@fateforge/archery-cli 1.0.8 → 1.0.9
- package/CHANGELOG.md +12 -0
- package/docs/LIVE-SMOKE-EVIDENCE.md +22 -0
- package/package.json +7 -7
- package/skills/archery-cli/SKILL.md +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [1.0.9] - 2026-06-17
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- **`instance list` works for non-DBA users.** It posted to `/instance/list/`, which Archery gates behind the DBA permission `sql.menu_instance_list`, so an ordinary user who can still *query* instances (granted via a resource group) got `403 permission denied` — even though the web SQL-query page lists those instances fine. On 403 the CLI now falls back to the ungated, user-scoped `/group/user_all_instances/` (the endpoint the web query page actually uses), returning the instances the user is authorized to use. That endpoint exposes only `{id, type, db_type, instance_name}` and has no server-side search, so host/port/credentials are omitted (with a stderr note) and `--search`/`--limit` are applied client-side. Verified on a local container with a non-DBA account in a resource group.
|
|
15
|
+
- **`workflow detail` no longer fails to parse executed workflows.** Archery returns `execute_time` (and `sequence`) on a ReviewResult row as a bare JSON number for some workflows and a string for others; the struct hard-typed them as `string`, so a numeric value failed the whole detail parse (`cannot unmarshal number into ... execute_time of type string`) and the SQL content could not be shown. These fields now accept either form. Reproduced and fixed against a real executed workflow.
|
|
16
|
+
- **Response-decode failures are no longer reported as retryable network errors.** A body the CLI received but could not parse (e.g. the `execute_time` mismatch above) surfaced as retryable `E_NETWORK` ("check host URL and network connectivity"); it now maps to non-retryable `E_UNKNOWN`, so an agent fixes the contract mismatch instead of blindly retrying.
|
|
17
|
+
|
|
18
|
+
### Notes
|
|
19
|
+
|
|
20
|
+
- These came out of an endpoint audit cross-referencing every CLI call against the Archery v1.8.5 source (route, permission decorator, request fields, response types). The audit also confirmed that `user list` (`/user/list/`) and `user resource-groups` (`/group/group/`) are `@superuser_required` upstream with no ungated user-scoped session endpoint, so they remain admin-only by Archery's design (the CLI degrades to `E_FORBIDDEN`); and that the workflow list/submit/review gates (`menu_sqlworkflow`, `sql_submit`, `sql_review`, `audit_user`) are legitimate feature permissions.
|
|
21
|
+
|
|
10
22
|
## [1.0.8] - 2026-06-17
|
|
11
23
|
|
|
12
24
|
### Fixed
|
|
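Review bot: In the `instance list` entry, the degraded fallback is signalled only by a stderr note, which an agent consuming the machine-readable output can miss; the entry should say whether the structured result itself marks that host/port/credentials were omitted and that `--search`/`--limit` were applied client-side. It would also help to state that the fallback is taken only for the permission 403 on `/instance/list/`, since the text reads "On 403 the CLI now falls back" and any other cause of a 403 would then be hidden behind a successful user-scoped listing. On the third entry, mapping decode failures to `E_UNKNOWN` makes them non-retryable but gives the agent no code that says the response contract did not match; consider a dedicated code, or document that `E_UNKNOWN` now covers parse failures.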
@@ -361,6 +361,28 @@ intermittently returned `用户名或密码错误`. Using `http://127.0.0.1:9123
|
|
|
361
361
|
defect; the session login flow itself (GET csrf → POST authenticate → cookie)
|
|
362
362
|
matches the verified curl flow byte-for-byte.
|
|
363
363
|
|
|
364
|
+
## 2026-06-17 — 1.0.9 endpoint audit: instance-list fallback + detail type fixes
|
|
365
|
+
|
|
366
|
+
Triggered by two real-usage reports (a non-DBA account getting 403 on `instance
|
|
367
|
+
list` while the web could list instances, and `workflow detail 42594` failing to
|
|
368
|
+
parse). Method: a **static endpoint audit** cross-referencing every endpoint the
|
|
369
|
+
CLI calls against the `hhyo/archery:v1.8.5` source inside the container (route,
|
|
370
|
+
permission decorator, request fields, response types) — **zero requests to any
|
|
371
|
+
real instance**. Dynamic verification was done **only on the local container**;
|
|
372
|
+
the production instance was never used.
|
|
373
|
+
|
|
374
|
+
| Check | Status | Evidence |
|
|
375
|
+
|-------|--------|----------|
|
|
376
|
+
| `instance list` 403 → user-scoped fallback | live (local container) | PASS — seeded a non-DBA `cliuser` in resource group `pangu_test` granting `pangu_test_redis`; `instance list --db-type redis --search pangu` returned that instance (id 2) via `/group/user_all_instances/` instead of 403, with a stderr note that host/port need DBA permission. |
|
|
377
|
+
| `workflow detail` numeric `execute_time` | unit + earlier real read | PASS — `flexString` accepts number or string; unit test `TestDetail_SessionNumericExecuteTime` encodes the real `0.008516` / numeric `sequence` shape. |
|
|
378
|
+
| Parse failure non-retryable | code review | The decode error now returns a status-less `APIError` → `E_UNKNOWN` (non-retryable), not `E_NETWORK`. |
|
|
379
|
+
| Audit: admin-only endpoints are correct | static | `instance.lists`=`menu_instance_list`, `user.lists`/`resource_group.group`=`@superuser_required`, `data_dictionary.table_list`=`menu_data_dictionary`, workflow gates=`menu_sqlworkflow`/`sql_submit`/`sql_review`/`audit_user`. No ungated user-scoped session alternative for user/group lists, so they stay admin-only by design. |
|
|
380
|
+
|
|
381
|
+
The self-fulfilling test pattern that hid the 2FA and instance-list defects is
|
|
382
|
+
the audit's core lesson: mocks/fixtures were authored from the client's own
|
|
383
|
+
assumptions. New tests encode the **real** Archery contract (numeric field forms,
|
|
384
|
+
403-then-fallback) so a regression flips them red.
|
|
385
|
+
|
|
364
386
|
## 2026-06-17 — 1.0.8 real 2FA login round-trip (closes the prior 2FA gap)
|
|
365
387
|
|
|
366
388
|
The earlier runs could only mock 2FA because the `cli_verify` account had no 2FA
|
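Review bot: The `Parse failure non-retryable` row is backed by code review only and carries no PASS, while the closing paragraph says the new tests encode the real contract so a regression flips them red; add a unit test that feeds an undecodable body and asserts the status-less `APIError` maps to `E_UNKNOWN`, then cite it in this row. The `workflow detail` row also lists "earlier real read" as evidence and the intro names `workflow detail 42594` from a real-usage report, yet the same section says the production instance was never used; state where that read took place, and confirm the workflow id is intended to appear in published package docs.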
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@fateforge/archery-cli",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.9",
|
|
4
4
|
"description": "Archery SQL audit CLI for AI Agents - manage SQL workflows, queries, instances, diagnostics, and data dictionaries with a machine-readable contract",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"archery",
|
|
@@ -30,12 +30,12 @@
|
|
|
30
30
|
"check-version": "node scripts/check-version.js"
|
|
31
31
|
},
|
|
32
32
|
"optionalDependencies": {
|
|
33
|
-
"@fateforge/archery-cli-darwin-arm64": "1.0.
|
|
34
|
-
"@fateforge/archery-cli-darwin-x64": "1.0.
|
|
35
|
-
"@fateforge/archery-cli-linux-arm64": "1.0.
|
|
36
|
-
"@fateforge/archery-cli-linux-x64": "1.0.
|
|
37
|
-
"@fateforge/archery-cli-win32-arm64": "1.0.
|
|
38
|
-
"@fateforge/archery-cli-win32-x64": "1.0.
|
|
33
|
+
"@fateforge/archery-cli-darwin-arm64": "1.0.9",
|
|
34
|
+
"@fateforge/archery-cli-darwin-x64": "1.0.9",
|
|
35
|
+
"@fateforge/archery-cli-linux-arm64": "1.0.9",
|
|
36
|
+
"@fateforge/archery-cli-linux-x64": "1.0.9",
|
|
37
|
+
"@fateforge/archery-cli-win32-arm64": "1.0.9",
|
|
38
|
+
"@fateforge/archery-cli-win32-x64": "1.0.9"
|
|
39
39
|
},
|
|
40
40
|
"files": [
|
|
41
41
|
"scripts/run.js",
|
|
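Review bot: The six platform packages under `optionalDependencies` are bumped to an exact `1.0.9` pin by hand alongside `version`, and an optional dependency that is missing from the registry at install time is skipped rather than failing the install, so a partial bump or an out-of-order publish would go unnoticed until the CLI is run. If `scripts/check-version.js` (the `check-version` script in the context lines) does not already assert that every pin equals `version`, add that check and run it in the publish step.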
@@ -1,10 +1,10 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: archery-cli
|
|
3
|
-
version: "1.0.
|
|
3
|
+
version: "1.0.9"
|
|
4
4
|
description: "Archery SQL audit platform CLI for managing SQL workflows, queries, instances, diagnostics. Use when the user asks about SQL审核, database operations, Archery platform management, or needs to submit/review/execute SQL against database instances."
|
|
5
5
|
license: MIT
|
|
6
6
|
user-invocable: true
|
|
7
|
-
metadata: {"requires":{"bins":["archery-cli"],"min_version":"1.0.
|
|
7
|
+
metadata: {"requires":{"bins":["archery-cli"],"min_version":"1.0.9"}}
|
|
8
8
|
---
|
|
9
9
|
|
|
10
10
|
# archery-cli
|
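Review bot: Raising `min_version` to `1.0.9` in `metadata` makes the skill require the new binary, but the visible front matter gives the agent no hint that `instance list` can now return a reduced field set for non-DBA users; if the skill body does not already cover it, document there that host/port may be absent and that the notice is written to stderr. The version string is also maintained by hand in `version`, `min_version` and package.json, so it is worth extending the version check to this file.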