tooig 0.1.3__py3-none-any.whl

tooig/__init__.py

@@ -0,0 +1,8 @@
+"""Tooig developer CLI."""
+
+from importlib.metadata import PackageNotFoundError, version
+
+try:
+    __version__ = version("tooig")
+except PackageNotFoundError:  # Source-tree imports during development.
+    __version__ = "0.0.0"

tooig/__main__.py

@@ -0,0 +1,6 @@
+from .cli import main
+
+
+if __name__ == "__main__":
+    main()
+

tooig/api.py

@@ -0,0 +1,166 @@
+from __future__ import annotations
+
+import time
+from dataclasses import dataclass
+from typing import Any, Callable
+from urllib.parse import urljoin, urlsplit
+
+import httpx
+
+from .errors import TooigError
+
+
+def validate_api_url(value: str) -> str:
+    normalized = value.strip().rstrip("/")
+    parsed = urlsplit(normalized)
+    if not parsed.scheme or not parsed.hostname or parsed.username or parsed.password:
+        raise TooigError("The API URL must be an absolute URL without embedded credentials.")
+    is_local = parsed.hostname in {"localhost", "127.0.0.1", "::1"}
+    if parsed.scheme != "https" and not (parsed.scheme == "http" and is_local):
+        raise TooigError("The API URL must use HTTPS (HTTP is allowed only for localhost).")
+    return normalized
+
+
+def _safe_detail(response: httpx.Response) -> str:
+    try:
+        payload = response.json()
+    except ValueError:
+        return f"HTTP {response.status_code}"
+    detail = payload.get("detail") if isinstance(payload, dict) else None
+    if isinstance(detail, str) and detail.strip():
+        return detail.strip()[:240]
+    return f"HTTP {response.status_code}"
+
+
+@dataclass(frozen=True)
+class DeviceAuthorization:
+    authorization_id: str
+    authorization_url: str
+    interval_seconds: float
+    expires_in_seconds: float
+
+
+class ApiClient:
+    def __init__(
+        self,
+        base_url: str,
+        *,
+        client: httpx.Client | None = None,
+        sleep: Callable[[float], None] = time.sleep,
+        monotonic: Callable[[], float] = time.monotonic,
+    ) -> None:
+        self.base_url = validate_api_url(base_url)
+        self._client = client or httpx.Client(timeout=httpx.Timeout(15.0))
+        self._owns_client = client is None
+        self._sleep = sleep
+        self._monotonic = monotonic
+
+    def close(self) -> None:
+        if self._owns_client:
+            self._client.close()
+
+    def _url(self, path: str) -> str:
+        return urljoin(f"{self.base_url}/", path.lstrip("/"))
+
+    def _request(self, method: str, path: str, **kwargs: Any) -> httpx.Response:
+        try:
+            return self._client.request(method, self._url(path), **kwargs)
+        except httpx.TimeoutException as exc:
+            raise TooigError("The Tooig service timed out. Try again shortly.") from exc
+        except httpx.HTTPError as exc:
+            raise TooigError("Could not connect securely to the Tooig service.") from exc
+
+    def signup(self, *, email: str, password: str) -> None:
+        response = self._request(
+            "POST", "auth/signup", json={"email": email, "password": password}
+        )
+        if response.status_code not in {200, 201}:
+            raise TooigError(f"Could not create the developer account: {_safe_detail(response)}")
+
+    def login(self, *, email: str, password: str) -> str:
+        response = self._request(
+            "POST", "auth/login", json={"email": email, "password": password}
+        )
+        if response.status_code != 200:
+            raise TooigError(f"Authentication failed: {_safe_detail(response)}")
+        try:
+            token = response.json().get("access_token", "")
+        except (AttributeError, ValueError) as exc:
+            raise TooigError("Authentication returned an invalid response.") from exc
+        if not isinstance(token, str) or not token:
+            raise TooigError("Authentication did not return an access token.")
+        return token
+
+    def validate_api_key(self, api_key: str) -> None:
+        if len(api_key.strip()) < 16:
+            raise TooigError("The API key is too short.")
+        response = self._request(
+            "GET",
+            "auth/session",
+            headers={"Authorization": f"Bearer {api_key.strip()}"},
+        )
+        if response.status_code != 200:
+            raise TooigError(f"The API key was rejected: {_safe_detail(response)}")
+
+    def begin_device_authorization(self, access_token: str) -> DeviceAuthorization:
+        response = self._request(
+            "POST",
+            "developer/authorizations",
+            headers={"Authorization": f"Bearer {access_token}"},
+            json={"client": "tooig-cli"},
+        )
+        if response.status_code not in {200, 201}:
+            raise TooigError(
+                f"Could not start browser authorization: {_safe_detail(response)}"
+            )
+        try:
+            payload = response.json()
+            authorization = DeviceAuthorization(
+                authorization_id=str(payload["id"]),
+                authorization_url=str(payload["authorization_url"]),
+                interval_seconds=max(1.0, min(float(payload.get("interval", 2)), 10.0)),
+                expires_in_seconds=max(
+                    10.0, min(float(payload.get("expires_in", 300)), 900.0)
+                ),
+            )
+        except (KeyError, TypeError, ValueError) as exc:
+            raise TooigError("Authorization returned an invalid response.") from exc
+        self._validate_authorization_url(authorization.authorization_url)
+        return authorization
+
+    def _validate_authorization_url(self, value: str) -> None:
+        candidate = urlsplit(value)
+        api = urlsplit(self.base_url)
+        if candidate.hostname != api.hostname:
+            raise TooigError("The service returned an authorization link for another host.")
+        is_local = candidate.hostname in {"localhost", "127.0.0.1", "::1"}
+        if candidate.scheme != "https" and not (candidate.scheme == "http" and is_local):
+            raise TooigError("The service returned an insecure authorization link.")
+
+    def wait_for_device_authorization(
+        self, authorization: DeviceAuthorization, access_token: str
+    ) -> str:
+        deadline = self._monotonic() + authorization.expires_in_seconds
+        path = f"developer/authorizations/{authorization.authorization_id}"
+        while self._monotonic() < deadline:
+            response = self._request(
+                "GET", path, headers={"Authorization": f"Bearer {access_token}"}
+            )
+            if response.status_code != 200:
+                raise TooigError(f"Authorization check failed: {_safe_detail(response)}")
+            try:
+                payload = response.json()
+                status = str(payload.get("status", "")).lower()
+            except (AttributeError, ValueError) as exc:
+                raise TooigError("Authorization returned an invalid response.") from exc
+            if status == "approved":
+                api_key = payload.get("api_key", "")
+                if not isinstance(api_key, str) or len(api_key.strip()) < 16:
+                    raise TooigError("Authorization did not return a valid API key.")
+                return api_key.strip()
+            if status in {"denied", "expired", "cancelled"}:
+                raise TooigError(f"Browser authorization was {status}.")
+            if status != "pending":
+                raise TooigError("Authorization returned an unknown status.")
+            self._sleep(authorization.interval_seconds)
+        raise TooigError("Browser authorization expired. Run `tooig developer` again.")

tooig/cli.py

@@ -0,0 +1,68 @@
+from __future__ import annotations
+
+import typer
+
+from . import __version__
+from .api import ApiClient
+from .constants import configured_api_url
+from .errors import CancelledError, TooigError
+from .ui import TerminalUI
+from .workflow import DeveloperSetup
+
+
+app = typer.Typer(
+    add_completion=False,
+    help="Secure setup and SDK installation for Tooig developers.",
+    no_args_is_help=True,
+)
+
+
+def _version_callback(value: bool) -> None:
+    if value:
+        typer.echo(__version__)
+        raise typer.Exit()
+
+
+@app.callback()
+def root(
+    version: bool = typer.Option(
+        False,
+        "--version",
+        callback=_version_callback,
+        is_eager=True,
+        help="Show the installed tooig version and exit.",
+    ),
+) -> None:
+    """Secure setup and SDK installation for Tooig developers."""
+
+
+@app.command()
+def developer(
+    api_url: str = typer.Option(
+        None,
+        "--api-url",
+        help="Tooig API base URL. Defaults to TOOIG_API_URL or the production API.",
+    ),
+    no_open: bool = typer.Option(
+        False, "--no-open", help="Print the authorization link without opening a browser."
+    ),
+) -> None:
+    """Authenticate, authorize this build, and install a Tooig SDK."""
+    ui = TerminalUI()
+    client: ApiClient | None = None
+    try:
+        client = ApiClient(api_url or configured_api_url())
+        DeveloperSetup(api=client, ui=ui, open_browser=not no_open).run()
+    except CancelledError as exc:
+        ui.info(str(exc))
+        raise typer.Exit(code=130) from exc
+    except TooigError as exc:
+        ui.console.print(f"[red]error[/red] {exc}")
+        raise typer.Exit(code=1) from exc
+    finally:
+        if client is not None:
+            client.close()
+
+
+def main() -> None:
+    app()

tooig/constants.py

@@ -0,0 +1,16 @@
+from __future__ import annotations
+
+import os
+
+
+DEVELOPER_DOMAIN = "developer.tooig.com"
+DEFAULT_API_URL = "https://developer.tooig.com/api"
+GET_STARTED_URL = "https://developer.tooig.com/get_started"
+FRAMEWORKS = {
+    "nineth": "nineth",
+    "bridge": "nineth-bridge",
+}
+
+
+def configured_api_url() -> str:
+    return os.getenv("TOOIG_API_URL", DEFAULT_API_URL).strip().rstrip("/")

tooig/credentials.py

@@ -0,0 +1,77 @@
+from __future__ import annotations
+
+import json
+import os
+import tempfile
+from pathlib import Path
+from typing import Any
+
+from platformdirs import user_config_path
+
+from .errors import TooigError
+
+
+def default_credentials_path() -> Path:
+    return user_config_path("tooig", appauthor=False, roaming=True) / "credentials.json"
+
+
+class CredentialStore:
+    """Stores only the long-lived API key, never passwords or login tokens."""
+
+    def __init__(self, path: Path | None = None) -> None:
+        self.path = path or default_credentials_path()
+
+    def save(self, *, email: str, api_key: str, api_base_url: str) -> Path:
+        if not api_key.strip():
+            raise TooigError("The API key is empty and was not stored.")
+        if self.path.is_symlink():
+            raise TooigError(f"Refusing to replace symlinked credential file: {self.path}")
+
+        self.path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
+        try:
+            os.chmod(self.path.parent, 0o700)
+        except OSError:
+            pass
+
+        payload: dict[str, Any] = {
+            "version": 1,
+            "developer_email": email,
+            "api_base_url": api_base_url,
+            "api_key": api_key.strip(),
+        }
+        temporary_path: Path | None = None
+        try:
+            with tempfile.NamedTemporaryFile(
+                mode="w",
+                encoding="utf-8",
+                dir=self.path.parent,
+                prefix=".credentials-",
+                suffix=".tmp",
+                delete=False,
+            ) as handle:
+                temporary_path = Path(handle.name)
+                os.chmod(temporary_path, 0o600)
+                json.dump(payload, handle, indent=2)
+                handle.write("\n")
+                handle.flush()
+                os.fsync(handle.fileno())
+            os.replace(temporary_path, self.path)
+            os.chmod(self.path, 0o600)
+        except OSError as exc:
+            if temporary_path is not None:
+                temporary_path.unlink(missing_ok=True)
+            raise TooigError(f"Could not store credentials at {self.path}: {exc}") from exc
+        return self.path
+
+    def load(self) -> dict[str, Any] | None:
+        if not self.path.exists():
+            return None
+        if self.path.is_symlink():
+            raise TooigError(f"Refusing to read symlinked credential file: {self.path}")
+        try:
+            data = json.loads(self.path.read_text(encoding="utf-8"))
+        except (OSError, json.JSONDecodeError) as exc:
+            raise TooigError(f"Could not read credentials at {self.path}: {exc}") from exc
+        if not isinstance(data, dict) or data.get("version") != 1:
+            raise TooigError(f"Unsupported credential file format at {self.path}")
+        return data

tooig/errors.py

@@ -0,0 +1,7 @@
+class TooigError(Exception):
+    """A user-facing CLI error that is safe to print."""
+
+
+class CancelledError(TooigError):
+    """The developer cancelled an interactive prompt."""
+

tooig/installer.py

@@ -0,0 +1,31 @@
+from __future__ import annotations
+
+import subprocess
+import sys
+from collections.abc import Callable, Sequence
+
+from .constants import FRAMEWORKS
+from .errors import TooigError
+
+
+class PythonInstaller:
+    def __init__(
+        self,
+        runner: Callable[..., subprocess.CompletedProcess[str]] = subprocess.run,
+    ) -> None:
+        self._runner = runner
+
+    def command_for(self, framework: str) -> list[str]:
+        try:
+            package = FRAMEWORKS[framework]
+        except KeyError as exc:
+            raise TooigError(f"Unsupported framework: {framework}") from exc
+        return [sys.executable, "-m", "pip", "install", "--upgrade", package]
+
+    def install(self, framework: str) -> Sequence[str]:
+        command = self.command_for(framework)
+        try:
+            self._runner(command, check=True)
+        except (OSError, subprocess.CalledProcessError) as exc:
+            raise TooigError(f"Could not install {FRAMEWORKS[framework]}.") from exc
+        return command

tooig/prompts.py

@@ -0,0 +1,87 @@
+from __future__ import annotations
+
+import re
+
+import questionary
+from prompt_toolkit.layout.processors import PasswordProcessor
+from questionary import Choice
+
+from .errors import CancelledError
+
+
+LOCAL_PART = re.compile(r"^[a-z0-9](?:[a-z0-9._-]{0,62}[a-z0-9])?$", re.IGNORECASE)
+
+
+def validate_local_part(value: str) -> bool | str:
+    candidate = value.strip()
+    if not LOCAL_PART.fullmatch(candidate):
+        return "Use 1-64 letters, numbers, dots, underscores, or hyphens."
+    return True
+
+
+class InteractivePrompter:
+    @staticmethod
+    def _required(value: object) -> object:
+        if value is None:
+            raise CancelledError("Setup cancelled.")
+        return value
+
+    def email_local_part(self) -> str:
+        answer = questionary.text(
+            "email: [name]@developer.tooig.com",
+            validate=validate_local_part,
+        ).ask()
+        return str(self._required(answer)).strip().lower()
+
+    def account_action(self) -> str:
+        answer = questionary.select(
+            "developer account",
+            choices=[
+                Choice("Sign in", "signin"),
+                Choice("Create developer account", "signup"),
+            ],
+        ).ask()
+        return str(self._required(answer))
+
+    def password(self, *, creating: bool) -> str:
+        minimum = 12 if creating else 1
+
+        def validate(value: str) -> bool | str:
+            if len(value) < minimum:
+                return f"Use at least {minimum} characters."
+            return True
+
+        answer = questionary.password(
+            "password",
+            validate=validate,
+            input_processors=[PasswordProcessor(char="")],
+        ).ask()
+        return str(self._required(answer))
+
+    def authorization_method(self) -> str:
+        answer = questionary.select(
+            "authorize this build",
+            choices=[
+                Choice("Open a secure authorization link", "browser"),
+                Choice("Use an existing API key", "api_key"),
+            ],
+        ).ask()
+        return str(self._required(answer))
+
+    def api_key(self) -> str:
+        answer = questionary.password(
+            "API key (input hidden)",
+            validate=lambda value: bool(value.strip()) or "Required.",
+            input_processors=[PasswordProcessor(char="")],
+        ).ask()
+        return str(self._required(answer)).strip()
+
+    def framework(self) -> str:
+        answer = questionary.select(
+            "framework",
+            choices=[
+                Choice("nineth", "nineth"),
+                Choice("bridge (nineth-bridge)", "bridge"),
+            ],
+        ).ask()
+        return str(self._required(answer))

tooig/ui.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+from contextlib import contextmanager
+from typing import Iterator
+
+from rich.console import Console
+
+
+class TerminalUI:
+    def __init__(self, console: Console | None = None) -> None:
+        self.console = console or Console()
+
+    def heading(self) -> None:
+        self.console.print("\n[bold]tooig developer[/bold]\n")
+
+    def info(self, message: str) -> None:
+        self.console.print(message)
+
+    def success(self, message: str) -> None:
+        self.console.print(f"[green]ok[/green] {message}")
+
+    @contextmanager
+    def progress(self, message: str) -> Iterator[None]:
+        with self.console.status(message, spinner="dots"):
+            yield

tooig/workflow.py

@@ -0,0 +1,84 @@
+from __future__ import annotations
+
+import webbrowser
+from collections.abc import Callable
+from contextlib import nullcontext
+from typing import Any
+
+from .api import ApiClient
+from .constants import DEVELOPER_DOMAIN, FRAMEWORKS, GET_STARTED_URL
+from .credentials import CredentialStore
+from .installer import PythonInstaller
+from .prompts import InteractivePrompter
+from .ui import TerminalUI
+
+
+class DeveloperSetup:
+    def __init__(
+        self,
+        *,
+        api: ApiClient,
+        prompts: InteractivePrompter | Any | None = None,
+        credentials: CredentialStore | Any | None = None,
+        installer: PythonInstaller | Any | None = None,
+        ui: TerminalUI | Any | None = None,
+        opener: Callable[[str], bool] = lambda url: webbrowser.open(url, new=2),
+        open_browser: bool = True,
+    ) -> None:
+        self.api = api
+        self.prompts = prompts or InteractivePrompter()
+        self.credentials = credentials or CredentialStore()
+        self.installer = installer or PythonInstaller()
+        self.ui = ui or TerminalUI()
+        self.opener = opener
+        self.open_browser = open_browser
+
+    def _progress(self, message: str):
+        progress = getattr(self.ui, "progress", None)
+        return progress(message) if progress else nullcontext()
+
+    def run(self) -> None:
+        self.ui.heading()
+        local_part = self.prompts.email_local_part()
+        email = f"{local_part}@{DEVELOPER_DOMAIN}"
+        action = self.prompts.account_action()
+        password = self.prompts.password(creating=action == "signup")
+
+        if action == "signup":
+            with self._progress("Creating developer account..."):
+                self.api.signup(email=email, password=password)
+            self.ui.success("Developer account created.")
+
+        with self._progress("Authenticating..."):
+            access_token = self.api.login(email=email, password=password)
+        self.ui.success(f"Authenticated as {email}.")
+
+        method = self.prompts.authorization_method()
+        if method == "api_key":
+            api_key = self.prompts.api_key()
+            with self._progress("Validating API key..."):
+                self.api.validate_api_key(api_key)
+        else:
+            with self._progress("Creating a signed authorization request..."):
+                authorization = self.api.begin_device_authorization(access_token)
+            self.ui.info(f"Authorize this build:\n{authorization.authorization_url}")
+            if self.open_browser:
+                self.opener(authorization.authorization_url)
+            with self._progress("Waiting for authorization..."):
+                api_key = self.api.wait_for_device_authorization(
+                    authorization, access_token
+                )
+
+        credential_path = self.credentials.save(
+            email=email, api_key=api_key, api_base_url=self.api.base_url
+        )
+        self.ui.success(f"Authorization stored at {credential_path}.")
+
+        framework = self.prompts.framework()
+        with self._progress(f"Installing {FRAMEWORKS[framework]}..."):
+            self.installer.install(framework)
+        self.ui.success(f"Installed {FRAMEWORKS[framework]}.")
+        self.ui.info(
+            f"\nSetup complete. Start building with {FRAMEWORKS[framework]}.\n"
+            f"Documentation: {GET_STARTED_URL}"
+        )

tooig-0.1.3.dist-info/METADATA

@@ -0,0 +1,282 @@
+Metadata-Version: 2.4
+Name: tooig
+Version: 0.1.3
+Summary: Interactive framework for tooig developer program
+Project-URL: Documentation, https://developer.tooig.com/get_started
+Project-URL: Issues, https://github.com/tooig/developer/issues
+Project-URL: Repository, https://github.com/tooig/developer
+Author-email: "Tooig, Inc" <tooighq@gmail.com>
+License: MIT
+Keywords: cli,developer,nineth,tooig
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Requires-Python: >=3.10
+Requires-Dist: httpx<1,>=0.27
+Requires-Dist: platformdirs<5,>=4.2
+Requires-Dist: questionary<3,>=2.1
+Requires-Dist: rich<15,>=13.9
+Requires-Dist: typer<1,>=0.15
+Description-Content-Type: text/markdown
+
+# tooig CLI
+
+`tooig` is the secure setup CLI for Tooig developers. It is published with the same name and version to PyPI and npm. Both distributions implement the same authentication, build authorization, credential-storage, and SDK-installation flow.
+
+## Table of contents
+
+1. [Requirements](#requirements)
+2. [Installation](#installation)
+3. [Developer setup walkthrough](#developer-setup-walkthrough)
+4. [Authentication](#authentication)
+5. [Build authorization](#build-authorization)
+6. [Framework installation](#framework-installation)
+7. [Credential storage](#credential-storage)
+8. [Configuration](#configuration)
+9. [Service contract](#service-contract)
+10. [Security model](#security-model)
+11. [Troubleshooting](#troubleshooting)
+12. [Release process](#release-process)
+
+## Requirements
+
+Use either of these runtimes:
+
+- Python 3.10 or newer and `pip`.
+- Node.js 20 or newer and npm or pnpm.
+
+The selected framework must exist in the same package registry as the installed CLI. The Python CLI installs from PyPI; the Node.js CLI installs from npm.
+
+## Installation
+
+### Python and pip
+
+```console
+python -m pip install --upgrade tooig
+tooig developer
+```
+
+### npm
+
+Install globally:
+
+```console
+npm install --global tooig
+tooig developer
+```
+
+Or run without a permanent global installation:
+
+```console
+npx tooig developer
+```
+
+### pnpm
+
+```console
+pnpm add --global tooig
+tooig developer
+```
+
+Or:
+
+```console
+pnpm dlx tooig developer
+```
+
+`npx install --g tooig` is not a valid npm installation command. Use `npm install --global tooig` or `npx tooig developer` instead.
+
+## Developer setup walkthrough
+
+Run:
+
+```console
+tooig developer
+```
+
+The CLI performs these steps:
+
+1. Prompts for the name portion of the developer email. Enter `ada` for `ada@developer.tooig.com`.
+2. Offers **Sign in** and **Create developer account**.
+3. Reads the password without echoing characters to the terminal.
+4. Authenticates with the Tooig API.
+5. Offers browser authorization or an existing API key.
+6. Validates and stores the resulting API key.
+7. Offers `nineth` and `bridge (nineth-bridge)`.
+8. Installs the selected SDK using the CLI's package ecosystem.
+9. Prints the getting-started URL: <https://developer.tooig.com/get_started>.
+
+Use `--no-open` on remote machines to print the browser authorization URL without launching a browser:
+
+```console
+tooig developer --no-open
+```
+
+## Authentication
+
+The prompt accepts only the local portion of a Tooig developer address:
+
+```text
+email: [name]@developer.tooig.com
+```
+
+The suffix is fixed by the CLI. Local parts are normalized to lowercase and may contain letters, numbers, dots, underscores, and hyphens.
+
+For a new account, select **Create developer account** and use a password of at least 12 characters. The CLI submits the signup and then authenticates. If the account policy requires email verification, verify the address and run `tooig developer` again.
+
+Passwords and short-lived login tokens are held in memory only. They are never written to the credential file or displayed in progress/error output.
+
+## Build authorization
+
+### Secure browser link
+
+The CLI asks the Tooig API to create a signed, short-lived authorization request. The service returns the link; the CLI does not generate or sign authorization links locally.
+
+```text
+https://developer.tooig.com/{server-generated-id}
+```
+
+The link is opened in the default browser unless `--no-open` is set. The CLI polls the service until the request is approved, denied, cancelled, or expired. On approval, the service returns the build API key.
+
+The CLI rejects an authorization URL that changes the configured API host or downgrades HTTPS. Localhost development may use HTTP.
+
+### Existing API key
+
+Select **Use an existing API key**. Input is hidden. Before storing the key, the CLI validates it against the authenticated session endpoint. Invalid or truncated keys are not saved.
+
+## Framework installation
+
+The framework choices and commands are:
+
+| CLI distribution | Selection | Command |
+| --- | --- | --- |
+| PyPI | `nineth` | `python -m pip install --upgrade nineth` |
+| PyPI | `bridge` | `python -m pip install --upgrade nineth-bridge` |
+| npm | `nineth` | `npm install nineth` |
+| npm | `bridge` | `npm install nineth-bridge` |
+| pnpm | `nineth` | `pnpm add nineth` |
+| pnpm | `bridge` | `pnpm add nineth-bridge` |
+
+The Node.js CLI detects pnpm through `npm_config_user_agent`; all other npm/npx invocations use npm. Installer commands use argument arrays and never interpolate user input into a shell command.
+
+## Credential storage
+
+Python and Node.js use the same versioned JSON format so either CLI can reuse the authorization:
+
+| Platform | Default location |
+| --- | --- |
+| Windows | `%APPDATA%\\tooig\\credentials.json` |
+| macOS | `~/Library/Application Support/tooig/credentials.json` |
+| Linux | `${XDG_CONFIG_HOME:-~/.config}/tooig/credentials.json` |
+
+The file contains the developer email, API base URL, and API key. It never contains the password or login token.
+
+Writes use a temporary file followed by an atomic rename. On POSIX systems the directory is mode `0700` and the file is mode `0600`. Both clients refuse to read or replace a symlinked credential file. Do not commit this file or copy it into a project directory.
+
+## Configuration
+
+The production API is used by default:
+
+```text
+https://developer.tooig.com/api
+```
+
+Override it for development with `TOOIG_API_URL` or `--api-url`:
+
+```console
+tooig developer --api-url http://localhost:8000/api
+```
+
+Non-local API URLs must use HTTPS and cannot contain embedded usernames or passwords.
+
+## Service contract
+
+The CLI expects these server endpoints relative to the API base URL:
+
+| Method | Endpoint | Purpose |
+| --- | --- | --- |
+| `POST` | `/auth/signup` | Create a developer account. |
+| `POST` | `/auth/login` | Return a short-lived `access_token`. |
+| `GET` | `/auth/session` | Validate an existing bearer API key. |
+| `POST` | `/developer/authorizations` | Create a signed browser authorization request. |
+| `GET` | `/developer/authorizations/{id}` | Poll `pending`, `approved`, `denied`, `cancelled`, or `expired`. |
+
+The authorization creation response is:
+
+```json
+{
+  "id": "server-generated-id",
+  "authorization_url": "https://developer.tooig.com/server-generated-id",
+  "interval": 2,
+  "expires_in": 300
+}
+```
+
+An approved poll response is:
+
+```json
+{
+  "status": "approved",
+  "api_key": "server-issued-secret"
+}
+```
+
+The repository currently supplies `/auth/signup`, `/auth/login`, and `/auth/session`. Browser authorization requires the `/developer/authorizations` service to be deployed before that option can complete. Existing API-key authorization is usable against the current API.
+
+## Security model
+
+- HTTPS is mandatory except for loopback development.
+- Password and API-key prompts do not echo input.
+- The server signs and issues authorization requests and keys.
+- Authorization URLs are origin-checked before opening.
+- Login tokens are not persisted.
+- Existing keys are validated before persistence.
+- Secrets are not passed as command-line arguments to package managers.
+- Network failures are converted to bounded errors without response dumps.
+- Framework names are selected from a fixed allowlist.
+- Credential writes are atomic and symlink-resistant.
+
+Local credential-file protection is not a substitute for full-disk encryption or a locked operating-system account. Rotate the API key immediately if the workstation or file is compromised.
+
+## Troubleshooting
+
+### Account creation succeeds but login fails
+
+The account may require email verification. Complete verification and rerun `tooig developer` using **Sign in**.
+
+### Browser authorization is unavailable
+
+Use **Use an existing API key** until the browser-authorization service is deployed. For remote or headless environments, use `--no-open` and open the printed link on another trusted device.
+
+### Package installation fails
+
+Check registry access and install the selected package directly using the command in [Framework installation](#framework-installation). The authorization remains stored, so rerunning setup does not expose the password or key.
+
+### PowerShell blocks `npm.ps1`
+
+Use `npm.cmd` in a restricted PowerShell session or adjust the local execution policy according to your organization's policy. The published `tooig` executable itself does not require shell interpolation.
+
+## Release process
+
+Repository versioning is controlled by the first recognized dispatch token in a commit message:
+
+| Dispatch | Version bump | Repository | PyPI/npm `tooig` |
+| --- | --- | --- | --- |
+| `build:` | Major | Bump and GitHub release | No publish |
+| `feat:` | Minor | Bump and GitHub release | No publish |
+| `chore:` | Patch | Bump and GitHub release | No publish |
+| `build[tooig]:` | Major | Bump and GitHub release | Bump, build, validate, publish, release |
+| `feat[tooig]:` | Minor | Bump and GitHub release | Bump, build, validate, publish, release |
+| `chore[tooig]:` | Patch | Bump and GitHub release | Bump, build, validate, publish, release |
+
+The PyPI and npm versions must match before a scoped release. The script updates both manifests and the npm lockfile together. Repository tags use `vX.Y.Z`; package tags use `tooig-vX.Y.Z`.
+
+GitHub Actions requires:
+
+- An npm automation token in the `NPM_TOKEN` repository secret.
+- PyPI Trusted Publishing configured for this repository and workflow.
+- `contents: write` and `id-token: write`, already declared by the workflow.
+
+The repository release reads `.github/release_notes/repository.md`. The package release reads `.github/release_notes/tooig.md`.

tooig-0.1.3.dist-info/RECORD

@@ -0,0 +1,15 @@
+tooig/__init__.py,sha256=l4_tVHkx-y5Km7RN5xMoe7irbWVSJ1t-5g6eR9v4zb0,228
+tooig/__main__.py,sha256=14FfnaF7zY550dRxcOV5XinMWDf5fRBJZkgTBoqeVj8,63
+tooig/api.py,sha256=KShaF1tgfblh3DfTNFRRikCTY-L63_ubJCE8sVOT2Gw,7088
+tooig/cli.py,sha256=KWzxb5Jtmayy5kb6z7MlU15MDjgoW1sMHty2WJjWzmM,1756
+tooig/constants.py,sha256=4ttyFGhL9czemLZlIG4_aT8aXtn6-Pdv1we09rVXTos,383
+tooig/credentials.py,sha256=yIEbnAgGrcDUGF9AZ24C7yS_ecndY_qWGzVerGEfEy8,2769
+tooig/errors.py,sha256=RweSvvi-q9DOHNdiKDKylSnJMeDElmRGb7aFTT3Mxfo,180
+tooig/installer.py,sha256=3Eqoh72w7bfvDbeLd7lSTf9_7XIZ8iKNdnzNbr93-KQ,997
+tooig/prompts.py,sha256=rfdeeYagHBb_Jk2QtudU0MKFB6hhevsir3ZnQzcqB7U,2664
+tooig/ui.py,sha256=1q4Sw0fFlxeuX2iHepdc2NOClaYhcy3nPVRTLhNkEnE,697
+tooig/workflow.py,sha256=jxPgDsU8zMhlvOf3rIozEoz5ywAUMz5RjYSMLvxQpAM,3349
+tooig-0.1.3.dist-info/METADATA,sha256=58vasoZeP9XxJNZK5tsC_hTlrvFekSkt9Tx32dz9CAQ,10485
+tooig-0.1.3.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+tooig-0.1.3.dist-info/entry_points.txt,sha256=LFnVRxfJ9kiuHYMQ-lh0JtuRV8bQKB4OrszICYl_hBk,41
+tooig-0.1.3.dist-info/RECORD,,

tooig-0.1.3.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

tooig-0.1.3.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+tooig = tooig.cli:main