@p0security/cli 0.3.0

package/dist/drivers/api.js

@@ -0,0 +1,69 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchCommand = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const env_1 = require("../drivers/env");
+const path = __importStar(require("node:path"));
+const commandUrl = (tenant) => `${env_1.config.appUrl}/o/${tenant}/command/`;
+const fetchCommand = (authn, args, argv) => __awaiter(void 0, void 0, void 0, function* () {
+    const token = yield authn.userCredential.user.getIdToken();
+    const response = yield fetch(commandUrl(authn.identity.org.slug), {
+        method: "POST",
+        headers: {
+            authorization: `Bearer ${token}`,
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+            argv,
+            scriptName: path.basename(args.$0),
+        }),
+    });
+    const text = yield response.text();
+    const data = JSON.parse(text);
+    if ("error" in data) {
+        throw data.error;
+    }
+    return data;
+});
+exports.fetchCommand = fetchCommand;

package/dist/drivers/auth.d.ts

@@ -0,0 +1,11 @@
+import { Authn, Identity } from "../types/identity";
+export declare const IDENTITY_FILE_PATH: string;
+export declare const cached: <T>(name: string, loader: () => Promise<T>, options: {
+    duration: number;
+}) => Promise<T>;
+export declare const loadCredentials: (options?: {
+    noRefresh?: boolean;
+}) => Promise<Identity>;
+export declare const authenticate: (options?: {
+    noRefresh?: boolean;
+}) => Promise<Authn>;

package/dist/drivers/auth.js

@@ -0,0 +1,122 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authenticate = exports.loadCredentials = exports.cached = exports.IDENTITY_FILE_PATH = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const login_1 = require("../commands/login");
+const util_1 = require("../util");
+const firestore_1 = require("./firestore");
+const stdio_1 = require("./stdio");
+const auth_1 = require("firebase/auth");
+const fs = __importStar(require("fs/promises"));
+const path = __importStar(require("path"));
+exports.IDENTITY_FILE_PATH = path.join(util_1.P0_PATH, "identity.json");
+const cached = (name, loader, options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const cachePath = path.join(path.dirname(exports.IDENTITY_FILE_PATH), "cache");
+    // Following lines sanitize input
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
+    const loc = path.resolve(path.join(cachePath, `${name}.json`));
+    if (!loc.startsWith(cachePath)) {
+        throw new Error("Illegal path traversal");
+    }
+    const loadCache = () => __awaiter(void 0, void 0, void 0, function* () {
+        const data = yield loader();
+        if (!data)
+            throw `Could not load credentials for "${name}"`;
+        yield fs.mkdir(path.dirname(loc), { recursive: true, mode: "700" });
+        yield fs.writeFile(loc, JSON.stringify(data), { mode: "600" });
+        return data;
+    });
+    try {
+        const stat = yield fs.stat(loc);
+        if (stat.mtime.getTime() < Date.now() - options.duration) {
+            yield fs.rm(loc);
+            return yield loadCache();
+        }
+        const data = yield fs.readFile(loc);
+        return JSON.parse(data.toString("utf-8"));
+    }
+    catch (error) {
+        if ((error === null || error === void 0 ? void 0 : error.code) !== "ENOENT")
+            (0, stdio_1.print2)(`Could not load credentials "${name}" from cache: ${(_a = error.message) !== null && _a !== void 0 ? _a : error}`);
+        return yield loadCache();
+    }
+});
+exports.cached = cached;
+const loadCredentials = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const buffer = yield fs.readFile(exports.IDENTITY_FILE_PATH);
+        const identity = JSON.parse(buffer.toString());
+        if (!(options === null || options === void 0 ? void 0 : options.noRefresh) &&
+            identity.credential.expires_at < Date.now() * 1e-3) {
+            yield (0, login_1.login)({ org: identity.org.slug }, { skipAuthenticate: true });
+            (0, stdio_1.print2)("\u200B"); // Force a new line
+            return (0, exports.loadCredentials)({ noRefresh: true });
+        }
+        return identity;
+    }
+    catch (error) {
+        if ((error === null || error === void 0 ? void 0 : error.code) === "ENOENT") {
+            throw "Please run `p0 login <organization>` to use the P0 CLI.";
+        }
+        throw error;
+    }
+});
+exports.loadCredentials = loadCredentials;
+const authenticate = (options) => __awaiter(void 0, void 0, void 0, function* () {
+    const identity = yield (0, exports.loadCredentials)(options);
+    const { credential } = identity;
+    // TODO: Move to map lookup
+    const provider = new auth_1.OAuthProvider(identity.org.ssoProvider === "google"
+        ? auth_1.SignInMethod.GOOGLE
+        : identity.org.providerId);
+    const firebaseCredential = provider.credential({
+        accessToken: credential.access_token,
+        idToken: credential.id_token,
+    });
+    firestore_1.auth.tenantId = identity.org.tenantId;
+    const userCredential = yield (0, auth_1.signInWithCredential)(firestore_1.auth, firebaseCredential);
+    return { userCredential, identity };
+});
+exports.authenticate = authenticate;

package/dist/drivers/env.d.ts

@@ -0,0 +1,15 @@
+export declare const config: {
+    fs: {
+        apiKey: string;
+        authDomain: string;
+        projectId: string;
+        storageBucket: string;
+        messagingSenderId: string;
+        appId: string;
+    };
+    google: {
+        clientId: string;
+        clientSecret: string;
+    };
+    appUrl: string;
+};

package/dist/drivers/env.js

@@ -0,0 +1,38 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var _a, _b, _c, _d, _e, _f, _g, _h, _j;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.config = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const dotenv_1 = __importDefault(require("dotenv"));
+dotenv_1.default.config();
+const { env } = process;
+exports.config = {
+    fs: {
+        // Falls back to public production Firestore credentials
+        apiKey: (_a = env.P0_FS_API_KEY) !== null && _a !== void 0 ? _a : "AIzaSyCaL-Ik_l_5tdmgNUNZ4Nv6NuR4o5_PPfs",
+        authDomain: (_b = env.P0_FS_AUTH_DOMAIN) !== null && _b !== void 0 ? _b : "p0-prod.firebaseapp.com",
+        projectId: (_c = env.P0_FS_PROJECT_ID) !== null && _c !== void 0 ? _c : "p0-prod",
+        storageBucket: (_d = env.P0_FS_STORAGE_BUCKET) !== null && _d !== void 0 ? _d : "p0-prod.appspot.com",
+        messagingSenderId: (_e = env.P0_FS_MESSAGING_SENDER_ID) !== null && _e !== void 0 ? _e : "228132571547",
+        appId: (_f = env.P0_FS_APP_ID) !== null && _f !== void 0 ? _f : "1:228132571547:web:4da03aeb78add86fe6b93e",
+    },
+    google: {
+        clientId: (_g = env.P0_GOOGLE_OIDC_CLIENT_ID) !== null && _g !== void 0 ? _g : "228132571547-kilcq1er15hlbl6mitghttnacp7u58l8.apps.googleusercontent.com",
+        // Despite the name, this is not actually "secret" in any sense of the word.
+        // Instead, the client is protected by requiring PKCE and defining the redirect URIs.
+        clientSecret: (_h = env.P0_GOOGLE_OIDC_CLIENT_SECRET) !== null && _h !== void 0 ? _h : "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",
+    },
+    appUrl: (_j = env.P0_APP_URL) !== null && _j !== void 0 ? _j : "https://api.p0.app",
+};

package/dist/drivers/firestore.d.ts

@@ -0,0 +1,10 @@
+import { CollectionReference, DocumentReference } from "firebase/firestore";
+export declare const FIRESTORE: import("@firebase/firestore").Firestore;
+export declare const auth: import("@firebase/auth").Auth;
+export declare const collection: <T>(path: string, ...pathSegments: string[]) => CollectionReference<T, import("@firebase/firestore").DocumentData>;
+export declare const doc: <T>(path: string) => DocumentReference<T, import("@firebase/firestore").DocumentData>;
+/** Ensures that Firestore is shutdown at command termination
+ *
+ * This prevents Firestore from holding the command on execution completion or failure.
+ */
+export declare const guard: <P, T>(cb: (args: P) => Promise<T>) => (args: P) => Promise<void>;

package/dist/drivers/firestore.js

@@ -0,0 +1,53 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.guard = exports.doc = exports.collection = exports.auth = exports.FIRESTORE = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const env_1 = require("./env");
+const app_1 = require("firebase/app");
+const auth_1 = require("firebase/auth");
+const firestore_1 = require("firebase/firestore");
+// Your web app's Firebase configuration
+const firebaseConfig = env_1.config.fs;
+// Initialize Firebase
+const app = (0, app_1.initializeApp)(firebaseConfig);
+exports.FIRESTORE = (0, firestore_1.getFirestore)(app);
+exports.auth = (0, auth_1.getAuth)();
+const collection = (path, ...pathSegments) => {
+    return (0, firestore_1.collection)(exports.FIRESTORE, path, ...pathSegments);
+};
+exports.collection = collection;
+const doc = (path) => {
+    return (0, firestore_1.doc)(exports.FIRESTORE, path);
+};
+exports.doc = doc;
+/** Ensures that Firestore is shutdown at command termination
+ *
+ * This prevents Firestore from holding the command on execution completion or failure.
+ */
+const guard = (cb) => (args) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        yield cb(args);
+    }
+    finally {
+        void (0, firestore_1.terminate)(exports.FIRESTORE);
+    }
+});
+exports.guard = guard;

package/dist/drivers/stdio.d.ts

@@ -0,0 +1,25 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+/** Used to output machine-readable text to stdout
+ *
+ * In general this should not be used for text meant to be consumed
+ * only by humans.
+ */
+export declare function print1(message: any): void;
+/** Output human-consumable text to stderr
+ *
+ * In general this should not be used for machine-consumed text.
+ */
+export declare function print2(message: any): void;
+export declare const Ansi: {
+    readonly Reset: string;
+    readonly Dim: string;
+};

package/dist/drivers/stdio.js

@@ -0,0 +1,44 @@
+"use strict";
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Ansi = exports.print2 = exports.print1 = void 0;
+/** Functions to handle stdio
+ *
+ * These are essentially wrappers around console.foo, but allow for
+ * - Better testing
+ * - Later redirection / duplication
+ */
+const lodash_1 = require("lodash");
+/** Used to output machine-readable text to stdout
+ *
+ * In general this should not be used for text meant to be consumed
+ * only by humans.
+ */
+function print1(message) {
+    // eslint-disable-next-line no-console
+    console.log(message);
+}
+exports.print1 = print1;
+/** Output human-consumable text to stderr
+ *
+ * In general this should not be used for machine-consumed text.
+ */
+function print2(message) {
+    // eslint-disable-next-line no-console
+    console.error(message);
+}
+exports.print2 = print2;
+const AnsiCodes = {
+    Reset: "00",
+    Dim: "02",
+};
+exports.Ansi = (0, lodash_1.mapValues)(AnsiCodes, (v) => `\u001b[${v}m`);

package/dist/index.d.ts

@@ -0,0 +1 @@
+export declare const main: () => void;

package/dist/index.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.main = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const commands_1 = require("./commands");
+const lodash_1 = require("lodash");
+const main = () => {
+    // We can suppress output here, as .fail() already print1 errors
+    void commands_1.cli.parse().catch(lodash_1.noop);
+};
+exports.main = main;
+if (require.main === module) {
+    (0, exports.main)();
+}

package/dist/middlewares/version.d.ts

@@ -0,0 +1,8 @@
+import yargs from "yargs";
+/** Checks if there is a new version of the CLI
+ *
+ * If there is, prints an upgrade banner.
+ *
+ * If there is no new version, or if version lookup errors, just pass silently.
+ */
+export declare const checkVersion: (_yargs: yargs.ArgumentsCamelCase) => Promise<void>;

package/dist/middlewares/version.js

@@ -0,0 +1,77 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkVersion = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const stdio_1 = require("../drivers/stdio");
+const util_1 = require("../util");
+const promises_1 = __importDefault(require("node:fs/promises"));
+const node_path_1 = __importDefault(require("node:path"));
+const semver_1 = __importDefault(require("semver"));
+const LATEST_VERSION_FILE = "last-version-check";
+// We don't want to add any significant overhead to p0 commands with the version check,
+// so just give up if it takes too long.
+const VERSION_CHECK_TIMEOUT_MILLIS = 1e3;
+const VERSION_CHECK_INTERVAL_MILLIS = 86400e3; // 1 day
+/** Checks if there is a new version of the CLI
+ *
+ * If there is, prints an upgrade banner.
+ *
+ * If there is no new version, or if version lookup errors, just pass silently.
+ */
+const checkVersion = (_yargs) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const latestFile = node_path_1.default.join(util_1.P0_PATH, LATEST_VERSION_FILE);
+        try {
+            const stat = yield promises_1.default.stat(latestFile);
+            if (Date.now() - stat.mtime.getTime() <= VERSION_CHECK_INTERVAL_MILLIS)
+                return;
+        }
+        catch (error) {
+            if (error.code !== "ENOENT")
+                throw error;
+        }
+        // Write the version-check file first to avoid retrying errors
+        yield promises_1.default.writeFile(latestFile, "");
+        // Note that package.json is installed one level above "dist"
+        // We can't require package.json as it is outside the TypeScript root
+        const { name, version } = JSON.parse((yield promises_1.default.readFile(`${__dirname}/../../package.json`)).toString("utf-8"));
+        const npmResult = (0, util_1.exec)("npm", ["view", name, "--json"], { check: true });
+        const npmPackage = yield (0, util_1.timeout)(npmResult, VERSION_CHECK_TIMEOUT_MILLIS);
+        const { "dist-tags": { latest }, } = JSON.parse(npmPackage.stdout);
+        if (semver_1.default.lt(version, latest)) {
+            (0, stdio_1.print2)(`╔══════════════════════════════════════╗
+║ A new version of P0 CLI is available ║
+║                                      ║
+║ To install, run                      ║
+║   npm -g update ${name.padEnd(20)} ║
+╚══════════════════════════════════════╝
+`);
+        }
+    }
+    catch (error) {
+        // Silently pass errors
+        // TODO: log to ~/.p0
+    }
+});
+exports.checkVersion = checkVersion;

package/dist/plugins/__mocks__/login.d.ts

@@ -0,0 +1,14 @@
+/// <reference types="jest" />
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const pluginLoginMap: {
+    google: jest.Mock<any, any, any>;
+};

package/dist/plugins/__mocks__/login.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pluginLoginMap = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.pluginLoginMap = {
+    google: jest.fn().mockResolvedValue({
+        access_token: "test-access-token",
+        id_token: "test-id-token",
+        token_type: "oidc",
+        scope: "oidc",
+        expires_in: 3600,
+        refresh_token: "test-refresh-token",
+        device_secret: "test-device-secret",
+    }),
+};

package/dist/plugins/aws/__mocks__/assumeRole.d.ts

@@ -0,0 +1,12 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { AwsCredentials } from "../types";
+export declare const assumeRoleWithSaml: () => Promise<AwsCredentials>;

package/dist/plugins/aws/__mocks__/assumeRole.js

@@ -0,0 +1,20 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assumeRoleWithSaml = void 0;
+const assumeRoleWithSaml = () => __awaiter(void 0, void 0, void 0, function* () {
+    return ({
+        AWS_ACCESS_KEY_ID: "test-access-key-id",
+        AWS_SECRET_ACCESS_KEY: "test-secret-access-key",
+        AWS_SESSION_TOKEN: "test-session-token",
+    });
+});
+exports.assumeRoleWithSaml = assumeRoleWithSaml;

package/dist/plugins/aws/api.d.ts

@@ -0,0 +1,12 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+export declare const AWS_API_VERSION = "2011-06-15";
+export declare const arnPrefix: (account: string) => string;

package/dist/plugins/aws/api.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.arnPrefix = exports.AWS_API_VERSION = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+exports.AWS_API_VERSION = "2011-06-15";
+const arnPrefix = (account) => `arn:aws:iam::${account}`;
+exports.arnPrefix = arnPrefix;

package/dist/plugins/aws/assumeRole.d.ts

@@ -0,0 +1,14 @@
+import { AwsCredentials } from "./types";
+/** Assumes an AWS role via SAML login */
+export declare const assumeRoleWithSaml: (args: {
+    /** An AWS account identifier */
+    account: string;
+    /** The account-specific role name requested */
+    role: string;
+    saml: {
+        /** The SAML Identity Provider name in AWS IAM */
+        providerName: string;
+        /** A base64-encoded SAML response document */
+        response: string;
+    };
+}) => Promise<AwsCredentials>;