firevault 0.2.0-beta.2 → 0.2.0-beta.3
- package/CHANGELOG.md +1 -0
- package/dist/commands/doctor.js +7 -3
- package/docs/doctor-design.md +17 -3
- package/package.json +1 -1
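--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -6,6 +6,7 @@
 - Added `firevault doctor` for actionable local setup validation.
 - Added `firevault setup-github-action` to generate a scheduled GitHub Actions workflow for offsite snapshots.
 - Added local workflow detection for generated GitHub Actions snapshot automation.
+- Changed `firevault doctor` to treat service account paths outside `.firevault` as informational rather than a failure.
 
 ## 0.2.0-beta.0
 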
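--- a/package/dist/commands/doctor.js
+++ b/package/dist/commands/doctor.js
@@ -133,7 +133,7 @@ export function runDoctor() {
 }
 const serviceAccountDisplayPath = displayPathFromApp(config.workspaceRoot, config.serviceAccountPathAbsolute);
 if (!isInside(config.workspaceRoot, config.serviceAccountPathAbsolute)) {
-addCheck(checks, "
+addCheck(checks, "INFO", "Service account path is outside .firevault", "External credential paths are supported. Ensure the file is securely managed and excluded from Git.");
 }
 else if (existsSync(config.serviceAccountPathAbsolute)) {
 addCheck(checks, "OK", "Service account file present");
@@ -164,10 +164,14 @@ export function runDoctor() {
 addCheck(checks, "WARN", "No Git remote origin configured", "git -C .firevault remote add origin <private-repo-url>");
 }
 workflowChecks(checks, config.workspaceRoot);
-const
+const serviceAccountIsInsideWorkspace = isInside(config.workspaceRoot, config.serviceAccountPathAbsolute);
+const serviceAccountIgnored = workspaceIsGitRepo && serviceAccountIsInsideWorkspace
 ? isPathIgnored(config.serviceAccountPath, config.workspaceRoot)
 : undefined;
-if (
+if (!serviceAccountIsInsideWorkspace) {
+addCheck(checks, "INFO", "Service account ignore check skipped for external path");
+}
+else if (serviceAccountIgnored === true || gitignoreContains(config.workspaceRoot, config.serviceAccountPath)) {
 addCheck(checks, "OK", "Service account file ignored");
 }
 else {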
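Review bot: In the first hunk the existence test is still chained as `else if (existsSync(config.serviceAccountPathAbsolute))`, so now that the outside-workspace branch only reports `INFO`, a missing external credential file is never flagged and, since `INFO` does not affect the exit code, doctor can exit clean with no usable key. Making the test independent, `if (existsSync(config.serviceAccountPathAbsolute)) {`, would keep the missing-file result reachable for external paths; the rest of the chain lies outside the hunk, so this assumes the following branch is the `FAIL` case. In the second hunk the ignore check is skipped for every external path, which includes a key placed in a surrounding application repository (if the workspace sits inside one, as `displayPathFromApp` suggests), the placement most likely to be committed by accident. Consider a `WARN` when the external path is inside some Git work tree and not ignored there, and naming `serviceAccountDisplayPath` in the `INFO` detail so the user can see which file is meant. `runDoctor` begins and ends outside both hunks.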
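--- a/package/docs/doctor-design.md
+++ b/package/docs/doctor-design.md
@@ -45,6 +45,7 @@ Next fixes:
 Use clear severity:
 
 - `OK`: check passed.
+- `INFO`: supported setup choice or useful context.
 - `WARN`: setup can work locally but recovery posture is weaker.
 - `FAIL`: setup is incomplete or unsafe enough that normal recovery workflows may fail.
 
@@ -54,6 +55,8 @@ Exit codes:
 - `1` if warnings are present and no checks fail.
 - `2` if any `FAIL`.
 
+`INFO` checks do not affect the exit code.
+
 ## Checks
 
 ### Workspace
@@ -103,16 +106,25 @@ Edit .firevault/config.json or rerun `firevault init --force`
 
 Checks:
 
-- configured `serviceAccountPath`
-- file exists
+- configured `serviceAccountPath` may resolve inside or outside `.firevault`,
+- file exists when the path is inside `.firevault`.
+
+External credential paths are supported. A service account file outside `.firevault` is not inherently unsafe because users may keep credentials in secure locations such as `~/.config`, password-manager mounted paths, or shared secret directories.
 
 Do not parse the service account JSON in the first version. Parsing is local, but it starts pulling doctor toward credential validation. Save that for a later `--verify` mode.
 
 Result:
 
+- `INFO Service account path is outside .firevault`
 - `OK Service account file present`
 - `FAIL Service account file missing`
 
+Message for external paths:
+
+```txt
+External credential paths are supported. Ensure the file is securely managed and excluded from Git.
+```
+
 Fix:
 
 ```txt
@@ -216,7 +228,9 @@ Review .firevault/.github/workflows/firevault-snapshot.yml or rerun `firevault s
 Checks:
 
 - `.firevault/.gitignore` exists,
-- configured service account path is ignored by Git
+- configured service account path is ignored by Git when the path is inside `.firevault`.
+
+If the configured service account path is outside `.firevault`, skip `.firevault/.gitignore` enforcement and report an informational check instead. External credential paths should be managed by the external location's security and Git ignore policy.
 
 Best check:
 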