@kitsy/cnos-cli 1.8.1 → 1.8.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +37 -21
- package/package.json +2 -2
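--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -802,7 +802,10 @@ async function defineValue(namespace, configPath, rawValue, options = {}) {
 };
 }
 async function setSecret(configPath, rawValue, options = {}) {
-const runtime = await createRuntimeService(
+const runtime = await createRuntimeService({
+...options,
+secretResolution: "lazy"
+});
 const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
 const profile = options.profile ?? runtime.graph.profile;
 const filePath = resolveConfigDocumentPath(workspaceRoot, "secret", configPath, profile);
@@ -812,7 +815,7 @@ async function setSecret(configPath, rawValue, options = {}) {
 if (!vaultDefinition) {
 throw new Error(`Unknown vault "${vault}". Create it first with cnos vault create ${vault}.`);
 }
-const mode = options.mode ?? (vaultDefinition.provider === "local" ? "local" : vaultDefinition.provider === "github-secrets" ? "ref" : "remote");
+const mode = options.mode ?? (vaultDefinition.provider === "local" ? "local" : vaultDefinition.provider === "github-secrets" || vaultDefinition.provider === "environment" ? "ref" : "remote");
 let reference;
 if (mode === "local") {
 const auth = await resolveVaultAuth(vault, vaultDefinition, options.processEnv ?? process.env);
@@ -843,7 +846,10 @@ async function setSecret(configPath, rawValue, options = {}) {
 }
 async function deleteSecret(configPath, options = {}) {
 await assertWritableConfigRoot(`delete secret.${configPath}`, options);
-const runtime = await createRuntimeService(
+const runtime = await createRuntimeService({
+...options,
+secretResolution: "lazy"
+});
 const workspaceRoot = getSelectedWorkspaceRoot(options, runtime);
 const profile = options.profile ?? runtime.graph.profile;
 const filePath = resolveConfigDocumentPath(workspaceRoot, "secret", configPath, profile);
@@ -1806,7 +1812,7 @@ var COMMANDS = [
 "cnos vault create local-dev",
 "cnos vault auth local-dev",
 "cnos secret set app.token super-secret --vault local-dev",
-"cnos vault create github-ci --provider
+"cnos vault create github-ci --provider environment --no-passphrase",
 "cnos secret set app.token APP_TOKEN --vault github-ci"
 ]
 },
@@ -1814,21 +1820,21 @@ var COMMANDS = [
 id: "vault",
 summary: "Manage manifest-defined secret vaults.",
 usage: "cnos vault [create <name> | list | remove <name>] [options] [global-options]",
-description: "Creates, lists, and removes vault definitions in .cnos/cnos.yml. Local vaults use encrypted material under ~/.cnos/secrets, while
+description: "Creates, lists, and removes vault definitions in .cnos/cnos.yml. Local vaults use encrypted material under ~/.cnos/secrets, while environment-backed vaults resolve from process.env in CI and cloud runtimes. github-secrets remains a compatibility alias.",
 options: [
 {
-flag: "--provider <local|github-secrets>",
+flag: "--provider <local|environment|github-secrets>",
 description: "Vault provider. Defaults to local."
 },
 {
 flag: "--no-passphrase",
-description: "Allowed for passwordless providers such as
+description: "Allowed for passwordless providers such as environment-backed vaults."
 }
 ],
 examples: [
 "cnos vault create local-dev",
 "cnos vault auth local-dev",
-"cnos vault create github-ci --provider
+"cnos vault create github-ci --provider environment --no-passphrase",
 "cnos vault list",
 "cnos vault remove local-dev"
 ]
@@ -1836,11 +1842,11 @@ var COMMANDS = [
 {
 id: "vault create",
 summary: "Create a manifest-defined vault.",
-usage: "cnos vault create <name> [--provider <local|github-secrets>] [--no-passphrase] [global-options]",
+usage: "cnos vault create <name> [--provider <local|environment|github-secrets>] [--no-passphrase] [global-options]",
 description: "Creates a vault definition in .cnos/cnos.yml and, for local vaults, initializes the encrypted store under ~/.cnos/secrets. CNOS prompts for a passphrase when one is not already available from env or keychain.",
 examples: [
 "cnos vault create local-dev",
-"cnos vault create
+"cnos vault create firebase-prod --provider environment --no-passphrase"
 ]
 },
 {
@@ -2013,12 +2019,12 @@ var COMMANDS = [
 id: "secret set",
 summary: "Write a secret securely.",
 usage: "cnos secret set <path> <value> [--local|--remote|--ref] [--vault <name>] [--provider <name>] [global-options]",
-description: "Writes a secret reference into the repo. When a local vault is selected, CNOS stores encrypted secret material outside the repo under ~/.cnos/secrets/vaults/<vault>; when
+description: "Writes a secret reference into the repo. When a local vault is selected, CNOS stores encrypted secret material outside the repo under ~/.cnos/secrets/vaults/<vault>; when an environment-backed vault is selected, CNOS writes an env-backed ref for CI or cloud runtimes.",
 examples: [
 "cnos vault create db",
 "cnos vault auth db",
 "cnos secret set app.token super-secret --vault db",
-"cnos vault create github-ci --provider
+"cnos vault create github-ci --provider environment --no-passphrase",
 "cnos secret set app.token APP_TOKEN --vault github-ci"
 ]
 },
@@ -2914,7 +2920,10 @@ function toStoredEntry(namespace, entry, filter = {}) {
 };
 }
 async function listStoredNamespace(namespace, options) {
-const runtime = await createRuntimeService(
+const runtime = await createRuntimeService({
+...options,
+...namespace === "secret" ? { secretResolution: "lazy" } : {}
+});
 return Array.from(runtime.graph.entries.values()).filter((entry) => entry.namespace === namespace).map((entry) => {
 const stored = toStoredEntry(namespace, entry, options);
 if (!stored) {
@@ -4012,21 +4021,21 @@ async function authenticateVault(name, options = {}) {
 const auth = await resolveVaultAuth2(vault, definition, options.processEnv ?? process.env);
 const storeRoot = resolveSecretStoreRoot2(options.processEnv);
 if (definition.provider === "local") {
-if (!auth.passphrase) {
-throw new Error(`Vault "${vault}" requires passphrase-based authentication.`);
-}
 const metadata = await readVaultMetadata(storeRoot, vault);
 if (!metadata) {
 throw new Error(
 `Vault "${vault}" has not been initialized yet. Run cnos vault create ${vault} first.`
 );
 }
-const derivedKey = deriveVaultKey(auth.passphrase, Buffer.from(metadata.salt, "base64"), metadata.iterations);
+const derivedKey = auth.derivedKey ?? (auth.passphrase ? deriveVaultKey(auth.passphrase, Buffer.from(metadata.salt, "base64"), metadata.iterations) : void 0);
+if (!derivedKey) {
+throw new Error(`Vault "${vault}" requires passphrase-based authentication.`);
+}
 await listLocalSecrets(
 storeRoot,
 {
 derivedKey,
-method: auth.method,
+method: auth.derivedKey ? auth.method : "passphrase",
 ...definition.auth?.config ? { config: definition.auth.config } : {}
 },
 vault
@@ -4191,7 +4200,10 @@ async function runSecret(argsOrPath, options = {}) {
 return runVault(["create", tail[0] ?? "default"], options);
 }
 if (action === "list") {
-const runtime2 = await createRuntimeService(
+const runtime2 = await createRuntimeService({
+...options,
+secretResolution: "lazy"
+});
 const prefix = consumeOption(cliArgs, "--prefix");
 const vault = consumeOption(cliArgs, "--vault");
 const provider = consumeOption(cliArgs, "--provider");
@@ -4254,12 +4266,16 @@ async function runSecret(argsOrPath, options = {}) {
 }
 return result.deleted ? `deleted secret.${secretPath2} from ${displayPath(result.filePath, root)}` : `no secret.${secretPath2} found in ${displayPath(result.filePath, root)}`;
 }
-const runtime = await createRuntimeService(
+const runtime = await createRuntimeService({
+...options,
+secretResolution: "lazy"
+});
 const secretPath = tail[0] ?? "app.token";
 const expectedVault = consumeOption(cliArgs, "--vault");
 const reveal = consumeFlag(cliArgs, "--reveal");
 const entry = runtime.graph.entries.get(`secret.${secretPath}`);
 const secretRef = entry?.winner.metadata?.secretRef;
+await runtime.refreshSecret(`secret.${secretPath}`);
 const value = runtime.secret(secretPath);
 if (value === void 0) {
 throw new Error(`Missing CNOS secret path: ${secretPath}`);
@@ -4318,7 +4334,7 @@ async function runValidate(options = {}) {
 // package.json
 var package_default = {
 name: "@kitsy/cnos-cli",
-version: "1.8.
+version: "1.8.3",
 description: "CLI entry point and developer tooling for CNOS.",
 type: "module",
 main: "./dist/index.js",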
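Review bot: In the authenticateVault hunk, the new `auth.derivedKey ?? (...)` at new line 4030 hands a caller-supplied key straight to listLocalSecrets without relating it to `metadata.salt` / `metadata.iterations`, so a key derived under a previous vault's KDF parameters (for example after the vault was re-created) is caught, if at all, only by a failed decrypt further down; I would add `// derivedKey is trusted as-is: it must have been derived with this vault's salt/iterations — TODO confirm listLocalSecrets fails closed on a mismatch` above that line. The reordering also means a local vault with neither passphrase nor derivedKey now reports "has not been initialized" before "requires passphrase-based authentication" when metadata is missing, which seems intentional but deserves a one-line comment since the old order was the reverse. In the `secret get` path, `await runtime.refreshSecret(...)` at new line 4278 runs before the `value === void 0` check, so if refreshSecret throws for an unknown path (not visible here) the "Missing CNOS secret path" message is never reached; consider `if (entry) await runtime.refreshSecret(`secret.${secretPath}`);`. Both authenticateVault and runSecret start and end outside their hunks.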
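--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@kitsy/cnos-cli",
-"version": "1.8.
+"version": "1.8.3",
 "description": "CLI entry point and developer tooling for CNOS.",
 "type": "module",
 "main": "./dist/index.js",
@@ -37,7 +37,7 @@
 },
 "dependencies": {
 "smol-toml": "^1.4.2",
-"@kitsy/cnos": "1.8.
+"@kitsy/cnos": "1.8.3"
 },
 "scripts": {
 "build": "tsup src/index.ts --format esm --dts",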