@better-update/cli 0.29.0 → 0.29.2

package/dist/index.mjs

@@ -34,7 +34,7 @@ var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
 //#endregion
 //#region package.json
-var version = "0.29.0";
+var version = "0.29.2";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -18926,15 +18926,6 @@ const grantRecipient = (args) => Effect.gen(function* () {
 	} });
 });
 /**
-* Resolve the passphrase needed to unlock the active identity before a crypto
-* operation: prompt for it when the identity is the on-disk file, or return
-* `undefined` when the raw `BETTER_UPDATE_IDENTITY` env key is in use (CI). The
-* resolved value is threaded into {@link unlockVaultKey} by the cipher helpers.
-*/
-const resolveVaultPassphrase = Effect.gen(function* () {
-	return (yield* activeRecipient).source === "file" ? yield* promptPassword("Passphrase to unlock this device's identity:") : void 0;
-});
-/**
 * Unlock the org vault key for an interactive command, reusing a cached vault key
 * from the OS keychain when one is present and unexpired — so the device
 * passphrase is prompted at most once per cache TTL rather than on every command
@@ -18942,6 +18933,12 @@ const resolveVaultPassphrase = Effect.gen(function* () {
 * The CI `BETTER_UPDATE_IDENTITY` key carries no passphrase and is never cached:
 * it skips straight to the raw unwrap. On a cache miss the full unlock runs —
 * prompt, Argon2id, fetch + unwrap — and the result is cached for next time.
+*
+* The cached key is the unwrapped vault key, which both unwraps (decrypt/read)
+* and wraps (encrypt/write) DEKs — so this single entry point backs every vault
+* operation: download/build-resolve reads, seal-for-upload + generate writes, and
+* rotation. There is no read-only cache: an unlock makes the next write seamless
+* too.
 */
 const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
 	const recipient = yield* activeRecipient;
@@ -18953,6 +18950,17 @@ const unlockVaultKeyInteractive = (api) => Effect.gen(function* () {
 	yield* cache.set(recipient.publicKey, vault);
 	return vault;
 }).pipe(Effect.provide(VaultCacheLive));
+/**
+* Forget the active recipient's cached vault key. Called after a rotation re-keys
+* the vault: the cached key + version are now stale, so leaving them would make
+* the next seal upload a key/version the server CAS-rejects (and the next decrypt
+* fail integrity). Clearing forces a fresh unlock at the new version next time —
+* which also correctly locks out a device that just revoked its own access.
+*/
+const forgetCachedVaultKey = Effect.gen(function* () {
+	const recipient = yield* activeRecipient;
+	yield* (yield* VaultCache).clear(recipient.publicKey);
+}).pipe(Effect.provide(VaultCacheLive));
 /** Look up a registered recipient by its key id or full `SHA256:` fingerprint. */
 const findRecipient = (api, selector) => Effect.gen(function* () {
 	const { items } = yield* api.userEncryptionKeys.list();
@@ -18992,13 +19000,6 @@ const getActiveOrgId = (api) => Effect.gen(function* () {
 	if (me.activeOrganization === null) return yield* new IdentityError({ message: "No active organization for this token." });
 	return me.activeOrganization.id;
 });
-/** Resolve the active org id and unlock this device's vault key — the once-per-command I/O. */
-const openVaultSession = (api, passphrase) => Effect.gen(function* () {
-	return {
-		orgId: yield* getActiveOrgId(api),
-		vault: yield* unlockVaultKey(api, passphrase)
-	};
-});
 /**
 * {@link openVaultSession} that unlocks the vault key interactively — reusing the
 * OS-keychain-cached key when one is live (no prompt), prompting for the device
@@ -19129,6 +19130,43 @@ const openFromDownload = (args) => {
 //#region src/lib/android-keystore.ts
 const DEFAULT_KEYSTORE_VALIDITY_DAYS = 1e4;
 const renderDistinguishedName = (params) => `CN=${params.commonName}, O=${params.organization}`;
+const FINGERPRINT_PATTERNS = {
+	md5: /MD5:\s*(?<value>[0-9A-F:]+)/iu,
+	sha1: /SHA-?1:\s*(?<value>[0-9A-F:]+)/iu,
+	sha256: /SHA-?256:\s*(?<value>[0-9A-F:]+)/iu
+};
+/**
+* Parse certificate fingerprints out of `keytool -list -v` output. The fingerprint
+* labels (`MD5:`, `SHA1:`, `SHA256:`) are stable across keytool locales — only the
+* surrounding prose is translated — so label-anchored regexes are robust. MD5 is
+* absent on modern JDKs (dropped from `-v` output); that field stays `undefined`.
+* keytool already emits the canonical uppercase, colon-separated form the dashboard
+* displays verbatim, so no normalization is needed.
+*/
+const parseKeystoreFingerprints = (output) => ({
+	md5: output.match(FINGERPRINT_PATTERNS.md5)?.groups?.["value"],
+	sha1: output.match(FINGERPRINT_PATTERNS.sha1)?.groups?.["value"],
+	sha256: output.match(FINGERPRINT_PATTERNS.sha256)?.groups?.["value"]
+});
+/**
+* Run `keytool -list -v` against an on-disk keystore and extract its certificate
+* fingerprints. Only the store password is required to read a certificate. Used at
+* upload/generate time to populate the public, server-visible fingerprint metadata
+* the dashboard renders.
+*/
+const extractKeystoreFingerprints = (params) => Command.string(Command.make("keytool", "-list", "-v", "-keystore", params.keystorePath, "-alias", params.keyAlias, "-storepass", params.storePassword).pipe(Command.env({ LC_ALL: "C" }))).pipe(Effect.mapError((cause) => new BuildFailedError({
+	step: "extract keystore fingerprints",
+	exitCode: 1,
+	message: `keytool -list failed to run (is the JDK installed?): ${String(cause)}`
+})), Effect.flatMap((output) => {
+	const fingerprints = parseKeystoreFingerprints(output);
+	if (fingerprints.sha1 === void 0 && fingerprints.sha256 === void 0) return Effect.fail(new BuildFailedError({
+		step: "extract keystore fingerprints",
+		exitCode: 1,
+		message: "keytool produced no SHA-1/SHA-256 fingerprints — verify the key alias and keystore password"
+	}));
+	return Effect.succeed(fingerprints);
+}));
 const generateAndroidKeystore = (input) => Command.exitCode(Command.make("keytool", "-genkeypair", "-v", "-storetype", "JKS", "-keystore", input.outputPath, "-alias", input.keyAlias, "-keyalg", "RSA", "-keysize", "2048", "-validity", String(input.validityDays ?? DEFAULT_KEYSTORE_VALIDITY_DAYS), "-storepass", input.storePassword, "-keypass", input.keyPassword, "-dname", renderDistinguishedName({
 	commonName: input.commonName,
 	organization: input.organization
@@ -19610,8 +19648,18 @@ const generateAndUploadKeystore = (api, input) => Effect.scoped(Effect.gen(funct
 		...compact({ validityDays: input.validityDays })
 	});
 	const bytes = yield* fs.readFile(keystorePath);
-	const session = yield* openVaultSession(api, input.passphrase ?? (yield* resolveVaultPassphrase));
-	const metadata = { keyAlias: input.keyAlias };
+	const fingerprints = yield* extractKeystoreFingerprints({
+		keystorePath,
+		keyAlias: input.keyAlias,
+		storePassword: input.storePassword
+	});
+	const session = yield* openVaultSessionInteractive(api);
+	const metadata = compact({
+		keyAlias: input.keyAlias,
+		md5Fingerprint: fingerprints.md5,
+		sha1Fingerprint: fingerprints.sha1,
+		sha256Fingerprint: fingerprints.sha256
+	});
 	const envelope = yield* sealForUpload({
 		session,
 		credentialType: "keystore",
@@ -19661,7 +19709,7 @@ const generateAndUploadDistributionCertificate = (api, input) => Effect.gen(func
 		step: "p12-build",
 		message: cause.message
 	})));
-	const session = yield* openVaultSession(api, input.passphrase ?? (yield* resolveVaultPassphrase));
+	const session = yield* openVaultSessionInteractive(api);
 	const metadata = {
 		serialNumber: bundle.metadata.serialNumber,
 		appleTeamIdentifier: bundle.metadata.appleTeamId,
@@ -20667,7 +20715,7 @@ const generateAndUploadDistributionCertificateViaAppleId = (api, input) => Effec
 		step: "parse-p12",
 		message: cause.message
 	})));
-	const session = yield* openVaultSession(api, yield* resolveVaultPassphrase);
+	const session = yield* openVaultSessionInteractive(api);
 	const envelopeMetadata = {
 		serialNumber: metadata.serialNumber,
 		appleTeamIdentifier: metadata.appleTeamId,
@@ -21065,14 +21113,12 @@ const isMissingResolveError = (cause) => hasTag(cause) && (cause._tag === "NotFo
 const randomKeystoreSecret = () => randomBytes(24).toString("base64url");
 const generateKeystoreAuto = (api, applicationIdentifier) => Effect.gen(function* () {
 	yield* Console.log("Generating a new Android Keystore...");
-	const passphrase = yield* resolveVaultPassphrase;
 	return (yield* generateAndUploadKeystore(api, {
 		keyAlias: "upload",
 		storePassword: randomKeystoreSecret(),
 		keyPassword: randomKeystoreSecret(),
 		commonName: applicationIdentifier,
-		organization: "better-update",
-		...compact({ passphrase })
+		organization: "better-update"
 	})).id;
 });
 const generateKeystoreInteractive = (api) => Effect.gen(function* () {
@@ -21081,15 +21127,13 @@ const generateKeystoreInteractive = (api) => Effect.gen(function* () {
 	const keyPassword = yield* promptPassword("Key password");
 	const commonName = yield* promptText("Common name (CN)", { placeholder: "Your App" });
 	const organization = yield* promptText("Organization (O)", { placeholder: "Your Company" });
-	const passphrase = yield* resolveVaultPassphrase;
 	yield* Console.log("Generating keystore with keytool...");
 	return (yield* generateAndUploadKeystore(api, {
 		keyAlias: alias,
 		storePassword,
 		keyPassword,
 		commonName,
-		organization,
-		...compact({ passphrase })
+		organization
 	})).id;
 });
 const pickExistingKeystore = (api) => Effect.gen(function* () {
@@ -21112,6 +21156,25 @@ const resolveAndroidAppId = (api, input) => Effect.gen(function* () {
 	})).id;
 });
 const resolveAndroidKeystoreId = (api, choice) => choice === "generate" ? generateKeystoreInteractive(api) : pickExistingKeystore(api);
+const bindAndroidKeystore = (api, appId, keystoreId) => Effect.gen(function* () {
+	const existing = yield* api.androidBuildCredentials.list({ path: { applicationIdentifierId: appId } });
+	const target = existing.items.find((group) => group.isDefault) ?? existing.items.at(0);
+	if (target === void 0) {
+		yield* api.androidBuildCredentials.create({
+			path: { applicationIdentifierId: appId },
+			payload: {
+				name: "Default",
+				isDefault: true,
+				androidUploadKeystoreId: keystoreId
+			}
+		});
+		return;
+	}
+	yield* api.androidBuildCredentials.update({
+		path: { id: target.id },
+		payload: { androidUploadKeystoreId: keystoreId }
+	});
+});
 const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 	yield* Console.log("");
 	yield* Console.log(`No Android build credentials configured for ${input.applicationIdentifier}.`);
@@ -21134,15 +21197,7 @@ const setupAndroidInteractive = (api, input) => Effect.gen(function* () {
 		message: `Build aborted — no keystore bound to ${input.applicationIdentifier}.`,
 		hint: "Run `better-update credentials generate keystore` or upload via the dashboard."
 	});
-	const keystoreId = yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api);
-	yield* api.androidBuildCredentials.create({
-		path: { applicationIdentifierId: appId },
-		payload: {
-			name: "Default",
-			isDefault: true,
-			androidUploadKeystoreId: keystoreId
-		}
-	});
+	yield* bindAndroidKeystore(api, appId, yield* choice === "generate" ? generateKeystoreAuto(api, input.applicationIdentifier) : pickExistingKeystore(api));
 	yield* Console.log("Android build credentials configured.");
 });
 const ensureAndroidCredentialsAvailable = (api, input) => api.buildCredentials.resolve({
@@ -25896,8 +25951,9 @@ const detectFormat = (bytes) => {
 /**
 * Validate keystore bytes + alias/passwords locally before sealing. Mirrors the
 * old server check: magic-byte format detection + required-field validation.
-* Fingerprints are not derived from the bytes (keytool never surfaced them here
-* either) — they remain optional, user-supplied metadata.
+* Fingerprints cannot be derived from the raw bytes; they are extracted separately
+* via keytool (`extractKeystoreFingerprints` in ./android-keystore) at upload/generate
+* time and attached to the public metadata.
 */
 const validateAndroidKeystore = (params) => Effect.gen(function* () {
 	if (params.bytes.byteLength < 16) return yield* new CredentialValidationError({ message: "Keystore file too small" });
@@ -26049,7 +26105,7 @@ const uploadIosDistributionCertificate = (api, input, bytes) => Effect.gen(funct
 		validUntil: info.expiresAt.toISOString()
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "distribution-certificate",
 		metadata,
 		secret: {
@@ -26075,7 +26131,7 @@ const uploadIosPushKey = (api, input, bytes) => Effect.gen(function* () {
 		appleTeamIdentifier: input.appleTeamIdentifier
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "push-key",
 		metadata,
 		secret: { p8Pem: toUtf8(bytes) }
@@ -26100,7 +26156,7 @@ const uploadIosAscApiKey = (api, input, bytes) => Effect.gen(function* () {
 		appleTeamIdentifier: input.appleTeamIdentifier
 	});
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "asc-api-key",
 		metadata,
 		secret: { p8Pem: toUtf8(bytes) }
@@ -26127,14 +26183,25 @@ const uploadAndroidKeystore = (api, input, bytes) => Effect.gen(function* () {
 	if (input.password === void 0) return yield* missing("password");
 	if (!input.keyAlias) return yield* missing("key-alias");
 	if (!input.keyPassword) return yield* missing("key-password");
-	const metadata = { keyAlias: (yield* validateAndroidKeystore({
+	const parsed = yield* validateAndroidKeystore({
 		bytes,
 		keyAlias: input.keyAlias,
 		keystorePassword: input.password,
 		keyPassword: input.keyPassword
-	})).keyAlias };
+	});
+	const fingerprints = yield* extractKeystoreFingerprints({
+		keystorePath: input.filePath,
+		keyAlias: parsed.keyAlias,
+		storePassword: input.password
+	});
+	const metadata = compact({
+		keyAlias: parsed.keyAlias,
+		md5Fingerprint: fingerprints.md5,
+		sha1Fingerprint: fingerprints.sha1,
+		sha256Fingerprint: fingerprints.sha256
+	});
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "keystore",
 		metadata,
 		secret: {
@@ -26162,7 +26229,7 @@ const uploadAndroidGoogleServiceAccountKey = (api, input, bytes) => Effect.gen(f
 		googleProjectId: parsed.googleProjectId
 	};
 	const envelope = yield* sealForUpload({
-		session: yield* openVaultSession(api, input.passphrase),
+		session: yield* openVaultSessionInteractive(api),
 		credentialType: "google-service-account-key",
 		metadata,
 		secret: { json }
@@ -26191,10 +26258,7 @@ const uploadCredential = (api, input) => Effect.gen(function* () {
 	const hasKey = (candidate) => Object.hasOwn(uploadHandlers, candidate);
 	const handler = hasKey(key) ? uploadHandlers[key] : void 0;
 	if (!handler) return yield* new CredentialValidationError({ message: `Unsupported credential combination: platform=${input.platform} type=${input.type}` });
-	return yield* handler(api, input.type === "provisioning-profile" || input.passphrase !== void 0 ? input : {
-		...input,
-		...compact({ passphrase: yield* resolveVaultPassphrase })
-	}, bytes);
+	return yield* handler(api, input, bytes);
 });
 const deleteCredential = (api, input) => {
 	const path = { id: input.id };
@@ -27185,10 +27249,14 @@ const runCredentialsManager = Effect.gen(function* () {
 * one, re-wrap the new vault key to each recipient, then submit the rotation
 * atomically (the server CAS-guards on the current version and requires a
 * recovery recipient in the set). Drops every recipient not in `recipients`.
+*
+* Unlocks via the cache-aware path (reusing a live `credentials unlock` session),
+* then drops that cached key once the re-key lands — it is now stale, so the next
+* operation must re-unlock at the new version.
 */
 const rotateVaultTo = (args) => Effect.gen(function* () {
 	const orgId = yield* getActiveOrgId(args.api);
-	const current = yield* unlockVaultKey(args.api, args.passphrase);
+	const current = yield* unlockVaultKeyInteractive(args.api);
 	const newVaultKey = generateVaultKey();
 	const newVersion = current.vaultVersion + 1;
 	const { deks } = yield* args.api.orgVault.listCredentialDeks();
@@ -27226,11 +27294,13 @@ const rotateVaultTo = (args) => Effect.gen(function* () {
 			recipient: recipient.publicKey
 		}))
 	})), { concurrency: "unbounded" });
-	return yield* args.api.orgVault.rotate({ payload: {
+	const rotated = yield* args.api.orgVault.rotate({ payload: {
 		fromVersion: current.vaultVersion,
 		recipientWraps,
 		credentialDeks
 	} });
+	yield* forgetCachedVaultKey;
+	return rotated;
 });
 /** The encryption keys currently holding the vault key, joined with their public keys. */
 const currentRecipients = (api) => Effect.gen(function* () {
@@ -27365,7 +27435,6 @@ const rotateCommand = defineCommand({
 		yield* confirmRecipients(recipients, args.yes === true);
 		const rotated = yield* rotateVaultTo({
 			api,
-			passphrase: yield* resolveVaultPassphrase,
 			recipients: recipients.map(toRotationRecipient)
 		});
 		yield* printHuman(`Rotated the vault to version ${String(rotated.vaultVersion)} (${String(recipients.length)} recipients).`);
@@ -27401,7 +27470,6 @@ const revokeCommand$1 = defineCommand({
 		yield* confirmRecipients(surviving, args.yes === true);
 		const rotated = yield* rotateVaultTo({
 			api,
-			passphrase: yield* resolveVaultPassphrase,
 			recipients: surviving.map(toRotationRecipient)
 		});
 		yield* printHuman(`Revoked ${target.label} and rotated the vault to version ${String(rotated.vaultVersion)}.`);
@@ -27487,7 +27555,6 @@ const recoveryCommand = defineCommand({
 			yield* confirmRecipients(surviving, args.yes === true);
 			const rotated = yield* rotateVaultTo({
 				api,
-				passphrase: yield* resolveVaultPassphrase,
 				recipients: [...surviving.map(toRotationRecipient), {
 					userEncryptionKeyId: registered.id,
 					publicKey: newRecovery.publicKey