@better-update/cli 0.24.2 → 0.25.0

package/dist/index.mjs

@@ -2,7 +2,7 @@
 import { createRequire } from "node:module";
 import { execFile, spawn, spawnSync } from "node:child_process";
 import { defineCommand, runMain } from "citty";
-import { Console, Context, Data, Deferred, Duration, Effect, Either, Layer, Match, Option, ParseResult, Schedule, Schema } from "effect";
+import { Clock, Console, Context, Data, Deferred, Duration, Effect, Either, Layer, Match, Option, ParseResult, Schedule, Schema } from "effect";
 import { Command, FetchHttpClient, FileSystem, Headers as Headers$1, HttpApi, HttpApiClient, HttpApiEndpoint, HttpApiGroup, HttpApiMiddleware, HttpApiSchema, HttpApiSecurity, HttpClient, HttpClientRequest, OpenApi, Path } from "@effect/platform";
 import { NodeContext } from "@effect/platform-node";
 import path from "node:path";
@@ -12,6 +12,7 @@ import { autocomplete, cancel, confirm, isCancel, multiselect, password, select,
 import { open, readFile, writeFile } from "node:fs/promises";
 import { X509Certificate, createHash, createSign, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { accessSync, chmodSync, constants, createReadStream, existsSync, promises, readFileSync, writeFileSync } from "node:fs";
+import { Entry } from "@napi-rs/keyring";
 import { once } from "node:events";
 import { createServer } from "node:http";
 import { maxBy, uniqBy } from "es-toolkit";
@@ -33,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.24.2";
+var version = "0.25.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -2929,6 +2930,81 @@ const UpdateAssetUploaderLive = Layer.effect(UpdateAssetUploader, Effect.gen(fun
 	}) };
 }));
 
+//#endregion
+//#region src/services/vault-cache.ts
+/**
+* "Unlock once, reuse" for the credential vault — the analog of macOS
+* `security unlock-keychain`. The first vault operation in a session prompts for
+* the device passphrase, unwraps the vault key, and stows it in the OS keychain
+* (`@napi-rs/keyring`: macOS Keychain / Windows Credential Manager / Linux
+* libsecret) with a short TTL; subsequent commands read it back and skip the
+* prompt + Argon2id derivation entirely until it expires.
+*
+* What is cached is the unwrapped **vault key**, never the passphrase or the age
+* private key — so the blast radius of a leaked keychain entry is one vault
+* version's credentials, and only until the TTL lapses.
+*/
+/** How long a cached vault key stays valid before a fresh passphrase is required. */
+const VAULT_CACHE_TTL_MS = 900 * 1e3;
+/** Keychain service name; the account is the recipient's public key. */
+const KEYCHAIN_SERVICE = "better-update-vault";
+const isCachedVaultEntry = (value) => isRecord(value) && typeof value["vaultKey"] === "string" && typeof value["vaultVersion"] === "number" && typeof value["keyId"] === "string" && typeof value["exp"] === "number";
+/** Serialize an unlocked vault into a keychain blob, stamping a TTL from `now`. */
+const encodeCacheEntry = (vault, now, ttlMs = VAULT_CACHE_TTL_MS) => JSON.stringify({
+	vaultKey: toBase64(vault.vaultKey),
+	vaultVersion: vault.vaultVersion,
+	keyId: vault.keyId,
+	exp: now + ttlMs
+});
+/**
+* Parse a keychain blob back into an unlocked vault, or `undefined` when it is
+* malformed or has expired as of `now` — so an expired entry reads exactly like
+* a missing one (and is evicted by the caller).
+*/
+const decodeCacheEntry = (raw, now) => {
+	const parsed = safeJsonParse(raw);
+	if (!isCachedVaultEntry(parsed) || now >= parsed.exp) return;
+	return {
+		vault: {
+			vaultKey: fromBase64(parsed.vaultKey),
+			vaultVersion: parsed.vaultVersion,
+			keyId: parsed.keyId
+		},
+		remainingMs: parsed.exp - now
+	};
+};
+var VaultCache = class extends Context.Tag("cli/VaultCache")() {};
+const VaultCacheLive = Layer.effect(VaultCache, Effect.gen(function* () {
+	const runtime = yield* CliRuntime;
+	const cacheDisabled = Effect.gen(function* () {
+		const flag = yield* runtime.getEnv("BETTER_UPDATE_NO_CACHE");
+		return flag !== void 0 && flag.length > 0 && flag !== "0" && flag !== "false";
+	});
+	const readRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).getPassword()).pipe(Effect.catchAll(() => Effect.succeed(null)));
+	const writeRaw = (publicKey, blob) => Effect.try(() => {
+		new Entry(KEYCHAIN_SERVICE, publicKey).setPassword(blob);
+	}).pipe(Effect.ignore);
+	const deleteRaw = (publicKey) => Effect.try(() => new Entry(KEYCHAIN_SERVICE, publicKey).deletePassword()).pipe(Effect.ignore);
+	return {
+		get: (publicKey) => Effect.gen(function* () {
+			if (yield* cacheDisabled) return;
+			const raw = yield* readRaw(publicKey);
+			if (raw === null) return;
+			const decoded = decodeCacheEntry(raw, yield* Clock.currentTimeMillis);
+			if (decoded === void 0) {
+				yield* deleteRaw(publicKey);
+				return;
+			}
+			return decoded;
+		}),
+		set: (publicKey, vault) => Effect.gen(function* () {
+			if (yield* cacheDisabled) return;
+			yield* writeRaw(publicKey, encodeCacheEntry(vault, yield* Clock.currentTimeMillis));
+		}),
+		clear: (publicKey) => deleteRaw(publicKey)
+	};
+}));
+
 //#endregion
 //#region src/services/version-check.ts
 const NPM_REGISTRY_URL = "https://registry.npmjs.org/@better-update/cli/latest";
@@ -2979,7 +3055,7 @@ const VersionCheckLive = Layer.effect(VersionCheck, Effect.gen(function* () {
 //#endregion
 //#region src/app-layer.ts
 const CliPlatformLayer = Layer.mergeAll(CliRuntimeLive, NodeContext.layer, FetchHttpClient.layer);
-const CliStoreLayer = Layer.mergeAll(AuthStoreLive, ConfigStoreLive, AppleSessionStoreLive, IdentityStoreLive).pipe(Layer.provide(CliPlatformLayer));
+const CliStoreLayer = Layer.mergeAll(AuthStoreLive, ConfigStoreLive, AppleSessionStoreLive, IdentityStoreLive, VaultCacheLive).pipe(Layer.provide(CliPlatformLayer));
 const CliAdapterDependencies = Layer.mergeAll(CliPlatformLayer, CliStoreLayer);
 const ApiClientLayer = ApiClientLive.pipe(Layer.provide(CliAdapterDependencies));
 const AppleAuthLayer = AppleAuthLive.pipe(Layer.provide(CliAdapterDependencies));
@@ -18373,6 +18449,25 @@ const grantRecipient = (args) => Effect.gen(function* () {
 const resolveVaultPassphrase = Effect.gen(function* () {
 	return (yield* activeRecipient).source === "file" ? yield* promptPassword("Passphrase to unlock this device's identity:") : void 0;
 });
+/**
+* Unlock the org vault key for an interactive command, reusing a cached vault key
+* from the OS keychain when one is present and unexpired — so the device
+* passphrase is prompted at most once per cache TTL rather than on every command
+* (`better-update credentials unlock` / `lock` drive that session explicitly).
+* The CI `BETTER_UPDATE_IDENTITY` key carries no passphrase and is never cached:
+* it skips straight to the raw unwrap. On a cache miss the full unlock runs —
+* prompt, Argon2id, fetch + unwrap — and the result is cached for next time.
+*/
+const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	if (recipient.source !== "file") return yield* unlockVaultKey(api, void 0);
+	const cache = yield* VaultCache;
+	const cached = yield* cache.get(recipient.publicKey);
+	if (cached !== void 0) return cached.vault;
+	const vault = yield* unlockVaultKey(api, yield* promptPassword("Passphrase to unlock this device's identity:"));
+	yield* cache.set(recipient.publicKey, vault);
+	return vault;
+}).pipe(Effect.provide(VaultCacheLive));
 /** Look up a registered recipient by its key id or full `SHA256:` fingerprint. */
 const findRecipient = (api, selector) => Effect.gen(function* () {
 	const { items } = yield* api.userEncryptionKeys.list();
@@ -18420,11 +18515,15 @@ const openVaultSession = (api, passphrase) => Effect.gen(function* () {
 	};
 });
 /**
-* {@link openVaultSession} that first resolves the device passphrase — prompting
-* when the active identity is the on-disk file, none for the CI env key.
+* {@link openVaultSession} that unlocks the vault key interactively — reusing the
+* OS-keychain-cached key when one is live (no prompt), prompting for the device
+* passphrase only on a cache miss, and none at all for the CI env key.
 */
 const openVaultSessionInteractive = (api) => Effect.gen(function* () {
-	return yield* openVaultSession(api, yield* resolveVaultPassphrase);
+	return {
+		orgId: yield* getActiveOrgId(api),
+		vault: yield* unlockVaultKeyInteractive(api)
+	};
 });
 /** Reshape a sealed envelope into the `{ id, …opaque fields }` an upload body carries. */
 const toUploadEnvelope = (envelope) => ({
@@ -26102,13 +26201,11 @@ const currentRecipients = (api) => Effect.gen(function* () {
 //#endregion
 //#region src/commands/credentials/vault-session.ts
 /**
-* Unlock the vault key, prompting for the device passphrase only when the active
-* identity is the on-disk file — the CI `BETTER_UPDATE_IDENTITY` env key is raw
-* and needs none.
+* Unlock the vault key for an interactive command: reuse the OS-keychain-cached
+* key when live, prompt for the device passphrase only on a cache miss, and none
+* at all for the CI `BETTER_UPDATE_IDENTITY` env key.
 */
-const unlockVaultInteractively = (api) => Effect.gen(function* () {
-	return yield* unlockVaultKey(api, yield* resolveVaultPassphrase);
-});
+const unlockVaultInteractively = (api) => unlockVaultKeyInteractive(api);
 /** Resolve a recipient selector (key id or fingerprint) from a flag, prompting if absent. */
 const resolveSelector = (flag, message) => Effect.gen(function* () {
 	if (flag && flag.trim().length > 0) return flag.trim();
@@ -27740,6 +27837,56 @@ const revokeCommand = defineCommand({
 	subCommands: { "distribution-certificate": distributionCertificateCommand }
 });
 
+//#endregion
+//#region src/commands/credentials/session.ts
+/** Whole minutes left, rounded up so "<1 min remaining" still reads as 1. */
+const remainingMinutes = (remainingMs) => Math.max(1, Math.ceil(remainingMs / 6e4));
+const unlockCommand = defineCommand({
+	meta: {
+		name: "unlock",
+		description: "Unlock the credential vault and cache the key in your OS keychain, so later commands don't re-prompt"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const recipient = yield* activeRecipient;
+		if (recipient.source !== "file") {
+			yield* printHuman("Active identity is the BETTER_UPDATE_IDENTITY (CI) key — it has no passphrase and isn't cached.");
+			return;
+		}
+		const api = yield* apiClient;
+		const cache = yield* VaultCache;
+		yield* cache.clear(recipient.publicKey);
+		yield* unlockVaultKeyInteractive(api);
+		const cached = yield* cache.get(recipient.publicKey);
+		yield* printHuman(`Vault unlocked${cached === void 0 ? " (no OS keychain available — commands will keep prompting)" : ` for ~${remainingMinutes(cached.remainingMs)} min; run \`better-update credentials lock\` to clear it`}.`);
+	}))
+});
+const lockCommand = defineCommand({
+	meta: {
+		name: "lock",
+		description: "Forget the cached vault key — the next credential command will prompt again"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const recipient = yield* activeRecipient;
+		yield* (yield* VaultCache).clear(recipient.publicKey);
+		yield* printHuman("Vault locked — the cached key was cleared from your OS keychain.");
+	}))
+});
+const statusCommand$1 = defineCommand({
+	meta: {
+		name: "status",
+		description: "Show whether the vault is currently unlocked (cached) and for how much longer"
+	},
+	run: async () => runEffect(Effect.gen(function* () {
+		const recipient = yield* activeRecipient;
+		if (recipient.source !== "file") {
+			yield* printHuman("Active identity is the BETTER_UPDATE_IDENTITY (CI) key — caching not used.");
+			return;
+		}
+		const cached = yield* (yield* VaultCache).get(recipient.publicKey);
+		yield* printHuman(cached === void 0 ? "Locked — the next credential command will prompt for your passphrase." : `Unlocked — cached vault key expires in ~${remainingMinutes(cached.remainingMs)} min.`);
+	}))
+});
+
 //#endregion
 //#region src/commands/credentials/sync/helpers.ts
 const SYNC_EXIT_EXTRAS = {
@@ -28599,6 +28746,9 @@ const credentialsCommand = defineCommand({
 		identity: identityCommand,
 		access: accessCommand,
 		device: deviceCommand,
+		unlock: unlockCommand,
+		lock: lockCommand,
+		status: statusCommand$1,
 		list: listCommand$3,
 		view: viewCommand$1,
 		download: downloadCommand,