npm - @mutmutco/cli - Versions diffs - 2.9.0 → 2.10.0 - Mend

@mutmutco/cli 2.9.0 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.cjs +51 -4
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -5566,9 +5566,10 @@ async function buildTrainApplyContext(deps) {
   const [owner, name] = repo.split("/");
   if (!owner || !name) throw new Error(`repo must be owner/name, got ${repo}`);
   const login = requireValue(clean(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
-  const role = clean(await deps.run("gh", ["api", `orgs/${owner}/memberships/${login}`, "--jq", ".role"]));
-  if (role !== "admin") {
-    throw new Error(`${commandAuthorityLabel(owner)} is master-admin only; @${login} is ${role || "not an org admin"}`);
+  const verdict = await deps.trainAuthority(repo);
+  if (!verdict.ok) throw new Error(`${commandAuthorityLabel(owner)}: train authority could not be verified (${verdict.error})`);
+  if (!verdict.train) {
+    throw new Error(`${commandAuthorityLabel(owner)}: @${login} is ${verdict.role} \u2014 no train authority on ${repo}`);
   }
   return {
     repo,
@@ -6391,6 +6392,25 @@ var PROJECTS_ENVELOPE_KEY = "projects";
 // src/registry-client.ts
 var DEFAULT_TIMEOUT_MS = 8e3;
+async function fetchTrainAuthority(repo, deps) {
+  if (!deps.baseUrl) return { ok: false, error: "Hub API URL not configured" };
+  const token = await deps.token();
+  if (!token) return { ok: false, error: "no GitHub token (gh auth login)" };
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/train-authority?repo=${encodeURIComponent(repo)}`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return { ok: false, error: `train-authority HTTP ${res.status}` };
+    const body = await res.json();
+    if (typeof body?.train !== "boolean" || !body.role) return { ok: false, error: "malformed train-authority response" };
+    return { ok: true, authority: body };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  }
+}
 async function fetchProjectsList(deps) {
   if (!deps.baseUrl) return null;
   const token = await deps.token();
@@ -8845,7 +8865,11 @@ for (const commandName of ["rcand", "release", "hotfix"]) {
       try {
         const result = await runTrainApply(commandName, {
           run: async (file, args) => (await execFileP3(file, args, { timeout: file === "gh" ? 3e4 : GIT_TIMEOUT_MS })).stdout,
-          runSelf: async (args) => (await execFileP3(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout
+          runSelf: async (args) => (await execFileP3(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout,
+          trainAuthority: async (repo) => {
+            const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
+            return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
+          }
         });
         const message = `mmi-cli ${commandName}: applied ${result.repo} ${result.stage} train at ${result.tag} [${result.deployModel}]; ${result.dispatch}`;
         return printLine(o.json ? JSON.stringify(result, null, 2) : message);
@@ -9011,6 +9035,29 @@ LIVE apply to ${repo}:
   }
 });
 var access = program2.command("access").description("org access audit (read-only)");
+access.command("role [repo]").description("D14 train authority for a repo (server-side Hub check): master | project-admin | developer").option("--json", "machine-readable output").action(async (repoArg) => {
+  const o = { json: rawFlag("--json") };
+  const repo = repoArg ?? await resolveRepo();
+  if (!repo) return fail("access role: pass <owner/repo> or run inside a repo checkout");
+  const cfg = await loadConfig();
+  const verdict = await fetchTrainAuthority(repo, registryClientDeps(cfg));
+  if (!verdict.ok) {
+    if (o.json) {
+      console.log(JSON.stringify({ repo, train: false, error: verdict.error }));
+      process.exitCode = 1;
+      return;
+    }
+    return fail(`access role: ${verdict.error}`);
+  }
+  const a = verdict.authority;
+  if (o.json) {
+    console.log(JSON.stringify(a));
+    if (!a.train) process.exitCode = 1;
+    return;
+  }
+  console.log(`${a.repo}: @${a.login} is ${a.role} \u2014 train ${a.train ? "AUTHORIZED" : "not authorized"}${a.hubTrainMasterOnly ? " (Hub train is master-only)" : ""}`);
+  if (!a.train) process.exitCode = 1;
+});
 access.command("audit").description("audit collaborator roles + train-branch push allowlists vs the locked state; read-only, emits gh remediation, never applies").option("--json", "machine-readable output").option("--repo <owner/repo>", "audit a single repo instead of the whole org").option("--class <class>", "repo class for --repo (deployable | content)", "deployable").action(async () => {
   const o = { json: rawFlag("--json"), repo: rawValue("--repo", ""), class: rawValue("--class", "deployable") };
   const deps = { gh: async (args) => execFileP3("gh", args, { timeout: 2e4 }) };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mutmutco/cli",
-  "version": "2.9.0",
+  "version": "2.10.0",
   "description": "MMI Future CLI — delivers the org rules (whole-file), plus saga and KB access. The cross-IDE engine the plugin's SessionStart hook drives.",
   "type": "module",
   "license": "UNLICENSED",