@rockcarver/frodo-cli 4.0.0-11 → 4.0.0-12

package/CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.0.0-11] - 2026-02-24
+
 ## [4.0.0-10] - 2026-02-23
 
 ## [4.0.0-9] - 2026-02-23
@@ -2183,7 +2185,8 @@ Frodo CLI 2.x automatically refreshes session and access tokens before they expi
 - Fixed problem with adding connection profiles
 - Miscellaneous bug fixes
 
-[unreleased]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-10...HEAD
+[unreleased]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-11...HEAD
+[4.0.0-11]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-10...v4.0.0-11
 [4.0.0-10]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-9...v4.0.0-10
 [4.0.0-9]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-8...v4.0.0-9
 [4.0.0-8]: https://github.com/rockcarver/frodo-cli/compare/v4.0.0-7...v4.0.0-8

package/dist/app.cjs

@@ -28757,6 +28757,12 @@ var require_Client = __commonJS2({
       async _downloadFromWorkingDir(localDirPath) {
         await ensureLocalDirectory(localDirPath);
         for (const file of await this.list()) {
+          const hasInvalidName = !file.name || (0, path_1.basename)(file.name) !== file.name;
+          if (hasInvalidName) {
+            const safeName = JSON.stringify(file.name);
+            this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`);
+            continue;
+          }
           const localPath = (0, path_1.join)(localDirPath, file.name);
           if (file.isDirectory) {
             await this.cd(file.name);
@@ -141687,54 +141693,70 @@ var AVAILABLE_SCOPES = {
   AMIntrospectAllTokensAnyRealm: "am-introspect-all-tokens-any-realm",
   OpenIdScope: "openid",
   ProfileScope: "profile",
-  // All Access Management APIs
   AmFullScope: "fr:am:*",
-  // All Auto Access APIs
+  //                                                All Access Management APIs
   AutoAccessFullScope: "fr:autoaccess:*",
-  // All Analytics APIs
+  //                                All Auto Access APIs
   AnalyticsFullScope: "fr:idc:analytics:*",
-  // All TLS certificate APIs
+  //                              All Analytics APIs
   CertificateFullScope: "fr:idc:certificate:*",
-  // Read TLS certificates
+  //                          All TLS certificate APIs
   CertificateReadScope: "fr:idc:certificate:read",
-  // All content security policy APIs
+  //                       Read TLS certificates
   ContentSecurityPolicyFullScope: "fr:idc:content-security-policy:*",
-  // All cookie domain APIs
+  //    All content security policy APIs
+  ContentSecurityPolicyReadScope: "fr:idc:content-security-policy:read",
+  // Read content security policy
   CookieDomainsFullScope: "fr:idc:cookie-domain:*",
-  // All custom domain APIs
+  //                      All cookie domain APIs
+  CookieDomainsReadScope: "fr:idc:cookie-domain:read",
+  //                   Read cookie domain APIs
   CustomDomainFullScope: "fr:idc:custom-domain:*",
-  // All dataset deletion APIs
+  //                       All custom domain APIs
+  CustomDomainReadScope: "fr:idc:custom-domain:read",
+  //                    Read custom domain configuration
   DatasetDeletionFullScope: "fr:idc:dataset:*",
-  // All ESV APIs
+  //                          All dataset deletion APIs
+  DatasetDeletionReadScope: "fr:idc:dataset:read",
+  //                       Read dataset deletion configuration
   ESVFullScope: "fr:idc:esv:*",
-  // Read ESVs, excluding values of secrets
+  //                                          All ESV APIs
   ESVReadScope: "fr:idc:esv:read",
-  // Create, modify, and delete ESVs
+  //                                       Read ESVs, excluding values of secrets
   ESVUpdateScope: "fr:idc:esv:update",
-  // Restart workloads that consume ESVs
+  //                                   Create, modify, and delete ESVs
   ESVRestartScope: "fr:idc:esv:restart",
-  // Create, modify, and delete Admin Federation configuration
+  //                                 Restart workloads that consume ESVs
   AdminFederationFullScope: "fr:idc:federation:*",
-  // Read Admin Federation configuration
+  //                       Create, modify, and delete Admin Federation configuration
   AdminFederationReadScope: "fr:idc:federation:read",
-  // All mTLS APIs
+  //                    Read Admin Federation configuration
   MTLSFullScope: "fr:idc:mtls:*",
-  // All configuration promotion APIs
+  //                                        All mTLS APIs
   PromotionScope: "fr:idc:promotion:*",
-  // All Proxy Connect APIs
+  //                                  All configuration promotion APIs
+  PromotionReadScope: "fr:idc:promotion:read",
+  //                           Read configuration promotion configuration
   ProxyConnectFullScope: "fr:idc:proxy-connect:*",
-  // Read Proxy Connect configuration
+  //                       All Proxy Connect APIs
   ProxyConnectReadScope: "fr:idc:proxy-connect:read",
-  // Create and update Proxy Connect configuration
+  //                    Read Proxy Connect configuration
   ProxyConnectWriteScope: "fr:idc:proxy-connect:write",
-  // All product release APIs
+  //                  Create and update Proxy Connect configuration
   ReleaseFullScope: "fr:idc:release:*",
-  // All SSO cookie APIs
+  //                                  All product release APIs
+  ReleaseReadScope: "fr:idc:release:read",
+  //                               Read product release information
   SSOCookieFullScope: "fr:idc:sso-cookie:*",
-  // All Identity Management APIs
+  //                             All SSO cookie APIs
+  SSOCookieReadScope: "fr:idc:sso-cookie:read",
+  //                          Read SSO cookie configuration
+  WSFedAdminScope: "fr:idc:ws:admin",
+  //                                    All PingFederate APIs
   IdmFullScope: "fr:idm:*",
-  // All Governance APIs
+  //                                              All Identity Management APIs
   IGAFullScope: "fr:iga:*"
+  //                                              All Governance APIs
 };
 var RETRY_EVERYTHING_KEY = "everything";
 var RETRY_NETWORK_KEY = "network";
@@ -142000,7 +142022,7 @@ function stringify(obj) {
 }
 var package_default = {
   name: "@rockcarver/frodo-lib",
-  version: "4.0.0-11",
+  version: "4.0.0-12",
   type: "commonjs",
   main: "./dist/index.js",
   module: "./dist/index.mjs",
@@ -142256,6 +142278,12 @@ var State_default = (initialState) => {
     getAuthenticationService() {
       return state2.authenticationService || process.env.FRODO_AUTHENTICATION_SERVICE;
     },
+    setConfigurationHeaderOverrides(overrides) {
+      state2.configurationHeaderOverrides = overrides;
+    },
+    getConfigurationHeaderOverrides() {
+      return state2.configurationHeaderOverrides;
+    },
     setServiceAccountId(uuid) {
       state2.serviceAccountId = uuid;
     },
@@ -142501,6 +142529,7 @@ var logger = import_winston.default.createLogger({
 });
 var globalState = {
   authenticationHeaderOverrides: {},
+  configurationHeaderOverrides: {},
   printHandler: (message) => {
     if (!message) return;
     if (typeof message === "object") {
@@ -160550,6 +160579,57 @@ function generateAmApi({
   resource,
   requestOverride = {},
   state: state2
+}) {
+  const headers2 = {
+    "User-Agent": userAgent,
+    "X-ForgeRock-TransactionId": transactionId,
+    "Content-Type": "application/json",
+    // only add API version if we have it
+    ...resource.apiVersion && { "Accept-API-Version": resource.apiVersion },
+    // only send session cookie if we know its name and value and we are not instructed to use the bearer token for AM APIs
+    ...!state2.getUseBearerTokenForAmApis() && state2.getCookieName() && state2.getCookieValue() && {
+      Cookie: `${state2.getCookieName()}=${state2.getCookieValue()}`
+    },
+    // only add authorization header if we have a bearer token and are instructed to use it for AM APIs
+    ...state2.getUseBearerTokenForAmApis() && state2.getBearerToken() && {
+      Authorization: `Bearer ${state2.getBearerToken()}`
+    }
+  };
+  const requestConfig = mergeDeep(
+    {
+      // baseURL: `${storage.session.getTenant()}/json`,
+      timeout: timeout3,
+      headers: {
+        ...headers2,
+        ...state2.getAuthenticationHeaderOverrides(),
+        ...state2.getConfigurationHeaderOverrides()
+      },
+      ...process.env.FRODO_MOCK !== "record" && process.env.FRODO_POLLY_MODE !== "record" && {
+        httpAgent: getHttpAgent(),
+        httpsAgent: getHttpsAgent(state2.getAllowInsecureConnection())
+      },
+      proxy: getProxy()
+    },
+    requestOverride
+  );
+  debugMessage({
+    message: `Generating AM API client for resource with request headers ${JSON.stringify(
+      requestConfig.headers,
+      null,
+      2
+    )}`,
+    state: state2
+  });
+  const request = createAxiosInstance(state2, requestConfig);
+  if (state2.getCurlirize()) {
+    curlirize(request, state2);
+  }
+  return request;
+}
+function generateAmAuthApi({
+  resource,
+  requestOverride = {},
+  state: state2
 }) {
   const headers2 = {
     "User-Agent": userAgent,
@@ -160659,6 +160739,7 @@ function generateIdmApi({
         "X-ForgeRock-TransactionId": transactionId,
         "Content-Type": "application/json",
         ...state2.getAuthenticationHeaderOverrides(),
+        ...state2.getConfigurationHeaderOverrides(),
         // only add authorization header if we have a bearer token
         ...state2.getBearerToken() && {
           Authorization: `Bearer ${state2.getBearerToken()}`
@@ -160831,6 +160912,7 @@ function generateGovernanceApi({
     "User-Agent": userAgent,
     "Content-Type": "application/json",
     ...state2.getAuthenticationHeaderOverrides(),
+    ...state2.getConfigurationHeaderOverrides(),
     // only add API version if we have it
     ...resource.apiVersion && { "Accept-API-Version": resource.apiVersion },
     // only add authorization header if we have a bearer token
@@ -161744,7 +161826,7 @@ async function step({
     state2.getHost(),
     getRealmPath(realm2)
   );
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getApiConfig2(),
     state: state2
   }).post(urlString, body2, config4);
@@ -174607,7 +174689,7 @@ var getServerVersionApiConfig = () => ({
 });
 async function getServerInfo({ state: state2 }) {
   const urlString = _util2.default.format(serverInfoUrlTemplate, state2.getHost(), "*");
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getServerInfoApiConfig(),
     requestOverride: {},
     state: state2
@@ -174620,7 +174702,7 @@ async function getServerVersionInfo({ state: state2 }) {
     state2.getHost(),
     "version"
   );
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getServerVersionApiConfig(),
     requestOverride: {},
     state: state2
@@ -174810,6 +174892,7 @@ var SERVICE_ACCOUNT_ALLOWED_SCOPES = [
   s2.CertificateReadScope,
   s2.ContentSecurityPolicyFullScope,
   s2.CustomDomainFullScope,
+  s2.DatasetDeletionFullScope,
   s2.ESVFullScope,
   s2.ESVReadScope,
   s2.ESVRestartScope,
@@ -174822,7 +174905,8 @@ var SERVICE_ACCOUNT_ALLOWED_SCOPES = [
   s2.ProxyConnectFullScope,
   s2.ProxyConnectReadScope,
   s2.ProxyConnectWriteScope,
-  s2.CookieDomainsFullScope
+  s2.CookieDomainsFullScope,
+  s2.WSFedAdminScope
 ];
 var SERVICE_ACCOUNT_DEFAULT_SCOPES = [
   s2.AmFullScope,
@@ -174832,13 +174916,15 @@ var SERVICE_ACCOUNT_DEFAULT_SCOPES = [
   s2.ContentSecurityPolicyFullScope,
   s2.CookieDomainsFullScope,
   s2.CustomDomainFullScope,
+  s2.DatasetDeletionFullScope,
   s2.ESVFullScope,
   s2.IdmFullScope,
   s2.IGAFullScope,
   s2.PromotionScope,
   s2.ReleaseFullScope,
   s2.SSOCookieFullScope,
-  s2.ProxyConnectFullScope
+  s2.ProxyConnectFullScope,
+  s2.WSFedAdminScope
 ];
 async function isServiceAccountsFeatureAvailable({
   state: state2
@@ -175227,6 +175313,7 @@ Specify a sub-string uniquely identifying a single connection profile host URL.`
       logApiSecret: profiles[0].encodedLogApiSecret ? await dataProtection.decrypt(profiles[0].encodedLogApiSecret) : null,
       authenticationService: profiles[0].authenticationService ? profiles[0].authenticationService : null,
       authenticationHeaderOverrides: profiles[0].authenticationHeaderOverrides ? profiles[0].authenticationHeaderOverrides : {},
+      configurationHeaderOverrides: profiles[0].configurationHeaderOverrides ? profiles[0].configurationHeaderOverrides : {},
       adminClientId: profiles[0].adminClientId ? profiles[0].adminClientId : null,
       adminClientRedirectUri: profiles[0].adminClientRedirectUri ? profiles[0].adminClientRedirectUri : null,
       svcacctName: profiles[0].svcacctName ? profiles[0].svcacctName : null,
@@ -175278,6 +175365,14 @@ async function loadConnectionProfileByHost({
       )
     );
   }
+  if (conn.configurationHeaderOverrides) {
+    state2.setConfigurationHeaderOverrides(
+      mergeDeep(
+        state2.getConfigurationHeaderOverrides(),
+        conn.configurationHeaderOverrides
+      )
+    );
+  }
   state2.setServiceAccountId(conn.svcacctId);
   state2.setServiceAccountJwk(conn.svcacctJwk);
   state2.setServiceAccountScope(conn.svcacctScope);
@@ -175424,6 +175519,19 @@ async function saveConnectionProfile({
         state: state2
       });
     }
+    if (state2.getConfigurationHeaderOverrides() && Object.entries(state2.getConfigurationHeaderOverrides()).length) {
+      profile.configurationHeaderOverrides = state2.getConfigurationHeaderOverrides();
+      printMessage({
+        message: "Advanced setting: Configuration Header Overrides: ",
+        type: "info",
+        state: state2
+      });
+      printMessage({
+        message: state2.getConfigurationHeaderOverrides(),
+        type: "info",
+        state: state2
+      });
+    }
     delete profile.tenant;
     profiles[state2.getHost()] = profile;
     const orderedProfiles = Object.keys(profiles).sort().reduce((obj, key) => {
@@ -175626,7 +175734,7 @@ async function getSessionInfo({
     state2.getHost(),
     getCurrentRealmPath(state2)
   );
-  const { data: data2 } = await generateAmApi({
+  const { data: data2 } = await generateAmAuthApi({
     resource: getApiConfig15(),
     state: state2
   }).post(
@@ -176313,7 +176421,8 @@ var CLOUD_ADMIN_DEFAULT_SCOPES = [
   s3.PromotionScope,
   s3.ReleaseFullScope,
   s3.SSOCookieFullScope,
-  s3.ProxyConnectFullScope
+  s3.ProxyConnectFullScope,
+  s3.WSFedAdminScope
 ];
 var FORGEOPS_ADMIN_DEFAULT_SCOPES = [s3.IdmFullScope, s3.OpenIdScope];
 var forgeopsAdminScopes = FORGEOPS_ADMIN_DEFAULT_SCOPES.join(" ");
@@ -212460,7 +212569,12 @@ function setup120() {
   ).addOption(
     new Option(
       "--authentication-header-overrides [headers]",
-      'Map of headers: {"host":"am.example.com:8081"}.'
+      'Map of headers: {"host":"am.example.com:8081"}. These headers are sent with all requests and can be used to override default behavior, for example to set a custom host header for Proxy Connect-protected PingOne Advanced Identity Cloud environments.'
+    )
+  ).addOption(
+    new Option(
+      "--configuration-header-overrides [headers]",
+      'Map of headers: {"X-Custom-Configuration":"critical"}. These headers are sent with all configuration requests and can be used to override default behavior, for example to set a custom configuration header for mutable PingOne Advanced Identity Cloud environments.'
     )
   ).addOption(
     new Option("--alias [name]", "Alias name for this connection profile.")
@@ -212483,6 +212597,10 @@ function setup120() {
 ` + `  $ frodo conn save --authentication-header-overrides '{"MY-SECRET-HEADER": "proxyconnect secret header value"}' ${amBaseUrl} ${username} '${password}'
 `["brightCyan"] + `  Update an existing connection profile with a custom header override for a freshly Proxy Connect-protected PingOne Advanced Identity Cloud environment:
 ` + `  $ frodo conn save --authentication-header-overrides '{"MY-SECRET-HEADER": "proxyconnect secret header value"}' ${connId}
+`["brightCyan"] + `  Save a connection profile for a mutable PingOne Advanced Identity Cloud environment:
+` + `  $ frodo conn save --configuration-header-overrides '{"X-Configuration-Type": "mutable"}' ${amBaseUrl} ${username} '${password}'
+`["brightCyan"] + `  Update an existing connection profile with a configuration header override for a freshly mutable PingOne Advanced Identity Cloud environment:
+` + `  $ frodo conn save --configuration-header-overrides '{"X-Configuration-Type": "mutable"}' ${connId}
 `["brightCyan"] + `  Update an existing connection profile to use Amster private key credentials with a custom Amster journey (PingAM classic deployments only):
 ` + `  $ frodo conn save --private-key ${amsterPrivateKey} --authentication-service ${customAmsterService} ${classicConnId}
 `["brightCyan"]
@@ -212506,6 +212624,11 @@ function setup120() {
           JSON.parse(options.authenticationHeaderOverrides)
         );
       }
+      if (options.configurationHeaderOverrides) {
+        state.setConfigurationHeaderOverrides(
+          JSON.parse(options.configurationHeaderOverrides)
+        );
+      }
       const needAmsterLogin = !!options.privateKey;
       const needSa = options.sa && !state.getServiceAccountId() && !state.getServiceAccountJwk();
       const needLogApiKey = options.logApi && !state.getLogApiKey() && !state.getLogApiSecret() && needSa;
@@ -226656,7 +226779,7 @@ var compareVersions = (v12, v2) => {
 // package.json
 var package_default2 = {
   name: "@rockcarver/frodo-cli",
-  version: "4.0.0-11",
+  version: "4.0.0-12",
   type: "module",
   description: "A command line interface to manage ForgeRock Identity Cloud tenants, ForgeOps deployments, and classic deployments.",
   keywords: [
@@ -226751,7 +226874,7 @@ var package_default2 = {
     ]
   },
   devDependencies: {
-    "@rockcarver/frodo-lib": "4.0.0-11",
+    "@rockcarver/frodo-lib": "4.0.0-12",
     "@types/colors": "^1.2.1",
     "@types/fs-extra": "^11.0.1",
     "@types/jest": "^29.2.3",