@tailor-platform/sdk 1.27.0 → 1.28.0

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @tailor-platform/sdk
 
+## 1.28.0
+
+### Minor Changes
+
+- [#776](https://github.com/tailor-platform/sdk/pull/776) [`a2734bf`](https://github.com/tailor-platform/sdk/commit/a2734bfbfb71c06be324d162f2301f2930e3bfa6) Thanks [@toiroakr](https://github.com/toiroakr)! - Add managed vault guard to CLI secret commands and document runtime secret access via defineSecretManager
+
 ## 1.27.0
 
 ### Minor Changes

package/dist/cli/index.mjs

@@ -3,7 +3,7 @@ import "../chunk-Cz-A8uMR.mjs";
 import "../schema-BePzTFBV.mjs";
 import "../brand-GZnI4eYb.mjs";
 import { n as logger, r as styles } from "../logger-CqezTedh.mjs";
-import { C as listCommand$10, E as resumeCommand, F as showCommand, Ft as isValidMigrationNumber, G as listCommand$7, Ht as prompt, I as logBetaWarning, It as loadDiff, Jt as commonArgs, Kt as apiCommand, Mt as getMigrationFilePath, N as generateCommand$1, Nt as getMigrationFiles, O as listCommand$9, Q as listCommand$6, Qt as workspaceArgs, R as removeCommand$1, T as healthCommand, Ut as trnPrefix, V as getCommand$2, Vt as getNamespacesWithMigrations, W as tokenCommand, X as triggerCommand, Xt as deploymentArgs, Y as webhookCommand, Yt as confirmationArgs, Zt as isVerbose, b as createCommand$3, c as listCommand$11, ct as executionsCommand, dt as functionExecutionStatusToString, f as restoreCommand, ft as formatKeyValueTable, g as getCommand$4, gt as executeScript, ht as apply, i as updateCommand$2, it as startCommand, j as truncateCommand, kt as formatMigrationNumber, m as listCommand$12, n as queryCommand, o as removeCommand, ot as getCommand$3, pt as getCommand$1, q as generate, qt as defineAppCommand, r as isCLIError, tt as jobsCommand, u as inviteCommand, v as deleteCommand$3, yt as parseMigrationLabelNumber, z as listCommand$8 } from "../query-CgGbAmUg.mjs";
+import { $t as workspaceArgs, C as listCommand$10, E as resumeCommand, F as showCommand, Ft as isValidMigrationNumber, G as listCommand$7, Ht as prompt, I as logBetaWarning, It as loadDiff, Jt as defineAppCommand, Mt as getMigrationFilePath, N as generateCommand$1, Nt as getMigrationFiles, O as listCommand$9, Q as listCommand$6, Qt as isVerbose, R as removeCommand$1, T as healthCommand, Ut as sdkNameLabelKey, V as getCommand$2, Vt as getNamespacesWithMigrations, W as tokenCommand, Wt as trnPrefix, X as triggerCommand, Xt as confirmationArgs, Y as webhookCommand, Yt as commonArgs, Zt as deploymentArgs, b as createCommand$3, c as listCommand$11, ct as executionsCommand, dt as functionExecutionStatusToString, f as restoreCommand, ft as formatKeyValueTable, g as getCommand$4, gt as executeScript, ht as apply, i as updateCommand$2, it as startCommand, j as truncateCommand, kt as formatMigrationNumber, m as listCommand$12, n as queryCommand, o as removeCommand, ot as getCommand$3, pt as getCommand$1, q as generate, qt as apiCommand, r as isCLIError, tt as jobsCommand, u as inviteCommand, v as deleteCommand$3, yt as parseMigrationLabelNumber, z as listCommand$8 } from "../query-WYq8RvYp.mjs";
 import { A as AuthInvokerSchema, L as PATScope, d as userAgent, i as fetchUserInfo, n as fetchAll, o as initOAuth2Client, s as initOperatorClient, w as FunctionExecution_Type } from "../client-bTbnbQbB.mjs";
 import { t as readPackageJson } from "../package-json-D3x2nBPB.mjs";
 import { S as writePlatformConfig, a as loadConfig, b as loadWorkspaceId, c as ExecutorSchema, g as getDistDir, i as resolveInlineSourcemap, o as WorkflowJobSchema, u as ResolverSchema, v as fetchLatestToken, x as readPlatformConfig, y as loadAccessToken } from "../application-CBJFUKrU.mjs";
@@ -1209,6 +1209,57 @@ const secretValueArgs = {
 	})
 };
 
+//#endregion
+//#region src/cli/commands/secret/check-vault-managed.ts
+/**
+* Check if a vault is managed by defineSecretManager() and warn the user.
+* Returns management status and metadata needed for releasing ownership.
+* @param params - Check parameters
+* @returns Management status, TRN, and existing labels
+*/
+async function checkVaultManaged(params) {
+	const { client, workspaceId, vaultName } = params;
+	const trn = `${trnPrefix(workspaceId)}:vault:${vaultName}`;
+	const notManaged = {
+		isManaged: false,
+		trn,
+		existingLabels: {}
+	};
+	let owner;
+	let allLabels = {};
+	try {
+		const { metadata } = await client.getMetadata({ trn });
+		allLabels = metadata?.labels ?? {};
+		owner = allLabels[sdkNameLabelKey];
+	} catch {
+		return notManaged;
+	}
+	if (!owner) return notManaged;
+	logger.warn(`Vault "${vaultName}" is managed by defineSecretManager() in tailor.config.ts (owner: "${owner}"). Changes made via CLI may conflict with the config on the next apply.`);
+	return {
+		isManaged: true,
+		trn,
+		existingLabels: allLabels
+	};
+}
+/**
+* Release ownership of a managed vault by removing SDK labels from metadata.
+* Call this after the user has confirmed they want to proceed with a CLI operation on a managed vault.
+* @param params - Client, TRN, and existing labels from checkVaultManaged result
+* @param params.client
+* @param params.trn
+* @param params.existingLabels
+*/
+async function releaseVaultOwnership(params) {
+	const { client, trn, existingLabels } = params;
+	const { [sdkNameLabelKey]: _, "sdk-version": __, ...remainingLabels } = existingLabels;
+	await client.setMetadata({
+		trn,
+		labels: remainingLabels
+	});
+	logger.info("Config ownership has been removed from this vault. Remove it from defineSecretManager() in your config to prevent the next apply from re-claiming it.");
+}
+
 //#endregion
 //#region src/cli/commands/secret/create.ts
 const createSecretCommand = defineAppCommand({
@@ -1216,7 +1267,8 @@ const createSecretCommand = defineAppCommand({
 	description: "Create a secret in a vault.",
 	args: z.object({
 		...workspaceArgs,
-		...secretValueArgs
+		...secretValueArgs,
+		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
 		const client = await initOperatorClient(await loadAccessToken({
@@ -1227,6 +1279,17 @@ const createSecretCommand = defineAppCommand({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
 		});
+		const managed = await checkVaultManaged({
+			client,
+			workspaceId,
+			vaultName: args["vault-name"]
+		});
+		if (managed.isManaged && !args.yes) {
+			if (!await prompt.confirm({
+				message: "Do you want to proceed?",
+				default: false
+			})) return;
+		}
 		try {
 			await client.createSecretManagerSecret({
 				workspaceId,
@@ -1241,6 +1304,10 @@ const createSecretCommand = defineAppCommand({
 			}
 			throw error;
 		}
+		if (managed.isManaged) await releaseVaultOwnership({
+			client,
+			...managed
+		});
 		logger.success(`Secret: ${args.name} created in vault: ${args["vault-name"]}`);
 	}
 });
@@ -1264,6 +1331,11 @@ const deleteSecretCommand = defineAppCommand({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
 		});
+		const managed = await checkVaultManaged({
+			client,
+			workspaceId,
+			vaultName: args["vault-name"]
+		});
 		if (!args.yes) {
 			if (await prompt.text({ message: `Enter the secret name to confirm deletion ("${args.name}"):` }) !== args.name) {
 				logger.info("Secret deletion cancelled.");
@@ -1280,6 +1352,10 @@ const deleteSecretCommand = defineAppCommand({
 			if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(`Secret "${args.name}" not found in vault "${args["vault-name"]}".`);
 			throw error;
 		}
+		if (managed.isManaged) await releaseVaultOwnership({
+			client,
+			...managed
+		});
 		logger.success(`Secret: ${args.name} deleted from vault: ${args["vault-name"]}`);
 	}
 });
@@ -1346,7 +1422,8 @@ const updateSecretCommand = defineAppCommand({
 	description: "Update a secret in a vault.",
 	args: z.object({
 		...workspaceArgs,
-		...secretValueArgs
+		...secretValueArgs,
+		...confirmationArgs
 	}).strict(),
 	run: async (args) => {
 		const client = await initOperatorClient(await loadAccessToken({
@@ -1357,6 +1434,17 @@ const updateSecretCommand = defineAppCommand({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
 		});
+		const managed = await checkVaultManaged({
+			client,
+			workspaceId,
+			vaultName: args["vault-name"]
+		});
+		if (managed.isManaged && !args.yes) {
+			if (!await prompt.confirm({
+				message: "Do you want to proceed?",
+				default: false
+			})) return;
+		}
 		try {
 			await client.updateSecretManagerSecret({
 				workspaceId,
@@ -1368,6 +1456,10 @@ const updateSecretCommand = defineAppCommand({
 			if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(`Secret "${args.name}" not found in vault "${args["vault-name"]}".`);
 			throw error;
 		}
+		if (managed.isManaged) await releaseVaultOwnership({
+			client,
+			...managed
+		});
 		logger.success(`Secret: ${args.name} updated in vault: ${args["vault-name"]}`);
 	}
 });
@@ -1429,6 +1521,11 @@ const deleteCommand$1 = defineAppCommand({
 			workspaceId: args["workspace-id"],
 			profile: args.profile
 		});
+		const managed = await checkVaultManaged({
+			client,
+			workspaceId,
+			vaultName: args.name
+		});
 		if (!args.yes) {
 			if (await prompt.text({ message: `Enter the vault name to confirm deletion ("${args.name}"):` }) !== args.name) {
 				logger.info("Vault deletion cancelled.");
@@ -1444,6 +1541,7 @@ const deleteCommand$1 = defineAppCommand({
 			if (error instanceof ConnectError && error.code === Code.NotFound) throw new Error(`Vault "${args.name}" not found.`);
 			throw error;
 		}
+		if (managed.isManaged) logger.info("Remove this vault from defineSecretManager() in your config to prevent the next apply from re-creating it.");
 		logger.success(`Vault: ${args.name} deleted`);
 	}
 });