@andocorp/cli 0.1.3 → 0.3.0

package/dist/config-keyring.js

@@ -0,0 +1,61 @@
+import { createHash } from "node:crypto";
+import path from "node:path";
+const KEYRING_SERVICE = "ando-cli";
+export async function readKeyringCredential(account, configRoot) {
+    const { Entry } = await loadKeyringModule();
+    try {
+        return new Entry(KEYRING_SERVICE, getKeyringAccount(configRoot, account)).getPassword();
+    }
+    catch (error) {
+        throw new Error("Failed to read Ando credentials from the system keyring. Set ANDO_KEYRING=0 to use file-based auth instead.", { cause: error });
+    }
+}
+export async function writeKeyringCredential(account, apiKey, configRoot) {
+    const { Entry } = await loadKeyringModule();
+    try {
+        new Entry(KEYRING_SERVICE, getKeyringAccount(configRoot, account)).setPassword(apiKey);
+    }
+    catch (error) {
+        throw new Error("Failed to save Ando credentials to the system keyring. Set ANDO_KEYRING=0 to use file-based auth instead.", { cause: error });
+    }
+}
+export async function deleteKeyringCredentialsForProfile(configRoot) {
+    const { Entry, findCredentials } = await loadKeyringModule();
+    const accountPrefix = `${getKeyringProfileId(configRoot)}:`;
+    let removed = false;
+    for (const credential of findCredentials(KEYRING_SERVICE)) {
+        if (!credential.account.startsWith(accountPrefix)) {
+            continue;
+        }
+        removed = new Entry(KEYRING_SERVICE, credential.account).deletePassword() || removed;
+    }
+    return removed;
+}
+export async function readKeyringCredentialsForProfile(configRoot) {
+    const { findCredentials } = await loadKeyringModule();
+    const accountPrefix = `${getKeyringProfileId(configRoot)}:`;
+    return findCredentials(KEYRING_SERVICE)
+        .filter((credential) => {
+        return (credential.account.startsWith(accountPrefix) &&
+            typeof credential.password === "string" &&
+            credential.password.trim() !== "");
+    })
+        .map((credential) => ({
+        account: credential.account.slice(accountPrefix.length),
+        apiKey: credential.password,
+    }));
+}
+async function loadKeyringModule() {
+    try {
+        return await import("@napi-rs/keyring");
+    }
+    catch (error) {
+        throw new Error("Ando keyring storage is unavailable. Set ANDO_KEYRING=0 to use file-based auth instead.", { cause: error });
+    }
+}
+function getKeyringProfileId(configRoot) {
+    return createHash("sha256").update(path.resolve(configRoot)).digest("hex").slice(0, 32);
+}
+function getKeyringAccount(configRoot, account) {
+    return `${getKeyringProfileId(configRoot)}:${account}`;
+}

package/dist/config-logout-credentials.js

@@ -0,0 +1,171 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import { getCredentialMetadataKey, readCredentialMetadataMap, readCredentialSource, } from "./config-credential-metadata.js";
+import { readKeyringCredentialsForProfile } from "./config-keyring.js";
+import { getAuthPath, getConfigReadPaths } from "./config-paths.js";
+import { DEFAULT_CREDENTIAL_ACCOUNT, } from "./config-types.js";
+function isRecord(value) {
+    return value != null && typeof value === "object" && !Array.isArray(value);
+}
+function getNonEmptyString(source, key) {
+    const value = isRecord(source) ? source[key] : null;
+    return typeof value === "string" && value.trim() !== "" ? value.trim() : null;
+}
+function readConfigCredential(source) {
+    if (!isRecord(source) || !isRecord(source["credential"])) {
+        return null;
+    }
+    const account = getNonEmptyString(source["credential"], "account");
+    const storage = getNonEmptyString(source["credential"], "storage");
+    const sourceType = readCredentialSource(source["credential"]);
+    return account == null || (storage !== "keyring" && storage !== "file")
+        ? null
+        : { account, source: sourceType, storage };
+}
+function readConfigMetadata(parsed) {
+    const credential = readConfigCredential(parsed);
+    return {
+        apiHost: getNonEmptyString(parsed, "apiHost") ?? undefined,
+        baseUrl: getNonEmptyString(parsed, "baseUrl") ?? undefined,
+        credentialAccount: credential?.account,
+        credentialSource: credential?.source,
+        credentialStorage: credential?.storage,
+        defaultWorkspaceId: getNonEmptyString(parsed, "defaultWorkspaceId") ?? undefined,
+        defaultWorkspaceMembershipId: getNonEmptyString(parsed, "defaultWorkspaceMembershipId") ?? undefined,
+        realtimeHost: getNonEmptyString(parsed, "realtimeHost") ?? undefined,
+        savedCredentials: readCredentialMetadataMap(parsed),
+    };
+}
+function getKnownMetadata(configFile, credential) {
+    const metadata = readConfigMetadata(configFile.parsed);
+    const savedMetadata = metadata.savedCredentials.get(getCredentialMetadataKey(credential.storage, credential.account));
+    if (savedMetadata != null) {
+        return savedMetadata;
+    }
+    if (credential.account !== metadata.credentialAccount ||
+        credential.storage !== metadata.credentialStorage) {
+        return null;
+    }
+    return {
+        apiHost: metadata.apiHost,
+        baseUrl: metadata.baseUrl,
+        credentialAccount: metadata.credentialAccount,
+        credentialStorage: metadata.credentialStorage,
+        defaultWorkspaceId: metadata.defaultWorkspaceId,
+        defaultWorkspaceMembershipId: metadata.defaultWorkspaceMembershipId,
+        realtimeHost: metadata.realtimeHost,
+        source: metadata.credentialSource,
+    };
+}
+async function readConfigFile(configPath) {
+    try {
+        const parsed = JSON.parse(await readFile(configPath, "utf8"));
+        return {
+            parsed: isRecord(parsed) ? parsed : null,
+            root: path.dirname(configPath),
+        };
+    }
+    catch {
+        return {
+            parsed: null,
+            root: path.dirname(configPath),
+        };
+    }
+}
+async function readAuthFile(configRoot) {
+    try {
+        const parsed = JSON.parse(await readFile(getAuthPath(configRoot), "utf8"));
+        return isRecord(parsed) ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+}
+function readFileCredentials(authFile) {
+    const credentials = [];
+    if (authFile == null) {
+        return credentials;
+    }
+    if (typeof authFile.apiKey === "string" && authFile.apiKey.trim() !== "") {
+        credentials.push({
+            account: DEFAULT_CREDENTIAL_ACCOUNT,
+            apiKey: authFile.apiKey,
+            storage: "file",
+        });
+    }
+    if (isRecord(authFile.credentials)) {
+        for (const [account, credential] of Object.entries(authFile.credentials)) {
+            if (isRecord(credential) && typeof credential["apiKey"] === "string") {
+                const apiKey = credential["apiKey"].trim();
+                if (apiKey !== "") {
+                    credentials.push({ account, apiKey, storage: "file" });
+                }
+            }
+        }
+    }
+    return credentials;
+}
+async function readKeyringCredentials(configRoot) {
+    try {
+        return (await readKeyringCredentialsForProfile(configRoot)).map((credential) => ({
+            ...credential,
+            storage: "keyring",
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+function buildSavedConfig(configFile, credential) {
+    const metadata = getKnownMetadata(configFile, credential);
+    return {
+        apiKey: credential.apiKey,
+        apiHost: metadata?.apiHost,
+        baseUrl: metadata?.baseUrl,
+        credentialSource: metadata?.source,
+        defaultWorkspaceId: metadata?.defaultWorkspaceId,
+        defaultWorkspaceMembershipId: metadata?.defaultWorkspaceMembershipId,
+        realtimeHost: metadata?.realtimeHost,
+        revokeOnLogout: metadata?.source === "browser_login",
+    };
+}
+function readLegacyConfigCredential(configFile) {
+    const apiKey = getNonEmptyString(configFile.parsed, "apiKey");
+    return apiKey == null
+        ? null
+        : {
+            apiKey,
+            apiHost: getNonEmptyString(configFile.parsed, "apiHost") ?? undefined,
+            baseUrl: getNonEmptyString(configFile.parsed, "baseUrl") ?? undefined,
+            defaultWorkspaceId: getNonEmptyString(configFile.parsed, "defaultWorkspaceId") ?? undefined,
+            defaultWorkspaceMembershipId: getNonEmptyString(configFile.parsed, "defaultWorkspaceMembershipId") ??
+                undefined,
+            realtimeHost: getNonEmptyString(configFile.parsed, "realtimeHost") ?? undefined,
+            revokeOnLogout: false,
+        };
+}
+export async function readSavedConfigsForLogout() {
+    const configs = new Map();
+    function addConfig(config) {
+        const cacheKey = `${config.baseUrl ?? ""}\0${config.apiKey}`;
+        const existing = configs.get(cacheKey);
+        if (existing == null || (!existing.revokeOnLogout && config.revokeOnLogout)) {
+            configs.set(cacheKey, config);
+        }
+    }
+    for (const configPath of getConfigReadPaths()) {
+        const configFile = await readConfigFile(configPath);
+        const credentials = [
+            ...(await readKeyringCredentials(configFile.root)),
+            ...readFileCredentials(await readAuthFile(configFile.root)),
+        ];
+        for (const credential of credentials) {
+            addConfig(buildSavedConfig(configFile, credential));
+        }
+        const legacyConfig = readLegacyConfigCredential(configFile);
+        if (legacyConfig != null) {
+            addConfig(legacyConfig);
+        }
+    }
+    return [...configs.values()];
+}

package/dist/config-paths.js

@@ -0,0 +1,41 @@
+import os from "node:os";
+import path from "node:path";
+function getNonEmptyEnv(name) {
+    const value = process.env[name];
+    return value == null || value.trim() === "" ? null : value.trim();
+}
+function getConfigRootPath(platform = process.platform) {
+    const andoHome = getNonEmptyEnv("ANDO_HOME");
+    if (andoHome != null) {
+        return andoHome;
+    }
+    const xdgConfigHome = getNonEmptyEnv("XDG_CONFIG_HOME");
+    if (xdgConfigHome != null) {
+        return path.join(xdgConfigHome, "ando");
+    }
+    if (platform === "win32") {
+        return path.join(getNonEmptyEnv("APPDATA") ?? path.join(os.homedir(), "AppData", "Roaming"), "ando");
+    }
+    return path.join(os.homedir(), ".config", "ando");
+}
+function getLegacyConfigPath() {
+    return path.join(os.homedir(), ".config", "ando", "config.json");
+}
+export function getConfigReadPaths() {
+    const configPath = getConfigPath();
+    if (getNonEmptyEnv("ANDO_HOME") != null) {
+        return [configPath];
+    }
+    const legacyConfigPath = getLegacyConfigPath();
+    return configPath === legacyConfigPath ? [configPath] : [configPath, legacyConfigPath];
+}
+export function getConfigPath() {
+    return path.join(getConfigRootPath(), "config.json");
+}
+export function getAuthPath(configRoot = getConfigRootPath()) {
+    return path.join(configRoot, "auth.json");
+}
+export function isFileCredentialStorageEnabled() {
+    const value = getNonEmptyEnv("ANDO_KEYRING")?.toLowerCase();
+    return value === "0" || value === "false" || value === "off" || value === "no";
+}

package/dist/config-types.js

@@ -0,0 +1 @@
+export const DEFAULT_CREDENTIAL_ACCOUNT = "default";

package/dist/config.js

@@ -0,0 +1,333 @@
+import { mkdir, readFile, rm, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { deleteKeyringCredentialsForProfile, readKeyringCredential, writeKeyringCredential, } from "./config-keyring.js";
+import { getAuthPath, getConfigPath, getConfigReadPaths, isFileCredentialStorageEnabled, } from "./config-paths.js";
+import { DEFAULT_CREDENTIAL_ACCOUNT, } from "./config-types.js";
+import { buildSavedConfigMetadata, getCredentialMetadataKey, getSaveCredentialMetadata, readCredentialMetadataMap, readCredentialSource, } from "./config-credential-metadata.js";
+export { getConfigPath } from "./config-paths.js";
+function isRecord(value) {
+    return value != null && typeof value === "object" && !Array.isArray(value);
+}
+function getNonEmptyString(source, key) {
+    const value = isRecord(source) ? source[key] : null;
+    return typeof value === "string" && value.trim() !== "" ? value.trim() : null;
+}
+function getErrorCode(error) {
+    return error instanceof Error && "code" in error ? error.code : undefined;
+}
+function buildConfigJsonFile(configPath, parsed, error) {
+    return { error, path: configPath, parsed, root: path.dirname(configPath) };
+}
+async function readJsonFile(pathname) {
+    try {
+        return JSON.parse(await readFile(pathname, "utf8"));
+    }
+    catch (error) {
+        if (getErrorCode(error) === "ENOENT") {
+            return null;
+        }
+        throw error;
+    }
+}
+async function readConfigJsonFile(options = {}) {
+    for (const configPath of getConfigReadPaths()) {
+        let parsed;
+        try {
+            parsed = await readJsonFile(configPath);
+        }
+        catch (error) {
+            if (options.returnInvalid === true) {
+                return buildConfigJsonFile(configPath, null, error instanceof Error ? error.message : String(error));
+            }
+            if (options.ignoreInvalid === true) {
+                continue;
+            }
+            throw error;
+        }
+        if (parsed == null) {
+            continue;
+        }
+        return buildConfigJsonFile(configPath, parsed);
+    }
+    return null;
+}
+async function readConfigJsonFiles() {
+    return await Promise.all(getConfigReadPaths().map(readConfigJsonFileForCleanup));
+}
+async function readConfigJsonFileForCleanup(configPath) {
+    try {
+        return buildConfigJsonFile(configPath, await readJsonFile(configPath));
+    }
+    catch (error) {
+        return buildConfigJsonFile(configPath, null, error instanceof Error ? error.message : String(error));
+    }
+}
+function readCredentialConfig(source) {
+    if (!isRecord(source) || !isRecord(source["credential"])) {
+        return null;
+    }
+    const account = getNonEmptyString(source["credential"], "account");
+    const storage = getNonEmptyString(source["credential"], "storage");
+    if (account == null || (storage !== "keyring" && storage !== "file")) {
+        return null;
+    }
+    return {
+        account,
+        source: readCredentialSource(source["credential"]),
+        storage,
+    };
+}
+function readKeyringAccounts(source) {
+    const accounts = new Set();
+    if (isRecord(source) && Array.isArray(source["keyringAccounts"])) {
+        for (const account of source["keyringAccounts"]) {
+            if (typeof account === "string" && account.trim() !== "") {
+                accounts.add(account.trim());
+            }
+        }
+    }
+    const credential = readCredentialConfig(source);
+    if (credential?.storage === "keyring") {
+        accounts.add(DEFAULT_CREDENTIAL_ACCOUNT);
+        accounts.add(credential.account);
+    }
+    return [...accounts].sort();
+}
+function getSaveCredentialConfig(config) {
+    return {
+        account: config.defaultWorkspaceId ?? DEFAULT_CREDENTIAL_ACCOUNT,
+        source: config.credentialSource,
+        storage: isFileCredentialStorageEnabled() ? "file" : "keyring",
+    };
+}
+function getReadCredentialConfig(parsed) {
+    const credential = readCredentialConfig(parsed);
+    if (credential == null) {
+        return null;
+    }
+    return {
+        ...credential,
+        storage: isFileCredentialStorageEnabled() ? "file" : credential.storage,
+    };
+}
+async function readAuthFile(configRoot) {
+    const parsed = await readJsonFile(getAuthPath(configRoot));
+    return isRecord(parsed) ? parsed : null;
+}
+function readFileCredentialFromAuth(authFile, account) {
+    if (authFile == null) {
+        return null;
+    }
+    const credential = authFile.credentials?.[account];
+    if (credential != null && typeof credential.apiKey === "string") {
+        return credential.apiKey.trim() === "" ? null : credential.apiKey;
+    }
+    return typeof authFile.apiKey === "string" && authFile.apiKey.trim() !== ""
+        ? authFile.apiKey
+        : null;
+}
+async function readFileCredential(account, configRoot) {
+    return readFileCredentialFromAuth(await readAuthFile(configRoot), account);
+}
+async function writeFileCredential(account, apiKey, configRoot) {
+    const authPath = getAuthPath(configRoot);
+    const savedAt = new Date().toISOString();
+    const existing = await readAuthFile(configRoot);
+    const credentials = isRecord(existing?.credentials)
+        ? Object.fromEntries(Object.entries(existing.credentials).filter((entry) => {
+            return isRecord(entry[1]) && typeof entry[1]["apiKey"] === "string";
+        }))
+        : {};
+    credentials[account] = { apiKey, savedAt };
+    await mkdir(path.dirname(authPath), { recursive: true });
+    await writeFile(authPath, JSON.stringify({ credentials, savedAt, version: 1 }, null, 2), { mode: 0o600 });
+}
+async function deleteFileCredential(account, configRoot) {
+    const authPath = getAuthPath(configRoot);
+    let existing;
+    try {
+        existing = await readAuthFile(configRoot);
+    }
+    catch {
+        await rm(authPath, { force: true });
+        return true;
+    }
+    if (existing == null) {
+        return false;
+    }
+    const credentials = isRecord(existing.credentials)
+        ? Object.fromEntries(Object.entries(existing.credentials).filter((entry) => {
+            return (entry[0] !== account &&
+                isRecord(entry[1]) &&
+                typeof entry[1]["apiKey"] === "string");
+        }))
+        : {};
+    const hasOtherCredentials = Object.keys(credentials).length > 0;
+    if (!hasOtherCredentials) {
+        await rm(authPath, { force: true });
+        return readFileCredentialFromAuth(existing, account) != null;
+    }
+    await writeFile(authPath, JSON.stringify({ credentials, savedAt: new Date().toISOString(), version: 1 }, null, 2), { mode: 0o600 });
+    return true;
+}
+async function readCredential(credential, configRoot) {
+    if (credential == null) {
+        return null;
+    }
+    return credential.storage === "file"
+        ? await readFileCredential(credential.account, configRoot)
+        : await readKeyringCredential(credential.account, configRoot);
+}
+async function writeCredential(credential, apiKey, configRoot) {
+    if (credential.storage === "file") {
+        await writeFileCredential(credential.account, apiKey, configRoot);
+        return;
+    }
+    await writeKeyringCredential(credential.account, apiKey, configRoot);
+}
+async function deleteKeyringCredentials(configRoot, required) {
+    try {
+        return await deleteKeyringCredentialsForProfile(configRoot);
+    }
+    catch (error) {
+        if (required) {
+            throw error;
+        }
+        return false;
+    }
+}
+async function deleteCredentials(parsed, configRoot, forceKeyringCleanup = false) {
+    const credential = readCredentialConfig(parsed);
+    let removedCredential = false;
+    removedCredential =
+        (await deleteKeyringCredentials(configRoot, forceKeyringCleanup || credential?.storage === "keyring")) || removedCredential;
+    if (credential?.storage === "file") {
+        removedCredential =
+            (await deleteFileCredential(credential.account, configRoot)) || removedCredential;
+    }
+    return removedCredential;
+}
+function setOptionalString(payload, key, value) {
+    if (typeof value === "string" && value.trim() !== "") {
+        payload[key] = value;
+    }
+}
+export async function readSavedConfig() {
+    const configFile = await readConfigJsonFile();
+    if (configFile == null || !isRecord(configFile.parsed)) {
+        return null;
+    }
+    const credential = getReadCredentialConfig(configFile.parsed);
+    const storedApiKey = await readCredential(credential, configFile.root);
+    const legacyApiKey = getNonEmptyString(configFile.parsed, "apiKey");
+    const apiKey = storedApiKey ?? legacyApiKey;
+    if (apiKey == null) {
+        return null;
+    }
+    return {
+        apiKey,
+        ...buildSavedConfigMetadata(configFile.parsed),
+    };
+}
+export async function readSavedConfigMetadata() {
+    const configFile = await readConfigJsonFile();
+    return configFile != null && isRecord(configFile.parsed)
+        ? buildSavedConfigMetadata(configFile.parsed)
+        : null;
+}
+export async function inspectSavedConfig() {
+    const configFile = await readConfigJsonFile({ returnInvalid: true });
+    const configPath = configFile?.path ?? getConfigPath();
+    const configRoot = configFile?.root ?? path.dirname(configPath);
+    const authPath = getAuthPath(configRoot);
+    if (configFile == null || !isRecord(configFile.parsed)) {
+        return {
+            authPath,
+            configError: configFile?.error,
+            configPath,
+            credentialError: configFile?.error,
+            hasConfig: configFile != null,
+            hasCredential: false,
+            hasLegacyCredential: false,
+        };
+    }
+    const credential = getReadCredentialConfig(configFile.parsed);
+    const legacyApiKey = getNonEmptyString(configFile.parsed, "apiKey");
+    let hasCredential = false;
+    let credentialError;
+    if (credential != null) {
+        try {
+            hasCredential = (await readCredential(credential, configRoot)) != null;
+        }
+        catch (error) {
+            credentialError = error instanceof Error ? error.message : String(error);
+        }
+    }
+    return {
+        authPath,
+        configPath,
+        configError: configFile.error,
+        credentialAccount: credential?.account,
+        credentialError,
+        credentialStorage: credential?.storage,
+        hasConfig: true,
+        hasCredential,
+        hasLegacyCredential: legacyApiKey != null,
+    };
+}
+export async function clearSavedConfig() {
+    const targets = await readConfigJsonFiles();
+    let removedCredential = false;
+    for (const configFile of targets) {
+        removedCredential =
+            (await deleteCredentials(configFile.parsed, configFile.root, configFile.error != null)) || removedCredential;
+        await rm(configFile.path, { force: true });
+        await rm(getAuthPath(configFile.root), { force: true });
+    }
+    const firstTarget = targets[0] ?? {
+        path: getConfigPath(),
+        root: path.dirname(getConfigPath()),
+    };
+    return {
+        authPath: getAuthPath(firstTarget.root),
+        configPath: firstTarget.path,
+        removedCredential,
+    };
+}
+export async function saveConfig(config) {
+    const configPath = getConfigPath();
+    const configRoot = path.dirname(configPath);
+    const savedAt = new Date().toISOString();
+    const credential = getSaveCredentialConfig(config);
+    const existingConfig = await readConfigJsonFile({ ignoreInvalid: true });
+    const keyringAccounts = new Set(existingConfig?.root === configRoot ? readKeyringAccounts(existingConfig.parsed) : []);
+    const credentialMetadata = existingConfig?.root === configRoot
+        ? readCredentialMetadataMap(existingConfig.parsed)
+        : new Map();
+    if (credential.storage === "keyring") {
+        keyringAccounts.add(DEFAULT_CREDENTIAL_ACCOUNT);
+        keyringAccounts.add(credential.account);
+    }
+    credentialMetadata.set(getCredentialMetadataKey(credential.storage, credential.account), getSaveCredentialMetadata(config));
+    await writeCredential(credential, config.apiKey, configRoot);
+    const payload = {
+        credential,
+        savedAt,
+        version: 1,
+    };
+    if (keyringAccounts.size > 0) {
+        payload.keyringAccounts = [...keyringAccounts].sort();
+    }
+    if (credentialMetadata.size > 0) {
+        payload.credentialMetadata = Object.fromEntries(credentialMetadata);
+    }
+    setOptionalString(payload, "apiHost", config.apiHost);
+    setOptionalString(payload, "baseUrl", config.baseUrl);
+    setOptionalString(payload, "defaultWorkspaceId", config.defaultWorkspaceId);
+    setOptionalString(payload, "defaultWorkspaceMembershipId", config.defaultWorkspaceMembershipId);
+    setOptionalString(payload, "realtimeHost", config.realtimeHost);
+    await mkdir(path.dirname(configPath), { recursive: true });
+    await writeFile(configPath, JSON.stringify(payload, null, 2), {
+        mode: 0o600,
+    });
+}