Token Management CLI Commands (#77)

Add complete token lifecycle management with commands for creation, listing, and revocation:
- create: Generate auth tokens with custom expiry (supports day notation like "30d") and optional descriptions
- create-setup: Generate short-lived setup codes for secure token distribution
- list: Display tokens with filtering by name prefix and expired token inclusion
- revoke: Invalidate tokens by UUID with confirmation prompts

Extend time utilities with ParseDuration for day notation support and FormatRelativeTime 
for human-readable timestamps with appropriate granularity (minutes/hours/days).

Co-authored-by: construct-agent <noreply@construct.sh>

Author: Furisto

frontend/cli/cmd/daemon.go

@@ -15,5 +15,6 @@ func NewDaemonCmd() *cobra.Command {
 	cmd.AddCommand(NewDaemonInstallCmd())
 	cmd.AddCommand(NewDaemonUninstallCmd())
 	cmd.AddCommand(NewDaemonStopCmd())
+	cmd.AddCommand(NewDaemonTokenCmd())
 	return cmd
 }

frontend/cli/cmd/daemon_token.go

@@ -0,0 +1,61 @@
+package cmd
+
+import (
+	v1 "github.com/furisto/construct/api/go/v1"
+	"github.com/spf13/cobra"
+)
+
+func NewDaemonTokenCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "token",
+		Short: "Manage authentication tokens",
+		Long: `Manage authentication tokens for remote daemon access.
+
+Tokens provide secure authentication for connecting to remote Construct daemons
+over HTTPS. Each token has a name, optional description, and expiration time.
+
+Token management requires admin privileges (local Unix socket connection).`,
+	}
+
+	cmd.AddCommand(NewDaemonTokenCreateCmd())
+	cmd.AddCommand(NewDaemonTokenCreateSetupCmd())
+	cmd.AddCommand(NewDaemonTokenListCmd())
+	cmd.AddCommand(NewDaemonTokenRevokeCmd())
+
+	return cmd
+}
+
+type TokenDisplay struct {
+	ID      string `json:"id" detail:"default"`
+	Name    string `json:"name" detail:"default"`
+	Created string `json:"created" detail:"default"`
+	Expires string `json:"expires" detail:"default"`
+	Status  string `json:"status" detail:"default"`
+}
+
+func ConvertTokenInfoToDisplay(token *v1.TokenInfo) *TokenDisplay {
+	status := "Active"
+	if !token.IsActive {
+		status = "Expired"
+	}
+
+	return &TokenDisplay{
+		ID:      token.Id,
+		Name:    token.Name,
+		Created: FormatRelativeTime(token.CreatedAt.AsTime()),
+		Expires: FormatRelativeTime(token.ExpiresAt.AsTime()),
+		Status:  status,
+	}
+}
+
+type TokenCreateDisplay struct {
+	Name      string `json:"name" yaml:"name"`
+	Token     string `json:"token" yaml:"token"`
+	ExpiresAt string `json:"expires_at" yaml:"expires_at"`
+}
+
+type SetupCodeDisplay struct {
+	TokenName string `json:"token_name" yaml:"token_name"`
+	SetupCode string `json:"setup_code" yaml:"setup_code"`
+	ExpiresAt string `json:"expires_at" yaml:"expires_at"`
+}

frontend/cli/cmd/daemon_token_create.go

@@ -0,0 +1,99 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"connectrpc.com/connect"
+	v1 "github.com/furisto/construct/api/go/v1"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/durationpb"
+)
+
+type tokenCreateOptions struct {
+	Description   string
+	Expires       string
+	RenderOptions RenderOptions
+}
+
+func NewDaemonTokenCreateCmd() *cobra.Command {
+	var options tokenCreateOptions
+
+	cmd := &cobra.Command{
+		Use:   "create <name> [flags]",
+		Short: "Generate a new API token for remote daemon authentication",
+		Args:  cobra.ExactArgs(1),
+		Long: `Generate a new API token for remote daemon authentication.
+
+The token is displayed once and cannot be retrieved again. Store it securely
+in a password manager or system keyring.
+
+Tokens are used to authenticate CLI commands against remote daemon instances
+over HTTPS. Configure a context with the token using 'construct context add'.`,
+		Example: `  # Create token with default 90-day expiry
+  construct daemon token create laptop-token
+
+  # Create token with custom expiry and description
+  construct daemon token create ci-pipeline \
+    --description "GitHub Actions pipeline token" \
+    --expires 30d
+
+  # Create token with JSON output for scripting
+  construct daemon token create automation --output json`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			name := args[0]
+
+			expiresDuration, err := ParseDuration(options.Expires)
+			if err != nil {
+				return fmt.Errorf("invalid expiry duration: %w", err)
+			}
+
+			if err := ValidateTokenExpiry(expiresDuration); err != nil {
+				return err
+			}
+
+			client := getAPIClient(cmd.Context())
+
+			req := &connect.Request[v1.CreateTokenRequest]{
+				Msg: &v1.CreateTokenRequest{
+					Name:      name,
+					ExpiresIn: durationpb.New(expiresDuration),
+				},
+			}
+
+			if options.Description != "" {
+				req.Msg.Description = &options.Description
+			}
+
+			resp, err := client.Auth().CreateToken(cmd.Context(), req)
+			if err != nil {
+				return fmt.Errorf("failed to create token: %w", err)
+			}
+
+			display := &TokenCreateDisplay{
+				Name:      name,
+				Token:     resp.Msg.Token,
+				ExpiresAt: resp.Msg.ExpiresAt.AsTime().Format(time.RFC3339),
+			}
+
+			if err := getRenderer(cmd.Context()).Render(display, &options.RenderOptions); err != nil {
+				return err
+			}
+
+			if options.RenderOptions.Format == OutputFormatCard || options.RenderOptions.Format == "" {
+				fmt.Fprintln(os.Stderr, "")
+				fmt.Fprintln(os.Stderr, "⚠️  Save this token securely - it cannot be retrieved again.")
+			}
+
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVar(&options.Description, "description", "", "Optional description of token purpose")
+	cmd.Flags().StringVar(&options.Expires, "expires", "90d", "Token lifetime (default: 90d, max: 365d)")
+	addRenderOptions(cmd, &options.RenderOptions)
+	WithCardFormat(&options.RenderOptions)
+
+	return cmd
+}

frontend/cli/cmd/daemon_token_create_setup.go

@@ -0,0 +1,112 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"connectrpc.com/connect"
+	v1 "github.com/furisto/construct/api/go/v1"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/durationpb"
+)
+
+type tokenCreateSetupOptions struct {
+	CodeExpires   string
+	TokenExpires  string
+	RenderOptions RenderOptions
+}
+
+func NewDaemonTokenCreateSetupCmd() *cobra.Command {
+	var options tokenCreateSetupOptions
+
+	cmd := &cobra.Command{
+		Use:   "create-setup <token-name> [flags]",
+		Short: "Generate a short-lived setup code for secure token distribution",
+		Args:  cobra.ExactArgs(1),
+		Long: `Generate a short-lived setup code for secure token distribution.
+
+Setup codes provide a secure way to distribute tokens to remote clients without
+sending the token itself over insecure channels. The code expires quickly and
+can only be used once.
+
+The client exchanges the setup code for a token using:
+  construct context add <name> --endpoint <url> --setup-code <code>`,
+		Example: `  # Create setup code with default settings
+  construct daemon token create-setup remote-laptop
+
+  # Create setup code with custom expiry times
+  construct daemon token create-setup staging-server \
+    --code-expires 1h \
+    --token-expires 30d
+
+  # Create setup code with JSON output
+  construct daemon token create-setup prod-api --output json`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			tokenName := args[0]
+
+			codeExpiresDuration, err := ParseDuration(options.CodeExpires)
+			if err != nil {
+				return fmt.Errorf("invalid code expiry duration: %w", err)
+			}
+
+			if err := ValidateSetupCodeExpiry(codeExpiresDuration); err != nil {
+				return err
+			}
+
+			tokenExpiresDuration, err := ParseDuration(options.TokenExpires)
+			if err != nil {
+				return fmt.Errorf("invalid token expiry duration: %w", err)
+			}
+
+			if err := ValidateTokenExpiry(tokenExpiresDuration); err != nil {
+				return err
+			}
+
+			client := getAPIClient(cmd.Context())
+
+			req := &connect.Request[v1.CreateSetupCodeRequest]{
+				Msg: &v1.CreateSetupCodeRequest{
+					TokenName:      tokenName,
+					ExpiresIn:      durationpb.New(codeExpiresDuration),
+					TokenExpiresIn: durationpb.New(tokenExpiresDuration),
+				},
+			}
+
+			resp, err := client.Auth().CreateSetupCode(cmd.Context(), req)
+			if err != nil {
+				return fmt.Errorf("failed to create setup code: %w", err)
+			}
+
+			display := &SetupCodeDisplay{
+				TokenName: tokenName,
+				SetupCode: resp.Msg.SetupCode,
+				ExpiresAt: resp.Msg.ExpiresAt.AsTime().Format(time.RFC3339),
+			}
+
+			if err := getRenderer(cmd.Context()).Render(display, &options.RenderOptions); err != nil {
+				return err
+			}
+
+			if options.RenderOptions.Format == OutputFormatCard || options.RenderOptions.Format == "" {
+				fmt.Fprintln(os.Stderr, "")
+				fmt.Fprintln(os.Stderr, "Share this code securely with the user. They can exchange it for a token using:")
+				fmt.Fprintln(os.Stderr, "")
+				fmt.Fprintf(os.Stderr, "  construct context add <name> \\\n")
+				fmt.Fprintf(os.Stderr, "    --endpoint <daemon-url> \\\n")
+				fmt.Fprintf(os.Stderr, "    --setup-code %s\n", resp.Msg.SetupCode)
+				fmt.Fprintln(os.Stderr, "")
+				fmt.Fprintln(os.Stderr, "⚠️  This code can only be used once and expires in", FormatRelativeTime(resp.Msg.ExpiresAt.AsTime()))
+			}
+
+			return nil
+		},
+	}
+
+	cmd.Flags().StringVar(&options.CodeExpires, "code-expires", "5m", "Setup code lifetime (default: 5m, max: 72h)")
+	cmd.Flags().StringVar(&options.TokenExpires, "token-expires", "90d", "Resulting token lifetime (default: 90d, max: 365d)")
+	addRenderOptions(cmd, &options.RenderOptions)
+	WithCardFormat(&options.RenderOptions)
+
+	return cmd
+}

frontend/cli/cmd/daemon_token_list.go

@@ -0,0 +1,71 @@
+package cmd
+
+import (
+	"fmt"
+
+	"connectrpc.com/connect"
+	v1 "github.com/furisto/construct/api/go/v1"
+	"github.com/spf13/cobra"
+)
+
+type tokenListOptions struct {
+	NamePrefix     string
+	IncludeExpired bool
+	RenderOptions  RenderOptions
+}
+
+func NewDaemonTokenListCmd() *cobra.Command {
+	var options tokenListOptions
+
+	cmd := &cobra.Command{
+		Use:     "list [flags]",
+		Short:   "List all tokens with metadata",
+		Aliases: []string{"ls"},
+		Long: `List all tokens with metadata.
+
+Displays token ID, name, creation time, expiration time, and status. Token
+values are never shown - only metadata. Use filters to narrow results.`,
+		Example: `  # List all active tokens
+  construct daemon token list
+
+  # Filter by name prefix
+  construct daemon token list --name-prefix prod
+
+  # Include expired tokens
+  construct daemon token list --include-expired
+
+  # JSON output for scripting
+  construct daemon token ls --output json`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client := getAPIClient(cmd.Context())
+
+			req := &connect.Request[v1.ListTokensRequest]{
+				Msg: &v1.ListTokensRequest{
+					IncludeExpired: options.IncludeExpired,
+				},
+			}
+
+			if options.NamePrefix != "" {
+				req.Msg.NamePrefix = options.NamePrefix
+			}
+
+			resp, err := client.Auth().ListTokens(cmd.Context(), req)
+			if err != nil {
+				return fmt.Errorf("failed to list tokens: %w", err)
+			}
+
+			displayTokens := make([]*TokenDisplay, len(resp.Msg.Tokens))
+			for i, token := range resp.Msg.Tokens {
+				displayTokens[i] = ConvertTokenInfoToDisplay(token)
+			}
+
+			return getRenderer(cmd.Context()).Render(displayTokens, &options.RenderOptions)
+		},
+	}
+
+	cmd.Flags().StringVar(&options.NamePrefix, "name-prefix", "", "Filter by name prefix")
+	cmd.Flags().BoolVar(&options.IncludeExpired, "include-expired", false, "Include expired tokens in results")
+	addRenderOptions(cmd, &options.RenderOptions)
+
+	return cmd
+}