@openparachute/vault 0.3.3 → 0.4.3

package/src/oauth.test.ts

@@ -280,6 +280,28 @@ describe("OAuth authorization", () => {
     expect(location.searchParams.get("state")).toBe("mystate");
   });
 
+  test("POST authorize without scope is rejected (no silent default to 'full', #197)", async () => {
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeChallenge } = generatePkce();
+    const req = makeRequest("https://vault.test/oauth/authorize", {
+      method: "POST",
+      body: new URLSearchParams({
+        action: "authorize",
+        client_id: clientId,
+        redirect_uri: "https://example.com/callback",
+        code_challenge: codeChallenge,
+        code_challenge_method: "S256",
+        // No scope field — pre-#197 this silently consented to "full".
+        owner_token: ownerToken,
+      }),
+    });
+    const res = await handleAuthorizePost(req, db);
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error?: string };
+    expect(body.error).toBe("invalid_request");
+  });
+
   test("POST authorize (deny) redirects with error", async () => {
     const clientId = await registerClient();
     const { codeChallenge } = generatePkce();
@@ -1809,3 +1831,326 @@ describe("OAuth Phase 0: PARACHUTE_HUB_ORIGIN", () => {
     });
   });
 });
+
+// ---------------------------------------------------------------------------
+// Per-vault rate limiter + memory cap (#93)
+// ---------------------------------------------------------------------------
+
+describe("OAuth consent — per-vault rate limiting (#93)", () => {
+  test("getAuthorizeRateLimiter returns the same instance for the same vault name", async () => {
+    const { getAuthorizeRateLimiter, resetVaultAuthorizeRateLimiters } =
+      await import("./owner-auth.ts");
+    resetVaultAuthorizeRateLimiters();
+    const a1 = getAuthorizeRateLimiter("alpha");
+    const a2 = getAuthorizeRateLimiter("alpha");
+    expect(a1).toBe(a2);
+  });
+
+  test("getAuthorizeRateLimiter returns distinct instances per vault", async () => {
+    const { getAuthorizeRateLimiter, resetVaultAuthorizeRateLimiters } =
+      await import("./owner-auth.ts");
+    resetVaultAuthorizeRateLimiters();
+    const work = getAuthorizeRateLimiter("work");
+    const personal = getAuthorizeRateLimiter("personal");
+    expect(work).not.toBe(personal);
+  });
+
+  test("a lockout on one vault's limiter does not lock the same IP on another vault's limiter", async () => {
+    const { getAuthorizeRateLimiter, resetVaultAuthorizeRateLimiters } =
+      await import("./owner-auth.ts");
+    resetVaultAuthorizeRateLimiters();
+    const ip = "192.0.2.55";
+    const work = getAuthorizeRateLimiter("work");
+    // Pump enough failures on `work` to trip the default 10-failure threshold.
+    for (let i = 0; i < 10; i++) work.recordFailure(ip);
+    expect(work.check(ip).allowed).toBe(false);
+    // The unrelated vault's limiter should still allow this IP.
+    const personal = getAuthorizeRateLimiter("personal");
+    expect(personal.check(ip).allowed).toBe(true);
+  });
+
+  test("entry count is hard-capped — oldest IP is evicted FIFO when full", async () => {
+    const { RateLimiter } = await import("./owner-auth.ts");
+    // Tiny cap (3) so we don't have to hammer the limiter to prove eviction.
+    const limiter = new RateLimiter(10, 60_000, 60_000, 3);
+    limiter.recordFailure("10.0.0.1");
+    limiter.recordFailure("10.0.0.2");
+    limiter.recordFailure("10.0.0.3");
+    expect(limiter.size()).toBe(3);
+    // Adding a 4th IP must evict the oldest (10.0.0.1) to stay at the cap.
+    limiter.recordFailure("10.0.0.4");
+    expect(limiter.size()).toBe(3);
+    // The evicted IP is treated as untracked → fresh check is allowed.
+    expect(limiter.check("10.0.0.1").allowed).toBe(true);
+    // Newer entries remain locked into their failure state.
+    expect(limiter.check("10.0.0.4").allowed).toBe(true); // still under threshold
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Server-bound scope at /authorize, subset enforcement at /token (#94)
+// ---------------------------------------------------------------------------
+
+describe("OAuth scope binding (#94, RFC 6749 §3.3 / §6)", () => {
+  test("/authorize floors selected scope to requested — form cannot smuggle a broader scope", async () => {
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "read",            // requested = read
+          selected_scope: "full",   // smuggled broader value
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    expect(authRes.status).toBe(302);
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    // The bound scope on the issued auth code must be the narrower of the two.
+    const row = db
+      .prepare("SELECT scope FROM oauth_codes WHERE code = ?")
+      .get(code) as { scope: string };
+    expect(row.scope).toBe("read");
+  });
+
+  test("/token rejects requested scope broader than bound (read → full)", async () => {
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "read",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    const tokenRes = await handleToken(
+      makeRequest("https://vault.test/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          scope: "full", // attempt to broaden
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    expect(tokenRes.status).toBe(400);
+    const body = (await tokenRes.json()) as { error?: string };
+    expect(body.error).toBe("invalid_scope");
+  });
+
+  test("/token accepts a narrower requested scope (full → read) and reflects it on the token", async () => {
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    const tokenRes = await handleToken(
+      makeRequest("https://vault.test/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          scope: "read", // narrower than bound
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    expect(tokenRes.status).toBe(200);
+    const body = (await tokenRes.json()) as { scope?: string };
+    expect(body.scope).toBe("vault:read");
+  });
+
+  test("/token treats whitespace-only scope as absent and falls through to bound scope (#196)", async () => {
+    // Guard at oauth.ts checks `scope !== null && scope.trim().length > 0`.
+    // A client sending `scope=   ` is the same as omitting `scope` — we
+    // must not run subset enforcement against the whitespace string and
+    // reject it as invalid.
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "read",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    const tokenRes = await handleToken(
+      makeRequest("https://vault.test/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          scope: "   ", // whitespace only — should fall through to bound
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    expect(tokenRes.status).toBe(200);
+    const body = (await tokenRes.json()) as { scope?: string };
+    expect(body.scope).toBe("vault:read");
+  });
+
+  test("/token rejects unknown scope strings even when the bound scope is broad", async () => {
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "full",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    const tokenRes = await handleToken(
+      makeRequest("https://vault.test/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          scope: "vault:admin", // not in the consent vocabulary
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    expect(tokenRes.status).toBe(400);
+    const body = (await tokenRes.json()) as { error?: string };
+    expect(body.error).toBe("invalid_scope");
+  });
+
+  test("/token uses the bound scope when no scope param is sent (regression)", async () => {
+    const ownerToken = createOwnerToken();
+    const clientId = await registerClient();
+    const { codeVerifier, codeChallenge } = generatePkce();
+    const redirectUri = "https://example.com/callback";
+
+    const authRes = await handleAuthorizePost(
+      makeRequest("https://vault.test/oauth/authorize", {
+        method: "POST",
+        body: new URLSearchParams({
+          action: "authorize",
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          code_challenge: codeChallenge,
+          code_challenge_method: "S256",
+          scope: "read",
+          owner_token: ownerToken,
+        }),
+      }),
+      db,
+      { vaultName: "default" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code")!;
+
+    const tokenRes = await handleToken(
+      makeRequest("https://vault.test/oauth/token", {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "authorization_code",
+          code,
+          code_verifier: codeVerifier,
+          client_id: clientId,
+          redirect_uri: redirectUri,
+          // no scope param
+        }).toString(),
+      }),
+      db,
+      "default",
+    );
+    expect(tokenRes.status).toBe(200);
+    const body = (await tokenRes.json()) as { scope?: string };
+    expect(body.scope).toBe("vault:read");
+  });
+});

package/src/oauth.ts

@@ -46,6 +46,37 @@ export interface AuthorizePostOptions {
 // Helpers
 // ---------------------------------------------------------------------------
 
+/**
+ * Today the consent page binds one of two scope strings — "read" or "full" —
+ * with `read ⊂ full`. `narrowerScope` picks the more-restrictive of two
+ * inputs (used to floor `selected` by `requested` at /oauth/authorize),
+ * `isScopeSubset` checks an inbound /oauth/token scope against the bound
+ * scope. Both default to "full" only if **both** inputs allow "full",
+ * otherwise narrow to "read". When the consent vocabulary expands beyond
+ * read/full, both helpers should switch to vault:read|write|admin and the
+ * inheritance rules in scopes.ts (`hasScope`).
+ */
+function normalizeConsentScope(s: string | null | undefined): "read" | "full" {
+  return s === "read" ? "read" : "full";
+}
+
+function narrowerScope(a: string, b: string): "read" | "full" {
+  return normalizeConsentScope(a) === "read" || normalizeConsentScope(b) === "read"
+    ? "read"
+    : "full";
+}
+
+function isScopeSubset(requested: string, bound: string): boolean {
+  // Strict: only "read" / "full" are acceptable on the wire today. Unknown
+  // scope strings are rejected as out-of-bounds rather than silently
+  // normalized — otherwise `scope=vault:admin` would coast through when
+  // bound is "full".
+  if (requested !== "read" && requested !== "full") return false;
+  const bnd = normalizeConsentScope(bound);
+  if (bnd === "full") return requested === "read" || requested === "full";
+  return requested === "read";
+}
+
 /**
  * Public-facing base URL of the server. Honors `x-forwarded-*` headers so a
  * Cloudflare Tunnel / Tailscale Funnel / reverse-proxied deployment advertises
@@ -351,7 +382,7 @@ export async function handleAuthorizePost(
   const { vaultName, clientIp, ownerPasswordHash, totpSecret, rateLimiter = authorizeRateLimit } = opts;
   const totpEnrolled = typeof totpSecret === "string" && totpSecret.length > 0;
 
-  let form: FormData;
+  let form: Awaited<ReturnType<typeof req.formData>>;
   try {
     form = await req.formData();
   } catch {
@@ -363,13 +394,12 @@ export async function handleAuthorizePost(
   const redirectUri = form.get("redirect_uri") as string;
   const codeChallenge = form.get("code_challenge") as string;
   const codeChallengeMethod = form.get("code_challenge_method") as string || "S256";
-  // Requested scope (from hidden field, carried from GET) and selected scope
-  // (from radio button on the consent page). Default selected to requested.
-  const requestedScope = form.get("scope") as string || "full";
+  // Requested scope is carried from the GET via a hidden field on the consent
+  // page; the user's radio-button choice arrives in `selected_scope`. The
+  // required-ness check runs *after* the deny short-circuit below — a deny
+  // POST doesn't mint anything and shouldn't need scope to refuse.
+  const requestedScopeRaw = form.get("scope");
   const selectedScopeRaw = form.get("selected_scope") as string | null;
-  const selectedScope = selectedScopeRaw === "read" || selectedScopeRaw === "full"
-    ? selectedScopeRaw
-    : (requestedScope === "read" ? "read" : "full");
   const state = form.get("state") as string || "";
 
   if (!clientId || !redirectUri || !codeChallenge) {
@@ -404,6 +434,20 @@ export async function handleAuthorizePost(
     return Response.redirect(redirect.toString(), 302);
   }
 
+  // Past this point we're processing consent — scope must be explicitly
+  // present. Defaulting absent scope to "full" would silently cement a
+  // grant the user never confirmed (#197).
+  if (typeof requestedScopeRaw !== "string" || requestedScopeRaw.length === 0) {
+    return Response.json(
+      { error: "invalid_request", error_description: "scope is required" },
+      { status: 400 },
+    );
+  }
+  const requestedScope = requestedScopeRaw;
+  const selectedScope = selectedScopeRaw === "read" || selectedScopeRaw === "full"
+    ? selectedScopeRaw
+    : (requestedScope === "read" ? "read" : "full");
+
   // Rate-limit the owner-auth step. Applied before any credential check so
   // brute-force attempts are capped regardless of which path (password or
   // legacy token) is being used.
@@ -483,7 +527,13 @@ export async function handleAuthorizePost(
 
   if (clientIp) rateLimiter.recordSuccess(clientIp);
 
-  // Generate auth code — persist the user-selected scope (not the requested one)
+  // Generate auth code — bind the NARROWER of (requested, selected). The
+  // user can shrink the requested scope at consent time (e.g. flip "full"
+  // to "read"); they cannot broaden it. Without this floor, a malicious
+  // form could smuggle `selected_scope=full` even when /authorize?scope=read
+  // was the original ask, escalating beyond what the client requested at
+  // authorize time (#94, RFC 6749 §3.3).
+  const boundScope = narrowerScope(requestedScope, selectedScope);
   const code = crypto.randomBytes(32).toString("base64url");
   const expiresAt = new Date(Date.now() + 10 * 60 * 1000).toISOString(); // 10 minutes
 
@@ -492,7 +542,7 @@ export async function handleAuthorizePost(
   db.prepare(`
     INSERT INTO oauth_codes (code, client_id, code_challenge, code_challenge_method, scope, redirect_uri, expires_at, created_at, vault_name)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-  `).run(code, clientId, codeChallenge, codeChallengeMethod, selectedScope, redirectUri, expiresAt, new Date().toISOString(), vaultName ?? null);
+  `).run(code, clientId, codeChallenge, codeChallengeMethod, boundScope, redirectUri, expiresAt, new Date().toISOString(), vaultName ?? null);
 
   redirect.searchParams.set("code", code);
   return Response.redirect(redirect.toString(), 302);
@@ -607,14 +657,35 @@ export async function handleToken(
     return Response.json({ error: "invalid_grant", error_description: "PKCE verification failed" }, { status: 400 });
   }
 
+  // RFC 6749 §3.3 / §6: a `scope` parameter at /oauth/token, if present,
+  // must equal or be a subset of the scope bound to the auth code at
+  // /oauth/authorize. Reject expansion attempts as `invalid_scope` rather
+  // than silently honoring the bound scope (#94). Absent param → use bound.
+  const requestedTokenScopeRaw = params.get("scope");
+  let effectiveScope = authCode.scope;
+  if (requestedTokenScopeRaw !== null && requestedTokenScopeRaw.trim().length > 0) {
+    const requested = requestedTokenScopeRaw.trim();
+    if (!isScopeSubset(requested, authCode.scope)) {
+      return Response.json(
+        {
+          error: "invalid_scope",
+          error_description:
+            "Requested scope exceeds the scope bound at authorization time.",
+        },
+        { status: 400 },
+      );
+    }
+    effectiveScope = requested;
+  }
+
   // Mark code as used
   db.prepare("UPDATE oauth_codes SET used = 1 WHERE code = ?").run(code);
 
-  // Translate the consent-time selected scope into both the legacy permission
-  // column and the OAuth-standard scope list we now persist on the token row.
-  // The consent page only offers read vs full today; full becomes the
-  // admin-inheriting scope set so hub admin operations keep working.
-  const permission: TokenPermission = authCode.scope === "read" ? "read" : "full";
+  // Translate the (possibly-narrowed) effective scope into both the legacy
+  // permission column and the OAuth-standard scope list we persist on the
+  // token row. The consent page only offers read vs full today; full becomes
+  // the admin-inheriting scope set so hub admin operations keep working.
+  const permission: TokenPermission = effectiveScope === "read" ? "read" : "full";
   const scopes = legacyPermissionToScopes(permission);
   const scopeString = serializeScopes(scopes);
 

package/src/owner-auth.ts

@@ -88,6 +88,9 @@ interface RateLimitEntry {
  *   - Up to MAX_FAILURES failed attempts within WINDOW_MS → lockout
  *   - Lockout lasts LOCKOUT_MS
  *   - A successful attempt clears the IP's counter
+ *   - Hard cap on entry count — when full, the oldest insertion is evicted
+ *     before a new one is recorded. Prevents memory exhaustion via IP /
+ *     client_id enumeration (#93).
  */
 export class RateLimiter {
   private entries = new Map<string, RateLimitEntry>();
@@ -96,6 +99,7 @@ export class RateLimiter {
     private readonly maxFailures = 10,
     private readonly windowMs = 60_000,
     private readonly lockoutMs = 15 * 60_000,
+    private readonly maxEntries = 10_000,
   ) {}
 
   /**
@@ -130,6 +134,7 @@ export class RateLimiter {
     const entry = this.entries.get(ip);
 
     if (!entry || now - entry.firstFailureAt > this.windowMs) {
+      this.evictIfFull();
       this.entries.set(ip, {
         failures: 1,
         firstFailureAt: now,
@@ -153,7 +158,58 @@ export class RateLimiter {
   reset(): void {
     this.entries.clear();
   }
+
+  /** Current entry count — exposed for tests + observability. */
+  size(): number {
+    return this.entries.size;
+  }
+
+  /**
+   * Evict the oldest insertion(s) until size < maxEntries. Map preserves
+   * insertion order, so `keys().next().value` is the oldest. We re-insert
+   * on window-rollover (delete + new set), so insertion order tracks
+   * recency-of-failure closely enough for FIFO eviction.
+   */
+  private evictIfFull(): void {
+    while (this.entries.size >= this.maxEntries) {
+      const oldest = this.entries.keys().next().value;
+      if (oldest === undefined) break;
+      this.entries.delete(oldest);
+    }
+  }
 }
 
-/** Singleton rate limiter for the OAuth consent endpoint. */
+/**
+ * Singleton rate limiter — kept for back-compat with callers that don't pass
+ * through per-vault routing. Fresh callers should prefer
+ * `getAuthorizeRateLimiter(vaultName)` so traffic on one vault's consent flow
+ * doesn't lock out IPs on another vault's consent flow (#93).
+ *
+ * @deprecated Use `getAuthorizeRateLimiter(vaultName)` instead. The singleton
+ * cross-pollutes per-vault consent traffic — one vault under brute-force can
+ * lock out IPs on every other vault's consent page.
+ */
 export const authorizeRateLimit = new RateLimiter();
+
+/**
+ * Per-vault rate limiter registry. The vault count is admin-bounded (vaults
+ * are created via CLI, not by clients) so this Map can grow only with operator
+ * action — no attacker-driven growth path. Each instance carries the
+ * default 10,000-entry IP cap, scoped to its vault (#93).
+ */
+const vaultAuthorizeRateLimiters = new Map<string, RateLimiter>();
+
+/** Lazily get-or-create the rate limiter for a given vault. */
+export function getAuthorizeRateLimiter(vaultName: string): RateLimiter {
+  let limiter = vaultAuthorizeRateLimiters.get(vaultName);
+  if (!limiter) {
+    limiter = new RateLimiter();
+    vaultAuthorizeRateLimiters.set(vaultName, limiter);
+  }
+  return limiter;
+}
+
+/** For tests: drop all per-vault limiters. */
+export function resetVaultAuthorizeRateLimiters(): void {
+  vaultAuthorizeRateLimiters.clear();
+}

package/src/prompt.ts

@@ -141,17 +141,18 @@ export async function askPassword(question: string): Promise<string> {
 export async function choose(question: string, options: { label: string; value: string; description?: string }[]): Promise<string> {
   console.log(question);
   for (let i = 0; i < options.length; i++) {
-    const desc = options[i].description ? ` — ${options[i].description}` : "";
-    console.log(`  ${i + 1}) ${options[i].label}${desc}`);
+    const opt = options[i]!;
+    const desc = opt.description ? ` — ${opt.description}` : "";
+    console.log(`  ${i + 1}) ${opt.label}${desc}`);
   }
   process.stdout.write(`  Choice [1]: `);
 
   for await (const line of console) {
     const answer = line.trim();
-    if (answer === "") return options[0].value;
+    if (answer === "") return options[0]!.value;
     const idx = parseInt(answer, 10) - 1;
-    if (idx >= 0 && idx < options.length) return options[idx].value;
+    if (idx >= 0 && idx < options.length) return options[idx]!.value;
     process.stdout.write(`  Please enter 1-${options.length}: `);
   }
-  return options[0].value;
+  return options[0]!.value;
 }