@ouro.bot/cli 0.1.0-alpha.398 → 0.1.0-alpha.399
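--- a/package/changelog.json
+++ b/package/changelog.json
@@ -1,6 +1,16 @@
 {
 "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
 "versions": [
+{
+"version": "0.1.0-alpha.399",
+"changes": [
+"Bitwarden-backed credential writes now pipe provider vault item payloads to `bw create item` and `bw edit item` over stdin instead of putting encoded credential JSON in process arguments.",
+"Bitwarden CLI failures are now sanitized before they reach CLI output, so `Command failed: bw ...` argv, encoded payloads, raw provider tokens, and vault item passwords are not printed.",
+"Bitwarden master-password prompts during credential writes now surface as a short locked/expired local session message instead of dumping the failed command invocation.",
+"The nerves redaction audit now looks for credential-shaped text instead of failing on ordinary file paths or branch names that contain words like `secret`, `password`, or `api-key`.",
+"`@ouro.bot/cli` and the `ouro.bot` wrapper are version-synced for the Bitwarden secret redaction release."
+]
+},
 {
 "version": "0.1.0-alpha.398",
 "changes": [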
|
|
@@ -12,11 +12,11 @@ exports.REQUIRED_ENVELOPE_FIELDS = [
|
|
|
12
12
|
"meta",
|
|
13
13
|
];
|
|
14
14
|
exports.SENSITIVE_PATTERNS = [
|
|
15
|
-
/\btoken\s*[:=]/i,
|
|
16
|
-
/\bapi[_-]?key\b/i,
|
|
17
|
-
/\bpassword\b/i,
|
|
18
|
-
/\bsecret\b/i,
|
|
19
|
-
/\bauthorization\b/i,
|
|
15
|
+
/\btoken\b["']?\s*[:=]/i,
|
|
16
|
+
/\bapi[_-]?key\b["']?\s*[:=]/i,
|
|
17
|
+
/\bpassword\b["']?\s*[:=]/i,
|
|
18
|
+
/\bsecret\b["']?\s*[:=]/i,
|
|
19
|
+
/\bauthorization\b["']?\s*[:=]/i,
|
|
20
20
|
];
|
|
21
21
|
function eventKey(component, event) {
|
|
22
22
|
return `${component}:${event}`;
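Review bot: With every entry in `SENSITIVE_PATTERNS` now requiring `[:=]` after the keyword, credential text in argv form such as `--password <value>` or `--api-key <value>` no longer matches, although the old `/\bpassword\b/` and `/\bapi[_-]?key\b/` did flag it. How the audit consumes this list is not visible in the hunk, but if it scans logged command lines, an extra entry such as `/--(?:password|secret|token|api[_-]?key)\s+\S/i` would keep that shape covered without bringing back the path and branch-name false positives. A short comment above the array, e.g. `// Key/value shapes only (key: v, key=v, "key": v); bare words in paths are intentionally ignored`, would also record why the bare-word matches were dropped.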
|
|
@@ -49,24 +49,44 @@ const bw_installer_1 = require("./bw-installer");
|
|
|
49
49
|
// ---------------------------------------------------------------------------
|
|
50
50
|
// bw CLI wrapper
|
|
51
51
|
// ---------------------------------------------------------------------------
|
|
52
|
-
function
|
|
52
|
+
function sanitizeBwErrorDetail(message) {
|
|
53
|
+
if (/master password/i.test(message)) {
|
|
54
|
+
return "bw CLI requested a master password; the local Bitwarden session is locked or expired";
|
|
55
|
+
}
|
|
56
|
+
const withoutCommandLine = message
|
|
57
|
+
.split(/\r?\n/)
|
|
58
|
+
.filter((line) => !line.trim().startsWith("Command failed:"))
|
|
59
|
+
.join("\n")
|
|
60
|
+
.trim();
|
|
61
|
+
return (withoutCommandLine || "command failed")
|
|
62
|
+
.replace(/[A-Za-z0-9+/=]{80,}/g, "[redacted]")
|
|
63
|
+
.slice(0, 500);
|
|
64
|
+
}
|
|
65
|
+
function formatBwCliError(err, stderr = "") {
|
|
66
|
+
const detail = sanitizeBwErrorDetail(stderr.trim() || err.message);
|
|
67
|
+
return new Error(`bw CLI error: ${detail}`);
|
|
68
|
+
}
|
|
69
|
+
function execBw(args, sessionToken, appDataDir, stdin) {
|
|
53
70
|
const env = {
|
|
54
71
|
...process.env,
|
|
55
72
|
...(sessionToken ? { BW_SESSION: sessionToken } : {}),
|
|
56
73
|
...(appDataDir ? { BITWARDENCLI_APPDATA_DIR: appDataDir } : {}),
|
|
57
74
|
};
|
|
58
75
|
return new Promise((resolve, reject) => {
|
|
59
|
-
(0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout) => {
|
|
76
|
+
const child = (0, node_child_process_1.execFile)("bw", args, { timeout: 30_000, env }, (err, stdout, stderr) => {
|
|
60
77
|
if (err) {
|
|
61
78
|
if (isBwNotInstalled(err)) {
|
|
62
79
|
reject(new Error("bw CLI not found. Install from https://bitwarden.com/help/cli/"));
|
|
63
80
|
return;
|
|
64
81
|
}
|
|
65
|
-
reject(
|
|
82
|
+
reject(formatBwCliError(err, stderr));
|
|
66
83
|
return;
|
|
67
84
|
}
|
|
68
85
|
resolve(stdout);
|
|
69
86
|
});
|
|
87
|
+
if (stdin !== undefined) {
|
|
88
|
+
child?.stdin?.end(stdin);
|
|
89
|
+
}
|
|
70
90
|
});
|
|
71
91
|
}
|
|
72
92
|
/** Check if the error indicates the bw CLI binary is not installed. */
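Review bot: The redaction in `sanitizeBwErrorDetail` is a shape heuristic, `/[A-Za-z0-9+/=]{80,}/g`, so anything bw writes to stderr that is shorter than 80 characters or uses base64url characters (`-`, `_`) passes through into the thrown `Error` message, up to the 500-character cap. Whether bw ever echoes such values is not visible from this hunk, but `execBw` already holds the exact `sessionToken` and `stdin` payload, so those can be redacted by exact match before the heuristic runs, as sketched below. The decoded item password is not in scope in `execBw`, so a caller that wants it covered would have to pass it in as well. Separately, `child?.stdin?.end(stdin)` attaches no `error` listener to the stdin stream, so an EPIPE from bw exiting before it reads the payload can surface as an uncaught exception instead of going through `reject`; `child.stdin?.on("error", () => {})` before the `end()` call would leave reporting to the `execFile` callback.

```javascript
function redactKnownValues(text, values) {
    // Exact-match redaction for values this wrapper handled itself,
    // independent of their length or alphabet.
    return values
        .filter((value) => typeof value === "string" && value.length > 0)
        .reduce((acc, value) => acc.split(value).join("[redacted]"), text);
}
function formatBwCliError(err, stderr = "", knownValues = []) {
    const raw = redactKnownValues(stderr.trim() || err.message, knownValues);
    return new Error(`bw CLI error: ${sanitizeBwErrorDetail(raw)}`);
}
// … unchanged: execBw env setup, execFile call and bw-not-installed branch …
            reject(formatBwCliError(err, stderr, [sessionToken, stdin]));
```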
|
|
@@ -275,10 +295,10 @@ class BitwardenCredentialStore {
|
|
|
275
295
|
};
|
|
276
296
|
const encoded = Buffer.from(JSON.stringify(item)).toString("base64");
|
|
277
297
|
if (existing) {
|
|
278
|
-
await execBw(["edit", "item", existing.id
|
|
298
|
+
await execBw(["edit", "item", existing.id], session, this.appDataDir, encoded);
|
|
279
299
|
}
|
|
280
300
|
else {
|
|
281
|
-
await execBw(["create", "item"
|
|
301
|
+
await execBw(["create", "item"], session, this.appDataDir, encoded);
|
|
282
302
|
}
|
|
283
303
|
(0, runtime_1.emitNervesEvent)({
|
|
284
304
|
event: "repertoire.bw_credential_store_end",
|