@primitivedotdev/cli 0.26.2 → 0.26.3

package/dist/oclif/commands/functions-redeploy.js

@@ -1,240 +0,0 @@
-import { Command, Flags } from "@oclif/core";
-import { PrimitiveApiClient, setFunctionSecret, updateFunction, } from "@primitivedotdev/sdk/api";
-import { extractErrorPayload, readTextFileFlag, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
-import { resolveCliAuth } from "../auth.js";
-import { emitRawSendMailFetchWarning } from "../lint/raw-send-mail-fetch.js";
-import { parseSecretFlags, SECRET_FLAG_SECURITY_NOTE, } from "../secret-flags.js";
-// Pure-ish orchestration of (optional secrets +) update-function.
-// Writes every secret first, then re-deploys with the new bundle so
-// a single updateFunction call refreshes every binding the user
-// wrote. Pulled out as a named export so the unit test can drive
-// every branch with a fake RedeployApiSurface, without spinning up
-// a real client or the oclif command lifecycle.
-export async function runRedeployWithSecrets(api, params) {
-    const writtenSecrets = [];
-    const succeededKeys = [];
-    for (let i = 0; i < params.secrets.length; i++) {
-        const pair = params.secrets[i];
-        // Pre-compute the keys that come AFTER the current pair so a
-        // set-secret failure can surface every key that was never
-        // attempted, not just the one that failed.
-        const pendingKeys = params.secrets.slice(i + 1).map((p) => p.key);
-        const setResult = await api.setSecret({
-            id: params.id,
-            key: pair.key,
-            value: pair.value,
-        });
-        if (setResult.error) {
-            return {
-                failedKey: pair.key,
-                kind: "error",
-                payload: extractErrorPayload(setResult.error),
-                pendingKeys,
-                stage: "set-secret",
-                succeededKeys,
-            };
-        }
-        const secret = setResult.data?.data;
-        if (!secret) {
-            return {
-                failedKey: pair.key,
-                kind: "error",
-                payload: {
-                    code: "client_error",
-                    message: "Secret write returned no data",
-                },
-                pendingKeys,
-                stage: "set-secret",
-                succeededKeys,
-            };
-        }
-        writtenSecrets.push(secret);
-        succeededKeys.push(pair.key);
-    }
-    const updateResult = await api.updateFunction({
-        code: params.code,
-        id: params.id,
-        ...(params.sourceMap !== undefined ? { sourceMap: params.sourceMap } : {}),
-    });
-    if (updateResult.error) {
-        return {
-            kind: "error",
-            payload: extractErrorPayload(updateResult.error),
-            stage: "redeploy",
-            succeededKeys,
-        };
-    }
-    const redeployed = updateResult.data?.data;
-    if (!redeployed) {
-        return {
-            kind: "error",
-            payload: {
-                code: "client_error",
-                message: "Redeploy returned no data",
-            },
-            stage: "redeploy",
-            succeededKeys,
-        };
-    }
-    return {
-        kind: "ok",
-        result: {
-            redeploy: redeployed,
-            ...(writtenSecrets.length > 0 ? { secrets: writtenSecrets } : {}),
-        },
-    };
-}
-class FunctionsRedeployCommand extends Command {
-    static description = `Update or redeploy a function from a bundled handler file. Agent-grade shortcut for functions:update-function.
-
-  Use to push a new bundle OR to refresh secret bindings into the
-  running handler. The same file is fine for both: the deploy reads
-  the bindings table fresh on every call, so passing the existing
-  bundle picks up any secret writes since the last deploy.
-
-  Pass --secret KEY=VALUE (repeatable) to write secrets BEFORE the
-  redeploy fires; one update-function call then refreshes every new
-  binding. Keys must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters,
-  digits, underscores; first character is a letter or underscore).
-  With one or more --secret flags the redeploy fans out to multiple
-  API calls (set-secret per pair, then update-function).`;
-    static summary = "Redeploy a function from a bundled handler file";
-    static examples = [
-        "<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js",
-        "<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js --source-map-file ./bundle.js.map",
-        "<%= config.bin %> functions:redeploy --id <fn-id> --file ./bundle.js --secret OPENAI_KEY=sk-... --secret OWNER_EMAIL=me@example.com",
-    ];
-    static flags = {
-        "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
-            env: "PRIMITIVE_API_KEY",
-        }),
-        "api-base-url-1": Flags.string({
-            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_1",
-            hidden: true,
-        }),
-        "api-base-url-2": Flags.string({
-            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_2",
-            hidden: true,
-        }),
-        id: Flags.string({
-            description: "Function id (UUID). The function must already exist.",
-            required: true,
-        }),
-        file: Flags.string({
-            description: "Path to the bundled ESM handler file. Loaded as the `code` body field.",
-            required: true,
-        }),
-        "source-map-file": Flags.string({
-            description: "Optional path to a source map for the bundle. Used to symbolicate stack traces in the function's logs.",
-        }),
-        secret: Flags.string({
-            description: `Secret KEY=VALUE to write on the function before the redeploy fires. Repeatable. KEY must match \`^[A-Z_][A-Z0-9_]*$\`; VALUE may contain \`=\` (only the first \`=\` is treated as a delimiter). Each KEY may only appear once per command. Passing one or more --secret flags fans out to set-secret per pair then a single update-function call so the new bindings land in the same redeploy. ${SECRET_FLAG_SECURITY_NOTE}`,
-            multiple: true,
-        }),
-        time: Flags.boolean({
-            description: TIME_FLAG_DESCRIPTION,
-        }),
-    };
-    async run() {
-        const { flags } = await this.parse(FunctionsRedeployCommand);
-        await runWithTiming(flags.time, async () => {
-            // Validate --secret pairs BEFORE any disk read or API call so
-            // a malformed input fails fast with a clear error and zero
-            // side effects. The fast path (no --secret flags) skips the
-            // secret-write loop entirely.
-            const rawSecrets = flags.secret ?? [];
-            const parsedSecrets = parseSecretFlags(rawSecrets);
-            if (parsedSecrets.kind === "error") {
-                process.stderr.write(`${parsedSecrets.message}\n`);
-                process.exitCode = 1;
-                return;
-            }
-            // Reads inside the timed block: --time captures disk I/O too,
-            // which is the latency the flag is meant to surface.
-            const code = readTextFileFlag(flags.file, "--file");
-            const sourceMap = flags["source-map-file"]
-                ? readTextFileFlag(flags["source-map-file"], "--source-map-file")
-                : undefined;
-            // Non-blocking deploy-time lint: if the bundle has a raw
-            // fetch(...) call against /send-mail, nudge the author toward
-            // `createPrimitiveClient` from `@primitivedotdev/sdk/api`.
-            // Same check as functions:deploy; warning goes to stderr and
-            // the deploy continues regardless.
-            emitRawSendMailFetchWarning(code, (chunk) => process.stderr.write(chunk));
-            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
-                flags["api-base-url-2"] !== undefined;
-            const auth = resolveCliAuth({
-                apiKey: flags["api-key"],
-                apiBaseUrl1: flags["api-base-url-1"],
-                apiBaseUrl2: flags["api-base-url-2"],
-                configDir: this.config.configDir,
-            });
-            const apiClient = new PrimitiveApiClient({
-                apiKey: auth.apiKey,
-                apiBaseUrl1: auth.apiBaseUrl1,
-                apiBaseUrl2: auth.apiBaseUrl2,
-            });
-            const authFailureContext = {
-                auth,
-                baseUrlOverridden,
-                configDir: this.config.configDir,
-            };
-            // Adapter: thin wrappers around the generated SDK calls,
-            // routed through host 1 (apiClient.client). The function
-            // CRUD and secrets endpoints are not on host 2.
-            const apiSurface = {
-                setSecret: (p) => setFunctionSecret({
-                    body: { value: p.value },
-                    client: apiClient.client,
-                    path: { id: p.id, key: p.key },
-                    responseStyle: "fields",
-                }),
-                updateFunction: (p) => updateFunction({
-                    body: {
-                        code: p.code,
-                        ...(p.sourceMap !== undefined ? { sourceMap: p.sourceMap } : {}),
-                    },
-                    client: apiClient.client,
-                    path: { id: p.id },
-                    responseStyle: "fields",
-                }),
-            };
-            const outcome = await runRedeployWithSecrets(apiSurface, {
-                code,
-                id: flags.id,
-                secrets: parsedSecrets.secrets,
-                ...(sourceMap !== undefined ? { sourceMap } : {}),
-            });
-            if (outcome.kind === "error") {
-                if (outcome.stage === "set-secret") {
-                    const succeeded = outcome.succeededKeys.length > 0
-                        ? outcome.succeededKeys.join(", ")
-                        : "(none)";
-                    const pending = outcome.pendingKeys.length > 0
-                        ? outcome.pendingKeys.join(", ")
-                        : "(none)";
-                    const allMissing = [outcome.failedKey, ...outcome.pendingKeys].join(", ");
-                    process.stderr.write(`Writing secret ${outcome.failedKey} failed before the redeploy; succeeded keys so far: ${succeeded}; keys not yet attempted: ${pending}. The new bundle has NOT been deployed. Re-run \`primitive functions:set-secret\` for each of [${allMissing}], then \`primitive functions:redeploy --id ${flags.id} --file <bundle>\` to push them live.\n`);
-                }
-                else if (outcome.stage === "redeploy") {
-                    const succeeded = outcome.succeededKeys.length > 0
-                        ? outcome.succeededKeys.join(", ")
-                        : "(none)";
-                    process.stderr.write(`Secrets [${succeeded}] were written, but the redeploy step failed; the new bindings are NOT yet live. Re-run \`primitive functions:redeploy --id ${flags.id} --file <bundle>\` once the cause is fixed.\n`);
-                }
-                writeErrorWithHints(outcome.payload);
-                removeStaleSavedCredentialOnUnauthorized({
-                    ...authFailureContext,
-                    payload: outcome.payload,
-                });
-                process.exitCode = 1;
-                return;
-            }
-            this.log(JSON.stringify(outcome.result.redeploy, null, 2));
-        });
-    }
-}
-export default FunctionsRedeployCommand;

package/dist/oclif/commands/functions-set-secret.js

@@ -1,212 +0,0 @@
-import { Command, Flags } from "@oclif/core";
-import { getFunction, PrimitiveApiClient, setFunctionSecret, updateFunction, } from "@primitivedotdev/sdk/api";
-import { extractErrorPayload, removeStaleSavedCredentialOnUnauthorized, runWithTiming, TIME_FLAG_DESCRIPTION, writeErrorWithHints, } from "../api-command.js";
-import { resolveCliAuth } from "../auth.js";
-// Pure-ish orchestration of the set-secret + optional redeploy
-// flow. Pulled out as a named export so the unit test can drive
-// both the happy path and each error stage with a fake API
-// surface, without spinning up a real client or the oclif
-// command lifecycle.
-//
-// The redeploy step uses the function's CURRENT code (fetched via
-// getFunction) as the new bundle. This is the documented way to
-// "refresh secret bindings without changing the handler": the
-// server-side deploy reads the secrets table fresh on every call,
-// so re-deploying the same code picks up the secret we just wrote.
-export async function runSetSecret(api, params) {
-    const setResult = await api.setSecret({
-        id: params.id,
-        key: params.key,
-        value: params.value,
-    });
-    if (setResult.error) {
-        return {
-            kind: "error",
-            payload: extractErrorPayload(setResult.error),
-            stage: "set-secret",
-        };
-    }
-    const secret = setResult.data?.data;
-    if (!secret) {
-        // Server returned 2xx with no `data` body. Treat as an error
-        // so we don't fabricate a success payload; this should not
-        // happen in practice but the shape forces us to handle it.
-        return {
-            kind: "error",
-            payload: {
-                code: "client_error",
-                message: "Secret write returned no data",
-            },
-            stage: "set-secret",
-        };
-    }
-    if (!params.redeploy) {
-        return { kind: "ok", result: { secret } };
-    }
-    const fnResult = await api.getFunction({ id: params.id });
-    if (fnResult.error) {
-        return {
-            kind: "error",
-            payload: extractErrorPayload(fnResult.error),
-            stage: "get-function",
-        };
-    }
-    const fn = fnResult.data?.data;
-    if (!fn) {
-        return {
-            kind: "error",
-            payload: {
-                code: "client_error",
-                message: "Could not read current function code for redeploy",
-            },
-            stage: "get-function",
-        };
-    }
-    const updateResult = await api.updateFunction({
-        code: fn.code,
-        id: params.id,
-    });
-    if (updateResult.error) {
-        return {
-            kind: "error",
-            payload: extractErrorPayload(updateResult.error),
-            stage: "redeploy",
-        };
-    }
-    const redeployed = updateResult.data?.data;
-    if (!redeployed) {
-        return {
-            kind: "error",
-            payload: {
-                code: "client_error",
-                message: "Redeploy returned no data",
-            },
-            stage: "redeploy",
-        };
-    }
-    return { kind: "ok", result: { redeploy: redeployed, secret } };
-}
-class FunctionsSetSecretCommand extends Command {
-    static description = `Write a function secret and optionally redeploy so the new value lands in the running handler. Agent-grade shortcut for functions:set-function-secret + functions:redeploy.
-
-  Without --redeploy this is a plain secret upsert: the value is
-  encrypted at rest but is NOT visible to the running handler until
-  the next deploy. Pass --redeploy to re-run the deploy with the
-  function's current code in the same call, which refreshes the
-  binding set with the value you just wrote.
-
-  Keys must match \`^[A-Z_][A-Z0-9_]*$\` (uppercase letters, digits,
-  underscores; first character is a letter or underscore). System-
-  managed keys are reserved and rejected.`;
-    static summary = "Write a function secret (optionally redeploying to push it live)";
-    static examples = [
-        "<%= config.bin %> functions:set-secret --id <fn-id> --key API_TOKEN --value abc123",
-        "<%= config.bin %> functions:set-secret --id <fn-id> --key API_TOKEN --value abc123 --redeploy",
-    ];
-    static flags = {
-        "api-key": Flags.string({
-            description: "Primitive API key (defaults to PRIMITIVE_API_KEY or saved `primitive login` credentials)",
-            env: "PRIMITIVE_API_KEY",
-        }),
-        "api-base-url-1": Flags.string({
-            description: "Override the primary API base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_1",
-            hidden: true,
-        }),
-        "api-base-url-2": Flags.string({
-            description: "Override the attachments-supporting send host base URL. Internal testing only; not documented to customers.",
-            env: "PRIMITIVE_API_BASE_URL_2",
-            hidden: true,
-        }),
-        id: Flags.string({
-            description: "Function id (UUID). The function must already exist.",
-            required: true,
-        }),
-        key: Flags.string({
-            description: "Secret key. Uppercase letters, digits, underscores; must start with a letter or underscore. System-managed keys are reserved.",
-            required: true,
-        }),
-        value: Flags.string({
-            description: "Secret value (up to 4096 UTF-8 bytes). Encrypted at rest.",
-            required: true,
-        }),
-        redeploy: Flags.boolean({
-            description: "Also redeploy the function with its current code so the new value lands in the running handler. Without this, the secret is written but not visible to the handler until the next deploy. Note: source maps are stored only on the runtime side and getFunction does not return them, so this redeploy drops any previously-uploaded source map. If preserving stack-trace symbolication matters, use `functions:redeploy --file <bundle.js> --source-map-file <bundle.js.map>` instead.",
-        }),
-        time: Flags.boolean({
-            description: TIME_FLAG_DESCRIPTION,
-        }),
-    };
-    async run() {
-        const { flags } = await this.parse(FunctionsSetSecretCommand);
-        await runWithTiming(flags.time, async () => {
-            const baseUrlOverridden = flags["api-base-url-1"] !== undefined ||
-                flags["api-base-url-2"] !== undefined;
-            const auth = resolveCliAuth({
-                apiKey: flags["api-key"],
-                apiBaseUrl1: flags["api-base-url-1"],
-                apiBaseUrl2: flags["api-base-url-2"],
-                configDir: this.config.configDir,
-            });
-            const apiClient = new PrimitiveApiClient({
-                apiKey: auth.apiKey,
-                apiBaseUrl1: auth.apiBaseUrl1,
-                apiBaseUrl2: auth.apiBaseUrl2,
-            });
-            const authFailureContext = {
-                auth,
-                baseUrlOverridden,
-                configDir: this.config.configDir,
-            };
-            // Adapter: thin wrappers around the generated SDK calls,
-            // routed through host 1 (apiClient.client). The secrets and
-            // function-detail endpoints are not on host 2.
-            const apiSurface = {
-                getFunction: (p) => getFunction({
-                    client: apiClient.client,
-                    path: { id: p.id },
-                    responseStyle: "fields",
-                }),
-                setSecret: (p) => setFunctionSecret({
-                    body: { value: p.value },
-                    client: apiClient.client,
-                    path: { id: p.id, key: p.key },
-                    responseStyle: "fields",
-                }),
-                updateFunction: (p) => updateFunction({
-                    body: { code: p.code },
-                    client: apiClient.client,
-                    path: { id: p.id },
-                    responseStyle: "fields",
-                }),
-            };
-            const outcome = await runSetSecret(apiSurface, {
-                id: flags.id,
-                key: flags.key,
-                redeploy: flags.redeploy === true,
-                value: flags.value,
-            });
-            if (outcome.kind === "error") {
-                // Stage-specific framing on stderr so callers can tell
-                // whether the secret landed before a failed redeploy. The
-                // JSON envelope still goes through writeErrorWithHints so
-                // any actionable hint (e.g. unauthorized) is surfaced.
-                if (outcome.stage === "get-function") {
-                    process.stderr.write("Secret was written, but reading current function code for redeploy failed; the secret is NOT yet live. Re-run with --redeploy, or call `primitive functions:redeploy --id <id> --file <bundle>` once you have the bundle.\n");
-                }
-                else if (outcome.stage === "redeploy") {
-                    process.stderr.write("Secret was written, but the redeploy step failed; the secret is NOT yet live. Inspect the function's deploy_error and re-run `primitive functions:redeploy --id <id> --file <bundle>` once the cause is fixed.\n");
-                }
-                writeErrorWithHints(outcome.payload);
-                removeStaleSavedCredentialOnUnauthorized({
-                    ...authFailureContext,
-                    payload: outcome.payload,
-                });
-                process.exitCode = 1;
-                return;
-            }
-            this.log(JSON.stringify(outcome.result, null, 2));
-        });
-    }
-}
-export default FunctionsSetSecretCommand;