@better-update/cli 0.29.0 → 0.29.1

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.29.0";
+var version = "0.29.1";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -18926,15 +18926,6 @@ const grantRecipient = (args) => Effect.gen(function* () {
 	} });
 });
 /**
-* Resolve the passphrase needed to unlock the active identity before a crypto
-* operation: prompt for it when the identity is the on-disk file, or return
-* `undefined` when the raw `BETTER_UPDATE_IDENTITY` env key is in use (CI). The
-* resolved value is threaded into {@link unlockVaultKey} by the cipher helpers.
-*/
-const resolveVaultPassphrase = Effect.gen(function* () {
-	return (yield* activeRecipient).source === "file" ? yield* promptPassword("Passphrase to unlock this device's identity:") : void 0;
-});
-/**
 * Unlock the org vault key for an interactive command, reusing a cached vault key
 * from the OS keychain when one is present and unexpired — so the device
 * passphrase is prompted at most once per cache TTL rather than on every command
@@ -18942,6 +18933,12 @@ const resolveVaultPassphrase = Effect.gen(function* () {
 * The CI `BETTER_UPDATE_IDENTITY` key carries no passphrase and is never cached:
 * it skips straight to the raw unwrap. On a cache miss the full unlock runs —
 * prompt, Argon2id, fetch + unwrap — and the result is cached for next time.
+*
+* The cached key is the unwrapped vault key, which both unwraps (decrypt/read)
+* and wraps (encrypt/write) DEKs — so this single entry point backs every vault
+* operation: download/build-resolve reads, seal-for-upload + generate writes, and
+* rotation. There is no read-only cache: an unlock makes the next write seamless
+* too.
 */
 const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
 	const recipient = yield* activeRecipient;
@@ -18953,6 +18950,17 @@ const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
 	yield* cache.set(recipient.publicKey, vault);
 	return vault;
 }).pipe(Effect.provide(VaultCacheLive));
+/**
+* Forget the active recipient's cached vault key. Called after a rotation re-keys
+* the vault: the cached key + version are now stale, so leaving them would make
+* the next seal upload a key/version the server CAS-rejects (and the next decrypt
+* fail integrity). Clearing forces a fresh unlock at the new version next time —
+* which also correctly locks out a device that just revoked its own access.
+*/
+const forgetCachedVaultKey = Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	yield* (yield* VaultCache).clear(recipient.publicKey);
+}).pipe(Effect.provide(VaultCacheLive));
 /** Look up a registered recipient by its key id or full `SHA256:` fingerprint. */
 const findRecipient = (api, selector) => Effect.gen(function* () {
 	const { items } = yield* api.userEncryptionKeys.list();
@@ -18992,13 +19000,6 @@ const getActiveOrgId = (api) => Effect.gen(function* () {
 	if (me.activeOrganization === null) return yield* new IdentityError({ message: "No active organization for this token." });
 	return me.activeOrganization.id;
 });
-/** Resolve the active org id and unlock this device's vault key — the once-per-command I/O. */
-const openVaultSession = (api, passphrase) => Effect.gen(function* () {
-	return {
-		orgId: yield* getActiveOrgId(api),
-		vault: yield* unlockVaultKey(api, passphrase)
-	};
-});
 /**
 * {@link openVaultSession} that unlocks the vault key interactively — reusing the
 * OS-keychain-cached key when one is live (no prompt), prompting for the device
@@ -19610,7 +19611,7 @@ const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(funct
 		...compact({ validityDays: input.validityDays })
 	});
 	const bytes = yield* fs.readFile(keystorePath);
-	const session = yield* openVaultSession(api, input.passphrase ?? (yield* resolveVaultPassphrase));
+	const session = yield* openVaultSessionInteractive(api);
 	const metadata = { keyAlias: input.keyAlias };
 	const envelope = yield* sealForUpload({
 		session,
@@ -19661,7 +19662,7 @@ const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(func
 		step: "p12-build",
 		message: cause.message
 	})));
-	const session = yield* openVaultSession(api, input.passphrase ?? (yield* resolveVaultPassphrase));
+	const session = yield* openVaultSessionInteractive(api);
 	const metadata = {
 		serialNumber: bundle.metadata.serialNumber,
 		appleTeamIdentifier: bundle.metadata.appleTeamId,
@@ -20667,7 +20668,7 @@ const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effec
 		step: "parse-p12",
 		message: cause.message
 	})));
-	const session = yield* openVaultSession(api, yield* resolveVaultPassphrase);
+	const session = yield* openVaultSessionInteractive(api);
 	const envelopeMetadata = {
 		serialNumber: metadata.serialNumber,
 		appleTeamIdentifier: metadata.appleTeamId,
@@ -21065,14 +21066,12 @@ const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFo
 const randomKeystoreSecret = () => randomBytes(24).toString("base64url");
 const generateKeystoreAuto = (api, applicationIdentifier) => Effect.gen(function* () {
 	yield* Console.log("Generating a new Android Keystore...");
-	const passphrase = yield* resolveVaultPassphrase;
 	return (yield* generateAndUploadKeystore(api, {
 		keyAlias: "upload",
 		storePassword: randomKeystoreSecret(),
 		keyPassword: randomKeystoreSecret(),
 		commonName: applicationIdentifier,
-		organization: "better-update",
-		...compact({ passphrase })
+		organization: "better-update"
 	})).id;
 });
 const generateKeystoreInteractive = (api) => Effect.gen(function* () {
@@ -21081,15 +21080,13 @@ const generateKeystoreInteractive = (api) => Effect.gen(function* () {
 	const keyPassword = yield* promptPassword("Key password");
 	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
 	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
-	const passphrase = yield* resolveVaultPassphrase;
 	yield* Console.log("Generating keystore with keytool...");
 	return (yield* generateAndUploadKeystore(api, {
 		keyAlias: alias,
 		storePassword,
 		keyPassword,
 		commonName,
-		organization,
-		...compact({ passphrase })
+		organization
 	})).id;
 });
 const pickExistingKeystore = (api) => Effect.gen(function* () {
@@ -21112,6 +21109,25 @@ const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
 	})).id;
 });
 const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
+const bindAndroidKeystore = (api, appId, keystoreId) => Effect.gen(function* () {
+	const existing = yield* api.androidBuildCredentials.list({ path: { applicationIdentifierId: appId } });
+	const target = existing.items.find((group) => group.isDefault) ?? existing.items.at(0);
+	if (target === void 0) {
+		yield* api.androidBuildCredentials.create({
+			path: { applicationIdentifierId: appId },
+			payload: {
+				name: "Default",
+				isDefault: true,
+				androidUploadKeystoreId: keystoreId
+			}
+		});
+		return;
+	}
+	yield* api.androidBuildCredentials.update({
+		path: { id: target.id },
+		payload: { androidUploadKeystoreId: keystoreId }
+	});
+});
 const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 	yield* Console.log("");
 	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
@@ -21134,15 +21150,7 @@ const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
 		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
 	});
-	const keystoreId = yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api);
-	yield* api.androidBuildCredentials.create({
-		path: { applicationIdentifierId: appId },
-		payload: {
-			name: "Default",
-			isDefault: true,
-			androidUploadKeystoreId: keystoreId
-		}
-	});
+	yield* bindAndroidKeystore(api, appId, yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api));
 	yield* Console.log("Android build credentials configured.");
 });
 const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
@@ -26049,7 +26057,7 @@ const uploadIosDistributionCertificate = (api, input, bytes) => Effect.gen(funct
 		validUntil: info.expiresAt.toISOString()
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "distribution-certificate",
 		metadata,
 		secret: {
@@ -26075,7 +26083,7 @@ const uploadIosPushKey = (api, input, bytes) => Effect.gen(function* () {
 		appleTeamIdentifier: input.appleTeamIdentifier
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "push-key",
 		metadata,
 		secret: { p8Pem: toUtf8(bytes) }
@@ -26100,7 +26108,7 @@ const uploadIosAscApiKey = (api, input, bytes) => Effect.gen(function* () {
 		appleTeamIdentifier: input.appleTeamIdentifier
 	});
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "asc-api-key",
 		metadata,
 		secret: { p8Pem: toUtf8(bytes) }
@@ -26134,7 +26142,7 @@ const uploadAndroidKeystore = (api, input, bytes) => Effect.gen(function* () {
 		keyPassword: input.keyPassword
 	})).keyAlias };
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "keystore",
 		metadata,
 		secret: {
@@ -26162,7 +26170,7 @@ const uploadAndroidGoogleServiceAccountKey = (api, input, bytes) => Effect.gen(f
 		googleProjectId: parsed.googleProjectId
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "google-service-account-key",
 		metadata,
 		secret: { json }
@@ -26191,10 +26199,7 @@ const uploadCredential = (api, input) => Effect.gen(function* () {
 	const hasKey = (candidate) => Object.hasOwn(uploadHandlers, candidate);
 	const handler = hasKey(key) ? uploadHandlers[key] : void 0;
 	if (!handler) return yield* new CredentialValidationError({ message: `Unsupported credential combination: platform=${input.platform} type=${input.type}` });
-	return yield* handler(api, input.type === "provisioning-profile" || input.passphrase !== void 0 ? input : {
-		...input,
-		...compact({ passphrase: yield* resolveVaultPassphrase })
-	}, bytes);
+	return yield* handler(api, input, bytes);
 });
 const deleteCredential = (api, input) => {
 	const path = { id: input.id };
@@ -27185,10 +27190,14 @@ const runCredentialsManager = Effect.gen(function* () {
 * one, re-wrap the new vault key to each recipient, then submit the rotation
 * atomically (the server CAS-guards on the current version and requires a
 * recovery recipient in the set). Drops every recipient not in `recipients`.
+*
+* Unlocks via the cache-aware path (reusing a live `credentials unlock` session),
+* then drops that cached key once the re-key lands — it is now stale, so the next
+* operation must re-unlock at the new version.
 */
 const rotateVaultTo = (args) => Effect.gen(function* () {
 	const orgId = yield* getActiveOrgId(args.api);
-	const current = yield* unlockVaultKey(args.api, args.passphrase);
+	const current = yield* unlockVaultKeyInteractive(args.api);
 	const newVaultKey = generateVaultKey();
 	const newVersion = current.vaultVersion + 1;
 	const { deks } = yield* args.api.orgVault.listCredentialDeks();
@@ -27226,11 +27235,13 @@ const rotateVaultTo = (args) => Effect.gen(function* () {
 			recipient: recipient.publicKey
 		}))
 	})), { concurrency: "unbounded" });
-	return yield* args.api.orgVault.rotate({ payload: {
+	const rotated = yield* args.api.orgVault.rotate({ payload: {
 		fromVersion: current.vaultVersion,
 		recipientWraps,
 		credentialDeks
 	} });
+	yield* forgetCachedVaultKey;
+	return rotated;
 });
 /** The encryption keys currently holding the vault key, joined with their public keys. */
 const currentRecipients = (api) => Effect.gen(function* () {
@@ -27365,7 +27376,6 @@ const rotateCommand = defineCommand({
 		yield* confirmRecipients(recipients, args.yes === true);
 		const rotated = yield* rotateVaultTo({
 			api,
-			passphrase: yield* resolveVaultPassphrase,
 			recipients: recipients.map(toRotationRecipient)
 		});
 		yield* printHuman(`Rotated the vault to version ${String(rotated.vaultVersion)} (${String(recipients.length)} recipients).`);
@@ -27401,7 +27411,6 @@ const revokeCommand$1 = defineCommand({
 		yield* confirmRecipients(surviving, args.yes === true);
 		const rotated = yield* rotateVaultTo({
 			api,
-			passphrase: yield* resolveVaultPassphrase,
 			recipients: surviving.map(toRotationRecipient)
 		});
 		yield* printHuman(`Revoked ${target.label} and rotated the vault to version ${String(rotated.vaultVersion)}.`);
@@ -27487,7 +27496,6 @@ const recoveryCommand = defineCommand({
 			yield* confirmRecipients(surviving, args.yes === true);
 			const rotated = yield* rotateVaultTo({
 				api,
-				passphrase: yield* resolveVaultPassphrase,
 				recipients: [...surviving.map(toRotationRecipient), {
 					userEncryptionKeyId: registered.id,
 					publicKey: newRecovery.publicKey