@insforge/cli 0.1.78 → 0.1.79

package/dist/index.js

@@ -1172,7 +1172,7 @@ import * as clack5 from "@clack/prompts";
 
 // src/lib/analytics.ts
 import { PostHog } from "posthog-node";
-var POSTHOG_API_KEY = "";
+var POSTHOG_API_KEY = "phc_ueV1ii62wdBTkH7E70ugyeqHIHu8dFDdjs0qq3TZhJz";
 var POSTHOG_HOST = process.env.POSTHOG_HOST || "https://us.i.posthog.com";
 var client = null;
 function getClient() {
@@ -6961,7 +6961,7 @@ function registerDiagnoseCommands(diagnoseCmd2) {
         const s = !json ? clack15.spinner() : null;
         s?.start("Collecting diagnostic data...");
         const data2 = await collectDiagnosticData(projectId, ossMode, apiUrl);
-        const cliVersion = "0.1.78";
+        const cliVersion = "0.1.79";
         s?.stop("Data collected");
         if (!json) {
           console.log(`
@@ -9190,9 +9190,67 @@ function validateAuth(input) {
     }
     out.allowed_redirect_urls = v;
   }
+  if ("require_email_verification" in obj) {
+    if (typeof obj.require_email_verification !== "boolean") {
+      throw new ConfigValidationError(
+        "auth.require_email_verification",
+        "must be a boolean"
+      );
+    }
+    out.require_email_verification = obj.require_email_verification;
+  }
+  if ("verify_email_method" in obj) {
+    out.verify_email_method = validateVerificationMethod(
+      "auth.verify_email_method",
+      obj.verify_email_method
+    );
+  }
+  if ("reset_password_method" in obj) {
+    out.reset_password_method = validateVerificationMethod(
+      "auth.reset_password_method",
+      obj.reset_password_method
+    );
+  }
+  if ("password" in obj) out.password = validatePassword(obj.password);
   if ("smtp" in obj) out.smtp = validateSmtp(obj.smtp);
   return out;
 }
+function validateVerificationMethod(path6, value) {
+  if (value !== "code" && value !== "link") {
+    throw new ConfigValidationError(path6, 'must be "code" or "link"');
+  }
+  return value;
+}
+function validatePassword(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    throw new ConfigValidationError("auth.password", "must be a table");
+  }
+  const obj = input;
+  const out = {};
+  if ("min_length" in obj) {
+    if (typeof obj.min_length !== "number" || !Number.isInteger(obj.min_length) || obj.min_length < 4 || obj.min_length > 128) {
+      throw new ConfigValidationError(
+        "auth.password.min_length",
+        "must be an integer between 4 and 128"
+      );
+    }
+    out.min_length = obj.min_length;
+  }
+  for (const key of [
+    "require_number",
+    "require_lowercase",
+    "require_uppercase",
+    "require_special_char"
+  ]) {
+    if (key in obj) {
+      if (typeof obj[key] !== "boolean") {
+        throw new ConfigValidationError(`auth.password.${key}`, "must be a boolean");
+      }
+      out[key] = obj[key];
+    }
+  }
+  return out;
+}
 function validateSmtp(input) {
   if (input === null || typeof input !== "object" || Array.isArray(input)) {
     throw new ConfigValidationError("auth.smtp", "must be a table");
@@ -9275,11 +9333,13 @@ function stringifyConfigToml(config) {
   }
   if (config.auth) {
     lines.push("[auth]");
-    if (config.auth.allowed_redirect_urls !== void 0) {
-      const urls = config.auth.allowed_redirect_urls.map((u) => JSON.stringify(u)).join(", ");
-      lines.push(`allowed_redirect_urls = [${urls}]`);
-    }
+    renderAuthFlatFields(config.auth, lines);
     lines.push("");
+    if (config.auth.password !== void 0) {
+      lines.push("[auth.password]");
+      renderPasswordFields(config.auth.password, lines);
+      lines.push("");
+    }
     if (config.auth.smtp !== void 0) {
       lines.push("[auth.smtp]");
       renderSmtpFields(config.auth.smtp, lines);
@@ -9295,6 +9355,34 @@ function stringifyConfigToml(config) {
   }
   return lines.join("\n").replace(/\n+$/, "\n");
 }
+function renderAuthFlatFields(auth, lines) {
+  if (auth.allowed_redirect_urls !== void 0) {
+    const urls = auth.allowed_redirect_urls.map((u) => JSON.stringify(u)).join(", ");
+    lines.push(`allowed_redirect_urls = [${urls}]`);
+  }
+  if (auth.require_email_verification !== void 0) {
+    lines.push(`require_email_verification = ${auth.require_email_verification}`);
+  }
+  if (auth.verify_email_method !== void 0) {
+    lines.push(`verify_email_method = ${JSON.stringify(auth.verify_email_method)}`);
+  }
+  if (auth.reset_password_method !== void 0) {
+    lines.push(`reset_password_method = ${JSON.stringify(auth.reset_password_method)}`);
+  }
+}
+function renderPasswordFields(pw, lines) {
+  if (pw.min_length !== void 0) lines.push(`min_length = ${pw.min_length}`);
+  if (pw.require_number !== void 0) lines.push(`require_number = ${pw.require_number}`);
+  if (pw.require_lowercase !== void 0) {
+    lines.push(`require_lowercase = ${pw.require_lowercase}`);
+  }
+  if (pw.require_uppercase !== void 0) {
+    lines.push(`require_uppercase = ${pw.require_uppercase}`);
+  }
+  if (pw.require_special_char !== void 0) {
+    lines.push(`require_special_char = ${pw.require_special_char}`);
+  }
+}
 function renderSmtpFields(smtp, lines) {
   if (smtp.enabled !== void 0) lines.push(`enabled = ${smtp.enabled}`);
   if (smtp.host !== void 0) lines.push(`host = ${JSON.stringify(smtp.host)}`);
@@ -9318,6 +9406,132 @@ function renderSmtpFields(smtp, lines) {
   }
 }
 
+// src/lib/config-metadata.ts
+function liveFromMetadata(raw) {
+  const live = { auth: {} };
+  const a = isPlainObject(raw.auth) ? raw.auth : void 0;
+  if (a && "allowedRedirectUrls" in a) {
+    live.auth.allowed_redirect_urls = asStringArray(a.allowedRedirectUrls) ?? [];
+  }
+  if (a && "requireEmailVerification" in a) {
+    live.auth.require_email_verification = a.requireEmailVerification ?? false;
+  }
+  if (a && "verifyEmailMethod" in a && (a.verifyEmailMethod === "code" || a.verifyEmailMethod === "link")) {
+    live.auth.verify_email_method = a.verifyEmailMethod;
+  }
+  if (a && "resetPasswordMethod" in a && (a.resetPasswordMethod === "code" || a.resetPasswordMethod === "link")) {
+    live.auth.reset_password_method = a.resetPasswordMethod;
+  }
+  if (a && ("passwordMinLength" in a || "requireNumber" in a || "requireLowercase" in a || "requireUppercase" in a || "requireSpecialChar" in a)) {
+    live.auth.password = {
+      min_length: a.passwordMinLength ?? 8,
+      require_number: a.requireNumber ?? false,
+      require_lowercase: a.requireLowercase ?? false,
+      require_uppercase: a.requireUppercase ?? false,
+      require_special_char: a.requireSpecialChar ?? false
+    };
+  }
+  if (isPlainObject(a?.smtpConfig)) {
+    const s = a.smtpConfig;
+    live.auth.smtp = {
+      enabled: s.enabled ?? false,
+      host: s.host ?? "",
+      port: s.port ?? 587,
+      username: s.username ?? "",
+      hasPassword: s.hasPassword ?? false,
+      sender_email: s.senderEmail ?? "",
+      sender_name: s.senderName ?? "",
+      min_interval_seconds: s.minIntervalSeconds ?? 60
+    };
+  }
+  const d = isPlainObject(raw.deployments) ? raw.deployments : void 0;
+  if (d) {
+    live.deployments = {
+      subdomain: typeof d.customSlug === "string" && d.customSlug ? d.customSlug : null
+    };
+  }
+  return live;
+}
+function isPlainObject(v) {
+  return v !== null && typeof v === "object" && !Array.isArray(v);
+}
+function asStringArray(v) {
+  return Array.isArray(v) && v.every((x) => typeof x === "string") ? v : null;
+}
+function configFromMetadata(raw) {
+  const config = {};
+  const skipped = [];
+  const a = isPlainObject(raw.auth) ? raw.auth : void 0;
+  if (a && "allowedRedirectUrls" in a) {
+    config.auth = config.auth ?? {};
+    config.auth.allowed_redirect_urls = asStringArray(a.allowedRedirectUrls) ?? [];
+  } else {
+    skipped.push("auth.allowed_redirect_urls");
+  }
+  if (a && "requireEmailVerification" in a) {
+    config.auth = config.auth ?? {};
+    config.auth.require_email_verification = a.requireEmailVerification ?? false;
+  } else {
+    skipped.push("auth.require_email_verification");
+  }
+  if (a && "verifyEmailMethod" in a && (a.verifyEmailMethod === "code" || a.verifyEmailMethod === "link")) {
+    config.auth = config.auth ?? {};
+    config.auth.verify_email_method = a.verifyEmailMethod;
+  } else {
+    skipped.push("auth.verify_email_method");
+  }
+  if (a && "resetPasswordMethod" in a && (a.resetPasswordMethod === "code" || a.resetPasswordMethod === "link")) {
+    config.auth = config.auth ?? {};
+    config.auth.reset_password_method = a.resetPasswordMethod;
+  } else {
+    skipped.push("auth.reset_password_method");
+  }
+  if (a && ("passwordMinLength" in a || "requireNumber" in a || "requireLowercase" in a || "requireUppercase" in a || "requireSpecialChar" in a)) {
+    config.auth = config.auth ?? {};
+    config.auth.password = {};
+    if ("passwordMinLength" in a) config.auth.password.min_length = a.passwordMinLength ?? 8;
+    if ("requireNumber" in a) config.auth.password.require_number = a.requireNumber ?? false;
+    if ("requireLowercase" in a) config.auth.password.require_lowercase = a.requireLowercase ?? false;
+    if ("requireUppercase" in a) config.auth.password.require_uppercase = a.requireUppercase ?? false;
+    if ("requireSpecialChar" in a) {
+      config.auth.password.require_special_char = a.requireSpecialChar ?? false;
+    }
+  } else {
+    skipped.push("auth.password");
+  }
+  if (a && "smtpConfig" in a) {
+    const s = a.smtpConfig;
+    if (isPlainObject(s)) {
+      config.auth = config.auth ?? {};
+      config.auth.smtp = {
+        enabled: s.enabled ?? false,
+        host: s.host ?? "",
+        port: s.port ?? 587,
+        username: s.username ?? "",
+        // When backend has a password set, emit a deterministic env() placeholder
+        // so the user knows which secret to define. We do NOT round-trip the
+        // value (it never leaves the backend). Re-applying this TOML force-resends
+        // from the secrets store — see config-diff.ts for the force-resend rationale.
+        ...s.hasPassword ? { password: "env(SMTP_PASSWORD)" } : {},
+        sender_email: s.senderEmail ?? "",
+        sender_name: s.senderName ?? "",
+        min_interval_seconds: s.minIntervalSeconds ?? 60
+      };
+    }
+  } else {
+    skipped.push("auth.smtp");
+  }
+  const d = isPlainObject(raw.deployments) ? raw.deployments : void 0;
+  if (d) {
+    if (typeof d.customSlug === "string" && d.customSlug) {
+      config.deployments = { subdomain: d.customSlug };
+    }
+  } else {
+    skipped.push("deployments.subdomain");
+  }
+  return { config, skipped };
+}
+
 // src/commands/config/export.ts
 function registerConfigExportCommand(cfg) {
   cfg.command("export").description("Pull live project config and write insforge.toml").option("--out <path>", "output path", "insforge.toml").option("--force", "overwrite without confirmation").action(async (opts, cmd) => {
@@ -9344,44 +9558,7 @@ function registerConfigExportCommand(cfg) {
       }
       const res = await ossFetch("/api/metadata");
       const raw = await res.json();
-      const config = {};
-      const skipped = [];
-      const authSlice = raw?.auth;
-      if (authSlice && typeof authSlice === "object" && "allowedRedirectUrls" in authSlice) {
-        config.auth = config.auth ?? {};
-        config.auth.allowed_redirect_urls = authSlice.allowedRedirectUrls ?? [];
-      } else {
-        skipped.push("auth.allowed_redirect_urls");
-      }
-      if (authSlice && typeof authSlice === "object" && "smtpConfig" in authSlice && authSlice.smtpConfig) {
-        const s = authSlice.smtpConfig;
-        config.auth = config.auth ?? {};
-        config.auth.smtp = {
-          enabled: s.enabled ?? false,
-          host: s.host ?? "",
-          port: s.port ?? 587,
-          username: s.username ?? "",
-          // When backend has a password set, emit a deterministic env()
-          // placeholder so the user knows which secret to define. We do
-          // NOT round-trip the value (it never leaves the backend).
-          // Re-applying this TOML force-resends from the secrets store
-          // — see config-diff.ts for the force-resend rationale.
-          ...s.hasPassword ? { password: "env(SMTP_PASSWORD)" } : {},
-          sender_email: s.senderEmail ?? "",
-          sender_name: s.senderName ?? "",
-          min_interval_seconds: s.minIntervalSeconds ?? 60
-        };
-      } else {
-        skipped.push("auth.smtp");
-      }
-      const deploymentsSlice = raw?.deployments;
-      if (deploymentsSlice && typeof deploymentsSlice === "object") {
-        if (typeof deploymentsSlice.customSlug === "string" && deploymentsSlice.customSlug) {
-          config.deployments = { subdomain: deploymentsSlice.customSlug };
-        }
-      } else {
-        skipped.push("deployments.subdomain");
-      }
+      const { config, skipped } = configFromMetadata(raw);
       const toml = stringifyConfigToml(config);
       writeFileSync9(target, toml, "utf8");
       if (json) {
@@ -9427,6 +9604,48 @@ function diffConfig({ live, file }) {
       });
     }
   }
+  if (fileAuth && "require_email_verification" in fileAuth) {
+    const fromV = liveAuth.require_email_verification ?? false;
+    const toV = fileAuth.require_email_verification ?? false;
+    if (fromV !== toV) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "require_email_verification",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth && "verify_email_method" in fileAuth && fileAuth.verify_email_method) {
+    const fromV = liveAuth.verify_email_method ?? "code";
+    const toV = fileAuth.verify_email_method;
+    if (fromV !== toV) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "verify_email_method",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth && "reset_password_method" in fileAuth && fileAuth.reset_password_method) {
+    const fromV = liveAuth.reset_password_method ?? "code";
+    const toV = fileAuth.reset_password_method;
+    if (fromV !== toV) {
+      changes.push({
+        section: "auth",
+        op: "modify",
+        key: "reset_password_method",
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+  if (fileAuth?.password) {
+    diffPassword(liveAuth.password, fileAuth.password, changes);
+  }
   if (fileAuth?.smtp !== void 0) {
     const smtpChange = diffSmtp(liveAuth.smtp, fileAuth.smtp);
     if (smtpChange) changes.push(smtpChange);
@@ -9436,7 +9655,7 @@ function diffConfig({ live, file }) {
   if (fileDeployments && "subdomain" in fileDeployments) {
     const fromV = liveDeployments.subdomain ?? null;
     const rawTo = fileDeployments.subdomain;
-    const toV = rawTo === null || rawTo === "" ? null : rawTo;
+    const toV = rawTo === null || rawTo === void 0 || rawTo === "" ? null : rawTo;
     if (fromV !== toV) {
       changes.push({
         section: "deployments",
@@ -9449,6 +9668,36 @@ function diffConfig({ live, file }) {
   }
   return { changes, summary: summarize(changes) };
 }
+function diffPassword(live, file, changes) {
+  const liveView = live ?? EMPTY_PASSWORD_POLICY;
+  if (file.min_length !== void 0 && liveView.min_length !== file.min_length) {
+    changes.push({
+      section: "auth.password",
+      op: "modify",
+      key: "min_length",
+      from: liveView.min_length,
+      to: file.min_length
+    });
+  }
+  for (const key of [
+    "require_number",
+    "require_lowercase",
+    "require_uppercase",
+    "require_special_char"
+  ]) {
+    const fromV = liveView[key];
+    const toV = file[key];
+    if (toV !== void 0 && fromV !== toV) {
+      changes.push({
+        section: "auth.password",
+        op: "modify",
+        key,
+        from: fromV,
+        to: toV
+      });
+    }
+  }
+}
 function diffSmtp(live, fileSmtp) {
   const livedView = renderLiveSmtp(live);
   const tomlView = renderFileSmtp(fileSmtp);
@@ -9507,6 +9756,13 @@ var EMPTY_SMTP_VIEW = {
   sender_name: "",
   min_interval_seconds: 60
 };
+var EMPTY_PASSWORD_POLICY = {
+  min_length: 8,
+  require_number: false,
+  require_lowercase: false,
+  require_uppercase: false,
+  require_special_char: false
+};
 function summarize(changes) {
   const s = { add: 0, modify: 0, remove: 0, kept: 0 };
   for (const c of changes) {
@@ -9582,10 +9838,22 @@ function formatChange(c) {
 // src/lib/config-capabilities.ts
 function metadataSupports(raw, change) {
   if (change.section === "auth" && change.key === "allowed_redirect_urls") {
-    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "allowedRedirectUrls" in raw.auth;
+    return hasAuthKey(raw, "allowedRedirectUrls");
+  }
+  if (change.section === "auth" && change.key === "require_email_verification") {
+    return hasAuthKey(raw, "requireEmailVerification");
+  }
+  if (change.section === "auth" && change.key === "verify_email_method") {
+    return hasAuthKey(raw, "verifyEmailMethod");
+  }
+  if (change.section === "auth" && change.key === "reset_password_method") {
+    return hasAuthKey(raw, "resetPasswordMethod");
+  }
+  if (change.section === "auth.password") {
+    return hasAuthKey(raw, AUTH_PASSWORD_WIRE_KEY[change.key]);
   }
   if (change.section === "auth.smtp") {
-    return raw?.auth !== void 0 && raw.auth !== null && typeof raw.auth === "object" && "smtpConfig" in raw.auth;
+    return hasAuthKey(raw, "smtpConfig");
   }
   if (change.section === "deployments" && change.key === "subdomain") {
     return raw?.deployments !== void 0 && raw.deployments !== null && typeof raw.deployments === "object";
@@ -9594,10 +9862,24 @@ function metadataSupports(raw, change) {
   void _exhaustive;
   return false;
 }
+function hasAuthKey(raw, key) {
+  const auth = raw?.auth;
+  return auth !== void 0 && auth !== null && typeof auth === "object" && key in auth;
+}
+var AUTH_PASSWORD_WIRE_KEY = {
+  min_length: "passwordMinLength",
+  require_number: "requireNumber",
+  require_lowercase: "requireLowercase",
+  require_uppercase: "requireUppercase",
+  require_special_char: "requireSpecialChar"
+};
 function changePath(change) {
   if (change.section === "auth.smtp") return "auth.smtp";
   return `${change.section}.${change.key}`;
 }
+function authPasswordWireKey(key) {
+  return AUTH_PASSWORD_WIRE_KEY[key];
+}
 
 // src/commands/config/plan.ts
 function registerConfigPlanCommand(cfg) {
@@ -9610,9 +9892,7 @@ function registerConfigPlanCommand(cfg) {
       const file = parseConfigToml(tomlSource);
       const res = await ossFetch("/api/metadata");
       const raw = await res.json();
-      const live = {
-        auth: { allowed_redirect_urls: raw.auth?.allowedRedirectUrls ?? [] }
-      };
+      const live = liveFromMetadata(raw);
       const result = diffConfig({ live, file });
       const skipped = result.changes.filter((c) => !metadataSupports(raw, c)).map((c) => changePath(c));
       if (json) {
@@ -9722,29 +10002,6 @@ function registerConfigApplyCommand(cfg) {
     }
   });
 }
-function liveFromMetadata(raw) {
-  const live = { auth: {} };
-  if (raw.auth?.allowedRedirectUrls !== void 0) {
-    live.auth.allowed_redirect_urls = raw.auth.allowedRedirectUrls;
-  }
-  if (raw.auth?.smtpConfig) {
-    const s = raw.auth.smtpConfig;
-    live.auth.smtp = {
-      enabled: s.enabled ?? false,
-      host: s.host ?? "",
-      port: s.port ?? 587,
-      username: s.username ?? "",
-      hasPassword: s.hasPassword ?? false,
-      sender_email: s.senderEmail ?? "",
-      sender_name: s.senderName ?? "",
-      min_interval_seconds: s.minIntervalSeconds ?? 60
-    };
-  }
-  if (raw.deployments) {
-    live.deployments = { subdomain: raw.deployments.customSlug ?? null };
-  }
-  return live;
-}
 async function applyChange(change) {
   if (change.section === "auth" && change.key === "allowed_redirect_urls") {
     await ossFetch("/api/auth/config", {
@@ -9753,6 +10010,35 @@ async function applyChange(change) {
     });
     return;
   }
+  if (change.section === "auth" && change.key === "require_email_verification") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ requireEmailVerification: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth" && change.key === "verify_email_method") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ verifyEmailMethod: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth" && change.key === "reset_password_method") {
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ resetPasswordMethod: change.to })
+    });
+    return;
+  }
+  if (change.section === "auth.password") {
+    const wireKey = authPasswordWireKey(change.key);
+    await ossFetch("/api/auth/config", {
+      method: "PUT",
+      body: JSON.stringify({ [wireKey]: change.to })
+    });
+    return;
+  }
   if (change.section === "auth.smtp") {
     const to = change.to;
     const body = {