@xera-ai/core 0.12.0 → 0.12.2

package/bin/internal.ts

@@ -1,11 +1,34 @@
 #!/usr/bin/env bun
-import { config } from 'dotenv';
+import { existsSync, readFileSync } from 'node:fs';
+import { config, parse } from 'dotenv';
 import { run } from '../src/bin-internal/index';
 
-// Load .env.local (secrets, gitignored) then .env (defaults) so every
-// xera-internal subcommand has access to credentials without requiring
-// the caller to pre-load env.
-config({ path: '.env.local' });
+// xera canonicalizes on `.env` (gitignored; see `xera init`, `xera doctor`,
+// scaffolded `.gitignore`). The Bun runtime auto-loads dotenv files BEFORE
+// this script runs, and Bun's precedence puts `.env.local` ahead of `.env` —
+// so a stale value in `.env.local` would silently override the canonical
+// value in `.env` (issue #92, post-#103 followup).
+//
+// Mitigation: warn when `.env.local` exists AND surgically force `.env`'s
+// values to win for any key present in both files. We touch only keys
+// already in `.env.local` so shell-injected and CI-injected env vars
+// (which the user did not put in `.env.local`) stay untouched.
+if (existsSync('.env.local')) {
+  console.error(
+    '\nwarning: .env.local detected — xera uses .env as the canonical source. ' +
+      'Values in .env will be forced to win for any key in both files; ' +
+      'merge values into .env and delete .env.local to silence this warning.\n',
+  );
+  if (existsSync('.env')) {
+    const localKeys = Object.keys(parse(readFileSync('.env.local')));
+    const envValues = parse(readFileSync('.env'));
+    for (const k of localKeys) {
+      const v = envValues[k];
+      if (v !== undefined) process.env[k] = v;
+    }
+  }
+}
+// Safety net for non-Bun invocations (Bun already auto-loaded `.env`).
 config();
 
 const code = await run(process.argv.slice(2));

package/dist/bin/internal.js

@@ -8559,6 +8559,7 @@ var init_graph_backfill = __esm(() => {
 
 // bin/internal.ts
 var import_dotenv = __toESM(require_main(), 1);
+import { existsSync as existsSync33, readFileSync as readFileSync29 } from "fs";
 
 // src/bin-internal/ac-coverage-backfill-finalize.ts
 init_store();
@@ -8797,7 +8798,7 @@ var CoverageSchema = z3.object({
   criticalAreas: z3.array(z3.string().regex(/^[a-z0-9-]+$/)).default([]),
   autoSnapshotOnCoverage: z3.boolean().default(true)
 }).prefault({});
-var XeraConfigSchema = z3.object({
+var XeraConfigSchema = z3.strictObject({
   jira: JiraSchema,
   web: WebSchema.optional(),
   http: HttpSchema.optional(),
@@ -8852,6 +8853,46 @@ async function authSetupCmd(argv) {
   }
   const mod = await import(pathToFileURL2(authSetupScript).href);
   let exitCode = 0;
+  const shapeRequestsWeb = opts.shape === "all" || opts.shape === "web";
+  const shapeRequestsHttp = opts.shape === "all" || opts.shape === "http";
+  const explicit = opts.shape !== "all";
+  if (shapeRequestsWeb && config.web && typeof mod.web !== "function") {
+    console.error(`[xera:auth-setup] web adapter is configured in xera.config.ts but shared/auth-setup.ts is missing the \`web\` export.
+` + `                  Add: \`export const web = defineAuthSetup(async (page, role, creds) => { ... })\` \u2014 see docs/CONFIGURATION.md`);
+    exitCode = 1;
+  }
+  if (shapeRequestsHttp && config.http && typeof mod.http !== "function") {
+    console.error(`[xera:auth-setup] http adapter is configured in xera.config.ts but shared/auth-setup.ts is missing the \`http\` export.
+` + `                  Add: \`export const http = defineHttpAuthSetup(async (request, role, creds) => { ... })\` \u2014 see docs/CONFIGURATION.md`);
+    exitCode = 1;
+  }
+  if (explicit && opts.shape === "web" && !config.web) {
+    console.error(`[xera:auth-setup] --shape web requested, but xera.config.ts has no \`web\` block. Add a web: {...} block or use --shape http/all.`);
+    exitCode = 1;
+  }
+  if (explicit && opts.shape === "http" && !config.http) {
+    console.error(`[xera:auth-setup] --shape http requested, but xera.config.ts has no \`http\` block. Add an http: {...} block or use --shape web/all.`);
+    exitCode = 1;
+  }
+  if (!config.web && !config.http) {
+    console.error(`[xera:auth-setup] no \`web\` or \`http\` block found in xera.config.ts \u2014 nothing to authenticate.`);
+    exitCode = 1;
+  }
+  if (opts.role !== undefined) {
+    const webRoles = shapeRequestsWeb && config.web ? Object.keys(config.web.auth.roles) : [];
+    const httpRoles = shapeRequestsHttp && config.http ? Object.keys(config.http.auth.roles) : [];
+    const allRoles = Array.from(new Set([...webRoles, ...httpRoles]));
+    if (allRoles.length > 0 && !allRoles.includes(opts.role)) {
+      const detail = [];
+      if (webRoles.length > 0)
+        detail.push(`web roles: ${webRoles.join(", ")}`);
+      if (httpRoles.length > 0)
+        detail.push(`http roles: ${httpRoles.join(", ")}`);
+      console.error(`[xera:auth-setup] unknown role '${opts.role}' \u2014 configured roles: ${allRoles.join(", ")}
+                  (${detail.join("; ")})`);
+      return 1;
+    }
+  }
   if ((opts.shape === "all" || opts.shape === "web") && config.web && typeof mod.web === "function") {
     const webConfig = config.web;
     const envName = process.env.XERA_ENV ?? webConfig.defaultEnv;
@@ -13313,7 +13354,20 @@ Commands: ${Object.keys(COMMANDS).join(", ")}`);
 }
 
 // bin/internal.ts
-import_dotenv.config({ path: ".env.local" });
+if (existsSync33(".env.local")) {
+  console.error(`
+warning: .env.local detected \u2014 xera uses .env as the canonical source. ` + "Values in .env will be forced to win for any key in both files; " + `merge values into .env and delete .env.local to silence this warning.
+`);
+  if (existsSync33(".env")) {
+    const localKeys = Object.keys(import_dotenv.parse(readFileSync29(".env.local")));
+    const envValues = import_dotenv.parse(readFileSync29(".env"));
+    for (const k of localKeys) {
+      const v = envValues[k];
+      if (v !== undefined)
+        process.env[k] = v;
+    }
+  }
+}
 import_dotenv.config();
 var code = await run(process.argv.slice(2));
 process.exit(code);

package/dist/src/index.js

@@ -401,7 +401,7 @@ var CoverageSchema = z4.object({
   criticalAreas: z4.array(z4.string().regex(/^[a-z0-9-]+$/)).default([]),
   autoSnapshotOnCoverage: z4.boolean().default(true)
 }).prefault({});
-var XeraConfigSchema = z4.object({
+var XeraConfigSchema = z4.strictObject({
   jira: JiraSchema,
   web: WebSchema.optional(),
   http: HttpSchema.optional(),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xera-ai/core",
-  "version": "0.12.0",
+  "version": "0.12.2",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -31,8 +31,8 @@
   },
   "dependencies": {
     "zod": "4.4.3",
-    "@xera-ai/web": "^0.12.0",
-    "@xera-ai/http": "^0.12.0",
+    "@xera-ai/web": "^0.12.2",
+    "@xera-ai/http": "^0.12.2",
     "@playwright/test": "1.60.0",
     "dotenv": "^16.0.0",
     "fflate": "0.8.3",

package/src/bin-internal/auth-setup.ts

@@ -44,6 +44,66 @@ export async function authSetupCmd(argv: string[]): Promise<number> {
 
   let exitCode = 0;
 
+  // Pre-flight: detect requested-but-impossible shapes before we silently no-op.
+  // This is the issue #93 fix: previously `--shape http` against a project where
+  // shared/auth-setup.ts only exports `web` would print nothing and exit 0,
+  // leaving the user in an infinite "doctor says run auth-setup" loop.
+  const shapeRequestsWeb = opts.shape === 'all' || opts.shape === 'web';
+  const shapeRequestsHttp = opts.shape === 'all' || opts.shape === 'http';
+  const explicit = opts.shape !== 'all';
+
+  if (shapeRequestsWeb && config.web && typeof mod.web !== 'function') {
+    console.error(
+      `[xera:auth-setup] web adapter is configured in xera.config.ts but shared/auth-setup.ts is missing the \`web\` export.\n` +
+        `                  Add: \`export const web = defineAuthSetup(async (page, role, creds) => { ... })\` — see docs/CONFIGURATION.md`,
+    );
+    exitCode = 1;
+  }
+  if (shapeRequestsHttp && config.http && typeof mod.http !== 'function') {
+    console.error(
+      `[xera:auth-setup] http adapter is configured in xera.config.ts but shared/auth-setup.ts is missing the \`http\` export.\n` +
+        `                  Add: \`export const http = defineHttpAuthSetup(async (request, role, creds) => { ... })\` — see docs/CONFIGURATION.md`,
+    );
+    exitCode = 1;
+  }
+  if (explicit && opts.shape === 'web' && !config.web) {
+    console.error(
+      `[xera:auth-setup] --shape web requested, but xera.config.ts has no \`web\` block. Add a web: {...} block or use --shape http/all.`,
+    );
+    exitCode = 1;
+  }
+  if (explicit && opts.shape === 'http' && !config.http) {
+    console.error(
+      `[xera:auth-setup] --shape http requested, but xera.config.ts has no \`http\` block. Add an http: {...} block or use --shape web/all.`,
+    );
+    exitCode = 1;
+  }
+  if (!config.web && !config.http) {
+    console.error(
+      `[xera:auth-setup] no \`web\` or \`http\` block found in xera.config.ts — nothing to authenticate.`,
+    );
+    exitCode = 1;
+  }
+
+  // Unknown-role detection (#98): without this, a typoed --role silently
+  // matches no iteration of the per-adapter loops and we exit 0 — leaving
+  // the user wondering why `xera doctor` still reports the auth file missing.
+  if (opts.role !== undefined) {
+    const webRoles = shapeRequestsWeb && config.web ? Object.keys(config.web.auth.roles) : [];
+    const httpRoles = shapeRequestsHttp && config.http ? Object.keys(config.http.auth.roles) : [];
+    const allRoles = Array.from(new Set([...webRoles, ...httpRoles]));
+    if (allRoles.length > 0 && !allRoles.includes(opts.role)) {
+      const detail: string[] = [];
+      if (webRoles.length > 0) detail.push(`web roles: ${webRoles.join(', ')}`);
+      if (httpRoles.length > 0) detail.push(`http roles: ${httpRoles.join(', ')}`);
+      console.error(
+        `[xera:auth-setup] unknown role '${opts.role}' — configured roles: ${allRoles.join(', ')}\n` +
+          `                  (${detail.join('; ')})`,
+      );
+      return 1;
+    }
+  }
+
   // Web roles
   if (
     (opts.shape === 'all' || opts.shape === 'web') &&

package/src/config/schema.ts

@@ -120,7 +120,7 @@ const CoverageSchema = z
   .prefault({});
 
 export const XeraConfigSchema = z
-  .object({
+  .strictObject({
     jira: JiraSchema,
     web: WebSchema.optional(),
     http: HttpSchema.optional(),