@eide/foir-cli 0.13.1 → 0.14.1

package/dist/cli.js

@@ -472,6 +472,7 @@ import { HooksService as HooksService2 } from "@eide/foir-proto-ts/hooks/v1/hook
 import { NotificationsService as NotificationsService2 } from "@eide/foir-proto-ts/notifications/v1/notifications_pb";
 import { SchedulesService as SchedulesService2 } from "@eide/foir-proto-ts/schedules/v1/schedules_pb";
 import { AppsService as AppsService2 } from "@eide/foir-proto-ts/apps/v1/apps_service_pb";
+import { SecretsService as SecretsService2 } from "@eide/foir-proto-ts/secrets/v1/secrets_pb";
 
 // src/lib/rpc/identity.ts
 import { create } from "@bufbuild/protobuf";
@@ -1447,21 +1448,12 @@ import {
   ListScheduledPublishesRequestSchema,
   ListDraftVersionsRequestSchema,
   BatchPublishVersionsRequestSchema,
-  CreatePublishBatchRequestSchema,
-  UpdatePublishBatchRequestSchema,
-  CancelPublishBatchRequestSchema,
-  RollbackPublishBatchRequestSchema,
-  RetryFailedBatchItemsRequestSchema,
-  AddItemsToPublishBatchRequestSchema,
-  RemoveItemsFromPublishBatchRequestSchema,
-  ListPublishBatchesRequestSchema,
-  GetPublishBatchRequestSchema,
   GlobalSearchRequestSchema,
   GetEmbeddingStatsRequestSchema,
   GetRecordEmbeddingsRequestSchema,
   FindSimilarRecordsRequestSchema
 } from "@eide/foir-proto-ts/records/v1/records_pb";
-import { RecordType, BatchStatus } from "@eide/foir-proto-ts/records/v1/records_pb";
+import { RecordType } from "@eide/foir-proto-ts/records/v1/records_pb";
 function sanitizeData(obj) {
   const result = {};
   for (const [key, value] of Object.entries(obj)) {
@@ -1770,103 +1762,6 @@ function createRecordsMethods(client) {
         publishedCount: resp.publishedCount
       };
     },
-    // ── Publish Batches ───────────────────────────────────────
-    async createPublishBatch(params) {
-      const resp = await client.createPublishBatch(
-        create4(CreatePublishBatchRequestSchema, {
-          name: params.name,
-          versionIds: params.versionIds,
-          scheduledAt: params.scheduledAt ? {
-            seconds: BigInt(
-              Math.floor(params.scheduledAt.getTime() / 1e3)
-            ),
-            nanos: 0
-          } : void 0
-        })
-      );
-      return resp.batch ?? null;
-    },
-    async updatePublishBatch(params) {
-      const resp = await client.updatePublishBatch(
-        create4(UpdatePublishBatchRequestSchema, {
-          batchId: params.batchId,
-          name: params.name,
-          scheduledAt: params.scheduledAt ? {
-            seconds: BigInt(
-              Math.floor(params.scheduledAt.getTime() / 1e3)
-            ),
-            nanos: 0
-          } : void 0
-        })
-      );
-      return resp.batch ?? null;
-    },
-    async cancelPublishBatch(batchId) {
-      const resp = await client.cancelPublishBatch(
-        create4(CancelPublishBatchRequestSchema, { batchId })
-      );
-      return resp.batch ?? null;
-    },
-    async rollbackPublishBatch(batchId) {
-      const resp = await client.rollbackPublishBatch(
-        create4(RollbackPublishBatchRequestSchema, { batchId })
-      );
-      return resp.batch ?? null;
-    },
-    async retryFailedBatchItems(batchId) {
-      const resp = await client.retryFailedBatchItems(
-        create4(RetryFailedBatchItemsRequestSchema, { batchId })
-      );
-      return {
-        batch: resp.batch ?? null,
-        retriedCount: resp.retriedCount
-      };
-    },
-    async addItemsToPublishBatch(batchId, versionIds) {
-      const resp = await client.addItemsToPublishBatch(
-        create4(AddItemsToPublishBatchRequestSchema, { batchId, versionIds })
-      );
-      return resp.batch ?? null;
-    },
-    async removeItemsFromPublishBatch(batchId, versionIds) {
-      const resp = await client.removeItemsFromPublishBatch(
-        create4(RemoveItemsFromPublishBatchRequestSchema, {
-          batchId,
-          versionIds
-        })
-      );
-      return resp.batch ?? null;
-    },
-    async listPublishBatches(params) {
-      const resp = await client.listPublishBatches(
-        create4(ListPublishBatchesRequestSchema, {
-          status: params?.status,
-          from: params?.from ? {
-            seconds: BigInt(Math.floor(params.from.getTime() / 1e3)),
-            nanos: 0
-          } : void 0,
-          to: params?.to ? {
-            seconds: BigInt(Math.floor(params.to.getTime() / 1e3)),
-            nanos: 0
-          } : void 0,
-          limit: params?.limit ?? 50,
-          offset: params?.offset ?? 0
-        })
-      );
-      return {
-        items: resp.batches ?? [],
-        total: resp.total
-      };
-    },
-    async getPublishBatch(batchId) {
-      const resp = await client.getPublishBatch(
-        create4(GetPublishBatchRequestSchema, { batchId })
-      );
-      return {
-        batch: resp.batch ?? null,
-        versions: resp.versions ?? []
-      };
-    },
     // ── Search & Embeddings ──────────────────────────────────
     async globalSearch(params) {
       const resp = await client.globalSearch(
@@ -3241,6 +3136,74 @@ function createCronSchedulesMethods(client) {
   };
 }
 
+// src/lib/rpc/secrets.ts
+import { create as create14 } from "@bufbuild/protobuf";
+import {
+  PutSecretRequestSchema,
+  GetSecretRequestSchema,
+  ListSecretsRequestSchema,
+  RotateSecretRequestSchema,
+  DeleteSecretRequestSchema,
+  RestoreSecretRequestSchema,
+  PurgeSoftDeletedRequestSchema,
+  OwnerKind
+} from "@eide/foir-proto-ts/secrets/v1/secrets_pb";
+function createSecretsMethods(client) {
+  return {
+    async put(args) {
+      const resp = await client.putSecret(
+        create14(PutSecretRequestSchema, {
+          tenantId: args.tenantId,
+          projectId: args.projectId,
+          ownerKind: args.ownerKind,
+          ownerId: args.ownerId ?? "",
+          label: args.label ?? "",
+          plaintext: args.plaintext
+        })
+      );
+      return resp.ref;
+    },
+    async get(ref, purpose) {
+      return client.getSecret(
+        create14(GetSecretRequestSchema, { ref, purpose: purpose ?? "" })
+      );
+    },
+    async list(args) {
+      const resp = await client.listSecrets(
+        create14(ListSecretsRequestSchema, {
+          tenantId: args.tenantId,
+          projectId: args.projectId,
+          ownerKind: args.ownerKind ?? OwnerKind.UNSPECIFIED,
+          ownerId: args.ownerId ?? "",
+          includeSoftDeleted: args.includeSoftDeleted ?? false
+        })
+      );
+      return resp.secrets;
+    },
+    async rotate(ref, plaintext) {
+      const resp = await client.rotateSecret(
+        create14(RotateSecretRequestSchema, { ref, plaintext })
+      );
+      return resp.newRef;
+    },
+    async delete(ref) {
+      await client.deleteSecret(create14(DeleteSecretRequestSchema, { ref }));
+    },
+    async restore(ref) {
+      await client.restoreSecret(create14(RestoreSecretRequestSchema, { ref }));
+    },
+    async purge(args = {}) {
+      const resp = await client.purgeSoftDeleted(
+        create14(PurgeSoftDeletedRequestSchema, {
+          tenantId: args.tenantId ?? "",
+          projectId: args.projectId ?? ""
+        })
+      );
+      return resp.purgedCount;
+    }
+  };
+}
+
 // src/lib/client.ts
 async function createPlatformClient(options) {
   const apiUrl = getApiUrl(options);
@@ -3300,7 +3263,8 @@ async function createPlatformClient(options) {
     cronSchedules: createCronSchedulesMethods(
       createRpcClient(SchedulesService2, transport)
     ),
-    apps: createAppsMethods(createRpcClient(AppsService2, transport))
+    apps: createAppsMethods(createRpcClient(AppsService2, transport)),
+    secrets: createSecretsMethods(createRpcClient(SecretsService2, transport))
   };
 }
 function createPlatformClientWithHeaders(apiUrl, headers) {
@@ -3336,7 +3300,8 @@ function createPlatformClientWithHeaders(apiUrl, headers) {
     cronSchedules: createCronSchedulesMethods(
       createRpcClient(SchedulesService2, transport)
     ),
-    apps: createAppsMethods(createRpcClient(AppsService2, transport))
+    apps: createAppsMethods(createRpcClient(AppsService2, transport)),
+    secrets: createSecretsMethods(createRpcClient(SecretsService2, transport))
   };
 }
 async function getStorageAuth(options) {
@@ -8758,6 +8723,188 @@ function classToLabel(n) {
   }
 }
 
+// src/commands/secrets.ts
+import { promises as fs5 } from "fs";
+function registerSecretsCommands(program2, globalOpts) {
+  const secrets = program2.command("secrets").description("Manage vault secrets");
+  secrets.command("put").description("Store a new secret and print its ref").option("--label <label>", "Optional human-readable label").option("--app <name>", "Owner: app name (defaults to project-owned)").option("--file <path>", "Read plaintext from file (binary-safe)").option("--value <plaintext>", "Plaintext value (string only; prefer --file for binary)").action(
+    withErrorHandler(globalOpts, async (cmdOpts) => {
+      const opts = globalOpts();
+      const resolved = await requireProject2(opts);
+      const plaintext = await readPlaintext(cmdOpts);
+      const client = await createPlatformClient(opts);
+      const ownerKind = cmdOpts.app ? OwnerKind.APP : OwnerKind.PROJECT;
+      const ref = await client.secrets.put({
+        tenantId: resolved.project.tenantId,
+        projectId: resolved.project.id,
+        ownerKind,
+        ownerId: cmdOpts.app,
+        label: cmdOpts.label,
+        plaintext
+      });
+      if (opts.json || opts.jsonl) {
+        formatOutput({ ref }, opts);
+      } else if (opts.quiet) {
+        console.log(ref);
+      } else {
+        success(`Stored secret`);
+        console.log(`  ref:   ${ref}`);
+        if (cmdOpts.label) console.log(`  label: ${cmdOpts.label}`);
+        if (cmdOpts.app) console.log(`  app:   ${cmdOpts.app}`);
+      }
+    })
+  );
+  secrets.command("list").description("List secrets metadata (no plaintext)").option("--app <name>", "List app-owned secrets for this app").option("--include-soft-deleted", "Include soft-deleted entries").action(
+    withErrorHandler(globalOpts, async (cmdOpts) => {
+      const opts = globalOpts();
+      const resolved = await requireProject2(opts);
+      const client = await createPlatformClient(opts);
+      const ownerKind = cmdOpts.app ? OwnerKind.APP : OwnerKind.PROJECT;
+      const items = await client.secrets.list({
+        tenantId: resolved.project.tenantId,
+        projectId: resolved.project.id,
+        ownerKind,
+        ownerId: typeof cmdOpts.app === "string" ? cmdOpts.app : "",
+        includeSoftDeleted: !!cmdOpts.includeSoftDeleted
+      });
+      if (opts.json || opts.jsonl) {
+        formatOutput(
+          items.map((s) => ({
+            ref: s.ref,
+            label: s.label,
+            ownerKind: ownerKindToString(s.ownerKind),
+            ownerId: s.ownerId,
+            createdAt: tsToString(s.createdAt),
+            lastReadAt: tsToString(s.lastReadAt),
+            softDeletedAt: tsToString(s.softDeletedAt)
+          })),
+          opts
+        );
+        return;
+      }
+      if (items.length === 0) {
+        warn("No secrets found.");
+        return;
+      }
+      for (const s of items) {
+        const owner = s.ownerKind === OwnerKind.APP ? `app:${s.ownerId}` : "project";
+        const deleted = s.softDeletedAt ? "  [soft-deleted]" : "";
+        console.log(`${s.ref}  ${owner.padEnd(24)}  ${s.label ?? ""}${deleted}`);
+      }
+    })
+  );
+  secrets.command("rotate <ref>").description("Replace plaintext for an existing ref; returns new ref").option("--file <path>", "Read plaintext from file (binary-safe)").option("--value <plaintext>", "Plaintext value (string only; prefer --file for binary)").option("--confirm", "Skip confirmation prompt").action(
+    withErrorHandler(globalOpts, async (ref, cmdOpts) => {
+      const opts = globalOpts();
+      const confirmed = await confirmAction(
+        `Rotate secret ${ref}? Every record pointing at it will be updated to the new ref.`,
+        { confirm: !!cmdOpts.confirm }
+      );
+      if (!confirmed) {
+        console.log("Aborted.");
+        return;
+      }
+      const plaintext = await readPlaintext(cmdOpts);
+      const client = await createPlatformClient(opts);
+      const newRef = await client.secrets.rotate(ref, plaintext);
+      if (opts.json || opts.jsonl) {
+        formatOutput({ oldRef: ref, newRef }, opts);
+      } else if (opts.quiet) {
+        console.log(newRef);
+      } else {
+        success(`Rotated`);
+        console.log(`  old: ${ref}`);
+        console.log(`  new: ${newRef}`);
+      }
+    })
+  );
+  secrets.command("delete <ref>").description("Soft-delete a secret (recoverable until purged)").option("--confirm", "Skip confirmation prompt").action(
+    withErrorHandler(globalOpts, async (ref, cmdOpts) => {
+      const opts = globalOpts();
+      const confirmed = await confirmAction(
+        `Soft-delete secret ${ref}? Refuses if the secret is still referenced.`,
+        { confirm: !!cmdOpts.confirm }
+      );
+      if (!confirmed) {
+        console.log("Aborted.");
+        return;
+      }
+      const client = await createPlatformClient(opts);
+      await client.secrets.delete(ref);
+      success(`Deleted ${ref}`);
+    })
+  );
+  secrets.command("restore <ref>").description("Undo a soft-delete (only valid before purge_after passes)").action(
+    withErrorHandler(globalOpts, async (ref) => {
+      const opts = globalOpts();
+      const client = await createPlatformClient(opts);
+      await client.secrets.restore(ref);
+      success(`Restored ${ref}`);
+    })
+  );
+  secrets.command("purge").description("Drop every soft-deleted secret past its TTL (admin-only)").option("--confirm", "Skip confirmation prompt").action(
+    withErrorHandler(globalOpts, async (cmdOpts) => {
+      const opts = globalOpts();
+      const confirmed = await confirmAction(
+        `Purge soft-deleted secrets? Cannot be undone.`,
+        { confirm: !!cmdOpts.confirm }
+      );
+      if (!confirmed) {
+        console.log("Aborted.");
+        return;
+      }
+      const resolved = await requireProject2(opts);
+      const client = await createPlatformClient(opts);
+      const count = await client.secrets.purge({
+        tenantId: resolved.project.tenantId,
+        projectId: resolved.project.id
+      });
+      success(`Purged ${count} secret(s)`);
+    })
+  );
+}
+async function requireProject2(opts) {
+  const resolved = await resolveProjectContext(opts);
+  if (!resolved) {
+    throw new Error(
+      "No project selected. Run `foir select-project` or set FOIR_PROJECT."
+    );
+  }
+  return resolved;
+}
+async function readPlaintext(cmdOpts) {
+  const file = typeof cmdOpts.file === "string" ? cmdOpts.file : "";
+  const value = typeof cmdOpts.value === "string" ? cmdOpts.value : "";
+  if (file && value) {
+    throw new Error("Pass either --file or --value, not both.");
+  }
+  if (!file && !value) {
+    throw new Error("One of --file or --value is required.");
+  }
+  if (file) {
+    return fs5.readFile(file);
+  }
+  return new TextEncoder().encode(value);
+}
+function ownerKindToString(k) {
+  switch (k) {
+    case OwnerKind.PROJECT:
+      return "project";
+    case OwnerKind.APP:
+      return "app";
+    case OwnerKind.CUSTOMER:
+      return "customer";
+    default:
+      return "";
+  }
+}
+function tsToString(t) {
+  if (!t || t.seconds === void 0 && t.nanos === void 0) return "";
+  const seconds = Number(t.seconds ?? 0n);
+  const nanos = t.nanos ?? 0;
+  return new Date(seconds * 1e3 + Math.floor(nanos / 1e6)).toISOString();
+}
+
 // src/cli.ts
 var __filename = fileURLToPath(import.meta.url);
 var __dirname = dirname4(__filename);
@@ -8807,4 +8954,5 @@ registerNotesCommands(program, getGlobalOpts);
 registerNotificationsCommands(program, getGlobalOpts);
 registerConfigsCommands(program, getGlobalOpts);
 registerAppsCommands(program, getGlobalOpts);
+registerSecretsCommands(program, getGlobalOpts);
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eide/foir-cli",
-  "version": "0.13.1",
+  "version": "0.14.1",
   "description": "Universal platform CLI for Foir platform",
   "type": "module",
   "publishConfig": {
@@ -50,7 +50,7 @@
     "@bufbuild/protovalidate": "^1.1.1",
     "@connectrpc/connect": "^2.0.0",
     "@connectrpc/connect-node": "^2.0.0",
-    "@eide/foir-proto-ts": "^0.31.0",
+    "@eide/foir-proto-ts": "^0.40.0",
     "chalk": "^5.3.0",
     "commander": "^12.1.0",
     "dotenv": "^16.4.5",