is temporarily unreachable")
-    formatter.rich.info("  - Local key pair is corrupted")
-    formatter.rich.info("  - Key was re-generated but not re-enrolled")
+    formatter.rich.info("  - Vehicle is temporarily unreachable or asleep")
+    formatter.rich.info("  - Session expired — retry once and a fresh handshake will occur")
+    formatter.rich.info(
+        "  - Local key pair is corrupted or was re-generated without re-enrollment"
+    )
     formatter.rich.info("")
-    formatter.rich.info("Try again, or if the problem persists:")
-    formatter.rich.info("  [cyan]tescmd key generate --force[/cyan]  (regenerate key pair)")
-    formatter.rich.info("  [cyan]tescmd key deploy[/cyan]            (re-deploy public key)")
-    formatter.rich.info("  [cyan]tescmd key enroll[/cyan]            (re-enroll on vehicle)")
+    formatter.rich.info("Try:")
+    formatter.rich.info("  1. Re-run the command (sessions auto-refresh)")
+    formatter.rich.info("  2. Use [cyan]--verbose[/cyan] to see fault codes and signing details")
+    formatter.rich.info("  3. If repeated failures, re-enroll:")
+    formatter.rich.info(
+        "     [cyan]tescmd key generate --force && tescmd key deploy && tescmd key enroll[/cyan]"
+    )
 
 
 def _handle_keyring_error(
@@ -599,3 +622,43 @@ def _handle_keyring_error(
     formatter.rich.info(
         "[dim]Tokens will be stored in plaintext with restricted file permissions.[/dim]"
     )
+
+
+def _handle_tunnel_error(
+    exc: TunnelError,
+    formatter: OutputFormatter,
+    cmd_name: str,
+) -> None:
+    """Show a friendly error for tunnel-related failures.
+
+    Only shows install guidance when no provider is found on PATH.
+    TailscaleError means Tailscale IS installed but hit an operational
+    error — install guidance would be confusing.
+    """
+    message = str(exc) or "No tunnel provider available for telemetry streaming."
+
+    if formatter.format == "json":
+        formatter.output_error(
+            code="tunnel_error",
+            message=message,
+            command=cmd_name,
+        )
+        return
+
+    formatter.rich.error(message)
+
+    # Only show install guidance when no provider was found at all.
+    if "No tunnel provider" not in message:
+        return
+
+    formatter.rich.info("")
+    formatter.rich.info("Telemetry streaming requires Tailscale Funnel:")
+    formatter.rich.info("")
+    formatter.rich.info("  1. Install Tailscale: [cyan]https://tailscale.com/download[/cyan]")
+    formatter.rich.info("  2. Authenticate: [cyan]tailscale up[/cyan]")
+    formatter.rich.info(
+        "  3. Enable Funnel in your tailnet ACL:"
+        " [cyan]https://login.tailscale.com/admin/acls[/cyan]"
+    )
+    formatter.rich.info("")
+    formatter.rich.info("Telemetry deps are included with tescmd.")