Add fetch command

bolt/README.md

@@ -50,6 +50,13 @@ Usage:
       Copy a bolt package to a remote device via SSH and optionally install it via middleware
       --direct            Skip middleware installation and deploy directly to the bolt packages directory
 
+  bolt fetch <package> [--force]
+      Download a bolt package from the configured package store server into the local package store
+      <package> can be a package name (id+version) or file name (id+version.bolt)
+      --force             Replace the package if it already exists in the local package store
+      Package store URL, type and credentials are configured in ~/.bolt/config.json
+      See https://github.com/rdkcentral/bolt-tools/blob/main/bolt/docs/fetch.md
+
   bolt run <remote> <package-name|package-id|package.bolt> [options]
       Execute a bolt package on a remote device.
       If a package ID is provided (without version), the package is always launched via middleware.
@@ -89,6 +96,7 @@ Global options (can be used with any command):
   --verbose     Print detailed output during execution
 ```
 
+A detailed description of the `bolt fetch` command can be found in the [docs/fetch.md](docs/fetch.md) file.
 A detailed description of the `bolt make` command can be found in the [docs/make.md](docs/make.md) file.
 A detailed description of the `bolt push` command can be found in the [docs/push.md](docs/push.md) file.
 A detailed description of the `bolt run` command can be found in the [docs/run.md](docs/run.md) file.
@@ -121,6 +129,7 @@ Supported options:
 |--------|--------------------------------------------------|
 | `key`  | Default path to the RSA private key (PEM format) |
 | `cert` | Default path to the X.509 certificate (PEM format) |
+| `packageStore*` | Package store settings used by `bolt fetch` (`packageStoreURL`, `packageStoreType`, etc.). See [docs/fetch.md](docs/fetch.md) |
 
 Example `~/.bolt/config.json`:
 ```json
@@ -135,7 +144,8 @@ so the example above can be simplified to:
 ```json
 {
   "key": "signing.key.pem",
-  "cert": "signing.cert.pem"
+  "cert": "signing.cert.pem",
+  "packageStoreURL": "https://packages.example.com/bolts"
 }
 ```
 

bolt/docs/fetch.md

@@ -0,0 +1,106 @@
+# bolt fetch Command Overview
+
+## Purpose
+
+The `bolt fetch` command downloads a bolt package from a remote package store server into the
+[local package store](local-package-store.md).
+
+## Usage
+
+```
+bolt fetch <package> [--force]
+```
+
+- `<package>` is the package name (`id+version`) or file name (`id+version.bolt`).
+  It may be prefixed with a sub-directory path (for example an architecture, `arm/<package>`),
+  which is appended to the server URL when downloading.
+
+## Options
+
+| Option      | Description                                                                          |
+|-------------|--------------------------------------------------------------------------------------|
+| --force     | Replace the package if it already exists in the local package store.                 |
+
+## Configuration
+
+The remote server URL and package store type are configured in `~/.bolt/config.json`:
+
+```json
+{
+  "packageStoreURL": "https://packages.example.com/bolts"
+}
+```
+
+| Key                | Description                                                        |
+|--------------------|--------------------------------------------------------------------|
+| `packageStoreURL`  | URL of the remote package store server (required)                  |
+| `packageStoreType` | Package store type: `"basic"` (default) or `"rdk"` (see below)     |
+| `packageStoreUser` | Username for authentication (prompted via stdin if not configured) |
+
+## Package Store Types
+
+### basic (default)
+
+Downloads packages directly from `<packageStoreURL>/<id+version>.bolt` with no authentication.
+The server can be a plain static file server — no special API is required.
+
+### rdk
+
+Downloads packages from an RDK package store server, authenticating with a username and password.
+The password is prompted via stdin on first use and never stored. If `packageStoreUser` is not set
+in the config, the username is also prompted. The session is preserved between invocations; when it
+expires, credentials are prompted again automatically.
+
+Example configuration:
+```json
+{
+  "packageStoreURL": "https://rdk.example.com",
+  "packageStoreType": "rdk",
+  "packageStoreUser": "myuser"
+}
+```
+
+## Custom Package Store Types
+
+Custom types can be implemented as modules placed in `~/.bolt/plugins/`. The module file must be
+named `fetch-<type>.cjs` (e.g., `~/.bolt/plugins/fetch-custom.cjs` for type `"custom"`).
+
+The module exports a factory function that receives a context object and returns an async fetch
+handler:
+
+```js
+module.exports = function(ctx) {
+  return async function(packageStoreURL, packageFileName, options) {
+    await ctx.downloadPackage(`${packageStoreURL}/${packageFileName}`);
+  };
+};
+```
+
+Available helpers on the `ctx` object:
+
+| Method                                      | Description                                               |
+|---------------------------------------------|-----------------------------------------------------------|
+| `ctx.downloadPackage(url, requestOptions?)` | Download a file with progress indicator                   |
+| `ctx.postJSON(url, body)`                   | HTTP POST with JSON body, returns `{statusCode, headers, body}` |
+| `ctx.promptCredentials(username?)`          | Prompt for username/password via stdin                    |
+| `ctx.loadData()`                            | Load saved data. Return `null` if no data                 |
+| `ctx.saveData(data)`                        | Save data                                                 |
+
+## Examples
+
+- Download a package into the local package store:
+```
+bolt fetch com.rdkcentral.base+0.2.0
+```
+- Same, using the file name form:
+```
+bolt fetch com.rdkcentral.base+0.2.0.bolt
+```
+- Download an architecture-specific package from a subdirectory on the server:
+```
+bolt fetch arm/com.rdkcentral.base+0.2.0
+```
+- Re-download, replacing an existing copy:
+```
+bolt fetch com.rdkcentral.base+0.2.0 --force
+```

bolt/docs/local-package-store.md

@@ -5,6 +5,7 @@ It is used by:
 
 - `bolt make` — to resolve [package dependencies](make.md#dependency-handling) and to install
   built packages when `--install` or `--force-install` is used.
+- `bolt fetch` — to [download packages](fetch.md) from a remote package store server.
 - `bolt push` — to [locate packages by name](push.md#locating-the-package) when no file path is
   provided.
 

bolt/src/bolt.cjs

@@ -27,6 +27,7 @@ const { pack, packOptions } = require('./pack.cjs');
 const { push, pushOptions } = require('./push.cjs');
 const { run, runOptions } = require('./run.cjs');
 const { make, makeOptions } = require('./make.cjs');
+const { fetch, fetchOptions } = require('./fetch.cjs');
 
 function help() {
   console.log(`
@@ -53,6 +54,13 @@ Usage:
       Copy a bolt package to a remote device via SSH and optionally install it via middleware
       --direct            Skip middleware installation and deploy directly to the bolt packages directory
 
+  bolt fetch <package> [--force]
+      Download a bolt package from the configured package store server into the local package store
+      <package> can be a package name (id+version) or file name (id+version.bolt)
+      --force             Replace the package if it already exists in the local package store
+      Package store URL, type and credentials are configured in ~/.bolt/config.json
+      See https://github.com/rdkcentral/bolt-tools/blob/main/bolt/docs/fetch.md
+
   bolt run <remote> <package-name|package-id|package.bolt> [options]
       Execute a bolt package on a remote device.
       If a package ID is provided (without version), the package is always launched via middleware.
@@ -102,6 +110,7 @@ const commands = {
   push: { args: 2, handler: push, options: pushOptions },
   run: { args: 2, handler: run, options: runOptions },
   make: { args: 1, handler: make, options: makeOptions },
+  fetch: { args: 1, handler: fetch, options: fetchOptions },
 };
 
 function checkOptions(provided, allowed) {

bolt/src/fetch-basic.cjs

@@ -0,0 +1,24 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+module.exports = function(ctx) {
+  return async function(packageStoreURL, packageFileName) {
+    await ctx.downloadPackage(`${packageStoreURL}/${packageFileName}`);
+  };
+};

bolt/src/fetch-rdk.cjs

@@ -0,0 +1,67 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+
+async function login(ctx, base, credentials) {
+  const res = await ctx.postJSON(`${base}/auth/login`, {
+    username: credentials.username,
+    password: credentials.password,
+  });
+
+  if (res.statusCode !== 200) {
+    throw new Error(`Authentication failed: HTTP ${res.statusCode}`);
+  }
+
+  const setCookie = res.headers['set-cookie'];
+  if (!setCookie) {
+    throw new Error('Authentication failed: no cookie received from server');
+  }
+
+  const cookieHeader = Array.isArray(setCookie) ? setCookie[0] : setCookie;
+  return cookieHeader.split(';')[0].trim();
+}
+
+module.exports = function(ctx) {
+  return async function(packageStoreURL, packageFileName, options) {
+    const packagePath = packageFileName.includes('/') ? packageFileName : `arm/${packageFileName}`;
+    const url = `${packageStoreURL}/appcatalog/bolts/${packagePath}`;
+    let cookie = ctx.loadData();
+    let prompted = false;
+
+    if (!cookie) {
+      const credentials = await ctx.promptCredentials(options.packageStoreUser);
+      prompted = true;
+      cookie = await login(ctx, packageStoreURL, credentials);
+      ctx.saveData(cookie);
+    }
+
+    try {
+      await ctx.downloadPackage(url, { headers: { Cookie: cookie } });
+    } catch (err) {
+      if ((err.statusCode === 401 || err.statusCode === 403) && !prompted) {
+        console.log('Session expired, re-authenticating...');
+        const credentials = await ctx.promptCredentials(options.packageStoreUser);
+        cookie = await login(ctx, packageStoreURL, credentials);
+        ctx.saveData(cookie);
+        await ctx.downloadPackage(url, { headers: { Cookie: cookie } });
+      } else {
+        throw err;
+      }
+    }
+  };
+};