npm - @elding/cli - Versions diffs - 0.2.0 → 0.3.0 - Mend

@elding/cli 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/commands/doctor.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function doctor(): Promise<void>;

package/dist/commands/doctor.js ADDED Viewed

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.doctor = doctor;
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+async function doctor() {
+    const { default: chalk } = await import("chalk");
+    const ok = (m) => console.log(`${chalk.green("✓")} ${m}`);
+    const warn = (m) => console.log(`${chalk.yellow("!")} ${m}`);
+    const fail = (m) => console.log(`${chalk.red("✗")} ${m}`);
+    console.log(chalk.dim(`API : ${api_js_1.BASE_URL}\n`));
+    // 1. Token local
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        fail("Non connecté — lancez `elding login`");
+        return;
+    }
+    ok("Token local présent (~/.elding/config.json)");
+    // 2. Token valide + utilisateur
+    let accessToken;
+    try {
+        accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
+        const me = await (0, api_js_1.getMe)(accessToken);
+        ok(`Authentifié : ${me.email}`);
+    }
+    catch {
+        fail("Token expiré ou révoqué — relancez `elding login`");
+        return;
+    }
+    // 3. Set du projet
+    const project = (0, config_js_1.readProject)();
+    if (!project) {
+        warn("Aucun set configuré — lancez `elding init` ou `elding use <set>`");
+        return;
+    }
+    ok(`Set actif : ${project.setName}`);
+    // 4. Clés + verrouillage host
+    try {
+        const keys = await (0, api_js_1.listKeys)(accessToken, project.setId);
+        if (keys.length === 0)
+            warn("Le set ne contient aucune clé");
+        else {
+            const locked = keys.filter((k) => k.allowedHost).length;
+            ok(`${keys.length} clé(s) — ${locked} verrouillée(s) sur un domaine`);
+            if (locked < keys.length)
+                warn(`${keys.length - locked} clé(s) sans domaine : exfiltrables via le proxy`);
+        }
+    }
+    catch {
+        fail("Impossible de lire les clés du set");
+    }
+    // 5. Proxy
+    if (process.env.ELDING_PROXY_URL)
+        ok(`Proxy actif : ${process.env.ELDING_PROXY_URL}`);
+    else
+        console.log(chalk.dim("○ Proxy inactif (normal hors `elding proxy`)"));
+}

package/dist/commands/keys.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function keys(): Promise<void>;

package/dist/commands/keys.js ADDED Viewed

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keys = keys;
+const api_js_1 = require("../lib/api.js");
+const config_js_1 = require("../lib/config.js");
+const session_js_1 = require("../lib/session.js");
+async function keys() {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const project = (0, config_js_1.readProject)();
+    if (!project) {
+        console.error(chalk.red("Projet non initialisé. Lancez `elding init` ou `elding use <set>`."));
+        process.exit(1);
+    }
+    const spinner = ora("Récupération des clés...").start();
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const list = await (0, api_js_1.listKeys)(accessToken, project.setId);
+    spinner.stop();
+    console.log(chalk.dim(`Set : ${project.setName}`));
+    if (list.length === 0) {
+        console.log(chalk.yellow("Aucune clé dans ce set."));
+        return;
+    }
+    for (const k of list) {
+        const host = k.allowedHost
+            ? chalk.dim(` → ${k.allowedHost}`)
+            : chalk.yellow(" → aucun domaine (non verrouillé)");
+        console.log(`  ${k.name}${host}`);
+    }
+}

package/dist/commands/open.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function open(): Promise<void>;

package/dist/commands/open.js ADDED Viewed

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.open = open;
+const api_js_1 = require("../lib/api.js");
+async function open() {
+    const { default: chalk } = await import("chalk");
+    const { default: openUrl } = await import("open");
+    const url = `${api_js_1.BASE_URL}/vault`;
+    await openUrl(url).catch(() => {
+        console.log(chalk.cyan(`Ouvrez manuellement : ${url}`));
+    });
+    console.log(chalk.dim(`Vault ouvert : ${url}`));
+}

package/dist/commands/proxy.d.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export declare function proxy(cmd: string, args: string[]): Promise<void>;
1	+ export declare function proxy(cmd: string, args: string[], verbose?: boolean): Promise<void>;

package/dist/commands/proxy.js CHANGED Viewed

@@ -5,7 +5,7 @@ const child_process_1 = require("child_process");
 const config_js_1 = require("../lib/config.js");
 const api_js_1 = require("../lib/api.js");
 const proxyServer_js_1 = require("../lib/proxyServer.js");
-async function proxy(cmd, args) {
+async function proxy(cmd, args, verbose = false) {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
     const config = (0, config_js_1.readConfig)();
@@ -29,7 +29,7 @@ async function proxy(cmd, args) {
         spinner.fail(chalk.red(err instanceof Error ? err.message : "Erreur inconnue"));
         process.exit(1);
     }
-    const server = await (0, proxyServer_js_1.startProxy)(secrets, hosts);
+    const server = await (0, proxyServer_js_1.startProxy)(secrets, hosts, verbose);
     spinner.succeed(chalk.green(`Proxy actif sur ${server.url} — ${Object.keys(secrets).length} secret(s)`));
     console.log(chalk.dim("Les clés restent dans le proxy, jamais dans la mémoire de l'app."));
     const child = (0, child_process_1.spawn)(cmd, args, {

package/dist/commands/run.js CHANGED Viewed

@@ -21,7 +21,7 @@ async function run(cmd, args) {
     let secrets;
     try {
         const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
-        ({ secrets } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId));
+        ({ secrets } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId, "run"));
         spinner.succeed(chalk.green(`${Object.keys(secrets).length} secret(s) chargé(s).`));
     }
     catch (err) {

package/dist/commands/sets.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function sets(): Promise<void>;

package/dist/commands/sets.js ADDED Viewed

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sets = sets;
+const api_js_1 = require("../lib/api.js");
+const config_js_1 = require("../lib/config.js");
+const session_js_1 = require("../lib/session.js");
+async function sets() {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const spinner = ora("Récupération des sets...").start();
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const list = await (0, api_js_1.listSets)(accessToken);
+    spinner.stop();
+    if (list.length === 0) {
+        console.log(chalk.yellow("Aucun set. Créez-en un sur le vault."));
+        return;
+    }
+    const activeId = (0, config_js_1.readProject)()?.setId;
+    for (const s of list) {
+        const marker = s.id === activeId ? chalk.green("●") : chalk.dim("○");
+        const name = s.id === activeId ? chalk.green(s.name) : s.name;
+        console.log(`${marker} ${name} ${chalk.dim(`(${s.id})`)}`);
+    }
+}

package/dist/commands/use.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function use(nameArg: string): Promise<void>;

package/dist/commands/use.js ADDED Viewed

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.use = use;
+const api_js_1 = require("../lib/api.js");
+const config_js_1 = require("../lib/config.js");
+const session_js_1 = require("../lib/session.js");
+async function use(nameArg) {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const spinner = ora("Récupération des sets...").start();
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const list = await (0, api_js_1.listSets)(accessToken);
+    spinner.stop();
+    const query = nameArg.trim().toLowerCase();
+    const matches = list.filter((s) => s.name.toLowerCase() === query);
+    const candidates = matches.length ? matches : list.filter((s) => s.name.toLowerCase().includes(query));
+    if (candidates.length === 0) {
+        console.error(chalk.red(`Aucun set nommé "${nameArg}".`) + chalk.dim("  Voir `elding sets`."));
+        process.exit(1);
+    }
+    if (candidates.length > 1) {
+        console.error(chalk.red(`Plusieurs sets correspondent à "${nameArg}" :`));
+        candidates.forEach((s) => console.error(chalk.dim(`  - ${s.name}`)));
+        process.exit(1);
+    }
+    const set = candidates[0];
+    (0, config_js_1.writeProject)({ setId: set.id, setName: set.name });
+    console.log(chalk.green(`✓ Set actif : "${set.name}"`));
+}

package/dist/commands/whoami.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function whoami(): Promise<void>;

package/dist/commands/whoami.js ADDED Viewed

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.whoami = whoami;
+const api_js_1 = require("../lib/api.js");
+const session_js_1 = require("../lib/session.js");
+async function whoami() {
+    const { default: chalk } = await import("chalk");
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const me = await (0, api_js_1.getMe)(accessToken);
+    console.log(`${me.email}${me.name ? chalk.dim(` (${me.name})`) : ""}`);
+}

package/dist/index.js CHANGED Viewed

@@ -8,6 +8,12 @@ const run_js_1 = require("./commands/run.js");
 const proxy_js_1 = require("./commands/proxy.js");
 const logout_js_1 = require("./commands/logout.js");
 const status_js_1 = require("./commands/status.js");
+const sets_js_1 = require("./commands/sets.js");
+const use_js_1 = require("./commands/use.js");
+const keys_js_1 = require("./commands/keys.js");
+const doctor_js_1 = require("./commands/doctor.js");
+const open_js_1 = require("./commands/open.js");
+const whoami_js_1 = require("./commands/whoami.js");
 const program = new commander_1.Command();
 program
     .name("elding")
@@ -45,10 +51,11 @@ program
 program
     .command("proxy <cmd>")
     .description("Lancer une commande derrière un proxy local qui injecte les clés — jamais en mémoire de l'app")
+    .option("-v, --verbose", "Logger chaque requête (méthode/host/status/latence)")
     .allowUnknownOption()
     .action(async (cmd, options, command) => {
     const args = command.args.slice(1);
-    await (0, proxy_js_1.proxy)(cmd, args).catch((err) => {
+    await (0, proxy_js_1.proxy)(cmd, args, !!options.verbose).catch((err) => {
         console.error(err.message);
         process.exit(1);
     });
@@ -71,4 +78,58 @@ program
         process.exit(1);
     });
 });
+program
+    .command("sets")
+    .description("Lister les sets accessibles")
+    .action(async () => {
+    await (0, sets_js_1.sets)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("use <name>")
+    .description("Changer le set actif du projet")
+    .action(async (name) => {
+    await (0, use_js_1.use)(name).catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("keys")
+    .description("Lister les noms de clés du set actif (jamais les valeurs)")
+    .action(async () => {
+    await (0, keys_js_1.keys)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("doctor")
+    .description("Diagnostiquer la configuration (connexion, set, clés, proxy)")
+    .action(async () => {
+    await (0, doctor_js_1.doctor)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("open")
+    .description("Ouvrir le vault dans le navigateur")
+    .action(async () => {
+    await (0, open_js_1.open)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("whoami")
+    .description("Afficher l'utilisateur connecté")
+    .action(async () => {
+    await (0, whoami_js_1.whoami)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
 program.parse();

package/dist/lib/api.d.ts CHANGED Viewed

@@ -1,7 +1,13 @@
+export declare const BASE_URL: string;
 export type ApiKeySetItem = {
     id: string;
     name: string;
 };
+export type KeyItem = {
+    name: string;
+    allowedHost: string | null;
+};
+export declare function listKeys(accessToken: string, setId: string): Promise<KeyItem[]>;
 export declare function exchangeToken(refreshToken: string): Promise<string>;
 export declare function revokeToken(refreshToken: string): Promise<void>;
 export declare function getMe(accessToken: string): Promise<{
@@ -13,4 +19,4 @@ export type SecretsResult = {
     secrets: Record<string, string>;
     hosts: Record<string, string>;
 };
-export declare function fetchSecrets(accessToken: string, setId: string): Promise<SecretsResult>;
+export declare function fetchSecrets(accessToken: string, setId: string, mode?: "run" | "proxy"): Promise<SecretsResult>;

package/dist/lib/api.js CHANGED Viewed

@@ -1,13 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.BASE_URL = void 0;
+exports.listKeys = listKeys;
 exports.exchangeToken = exchangeToken;
 exports.revokeToken = revokeToken;
 exports.getMe = getMe;
 exports.listSets = listSets;
 exports.fetchSecrets = fetchSecrets;
-const BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
+exports.BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
+async function listKeys(accessToken, setId) {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/keys?setId=${encodeURIComponent(setId)}`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!res.ok)
+        throw new Error("Impossible de récupérer les clés");
+    const body = (await res.json());
+    return Array.isArray(body.keys) ? body.keys : [];
+}
 async function exchangeToken(refreshToken) {
-    const res = await fetch(`${BASE_URL}/api/cli/auth/token`, {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/auth/token`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ refreshToken }),
@@ -18,14 +29,14 @@ async function exchangeToken(refreshToken) {
     return body.accessToken;
 }
 async function revokeToken(refreshToken) {
-    await fetch(`${BASE_URL}/api/cli/auth/logout`, {
+    await fetch(`${exports.BASE_URL}/api/cli/auth/logout`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ refreshToken }),
     }).catch(() => { });
 }
 async function getMe(accessToken) {
-    const res = await fetch(`${BASE_URL}/api/cli/me`, {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/me`, {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!res.ok)
@@ -36,7 +47,7 @@ async function getMe(accessToken) {
     return body.user;
 }
 async function listSets(accessToken) {
-    const res = await fetch(`${BASE_URL}/api/cli/sets`, {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/sets`, {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!res.ok)
@@ -44,10 +55,8 @@ async function listSets(accessToken) {
     const body = (await res.json());
     return Array.isArray(body.sets) ? body.sets : [];
 }
-async function fetchSecrets(accessToken, setId) {
-    const res = await fetch(`${BASE_URL}/api/cli/secrets?setId=${encodeURIComponent(setId)}`, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-    });
+async function fetchSecrets(accessToken, setId, mode = "proxy") {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/secrets?setId=${encodeURIComponent(setId)}&mode=${mode}`, { headers: { Authorization: `Bearer ${accessToken}` } });
     if (!res.ok) {
         const body = (await res.json().catch(() => ({})));
         throw new Error(body.error ?? `Erreur ${res.status}`);

package/dist/lib/proxyServer.d.ts CHANGED Viewed

@@ -3,4 +3,4 @@ export type ProxyServer = {
     token: string;
     close: () => void;
 };
-export declare function startProxy(secrets: Record<string, string>, hosts?: Record<string, string>): Promise<ProxyServer>;
+export declare function startProxy(secrets: Record<string, string>, hosts?: Record<string, string>, verbose?: boolean): Promise<ProxyServer>;

package/dist/lib/proxyServer.js CHANGED Viewed

@@ -27,8 +27,22 @@ function isBlockedHost(hostname) {
     return false;
 }
 // hosts: map nom_secret -> domaine autorisé. Si défini, le secret ne peut être envoyé qu'à ce host.
-function startProxy(secrets, hosts = {}) {
+function startProxy(secrets, hosts = {}, verbose = false) {
     const token = (0, crypto_1.randomBytes)(24).toString("hex");
+    // Log une ligne par requête — jamais les valeurs, seulement les placeholders référencés
+    const log = (method, host, path, status, ms, note = "") => {
+        if (!verbose)
+            return;
+        const code = status === "BLOCKED" ? "BLOCKED" : String(status);
+        console.error(`[elding] ${method} ${host}${path}  → ${code}  ${ms}ms${note ? "  " + note : ""}`);
+    };
+    const placeholdersIn = (headers) => {
+        const names = new Set();
+        for (const v of Object.values(headers))
+            for (const m of v.matchAll(PLACEHOLDER))
+                names.add(m[1]);
+        return names.size ? `{{${[...names].join(",")}}}` : "";
+    };
     // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne le nom fautif, ou null.
     const findHostViolation = (val, targetHost) => {
         for (const m of val.matchAll(PLACEHOLDER)) {
@@ -41,6 +55,7 @@ function startProxy(secrets, hosts = {}) {
     };
     const substitute = (val) => val.replace(PLACEHOLDER, (_, name) => secrets[name] ?? "");
     const server = http_1.default.createServer(async (req, res) => {
+        const started = Date.now();
         try {
             if (req.headers["x-elding-token"] !== token) {
                 res.writeHead(401);
@@ -68,6 +83,7 @@ function startProxy(secrets, hosts = {}) {
                 return;
             }
             if (isBlockedHost(targetUrl.hostname)) {
+                log(req.method ?? "?", targetUrl.hostname, req.url ?? "/", "BLOCKED", Date.now() - started, "host bloqué");
                 res.writeHead(403);
                 res.end("blocked host");
                 return;
@@ -81,20 +97,24 @@ function startProxy(secrets, hosts = {}) {
                     continue;
                 const bad = findHostViolation(v, targetUrl.hostname);
                 if (bad) {
+                    log(req.method ?? "?", targetUrl.hostname, upstream.pathname, "BLOCKED", Date.now() - started, `${bad} non autorisé`);
                     res.writeHead(403);
                     res.end(`secret "${bad}" non autorisé pour ${targetUrl.hostname}`);
                     return;
                 }
             }
             const headers = {};
+            const rawHeaders = {};
             for (const [k, v] of Object.entries(req.headers)) {
                 const lk = k.toLowerCase();
                 if (lk.startsWith("x-elding-"))
                     continue;
                 if (lk === "host" || lk === "connection" || lk === "content-length")
                     continue;
-                if (typeof v === "string")
+                if (typeof v === "string") {
+                    rawHeaders[k] = v;
                     headers[k] = substitute(v);
+                }
             }
             const chunks = [];
             for await (const c of req)
@@ -105,6 +125,7 @@ function startProxy(secrets, hosts = {}) {
                 headers,
                 body: hasBody ? Buffer.concat(chunks) : undefined,
             });
+            log(req.method ?? "?", targetUrl.hostname, upstream.pathname, upstreamRes.status, Date.now() - started, placeholdersIn(rawHeaders));
             res.writeHead(upstreamRes.status, Object.fromEntries(upstreamRes.headers));
             if (upstreamRes.body) {
                 const reader = upstreamRes.body.getReader();

package/dist/lib/session.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function requireAccessToken(): Promise<string>;

package/dist/lib/session.js ADDED Viewed

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireAccessToken = requireAccessToken;
+const config_js_1 = require("./config.js");
+const api_js_1 = require("./api.js");
+// Lit le token local, l'échange contre un access token. Lève une erreur claire sinon.
+async function requireAccessToken() {
+    const config = (0, config_js_1.readConfig)();
+    if (!config)
+        throw new Error("Non connecté. Lancez `elding login` d'abord.");
+    try {
+        return await (0, api_js_1.exchangeToken)(config.refreshToken);
+    }
+    catch {
+        throw new Error("Token expiré ou révoqué. Relancez `elding login`.");
+    }
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@elding/cli",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Elding CLI — zero .env, secrets from vault",
   "bin": {
     "elding": "./dist/index.js"