@elding/cli 0.3.0 → 0.8.1

package/dist/commands/doctor.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.doctor = doctor;
 const config_js_1 = require("../lib/config.js");
 const api_js_1 = require("../lib/api.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function doctor() {
     const { default: chalk } = await import("chalk");
     const ok = (m) => console.log(`${chalk.green("✓")} ${m}`);
@@ -15,13 +16,13 @@ async function doctor() {
         fail("Non connecté — lancez `elding login`");
         return;
     }
-    ok("Token local présent (~/.elding/config.json)");
+    ok("Token local présent (trousseau OS)");
     // 2. Token valide + utilisateur
     let accessToken;
     try {
         accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
         const me = await (0, api_js_1.getMe)(accessToken);
-        ok(`Authentifié : ${me.email}`);
+        ok(`Authentifié : ${(0, terminal_js_1.safeText)(me.email)}`);
     }
     catch {
         fail("Token expiré ou révoqué — relancez `elding login`");
@@ -33,7 +34,7 @@ async function doctor() {
         warn("Aucun set configuré — lancez `elding init` ou `elding use <set>`");
         return;
     }
-    ok(`Set actif : ${project.setName}`);
+    ok(`Set actif : ${(0, terminal_js_1.safeText)(project.setName)}`);
     // 4. Clés + verrouillage host
     try {
         const keys = await (0, api_js_1.listKeys)(accessToken, project.setId);

package/dist/commands/init.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.init = init;
 const config_js_1 = require("../lib/config.js");
 const api_js_1 = require("../lib/api.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function init() {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
@@ -31,19 +32,41 @@ async function init() {
         process.exit(1);
     }
     if (sets.length === 0) {
-        console.log(chalk.yellow("Aucun set trouvé. Créez-en un sur app.elding.io."));
+        console.log(chalk.yellow("Aucun set trouvé. Créez-en un sur le vault."));
         process.exit(0);
     }
+    // Étape 1 : choisir l'organisation (toujours, pour une approche projet cohérente)
+    const orgs = [...new Map(sets.map((s) => [s.workspaceId, s.workspaceName])).entries()];
+    const { workspaceId } = await inquirer.prompt([
+        {
+            type: "select",
+            name: "workspaceId",
+            message: "Quelle organisation ?",
+            choices: orgs.map(([id, name]) => ({ name: (0, terminal_js_1.safeText)(name), value: id })),
+        },
+    ]);
+    // Étape 2 : choisir le set parmi ceux de l'org (env affiché en français)
+    const ENV_LABELS = { DEV: "Dev", STAGING: "Staging", PROD: "Prod" };
+    const orgSets = sets.filter((s) => s.workspaceId === workspaceId);
     const { setId } = await inquirer.prompt([
         {
-            type: "list",
+            type: "select",
             name: "setId",
             message: "Quel set utiliser pour ce projet ?",
-            choices: sets.map((s) => ({ name: s.name, value: s.id })),
+            choices: orgSets.map((s) => {
+                const env = s.environment ? ENV_LABELS[s.environment] : undefined;
+                return { name: env ? `${(0, terminal_js_1.safeText)(s.name)} (${env})` : (0, terminal_js_1.safeText)(s.name), value: s.id };
+            }),
         },
     ]);
-    const selected = sets.find((s) => s.id === setId);
-    (0, config_js_1.writeProject)({ setId: selected.id, setName: selected.name });
-    console.log(chalk.green(`✓ Set "${selected.name}" configuré dans .elding.json`));
-    console.log(chalk.dim("Ajoutez .elding.json à votre .gitignore si besoin."));
+    const selected = orgSets.find((s) => s.id === setId);
+    const project = {
+        setId: selected.id,
+        setName: selected.name,
+        workspaceId: selected.workspaceId,
+        workspaceName: selected.workspaceName,
+    };
+    (0, config_js_1.writeProject)(project);
+    (0, config_js_1.trustProject)(project);
+    console.log(chalk.green(`✓ Set "${(0, terminal_js_1.safeText)(selected.name)}" (${(0, terminal_js_1.safeText)(selected.workspaceName)}) configuré dans .elding.json`));
 }

package/dist/commands/keys.js

@@ -4,6 +4,7 @@ exports.keys = keys;
 const api_js_1 = require("../lib/api.js");
 const config_js_1 = require("../lib/config.js");
 const session_js_1 = require("../lib/session.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function keys() {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
@@ -16,15 +17,15 @@ async function keys() {
     const accessToken = await (0, session_js_1.requireAccessToken)();
     const list = await (0, api_js_1.listKeys)(accessToken, project.setId);
     spinner.stop();
-    console.log(chalk.dim(`Set : ${project.setName}`));
+    console.log(chalk.dim(`Set : ${(0, terminal_js_1.safeText)(project.setName)}`));
     if (list.length === 0) {
         console.log(chalk.yellow("Aucune clé dans ce set."));
         return;
     }
     for (const k of list) {
         const host = k.allowedHost
-            ? chalk.dim(` → ${k.allowedHost}`)
+            ? chalk.dim(` → ${(0, terminal_js_1.safeText)(k.allowedHost)}`)
             : chalk.yellow(" → aucun domaine (non verrouillé)");
-        console.log(`  ${k.name}${host}`);
+        console.log(`  ${(0, terminal_js_1.safeText)(k.name)}${host}`);
     }
 }

package/dist/commands/login.js

@@ -7,52 +7,78 @@ exports.login = login;
 const http_1 = __importDefault(require("http"));
 const crypto_1 = __importDefault(require("crypto"));
 const config_js_1 = require("../lib/config.js");
-const BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
+const api_js_1 = require("../lib/api.js");
+const terminal_js_1 = require("../lib/terminal.js");
 const TIMEOUT_MS = 5 * 60 * 1000;
-function randomPort() {
-    return Math.floor(Math.random() * (65535 - 49152 + 1)) + 49152;
-}
 async function login() {
     const { default: chalk } = await import("chalk");
     const { default: open } = await import("open");
     const { default: ora } = await import("ora");
     const state = crypto_1.default.randomBytes(16).toString("hex");
-    const port = randomPort();
-    const callbackUrl = `http://localhost:${port}`;
-    const authUrl = `${BASE_URL}/cli` +
-        `?state=${encodeURIComponent(state)}` +
-        `&callback=${encodeURIComponent(callbackUrl)}`;
     const spinner = ora("En attente d'autorisation dans le navigateur...").start();
     const token = await new Promise((resolve, reject) => {
         const timeout = setTimeout(() => {
             server.close();
             reject(new Error("Timeout — aucune réponse après 5 minutes"));
         }, TIMEOUT_MS);
-        const server = http_1.default.createServer((req, res) => {
-            const url = new URL(req.url ?? "/", `http://localhost:${port}`);
-            const receivedToken = url.searchParams.get("token");
+        const server = http_1.default.createServer(async (req, res) => {
+            const addr = server.address();
+            const port = typeof addr === "object" && addr ? addr.port : 0;
+            const callbackUrl = `http://127.0.0.1:${port}`;
+            const url = new URL(req.url ?? "/", callbackUrl);
+            const receivedCode = url.searchParams.get("code");
             const receivedState = url.searchParams.get("state");
-            const tokenValid = typeof receivedToken === "string" &&
-                receivedToken.startsWith("eld_rt_") &&
-                receivedToken.length === 7 + 64; // "eld_rt_" + 32 bytes hex
-            if (receivedState !== state || !tokenValid) {
+            const codeValid = typeof receivedCode === "string" &&
+                /^[A-Za-z0-9._~-]{16,512}$/.test(receivedCode);
+            if (receivedState !== state || !codeValid) {
                 res.writeHead(400, { "Content-Type": "text/html; charset=utf-8" });
                 res.end("<p>Paramètres invalides. Fermez cet onglet.</p>");
                 return;
             }
-            res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
-            res.end(`<!DOCTYPE html><html><head><meta charset="utf-8"></head><body style="font-family:sans-serif;padding:2rem">
-        <p>✅ <strong>Authentification réussie.</strong> Vous pouvez fermer cet onglet.</p>
-      </body></html>`);
-            clearTimeout(timeout);
-            server.close();
-            resolve(receivedToken);
+            try {
+                const refreshToken = await (0, api_js_1.exchangeLoginCode)(receivedCode, state, callbackUrl);
+                res.writeHead(200, {
+                    "Content-Type": "text/html; charset=utf-8",
+                    "Referrer-Policy": "no-referrer",
+                    "Cache-Control": "no-store",
+                });
+                res.end(`<!DOCTYPE html><html lang="fr"><head><meta charset="utf-8"><title>Elding</title><script>history.replaceState(null,"","/")</script><style>
+          *{margin:0;padding:0;box-sizing:border-box}
+          html,body{height:100%}
+          body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;background:#fff;color:#000;display:flex;align-items:center;justify-content:center;text-align:center}
+          .wrap{display:flex;flex-direction:column;align-items:center;gap:.75rem;padding:2rem}
+          h1{font-size:2.25rem;font-weight:600;letter-spacing:-.02em}
+          p{font-size:1rem;color:#6b7280}
+        </style></head><body>
+          <div class="wrap">
+            <h1>Tout est prêt, codez l'esprit tranquille</h1>
+            <p>Vous êtes connecté à Elding.</p>
+            <p>Vous pouvez maintenant fermer cette fenêtre.</p>
+          </div>
+        </body></html>`);
+                clearTimeout(timeout);
+                server.close();
+                resolve(refreshToken);
+            }
+            catch (err) {
+                res.writeHead(502, { "Content-Type": "text/html; charset=utf-8" });
+                res.end("<p>Impossible de finaliser l'authentification. Fermez cet onglet et relancez le login.</p>");
+                clearTimeout(timeout);
+                server.close();
+                reject(new Error((0, terminal_js_1.safeError)(err)));
+            }
         });
         server.on("error", (err) => {
             clearTimeout(timeout);
             reject(err);
         });
-        server.listen(port, "127.0.0.1", () => {
+        server.listen(0, "127.0.0.1", () => {
+            const addr = server.address();
+            const port = typeof addr === "object" && addr ? addr.port : 0;
+            const callbackUrl = `http://127.0.0.1:${port}`;
+            const authUrl = `${api_js_1.BASE_URL}/cli` +
+                `?state=${encodeURIComponent(state)}` +
+                `&callback=${encodeURIComponent(callbackUrl)}`;
             open(authUrl).catch((err) => {
                 spinner.warn(`Impossible d'ouvrir le navigateur automatiquement.`);
                 console.log(chalk.cyan(`Ouvrez manuellement : ${authUrl}`));
@@ -61,5 +87,5 @@ async function login() {
     });
     (0, config_js_1.writeConfig)({ refreshToken: token });
     spinner.succeed(chalk.green("Connecté avec succès."));
-    console.log(chalk.dim("Token sauvegardé dans ~/.elding/config.json"));
+    console.log(chalk.dim("Token sauvegardé dans le trousseau de votre OS."));
 }

package/dist/commands/proxy.d.ts

@@ -1 +1,6 @@
-export declare function proxy(cmd: string, args: string[], verbose?: boolean): Promise<void>;
+export type ProxyOptions = {
+    verbose?: boolean;
+    reportLogs?: boolean;
+    shell?: boolean;
+};
+export declare function proxy(cmd: string, args: string[], options?: ProxyOptions): Promise<void>;

package/dist/commands/proxy.js

@@ -5,7 +5,10 @@ const child_process_1 = require("child_process");
 const config_js_1 = require("../lib/config.js");
 const api_js_1 = require("../lib/api.js");
 const proxyServer_js_1 = require("../lib/proxyServer.js");
-async function proxy(cmd, args, verbose = false) {
+const logBatcher_js_1 = require("../lib/logBatcher.js");
+const trust_js_1 = require("../lib/trust.js");
+const terminal_js_1 = require("../lib/terminal.js");
+async function proxy(cmd, args, options = {}) {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
     const config = (0, config_js_1.readConfig)();
@@ -18,6 +21,10 @@ async function proxy(cmd, args, verbose = false) {
         console.error(chalk.red("Projet non initialisé. Lancez `elding init` d'abord."));
         process.exit(1);
     }
+    await (0, trust_js_1.ensureProjectTrusted)(project);
+    if (!options.shell && /\s/.test(cmd)) {
+        throw new Error("Commande invalide sans --shell. Passez le binaire et ses arguments separement, ou ajoutez --shell explicitement.");
+    }
     const spinner = ora("Démarrage du proxy...").start();
     let secrets;
     let hosts;
@@ -26,12 +33,17 @@ async function proxy(cmd, args, verbose = false) {
         ({ secrets, hosts } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId));
     }
     catch (err) {
-        spinner.fail(chalk.red(err instanceof Error ? err.message : "Erreur inconnue"));
+        spinner.fail(chalk.red((0, terminal_js_1.safeError)(err)));
         process.exit(1);
     }
-    const server = await (0, proxyServer_js_1.startProxy)(secrets, hosts, verbose);
-    spinner.succeed(chalk.green(`Proxy actif sur ${server.url} — ${Object.keys(secrets).length} secret(s)`));
+    const batcher = options.reportLogs
+        ? (0, logBatcher_js_1.createLogBatcher)(config.refreshToken, project.setId, project.setName)
+        : null;
+    const server = await (0, proxyServer_js_1.startProxy)(secrets, hosts, !!options.verbose, batcher ? (e) => batcher.add(e) : undefined);
+    spinner.succeed(chalk.green(`Proxy actif sur ${server.url} — ${Object.keys(secrets).length} secret(s) pour ${(0, terminal_js_1.safeText)(project.setName)}`));
     console.log(chalk.dim("Les clés restent dans le proxy, jamais dans la mémoire de l'app."));
+    if (!options.reportLogs)
+        console.log(chalk.dim("Logs cloud proxy désactivés. Ajoutez --report-logs pour les envoyer."));
     const child = (0, child_process_1.spawn)(cmd, args, {
         env: {
             ...process.env,
@@ -39,13 +51,17 @@ async function proxy(cmd, args, verbose = false) {
             ELDING_PROXY_TOKEN: server.token,
         },
         stdio: "inherit",
-        shell: true,
+        shell: !!options.shell,
     });
-    const shutdown = () => server.close();
+    const shutdown = async () => {
+        server.close();
+        await batcher?.stop();
+    };
     process.on("SIGINT", shutdown);
     process.on("SIGTERM", shutdown);
-    child.on("exit", (code) => {
+    child.on("exit", async (code) => {
         server.close();
+        await batcher?.stop(); // flush les derniers logs
         process.exit(code ?? 0);
     });
 }

package/dist/commands/run.d.ts

@@ -1 +1,4 @@
-export declare function run(cmd: string, args: string[]): Promise<void>;
+export type RunOptions = {
+    shell?: boolean;
+};
+export declare function run(cmd: string, args: string[], options?: RunOptions): Promise<void>;

package/dist/commands/run.js

@@ -4,7 +4,10 @@ exports.run = run;
 const child_process_1 = require("child_process");
 const config_js_1 = require("../lib/config.js");
 const api_js_1 = require("../lib/api.js");
-async function run(cmd, args) {
+const env_js_1 = require("../lib/env.js");
+const trust_js_1 = require("../lib/trust.js");
+const terminal_js_1 = require("../lib/terminal.js");
+async function run(cmd, args, options = {}) {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
     const config = (0, config_js_1.readConfig)();
@@ -17,22 +20,30 @@ async function run(cmd, args) {
         console.error(chalk.red("Projet non initialisé. Lancez `elding init` d'abord."));
         process.exit(1);
     }
+    await (0, trust_js_1.ensureProjectTrusted)(project);
+    if (!options.shell && /\s/.test(cmd)) {
+        throw new Error("Commande invalide sans --shell. Passez le binaire et ses arguments separement, ou ajoutez --shell explicitement.");
+    }
     const spinner = ora("Récupération des secrets...").start();
     let secrets;
     try {
         const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
         ({ secrets } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId, "run"));
-        spinner.succeed(chalk.green(`${Object.keys(secrets).length} secret(s) chargé(s).`));
+        spinner.succeed(chalk.green(`${Object.keys(secrets).length} secret(s) chargé(s) pour ${(0, terminal_js_1.safeText)(project.setName)}.`));
     }
     catch (err) {
-        spinner.fail(chalk.red(err instanceof Error ? err.message : "Erreur inconnue"));
+        spinner.fail(chalk.red((0, terminal_js_1.safeError)(err)));
         process.exit(1);
     }
-    const env = { ...process.env, ...secrets };
+    const { env: safeSecrets, rejected } = (0, env_js_1.filterSecretsForEnv)(secrets);
+    if (rejected.length > 0) {
+        throw new Error(`Secrets refuses car leurs noms sont dangereux pour l'environnement: ${rejected.map((name) => (0, terminal_js_1.safeText)(name, 80)).join(", ")}`);
+    }
+    const env = { ...process.env, ...safeSecrets };
     const result = (0, child_process_1.spawnSync)(cmd, args, {
         env,
         stdio: "inherit",
-        shell: true,
+        shell: !!options.shell,
     });
     if (result.error) {
         console.error(chalk.red(`Impossible de lancer la commande : ${result.error.message}`));

package/dist/commands/sets.js

@@ -4,6 +4,7 @@ exports.sets = sets;
 const api_js_1 = require("../lib/api.js");
 const config_js_1 = require("../lib/config.js");
 const session_js_1 = require("../lib/session.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function sets() {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
@@ -18,7 +19,8 @@ async function sets() {
     const activeId = (0, config_js_1.readProject)()?.setId;
     for (const s of list) {
         const marker = s.id === activeId ? chalk.green("●") : chalk.dim("○");
-        const name = s.id === activeId ? chalk.green(s.name) : s.name;
-        console.log(`${marker} ${name} ${chalk.dim(`(${s.id})`)}`);
+        const cleanName = (0, terminal_js_1.safeText)(s.name);
+        const name = s.id === activeId ? chalk.green(cleanName) : cleanName;
+        console.log(`${marker} ${name} ${chalk.dim(`(${(0, terminal_js_1.safeText)(s.workspaceName)})`)}`);
     }
 }

package/dist/commands/status.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.status = status;
 const config_js_1 = require("../lib/config.js");
 const api_js_1 = require("../lib/api.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function status() {
     const { default: chalk } = await import("chalk");
     const config = (0, config_js_1.readConfig)();
@@ -23,7 +24,7 @@ async function status() {
     const project = (0, config_js_1.readProject)();
     const proxyActive = !!process.env.ELDING_PROXY_URL;
     console.log(chalk.green("● Connecté"));
-    console.log(`  ${chalk.dim("Utilisateur")}  ${user.email}${user.name ? chalk.dim(` (${user.name})`) : ""}`);
-    console.log(`  ${chalk.dim("Set actif")}    ${project ? `${project.setName} ${chalk.dim(`(${project.setId})`)}` : chalk.yellow("aucun — `elding init`")}`);
+    console.log(`  ${chalk.dim("Utilisateur")}  ${(0, terminal_js_1.safeText)(user.email)}${user.name ? chalk.dim(` (${(0, terminal_js_1.safeText)(user.name)})`) : ""}`);
+    console.log(`  ${chalk.dim("Set actif")}    ${project ? `${(0, terminal_js_1.safeText)(project.setName)} ${chalk.dim(`(${(0, terminal_js_1.safeText)(project.setId)})`)}` : chalk.yellow("aucun — `elding init`")}`);
     console.log(`  ${chalk.dim("Proxy")}        ${proxyActive ? chalk.green("actif") : chalk.dim("inactif")}`);
 }

package/dist/commands/use.js

@@ -4,6 +4,7 @@ exports.use = use;
 const api_js_1 = require("../lib/api.js");
 const config_js_1 = require("../lib/config.js");
 const session_js_1 = require("../lib/session.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function use(nameArg) {
     const { default: chalk } = await import("chalk");
     const { default: ora } = await import("ora");
@@ -15,15 +16,22 @@ async function use(nameArg) {
     const matches = list.filter((s) => s.name.toLowerCase() === query);
     const candidates = matches.length ? matches : list.filter((s) => s.name.toLowerCase().includes(query));
     if (candidates.length === 0) {
-        console.error(chalk.red(`Aucun set nommé "${nameArg}".`) + chalk.dim("  Voir `elding sets`."));
+        console.error(chalk.red(`Aucun set nommé "${(0, terminal_js_1.safeText)(nameArg)}".`) + chalk.dim("  Voir `elding sets`."));
         process.exit(1);
     }
     if (candidates.length > 1) {
-        console.error(chalk.red(`Plusieurs sets correspondent à "${nameArg}" :`));
-        candidates.forEach((s) => console.error(chalk.dim(`  - ${s.name}`)));
+        console.error(chalk.red(`Plusieurs sets correspondent à "${(0, terminal_js_1.safeText)(nameArg)}" :`));
+        candidates.forEach((s) => console.error(chalk.dim(`  - ${(0, terminal_js_1.safeText)(s.name)}`)));
         process.exit(1);
     }
     const set = candidates[0];
-    (0, config_js_1.writeProject)({ setId: set.id, setName: set.name });
-    console.log(chalk.green(`✓ Set actif : "${set.name}"`));
+    const project = {
+        setId: set.id,
+        setName: set.name,
+        workspaceId: set.workspaceId,
+        workspaceName: set.workspaceName,
+    };
+    (0, config_js_1.writeProject)(project);
+    (0, config_js_1.trustProject)(project);
+    console.log(chalk.green(`✓ Set actif : "${(0, terminal_js_1.safeText)(set.name)}"`));
 }

package/dist/commands/whoami.js

@@ -3,9 +3,10 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.whoami = whoami;
 const api_js_1 = require("../lib/api.js");
 const session_js_1 = require("../lib/session.js");
+const terminal_js_1 = require("../lib/terminal.js");
 async function whoami() {
     const { default: chalk } = await import("chalk");
     const accessToken = await (0, session_js_1.requireAccessToken)();
     const me = await (0, api_js_1.getMe)(accessToken);
-    console.log(`${me.email}${me.name ? chalk.dim(` (${me.name})`) : ""}`);
+    console.log(`${(0, terminal_js_1.safeText)(me.email)}${me.name ? chalk.dim(` (${(0, terminal_js_1.safeText)(me.name)})`) : ""}`);
 }

package/dist/index.js

@@ -18,7 +18,7 @@ const program = new commander_1.Command();
 program
     .name("elding")
     .description("Elding CLI — secrets depuis le vault, zéro .env")
-    .version("0.1.0");
+    .version("0.8.1");
 program
     .command("login")
     .description("Authentifier le CLI via le navigateur")
@@ -38,24 +38,29 @@ program
     });
 });
 program
-    .command("run <cmd>")
+    .command("run <cmd> [args...]")
     .description("Lancer une commande avec les secrets injectés en variables d'environnement")
+    .option("--shell", "Executer via le shell systeme (a utiliser seulement si necessaire)")
     .allowUnknownOption()
-    .action(async (cmd, options, command) => {
-    const args = command.args.slice(1);
-    await (0, run_js_1.run)(cmd, args).catch((err) => {
+    .action(async (cmd, args = [], options) => {
+    await (0, run_js_1.run)(cmd, args, { shell: !!options.shell }).catch((err) => {
         console.error(err.message);
         process.exit(1);
     });
 });
 program
-    .command("proxy <cmd>")
+    .command("proxy <cmd> [args...]")
     .description("Lancer une commande derrière un proxy local qui injecte les clés — jamais en mémoire de l'app")
     .option("-v, --verbose", "Logger chaque requête (méthode/host/status/latence)")
+    .option("--report-logs", "Envoyer les metadonnees de requetes proxy au vault")
+    .option("--shell", "Executer via le shell systeme (a utiliser seulement si necessaire)")
     .allowUnknownOption()
-    .action(async (cmd, options, command) => {
-    const args = command.args.slice(1);
-    await (0, proxy_js_1.proxy)(cmd, args, !!options.verbose).catch((err) => {
+    .action(async (cmd, args = [], options) => {
+    await (0, proxy_js_1.proxy)(cmd, args, {
+        verbose: !!options.verbose,
+        reportLogs: !!options.reportLogs,
+        shell: !!options.shell,
+    }).catch((err) => {
         console.error(err.message);
         process.exit(1);
     });

package/dist/lib/api.d.ts

@@ -2,6 +2,9 @@ export declare const BASE_URL: string;
 export type ApiKeySetItem = {
     id: string;
     name: string;
+    environment?: string;
+    workspaceId: string;
+    workspaceName: string;
 };
 export type KeyItem = {
     name: string;
@@ -9,6 +12,8 @@ export type KeyItem = {
 };
 export declare function listKeys(accessToken: string, setId: string): Promise<KeyItem[]>;
 export declare function exchangeToken(refreshToken: string): Promise<string>;
+export declare function exchangeLoginCode(code: string, state: string, callbackUrl: string): Promise<string>;
+export declare function reportProxyLogs(accessToken: string, setId: string, setName: string, entries: unknown[]): Promise<void>;
 export declare function revokeToken(refreshToken: string): Promise<void>;
 export declare function getMe(accessToken: string): Promise<{
     email: string;

package/dist/lib/api.js

@@ -3,65 +3,86 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.BASE_URL = void 0;
 exports.listKeys = listKeys;
 exports.exchangeToken = exchangeToken;
+exports.exchangeLoginCode = exchangeLoginCode;
+exports.reportProxyLogs = reportProxyLogs;
 exports.revokeToken = revokeToken;
 exports.getMe = getMe;
 exports.listSets = listSets;
 exports.fetchSecrets = fetchSecrets;
-exports.BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
+const apiUrl_js_1 = require("./apiUrl.js");
+const terminal_js_1 = require("./terminal.js");
+exports.BASE_URL = (0, apiUrl_js_1.resolveBaseUrl)();
+const REQUEST_TIMEOUT_MS = 15_000;
+const LOG_TIMEOUT_MS = 5_000;
+const REFRESH_TOKEN = /^eld_rt_[a-f0-9]{64}$/i;
+const LOGIN_CODE = /^[A-Za-z0-9._~-]{16,512}$/;
 async function listKeys(accessToken, setId) {
-    const res = await fetch(`${exports.BASE_URL}/api/cli/keys?setId=${encodeURIComponent(setId)}`, {
+    const body = await requestJson(`/api/cli/keys?setId=${encodeURIComponent(setId)}`, {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
-    if (!res.ok)
-        throw new Error("Impossible de récupérer les clés");
-    const body = (await res.json());
     return Array.isArray(body.keys) ? body.keys : [];
 }
 async function exchangeToken(refreshToken) {
-    const res = await fetch(`${exports.BASE_URL}/api/cli/auth/token`, {
+    if (!REFRESH_TOKEN.test(refreshToken))
+        throw new Error("Token local invalide. Relancez `elding login`.");
+    const body = await requestJson("/api/cli/auth/token", {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ refreshToken }),
     });
-    const body = (await res.json());
     if (!body.success || !body.accessToken)
-        throw new Error(body.error ?? "Impossible d'obtenir un access token");
+        throw new Error((0, terminal_js_1.safeText)(body.error, 200) || "Impossible d'obtenir un access token");
     return body.accessToken;
 }
+async function exchangeLoginCode(code, state, callbackUrl) {
+    if (!LOGIN_CODE.test(code))
+        throw new Error("Code d'autorisation invalide.");
+    const body = await requestJson("/api/cli/auth/exchange", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ code, state, callbackUrl }),
+    });
+    if (!body.success || !body.refreshToken || !REFRESH_TOKEN.test(body.refreshToken)) {
+        throw new Error((0, terminal_js_1.safeText)(body.error, 200) || "Impossible de finaliser l'authentification.");
+    }
+    return body.refreshToken;
+}
+async function reportProxyLogs(accessToken, setId, setName, entries) {
+    await fetch(`${exports.BASE_URL}/api/cli/proxy-logs`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", Authorization: `Bearer ${accessToken}` },
+        body: JSON.stringify({ setId, setName, entries }),
+        signal: AbortSignal.timeout(LOG_TIMEOUT_MS),
+    }).catch(() => { });
+}
 async function revokeToken(refreshToken) {
+    if (!REFRESH_TOKEN.test(refreshToken))
+        return;
     await fetch(`${exports.BASE_URL}/api/cli/auth/logout`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ refreshToken }),
+        signal: AbortSignal.timeout(LOG_TIMEOUT_MS),
     }).catch(() => { });
 }
 async function getMe(accessToken) {
-    const res = await fetch(`${exports.BASE_URL}/api/cli/me`, {
+    const body = await requestJson("/api/cli/me", {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
-    if (!res.ok)
-        throw new Error("Impossible de récupérer l'utilisateur");
-    const body = (await res.json());
     if (!body.success || !body.user)
         throw new Error("Réponse invalide");
     return body.user;
 }
 async function listSets(accessToken) {
-    const res = await fetch(`${exports.BASE_URL}/api/cli/sets`, {
+    const body = await requestJson("/api/cli/sets", {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
-    if (!res.ok)
-        throw new Error("Impossible de récupérer les sets");
-    const body = (await res.json());
     return Array.isArray(body.sets) ? body.sets : [];
 }
 async function fetchSecrets(accessToken, setId, mode = "proxy") {
-    const res = await fetch(`${exports.BASE_URL}/api/cli/secrets?setId=${encodeURIComponent(setId)}&mode=${mode}`, { headers: { Authorization: `Bearer ${accessToken}` } });
-    if (!res.ok) {
-        const body = (await res.json().catch(() => ({})));
-        throw new Error(body.error ?? `Erreur ${res.status}`);
-    }
-    const body = (await res.json());
+    const body = await requestJson(`/api/cli/secrets?setId=${encodeURIComponent(setId)}&mode=${mode}`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
     if (!body.success || !body.secrets || typeof body.secrets !== "object")
         throw new Error("Réponse invalide");
     return {
@@ -76,9 +97,24 @@ function sanitizeSecrets(raw) {
     for (const [name, value] of Object.entries(raw)) {
         if (DANGEROUS_KEYS.has(name))
             continue;
+        if (name.length > 128)
+            continue;
         if (typeof value !== "string")
             continue;
         out[name] = value;
     }
     return out;
 }
+async function requestJson(path, init) {
+    const res = await fetch(`${exports.BASE_URL}${path}`, {
+        ...init,
+        signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+    });
+    const body = (await res.json().catch(() => null));
+    if (!res.ok) {
+        throw new Error((0, terminal_js_1.safeText)(body?.error, 200) || `Erreur ${res.status}`);
+    }
+    if (!body || typeof body !== "object")
+        throw new Error("Réponse invalide");
+    return body;
+}