@lifestreamdynamics/vault-cli 1.2.0 → 1.3.0

package/dist/lib/profiles.js

@@ -29,9 +29,9 @@ export function getActiveProfile() {
  */
 export function setActiveProfile(name) {
     if (!fs.existsSync(CONFIG_DIR)) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
-    fs.writeFileSync(ACTIVE_PROFILE_FILE, name + '\n');
+    fs.writeFileSync(ACTIVE_PROFILE_FILE, name + '\n', { mode: 0o600 });
 }
 /**
  * Loads a profile's configuration. Returns an empty object if the profile
@@ -54,11 +54,11 @@ export function loadProfile(name) {
  */
 export function setProfileValue(name, key, value) {
     if (!fs.existsSync(PROFILES_DIR)) {
-        fs.mkdirSync(PROFILES_DIR, { recursive: true });
+        fs.mkdirSync(PROFILES_DIR, { recursive: true, mode: 0o700 });
     }
     const config = loadProfile(name);
     config[key] = value;
-    fs.writeFileSync(getProfilePath(name), JSON.stringify(config, null, 2) + '\n');
+    fs.writeFileSync(getProfilePath(name), JSON.stringify(config, null, 2) + '\n', { mode: 0o600 });
 }
 /**
  * Gets a single value from a profile.

package/dist/sync/config.js

@@ -31,9 +31,9 @@ export function loadSyncConfigs() {
  */
 export function saveSyncConfigs(configs) {
     if (!fs.existsSync(CONFIG_DIR)) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
-    fs.writeFileSync(SYNCS_FILE, JSON.stringify(configs, null, 2) + '\n');
+    fs.writeFileSync(SYNCS_FILE, JSON.stringify(configs, null, 2) + '\n', { mode: 0o600 });
 }
 /**
  * Find a sync config by its ID.

package/dist/sync/daemon-worker.js

@@ -8,7 +8,7 @@ import { resolveIgnorePatterns } from './ignore.js';
 import { createWatcher } from './watcher.js';
 import { createRemotePoller } from './remote-poller.js';
 import { removePid } from './daemon.js';
-import { loadConfig } from '../config.js';
+import { loadConfigAsync } from '../config.js';
 import { LifestreamVaultClient } from '@lifestreamdynamics/vault-sdk';
 import { scanLocalFiles, scanRemoteFiles, computePushDiff, computePullDiff, executePush, executePull } from './engine.js';
 import { loadSyncState } from './state.js';
@@ -17,10 +17,17 @@ function log(msg) {
     const ts = new Date().toISOString();
     process.stdout.write(`[${ts}] ${msg}\n`);
 }
-function createClient() {
-    const config = loadConfig();
-    if (!config.apiKey) {
-        throw new Error('No API key configured. Run `lsvault auth login` first.');
+async function createClient() {
+    const config = await loadConfigAsync();
+    if (!config.apiKey && !config.accessToken) {
+        throw new Error('No credentials configured. Run `lsvault auth login` first.');
+    }
+    if (config.accessToken) {
+        return new LifestreamVaultClient({
+            baseUrl: config.apiUrl,
+            accessToken: config.accessToken,
+            refreshToken: config.refreshToken,
+        });
     }
     return new LifestreamVaultClient({
         baseUrl: config.apiUrl,
@@ -36,7 +43,7 @@ async function start() {
         process.exit(0);
     }
     log(`Found ${configs.length} auto-sync configuration(s)`);
-    const client = createClient();
+    const client = await createClient();
     // Startup reconciliation: catch changes made while daemon was stopped
     for (const config of configs) {
         try {

package/dist/sync/daemon.js

@@ -137,7 +137,8 @@ export function startDaemon(logFile) {
     rotateLogIfNeeded(targetLog);
     const logFd = fs.openSync(targetLog, 'a');
     // Spawn the daemon worker as a detached process
-    const workerPath = path.join(import.meta.dirname, 'daemon-worker.js');
+    // Use URL constructor for Node 20.0-20.10 compatibility (import.meta.dirname was added in 20.11).
+    const workerPath = path.join(path.dirname(new URL(import.meta.url).pathname), 'daemon-worker.js');
     const child = spawn(process.execPath, [workerPath], {
         detached: true,
         stdio: ['ignore', logFd, logFd],

package/dist/sync/remote-poller.js

@@ -63,7 +63,9 @@ export function createRemotePoller(client, config, options) {
                         if (resolution === 'remote') {
                             conflictFile = createConflictFile(config.localPath, doc.path, localContent, 'local');
                             onLocalWrite?.(doc.path);
-                            fs.writeFileSync(localFile, content, 'utf-8');
+                            const tmpConflict = localFile + '.tmp';
+                            fs.writeFileSync(tmpConflict, content, 'utf-8');
+                            fs.renameSync(tmpConflict, localFile);
                             log(`Conflict: ${doc.path} — used remote, saved local as ${conflictFile}`);
                         }
                         else {
@@ -80,13 +82,15 @@ export function createRemotePoller(client, config, options) {
                         continue;
                     }
                 }
-                // No conflict — download the file
+                // No conflict — download the file atomically
                 const dir = path.dirname(localFile);
                 if (!fs.existsSync(dir)) {
                     fs.mkdirSync(dir, { recursive: true });
                 }
                 onLocalWrite?.(doc.path);
-                fs.writeFileSync(localFile, content, 'utf-8');
+                const tmpFile = localFile + '.tmp';
+                fs.writeFileSync(tmpFile, content, 'utf-8');
+                fs.renameSync(tmpFile, localFile);
                 log(`Pulled: ${doc.path}`);
                 changes++;
                 state.local[doc.path] = {

package/dist/sync/state.js

@@ -43,10 +43,10 @@ export function loadSyncState(syncId) {
  */
 export function saveSyncState(state) {
     if (!fs.existsSync(STATE_DIR)) {
-        fs.mkdirSync(STATE_DIR, { recursive: true });
+        fs.mkdirSync(STATE_DIR, { recursive: true, mode: 0o700 });
     }
     state.updatedAt = new Date().toISOString();
-    fs.writeFileSync(stateFilePath(state.syncId), JSON.stringify(state, null, 2) + '\n');
+    fs.writeFileSync(stateFilePath(state.syncId), JSON.stringify(state, null, 2) + '\n', { mode: 0o600 });
 }
 /**
  * Delete sync state for a given sync configuration.

package/dist/utils/confirm.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Prompt the user to confirm a destructive action.
+ *
+ * @param message - The confirmation message to display (without " [y/N] " suffix)
+ * @param options.yes - If true, skip the prompt and return true immediately (e.g. --yes flag)
+ * @returns Promise resolving to true if confirmed, false if declined
+ * @throws Error if stdin is not a TTY and --yes was not provided
+ */
+export declare function confirmAction(message: string, options?: {
+    yes?: boolean;
+}): Promise<boolean>;

package/dist/utils/confirm.js

@@ -0,0 +1,23 @@
+import readline from 'node:readline';
+/**
+ * Prompt the user to confirm a destructive action.
+ *
+ * @param message - The confirmation message to display (without " [y/N] " suffix)
+ * @param options.yes - If true, skip the prompt and return true immediately (e.g. --yes flag)
+ * @returns Promise resolving to true if confirmed, false if declined
+ * @throws Error if stdin is not a TTY and --yes was not provided
+ */
+export async function confirmAction(message, options) {
+    if (options?.yes)
+        return true;
+    if (!process.stdin.isTTY) {
+        throw new Error('Cannot prompt for confirmation in non-interactive mode. Use --yes to skip confirmation.');
+    }
+    const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+    return new Promise((resolve) => {
+        rl.question(`${message} [y/N] `, (answer) => {
+            rl.close();
+            resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+        });
+    });
+}

package/dist/utils/format.js

@@ -1,5 +1,5 @@
 export function formatBytes(bytes) {
-    if (bytes === 0)
+    if (bytes <= 0)
         return '0 B';
     const units = ['B', 'KB', 'MB', 'GB', 'TB'];
     const i = Math.floor(Math.log(bytes) / Math.log(1024));

package/dist/utils/output.js

@@ -108,12 +108,15 @@ export class Output {
     list(data, options) {
         if (data.length === 0) {
             if (this.flags.output === 'json') {
-                // empty json array: no output
+                process.stdout.write('[]\n');
                 return;
             }
             if (options?.emptyMessage && !this.flags.quiet) {
                 this.status(options.emptyMessage);
             }
+            else if (!this.flags.quiet && !options?.emptyMessage) {
+                process.stdout.write('No results found.\n');
+            }
             return;
         }
         switch (this.flags.output) {

package/dist/utils/prompt.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Shared interactive prompt utilities.
+ *
+ * These helpers write prompts to stderr so they do not corrupt stdout piping,
+ * and they disable terminal echo so passwords are never visible on screen or
+ * in scroll-back buffers.
+ */
+/**
+ * Prompt for a password from stdin (non-echoing).
+ *
+ * @param prompt - Label written to stderr before the user types (default: "Password: ")
+ * @returns The entered password, or null if stdin is not a TTY (non-interactive).
+ */
+export declare function promptPassword(prompt?: string): Promise<string | null>;
+/**
+ * Read a password from stdin in non-TTY / CI mode (i.e. piped input).
+ *
+ * Reads the first line of stdin and trims whitespace. Callers should
+ * gate this behind a `--password-stdin` flag so the intent is explicit.
+ *
+ * @returns The password string, or null if stdin is empty / already ended.
+ */
+export declare function readPasswordFromStdin(): Promise<string | null>;
+/**
+ * Prompt for an MFA code from stdin (6 digits, non-echoing).
+ *
+ * @returns The entered code, or null if stdin is not a TTY.
+ */
+export declare function promptMfaCode(): Promise<string | null>;

package/dist/utils/prompt.js

@@ -0,0 +1,146 @@
+/**
+ * Shared interactive prompt utilities.
+ *
+ * These helpers write prompts to stderr so they do not corrupt stdout piping,
+ * and they disable terminal echo so passwords are never visible on screen or
+ * in scroll-back buffers.
+ */
+/**
+ * Prompt for a password from stdin (non-echoing).
+ *
+ * @param prompt - Label written to stderr before the user types (default: "Password: ")
+ * @returns The entered password, or null if stdin is not a TTY (non-interactive).
+ */
+export async function promptPassword(prompt = 'Password: ') {
+    if (!process.stdin.isTTY) {
+        return null;
+    }
+    const readline = await import('node:readline');
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stderr,
+            terminal: true,
+        });
+        process.stderr.write(prompt);
+        process.stdin.setRawMode?.(true);
+        let password = '';
+        const onData = (chunk) => {
+            const char = chunk.toString('utf-8');
+            if (char === '\n' || char === '\r' || char === '\u0004') {
+                process.stderr.write('\n');
+                process.stdin.setRawMode?.(false);
+                process.stdin.removeListener('data', onData);
+                rl.close();
+                resolve(password);
+            }
+            else if (char === '\u0003') {
+                // Ctrl+C
+                process.stderr.write('\n');
+                process.stdin.setRawMode?.(false);
+                process.stdin.removeListener('data', onData);
+                rl.close();
+                resolve(null);
+            }
+            else if (char === '\u007F' || char === '\b') {
+                // Backspace
+                if (password.length > 0) {
+                    password = password.slice(0, -1);
+                }
+            }
+            else {
+                password += char;
+            }
+        };
+        process.stdin.on('data', onData);
+        process.stdin.resume();
+    });
+}
+/**
+ * Read a password from stdin in non-TTY / CI mode (i.e. piped input).
+ *
+ * Reads the first line of stdin and trims whitespace. Callers should
+ * gate this behind a `--password-stdin` flag so the intent is explicit.
+ *
+ * @returns The password string, or null if stdin is empty / already ended.
+ */
+export async function readPasswordFromStdin() {
+    return new Promise((resolve, reject) => {
+        let data = '';
+        const onData = (chunk) => {
+            data += chunk.toString('utf-8');
+            // Stop after the first newline — we only want one line.
+            if (data.includes('\n')) {
+                cleanup();
+                resolve(data.split('\n')[0].trim() || null);
+            }
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve(data.trim() || null);
+        };
+        const onError = (err) => {
+            cleanup();
+            reject(err);
+        };
+        const cleanup = () => {
+            process.stdin.removeListener('data', onData);
+            process.stdin.removeListener('end', onEnd);
+            process.stdin.removeListener('error', onError);
+        };
+        process.stdin.on('data', onData);
+        process.stdin.once('end', onEnd);
+        process.stdin.once('error', onError);
+        process.stdin.resume();
+    });
+}
+/**
+ * Prompt for an MFA code from stdin (6 digits, non-echoing).
+ *
+ * @returns The entered code, or null if stdin is not a TTY.
+ */
+export async function promptMfaCode() {
+    if (!process.stdin.isTTY) {
+        return null;
+    }
+    const readline = await import('node:readline');
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stderr,
+            terminal: true,
+        });
+        process.stderr.write('MFA code: ');
+        process.stdin.setRawMode?.(true);
+        let code = '';
+        const onData = (chunk) => {
+            const char = chunk.toString('utf-8');
+            if (char === '\n' || char === '\r' || char === '\u0004') {
+                process.stderr.write('\n');
+                process.stdin.setRawMode?.(false);
+                process.stdin.removeListener('data', onData);
+                rl.close();
+                resolve(code);
+            }
+            else if (char === '\u0003') {
+                // Ctrl+C
+                process.stderr.write('\n');
+                process.stdin.setRawMode?.(false);
+                process.stdin.removeListener('data', onData);
+                rl.close();
+                resolve(null);
+            }
+            else if (char === '\u007F' || char === '\b') {
+                // Backspace
+                if (code.length > 0) {
+                    code = code.slice(0, -1);
+                }
+            }
+            else {
+                code += char;
+            }
+        };
+        process.stdin.on('data', onData);
+        process.stdin.resume();
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lifestreamdynamics/vault-cli",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Command-line interface for Lifestream Vault",
   "engines": {
     "node": ">=20"
@@ -44,7 +44,7 @@
     "prepublishOnly": "npm run build && npm test"
   },
   "dependencies": {
-    "@lifestreamdynamics/vault-sdk": "^1.2.0",
+    "@lifestreamdynamics/vault-sdk": "^2.1.0",
     "chalk": "^5.4.0",
     "chokidar": "^4.0.3",
     "commander": "^13.0.0",