npm - @tinycloud/cli - Versions diffs - 0.6.0-beta.9 → 0.6.1-beta.0 - Mend

@tinycloud/cli 0.6.0-beta.9 → 0.6.1-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -680,6 +680,11 @@ function buildAuthUrl(did, options = {}) {
   const base = options.openkeyHost ?? DEFAULT_OPENKEY_HOST;
   return `${base}/delegate?${params.toString()}`;
 }
+function shouldOpenBrowser(options) {
+  if (options.noPopup) return false;
+  const env = process.env.TC_AUTH_NO_POPUP ?? process.env.TC_NO_POPUP;
+  return env !== "1" && env !== "true";
+}
 async function callbackFlow(did, options = {}) {
   return new Promise((resolve3, reject) => {
     let timeout;
@@ -750,16 +755,21 @@ async function callbackFlow(did, options = {}) {
       const port = addr.port;
       const callbackUrl = `http://127.0.0.1:${port}/callback`;
       const authUrl = buildAuthUrl(did, { ...options, callback: callbackUrl });
-      if (isInteractive()) {
+      const openBrowser = shouldOpenBrowser(options);
+      if (openBrowser && isInteractive()) {
         console.error(`Opening browser for authentication...`);
         console.error(`If the browser doesn't open, visit: ${authUrl}`);
+      } else if (!openBrowser || isInteractive()) {
+        console.error(`Open this URL in a browser to authenticate: ${authUrl}`);
       }
-      try {
-        const open = (await import("open")).default;
-        await open(authUrl);
-      } catch {
-        server.close();
-        throw new Error("Failed to open browser");
+      if (openBrowser) {
+        try {
+          const open = (await import("open")).default;
+          await open(authUrl);
+        } catch {
+          server.close();
+          throw new Error("Failed to open browser");
+        }
       }
       if (isInteractive()) {
         console.error(`
@@ -816,7 +826,7 @@ Open this URL in a browser to authenticate:
 // src/commands/init.ts
 function registerInitCommand(program2) {
-  program2.command("init").description("Initialize a new TinyCloud profile").option("--name <profile>", "Profile name", "default").option("--key-only", "Only generate key, skip authentication").option("--host <url>", "TinyCloud node URL").option("--paste", "Use manual paste mode for authentication").action(async (options, cmd) => {
+  program2.command("init").description("Initialize a new TinyCloud profile").option("--name <profile>", "Profile name", "default").option("--key-only", "Only generate key, skip authentication").option("--host <url>", "TinyCloud node URL").option("--paste", "Use manual paste mode for authentication").option("--no-popup", "Print the OpenKey URL without opening a browser").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const profileName = options.name;
@@ -857,6 +867,7 @@ function registerInitCommand(program2) {
       }
       const delegationData = await startAuthFlow(did, {
         paste: options.paste,
+        noPopup: options.popup === false,
         jwk,
         host
       });
@@ -1366,7 +1377,7 @@ async function promptAuthMethod() {
 }
 function registerAuthCommand(program2) {
   const auth = program2.command("auth").description("Authentication management");
-  auth.command("login").description("Authenticate with TinyCloud").option("--paste", "Use manual paste mode instead of browser callback").option("--method <method>", "Authentication method: local or openkey").action(async (options, cmd) => {
+  auth.command("login").description("Authenticate with TinyCloud").option("--paste", "Use manual paste mode instead of browser callback").option("--no-popup", "Print the OpenKey URL without opening a browser").option("--method <method>", "Authentication method: local or openkey").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
@@ -1386,7 +1397,10 @@ function registerAuthCommand(program2) {
       if (method === "local") {
         await handleLocalAuth(ctx.profile, ctx.host);
       } else {
-        await handleOpenKeyAuth(ctx.profile, ctx.host, options.paste);
+        await handleOpenKeyAuth(ctx.profile, ctx.host, {
+          paste: options.paste,
+          noPopup: options.popup === false
+        });
       }
     } catch (error) {
       handleError(error);
@@ -1402,11 +1416,14 @@ function registerAuthCommand(program2) {
       handleError(error);
     }
   });
-  auth.command("rotate").description("Rotate the active profile session key").option("--paste", "Use manual paste mode instead of browser callback").action(async (options, cmd) => {
+  auth.command("rotate").description("Rotate the active profile session key").option("--paste", "Use manual paste mode instead of browser callback").option("--no-popup", "Print the OpenKey URL without opening a browser").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
-      await rotateAuthKey(ctx.profile, ctx.host, { paste: options.paste });
+      await rotateAuthKey(ctx.profile, ctx.host, {
+        paste: options.paste,
+        noPopup: options.popup === false
+      });
     } catch (error) {
       handleError(error);
     }
@@ -1468,7 +1485,7 @@ function registerAuthCommand(program2) {
   ).option("--permission <file>", 'JSON permission request: { "permissions": PermissionEntry[] }').option("--manifest <fileOrBase64>", "Manifest file, base64:<json>, or raw base64 JSON").option(
     "--expiry <duration>",
     `Lifetime of the granted delegation. ms-format string (e.g. "7d", "30m") or raw milliseconds. Defaults to 7d, capped by the active session's expiry.`
-  ).option("--emit [file]", "Emit the request artifact to stdout, or write it to file when provided").option("--grant", "Grant the requested permissions immediately with this owner profile").option("--yes", "Skip local-key TTY confirmation", false).action(async (options, cmd) => {
+  ).option("--emit [file]", "Emit the request artifact to stdout, or write it to file when provided").option("--grant", "Grant the requested permissions immediately with this owner profile").option("--yes", "Skip local-key TTY confirmation", false).option("--no-popup", "Print the OpenKey URL without opening a browser when granting with OpenKey").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
@@ -1513,7 +1530,8 @@ function registerAuthCommand(program2) {
             host: ctx.host,
             permissions: group,
             openkeyHost,
-            expiry: expiryOption
+            expiry: expiryOption,
+            noPopup: options.popup === false
           });
           const delegation = portableFromOpenKeyDelegation(delegationData, group, ctx.host);
           const stored = storedAdditionalDelegation(delegation, group);
@@ -1929,7 +1947,7 @@ function normalizePortableDelegation(delegation) {
   return { ...delegation, expiry };
 }
 async function ensureDelegationAuthority(params) {
-  if (params.node.hasRuntimePermissions(params.requested)) return;
+  if (!params.force && params.node.hasRuntimePermissions(params.requested)) return;
   if (params.profile.authMethod === "openkey") {
     const key = await ProfileManager.getKey(params.ctx.profile);
     if (!key) {
@@ -2095,13 +2113,20 @@ function groupPermissionsBySpace(permissions) {
 function isRawPermission(permission) {
   return permission.service === "tinycloud.encryption" && permission.path.startsWith("urn:tinycloud:encryption:");
 }
+function returnedSpaceMatchesExpected(returnedSpace, expectedSpace) {
+  if (returnedSpace === expectedSpace) return true;
+  if (!returnedSpace.startsWith("tinycloud:")) return false;
+  const returnedName = returnedSpace.slice(returnedSpace.lastIndexOf(":") + 1);
+  return returnedName === expectedSpace;
+}
 function portableFromOpenKeyDelegation(data, permissions, host) {
   const primary = permissions.find((permission) => !isRawPermission(permission)) ?? permissions[0];
   const returnedSpace = String(data.spaceId ?? primary.space ?? "encryption");
   const expectedSpaces = new Set(
     permissions.filter((permission) => !isRawPermission(permission)).map((permission) => permission.space)
   );
-  if (expectedSpaces.size > 0 && (expectedSpaces.size !== 1 || !expectedSpaces.has(returnedSpace))) {
+  const matchesExpectedSpace = expectedSpaces.size === 1 && returnedSpaceMatchesExpected(returnedSpace, Array.from(expectedSpaces)[0]);
+  if (expectedSpaces.size > 0 && !matchesExpectedSpace) {
     throw new CLIError(
       "OPENKEY_SCOPE_MISMATCH",
       `OpenKey returned delegation for ${returnedSpace}, expected ${Array.from(expectedSpaces).join(", ")}.`,
@@ -2117,7 +2142,7 @@ function portableFromOpenKeyDelegation(data, permissions, host) {
     actions: primary.actions,
     resources: permissions.map((permission) => ({
       service: permission.service.startsWith("tinycloud.") ? permission.service.slice("tinycloud.".length) : permission.service,
-      space: permission.space,
+      space: isRawPermission(permission) ? permission.space : returnedSpace,
       path: permission.path,
       actions: [...permission.actions]
     })),
@@ -2178,7 +2203,8 @@ async function rotateAuthKey(profileName, host, options = {}) {
     authMethod: "openkey"
   });
   const result = await refreshOpenKeySession(profileName, host, {
-    paste: options.paste
+    paste: options.paste,
+    noPopup: options.noPopup
   });
   outputRotationResult(result.profile, profileName, oldDid, "openkey");
 }
@@ -2278,8 +2304,8 @@ async function handleLocalAuth(profileName, host, options = {}) {
   }
   return { profile: updatedProfile, sessionResult };
 }
-async function handleOpenKeyAuth(profileName, host, paste) {
-  const { profile, delegationData } = await refreshOpenKeySession(profileName, host, { paste });
+async function handleOpenKeyAuth(profileName, host, options = {}) {
+  const { profile, delegationData } = await refreshOpenKeySession(profileName, host, options);
   outputJson({
     authenticated: true,
     profile: profileName,
@@ -2300,6 +2326,7 @@ async function refreshOpenKeySession(profileName, host, options = {}) {
   const profile = await ProfileManager.getProfile(profileName);
   const delegationData = await startAuthFlow(profile.did, {
     paste: options.paste,
+    noPopup: options.noPopup,
     jwk: key,
     host,
     openkeyHost: resolveOpenKeyHost(profile)
@@ -2330,14 +2357,19 @@ async function readStdin2() {
   }
   return Buffer.concat(chunks);
 }
+async function kvHandle(node, spaceInput, profileName) {
+  const spaceUri = await resolveSpaceUri(spaceInput, profileName);
+  return spaceUri ? node.kvForSpace(spaceUri) : node.kv;
+}
 function registerKvCommand(program2) {
   const kv = program2.command("kv").description("Key-value store operations");
-  kv.command("get <key>").description("Get a value by key").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").action(async (key, options, cmd) => {
+  kv.command("get <key>").description("Get a value by key").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").option("--space <name|uri>", "Target a non-primary space (short name or full URI)").action(async (key, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
-      const result = await withSpinner(`Getting ${key}...`, () => node.kv.get(key));
+      const kv2 = await kvHandle(node, options.space, ctx.profile);
+      const result = await withSpinner(`Getting ${key}...`, () => kv2.get(key));
       if (!result.ok) {
         if (result.error.code === "KV_NOT_FOUND" || result.error.code === "NOT_FOUND") {
           throw new CLIError("NOT_FOUND", `Key "${key}" not found`, ExitCode.NOT_FOUND);
@@ -2418,13 +2450,14 @@ function registerKvCommand(program2) {
       handleError(error);
     }
   });
-  kv.command("list").description("List keys").option("--prefix <prefix>", "Filter by key prefix").action(async (options, cmd) => {
+  kv.command("list").description("List keys").option("--prefix <prefix>", "Filter by key prefix").option("--space <name|uri>", "Target a non-primary space (short name or full URI)").action(async (options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
+      const kv2 = await kvHandle(node, options.space, ctx.profile);
       const listOptions = options.prefix ? { prefix: options.prefix } : void 0;
-      const result = await withSpinner("Listing keys...", () => node.kv.list(listOptions));
+      const result = await withSpinner("Listing keys...", () => kv2.list(listOptions));
       if (!result.ok) {
         throw new CLIError(result.error.code, result.error.message, ExitCode.ERROR);
       }
@@ -2452,12 +2485,13 @@ function registerKvCommand(program2) {
       handleError(error);
     }
   });
-  kv.command("head <key>").description("Get metadata for a key (no body)").action(async (key, _options, cmd) => {
+  kv.command("head <key>").description("Get metadata for a key (no body)").option("--space <name|uri>", "Target a non-primary space (short name or full URI)").action(async (key, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
       const node = await ensureAuthenticated(ctx);
-      const result = await withSpinner(`Checking ${key}...`, () => node.kv.head(key));
+      const kv2 = await kvHandle(node, options.space, ctx.profile);
+      const result = await withSpinner(`Checking ${key}...`, () => kv2.head(key));
       if (!result.ok) {
         if (result.error.code === "KV_NOT_FOUND" || result.error.code === "NOT_FOUND") {
           outputJson({ key, exists: false, metadata: {} });
@@ -3372,7 +3406,7 @@ async function ensureSecretsNode(ctx, options) {
   return ensureAuthenticated(ctx, auth);
 }
 async function runSecretOperation(params) {
-  const first = await withSpinner(params.label, params.operation);
+  const first = await runSecretOperationAttempt(params.label, params.operation);
   if (first.ok || !shouldRequestSecretPermissions(first.error)) {
     return first;
   }
@@ -3394,10 +3428,20 @@ async function runSecretOperation(params) {
       node: params.node,
       requested,
       expiryOption: void 0,
-      yes: true
+      yes: true,
+      force: true
     })
   );
-  return withSpinner(params.label, params.operation);
+  return runSecretOperationAttempt(params.label, params.operation);
+}
+async function runSecretOperationAttempt(label, operation) {
+  try {
+    return await withSpinner(label, operation);
+  } catch (error) {
+    const permissionError = thrownPermissionError(error);
+    if (permissionError) return permissionError;
+    throw error;
+  }
 }
 function canRequestOwnerPermissions(profile) {
   const posture = resolveProfilePosture(profile);
@@ -3407,6 +3451,21 @@ function shouldRequestSecretPermissions(error) {
   if (error.code !== "PERMISSION_DENIED") return false;
   return /permission|session expired|autosign|capabilit/i.test(error.message);
 }
+function thrownPermissionError(error) {
+  const record = error;
+  const message = typeof record?.message === "string" ? record.message : String(error);
+  const code = typeof record?.code === "string" ? record.code : "PERMISSION_DENIED";
+  if (code !== "PERMISSION_DENIED" && !/permission|session expired|autosign|capabilit/i.test(message)) {
+    return null;
+  }
+  return {
+    ok: false,
+    error: {
+      code: "PERMISSION_DENIED",
+      message
+    }
+  };
+}
 function isStoredSessionExpired(session) {
   const record = session;
   const direct = parseDate(record.expiresAt ?? record.expiry ?? record.expirationTime);
@@ -3515,7 +3574,7 @@ function registerSecretsCommand(program2) {
       handleError(error);
     }
   });
-  secrets.command("get <name>").description("Get a secret value").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--raw", "Output raw value (no JSON wrapping)").option("-o, --output <file>", "Write value to file").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
+  secrets.command("get <name>").description("Get a secret value").option("--scope <scope>", "Logical secret scope").option("--space <scope>", "Deprecated alias for --scope").option("--raw", "Output raw value (no JSON wrapping)").option("--value-only", "Output only the secret value (alias for --raw)").option("-o, --output <file>", "Write value to file").option("--private-key <hex>", "Ethereum private key (or set TC_PRIVATE_KEY)").action(async (name, options, cmd) => {
     try {
       const globalOpts = cmd.optsWithGlobals();
       const ctx = await ProfileManager.resolveContext(globalOpts);
@@ -3542,7 +3601,7 @@ function registerSecretsCommand(program2) {
         outputJson({ name, written: options.output });
         return;
       }
-      if (options.raw) {
+      if (options.raw || options.valueOnly) {
         process.stdout.write(value);
         return;
       }