@agentuity/cli 0.0.41 → 0.0.43

package/src/cmd/secret/pull.ts

@@ -0,0 +1,91 @@
+import { z } from 'zod';
+import { join } from 'node:path';
+import { createSubcommand } from '../../types';
+import * as tui from '../../tui';
+import { projectGet } from '@agentuity/server';
+import { getAPIBaseURL, APIClient } from '../../api';
+import { loadProjectConfig } from '../../config';
+import {
+	findEnvFile,
+	findExistingEnvFile,
+	readEnvFile,
+	writeEnvFile,
+	mergeEnvVars,
+} from '../../env-util';
+
+export const pullSubcommand = createSubcommand({
+	name: 'pull',
+	description: 'Pull secrets from cloud to local .env.production file',
+	requiresAuth: true,
+	schema: {
+		options: z.object({
+			dir: z.string().optional().describe('project directory (default: current directory)'),
+			force: z.boolean().default(false).describe('overwrite local values with cloud values'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { opts, config } = ctx;
+		const dir = opts?.dir ?? process.cwd();
+
+		// Load project config to get project ID
+		const projectConfig = await loadProjectConfig(dir);
+		if (!projectConfig) {
+			tui.fatal(`No Agentuity project found in ${dir}. Missing agentuity.json`);
+		}
+
+		const apiUrl = getAPIBaseURL(config);
+		const client = new APIClient(apiUrl, config);
+
+		// Fetch project with unmasked secrets
+		const project = await tui.spinner('Pulling secrets from cloud', () => {
+			return projectGet(client, { id: projectConfig.projectId, mask: false });
+		});
+
+		const cloudSecrets = project.secrets || {};
+
+		// Read current local env from existing file (.env.production or .env)
+		const existingEnvPath = await findExistingEnvFile(dir);
+		const localEnv = await readEnvFile(existingEnvPath);
+
+		// Target file is always .env.production
+		const targetEnvPath = await findEnvFile(dir);
+
+		// Merge: cloud values override local if force=true, otherwise keep local
+		let mergedEnv: Record<string, string>;
+		if (opts?.force) {
+			// Cloud values take priority
+			mergedEnv = mergeEnvVars(localEnv, cloudSecrets);
+		} else {
+			// Local values take priority (only add new keys from cloud)
+			mergedEnv = mergeEnvVars(cloudSecrets, localEnv);
+		}
+
+		// Write to .env.production (skip AGENTUITY_ keys)
+		await writeEnvFile(targetEnvPath, mergedEnv, {
+			skipKeys: Object.keys(mergedEnv).filter((k) => k.startsWith('AGENTUITY_')),
+		});
+
+		// Write AGENTUITY_SDK_KEY to .env if present and missing locally
+		if (project.api_key) {
+			const dotEnvPath = join(dir, '.env');
+			const dotEnv = await readEnvFile(dotEnvPath);
+
+			if (!dotEnv.AGENTUITY_SDK_KEY) {
+				dotEnv.AGENTUITY_SDK_KEY = project.api_key;
+				await writeEnvFile(dotEnvPath, dotEnv, {
+					addComment: (key) => {
+						if (key === 'AGENTUITY_SDK_KEY') {
+							return 'AGENTUITY_SDK_KEY is a sensitive value and should not be committed to version control.';
+						}
+						return null;
+					},
+				});
+				tui.info(`Wrote AGENTUITY_SDK_KEY to ${dotEnvPath}`);
+			}
+		}
+
+		const count = Object.keys(cloudSecrets).length;
+		tui.success(`Pulled ${count} secret${count !== 1 ? 's' : ''} to ${targetEnvPath}`);
+	},
+});

package/src/cmd/secret/push.ts

@@ -0,0 +1,55 @@
+import { z } from 'zod';
+import { createSubcommand } from '../../types';
+import * as tui from '../../tui';
+import { projectEnvUpdate } from '@agentuity/server';
+import { getAPIBaseURL, APIClient } from '../../api';
+import { loadProjectConfig } from '../../config';
+import { findEnvFile, readEnvFile, filterAgentuitySdkKeys } from '../../env-util';
+
+export const pushSubcommand = createSubcommand({
+	name: 'push',
+	description: 'Push secrets from local .env.production file to cloud',
+	requiresAuth: true,
+	schema: {
+		options: z.object({
+			dir: z.string().optional().describe('project directory (default: current directory)'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { opts, config } = ctx;
+		const dir = opts?.dir ?? process.cwd();
+
+		// Load project config to get project ID
+		const projectConfig = await loadProjectConfig(dir);
+		if (!projectConfig) {
+			tui.fatal(`No Agentuity project found in ${dir}. Missing agentuity.json`);
+		}
+
+		// Read local env file
+		const envFilePath = await findEnvFile(dir);
+		const localEnv = await readEnvFile(envFilePath);
+
+		// Filter out AGENTUITY_ prefixed keys (don't push SDK keys)
+		const filteredSecrets = filterAgentuitySdkKeys(localEnv);
+
+		if (Object.keys(filteredSecrets).length === 0) {
+			tui.warning('No secrets to push');
+			return;
+		}
+
+		const apiUrl = getAPIBaseURL(config);
+		const client = new APIClient(apiUrl, config);
+
+		// Push to cloud (using secrets field)
+		await tui.spinner('Pushing secrets to cloud', () => {
+			return projectEnvUpdate(client, {
+				id: projectConfig.projectId,
+				secrets: filteredSecrets,
+			});
+		});
+
+		const count = Object.keys(filteredSecrets).length;
+		tui.success(`Pushed ${count} secret${count !== 1 ? 's' : ''} to cloud`);
+	},
+});

package/src/cmd/secret/set.ts

@@ -0,0 +1,60 @@
+import { z } from 'zod';
+import { createSubcommand } from '../../types';
+import * as tui from '../../tui';
+import { projectEnvUpdate } from '@agentuity/server';
+import { getAPIBaseURL, APIClient } from '../../api';
+import { loadProjectConfig } from '../../config';
+import { findEnvFile, readEnvFile, writeEnvFile, filterAgentuitySdkKeys } from '../../env-util';
+
+export const setSubcommand = createSubcommand({
+	name: 'set',
+	description: 'Set a secret',
+	requiresAuth: true,
+	schema: {
+		args: z.object({
+			key: z.string().min(1, 'key must not be empty').describe('the secret key'),
+			value: z.string().min(1, 'value must not be empty').describe('the secret value'),
+		}),
+		options: z.object({
+			dir: z.string().optional().describe('project directory (default: current directory)'),
+		}),
+	},
+
+	async handler(ctx) {
+		const { args, opts, config } = ctx;
+		const dir = opts?.dir ?? process.cwd();
+
+		// Validate key doesn't start with AGENTUITY_
+		if (args.key.startsWith('AGENTUITY_')) {
+			tui.fatal('Cannot set AGENTUITY_ prefixed variables. These are reserved for system use.');
+		}
+
+		// Load project config to get project ID
+		const projectConfig = await loadProjectConfig(dir);
+		if (!projectConfig) {
+			tui.fatal(`No Agentuity project found in ${dir}. Missing agentuity.json`);
+		}
+
+		const apiUrl = getAPIBaseURL(config);
+		const client = new APIClient(apiUrl, config);
+
+		// Set in cloud (using secrets field)
+		await tui.spinner('Setting secret in cloud', () => {
+			return projectEnvUpdate(client, {
+				id: projectConfig.projectId,
+				secrets: { [args.key]: args.value },
+			});
+		});
+
+		// Update local .env.production file
+		const envFilePath = await findEnvFile(dir);
+		const currentEnv = await readEnvFile(envFilePath);
+		currentEnv[args.key] = args.value;
+
+		// Filter out AGENTUITY_ keys before writing
+		const filteredEnv = filterAgentuitySdkKeys(currentEnv);
+		await writeEnvFile(envFilePath, filteredEnv);
+
+		tui.success(`Secret '${args.key}' set successfully (cloud + ${envFilePath})`);
+	},
+});

package/src/cmd/version/index.ts

@@ -1,6 +1,6 @@
 import { createCommand } from '../../types';
 import { getVersion } from '../../version';
-import { logger } from '../../logger';
+import { createLogger } from '@agentuity/server';
 
 export const command = createCommand({
 	name: 'version',
@@ -10,6 +10,7 @@ export const command = createCommand({
 		try {
 			console.log(getVersion());
 		} catch (error) {
+			const logger = createLogger();
 			logger.fatal('Failed to retrieve version: %s', error);
 		}
 	},

package/src/config.ts

@@ -1,9 +1,9 @@
 import { YAML } from 'bun';
-import { join, extname, basename } from 'node:path';
+import { join, extname, basename, resolve, normalize } from 'node:path';
 import { homedir } from 'node:os';
 import { mkdir, readdir, readFile, writeFile, chmod } from 'node:fs/promises';
 import type { Config, Profile, AuthData } from './types';
-import { ConfigSchema, ProjectSchema } from './types';
+import { ConfigSchema, ProjectSchema, BuildMetadataSchema, type BuildMetadata } from './types';
 import * as tui from './tui';
 import { z } from 'zod';
 
@@ -189,8 +189,18 @@ export async function saveConfig(config: Config, customPath?: string): Promise<v
 	await chmod(configPath, 0o600);
 }
 
+async function getOrInitConfig(): Promise<Config> {
+	const config = await loadConfig();
+	if (config) {
+		return config;
+	}
+	const profilePath = await getProfile();
+	const name = basename(profilePath, '.yaml');
+	return { name };
+}
+
 export async function saveAuth(auth: AuthData): Promise<void> {
-	const config = (await loadConfig()) || { name: 'default' };
+	const config = await getOrInitConfig();
 	config.auth = {
 		api_key: auth.apiKey,
 		user_id: auth.userId,
@@ -202,7 +212,7 @@ export async function saveAuth(auth: AuthData): Promise<void> {
 }
 
 export async function clearAuth(): Promise<void> {
-	const config = (await loadConfig()) || { name: 'default' };
+	const config = await getOrInitConfig();
 	config.auth = {
 		api_key: '',
 		user_id: '',
@@ -213,6 +223,21 @@ export async function clearAuth(): Promise<void> {
 	await saveConfig(config);
 }
 
+export async function saveProjectDir(projectDir: string): Promise<void> {
+	const config = await getOrInitConfig();
+	config.preferences = config.preferences || {};
+	const normalized = resolve(normalize(projectDir));
+	(config.preferences as Record<string, unknown>).project_dir = normalized;
+	await saveConfig(config);
+}
+
+export async function saveOrgId(orgId: string): Promise<void> {
+	const config = await getOrInitConfig();
+	config.preferences = config.preferences || {};
+	(config.preferences as Record<string, unknown>).orgId = orgId;
+	await saveConfig(config);
+}
+
 export async function getAuth(): Promise<AuthData | null> {
 	const config = await loadConfig();
 	if (!config) return null;
@@ -350,11 +375,39 @@ type InitialProjectConfig = ProjectConfig & {
 };
 
 export async function createProjectConfig(dir: string, config: InitialProjectConfig) {
+	// Create a sanitized config without the apiKey for agentuity.json
+	const { apiKey, ...sanitizedConfig } = config;
+
 	const configPath = join(dir, 'agentuity.json');
 	const configFile = Bun.file(configPath);
-	await configFile.write(JSON.stringify(config, null, 2));
+	await configFile.write(JSON.stringify(sanitizedConfig, null, 2));
 
+	// Write SDK key to .env with comment
 	const envPath = join(dir, '.env');
-	const envFile = Bun.file(envPath);
-	await envFile.write(`AGENTUITY_SDK_KEY=${config.apiKey}`);
+	const comment =
+		'# AGENTUITY_SDK_KEY is a sensitive value and should not be committed to version control.';
+	const content = `${comment}\nAGENTUITY_SDK_KEY=${apiKey}\n`;
+	await Bun.write(envPath, content);
+	// Set restrictive permissions (owner read/write only) to protect sensitive key
+	await chmod(envPath, 0o600);
+}
+
+export async function loadBuildMetadata(dir: string): Promise<BuildMetadata> {
+	const filename = join(dir, 'agentuity.metadata.json');
+	const file = Bun.file(filename);
+	if (!(await file.exists())) {
+		throw new Error(`couldn't find ${filename}`);
+	}
+	const buffer = await file.text();
+	const config = JSON.parse(buffer);
+	const result = BuildMetadataSchema.safeParse(config);
+	if (!result.success) {
+		tui.error(`Invalid build metadata at ${filename}:`);
+		for (const issue of result.error.issues) {
+			const path = issue.path.length > 0 ? issue.path.join('.') : 'root';
+			tui.bullet(`${path}: ${issue.message}`);
+		}
+		process.exit(1);
+	}
+	return result.data;
 }

package/src/env-util.test.ts

@@ -0,0 +1,194 @@
+import { describe, test, expect } from 'bun:test';
+import { looksLikeSecret } from './env-util';
+
+describe('looksLikeSecret', () => {
+	describe('key name patterns', () => {
+		test('detects _SECRET suffix', () => {
+			expect(looksLikeSecret('API_SECRET', 'value')).toBe(true);
+			expect(looksLikeSecret('DB_SECRET', 'value')).toBe(true);
+		});
+
+		test('detects _KEY suffix', () => {
+			expect(looksLikeSecret('API_KEY', 'value')).toBe(true);
+			expect(looksLikeSecret('STRIPE_KEY', 'value')).toBe(true);
+		});
+
+		test('detects _TOKEN suffix', () => {
+			expect(looksLikeSecret('AUTH_TOKEN', 'value')).toBe(true);
+			expect(looksLikeSecret('GITHUB_TOKEN', 'value')).toBe(true);
+		});
+
+		test('detects _PASSWORD suffix', () => {
+			expect(looksLikeSecret('DB_PASSWORD', 'value')).toBe(true);
+			expect(looksLikeSecret('ADMIN_PASSWORD', 'value')).toBe(true);
+		});
+
+		test('detects _PRIVATE suffix', () => {
+			expect(looksLikeSecret('SSH_PRIVATE', 'value')).toBe(true);
+		});
+
+		test('detects _CERT and _CERTIFICATE suffixes', () => {
+			expect(looksLikeSecret('SSL_CERT', 'value')).toBe(true);
+			expect(looksLikeSecret('SSL_CERTIFICATE', 'value')).toBe(true);
+		});
+
+		test('detects SECRET_ prefix', () => {
+			expect(looksLikeSecret('SECRET_VALUE', 'value')).toBe(true);
+		});
+
+		test('detects APIKEY and API_KEY patterns', () => {
+			expect(looksLikeSecret('APIKEY', 'value')).toBe(true);
+			expect(looksLikeSecret('API_KEY', 'value')).toBe(true);
+		});
+
+		test('detects JWT prefix', () => {
+			expect(looksLikeSecret('JWT_SECRET', 'value')).toBe(true);
+			expect(looksLikeSecret('JWT', 'value')).toBe(true);
+		});
+
+		test('detects PASSWORD in key name', () => {
+			expect(looksLikeSecret('DATABASE_PASSWORD', 'value')).toBe(true);
+			expect(looksLikeSecret('PASSWORD', 'value')).toBe(true);
+		});
+
+		test('detects CREDENTIAL in key name', () => {
+			expect(looksLikeSecret('AWS_CREDENTIALS', 'value')).toBe(true);
+		});
+
+		test('detects AUTH.*KEY pattern', () => {
+			expect(looksLikeSecret('AUTH_API_KEY', 'value')).toBe(true);
+			expect(looksLikeSecret('AUTHKEY', 'value')).toBe(true);
+		});
+
+		test('is case insensitive for key patterns', () => {
+			expect(looksLikeSecret('api_secret', 'value')).toBe(true);
+			expect(looksLikeSecret('Api_Key', 'value')).toBe(true);
+			expect(looksLikeSecret('AUTH_token', 'value')).toBe(true);
+		});
+	});
+
+	describe('value patterns', () => {
+		test('detects JWT tokens', () => {
+			const jwt =
+				'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
+			expect(looksLikeSecret('TOKEN', jwt)).toBe(true);
+			expect(looksLikeSecret('SOME_VAR', jwt)).toBe(true);
+		});
+
+		test('detects Bearer tokens', () => {
+			expect(looksLikeSecret('AUTH', 'Bearer abc123def456ghi789jkl012mno345pqr')).toBe(true);
+		});
+
+		test('detects AWS access keys', () => {
+			expect(looksLikeSecret('AWS', 'AKIAIOSFODNN7EXAMPLE')).toBe(true);
+			expect(looksLikeSecret('AWS', 'ASIAIOSFODNN7EXAMPLE')).toBe(true);
+		});
+
+		test('detects GitHub tokens', () => {
+			expect(looksLikeSecret('GH', 'ghp_1234567890abcdefghijklmnopqrstuvwxyz')).toBe(true);
+			expect(looksLikeSecret('GH', 'ghs_1234567890abcdefghijklmnopqrstuvwxyz')).toBe(true);
+		});
+
+		test('detects long alphanumeric strings (API keys)', () => {
+			// 32+ characters, mixed alphanumeric
+			expect(
+				looksLikeSecret('KEY', 'sk_test_51A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0U1V2W3X4Y5Z6')
+			).toBe(true);
+			expect(looksLikeSecret('KEY', 'abc123def456ghi789jkl012mno345pqr678stu901vwx234yz')).toBe(
+				true
+			);
+		});
+
+		test('does not flag numeric-only long strings', () => {
+			expect(looksLikeSecret('ID', '12345678901234567890123456789012')).toBe(false);
+		});
+
+		test('detects PEM certificates', () => {
+			expect(looksLikeSecret('CERT', '-----BEGIN CERTIFICATE-----\nMIIC...')).toBe(true);
+			expect(looksLikeSecret('CERT', '-----BEGIN PRIVATE KEY-----\nMIIC...')).toBe(true);
+			expect(looksLikeSecret('CERT', '-----BEGIN RSA PRIVATE KEY-----\nMIIC...')).toBe(true);
+		});
+
+		test('does not flag short values', () => {
+			expect(looksLikeSecret('VAR', 'short')).toBe(false);
+			expect(looksLikeSecret('VAR', '1234567')).toBe(false);
+		});
+
+		test('does not flag empty values', () => {
+			expect(looksLikeSecret('VAR', '')).toBe(false);
+		});
+	});
+
+	describe('non-secret patterns', () => {
+		test('regular environment variables are not flagged', () => {
+			expect(looksLikeSecret('NODE_ENV', 'production')).toBe(false);
+			expect(looksLikeSecret('PORT', '3000')).toBe(false);
+			expect(looksLikeSecret('HOST', 'localhost')).toBe(false);
+			expect(looksLikeSecret('DATABASE_URL', 'postgres://localhost:5432/mydb')).toBe(false);
+		});
+
+		test('configuration values are not flagged', () => {
+			expect(looksLikeSecret('LOG_LEVEL', 'debug')).toBe(false);
+			expect(looksLikeSecret('CACHE_TTL', '3600')).toBe(false);
+			expect(looksLikeSecret('MAX_CONNECTIONS', '100')).toBe(false);
+		});
+
+		test('URLs without secrets are not flagged', () => {
+			expect(looksLikeSecret('API_URL', 'https://api.example.com')).toBe(false);
+			expect(looksLikeSecret('WEBHOOK_URL', 'https://example.com/webhook')).toBe(false);
+		});
+
+		test('paths are not flagged', () => {
+			expect(looksLikeSecret('DATA_PATH', '/var/data/app')).toBe(false);
+			expect(looksLikeSecret('CONFIG_FILE', '/etc/app/config.json')).toBe(false);
+		});
+	});
+
+	describe('edge cases', () => {
+		test('handles mixed key and value patterns', () => {
+			// Key pattern triggers detection
+			expect(looksLikeSecret('API_KEY', 'simple')).toBe(true);
+
+			// Value pattern triggers detection even without key pattern
+			const jwt =
+				'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
+			expect(looksLikeSecret('CONFIG', jwt)).toBe(true);
+		});
+
+		test('real-world API key formats', () => {
+			// Stripe (contains underscore, 32+ chars)
+			expect(looksLikeSecret('STRIPE', 'sk_test_51HqL7xAbCdEfGhIjK12345678901234567890')).toBe(
+				true
+			);
+
+			// Long API key format (32+ alphanumeric)
+			expect(looksLikeSecret('OPENAI', 'sk-proj-1234567890abcdefghijklmnopqrstuvwxyz')).toBe(
+				true
+			);
+
+			// Contains dots (periods not in our pattern, but key name helps)
+			expect(
+				looksLikeSecret(
+					'SENDGRID_API_KEY',
+					'SG.1234567890abcdefghijklmnopqrstuvwxyz.1234567890abcdefghijklmnopqrstuvwxyz'
+				)
+			).toBe(true);
+		});
+
+		test('UUIDs are correctly identified as non-secrets', () => {
+			// Standard UUID format should not be flagged
+			expect(looksLikeSecret('REQUEST_ID', '550e8400-e29b-41d4-a716-446655440000')).toBe(false);
+			expect(looksLikeSecret('USER_ID', '123e4567-e89b-12d3-a456-426614174000')).toBe(false);
+		});
+
+		test('hex hashes are flagged (better safe than sorry)', () => {
+			// 32+ character hex strings could be secrets or hashes - we flag them
+			// Users can confirm they're just hashes if needed
+			expect(looksLikeSecret('BUILD_HASH', 'a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6')).toBe(true);
+
+			// But with context that clearly indicates it's not a secret, the key name won't trigger
+			// So short hex strings without secret-like key names won't be flagged
+			expect(looksLikeSecret('COMMIT', 'abc123def')).toBe(false);
+		});
+	});
+});