npm - @boltic/cli - Versions diffs - 1.0.44-dev1.2 → 1.0.44-dev1.4 - Mend

@boltic/cli 1.0.44-dev1.2 → 1.0.44-dev1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/helper/secure-storage.js +127 -54
package/package.json +1 -1

package/helper/secure-storage.js CHANGED Viewed

@@ -1,11 +1,11 @@
-import keytar from "keytar";
+import fs from "fs";
+import os from "os";
+import path from "path";
 const SERVICE_NAME = "boltic-cli";
 // Mapping from credential keys to environment variable names.
-// In CI/headless environments where keytar (OS keychain) is unavailable,
-// these env vars are used as a fallback so commands like `boltic serverless publish`
-// work without an interactive keychain daemon.
+// Checked last (lowest priority) so explicit login always wins.
 const ENV_VAR_MAP = {
 	token: "BOLTIC_TOKEN",
 	account_id: "BOLTIC_ACCOUNT_ID",
@@ -13,73 +13,133 @@ const ENV_VAR_MAP = {
 	environment: "BOLTIC_ENVIRONMENT",
 };
+// File-based credential store used when keytar (OS keychain) is unavailable.
+// Credentials are stored as plain JSON, readable only by the current user.
+const CRED_FILE = path.join(os.homedir(), ".boltic", "credentials.json");
+const readCredFile = () => {
+	try {
+		return JSON.parse(fs.readFileSync(CRED_FILE, "utf-8"));
+	} catch {
+		return {};
+	}
+};
+const writeCredFile = (data) => {
+	const dir = path.dirname(CRED_FILE);
+	if (!fs.existsSync(dir)) {
+		fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+	}
+	fs.writeFileSync(CRED_FILE, JSON.stringify(data, null, 2), {
+		mode: 0o600,
+	});
+};
+// Lazy-load keytar via dynamic import so that a missing native dependency
+// (e.g. libsecret on Linux CI runners) is caught at call time rather than
+// crashing the process at startup with ERR_DLOPEN_FAILED.
+let _keytar;
+let _keytarAttempted = false;
+const getKeytar = async () => {
+	if (_keytarAttempted) return _keytar;
+	_keytarAttempted = true;
+	try {
+		_keytar = (await import("keytar")).default;
+	} catch {
+		// Native library not available (e.g. libsecret missing on CI runners).
+		_keytar = null;
+	}
+	return _keytar;
+};
 /**
- * Store a secret value securely using keytar.
- * In CI/headless environments where keytar is unavailable, logs a warning
- * instead of throwing so that env-var-based auth can still be used.
- * @param {string} key - The key under which to store the secret
- * @param {string} value - The secret value to store
- * @returns {Promise<void>}
+ * Store a secret value.
+ * Priority: keytar (OS keychain) → file store (~/.boltic/credentials.json)
  */
 export const storeSecret = async (key, value) => {
-	try {
-		await keytar.setPassword(SERVICE_NAME, key, value);
-	} catch (error) {
-		// In headless/CI environments the OS keychain daemon is not available.
-		// Warn instead of throwing so callers can still rely on env var fallback.
-		console.warn(
-			`Warning: Could not store '${key}' in system keychain: ${error.message}`
-		);
-		console.warn(
-			`In CI environments, set credentials via environment variables (e.g. BOLTIC_TOKEN, BOLTIC_ACCOUNT_ID).`
-		);
+	const keytar = await getKeytar();
+	if (keytar) {
+		try {
+			await keytar.setPassword(SERVICE_NAME, key, value);
+			return;
+		} catch {
+			// fall through to file store
+		}
 	}
+	// File-based fallback (CI / headless environments)
+	const data = readCredFile();
+	data[key] = value;
+	writeCredFile(data);
 };
 /**
- * Retrieve a secret value. Tries keytar first; falls back to env vars
- * (BOLTIC_TOKEN, BOLTIC_PAT, BOLTIC_ACCOUNT_ID, etc.) when keytar is unavailable.
- * @param {string} key - The key of the secret to retrieve
- * @returns {Promise<string|null>} The secret value or null if not found
+ * Retrieve a secret value.
+ * Priority: keytar → file store → environment variables
  */
 export const getSecret = async (key) => {
-	try {
-		const val = await keytar.getPassword(SERVICE_NAME, key);
-		if (val !== null) return val;
-	} catch {
-		// keytar unavailable (CI/headless) — fall through to env var
+	const keytar = await getKeytar();
+	if (keytar) {
+		try {
+			const val = await keytar.getPassword(SERVICE_NAME, key);
+			if (val !== null) return val;
+		} catch {
+			// fall through
+		}
 	}
+	// File store fallback
+	const val = readCredFile()[key];
+	if (val != null) return val;
+	// Env var fallback
 	return process.env[ENV_VAR_MAP[key]] || null;
 };
 /**
- * Delete a secret value using keytar
- * @param {string} key - The key of the secret to delete
- * @returns {Promise<boolean>} True if deletion was successful
+ * Delete a secret value.
+ * Priority: keytar → file store
  */
 export const deleteSecret = async (key) => {
-	try {
-		return await keytar.deletePassword(SERVICE_NAME, key);
-	} catch (error) {
-		console.error(`Error deleting secret for ${key}:`, error.message);
-		return false;
+	const keytar = await getKeytar();
+	if (keytar) {
+		try {
+			return await keytar.deletePassword(SERVICE_NAME, key);
+		} catch (error) {
+			console.error(`Error deleting secret for ${key}:`, error.message);
+			return false;
+		}
 	}
+	// File store fallback
+	const data = readCredFile();
+	if (key in data) {
+		delete data[key];
+		writeCredFile(data);
+	}
+	return true;
 };
 /**
- * Retrieve all secrets. Tries keytar first; falls back to env vars when
- * keytar is unavailable (e.g. GitHub Actions, Docker containers).
- * @returns {Promise<Array<{account: string, password: string}>|null>}
+ * Retrieve all secrets.
+ * Priority: keytar → file store → environment variables
  */
 export const getAllSecrets = async () => {
-	try {
-		const keytarSecrets = await keytar.findCredentials(SERVICE_NAME);
-		if (keytarSecrets && keytarSecrets.length > 0) return keytarSecrets;
-	} catch {
-		// keytar unavailable (CI/headless) — fall through to env vars
+	const keytar = await getKeytar();
+	if (keytar) {
+		try {
+			const keytarSecrets = await keytar.findCredentials(SERVICE_NAME);
+			if (keytarSecrets && keytarSecrets.length > 0) return keytarSecrets;
+		} catch {
+			// fall through
+		}
 	}
-	// Build credential list from env vars
+	// File store fallback
+	const fileData = readCredFile();
+	if (Object.keys(fileData).length > 0) {
+		return Object.entries(fileData).map(([account, password]) => ({
+			account,
+			password,
+		}));
+	}
+	// Env var fallback
 	const secrets = [];
 	for (const [key, envVar] of Object.entries(ENV_VAR_MAP)) {
 		if (process.env[envVar]) {
@@ -91,12 +151,25 @@ export const getAllSecrets = async () => {
 export const deleteAllSecrets = async () => {
 	try {
-		const secrets = await getAllSecrets();
-		if (secrets && secrets.length > 0) {
-			const deletionPromises = secrets.map(
-				async ({ account }) => await deleteSecret(account)
-			);
-			await Promise.all(deletionPromises);
+		const keytar = await getKeytar();
+		if (keytar) {
+			try {
+				const secrets = await keytar.findCredentials(SERVICE_NAME);
+				if (secrets && secrets.length > 0) {
+					await Promise.all(
+						secrets.map(({ account }) =>
+							keytar.deletePassword(SERVICE_NAME, account)
+						)
+					);
+					return;
+				}
+			} catch {
+				// fall through to file store
+			}
+		}
+		// File store fallback
+		if (fs.existsSync(CRED_FILE)) {
+			fs.unlinkSync(CRED_FILE);
 		}
 	} catch (error) {
 		console.error(`Error deleting all secrets:`, error.message);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@boltic/cli",
-	"version": "1.0.44-dev1.2",
+	"version": "1.0.44-dev1.4",
 	"description": "Professional CLI for interacting with the Boltic platform — create, manage, and publish integrations, serverless functions, workflows, MCPs, and more with enterprise-grade features and a seamless developer experience",
 	"main": "index.js",
 	"bin": {