npm - @barekey/cli - Versions diffs - 0.1.0 - Mend

@barekey/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/LICENSE +28 -0
package/README.md +36 -0
package/dist/auth-provider.d.ts +6 -0
package/dist/auth-provider.js +58 -0
package/dist/command-utils.d.ts +23 -0
package/dist/command-utils.js +78 -0
package/dist/commands/auth.d.ts +2 -0
package/dist/commands/auth.js +186 -0
package/dist/commands/env.d.ts +2 -0
package/dist/commands/env.js +295 -0
package/dist/commands/typegen.d.ts +2 -0
package/dist/commands/typegen.js +25 -0
package/dist/constants.d.ts +4 -0
package/dist/constants.js +4 -0
package/dist/credentials-store.d.ts +7 -0
package/dist/credentials-store.js +199 -0
package/dist/http.d.ts +22 -0
package/dist/http.js +66 -0
package/dist/index.d.ts +2 -0
package/dist/index.js +17 -0
package/dist/runtime-config.d.ts +10 -0
package/dist/runtime-config.js +49 -0
package/dist/typegen.d.ts +20 -0
package/dist/typegen.js +14 -0
package/dist/types.d.ts +13 -0
package/dist/types.js +1 -0
package/package.json +37 -0
package/src/auth-provider.ts +86 -0
package/src/command-utils.ts +118 -0
package/src/commands/auth.ts +247 -0
package/src/commands/env.ts +496 -0
package/src/commands/typegen.ts +38 -0
package/src/constants.ts +4 -0
package/src/credentials-store.ts +243 -0
package/src/http.ts +86 -0
package/src/index.ts +21 -0
package/src/runtime-config.ts +66 -0
package/src/types.ts +14 -0
package/tsconfig.json +13 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+Copyright (c) 2026, Barekey Inc.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

package/README.md ADDED Viewed

@@ -0,0 +1,36 @@
+# @barekey/cli
+CLI for logging into Barekey, managing environment variables, and pulling resolved values into local workflows.
+## Install
+```bash
+npm install -g @barekey/cli
+```
+## Quickstart
+```bash
+barekey auth login
+barekey env list --org acme --project api --stage development
+barekey env get DATABASE_URL --org acme --project api --stage development
+barekey env pull --org acme --project api --stage development --out .env
+```
+## Common commands
+```bash
+barekey auth whoami
+barekey env new FEATURE_FLAG true --type boolean --org acme --project api --stage development
+barekey env set CHECKOUT_COPY original --ab redesign --chance 0.25 --org acme --project api --stage development
+barekey env delete FEATURE_FLAG --yes --org acme --project api --stage development
+barekey env get-many --names DATABASE_URL,FEATURE_FLAG --org acme --project api --stage development
+```
+## Development
+```bash
+npm install
+npm run build
+npm run typecheck
+```

package/dist/auth-provider.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+type CliAuthProvider = {
+    getAccessToken(): Promise<string>;
+    onAuthError?(): Promise<void>;
+};
+export declare function createCliAuthProvider(): CliAuthProvider;
+export {};

package/dist/auth-provider.js ADDED Viewed

@@ -0,0 +1,58 @@
+import { postJson } from "./http.js";
+import { loadConfig, loadCredentials, saveCredentials } from "./credentials-store.js";
+export function createCliAuthProvider() {
+    let cachedCredentials = null;
+    let forceRefresh = false;
+    async function readCurrentCredentials() {
+        const config = await loadConfig();
+        if (config === null) {
+            throw new Error("Not logged in. Run barekey login first.");
+        }
+        const credentials = await loadCredentials(config.activeAccountId);
+        if (credentials === null) {
+            throw new Error("CLI credentials are missing. Run barekey login again.");
+        }
+        cachedCredentials = credentials;
+        return {
+            baseUrl: config.baseUrl,
+            accountId: config.activeAccountId,
+            credentials,
+        };
+    }
+    async function refreshIfNeeded() {
+        const { baseUrl, accountId, credentials } = await readCurrentCredentials();
+        const now = Date.now();
+        if (!forceRefresh && credentials.accessTokenExpiresAtMs > now + 10_000) {
+            return credentials;
+        }
+        const refreshed = await postJson({
+            baseUrl,
+            path: "/v1/cli/token/refresh",
+            payload: {
+                refreshToken: credentials.refreshToken,
+            },
+        });
+        const nextCredentials = {
+            accessToken: refreshed.accessToken,
+            refreshToken: refreshed.refreshToken,
+            accessTokenExpiresAtMs: refreshed.accessTokenExpiresAtMs,
+            refreshTokenExpiresAtMs: refreshed.refreshTokenExpiresAtMs,
+            clerkUserId: refreshed.clerkUserId,
+            orgId: refreshed.orgId,
+            orgSlug: refreshed.orgSlug,
+        };
+        await saveCredentials(accountId, nextCredentials);
+        cachedCredentials = nextCredentials;
+        forceRefresh = false;
+        return nextCredentials;
+    }
+    return {
+        async getAccessToken() {
+            const credentials = await refreshIfNeeded();
+            return credentials.accessToken;
+        },
+        async onAuthError() {
+            forceRefresh = true;
+        },
+    };
+}

package/dist/command-utils.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { Command } from "commander";
+import type { CliCredentials } from "./types.js";
+export type LocalSession = {
+    baseUrl: string;
+    accountId: string;
+    credentials: CliCredentials;
+};
+export type EnvTargetOptions = {
+    project?: string;
+    stage?: string;
+    org?: string;
+};
+export declare function toJsonOutput(enabled: boolean, value: unknown): void;
+export declare function resolveBaseUrl(explicit: string | undefined): Promise<string>;
+export declare function requireLocalSession(): Promise<LocalSession>;
+export declare function resolveTarget(options: EnvTargetOptions, local: LocalSession): Promise<{
+    projectSlug: string;
+    stageSlug: string;
+    orgSlug?: string;
+}>;
+export declare function parseChance(value: string | undefined): number;
+export declare function dotenvEscape(value: string): string;
+export declare function addTargetOptions(command: Command): Command;

package/dist/command-utils.js ADDED Viewed

@@ -0,0 +1,78 @@
+import { loadConfig, loadCredentials } from "./credentials-store.js";
+import { DEFAULT_BAREKEY_API_URL } from "./constants.js";
+import { loadRuntimeConfig } from "./runtime-config.js";
+export function toJsonOutput(enabled, value) {
+    if (!enabled) {
+        return;
+    }
+    console.log(JSON.stringify(value, null, 2));
+}
+export async function resolveBaseUrl(explicit) {
+    const explicitUrl = explicit?.trim();
+    if (explicitUrl && explicitUrl.length > 0) {
+        return explicitUrl.replace(/\/$/, "");
+    }
+    const envUrl = process.env.BAREKEY_API_URL?.trim();
+    if (envUrl && envUrl.length > 0) {
+        return envUrl.replace(/\/$/, "");
+    }
+    const config = await loadConfig();
+    if (config && config.baseUrl.length > 0) {
+        return config.baseUrl.replace(/\/$/, "");
+    }
+    return DEFAULT_BAREKEY_API_URL;
+}
+export async function requireLocalSession() {
+    const config = await loadConfig();
+    if (config === null) {
+        throw new Error("Not logged in. Run barekey auth login first.");
+    }
+    const credentials = await loadCredentials(config.activeAccountId);
+    if (credentials === null) {
+        throw new Error("Saved credentials not found. Run barekey auth login again.");
+    }
+    return {
+        baseUrl: config.baseUrl,
+        accountId: config.activeAccountId,
+        credentials,
+    };
+}
+export async function resolveTarget(options, local) {
+    const runtime = await loadRuntimeConfig();
+    const projectSlug = options.project?.trim() || runtime?.config.project || "";
+    const stageSlug = options.stage?.trim() || runtime?.config.environment || "";
+    const orgSlug = options.org?.trim() || runtime?.config.org || local.credentials.orgSlug;
+    if (projectSlug.length === 0 || stageSlug.length === 0) {
+        const hint = runtime
+            ? `Found ${runtime.path} but project/environment is incomplete.`
+            : "No barekey.json found in current directory tree.";
+        throw new Error(`${hint} Pass --project/--stage, or create barekey.json with {"organization":"...","project":"...","environment":"..."}.`);
+    }
+    return {
+        projectSlug,
+        stageSlug,
+        orgSlug: orgSlug.length > 0 ? orgSlug : undefined,
+    };
+}
+export function parseChance(value) {
+    if (value === undefined) {
+        throw new Error("--chance is required when using --ab.");
+    }
+    const parsed = Number(value);
+    if (!Number.isFinite(parsed) || parsed < 0 || parsed > 1) {
+        throw new Error("--chance must be a number between 0 and 1.");
+    }
+    return parsed;
+}
+export function dotenvEscape(value) {
+    if (/^[A-Za-z0-9_./:-]+$/.test(value)) {
+        return value;
+    }
+    return JSON.stringify(value);
+}
+export function addTargetOptions(command) {
+    return command
+        .option("--project <slug>", "Project slug")
+        .option("--stage <slug>", "Stage slug")
+        .option("--org <slug>", "Organization slug");
+}

package/dist/commands/auth.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { Command } from "commander";
2	+ export declare function registerAuthCommands(program: Command): void;

package/dist/commands/auth.js ADDED Viewed

@@ -0,0 +1,186 @@
+import os from "node:os";
+import { setTimeout as wait } from "node:timers/promises";
+import { intro, outro, spinner } from "@clack/prompts";
+import pc from "picocolors";
+import open from "open";
+import { createCliAuthProvider } from "../auth-provider.js";
+import { clearConfig, deleteCredentials, saveConfig, saveCredentials, } from "../credentials-store.js";
+import { getJson, postJson } from "../http.js";
+import { requireLocalSession, resolveBaseUrl, toJsonOutput } from "../command-utils.js";
+function resolveClientName() {
+    const configured = process.env.BAREKEY_CLIENT_NAME?.trim() ||
+        process.env.COMPUTERNAME?.trim() ||
+        process.env.HOSTNAME?.trim() ||
+        os.hostname().trim();
+    if (configured.length === 0) {
+        return undefined;
+    }
+    return configured.slice(0, 120);
+}
+function resolveVerificationUri(baseUrl, verificationUri) {
+    try {
+        const resolvedBaseUrl = new URL(baseUrl);
+        const resolvedVerificationUrl = new URL(verificationUri);
+        const isConvexHost = resolvedVerificationUrl.host.endsWith(".convex.site") ||
+            resolvedVerificationUrl.host.endsWith(".convex.cloud");
+        const usesPublicApiHost = resolvedBaseUrl.host.startsWith("api.");
+        if (isConvexHost && usesPublicApiHost) {
+            return new URL(`${resolvedVerificationUrl.pathname}${resolvedVerificationUrl.search}`, `${resolvedBaseUrl.protocol}//${resolvedBaseUrl.host.replace(/^api\./, "")}`).toString();
+        }
+    }
+    catch {
+        return verificationUri;
+    }
+    return verificationUri;
+}
+async function runLogin(options) {
+    const baseUrl = await resolveBaseUrl(options.baseUrl);
+    intro("Barekey CLI login");
+    const loading = spinner();
+    loading.start("Starting device authorization");
+    let loadingActive = true;
+    let pollSpinner = null;
+    let pollActive = false;
+    try {
+        const started = await postJson({
+            baseUrl,
+            path: "/v1/cli/device/start",
+            payload: {
+                clientName: resolveClientName(),
+            },
+        });
+        const verificationUri = resolveVerificationUri(baseUrl, started.verificationUri);
+        loading.stop("Authorization initialized");
+        loadingActive = false;
+        console.log(`${pc.bold("Open")}: ${verificationUri}`);
+        console.log(`${pc.bold("Code")}: ${started.userCode}`);
+        try {
+            await open(verificationUri);
+        }
+        catch {
+            // Browser-open can fail in headless environments.
+        }
+        const startedAtMs = Date.now();
+        const expiresAtMs = startedAtMs + started.expiresInSec * 1000;
+        pollSpinner = spinner();
+        pollSpinner.start("Waiting for approval in browser");
+        pollActive = true;
+        while (Date.now() < expiresAtMs) {
+            const poll = await postJson({
+                baseUrl,
+                path: "/v1/cli/device/poll",
+                payload: {
+                    deviceCode: started.deviceCode,
+                },
+            });
+            if (poll.status === "pending") {
+                await wait(Math.max(1, poll.intervalSec) * 1000);
+                continue;
+            }
+            const accountId = `${poll.orgSlug}:${poll.clerkUserId}`;
+            await saveCredentials(accountId, {
+                accessToken: poll.accessToken,
+                refreshToken: poll.refreshToken,
+                accessTokenExpiresAtMs: poll.accessTokenExpiresAtMs,
+                refreshTokenExpiresAtMs: poll.refreshTokenExpiresAtMs,
+                clerkUserId: poll.clerkUserId,
+                orgId: poll.orgId,
+                orgSlug: poll.orgSlug,
+            });
+            await saveConfig({
+                baseUrl,
+                activeAccountId: accountId,
+            });
+            pollSpinner.stop("Login approved");
+            pollActive = false;
+            outro(`Logged in as ${pc.bold(poll.clerkUserId)} in ${pc.bold(poll.orgSlug)}.`);
+            return;
+        }
+        pollSpinner.stop("Timed out");
+        pollActive = false;
+        throw new Error("Login timed out before device approval completed.");
+    }
+    catch (error) {
+        if (loadingActive) {
+            loading.stop("Authorization failed");
+        }
+        if (pollSpinner && pollActive) {
+            pollSpinner.stop("Login failed");
+        }
+        throw error;
+    }
+}
+async function runLogout() {
+    const local = await requireLocalSession();
+    await postJson({
+        baseUrl: local.baseUrl,
+        path: "/v1/cli/logout",
+        payload: {
+            refreshToken: local.credentials.refreshToken,
+        },
+    });
+    await deleteCredentials(local.accountId);
+    await clearConfig();
+    console.log("Logged out.");
+}
+async function runWhoami(options) {
+    const local = await requireLocalSession();
+    const authProvider = createCliAuthProvider();
+    const accessToken = await authProvider.getAccessToken();
+    const session = await getJson({
+        baseUrl: local.baseUrl,
+        path: "/v1/cli/session",
+        accessToken,
+    });
+    if (options.json) {
+        toJsonOutput(true, session);
+        return;
+    }
+    console.log(`${pc.bold("User")}: ${session.clerkUserId}`);
+    console.log(`${pc.bold("Org")}: ${session.orgSlug}`);
+    console.log(`${pc.bold("Source")}: ${session.source}`);
+}
+export function registerAuthCommands(program) {
+    const auth = program.command("auth").description("Authentication commands");
+    auth
+        .command("login")
+        .description("Authenticate this machine using browser device flow")
+        .option("--base-url <url>", "Barekey API base URL")
+        .action(async (options) => {
+        await runLogin(options);
+    });
+    auth
+        .command("logout")
+        .description("Revoke local CLI session")
+        .action(async () => {
+        await runLogout();
+    });
+    auth
+        .command("whoami")
+        .description("Show active CLI auth context")
+        .option("--json", "Machine-readable output", false)
+        .action(async (options) => {
+        await runWhoami(options);
+    });
+    // Backward-compatible top-level auth aliases.
+    program
+        .command("login")
+        .description("Alias for barekey auth login")
+        .option("--base-url <url>", "Barekey API base URL")
+        .action(async (options) => {
+        await runLogin(options);
+    });
+    program
+        .command("logout")
+        .description("Alias for barekey auth logout")
+        .action(async () => {
+        await runLogout();
+    });
+    program
+        .command("whoami")
+        .description("Alias for barekey auth whoami")
+        .option("--json", "Machine-readable output", false)
+        .action(async (options) => {
+        await runWhoami(options);
+    });
+}

package/dist/commands/env.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { Command } from "commander";
2	+ export declare function registerEnvCommands(program: Command): void;