@verentis/cli 0.2.8 → 0.2.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -5
- package/dist/index.js +12 -16
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -28,15 +28,17 @@ Point `VERENTIS_UPDATE_REGISTRY` at a mirror if you install from a private regis
|
|
|
28
28
|
## Sign in
|
|
29
29
|
|
|
30
30
|
```bash
|
|
31
|
-
verentis login
|
|
31
|
+
verentis login
|
|
32
32
|
```
|
|
33
33
|
|
|
34
|
-
|
|
34
|
+
The CLI targets **production** (`https://api.verentis.io`) by default — third-party developers need no
|
|
35
|
+
extra configuration. With no credential flags this starts a **device sign-in**: open the printed URL in any
|
|
36
|
+
browser (works over SSH), confirm the code, done. Non-interactive alternatives:
|
|
35
37
|
|
|
36
38
|
```bash
|
|
37
|
-
verentis login --api-
|
|
38
|
-
verentis login --
|
|
39
|
-
#
|
|
39
|
+
verentis login --api-key vrt_xxx # CI / scripts (create one with `verentis apikey create`)
|
|
40
|
+
verentis login --token <identity token>
|
|
41
|
+
# VERENTIS_API_KEY / VERENTIS_TOKEN env vars also work
|
|
40
42
|
```
|
|
41
43
|
|
|
42
44
|
A device sign-in also stores a **refresh token**, so you stay signed in: when the 1-hour identity token
|
package/dist/index.js
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
|
-
import { Command } from 'commander';
|
|
2
|
+
import { Command, Option } from 'commander';
|
|
3
3
|
import { mkdir, stat, writeFile, readFile, readdir, realpath, mkdtemp, rm, glob } from 'fs/promises';
|
|
4
|
-
import { Agent } from 'https';
|
|
5
4
|
import { tmpdir, homedir } from 'os';
|
|
6
5
|
import { resolve, basename, dirname, posix, join, isAbsolute, extname, relative, sep } from 'path';
|
|
7
6
|
import { spawn, spawnSync } from 'child_process';
|
|
@@ -13,13 +12,16 @@ import { pipeline } from 'stream/promises';
|
|
|
13
12
|
import * as tar from 'tar';
|
|
14
13
|
import { fileURLToPath } from 'url';
|
|
15
14
|
|
|
16
|
-
var insecureAgent = new Agent({ rejectUnauthorized: false });
|
|
17
15
|
function insecureFetchOptions(insecure) {
|
|
18
|
-
|
|
16
|
+
if (insecure) {
|
|
17
|
+
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
|
|
18
|
+
}
|
|
19
|
+
return {};
|
|
19
20
|
}
|
|
20
21
|
var configDir = () => process.env.VERENTIS_CONFIG_DIR ?? join(homedir(), ".verentis");
|
|
21
22
|
var configPath = () => join(configDir(), "config.json");
|
|
22
23
|
var keysDir = () => join(configDir(), "keys");
|
|
24
|
+
var PRODUCTION_API_URL = "https://api.verentis.io";
|
|
23
25
|
async function loadConfig() {
|
|
24
26
|
try {
|
|
25
27
|
return JSON.parse(await readFile(configPath(), "utf8"));
|
|
@@ -32,10 +34,7 @@ async function saveConfig(config) {
|
|
|
32
34
|
await writeFile(configPath(), JSON.stringify(config, null, 2) + "\n", { mode: 384 });
|
|
33
35
|
}
|
|
34
36
|
function requireApiUrl(config) {
|
|
35
|
-
const url = process.env.VERENTIS_API_URL ?? config.apiUrl;
|
|
36
|
-
if (!url) {
|
|
37
|
-
throw new Error("No API URL configured. Run `verentis login --api-url <url>` first (or set VERENTIS_API_URL).");
|
|
38
|
-
}
|
|
37
|
+
const url = process.env.VERENTIS_API_URL ?? config.apiUrl ?? PRODUCTION_API_URL;
|
|
39
38
|
return url.replace(/\/+$/, "");
|
|
40
39
|
}
|
|
41
40
|
|
|
@@ -1992,22 +1991,20 @@ function registerKeygen(program2) {
|
|
|
1992
1991
|
console.log(`Revoked key ${kid}.`);
|
|
1993
1992
|
});
|
|
1994
1993
|
}
|
|
1995
|
-
|
|
1996
|
-
// src/commands/login.ts
|
|
1997
1994
|
function registerLogin(program2) {
|
|
1998
|
-
program2.command("login").description("Sign in to Verentis (browser device flow by default; --api-key/--token for non-interactive use)").
|
|
1995
|
+
program2.command("login").description("Sign in to Verentis (browser device flow by default; --api-key/--token for non-interactive use)").addOption(new Option("--api-url <url>", "Verentis API gateway URL (defaults to production)").hideHelp()).option("--api-key <key>", "Verentis API key (vrt_...)").option("--token <token>", "Verentis identity token (exchanged per request for scoped access tokens)").option("--sealing-key <key>", "the platform's base64 X25519 sealing PUBLIC key (used by `pack --encrypt`)").option("--insecure", "skip TLS certificate verification (for local dev with self-signed certs)").action(async (options) => {
|
|
1999
1996
|
const config = await loadConfig();
|
|
2000
1997
|
if (options.apiUrl) config.apiUrl = options.apiUrl;
|
|
2001
1998
|
if (options.sealingKey) config.sealingPublicKey = options.sealingKey;
|
|
2002
1999
|
if (options.insecure !== void 0) config.insecure = options.insecure;
|
|
2003
|
-
|
|
2000
|
+
const apiUrl = (options.apiUrl ?? process.env.VERENTIS_API_URL ?? config.apiUrl ?? PRODUCTION_API_URL).replace(/\/+$/, "");
|
|
2004
2001
|
if (options.apiKey) {
|
|
2005
2002
|
if (!options.apiKey.startsWith("vrt_")) throw new Error('API keys start with "vrt_".');
|
|
2006
2003
|
config.apiKey = options.apiKey;
|
|
2007
2004
|
delete config.identityToken;
|
|
2008
2005
|
delete config.refreshToken;
|
|
2009
2006
|
await saveConfig(config);
|
|
2010
|
-
console.log(`Configuration saved (API key @ ${
|
|
2007
|
+
console.log(`Configuration saved (API key @ ${apiUrl}).`);
|
|
2011
2008
|
return;
|
|
2012
2009
|
}
|
|
2013
2010
|
if (options.token) {
|
|
@@ -2015,10 +2012,9 @@ function registerLogin(program2) {
|
|
|
2015
2012
|
delete config.apiKey;
|
|
2016
2013
|
delete config.refreshToken;
|
|
2017
2014
|
await saveConfig(config);
|
|
2018
|
-
console.log(`Configuration saved (identity token @ ${
|
|
2015
|
+
console.log(`Configuration saved (identity token @ ${apiUrl}).`);
|
|
2019
2016
|
return;
|
|
2020
2017
|
}
|
|
2021
|
-
const apiUrl = config.apiUrl.replace(/\/+$/, "");
|
|
2022
2018
|
const insecure = config.insecure;
|
|
2023
2019
|
const authorization = await startDeviceAuthorization(apiUrl, insecure);
|
|
2024
2020
|
console.log("To sign in, open this URL in a browser:");
|
|
@@ -2035,7 +2031,7 @@ function registerLogin(program2) {
|
|
|
2035
2031
|
delete config.apiKey;
|
|
2036
2032
|
await saveConfig(config);
|
|
2037
2033
|
const claims = decodeJwtPayload(identity.idToken);
|
|
2038
|
-
console.log(`Signed in as ${claims?.name ?? claims?.email ?? claims?.sub ?? "unknown"} @ ${
|
|
2034
|
+
console.log(`Signed in as ${claims?.name ?? claims?.email ?? claims?.sub ?? "unknown"} @ ${apiUrl}.`);
|
|
2039
2035
|
if (!claims?.account_id) {
|
|
2040
2036
|
console.log("Note: no unambiguous account context \u2014 admin commands may need --account <id>.");
|
|
2041
2037
|
}
|