@phystack/cli 4.3.40-dev

package/dist/utils/docker-credentials.js

@@ -0,0 +1,720 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setupDockerCredentials = exports.verifyDockerCredentials = exports.createDockerHubRepository = void 0;
+const chalk_1 = __importDefault(require("chalk"));
+const child_process_1 = __importDefault(require("child_process"));
+const inquirer_1 = __importDefault(require("inquirer"));
+const uuid_1 = require("uuid");
+const fs_extra_1 = __importDefault(require("fs-extra"));
+const registry_credentials_1 = require("./registry-credentials");
+/**
+ * Authenticate with Docker Hub API and return a token
+ */
+const getDockerHubToken = async (username, password) => {
+    try {
+        const response = await fetch('https://hub.docker.com/v2/users/login', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ username, password }),
+        });
+        if (!response.ok) {
+            throw new Error(`Failed to authenticate with Docker Hub: ${response.statusText}`);
+        }
+        const data = await response.json();
+        if (!data.token) {
+            throw new Error('No token returned from Docker Hub authentication');
+        }
+        return data.token;
+    }
+    catch (error) {
+        throw new Error(`Docker Hub API authentication failed: ${error.message}`);
+    }
+};
+/**
+ * Delete a repository from Docker Hub
+ * @param username - The username for authentication
+ * @param password - The password for authentication
+ * @param namespace - The namespace (organization or username)
+ * @param repoName - The repository name
+ */
+const deleteDockerHubRepo = async (username, password, namespace, repoName) => {
+    try {
+        console.log(chalk_1.default.dim(`Deleting test repository ${namespace}/${repoName} from Docker Hub...`));
+        const token = await getDockerHubToken(username, password);
+        const deleteResponse = await fetch(`https://hub.docker.com/v2/repositories/${namespace}/${repoName}/`, {
+            method: 'DELETE',
+            headers: {
+                'Authorization': `Bearer ${token}`,
+            },
+        });
+        if (deleteResponse.ok || deleteResponse.status === 204) {
+            console.log(chalk_1.default.green(`✓ Test repository ${namespace}/${repoName} deleted successfully`));
+        }
+        else {
+            console.log(chalk_1.default.dim(`Note: Could not delete test repository (status ${deleteResponse.status})`));
+        }
+    }
+    catch (error) {
+        console.log(chalk_1.default.dim(`Note: Could not delete test repository: ${error.message}`));
+    }
+};
+/**
+ * Create a repository on Docker Hub if it doesn't exist
+ * @param username - The username for authentication (personal account)
+ * @param password - The password for authentication
+ * @param repoName - The repository name (without organization prefix)
+ * @param namespace - The namespace (organization or username) where the repo should be created
+ * @param isPrivate - Whether the repository should be private (default: false)
+ */
+const createDockerHubRepo = async (username, password, repoName, namespace, isPrivate = false) => {
+    console.log(chalk_1.default.dim(`Checking if repository ${namespace}/${repoName} exists on Docker Hub...`));
+    // Get authentication token using personal credentials
+    const token = await getDockerHubToken(username, password);
+    // Check if repository already exists in the namespace
+    const checkResponse = await fetch(`https://hub.docker.com/v2/repositories/${namespace}/${repoName}/`, {
+        method: 'GET',
+        headers: {
+            'Authorization': `Bearer ${token}`,
+        },
+    });
+    if (checkResponse.ok) {
+        console.log(chalk_1.default.green(`✓ Repository ${namespace}/${repoName} already exists`));
+        return;
+    }
+    // Repository doesn't exist, create it in the namespace
+    const visibility = isPrivate ? 'private' : 'public';
+    console.log(chalk_1.default.dim(`Repository does not exist. Creating ${visibility} repository ${namespace}/${repoName} on Docker Hub...`));
+    const createResponse = await fetch(`https://hub.docker.com/v2/repositories/`, {
+        method: 'POST',
+        headers: {
+            'Authorization': `JWT ${token}`,
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+            name: repoName,
+            namespace: namespace,
+            is_private: isPrivate,
+            description: 'Auto-created by phygrid-cli for container deployment',
+        }),
+    });
+    if (!createResponse.ok) {
+        const errorText = await createResponse.text();
+        // Check for specific error conditions
+        if (errorText.includes('private repositories') || errorText.includes('exceeds the limit')) {
+            console.log(chalk_1.default.red(`Failed to create repository: ${createResponse.status} ${createResponse.statusText}`));
+            console.log(chalk_1.default.red(`Error: The number of private repositories in your account exceeds the limit of your current Docker Hub subscription.`));
+            console.log(chalk_1.default.yellow(`Solutions:`));
+            console.log(chalk_1.default.yellow(`  1. Create the repository as public instead`));
+            console.log(chalk_1.default.yellow(`  2. Upgrade your Docker Hub subscription at https://hub.docker.com/billing`));
+            console.log(chalk_1.default.yellow(`  3. Delete unused private repositories`));
+            console.log(chalk_1.default.yellow(`  4. Manually create the repository at https://hub.docker.com/repository/create`));
+            throw new Error(`Docker Hub private repository limit exceeded`);
+        }
+        console.log(chalk_1.default.red(`Failed to create repository: ${createResponse.status} ${createResponse.statusText}`));
+        console.log(chalk_1.default.dim(`Response: ${errorText}`));
+        throw new Error(`Failed to create repository ${namespace}/${repoName}: ${createResponse.statusText} - ${errorText}`);
+    }
+    console.log(chalk_1.default.green(`✓ Repository ${namespace}/${repoName} created successfully on Docker Hub as ${visibility}`));
+};
+/**
+ * Create a Docker Hub repository for the given image if it doesn't exist
+ * This is a public export that extracts the repo name from a full image string
+ * Only works for Docker Hub (docker.io) - silently does nothing for other registries
+ */
+const createDockerHubRepository = async (registry, imageName, username, password, isPrivate = false) => {
+    // Only create repositories for Docker Hub
+    if (registry !== 'docker.io') {
+        return;
+    }
+    try {
+        // Extract repository name and namespace from full image name
+        // Examples:
+        //   docker.io/hassellof/superted82:latest -> namespace=hassellof, repo=superted82
+        //   docker.io/myorg/myapp -> namespace=myorg, repo=myapp
+        //   hassellof/superted82:latest -> namespace=hassellof, repo=superted82
+        let fullPath = imageName;
+        // Remove registry prefix if present
+        if (fullPath.startsWith('docker.io/')) {
+            fullPath = fullPath.substring('docker.io/'.length);
+        }
+        // Remove tag if present (do this before splitting)
+        fullPath = fullPath.split(':')[0];
+        // Split into parts to extract namespace and repo
+        const parts = fullPath.split('/');
+        let namespace;
+        let repoName;
+        if (parts.length >= 2) {
+            // Format: namespace/repo or namespace/sub/repo
+            namespace = parts[0]; // The organization or username
+            repoName = parts[parts.length - 1]; // The repo name (last part)
+        }
+        else {
+            // Format: just repo name, use username as namespace
+            namespace = username;
+            repoName = parts[0];
+        }
+        console.log(chalk_1.default.dim(`Parsed image: namespace=${namespace}, repo=${repoName}`));
+        await createDockerHubRepo(username, password, repoName, namespace, isPrivate);
+    }
+    catch (error) {
+        // Log the error but don't throw - let the build attempt proceed
+        // The push will fail with a clear error if the repo doesn't exist
+        console.log(chalk_1.default.yellow(`Warning: Could not auto-create repository: ${error.message}`));
+        console.log(chalk_1.default.yellow(`You may need to create the repository manually at https://hub.docker.com/repository/create`));
+    }
+};
+exports.createDockerHubRepository = createDockerHubRepository;
+const verifyDockerCredentials = async (registry, pullUsername, pullPassword, pushUsername, pushPassword, customImageName, nonInteractive = false, isPushCredsFromEnv = false) => {
+    // Check if we can skip validation using cached hash
+    if (pullUsername && pullPassword && pushUsername && pushPassword) {
+        const isValid = await (0, registry_credentials_1.isCredentialHashValid)(registry, pullUsername, pullPassword, pushUsername, pushPassword);
+        if (isValid) {
+            const envHash = process.env.PHYGRID_REGISTRY_VALIDATION_HASH;
+            if (envHash) {
+                console.log(chalk_1.default.green('✓ Skipping credential validation - using PHYGRID_REGISTRY_VALIDATION_HASH from environment'));
+            }
+            else {
+                console.log(chalk_1.default.green('✓ Skipping credential validation - using cached validation from previous successful build'));
+            }
+            return {
+                pullUsername,
+                pullPassword,
+                pushUsername,
+                pushPassword,
+            };
+        }
+    }
+    let testPushTag;
+    // Use a consistent image name for easier cleanup
+    const testImageName = 'phygrid-test-image';
+    // Extract organization from custom image name if available
+    let orgName = null;
+    if (customImageName && customImageName.includes('/')) {
+        if (customImageName.startsWith('docker.io/')) {
+            // For docker.io images, organization comes after the docker.io/ prefix
+            const parts = customImageName.split('/');
+            if (parts.length >= 2) {
+                orgName = parts[1];
+            }
+        }
+        else {
+            // For other registries, organization is the first part before the slash
+            orgName = customImageName.split('/')[0];
+        }
+        console.log(chalk_1.default.dim(`Using organization from image: ${orgName}`));
+    }
+    // Pull test image from Docker Hub first
+    console.log(chalk_1.default.dim('Pulling test image...'));
+    try {
+        console.log(chalk_1.default.dim('Running: docker pull hello-world:latest'));
+        child_process_1.default.execSync('docker pull hello-world:latest', {
+            stdio: 'pipe',
+        });
+    }
+    catch (error) {
+        throw new Error('Failed to pull test image from Docker Hub. Verify that Docker is running and check your internet connection.');
+    }
+    // Validate PUSH credentials first (must be able to push)
+    console.log(chalk_1.default.dim('Validating push credentials...'));
+    let pushCredsValid = false;
+    let finalPushUsername = pushUsername;
+    let finalPushPassword = pushPassword;
+    // Explicitly indicate when environment variables are being used
+    if (isPushCredsFromEnv) {
+        console.log(chalk_1.default.green('Using push credentials from PHYGRID_REGISTRY_PUSH_* environment variables'));
+    }
+    else {
+        console.log(chalk_1.default.dim('hint: set the following environment variables:'));
+        console.log(chalk_1.default.dim('  PHYGRID_REGISTRY_PULL_USERNAME - for read-only access'));
+        console.log(chalk_1.default.dim('  PHYGRID_REGISTRY_PULL_PASSWORD - for read-only access'));
+        console.log(chalk_1.default.dim('  PHYGRID_REGISTRY_PUSH_USERNAME - for write access'));
+        console.log(chalk_1.default.dim('  PHYGRID_REGISTRY_PUSH_PASSWORD - for write access'));
+        console.log(chalk_1.default.dim('  PHYGRID_REGISTRY_VALIDATION_HASH - to skip validation in CI (provided after first successful validation)'));
+    }
+    while (!pushCredsValid) {
+        try {
+            // Login with push credentials
+            console.log(chalk_1.default.dim(`Logging in to registry ${registry} with username ${finalPushUsername}`));
+            try {
+                // Don't log the actual command with password to avoid exposing credentials
+                // We're also using stdio: 'pipe' instead of 'inherit' to have better control over the output
+                child_process_1.default.execSync(`docker login ${registry} -u ${finalPushUsername} -p ${finalPushPassword}`, {
+                    stdio: 'pipe',
+                });
+                console.log(chalk_1.default.green('✓ Login successful'));
+            }
+            catch (loginError) {
+                // Create a cleaned error message that doesn't include credentials
+                console.log(chalk_1.default.red(`Error: Docker login to ${registry} with user ${finalPushUsername} failed.`));
+                // Extract just the error response from Docker, not the command with credentials
+                let errorMsg = loginError.message || '';
+                // Look for the pattern of Docker error messages
+                const errorMatch = errorMsg.match(/Error response from daemon: (.*)/);
+                if (errorMatch && errorMatch[1]) {
+                    console.log(chalk_1.default.yellow(`Docker error: ${errorMatch[1]}`));
+                }
+                else {
+                    console.log(chalk_1.default.yellow('Docker authentication failed. Check credentials.'));
+                }
+                throw new Error(`Docker login to ${registry} failed. Authentication error.`);
+            }
+            // Tag the hello-world image for our registry with a unique tag
+            const pushTestTag = `test-${(0, uuid_1.v4)().substring(0, 8)}`;
+            const testImage = registry === 'docker.io'
+                ? `${registry}/${orgName ||
+                    finalPushUsername}/${testImageName}:${pushTestTag}`
+                : `${registry}/${testImageName}:${pushTestTag}`;
+            console.log(chalk_1.default.dim(`Generated test image tag: ${testImage}`));
+            console.log(chalk_1.default.dim(`Registry: ${chalk_1.default.blue(registry)}`));
+            console.log(chalk_1.default.dim(`Username: ${chalk_1.default.blue(finalPushUsername)}`));
+            console.log(chalk_1.default.dim(`Testing with image: ${chalk_1.default.blue(testImage)}`));
+            console.log(chalk_1.default.dim(`Running: docker tag hello-world:latest ${testImage}`));
+            child_process_1.default.execSync(`docker tag hello-world:latest ${testImage}`, {
+                stdio: 'pipe',
+            });
+            // For Docker Hub, ensure the repository exists before pushing
+            if (registry === 'docker.io') {
+                // Use orgName if available, otherwise use username as namespace
+                const namespace = orgName || finalPushUsername;
+                // Test image is always public to avoid wasting private repo slots
+                await createDockerHubRepo(finalPushUsername, finalPushPassword, testImageName, namespace, false);
+            }
+            // Try pushing hello-world to our registry
+            try {
+                console.log(chalk_1.default.dim(`Attempting to push test image to registry: ${chalk_1.default.blue(registry)}`));
+                console.log(chalk_1.default.dim(`Using push credentials: username=${chalk_1.default.blue(finalPushUsername)}`));
+                console.log(chalk_1.default.dim(`Running: docker push ${testImage}`));
+                child_process_1.default.execSync(`docker push ${testImage}`, {
+                    stdio: 'pipe',
+                });
+                console.log(chalk_1.default.green('✓ Push credentials validated'));
+                pushCredsValid = true;
+                // Store the test tag for pull validation
+                testPushTag = pushTestTag;
+            }
+            catch (pushError) {
+                const errorMessage = pushError.message || '';
+                // Check if the error is specifically about repository not existing or access denied
+                if (errorMessage.includes('denied') || errorMessage.includes('requested access to the resource is denied')) {
+                    // For Docker Hub, this might mean the repo doesn't exist
+                    if (registry === 'docker.io') {
+                        console.log(chalk_1.default.yellow('Push failed - this may indicate the repository does not exist or credentials are invalid'));
+                        console.log(chalk_1.default.yellow(`Please verify the repository exists at: https://hub.docker.com/repository/docker/${finalPushUsername}/${testImageName}`));
+                        console.log(chalk_1.default.yellow(`Or create it manually at: https://hub.docker.com/repository/create`));
+                    }
+                }
+                console.log(chalk_1.default.red(`Failed to push test image: ${errorMessage}`));
+                throw new Error(`Failed to push test image: ${errorMessage}`);
+            }
+            finally {
+                // Clean up local tag
+                try {
+                    child_process_1.default.execSync(`docker rmi ${testImage}`, {
+                        stdio: 'pipe',
+                    });
+                }
+                catch (error) {
+                    console.log(chalk_1.default.yellow(`Warning: Failed to remove test image: ${error.message}`));
+                    // Ignore cleanup errors
+                }
+            }
+        }
+        catch (error) {
+            // Create a sanitized error message
+            let safeErrorMessage = 'Unknown error';
+            if (error.message) {
+                // If it's a login failure we created earlier, use it directly
+                if (error.message.includes('Docker login to') && error.message.includes('failed')) {
+                    safeErrorMessage = error.message;
+                }
+                else {
+                    // For other errors, sanitize any command that might contain credentials
+                    safeErrorMessage = error.message.replace(/docker login[^;]*;?/g, 'docker login [credentials hidden];');
+                    // Extract Docker daemon errors if present
+                    const errorMatch = error.message.match(/Error response from daemon: (.*)/);
+                    if (errorMatch && errorMatch[1]) {
+                        safeErrorMessage = `Docker error: ${errorMatch[1]}`;
+                    }
+                }
+            }
+            console.log(chalk_1.default.red('Error: Push credentials are invalid.'));
+            console.log(chalk_1.default.red(`Error details: ${safeErrorMessage}`));
+            // If non-interactive or creds came from ENV, throw error instead of prompting
+            if (nonInteractive || isPushCredsFromEnv) {
+                throw new Error(`Push credentials for registry ${registry} are invalid. Check environment variables or configuration.`);
+            }
+            // Force re-prompt for push credentials (only in interactive mode and if not from ENV)
+            const { inputUsername, inputPassword } = await inquirer_1.default.prompt([
+                {
+                    type: 'input',
+                    name: 'inputUsername',
+                    message: `Please input push username for registry ${registry}:`,
+                    validate: (input) => (input ? true : 'Username cannot be empty.'),
+                },
+                {
+                    type: 'password',
+                    name: 'inputPassword',
+                    message: `Please input push password for registry ${registry}:`,
+                    mask: '*',
+                    validate: (input) => (input ? true : 'Password cannot be empty.'),
+                },
+            ]);
+            finalPushUsername = inputUsername;
+            finalPushPassword = inputPassword;
+        }
+    }
+    // Then validate PULL credentials
+    console.log(chalk_1.default.dim('Validating pull credentials...'));
+    let pullCredsValid = false;
+    let finalPullUsername = pullUsername;
+    let finalPullPassword = pullPassword;
+    // Explicitly indicate when environment variables are being used for pull credentials
+    if (isPushCredsFromEnv) {
+        console.log(chalk_1.default.green('Using pull credentials from PHYGRID_REGISTRY_PULL_* environment variables'));
+    }
+    // If pull credentials are not provided AND we are in interactive mode AND creds are not from ENV, prompt for them
+    if (!finalPullUsername || !finalPullPassword) {
+        if (!nonInteractive && !isPushCredsFromEnv) {
+            console.log(chalk_1.default.yellow('Registry pull credentials not found'));
+            const { inputUsername, inputPassword } = await inquirer_1.default.prompt([
+                {
+                    type: 'input',
+                    name: 'inputUsername',
+                    message: `Please input pull username for registry ${registry} (read-only):`,
+                    validate: (input) => (input ? true : 'Username cannot be empty.'),
+                },
+                {
+                    type: 'password',
+                    name: 'inputPassword',
+                    message: `Please input pull password for registry ${registry} (read-only):`,
+                    mask: '*',
+                    validate: (input) => (input ? true : 'Password cannot be empty.'),
+                },
+            ]);
+            finalPullUsername = inputUsername;
+            finalPullPassword = inputPassword;
+        }
+        else {
+            // In non-interactive mode or if creds from ENV, throw error if pull creds are missing
+            throw new Error(`Pull credentials for registry ${registry} are missing. Check environment variables or configuration.`);
+        }
+    }
+    while (!pullCredsValid) {
+        try {
+            // Login with pull credentials
+            console.log(chalk_1.default.dim(`Logging in to registry ${registry} with pull username ${finalPullUsername}`));
+            try {
+                child_process_1.default.execSync(`docker login ${registry} -u ${finalPullUsername} -p ${finalPullPassword}`, {
+                    stdio: 'pipe',
+                });
+                console.log(chalk_1.default.green('✓ Login successful with pull credentials'));
+            }
+            catch (loginError) {
+                // Create a cleaned error message that doesn't include credentials
+                console.log(chalk_1.default.red(`Error: Docker login to ${registry} with pull user ${finalPullUsername} failed.`));
+                // Extract just the error response from Docker, not the command with credentials
+                let errorMsg = loginError.message || '';
+                // Look for the pattern of Docker error messages
+                const errorMatch = errorMsg.match(/Error response from daemon: (.*)/);
+                if (errorMatch && errorMatch[1]) {
+                    console.log(chalk_1.default.yellow(`Docker error: ${errorMatch[1]}`));
+                }
+                else {
+                    console.log(chalk_1.default.yellow('Docker authentication failed. Check pull credentials.'));
+                }
+                throw new Error(`Docker login to ${registry} with pull credentials failed. Authentication error.`);
+            }
+            // First verify they can pull
+            try {
+                // Try to pull the test image we just pushed
+                const pullTestImage = registry === 'docker.io'
+                    ? `${registry}/${orgName ||
+                        finalPushUsername}/${testImageName}:${testPushTag}`
+                    : `${registry}/${testImageName}:${testPushTag}`;
+                // Remove the image locally first to ensure we're actually testing pull
+                try {
+                    child_process_1.default.execSync(`docker rmi ${pullTestImage}`, {
+                        stdio: 'pipe',
+                    });
+                }
+                catch (error) {
+                    // Ignore errors if image doesn't exist locally
+                }
+                child_process_1.default.execSync(`docker pull ${pullTestImage}`, {
+                    stdio: 'pipe',
+                });
+                // Now verify if they can push (they shouldn't be able to)
+                try {
+                    // Try to push a different tag to properly test push permissions
+                    const pullTestTag = `test-${(0, uuid_1.v4)().substring(0, 8)}`;
+                    const pushTestImage = registry === 'docker.io'
+                        ? `${registry}/${orgName ||
+                            finalPushUsername}/${testImageName}:${pullTestTag}`
+                        : `${registry}/${testImageName}:${pullTestTag}`;
+                    child_process_1.default.execSync(`docker tag ${pullTestImage} ${pushTestImage}`, {
+                        stdio: 'pipe',
+                    });
+                    child_process_1.default.execSync(`docker push ${pushTestImage}`, {
+                        stdio: 'pipe',
+                    });
+                    // If push succeeds, credentials have too many permissions
+                    console.log(chalk_1.default.red('Error: Pull credentials have push permissions. This is a security risk.'));
+                    console.log(chalk_1.default.dim('Please enter different read-only credentials.'));
+                    // If non-interactive or creds from ENV, throw error instead of prompting
+                    if (nonInteractive || isPushCredsFromEnv) {
+                        throw new Error(`Pull credentials for registry ${registry} have push permissions. This is a security risk. Provide read-only credentials.`);
+                    }
+                    // Force re-prompt for pull credentials (only in interactive mode)
+                    const { inputUsername, inputPassword } = await inquirer_1.default.prompt([
+                        {
+                            type: 'input',
+                            name: 'inputUsername',
+                            message: `Please input pull username for registry ${registry} (read-only):`,
+                            validate: (input) => (input ? true : 'Username cannot be empty.'),
+                        },
+                        {
+                            type: 'password',
+                            name: 'inputPassword',
+                            message: `Please input pull password for registry ${registry} (read-only):`,
+                            mask: '*',
+                            validate: (input) => (input ? true : 'Password cannot be empty.'),
+                        },
+                    ]);
+                    finalPullUsername = inputUsername;
+                    finalPullPassword = inputPassword;
+                    // Clean up test images
+                    try {
+                        child_process_1.default.execSync(`docker rmi ${pullTestImage} ${pushTestImage}`, {
+                            stdio: 'pipe',
+                        });
+                    }
+                    catch (error) {
+                        // Ignore cleanup errors
+                    }
+                    continue;
+                }
+                catch (pushError) {
+                    // Push failed as expected for pull-only credentials
+                    console.log(chalk_1.default.green('✓ Pull credentials validated (read-only access confirmed)'));
+                    pullCredsValid = true;
+                }
+                // Clean up the test image
+                try {
+                    child_process_1.default.execSync(`docker rmi ${pullTestImage}`, {
+                        stdio: 'pipe',
+                    });
+                }
+                catch (error) {
+                    // Ignore cleanup errors
+                }
+            }
+            catch (pullError) {
+                console.log(chalk_1.default.red('Error: Pull credentials cannot pull from registry.'));
+                throw new Error('Pull credentials cannot pull');
+            }
+        }
+        catch (error) {
+            if (error.message === 'Pull credentials cannot pull') {
+                // If non-interactive or creds from ENV, throw error instead of prompting
+                if (nonInteractive || isPushCredsFromEnv) {
+                    throw new Error(`Pull credentials for registry ${registry} are invalid or cannot pull. Check environment variables or configuration.`);
+                }
+                // Force re-prompt for pull credentials (only in interactive mode)
+                const { inputUsername, inputPassword } = await inquirer_1.default.prompt([
+                    {
+                        type: 'input',
+                        name: 'inputUsername',
+                        message: `Please input pull username for registry ${registry} (read-only):`,
+                        validate: (input) => (input ? true : 'Username cannot be empty.'),
+                    },
+                    {
+                        type: 'password',
+                        name: 'inputPassword',
+                        message: `Please input pull password for registry ${registry} (read-only):`,
+                        mask: '*',
+                        validate: (input) => (input ? true : 'Password cannot be empty.'),
+                    },
+                ]);
+                finalPullUsername = inputUsername;
+                finalPullPassword = inputPassword;
+            }
+            else {
+                throw error;
+            }
+        }
+    }
+    // Final cleanup - remove the test repository from Docker Hub
+    try {
+        const cleanupImage = registry === 'docker.io'
+            ? `${registry}/${orgName ||
+                finalPushUsername}/${testImageName}:${testPushTag}`
+            : `${registry}/${testImageName}:${testPushTag}`;
+        // Try to remove the local image
+        try {
+            child_process_1.default.execSync(`docker rmi ${cleanupImage}`, {
+                stdio: 'pipe',
+            });
+            console.log(chalk_1.default.dim(`Local test image removed successfully.`));
+        }
+        catch (rmiError) {
+            // Fail gracefully if the image can't be removed locally
+            console.log(chalk_1.default.dim(`Note: Could not remove local test image.`));
+        }
+        // For Docker Hub, delete the entire test repository to avoid wasting private repo slots
+        if (registry === 'docker.io') {
+            const namespace = orgName || finalPushUsername;
+            await deleteDockerHubRepo(finalPushUsername, finalPushPassword, namespace, testImageName);
+        }
+        else {
+            console.log(chalk_1.default.dim(`Note: Test image '${testImageName}' may remain in your registry. You can manually remove it if needed.`));
+        }
+    }
+    catch (error) {
+        // Ignore cleanup errors
+        console.log(chalk_1.default.dim(`Note: Could not perform final cleanup. Test image '${testImageName}' may remain in your registry.`));
+    }
+    // Save the validation hash after successful validation
+    const validationHash = (0, registry_credentials_1.generateCredentialHash)(registry, finalPullUsername, finalPullPassword, finalPushUsername, finalPushPassword);
+    await (0, registry_credentials_1.saveValidationCache)(registry, validationHash, finalPullUsername, finalPushUsername);
+    // Log the hash that can be used for CI
+    console.log(chalk_1.default.green('✓ Credentials validated successfully'));
+    console.log(chalk_1.default.dim(`To skip validation in CI pipelines, set the following environment variable:`));
+    console.log(chalk_1.default.cyan(`PHYGRID_REGISTRY_VALIDATION_HASH=${validationHash}`));
+    console.log(chalk_1.default.dim('This hash verifies that pull credentials are read-only and push credentials have write access.'));
+    return {
+        pullUsername: finalPullUsername,
+        pullPassword: finalPullPassword,
+        pushUsername: finalPushUsername,
+        pushPassword: finalPushPassword,
+    };
+};
+exports.verifyDockerCredentials = verifyDockerCredentials;
+/**
+ * Verify and set up Docker credentials from various sources
+ * Used by both app create and build-container commands
+ */
+const setupDockerCredentials = async (registry, name, packageFile, customImageName, nonInteractive = false) => {
+    console.log(chalk_1.default.dim('Verifying Docker registry credentials'));
+    let pullUsername = null;
+    let pullPassword = null;
+    let pushUsername = null;
+    let pushPassword = null;
+    let isPushCredsFromEnv = false;
+    let isPullCredsFromEnv = false;
+    // 1. First, attempt to resolve pull credentials from package.json
+    if (fs_extra_1.default.existsSync(packageFile)) {
+        try {
+            const packageData = JSON.parse(fs_extra_1.default.readFileSync(packageFile).toString());
+            const dockerCredentials = packageData['docker-credentials'];
+            if (dockerCredentials?.pull?.username && dockerCredentials?.pull?.password) {
+                pullUsername = dockerCredentials.pull.username;
+                pullPassword = dockerCredentials.pull.password;
+                console.log(chalk_1.default.dim('Using pull credentials from package.json'));
+            }
+            // If push credentials are present in package.json, we do NOT use them at this stage
+        }
+        catch (error) {
+            console.warn(chalk_1.default.yellow(`Warning: Could not read credentials from ${packageFile}: ${error.message}`));
+        }
+    }
+    // 2. Next, look for push credentials in environment variables
+    const envPullUser = process.env.PHYGRID_REGISTRY_PULL_USERNAME;
+    const envPullPass = process.env.PHYGRID_REGISTRY_PULL_PASSWORD;
+    const envPushUser = process.env.PHYGRID_REGISTRY_PUSH_USERNAME;
+    const envPushPass = process.env.PHYGRID_REGISTRY_PUSH_PASSWORD;
+    if (envPushUser && envPushPass) {
+        pushUsername = envPushUser;
+        pushPassword = envPushPass;
+        isPushCredsFromEnv = true;
+        console.log(chalk_1.default.dim('Using push credentials from environment variables'));
+    }
+    // For pull credentials, only assign from env if any pull credential is not set
+    if (envPullUser && envPullPass) {
+        const assignedFromEnv = !pullUsername || !pullPassword;
+        pullUsername = pullUsername || envPullUser;
+        pullPassword = pullPassword || envPullPass;
+        if (assignedFromEnv) {
+            isPullCredsFromEnv = true;
+            console.log(chalk_1.default.dim('Using pull credentials from environment variables (fallback)'));
+        }
+    }
+    // 3. Last, use credentials file for any unset pull or push credentials
+    const storedCredentials = await (0, registry_credentials_1.getRegistryCredentials)(registry);
+    if (storedCredentials) {
+        if (!pullUsername && storedCredentials.pull?.username) {
+            pullUsername = storedCredentials.pull.username;
+            console.log(chalk_1.default.dim('Using pull username from stored credentials'));
+        }
+        if (!pullPassword && storedCredentials.pull?.password) {
+            pullPassword = storedCredentials.pull.password;
+            console.log(chalk_1.default.dim('Using pull password from stored credentials'));
+        }
+        if (!pushUsername && storedCredentials.push?.username) {
+            pushUsername = storedCredentials.push.username;
+            console.log(chalk_1.default.dim('Using push username from stored credentials'));
+        }
+        if (!pushPassword && storedCredentials.push?.password) {
+            pushPassword = storedCredentials.push.password;
+            console.log(chalk_1.default.dim('Using push password from stored credentials'));
+        }
+    }
+    // If running non-interactively (e.g., CI) and no credentials found from any source, throw error.
+    if (nonInteractive && (!pullUsername || !pullPassword || !pushUsername || !pushPassword)) {
+        throw new Error('Missing required Docker credentials in non-interactive mode. Please set PHYGRID_REGISTRY_PULL/PUSH_USERNAME/PASSWORD environment variables.');
+    }
+    // Pass the nonInteractive flag and isPushCredsFromEnv flag to verifyDockerCredentials
+    const verifiedCredentials = await (0, exports.verifyDockerCredentials)(registry, pullUsername, pullPassword, pushUsername, pushPassword, customImageName, nonInteractive, // Pass the flag
+    isPushCredsFromEnv);
+    // Store the verified credentials in home directory (only if not from env vars or non-interactive?)
+    // For CI, we might not want to write back to the home dir. Let's skip saving if push creds came from ENV.
+    if (!isPushCredsFromEnv) {
+        await (0, registry_credentials_1.saveRegistryCredentials)(registry, {
+            pull: {
+                username: verifiedCredentials.pullUsername,
+                password: verifiedCredentials.pullPassword,
+            },
+            push: {
+                username: verifiedCredentials.pushUsername,
+                password: verifiedCredentials.pushPassword,
+            },
+        });
+    }
+    // Update package.json with only pull credentials (only if pull creds didn't come from env)
+    // We only want to update package.json if the source wasn't env vars, to avoid overwriting things unintentionally.
+    if (!isPullCredsFromEnv && fs_extra_1.default.existsSync(packageFile)) {
+        try {
+            let packageData = JSON.parse(fs_extra_1.default.readFileSync(packageFile).toString());
+            // Make sure docker-credentials exists
+            if (!packageData['docker-credentials']) {
+                packageData['docker-credentials'] = {};
+            }
+            // Update pull credentials
+            packageData['docker-credentials'].pull = {
+                username: verifiedCredentials.pullUsername,
+                password: verifiedCredentials.pullPassword, // Note: Storing password in package.json is generally discouraged
+            };
+            // Make sure registry is set in docker-credentials
+            if (registry && !packageData['docker-credentials'].registry) {
+                packageData['docker-credentials'].registry = registry;
+            }
+            // If customImageName was provided, make sure it's set in docker-credentials
+            if (customImageName && !packageData['docker-credentials'].image) {
+                packageData['docker-credentials'].image = customImageName;
+            }
+            // Remove container-registry from root if it exists
+            if (packageData['container-registry']) {
+                delete packageData['container-registry'];
+            }
+            fs_extra_1.default.writeFileSync(packageFile, JSON.stringify(packageData, null, 2));
+        }
+        catch (error) {
+            console.warn(chalk_1.default.yellow(`Warning: Could not update credentials in ${packageFile}: ${error.message}`));
+        }
+    }
+    return verifiedCredentials;
+};
+exports.setupDockerCredentials = setupDockerCredentials;
+//# sourceMappingURL=docker-credentials.js.map