@vltpkg/cli-sdk 1.0.0-rc.3 → 1.0.0-rc.30

package/dist/commands/token.d.ts

@@ -0,0 +1,31 @@
+import type { CommandFn, CommandUsage } from '../index.ts';
+export type TokenInfo = {
+    /** The server-side key/id for the token */
+    key: string;
+    /** A truncated prefix of the token value */
+    token: string;
+    /** ISO date when the token was created */
+    created: string;
+    /** Whether this token is read-only */
+    readonly: boolean;
+    /** CIDR whitelist, if any */
+    cidr_whitelist?: string[];
+};
+export type RegistryTokens = {
+    registry: string;
+    alias?: string;
+    /** Masked local keychain token, if stored */
+    localToken?: string;
+    tokens: TokenInfo[];
+    error?: string;
+};
+export type TokenListResult = {
+    identity: string;
+    registries: RegistryTokens[];
+};
+export declare const usage: CommandUsage;
+export declare const views: {
+    readonly human: (r: TokenListResult | void) => string | undefined;
+    readonly json: (r: TokenListResult | void) => TokenListResult | undefined;
+};
+export declare const command: CommandFn<TokenListResult | void>;

package/dist/commands/token.js

@@ -0,0 +1,186 @@
+import { error } from '@vltpkg/error-cause';
+import { deleteToken, getKC, getToken, normalizeRegistryKey, registryBase, RegistryClient, setToken, } from '@vltpkg/registry-client';
+import { commandUsage } from "../config/usage.js";
+import { readPassword } from "../read-password.js";
+export const usage = () => commandUsage({
+    command: 'token',
+    usage: ['list', 'add', 'rm'],
+    description: `Manage registry authentication tokens in the vlt keychain.`,
+    subcommands: {
+        list: {
+            usage: '',
+            description: `List tokens for configured registries. Shows
+                      locally stored auth tokens and queries each
+                      registry's token API for remote token metadata.`,
+        },
+        add: {
+            usage: '',
+            description: `Add a token for the specified registry.
+                      You will be prompted to paste the bearer token.`,
+        },
+        rm: {
+            usage: '',
+            description: `Remove the stored token for the specified registry.`,
+        },
+    },
+    options: {
+        registry: {
+            value: '<url>',
+            description: 'Registry URL to manage tokens for.',
+        },
+        registries: {
+            value: '<alias=url>',
+            description: 'Named registry aliases (used by the list subcommand).',
+        },
+        identity: {
+            value: '<name>',
+            description: 'Identity namespace used to store auth tokens.',
+        },
+    },
+});
+const formatDate = (iso) => {
+    const d = new Date(iso);
+    return d.toLocaleDateString('en-US', {
+        year: 'numeric',
+        month: 'short',
+        day: 'numeric',
+    });
+};
+const maskToken = (token) => {
+    const bare = token.replace(/^(Bearer|Basic)\s+/i, '');
+    if (bare.length <= 8)
+        return bare + '…';
+    return bare.slice(0, 8) + '…';
+};
+const formatTokenEntry = (t) => {
+    const parts = [
+        `key: ${t.key}`,
+        `token: ${t.token}…`,
+        `created: ${formatDate(t.created)}`,
+        `readonly: ${t.readonly ? 'yes' : 'no'}`,
+    ];
+    if (t.cidr_whitelist && t.cidr_whitelist.length > 0) {
+        parts.push(`cidr: ${t.cidr_whitelist.join(', ')}`);
+    }
+    return parts.join(' │ ');
+};
+const formatRegistryTokens = (r) => {
+    const header = r.alias ? `${r.alias} (${r.registry})` : r.registry;
+    const lines = [header];
+    lines.push(`  local: ${r.localToken ? maskToken(r.localToken) : '(none)'}`);
+    if (!r.localToken) {
+        lines.push('  (skipped remote query — no auth token)');
+    }
+    else if (r.error) {
+        lines.push(`  error: ${r.error}`);
+    }
+    else if (r.tokens.length === 0) {
+        lines.push('  (no remote tokens found)');
+    }
+    else {
+        for (const t of r.tokens) {
+            lines.push(`  ${formatTokenEntry(t)}`);
+        }
+    }
+    return lines.join('\n');
+};
+export const views = {
+    human: (r) => {
+        if (!r)
+            return;
+        const header = r.identity ? `identity: ${r.identity}` : 'identity: (default)';
+        return [header, ...r.registries.map(formatRegistryTokens)].join('\n\n');
+    },
+    json: (r) => {
+        if (!r)
+            return;
+        return r;
+    },
+};
+const listTokens = async (rc, registry, identity, alias) => {
+    const localTok = await getToken(normalizeRegistryKey(registry), identity);
+    if (!localTok) {
+        return { registry, alias, tokens: [] };
+    }
+    const tokensUrl = new URL('-/npm/v1/tokens', registryBase(registry));
+    try {
+        const objects = await rc.scroll(tokensUrl, {
+            useCache: false,
+        });
+        return {
+            registry,
+            alias,
+            localToken: localTok,
+            tokens: objects.map(o => ({
+                key: o.key,
+                token: o.token,
+                created: o.created,
+                readonly: o.readonly,
+                cidr_whitelist: o.cidr_whitelist,
+            })),
+        };
+    }
+    catch (err) {
+        return {
+            registry,
+            alias,
+            localToken: localTok,
+            tokens: [],
+            error: err instanceof Error ? err.message : String(err),
+        };
+    }
+};
+export const command = async (conf) => {
+    const reg = normalizeRegistryKey(conf.options.registry);
+    switch (conf.positionals[0]) {
+        case 'list': {
+            const rc = new RegistryClient(conf.options);
+            const identity = conf.options.identity;
+            const registries = [];
+            const seen = new Set();
+            // Always query the default registry first
+            const defaultReg = conf.options.registry;
+            seen.add(normalizeRegistryKey(defaultReg));
+            registries.push(await listTokens(rc, defaultReg, identity, 'default'));
+            // Then query all configured registry aliases
+            const configuredRegistries = conf.options.registries;
+            for (const [alias, registry] of Object.entries(configuredRegistries)) {
+                const key = normalizeRegistryKey(registry);
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    registries.push(await listTokens(rc, registry, identity, alias));
+                }
+            }
+            // Also show any keychain entries for registries not
+            // already covered (e.g. added via `vlt token add --registry`)
+            const kc = getKC(identity);
+            for (const key of await kc.keys()) {
+                if (!seen.has(key)) {
+                    seen.add(key);
+                    const tok = await kc.get(key);
+                    registries.push({
+                        registry: key,
+                        localToken: tok ?? undefined,
+                        tokens: [],
+                    });
+                }
+            }
+            return { identity, registries };
+        }
+        case 'add': {
+            await setToken(reg, `Bearer ${await readPassword('Paste bearer token: ')}`, conf.options.identity);
+            break;
+        }
+        case 'rm': {
+            await deleteToken(reg, conf.options.identity);
+            break;
+        }
+        default: {
+            throw error('Invalid token subcommand', {
+                found: conf.positionals[0],
+                validOptions: ['list', 'add', 'rm'],
+                code: 'EUSAGE',
+            });
+        }
+    }
+};

package/dist/{esm/commands → commands}/uninstall.d.ts

@@ -13,4 +13,3 @@ export declare const views: {
     readonly human: typeof InstallReporter;
 };
 export declare const command: CommandFn<UninstallResult>;
-//# sourceMappingURL=uninstall.d.ts.map

package/dist/{esm/commands → commands}/uninstall.js

@@ -7,14 +7,28 @@ export const usage = () => commandUsage({
     usage: '[package ...]',
     description: `The opposite of \`vlt install\`. Removes deps and updates
                   vlt-lock.json and package.json appropriately.`,
+    options: {
+        workspace: {
+            value: '<path|glob>',
+            description: 'Limit uninstall targets to matching workspaces.',
+        },
+        'workspace-group': {
+            value: '<name>',
+            description: 'Limit uninstall targets to workspace groups.',
+        },
+        'allow-scripts': {
+            value: '<query>',
+            description: 'Filter which packages are allowed to run lifecycle scripts using DSS query syntax.',
+        },
+    },
 });
 export const views = {
     json: i => i.graph.toJSON(),
     human: InstallReporter,
 };
 export const command = async (conf) => {
-    const monorepo = conf.options.monorepo;
-    const { remove } = parseRemoveArgs(conf, monorepo);
+    const { monorepo, scurry } = conf.options;
+    const { remove } = parseRemoveArgs(conf, scurry, monorepo);
     /* c8 ignore start */
     const allowScripts = conf.get('allow-scripts') ?
         String(conf.get('allow-scripts'))
@@ -23,4 +37,3 @@ export const command = async (conf) => {
     const { graph } = await uninstall({ ...conf.options, allowScripts }, remove);
     return { graph };
 };
-//# sourceMappingURL=uninstall.js.map

package/dist/commands/unpublish.d.ts

@@ -0,0 +1,15 @@
+import type { CommandFn, CommandUsage } from '../index.ts';
+export declare const usage: CommandUsage;
+export type CommandResult = {
+    /** The package name */
+    name: string;
+    /** The version that was unpublished, or undefined for entire package */
+    version?: string;
+    /** The registry URL */
+    registry: string;
+};
+export declare const views: {
+    readonly human: (result: CommandResult) => string;
+    readonly json: (r: CommandResult) => CommandResult;
+};
+export declare const command: CommandFn<CommandResult>;

package/dist/commands/unpublish.js

@@ -0,0 +1,200 @@
+import { error } from '@vltpkg/error-cause';
+import { RegistryClient } from '@vltpkg/registry-client';
+import { Spec } from '@vltpkg/spec';
+import { asError } from '@vltpkg/types';
+import { commandUsage } from "../config/usage.js";
+export const usage = () => commandUsage({
+    command: 'unpublish',
+    usage: ['<package>@<version>', '<package> --force'],
+    description: `Remove a package version from the registry.
+
+    To unpublish a single version, specify the package name and version.
+    To unpublish an entire package, specify the package name and use --force.
+
+    ⚠️  Unpublishing is a destructive action that cannot be undone.
+    Consider using \`vlt deprecate\` instead if you want to discourage
+    usage of a package without removing it.`,
+    examples: {
+        'my-package@1.0.0': {
+            description: 'Unpublish a specific version',
+        },
+        '@scope/my-package@1.0.0': {
+            description: 'Unpublish a specific version of a scoped package',
+        },
+        'my-package --force': {
+            description: 'Unpublish an entire package (requires --force)',
+        },
+    },
+    options: {
+        force: {
+            description: 'Required to unpublish an entire package (all versions).',
+        },
+        otp: {
+            description: 'Provide a one-time password for authentication.',
+            value: '<otp>',
+        },
+    },
+});
+export const views = {
+    human: (result) => {
+        if (result.version) {
+            return `⚠️  ${result.name}@${result.version} has been unpublished from ${result.registry}.`;
+        }
+        return `⚠️  ${result.name} (all versions) has been unpublished from ${result.registry}.`;
+    },
+    json: (r) => r,
+};
+export const command = async (conf) => {
+    const specArg = conf.positionals[0];
+    if (!specArg) {
+        throw error('unpublish requires a package spec argument (e.g. pkg@version)', { code: 'EUSAGE' });
+    }
+    const { registry, otp, force } = conf.options;
+    const registryUrl = new URL(registry);
+    const spec = Spec.parseArgs(specArg, conf.options);
+    const name = spec.name;
+    /* c8 ignore start - Spec.parseArgs always produces a name for valid input */
+    if (!name) {
+        throw error('Package name is required', {
+            found: specArg,
+        });
+    }
+    /* c8 ignore stop */
+    const version = spec.bareSpec;
+    // If no version specified, require --force to unpublish the entire package
+    if (!version) {
+        if (!force) {
+            throw error('Refusing to unpublish entire package without --force.\n' +
+                'To unpublish a specific version, use: vlt unpublish <package>@<version>\n' +
+                'To unpublish all versions, use: vlt unpublish <package> --force');
+        }
+    }
+    const rc = new RegistryClient(conf.options);
+    const encodedName = name.startsWith('@') ? name.replace('/', '%2F') : name;
+    if (version) {
+        // Unpublish a specific version:
+        // 1. Fetch the packument
+        // 2. Remove the version from the packument
+        // 3. PUT the updated packument back
+        const packumentUrl = new URL(encodedName, registryUrl);
+        let packumentResponse;
+        try {
+            packumentResponse = await rc.request(packumentUrl, {
+                useCache: false,
+            });
+        }
+        catch (err) {
+            throw error('Failed to fetch package metadata', {
+                cause: asError(err),
+            });
+        }
+        if (packumentResponse.statusCode !== 200) {
+            throw error('Package not found on the registry', {
+                url: packumentUrl,
+                response: packumentResponse,
+            });
+        }
+        const packument = packumentResponse.json();
+        const versions = packument.versions;
+        const distTags = packument['dist-tags'];
+        if (!versions?.[version]) {
+            throw error(`Version ${version} not found in package ${name}`, {
+                found: version,
+                wanted: Object.keys(versions ?? {}),
+            });
+        }
+        // Remove the version
+        delete versions[version];
+        // Remove any dist-tags pointing to this version
+        if (distTags) {
+            for (const [tag, tagVersion] of Object.entries(distTags)) {
+                if (tagVersion === version) {
+                    delete distTags[tag];
+                }
+            }
+        }
+        // Remove the version from the time field if present
+        const time = packument.time;
+        if (time?.[version]) {
+            delete time[version];
+        }
+        // PUT the updated packument
+        const putUrl = new URL(`${encodedName}/-rev/${packument._rev}`, registryUrl);
+        let response;
+        try {
+            response = await rc.request(putUrl, {
+                method: 'PUT',
+                headers: {
+                    'content-type': 'application/json',
+                    'npm-auth-type': 'web',
+                    'npm-command': 'unpublish',
+                },
+                body: JSON.stringify(packument),
+                otp,
+            });
+        }
+        catch (err) {
+            throw error('Failed to unpublish package version', {
+                cause: asError(err),
+            });
+        }
+        if (response.statusCode !== 200 && response.statusCode !== 201) {
+            throw error('Failed to unpublish package version', {
+                url: putUrl,
+                response,
+            });
+        }
+    }
+    else {
+        // Unpublish entire package — DELETE the packument
+        // First fetch the packument to get the _rev
+        const packumentUrl = new URL(encodedName, registryUrl);
+        let packumentResponse;
+        try {
+            packumentResponse = await rc.request(packumentUrl, {
+                useCache: false,
+            });
+        }
+        catch (err) {
+            throw error('Failed to fetch package metadata', {
+                cause: asError(err),
+            });
+        }
+        if (packumentResponse.statusCode !== 200) {
+            throw error('Package not found on the registry', {
+                url: packumentUrl,
+                response: packumentResponse,
+            });
+        }
+        const packument = packumentResponse.json();
+        const deleteUrl = new URL(`${encodedName}/-rev/${packument._rev}`, registryUrl);
+        let response;
+        try {
+            response = await rc.request(deleteUrl, {
+                method: 'DELETE',
+                headers: {
+                    'content-type': 'application/json',
+                    'npm-auth-type': 'web',
+                    'npm-command': 'unpublish',
+                },
+                otp,
+            });
+        }
+        catch (err) {
+            throw error('Failed to unpublish package', {
+                cause: asError(err),
+            });
+        }
+        if (response.statusCode !== 200 && response.statusCode !== 201) {
+            throw error('Failed to unpublish package', {
+                url: deleteUrl,
+                response,
+            });
+        }
+    }
+    return {
+        name,
+        ...(version ? { version } : {}),
+        registry: registryUrl.origin,
+    };
+};

package/dist/{esm/commands → commands}/update.d.ts

@@ -11,4 +11,3 @@ export declare const views: {
     readonly human: typeof InstallReporter;
 };
 export declare const command: CommandFn<InstallResult>;
-//# sourceMappingURL=update.d.ts.map

package/dist/{esm/commands → commands}/update.js

@@ -7,6 +7,12 @@ export const usage = () => commandUsage({
     usage: '',
     description: `Update dependencies to their latest in-range versions.
                   Discards the lockfile and resolves dependencies from scratch.`,
+    options: {
+        'allow-scripts': {
+            value: '<query>',
+            description: 'Filter which packages are allowed to run lifecycle scripts using DSS query syntax.',
+        },
+    },
 });
 export const views = {
     json: i => ({
@@ -38,4 +44,3 @@ export const command = async (conf) => {
     });
     return { buildQueue, graph };
 };
-//# sourceMappingURL=update.js.map

package/dist/{esm/commands → commands}/version.d.ts

@@ -23,4 +23,3 @@ export declare const views: {
     readonly human: (results: CommandResult) => string;
 };
 export declare const command: CommandFn<CommandResult>;
-//# sourceMappingURL=version.d.ts.map

package/dist/{esm/commands → commands}/version.js

@@ -8,6 +8,7 @@ import assert from 'node:assert';
 import { actual } from '@vltpkg/graph';
 import { Query } from '@vltpkg/query';
 import { createHostContextsMap } from "../query-host-contexts.js";
+import { minimatch } from 'minimatch';
 const isValidVersionIncrement = (value) => versionIncrements.includes(value);
 const version = async (conf, increment, cwd, { 
 // Hardcode happy path options for now.
@@ -146,6 +147,23 @@ export const usage = () => {
     The \`<newversion>\` argument should be a valid semver string or a valid increment type (one of patch, minor, major, prepatch, preminor, premajor, prerelease).
 
     If run in a git repository, it will also create a version commit and tag.`,
+        options: {
+            scope: {
+                value: '<query>',
+                description: 'Filter version bump targets using a DSS query.',
+            },
+            workspace: {
+                value: '<path|glob>',
+                description: 'Limit version bump targets to matching workspaces.',
+            },
+            'workspace-group': {
+                value: '<name>',
+                description: 'Limit version bump targets to workspace groups.',
+            },
+            recursive: {
+                description: 'Run version bump across all workspaces in the monorepo.',
+            },
+        },
     });
 };
 export const views = {
@@ -206,6 +224,15 @@ export const command = async (conf) => {
     }
     else if (paths?.length || groups?.length || recursive) {
         for (const workspace of options.monorepo ?? []) {
+            if (paths?.length) {
+                const matches = paths.some((p) => workspace.path === p ||
+                    workspace.name === p ||
+                    workspace.fullpath === p ||
+                    resolve(projectRoot, p) === workspace.fullpath ||
+                    minimatch(workspace.path, p));
+                if (!matches)
+                    continue;
+            }
             locations.push(workspace.fullpath);
         }
     }
@@ -223,4 +250,3 @@ export const command = async (conf) => {
     }
     return results;
 };
-//# sourceMappingURL=version.js.map

package/dist/commands/view.d.ts

@@ -0,0 +1,22 @@
+import type { Manifest, Packument } from '@vltpkg/types';
+import type { PackageReportData } from '@vltpkg/security-archive';
+import type { CommandFn, CommandUsage } from '../index.ts';
+import type { ViewOptions } from '../view.ts';
+export declare const usage: CommandUsage;
+export type ViewResult = {
+    /** The full packument data from the registry */
+    packument: Packument;
+    /** The resolved manifest for the requested version */
+    manifest: Manifest;
+    /** Security report data, if available */
+    security?: PackageReportData;
+    /** The specific field value if a field was requested */
+    fieldValue?: unknown;
+    /** The field path that was requested */
+    fieldPath?: string;
+};
+export declare const views: {
+    readonly human: (result: ViewResult, _options: ViewOptions, _conf: import("../config/index.ts").ParsedConfig) => string;
+    readonly json: (result: ViewResult, _options: ViewOptions, _conf: import("../config/index.ts").ParsedConfig) => unknown;
+};
+export declare const command: CommandFn<ViewResult>;