feat(cli): add execution engine with project, auth, and execute commands

[pyramation]

feat(cli): add execution engine with project, auth, and execute commands

Summary

This PR adds an execution engine to the cnc CLI that enables agents and users to make GraphQL requests against Constructive APIs. The implementation includes:

Config Management (src/config/):

• Uses appstash for standardized config storage at ~/.cnc/
• Project configs store domain, subdomain, and endpoints for all 5 APIs (public, admin, auth, private, app)
• Credentials stored separately with 0o600 file permissions

New Commands:

• cnc project init|list|use|info|delete - Manage project configurations
• cnc auth set-token|status|logout - Manage API tokens per project
• cnc execute - Execute JSON protocol operations with auto-routing to correct API

SDK Client (src/sdk/):

• Uses @constructive-io/graphql-codegen execute function for GraphQL requests
• Uses gql-ast for AST-based query/mutation building (findMany, findFirst, create, update, delete)
• JSON Protocol executor with model-to-API routing (e.g., database → public, membership → admin, user → auth)

Updates since last revision

• Refactored SDK to use existing infrastructure: Replaced custom GraphQL client and manual string concatenation with:
  • @constructive-io/graphql-codegen execute function for GraphQL execution
  • gql-ast for proper AST-based document building
  • Added @0no-co/graphql.web for print and parseType utilities
• Password masking for token input: The cnc auth set-token command now uses type: 'password' instead of type: 'text', so tokens are masked with asterisks while typing.
• Fixed lockfile sync: Updated pnpm-lock.yaml to properly reflect the inquirerer@^4.5.0 dependency.

Review & Testing Checklist for Human

• Verify AST-generated queries are correct - The operations.ts was rewritten to use gql-ast. Verify the generated GraphQL documents match expected structure by testing cnc execute commands.
• Verify model-to-API routing in src/sdk/executor.ts - The MODEL_API_MAP makes assumptions about which models belong to which API. Confirm these mappings match the actual Constructive API structure.
• Verify endpoint URL generation in src/config/types.ts - The generateEndpoints() function assumes URL patterns like https://public-{subdomain}.{domain}/graphql. Confirm this matches production.
• Test credential storage security - Verify that ~/.cnc/config/credentials.json is created with mode 0o600 (owner read/write only).
• Manual test the commands - Run through the basic flow:

  cnc project init my-app --domain constructive.io
  cnc auth set-token  # Should mask input with asterisks
  cnc execute --model database --action findMany --first 5

Recommended Test Plan:

1. Install the CLI locally and run cnc project init to create a project
2. Set a real API token with cnc auth set-token and verify input is masked
3. Try cnc execute against a real Constructive API to verify the GraphQL client works
4. Check ~/.cnc/config/ to verify file structure and permissions

Notes

• No automated tests are included for the new functionality - manual testing is required
• OAuth login flow is not implemented - only manual token setting via cnc auth set-token
• Password masking depends on inquirerer password type from dev-utils PR modules #58

Link to Devin run: https://app.devin.ai/sessions/041b1d6074a549febda2c95195f1e758
Continued in: https://app.devin.ai/sessions/3db8ac553a7641ee811f8da59592f68a
Requested by: Dan Lynch (@pyramation)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring