@better-update/cli 0.43.0 → 0.44.0

package/dist/index.mjs

@@ -35,7 +35,7 @@ var __require = /* #__PURE__ */ (() => createRequire(import.meta.url))();
 
 //#endregion
 //#region package.json
-var version = "0.43.0";
+var version = "0.44.0";
 
 //#endregion
 //#region src/lib/interactive-mode.ts
@@ -549,10 +549,32 @@ const VaultWrapInput = Schema.Struct({
 	wrappedKey: Schema.String.pipe(Schema.minLength(1))
 });
 /**
-* Bootstrap the org vault on the first upload: the initial wrap rows, which must
-* include the uploader's own recipient and the offline recovery recipient.
+* An env-vault recipient kind. Superset of the credentials-vault recipient kinds
+* plus `account` — the per-user account key the browser unwraps the env vault
+* with. `recipientId` references `user_encryption_keys.id` for the first three and
+* `account_keys.id` for `account` (polymorphic; see migration 0071). Defined here
+* (alongside `VaultWrapInput`) rather than in `env-vault.ts` so `BootstrapVaultBody`
+* can carry env wraps without a circular import (`env-vault.ts` → `org-vault.ts`).
 */
-const BootstrapVaultBody = Schema.Struct({ wraps: Schema.Array(VaultWrapInput).pipe(Schema.minItems(1)) });
+const EnvVaultRecipientKind = Schema.Literal("device", "recovery", "machine", "account");
+/** One recipient's env-vault wrap row in a bootstrap / cutover / grant / rotate submission (age blob, base64). */
+const EnvVaultWrapInput = Schema.Struct({
+	recipientKind: EnvVaultRecipientKind,
+	recipientId: Id,
+	wrappedKey: Schema.String.pipe(Schema.minLength(1))
+});
+/**
+* Bootstrap the org vault: the initial credential-vault wrap rows AND the initial
+* env-vault wrap rows, each of which must include the uploader's own recipient and
+* the offline recovery recipient. Orgs are "born forked" — the env vault is set up
+* at bootstrap (server stamps the cutover + env version), so a separate
+* `env-vault migrate` step is never needed. `envWraps` is required: a client that
+* cannot produce them is too old to bootstrap.
+*/
+const BootstrapVaultBody = Schema.Struct({
+	wraps: Schema.Array(VaultWrapInput).pipe(Schema.minItems(1)),
+	envWraps: Schema.Array(EnvVaultWrapInput).pipe(Schema.minItems(1))
+});
 /**
 * Add a single wrap row at the current vault version (grant another user, or
 * self-link your own device). Authz is enforced server-side; the wrap itself is
@@ -1936,13 +1958,6 @@ var EnvVarsGroup = class extends HttpApiGroup.make("env-vars").add(HttpApiEndpoi
 
 //#endregion
 //#region ../../packages/api/src/domain/env-vault.ts
-/**
-* An env-vault recipient kind. Superset of the credentials-vault recipient kinds
-* plus `account` — the per-user account key the browser unwraps the env vault
-* with. `recipientId` references `user_encryption_keys.id` for the first three and
-* `account_keys.id` for `account` (polymorphic; see migration 0071).
-*/
-const EnvVaultRecipientKind = Schema.Literal("device", "recovery", "machine", "account");
 /** One wrap of the env-vault key to a recipient (an opaque `age` blob). */
 var OrgEnvVaultKeyWrap = class extends Schema.Class("OrgEnvVaultKeyWrap")({
 	organizationId: Id,
@@ -1968,12 +1983,6 @@ const EnvVaultRecipients = Schema.Struct({
 	envVaultVersion: VaultVersion,
 	recipients: Schema.Array(EnvVaultRecipientRef)
 });
-/** One recipient's wrap row in a cutover / grant / rotate submission (age blob, base64). */
-const EnvVaultWrapInput = Schema.Struct({
-	recipientKind: EnvVaultRecipientKind,
-	recipientId: Id,
-	wrappedKey: Schema.String.pipe(Schema.minLength(1))
-});
 /** Add a single env wrap at the current env version (grant or self-link). */
 const AddEnvVaultWrapBody = Schema.Struct({
 	envVaultVersion: VaultVersion,
@@ -29379,8 +29388,8 @@ const createCommand$3 = defineCommand({
 			accountKeyId: registered.id,
 			agePublicKey: registered.agePublicKey
 		});
-		yield* printKeyValue([["Account key fingerprint", registered.fingerprint], ["Env access", cutOver ? "granted (self-linked)" : "pending env-vault migration"]]);
-		yield* printHuman(cutOver ? "Account key enrolled. You can now unlock env values from the browser after a 2FA step-up." : "Account key enrolled. It gains env access once an admin runs `better-update credentials env-vault migrate`.");
+		yield* printKeyValue([["Account key fingerprint", registered.fingerprint], ["Env access", cutOver ? "granted (self-linked)" : "pending — vault not initialized"]]);
+		yield* printHuman(cutOver ? "Account key enrolled. You can now unlock env values from the browser after a 2FA step-up." : "Account key enrolled. It gains env access once the org vault is initialized (`better-update credentials identity init`).");
 		return {
 			fingerprint: registered.fingerprint,
 			envAccess: cutOver
@@ -29396,7 +29405,7 @@ const linkCommand$1 = defineCommand({
 		const api = yield* apiClient;
 		const own = yield* findOwnAccountKey(api);
 		if (own === null) return yield* new IdentityError({ message: "No account key enrolled. Run `better-update credentials account create` first." });
-		if (!(yield* orgHasCutOver(api))) return yield* new IdentityError({ message: "This organization has no env vault yet. An admin must run `better-update credentials env-vault migrate` first." });
+		if (!(yield* orgHasCutOver(api))) return yield* new IdentityError({ message: "This organization's vault is not initialized. Run `better-update credentials identity init` first." });
 		yield* linkAccountKeyToEnv(api, {
 			accountKeyId: own.id,
 			agePublicKey: own.agePublicKey
@@ -30223,76 +30232,6 @@ const wrapEnvKeyToRecipients = (evKey, recipients) => Effect.forEach(recipients,
 	}))
 })), { concurrency: "unbounded" });
 
-//#endregion
-//#region src/application/env-vault-cutover.ts
-/**
-* Every recipient the env key is wrapped to at cutover: the credentials vault's
-* device/recovery/machine recipients (so upgraded CLIs keep env access via their
-* device key) PLUS every member's account key (so the browser can unlock env). New
-* account keys enrolled later self-link via `credentials account create`.
-*/
-const collectEnvRecipients = (api) => Effect.gen(function* () {
-	const cvRecipients = yield* currentRecipients(api);
-	const { items: accounts } = yield* api.accountKeys.list();
-	return [...cvRecipients.map((key) => ({
-		recipientKind: key.kind,
-		recipientId: key.id,
-		recipient: key.publicKey
-	})), ...accounts.map((account) => ({
-		recipientKind: "account",
-		recipientId: account.id,
-		recipient: account.agePublicKey
-	}))];
-});
-/**
-* Re-key every env DEK from the credentials vault key to the new env key. Env
-* values live in the credentials vault until cutover, so the source set comes from
-* `orgVault.listCredentialDeks` filtered to env rows (`credentialType` ===
-* `envVarValue`); each is unwrapped under the credentials key and re-wrapped under
-* the env key at version 1.
-*/
-const rekeyEnvDeksToEnvVault = (api, params) => Effect.gen(function* () {
-	const { deks } = yield* api.orgVault.listCredentialDeks();
-	return yield* Effect.forEach(deks.filter((dek) => dek.credentialType === "envVarValue"), (dek) => Effect.try({
-		try: () => rekeyEnvDek({
-			orgId: params.orgId,
-			credentialId: dek.credentialId,
-			wrappedDek: dek.wrappedDek,
-			from: params.cvKey,
-			fromVersion: dek.vaultVersion,
-			fromKind: "credentials",
-			to: params.evKey,
-			toVersion: 1,
-			toKind: "env"
-		}),
-		catch: () => new IdentityError({ message: "Failed to re-key an env value during the migration — re-unlock the vault and retry." })
-	}), { concurrency: "unbounded" });
-});
-/**
-* One-shot cutover: fork the org's env values into a separate env vault. Generate
-* a fresh env key, wrap it to every recipient, re-key every env DEK from the
-* credentials key to the env key, and submit it all atomically. The server
-* compare-and-swaps on the cutover sentinel, so a re-run after a partial failure is
-* safe (a second cutover is rejected `Conflict`). The credentials vault — and
-* every signing credential — is untouched.
-*/
-const cutoverEnvVault = (api) => Effect.gen(function* () {
-	const orgId = yield* getActiveOrgId(api);
-	if ((yield* api.orgVault.get().pipe(Effect.catchTag("NotFound", () => new IdentityError({ message: "This organization has no credential vault yet. Run `better-update credentials identity init` first." })))).envVaultCutoverAt !== null) return yield* new IdentityError({ message: "This organization's env vault is already migrated." });
-	const current = yield* unlockVaultKeyInteractive(api);
-	const evKey = generateVaultKey();
-	const wraps = yield* wrapEnvKeyToRecipients(evKey, yield* collectEnvRecipients(api));
-	const envDeks = yield* rekeyEnvDeksToEnvVault(api, {
-		orgId,
-		cvKey: current.vaultKey,
-		evKey
-	});
-	return yield* api.envVault.cutover({ payload: {
-		wraps,
-		envDeks
-	} });
-});
-
 //#endregion
 //#region src/application/env-vault-rotation.ts
 /**
@@ -30343,7 +30282,7 @@ const rekeyEnvDeksForRotation = (api, params) => Effect.gen(function* () {
 */
 const rotateEnvVault = (api) => Effect.gen(function* () {
 	const orgId = yield* getActiveOrgId(api);
-	if ((yield* api.orgVault.get().pipe(Effect.catchTag("NotFound", () => new IdentityError({ message: "This organization has no credential vault yet." })))).envVaultCutoverAt === null) return yield* new IdentityError({ message: "This organization has no env vault yet — run `better-update credentials env-vault migrate` first." });
+	if ((yield* api.orgVault.get().pipe(Effect.catchTag("NotFound", () => new IdentityError({ message: "This organization has no credential vault yet." })))).envVaultCutoverAt === null) return yield* new IdentityError({ message: "This organization's env vault is not initialized." });
 	const current = yield* unlockEnvVaultKeyInteractive(api);
 	const toVersion = current.vaultVersion + 1;
 	const newEvKey = generateVaultKey();
@@ -30365,33 +30304,6 @@ const rotateEnvVault = (api) => Effect.gen(function* () {
 
 //#endregion
 //#region src/commands/credentials/env-vault.ts
-const migrateCommand = defineCommand({
-	meta: {
-		name: "migrate",
-		description: "Fork env values into a separate env vault so they can be unlocked from the browser (one-time, admin)"
-	},
-	args: { yes: {
-		type: "boolean",
-		description: "Skip the confirmation prompt"
-	} },
-	run: async ({ args }) => runEffect(Effect.gen(function* () {
-		const api = yield* apiClient;
-		yield* printHuman("Migrating splits env values into their own end-to-end-encrypted vault, wrapped to every device and account key.");
-		yield* printHuman("⚠  This is one-shot per organization. Until they upgrade, older CLIs can no longer READ env values (credentials are unaffected).");
-		yield* printHuman("⚠  Avoid env-var writes (set/push/import/update) elsewhere while this runs — a value written mid-migration may need re-setting afterwards.");
-		if (!(args.yes === true || (yield* promptConfirm("Migrate this organization's env values to a separate vault now?", { initialValue: false })))) {
-			yield* printHuman("Aborted — no changes made.");
-			return { migrated: false };
-		}
-		const vault = yield* cutoverEnvVault(api);
-		yield* printHuman(`✓ Env vault created (version ${String(vault.envVaultVersion)}).`);
-		yield* printHuman("Members enroll browser access with `better-update credentials account create`.");
-		return {
-			migrated: true,
-			envVaultVersion: vault.envVaultVersion
-		};
-	}), { json: "value" })
-});
 const rotateCommand = defineCommand({
 	meta: {
 		name: "rotate",
@@ -30432,10 +30344,9 @@ const statusCommand$2 = defineCommand({
 const envVaultCommand = defineCommand({
 	meta: {
 		name: "env-vault",
-		description: "Manage the organization's separate env-vault (migrate, rotate, status)"
+		description: "Manage the organization's env-vault (rotate, status)"
 	},
 	subCommands: {
-		migrate: migrateCommand,
 		rotate: rotateCommand,
 		status: statusCommand$2
 	},
@@ -30956,13 +30867,16 @@ const RECOVERY_LABEL = "Offline recovery key";
 /**
 * Bootstrap the org vault on first use: generate the org vault key locally, mint
 * an offline recovery recipient, wrap the vault key to BOTH the caller's device
-* and the recovery key, and POST the two initial wrap rows. The server requires
-* the bootstrap to include a `recovery` recipient (break-glass), so both wraps go
-* up together. Returns the unlocked vault key plus the recovery private key for a
-* one-time, offline-only display.
+* and the recovery key, and POST the initial wrap rows. The org is "born forked" —
+* a second, INDEPENDENT env-vault key is generated and wrapped to the same device +
+* recovery recipients in the same call, so the env vault is the default and
+* `env-vault migrate` is never needed. The server requires both a `recovery`
+* recipient (break-glass) and the env wraps. Returns the unlocked vault key plus
+* the recovery private key for a one-time, offline-only display.
 */
 const bootstrapVault = (args) => Effect.gen(function* () {
 	const vaultKey = generateVaultKey();
+	const envVaultKey = generateVaultKey();
 	const recovery = yield* Effect.promise(async () => generateIdentity());
 	const recoveryKey = yield* args.api.userEncryptionKeys.register({ payload: {
 		kind: "recovery",
@@ -30977,15 +30891,27 @@ const bootstrapVault = (args) => Effect.gen(function* () {
 		vaultKey,
 		recipient: recovery.publicKey
 	}))]);
+	const envWraps = yield* wrapEnvKeyToRecipients(envVaultKey, [{
+		recipientKind: "device",
+		recipientId: args.deviceKeyId,
+		recipient: args.deviceRecipient
+	}, {
+		recipientKind: "recovery",
+		recipientId: recoveryKey.id,
+		recipient: recovery.publicKey
+	}]);
 	return {
 		vaultKey,
-		vaultVersion: (yield* args.api.orgVault.bootstrap({ payload: { wraps: [{
-			userEncryptionKeyId: args.deviceKeyId,
-			wrappedKey: toBase64(deviceWrap)
-		}, {
-			userEncryptionKeyId: recoveryKey.id,
-			wrappedKey: toBase64(recoveryWrap)
-		}] } })).vaultVersion,
+		vaultVersion: (yield* args.api.orgVault.bootstrap({ payload: {
+			wraps: [{
+				userEncryptionKeyId: args.deviceKeyId,
+				wrappedKey: toBase64(deviceWrap)
+			}, {
+				userEncryptionKeyId: recoveryKey.id,
+				wrappedKey: toBase64(recoveryWrap)
+			}],
+			envWraps
+		} })).vaultVersion,
 		keyId: args.deviceKeyId,
 		recoveryPrivateKey: recovery.privateKey,
 		recoveryFingerprint: recovery.fingerprint