Skip to content

feat(cli): scaffold greenfield Akua CLI prototype#14

Merged
robinbraemer merged 5 commits into
mainfrom
firstmate/akua-cli-greenfield-prototype
Jul 9, 2026
Merged

feat(cli): scaffold greenfield Akua CLI prototype#14
robinbraemer merged 5 commits into
mainfrom
firstmate/akua-cli-greenfield-prototype

Conversation

@robinbraemer

Copy link
Copy Markdown
Member

Intent

Start the greenfield Akua Cloud CLI spec/prototype work in akua-dev/cli. Replace the old CNAP-era Go build surface with a Bun/TypeScript scaffold for the canonical akua binary, with no cnap or github.com/cnap-tech/cli compatibility requirement. Include a polished architecture/spec, a mise task to fetch the production OpenAPI spec from https://api.akua.dev/v1/openapi.json, an operationId-driven public command registry generator, adaptive AXI-style output mode detection and rendering for coding agents versus humans, structured errors and deterministic exit codes, focused tests, and a self-contained Bun binary packaging path. Keep API execution intentionally narrow/stubbed for this first PR, expose public API commands only, avoid live infrastructure mutations beyond read-only spec fetch, open a PR but do not merge.

What Changed

  • Replaced the legacy CNAP Go CLI surface with a Bun/TypeScript akua CLI scaffold, including runtime mode detection, adaptive rendering, structured errors, deterministic exit codes, and generated public command routing.
  • Added production OpenAPI spec fetching and operationId-driven command generation, with the public spec checked in under openapi/ and generated command metadata under src/generated/.
  • Updated project docs, CI/release workflows, packaging, and focused Bun tests around generation, rendering, mode parsing, CLI filters, and binary execution.

Risk Assessment

⚠️ Medium: This is a broad greenfield replacement of the prior Go CLI surface, but the implemented runtime and generator paths are intentionally narrow/stubbed and I did not find any remaining material issues in the changed code.

Testing

Inspected the change scope, ran the Bun test suite and registry generation check, fetched the production OpenAPI spec read-only into the evidence directory and confirmed it matches the checked-in snapshot, then exercised the CLI as an end user in human, agent, JSON, stub-error, and compiled-binary modes; all checks passed and no actionable issues were found.

Evidence: CLI human commands transcript
$ env -u AKUA_OUTPUT bun src/bin/akua.ts --output human commands --resource workspaces --limit 3
3 of 227 public operations shown.
operation_id                       command                              method  path                                         summary                           
---------------------------------  -----------------------------------  ------  -------------------------------------------  ----------------------------------
workspaces.addMember               workspaces add-member                POST    /v1/workspaces/{id}/members                  Add workspace member              
workspaces.cancelSubscription      workspaces cancel-subscription       POST    /v1/workspaces/{id}/subscription:cancel      Cancel workspace subscription     
workspaces.changeSubscriptionTier  workspaces change-subscription-tier  POST    /v1/workspaces/{id}/subscription:changeTier  Change workspace subscription tier

Next steps:
  akua commands --resource workspaces
  akua commands --operation-id <operation_id>
exit_code=0
Evidence: CLI agent commands transcript
$ env -u AKUA_OUTPUT CODEX_CLI=1 bun src/bin/akua.ts commands --limit 2
status: ok
command: akua commands
observations[1]:
  2 of 227 public operations shown.
data[2]{operation_id,command,method,path,summary}:
  accessDecisions.explain,access-decisions explain,POST,/v1/access_decisions,Explain an access decision
  agentEvents.list,agent-events list,GET,/v1/agent_events,List agent events
next_steps[2]{command}:
  akua commands --resource workspaces
  akua commands --operation-id <operation_id>
exit_code=0
Evidence: CLI JSON filter transcript
$ env -u AKUA_OUTPUT bun src/bin/akua.ts commands --operation-id workspaces.list --json
{
  "status": "ok",
  "command": "akua commands",
  "observations": [
    "1 of 227 public operations shown."
  ],
  "data": [
    {
      "operation_id": "workspaces.list",
      "command": "workspaces list",
      "method": "GET",
      "path": "/v1/workspaces",
      "summary": "List workspaces"
    }
  ],
  "next_steps": [
    {
      "command": "akua commands --resource workspaces"
    },
    {
      "command": "akua commands --operation-id <operation_id>"
    }
  ]
}
exit_code=0
Evidence: CLI stubbed command error transcript
$ env -u AKUA_OUTPUT bun src/bin/akua.ts workspaces list --json
{
  "error": {
    "type": "not_implemented",
    "code": "AKUA_COMMAND_NOT_IMPLEMENTED",
    "message": "Operation workspaces.list is registered but command execution is not implemented yet.",
    "next_steps": [
      {
        "command": "akua commands"
      },
      {
        "command": "akua commands --operation-id workspaces.list"
      }
    ]
  }
}
exit_code=2
Evidence: Compiled binary version transcript
$ ./dist/akua --output json --version
{
  "status": "ok",
  "command": "akua --version",
  "observations": [
    "0.0.0"
  ],
  "data": {
    "version": "0.0.0"
  }
}
exit_code=0
Evidence: Live OpenAPI fetch summary

{"url":"https://api.akua.dev/v1/openapi.json","openapi":"3.1.0","path_count":215,"snapshot_matches_live":true}

{
  "url": "https://api.akua.dev/v1/openapi.json",
  "openapi": "3.1.0",
  "path_count": 215,
  "snapshot_matches_live": true
}
Evidence: Fetched live OpenAPI document
{
  "openapi": "3.1.0",
  "info": {
    "title": "Akua API",
    "version": "1.0.0",
    "description": "Public API for managing Akua workspaces, clusters, products, and installs.\n\nAuthenticate with a workspace API token via the `Authorization: Bearer sk_akua_...` header.\n\nA workspace-owned token implies its workspace. Broad tokens select the active workspace via the optional `Akua-Context` header.",
    "contact": {
      "name": "Akua API support",
      "email": "support@akua.dev",
      "url": "https://akua.dev/docs"
    }
  },
  "servers": [
    {
      "url": "https://api.akua.dev/v1",
      "description": "Production"
    }
  ],
  "tags": [
    {
      "name": "Auth",
      "description": "Authentication and token management."
    },
    {
      "name": "Agents",
      "description": "Agent identities and configuration."
    },
    {
      "name": "Agent sessions",
      "description": "Durable agent conversations and tasks."
    },
    {
      "name": "Agent turns",
      "description": "Submitted agent work and event emission."
    },
    {
      "name": "Agent events",
      "description": "Normalized agent event history and streams."
    },
    {
      "name": "Custom domains",
      "description": "Workspace custom domains and routing targets."
    },
    {
      "name": "Cloudflare",
      "description": "Cloudflare account credentials and gateway control."
    },
    {
      "name": "Clusters",
      "description": "Kubernetes clusters and cluster access operations."
    },
    {
      "name": "ComputeConfigs",
      "description": "Workspace compute provider configurations."
    },
    {
      "name": "Entitlements",
      "description": "Effective workspace capabilities and limits."
    },
    {
      "name": "Dashboards",
      "description": "Dashboard and widget resources."
    },
    {
      "name": "Installs",
      "description": "Product installation and render operations."
    },
    {
      "name": "Machines",
      "description": "Compute machines and lifecycle events."
    },
    {
      "name": "Notifications",
      "description": "User notification state."
    },
    {
      "name": "Offer Channels",
      "description": "Private offer channels and policy versions."
    },
    {
      "name": "Offers",
      "description": "Marketplace offers and redemption tracking."
    },
    {
      "name": "Operations",
      "description": "Long-running operation status and controls."
    },
    {
      "name": "Order Drafts",
      "description": "Draft checkout orders and checkout sessions."
    },
    {
      "name": "Organizations",
      "description": "Organizations, memberships, and managed workspaces."
    },
    {
      "name": "Packages",
      "description": "Software packages, versions, and input schemas."
    },
    {
      "name": "Products",
      "description": "Marketplace product catalog resources."
    },
    {
      "name": "Preview hostnames",
      "description": "Install preview hostnames and routing state."
    },
    {
      "name": "Quotas",
      "description": "Workspace quota limits and usage."
    },
    {
      "name": "Regions",
      "description": "Available deployment regions."
    },
    {
      "name": "Registry",
      "description": "Container registry credentials and repositories."
    },
    {
      "name": "Repository change requests",
      "description": "Fork-backed repository change reviews and lifecycle actions."
    },
    {
      "name": "Repositories",
      "description": "Source repositories available to the workspace."
    },
    {
      "name": "Secrets",
      "description": "Workspace secrets and secret versions."
    },
    {
      "name": "Snippets",
      "description": "Reusable snippets and snippet runs."
    },
    {
      "name": "Workspace subdomains",
      "description": "Workspace subdomain identity."
    },
    {
      "name": "Workspaces",
      "description": "Workspace resources, members, and billing state."
    }
  ],
  "components": {
    "securitySchemes": {
      "BearerAuth": {
        "type": "http",
        "scheme": "bearer",
        "description": "workspace API token (sk_akua_...) or OAuth2 JWT. Create tokens at https://akua.dev/developers/api-tokens"
      }
    },
    "schemas": {
      "ComputeMachine": {
        "type": "object",
        "properties": {
          "provider_id": {
            "type": "string",
            "example": "compute://abc123"
          },
          "node_name": {
            "type": "string",
            "example": "worker-xl8r2"
          },
          "status": {
            "type": "string",
            "example": "provisioning"
          }
        },
        "required": [
          "provider_id",
          "node_name",
          "status"
        ]
      },
      "ApiErrorResponse": {
        "type": "object",
        "properties": {
          "success": {
            "type": "boolean",
            "enum": [
              false
            ]
          },
          "errors": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/ApiErrorEntry"
            }
          },
          "result": {
            "type": "object",
            "properties": {},
            "description": "Always empty for error responses"
          }
        },
        "required": [
          "success",
          "errors",
          "result"
        ]
      },
      "ApiErrorEntry": {
        "type": "object",
        "properties": {
          "code": {
            "type": "integer",
            "example": 7002,
            "description": "Machine-readable error code"
          },
          "message": {
            "type": "string",
            "example": "Resource not found",
            "description": "Human-readable error message"
          },
          "path": {
            "type": "array",
            "items": {
              "type": "string"
            },
            "example": [
              "body",
              "name"
            ],
            "description": "Field path that caused the error, when applicable"
          },
          "metadata": {
            "type": "object",
            "additionalProperties": {
              "type": "string"
            }
          }
        },
        "required": [
          "code",
          "message"
        ]
      },
      "ComputeError": {
        "type": "object",
        "properties": {
          "type": {
            "type": "string",
            "example": "InsufficientCapacity",
            "description": "Machine-readable error type (e.g., InsufficientCapacity, NodeClaimNotFound)"
          },
          "message": {
            "type": "string",
            "example": "cpx31 out of stock in fsn1"
          }
        },
        "required": [
          "type",
          "message"
        ]
      },
      "InstanceType": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "example": "cpx31"
          },
          "arch": {
            "type": "string",
            "example": "amd64"
          },
          "cpu": {
            "type": "number",
            "example": 4
          },
          "memory_mib": {
            "type": "number",
            "example": 8192
          },
          "storage_mib": {
            "type": "number",
            "example": 163840
          },
          "price_per_hour": {
            "type": "number",
            "example": 0.0208
          },
          "available": {
            "type": "boolean",
            "example": true
          },
          "zone": {
            "type": "string",
            "example": "fsn1"
          },
          "capacity_type": {
            "type": "string",
            "example": "on-demand"
          }
        },
        "required": [
          "name",
          "arch",
          "cpu",
          "memory_mib",
          "storage_mib",
          "price_per_hour",
          "available"
        ]
      },
      "DriftResult": {
        "type": "object",
        "properties": {
          "drifted": {
            "type": "boolean"
          },
          "reason": {
            "type": "string"
          }
        },


... [1366500 bytes truncated] ...

ss override",
        "description": "Marks an admin access override as revoked while preserving audit history.",
        "security": [
          {
            "BearerAuth": []
          }
        ],
        "parameters": [
          {
            "schema": {
              "type": "string",
              "minLength": 1,
              "maxLength": 128
            },
            "required": true,
            "name": "id",
            "in": "path"
          }
        ],
        "responses": {
          "200": {
            "description": "Revoked admin access override",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AdminAccessOverride"
                }
              }
            }
          },
          "401": {
            "description": "Unauthorized",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "404": {
            "description": "Not found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          }
        }
      }
    },
    "/v1/admin/quota_overrides": {
      "get": {
        "x-platform-visibility": "ADMIN",
        "operationId": "adminAccess.listQuotaOverrides",
        "tags": [
          "Admin Access"
        ],
        "summary": "List admin quota overrides",
        "description": "Returns active user and workspace quota overrides visible to platform admins.",
        "security": [
          {
            "BearerAuth": []
          }
        ],
        "parameters": [
          {
            "schema": {
              "type": "string",
              "minLength": 1,
              "maxLength": 256
            },
            "required": false,
            "name": "metric",
            "in": "query"
          },
          {
            "schema": {
              "type": "string",
              "enum": [
                "user",
                "workspace"
              ]
            },
            "required": false,
            "name": "scope",
            "in": "query"
          },
          {
            "schema": {
              "type": "string",
              "minLength": 1
            },
            "required": false,
            "name": "user_id",
            "in": "query"
          },
          {
            "schema": {
              "type": "string",
              "minLength": 1,
              "maxLength": 53
            },
            "required": false,
            "name": "workspace_id",
            "in": "query"
          },
          {
            "schema": {
              "type": "integer",
              "minimum": 1,
              "maximum": 100,
              "default": 50
            },
            "required": false,
            "name": "limit",
            "in": "query"
          },
          {
            "schema": {
              "type": "string",
              "nullable": true
            },
            "required": false,
            "name": "cursor",
            "in": "query"
          }
        ],
        "responses": {
          "200": {
            "description": "Admin quota override list",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AdminQuotaOverrideList"
                }
              }
            }
          },
          "401": {
            "description": "Unauthorized",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          }
        }
      },
      "post": {
        "x-platform-visibility": "ADMIN",
        "operationId": "adminAccess.setQuotaOverride",
        "tags": [
          "Admin Access"
        ],
        "summary": "Set an admin quota override",
        "description": "Creates or updates a user or workspace quota override with an admin reason.",
        "security": [
          {
            "BearerAuth": []
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/SetAdminQuotaOverrideBody"
              }
            }
          }
        },
        "responses": {
          "200": {
            "description": "Admin quota override",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AdminQuotaOverride"
                }
              }
            }
          },
          "401": {
            "description": "Unauthorized",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "422": {
            "description": "Unprocessable entity",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          }
        }
      }
    },
    "/v1/admin/quota_overrides/{id}": {
      "delete": {
        "x-platform-visibility": "ADMIN",
        "operationId": "adminAccess.removeQuotaOverride",
        "tags": [
          "Admin Access"
        ],
        "summary": "Remove an admin quota override",
        "description": "Revokes an active user or workspace quota override and keeps its audit history.",
        "security": [
          {
            "BearerAuth": []
          }
        ],
        "parameters": [
          {
            "schema": {
              "type": "string",
              "minLength": 1,
              "maxLength": 54
            },
            "required": true,
            "name": "id",
            "in": "path"
          }
        ],
        "responses": {
          "200": {
            "description": "Removed admin quota override",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AdminQuotaOverride"
                }
              }
            }
          },
          "401": {
            "description": "Unauthorized",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          },
          "404": {
            "description": "Not found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ApiErrorResponse"
                }
              }
            }
          }
        }
      }
    }
  }
}

Pipeline

Updates from git push no-mistakes

✅ **intent** - passed

✅ No issues found.

✅ **Rebase** - passed

✅ No issues found.

🔧 **Review** - 2 issues found → auto-fixed (3) ✅
  • ⚠️ src/runtime/mode.ts:78 - Invalid or missing --output values are silently ignored, then stripped before routing, so commands like akua --output yaml --version exit 0 with non-requested output instead of a usage error. This breaks the deterministic local-argument contract for automation that explicitly requests an output mode.
  • ⚠️ src/bin/akua.ts:59 - commands filter flags are not validated for required value/type: akua commands --operation-id lists the default first page, and akua commands --limit banana --json exits 0 with the default limit. These should fail as usage errors so scripts do not treat malformed filters as successful filtered queries.

🔧 Fix: Validate CLI output and command filters
1 warning still open:

  • ⚠️ src/bin/akua.ts:134 - commands ignores unexpected positional arguments, so malformed invocations like akua commands workspaces --json or akua commands --limit 5 extra --json still exit 0 with the default/listed results instead of failing as usage errors. Reject non-flag tokens after values consumed by known filters so typos do not look like successful filtered queries.

🔧 Fix: Reject unexpected commands arguments
1 warning still open:

  • ⚠️ src/runtime/mode.ts:110 - parseOutputMode still accepts the undocumented value toon, so akua --output toon --version and AKUA_OUTPUT=toon succeed even though help/errors advertise only human|agent|json|quiet. Remove the alias or make it an explicitly documented/tested mode; otherwise invalid output validation remains incomplete.

🔧 Fix: Reject undocumented output alias
✅ Re-checked - no issues remain.

✅ **Test** - passed

✅ No issues found.

  • git diff --stat e4e6472620226d1a10947fdefeaef9395322381e...0e84bc8822353d7ad04b2cefc07a9a87c88989b2
  • bun test
  • bun run generate:check
  • bun -e 'const out="/var/folders/1y/cjgf53nj31n_dxsspqnjfjvc0000gn/T/no-mistakes-evidence/01KX302NYK1R9AJ7K9G8NRW6NF/openapi-live.json"; const mod=await import("./scripts/fetch-openapi.ts"); const url=mod.resolveSpecUrl(undefined); await mod.fetchOpenApi(url,out); const spec=await Bun.file(out).json(); console.log(JSON.stringify({url:url.href, openapi:spec.openapi, path_count:Object.keys(spec.paths).length}, null, 2));'
  • cmp -s openapi/public.json /var/folders/1y/cjgf53nj31n_dxsspqnjfjvc0000gn/T/no-mistakes-evidence/01KX302NYK1R9AJ7K9G8NRW6NF/openapi-live.json
  • bun run build:binary
  • env -u AKUA_OUTPUT bun src/bin/akua.ts --output human commands --resource workspaces --limit 3
  • env -u AKUA_OUTPUT CODEX_CLI=1 bun src/bin/akua.ts commands --limit 2
  • env -u AKUA_OUTPUT bun src/bin/akua.ts commands --operation-id workspaces.list --json
  • env -u AKUA_OUTPUT bun src/bin/akua.ts workspaces list --json
  • ./dist/akua --output json --version
  • rm -f dist/akua && git status --short
✅ **Document** - passed

✅ No issues found.

✅ **Lint** - passed

✅ No issues found.

✅ **Push** - passed

✅ No issues found.

@robinbraemer robinbraemer merged commit aada3af into main Jul 9, 2026
1 check passed
@robinbraemer robinbraemer deleted the firstmate/akua-cli-greenfield-prototype branch July 9, 2026 09:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant