feat(sync): wire CLI login + resilient sync engine

StackMemory Bot (CLI) · StackMemory Bot (CLI) · commit aae7ca7594d6 · 2026-05-05T18:37:04.000-04:00
- `stackmemory login &lt;email&gt; [--reset]` creates/resets workspace + saves key
- Sync config reads from env vars (PROVENANT_API_KEY) or ~/.stackmemory/config.json
- CloudSyncEngine: auto-create sync tables, skip missing tables gracefully
- DB path resolution: check project-local first, fall back to ~/.stackmemory/
- Add /v1/setup/reset endpoint to Provenant API worker
- Replace dead login.ts interactive flow with Provenant key-based login
diff --git a/packages/provenant-api/src/index.js b/packages/provenant-api/src/index.js
@@ -45,6 +45,9 @@ export default {
       if (path === '/v1/setup' && request.method === 'POST') {
         return await handleSetup(request, sql);
       }
+      if (path === '/v1/setup/reset' && request.method === 'POST') {
+        return await handleSetupReset(request, sql);
+      }
 
       // All other endpoints require auth
       const authResult = await authenticate(
@@ -215,6 +218,61 @@ async function handleSetup(request, sql) {
   );
 }
 
+/**
+ * POST /v1/setup/reset
+ * Revoke all existing keys and issue a new one.
+ * No auth — verified by workspace ownership (email match).
+ */
+async function handleSetupReset(request, sql) {
+  const body = await request.json();
+  const { email } = body;
+
+  if (!email) {
+    return json({ error: 'email is required' }, 400, request);
+  }
+
+  // Find workspace owned by this email
+  const ws = await sql`
+    SELECT w.id as workspace_id, p.id as project_id
+    FROM workspaces w
+    JOIN projects p ON p.workspace_id = w.id
+    WHERE w.owner_email = ${email}
+    LIMIT 1
+  `;
+
+  if (ws.length === 0) {
+    return json({ error: 'No workspace found for this email' }, 404, request);
+  }
+
+  const { workspace_id: workspaceId, project_id: projectId } = ws[0];
+
+  // Revoke all existing keys
+  await sql`
+    UPDATE api_keys SET revoked_at = NOW()
+    WHERE workspace_id = ${workspaceId} AND revoked_at IS NULL
+  `;
+
+  // Generate new key
+  const rawKey = `smk_${randomBytes(32).toString('hex')}`;
+  const keyHash = createHash('sha256').update(rawKey).digest('hex');
+
+  await sql`
+    INSERT INTO api_keys (key_hash, user_email, project_id, workspace_id, name)
+    VALUES (${keyHash}, ${email}, ${projectId}, ${workspaceId}, 'default')
+  `;
+
+  return json(
+    {
+      workspaceId,
+      projectId,
+      apiKey: rawKey,
+      message: 'All previous keys revoked. Save this new key.',
+    },
+    201,
+    request
+  );
+}
+
 /**
  * POST /v1/workspaces/:id/keys
  * Create a new API key for the workspace.
diff --git a/src/cli/commands/sync.ts b/src/cli/commands/sync.ts
@@ -13,44 +13,165 @@ import Database from 'better-sqlite3';
 import { CloudSyncEngine } from '../../core/storage/cloud-sync.js';
 import type { CloudSyncConfig } from '../../core/storage/cloud-sync-types.js';
 
+const DEFAULT_ENDPOINT = 'https://provenant-api.jpwu03.workers.dev';
+
 function loadSyncConfig(projectDir: string): CloudSyncConfig | null {
+  // Try env vars first (CI / advanced users)
+  const envKey = process.env['PROVENANT_API_KEY'];
+  const envProject = process.env['PROVENANT_PROJECT_ID'];
+  if (envKey) {
+    return buildConfig(
+      envKey,
+      envProject ||
+        createHash('sha256').update(projectDir).digest('hex').slice(0, 16),
+      process.env['PROVENANT_API_URL'] || DEFAULT_ENDPOINT,
+      projectDir
+    );
+  }
+
+  // Fall back to config file
   const cfgPath = join(homedir(), '.stackmemory', 'config.json');
   if (!existsSync(cfgPath)) return null;
 
   try {
     const cfg = JSON.parse(readFileSync(cfgPath, 'utf8'));
     if (!cfg.auth?.apiKey) return null;
 
-    return {
-      enabled: true,
-      endpoint: cfg.auth?.apiUrl || 'https://api.stackmemory.ai',
-      apiKey: cfg.auth.apiKey,
-      projectId: createHash('sha256')
-        .update(projectDir)
-        .digest('hex')
-        .slice(0, 16),
-      clientId: createHash('sha256')
-        .update(hostname() + projectDir)
-        .digest('hex')
-        .slice(0, 16),
-      batchSize: 100,
-      conflictResolution: 'newest_wins',
-      generationalPolicy: {
-        youngMaxAgeDays: 1,
-        matureMaxAgeDays: 7,
-      },
-      timeoutMs: 30000,
-      retryAttempts: 3,
-      retryBaseDelayMs: 1000,
-    };
+    return buildConfig(
+      cfg.auth.apiKey,
+      cfg.auth.projectId ||
+        createHash('sha256').update(projectDir).digest('hex').slice(0, 16),
+      cfg.auth.apiUrl || DEFAULT_ENDPOINT,
+      projectDir
+    );
   } catch {
     return null;
   }
 }
 
+function buildConfig(
+  apiKey: string,
+  projectId: string,
+  endpoint: string,
+  projectDir: string
+): CloudSyncConfig {
+  return {
+    enabled: true,
+    endpoint,
+    apiKey,
+    projectId,
+    clientId: createHash('sha256')
+      .update(hostname() + projectDir)
+      .digest('hex')
+      .slice(0, 16),
+    batchSize: 100,
+    conflictResolution: 'newest_wins',
+    generationalPolicy: {
+      youngMaxAgeDays: 1,
+      matureMaxAgeDays: 7,
+    },
+    timeoutMs: 30000,
+    retryAttempts: 3,
+    retryBaseDelayMs: 1000,
+  };
+}
+
 function getDbPath(projectDir: string): string {
-  const smDir = join(projectDir, '.stackmemory');
-  return join(smDir, 'stackmemory.db');
+  // Check project-local first, then ~/.stackmemory/
+  const localDb = join(projectDir, '.stackmemory', 'stackmemory.db');
+  if (existsSync(localDb)) return localDb;
+  return join(homedir(), '.stackmemory', 'stackmemory.db');
+}
+
+export function createLoginCommand(): Command {
+  const cmd = new Command('login')
+    .description('Connect to Provenant cloud sync')
+    .argument('<email>', 'Your email address')
+    .option('--workspace <name>', 'Workspace name (for new accounts)')
+    .option('--reset', 'Reset API key (revokes existing keys)')
+    .action(
+      async (
+        email: string,
+        options: { workspace?: string; reset?: boolean }
+      ) => {
+        const endpoint = process.env['PROVENANT_API_URL'] || DEFAULT_ENDPOINT;
+
+        try {
+          const path = options.reset ? '/v1/setup/reset' : '/v1/setup';
+          const body: Record<string, string> = { email };
+          if (!options.reset) {
+            body['workspaceName'] = options.workspace ?? email.split('@')[0];
+          }
+
+          const res = await fetch(`${endpoint}${path}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(body),
+          });
+
+          const data = (await res.json()) as {
+            apiKey?: string;
+            workspaceId?: string;
+            projectId?: string;
+            error?: string;
+          };
+
+          if (res.status === 409 && !options.reset) {
+            // Workspace exists — suggest --reset
+            console.log(
+              chalk.yellow('Workspace already exists for this email.')
+            );
+            console.log(chalk.dim('  Run: stackmemory login <email> --reset'));
+            console.log(chalk.dim(`  Workspace ID: ${data.workspaceId}`));
+            console.log(chalk.dim(`  Project ID:   ${data.projectId}`));
+            return;
+          }
+
+          if (!res.ok || !data.apiKey) {
+            console.error(
+              chalk.red(`Login failed: ${data.error || res.statusText}`)
+            );
+            process.exit(1);
+          }
+
+          // Save to ~/.stackmemory/config.json
+          const smDir = join(homedir(), '.stackmemory');
+          const cfgPath = join(smDir, 'config.json');
+          let cfg: Record<string, unknown> = {};
+          if (existsSync(cfgPath)) {
+            try {
+              cfg = JSON.parse(readFileSync(cfgPath, 'utf8'));
+            } catch {}
+          }
+
+          cfg['auth'] = {
+            apiKey: data.apiKey,
+            apiUrl: endpoint,
+            projectId: data.projectId,
+            workspaceId: data.workspaceId,
+            email,
+          };
+
+          const { writeFileSync, mkdirSync } = await import('fs');
+          mkdirSync(smDir, { recursive: true });
+          writeFileSync(cfgPath, JSON.stringify(cfg, null, 2) + '\n');
+
+          console.log(chalk.green('Logged in to Provenant cloud sync.'));
+          console.log(chalk.dim(`  Workspace: ${data.workspaceId}`));
+          console.log(chalk.dim(`  Project:   ${data.projectId}`));
+          console.log(chalk.dim(`  Config:    ${cfgPath}`));
+        } catch (err) {
+          console.error(
+            chalk.red(
+              `Login failed: ${err instanceof Error ? err.message : err}`
+            )
+          );
+          process.exit(1);
+        }
+      }
+    );
+
+  return cmd;
 }
 
 export function createSyncCommand(): Command {
diff --git a/src/cli/index.ts b/src/cli/index.ts
@@ -48,9 +48,8 @@ import {
 } from './commands/decision.js';
 import clearCommand from './commands/clear.js';
 import serviceCommand from './commands/service.js';
-import { registerLoginCommand } from './commands/login.js';
 import { registerSignupCommand } from './commands/signup.js';
-import { createSyncCommand } from './commands/sync.js';
+import { createSyncCommand, createLoginCommand } from './commands/sync.js';
 import { registerLogoutCommand, registerDbCommands } from './commands/db.js';
 import { createHooksCommand } from './commands/hooks.js';
 import { createDaemonCommand } from './commands/daemon.js';
@@ -669,7 +668,7 @@ program
 // Register command modules
 registerOnboardingCommand(program);
 registerSignupCommand(program);
-registerLoginCommand(program);
+program.addCommand(createLoginCommand());
 registerLogoutCommand(program);
 registerDbCommands(program);
 registerProjectCommands(program);
diff --git a/src/core/storage/cloud-sync.ts b/src/core/storage/cloud-sync.ts
@@ -349,6 +349,8 @@ export class CloudSyncEngine {
    * Get current sync status
    */
   status(): CloudSyncStatusResponse {
+    this.ensureSyncTables();
+
     const pendingPush = this.db
       .prepare(
         `SELECT COUNT(*) as count FROM cloud_sync_state WHERE sync_status = 'pending'`
@@ -376,6 +378,7 @@ export class CloudSyncEngine {
     // Count rows not yet tracked in cloud_sync_state (never pushed)
     let untrackedCount = 0;
     for (const table of SYNCABLE_TABLES) {
+      if (!this.tableExists(table)) continue;
       const pk = PK_COLUMN[table];
       const row = this.db
         .prepare(
@@ -400,12 +403,45 @@ export class CloudSyncEngine {
     };
   }
 
+  // --- Internal: Table helpers ---
+
+  private tableExists(name: string): boolean {
+    const row = this.db
+      .prepare(`SELECT 1 FROM sqlite_master WHERE type='table' AND name=?`)
+      .get(name) as unknown;
+    return !!row;
+  }
+
+  private ensureSyncTables(): void {
+    this.db.exec(`
+      CREATE TABLE IF NOT EXISTS cloud_sync_state (
+        table_name TEXT NOT NULL,
+        row_id TEXT NOT NULL,
+        last_pushed_at INTEGER,
+        last_pushed_version INTEGER,
+        last_pulled_at INTEGER,
+        last_pulled_version INTEGER,
+        sync_status TEXT NOT NULL DEFAULT 'pending',
+        push_error TEXT,
+        push_attempts INTEGER NOT NULL DEFAULT 0,
+        PRIMARY KEY (table_name, row_id)
+      );
+      CREATE TABLE IF NOT EXISTS cloud_sync_cursors (
+        direction TEXT NOT NULL PRIMARY KEY,
+        cursor_value TEXT NOT NULL,
+        updated_at INTEGER NOT NULL
+      );
+    `);
+  }
+
   // --- Internal: Collect pending entities ---
 
   private collectPendingEntities(): SyncEntity[] {
+    this.ensureSyncTables();
     const entities: SyncEntity[] = [];
 
     for (const table of SYNCABLE_TABLES) {
+      if (!this.tableExists(table)) continue;
       const pk = PK_COLUMN[table];
       const versionCol = VERSION_COLUMN[table];
 
