@appfleet-cli/cli 0.1.0

package/dist/prototype-inject.d.ts

@@ -0,0 +1,21 @@
+import { type PrototypeSecretFixture } from "./demo-fixture.ts";
+type ParsedInjectCommand = {
+    project: string;
+    environment: string;
+    command: string;
+    args: string[];
+};
+export type PrototypeInjectResult = {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+    childStarted: boolean;
+    auditId?: string;
+};
+export type PrototypeInjectOptions = {
+    fixture?: PrototypeSecretFixture;
+    auditPath?: string;
+};
+export declare function parseInjectCommand(argv: string[]): ParsedInjectCommand;
+export declare function runPrototypeInject(argv: string[], options?: PrototypeInjectOptions): Promise<PrototypeInjectResult>;
+export {};

package/dist/prototype-inject.js

@@ -0,0 +1,170 @@
+import { spawn } from "node:child_process";
+import { randomUUID } from "node:crypto";
+import { mkdir, appendFile } from "node:fs/promises";
+import { dirname, resolve } from "node:path";
+import { AppFleetCryptoAuthError, decryptCredentialValue, unwrapWorkspaceVaultKeyWithMasterPassword, } from "@appfleet/crypto";
+import { demoSecretFixture } from "./demo-fixture.js";
+class PrototypeCliError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+        this.name = "PrototypeCliError";
+    }
+}
+const defaultAuditPath = resolve(".appfleet", "prototype-audit.jsonl");
+export function parseInjectCommand(argv) {
+    if (argv[0] !== "secrets" || argv[1] !== "inject") {
+        throw new PrototypeCliError("UnsupportedCommand", "usage: secrets inject <project> --env <env> -- <command> [args...]");
+    }
+    const project = argv[2];
+    const envFlagIndex = argv.indexOf("--env");
+    const separatorIndex = argv.indexOf("--");
+    if (!project || envFlagIndex === -1 || separatorIndex === -1) {
+        throw new PrototypeCliError("InvalidArguments", "usage: secrets inject <project> --env <env> -- <command> [args...]");
+    }
+    if (envFlagIndex + 1 >= separatorIndex) {
+        throw new PrototypeCliError("MissingEnvironment", "--env requires a value");
+    }
+    const environment = argv[envFlagIndex + 1];
+    const command = argv[separatorIndex + 1];
+    const args = argv.slice(separatorIndex + 2);
+    if (!environment || !command) {
+        throw new PrototypeCliError("MissingChildCommand", "-- must be followed by a child command");
+    }
+    return { project, environment, command, args };
+}
+export async function runPrototypeInject(argv, options = {}) {
+    const fixture = options.fixture ?? demoSecretFixture;
+    const auditPath = options.auditPath ?? defaultAuditPath;
+    let parsed;
+    try {
+        parsed = parseInjectCommand(argv);
+        assertFixtureMatchesRequest(parsed, fixture);
+    }
+    catch (error) {
+        return commandError(error);
+    }
+    let secret;
+    try {
+        const workspaceVaultKey = await unwrapWorkspaceVaultKeyWithMasterPassword({
+            envelope: fixture.keyWrapperEnvelope,
+            masterPassword: fixture.masterPassword,
+        });
+        secret = await decryptCredentialValue({
+            envelope: fixture.credentialEnvelope,
+            workspaceVaultKey,
+        });
+    }
+    catch (error) {
+        return commandError(error, "DecryptFailed");
+    }
+    const auditEvent = createAuditEvent(parsed, fixture.alias);
+    try {
+        await writeAuditEvent(auditPath, auditEvent);
+    }
+    catch {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: "AppFleet prototype inject failed: AuditWriteFailed\n",
+            childStarted: false,
+        };
+    }
+    let child;
+    try {
+        child = await runChildProcess(parsed.command, parsed.args, {
+            ...process.env,
+            [fixture.alias]: secret,
+        });
+    }
+    catch {
+        return {
+            exitCode: 1,
+            stdout: redactSecret(`AppFleet prototype inject: project=${parsed.project} env=${parsed.environment} alias=${fixture.alias} auditId=${auditEvent.id}\nAppFleet prototype inject failed: ChildSpawnFailed\n`, secret),
+            stderr: "",
+            childStarted: false,
+            auditId: auditEvent.id,
+        };
+    }
+    const stdout = redactSecret([
+        `AppFleet prototype inject: project=${parsed.project} env=${parsed.environment} alias=${fixture.alias} auditId=${auditEvent.id}`,
+        child.stdout.trimEnd(),
+        `AppFleet prototype inject: childExitCode=${child.exitCode}`,
+    ]
+        .filter(Boolean)
+        .join("\n") + "\n", secret);
+    const stderr = redactSecret(child.stderr, secret);
+    return {
+        exitCode: child.exitCode,
+        stdout,
+        stderr,
+        childStarted: true,
+        auditId: auditEvent.id,
+    };
+}
+async function runChildProcess(command, args, env) {
+    return await new Promise((resolvePromise, reject) => {
+        const child = spawn(command, args, {
+            env,
+            shell: false,
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        const stdoutChunks = [];
+        const stderrChunks = [];
+        child.stdout.on("data", (chunk) => stdoutChunks.push(chunk));
+        child.stderr.on("data", (chunk) => stderrChunks.push(chunk));
+        child.on("error", reject);
+        child.on("close", (code) => {
+            resolvePromise({
+                exitCode: code ?? 1,
+                stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+                stderr: Buffer.concat(stderrChunks).toString("utf8"),
+            });
+        });
+    });
+}
+function createAuditEvent(parsed, alias) {
+    return {
+        id: randomUUID(),
+        action: "secret_injection_attempted",
+        project: parsed.project,
+        environment: parsed.environment,
+        alias,
+        createdAt: new Date().toISOString(),
+    };
+}
+async function writeAuditEvent(path, event) {
+    await mkdir(dirname(path), { recursive: true });
+    await appendFile(path, `${JSON.stringify(event)}\n`, { mode: 0o600 });
+}
+function assertFixtureMatchesRequest(parsed, fixture) {
+    if (parsed.project !== fixture.project || parsed.environment !== fixture.environment) {
+        throw new PrototypeCliError("FixtureNotFound", "no prototype fixture for requested project/environment");
+    }
+}
+function redactSecret(value, secret) {
+    return secret ? value.split(secret).join("[REDACTED_SECRET]") : value;
+}
+function commandError(error, fallbackCode) {
+    const code = fallbackCode ??
+        (error instanceof PrototypeCliError
+            ? error.code
+            : error instanceof AppFleetCryptoAuthError
+                ? "DecryptFailed"
+                : "PrototypeInjectFailed");
+    return {
+        exitCode: 1,
+        stdout: "",
+        stderr: `AppFleet prototype inject failed: ${code}\n`,
+        childStarted: false,
+    };
+}
+if (import.meta.url === `file://${process.argv[1]}`) {
+    const result = await runPrototypeInject(process.argv.slice(2), {
+        auditPath: process.env.APPFLEET_AUDIT_PATH,
+    });
+    process.stdout.write(result.stdout);
+    process.stderr.write(result.stderr);
+    process.exitCode = result.exitCode;
+}

package/dist/provider-integrations.d.ts

@@ -0,0 +1,8 @@
+export type ProviderCommandResult = {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+};
+export declare function runProviderIntegrationCommand(argv: string[], options?: {
+    now?: () => Date;
+}): ProviderCommandResult;

package/dist/provider-integrations.js

@@ -0,0 +1,197 @@
+import { createGitHubAppInventoryImportContract, createProviderCatalog, createProviderConnectionStatus, createProviderConnectorBoundaries, createProviderDiscoveryContract, createProviderSyncRun, } from "@appfleet/domain";
+export function runProviderIntegrationCommand(argv, options = {}) {
+    const now = options.now ?? (() => new Date());
+    let parsed;
+    try {
+        parsed = parseProviderCommand(argv);
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `AppFleet provider integrations failed: ${errorMessage(error)}\n`,
+        };
+    }
+    try {
+        const checkedAt = now().toISOString();
+        if (parsed.action === "catalog") {
+            const catalog = createProviderCatalog();
+            const result = {
+                type: "provider_catalog_report",
+                version: 1,
+                workspaceId: parsed.workspaceId,
+                providers: catalog,
+                boundaries: createProviderConnectorBoundaries(catalog),
+                providerApiCallsMade: false,
+                acceptsPlaintextSecrets: false,
+                includesCredentialValues: false,
+                includesProviderPayload: false,
+            };
+            return ok(parsed.outputFormat, result, formatProviderCatalog(result));
+        }
+        if (parsed.action === "status") {
+            const result = createProviderConnectionStatus({
+                workspaceId: parsed.workspaceId,
+                providerId: parsed.providerId,
+                checkedAt,
+            });
+            return ok(parsed.outputFormat, result, formatProviderStatus(result));
+        }
+        if (parsed.action === "sync") {
+            const result = createProviderSyncRun({
+                id: `provider_sync_${parsed.providerId}_${checkedAt.replace(/[^0-9]/g, "")}`,
+                workspaceId: parsed.workspaceId,
+                providerId: parsed.providerId,
+                startedAt: checkedAt,
+                completedAt: checkedAt,
+            });
+            return ok(parsed.outputFormat, result, formatProviderSync(result));
+        }
+        if (parsed.action === "discover") {
+            const result = createProviderDiscoveryContract({
+                workspaceId: parsed.workspaceId,
+                providerId: parsed.providerId,
+                surface: parsed.surface,
+            });
+            return ok(parsed.outputFormat, result, formatProviderDiscovery(result));
+        }
+        const result = createGitHubAppInventoryImportContract({
+            workspaceId: parsed.workspaceId,
+            repositories: parsed.repositories,
+        });
+        return ok(parsed.outputFormat, result, formatGitHubInventoryImport(result));
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `AppFleet provider integrations failed: ${errorMessage(error)}\n`,
+        };
+    }
+}
+function parseProviderCommand(argv) {
+    const normalizedArgv = argv[0] === "--" ? argv.slice(1) : argv;
+    if (normalizedArgv[0] !== "providers") {
+        throw new Error("usage: providers <catalog|status|sync|discover|github inventory-import> [arguments]");
+    }
+    const outputFormat = hasFlag(normalizedArgv, "--json") ? "json" : "human";
+    const workspaceId = readFlag(normalizedArgv, "--workspace") ?? "workspace_local";
+    const action = normalizedArgv[1];
+    if (action === "catalog") {
+        return { action, workspaceId, outputFormat };
+    }
+    if (action === "status" || action === "sync") {
+        const providerId = parseProviderId(normalizedArgv[2]);
+        return { action, workspaceId, providerId, outputFormat };
+    }
+    if (action === "discover") {
+        const providerId = parseProviderId(normalizedArgv[2]);
+        const surface = parseDiscoverySurface(readFlag(normalizedArgv, "--surface") ?? "projects");
+        return { action, workspaceId, providerId, surface, outputFormat };
+    }
+    if (action === "github" && normalizedArgv[2] === "inventory-import") {
+        return {
+            action: "github-inventory-import",
+            workspaceId,
+            repositories: readRepeatedFlag(normalizedArgv, "--repo").map(parseGitHubRepository),
+            outputFormat,
+        };
+    }
+    throw new Error("usage: providers <catalog|status|sync|discover|github inventory-import> [arguments]");
+}
+function parseProviderId(value) {
+    const providerIds = createProviderCatalog().map((provider) => provider.providerId);
+    if (providerIds.includes(value)) {
+        return value;
+    }
+    throw new Error(`unknown provider "${value ?? ""}"`);
+}
+function parseDiscoverySurface(value) {
+    if (value === "projects" ||
+        value === "environments" ||
+        value === "credential_locations") {
+        return value;
+    }
+    throw new Error(`unsupported provider discovery surface "${value}"`);
+}
+function parseGitHubRepository(input) {
+    const [owner, name] = input.split("/", 2);
+    if (!owner || !name) {
+        throw new Error("--repo must use owner/name metadata");
+    }
+    return { owner, name, installationKnown: true };
+}
+function ok(outputFormat, value, human) {
+    return {
+        exitCode: 0,
+        stdout: outputFormat === "json" ? `${JSON.stringify(value, null, 2)}\n` : human,
+        stderr: "",
+    };
+}
+function formatProviderCatalog(result) {
+    return ([
+        "AppFleet provider integration catalog.",
+        `providers=${result.providers.map((provider) => provider.providerId).join(", ")}`,
+        "providerApiCallsMade=false",
+        "credentialValuesStored=false",
+        "sync=blocked_missing_credentials",
+    ].join("\n") + "\n");
+}
+function formatProviderStatus(result) {
+    return ([
+        `AppFleet provider status: ${result.providerId}`,
+        `workspace=${result.workspaceId}`,
+        `status=${result.status}`,
+        `canSync=${result.canSync}`,
+        "providerApiCallsMade=false",
+    ].join("\n") + "\n");
+}
+function formatProviderSync(result) {
+    return ([
+        `AppFleet provider sync: ${result.providerId}`,
+        `status=${result.status}`,
+        `recordsImported=${result.recordsImported}`,
+        "providerApiCallsMade=false",
+    ].join("\n") + "\n");
+}
+function formatProviderDiscovery(result) {
+    return ([
+        `AppFleet provider discovery: ${result.providerId}`,
+        `surface=${result.surface}`,
+        `status=${result.status}`,
+        `discoveredCount=${result.discoveredCount}`,
+        "providerApiCallsMade=false",
+    ].join("\n") + "\n");
+}
+function formatGitHubInventoryImport(result) {
+    return ([
+        "AppFleet GitHub app inventory import contract.",
+        `repositories=${result.repositories.map((repo) => repo.fullName).join(", ") || "none"}`,
+        `importedProjectIds=${result.importedProjectIds.join(", ") || "none"}`,
+        "providerApiCallsMade=false",
+        "persisted=false",
+    ].join("\n") + "\n");
+}
+function readFlag(argv, flag) {
+    const index = argv.indexOf(flag);
+    if (index === -1) {
+        return undefined;
+    }
+    return argv[index + 1];
+}
+function readRepeatedFlag(argv, flag) {
+    const values = [];
+    for (let index = 0; index < argv.length; index += 1) {
+        if (argv[index] === flag && argv[index + 1]) {
+            values.push(argv[index + 1]);
+            index += 1;
+        }
+    }
+    return values;
+}
+function hasFlag(argv, flag) {
+    return argv.includes(flag);
+}
+function errorMessage(error) {
+    return error instanceof Error ? error.message : String(error);
+}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@appfleet-cli/cli",
+  "version": "0.1.0",
+  "private": false,
+  "type": "module",
+  "bin": {
+    "appfleet": "dist/appfleet.js"
+  },
+  "exports": {
+    ".": "./dist/appfleet.js",
+    "./package": "./dist/appfleet.js"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "package.json"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "appfleet": "node src/appfleet.ts",
+    "auth": "node src/appfleet.ts auth",
+    "cloud": "node src/appfleet.ts cloud",
+    "projects": "node src/appfleet.ts",
+    "vault": "node src/appfleet.ts",
+    "secrets": "node src/appfleet.ts",
+    "docs:generate": "node src/generate-cli-docs.ts",
+    "docs:check": "node src/generate-cli-docs.ts --check",
+    "prototype:inject": "node src/prototype-inject.ts secrets inject demo-project --env dev -- node -e \"console.log(process.env.APPFLEET_DEMO_SECRET ? 'secret_present=true' : 'secret_present=false')\"",
+    "build": "tsc -p tsconfig.build.json && esbuild src/appfleet.ts --bundle --platform=node --format=esm --outfile=dist/appfleet.js",
+    "pack:dry-run": "pnpm build && pnpm pack --dry-run",
+    "test": "node --test test/*.test.ts",
+    "typecheck": "tsc -p tsconfig.json"
+  },
+  "dependencies": {
+    "libsodium-wrappers-sumo": "^0.7.15"
+  },
+  "devDependencies": {
+    "@appfleet/crypto": "workspace:*",
+    "@appfleet/domain": "workspace:*",
+    "commander": "^15.0.0",
+    "esbuild": "^0.28.1"
+  }
+}