@useoneauth/cli

A branded, keyboard-driven operator CLI for OneAuth — an Ink (React-for-terminal) TUI over @useoneauth/sdk-server, with Commander.js still handling one-shot parsing. A single command-spec registry drives three things at once: one-shot parsing, the interactive forms, and shell autocompletion.

Install

npx @useoneauth/cli            # one-off, no install
# or install the `oneauth` binary globally:
npm install -g @useoneauth/cli
oneauth                        # launches the interactive TUI in a terminal

Two modes

Interactive (the default)

pnpm --filter @useoneauth/cli ui      # or just `oneauth` in a TTY

Launches the full-screen app: an Aurora-gradient figlet banner, a searchable, arrow-key command palette grouped by domain (Identity · Credentials · Auth · Tokens · Access · Observability), and a generated form for the selected command (enum → select, secret → masked input, string → text input) with a spinner while it runs and a themed result panel. One long-lived in-memory OneAuthServer backs the session, so multi-step flows (create identity → credential → sign in → whoami) persist.

↑↓ navigate · type to search · ↵ run · esc back · q quit

One-shot (scriptable)

oneauth identity create --type service --name ci
oneauth policy check --subject u1 --action edit --resource-type doc --json
oneauth token verify --jwt <jwt>

One-shot output is plain text (or --json) and pipe-safe — no Ink, no ANSI when not a TTY. Add --json to any command for machine output.

Secrets

Secret flags (--secret, --password, --token) accept indirection so the value never lands in shell history or ps:

oneauth signin --identity i1 --credential c1 --secret env:OA_SECRET   # from an env var
oneauth signin --identity i1 --credential c1 --secret file:/run/secrets/pw  # from a file
printf '%s' "$PW" | oneauth signin --identity i1 --credential c1 --secret -  # from stdin

Passing a literal secret still works but prints a hygiene warning. In the interactive TUI, secret fields are masked on entry and token/secret results are masked by default (press r to reveal).

Commands

| Group | Commands | | --- | --- | | Identity | identity create · identity get · identity link | | Credentials | credential create | | Auth | signin · whoami · session get · signout | | Tokens | token issue · token verify · token refresh | | Access | policy check · trust eval | | Observability | keys list · events list |

Shell autocompletion

# bash  (~/.bashrc):   eval "$(oneauth completion bash)"
# zsh   (~/.zshrc):    eval "$(oneauth completion zsh)"
# fish:                oneauth completion fish | source

Design

• One registry, three consumers — src/registry/commands.ts holds each command's spec (path, group, options, and an run action that returns structured CommandResult data, never formatted text). Commander, the Ink <CommandForm>, and the completion generator all read from it, so they never drift.
• Renderers — renderPlain/renderJson format results for one-shot; the Ink <ResultView> renders them interactively. Ink loads only on the TTY path (dynamic import), keeping one-shot fast and headless-safe.
• Aurora theme — every color lives in src/ui/theme.ts (indigo→cyan gradient, cyan accent) and is applied through @inkjs/ui's ThemeProvider; no other module hardcodes a color.

Command logic + components are covered at ≥90% via ink-testing-library. See the design spec and plan.