@lizard-build/cli 0.1.0 → 0.3.30

package/src/commands/secrets.ts

@@ -1,28 +1,132 @@
 import chalk from "chalk";
-import { Command } from "commander";
-import { api } from "../lib/api.js";
-import { resolveProjectId } from "../lib/config.js";
-import { success, isJSONMode, printJSON, table } from "../lib/format.js";
+import * as p from "@clack/prompts";
+import { Command, Option } from "commander";
+import { api, withScope, type ResourceScope } from "../lib/api.js";
+import { getProjectLink } from "../lib/config.js";
+import { getActiveService, resolveProjectScope } from "../lib/resolve.js";
+import { success, isJSONMode, printJSON, table, isTTY } from "../lib/format.js";
 
 interface Secret {
   key: string;
   value: string;
 }
 
-export function registerSecrets(program: Command) {
-  const secret = program
-    .command("secret")
-    .description("Manage project secrets");
+/**
+ * `lizard secrets` — secret management. Defaults to the linked service
+ * scope, with --global for project-wide.
+ *
+ * Bare command without subcommand prints the secret list.
+ * `--refs` lists `${{...}}` templates available in this scope.
+ */
+interface Scope {
+  path: string;
+  label: "project" | "service";
+  projectId: string;
+  serviceId?: string;
+  serviceName?: string;
+  scope: ResourceScope;
+}
 
-  secret
-    .command("list")
-    .description("List project secrets")
-    .option("--show", "Reveal secret values")
-    .action(async (opts) => {
-      const projectId = resolveProjectId(program.opts().project);
-      const secrets = await api.get<Secret[]>(
-        `/api/projects/${projectId}/secrets`,
+async function resolveScope(
+  projectFlag: string | undefined,
+  serviceFlag: string | undefined,
+  global: boolean,
+): Promise<Scope> {
+  const { projectId, scope: rs } = await resolveProjectScope(projectFlag);
+
+  if (global) {
+    return {
+      path: withScope(`/api/projects/${projectId}/secrets`, rs),
+      label: "project",
+      projectId,
+      scope: rs,
+    };
+  }
+
+  if (serviceFlag) {
+    const svc = await getActiveService(serviceFlag, projectId);
+    return {
+      path: withScope(`/api/apps/${svc.id}/secrets`, rs),
+      label: "service",
+      projectId,
+      serviceId: svc.id,
+      serviceName: svc.name,
+      scope: rs,
+    };
+  }
+
+  const link = getProjectLink();
+  if (!link?.serviceId) {
+    throw new Error(
+      "No service linked. Pass --service <name>, run `lizard service link <name>`, or use --global.",
+    );
+  }
+  return {
+    path: withScope(`/api/apps/${link.serviceId}/secrets`, rs),
+    label: "service",
+    projectId,
+    serviceId: link.serviceId,
+    serviceName: link.serviceName || link.serviceId,
+    scope: rs,
+  };
+}
+
+async function configApplySecrets(
+  scope: Scope,
+  secrets: Record<string, string | null>,
+): Promise<void> {
+  const payload =
+    scope.label === "project"
+      ? { secrets: { shared: secrets } }
+      : { secrets: { services: { [scope.serviceName!]: secrets } } };
+  await api.post(
+    withScope(`/api/projects/${scope.projectId}/config:apply`, scope.scope),
+    payload,
+  );
+}
+
+function parsePairs(pairs: string[]): Record<string, string> {
+  const out: Record<string, string> = {};
+  for (const pair of pairs) {
+    const eq = pair.indexOf("=");
+    if (eq < 1) {
+      throw new Error(
+        `Invalid format: "${pair}". Use KEY=value (e.g. \`lizard secrets set DATABASE_URL=postgres://...\`).`,
       );
+    }
+    out[pair.slice(0, eq)] = pair.slice(eq + 1);
+  }
+  return out;
+}
+
+export function registerSecrets(program: Command) {
+  const cmd = program
+    .command("secrets")
+    .alias("secret")
+    .description("Manage secrets (default scope: service; --global for project)")
+    .option("--global", "Target the whole project")
+    .option("--show", "Reveal values")
+    .option("--ref", "List reference templates available in this scope")
+    .addOption(new Option("--refs").hideHelp().implies({ ref: true }))
+    .option("-s, --service <name>", "Service to scope to (overrides linked)")
+    .option("-p, --project <id>", "Project to scope to")
+    .addHelpText(
+      "after",
+      `
+Notes:
+  Secrets apply live to running VMs. Keys prefixed with NEXT_PUBLIC_* or VITE_*
+  trigger a redeploy because they're baked into the client bundle at build time.`,
+    )
+    .action(async (opts) => {
+      const scope = await resolveScope(opts.project, opts.service, opts.global);
+
+      // --ref → list reference templates exposed by the platform
+      if (opts.ref) {
+        await printRefs(scope);
+        return;
+      }
+
+      const secrets = await api.get<Secret[]>(scope.path);
 
       if (isJSONMode()) {
         printJSON(
@@ -34,7 +138,9 @@ export function registerSecrets(program: Command) {
       }
 
       if (secrets.length === 0) {
-        console.log("No secrets. Use `lizard secret set KEY=value`.");
+        console.log(
+          `No ${scope.label} secrets. Use \`lizard secrets set KEY=value${opts.global ? " --global" : ""}\`.`,
+        );
         return;
       }
 
@@ -42,134 +148,205 @@ export function registerSecrets(program: Command) {
         ["Key", "Value"],
         secrets.map((s) => [
           s.key,
-          opts.show ? s.value : chalk.dim("•".repeat(Math.min(s.value.length, 20))),
+          opts.show
+            ? s.value
+            : chalk.dim("•".repeat(Math.min(s.value.length, 20))),
         ]),
       );
     });
 
-  secret
-    .command("set")
-    .argument("<pairs...>", "KEY=value pairs")
-    .description("Set one or more secrets")
-    .option("--no-redeploy", "Don't trigger redeploy")
-    .action(async (pairs: string[], opts) => {
-      const projectId = resolveProjectId(program.opts().project);
+  cmd
+    .command("list")
+    .description("List secrets")
+    .option("--global", "Target the whole project")
+    .option("--show", "Reveal values")
+    .option("--ref", "List reference templates available in this scope")
+    .addOption(new Option("--refs").hideHelp().implies({ ref: true }))
+    .option("-s, --service <name>", "Service to scope to (overrides linked)")
+    .option("-p, --project <id>", "Project to scope to")
+    .action(async (opts, sub) => {
+      const inherited = sub.parent?.opts() || {};
+      const scope = await resolveScope(
+        opts.project ?? inherited.project,
+        opts.service ?? inherited.service,
+        opts.global || inherited.global,
+      );
 
-      // Parse KEY=value pairs
-      const newSecrets: Record<string, string> = {};
-      for (const pair of pairs) {
-        const eqIdx = pair.indexOf("=");
-        if (eqIdx < 1) {
-          throw new Error(`Invalid format: "${pair}". Use KEY=value`);
-        }
-        newSecrets[pair.slice(0, eqIdx)] = pair.slice(eqIdx + 1);
+      if (opts.ref) {
+        await printRefs(scope);
+        return;
       }
 
-      // Get existing secrets, merge, update
-      const existing = await api.get<Secret[]>(
-        `/api/projects/${projectId}/secrets`,
-      );
-      const merged: Secret[] = [];
-      const existingKeys = new Set<string>();
-
-      for (const s of existing) {
-        if (newSecrets[s.key] !== undefined) {
-          merged.push({ key: s.key, value: newSecrets[s.key] });
-          existingKeys.add(s.key);
-        } else {
-          merged.push(s);
-        }
+      const secrets = await api.get<Secret[]>(scope.path);
+
+      if (isJSONMode()) {
+        printJSON(
+          opts.show
+            ? secrets
+            : secrets.map((s) => ({ key: s.key, value: "***" })),
+        );
+        return;
       }
-      // Add new keys
-      for (const [key, value] of Object.entries(newSecrets)) {
-        if (!existingKeys.has(key)) {
-          merged.push({ key, value });
-        }
+
+      if (secrets.length === 0) {
+        console.log(`No ${scope.label} secrets.`);
+        return;
       }
 
-      await api.put(`/api/projects/${projectId}/secrets`, merged);
+      table(
+        ["Key", "Value"],
+        secrets.map((s) => [
+          s.key,
+          opts.show
+            ? s.value
+            : chalk.dim("•".repeat(Math.min(s.value.length, 20))),
+        ]),
+      );
+    });
+
+  cmd
+    .command("set")
+    .argument("<pairs...>", "KEY=value pairs")
+    .description("Set one or more secrets")
+    .option("--global", "Target the whole project")
+    .option("-s, --service <name>", "Service to scope to (overrides linked)")
+    .option("-p, --project <id>", "Project to scope to")
+    .action(async (pairs: string[], opts, sub) => {
+      const inherited = sub.parent?.opts() || {};
+      const scope = await resolveScope(
+        opts.project ?? inherited.project,
+        opts.service ?? inherited.service,
+        opts.global || inherited.global,
+      );
+      const newSecrets = parsePairs(pairs);
+      await configApplySecrets(scope, newSecrets);
 
       if (isJSONMode()) {
-        printJSON({ updated: Object.keys(newSecrets) });
+        printJSON({ updated: Object.keys(newSecrets), scope: scope.label });
       } else {
-        success(
-          `${Object.keys(newSecrets).length} secret(s) updated`,
-        );
+        success(`${Object.keys(newSecrets).length} ${scope.label} secret(s) updated`);
       }
     });
 
-  secret
+  cmd
     .command("delete")
+    .alias("rm")
     .argument("<keys...>", "Secret keys to delete")
     .description("Delete one or more secrets")
-    .action(async (keys: string[]) => {
-      const projectId = resolveProjectId(program.opts().project);
-      const existing = await api.get<Secret[]>(
-        `/api/projects/${projectId}/secrets`,
+    .option("--global", "Target the whole project")
+    .option("-y, --yes", "Skip confirmation")
+    .option("-s, --service <name>", "Service to scope to (overrides linked)")
+    .option("-p, --project <id>", "Project to scope to")
+    .action(async (keys: string[], opts, sub) => {
+      const inherited = sub.parent?.opts() || {};
+      const scope = await resolveScope(
+        opts.project ?? inherited.project,
+        opts.service ?? inherited.service,
+        opts.global || inherited.global,
       );
+      const existing = await api.get<Secret[]>(scope.path);
+      const existingKeys = new Set(existing.map((s) => s.key));
+      const notFound = keys.filter((k) => !existingKeys.has(k));
+      if (notFound.length > 0) {
+        throw new Error(`Secret(s) not found: ${notFound.join(", ")}`);
+      }
 
-      const keysSet = new Set(keys);
-      const filtered = existing.filter((s) => !keysSet.has(s.key));
-
-      if (filtered.length === existing.length) {
-        throw new Error(`Secret(s) not found: ${keys.join(", ")}`);
+      if (!opts.yes) {
+        if (!isTTY()) throw new Error("Use -y to confirm in non-interactive mode");
+        const summary = keys.length === 1 ? chalk.bold(keys[0]) : `${keys.length} keys`;
+        const confirm = await p.confirm({
+          message: `Delete ${summary} from ${chalk.bold(scope.label)} scope?`,
+        });
+        if (p.isCancel(confirm) || !confirm) process.exit(5);
       }
 
-      await api.put(`/api/projects/${projectId}/secrets`, filtered);
+      const deletePayload: Record<string, null> = {};
+      keys.forEach((k) => { deletePayload[k] = null; });
+      await configApplySecrets(scope, deletePayload);
 
       if (isJSONMode()) {
-        printJSON({ deleted: keys });
+        printJSON({ deleted: keys, scope: scope.label });
       } else {
-        success(`${keys.length} secret(s) deleted`);
+        success(`${keys.length} ${scope.label} secret(s) deleted`);
       }
     });
 
-  secret
+  cmd
     .command("import")
-    .description("Import secrets from stdin (KEY=value format, one per line)")
-    .option("--no-redeploy", "Don't trigger redeploy")
-    .action(async () => {
-      const projectId = resolveProjectId(program.opts().project);
+    .description("Import secrets from stdin (KEY=value, one per line)")
+    .option("--global", "Target the whole project")
+    .option("-s, --service <name>", "Service to scope to (overrides linked)")
+    .option("-p, --project <id>", "Project to scope to")
+    .action(async (opts, sub) => {
+      const inherited = sub.parent?.opts() || {};
+      const scope = await resolveScope(
+        opts.project ?? inherited.project,
+        opts.service ?? inherited.service,
+        opts.global || inherited.global,
+      );
 
-      // Read stdin
       const chunks: Buffer[] = [];
-      for await (const chunk of process.stdin) {
-        chunks.push(chunk as Buffer);
-      }
+      for await (const chunk of process.stdin) chunks.push(chunk as Buffer);
       const input = Buffer.concat(chunks).toString("utf-8");
 
       const newSecrets: Record<string, string> = {};
       for (const line of input.split("\n")) {
         const trimmed = line.trim();
         if (!trimmed || trimmed.startsWith("#")) continue;
-        const eqIdx = trimmed.indexOf("=");
-        if (eqIdx < 1) continue;
-        newSecrets[trimmed.slice(0, eqIdx)] = trimmed.slice(eqIdx + 1);
-      }
-
-      if (Object.keys(newSecrets).length === 0) {
-        throw new Error("No valid KEY=value pairs found in input");
+        const eq = trimmed.indexOf("=");
+        if (eq < 1) continue;
+        newSecrets[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
       }
 
-      // Merge with existing
-      const existing = await api.get<Secret[]>(
-        `/api/projects/${projectId}/secrets`,
-      );
-      const existingMap = new Map(existing.map((s) => [s.key, s.value]));
-      for (const [k, v] of Object.entries(newSecrets)) {
-        existingMap.set(k, v);
+      if (!Object.keys(newSecrets).length) {
+        throw new Error("No valid KEY=value pairs in input");
       }
-      const merged = Array.from(existingMap.entries()).map(([key, value]) => ({
-        key,
-        value,
-      }));
 
-      await api.put(`/api/projects/${projectId}/secrets`, merged);
+      await configApplySecrets(scope, newSecrets);
 
       if (isJSONMode()) {
-        printJSON({ imported: Object.keys(newSecrets) });
+        printJSON({ imported: Object.keys(newSecrets), scope: scope.label });
       } else {
-        success(`${Object.keys(newSecrets).length} secret(s) imported`);
+        success(`${Object.keys(newSecrets).length} ${scope.label} secret(s) imported`);
       }
     });
 }
+
+interface VarRef {
+  template: string;
+  description?: string;
+  source?: string;
+}
+
+/**
+ * Fetch the reference manifest from the backend so users know which
+ * `${{...}}` templates are valid (e.g. `${{Postgres.DATABASE_URL}}`,
+ * `${{api.LIZARD_PUBLIC_DOMAIN}}`). Backend endpoint:
+ *   GET /api/projects/<id>/variables:refs
+ *   GET /api/apps/<id>/variables:refs       (for service-scope)
+ *
+ * Returns a flat list of templates ready to copy-paste into secret values.
+ */
+async function printRefs(scope: Scope): Promise<void> {
+  const endpoint =
+    scope.label === "service" && scope.serviceId
+      ? withScope(`/api/apps/${scope.serviceId}/variables:refs`, scope.scope)
+      : withScope(`/api/projects/${scope.projectId}/variables:refs`, scope.scope);
+
+  const refs = await api.get<VarRef[]>(endpoint);
+
+  if (isJSONMode()) {
+    printJSON(refs);
+    return;
+  }
+
+  if (!refs.length) {
+    console.log("No reference variables exposed in this scope.");
+    return;
+  }
+
+  table(
+    ["Template", "Source", "Description"],
+    refs.map((r) => [chalk.cyan(r.template), r.source || "—", r.description || ""]),
+  );
+}