@vibe-assurance/cli 1.7.0 → 1.7.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibe-assurance/cli",
-  "version": "1.7.0",
+  "version": "1.7.1",
   "description": "Vibe Assurance CLI - Connect AI coding agents to your governance platform via MCP",
   "main": "src/index.js",
   "bin": {

package/src/commands/env.js

@@ -1,14 +1,16 @@
 /**
  * Environment management commands
  * CR-2026-061: CLI Environment Switching with Production Default
+ *
+ * Security: dev/local environments are restricted to platform admins only.
+ * Regular users can only use production.
  */
 
 const chalk = require('chalk');
 const ora = require('ora');
-const { getEnvironment, setEnvironment } = require('../config/credentials');
+const { getEnvironment, setEnvironment, isAdmin, hasValidCredentials } = require('../config/credentials');
 const {
   ENVIRONMENTS,
-  DEFAULT_ENVIRONMENT,
   getEnvironmentConfig,
   isInternalOnly,
   getEnvironmentNames
@@ -23,6 +25,7 @@ async function showCurrentEnv() {
   try {
     const currentEnv = await getEnvironment();
     const config = getEnvironmentConfig(currentEnv);
+    const userIsAdmin = await isAdmin();
     spinner.stop();
 
     console.log('');
@@ -32,7 +35,7 @@ async function showCurrentEnv() {
     console.log(`  ${chalk.dim(config.url)}`);
 
     if (config.internal) {
-      console.log(`  ${chalk.yellow('⚠ Internal environment')}`);
+      console.log(`  ${chalk.yellow('⚠ Internal environment (admin only)')}`);
     }
 
     // Check if VIBE_API_URL override is active
@@ -52,25 +55,26 @@ async function showCurrentEnv() {
 
 /**
  * CR-2026-061: List all available environments
+ * Only shows internal environments to admins
  */
-async function listEnvironments(options = {}) {
+async function listEnvironments() {
   const currentEnv = await getEnvironment();
-  const showInternal = options.internal || false;
+  const userIsAdmin = await isAdmin();
 
   console.log('');
   console.log(chalk.cyan('Available Environments:'));
   console.log('');
 
   for (const [name, config] of Object.entries(ENVIRONMENTS)) {
-    // Skip internal environments unless --internal flag
-    if (config.internal && !showInternal) {
+    // Only show internal environments to admins
+    if (config.internal && !userIsAdmin) {
       continue;
     }
 
     const isCurrent = name === currentEnv;
     const prefix = isCurrent ? chalk.green('✓') : ' ';
     const envName = isCurrent ? chalk.green.bold(name) : chalk.bold(name);
-    const label = config.internal ? chalk.yellow(' (internal)') : '';
+    const label = config.internal ? chalk.yellow(' (admin only)') : '';
 
     console.log(`  ${prefix} ${envName}${label}`);
     console.log(`    ${chalk.dim(config.description)}`);
@@ -78,35 +82,44 @@ async function listEnvironments(options = {}) {
     console.log('');
   }
 
-  if (!showInternal) {
-    console.log(chalk.dim('  Use --internal to see internal environments'));
+  if (!userIsAdmin) {
+    console.log(chalk.dim('  Only production environment is available.'));
     console.log('');
   }
 }
 
 /**
  * CR-2026-061: Switch to a specific environment
+ * Internal environments require admin role
  * @param {string} envName - Environment name (prod, dev, local)
- * @param {Object} options - Command options
  */
-async function switchEnvironment(envName, options = {}) {
+async function switchEnvironment(envName) {
   const config = getEnvironmentConfig(envName);
 
   if (!config) {
     console.error(chalk.red(`Unknown environment: ${envName}`));
-    console.log(chalk.dim('Available: ' + getEnvironmentNames().join(', ')));
+    console.log(chalk.dim('Available: prod'));
     process.exit(1);
   }
 
-  // Check if internal flag is required
-  if (isInternalOnly(envName) && !options.internal) {
-    console.error(chalk.red(`Environment '${envName}' requires --internal flag`));
-    console.log('');
-    console.log(chalk.yellow('⚠ This environment is for internal development only.'));
-    console.log(chalk.dim('  If you are a Vibe Assurance developer, run:'));
-    console.log(chalk.dim(`  vibe env ${envName} --internal`));
-    console.log('');
-    process.exit(1);
+  // Check if internal environment - require admin
+  if (isInternalOnly(envName)) {
+    // Must be logged in first
+    if (!await hasValidCredentials()) {
+      console.error(chalk.red('You must be logged in to switch environments.'));
+      console.log(chalk.dim('Run `vibe login` first.'));
+      process.exit(1);
+    }
+
+    // Must be admin
+    if (!await isAdmin()) {
+      console.error(chalk.red('Access denied.'));
+      console.log('');
+      console.log(chalk.yellow('Internal environments are restricted to platform administrators.'));
+      console.log(chalk.dim('Contact your administrator if you need access.'));
+      console.log('');
+      process.exit(1);
+    }
   }
 
   const spinner = ora(`Switching to ${config.name}...`).start();
@@ -141,7 +154,7 @@ async function switchEnvironment(envName, options = {}) {
 function registerEnvCommands(program) {
   const env = program
     .command('env')
-    .description('Manage API environment (prod, dev, local)');
+    .description('Manage API environment');
 
   // vibe env (no subcommand) - show current
   env
@@ -161,9 +174,8 @@ function registerEnvCommands(program) {
   env
     .command('list')
     .description('List available environments')
-    .option('--internal', 'Show internal environments (dev, local)')
-    .action(async (options) => {
-      await listEnvironments(options);
+    .action(async () => {
+      await listEnvironments();
     });
 
   // vibe env prod
@@ -171,25 +183,23 @@ function registerEnvCommands(program) {
     .command('prod')
     .description('Switch to production environment')
     .action(async () => {
-      await switchEnvironment('prod', {});
+      await switchEnvironment('prod');
     });
 
-  // vibe env dev
+  // vibe env dev (admin only - not shown in description)
   env
     .command('dev')
-    .description('Switch to development environment (internal only)')
-    .option('--internal', 'Confirm internal environment access')
-    .action(async (options) => {
-      await switchEnvironment('dev', options);
+    .description('Switch to development environment')
+    .action(async () => {
+      await switchEnvironment('dev');
     });
 
-  // vibe env local
+  // vibe env local (admin only - not shown in description)
   env
     .command('local')
-    .description('Switch to local development environment (internal only)')
-    .option('--internal', 'Confirm internal environment access')
-    .action(async (options) => {
-      await switchEnvironment('local', options);
+    .description('Switch to local environment')
+    .action(async () => {
+      await switchEnvironment('local');
     });
 }
 

package/src/commands/login.js

@@ -193,13 +193,14 @@ async function selectProject() {
       }
     });
 
-    const { username, email, projects, defaultProjectId } = response.data;
+    const { username, email, role, projects, defaultProjectId } = response.data;
     spinner.stop();
 
-    // Store and display user info
+    // Store and display user info (CR-2026-061: now includes role for admin checks)
     if (username && email) {
-      await setUserInfo(username, email);
-      console.log(chalk.cyan(`\nSigned in as ${chalk.bold(username)} (${email})`));
+      await setUserInfo(username, email, role || 'user');
+      const roleLabel = role === 'admin' ? chalk.magenta(' [admin]') : '';
+      console.log(chalk.cyan(`\nSigned in as ${chalk.bold(username)} (${email})${roleLabel}`));
     }
 
     if (!projects || projects.length === 0) {

package/src/config/credentials.js

@@ -159,14 +159,15 @@ async function setProjectId(projectId, projectName) {
 
 /**
  * Get stored user info
- * @returns {Promise<{username: string, email: string}|null>} User info or null
+ * @returns {Promise<{username: string, email: string, role: string}|null>} User info or null
  */
 async function getUserInfo() {
   const creds = await getCredentials();
   if (creds?.username && creds?.email) {
     return {
       username: creds.username,
-      email: creds.email
+      email: creds.email,
+      role: creds.role || 'user'
     };
   }
   return null;
@@ -174,21 +175,33 @@ async function getUserInfo() {
 
 /**
  * Set user info (updates existing credentials)
+ * CR-2026-061: Now includes role for admin checks
  * @param {string} username - Username to store
  * @param {string} email - Email to store
+ * @param {string} role - User role ('user' or 'admin')
  * @returns {Promise<void>}
  */
-async function setUserInfo(username, email) {
+async function setUserInfo(username, email, role = 'user') {
   const creds = await getCredentials();
   if (creds) {
     await storeCredentials({
       ...creds,
       username,
-      email
+      email,
+      role
     });
   }
 }
 
+/**
+ * CR-2026-061: Check if user is a platform admin
+ * @returns {Promise<boolean>} True if user is admin
+ */
+async function isAdmin() {
+  const creds = await getCredentials();
+  return creds?.role === 'admin';
+}
+
 /**
  * CR-2026-061: Get stored environment
  * @returns {Promise<string>} Environment name (prod, dev, local)
@@ -228,5 +241,6 @@ module.exports = {
   getUserInfo,
   setUserInfo,
   getEnvironment,    // CR-2026-061
-  setEnvironment     // CR-2026-061
+  setEnvironment,    // CR-2026-061
+  isAdmin            // CR-2026-061
 };