emdash 0.8.0 → 0.9.0

package/dist/cli/index.mjs

@@ -1,22 +1,25 @@
 #!/usr/bin/env node
-import { t as __exportAll } from "../chunk-ClPoSABd.mjs";
+import { i as __exportAll, r as runMigrations, t as getMigrationStatus } from "../runner-C7ADox5q.mjs";
 import { n as createDatabase } from "../connection-2igzM-AT.mjs";
-import { s as listTablesLike } from "../dialect-helpers-DhTzaUxP.mjs";
-import { r as runMigrations, t as getMigrationStatus } from "../runner-tQ7BJ4T7.mjs";
-import { t as ContentRepository } from "../content-BcQPYxdV.mjs";
-import { i as encodeBase64url } from "../base64-MBPo9ozB.mjs";
-import "../types-BIgulNsW.mjs";
-import { t as MediaRepository } from "../media-D8FbNsl0.mjs";
-import { m as TaxonomyRepository, p as OptionsRepository, t as applySeed } from "../apply-x0eMK1lX.mjs";
-import "../redirect-D_pshWdf.mjs";
-import "../byline-Chbr2GoP.mjs";
-import { r as isI18nEnabled } from "../config-BXwuX8Bx.mjs";
-import { n as SchemaRegistry } from "../registry-C3Mr0ODu.mjs";
-import "../loader-CndGj8kM.mjs";
-import "../request-cache-Ci7f5pBb.mjs";
-import { i as pluginManifestSchema } from "../manifest-schema-DH9xhc6t.mjs";
-import { t as validateSeed } from "../validate-CxVsLehf.mjs";
+import { c as listTablesLike } from "../dialect-helpers-BKCvISIQ.mjs";
+import { t as ContentRepository } from "../content-8lOYF0pr.mjs";
+import { i as encodeBase64url } from "../base64-BRICGH2l.mjs";
+import "../types-CRxNbK-Z.mjs";
+import { t as MediaRepository } from "../media-BW32b4gi.mjs";
+import { p as TaxonomyRepository, t as applySeed } from "../apply-BzltprvY.mjs";
+import { t as OptionsRepository } from "../options-BVp3UsTS.mjs";
+import "../redirect-BhUBKRc1.mjs";
+import "../byline-BSaNL1w7.mjs";
+import { r as isI18nEnabled } from "../config-BI0V3ICQ.mjs";
+import { n as SchemaRegistry } from "../registry-Dw70ChxB.mjs";
+import "../loader-CKLbBnhK.mjs";
+import "../request-cache-B-bmkipQ.mjs";
+import { i as pluginManifestSchema } from "../manifest-schema-DqWNC3lM.mjs";
+import { n as isDeprecatedCapability, t as CAPABILITY_RENAMES } from "../types-4fVtCIm0.mjs";
+import { t as validateSeed } from "../validate-Baqf0slj.mjs";
+import { n as fingerprintKey, r as generateEncryptionKey, t as EmDashSecretsError } from "../secrets-CW3reAnU.mjs";
 import { LocalStorage } from "../storage/local.mjs";
+import { o as convertDataForRead } from "../transport-BeMCmin1.mjs";
 import { createHeaderAwareFetch, customHeadersInterceptor, getCachedAccessToken, isAccessRedirect, resolveCustomHeaders, runCloudflaredLogin } from "../client/cf-access.mjs";
 import { EmDashClient } from "../client/index.mjs";
 import { imageSize } from "image-size";
@@ -35,10 +38,24 @@ import { packTar } from "modern-tar/fs";
 
 //#region src/cli/commands/auth.ts
 /**
-* Auth CLI commands
-*/
-/**
-* Generate a cryptographically secure auth secret
+* Auth CLI commands (deprecated)
+*
+* Kept as a deprecated alias for backwards compatibility. The original
+* `emdash auth secret` was documented in published docs and is plausibly
+* scripted in user CI (e.g. `npx emdash auth secret >> .env`). Removing
+* it outright would break those scripts on minor-version upgrade.
+*
+* The command still emits an `EMDASH_AUTH_SECRET=<32-byte-base64url>`
+* line, unchanged. `EMDASH_AUTH_SECRET` itself is now legacy: it's only
+* read as a fallback source for the commenter-IP hash salt so installs
+* upgrading from a prior version keep stable IP hashes (and therefore
+* stable rate-limit buckets). New installs don't need to set it.
+*
+* The deprecation note steers users toward `emdash secrets generate`
+* (which emits a different, versioned `emdash_enc_v1_*` value for
+* `EMDASH_ENCRYPTION_KEY` — used to encrypt plugin secrets at rest).
+*
+* Will be removed in a future minor.
 */
 function generateAuthSecret() {
 	const bytes = new Uint8Array(32);
@@ -48,7 +65,7 @@ function generateAuthSecret() {
 const secretCommand = defineCommand({
 	meta: {
 		name: "secret",
-		description: "Generate a secure auth secret"
+		description: "[DEPRECATED] Generate a value for legacy EMDASH_AUTH_SECRET"
 	},
 	run() {
 		const secret = generateAuthSecret();
@@ -59,12 +76,13 @@ const secretCommand = defineCommand({
 		consola$1.log("");
 		consola$1.log(pc.dim("Add this to your environment variables."));
 		consola$1.log("");
+		process.stderr.write(`${pc.yellow("Note:")} ${pc.bold("emdash auth secret")} is deprecated and will be removed in a future minor. ${pc.cyan("EMDASH_AUTH_SECRET")} itself is now optional — it's only used as a legacy fallback for the commenter-IP hash salt. For encrypting plugin secrets at rest, use ${pc.bold("emdash secrets generate")} (a different secret: ${pc.cyan("EMDASH_ENCRYPTION_KEY")}).\n`);
 	}
 });
 const authCommand = defineCommand({
 	meta: {
 		name: "auth",
-		description: "Authentication utilities"
+		description: "[DEPRECATED] Authentication utilities (use `emdash secrets` for new flows)"
 	},
 	subCommands: { secret: secretCommand }
 });
@@ -134,7 +152,10 @@ function readStore() {
 	return {};
 }
 function writeStore(store) {
-	mkdirSync(getConfigDir(), { recursive: true });
+	mkdirSync(getConfigDir(), {
+		recursive: true,
+		mode: 448
+	});
 	writeFileSync(getCredentialPath(), JSON.stringify(store, null, "	"), {
 		encoding: "utf-8",
 		mode: 384
@@ -483,7 +504,16 @@ const getCommand$3 = defineCommand({
 			});
 			if (!args.published && item.draftRevisionId) {
 				const comparison = await client.compare(args.collection, args.id);
-				if (comparison.hasChanges && comparison.draft) item.data = comparison.draft;
+				if (comparison.hasChanges && comparison.draft) {
+					item.data = comparison.draft;
+					if (!args.raw && item.data) {
+						const fields = (await client.collection(args.collection)).fields.map((f) => ({
+							slug: f.slug,
+							type: f.type
+						}));
+						item.data = convertDataForRead(item.data, fields, false);
+					}
+				}
 			}
 			output(item, args);
 		} catch (error) {
@@ -626,6 +656,7 @@ const deleteCommand$2 = defineCommand({
 		configureOutputMode(args);
 		try {
 			await createClientFromArgs(args).delete(args.collection, args.id);
+			output({ success: true }, args);
 			consola$1.success(`Deleted ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola$1.error(error instanceof Error ? error.message : "Unknown error");
@@ -655,6 +686,7 @@ const publishCommand$1 = defineCommand({
 		configureOutputMode(args);
 		try {
 			await createClientFromArgs(args).publish(args.collection, args.id);
+			output({ success: true }, args);
 			consola$1.success(`Published ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola$1.error(error instanceof Error ? error.message : "Unknown error");
@@ -684,6 +716,7 @@ const unpublishCommand = defineCommand({
 		configureOutputMode(args);
 		try {
 			await createClientFromArgs(args).unpublish(args.collection, args.id);
+			output({ success: true }, args);
 			consola$1.success(`Unpublished ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola$1.error(error instanceof Error ? error.message : "Unknown error");
@@ -718,6 +751,7 @@ const scheduleCommand = defineCommand({
 		configureOutputMode(args);
 		try {
 			await createClientFromArgs(args).schedule(args.collection, args.id, { at: args.at });
+			output({ success: true }, args);
 			consola$1.success(`Scheduled ${args.collection}/${args.id} for ${args.at}`);
 		} catch (error) {
 			consola$1.error(error instanceof Error ? error.message : "Unknown error");
@@ -747,6 +781,7 @@ const restoreCommand = defineCommand({
 		configureOutputMode(args);
 		try {
 			await createClientFromArgs(args).restore(args.collection, args.id);
+			output({ success: true }, args);
 			consola$1.success(`Restored ${args.collection}/${args.id}`);
 		} catch (error) {
 			consola$1.error(error instanceof Error ? error.message : "Unknown error");
@@ -1841,7 +1876,8 @@ const whoamiCommand = defineCommand({
 							})
 						});
 						if (refreshRes.ok) {
-							const refreshed = await refreshRes.json();
+							const json = await refreshRes.json();
+							const refreshed = json.data && typeof json.data === "object" && "access_token" in json.data ? json.data : json;
 							token = refreshed.access_token;
 							saveCredentials(baseUrl, {
 								...cred,
@@ -2125,8 +2161,16 @@ const MAX_SCREENSHOTS = 5;
 const MAX_SCREENSHOT_WIDTH = 1920;
 const MAX_SCREENSHOT_HEIGHT = 1080;
 const ICON_SIZE = 256;
-/** Matches require("node:xxx") / require("xxx") / import("node:xxx") in bundled output */
-const NODE_BUILTIN_IMPORT_RE = /(?:import|require)\s*\(?["'](?:node:)?([a-z_]+)["']\)?/g;
+/**
+* Matches Node.js built-in imports in bundled output:
+* - require("node:xxx") / require("xxx")
+* - import("node:xxx") / import("xxx")
+* - import X from "node:xxx" / import { X } from "node:xxx"
+* - import * as X from "node:xxx"
+* - export { X } from "node:xxx"
+* Captures the base module name (e.g. "fs" from "node:fs/promises").
+*/
+const NODE_BUILTIN_IMPORT_RE = /(?:import|export|require)\s*(?:\(|[^(]*?\bfrom\s+)["'](?:node:)?([a-z_]+)(?:\/[^"']*)?\s*["']\)?/g;
 const LEADING_DOT_SLASH_RE = /^\.\//;
 const DIST_PREFIX_RE = /^dist\//;
 const MJS_EXT_RE = /\.m?js$/;
@@ -2619,8 +2663,18 @@ const bundleCommand = defineCommand({
 					hasErrors = true;
 				}
 			}
-			if (manifest.capabilities.includes("network:fetch:any")) consola.warn("Plugin declares unrestricted network access (network:fetch:any) — it can make requests to any host");
-			else if (manifest.capabilities.includes("network:fetch") && manifest.allowedHosts.length === 0) consola.warn("Plugin declares network:fetch capability but no allowedHosts — all fetch requests will be blocked");
+			const declaresUnrestricted = manifest.capabilities.includes("network:request:unrestricted") || manifest.capabilities.includes("network:fetch:any");
+			const declaresHostRestricted = manifest.capabilities.includes("network:request") || manifest.capabilities.includes("network:fetch");
+			if (declaresUnrestricted) consola.warn("Plugin declares unrestricted network access (network:request:unrestricted) — it can make requests to any host");
+			else if (declaresHostRestricted && manifest.allowedHosts.length === 0) consola.warn("Plugin declares network:request capability but no allowedHosts — all requests will be blocked");
+			const deprecatedCaps = manifest.capabilities.filter(isDeprecatedCapability);
+			if (deprecatedCaps.length > 0) {
+				consola.warn("Plugin uses deprecated capability names. Rename them before publishing:");
+				for (const cap of deprecatedCaps) {
+					const replacement = CAPABILITY_RENAMES[cap];
+					consola.warn(`  ${cap} → ${replacement}`);
+				}
+			}
 			if (resolvedPlugin.admin?.portableTextBlocks && resolvedPlugin.admin.portableTextBlocks.length > 0) consola.warn("Plugin declares portableTextBlocks — these require trusted mode and will be ignored in sandboxed plugins");
 			if (resolvedPlugin.admin?.entry) consola.warn("Plugin declares admin.entry — custom React components require trusted mode. Use Block Kit for sandboxed admin pages");
 			if (resolvedPlugin.hooks["page:fragments"]) consola.warn("Plugin declares page:fragments hook — this is trusted-only and will not work in sandboxed mode");
@@ -3115,6 +3169,16 @@ const publishCommand = defineCommand({
 		if (manifest.capabilities.length > 0) consola.info(`Capabilities: ${manifest.capabilities.join(", ")}`);
 		if (manifest.allowedHosts?.length) consola.info(`Allowed hosts: ${manifest.allowedHosts.join(", ")}`);
 		console.log();
+		const deprecatedCaps = manifest.capabilities.filter(isDeprecatedCapability);
+		if (deprecatedCaps.length > 0) {
+			consola.error("Plugin declares deprecated capability names. Rename them and re-bundle before publishing:");
+			for (const cap of deprecatedCaps) {
+				const replacement = CAPABILITY_RENAMES[cap];
+				consola.error(`  ${cap} → ${replacement}`);
+			}
+			consola.error("See https://emdashcms.com/docs/plugins/overview#capabilities for the full rename table.");
+			process.exit(1);
+		}
 		let token;
 		const envToken = process.env.EMDASH_MARKETPLACE_TOKEN;
 		const stored = !envToken ? getMarketplaceCredential(registryUrl) : null;
@@ -3572,6 +3636,134 @@ const searchCommand = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/cli/commands/secrets.ts
+/**
+* Secrets CLI commands
+*
+* Pure (no-DB) commands for working with EmDash secrets:
+*
+* - `emdash secrets generate` — emits a fresh `EMDASH_ENCRYPTION_KEY`.
+*   Optionally writes it to `.dev.vars` (Workers) or `.env` (Node).
+* - `emdash secrets fingerprint <key>` — prints the kid for a key,
+*   useful in CI for verifying what's been deployed without exposing
+*   the raw value.
+*
+* DB-touching commands (`status`, `migrate`, `rotate`) live elsewhere:
+* the CLI process can't open the production D1/Postgres binding from
+* the operator's machine, so those operations ship as admin HTTP
+* endpoints in a later PR. A thin `--site <url>` wrapper for those
+* endpoints can land alongside.
+*/
+const KEY_VAR_NAME = "EMDASH_ENCRYPTION_KEY";
+/** Matches a populated entry — `KEY=<at least one char>`. */
+const POPULATED_KEY_LINE_PATTERN = /^EMDASH_ENCRYPTION_KEY=.+$/m;
+/**
+* Matches any line starting `KEY=` including `KEY=` with empty value.
+* Used for in-place replacement when the entry exists but has no value.
+*/
+const ANY_KEY_LINE_PATTERN = /^EMDASH_ENCRYPTION_KEY=.*$/m;
+/**
+* Append (or replace) `EMDASH_ENCRYPTION_KEY` in a dotenv-style file.
+*
+* Idempotent: if the entry exists with a populated value, leaves it alone
+* (returns `"skipped"`) unless `force` is set. An entry with an empty
+* value (`EMDASH_ENCRYPTION_KEY=`) is treated as "not set" and gets
+* replaced — placeholder lines aren't a reason to refuse.
+*
+* Always ends the resulting file with a trailing newline. Doesn't touch
+* other variables.
+*
+* Exported for tests.
+*/
+function writeEncryptionKeyToFile(targetPath, value, force) {
+	const existing = existsSync(targetPath) ? readFileSync(targetPath, "utf-8") : "";
+	if (POPULATED_KEY_LINE_PATTERN.test(existing) && !force) return "skipped";
+	const newLine = `${KEY_VAR_NAME}=${value}`;
+	let next;
+	if (ANY_KEY_LINE_PATTERN.test(existing)) {
+		next = existing.replace(ANY_KEY_LINE_PATTERN, newLine);
+		if (!next.endsWith("\n")) next += "\n";
+	} else next = `${existing}${existing.length === 0 ? "" : existing.endsWith("\n") ? "" : "\n"}${newLine}\n`;
+	writeFileSync(targetPath, next);
+	return "wrote";
+}
+const generateCommand = defineCommand({
+	meta: {
+		name: "generate",
+		description: "Generate a new EmDash encryption key"
+	},
+	args: {
+		write: {
+			type: "string",
+			description: "Optional path to write the key to (e.g. .dev.vars or .env). Won't overwrite an existing entry without --force."
+		},
+		force: {
+			type: "boolean",
+			description: "When used with --write, overwrite an existing entry",
+			default: false
+		}
+	},
+	run({ args }) {
+		const value = generateEncryptionKey();
+		if (args.write) {
+			if (writeEncryptionKeyToFile(resolve(process.cwd(), args.write), value, args.force) === "skipped") {
+				consola$1.info(`${KEY_VAR_NAME} already set in ${pc.cyan(args.write)}; leaving it alone. Pass ${pc.bold("--force")} to replace it.`);
+				return;
+			}
+			consola$1.log("");
+			consola$1.log(`${pc.bold("Wrote")} ${pc.cyan(KEY_VAR_NAME)} to ${pc.cyan(args.write)}`);
+			consola$1.log("");
+			consola$1.log(pc.yellow("Keep this file out of version control. Losing the key means losing every secret encrypted with it."));
+			consola$1.log("");
+			return;
+		}
+		process.stdout.write(`${value}\n`);
+		const guidance = [
+			"",
+			pc.bold("EmDash encryption key generated."),
+			"",
+			`Set ${pc.cyan(KEY_VAR_NAME)} in your environment.`,
+			"For Cloudflare deployments, push it to your Worker's secrets.",
+			"For Node deployments, add it to your process environment or .env file.",
+			"",
+			pc.yellow("Keep this value secret. Losing it means losing every secret encrypted with it."),
+			""
+		].join("\n");
+		process.stderr.write(`${guidance}\n`);
+	}
+});
+const fingerprintCommand = defineCommand({
+	meta: {
+		name: "fingerprint",
+		description: "Print the kid (8-char fingerprint) for an encryption key"
+	},
+	args: { key: {
+		type: "positional",
+		description: "The full key value (with the emdash_enc_v1_ prefix)",
+		required: true
+	} },
+	async run({ args }) {
+		try {
+			const kid = await fingerprintKey(args.key);
+			process.stdout.write(`${kid}\n`);
+		} catch (error) {
+			consola$1.error(error instanceof EmDashSecretsError ? error.message : "Failed to fingerprint key");
+			process.exit(1);
+		}
+	}
+});
+const secretsCommand = defineCommand({
+	meta: {
+		name: "secrets",
+		description: "Manage EmDash secrets (generate, inspect)"
+	},
+	subCommands: {
+		generate: generateCommand,
+		fingerprint: fingerprintCommand
+	}
+});
+
 //#endregion
 //#region src/cli/commands/seed.ts
 /**
@@ -3934,7 +4126,8 @@ const typesCommand = defineCommand({
 * - dev: Run dev server with local D1
 * - seed: Apply a seed file to the database
 * - export-seed: Export database schema and content as a seed file
-* - auth: Authentication utilities (secret generation)
+* - secrets: Generate and inspect EmDash secrets (encryption keys, etc.)
+* - auth: [DEPRECATED] Generate auth secret (use `secrets` instead)
 * - login/logout/whoami: Session management
 * - content: Create, read, update, delete content
 * - schema: Manage collections and fields
@@ -3957,6 +4150,7 @@ runMain(defineCommand({
 		doctor: doctorCommand,
 		seed: seedCommand,
 		"export-seed": exportSeedCommand,
+		secrets: secretsCommand,
 		auth: authCommand,
 		login: loginCommand,
 		logout: logoutCommand,