@glubean/cli 0.8.4 → 0.9.1

Files changed (46) hide show
  1. package/README.md +4 -2
  2. package/dist/commands/contracts.d.ts +10 -0
  3. package/dist/commands/contracts.d.ts.map +1 -1
  4. package/dist/commands/contracts.js +199 -60
  5. package/dist/commands/contracts.js.map +1 -1
  6. package/dist/commands/dry-run.d.ts +5 -0
  7. package/dist/commands/dry-run.d.ts.map +1 -1
  8. package/dist/commands/dry-run.js +1 -0
  9. package/dist/commands/dry-run.js.map +1 -1
  10. package/dist/commands/init.d.ts.map +1 -1
  11. package/dist/commands/init.js +22 -0
  12. package/dist/commands/init.js.map +1 -1
  13. package/dist/commands/load.d.ts.map +1 -1
  14. package/dist/commands/load.js +24 -4
  15. package/dist/commands/load.js.map +1 -1
  16. package/dist/commands/run.d.ts.map +1 -1
  17. package/dist/commands/run.js +115 -52
  18. package/dist/commands/run.js.map +1 -1
  19. package/dist/commands/sync.d.ts.map +1 -1
  20. package/dist/commands/sync.js +65 -19
  21. package/dist/commands/sync.js.map +1 -1
  22. package/dist/lib/active_env.d.ts +16 -1
  23. package/dist/lib/active_env.d.ts.map +1 -1
  24. package/dist/lib/active_env.js +46 -1
  25. package/dist/lib/active_env.js.map +1 -1
  26. package/dist/lib/auth.d.ts +7 -0
  27. package/dist/lib/auth.d.ts.map +1 -1
  28. package/dist/lib/auth.js +31 -8
  29. package/dist/lib/auth.js.map +1 -1
  30. package/dist/lib/config.d.ts +47 -0
  31. package/dist/lib/config.d.ts.map +1 -1
  32. package/dist/lib/config.js +139 -2
  33. package/dist/lib/config.js.map +1 -1
  34. package/dist/lib/upload.d.ts +0 -88
  35. package/dist/lib/upload.d.ts.map +1 -1
  36. package/dist/lib/upload.js +15 -3
  37. package/dist/lib/upload.js.map +1 -1
  38. package/dist/main.d.ts.map +1 -1
  39. package/dist/main.js +10 -4
  40. package/dist/main.js.map +1 -1
  41. package/package.json +7 -7
  42. package/templates/demo/gitignore.tpl +3 -0
  43. package/dist/lib/redact-metadata.d.ts +0 -47
  44. package/dist/lib/redact-metadata.d.ts.map +0 -1
  45. package/dist/lib/redact-metadata.js +0 -84
  46. package/dist/lib/redact-metadata.js.map +0 -1
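--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@glubean/cli",
- "version": "0.8.4",
+ "version": "0.9.1",
  "engines": {
  "node": ">=22"
  },
@@ -28,12 +28,12 @@
  "@inquirer/prompts": "^7.0.0",
  "archiver": "^7.0.0",
  "dotenv": "^16.4.0",
- "tsx": "^4.19.0",
+ "tsx": "^4.22.4",
  "yaml": "^2.7.0",
- "@glubean/sdk": "0.8.4",
- "@glubean/scanner": "0.8.4",
- "@glubean/runner": "0.8.4",
- "@glubean/redaction": "0.8.4"
+ "@glubean/sdk": "0.9.1",
+ "@glubean/scanner": "0.9.1",
+ "@glubean/runner": "0.9.1",
+ "@glubean/redaction": "0.9.1"
  },
  "peerDependencies": {
  "typescript": "^5.0.0"
@@ -47,7 +47,7 @@
  "@types/node": "^22.0.0",
  "@types/archiver": "^6.0.0",
  "typescript": "^5.9.3",
- "@glubean/graphql": "0.8.4"
+ "@glubean/graphql": "0.9.1"
  },
  "repository": {
  "type": "git",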
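--- a/package/templates/demo/gitignore.tpl
+++ b/package/templates/demo/gitignore.tpl
@@ -9,5 +9,8 @@ node_modules/
  .env
  .env.local
 
+ # Result files (generated by glubean run / VS Code extension)
+ *.result.json
+
  *.log
  .DS_Store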
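Review bot: The comment above the new `*.result.json` entry says where the files come from but not why they are kept out of version control. If result files can hold captured request or response data (their contents are not shown on this page, so this is an assumption to confirm), the comment should say so, for example `# Result files (generated by glubean run / VS Code extension); may contain captured request/response data, do not commit`. The rule lives in the project template, so it only reaches newly scaffolded projects; whether existing projects get the same ignore entry is not visible in this hunk.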
@@ -1,47 +0,0 @@
1
- import type { RedactionConfig } from "@glubean/redaction";
2
- import type { UploadResultPayload } from "./upload.js";
3
- type UploadMetadata = NonNullable<UploadResultPayload["metadata"]>;
4
- /**
5
- * Deep-redact the FULL contract/workflow projection buckets of an upload
6
- * metadata object before it leaves the machine.
7
- *
8
- * Only `contractsProjection` and `workflows` are redacted — they are free-form
9
- * trees that can carry secrets at any path (examples, default headers, gRPC
10
- * metadata, `extensions`/`meta` blobs, literal compare/switch values, assertion
11
- * messages). Everything else is returned untouched; in particular
12
- * `files[].hash` / `rootHash` MUST survive verbatim, since the `hexKeys`
13
- * pattern would otherwise mangle their sha256 hex and corrupt the server's
14
- * test registry + dedup.
15
- *
16
- * Returns a new object when redaction applies; the input is never mutated.
17
- * When neither projection bucket is present the input is returned as-is.
18
- * A generous `maxDepth` keeps nested JSON Schemas / recursive workflow branch
19
- * trees from truncating to a `[REDACTED: too deep]` sentinel.
20
- *
21
- * rootHash consistency (codex 0.6 P2): `workflows` participate in `rootHash`
22
- * (see metadata.ts `computeRootHash`), but `buildMetadata` hashed the
23
- * UNREDACTED workflows. Redacting them here would leave a payload whose
24
- * rootHash no longer matches its own `workflows`, so when workflows are
25
- * present we recompute rootHash over the redacted projection — the uploaded
26
- * payload stays self-consistent for any receiver that verifies it.
27
- * (`contractsProjection` is NOT part of rootHash, so its redaction is moot.)
28
- * This makes the function async.
29
- *
30
- * Redaction model (same engine as event redaction, config-driven):
31
- * - Only SCALARS (string/number) are ever masked. A sensitive key over an
32
- * object/array is RECURSED into, never replaced wholesale — so JSON-Schema
33
- * nodes (`properties.password = { type: "string" }`) keep their shape.
34
- * - A scalar is masked when its own key is sensitive (built-in baseline +
35
- * scope keys + the project's `globalRules.sensitiveKeys`) OR its value
36
- * matches a value pattern (jwt/bearer/email/…).
37
- * - BOUNDARY: a secret nested under a sensitive key but keyed by a
38
- * NON-sensitive inner name (e.g. `authorization: { value: "sk_live…" }`)
39
- * is NOT auto-masked. That is by design — like events, such project-specific
40
- * shapes are declared in the redaction config (`sensitiveKeys` /
41
- * `customPatterns`), not hard-coded here. In practice nested secrets
42
- * usually sit under a sensitive inner key (`token`/`password`/`secret`)
43
- * and ARE caught.
44
- */
45
- export declare function redactMetadataForUpload(metadata: UploadMetadata, redaction: Pick<RedactionConfig, "globalRules" | "replacementFormat">): Promise<UploadMetadata>;
46
- export {};
47
- //# sourceMappingURL=redact-metadata.d.ts.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"redact-metadata.d.ts","sourceRoot":"","sources":["../../src/lib/redact-metadata.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAEvD,KAAK,cAAc,GAAG,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC,CAAC;AAanE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,cAAc,EACxB,SAAS,EAAE,IAAI,CAAC,eAAe,EAAE,aAAa,GAAG,mBAAmB,CAAC,GACpE,OAAO,CAAC,cAAc,CAAC,CAsCzB"}
@@ -1,84 +0,0 @@
1
- import { redactValue, BUILTIN_SCOPES } from "@glubean/redaction";
2
- import { computeRootHash } from "../metadata.js";
3
- /**
4
- * Union of every sensitive key declared across the built-in event scopes
5
- * (e.g. `authorization`, `cookie`, `set-cookie`, `x-api-key`). The metadata
6
- * projection has no single event type to scope by, so we apply ALL of them
7
- * (plus the built-in baseline, enabled inside `redactValue`) — ensuring the
8
- * projection is redacted at least as strongly as the events it accompanies.
9
- */
10
- const SCOPE_SENSITIVE_KEYS = [
11
- ...new Set(BUILTIN_SCOPES.flatMap((s) => s.rules?.sensitiveKeys ?? [])),
12
- ];
13
- /**
14
- * Deep-redact the FULL contract/workflow projection buckets of an upload
15
- * metadata object before it leaves the machine.
16
- *
17
- * Only `contractsProjection` and `workflows` are redacted — they are free-form
18
- * trees that can carry secrets at any path (examples, default headers, gRPC
19
- * metadata, `extensions`/`meta` blobs, literal compare/switch values, assertion
20
- * messages). Everything else is returned untouched; in particular
21
- * `files[].hash` / `rootHash` MUST survive verbatim, since the `hexKeys`
22
- * pattern would otherwise mangle their sha256 hex and corrupt the server's
23
- * test registry + dedup.
24
- *
25
- * Returns a new object when redaction applies; the input is never mutated.
26
- * When neither projection bucket is present the input is returned as-is.
27
- * A generous `maxDepth` keeps nested JSON Schemas / recursive workflow branch
28
- * trees from truncating to a `[REDACTED: too deep]` sentinel.
29
- *
30
- * rootHash consistency (codex 0.6 P2): `workflows` participate in `rootHash`
31
- * (see metadata.ts `computeRootHash`), but `buildMetadata` hashed the
32
- * UNREDACTED workflows. Redacting them here would leave a payload whose
33
- * rootHash no longer matches its own `workflows`, so when workflows are
34
- * present we recompute rootHash over the redacted projection — the uploaded
35
- * payload stays self-consistent for any receiver that verifies it.
36
- * (`contractsProjection` is NOT part of rootHash, so its redaction is moot.)
37
- * This makes the function async.
38
- *
39
- * Redaction model (same engine as event redaction, config-driven):
40
- * - Only SCALARS (string/number) are ever masked. A sensitive key over an
41
- * object/array is RECURSED into, never replaced wholesale — so JSON-Schema
42
- * nodes (`properties.password = { type: "string" }`) keep their shape.
43
- * - A scalar is masked when its own key is sensitive (built-in baseline +
44
- * scope keys + the project's `globalRules.sensitiveKeys`) OR its value
45
- * matches a value pattern (jwt/bearer/email/…).
46
- * - BOUNDARY: a secret nested under a sensitive key but keyed by a
47
- * NON-sensitive inner name (e.g. `authorization: { value: "sk_live…" }`)
48
- * is NOT auto-masked. That is by design — like events, such project-specific
49
- * shapes are declared in the redaction config (`sensitiveKeys` /
50
- * `customPatterns`), not hard-coded here. In practice nested secrets
51
- * usually sit under a sensitive inner key (`token`/`password`/`secret`)
52
- * and ARE caught.
53
- */
54
- export async function redactMetadataForUpload(metadata, redaction) {
55
- if (!metadata.contractsProjection && !metadata.workflows)
56
- return metadata;
57
- const redact = (v) => redactValue(v, {
58
- globalRules: redaction.globalRules,
59
- // Built-in baseline (password/token/authorization/…) is enabled by
60
- // default inside redactValue; add the scope-declared keys on top so a
61
- // default config (empty globalRules.sensitiveKeys) still masks
62
- // key-based secrets the value patterns would miss.
63
- sensitiveKeys: SCOPE_SENSITIVE_KEYS,
64
- replacementFormat: redaction.replacementFormat,
65
- maxDepth: 64,
66
- });
67
- const redactedWorkflows = metadata.workflows
68
- ? redact(metadata.workflows)
69
- : undefined;
70
- const result = {
71
- ...metadata,
72
- ...(metadata.contractsProjection
73
- ? { contractsProjection: redact(metadata.contractsProjection) }
74
- : {}),
75
- ...(redactedWorkflows ? { workflows: redactedWorkflows } : {}),
76
- };
77
- // workflows are hashed into rootHash; recompute over the redacted projection
78
- // so the uploaded payload is self-consistent (see the doc comment above).
79
- if (redactedWorkflows && metadata.rootHash !== undefined) {
80
- result.rootHash = await computeRootHash(result.files, result.contracts, redactedWorkflows);
81
- }
82
- return result;
83
- }
84
- //# sourceMappingURL=redact-metadata.js.map
@@ -1 +0,0 @@
1
- {"version":3,"file":"redact-metadata.js","sourceRoot":"","sources":["../../src/lib/redact-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEjE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAKjD;;;;;;GAMG;AACH,MAAM,oBAAoB,GAAa;IACrC,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,IAAI,EAAE,CAAC,CAAC;CACxE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,QAAwB,EACxB,SAAqE;IAErE,IAAI,CAAC,QAAQ,CAAC,mBAAmB,IAAI,CAAC,QAAQ,CAAC,SAAS;QAAE,OAAO,QAAQ,CAAC;IAE1E,MAAM,MAAM,GAAG,CAAC,CAAU,EAAW,EAAE,CACrC,WAAW,CAAC,CAAC,EAAE;QACb,WAAW,EAAE,SAAS,CAAC,WAAW;QAClC,mEAAmE;QACnE,sEAAsE;QACtE,+DAA+D;QAC/D,mDAAmD;QACnD,aAAa,EAAE,oBAAoB;QACnC,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;QAC9C,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;IAEL,MAAM,iBAAiB,GAAG,QAAQ,CAAC,SAAS;QAC1C,CAAC,CAAE,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAe;QAC3C,CAAC,CAAC,SAAS,CAAC;IAEd,MAAM,MAAM,GAAmB;QAC7B,GAAG,QAAQ;QACX,GAAG,CAAC,QAAQ,CAAC,mBAAmB;YAC9B,CAAC,CAAC,EAAE,mBAAmB,EAAE,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAc,EAAE;YAC5E,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC/D,CAAC;IAEF,6EAA6E;IAC7E,0EAA0E;IAC1E,IAAI,iBAAiB,IAAI,QAAQ,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QACzD,MAAM,CAAC,QAAQ,GAAG,MAAM,eAAe,CACrC,MAAM,CAAC,KAA8C,EACrD,MAAM,CAAC,SAAS,EAChB,iBAAiB,CAClB,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}