archive-labs 1.0.8 → 1.0.9

package/dist/cli.js

@@ -1074,12 +1074,65 @@ const resolveEnvironmentAuthSession = () => {
     };
 };
 const authSecretStoreService = "archive-labs-cli";
+const authSecretChunkManifestFormat = "archive-cli-auth-secret-chunks-v1";
+const defaultAuthSecretChunkSize = 1000;
+const maxAuthSecretChunks = 64;
 const resolveTestSecretStoreDir = () => process.env.ARCHIVE_CLI_TEST_SECRET_STORE_DIR?.trim() || null;
 const isTestSecretStoreUnavailable = () => /^(1|true|yes)$/i.test(String(process.env.ARCHIVE_CLI_TEST_SECRET_STORE_UNAVAILABLE ?? ""));
+const resolveAuthSecretChunkSize = () => {
+    const configured = Number.parseInt(process.env.ARCHIVE_CLI_AUTH_SECRET_CHUNK_SIZE ?? "", 10);
+    return Number.isInteger(configured) && configured >= 256 && configured <= 1800
+        ? configured
+        : defaultAuthSecretChunkSize;
+};
 const authSecretFilePath = (accountId) => {
     const encoded = Buffer.from(accountId).toString("base64url");
     return path.join(resolveTestSecretStoreDir() ?? "", `${encoded}.json`);
 };
+const authSecretChunkAccountId = (accountId, index) => `${accountId}__chunk_${index}`;
+const parseAuthSecretChunkManifest = (raw) => {
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed?.format !== authSecretChunkManifestFormat ||
+            typeof parsed.chunkCount !== "number" ||
+            !Number.isInteger(parsed.chunkCount) ||
+            parsed.chunkCount <= 0 ||
+            parsed.chunkCount > maxAuthSecretChunks) {
+            return null;
+        }
+        return { chunkCount: parsed.chunkCount };
+    }
+    catch {
+        return null;
+    }
+};
+const readAuthSecretEntry = async (accountId) => {
+    const testDir = resolveTestSecretStoreDir();
+    return testDir
+        ? await readFile(authSecretFilePath(accountId), "utf8")
+        : new Entry(authSecretStoreService, accountId).getPassword();
+};
+const writeAuthSecretEntry = async (accountId, value) => {
+    const testDir = resolveTestSecretStoreDir();
+    if (testDir) {
+        await mkdir(testDir, { mode: 0o700, recursive: true });
+        await writeFile(authSecretFilePath(accountId), value, "utf8");
+        if (process.platform !== "win32") {
+            await Promise.allSettled([chmod(testDir, 0o700), chmod(authSecretFilePath(accountId), 0o600)]);
+        }
+        return;
+    }
+    new Entry(authSecretStoreService, accountId).setPassword(value);
+};
+const deleteAuthSecretEntry = async (accountId) => {
+    const testDir = resolveTestSecretStoreDir();
+    if (testDir) {
+        const { rm } = await import("node:fs/promises");
+        await rm(authSecretFilePath(accountId), { force: true });
+        return;
+    }
+    new Entry(authSecretStoreService, accountId).deletePassword();
+};
 const createCredentialStoreUnavailableError = (operation, error) => createCliError({
     category: "setup",
     code: "credential_store_unavailable",
@@ -1109,15 +1162,16 @@ const readAuthSecrets = async (accountId) => {
     if (isTestSecretStoreUnavailable()) {
         throw createCredentialStoreUnavailableError("read");
     }
-    const testDir = resolveTestSecretStoreDir();
     try {
-        const raw = testDir
-            ? await readFile(authSecretFilePath(accountId), "utf8")
-            : new Entry(authSecretStoreService, accountId).getPassword();
+        const raw = await readAuthSecretEntry(accountId);
         if (!raw) {
             return null;
         }
-        return validateAuthSecretPayload(JSON.parse(raw));
+        const manifest = parseAuthSecretChunkManifest(raw);
+        const secretPayload = manifest
+            ? await Promise.all(Array.from({ length: manifest.chunkCount }, (_, index) => readAuthSecretEntry(authSecretChunkAccountId(accountId, index)))).then((chunks) => chunks.join(""))
+            : raw;
+        return validateAuthSecretPayload(JSON.parse(secretPayload));
     }
     catch (error) {
         if (error?.code === "ENOENT") {
@@ -1132,16 +1186,28 @@ const writeAuthSecrets = async (accountId, secrets) => {
     }
     try {
         const raw = JSON.stringify(secrets);
-        const testDir = resolveTestSecretStoreDir();
-        if (testDir) {
-            await mkdir(testDir, { mode: 0o700, recursive: true });
-            await writeFile(authSecretFilePath(accountId), raw, "utf8");
-            if (process.platform !== "win32") {
-                await Promise.allSettled([chmod(testDir, 0o700), chmod(authSecretFilePath(accountId), 0o600)]);
-            }
+        const chunkSize = resolveAuthSecretChunkSize();
+        if (raw.length <= chunkSize) {
+            await writeAuthSecretEntry(accountId, raw);
+            await Promise.allSettled(Array.from({ length: maxAuthSecretChunks }, (_, index) => deleteAuthSecretEntry(authSecretChunkAccountId(accountId, index))));
             return;
         }
-        new Entry(authSecretStoreService, accountId).setPassword(raw);
+        const chunks = raw.match(new RegExp(`.{1,${chunkSize}}`, "g")) ?? [];
+        if (chunks.length > maxAuthSecretChunks) {
+            throw new Error("Archive login token payload is too large for this credential store.");
+        }
+        try {
+            await Promise.all(chunks.map((chunk, index) => writeAuthSecretEntry(authSecretChunkAccountId(accountId, index), chunk)));
+            await writeAuthSecretEntry(accountId, JSON.stringify({
+                chunkCount: chunks.length,
+                format: authSecretChunkManifestFormat,
+            }));
+            await Promise.allSettled(Array.from({ length: maxAuthSecretChunks - chunks.length }, (_, offset) => deleteAuthSecretEntry(authSecretChunkAccountId(accountId, chunks.length + offset))));
+        }
+        catch (error) {
+            await Promise.allSettled(chunks.map((_, index) => deleteAuthSecretEntry(authSecretChunkAccountId(accountId, index))));
+            throw error;
+        }
     }
     catch (error) {
         throw createCredentialStoreUnavailableError("store", error);
@@ -1155,13 +1221,19 @@ const deleteAuthSecrets = async (accountId) => {
         throw createCredentialStoreUnavailableError("delete");
     }
     try {
-        const testDir = resolveTestSecretStoreDir();
-        if (testDir) {
-            const { rm } = await import("node:fs/promises");
-            await rm(authSecretFilePath(accountId), { force: true });
-            return;
+        let chunkCount = maxAuthSecretChunks;
+        try {
+            const raw = await readAuthSecretEntry(accountId);
+            const manifest = raw ? parseAuthSecretChunkManifest(raw) : null;
+            if (manifest) {
+                chunkCount = manifest.chunkCount;
+            }
+        }
+        catch {
+            // Best-effort cleanup below also covers missing or unreadable manifests.
         }
-        new Entry(authSecretStoreService, accountId).deletePassword();
+        await Promise.allSettled(Array.from({ length: chunkCount }, (_, index) => deleteAuthSecretEntry(authSecretChunkAccountId(accountId, index))));
+        await deleteAuthSecretEntry(accountId);
     }
     catch (error) {
         if (error?.code !== "ENOENT") {

package/package.json

@@ -1,15 +1,15 @@
 {
   "name": "archive-labs",
-  "version": "1.0.8",
+  "version": "1.0.9",
   "description": "Terminal CLI for Archive that manages login, repository status, sync, checks, impact analysis, and release risk.",
   "license": "Apache-2.0",
   "preferGlobal": true,
   "packageManager": "pnpm@10.33.0",
   "type": "module",
-  "bin": {
-    "archive": "./dist/cli.js",
-    "archive-labs": "./dist/cli.js"
-  },
+  "bin": {
+    "archive": "dist/cli.js",
+    "archive-labs": "dist/cli.js"
+  },
   "files": [
     "dist",
     "logo.png",