@iann29/synapse 1.8.6 → 1.8.8

package/lib/commands/env-set.js

@@ -0,0 +1,129 @@
+// `synapse env set NAME=value [NAME2=value2 ...] [--for=dev,prod] [--project=<id>] [--json]`
+//
+// Batch-sets project-default env vars. Multiple positionals = single
+// transactional update on the backend (the handler wraps the whole
+// `changes` array in a BEGIN/COMMIT). If any value is rejected the
+// whole batch rolls back.
+//
+// Value parsing: split on the FIRST `=`. So `FOO=a=b` sets FOO to "a=b".
+// Names must match /^[A-Z_][A-Z0-9_]*$/ — same shape the Convex backend
+// accepts (uppercase letters, digits, underscore; leading non-digit).
+
+const colors = require("../colors");
+const { extractFlags, resolveProject } = require("./_resource");
+
+const NAME_RE = /^[A-Z_][A-Z0-9_]*$/;
+const VALID_FORS = new Set(["dev", "prod", "preview"]);
+
+// Splits `NAME=value` on the FIRST `=`. Returns { name, value } or
+// throws when the shape is wrong. Empty value is OK ("FOO=" sets to "").
+function parsePair(arg) {
+  const eq = arg.indexOf("=");
+  if (eq <= 0) {
+    throw new Error(
+      `Invalid env assignment: ${JSON.stringify(arg)}. Expected NAME=value.`,
+    );
+  }
+  const name = arg.slice(0, eq);
+  const value = arg.slice(eq + 1);
+  if (!NAME_RE.test(name)) {
+    throw new Error(
+      `Invalid env name: ${JSON.stringify(name)}. Names must match [A-Z_][A-Z0-9_]*.`,
+    );
+  }
+  return { name, value };
+}
+
+// Comma-split + trim + dedupe a `--for=dev,prod` argument. Empty
+// returns null (= "use default"). Errors on unknown types.
+function parseFor(raw) {
+  if (raw === undefined || raw === null || raw === true) return null;
+  const trimmed = String(raw).trim();
+  if (trimmed === "") return null;
+  const parts = [
+    ...new Set(trimmed.split(",").map((s) => s.trim().toLowerCase())),
+  ].filter(Boolean);
+  for (const p of parts) {
+    if (!VALID_FORS.has(p)) {
+      throw new Error(
+        `Invalid --for entry: ${p}. Must be one of: ${[...VALID_FORS].join(", ")}.`,
+      );
+    }
+  }
+  return parts;
+}
+
+module.exports = {
+  name: "env set",
+  summary: "Set one or more project-default environment variables.",
+  usage:
+    "synapse env set NAME=value [NAME2=value2 ...] [--for=dev,prod] [--project=<id>] [--json]",
+  description: `Calls POST /v1/projects/{id}/update_default_environment_variables with op=set. Multiple pairs are applied in a single transaction. Names follow the [A-Z_][A-Z0-9_]* convention; values are byte-preserved (whitespace, quotes, '=' all OK).
+
+Flags:
+  --for=dev,prod     Limit the var to specific deploymentTypes
+                     (comma-separated). Omitted: backend defaults
+                     (typically: all types).
+  --project=<id>     Override the linked project.
+  --json             Machine-readable output.
+
+Examples:
+  synapse env set OPENAI_API_KEY=sk-abc...
+  synapse env set FOO=bar BAZ=qux --for=prod
+  synapse env set REDIS_URL='rediss://user:pass@host:6379/0'`,
+
+  // Re-exports for tests.
+  parsePair,
+  parseFor,
+  NAME_RE,
+
+  async run(args, ctx) {
+    const { flags, rest } = extractFlags(args, {
+      string: ["for", "project"],
+      boolean: ["json"],
+    });
+    if (rest.length === 0) {
+      throw new Error(
+        "Usage: synapse env set NAME=value [NAME2=value2 ...] [--for=...]",
+      );
+    }
+    const forList = parseFor(flags.for);
+    const pairs = rest.map(parsePair);
+
+    const resolveArgs = flags.project ? [`--project=${flags.project}`] : [];
+    const { projectId, source } = resolveProject(ctx, resolveArgs);
+
+    const changes = pairs.map(({ name, value }) => ({
+      op: "set",
+      name,
+      value,
+      ...(forList ? { deploymentTypes: forList } : {}),
+    }));
+
+    if (!ctx.out.json) {
+      ctx.out.info(
+        `Setting ${pairs.length} env var${pairs.length > 1 ? "s" : ""} on project ${projectId}${forList ? ` (for: ${forList.join(",")})` : ""}…`,
+      );
+    }
+    await ctx.api.updateProjectEnvVars(projectId, changes);
+
+    ctx.out.result(
+      {
+        projectId,
+        projectSource: source,
+        applied: changes.length,
+        changes: changes.map((c) => ({ name: c.name, deploymentTypes: c.deploymentTypes ?? null })),
+      },
+      (_d, { stdout }) => {
+        for (const { name } of pairs) {
+          stdout.write(`${colors.green("+")} ${colors.bold(name)}\n`);
+        }
+        stdout.write(
+          colors.dim(
+            "These defaults are injected into NEW deployments. To apply to existing deployments, run `synapse convex env set` per deployment, or re-create them.\n",
+          ),
+        );
+      },
+    );
+  },
+};

package/lib/commands/env-unset.js

@@ -0,0 +1,77 @@
+// `synapse env unset NAME [NAME2 ...] [--project=<id>] [--json]`
+//
+// Batch-deletes project-default env vars. Sends op=delete for each
+// name in a single transactional update. Unknown names are not an
+// error server-side (the DELETE is idempotent), but we surface a
+// warning when ALL passed names were unknown — usually a typo.
+
+const colors = require("../colors");
+const { extractFlags, resolveProject } = require("./_resource");
+
+const NAME_RE = /^[A-Z_][A-Z0-9_]*$/;
+
+module.exports = {
+  name: "env unset",
+  summary: "Delete one or more project-default environment variables.",
+  usage: "synapse env unset NAME [NAME2 ...] [--project=<id>] [--json]",
+  description: `Calls POST /v1/projects/{id}/update_default_environment_variables with op=delete. Idempotent — deleting a name that doesn't exist is silent.
+
+Flags:
+  --project=<id>     Override the linked project.
+  --json             Machine-readable output.
+
+Examples:
+  synapse env unset OLD_API_KEY
+  synapse env unset FOO BAR BAZ`,
+
+  async run(args, ctx) {
+    const { flags, rest } = extractFlags(args, {
+      string: ["project"],
+      boolean: ["json"],
+    });
+    if (rest.length === 0) {
+      throw new Error("Usage: synapse env unset NAME [NAME2 ...]");
+    }
+    for (const name of rest) {
+      if (!NAME_RE.test(name)) {
+        throw new Error(
+          `Invalid env name: ${JSON.stringify(name)}. Names must match [A-Z_][A-Z0-9_]*.`,
+        );
+      }
+    }
+
+    const resolveArgs = flags.project ? [`--project=${flags.project}`] : [];
+    const { projectId, source } = resolveProject(ctx, resolveArgs);
+
+    // We could pre-fetch the existing var list to warn about unknown
+    // names. Skipping: an extra GET on every unset doubles latency for
+    // the common case where the operator typed the right name. The
+    // backend's op=delete is idempotent.
+    const changes = rest.map((name) => ({ op: "delete", name }));
+    if (!ctx.out.json) {
+      ctx.out.info(
+        `Unsetting ${rest.length} env var${rest.length > 1 ? "s" : ""} on project ${projectId}…`,
+      );
+    }
+    await ctx.api.updateProjectEnvVars(projectId, changes);
+
+    ctx.out.result(
+      {
+        projectId,
+        projectSource: source,
+        deleted: rest.length,
+        names: rest,
+      },
+      (_d, { stdout }) => {
+        for (const name of rest) {
+          stdout.write(`${colors.red("-")} ${colors.bold(name)}\n`);
+        }
+        stdout.write(
+          colors.dim(
+            "Existing deployments keep their cached value until they're recreated.\n",
+          ),
+        );
+      },
+    );
+  },
+};

package/lib/commands/https-doctor.js

@@ -0,0 +1,73 @@
+// `synapse https doctor [domain]` — read-only sanity checks that
+// tell the operator WHAT to fix without changing anything. This
+// mirrors `synapse doctor` but is scoped to the HTTPS-dev surface.
+//
+// Useful when an operator runs the wizard and the dev server still
+// doesn't work — `doctor` re-scans + flags every drift from the
+// expected state.
+
+const colors = require("../colors");
+const { extractFlags } = require("./_resource");
+const detectMod = require("../https/detect");
+const plannerMod = require("../https/planner");
+
+module.exports = {
+  name: "https doctor",
+  summary: "Diagnose local-HTTPS setup without changing anything.",
+  usage: "synapse https doctor [domain] [--json]",
+  description: `Runs the same detection as \`https setup\` but in read-only mode. Prints the plan that WOULD run, plus any warnings (legacy certs in cwd, NSS missing, etc).`,
+
+  async run(args, ctx) {
+    const { flags, rest } = extractFlags(args, {
+      string: [],
+      boolean: ["json"],
+    });
+    const domain = rest[0];
+    if (rest.length > 1) {
+      throw new Error(`Unexpected positional: ${rest[1]}.`);
+    }
+    if (!domain) {
+      throw new Error(
+        "Usage: synapse https doctor <domain>\n\nExample: synapse https doctor dev.myproject.com",
+      );
+    }
+    const detection = await detectMod.scan({ domain, cwd: ctx.cwd });
+    const steps = plannerMod.plan(detection, {});
+    const blocker = steps.find((s) => s.kind === "blocker");
+    const warnings = steps.filter((s) => s.kind === "warn");
+    const willExec = steps.filter((s) => s.kind === "exec");
+    const willSkip = steps.filter((s) => s.kind === "skip");
+    const summary = {
+      domain,
+      platform: detection.platform.id,
+      blocker: blocker ? blocker.blocker || blocker.reason : null,
+      warnings: warnings.map((w) => ({ id: w.id, reason: w.reason, hint: w.skipReason })),
+      wouldExec: willExec.map((s) => ({ id: s.id, title: s.title, reason: s.reason })),
+      skipped: willSkip.map((s) => ({ id: s.id, title: s.title, reason: s.reason })),
+    };
+    ctx.out.result(summary, (s, { stdout }) => {
+      stdout.write(`${colors.bold("HTTPS doctor")} ${colors.dim(`· ${s.domain} · ${s.platform}`)}\n\n`);
+      if (s.blocker) {
+        stdout.write(colors.red(`Blocker: ${s.blocker}\n`));
+        return;
+      }
+      if (s.wouldExec.length === 0) {
+        stdout.write(colors.green("Healthy. Nothing to do.\n"));
+      } else {
+        stdout.write(colors.yellow(`${s.wouldExec.length} step${s.wouldExec.length > 1 ? "s" : ""} would run:\n`));
+        for (const x of s.wouldExec) {
+          stdout.write(`  ${colors.cyan("●")} ${x.title}\n`);
+          if (x.reason) stdout.write(colors.dim(`     ${x.reason}\n`));
+        }
+        stdout.write(colors.dim("\nRun `synapse https setup <domain>` to apply.\n"));
+      }
+      if (s.warnings.length > 0) {
+        stdout.write(`\n${colors.yellow("Warnings:")}\n`);
+        for (const w of s.warnings) {
+          stdout.write(`  ${colors.yellow("!")} ${w.reason}\n`);
+          if (w.hint) stdout.write(colors.dim(`     ${w.hint}\n`));
+        }
+      }
+    });
+  },
+};

package/lib/commands/https-migrate.js

@@ -0,0 +1,168 @@
+// `synapse https migrate [--cwd] [--all] [--yes] [--dry-run] [--json]`
+//
+// Migrates legacy cert layouts to the canonical ~/.config/dev-certs/
+// store. Two modes:
+//
+//   1. cwd mode (default): scans the current directory for legacy
+//      `dev.*.pem` + `-key.pem` pairs and migrates them.
+//   2. --all: scans EVERY known project root (operator-supplied via
+//      --root flag, default: ~/Documents and the cwd). This is more
+//      ambitious and gated behind explicit opt-in.
+//
+// Migration per cert pair:
+//   - Move the .pem files into ~/.config/dev-certs/<domain>/
+//   - Set mode 0600 on the key
+//   - Rewrite package.json dev:https to point at the new paths
+//   - Leave the original files in place ONLY if --keep-old; default
+//     is to delete them once they've been moved successfully.
+
+const fs = require("node:fs");
+const path = require("node:path");
+const colors = require("../colors");
+const { extractFlags } = require("./_resource");
+const { confirm } = require("../prompts");
+const detectMod = require("../https/detect");
+const nextjsMod = require("../https/nextjs");
+
+module.exports = {
+  name: "https migrate",
+  summary: "Move legacy cert pairs from project roots into ~/.config/dev-certs/.",
+  usage: "synapse https migrate [--cwd | --root=<path>] [--keep-old] [--dry-run] [--yes] [--json]",
+  description: `Some projects have their .pem files in the project root (left over from the manual setup era). This command moves them into the canonical ~/.config/dev-certs/<domain>/ store, then rewrites the project's package.json dev:https script to reference the new paths.
+
+Flags:
+  --cwd               only the current directory (default)
+  --root=<path>       a specific directory to scan
+  --keep-old          leave the original .pem files in place after moving
+  --dry-run           show what would happen, don't change anything
+  --yes               skip the per-pair confirmation
+  --json              machine-readable output
+
+The cwd is scanned non-recursively. Subdirectories are ignored —
+if you want to migrate every project on disk, run this command in
+each project root (or write a small loop).`,
+
+  async run(args, ctx) {
+    const { flags, rest } = extractFlags(args, {
+      string: ["root"],
+      boolean: ["cwd", "keep-old", "dry-run", "yes", "json"],
+    });
+    if (rest.length > 0) {
+      throw new Error(`Unexpected positional: ${rest[0]}.`);
+    }
+    const root = typeof flags.root === "string" ? flags.root : ctx.cwd;
+    const dryRun = flags["dry-run"] === true;
+    const keepOld = flags["keep-old"] === true;
+    const yes = flags.yes === true;
+    const legacy = detectMod.detectLegacyCertsInCwd(root);
+
+    if (legacy.length === 0) {
+      ctx.out.result(
+        { root, migrated: [], skipped: [], count: 0 },
+        () =>
+          ctx.out.stdout.write(
+            colors.dim(`No legacy cert pairs found in ${root}.\n`),
+          ),
+      );
+      return;
+    }
+
+    if (!ctx.out.json) {
+      ctx.out.stdout.write(
+        `${colors.bold(`Found ${legacy.length} legacy cert pair${legacy.length > 1 ? "s" : ""} in ${root}:`)}\n`,
+      );
+      for (const p of legacy) {
+        ctx.out.stdout.write(`  · ${colors.bold(p.domain)}\n`);
+        ctx.out.stdout.write(colors.dim(`      ${p.cert}\n`));
+        ctx.out.stdout.write(colors.dim(`      ${p.key}\n`));
+      }
+      ctx.out.stdout.write("\n");
+    }
+    if (dryRun) {
+      ctx.out.info("(dry-run — no changes applied)");
+      ctx.out.result({ root, found: legacy, dryRun: true }, () => {});
+      return;
+    }
+    if (!yes && !ctx.out.json) {
+      const ok = await confirm(`Migrate ${legacy.length} pair(s)? [Y/n] `, { defaultAnswer: true });
+      if (!ok) {
+        ctx.out.info("Aborted.");
+        process.exitCode = 1;
+        return;
+      }
+    }
+    if (!yes && ctx.out.json) {
+      throw new Error("Refusing to migrate in --json mode without --yes.");
+    }
+
+    const migrated = [];
+    const skipped = [];
+    const failed = [];
+    for (const p of legacy) {
+      try {
+        const target = detectMod.certFilesFor(p.domain);
+        // Skip pairs whose canonical location is already populated
+        // unless --force (which we don't expose here — re-running
+        // setup --force is the right way to regenerate).
+        if (fs.existsSync(target.cert) && fs.existsSync(target.key)) {
+          skipped.push({ domain: p.domain, reason: "target already exists in cert store" });
+          continue;
+        }
+        fs.mkdirSync(target.dir, { recursive: true, mode: 0o700 });
+        fs.copyFileSync(p.cert, target.cert);
+        fs.copyFileSync(p.key, target.key);
+        try {
+          fs.chmodSync(target.key, 0o600);
+        } catch {
+          // ignore
+        }
+        if (!keepOld) {
+          fs.rmSync(p.cert, { force: true });
+          fs.rmSync(p.key, { force: true });
+        }
+        // Rewrite package.json dev:https if present + still references
+        // the project-root form.
+        const pkgPath = path.join(root, "package.json");
+        if (fs.existsSync(pkgPath)) {
+          const info = nextjsMod.readPackageJson(pkgPath);
+          if (info.parsed && info.parsed.scripts && info.parsed.scripts["dev:https"]) {
+            const current = info.parsed.scripts["dev:https"];
+            // Replace any reference to the project-root pem paths
+            // with the canonical ones.
+            const newCommand = current
+              .replace(p.cert.replace(/\\/g, "/"), target.cert.replace(/\\/g, "/"))
+              .replace(p.key.replace(/\\/g, "/"), target.key.replace(/\\/g, "/"))
+              .replace(`./${path.basename(p.cert)}`, target.cert.replace(/\\/g, "/"))
+              .replace(`./${path.basename(p.key)}`, target.key.replace(/\\/g, "/"));
+            if (newCommand !== current) {
+              nextjsMod.setDevHttpsScript(pkgPath, newCommand);
+            }
+          }
+        }
+        migrated.push({
+          domain: p.domain,
+          from: { cert: p.cert, key: p.key },
+          to: { cert: target.cert, key: target.key },
+        });
+      } catch (err) {
+        failed.push({ domain: p.domain, error: err.message });
+      }
+    }
+
+    ctx.out.result(
+      { root, migrated, skipped, failed, count: migrated.length },
+      (_d, { stdout }) => {
+        for (const m of migrated) {
+          stdout.write(`${colors.green("✓")} ${colors.bold(m.domain)} → ${colors.dim(m.to.cert)}\n`);
+        }
+        for (const s of skipped) {
+          stdout.write(`${colors.dim("○")} ${colors.bold(s.domain)} skipped: ${s.reason}\n`);
+        }
+        for (const f of failed) {
+          stdout.write(`${colors.red("✗")} ${colors.bold(f.domain)}: ${f.error}\n`);
+        }
+      },
+    );
+    if (failed.length > 0) process.exitCode = 1;
+  },
+};

package/lib/commands/https-remove.js

@@ -0,0 +1,103 @@
+// `synapse https remove <domain> [--keep-certs] [--keep-script]
+//   [--keep-hosts] [--yes] [--json]`
+//
+// Symmetric undo to `https setup`. Removes:
+//   - The cert pair at ~/.config/dev-certs/<domain>/
+//   - The hosts file entry inside the managed block
+//   - The dev:https script from package.json (if it matches the
+//     canonical form — never deletes operator-customised scripts)
+
+const colors = require("../colors");
+const { extractFlags } = require("./_resource");
+const { confirm } = require("../prompts");
+const detectMod = require("../https/detect");
+const plannerMod = require("../https/planner");
+const executorMod = require("../https/executor");
+
+module.exports = {
+  name: "https remove",
+  summary: "Undo `synapse https setup` for a domain (cert + hosts + script).",
+  usage:
+    "synapse https remove <domain> [--keep-certs] [--keep-script] [--keep-hosts] [--yes] [--json]",
+  description: `Reverses what \`synapse https setup\` did. Idempotent — running on a domain that was never set up is a no-op.
+
+Flags:
+  --keep-certs    don't delete the cert pair from ~/.config/dev-certs/
+  --keep-script   don't touch package.json
+  --keep-hosts    don't touch the hosts file
+  --yes           skip the y/N confirmation
+  --json          machine-readable output
+
+Examples:
+  synapse https remove dev.oldproject.com
+  synapse https remove dev.test.com --keep-certs   # keep the cert, just untangle hosts + script`,
+
+  async run(args, ctx) {
+    const { flags, rest } = extractFlags(args, {
+      string: [],
+      boolean: ["keep-certs", "keep-script", "keep-hosts", "yes", "json"],
+    });
+    const domain = rest[0];
+    if (!domain) {
+      throw new Error("Usage: synapse https remove <domain>");
+    }
+    if (rest.length > 1) {
+      throw new Error(`Unexpected positional: ${rest[1]}.`);
+    }
+    const yes = flags.yes === true;
+    const detection = await detectMod.scan({ domain, cwd: ctx.cwd });
+    const steps = plannerMod.planRemove(detection, {
+      keepCerts: flags["keep-certs"] === true,
+      keepScript: flags["keep-script"] === true,
+      keepHosts: flags["keep-hosts"] === true,
+    });
+    if (!plannerMod.planIsExecutable(steps)) {
+      const blocker = steps.find((s) => s.kind === "blocker");
+      throw new Error(blocker?.blocker || "Plan is blocked.");
+    }
+    const willChange = steps.some((s) => s.kind === "exec");
+    if (!willChange) {
+      ctx.out.result(
+        { domain, executedAny: false, results: [] },
+        () => ctx.out.stdout.write(colors.dim("Nothing to remove.\n")),
+      );
+      return;
+    }
+
+    if (!ctx.out.json) {
+      ctx.out.stdout.write(`${colors.bold("Will remove:")}\n`);
+      for (const s of steps) {
+        if (s.kind === "exec") {
+          ctx.out.stdout.write(`  ${colors.red("✗")} ${s.title}\n`);
+        }
+      }
+      ctx.out.stdout.write("\n");
+    }
+    if (!yes && !ctx.out.json) {
+      const ok = await confirm(
+        `Remove HTTPS setup for ${colors.bold(domain)}? [y/N] `,
+        { defaultAnswer: false },
+      );
+      if (!ok) {
+        ctx.out.info("Aborted.");
+        process.exitCode = 1;
+        return;
+      }
+    }
+    if (!yes && ctx.out.json) {
+      throw new Error("Refusing to remove in --json mode without --yes.");
+    }
+    const { results, failedAny } = await executorMod.execute(steps, { out: ctx.out });
+    ctx.out.result(
+      { domain, results, failedAny },
+      (_d, { stdout }) => {
+        for (const r of results) {
+          if (r.kind === "ok") {
+            stdout.write(`${colors.green("✓")} ${r.title}\n`);
+          }
+        }
+      },
+    );
+    if (failedAny) process.exitCode = 1;
+  },
+};