@freecodecamp/universe-cli 0.2.0 → 0.3.0

package/dist/index.js

@@ -53,7 +53,7 @@ var staticSchema = z.object({
   bucket: z.string().min(1).default("gxy-static-1"),
   rclone_remote: z.string().min(1).default("gxy-static"),
   region: z.string().min(1).default("auto")
-}).default({});
+}).prefault({});
 var domainSchema = z.object({
   production: z.string().min(1),
   preview: z.string().min(1)
@@ -125,7 +125,19 @@ function loadConfig(options = {}) {
     throw err;
   }
   const parsed = parseYaml(raw);
-  const yamlValidated = platformSchema.parse(parsed);
+  const parseResult = platformSchema.safeParse(parsed);
+  if (!parseResult.success) {
+    const issues = parseResult.error.issues.map((issue) => {
+      const path = issue.path.length > 0 ? issue.path.join(".") : "(root)";
+      return `  - ${path}: ${issue.message}`;
+    }).join("\n");
+    throw new ConfigError(
+      `platform.yaml is invalid:
+${issues}
+See STAFF-GUIDE.md for the required format.`
+    );
+  }
+  const yamlValidated = parseResult.data;
   const envOverrides = readEnvOverrides();
   const flagOverrides = readFlagOverrides(options.flags);
   const merged = {
@@ -144,11 +156,13 @@ function loadConfig(options = {}) {
 import { execSync } from "child_process";
 
 // src/output/redact.ts
-var AKIA_PATTERN = /AKIA[A-Z0-9]{12,}/g;
+var AWS_KEY_PREFIX_PATTERN = /(?:AKIA|ASIA|AROA|AIDA|ACCA|ANPA|ABIA|AGPA)[A-Z0-9]{12,}/g;
 var URL_CREDS_PATTERN = /https?:\/\/[^@\s]+@/g;
-var CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth)[=:]\s*([A-Za-z0-9/+=]{21,})/gi;
-var HEX_CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key)[=:]\s*([a-f0-9]{32,})/gi;
-function maskAkia(match) {
+var CREDENTIAL_CONTEXT_PATTERN = /(?:access_key_id|secret_access_key|accessKeyId|secretAccessKey|secret|password|token|key|credential|auth)\s*[=:]\s*([A-Za-z0-9/+=]{21,})/gi;
+var HEX_CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key)\s*[=:]\s*([a-f0-9]{32,})/gi;
+var JSON_CREDENTIAL_PATTERN = /"(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key|accessKeyId|secretAccessKey)"\s*:\s*"[^"]+"/gi;
+var BEARER_PATTERN = /\bBearer\s+[A-Za-z0-9._~+/=-]+/gi;
+function maskAwsKey(match) {
   return match.slice(0, 4) + "****" + match.slice(-4);
 }
 function maskUrlCreds(match) {
@@ -159,7 +173,12 @@ function maskUrlCreds(match) {
 function redact(value) {
   let result = value;
   result = result.replace(URL_CREDS_PATTERN, maskUrlCreds);
-  result = result.replace(AKIA_PATTERN, maskAkia);
+  result = result.replace(AWS_KEY_PREFIX_PATTERN, maskAwsKey);
+  result = result.replace(BEARER_PATTERN, "Bearer ****");
+  result = result.replace(JSON_CREDENTIAL_PATTERN, (match) => {
+    const colonIndex = match.indexOf(":");
+    return match.slice(0, colonIndex + 1) + '"****"';
+  });
   result = result.replace(
     CREDENTIAL_CONTEXT_PATTERN,
     (_match, _secret, _offset, _full) => {
@@ -181,6 +200,30 @@ function redact(value) {
 }
 
 // src/credentials/resolver.ts
+var LOCAL_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "[::1]", "::1"]);
+function validateEndpoint(endpoint) {
+  let url;
+  try {
+    url = new URL(endpoint);
+  } catch {
+    throw new CredentialError(`S3_ENDPOINT is not a valid URL: ${endpoint}`);
+  }
+  if (url.username !== "" || url.password !== "") {
+    throw new CredentialError(
+      "S3_ENDPOINT must not contain credentials in the URL (user:pass@host). Use S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY instead."
+    );
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw new CredentialError(
+      `S3_ENDPOINT must use http or https, got: ${url.protocol}`
+    );
+  }
+  if (url.protocol === "http:" && !LOCAL_HOSTS.has(url.hostname)) {
+    throw new CredentialError(
+      `S3_ENDPOINT must use https for non-localhost hosts. Plaintext http is only allowed for localhost/127.0.0.1. Got: ${endpoint}`
+    );
+  }
+}
 function tryEnvCredentials() {
   const key = process.env.S3_ACCESS_KEY_ID;
   const secret = process.env.S3_SECRET_ACCESS_KEY;
@@ -189,6 +232,7 @@ function tryEnvCredentials() {
   const present = [key, secret, endpoint].filter(Boolean);
   if (present.length === 0) return "none";
   if (present.length < 3) return "partial";
+  validateEndpoint(endpoint);
   const creds = {
     accessKeyId: key,
     secretAccessKey: secret,
@@ -872,7 +916,7 @@ async function rollback(options) {
 }
 
 // src/cli.ts
-var version = true ? "0.1.0" : "0.0.0";
+var version = true ? "0.3.0" : "0.0.0";
 function handleActionError(command, json, err) {
   const ctx = { json, command };
   const message = err instanceof Error ? err.message : "unknown error";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@freecodecamp/universe-cli",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "main": "dist/index.js",
   "scripts": {
     "test": "vitest run",
@@ -27,11 +27,11 @@
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1029.0",
     "@clack/prompts": "^1.2.0",
-    "cac": "^6.7.14",
+    "cac": "^7.0.0",
     "mrmime": "^2.0.1",
-    "p-limit": "^6.2.0",
+    "p-limit": "^7.3.0",
     "yaml": "^2.8.3",
-    "zod": "^3.25.76"
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@smithy/util-stream": "^4.5.22",
@@ -43,5 +43,21 @@
     "typescript": "^5.9.3",
     "vitest": "^3.2.4"
   },
-  "packageManager": "pnpm@10.28.0"
+  "packageManager": "pnpm@10.33.0",
+  "engines": {
+    "node": ">=22.11.0"
+  },
+  "description": "Static site deployment CLI for the freeCodeCamp Universe platform",
+  "homepage": "https://github.com/freeCodeCamp-Universe/universe-cli#readme",
+  "bugs": {
+    "url": "https://github.com/freeCodeCamp-Universe/universe-cli/issues"
+  },
+  "keywords": [
+    "cli",
+    "s3",
+    "cloudflare-r2",
+    "static-site",
+    "deployment",
+    "freecodecamp"
+  ]
 }