envspot 0.1.0

package/dist/fly-deploy.js

@@ -0,0 +1,158 @@
+import { existsSync } from "node:fs";
+import { join } from "node:path";
+import { spawn } from "node:child_process";
+import { constants as osConstants } from "node:os";
+import { getStoredToken } from "./auth-store.js";
+import { authRequired, flyctlNotInstalled, flyTomlNotFound } from "./errors.js";
+import * as out from "./output.js";
+import { fetchProjectSecrets, resolveLinkScope } from "./secrets.js";
+import { isHeadlessToken } from "./token-kind.js";
+/**
+ * Parse the tail of `envspot fly deploy …`. `--app`/`--no-secrets` are ours;
+ * every other token forwards verbatim to `flyctl deploy`. `--app` is also
+ * threaded into the secret-staging call so both halves target the same app.
+ */
+export function parseFlyArgs(parts) {
+    if (parts[0] !== "deploy") {
+        return {
+            ok: false,
+            message: "Only `envspot fly deploy` is supported. Example: envspot fly deploy --app my-app",
+        };
+    }
+    let app;
+    let noSecrets = false;
+    const deployArgs = [];
+    let i = 1;
+    while (i < parts.length) {
+        const a = parts[i];
+        if (a === "--no-secrets") {
+            noSecrets = true;
+            i += 1;
+            continue;
+        }
+        if (a === "--app" || a === "-a") {
+            // Capture flyctl's app flag (both forms) so secret-staging and deploy
+            // target the same app; otherwise `-a` would forward to deploy only and
+            // staging would silently hit a different app.
+            const v = parts[i + 1];
+            if (!v?.trim())
+                return { ok: false, message: "`--app` requires an app name." };
+            app = v.trim();
+            i += 2;
+            continue;
+        }
+        if (a.startsWith("--app=") || a.startsWith("-a=")) {
+            const v = a.slice(a.indexOf("=") + 1).trim();
+            if (!v)
+                return { ok: false, message: "`--app` requires a value." };
+            app = v;
+            i += 1;
+            continue;
+        }
+        deployArgs.push(a);
+        i += 1;
+    }
+    return { ok: true, app, noSecrets, deployArgs };
+}
+/** Probe `flyctl version`; ENOENT (not on PATH) resolves false, any spawn that
+ *  starts resolves true regardless of its exit status. */
+function isFlyctlInstalled() {
+    return new Promise((resolve) => {
+        const child = spawn("flyctl", ["version"], {
+            stdio: "ignore",
+            shell: false,
+        });
+        child.on("error", () => resolve(false));
+        child.on("close", () => resolve(true));
+    });
+}
+function spawnFlyctl(args, input) {
+    return new Promise((resolve) => {
+        const child = spawn("flyctl", args, {
+            // Pipe stdin only when feeding secrets; otherwise inherit so flyctl's
+            // interactive prompts and deploy output reach the user's terminal.
+            stdio: [input !== undefined ? "pipe" : "inherit", "inherit", "inherit"],
+            shell: false,
+        });
+        child.on("error", (err) => {
+            console.error(`Failed to run flyctl: ${err.message}`);
+            resolve(1);
+        });
+        child.on("close", (c, signal) => {
+            if (signal) {
+                const signum = osConstants.signals[signal] ?? 0;
+                resolve(signum ? 128 + signum : (c ?? 1));
+            }
+            else {
+                resolve(c ?? 0);
+            }
+        });
+        if (input !== undefined && child.stdin) {
+            // flyctl may exit before draining stdin (bad app, not logged in); an
+            // unhandled EPIPE on the stream would crash the CLI mid-deploy. Swallow
+            // it and let the `close` handler report the real exit code.
+            child.stdin.on("error", () => { });
+            child.stdin.write(input);
+            child.stdin.end();
+        }
+    });
+}
+function defaultFlyTomlExists(cwd) {
+    return existsSync(join(cwd, "fly.toml"));
+}
+/**
+ * `envspot fly deploy` — stage the linked project's secrets onto a Fly app via
+ * `flyctl secrets import --stage` (values go over stdin, never argv), then run
+ * `flyctl deploy`, forwarding any extra args and propagating flyctl's exit code.
+ */
+export async function executeFlyDeploy(parsed, deps = {}) {
+    const checkFlyctl = deps.checkFlyctl ?? isFlyctlInstalled;
+    const runFlyctl = deps.runFlyctl ?? spawnFlyctl;
+    const flyTomlExists = deps.flyTomlExists ?? defaultFlyTomlExists;
+    if (!(await checkFlyctl()))
+        throw flyctlNotInstalled();
+    // flyctl needs an app: either explicit --app, or a fly.toml it reads from cwd.
+    if (!parsed.app && !flyTomlExists(process.cwd()))
+        throw flyTomlNotFound();
+    const appArgs = parsed.app ? ["--app", parsed.app] : [];
+    if (!parsed.noSecrets) {
+        const token = await getStoredToken();
+        if (!token)
+            throw authRequired();
+        // A headless token self-scopes; a session bearer reads the local link.
+        const secrets = isHeadlessToken(token)
+            ? await fetchProjectSecrets(token)
+            : await fetchProjectSecrets(token, resolveLinkScope());
+        const keys = Object.keys(secrets).sort();
+        out.step(`Fetched ${keys.length} secret${keys.length === 1 ? "" : "s"} from EnvSpot`);
+        if (keys.length === 0) {
+            // Likely a wrong env/scope rather than a genuinely empty project — make
+            // the silent "deployed with no secrets" footgun visible.
+            out.warn("No secrets found for this project/env; deploying without setting any. Pass --no-secrets to silence this.");
+        }
+        else {
+            // flyctl's stdin importer is line-based (NAME=VALUE per line), so a value
+            // with an embedded newline can't round-trip. Stage the single-line ones
+            // and skip the rest rather than corrupt them; the user sets those by hand.
+            const importable = [];
+            const skipped = [];
+            for (const k of keys) {
+                (/[\r\n]/.test(secrets[k]) ? skipped : importable).push(k);
+            }
+            if (skipped.length > 0) {
+                out.warn(`Skipping ${skipped.length} secret${skipped.length === 1 ? "" : "s"} with newline values (flyctl can't import these over stdin): ${skipped.join(", ")}. ` +
+                    "Set them manually with `flyctl secrets set`.");
+            }
+            if (importable.length > 0) {
+                const kv = importable.map((k) => `${k}=${secrets[k]}`).join("\n");
+                out.step(`Staging ${importable.length} secret${importable.length === 1 ? "" : "s"} with flyctl`);
+                const importExit = await runFlyctl(["secrets", "import", "--stage", ...appArgs], kv);
+                // A failed stage means deploying would ship stale/missing secrets — stop.
+                if (importExit !== 0)
+                    return importExit;
+            }
+        }
+    }
+    out.step("flyctl deploy");
+    return runFlyctl(["deploy", ...appArgs, ...parsed.deployArgs]);
+}

package/dist/http.js

@@ -0,0 +1,84 @@
+import { apiBase, cliUserAgent, statusPageHint } from "./config.js";
+import { CliError, ERR } from "./errors.js";
+export function apiUrl(path) {
+    const base = apiBase().replace(/\/$/, "");
+    return `${base}${path.startsWith("/") ? path : `/${path}`}`;
+}
+export function isLikelyTransportFailure(err) {
+    if (err instanceof TypeError)
+        return true;
+    if (!(err instanceof Error))
+        return false;
+    const c = err.cause;
+    if (c && typeof c === "object" && "code" in c) {
+        const code = String(c.code);
+        if (/ECONNREFUSED|ENOTFOUND|EAI_AGAIN|ETIMEDOUT|ENETUNREACH|ECONNRESET/.test(code)) {
+            return true;
+        }
+    }
+    return /fetch failed|network/i.test(err.message);
+}
+/** Rethrow a caught error: a typed E0003 when it's a transport fault, else as-is. */
+export function rethrowTransport(err) {
+    if (isLikelyTransportFailure(err)) {
+        throw new CliError(ERR.TRANSPORT, describeTransportFailure(err));
+    }
+    throw err;
+}
+export function describeTransportFailure(err) {
+    const msg = err instanceof Error
+        ? `${err.message}${err.cause instanceof Error ? ` (${err.cause.message})` : ""}`
+        : String(err);
+    return (`Couldn't reach EnvSpot. Check your connection.\n` +
+        `${statusPageHint()}\n` +
+        `  Detail: ${msg}`);
+}
+/** 3× backoff for transport faults (plus first attempt ⇒ 4 tries). */
+export async function backoffTransport(exec) {
+    let lastErr;
+    for (let attempt = 0; attempt < 4; attempt++) {
+        try {
+            return await exec();
+        }
+        catch (e) {
+            lastErr = e;
+            if (attempt === 3)
+                break;
+            const ms = Math.min(3000, 250 * 2 ** attempt);
+            await new Promise((r) => setTimeout(r, ms));
+        }
+    }
+    throw lastErr;
+}
+export async function fetchWithCliHeaders(input, init, bearerToken) {
+    return fetch(input, {
+        ...init,
+        headers: {
+            Accept: "application/json",
+            "User-Agent": cliUserAgent(),
+            ...(bearerToken ? { Authorization: `Bearer ${bearerToken}` } : {}),
+            ...init?.headers,
+        },
+    });
+}
+export async function parseJsonSafely(res) {
+    const text = await res.text();
+    try {
+        return { text, json: JSON.parse(text) };
+    }
+    catch {
+        return { text, json: null };
+    }
+}
+export function reasonFromJson(j) {
+    if (!j)
+        return undefined;
+    const r = j.reason;
+    return typeof r === "string" ? r : undefined;
+}
+export function upgradeUrlFromJson(j) {
+    if (!j)
+        return undefined;
+    const u = j.upgradeUrl;
+    return typeof u === "string" ? u : undefined;
+}

package/dist/index.js

@@ -0,0 +1,295 @@
+#!/usr/bin/env node
+import { stdin as stdinStream } from "node:process";
+import { Command } from "commander";
+import { clearStoredCredential, getStoredToken, resolveToken, setStoredToken, } from "./auth-store.js";
+import { apiBase, appOrigin, packageVersion } from "./config.js";
+import { cliApiError } from "./cli-api-error.js";
+import { runInteractiveDeviceLogin } from "./device-login.js";
+import { apiUrl, backoffTransport, describeTransportFailure, fetchWithCliHeaders, isLikelyTransportFailure, parseJsonSafely, } from "./http.js";
+import { executeDump } from "./dump.js";
+import { runInit } from "./init-flow.js";
+import { CliError, ERR, authRequired, deviceLoginRequired, notLinked, reportCliError, } from "./errors.js";
+import { runLinkInteractive, runLinkWithFlags } from "./link-flow.js";
+import { findEnvspotLink } from "./paths.js";
+import { executeRun, parseRunTailArgs } from "./run-handler.js";
+import { executeWhoami } from "./whoami.js";
+import { executeFlyDeploy, parseFlyArgs } from "./fly-deploy.js";
+import { isHeadlessToken, probePathForToken } from "./token-kind.js";
+function experimentalEnabled() {
+    const v = process.env.ENVSPOT_EXPERIMENTAL?.trim();
+    return v === "1" || v?.toLowerCase() === "true" || v?.toLowerCase() === "yes";
+}
+async function main() {
+    const argv = process.argv;
+    if (argv[2] === "run") {
+        try {
+            const parsed = parseRunTailArgs(argv.slice(3));
+            if (!parsed.ok)
+                throw new CliError(ERR.INVALID_INPUT, parsed.message);
+            process.exit(await executeRun(parsed));
+        }
+        catch (e) {
+            process.exit(reportCliError(e));
+        }
+        return;
+    }
+    // `fly deploy` forwards arbitrary flyctl flags, so it bypasses commander
+    // (which would reject unknown options) the same way `run` does.
+    if (argv[2] === "fly") {
+        try {
+            const parsed = parseFlyArgs(argv.slice(3));
+            if (!parsed.ok)
+                throw new CliError(ERR.INVALID_INPUT, parsed.message);
+            process.exit(await executeFlyDeploy(parsed));
+        }
+        catch (e) {
+            process.exit(reportCliError(e));
+        }
+        return;
+    }
+    const program = new Command();
+    program
+        .name("envspot")
+        .description("Encrypted environment variables for your team.")
+        .version(packageVersion());
+    program.addHelpText("afterAll", `\nExamples:
+  envspot init
+  envspot login
+  envspot link
+  envspot run -- npm start
+`);
+    program
+        .command("init")
+        .description("Create a project from this directory, link it, import your .env, and start your dev server.")
+        .option("--cwd <path>", "Operate against a different directory.")
+        .option("--no-import", "Skip .env discovery and import.")
+        .option("-y, --yes", "Non-interactive: accept defaults, import all .env, auto-run.")
+        .option("--strict", "Fail on unparsable .env lines instead of warning.")
+        .option("--no-run", "Skip the post-init dev-server prompt.")
+        .action(async (opts) => {
+        process.exit(await runInit(opts));
+    });
+    program
+        .command("login")
+        .description("Sign in via browser device pairing (recommended). Optionally store an API key (token login).")
+        .option("--token <key>", "Persist an organization API key (legacy login).")
+        .option("--legacy-api-token <key>", "Alias for --token (deprecated).")
+        .action(async (opts) => {
+        const leg = (opts.token ?? opts.legacyApiToken)?.trim();
+        if (leg) {
+            console.warn("Token login stores an organization API key in your credential store. Prefer device login when possible.\n" +
+                "Tip: run `envspot login` without flags for the device flow.");
+            // An org API key is a headless token (read-only, project-scoped); a
+            // device bearer pasted here is session-kind. Probe the endpoint that
+            // accepts the token's kind so the validity check doesn't false-fail.
+            const probePath = probePathForToken(leg);
+            try {
+                await backoffTransport(async () => {
+                    const res = await fetchWithCliHeaders(apiUrl(probePath), { method: "GET" }, leg);
+                    if (!res.ok) {
+                        const t = await res.text();
+                        throw new Error(`Auth check failed (${res.status}): ${t.slice(0, 380)}`);
+                    }
+                });
+            }
+            catch (e) {
+                if (isLikelyTransportFailure(e)) {
+                    console.error(describeTransportFailure(e));
+                    process.exit(3);
+                }
+                console.error(e instanceof Error ? e.message : String(e));
+                process.exit(1);
+            }
+            await clearStoredCredential();
+            await setStoredToken(leg);
+            console.log("Saved credential (experimental).");
+            return;
+        }
+        await runInteractiveDeviceLogin();
+    });
+    program
+        .command("logout")
+        .description("Remove the stored CLI credential (keychain entry or dev file).")
+        .action(async () => {
+        await clearStoredCredential();
+        console.log("Logged out.");
+    });
+    program
+        .command("link")
+        .description("Write ./.envspot.json (projectId + env). Omit --project for interactive picker.")
+        .option("-p, --project <slugOrId>", "Project slug (Dashboard → Projects) or id.")
+        .option("-e, --env <name>", 'Environment shorthand (default: "development" → stored as dev).', "development")
+        .action(async (opts) => {
+        if (opts.project?.trim()) {
+            await runLinkWithFlags(opts.project.trim(), opts.env ?? "development");
+        }
+        else {
+            await runLinkInteractive();
+        }
+    });
+    program
+        .command("dump")
+        .description("Print the linked project's secrets as KEY=value to stdout (pipe-friendly; nothing is written to disk).")
+        .option("-e, --env <name>", "Override ./.envspot.json environment.")
+        .action(async (opts) => {
+        await executeDump({ env: opts.env });
+    });
+    program
+        .command("status")
+        .description("Print API/app URL and credential/link hints.")
+        .action(async () => {
+        const { token, source } = await resolveToken();
+        const SOURCE_LABEL = {
+            env: "ENVSPOT_TOKEN (env)",
+            "dev-file": "~/.envspot/auth.json (ENVSPOT_DEV_AUTH_JSON)",
+            keychain: "OS keychain (keytar)",
+            none: "none",
+        };
+        console.log(`API base: ${apiBase()}`);
+        console.log(`App origin: ${appOrigin()}`);
+        console.log(`Token source: ${SOURCE_LABEL[source]}`);
+        if (token) {
+            const probePath = probePathForToken(token);
+            try {
+                const res = await fetchWithCliHeaders(apiUrl(probePath), { method: "GET" }, token);
+                console.log(`Token probe: GET ${probePath} → HTTP ${res.status}`);
+            }
+            catch {
+                console.log("Token probe failed (offline).");
+            }
+        }
+        else {
+            console.log("No credential stored.");
+        }
+        const found = findEnvspotLink(process.cwd());
+        console.log("Project link:", found
+            ? `${found.link.projectId} / ${found.link.environment}`
+            : "none (walked cwd → parents).");
+    });
+    program
+        .command("whoami")
+        .description("Show the signed-in user, workspace, and active link or token scope.")
+        .option("--json", "Print the raw JSON response (for scripts/CI).")
+        .action(async (opts) => {
+        await executeWhoami({ json: opts.json });
+    });
+    registerSecretsCommands(program);
+    if (experimentalEnabled())
+        registerExperimentalNoteCommand(program);
+    await program.parseAsync(argv);
+}
+function readStdinUtf8() {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        stdinStream.on("data", (c) => chunks.push(c));
+        stdinStream.on("end", () => {
+            resolve(Buffer.concat(chunks)
+                .toString("utf8")
+                .replace(/\r?\n$/, ""));
+        });
+        stdinStream.on("error", reject);
+    });
+}
+function registerSecretsCommands(program) {
+    program
+        .command("set")
+        .description("POST one secret variable for linked project.")
+        .argument("<key>", "Variable name")
+        .argument("[values...]", "Value; omit on TTY to require piping stdin. Words join with spaces.")
+        .option("-e, --env <name>", "Override ./.envspot.json environment.")
+        .action(async (key, valueParts, opts) => {
+        const token = await getStoredToken();
+        if (!token)
+            throw authRequired();
+        if (isHeadlessToken(token))
+            throw deviceLoginRequired("Setting secrets");
+        const found = findEnvspotLink(process.cwd());
+        if (!found)
+            throw notLinked();
+        const name = key.trim();
+        if (!name || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
+            throw new CliError(ERR.INVALID_INPUT, "Invalid key: letters, digits, underscore; must start with letter or underscore.");
+        }
+        const environment = persistEnvForUpsert(opts.env ?? found.link.environment);
+        let value;
+        if (valueParts.length > 0) {
+            value = valueParts.join(" ");
+        }
+        else if (!process.stdin.isTTY) {
+            value = await readStdinUtf8();
+        }
+        else {
+            throw new CliError(ERR.INVALID_INPUT, "Missing value.", 'Example: envspot set MY_KEY "secret"  |  cat key.txt | envspot set MY_KEY');
+        }
+        const res = await fetchWithCliHeaders(apiUrl("/api/cli/secrets"), {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                project: found.link.projectId,
+                environment,
+                secrets: [{ key: name, value }],
+            }),
+        }, token);
+        if (!res.ok) {
+            const { json } = await parseJsonSafely(res);
+            throw await cliApiError(res.status, json, found.link.projectId);
+        }
+        console.log(`Set ${name} for project ${found.link.projectId}.`);
+    });
+    program
+        .command("unset")
+        .description("DELETE one secret variable for linked project.")
+        .argument("<key>", "Variable name")
+        .option("-e, --env <name>", "Override ./.envspot.json environment.")
+        .action(async (key, opts) => {
+        const token = await getStoredToken();
+        if (!token)
+            throw authRequired();
+        if (isHeadlessToken(token))
+            throw deviceLoginRequired("Removing secrets");
+        const found = findEnvspotLink(process.cwd());
+        if (!found)
+            throw notLinked();
+        const name = key.trim();
+        if (!name || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
+            throw new CliError(ERR.INVALID_INPUT, "Invalid key: letters, digits, underscore; must start with letter or underscore.");
+        }
+        const environment = persistEnvForUpsert(opts.env ?? found.link.environment);
+        const qp = new URLSearchParams({
+            project: found.link.projectId,
+            env: environment,
+            key: name,
+        });
+        const res = await fetchWithCliHeaders(apiUrl(`/api/cli/secrets?${qp.toString()}`), { method: "DELETE" }, token);
+        if (!res.ok) {
+            const { json } = await parseJsonSafely(res);
+            throw await cliApiError(res.status, json, found.link.projectId);
+        }
+        console.log(`Removed ${name}.`);
+    });
+}
+function registerExperimentalNoteCommand(program) {
+    program
+        .command("_experimental")
+        .description("Print a note about experimental behavior toggles.")
+        .action(async () => {
+        console.warn("[ENVSPOT_EXPERIMENTAL=1 enabled]");
+        console.warn("Note: token login and set/unset are available without this flag.");
+    });
+}
+/** Map stored ./.envspot.json shorthand to API body `environment` field. */
+function persistEnvForUpsert(shorthand) {
+    const s = shorthand.trim().toLowerCase();
+    if (s === "dev" || s === "development" || s === "local")
+        return "development";
+    if (s === "prod" || s === "production")
+        return "production";
+    if (s === "stage" || s === "staging")
+        return "staging";
+    if (s === "custom")
+        return "custom";
+    return shorthand.trim();
+}
+void main().catch((e) => {
+    process.exit(reportCliError(e));
+});