@vltpkg/cli-sdk 1.0.0-rc.29 → 1.0.0-rc.30

package/dist/commands/publish.js

@@ -1,5 +1,5 @@
 import { error } from '@vltpkg/error-cause';
-import { RegistryClient, oidc } from '@vltpkg/registry-client';
+import { RegistryClient, oidc, registryBase, } from '@vltpkg/registry-client';
 import { run } from '@vltpkg/run';
 import { commandUsage } from "../config/usage.js";
 import { packTarball } from "../pack-tarball.js";
@@ -146,14 +146,26 @@ export const command = async (conf) => {
     }
     return results;
 };
+const getPublishConfig = (manifest) => {
+    const pc = manifest
+        .publishConfig;
+    if (pc && typeof pc === 'object') {
+        return pc;
+    }
+    return undefined;
+};
 const commandSingle = async (location, conf) => {
     const manifestPath = conf.options.packageJson.find(location);
     assert(manifestPath, 'No package.json found');
     const manifestDir = dirname(manifestPath);
     const manifest = conf.options.packageJson.read(manifestDir);
     assert(!manifest.private, error('Package has been marked as private'));
-    const { tag, access, registry, 'dry-run': dry = false, otp, } = conf.options;
-    const registryUrl = new URL(registry);
+    const { 'dry-run': dry = false, otp } = conf.options;
+    const publishConfig = getPublishConfig(manifest);
+    const tag = publishConfig?.tag ?? conf.options.tag;
+    const access = publishConfig?.access ?? conf.options.access;
+    const registry = publishConfig?.registry ?? conf.options.registry;
+    const registryUrl = new URL(registryBase(registry));
     const runOptions = {
         cwd: manifestDir,
         projectRoot: conf.projectRoot,
@@ -251,8 +263,10 @@ const commandSingle = async (location, conf) => {
         }
         if (response.statusCode !== 200 && response.statusCode !== 201) {
             let extraMsg = '';
-            // special case 404 errors to provide a better hint to the user
-            if (response.statusCode === 404) {
+            if (response.statusCode === 409) {
+                extraMsg = `.\n⚠️ ${name}@${version} already exists in the registry. Bump the version and try again.`;
+            }
+            else if (response.statusCode === 404) {
                 extraMsg =
                     ".\n⚠️ Make sure you're logged in and have access to publish the package.";
             }

package/dist/commands/token.d.ts

@@ -14,10 +14,15 @@ export type TokenInfo = {
 export type RegistryTokens = {
     registry: string;
     alias?: string;
+    /** Masked local keychain token, if stored */
+    localToken?: string;
     tokens: TokenInfo[];
     error?: string;
 };
-export type TokenListResult = RegistryTokens[];
+export type TokenListResult = {
+    identity: string;
+    registries: RegistryTokens[];
+};
 export declare const usage: CommandUsage;
 export declare const views: {
     readonly human: (r: TokenListResult | void) => string | undefined;

package/dist/commands/token.js

@@ -1,5 +1,5 @@
 import { error } from '@vltpkg/error-cause';
-import { deleteToken, normalizeRegistryKey, RegistryClient, setToken, } from '@vltpkg/registry-client';
+import { deleteToken, getKC, getToken, normalizeRegistryKey, registryBase, RegistryClient, setToken, } from '@vltpkg/registry-client';
 import { commandUsage } from "../config/usage.js";
 import { readPassword } from "../read-password.js";
 export const usage = () => commandUsage({
@@ -9,10 +9,9 @@ export const usage = () => commandUsage({
     subcommands: {
         list: {
             usage: '',
-            description: `List all tokens for configured registries.
-                      Queries each registry's token API and displays
-                      token metadata including key, creation date,
-                      and permissions.`,
+            description: `List tokens for configured registries. Shows
+                      locally stored auth tokens and queries each
+                      registry's token API for remote token metadata.`,
         },
         add: {
             usage: '',
@@ -47,6 +46,12 @@ const formatDate = (iso) => {
         day: 'numeric',
     });
 };
+const maskToken = (token) => {
+    const bare = token.replace(/^(Bearer|Basic)\s+/i, '');
+    if (bare.length <= 8)
+        return bare + '…';
+    return bare.slice(0, 8) + '…';
+};
 const formatTokenEntry = (t) => {
     const parts = [
         `key: ${t.key}`,
@@ -61,20 +66,30 @@ const formatTokenEntry = (t) => {
 };
 const formatRegistryTokens = (r) => {
     const header = r.alias ? `${r.alias} (${r.registry})` : r.registry;
-    if (r.error)
-        return `${header}\n  error: ${r.error}`;
-    if (r.tokens.length === 0)
-        return `${header}\n  (no tokens found)`;
-    return [
-        header,
-        ...r.tokens.map(t => `  ${formatTokenEntry(t)}`),
-    ].join('\n');
+    const lines = [header];
+    lines.push(`  local: ${r.localToken ? maskToken(r.localToken) : '(none)'}`);
+    if (!r.localToken) {
+        lines.push('  (skipped remote query — no auth token)');
+    }
+    else if (r.error) {
+        lines.push(`  error: ${r.error}`);
+    }
+    else if (r.tokens.length === 0) {
+        lines.push('  (no remote tokens found)');
+    }
+    else {
+        for (const t of r.tokens) {
+            lines.push(`  ${formatTokenEntry(t)}`);
+        }
+    }
+    return lines.join('\n');
 };
 export const views = {
     human: (r) => {
         if (!r)
             return;
-        return r.map(formatRegistryTokens).join('\n\n');
+        const header = r.identity ? `identity: ${r.identity}` : 'identity: (default)';
+        return [header, ...r.registries.map(formatRegistryTokens)].join('\n\n');
     },
     json: (r) => {
         if (!r)
@@ -82,8 +97,12 @@ export const views = {
         return r;
     },
 };
-const listTokens = async (rc, registry, alias) => {
-    const tokensUrl = new URL('-/npm/v1/tokens', registry);
+const listTokens = async (rc, registry, identity, alias) => {
+    const localTok = await getToken(normalizeRegistryKey(registry), identity);
+    if (!localTok) {
+        return { registry, alias, tokens: [] };
+    }
+    const tokensUrl = new URL('-/npm/v1/tokens', registryBase(registry));
     try {
         const objects = await rc.scroll(tokensUrl, {
             useCache: false,
@@ -91,6 +110,7 @@ const listTokens = async (rc, registry, alias) => {
         return {
             registry,
             alias,
+            localToken: localTok,
             tokens: objects.map(o => ({
                 key: o.key,
                 token: o.token,
@@ -104,6 +124,7 @@ const listTokens = async (rc, registry, alias) => {
         return {
             registry,
             alias,
+            localToken: localTok,
             tokens: [],
             error: err instanceof Error ? err.message : String(err),
         };
@@ -114,18 +135,37 @@ export const command = async (conf) => {
     switch (conf.positionals[0]) {
         case 'list': {
             const rc = new RegistryClient(conf.options);
-            const results = [];
+            const identity = conf.options.identity;
+            const registries = [];
+            const seen = new Set();
             // Always query the default registry first
-            results.push(await listTokens(rc, conf.options.registry, 'default'));
+            const defaultReg = conf.options.registry;
+            seen.add(normalizeRegistryKey(defaultReg));
+            registries.push(await listTokens(rc, defaultReg, identity, 'default'));
             // Then query all configured registry aliases
-            const registries = conf.options.registries;
-            for (const [alias, registry] of Object.entries(registries)) {
-                // Skip if it's the same as the default registry
-                if (registry !== conf.options.registry) {
-                    results.push(await listTokens(rc, registry, alias));
+            const configuredRegistries = conf.options.registries;
+            for (const [alias, registry] of Object.entries(configuredRegistries)) {
+                const key = normalizeRegistryKey(registry);
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    registries.push(await listTokens(rc, registry, identity, alias));
+                }
+            }
+            // Also show any keychain entries for registries not
+            // already covered (e.g. added via `vlt token add --registry`)
+            const kc = getKC(identity);
+            for (const key of await kc.keys()) {
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    const tok = await kc.get(key);
+                    registries.push({
+                        registry: key,
+                        localToken: tok ?? undefined,
+                        tokens: [],
+                    });
                 }
             }
-            return results;
+            return { identity, registries };
         }
         case 'add': {
             await setToken(reg, `Bearer ${await readPassword('Paste bearer token: ')}`, conf.options.identity);

package/dist/pack-tarball.d.ts

@@ -13,6 +13,19 @@ export type PackTarballResult = {
     /** The manifest used for packing (may differ from input when publishConfig.directory is set). */
     resolvedManifest: NormalizedManifest;
 };
+/**
+ * Build the tar filter function for packing.
+ *
+ * Follows npm's precedence rules:
+ *   1. `files` field in package.json → allowlist (ignore files are not read)
+ *   2. `.npmignore` → denylist (`.gitignore` is NOT read)
+ *   3. `.gitignore` → fallback denylist when no `.npmignore` exists
+ *
+ * Regardless of mode, always-excluded files (lockfiles, .git, node_modules,
+ * .npmrc, vlt.json, etc.) are excluded and always-included files (package.json,
+ * README, LICENSE, etc.) are included.
+ */
+export declare const buildPackFilter: (manifest: NormalizedManifest, packDir: string) => ((path: string) => boolean);
 /**
  * Create a tarball from a package directory
  * @param {NormalizedManifest} manifest - The manifest of the package to pack

package/dist/pack-tarball.js

@@ -3,10 +3,11 @@ import { minimatch } from 'minimatch';
 import { error } from '@vltpkg/error-cause';
 import * as ssri from 'ssri';
 import assert from 'node:assert';
-import { existsSync, statSync } from 'node:fs';
+import { existsSync, readFileSync, statSync } from 'node:fs';
 import { Spec } from '@vltpkg/spec';
 import { join } from 'node:path';
 import { parse, stringify } from 'polite-json';
+import ignore from 'ignore';
 /**
  * Replace workspace: and catalog: specs with actual versions
  * @param {NormalizedManifest} manifest_ - The manifest to process
@@ -82,6 +83,121 @@ const replaceWorkspaceAndCatalogSpecs = (manifest_, config) => {
     }
     return manifest;
 };
+const alwaysExcludePatterns = [
+    /^\.?\/?\.git(\/|$)/,
+    /^\.?\/?node_modules(\/|$)/,
+    /^\.?\/?\.nyc_output(\/|$)/,
+    /^\.?\/?coverage(\/|$)/,
+    /^\.?\/?\.vscode(\/|$)/,
+    /^\.?\/?\.idea(\/|$)/,
+    /^\.?\/?\.DS_Store$/,
+    /^\.?\/?\.npmrc$/,
+    /^\.?\/?\.gitignore$/,
+    /^\.?\/?\.npmignore$/,
+    /^\.?\/?\.editorconfig$/,
+    /^\.?\/?package-lock\.json$/,
+    /^\.?\/?yarn\.lock$/,
+    /^\.?\/?pnpm-lock\.yaml$/,
+    /^\.?\/?bun\.lockb$/,
+    /^\.?\/?bun\.lock$/,
+    /^\.?\/?vlt-lock\.json$/,
+    /^\.?\/?vlt\.json$/,
+    /~$/,
+    /\.swp$/,
+    /\.tgz$/,
+];
+const alwaysIncludePatterns = [
+    /^README(\..*)?$/i,
+    /^CHANGELOG(\..*)?$/i,
+    /^HISTORY(\..*)?$/i,
+    /^LICENSE(\..*)?$/i,
+    /^LICENCE(\..*)?$/i,
+];
+/**
+ * Read an ignore file (.npmignore or .gitignore) and return its contents,
+ * or undefined if the file does not exist.
+ */
+const readIgnoreFile = (dir, name) => {
+    const filePath = join(dir, name);
+    if (!existsSync(filePath))
+        return undefined;
+    return readFileSync(filePath, 'utf8');
+};
+/**
+ * Build the tar filter function for packing.
+ *
+ * Follows npm's precedence rules:
+ *   1. `files` field in package.json → allowlist (ignore files are not read)
+ *   2. `.npmignore` → denylist (`.gitignore` is NOT read)
+ *   3. `.gitignore` → fallback denylist when no `.npmignore` exists
+ *
+ * Regardless of mode, always-excluded files (lockfiles, .git, node_modules,
+ * .npmrc, vlt.json, etc.) are excluded and always-included files (package.json,
+ * README, LICENSE, etc.) are included.
+ */
+export const buildPackFilter = (manifest, packDir) => {
+    const manifestWithFiles = manifest;
+    const hasFilesField = Array.isArray(manifestWithFiles.files) &&
+        manifestWithFiles.files.length > 0;
+    const hasEmptyFilesField = Array.isArray(manifestWithFiles.files) &&
+        manifestWithFiles.files.length === 0;
+    // Build ignore matcher from .npmignore or .gitignore (only when no files field)
+    let ig;
+    if (!hasFilesField && !hasEmptyFilesField) {
+        const npmignoreContent = readIgnoreFile(packDir, '.npmignore');
+        if (npmignoreContent !== undefined) {
+            ig = ignore().add(npmignoreContent);
+        }
+        else {
+            const gitignoreContent = readIgnoreFile(packDir, '.gitignore');
+            if (gitignoreContent !== undefined) {
+                ig = ignore().add(gitignoreContent);
+            }
+        }
+    }
+    return (path) => {
+        const normalizedPath = path.replace(/^\.\//, '');
+        if (path === '.' || normalizedPath === '') {
+            return true;
+        }
+        if (alwaysExcludePatterns.some(pattern => pattern.test(normalizedPath))) {
+            return false;
+        }
+        if (alwaysIncludePatterns.some(pattern => pattern.test(normalizedPath))) {
+            return true;
+        }
+        if (normalizedPath === 'package.json') {
+            return true;
+        }
+        // files field: allowlist mode
+        if (hasEmptyFilesField) {
+            return false;
+        }
+        if (hasFilesField && manifestWithFiles.files) {
+            return manifestWithFiles.files.some((pattern) => {
+                if (pattern.endsWith('/')) {
+                    const dirName = pattern.slice(0, -1);
+                    const globPattern = pattern.replace(/\/$/, '/**');
+                    const matchesDir = normalizedPath === dirName;
+                    const matchesContents = minimatch(normalizedPath, globPattern, { dot: true });
+                    return matchesDir || matchesContents;
+                }
+                const directMatch = minimatch(normalizedPath, pattern, {
+                    dot: true,
+                });
+                const isParentDir = pattern.includes('/') &&
+                    pattern.startsWith(normalizedPath + '/');
+                const isChildOfPattern = minimatch(normalizedPath, pattern + '/**', { dot: true });
+                return directMatch || isParentDir || isChildOfPattern;
+            });
+        }
+        // Ignore-file mode: apply .npmignore or .gitignore deny patterns
+        if (ig?.ignores(normalizedPath)) {
+            return false;
+        }
+        return true;
+    };
+};
 /**
  * Create a tarball from a package directory
  * @param {NormalizedManifest} manifest - The manifest of the package to pack
@@ -117,94 +233,13 @@ export const packTarball = async (manifest, dir, config) => {
     const tarballName = `${manifest.name}-${manifest.version}.tgz`;
     try {
         config.options.packageJson.write(packDir, processedManifest);
+        const packFilter = buildPackFilter(manifest, packDir);
         const tarballData = await tarCreate({
             cwd: packDir,
             gzip: true,
             portable: true,
             prefix: 'package/',
-            filter: (path) => {
-                // Normalize path - remove leading './'
-                const normalizedPath = path.replace(/^\.\//, '');
-                // Always include root directory
-                if (path === '.' || normalizedPath === '') {
-                    return true;
-                }
-                // Always exclude certain files/directories
-                const alwaysExcludePatterns = [
-                    /^\.?\/?\.git(\/|$)/,
-                    /^\.?\/?node_modules(\/|$)/,
-                    /^\.?\/?\.nyc_output(\/|$)/,
-                    /^\.?\/?coverage(\/|$)/,
-                    /^\.?\/?\.DS_Store$/,
-                    /^\.?\/?\.npmrc$/,
-                    /^\.?\/?package-lock\.json$/,
-                    /^\.?\/?yarn\.lock$/,
-                    /^\.?\/?pnpm-lock\.yaml$/,
-                    /^\.?\/?bun\.lockb$/,
-                    /^\.?\/?bun\.lock$/,
-                    /^\.?\/?vlt-lock\.json$/,
-                    /~$/,
-                    /\.swp$/,
-                    /\.tgz$/,
-                ];
-                if (alwaysExcludePatterns.some(pattern => pattern.test(normalizedPath))) {
-                    return false;
-                }
-                // Always include certain files
-                const alwaysIncludePatterns = [
-                    /^README(\..*)?$/i,
-                    /^CHANGELOG(\..*)?$/i,
-                    /^HISTORY(\..*)?$/i,
-                    /^LICENSE(\..*)?$/i,
-                    /^LICENCE(\..*)?$/i,
-                ];
-                if (alwaysIncludePatterns.some(pattern => pattern.test(normalizedPath))) {
-                    return true;
-                }
-                // Always include package.json
-                if (normalizedPath === 'package.json') {
-                    return true;
-                }
-                // If files field is specified in package.json, use it for inclusion
-                const manifestWithFiles = manifest;
-                if (manifestWithFiles.files &&
-                    Array.isArray(manifestWithFiles.files)) {
-                    // Empty files array means exclude everything except always-included files
-                    if (manifestWithFiles.files.length === 0) {
-                        return false;
-                    }
-                    return manifestWithFiles.files.some((pattern) => {
-                        if (pattern.endsWith('/')) {
-                            const dirName = pattern.slice(0, -1);
-                            const globPattern = pattern.replace(/\/$/, '/**');
-                            const matchesDir = normalizedPath === dirName;
-                            const matchesContents = minimatch(normalizedPath, globPattern, {
-                                dot: true,
-                            });
-                            return matchesDir || matchesContents;
-                        }
-                        const directMatch = minimatch(normalizedPath, pattern, {
-                            dot: true,
-                        });
-                        // Check if this path is a parent directory of the pattern
-                        const isParentDir = pattern.includes('/') &&
-                            pattern.startsWith(normalizedPath + '/');
-                        // Check if this path is inside a directory matched by the pattern
-                        // (e.g. files: ["dist"] should include dist/index.js)
-                        const isChildOfPattern = minimatch(normalizedPath, pattern + '/**', { dot: true });
-                        return directMatch || isParentDir || isChildOfPattern;
-                    });
-                }
-                // Default behavior when no files field - exclude common development files
-                const defaultExcludePatterns = [
-                    /^\.?\/?\.vscode(\/|$)/,
-                    /^\.?\/?\.idea(\/|$)/,
-                    /^\.?\/?\.gitignore$/,
-                    /^\.?\/?\.npmignore$/,
-                    /^\.?\/?\.editorconfig$/,
-                ];
-                return !defaultExcludePatterns.some(pattern => pattern.test(normalizedPath));
-            },
+            filter: packFilter,
         }, ['.']).concat();
         let unpackedSize = 0;
         const files = [];

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vltpkg/cli-sdk",
   "description": "The source for the vlt CLI",
-  "version": "1.0.0-rc.29",
+  "version": "1.0.0-rc.30",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/vltpkg/vltpkg.git",
@@ -14,34 +14,35 @@
   },
   "dependencies": {
     "@resvg/resvg-wasm": "^2.6.2",
-    "@vltpkg/config": "1.0.0-rc.29",
-    "@vltpkg/dep-id": "1.0.0-rc.29",
-    "@vltpkg/dot-prop": "1.0.0-rc.29",
-    "@vltpkg/error-cause": "1.0.0-rc.29",
-    "@vltpkg/git": "1.0.0-rc.29",
-    "@vltpkg/graph": "1.0.0-rc.29",
-    "@vltpkg/graph-run": "1.0.0-rc.29",
-    "@vltpkg/init": "1.0.0-rc.29",
-    "@vltpkg/output": "1.0.0-rc.29",
-    "@vltpkg/package-info": "1.0.0-rc.29",
-    "@vltpkg/package-json": "1.0.0-rc.29",
-    "@vltpkg/promise-spawn": "1.0.0-rc.29",
-    "@vltpkg/query": "1.0.0-rc.29",
-    "@vltpkg/registry-client": "1.0.0-rc.29",
-    "@vltpkg/rollback-remove": "1.0.0-rc.29",
-    "@vltpkg/run": "1.0.0-rc.29",
-    "@vltpkg/security-archive": "1.0.0-rc.29",
-    "@vltpkg/spec": "1.0.0-rc.29",
-    "@vltpkg/types": "1.0.0-rc.29",
-    "@vltpkg/url-open": "1.0.0-rc.29",
-    "@vltpkg/vlt-json": "1.0.0-rc.29",
-    "@vltpkg/vlx": "1.0.0-rc.29",
-    "@vltpkg/workspaces": "1.0.0-rc.29",
-    "@vltpkg/xdg": "1.0.0-rc.29",
+    "@vltpkg/config": "1.0.0-rc.30",
+    "@vltpkg/dep-id": "1.0.0-rc.30",
+    "@vltpkg/dot-prop": "1.0.0-rc.30",
+    "@vltpkg/error-cause": "1.0.0-rc.30",
+    "@vltpkg/git": "1.0.0-rc.30",
+    "@vltpkg/graph": "1.0.0-rc.30",
+    "@vltpkg/graph-run": "1.0.0-rc.30",
+    "@vltpkg/init": "1.0.0-rc.30",
+    "@vltpkg/output": "1.0.0-rc.30",
+    "@vltpkg/package-info": "1.0.0-rc.30",
+    "@vltpkg/package-json": "1.0.0-rc.30",
+    "@vltpkg/promise-spawn": "1.0.0-rc.30",
+    "@vltpkg/query": "1.0.0-rc.30",
+    "@vltpkg/registry-client": "1.0.0-rc.30",
+    "@vltpkg/rollback-remove": "1.0.0-rc.30",
+    "@vltpkg/run": "1.0.0-rc.30",
+    "@vltpkg/security-archive": "1.0.0-rc.30",
+    "@vltpkg/spec": "1.0.0-rc.30",
+    "@vltpkg/types": "1.0.0-rc.30",
+    "@vltpkg/url-open": "1.0.0-rc.30",
+    "@vltpkg/vlt-json": "1.0.0-rc.30",
+    "@vltpkg/vlx": "1.0.0-rc.30",
+    "@vltpkg/workspaces": "1.0.0-rc.30",
+    "@vltpkg/xdg": "1.0.0-rc.30",
     "ansi-to-pre": "^1.0.6",
     "beautiful-mermaid": "^1.1.3",
     "chalk": "^5.6.2",
     "hosted-git-info": "^9.0.2",
+    "ignore": "^7.0.5",
     "ink": "^6.5.1",
     "ink-spinner": "^5.0.0",
     "jackspeak": "^4.1.1",