npm - @eide/foir-cli - Versions diffs - 0.17.0 → 0.18.0 - Mend

@eide/foir-cli 0.17.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js +221 -0
package/dist/lib/config-helpers.d.ts +34 -1
package/dist/lib/config-helpers.js +4 -0
package/package.json +1 -1

package/dist/cli.js CHANGED Viewed

@@ -9115,7 +9115,9 @@ function classToLabel(n) {
 }
 // src/commands/secrets.ts
+import { existsSync as existsSync6 } from "fs";
 import { promises as fs5 } from "fs";
+import { resolve as resolvePath } from "path";
 function registerSecretsCommands(program2, globalOpts) {
   const secrets = program2.command("secrets").description("Manage vault secrets");
   secrets.command("put").description("Store a new secret and print its ref").option("--label <label>", "Optional human-readable label").option("--app <name>", "Owner: app name (defaults to project-owned)").option("--file <path>", "Read plaintext from file (binary-safe)").option("--value <plaintext>", "Plaintext value (string only; prefer --file for binary)").action(
@@ -9233,6 +9235,110 @@ function registerSecretsCommands(program2, globalOpts) {
       success(`Restored ${ref}`);
     })
   );
+  secrets.command("push").description(
+    "Reconcile foir.secrets.ts against the project vault: create missing secrets, optionally rotate existing ones"
+  ).option("--config <path>", "Path to foir.secrets.ts (default: auto-discover)").option("--plaintext <path>", "Path to local.foir.secrets.ts (default: auto-discover)").option("--rotate", "Rotate plaintext for secrets that already exist").option("--dry-run", "Show what would change without calling PutSecret/RotateSecret").action(
+    withErrorHandler(globalOpts, async (cmdOpts) => {
+      const opts = globalOpts();
+      const resolved = await requireProject2(opts);
+      const configPath = await resolveSecretsConfigPath(
+        typeof cmdOpts.config === "string" ? cmdOpts.config : void 0
+      );
+      const plaintextPath = await resolvePlaintextPath(
+        typeof cmdOpts.plaintext === "string" ? cmdOpts.plaintext : void 0
+      );
+      const declared = await loadConfig(configPath);
+      validateSecretsConfig(declared, configPath);
+      const plaintextSource = plaintextPath ? await loadConfig(plaintextPath) : {};
+      const dryRun = !!cmdOpts["dry-run"];
+      const rotate = !!cmdOpts.rotate;
+      const client = await createPlatformClient(opts);
+      const groups = groupDeclarations(declared.secrets);
+      const planEntries = [];
+      for (const group of groups) {
+        const existing = await client.secrets.list({
+          tenantId: resolved.project.tenantId,
+          projectId: resolved.project.id,
+          ownerKind: group.ownerKind,
+          ownerId: group.ownerId ?? "",
+          includeSoftDeleted: false
+        });
+        const existingByLabel = new Map(
+          existing.filter((s) => s.label).map((s) => [s.label, s])
+        );
+        for (const decl of group.decls) {
+          const remote = existingByLabel.get(decl.label);
+          if (remote && !rotate) {
+            planEntries.push({ decl, action: "skip", existingRef: remote.ref });
+            continue;
+          }
+          if (remote && rotate) {
+            planEntries.push({ decl, action: "rotate", existingRef: remote.ref });
+            continue;
+          }
+          planEntries.push({ decl, action: "create" });
+        }
+      }
+      const needsPlaintext = planEntries.filter(
+        (e) => e.action === "create" || e.action === "rotate"
+      );
+      const missingPlaintext = needsPlaintext.map((e) => e.decl.label).filter((label) => !(label in plaintextSource));
+      if (missingPlaintext.length > 0 && !dryRun) {
+        throw new Error(
+          `Missing plaintext for ${missingPlaintext.length} secret(s) in ${plaintextPath ?? "local.foir.secrets.ts"}: ${missingPlaintext.join(", ")}. Add an entry for each label, or pass --dry-run to preview without resolving plaintext.`
+        );
+      }
+      if (dryRun) {
+        formatPushPlan(planEntries, opts);
+        return;
+      }
+      const results = [];
+      for (const entry of planEntries) {
+        if (entry.action === "skip") {
+          results.push({ ...entry, ref: entry.existingRef });
+          continue;
+        }
+        const raw = plaintextSource[entry.decl.label];
+        if (raw === void 0) {
+          throw new Error(`unreachable: missing plaintext for ${entry.decl.label}`);
+        }
+        const plaintext = toUint8Array(raw);
+        if (entry.action === "create") {
+          const ref = await client.secrets.put({
+            tenantId: resolved.project.tenantId,
+            projectId: resolved.project.id,
+            ownerKind: ownerKindFromString(entry.decl.ownerKind),
+            ownerId: entry.decl.ownerId,
+            label: entry.decl.label,
+            plaintext
+          });
+          results.push({ ...entry, ref });
+        } else {
+          const newRef = await client.secrets.rotate(entry.existingRef, plaintext);
+          results.push({ ...entry, ref: newRef });
+        }
+      }
+      if (opts.json || opts.jsonl) {
+        formatOutput(
+          results.map((r) => ({
+            label: r.decl.label,
+            ownerKind: r.decl.ownerKind,
+            ownerId: r.decl.ownerId,
+            action: r.action,
+            ref: r.ref
+          })),
+          opts
+        );
+        return;
+      }
+      const created = results.filter((r) => r.action === "create").length;
+      const rotated = results.filter((r) => r.action === "rotate").length;
+      const skipped = results.filter((r) => r.action === "skip").length;
+      success(
+        `secrets push: ${created} created, ${rotated} rotated, ${skipped} unchanged`
+      );
+    })
+  );
   secrets.command("purge").description("Drop every soft-deleted secret past its TTL (admin-only)").option("--confirm", "Skip confirmation prompt").action(
     withErrorHandler(globalOpts, async (cmdOpts) => {
       const opts = globalOpts();
@@ -9295,6 +9401,121 @@ function tsToString(t) {
   const nanos = t.nanos ?? 0;
   return new Date(seconds * 1e3 + Math.floor(nanos / 1e6)).toISOString();
 }
+var SECRETS_CONFIG_NAMES = [
+  "foir.secrets.ts",
+  "foir.secrets.js",
+  "foir.secrets.mjs",
+  "foir.secrets.json"
+];
+var PLAINTEXT_CONFIG_NAMES = [
+  "local.foir.secrets.ts",
+  "local.foir.secrets.js",
+  "local.foir.secrets.mjs",
+  "local.foir.secrets.json"
+];
+async function resolveSecretsConfigPath(explicit) {
+  if (explicit) {
+    if (!existsSync6(explicit)) {
+      throw new Error(`Secrets config not found: ${explicit}`);
+    }
+    return resolvePath(explicit);
+  }
+  for (const name of SECRETS_CONFIG_NAMES) {
+    const path3 = resolvePath(process.cwd(), name);
+    if (existsSync6(path3)) return path3;
+  }
+  throw new Error(
+    `No secrets config found. Looked for: ${SECRETS_CONFIG_NAMES.join(", ")}.`
+  );
+}
+async function resolvePlaintextPath(explicit) {
+  if (explicit) {
+    if (!existsSync6(explicit)) {
+      throw new Error(`Plaintext file not found: ${explicit}`);
+    }
+    return resolvePath(explicit);
+  }
+  for (const name of PLAINTEXT_CONFIG_NAMES) {
+    const path3 = resolvePath(process.cwd(), name);
+    if (existsSync6(path3)) return path3;
+  }
+  return null;
+}
+function validateSecretsConfig(cfg, path3) {
+  if (!cfg || !Array.isArray(cfg.secrets)) {
+    throw new Error(`${path3}: default export must be { secrets: [...] }`);
+  }
+  const seen = /* @__PURE__ */ new Set();
+  for (const decl of cfg.secrets) {
+    if (!decl.label) {
+      throw new Error(`${path3}: every secret declaration needs a label`);
+    }
+    if (decl.ownerKind !== "project" && decl.ownerKind !== "app") {
+      throw new Error(
+        `${path3}: ownerKind must be "project" or "app" for label ${decl.label}, got ${decl.ownerKind}`
+      );
+    }
+    if (decl.ownerKind === "app" && !decl.ownerId) {
+      throw new Error(
+        `${path3}: app-owned secret ${decl.label} requires ownerId`
+      );
+    }
+    const dedupeKey = `${decl.ownerKind}|${decl.ownerId ?? ""}|${decl.label}`;
+    if (seen.has(dedupeKey)) {
+      throw new Error(`${path3}: duplicate secret declaration: ${dedupeKey}`);
+    }
+    seen.add(dedupeKey);
+  }
+}
+function groupDeclarations(decls) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const decl of decls) {
+    const key = `${decl.ownerKind}|${decl.ownerId ?? ""}`;
+    const existing = byKey.get(key);
+    if (existing) {
+      existing.decls.push(decl);
+    } else {
+      byKey.set(key, {
+        ownerKind: ownerKindFromString(decl.ownerKind),
+        ownerId: decl.ownerId,
+        decls: [decl]
+      });
+    }
+  }
+  return Array.from(byKey.values());
+}
+function ownerKindFromString(s) {
+  return s === "app" ? OwnerKind.APP : OwnerKind.PROJECT;
+}
+function toUint8Array(v) {
+  if (v instanceof Uint8Array) return v;
+  return new TextEncoder().encode(v);
+}
+function formatPushPlan(plan, opts) {
+  if (opts.json || opts.jsonl) {
+    formatOutput(
+      plan.map((e) => ({
+        label: e.decl.label,
+        ownerKind: e.decl.ownerKind,
+        ownerId: e.decl.ownerId,
+        action: e.action,
+        existingRef: e.action === "create" ? void 0 : e.existingRef
+      })),
+      opts
+    );
+    return;
+  }
+  if (plan.length === 0) {
+    warn("No secrets declared.");
+    return;
+  }
+  for (const entry of plan) {
+    const owner = entry.decl.ownerKind === "app" ? `app:${entry.decl.ownerId}` : "project";
+    const action = entry.action.padEnd(7);
+    const ref = entry.action === "create" ? "" : entry.existingRef;
+    console.log(`${action}  ${owner.padEnd(24)}  ${entry.decl.label.padEnd(32)}  ${ref}`);
+  }
+}
 // src/cli.ts
 var __filename = fileURLToPath(import.meta.url);

package/dist/lib/config-helpers.d.ts CHANGED Viewed

@@ -354,5 +354,38 @@ declare function defineAuthProvider(provider: ApplyConfigAuthProviderInput): App
 declare function defineHook(hook: ApplyConfigHookInput): ApplyConfigHookInput;
 /** Define an editor placement (sidebar or main-editor tab). */
 declare function definePlacement(placement: ApplyConfigPlacementInput): ApplyConfigPlacementInput;
+type SecretOwnerKind = 'project' | 'app';
+/**
+ * One declared secret. `label` is the human-readable handle the
+ * reconciler uses to look the secret up in the vault — no opaque ref
+ * is committed. `ownerId` is required for app-owned secrets and ignored
+ * for project-owned ones.
+ */
+interface SecretDeclaration {
+    ownerKind: SecretOwnerKind;
+    ownerId?: string;
+    label: string;
+}
+/** Shape of a `foir.secrets.ts` default export. */
+interface FoirSecretsConfig {
+    secrets: SecretDeclaration[];
+}
+/**
+ * Type-safe identity helper for `foir.secrets.ts`:
+ *
+ * ```ts
+ * import { defineSecrets } from '@eide/foir-cli/configs';
+ * export default defineSecrets({
+ *   secrets: [
+ *     { ownerKind: 'project', label: 'deepl_api_key' },
+ *   ],
+ * });
+ * ```
+ *
+ * Plaintext lives in a sibling `local.foir.secrets.ts` (gitignored)
+ * keyed by label, or in env vars. Production never runs the
+ * reconciler — operators set production secrets through the admin UI.
+ */
+declare function defineSecrets(config: FoirSecretsConfig): FoirSecretsConfig;
-export { type AppInput, type AppPlacementFieldChoiceInput, type AppSinkMappingInput, type AppSourceMappingInput, type ApplyConfigApiKeyInput, type ApplyConfigAuthProviderInput, type ApplyConfigHookInput, type ApplyConfigInput, type ApplyConfigModelInput, type ApplyConfigOperationInput, type ApplyConfigPlacementInput, type ApplyConfigProjectInput, type ApplyConfigProjectSettingsInput, type ApplyConfigScheduleInput, type ApplyConfigSegmentInput, type ExpressionPrecondition, type FieldDefinitionInput, type Precondition, type QuotaRule, type SegmentPrecondition, type SelectFieldConfig, type SelectFieldDefinitionInput, defineAuthProvider, defineConfig, defineField, defineHook, defineModel, defineOperation, definePlacement, defineSchedule, defineSegment, defineSelectField };
+export { type AppInput, type AppPlacementFieldChoiceInput, type AppSinkMappingInput, type AppSourceMappingInput, type ApplyConfigApiKeyInput, type ApplyConfigAuthProviderInput, type ApplyConfigHookInput, type ApplyConfigInput, type ApplyConfigModelInput, type ApplyConfigOperationInput, type ApplyConfigPlacementInput, type ApplyConfigProjectInput, type ApplyConfigProjectSettingsInput, type ApplyConfigScheduleInput, type ApplyConfigSegmentInput, type ExpressionPrecondition, type FieldDefinitionInput, type FoirSecretsConfig, type Precondition, type QuotaRule, type SecretDeclaration, type SecretOwnerKind, type SegmentPrecondition, type SelectFieldConfig, type SelectFieldDefinitionInput, defineAuthProvider, defineConfig, defineField, defineHook, defineModel, defineOperation, definePlacement, defineSchedule, defineSecrets, defineSegment, defineSelectField };

package/dist/lib/config-helpers.js CHANGED Viewed

@@ -29,6 +29,9 @@ function defineHook(hook) {
 function definePlacement(placement) {
   return placement;
 }
+function defineSecrets(config) {
+  return config;
+}
 export {
   defineAuthProvider,
   defineConfig,
@@ -38,6 +41,7 @@ export {
   defineOperation,
   definePlacement,
   defineSchedule,
+  defineSecrets,
   defineSegment,
   defineSelectField
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eide/foir-cli",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "description": "Universal platform CLI for Foir platform",
   "type": "module",
   "publishConfig": {