@wpmoo/toolkit 0.9.24 → 0.9.26

package/dist/audit-log.js

@@ -0,0 +1,78 @@
+import { appendFile, mkdir } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+const secretFlagNames = new Set([
+    'password',
+    'api-key',
+    'token',
+    'secret',
+    'api_key',
+]);
+function isSecretFlagToken(token) {
+    return token === '--password'
+        ? '--password'
+        : token === '--api-key'
+            ? '--api-key'
+            : token === '--token'
+                ? '--token'
+                : token === '--secret'
+                    ? '--secret'
+                    : undefined;
+}
+function isSecretKVToken(token) {
+    const firstEquals = token.indexOf('=');
+    if (firstEquals < 0) {
+        return undefined;
+    }
+    const [name] = [token.slice(0, firstEquals), token.slice(firstEquals + 1)];
+    return secretFlagNames.has(name.replace(/^--+/, '').toLowerCase()) ? name : undefined;
+}
+function normalizeFlag(flag) {
+    return flag.startsWith('--') ? flag : `--${flag}`;
+}
+/**
+ * Redacts values for common secret-like arguments.
+ */
+export function sanitizeCommandArgs(args) {
+    const sanitized = [];
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        const secretKV = isSecretKVToken(arg);
+        if (secretKV) {
+            sanitized.push(`${secretKV}=***`);
+            continue;
+        }
+        const secretFlag = isSecretFlagToken(arg);
+        if (secretFlag && index + 1 < args.length && !args[index + 1].startsWith('--')) {
+            sanitized.push(arg);
+            sanitized.push('***');
+            index += 1;
+            continue;
+        }
+        sanitized.push(arg);
+    }
+    return sanitized;
+}
+export function extractApprovedFlags(args, approvedFlagNames) {
+    const present = [];
+    const argsByIndex = args.map((arg) => arg.toLowerCase());
+    approvedFlagNames.forEach((name) => {
+        const normalized = normalizeFlag(name).toLowerCase();
+        if (argsByIndex.some((arg) => arg === normalized || arg.startsWith(`${normalized}=`))) {
+            present.push(name);
+        }
+    });
+    return present;
+}
+export async function appendAuditLog(options) {
+    const logPath = join(options.environmentPath, '.wpmoo', 'audit.log');
+    const event = {
+        timestamp: (options.timestamp ?? new Date()).toISOString(),
+        command: options.command,
+        environment: options.environment,
+        dryRun: options.dryRun,
+        approvedFlags: [...(options.approvedFlags ?? extractApprovedFlags(options.args, options.approvedFlagNames))],
+        args: sanitizeCommandArgs(options.args),
+    };
+    await mkdir(dirname(logPath), { recursive: true });
+    await appendFile(logPath, `${JSON.stringify(event)}\n`, 'utf8');
+}

package/dist/cli.js

@@ -271,7 +271,17 @@ async function showStartup(argv, skipUpdateCheck, details) {
     console.log();
 }
 async function selectCockpitCommandFromMenu(serviceStatus, moduleCount, sourceRepoCount) {
-    const selection = await selectCockpitTopLevelMenu({ serviceStatus, moduleCount, sourceRepoCount });
+    const legacyServiceStatus = serviceStatus.kind === 'services-running' ||
+        serviceStatus.kind === 'db-ready' ||
+        serviceStatus.kind === 'odoo-not-ready' ||
+        serviceStatus.kind === 'fully-ready'
+        ? { kind: 'running' }
+        : serviceStatus;
+    const selection = await selectCockpitTopLevelMenu({
+        serviceStatus: legacyServiceStatus,
+        moduleCount,
+        sourceRepoCount,
+    });
     if (selection.kind === 'exit') {
         return 'exit';
     }

package/dist/cockpit/daily-prompts.js

@@ -83,6 +83,18 @@ async function optionalTextArg(deps, message, fallback) {
         placeholder: fallback,
     }), fallback, deps);
 }
+async function optionalTextArgOrUndefined(deps, message, placeholder) {
+    const value = await deps.text({
+        message: menuPromptMessage(message, 'back'),
+        placeholder,
+    });
+    deps.handleCancel(value, 'back');
+    if (typeof value !== 'string') {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed.length === 0 ? undefined : trimmed;
+}
 async function databaseArg(cwd, deps, message, fallback, options = {}) {
     const databaseResult = normalizeDatabaseListResult(await deps.databases(cwd, options));
     const databases = databaseResult.databases;
@@ -139,7 +151,9 @@ export async function collectDailyActionArgs(command, cwd, promptDepsArg = {}) {
         return [];
     }
     if (command === 'logs') {
-        return [await optionalTextArg(deps, 'Service', 'odoo')];
+        const service = await optionalTextArg(deps, 'Service', 'odoo');
+        const tail = await optionalTextArgOrUndefined(deps, 'Tail line count (optional)', '100');
+        return tail ? [service, tail] : [service];
     }
     if (command === 'psql') {
         return [await databaseArg(cwd, deps, 'Database', 'postgres', { includeMaintenance: true })];

package/dist/daily-actions.js

@@ -1,8 +1,12 @@
 import { spawn } from 'node:child_process';
 import { access } from 'node:fs/promises';
 import { join } from 'node:path';
+import { appendAuditLog } from './audit-log.js';
 import { readEnvFile, selectedComposeEnvironment } from './compose-layout.js';
+import { defaultDatabaseSnapshotMaxAgeMs, findDatabaseSnapshots, normalizeDatabaseName } from './databases.js';
+import { evaluateDailyActionPolicy, } from './environment-policy.js';
 import { markerPath } from './environment.js';
+import { scanMigrationRisks } from './migrations.js';
 export const dailyActionCommands = [
     'start',
     'stop',
@@ -49,7 +53,7 @@ function usage(command) {
     if (command === 'stop')
         return 'Usage: wpmoo stop';
     if (command === 'logs')
-        return 'Usage: wpmoo logs [service]';
+        return 'Usage: wpmoo logs [service] [tail-lines]';
     if (command === 'restart')
         return 'Usage: wpmoo restart';
     if (command === 'shell')
@@ -86,7 +90,7 @@ function moduleArgs(command, argv) {
     const [modules, db, ...rest] = argv;
     if (!modules || modules.startsWith('-') || rest.length > 0)
         throw new Error(usage(command));
-    return db ? [modules, db] : [modules];
+    return db ? [modules, normalizeDatabaseName(db)] : [modules];
 }
 function positionalArgs(command, argv, min, max) {
     if (argv.length < min || argv.length > max || argv.some((arg) => arg.startsWith('-'))) {
@@ -94,6 +98,32 @@ function positionalArgs(command, argv, min, max) {
     }
     return argv;
 }
+function logsArgs(argv) {
+    if (argv.length > 2 || argv.some((arg) => arg.startsWith('-'))) {
+        throw new Error(usage('logs'));
+    }
+    const [service = 'odoo', tail] = argv;
+    if (tail === undefined) {
+        return [service];
+    }
+    if (!/^[1-9][0-9]*$/u.test(tail)) {
+        throw new Error('Invalid logs tail count: expected a positive integer.');
+    }
+    return [service, tail];
+}
+function validateDatabaseArg(args, index) {
+    if (args[index] === undefined) {
+        return args;
+    }
+    const nextArgs = [...args];
+    nextArgs[index] = normalizeDatabaseName(nextArgs[index]);
+    return nextArgs;
+}
+function rejectLeadingHyphenDatabaseArg(args) {
+    if (args[0]?.startsWith('-')) {
+        normalizeDatabaseName(args[0]);
+    }
+}
 function restoreSnapshotArgs(argv) {
     const args = [...argv];
     const dryRun = args[0] === '--dry-run';
@@ -103,7 +133,8 @@ function restoreSnapshotArgs(argv) {
     if (args.length < 1 || args.length > 2 || args.some((arg) => arg.startsWith('-'))) {
         throw new Error(usage('restore-snapshot'));
     }
-    return dryRun ? ['--dry-run', ...args] : args;
+    const validatedArgs = args.length === 2 ? validateDatabaseArg(args, 1) : args;
+    return dryRun ? ['--dry-run', ...validatedArgs] : validatedArgs;
 }
 function testArgs(argv) {
     const [modules, ...rest] = argv;
@@ -119,6 +150,9 @@ function testArgs(argv) {
         if (option === '--mode' && value !== 'auto' && value !== 'init' && value !== 'update') {
             throw new Error('Invalid value for --mode: expected auto, init, or update');
         }
+        if (option === '--db') {
+            normalizeDatabaseName(value);
+        }
         index += 1;
     }
     return argv;
@@ -129,88 +163,30 @@ function scriptArgs(command, argv) {
     if (command === 'stop')
         return ensureNoArgs(command, argv);
     if (command === 'logs')
-        return optionalSingleArg(command, argv, 'odoo');
+        return logsArgs(argv);
     if (command === 'restart')
         return ensureNoArgs(command, argv);
     if (command === 'shell')
         return ensureNoArgs(command, argv);
     if (command === 'psql')
-        return optionalSingleArg(command, argv, 'postgres');
+        return optionalSingleArg(command, argv, 'postgres').map(normalizeDatabaseName);
     if (command === 'install' || command === 'update')
         return moduleArgs(command, argv);
     if (command === 'test')
         return testArgs(argv);
-    if (command === 'resetdb')
-        return positionalArgs(command, argv, 0, 2);
-    if (command === 'snapshot')
-        return positionalArgs(command, argv, 0, 2);
+    if (command === 'resetdb') {
+        rejectLeadingHyphenDatabaseArg(argv);
+        return validateDatabaseArg(positionalArgs(command, argv, 0, 2), 0);
+    }
+    if (command === 'snapshot') {
+        rejectLeadingHyphenDatabaseArg(argv);
+        return validateDatabaseArg(positionalArgs(command, argv, 0, 2), 0);
+    }
     if (command === 'restore-snapshot')
         return restoreSnapshotArgs(argv);
     if (command === 'lint')
         return ensureNoArgs(command, argv);
-    return positionalArgs(command, argv, 1, 3);
-}
-function isDestructiveCommand(command, args) {
-    if (command === 'resetdb')
-        return true;
-    return command === 'restore-snapshot' && args[0] !== '--dry-run';
-}
-function isProductionLifecycleCommand(command) {
-    return command === 'install' || command === 'update' || command === 'test';
-}
-function isStageLifecycleCommand(command) {
-    return command === 'install' || command === 'update';
-}
-function destructiveCommandError(command, envName) {
-    return `Refusing destructive command '${command}' in WPMOO_ENV=${envName}. Set WPMOO_ALLOW_DESTRUCTIVE=1 to run it intentionally.`;
-}
-function stageLifecycleCommandError(command) {
-    return `Refusing stage lifecycle command '${command}' in WPMOO_ENV=stage. Set WPMOO_ALLOW_STAGE_LIFECYCLE=1 to run it intentionally.`;
-}
-function productionLifecycleCommandError(command) {
-    return `Refusing production lifecycle command '${command}' in WPMOO_ENV=prod. Set WPMOO_ALLOW_PROD_LIFECYCLE=1 to run it intentionally.`;
-}
-async function assertDestructiveCommandAllowed(command, args, cwd) {
-    if (!isDestructiveCommand(command, args)) {
-        return;
-    }
-    const env = await readEnvFile(cwd);
-    const envName = process.env.WPMOO_ENV?.trim() || selectedComposeEnvironment(env);
-    if (envName !== 'stage' && envName !== 'prod') {
-        return;
-    }
-    const allowDestructive = process.env.WPMOO_ALLOW_DESTRUCTIVE?.trim() || env?.get('WPMOO_ALLOW_DESTRUCTIVE')?.trim();
-    if (allowDestructive !== '1') {
-        throw new Error(destructiveCommandError(command, envName));
-    }
-}
-async function assertProductionLifecycleCommandAllowed(command, cwd) {
-    if (!isProductionLifecycleCommand(command)) {
-        return;
-    }
-    const env = await readEnvFile(cwd);
-    const envName = process.env.WPMOO_ENV?.trim() || selectedComposeEnvironment(env);
-    if (envName !== 'prod') {
-        return;
-    }
-    const allowProdLifecycle = process.env.WPMOO_ALLOW_PROD_LIFECYCLE?.trim() || env?.get('WPMOO_ALLOW_PROD_LIFECYCLE')?.trim();
-    if (allowProdLifecycle !== '1') {
-        throw new Error(productionLifecycleCommandError(command));
-    }
-}
-async function assertStageLifecycleCommandAllowed(command, cwd) {
-    if (!isStageLifecycleCommand(command)) {
-        return;
-    }
-    const env = await readEnvFile(cwd);
-    const envName = process.env.WPMOO_ENV?.trim() || selectedComposeEnvironment(env);
-    if (envName !== 'stage') {
-        return;
-    }
-    const allowStageLifecycle = process.env.WPMOO_ALLOW_STAGE_LIFECYCLE?.trim() || env?.get('WPMOO_ALLOW_STAGE_LIFECYCLE')?.trim();
-    if (allowStageLifecycle !== '1') {
-        throw new Error(stageLifecycleCommandError(command));
-    }
+    return validateDatabaseArg(positionalArgs(command, argv, 1, 3), 1);
 }
 async function assertEnvironmentRoot(cwd) {
     try {
@@ -230,17 +206,121 @@ async function assertScriptExists(cwd, script) {
     }
     return scriptPath;
 }
-export async function dailyActionPlan(command, argv, cwd = process.cwd()) {
+function envValue(env, key) {
+    return process.env[key]?.trim() || env?.get(key)?.trim();
+}
+function flagEnabled(env, key) {
+    return envValue(env, key) === '1';
+}
+function approvedFlags(env) {
+    return [
+        'WPMOO_ALLOW_DESTRUCTIVE',
+        'WPMOO_ALLOW_STAGE_LIFECYCLE',
+        'WPMOO_ALLOW_PROD_LIFECYCLE',
+        'WPMOO_ALLOW_NO_RECENT_SNAPSHOT',
+        'WPMOO_ALLOW_MIGRATIONS',
+    ].filter((key) => flagEnabled(env, key));
+}
+function requiresMigrationApproval(command) {
+    return command === 'install' || command === 'update' || command === 'test';
+}
+function noRecentSnapshotMessage(command, environment) {
+    return `Refusing destructive command '${command}' in WPMOO_ENV=${environment} without a recent database snapshot. Create a snapshot first or set WPMOO_ALLOW_NO_RECENT_SNAPSHOT=1 to run it intentionally.`;
+}
+function migrationRiskMessage(command, environment) {
+    return `Refusing migration-risk command '${command}' in WPMOO_ENV=${environment}. Review detected migration scripts or set WPMOO_ALLOW_MIGRATIONS=1 to run it intentionally.`;
+}
+async function auditDailyActionPreview(preview) {
+    if (preview.environment !== 'prod' || !preview.auditWorthy) {
+        return;
+    }
+    await appendAuditLog({
+        environmentPath: preview.cwd,
+        command: preview.command,
+        environment: preview.environment,
+        dryRun: preview.dryRun,
+        args: preview.args,
+        approvedFlagNames: [],
+        approvedFlags: preview.approvedFlags,
+    });
+}
+export async function dailyActionSafetyPreview(command, argv, cwd = process.cwd()) {
     await assertEnvironmentRoot(cwd);
     const scriptPath = await assertScriptExists(cwd, dailyActionScripts[command]);
     const args = scriptArgs(command, argv);
-    await assertStageLifecycleCommandAllowed(command, cwd);
-    await assertProductionLifecycleCommandAllowed(command, cwd);
-    await assertDestructiveCommandAllowed(command, args, cwd);
+    const env = await readEnvFile(cwd);
+    const envName = envValue(env, 'WPMOO_ENV') || selectedComposeEnvironment(env);
+    const policy = evaluateDailyActionPolicy(command, args, {
+        envName,
+        allowDestructive: envValue(env, 'WPMOO_ALLOW_DESTRUCTIVE'),
+        allowStageLifecycle: envValue(env, 'WPMOO_ALLOW_STAGE_LIFECYCLE'),
+        allowProdLifecycle: envValue(env, 'WPMOO_ALLOW_PROD_LIFECYCLE'),
+    });
+    const warnings = [];
+    const snapshotRequired = policy.isDestructive && (policy.env === 'stage' || policy.env === 'prod');
+    const snapshot = snapshotRequired ? findDatabaseSnapshots(cwd) : undefined;
+    const noRecentSnapshot = snapshotRequired &&
+        snapshot &&
+        (snapshot.newestSnapshotAgeMs === null || snapshot.newestSnapshotAgeMs > defaultDatabaseSnapshotMaxAgeMs) &&
+        !flagEnabled(env, 'WPMOO_ALLOW_NO_RECENT_SNAPSHOT');
+    if (noRecentSnapshot) {
+        warnings.push({
+            kind: 'no-recent-snapshot',
+            requiredFlag: 'WPMOO_ALLOW_NO_RECENT_SNAPSHOT',
+            blocking: true,
+            message: noRecentSnapshotMessage(command, policy.env),
+        });
+    }
+    const migrations = requiresMigrationApproval(command) && (policy.env === 'stage' || policy.env === 'prod')
+        ? await scanMigrationRisks(cwd)
+        : undefined;
+    if (migrations?.risk && !flagEnabled(env, 'WPMOO_ALLOW_MIGRATIONS')) {
+        warnings.push({
+            kind: 'migration-risk',
+            requiredFlag: 'WPMOO_ALLOW_MIGRATIONS',
+            blocking: true,
+            message: migrationRiskMessage(command, policy.env),
+        });
+    }
     return {
         cwd,
         scriptPath,
         args,
+        command,
+        environment: policy.env,
+        dryRun: policy.isDryRunPreview,
+        destructive: policy.isDestructive,
+        auditWorthy: policy.isAuditWorthy,
+        allowed: policy.allowed,
+        deny: policy.allowed ? undefined : { ...policy.deny, message: policy.message },
+        refusalMessage: policy.allowed ? undefined : policy.message,
+        requiredFlag: policy.allowed ? undefined : policy.deny.requiredFlag,
+        warnings,
+        snapshot: snapshot
+            ? {
+                requiredRecent: true,
+                newestSnapshotAgeMs: snapshot.newestSnapshotAgeMs,
+                snapshotPaths: snapshot.snapshotPaths,
+            }
+            : undefined,
+        migrations,
+        approvedFlags: approvedFlags(env),
+    };
+}
+export async function dailyActionPlan(command, argv, cwd = process.cwd()) {
+    const preview = await dailyActionSafetyPreview(command, argv, cwd);
+    await auditDailyActionPreview(preview);
+    if (!preview.allowed) {
+        throw new Error(preview.refusalMessage);
+    }
+    const blockingWarning = preview.warnings.find((warning) => warning.blocking);
+    if (blockingWarning) {
+        throw new Error(blockingWarning.message);
+    }
+    return {
+        cwd: preview.cwd,
+        scriptPath: preview.scriptPath,
+        args: preview.args,
     };
 }
 async function spawnDailyAction(plan) {
@@ -263,6 +343,12 @@ function renderDailyActionOutputLine(line) {
     if (line === "Running as user 'root' is a security risk.") {
         return `${ANSI_DIM_INFO}${line}${ANSI_RESET}`;
     }
+    if (line.includes('psycopg2.OperationalError')) {
+        return [
+            line,
+            `${ANSI_DIM_INFO}NOTE: PostgreSQL connection failed. Check ./moo status, database service readiness, and credentials before retrying.${ANSI_RESET}`,
+        ].join('\n');
+    }
     return line;
 }
 export function renderDailyActionOutput(output) {

package/dist/databases.js

@@ -1,5 +1,38 @@
+import { readdirSync, statSync } from 'node:fs';
+import { join } from 'node:path';
 import { spawn } from 'node:child_process';
+export const defaultDatabaseSnapshotMaxAgeMs = 24 * 60 * 60 * 1000;
+export const databaseSnapshotDirectoryNames = ['backups', 'backup', 'snapshots'];
+export const databaseSnapshotExtensions = ['.dump', '.sql', '.sql.gz', '.zip', '.tar', '.tar.gz'];
+function isDatabaseSnapshotFile(fileName, extensions) {
+    const normalized = fileName.toLowerCase();
+    return extensions.some((extension) => normalized.endsWith(extension));
+}
 const maintenanceDatabases = new Set(['postgres']);
+const databaseNamePattern = /^[A-Za-z0-9_.-]+$/u;
+export function isValidDatabaseName(value) {
+    const normalized = value.trim();
+    return (normalized.length > 0 &&
+        !normalized.startsWith('-') &&
+        databaseNamePattern.test(normalized) &&
+        !/\s/u.test(value));
+}
+export function normalizeDatabaseName(value) {
+    const normalized = value.trim();
+    if (!normalized) {
+        throw new Error('Invalid database name: value is required.');
+    }
+    if (/\s/u.test(value)) {
+        throw new Error('Invalid database name: whitespace is not allowed.');
+    }
+    if (normalized.startsWith('-')) {
+        throw new Error('Invalid database name: leading hyphens are not allowed.');
+    }
+    if (!databaseNamePattern.test(normalized)) {
+        throw new Error('Invalid database name: use letters, digits, underscores, dots, or hyphens without shell metacharacters or path characters.');
+    }
+    return normalized;
+}
 const listDatabasesQuery = [
     'SELECT datname',
     'FROM pg_database',
@@ -22,6 +55,54 @@ export function parseDatabaseListOutput(output, options = {}) {
     }
     return databases;
 }
+export function findDatabaseSnapshots(targetDirectory, options = {}) {
+    const { nowMs = Date.now(), snapshotDirectories = [...databaseSnapshotDirectoryNames], snapshotExtensions = [...databaseSnapshotExtensions], } = options;
+    const snapshots = [];
+    for (const directoryName of snapshotDirectories) {
+        const directory = join(targetDirectory, directoryName);
+        let entries;
+        try {
+            entries = readdirSync(directory, { withFileTypes: true });
+        }
+        catch (error) {
+            if (error.code === 'ENOENT') {
+                continue;
+            }
+            throw error;
+        }
+        for (const entry of entries) {
+            if (!isDatabaseSnapshotFile(entry.name, snapshotExtensions)) {
+                continue;
+            }
+            const path = join(directory, entry.name);
+            let stats;
+            try {
+                stats = statSync(path);
+            }
+            catch {
+                continue;
+            }
+            if (!stats.isFile()) {
+                continue;
+            }
+            const mtimeMs = stats.mtimeMs;
+            const ageMs = Math.max(0, nowMs - mtimeMs);
+            snapshots.push({ path, mtimeMs, ageMs });
+        }
+    }
+    snapshots.sort((a, b) => b.mtimeMs - a.mtimeMs || a.path.localeCompare(b.path));
+    const newestSnapshot = snapshots[0] ?? null;
+    return {
+        snapshots,
+        snapshotPaths: snapshots.map((snapshot) => snapshot.path),
+        newestSnapshotAgeMs: newestSnapshot ? newestSnapshot.ageMs : null,
+    };
+}
+export function hasRecentDatabaseSnapshot(targetDirectory, options = {}) {
+    const { maxAgeMs = defaultDatabaseSnapshotMaxAgeMs, ...scanOptions } = options;
+    const result = findDatabaseSnapshots(targetDirectory, scanOptions);
+    return result.newestSnapshotAgeMs !== null && result.newestSnapshotAgeMs <= maxAgeMs;
+}
 export function normalizeDatabaseListResult(result) {
     if (Array.isArray(result)) {
         return { ok: true, databases: result };