npm - @outputai/cli - Versions diffs - 0.6.1-next.65cd087.0 → 0.6.1-next.83742db.0 - Mend

@outputai/cli 0.6.1-next.65cd087.0 → 0.6.1-next.83742db.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/assets/docker/docker-compose-dev.yml +1 -1
package/dist/commands/credentials/edit.d.ts +1 -0
package/dist/commands/credentials/edit.js +14 -2
package/dist/commands/credentials/edit.spec.js +24 -2
package/dist/commands/credentials/set.d.ts +1 -0
package/dist/commands/credentials/set.js +14 -2
package/dist/commands/credentials/set.spec.js +23 -2
package/dist/generated/framework_version.json +1 -1
package/dist/services/credentials_service.d.ts +3 -0
package/dist/services/credentials_service.integration.test.js +35 -1
package/dist/services/credentials_service.js +19 -0
package/package.json +4 -4

package/dist/assets/docker/docker-compose-dev.yml CHANGED Viewed

@@ -80,7 +80,7 @@ services:
         condition: service_healthy
       worker:
         condition: service_healthy
-    image: outputai/api:${OUTPUT_API_VERSION:-0.6.1-next.65cd087.0}
+    image: outputai/api:${OUTPUT_API_VERSION:-0.6.1-next.83742db.0}
     init: true
     networks:
       - main

package/dist/commands/credentials/edit.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ export default class CredentialsEdit extends Command {
     static flags: {
         environment: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         workflow: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
+        force: import("@oclif/core/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
 }

package/dist/commands/credentials/edit.js CHANGED Viewed

@@ -4,7 +4,7 @@ import os from 'node:os';
 import path from 'node:path';
 import { spawnSync } from 'node:child_process';
 import { load as parseYaml } from 'js-yaml';
-import { decryptCredentials, writeEncrypted, credentialsExist, resolveCredentialsPath } from '#services/credentials_service.js';
+import { decryptCredentials, writeEncrypted, credentialsExist, resolveCredentialsPath, checkKeyMatchesCredentials, reEncryptKeyMismatchMessage } from '#services/credentials_service.js';
 export default class CredentialsEdit extends Command {
     static description = 'Edit encrypted credentials in your $EDITOR';
     static examples = [
@@ -20,6 +20,11 @@ export default class CredentialsEdit extends Command {
         workflow: Flags.string({
             char: 'w',
             description: 'Target a specific workflow directory'
+        }),
+        force: Flags.boolean({
+            char: 'f',
+            description: 'Edit on an empty file and re-encrypt with the current key when it cannot decrypt the existing file (discards existing values)',
+            default: false
         })
     };
     async run() {
@@ -32,9 +37,16 @@ export default class CredentialsEdit extends Command {
         if (!credentialsExist(environment, workflow)) {
             this.error(`No credentials file found at ${resolveCredentialsPath(environment, workflow)}. Run "output credentials init" first.`);
         }
+        const keyMismatch = checkKeyMatchesCredentials(environment, workflow) === 'mismatch';
+        if (keyMismatch && !flags.force) {
+            this.error(reEncryptKeyMismatchMessage(resolveCredentialsPath(environment, workflow)));
+        }
+        if (keyMismatch) {
+            this.warn(reEncryptKeyMismatchMessage(resolveCredentialsPath(environment, workflow)));
+        }
         const editorEnv = process.env.EDITOR || process.env.VISUAL || 'vi';
         const [editorCmd, ...editorArgs] = editorEnv.split(/\s+/);
-        const plaintext = decryptCredentials(environment, workflow);
+        const plaintext = keyMismatch ? '' : decryptCredentials(environment, workflow);
         const tmpFile = path.join(os.tmpdir(), `output-credentials-${Date.now()}.yml`);
         try {
             fs.writeFileSync(tmpFile, plaintext, { mode: 0o600 });

package/dist/commands/credentials/edit.spec.js CHANGED Viewed

@@ -23,6 +23,8 @@ describe('credentials edit command', () => {
     beforeEach(() => {
         vi.clearAllMocks();
         vi.mocked(credentialsService.credentialsExist).mockReturnValue(true);
+        vi.mocked(credentialsService.checkKeyMatchesCredentials).mockReturnValue('match');
+        vi.mocked(credentialsService.reEncryptKeyMismatchMessage).mockReturnValue('KEY_MISMATCH_WARNING');
         vi.mocked(credentialsService.decryptCredentials).mockReturnValue('anthropic:\n  api_key: sk-test\n');
     });
     afterEach(() => {
@@ -31,13 +33,14 @@ describe('credentials edit command', () => {
     const createTestCommand = (flags = {}) => {
         const cmd = new CredentialsEdit([], {});
         cmd.log = vi.fn();
+        cmd.warn = vi.fn();
         cmd.error = vi.fn((msg) => {
             throw new Error(msg);
         });
         Object.defineProperty(cmd, 'parse', {
             value: vi.fn().mockResolvedValue({
                 args: {},
-                flags: { environment: undefined, workflow: undefined, ...flags }
+                flags: { environment: undefined, workflow: undefined, force: false, ...flags }
             }),
             configurable: true
         });
@@ -47,9 +50,10 @@ describe('credentials edit command', () => {
         it('should have correct description', () => {
             expect(CredentialsEdit.description).toContain('Edit');
         });
-        it('should have environment and workflow flags', () => {
+        it('should have environment, workflow, and force flags', () => {
             expect(CredentialsEdit.flags.environment).toBeDefined();
             expect(CredentialsEdit.flags.workflow).toBeDefined();
+            expect(CredentialsEdit.flags.force).toBeDefined();
         });
     });
     describe('command execution', () => {
@@ -71,6 +75,24 @@ describe('credentials edit command', () => {
             await expect(cmd.run()).rejects.toThrow('No credentials file found');
         });
     });
+    describe('key mismatch handling', () => {
+        it('should error and not decrypt when the key cannot decrypt and --force is absent', async () => {
+            vi.mocked(credentialsService.checkKeyMatchesCredentials).mockReturnValue('mismatch');
+            const cmd = createTestCommand();
+            await expect(cmd.run()).rejects.toThrow('KEY_MISMATCH_WARNING');
+            expect(credentialsService.decryptCredentials).not.toHaveBeenCalled();
+            expect(credentialsService.writeEncrypted).not.toHaveBeenCalled();
+        });
+        it('should warn, edit from empty, and re-encrypt when --force is passed', async () => {
+            vi.mocked(credentialsService.checkKeyMatchesCredentials).mockReturnValue('mismatch');
+            vi.mocked(fs.readFileSync).mockReturnValue('edited: content\n');
+            const cmd = createTestCommand({ force: true });
+            await cmd.run();
+            expect(cmd.warn).toHaveBeenCalledWith('KEY_MISMATCH_WARNING');
+            expect(credentialsService.decryptCredentials).not.toHaveBeenCalled();
+            expect(credentialsService.writeEncrypted).toHaveBeenCalledWith(undefined, 'edited: content\n', undefined);
+        });
+    });
     // Regression: OUT-441 — editing without making changes must not re-encrypt
     // the file. AES-GCM uses a fresh nonce per encrypt, so an unconditional
     // re-write produces a new ciphertext and leaves the file dirty in git.

package/dist/commands/credentials/set.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ export default class CredentialsSet extends Command {
         environment: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         workflow: import("@oclif/core/interfaces").OptionFlag<string | undefined, import("@oclif/core/interfaces").CustomOptions>;
         yes: import("@oclif/core/interfaces").BooleanFlag<boolean>;
+        force: import("@oclif/core/interfaces").BooleanFlag<boolean>;
     };
     private confirmOverwrite;
     run(): Promise<void>;

package/dist/commands/credentials/set.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { Args, Command, Flags } from '@oclif/core';
 import { confirm } from '@inquirer/prompts';
 import { load as parseYaml, dump as stringifyYaml } from 'js-yaml';
 import { getErrorMessage } from '#utils/error_utils.js';
-import { decryptCredentials, credentialsExist, writeEncrypted, resolveCredentialsPath } from '#services/credentials_service.js';
+import { decryptCredentials, credentialsExist, writeEncrypted, resolveCredentialsPath, checkKeyMatchesCredentials, reEncryptKeyMismatchMessage } from '#services/credentials_service.js';
 const isPlainObject = (value) => typeof value === 'object' && value !== null && !Array.isArray(value);
 const detectPathConflict = (obj, dotPath) => {
     const parts = dotPath.split('.');
@@ -77,6 +77,11 @@ export default class CredentialsSet extends Command {
             char: 'y',
             description: 'Skip confirmation prompts when overwriting a value of a different shape',
             default: false
+        }),
+        force: Flags.boolean({
+            char: 'f',
+            description: 'Re-encrypt with the current key even if it cannot decrypt the existing file (discards existing values)',
+            default: false
         })
     };
     async confirmOverwrite(conflict, newPath) {
@@ -100,8 +105,15 @@ export default class CredentialsSet extends Command {
         if (!credentialsExist(environment, workflow)) {
             this.error(`No credentials file found at ${resolveCredentialsPath(environment, workflow)}. Run "output credentials init" first.`);
         }
+        const keyMismatch = checkKeyMatchesCredentials(environment, workflow) === 'mismatch';
+        if (keyMismatch && !flags.force) {
+            this.error(reEncryptKeyMismatchMessage(resolveCredentialsPath(environment, workflow)));
+        }
         try {
-            const plaintext = decryptCredentials(environment, workflow);
+            if (keyMismatch) {
+                this.warn(reEncryptKeyMismatchMessage(resolveCredentialsPath(environment, workflow)));
+            }
+            const plaintext = keyMismatch ? '' : decryptCredentials(environment, workflow);
             const data = (parseYaml(plaintext) || {});
             const conflict = detectPathConflict(data, args.path);
             if (conflict && !flags.yes) {

package/dist/commands/credentials/set.spec.js CHANGED Viewed

@@ -26,6 +26,8 @@ describe('credentials set command', () => {
     beforeEach(() => {
         vi.clearAllMocks();
         vi.mocked(credentialsService.credentialsExist).mockReturnValue(true);
+        vi.mocked(credentialsService.checkKeyMatchesCredentials).mockReturnValue('match');
+        vi.mocked(credentialsService.reEncryptKeyMismatchMessage).mockReturnValue('KEY_MISMATCH_WARNING');
         vi.mocked(credentialsService.decryptCredentials).mockReturnValue('anthropic:\n  api_key: sk-existing\n');
         vi.mocked(credentialsService.writeEncrypted).mockImplementation(() => { });
         vi.mocked(confirm).mockResolvedValue(true);
@@ -43,7 +45,7 @@ describe('credentials set command', () => {
         Object.defineProperty(cmd, 'parse', {
             value: vi.fn().mockResolvedValue({
                 args: { path: 'anthropic.api_key', value: 'sk-new-key', ...parsedArgs },
-                flags: { environment: undefined, workflow: undefined, yes: false, ...flags }
+                flags: { environment: undefined, workflow: undefined, yes: false, force: false, ...flags }
             }),
             configurable: true
         });
@@ -59,10 +61,11 @@ describe('credentials set command', () => {
             expect(CredentialsSet.args.value).toBeDefined();
             expect(CredentialsSet.args.value.required).toBe(true);
         });
-        it('should have environment, workflow, and yes flags', () => {
+        it('should have environment, workflow, yes, and force flags', () => {
             expect(CredentialsSet.flags.environment).toBeDefined();
             expect(CredentialsSet.flags.workflow).toBeDefined();
             expect(CredentialsSet.flags.yes).toBeDefined();
+            expect(CredentialsSet.flags.force).toBeDefined();
         });
     });
     describe('command execution', () => {
@@ -121,6 +124,24 @@ describe('credentials set command', () => {
             await expect(cmd.run()).rejects.toThrow('Failed to update credentials: Permission denied');
         });
     });
+    describe('key mismatch handling', () => {
+        it('should error and not write when the key cannot decrypt and --force is absent', async () => {
+            vi.mocked(credentialsService.checkKeyMatchesCredentials).mockReturnValue('mismatch');
+            const cmd = createTestCommand();
+            await expect(cmd.run()).rejects.toThrow('KEY_MISMATCH_WARNING');
+            expect(credentialsService.decryptCredentials).not.toHaveBeenCalled();
+            expect(credentialsService.writeEncrypted).not.toHaveBeenCalled();
+        });
+        it('should warn, skip decryption, and re-encrypt from empty when --force is passed', async () => {
+            vi.mocked(credentialsService.checkKeyMatchesCredentials).mockReturnValue('mismatch');
+            const cmd = createTestCommand({}, { force: true });
+            await cmd.run();
+            expect(cmd.warn).toHaveBeenCalledWith('KEY_MISMATCH_WARNING');
+            expect(credentialsService.decryptCredentials).not.toHaveBeenCalled();
+            expect(credentialsService.writeEncrypted).toHaveBeenCalledTimes(1);
+            expect(cmd.log).toHaveBeenCalledWith('Set anthropic.api_key');
+        });
+    });
     describe('shape-change confirmation', () => {
         it('should prompt before converting a primitive value into an object', async () => {
             vi.mocked(credentialsService.decryptCredentials).mockReturnValue('__PRIMITIVE_AT_X_Y__');

package/dist/generated/framework_version.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-    "framework": "0.6.1-next.65cd087.0"
+    "framework": "0.6.1-next.83742db.0"
 }

package/dist/services/credentials_service.d.ts CHANGED Viewed

@@ -4,6 +4,9 @@ export declare const resolveCredentialsPath: (environment: CredentialsEnvironmen
 export declare const resolveKeyPath: (environment: CredentialsEnvironment, workflow?: WorkflowTarget) => string;
 export declare const resolveKey: (environment: CredentialsEnvironment, workflow?: WorkflowTarget) => string;
 export declare const credentialsExist: (environment: CredentialsEnvironment, workflow?: WorkflowTarget) => boolean;
+export type KeyMatch = 'no_file' | 'match' | 'mismatch';
+export declare const checkKeyMatchesCredentials: (environment: CredentialsEnvironment, workflow?: WorkflowTarget) => KeyMatch;
+export declare const reEncryptKeyMismatchMessage: (credPath: string) => string;
 export declare const decryptCredentials: (environment: CredentialsEnvironment, workflow?: WorkflowTarget) => string;
 export declare const writeEncrypted: (environment: CredentialsEnvironment, plaintext: string, workflow?: WorkflowTarget) => void;
 export declare const initCredentials: (environment: CredentialsEnvironment, workflow?: WorkflowTarget) => {

package/dist/services/credentials_service.integration.test.js CHANGED Viewed

@@ -4,7 +4,7 @@ import path from 'node:path';
 import os from 'node:os';
 import { load as parseYaml } from 'js-yaml';
 import { encrypt, decrypt, generateKey } from '@outputai/credentials';
-import { initCredentials, decryptCredentials, writeEncrypted } from './credentials_service.js';
+import { initCredentials, decryptCredentials, writeEncrypted, checkKeyMatchesCredentials } from './credentials_service.js';
 describe('credentials service integration', () => {
     const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'output-creds-'));
     afterAll(() => {
@@ -123,4 +123,38 @@ describe('credentials service integration', () => {
             expect(fs.readFileSync(prod.credPath).equals(prodCredBytes)).toBe(true);
         }));
     });
+    describe('checkKeyMatchesCredentials', () => {
+        const withIsolatedProject = (body) => {
+            const originalCwd = process.cwd();
+            const originalKey = process.env.OUTPUT_CREDENTIALS_KEY;
+            delete process.env.OUTPUT_CREDENTIALS_KEY;
+            const projectDir = fs.mkdtempSync(path.join(os.tmpdir(), 'output-creds-keymatch-'));
+            process.chdir(projectDir);
+            try {
+                body();
+            }
+            finally {
+                process.chdir(originalCwd);
+                if (originalKey === undefined) {
+                    delete process.env.OUTPUT_CREDENTIALS_KEY;
+                }
+                else {
+                    process.env.OUTPUT_CREDENTIALS_KEY = originalKey;
+                }
+                fs.rmSync(projectDir, { recursive: true, force: true });
+            }
+        };
+        it('returns "no_file" when no credentials file exists', () => withIsolatedProject(() => {
+            expect(checkKeyMatchesCredentials(undefined)).toBe('no_file');
+        }));
+        it('returns "match" when the current key decrypts the file', () => withIsolatedProject(() => {
+            initCredentials(undefined);
+            expect(checkKeyMatchesCredentials(undefined)).toBe('match');
+        }));
+        it('returns "mismatch" when the key cannot decrypt the file', () => withIsolatedProject(() => {
+            const { keyPath } = initCredentials(undefined);
+            fs.writeFileSync(keyPath, generateKey(), { mode: 0o600 });
+            expect(checkKeyMatchesCredentials(undefined)).toBe('mismatch');
+        }));
+    });
 });

package/dist/services/credentials_service.js CHANGED Viewed

@@ -33,6 +33,25 @@ export const resolveKey = (environment, workflow) => {
     throw new Error(`No key found. Set ${envVar} env var or create ${keyPath}.`);
 };
 export const credentialsExist = (environment, workflow) => fs.existsSync(resolveCredentialsPath(environment, workflow));
+export const checkKeyMatchesCredentials = (environment, workflow) => {
+    const credPath = resolveCredentialsPath(environment, workflow);
+    if (!fs.existsSync(credPath)) {
+        return 'no_file';
+    }
+    try {
+        const key = resolveKey(environment, workflow);
+        const ciphertext = fs.readFileSync(credPath, 'utf8').trim();
+        decrypt(ciphertext, key);
+        return 'match';
+    }
+    catch {
+        return 'mismatch';
+    }
+};
+export const reEncryptKeyMismatchMessage = (credPath) => `The current credentials key cannot decrypt ${credPath}. ` +
+    'Continuing will re-encrypt the file with a different key — the wrong key ' +
+    '(OUTPUT_CREDENTIALS_KEY env var or key file) may be in use, and the existing values will be discarded. ' +
+    'Re-run with --force to proceed anyway.';
 export const decryptCredentials = (environment, workflow) => {
     const key = resolveKey(environment, workflow);
     const credPath = resolveCredentialsPath(environment, workflow);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@outputai/cli",
-  "version": "0.6.1-next.65cd087.0",
+  "version": "0.6.1-next.83742db.0",
   "description": "CLI for Output.ai workflow generation",
   "type": "module",
   "main": "dist/index.js",
@@ -36,9 +36,9 @@
     "semver": "7.7.4",
     "undici": "8.1.0",
     "yaml": "^2.8.3",
-    "@outputai/evals": "0.6.1-next.65cd087.0",
-    "@outputai/credentials": "0.6.1-next.65cd087.0",
-    "@outputai/llm": "0.6.1-next.65cd087.0"
+    "@outputai/credentials": "0.6.1-next.83742db.0",
+    "@outputai/evals": "0.6.1-next.83742db.0",
+    "@outputai/llm": "0.6.1-next.83742db.0"
   },
   "devDependencies": {
     "@types/cli-progress": "3.11.6",