npm - @better-update/cli - Versions diffs - 0.24.1 → 0.25.0 - Mend

@better-update/cli 0.24.1 → 0.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.mjs CHANGED Viewed

@@ -2,7 +2,7 @@
 import { createRequire } from "node:module";
 import { execFile, spawn, spawnSync } from "node:child_process";
 import { defineCommand, runMain } from "citty";
-import { Console, Context, Data, Deferred, Duration, Effect, Either, Layer, Match, Option, ParseResult, Schedule, Schema } from "effect";
+import { Clock, Console, Context, Data, Deferred, Duration, Effect, Either, Layer, Match, Option, ParseResult, Schedule, Schema } from "effect";
 import { Command, FetchHttpClient, FileSystem, Headers as Headers$1, HttpApi, HttpApiClient, HttpApiEndpoint, HttpApiGroup, HttpApiMiddleware, HttpApiSchema, HttpApiSecurity, HttpClient, HttpClientRequest, OpenApi, Path } from "@effect/platform";
 import { NodeContext } from "@effect/platform-node";
 import path from "node:path";
@@ -12,6 +12,7 @@ import { autocomplete, cancel, confirm, isCancel, multiselect, password, select,
 import { open, readFile, writeFile } from "node:fs/promises";
 import { X509Certificate, createHash, createSign, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { accessSync, chmodSync, constants, createReadStream, existsSync, promises, readFileSync, writeFileSync } from "node:fs";
+import { Entry } from "@napi-rs/keyring";
 import { once } from "node:events";
 import { createServer } from "node:http";
 import { maxBy, uniqBy } from "es-toolkit";
@@ -33,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
 //#region package.json
-var version = "0.24.1";
+var version = "0.25.0";
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -67,7 +68,7 @@ const cookieSecurity = HttpApiSecurity.apiKey({
 	in: "cookie"
 });
 var Authentication = class extends HttpApiMiddleware.Tag()("api/Authentication", {
-	failure: Unauthorized,
+	failure: Schema.Union(Unauthorized, Forbidden),
 	provides: AuthContext,
 	security: {
 		bearer: bearerSecurity,
@@ -130,6 +131,52 @@ const UploadHeaders = Schema.Record({
 	value: Schema.String
 });
+//#endregion
+//#region ../../packages/api/src/domain/admin.ts
+/**
+* A platform user as seen by a superadmin on the dashboard `/admin` page.
+* `role` is the GLOBAL Better Auth admin-plugin role (e.g. "admin"), distinct
+* from per-organization membership roles. `approved` is the dev-phase gate.
+*/
+const AdminUser = Schema.Struct({
+	id: Schema.String,
+	name: Schema.String,
+	email: Schema.String,
+	role: Schema.NullOr(Schema.String),
+	approved: Schema.Boolean,
+	banned: Schema.Boolean,
+	createdAt: DateTimeString
+});
+const AdminUserStatus = Schema.Literal("all", "pending", "approved");
+const ListAdminUsersParams = Schema.Struct({
+	search: Schema.optional(Schema.String),
+	status: Schema.optional(AdminUserStatus),
+	...PaginationParams.fields
+});
+//#endregion
+//#region ../../packages/api/src/groups/admin.ts
+const userIdParam = HttpApiSchema.param("userId", Schema.String);
+/**
+* Platform administration, restricted to superadmins (Better Auth admin-plugin
+* `role = "admin"`). The dev-phase approval gate lives here: superadmins list
+* users and approve/revoke their access. All endpoints fail `Forbidden` for
+* non-superadmins.
+*/
+var AdminGroup = class extends HttpApiGroup.make("admin").add(HttpApiEndpoint.get("listUsers", "/api/admin/users").setUrlParams(ListAdminUsersParams).addSuccess(pageResult(AdminUser)).annotateContext(OpenApi.annotations({
+	title: "List users",
+	description: "List platform users with approval status (superadmin only)"
+}))).add(HttpApiEndpoint.post("approveUser")`/api/admin/users/${userIdParam}/approve`.addSuccess(AdminUser).annotateContext(OpenApi.annotations({
+	title: "Approve user",
+	description: "Grant a user access to the app (superadmin only)"
+}))).add(HttpApiEndpoint.post("revokeUser")`/api/admin/users/${userIdParam}/revoke`.addSuccess(AdminUser).annotateContext(OpenApi.annotations({
+	title: "Revoke user approval",
+	description: "Revoke a user's access to the app (superadmin only)"
+}))).addError(Forbidden).addError(NotFound).annotateContext(OpenApi.annotations({
+	title: "Admin",
+	description: "Superadmin platform administration"
+})) {};
 //#endregion
 //#region ../../packages/api/src/domain/analytics.ts
 const PeriodLiteral = Schema.Literal("1d", "7d", "30d", "90d");
@@ -2108,7 +2155,7 @@ var WebhooksGroup = class extends HttpApiGroup.make("webhooks").add(HttpApiEndpo
 //#endregion
 //#region ../../packages/api/src/api.ts
-var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
+var ManagementApi = class extends HttpApi.make("management-api").add(ProjectsGroup).add(BranchesGroup).add(ChannelsGroup).add(UpdatesGroup).add(AssetsGroup).add(AnalyticsGroup).add(BuildsGroup).add(EnvVarsGroup).add(FingerprintsGroup).add(AuditLogsGroup).add(DevicesGroup).add(AppleTeamsGroup).add(AppleDistributionCertificatesGroup).add(ApplePushKeysGroup).add(AscApiKeysGroup).add(AppleProvisioningProfilesGroup).add(GoogleServiceAccountKeysGroup).add(IosBundleConfigurationsGroup).add(IosAppMetadataGroup).add(SubmissionsGroup).add(AndroidApplicationIdentifiersGroup).add(AndroidUploadKeystoresGroup).add(AndroidBuildCredentialsGroup).add(BuildCredentialsGroup).add(UserEncryptionKeysGroup).add(OrgVaultGroup).add(MeGroup).add(WebhooksGroup).add(AdminGroup).middleware(Authentication).annotateContext(OpenApi.annotations({
 	title: "Better Update Management API",
 	version: "1.0.0",
 	description: "Management API for OTA update publishing, deployment, and analytics"
@@ -2883,6 +2930,81 @@ const UpdateAssetUploaderLive = Layer.effect(UpdateAssetUploader, Effect.gen(fun
 	}) };
 }));
+//#endregion
+//#region src/services/vault-cache.ts
+/**
+* "Unlock once, reuse" for the credential vault — the analog of macOS
+* `security unlock-keychain`. The first vault operation in a session prompts for
+* the device passphrase, unwraps the vault key, and stows it in the OS keychain
+* (`@napi-rs/keyring`: macOS Keychain / Windows Credential Manager / Linux
+* libsecret) with a short TTL; subsequent commands read it back and skip the
+* prompt + Argon2id derivation entirely until it expires.
+*
+* What is cached is the unwrapped **vault key**, never the passphrase or the age
+* private key — so the blast radius of a leaked keychain entry is one vault
+* version's credentials, and only until the TTL lapses.
+*/
+/** How long a cached vault key stays valid before a fresh passphrase is required. */
+const VAULT_CACHE_TTL_MS = 900 * 1e3;
+/** Keychain service name; the account is the recipient's public key. */
+const KEYCHAIN_SERVICE = "better-update-vault";
+const isCachedVaultEntry = (value) => isRecord(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
+/** Serialize an unlocked vault into a keychain blob, stamping a TTL from `now`. */
+const encodeCacheEntry = (vault, now, ttlMs = VAULT_CACHE_TTL_MS) => JSON.stringify({
+	vaultKey: toBase64(vault.vaultKey),
+	vaultVersion: vault.vaultVersion,
+	keyId: vault.keyId,
+	exp: now + ttlMs
+});
+/**
+* Parse a keychain blob back into an unlocked vault, or `undefined` when it is
+* malformed or has expired as of `now` — so an expired entry reads exactly like
+* a missing one (and is evicted by the caller).
+*/
+const decodeCacheEntry = (raw, now) => {
+	const parsed = safeJsonParse(raw);
+	if (!isCachedVaultEntry(parsed) || now >= parsed.exp) return;
+	return {
+		vault: {
+			vaultKey: fromBase64(parsed.vaultKey),
+			vaultVersion: parsed.vaultVersion,
+			keyId: parsed.keyId
+		},
+		remainingMs: parsed.exp - now
+	};
+};
+var VaultCache = class extends Context.Tag("cli/VaultCache")() {};
+const VaultCacheLive = Layer.effect(VaultCache, Effect.gen(function* () {
+	const runtime = yield* CliRuntime;
+	const cacheDisabled = Effect.gen(function* () {
+		const flag = yield* runtime.getEnv("BETTER_UPDATE_NO_CACHE");
+		return flag !== void 0 && flag.length > 0 && flag !== "0" && flag !== "false";
+	});
+	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const writeRaw = (publicKey, blob) => Effect.try(() => {
+		new Entry(KEYCHAIN_SERVICE, publicKey).setPassword(blob);
+	}).pipe(Effect.ignore);
+	const deleteRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).deletePassword()).pipe(Effect.ignore);
+	return {
+		get: (publicKey) => Effect.gen(function* () {
+			if (yield* cacheDisabled) return;
+			const raw = yield* readRaw(publicKey);
+			if (raw === null) return;
+			const decoded = decodeCacheEntry(raw, yield* Clock.currentTimeMillis);
+			if (decoded === void 0) {
+				yield* deleteRaw(publicKey);
+				return;
+			}
+			return decoded;
+		}),
+		set: (publicKey, vault) => Effect.gen(function* () {
+			if (yield* cacheDisabled) return;
+			yield* writeRaw(publicKey, encodeCacheEntry(vault, yield* Clock.currentTimeMillis));
+		}),
+		clear: (publicKey) => deleteRaw(publicKey)
+	};
+}));
 //#endregion
 //#region src/services/version-check.ts
 const NPM_REGISTRY_URL = "https://registry.npmjs.org/@better-update/cli/latest";
@@ -2933,7 +3055,7 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 //#endregion
 //#region src/app-layer.ts
 const CliPlatformLayer = Layer.mergeAll(CliRuntimeLive, NodeContext.layer, FetchHttpClient.layer);
-const CliStoreLayer = Layer.mergeAll(AuthStoreLive, ConfigStoreLive, AppleSessionStoreLive, IdentityStoreLive).pipe(Layer.provide(CliPlatformLayer));
+const CliStoreLayer = Layer.mergeAll(AuthStoreLive, ConfigStoreLive, AppleSessionStoreLive, IdentityStoreLive, VaultCacheLive).pipe(Layer.provide(CliPlatformLayer));
 const CliAdapterDependencies = Layer.mergeAll(CliPlatformLayer, CliStoreLayer);
 const ApiClientLayer = ApiClientLive.pipe(Layer.provide(CliAdapterDependencies));
 const AppleAuthLayer = AppleAuthLive.pipe(Layer.provide(CliAdapterDependencies));
@@ -18327,6 +18449,25 @@ const grantRecipient = (args) => Effect.gen(function* () {
 const resolveVaultPassphrase = Effect.gen(function* () {
 	return (yield* activeRecipient).source === "file" ? yield* promptPassword("Passphrase to unlock this device's identity:") : void 0;
 });
+/**
+* Unlock the org vault key for an interactive command, reusing a cached vault key
+* from the OS keychain when one is present and unexpired — so the device
+* passphrase is prompted at most once per cache TTL rather than on every command
+* (`better-update credentials unlock` / `lock` drive that session explicitly).
+* The CI `BETTER_UPDATE_IDENTITY` key carries no passphrase and is never cached:
+* it skips straight to the raw unwrap. On a cache miss the full unlock runs —
+* prompt, Argon2id, fetch + unwrap — and the result is cached for next time.
+*/
+const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	if (recipient.source !== "file") return yield* unlockVaultKey(api, void 0);
+	const cache = yield* VaultCache;
+	const cached = yield* cache.get(recipient.publicKey);
+	if (cached !== void 0) return cached.vault;
+	const vault = yield* unlockVaultKey(api, yield* promptPassword("Passphrase to unlock this device's identity:"));
+	yield* cache.set(recipient.publicKey, vault);
+	return vault;
+}).pipe(Effect.provide(VaultCacheLive));
 /** Look up a registered recipient by its key id or full `SHA256:` fingerprint. */
 const findRecipient = (api, selector) => Effect.gen(function* () {
 	const { items } = yield* api.userEncryptionKeys.list();
@@ -18374,11 +18515,15 @@ const openVaultSession = (api, passphrase) => Effect.gen(function* () {
 	};
 });
 /**
-* {@link openVaultSession} that first resolves the device passphrase — prompting
-* when the active identity is the on-disk file, none for the CI env key.
+* {@link openVaultSession} that unlocks the vault key interactively — reusing the
+* OS-keychain-cached key when one is live (no prompt), prompting for the device
+* passphrase only on a cache miss, and none at all for the CI env key.
 */
 const openVaultSessionInteractive = (api) => Effect.gen(function* () {
-	return yield* openVaultSession(api, yield* resolveVaultPassphrase);
+	return {
+		orgId: yield* getActiveOrgId(api),
+		vault: yield* unlockVaultKeyInteractive(api)
+	};
 });
 /** Reshape a sealed envelope into the `{ id, …opaque fields }` an upload body carries. */
 const toUploadEnvelope = (envelope) => ({
@@ -26056,13 +26201,11 @@ const currentRecipients = (api) => Effect.gen(function* () {
 //#endregion
 //#region src/commands/credentials/vault-session.ts
 /**
-* Unlock the vault key, prompting for the device passphrase only when the active
-* identity is the on-disk file — the CI `BETTER_UPDATE_IDENTITY` env key is raw
-* and needs none.
+* Unlock the vault key for an interactive command: reuse the OS-keychain-cached
+* key when live, prompt for the device passphrase only on a cache miss, and none
+* at all for the CI `BETTER_UPDATE_IDENTITY` env key.
 */
-const unlockVaultInteractively = (api) => Effect.gen(function* () {
-	return yield* unlockVaultKey(api, yield* resolveVaultPassphrase);
-});
+const unlockVaultInteractively = (api) => unlockVaultKeyInteractive(api);
 /** Resolve a recipient selector (key id or fingerprint) from a flag, prompting if absent. */
 const resolveSelector = (flag, message) => Effect.gen(function* () {
 	if (flag && flag.trim().length > 0) return flag.trim();
@@ -27694,6 +27837,56 @@ const revokeCommand = defineCommand({
 	subCommands: { "distribution-certificate": distributionCertificateCommand }
 });
+//#endregion
+//#region src/commands/credentials/session.ts
+/** Whole minutes left, rounded up so "<1 min remaining" still reads as 1. */
+const remainingMinutes = (remainingMs) => Math.max(1, Math.ceil(remainingMs / 6e4));
+const unlockCommand = defineCommand({
+	meta: {
+		name: "unlock",
+		description: "Unlock the credential vault and cache the key in your OS keychain, so later commands don't re-prompt"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const recipient = yield* activeRecipient;
+		if (recipient.source !== "file") {
+			yield* printHuman("Active identity is the BETTER_UPDATE_IDENTITY (CI) key — it has no passphrase and isn't cached.");
+			return;
+		}
+		const api = yield* apiClient;
+		const cache = yield* VaultCache;
+		yield* cache.clear(recipient.publicKey);
+		yield* unlockVaultKeyInteractive(api);
+		const cached = yield* cache.get(recipient.publicKey);
+		yield* printHuman(`Vault unlocked${cached === void 0 ? " (no OS keychain available — commands will keep prompting)" : ` for ~${remainingMinutes(cached.remainingMs)} min; run \`better-update credentials lock\` to clear it`}.`);
+	}))
+});
+const lockCommand = defineCommand({
+	meta: {
+		name: "lock",
+		description: "Forget the cached vault key — the next credential command will prompt again"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const recipient = yield* activeRecipient;
+		yield* (yield* VaultCache).clear(recipient.publicKey);
+		yield* printHuman("Vault locked — the cached key was cleared from your OS keychain.");
+	}))
+});
+const statusCommand$1 = defineCommand({
+	meta: {
+		name: "status",
+		description: "Show whether the vault is currently unlocked (cached) and for how much longer"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const recipient = yield* activeRecipient;
+		if (recipient.source !== "file") {
+			yield* printHuman("Active identity is the BETTER_UPDATE_IDENTITY (CI) key — caching not used.");
+			return;
+		}
+		const cached = yield* (yield* VaultCache).get(recipient.publicKey);
+		yield* printHuman(cached === void 0 ? "Locked — the next credential command will prompt for your passphrase." : `Unlocked — cached vault key expires in ~${remainingMinutes(cached.remainingMs)} min.`);
+	}))
+});
 //#endregion
 //#region src/commands/credentials/sync/helpers.ts
 const SYNC_EXIT_EXTRAS = {
@@ -28553,6 +28746,9 @@ const credentialsCommand = defineCommand({
 		identity: identityCommand,
 		access: accessCommand,
 		device: deviceCommand,
+		unlock: unlockCommand,
+		lock: lockCommand,
+		status: statusCommand$1,
 		list: listCommand$3,
 		view: viewCommand$1,
 		download: downloadCommand,