[Draft] Cli

.gitignore

@@ -35,6 +35,7 @@ go.work
 vendor/
 service/bin/
 agent-manager-service/agent-manager-service
+/am
 
 # IDEs
 .vscode/

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help setup setup-colima setup-k3d setup-openchoreo setup-platform setup-console-local setup-console-local-force dev-up dev-down dev-restart dev-rebuild dev-logs dev-migrate openchoreo-up openchoreo-down openchoreo-status teardown db-connect db-logs service-logs service-shell console-logs port-forward gen-eval-artifacts
+.PHONY: help setup setup-colima setup-k3d setup-openchoreo setup-platform setup-console-local setup-console-local-force dev-up dev-down dev-restart dev-rebuild dev-logs dev-migrate openchoreo-up openchoreo-down openchoreo-status teardown db-connect db-logs service-logs service-shell console-logs port-forward gen-eval-artifacts am-gen-client
 
 # Default target
 help:
@@ -202,6 +202,13 @@ service-shell:
 console-logs:
 	@docker logs -f agent-manager-console
 
+# am CLI client codegen (oapi-codegen against local OpenAPI spec)
+am-gen-client:
+	@command -v oapi-codegen >/dev/null || (echo "Installing oapi-codegen..." && go install github.com/oapi-codegen/oapi-codegen/v2/cmd/oapi-codegen@latest)
+	@oapi-codegen -config internal/am/clients/amsvc/gen/oapi-codegen.yaml agent-manager-service/docs/api_v1_openapi.yaml
+	@oapi-codegen -config internal/am/clients/amsvc/gen/oapi-codegen-client.yaml agent-manager-service/docs/api_v1_openapi.yaml
+	@echo "am client generated successfully"
+
 # Code generation
 gen-eval-artifacts:
 	@echo "Generating evaluator artifacts..."

cmd/am/main.go

@@ -0,0 +1,11 @@
+package main
+
+import (
+	"os"
+
+	"github.com/wso2/agent-manager/internal/am/amcmd"
+)
+
+func main() {
+	os.Exit(amcmd.Main())
+}

deployments/docker-compose.yml

@@ -57,7 +57,7 @@ services:
       # Key Manager / JWT validation configuration
       # Accepts Thunder-issued tokens (client_credentials for publisher)
       - KEY_MANAGER_ISSUER=Agent Management Platform Local,http://thunder.amp.localhost:8080
-      - KEY_MANAGER_AUDIENCE=localhost,amp-publisher-*,amp-api-client,amp-console-client
+      - KEY_MANAGER_AUDIENCE=localhost,amp-publisher-*,amp-api-client,amp-console-client,am-cli
       - AMP_VERSION=v0.8.0
       - OPEN_CHOREO_BASE_URL=http://api.openchoreo.localhost:8195
       # OpenBao/Vault Secret Management Configuration

deployments/helm-charts/wso2-agent-manager/values.yaml

@@ -129,7 +129,7 @@ agentManagerService:
     # Key Manager configuration
     keyManager:
       issuer: "http://thunder.amp.localhost:8080"
-      audience: "amp-console-client,amp-api-client,amp-publisher-*"
+      audience: "amp-console-client,amp-api-client,amp-publisher-*,am-cli"
       jwksUrl: "http://amp-thunder-extension-service.amp-thunder.svc.cluster.local:8090/oauth2/jwks"
 
     # On-premise deployment flag

deployments/helm-charts/wso2-amp-thunder-extension/templates/amp-thunder-bootstrap.yaml

@@ -789,3 +789,116 @@ data:
       echo "Response: ${RESPONSE%???}"
       exit 1
     fi
+
+  57-am-cli-client.sh: |
+    #!/bin/bash
+    set -e
+
+    SCRIPT_DIR="$(dirname "${BASH_SOURCE[0]:-$0}")"
+    source "${SCRIPT_DIR}/common.sh"
+
+    log_info "Checking if application '{{ .Values.thunder.bootstrap.amCliClient.name }}' already exists..."
+
+    # Get the default OU ID
+    RESPONSE=$(thunder_api_call GET "/organization-units/tree/default")
+    HTTP_CODE="${RESPONSE: -3}"
+    BODY="${RESPONSE%???}"
+    if [[ "$HTTP_CODE" != "200" ]]; then
+      log_error "Failed to fetch default organization unit (HTTP $HTTP_CODE)"
+      echo "Response: $BODY"
+      exit 1
+    fi
+    DEFAULT_OU_ID=$(echo "$BODY" | grep -o '"handle":"default"[^}]*"id":"[^"]*"\|"id":"[^"]*"[^}]*"handle":"default"' | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
+
+    if [[ -z "$DEFAULT_OU_ID" ]]; then
+      log_error "Could not extract default organization unit ID from response"
+      echo "Response: $BODY"
+      exit 1
+    fi
+    log_info "Using OU ID: $DEFAULT_OU_ID"
+
+    # Look up the default auth flow ID
+    RESPONSE=$(thunder_api_call GET "/flows?flowType=AUTHENTICATION&limit=200")
+    HTTP_CODE="${RESPONSE: -3}"
+    BODY="${RESPONSE%???}"
+    if [[ "$HTTP_CODE" != "200" ]]; then
+      log_error "Failed to fetch authentication flows (HTTP $HTTP_CODE)"
+      echo "Response: $BODY"
+      exit 1
+    fi
+    AUTH_FLOW_ID=$(echo "$BODY" | sed 's/},{/}\n{/g' | grep '"handle":"default-basic-flow"' | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
+
+    if [[ -z "$AUTH_FLOW_ID" ]]; then
+      log_error "Could not find default-basic-flow authentication flow"
+      exit 1
+    fi
+    log_info "Using auth flow ID: $AUTH_FLOW_ID"
+
+    # Check existing apps
+    RESPONSE=$(thunder_api_call GET "/applications")
+    HTTP_CODE="${RESPONSE: -3}"
+    BODY="${RESPONSE%???}"
+    if [[ "$HTTP_CODE" != "200" ]]; then
+      log_error "Failed to fetch applications (HTTP $HTTP_CODE)"
+      echo "Response: $BODY"
+      exit 1
+    fi
+
+    APP_PAYLOAD='{
+      "name": "{{ .Values.thunder.bootstrap.amCliClient.name }}",
+      "description": "{{ .Values.thunder.bootstrap.amCliClient.description }}",
+      "ouId": "'${DEFAULT_OU_ID}'",
+      "authFlowId": "'${AUTH_FLOW_ID}'",
+      "allowedUserTypes": {{ .Values.thunder.bootstrap.amCliClient.allowedUserTypes | toJson }},
+      "inboundAuthConfig": [
+        {
+          "type": "oauth2",
+          "config": {
+            "clientId": "{{ .Values.thunder.bootstrap.amCliClient.clientId }}",
+            "redirectUris": {{ .Values.thunder.bootstrap.amCliClient.redirectUris | toJson }},
+            "grantTypes": {{ .Values.thunder.bootstrap.amCliClient.grantTypes | toJson }},
+            "responseTypes": {{ .Values.thunder.bootstrap.amCliClient.responseTypes | toJson }},
+            "tokenEndpointAuthMethod": "{{ .Values.thunder.bootstrap.amCliClient.tokenEndpointAuthMethod }}",
+            "pkceRequired": {{ .Values.thunder.bootstrap.amCliClient.pkceRequired }},
+            "publicClient": {{ .Values.thunder.bootstrap.amCliClient.publicClient }},
+            "token": {
+              "accessToken": {
+                "validityPeriod": {{ .Values.thunder.bootstrap.amCliClient.accessTokenValidityPeriod }},
+                "userAttributes": {{ .Values.thunder.bootstrap.amCliClient.userAttributes | toJson }}
+              },
+              "idToken": {
+                "validityPeriod": {{ .Values.thunder.bootstrap.amCliClient.idTokenValidityPeriod }},
+                "userAttributes": {{ .Values.thunder.bootstrap.amCliClient.userAttributes | toJson }}
+              }
+            }
+          }
+        }
+      ]
+    }'
+
+    if echo "$BODY" | grep -q '"clientId":"{{ .Values.thunder.bootstrap.amCliClient.clientId }}"'; then
+      app_id=$(echo "$BODY" | sed 's/},{/}\n{/g' | grep '"clientId":"{{ .Values.thunder.bootstrap.amCliClient.clientId }}"' | grep -o '"id":"[^"]*"' | head -1 | cut -d'"' -f4)
+      log_info "Application '{{ .Values.thunder.bootstrap.amCliClient.name }}' already exists (id: $app_id), updating..."
+      RESPONSE=$(thunder_api_call PUT "/applications/$app_id" "$APP_PAYLOAD")
+      HTTP_CODE="${RESPONSE: -3}"
+      if [[ "$HTTP_CODE" == "200" ]]; then
+        log_info "Application '{{ .Values.thunder.bootstrap.amCliClient.name }}' updated successfully"
+      else
+        log_error "Failed to update application (HTTP $HTTP_CODE)"
+        echo "Response: ${RESPONSE%???}"
+        exit 1
+      fi
+    else
+      log_info "Application '{{ .Values.thunder.bootstrap.amCliClient.name }}' does not exist, creating..."
+      RESPONSE=$(thunder_api_call POST "/applications" "$APP_PAYLOAD")
+      HTTP_CODE="${RESPONSE: -3}"
+      if [[ "$HTTP_CODE" == "201" ]] || [[ "$HTTP_CODE" == "200" ]]; then
+        log_info "Application '{{ .Values.thunder.bootstrap.amCliClient.name }}' created successfully"
+      elif [[ "$HTTP_CODE" == "409" ]]; then
+        log_info "Application '{{ .Values.thunder.bootstrap.amCliClient.name }}' already exists, skipping"
+      else
+        log_error "Failed to create application (HTTP $HTTP_CODE)"
+        echo "Response: ${RESPONSE%???}"
+        exit 1
+      fi
+    fi

deployments/helm-charts/wso2-amp-thunder-extension/values.yaml

@@ -165,6 +165,7 @@ thunder:
         - 54-observer-resource-reader-app.sh
         - 55-amp-publisher-client.sh
         - 56-amp-system-client.sh
+        - 57-am-cli-client.sh
     # Observer Resource Reader Client configuration (for observability plane to read resources)
     observerResourceReaderClient:
       clientId: "openchoreo-observer-resource-reader-client" # clusterauthzrolebinding is already created with this clientId by openchoreo, so it should not be changed unless the corresponding ClusterAuthzRoleBinding is also updated
@@ -228,6 +229,31 @@ thunder:
       pkceRequired: false
       publicClient: false
       accessTokenValidityPeriod: 3600
+    # AMP CLI Client configuration (public PKCE client for interactive login)
+    amCliClient:
+      clientId: "am-cli"
+      name: "AMP CLI"
+      description: "AMP CLI application for interactive user login"
+      redirectUris:
+        - "http://127.0.0.1:10325/callback"
+      grantTypes:
+        - "authorization_code"
+        - "refresh_token"
+      responseTypes:
+        - "code"
+      allowedUserTypes:
+        - "engineer"
+      tokenEndpointAuthMethod: "none"
+      pkceRequired: true
+      publicClient: true
+      accessTokenValidityPeriod: 3600
+      idTokenValidityPeriod: 3600
+      userAttributes:
+        - "given_name"
+        - "family_name"
+        - "username"
+        - "groups"
+        - "ouId"
     # AMP Console Client configuration
     ampConsoleClient:
       clientId: "amp-console-client"

go.mod

@@ -0,0 +1,19 @@
+module github.com/wso2/agent-manager
+
+go 1.25.7
+
+require (
+	github.com/oapi-codegen/runtime v1.4.0
+	github.com/spf13/cobra v1.10.2
+	golang.org/x/oauth2 v0.36.0
+	golang.org/x/term v0.42.0
+	gopkg.in/yaml.v3 v3.0.1
+)
+
+require (
+	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	golang.org/x/sys v0.43.0 // indirect
+)

go.sum

@@ -0,0 +1,39 @@
+github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
+github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
+github.com/oapi-codegen/runtime v1.4.0 h1:KLOSFOp7UzkbS7Cs1ms6NBEKYr0WmH2wZG0KKbd2er4=
+github.com/oapi-codegen/runtime v1.4.0/go.mod h1:5sw5fxCDmnOzKNYmkVNF8d34kyUeejJEY8HNT2WaPec=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/am/amcmd/cmd.go

@@ -0,0 +1,49 @@
+package amcmd
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/wso2/agent-manager/internal/am/clierr"
+	"github.com/wso2/agent-manager/internal/am/cmd"
+	"github.com/wso2/agent-manager/internal/am/cmdutil"
+	"github.com/wso2/agent-manager/internal/am/config"
+	"github.com/wso2/agent-manager/internal/am/iostreams"
+	"github.com/wso2/agent-manager/internal/am/render"
+)
+
+// Main loads config, builds the root command, and executes it. Returns the
+// process exit code.
+func Main() int {
+	io := iostreams.System()
+
+	path, err := config.DefaultPath()
+	if err != nil {
+		_ = render.Error(io, render.Scope{}, clierr.Newf(clierr.ConfigNotLoaded, "%v", err))
+		return 1
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		_ = render.Error(io, render.Scope{}, clierr.Newf(clierr.ConfigNotLoaded, "%v", err))
+		return 1
+	}
+
+	root, err := cmd.NewRootCmd(cmdutil.NewFactory(cfg, io))
+	if err != nil {
+		return 1
+	}
+	matched, err := root.ExecuteC()
+	if err != nil {
+		if !render.IsRendered(err) {
+			_ = render.Error(io, render.Scope{}, err)
+			fmt.Fprintln(io.ErrOut)
+			fmt.Fprint(io.ErrOut, matched.UsageString())
+		}
+		var fe *cmdutil.FlagError
+		if errors.As(err, &fe) {
+			return 2
+		}
+		return 1
+	}
+	return 0
+}