npm - @leeguoo/wrangler-accounts - Versions diffs - 1.1.1 → 1.2.0 - Mend

@leeguoo/wrangler-accounts 1.1.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/bin/wrangler-accounts.js +87 -6
package/lib/isolation.js +6 -1
package/package.json +1 -1
package/skills/wrangler-accounts/SKILL.md +6 -1

package/bin/wrangler-accounts.js CHANGED Viewed

@@ -236,6 +236,8 @@ function parseArgs(argv) {
       opts.backup = false;
     } else if (arg === "--unset") {
       opts.unset = true;
+    } else if (arg === "--deep" || arg === "--verify") {
+      opts.deep = true;
     } else if (arg === "--config" || arg === "-c") {
       opts.config = argv[i + 1];
       if (!opts.config) die("Missing value for --config");
@@ -451,9 +453,59 @@ function main() {
         status,
         expirationTime: session.expirationTime,
         identity,
+        verified: null,
+        verifyError: null,
       };
     });
+    // --deep: actually run `wrangler whoami` inside a shadow HOME for
+    // each profile. This is the only authoritative check — the fast
+    // status column above is derived purely from the saved
+    // expiration_time, which does not tell us whether the refresh token
+    // still works or whether Cloudflare has revoked the session.
+    if (opts.deep) {
+      if (entries.length > 0 && !opts.json) {
+        process.stderr.write(
+          `[wrangler-accounts] running deep check (wrangler whoami) for ${entries.length} profile(s)...\n`,
+        );
+      }
+      const cloudflaredPath = findCloudflared();
+      for (const e of entries) {
+        const profileCfg = path.join(profilesDir, e.name, "config.toml");
+        try {
+          const r = runIsolated({
+            profile: e.name,
+            profileCfg,
+            realHome: os.homedir(),
+            command: "wrangler",
+            args: ["whoami"],
+            baseEnv: process.env,
+            captureStdout: true,
+            cloudflaredPath,
+          });
+          const output = `${r.stdout || ""}\n${r.stderr || ""}`;
+          if (r.exitCode === 0) {
+            const live = parseWranglerWhoamiOutput(output);
+            if (live) {
+              e.verified = true;
+              e.liveIdentity = live;
+            } else {
+              e.verified = false;
+              e.verifyError = "could not parse wrangler whoami output";
+            }
+          } else {
+            e.verified = false;
+            e.verifyError = /not logged in/i.test(output)
+              ? "not logged in (refresh token may be revoked)"
+              : `wrangler whoami exit ${r.exitCode}`;
+          }
+        } catch (err) {
+          e.verified = false;
+          e.verifyError = err.message;
+        }
+      }
+    }
     if (opts.plain) {
       // --plain keeps the v1.0 contract: one name per line, scriptable.
       if (entries.length) console.log(entries.map((e) => e.name).join("\n"));
@@ -479,22 +531,51 @@ function main() {
         : e.status === "valid" ? "valid"
         : "unknown",
       expires: formatExpiry(e.expirationTime),
+      verified:
+        e.verified === true ? "✓ ok"
+        : e.verified === false ? `✗ ${e.verifyError || "failed"}`
+        : "—",
       identity: e.identity ? describeIdentity(e.identity) : "(no identity)",
     }));
     const nameW = Math.max(4, ...rows.map((r) => r.name.length));
     const statusW = Math.max(6, ...rows.map((r) => r.status.length));
     const expiresW = Math.max(7, ...rows.map((r) => r.expires.length));
-    const header = `  ${"NAME".padEnd(nameW)}  ${"STATUS".padEnd(statusW)}  ${"EXPIRES".padEnd(expiresW)}  IDENTITY`;
+    const verifiedW = Math.max(8, ...rows.map((r) => r.verified.length));
+    let header;
+    if (opts.deep) {
+      header = `  ${"NAME".padEnd(nameW)}  ${"STATUS".padEnd(statusW)}  ${"EXPIRES".padEnd(expiresW)}  ${"VERIFIED".padEnd(verifiedW)}  IDENTITY`;
+    } else {
+      header = `  ${"NAME".padEnd(nameW)}  ${"STATUS".padEnd(statusW)}  ${"EXPIRES".padEnd(expiresW)}  IDENTITY`;
+    }
     console.log(header);
     for (const r of rows) {
+      if (opts.deep) {
+        console.log(
+          `${r.marker} ${r.name.padEnd(nameW)}  ${r.status.padEnd(statusW)}  ${r.expires.padEnd(expiresW)}  ${r.verified.padEnd(verifiedW)}  ${r.identity}`,
+        );
+      } else {
+        console.log(
+          `${r.marker} ${r.name.padEnd(nameW)}  ${r.status.padEnd(statusW)}  ${r.expires.padEnd(expiresW)}  ${r.identity}`,
+        );
+      }
+    }
+    console.log();
+    if (opts.deep) {
+      console.log(
+        "Legend: * = default profile, VERIFIED ✓ = wrangler whoami succeeded in shadow HOME, ✗ = authoritative failure",
+      );
+    } else {
       console.log(
-        `${r.marker} ${r.name.padEnd(nameW)}  ${r.status.padEnd(statusW)}  ${r.expires.padEnd(expiresW)}  ${r.identity}`,
+        "Legend: * = default profile, EXPIRED = access token past expiration_time (wrangler may still auto-refresh)",
+      );
+      console.log(
+        "        STATUS is derived from the saved file only. For a live check that runs 'wrangler whoami' against Cloudflare,",
+      );
+      console.log(
+        "        pass --deep (slower, makes network calls).",
       );
     }
-    console.log();
-    console.log(
-      `Legend: * = default profile, EXPIRED = OAuth session needs 'wrangler-accounts login <name>'`,
-    );
     return;
   }

package/lib/isolation.js CHANGED Viewed

@@ -150,8 +150,13 @@ function runIsolated({
   let result;
   try {
+    // captureStdout mode is used for non-interactive checks (e.g.
+    // background `wrangler whoami` during `list --deep`), so we close
+    // stdin on the child rather than letting it read from the user's
+    // terminal. Normal inherit mode keeps stdin attached for interactive
+    // flows like `login` and `exec`.
     result = spawnSync(command, args, {
-      stdio: captureStdout ? ['inherit', 'pipe', 'pipe'] : 'inherit',
+      stdio: captureStdout ? ['ignore', 'pipe', 'pipe'] : 'inherit',
       env,
       encoding: 'utf8',
     });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@leeguoo/wrangler-accounts",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "AWS-style multi-account convenience for Cloudflare Wrangler — per-invocation OAuth isolation via shadow HOME.",
   "license": "MIT",
   "bin": {

package/skills/wrangler-accounts/SKILL.md CHANGED Viewed

@@ -76,10 +76,15 @@ Use `--json` for structured output.
 ### List and inspect profiles
-- `wrangler-accounts list` / `list --json` / `list --plain`
+- `wrangler-accounts list` — text table with NAME / STATUS / EXPIRES / IDENTITY columns
+- `wrangler-accounts list --json` — structured: array of `{name, isDefault, isActive, status, expirationTime, identity}`
+- `wrangler-accounts list --plain` — one profile name per line (scriptable)
+- `wrangler-accounts list --deep` — **authoritative** check: spawns `wrangler whoami` in a shadow HOME for every profile and reports whether Cloudflare actually accepts the credentials. Slower (makes network calls), but the only way to catch revoked refresh tokens or broken profile files.
 - `wrangler-accounts status` / `status --json`
 - Pass `--include-backups` to show hidden backup profiles.
+**Accuracy note:** the `STATUS` column without `--deep` is derived purely from the saved `expiration_time` and tells you *when the access token will expire*, not whether the profile is actually usable. Wrangler auto-refreshes access tokens via the refresh token, so an `EXPIRED` access token is often fine in practice. When the user needs a real verdict, suggest `wrangler-accounts list --deep`.
 ### Save, sync, login, remove
 - `wrangler-accounts save <name>` — snapshot current Wrangler config as a profile