t1c.dev
1# Tangled CLI – Agent Handoff (Massive Context)
2
3This document is a complete handoff for the next Codex instance working on the Tangled CLI (Rust). It explains what exists, what to build next, where to edit, how to call the APIs, how to persist sessions, how to print output, and how to validate success.
4
5Primary focus for this session: implement authentication (auth login/status/logout) and repository listing (repo list).
6
7--------------------------------------------------------------------------------
8
9## 0) TL;DR – Immediate Actions
10
11- Implement `auth login` using AT Protocol `com.atproto.server.createSession`.
12 - Prompt for handle/password if flags aren’t provided.
13 - POST to `/xrpc/com.atproto.server.createSession` at the configured PDS (default `https://bsky.social`).
14 - Persist `{accessJwt, refreshJwt, did, handle}` via `SessionManager` (keyring-backed).
15 - `auth status` reads keyring and prints handle + did; `auth logout` clears keyring.
16
17- Implement `repo list` using Tangled’s repo list method (tentative `sh.tangled.repo.list`).
18 - GET `/xrpc/sh.tangled.repo.list` with optional params: `user`, `knot`, `starred`.
19 - Include `Authorization: Bearer <accessJwt>` if required.
20 - Print results as table (default) or JSON (`--format json`).
21
22Keep edits minimal and scoped to these features.
23
24--------------------------------------------------------------------------------
25
26## 1) Repository Map (Paths You Will Touch)
27
28- CLI (binary):
29 - `tangled/crates/tangled-cli/src/commands/auth.rs` → implement login/status/logout.
30 - `tangled/crates/tangled-cli/src/commands/repo.rs` → implement list.
31 - `tangled/crates/tangled-cli/src/cli.rs` → already contains arguments and subcommands; no structural changes needed.
32 - `tangled/crates/tangled-cli/src/main.rs` → no change.
33
34- Config + session:
35 - `tangled/crates/tangled-config/src/session.rs` → already provides `Session` + `SessionManager` (keyring).
36 - `tangled/crates/tangled-config/src/config.rs` → optional use for PDS/base URL (MVP can use CLI flags/env vars).
37
38- API client:
39 - `tangled/crates/tangled-api/src/client.rs` → add XRPC helpers and implement `login_with_password` and `list_repos`.
40
41--------------------------------------------------------------------------------
42
43## 2) Current State Snapshot
44
45- Workspace is scaffolded and compiles after wiring dependencies (network needed to fetch crates):
46 - `tangled-cli`: clap CLI with subcommands; commands currently log stubs.
47 - `tangled-config`: TOML config loader/saver; keyring-backed session store.
48 - `tangled-api`: client struct with placeholder methods.
49 - `tangled-git`: stubs for future.
50- Placeholder lexicons in `tangled/lexicons/sh.tangled/*` are not authoritative; use AT Protocol docs and inspect real endpoints later.
51
52Goal: replace CLI stubs with real API calls for auth + repo list.
53
54--------------------------------------------------------------------------------
55
56## 3) Endpoints & Data Shapes
57
58### 3.1 AT Protocol – Create Session
59
60- Method: `com.atproto.server.createSession`
61- HTTP: `POST /xrpc/com.atproto.server.createSession`
62- Request JSON:
63 - `identifier: string` → user handle or email (e.g., `alice.bsky.social`).
64 - `password: string` → password or app password.
65- Response JSON (subset used):
66 - `accessJwt: string`
67 - `refreshJwt: string`
68 - `did: string` (e.g., `did:plc:...`)
69 - `handle: string`
70
71Persist to keyring using `SessionManager`.
72
73### 3.2 Tangled – Repo List (tentative)
74
75- Method: `sh.tangled.repo.list` (subject to change; wire in a constant to adjust easily).
76- HTTP: `GET /xrpc/sh.tangled.repo.list?user=<..>&knot=<..>&starred=<true|false>`
77- Auth: likely required; include `Authorization: Bearer <accessJwt>`.
78- Response JSON (envelope):
79 - `{ "repos": [{ "name": string, "knot": string, "private": bool, ... }] }`
80
81If method name or response shape differs, adapt the client code; keep CLI interface stable.
82
83--------------------------------------------------------------------------------
84
85## 4) Implementation Plan
86
87### 4.1 Add XRPC helpers and methods in `tangled-api`
88
89File: `tangled/crates/tangled-api/src/client.rs`
90
91- Extend `TangledClient` with:
92 - `fn xrpc_url(&self, method: &str) -> String` → combines `base_url` + `/xrpc/` + `method`.
93 - `async fn post_json<TReq: Serialize, TRes: DeserializeOwned>(&self, method, req, bearer) -> Result<TRes>`.
94 - `async fn get_json<TRes: DeserializeOwned>(&self, method, params, bearer) -> Result<TRes>`.
95 - Include `Authorization: Bearer <token>` when `bearer` is provided.
96
97- Implement:
98 - `pub async fn login_with_password(&self, handle: &str, password: &str, pds: &str) -> Result<Session>`
99 - POST to `com.atproto.server.createSession` at `self.base_url` (which should be the PDS base).
100 - Map response to `tangled_config::session::Session` and return it (caller will persist).
101 - `pub async fn list_repos(&self, user: Option<&str>, knot: Option<&str>, starred: bool, bearer: Option<&str>) -> Result<Vec<Repository>>`
102 - GET `sh.tangled.repo.list` with params present only if set.
103 - Return parsed `Vec<Repository>` from an envelope `{ repos: [...] }`.
104
105Error handling: For non-2xx, read the response body, return `anyhow!("{status}: {body}")`.
106
107### 4.2 Wire CLI auth commands
108
109File: `tangled/crates/tangled-cli/src/commands/auth.rs`
110
111- `login`:
112 - Determine PDS: use `--pds` arg if provided, else default `https://bsky.social` (later from config/env).
113 - Prompt for missing handle/password.
114 - `let client = tangled_api::TangledClient::new(&pds);`
115 - `let session = client.login_with_password(&handle, &password, &pds).await?;`
116 - `tangled_config::session::SessionManager::default().save(&session)?;`
117 - Print: `Logged in as '{handle}' ({did})`.
118
119- `status`:
120 - Load `SessionManager::default().load()?`.
121 - If Some: print `Logged in as '{handle}' ({did})`.
122 - Else: print `Not logged in. Run: tangled auth login`.
123
124- `logout`:
125 - `SessionManager::default().clear()?`.
126 - Print `Logged out` if something was cleared; otherwise `No session found` is acceptable.
127
128### 4.3 Wire CLI repo list
129
130File: `tangled/crates/tangled-cli/src/commands/repo.rs`
131
132- Load session; if absent, print `Please login first: tangled auth login` and exit 1 (or 0 with friendly message; choose one and be consistent).
133- Build a client for Tangled API base (for now, default to `https://tangled.org` or allow `TANGLED_API_BASE` env var to override):
134 - `let base = std::env::var("TANGLED_API_BASE").unwrap_or_else(|_| "https://tangled.org".into());`
135 - `let client = tangled_api::TangledClient::new(base);`
136- Call `client.list_repos(args.user.as_deref(), args.knot.as_deref(), args.starred, Some(session.access_jwt.as_str())).await?`.
137- Print:
138 - If `Cli.format == OutputFormat::Json`: `serde_json::to_string_pretty(&repos)`.
139 - Else: simple columns `NAME KNOT PRIVATE` using `println!` formatting for now.
140
141--------------------------------------------------------------------------------
142
143## 5) Code Snippets (Copy/Paste Friendly)
144
145### 5.1 In `tangled-api/src/client.rs`
146
147```rust
148use anyhow::{anyhow, bail, Result};
149use serde::{de::DeserializeOwned, Deserialize, Serialize};
150use tangled_config::session::Session;
151
152#[derive(Clone, Debug)]
153pub struct TangledClient { pub(crate) base_url: String }
154
155impl TangledClient {
156 pub fn new(base_url: impl Into<String>) -> Self { Self { base_url: base_url.into() } }
157 pub fn default() -> Self { Self::new("https://tangled.org") }
158
159 fn xrpc_url(&self, method: &str) -> String {
160 format!("{}/xrpc/{}", self.base_url.trim_end_matches('/'), method)
161 }
162
163 async fn post_json<TReq: Serialize, TRes: DeserializeOwned>(
164 &self,
165 method: &str,
166 req: &TReq,
167 bearer: Option<&str>,
168 ) -> Result<TRes> {
169 let url = self.xrpc_url(method);
170 let client = reqwest::Client::new();
171 let mut reqb = client.post(url).header(reqwest::header::CONTENT_TYPE, "application/json");
172 if let Some(token) = bearer { reqb = reqb.header(reqwest::header::AUTHORIZATION, format!("Bearer {}", token)); }
173 let res = reqb.json(req).send().await?;
174 let status = res.status();
175 if !status.is_success() {
176 let body = res.text().await.unwrap_or_default();
177 return Err(anyhow!("{}: {}", status, body));
178 }
179 Ok(res.json::<TRes>().await?)
180 }
181
182 async fn get_json<TRes: DeserializeOwned>(
183 &self,
184 method: &str,
185 params: &[(&str, String)],
186 bearer: Option<&str>,
187 ) -> Result<TRes> {
188 let url = self.xrpc_url(method);
189 let client = reqwest::Client::new();
190 let mut reqb = client.get(url).query(¶ms);
191 if let Some(token) = bearer { reqb = reqb.header(reqwest::header::AUTHORIZATION, format!("Bearer {}", token)); }
192 let res = reqb.send().await?;
193 let status = res.status();
194 if !status.is_success() {
195 let body = res.text().await.unwrap_or_default();
196 return Err(anyhow!("{}: {}", status, body));
197 }
198 Ok(res.json::<TRes>().await?)
199 }
200
201 pub async fn login_with_password(&self, handle: &str, password: &str, _pds: &str) -> Result<Session> {
202 #[derive(Serialize)]
203 struct Req<'a> { #[serde(rename = "identifier")] identifier: &'a str, #[serde(rename = "password")] password: &'a str }
204 #[derive(Deserialize)]
205 struct Res { #[serde(rename = "accessJwt")] access_jwt: String, #[serde(rename = "refreshJwt")] refresh_jwt: String, did: String, handle: String }
206 let body = Req { identifier: handle, password };
207 let res: Res = self.post_json("com.atproto.server.createSession", &body, None).await?;
208 Ok(Session { access_jwt: res.access_jwt, refresh_jwt: res.refresh_jwt, did: res.did, handle: res.handle, ..Default::default() })
209 }
210
211 pub async fn list_repos(&self, user: Option<&str>, knot: Option<&str>, starred: bool, bearer: Option<&str>) -> Result<Vec<Repository>> {
212 #[derive(Deserialize)]
213 struct Envelope { repos: Vec<Repository> }
214 let mut q = vec![];
215 if let Some(u) = user { q.push(("user", u.to_string())); }
216 if let Some(k) = knot { q.push(("knot", k.to_string())); }
217 if starred { q.push(("starred", true.to_string())); }
218 let env: Envelope = self.get_json("sh.tangled.repo.list", &q, bearer).await?;
219 Ok(env.repos)
220 }
221}
222
223#[derive(Debug, Clone, Serialize, Deserialize, Default)]
224pub struct Repository { pub did: Option<String>, pub rkey: Option<String>, pub name: String, pub knot: Option<String>, pub description: Option<String>, pub private: bool }
225```
226
227### 5.2 In `tangled-cli/src/commands/auth.rs`
228
229```rust
230use anyhow::Result;
231use dialoguer::{Input, Password};
232use tangled_config::session::SessionManager;
233use crate::cli::{AuthCommand, AuthLoginArgs, Cli};
234
235pub async fn run(_cli: &Cli, cmd: AuthCommand) -> Result<()> {
236 match cmd {
237 AuthCommand::Login(args) => login(args).await,
238 AuthCommand::Status => status().await,
239 AuthCommand::Logout => logout().await,
240 }
241}
242
243async fn login(mut args: AuthLoginArgs) -> Result<()> {
244 let handle: String = match args.handle.take() { Some(h) => h, None => Input::new().with_prompt("Handle").interact_text()? };
245 let password: String = match args.password.take() { Some(p) => p, None => Password::new().with_prompt("Password").interact()? };
246 let pds = args.pds.unwrap_or_else(|| "https://bsky.social".to_string());
247 let client = tangled_api::TangledClient::new(&pds);
248 let session = client.login_with_password(&handle, &password, &pds).await?;
249 SessionManager::default().save(&session)?;
250 println!("Logged in as '{}' ({})", session.handle, session.did);
251 Ok(())
252}
253
254async fn status() -> Result<()> {
255 let mgr = SessionManager::default();
256 match mgr.load()? {
257 Some(s) => println!("Logged in as '{}' ({})", s.handle, s.did),
258 None => println!("Not logged in. Run: tangled auth login"),
259 }
260 Ok(())
261}
262
263async fn logout() -> Result<()> {
264 let mgr = SessionManager::default();
265 if mgr.load()?.is_some() { mgr.clear()?; println!("Logged out"); } else { println!("No session found"); }
266 Ok(())
267}
268```
269
270### 5.3 In `tangled-cli/src/commands/repo.rs`
271
272```rust
273use anyhow::{anyhow, Result};
274use tangled_config::session::SessionManager;
275use crate::cli::{Cli, RepoCommand, RepoListArgs};
276
277pub async fn run(_cli: &Cli, cmd: RepoCommand) -> Result<()> {
278 match cmd { RepoCommand::List(args) => list(args).await, _ => Ok(println!("not implemented")) }
279}
280
281async fn list(args: RepoListArgs) -> Result<()> {
282 let mgr = SessionManager::default();
283 let session = mgr.load()?.ok_or_else(|| anyhow!("Please login first: tangled auth login"))?;
284 let base = std::env::var("TANGLED_API_BASE").unwrap_or_else(|_| "https://tangled.org".into());
285 let client = tangled_api::TangledClient::new(base);
286 let repos = client.list_repos(args.user.as_deref(), args.knot.as_deref(), args.starred, Some(session.access_jwt.as_str())).await?;
287 // Simple output: table or JSON to be improved later
288 println!("NAME\tKNOT\tPRIVATE");
289 for r in repos { println!("{}\t{}\t{}", r.name, r.knot.unwrap_or_default(), r.private); }
290 Ok(())
291}
292```
293
294--------------------------------------------------------------------------------
295
296## 6) Configuration, Env Vars, and Security
297
298- PDS base (auth): default `https://bsky.social`. Accept CLI flag `--pds`; later read from config.
299- Tangled API base (repo list): default `https://tangled.org`; allow override via `TANGLED_API_BASE` env var.
300- Do not log passwords or tokens.
301- Store tokens only in keyring (already implemented).
302
303--------------------------------------------------------------------------------
304
305## 7) Testing Plan (MVP)
306
307- Client unit tests with `mockito` for `createSession` and `repo list` endpoints; simulate expected JSON.
308- CLI smoke tests optional for this pass. If added, use `assert_cmd` to check printed output strings.
309- Avoid live network calls in tests.
310
311--------------------------------------------------------------------------------
312
313## 8) Acceptance Criteria
314
315- `tangled auth login`:
316 - Prompts or uses flags; successful call saves session and prints `Logged in as ...`.
317 - On failure, shows HTTP status and short message.
318- `tangled auth status`:
319 - Shows handle + did if session exists; otherwise says not logged in.
320- `tangled auth logout`:
321 - Clears keyring; prints confirmation.
322- `tangled repo list`:
323 - Performs authenticated GET and prints a list (even if empty) without panicking.
324 - JSON output possible later; table output acceptable for now.
325
326--------------------------------------------------------------------------------
327
328## 9) Troubleshooting Notes
329
330- Keyring errors on Linux may indicate no secret service running; suggest enabling GNOME Keyring or KWallet.
331- If `repo list` returns 404, the method name or base URL may be wrong; adjust `sh.tangled.repo.list` or `TANGLED_API_BASE`.
332- If 401, session may be missing/expired; run `auth login` again.
333
334--------------------------------------------------------------------------------
335
336## 10) Non‑Goals for This Pass
337
338- Refresh token flow, device code, OAuth.
339- PRs, issues, knots, spindle implementation.
340- Advanced formatting, paging, completions.
341
342--------------------------------------------------------------------------------
343
344## 11) Future Follow‑ups
345
346- Refresh flow (`com.atproto.server.refreshSession`) and retry once on 401.
347- Persist base URLs and profiles in config; add `tangled config` commands.
348- Proper table/json formatting and shell completions.
349
350--------------------------------------------------------------------------------
351
352## 12) Quick Operator Commands
353
354- Build CLI: `cargo build -p tangled-cli`
355- Help: `cargo run -p tangled-cli -- --help`
356- Login: `cargo run -p tangled-cli -- auth login --handle <handle>`
357- Status: `cargo run -p tangled-cli -- auth status`
358- Repo list: `TANGLED_API_BASE=https://tangled.org cargo run -p tangled-cli -- repo list --user <handle>`
359
360--------------------------------------------------------------------------------
361
362End of handoff. Implement auth login and repo list as described, keeping changes focused and testable.
363
364
365--------------------------------------------------------------------------------
366
367## 13) Tangled Core (../tangled-core) – Practical Notes
368
369This workspace often needs to peek at the Tangled monorepo to confirm XRPC endpoints and shapes. Here are concise tips and findings that informed this CLI implementation.
370
371### Where To Look
372
373- Lexicons (authoritative NSIDs and shapes): `../tangled-core/lexicons/**`
374 - Repo create: `../tangled-core/lexicons/repo/create.json` → `sh.tangled.repo.create`
375 - Repo record schema: `../tangled-core/lexicons/repo/repo.json` → `sh.tangled.repo`
376 - Misc repo queries (tree, log, tags, etc.) under `../tangled-core/lexicons/repo/`
377 - Note: there is no `sh.tangled.repo.list` lexicon in the core right now; listing is done via ATproto records.
378- Knotserver XRPC routes (what requires auth vs open): `../tangled-core/knotserver/xrpc/xrpc.go`
379 - Mutating repo ops (e.g., `sh.tangled.repo.create`) are behind ServiceAuth middleware.
380 - Read-only repo queries (tree, log, etc.) are open.
381- Create repo handler (server-side flow): `../tangled-core/knotserver/xrpc/create_repo.go`
382 - Validates ServiceAuth; expects rkey for the `sh.tangled.repo` record that already exists on the user's PDS.
383- ServiceAuth middleware (how Bearer is validated): `../tangled-core/xrpc/serviceauth/service_auth.go`
384 - Validates a ServiceAuth token with Audience = `did:web:<knot-or-service-host>`.
385- Appview client for ServiceAuth: `../tangled-core/appview/xrpcclient/xrpc.go` (method: `ServerGetServiceAuth`).
386
387### How To Search Quickly (rg examples)
388
389- Find a specific NSID across the repo:
390 - `rg -n "sh\.tangled\.repo\.create" ../tangled-core`
391- See which endpoints are routed and whether they’re behind ServiceAuth:
392 - `rg -n "chi\..*Get\(|chi\..*Post\(" ../tangled-core/knotserver/xrpc`
393 - Then open `xrpc.go` and respective handlers.
394- Discover ServiceAuth usage and audience DID:
395 - `rg -n "ServerGetServiceAuth|VerifyServiceAuth|serviceauth" ../tangled-core`
396- List lexicons by area:
397 - `ls ../tangled-core/lexicons/repo` or `rg -n "\bid\": \"sh\.tangled\..*\"" ../tangled-core/lexicons`
398
399### Repo Listing (client-side pattern)
400
401- There is no `sh.tangled.repo.list` in core. To list a user’s repos:
402 1) Resolve handle → DID if needed via PDS: `GET com.atproto.identity.resolveHandle`.
403 2) List records from the user’s PDS: `GET com.atproto.repo.listRecords` with `collection=sh.tangled.repo`.
404 3) Filter client-side (e.g., by `knot`). “Starred” filtering is not currently defined in core.
405
406### Repo Creation (two-step flow)
407
408- Step 1 (PDS): create the `sh.tangled.repo` record in the user’s repo:
409 - `POST com.atproto.repo.createRecord` with `{ repo: <did>, collection: "sh.tangled.repo", record: { name, knot, description?, createdAt } }`.
410 - Extract `rkey` from the returned `uri` (`at://<did>/<collection>/<rkey>`).
411- Step 2 (Tangled API base): call the server to initialize the bare repo on the knot:
412 - Obtain ServiceAuth: `GET com.atproto.server.getServiceAuth` from PDS with `aud=did:web:<tngl.sh or target-host>`.
413 - `POST sh.tangled.repo.create` on the Tangled API base with `{ rkey, defaultBranch?, source? }` and `Authorization: Bearer <serviceAuth>`.
414 - Server validates token via `xrpc/serviceauth`, confirms actor permissions, and creates the git repo.
415
416### Base URLs, DIDs, and Defaults
417
418- Tangled API base (server): default is `https://tngl.sh`. Do not use the marketing/landing site.
419- PDS base (auth + record ops): default `https://bsky.social` unless a different PDS was chosen on login.
420- ServiceAuth audience DID is `did:web:<host>` where `<host>` is the Tangled API base hostname.
421- CLI stores the PDS URL in the session to keep the CLI stateful.
422
423### Common Errors and Fixes
424
425- `InvalidToken` when listing repos: listing should use the PDS (`com.atproto.repo.listRecords`), not the Tangled API base.
426- 404 on `repo.create`: verify ServiceAuth audience matches the target host and that the rkey exists on the PDS.
427- Keychain issues on Linux: ensure a Secret Service (e.g., GNOME Keyring or KWallet) is running.
428
429### Implementation Pointers (CLI)
430
431- Auth
432 - `com.atproto.server.createSession` against the PDS, save `{accessJwt, refreshJwt, did, handle, pds}` in keyring.
433- List repos
434 - Use session.handle by default; resolve to DID, then `com.atproto.repo.listRecords` on PDS.
435- Create repo
436 - Build the PDS record first; then ServiceAuth → `sh.tangled.repo.create` on `tngl.sh`.
437
438### Testing Hints
439
440- Avoid live calls; use `mockito` to stub both PDS and Tangled API base endpoints.
441- Unit test decoding with minimal JSON envelopes: record lists, createRecord `uri`, and repo.create (empty body or simple ack).