npm - @outputai/cli - Versions diffs - 0.3.3-next.33928d3.0 → 0.3.3-next.6137ea6.0 - Mend

@outputai/cli 0.3.3-next.33928d3.0 → 0.3.3-next.6137ea6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/assets/docker/docker-compose-dev.yml +1 -1
package/dist/commands/credentials/edit.js +7 -0
package/dist/commands/credentials/edit.spec.js +23 -0
package/dist/generated/framework_version.json +1 -1
package/dist/services/credentials_service.integration.test.js +60 -0
package/dist/templates/project/package.json.template +1 -1
package/package.json +4 -4

package/dist/assets/docker/docker-compose-dev.yml CHANGED Viewed

@@ -77,7 +77,7 @@ services:
         condition: service_healthy
       worker:
         condition: service_healthy
-    image: outputai/api:${OUTPUT_API_VERSION:-0.3.3-next.33928d3.0}
+    image: outputai/api:${OUTPUT_API_VERSION:-0.3.3-next.6137ea6.0}
     init: true
     networks:
       - main

package/dist/commands/credentials/edit.js CHANGED Viewed

@@ -48,6 +48,13 @@ export default class CredentialsEdit extends Command {
             const edited = fs.readFileSync(tmpFile, 'utf8');
             // Validate YAML before saving
             parseYaml(edited);
+            // AES-GCM uses a fresh nonce per encrypt, so re-encrypting unchanged
+            // plaintext produces a new ciphertext. Skip the write when nothing
+            // changed to avoid leaving the file dirty in git.
+            if (edited === plaintext) {
+                this.log('No changes detected. Credentials unchanged.');
+                return;
+            }
             writeEncrypted(environment, edited, workflow);
             this.log('Credentials saved successfully.');
         }

package/dist/commands/credentials/edit.spec.js CHANGED Viewed

@@ -1,5 +1,6 @@
 /* eslint-disable @typescript-eslint/no-explicit-any */
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'node:fs';
 import * as credentialsService from '#services/credentials_service.js';
 import CredentialsEdit from './edit.js';
 vi.mock('#services/credentials_service.js');
@@ -70,4 +71,26 @@ describe('credentials edit command', () => {
             await expect(cmd.run()).rejects.toThrow('No credentials file found');
         });
     });
+    // Regression: OUT-441 — editing without making changes must not re-encrypt
+    // the file. AES-GCM uses a fresh nonce per encrypt, so an unconditional
+    // re-write produces a new ciphertext and leaves the file dirty in git.
+    describe('no-op edit (OUT-441)', () => {
+        it('should NOT call writeEncrypted when the editor returns unchanged plaintext', async () => {
+            const original = 'anthropic:\n  api_key: sk-test\n';
+            vi.mocked(credentialsService.decryptCredentials).mockReturnValue(original);
+            vi.mocked(fs.readFileSync).mockReturnValue(original);
+            const cmd = createTestCommand();
+            await cmd.run();
+            expect(credentialsService.writeEncrypted).not.toHaveBeenCalled();
+        });
+        it('should still call writeEncrypted when the editor returns modified plaintext', async () => {
+            const original = 'anthropic:\n  api_key: sk-test\n';
+            const modified = 'anthropic:\n  api_key: sk-NEW\n';
+            vi.mocked(credentialsService.decryptCredentials).mockReturnValue(original);
+            vi.mocked(fs.readFileSync).mockReturnValue(modified);
+            const cmd = createTestCommand();
+            await cmd.run();
+            expect(credentialsService.writeEncrypted).toHaveBeenCalledWith(undefined, modified, undefined);
+        });
+    });
 });

package/dist/generated/framework_version.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-    "framework": "0.3.3-next.33928d3.0"
+    "framework": "0.3.3-next.6137ea6.0"
 }

package/dist/services/credentials_service.integration.test.js CHANGED Viewed

@@ -4,6 +4,7 @@ import path from 'node:path';
 import os from 'node:os';
 import { load as parseYaml } from 'js-yaml';
 import { encrypt, decrypt, generateKey } from '@outputai/credentials';
+import { initCredentials, decryptCredentials, writeEncrypted } from './credentials_service.js';
 describe('credentials service integration', () => {
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'output-creds-'));
     afterAll(() => {
@@ -63,4 +64,63 @@ describe('credentials service integration', () => {
             expect(parsed.openai.api_key).toBe('sk-openai-789');
         });
     });
+    // Reproduction: editing the dev credential must not touch the production
+    // credential. Reported as a partial bug report — these tests pin the
+    // cross-environment isolation invariant.
+    describe('multi-environment isolation', () => {
+        const withIsolatedProject = (body) => {
+            const originalCwd = process.cwd();
+            const projectDir = fs.mkdtempSync(path.join(os.tmpdir(), 'output-creds-multi-env-'));
+            process.chdir(projectDir);
+            try {
+                body();
+            }
+            finally {
+                process.chdir(originalCwd);
+                fs.rmSync(projectDir, { recursive: true, force: true });
+            }
+        };
+        it('editing the development credential does not modify the production credential', () => withIsolatedProject(() => {
+            const prod = initCredentials('production');
+            const dev = initCredentials('development');
+            const prodKeyBefore = fs.readFileSync(prod.keyPath);
+            const prodCredBefore = fs.readFileSync(prod.credPath);
+            const devKeyBefore = fs.readFileSync(dev.keyPath);
+            writeEncrypted('development', 'anthropic:\n  api_key: sk-DEV-EDITED\nopenai:\n  api_key: sk-DEV-EDITED-2\n');
+            // Production must be byte-for-byte identical
+            expect(fs.readFileSync(prod.keyPath).equals(prodKeyBefore)).toBe(true);
+            expect(fs.readFileSync(prod.credPath).equals(prodCredBefore)).toBe(true);
+            // Dev key must not have been regenerated
+            expect(fs.readFileSync(dev.keyPath).equals(devKeyBefore)).toBe(true);
+            // Dev credential should now contain the edited plaintext
+            expect(decryptCredentials('development')).toContain('sk-DEV-EDITED');
+            // Production credential should still be the original template (empty values)
+            const prodPlain = decryptCredentials('production');
+            const prodParsed = parseYaml(prodPlain);
+            expect(prodParsed.anthropic.api_key).toBe('');
+            expect(prodParsed.openai.api_key).toBe('');
+        }));
+        it('editing production does not bleed into development', () => withIsolatedProject(() => {
+            const prod = initCredentials('production');
+            const dev = initCredentials('development');
+            const devKeyBefore = fs.readFileSync(dev.keyPath);
+            const devCredBefore = fs.readFileSync(dev.credPath);
+            writeEncrypted('production', 'anthropic:\n  api_key: sk-PROD-EDITED\nopenai:\n  api_key: sk-PROD-EDITED-2\n');
+            expect(fs.readFileSync(dev.keyPath).equals(devKeyBefore)).toBe(true);
+            expect(fs.readFileSync(dev.credPath).equals(devCredBefore)).toBe(true);
+            expect(decryptCredentials('production')).toContain('sk-PROD-EDITED');
+            expect(decryptCredentials('development')).not.toContain('sk-PROD-EDITED');
+            // Sanity: prod and dev still resolved to different paths/keys
+            expect(prod.keyPath).not.toBe(dev.keyPath);
+            expect(prod.credPath).not.toBe(dev.credPath);
+        }));
+        it('initializing a second environment does not mutate the first', () => withIsolatedProject(() => {
+            const prod = initCredentials('production');
+            const prodKeyBytes = fs.readFileSync(prod.keyPath);
+            const prodCredBytes = fs.readFileSync(prod.credPath);
+            initCredentials('development');
+            expect(fs.readFileSync(prod.keyPath).equals(prodKeyBytes)).toBe(true);
+            expect(fs.readFileSync(prod.credPath).equals(prodCredBytes)).toBe(true);
+        }));
+    });
 });

package/dist/templates/project/package.json.template CHANGED Viewed

@@ -23,7 +23,7 @@
   "engines": {
     "node": ">=24.3.0"
   },
-  "output": {
+  "outputai": {
     "hookFiles": ["node_modules/@outputai/credentials/dist/hooks.js"]
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@outputai/cli",
-  "version": "0.3.3-next.33928d3.0",
+  "version": "0.3.3-next.6137ea6.0",
   "description": "CLI for Output.ai workflow generation",
   "type": "module",
   "main": "dist/index.js",
@@ -36,9 +36,9 @@
     "semver": "7.7.4",
     "undici": "8.1.0",
     "yaml": "^2.8.3",
-    "@outputai/credentials": "0.3.3-next.33928d3.0",
-    "@outputai/evals": "0.3.3-next.33928d3.0",
-    "@outputai/llm": "0.3.3-next.33928d3.0"
+    "@outputai/evals": "0.3.3-next.6137ea6.0",
+    "@outputai/credentials": "0.3.3-next.6137ea6.0",
+    "@outputai/llm": "0.3.3-next.6137ea6.0"
   },
   "devDependencies": {
     "@types/cli-progress": "3.11.6",