@zuplo/cli 6.70.14 → 6.70.16

package/dist/ca-certificate/create/handler.d.ts

@@ -0,0 +1,3 @@
+import { CreateArguments } from "../models.js";
+export declare function create(argv: CreateArguments): Promise<void>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/ca-certificate/create/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/ca-certificate/create/handler.ts"],"names":[],"mappings":"AAQA,OAAO,EAAiB,eAAe,EAAE,MAAM,cAAc,CAAC;AAO9D,wBAAsB,MAAM,CAAC,IAAI,EAAE,eAAe,iBAwDjD"}

package/dist/ca-certificate/create/handler.js

@@ -0,0 +1,46 @@
+import { readFileSync } from "node:fs";
+import { createApiClient } from "../../common/api/client.js";
+import { logger } from "../../common/logger.js";
+import { printDiagnosticsToConsole, printJsonToConsoleAndExitGracefully, printResultToConsole, } from "../../common/output.js";
+import { isValidationError, parseAndValidateCaCertificate, validateName, } from "../validation.js";
+export async function create(argv) {
+    const { account } = argv;
+    const nameError = validateName(argv.name);
+    if (nameError) {
+        printDiagnosticsToConsole(`Error: --name is invalid. ${nameError.message}`);
+        return;
+    }
+    let certificate;
+    try {
+        certificate = readFileSync(argv.cert, "utf-8");
+    }
+    catch (error) {
+        logger.error(error, "Failed to read CA certificate file");
+        printDiagnosticsToConsole(`Error: Failed to read CA certificate file at ${argv.cert}`, error instanceof Error ? error.message : String(error));
+        return;
+    }
+    const parsed = parseAndValidateCaCertificate(certificate);
+    if (isValidationError(parsed)) {
+        printDiagnosticsToConsole(`Error: ${argv.cert} is not a valid CA certificate. ${parsed.message}`, parsed.hint);
+        return;
+    }
+    const client = createApiClient({ authToken: argv.authToken });
+    const cert = await client.post(`/v1/accounts/${account}/client-mtls-ca-certificates`, {
+        operation: "Failed to create CA certificate",
+        errorMessage: "Error: Failed to create CA certificate. Check the arguments.",
+        body: {
+            name: argv.name,
+            certificate,
+        },
+    });
+    if (argv.output === "json") {
+        await printJsonToConsoleAndExitGracefully(cert);
+        return;
+    }
+    const subject = cert.certificateInfo.subject.replace(/\n/g, ", ");
+    printResultToConsole(`CA certificate '${cert.name}' (${cert.id}) created successfully\n` +
+        `  Subject: ${subject}\n` +
+        `  Valid from: ${cert.certificateInfo.validFrom}\n` +
+        `  Valid to: ${cert.certificateInfo.validTo}`);
+}
+//# sourceMappingURL=handler.js.map

package/dist/ca-certificate/create/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/ca-certificate/create/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,EACjB,6BAA6B,EAC7B,YAAY,GACb,MAAM,kBAAkB,CAAC;AAE1B,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAqB;IAChD,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAEzB,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,SAAS,EAAE,CAAC;QACd,yBAAyB,CAAC,6BAA6B,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,oCAAoC,CAAC,CAAC;QAC1D,yBAAyB,CACvB,gDAAgD,IAAI,CAAC,IAAI,EAAE,EAC3D,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CACvD,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,6BAA6B,CAAC,WAAW,CAAC,CAAC;IAC1D,IAAI,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9B,yBAAyB,CACvB,UAAU,IAAI,CAAC,IAAI,mCAAmC,MAAM,CAAC,OAAO,EAAE,EACtE,MAAM,CAAC,IAAI,CACZ,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,IAAI,CAC5B,gBAAgB,OAAO,8BAA8B,EACrD;QACE,SAAS,EAAE,iCAAiC;QAC5C,YAAY,EACV,8DAA8D;QAChE,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,WAAW;SACZ;KACF,CACF,CAAC;IAEF,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,mCAAmC,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAClE,oBAAoB,CAClB,mBAAmB,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,0BAA0B;QACjE,cAAc,OAAO,IAAI;QACzB,iBAAiB,IAAI,CAAC,eAAe,CAAC,SAAS,IAAI;QACnD,eAAe,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAChD,CAAC;AACJ,CAAC","sourcesContent":["import { readFileSync } from \"node:fs\";\nimport { createApiClient } from \"../../common/api/client.js\";\nimport { logger } from \"../../common/logger.js\";\nimport {\n  printDiagnosticsToConsole,\n  printJsonToConsoleAndExitGracefully,\n  printResultToConsole,\n} from \"../../common/output.js\";\nimport { CaCertificate, CreateArguments } from \"../models.js\";\nimport {\n  isValidationError,\n  parseAndValidateCaCertificate,\n  validateName,\n} from \"../validation.js\";\n\nexport async function create(argv: CreateArguments) {\n  const { account } = argv;\n\n  const nameError = validateName(argv.name);\n  if (nameError) {\n    printDiagnosticsToConsole(`Error: --name is invalid. ${nameError.message}`);\n    return;\n  }\n\n  let certificate: string;\n  try {\n    certificate = readFileSync(argv.cert, \"utf-8\");\n  } catch (error) {\n    logger.error(error, \"Failed to read CA certificate file\");\n    printDiagnosticsToConsole(\n      `Error: Failed to read CA certificate file at ${argv.cert}`,\n      error instanceof Error ? error.message : String(error)\n    );\n    return;\n  }\n\n  const parsed = parseAndValidateCaCertificate(certificate);\n  if (isValidationError(parsed)) {\n    printDiagnosticsToConsole(\n      `Error: ${argv.cert} is not a valid CA certificate. ${parsed.message}`,\n      parsed.hint\n    );\n    return;\n  }\n\n  const client = createApiClient({ authToken: argv.authToken });\n  const cert = await client.post<CaCertificate>(\n    `/v1/accounts/${account}/client-mtls-ca-certificates`,\n    {\n      operation: \"Failed to create CA certificate\",\n      errorMessage:\n        \"Error: Failed to create CA certificate. Check the arguments.\",\n      body: {\n        name: argv.name,\n        certificate,\n      },\n    }\n  );\n\n  if (argv.output === \"json\") {\n    await printJsonToConsoleAndExitGracefully(cert);\n    return;\n  }\n\n  const subject = cert.certificateInfo.subject.replace(/\\n/g, \", \");\n  printResultToConsole(\n    `CA certificate '${cert.name}' (${cert.id}) created successfully\\n` +\n      `  Subject: ${subject}\\n` +\n      `  Valid from: ${cert.certificateInfo.validFrom}\\n` +\n      `  Valid to: ${cert.certificateInfo.validTo}`\n  );\n}\n"]}

package/dist/ca-certificate/delete/handler.d.ts

@@ -0,0 +1,3 @@
+import { DeleteArguments } from "../models.js";
+export declare function deleteCommand(argv: DeleteArguments): Promise<void>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/ca-certificate/delete/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/ca-certificate/delete/handler.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C,wBAAsB,aAAa,CAAC,IAAI,EAAE,eAAe,iBAoBxD"}

package/dist/ca-certificate/delete/handler.js

@@ -0,0 +1,18 @@
+import { createApiClient } from "../../common/api/client.js";
+import { printJsonToConsoleAndExitGracefully, printResultToConsole, } from "../../common/output.js";
+export async function deleteCommand(argv) {
+    const { account } = argv;
+    const certId = argv["cert-id"];
+    const client = createApiClient({ authToken: argv.authToken });
+    await client.delete(`/v1/accounts/${account}/client-mtls-ca-certificates/${encodeURIComponent(certId)}`, {
+        operation: "Failed to delete CA certificate",
+        errorMessage: "Error: Failed to delete CA certificate.",
+        emptyResponse: true,
+    });
+    if (argv.output === "json") {
+        await printJsonToConsoleAndExitGracefully({ id: certId, deleted: true });
+        return;
+    }
+    printResultToConsole(`CA certificate ${certId} deleted successfully`);
+}
+//# sourceMappingURL=handler.js.map

package/dist/ca-certificate/delete/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/ca-certificate/delete/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EACL,mCAAmC,EACnC,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAGhC,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAAqB;IACvD,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACzB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;IAE/B,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,MAAM,MAAM,CAAC,MAAM,CACjB,gBAAgB,OAAO,gCAAgC,kBAAkB,CAAC,MAAM,CAAC,EAAE,EACnF;QACE,SAAS,EAAE,iCAAiC;QAC5C,YAAY,EAAE,yCAAyC;QACvD,aAAa,EAAE,IAAI;KACpB,CACF,CAAC;IAEF,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,mCAAmC,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,OAAO;IACT,CAAC;IAED,oBAAoB,CAAC,kBAAkB,MAAM,uBAAuB,CAAC,CAAC;AACxE,CAAC","sourcesContent":["import { createApiClient } from \"../../common/api/client.js\";\nimport {\n  printJsonToConsoleAndExitGracefully,\n  printResultToConsole,\n} from \"../../common/output.js\";\nimport { DeleteArguments } from \"../models.js\";\n\nexport async function deleteCommand(argv: DeleteArguments) {\n  const { account } = argv;\n  const certId = argv[\"cert-id\"];\n\n  const client = createApiClient({ authToken: argv.authToken });\n  await client.delete(\n    `/v1/accounts/${account}/client-mtls-ca-certificates/${encodeURIComponent(certId)}`,\n    {\n      operation: \"Failed to delete CA certificate\",\n      errorMessage: \"Error: Failed to delete CA certificate.\",\n      emptyResponse: true,\n    }\n  );\n\n  if (argv.output === \"json\") {\n    await printJsonToConsoleAndExitGracefully({ id: certId, deleted: true });\n    return;\n  }\n\n  printResultToConsole(`CA certificate ${certId} deleted successfully`);\n}\n"]}

package/dist/ca-certificate/describe/handler.d.ts

@@ -0,0 +1,3 @@
+import { DescribeArguments } from "../models.js";
+export declare function describe(argv: DescribeArguments): Promise<void>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/ca-certificate/describe/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/ca-certificate/describe/handler.ts"],"names":[],"mappings":"AAMA,OAAO,EAA6B,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAK5E,wBAAsB,QAAQ,CAAC,IAAI,EAAE,iBAAiB,iBAuCrD"}

package/dist/ca-certificate/describe/handler.js

@@ -0,0 +1,32 @@
+import { createApiClient } from "../../common/api/client.js";
+import { printDiagnosticsToConsole, printJsonToConsoleAndExitGracefully, printResultToConsole, } from "../../common/output.js";
+export async function describe(argv) {
+    const { account } = argv;
+    const certId = argv["cert-id"];
+    const client = createApiClient({ authToken: argv.authToken });
+    const response = await client.get(`/v1/accounts/${account}/client-mtls-ca-certificates`, {
+        operation: "Failed to describe CA certificate",
+        errorMessage: "Error: Failed to describe CA certificate.",
+    });
+    const cert = response.data.find((c) => c.id === certId);
+    if (!cert) {
+        printDiagnosticsToConsole(`Error: CA certificate with ID '${certId}' not found in account '${account}'`);
+        return;
+    }
+    if (argv.output === "json") {
+        await printJsonToConsoleAndExitGracefully(cert);
+        return;
+    }
+    const subject = cert.certificateInfo.subject.replace(/\n/g, ", ");
+    const issuer = cert.certificateInfo.issuer.replace(/\n/g, ", ");
+    printResultToConsole(`  ID: ${cert.id}\n` +
+        `  Name: ${cert.name}\n` +
+        `  Subject: ${subject}\n` +
+        `  Issuer: ${issuer}\n` +
+        `  Serial: ${cert.certificateInfo.serialNumber}\n` +
+        `  Valid from: ${cert.certificateInfo.validFrom}\n` +
+        `  Valid to: ${cert.certificateInfo.validTo}\n` +
+        `  Created: ${cert.createdOn}\n` +
+        `  Updated: ${cert.updatedOn}`);
+}
+//# sourceMappingURL=handler.js.map

package/dist/ca-certificate/describe/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/ca-certificate/describe/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAMhC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAuB;IACpD,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACzB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;IAE/B,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,gBAAgB,OAAO,8BAA8B,EACrD;QACE,SAAS,EAAE,mCAAmC;QAC9C,YAAY,EAAE,2CAA2C;KAC1D,CACF,CAAC;IAEF,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,yBAAyB,CACvB,kCAAkC,MAAM,2BAA2B,OAAO,GAAG,CAC9E,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,mCAAmC,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAClE,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAChE,oBAAoB,CAClB,SAAS,IAAI,CAAC,EAAE,IAAI;QAClB,WAAW,IAAI,CAAC,IAAI,IAAI;QACxB,cAAc,OAAO,IAAI;QACzB,aAAa,MAAM,IAAI;QACvB,aAAa,IAAI,CAAC,eAAe,CAAC,YAAY,IAAI;QAClD,iBAAiB,IAAI,CAAC,eAAe,CAAC,SAAS,IAAI;QACnD,eAAe,IAAI,CAAC,eAAe,CAAC,OAAO,IAAI;QAC/C,cAAc,IAAI,CAAC,SAAS,IAAI;QAChC,cAAc,IAAI,CAAC,SAAS,EAAE,CACjC,CAAC;AACJ,CAAC","sourcesContent":["import { createApiClient } from \"../../common/api/client.js\";\nimport {\n  printDiagnosticsToConsole,\n  printJsonToConsoleAndExitGracefully,\n  printResultToConsole,\n} from \"../../common/output.js\";\nimport { CaCertificateListResponse, DescribeArguments } from \"../models.js\";\n\n// developer-api does not currently expose GET /client-mtls-ca-certificates/{id},\n// so we fetch the list and filter client-side. Switch to a direct GET when the\n// route is added.\nexport async function describe(argv: DescribeArguments) {\n  const { account } = argv;\n  const certId = argv[\"cert-id\"];\n\n  const client = createApiClient({ authToken: argv.authToken });\n  const response = await client.get<CaCertificateListResponse>(\n    `/v1/accounts/${account}/client-mtls-ca-certificates`,\n    {\n      operation: \"Failed to describe CA certificate\",\n      errorMessage: \"Error: Failed to describe CA certificate.\",\n    }\n  );\n\n  const cert = response.data.find((c) => c.id === certId);\n  if (!cert) {\n    printDiagnosticsToConsole(\n      `Error: CA certificate with ID '${certId}' not found in account '${account}'`\n    );\n    return;\n  }\n\n  if (argv.output === \"json\") {\n    await printJsonToConsoleAndExitGracefully(cert);\n    return;\n  }\n\n  const subject = cert.certificateInfo.subject.replace(/\\n/g, \", \");\n  const issuer = cert.certificateInfo.issuer.replace(/\\n/g, \", \");\n  printResultToConsole(\n    `  ID: ${cert.id}\\n` +\n      `  Name: ${cert.name}\\n` +\n      `  Subject: ${subject}\\n` +\n      `  Issuer: ${issuer}\\n` +\n      `  Serial: ${cert.certificateInfo.serialNumber}\\n` +\n      `  Valid from: ${cert.certificateInfo.validFrom}\\n` +\n      `  Valid to: ${cert.certificateInfo.validTo}\\n` +\n      `  Created: ${cert.createdOn}\\n` +\n      `  Updated: ${cert.updatedOn}`\n  );\n}\n"]}

package/dist/ca-certificate/list/handler.d.ts

@@ -0,0 +1,3 @@
+import { ListArguments } from "../models.js";
+export declare function list(argv: ListArguments): Promise<void>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/ca-certificate/list/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/ca-certificate/list/handler.ts"],"names":[],"mappings":"AAKA,OAAO,EAA6B,aAAa,EAAE,MAAM,cAAc,CAAC;AAExE,wBAAsB,IAAI,CAAC,IAAI,EAAE,aAAa,iBAkC7C"}

package/dist/ca-certificate/list/handler.js

@@ -0,0 +1,28 @@
+import { createApiClient } from "../../common/api/client.js";
+import { printJsonToConsoleAndExitGracefully, printResultToConsole, } from "../../common/output.js";
+export async function list(argv) {
+    const { account } = argv;
+    const client = createApiClient({ authToken: argv.authToken });
+    const response = await client.get(`/v1/accounts/${account}/client-mtls-ca-certificates`, {
+        operation: "Failed to list CA certificates",
+        errorMessage: "Error: Failed to list CA certificates.",
+    });
+    if (argv.output === "json") {
+        await printJsonToConsoleAndExitGracefully(response);
+        return;
+    }
+    if (response.data.length === 0) {
+        printResultToConsole("No CA certificates found");
+        return;
+    }
+    printResultToConsole(`Found ${response.data.length} CA certificate(s):\n`);
+    for (const cert of response.data) {
+        const subject = cert.certificateInfo.subject.replace(/\n/g, ", ");
+        printResultToConsole(`  ID: ${cert.id}\n` +
+            `  Name: ${cert.name}\n` +
+            `  Subject: ${subject}\n` +
+            `  Valid from: ${cert.certificateInfo.validFrom}\n` +
+            `  Valid to: ${cert.certificateInfo.validTo}\n`);
+    }
+}
+//# sourceMappingURL=handler.js.map

package/dist/ca-certificate/list/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/ca-certificate/list/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EACL,mCAAmC,EACnC,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAGhC,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAmB;IAC5C,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAEzB,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,gBAAgB,OAAO,8BAA8B,EACrD;QACE,SAAS,EAAE,gCAAgC;QAC3C,YAAY,EAAE,wCAAwC;KACvD,CACF,CAAC;IAEF,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,mCAAmC,CAAC,QAAQ,CAAC,CAAC;QACpD,OAAO;IACT,CAAC;IAED,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,oBAAoB,CAAC,0BAA0B,CAAC,CAAC;QACjD,OAAO;IACT,CAAC;IAED,oBAAoB,CAAC,SAAS,QAAQ,CAAC,IAAI,CAAC,MAAM,uBAAuB,CAAC,CAAC;IAE3E,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAClE,oBAAoB,CAClB,SAAS,IAAI,CAAC,EAAE,IAAI;YAClB,WAAW,IAAI,CAAC,IAAI,IAAI;YACxB,cAAc,OAAO,IAAI;YACzB,iBAAiB,IAAI,CAAC,eAAe,CAAC,SAAS,IAAI;YACnD,eAAe,IAAI,CAAC,eAAe,CAAC,OAAO,IAAI,CAClD,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["import { createApiClient } from \"../../common/api/client.js\";\nimport {\n  printJsonToConsoleAndExitGracefully,\n  printResultToConsole,\n} from \"../../common/output.js\";\nimport { CaCertificateListResponse, ListArguments } from \"../models.js\";\n\nexport async function list(argv: ListArguments) {\n  const { account } = argv;\n\n  const client = createApiClient({ authToken: argv.authToken });\n  const response = await client.get<CaCertificateListResponse>(\n    `/v1/accounts/${account}/client-mtls-ca-certificates`,\n    {\n      operation: \"Failed to list CA certificates\",\n      errorMessage: \"Error: Failed to list CA certificates.\",\n    }\n  );\n\n  if (argv.output === \"json\") {\n    await printJsonToConsoleAndExitGracefully(response);\n    return;\n  }\n\n  if (response.data.length === 0) {\n    printResultToConsole(\"No CA certificates found\");\n    return;\n  }\n\n  printResultToConsole(`Found ${response.data.length} CA certificate(s):\\n`);\n\n  for (const cert of response.data) {\n    const subject = cert.certificateInfo.subject.replace(/\\n/g, \", \");\n    printResultToConsole(\n      `  ID: ${cert.id}\\n` +\n        `  Name: ${cert.name}\\n` +\n        `  Subject: ${subject}\\n` +\n        `  Valid from: ${cert.certificateInfo.validFrom}\\n` +\n        `  Valid to: ${cert.certificateInfo.validTo}\\n`\n    );\n  }\n}\n"]}

package/dist/ca-certificate/models.d.ts

@@ -0,0 +1,51 @@
+export interface CaCertificateInfo {
+  subject: string;
+  issuer: string;
+  validFrom: string;
+  validTo: string;
+  serialNumber: string;
+}
+export interface CaCertificate {
+  id: string;
+  name: string;
+  certificateInfo: CaCertificateInfo;
+  createdOn: string;
+  updatedOn: string;
+}
+export interface CaCertificateListResponse {
+  data: CaCertificate[];
+  offset: number;
+  limit: number;
+}
+export interface CreateArguments {
+  account: string;
+  authToken: string;
+  name: string;
+  cert: string;
+  output?: "default" | "json";
+}
+export interface ListArguments {
+  account: string;
+  authToken: string;
+  output?: "default" | "json";
+}
+export interface UpdateArguments {
+  account: string;
+  authToken: string;
+  "cert-id": string;
+  name: string;
+  output?: "default" | "json";
+}
+export interface DeleteArguments {
+  account: string;
+  authToken: string;
+  "cert-id": string;
+  output?: "default" | "json";
+}
+export interface DescribeArguments {
+  account: string;
+  authToken: string;
+  "cert-id": string;
+  output?: "default" | "json";
+}
+//# sourceMappingURL=models.d.ts.map

package/dist/ca-certificate/models.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../src/ca-certificate/models.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,iBAAiB,CAAC;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,aAAa,EAAE,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC7B"}

package/dist/ca-certificate/models.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=models.js.map

package/dist/ca-certificate/models.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"models.js","sourceRoot":"","sources":["../../src/ca-certificate/models.ts"],"names":[],"mappings":"","sourcesContent":["export interface CaCertificateInfo {\n  subject: string;\n  issuer: string;\n  validFrom: string;\n  validTo: string;\n  serialNumber: string;\n}\n\nexport interface CaCertificate {\n  id: string;\n  name: string;\n  certificateInfo: CaCertificateInfo;\n  createdOn: string;\n  updatedOn: string;\n}\n\nexport interface CaCertificateListResponse {\n  data: CaCertificate[];\n  offset: number;\n  limit: number;\n}\n\nexport interface CreateArguments {\n  account: string;\n  authToken: string;\n  name: string;\n  cert: string;\n  output?: \"default\" | \"json\";\n}\n\nexport interface ListArguments {\n  account: string;\n  authToken: string;\n  output?: \"default\" | \"json\";\n}\n\nexport interface UpdateArguments {\n  account: string;\n  authToken: string;\n  \"cert-id\": string;\n  name: string;\n  output?: \"default\" | \"json\";\n}\n\nexport interface DeleteArguments {\n  account: string;\n  authToken: string;\n  \"cert-id\": string;\n  output?: \"default\" | \"json\";\n}\n\nexport interface DescribeArguments {\n  account: string;\n  authToken: string;\n  \"cert-id\": string;\n  output?: \"default\" | \"json\";\n}\n"]}

package/dist/ca-certificate/update/handler.d.ts

@@ -0,0 +1,3 @@
+import { UpdateArguments } from "../models.js";
+export declare function update(argv: UpdateArguments): Promise<void>;
+//# sourceMappingURL=handler.d.ts.map

package/dist/ca-certificate/update/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../../../src/ca-certificate/update/handler.ts"],"names":[],"mappings":"AAMA,OAAO,EAAiB,eAAe,EAAE,MAAM,cAAc,CAAC;AAG9D,wBAAsB,MAAM,CAAC,IAAI,EAAE,eAAe,iBA8BjD"}

package/dist/ca-certificate/update/handler.js

@@ -0,0 +1,26 @@
+import { createApiClient } from "../../common/api/client.js";
+import { printDiagnosticsToConsole, printJsonToConsoleAndExitGracefully, printResultToConsole, } from "../../common/output.js";
+import { validateName } from "../validation.js";
+export async function update(argv) {
+    const { account } = argv;
+    const certId = argv["cert-id"];
+    const nameError = validateName(argv.name);
+    if (nameError) {
+        printDiagnosticsToConsole(`Error: --name is invalid. ${nameError.message}`);
+        return;
+    }
+    const client = createApiClient({ authToken: argv.authToken });
+    const cert = await client.patch(`/v1/accounts/${account}/client-mtls-ca-certificates/${encodeURIComponent(certId)}`, {
+        operation: "Failed to update CA certificate",
+        errorMessage: "Error: Failed to update CA certificate.",
+        body: {
+            name: argv.name,
+        },
+    });
+    if (argv.output === "json") {
+        await printJsonToConsoleAndExitGracefully(cert);
+        return;
+    }
+    printResultToConsole(`CA certificate '${cert.name}' (${cert.id}) updated successfully`);
+}
+//# sourceMappingURL=handler.js.map

package/dist/ca-certificate/update/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../../src/ca-certificate/update/handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAC7D,OAAO,EACL,yBAAyB,EACzB,mCAAmC,EACnC,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAqB;IAChD,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACzB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;IAE/B,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,IAAI,SAAS,EAAE,CAAC;QACd,yBAAyB,CAAC,6BAA6B,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,KAAK,CAC7B,gBAAgB,OAAO,gCAAgC,kBAAkB,CAAC,MAAM,CAAC,EAAE,EACnF;QACE,SAAS,EAAE,iCAAiC;QAC5C,YAAY,EAAE,yCAAyC;QACvD,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,IAAI;SAChB;KACF,CACF,CAAC;IAEF,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC3B,MAAM,mCAAmC,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,oBAAoB,CAClB,mBAAmB,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,wBAAwB,CAClE,CAAC;AACJ,CAAC","sourcesContent":["import { createApiClient } from \"../../common/api/client.js\";\nimport {\n  printDiagnosticsToConsole,\n  printJsonToConsoleAndExitGracefully,\n  printResultToConsole,\n} from \"../../common/output.js\";\nimport { CaCertificate, UpdateArguments } from \"../models.js\";\nimport { validateName } from \"../validation.js\";\n\nexport async function update(argv: UpdateArguments) {\n  const { account } = argv;\n  const certId = argv[\"cert-id\"];\n\n  const nameError = validateName(argv.name);\n  if (nameError) {\n    printDiagnosticsToConsole(`Error: --name is invalid. ${nameError.message}`);\n    return;\n  }\n\n  const client = createApiClient({ authToken: argv.authToken });\n  const cert = await client.patch<CaCertificate>(\n    `/v1/accounts/${account}/client-mtls-ca-certificates/${encodeURIComponent(certId)}`,\n    {\n      operation: \"Failed to update CA certificate\",\n      errorMessage: \"Error: Failed to update CA certificate.\",\n      body: {\n        name: argv.name,\n      },\n    }\n  );\n\n  if (argv.output === \"json\") {\n    await printJsonToConsoleAndExitGracefully(cert);\n    return;\n  }\n\n  printResultToConsole(\n    `CA certificate '${cert.name}' (${cert.id}) updated successfully`\n  );\n}\n"]}

package/dist/ca-certificate/validation.d.ts

@@ -0,0 +1,21 @@
+export interface ValidationError {
+  message: string;
+  hint?: string;
+}
+export declare function validateName(name: string): ValidationError | null;
+export interface PemCertificateDetails {
+  subject: string;
+  issuer: string;
+  validFrom: string;
+  validTo: string;
+  serialNumber: string;
+  isCa: boolean;
+}
+export declare function parseAndValidateCaCertificate(
+  pem: string,
+  now?: Date
+): PemCertificateDetails | ValidationError;
+export declare function isValidationError(
+  result: PemCertificateDetails | ValidationError
+): result is ValidationError;
+//# sourceMappingURL=validation.d.ts.map

package/dist/ca-certificate/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/ca-certificate/validation.ts"],"names":[],"mappings":"AAwDA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAID,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAmBjE;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,OAAO,CAAC;CACf;AAMD,wBAAgB,6BAA6B,CAC3C,GAAG,EAAE,MAAM,EACX,GAAG,GAAE,IAAiB,GACrB,qBAAqB,GAAG,eAAe,CAsEzC;AAED,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,qBAAqB,GAAG,eAAe,GAC9C,MAAM,IAAI,eAAe,CAE3B"}

package/dist/ca-certificate/validation.js

@@ -0,0 +1,135 @@
+import crypto from "node:crypto";
+const MAX_NAME_LENGTH = 120;
+const PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
+const PEM_END = "-----END CERTIFICATE-----";
+const JS_VARIABLE_REGEX = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;
+const JS_RESERVED_KEYWORDS = new Set([
+    "break",
+    "case",
+    "catch",
+    "class",
+    "const",
+    "continue",
+    "debugger",
+    "default",
+    "delete",
+    "do",
+    "else",
+    "export",
+    "extends",
+    "finally",
+    "for",
+    "function",
+    "if",
+    "import",
+    "in",
+    "instanceof",
+    "let",
+    "new",
+    "return",
+    "super",
+    "switch",
+    "this",
+    "throw",
+    "try",
+    "typeof",
+    "var",
+    "void",
+    "while",
+    "with",
+    "yield",
+    "enum",
+    "implements",
+    "interface",
+    "package",
+    "private",
+    "protected",
+    "public",
+    "static",
+    "await",
+]);
+export function validateName(name) {
+    if (name.length === 0) {
+        return { message: "Name cannot be empty" };
+    }
+    if (name.length > MAX_NAME_LENGTH) {
+        return {
+            message: `Name must be ${MAX_NAME_LENGTH} characters or fewer (got ${name.length})`,
+        };
+    }
+    if (!JS_VARIABLE_REGEX.test(name)) {
+        return {
+            message: "Name must be a valid JavaScript variable name (start with a letter, _, or $, and contain only letters, digits, _, or $)",
+        };
+    }
+    if (JS_RESERVED_KEYWORDS.has(name.toLowerCase())) {
+        return { message: "Name cannot be a JavaScript reserved keyword" };
+    }
+    return null;
+}
+export function parseAndValidateCaCertificate(pem, now = new Date()) {
+    if (!pem.includes(PEM_BEGIN) || !pem.includes(PEM_END)) {
+        if (/-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----/.test(pem)) {
+            return {
+                message: "File is a private key, not a certificate",
+                hint: "The `--cert` flag expects the public CA certificate, not a private key. " +
+                    "CA certs only contain the public half; the private key stays with your PKI. " +
+                    "If your CA is bundled in a single PEM file, pass it as-is — the certificate block will be picked up.",
+            };
+        }
+        if (/-----BEGIN CERTIFICATE REQUEST-----/.test(pem)) {
+            return {
+                message: "File is a certificate signing request (CSR), not a certificate",
+                hint: "A CSR is the request you send to a CA to get a certificate issued. Pass the issued CA certificate instead.",
+            };
+        }
+        if (/-----BEGIN [A-Z0-9 ]+-----/.test(pem)) {
+            return {
+                message: "File is a PEM block but not a certificate",
+                hint: `Expected a PEM block starting with "${PEM_BEGIN}".`,
+            };
+        }
+        return {
+            message: "File does not appear to be a PEM-encoded certificate",
+            hint: `Expected to find "${PEM_BEGIN}" and "${PEM_END}" in the file.\n` +
+                "If you have a DER-encoded certificate, convert it with:\n" +
+                "  openssl x509 -in <file> -inform der -out cert.pem",
+        };
+    }
+    let cert;
+    try {
+        cert = new crypto.X509Certificate(pem);
+    }
+    catch (err) {
+        return {
+            message: "Failed to parse certificate",
+            hint: err instanceof Error ? err.message : String(err),
+        };
+    }
+    if (!cert.ca) {
+        return {
+            message: "The certificate is not a CA certificate",
+            hint: "Expected a certificate with the CA basic constraint set to TRUE " +
+                "(typically the root or intermediate CA that signs your client certs), " +
+                "not a leaf/client certificate.",
+        };
+    }
+    const validTo = new Date(cert.validTo);
+    if (!Number.isNaN(validTo.getTime()) && validTo < now) {
+        return {
+            message: `Certificate has already expired (validTo=${cert.validTo})`,
+        };
+    }
+    return {
+        subject: cert.subject,
+        issuer: cert.issuer,
+        validFrom: cert.validFrom,
+        validTo: cert.validTo,
+        serialNumber: cert.serialNumber,
+        isCa: cert.ca,
+    };
+}
+export function isValidationError(result) {
+    return "message" in result;
+}
+//# sourceMappingURL=validation.js.map

package/dist/ca-certificate/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/ca-certificate/validation.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,eAAe,GAAG,GAAG,CAAC;AAC5B,MAAM,SAAS,GAAG,6BAA6B,CAAC;AAChD,MAAM,OAAO,GAAG,2BAA2B,CAAC;AAC5C,MAAM,iBAAiB,GAAG,4BAA4B,CAAC;AAKvD,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,OAAO;IACP,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,UAAU;IACV,UAAU;IACV,SAAS;IACT,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,QAAQ;IACR,SAAS;IACT,SAAS;IACT,KAAK;IACL,UAAU;IACV,IAAI;IACJ,QAAQ;IACR,IAAI;IACJ,YAAY;IACZ,KAAK;IACL,KAAK;IACL,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,MAAM;IACN,OAAO;IACP,KAAK;IACL,QAAQ;IACR,KAAK;IACL,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,YAAY;IACZ,WAAW;IACX,SAAS;IACT,SAAS;IACT,WAAW;IACX,QAAQ;IACR,QAAQ;IACR,OAAO;CACR,CAAC,CAAC;AASH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC;IAC7C,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;QAClC,OAAO;YACL,OAAO,EAAE,gBAAgB,eAAe,6BAA6B,IAAI,CAAC,MAAM,GAAG;SACpF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO;YACL,OAAO,EACL,yHAAyH;SAC5H,CAAC;IACJ,CAAC;IACD,IAAI,oBAAoB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAeD,MAAM,UAAU,6BAA6B,CAC3C,GAAW,EACX,MAAY,IAAI,IAAI,EAAE;IAEtB,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAGvD,IAAI,uCAAuC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACtD,OAAO;gBACL,OAAO,EAAE,0CAA0C;gBACnD,IAAI,EACF,0EAA0E;oBAC1E,8EAA8E;oBAC9E,sGAAsG;aACzG,CAAC;QACJ,CAAC;QACD,IAAI,qCAAqC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACpD,OAAO;gBACL,OAAO,EACL,gEAAgE;gBAClE,IAAI,EAAE,4GAA4G;aACnH,CAAC;QACJ,CAAC;QACD,IAAI,4BAA4B,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,2CAA2C;gBACpD,IAAI,EAAE,uCAAuC,SAAS,IAAI;aAC3D,CAAC;QACJ,CAAC;QACD,OAAO;YACL,OAAO,EAAE,sDAAsD;YAC/D,IAAI,EACF,qBAAqB,SAAS,UAAU,OAAO,kBAAkB;gBACjE,2DAA2D;gBAC3D,qDAAqD;SACxD,CAAC;IACJ,CAAC;IAED,IAAI,IAA4B,CAAC;IACjC,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,6BAA6B;YACtC,IAAI,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACvD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,yCAAyC;YAClD,IAAI,EACF,kEAAkE;gBAClE,wEAAwE;gBACxE,gCAAgC;SACnC,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,IAAI,OAAO,GAAG,GAAG,EAAE,CAAC;QACtD,OAAO;YACL,OAAO,EAAE,4CAA4C,IAAI,CAAC,OAAO,GAAG;SACrE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,IAAI,EAAE,IAAI,CAAC,EAAE;KACd,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,MAA+C;IAE/C,OAAO,SAAS,IAAI,MAAM,CAAC;AAC7B,CAAC","sourcesContent":["import crypto from \"node:crypto\";\n\nconst MAX_NAME_LENGTH = 120;\nconst PEM_BEGIN = \"-----BEGIN CERTIFICATE-----\";\nconst PEM_END = \"-----END CERTIFICATE-----\";\nconst JS_VARIABLE_REGEX = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;\n\n// Kept in sync with tenant-api's reservedKeywords list in\n// apps/tenant-api/src/utils/certificate-validation.ts. Updating one without\n// the other lets bad names slip past the CLI and fail on the server.\nconst JS_RESERVED_KEYWORDS = new Set([\n  \"break\",\n  \"case\",\n  \"catch\",\n  \"class\",\n  \"const\",\n  \"continue\",\n  \"debugger\",\n  \"default\",\n  \"delete\",\n  \"do\",\n  \"else\",\n  \"export\",\n  \"extends\",\n  \"finally\",\n  \"for\",\n  \"function\",\n  \"if\",\n  \"import\",\n  \"in\",\n  \"instanceof\",\n  \"let\",\n  \"new\",\n  \"return\",\n  \"super\",\n  \"switch\",\n  \"this\",\n  \"throw\",\n  \"try\",\n  \"typeof\",\n  \"var\",\n  \"void\",\n  \"while\",\n  \"with\",\n  \"yield\",\n  \"enum\",\n  \"implements\",\n  \"interface\",\n  \"package\",\n  \"private\",\n  \"protected\",\n  \"public\",\n  \"static\",\n  \"await\",\n]);\n\nexport interface ValidationError {\n  message: string;\n  hint?: string;\n}\n\n// Mirrors tenant-api's validateCertificateName so the CLI rejects bad names\n// before a network round trip.\nexport function validateName(name: string): ValidationError | null {\n  if (name.length === 0) {\n    return { message: \"Name cannot be empty\" };\n  }\n  if (name.length > MAX_NAME_LENGTH) {\n    return {\n      message: `Name must be ${MAX_NAME_LENGTH} characters or fewer (got ${name.length})`,\n    };\n  }\n  if (!JS_VARIABLE_REGEX.test(name)) {\n    return {\n      message:\n        \"Name must be a valid JavaScript variable name (start with a letter, _, or $, and contain only letters, digits, _, or $)\",\n    };\n  }\n  if (JS_RESERVED_KEYWORDS.has(name.toLowerCase())) {\n    return { message: \"Name cannot be a JavaScript reserved keyword\" };\n  }\n  return null;\n}\n\nexport interface PemCertificateDetails {\n  subject: string;\n  issuer: string;\n  validFrom: string;\n  validTo: string;\n  serialNumber: string;\n  isCa: boolean;\n}\n\n// Mirrors tenant-api's parseCertificateWithDetails. Returns the parsed\n// certificate details or a ValidationError that the CLI can surface directly,\n// avoiding a round trip when the input is obviously wrong.\n// `now` is injectable for testing the expiry branch portably.\nexport function parseAndValidateCaCertificate(\n  pem: string,\n  now: Date = new Date()\n): PemCertificateDetails | ValidationError {\n  if (!pem.includes(PEM_BEGIN) || !pem.includes(PEM_END)) {\n    // Detect common PEM header variants so the hint actually matches the\n    // mistake the user made.\n    if (/-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----/.test(pem)) {\n      return {\n        message: \"File is a private key, not a certificate\",\n        hint:\n          \"The `--cert` flag expects the public CA certificate, not a private key. \" +\n          \"CA certs only contain the public half; the private key stays with your PKI. \" +\n          \"If your CA is bundled in a single PEM file, pass it as-is — the certificate block will be picked up.\",\n      };\n    }\n    if (/-----BEGIN CERTIFICATE REQUEST-----/.test(pem)) {\n      return {\n        message:\n          \"File is a certificate signing request (CSR), not a certificate\",\n        hint: \"A CSR is the request you send to a CA to get a certificate issued. Pass the issued CA certificate instead.\",\n      };\n    }\n    if (/-----BEGIN [A-Z0-9 ]+-----/.test(pem)) {\n      return {\n        message: \"File is a PEM block but not a certificate\",\n        hint: `Expected a PEM block starting with \"${PEM_BEGIN}\".`,\n      };\n    }\n    return {\n      message: \"File does not appear to be a PEM-encoded certificate\",\n      hint:\n        `Expected to find \"${PEM_BEGIN}\" and \"${PEM_END}\" in the file.\\n` +\n        \"If you have a DER-encoded certificate, convert it with:\\n\" +\n        \"  openssl x509 -in <file> -inform der -out cert.pem\",\n    };\n  }\n\n  let cert: crypto.X509Certificate;\n  try {\n    cert = new crypto.X509Certificate(pem);\n  } catch (err) {\n    return {\n      message: \"Failed to parse certificate\",\n      hint: err instanceof Error ? err.message : String(err),\n    };\n  }\n\n  if (!cert.ca) {\n    return {\n      message: \"The certificate is not a CA certificate\",\n      hint:\n        \"Expected a certificate with the CA basic constraint set to TRUE \" +\n        \"(typically the root or intermediate CA that signs your client certs), \" +\n        \"not a leaf/client certificate.\",\n    };\n  }\n\n  const validTo = new Date(cert.validTo);\n  if (!Number.isNaN(validTo.getTime()) && validTo < now) {\n    return {\n      message: `Certificate has already expired (validTo=${cert.validTo})`,\n    };\n  }\n\n  return {\n    subject: cert.subject,\n    issuer: cert.issuer,\n    validFrom: cert.validFrom,\n    validTo: cert.validTo,\n    serialNumber: cert.serialNumber,\n    isCa: cert.ca,\n  };\n}\n\nexport function isValidationError(\n  result: PemCertificateDetails | ValidationError\n): result is ValidationError {\n  return \"message\" in result;\n}\n"]}

package/dist/ca-certificate/validation.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=validation.test.d.ts.map

package/dist/ca-certificate/validation.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.test.d.ts","sourceRoot":"","sources":["../../src/ca-certificate/validation.test.ts"],"names":[],"mappings":""}

package/dist/ca-certificate/validation.test.js

@@ -0,0 +1,131 @@
+import assert from "node:assert";
+import { describe, it } from "node:test";
+import { isValidationError, parseAndValidateCaCertificate, validateName, } from "./validation.js";
+const CA_PEM = `-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIUB4s5BPjuGshWHSZKkNIJJ7W7alkwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHVGVzdCBjYTAgFw0yNjA1MTMwMDA1NDFaGA8yMTI2MDQx
+OTAwMDU0MVowEjEQMA4GA1UEAwwHVGVzdCBjYTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAK+8kcIOYXC5SKCnnEmddLKiVSon8NoLn8RABel0op+5i3J2
+pnDBBWOy2nT5qWRI2N0tTK4tQn/jaGeiBP0BUu4z+Y/pcglveexyFWhtFstHyyUr
+yiwhBhX3NEWHZGr/VShriKxojnTwWONpgQwq7On7k+We3JK7IEASvKLxhC1+hcch
+CwP67zGDF6qJrfjBfdPSRoW8OomioTRyb7MyrWvRpKm/0rj9NYc7MxMYbgVffE6y
+IVQ4UCsVw74DdebfdzBSJOwNa+2Fe8AwQ3QMVbzfE3qs6+nviQ1EJA/h0kWgIrCI
+3JvGpJinI0kDXEYx/4BTHVNfg1UdCOqPxxdrS18CAwEAAaMyMDAwDwYDVR0TAQH/
+BAUwAwEB/zAdBgNVHQ4EFgQUuku+yW29ASY8vCZ7fBVA6L3r28YwDQYJKoZIhvcN
+AQELBQADggEBAFaYAde91xdpST+LlokhbWanr8xiUr7jdHemjxGvBi/Zxs2VQIj2
++1Bh0dpxGk670nSc/Bq8jcivoiGoaRxT5rFVhtQOpYLgo+wKqNoYfEoEPrIrT4PO
+seBrdMa9cduhs/Nx11Vgf5N56KomRO1a4AaIcvh6uGxrf1jfaCjaAKWTNNd9luzo
+/IsRikl4QN0pZ1lIxdOdVMFhCp8V/+oEO6aw2FhFZlZKA+XLELHQzPBpuubQocuT
+9dLovPbpFD2UwgvpjXQYjpr5btZx+iupHfiXq7WI6EI3eG5UgTuOpK8g9rLDiX9f
+ArcSyj6/ZV+MDtaEHyEJBdsp//aT6Kfpoek=
+-----END CERTIFICATE-----
+`;
+const LEAF_PEM = `-----BEGIN CERTIFICATE-----
+MIIC5zCCAc+gAwIBAgIUFG0P6P6J4YoBLyRH2pjt7RdV9sAwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJVGVzdCBsZWFmMCAXDTI2MDUxMzAwMDU0MVoYDzIxMjYw
+NDE5MDAwNTQxWjAUMRIwEAYDVQQDDAlUZXN0IGxlYWYwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDc1H+Z9qbmSsTR1tDVEvMN94ayec1UZ/17eIDY55ho
+N5UA3Blho2xLeXvWWpKpo6wTXONzpNak8qhccIGsuIogpparkYYPBG+86cofnGDC
+m/T9wa8eLTvyrIyPfUjkYVU7Gfmsq08pF/GZHIHcJg/xdTOLKE8WgJi15zwi1ZOE
+z/OtpGKlX2pnM7aq6mzUqamWo2WBPpFdtdLfCBtnUkoNtxWmn98Xj/AaoiBR0UAI
+C8UQAEAv3yaZ8pBZoLLn68kFgkOdNAPnX2zi6B6uk7LWA90JUneL+fPb/89muxl+
+uQ4NGgWINtG23OtELLtUIuNiZxEFEO0mxf+0pIYa/1VTAgMBAAGjLzAtMAwGA1Ud
+EwEB/wQCMAAwHQYDVR0OBBYEFP5YdepOBrpmYPdem5awTb3ByLZ7MA0GCSqGSIb3
+DQEBCwUAA4IBAQBZ9Bl8IcQ9VYxTQgO1U9wB+LcHJ2WXqVSQTlz+qwd+tyfnv0PM
+O5/ouSYiCj3IBQ42N3z+QhLgZgvfGcC6qFvG67A1WV7n7ZV5D7Yb9CqE+NPUbx3V
+3GFBkIAv7U+4TKYPSK2YPXCb/D3rtel2j31tcMtODoT0LrHbwaOCGd8G+15rxBjP
+dfHuC/nYYeKsplDhcdfemel73WbNzuqGNliQhEqhtlpGOhciHpd1Zlm7OgUINmCr
+rfRfSGvBGDkuNRQIEhnFZXYhD0iCM/6D56/VykaqaQz+bPr04d0e0KvusFGsmapN
+zC0Ztm1aNp0wB0vPNoEJrpQEmkB80cR1DXVR
+-----END CERTIFICATE-----
+`;
+describe("validateName", () => {
+    it("accepts valid names", () => {
+        assert.strictEqual(validateName("my_ca"), null);
+        assert.strictEqual(validateName("CA1"), null);
+        assert.strictEqual(validateName("$abc"), null);
+        assert.strictEqual(validateName("_underscore"), null);
+    });
+    it("rejects empty names", () => {
+        const result = validateName("");
+        assert.ok(result);
+        assert.match(result.message, /empty/i);
+    });
+    it("rejects names over 120 characters", () => {
+        const result = validateName("a".repeat(121));
+        assert.ok(result);
+        assert.match(result.message, /120 characters/);
+    });
+    it("rejects names starting with a digit", () => {
+        const result = validateName("1ca");
+        assert.ok(result);
+        assert.match(result.message, /JavaScript variable name/);
+    });
+    it("rejects names with hyphens or spaces", () => {
+        assert.ok(validateName("my-ca"));
+        assert.ok(validateName("my ca"));
+        assert.ok(validateName("ca.example"));
+    });
+    it("rejects JavaScript reserved keywords", () => {
+        for (const keyword of ["class", "delete", "import", "return", "await"]) {
+            const result = validateName(keyword);
+            assert.ok(result, `expected ${keyword} to be rejected`);
+            assert.match(result.message, /reserved keyword/);
+        }
+    });
+    it("rejects reserved keywords case-insensitively", () => {
+        assert.ok(validateName("CLASS"));
+        assert.ok(validateName("Delete"));
+    });
+});
+describe("parseAndValidateCaCertificate", () => {
+    it("rejects garbage input", () => {
+        const result = parseAndValidateCaCertificate("not a certificate");
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /PEM-encoded/);
+        assert.match(result.hint ?? "", /openssl x509.*-inform der/);
+    });
+    it("rejects a PKCS#8 private key with a key-specific hint", () => {
+        const pem = `-----BEGIN PRIVATE KEY-----\nfoo\n-----END PRIVATE KEY-----`;
+        const result = parseAndValidateCaCertificate(pem);
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /private key/i);
+        assert.match(result.hint ?? "", /public CA certificate/);
+    });
+    it("rejects an RSA private key with a key-specific hint", () => {
+        const pem = `-----BEGIN RSA PRIVATE KEY-----\nfoo\n-----END RSA PRIVATE KEY-----`;
+        const result = parseAndValidateCaCertificate(pem);
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /private key/i);
+    });
+    it("rejects a CSR with a CSR-specific hint", () => {
+        const pem = `-----BEGIN CERTIFICATE REQUEST-----\nfoo\n-----END CERTIFICATE REQUEST-----`;
+        const result = parseAndValidateCaCertificate(pem);
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /CSR|signing request/i);
+    });
+    it("rejects a PEM-shaped but corrupt certificate", () => {
+        const pem = `-----BEGIN CERTIFICATE-----\nnot-real-base64\n-----END CERTIFICATE-----`;
+        const result = parseAndValidateCaCertificate(pem);
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /Failed to parse/);
+    });
+    it("accepts a valid CA certificate", () => {
+        const result = parseAndValidateCaCertificate(CA_PEM);
+        assert.ok(!isValidationError(result), JSON.stringify(result));
+        assert.strictEqual(result.isCa, true);
+        assert.match(result.subject, /Test ca/i);
+    });
+    it("rejects a leaf (non-CA) certificate", () => {
+        const result = parseAndValidateCaCertificate(LEAF_PEM);
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /not a CA certificate/);
+    });
+    it("rejects a CA certificate that is expired relative to `now`", () => {
+        const farFuture = new Date("2200-01-01T00:00:00Z");
+        const result = parseAndValidateCaCertificate(CA_PEM, farFuture);
+        assert.ok(isValidationError(result));
+        assert.match(result.message, /expired/);
+    });
+});
+//# sourceMappingURL=validation.test.js.map