hereya-cli 0.86.3 → 0.88.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +80 -130
  2. package/dist/backend/index.js +0 -24
  3. package/dist/commands/app/deploy/index.d.ts +0 -2
  4. package/dist/commands/app/deploy/index.js +0 -17
  5. package/dist/commands/app/deployments/index.d.ts +0 -4
  6. package/dist/commands/app/deployments/index.js +1 -20
  7. package/dist/commands/app/destroy/index.d.ts +0 -2
  8. package/dist/commands/app/destroy/index.js +0 -17
  9. package/dist/commands/app/env/index.d.ts +0 -2
  10. package/dist/commands/app/env/index.js +0 -17
  11. package/dist/commands/app/list/index.d.ts +0 -4
  12. package/dist/commands/app/list/index.js +1 -20
  13. package/dist/commands/app/status/index.d.ts +0 -2
  14. package/dist/commands/app/status/index.js +0 -17
  15. package/dist/commands/deploy/index.d.ts +0 -2
  16. package/dist/commands/deploy/index.js +56 -69
  17. package/dist/commands/init/index.d.ts +0 -2
  18. package/dist/commands/init/index.js +1 -18
  19. package/dist/commands/login/index.js +0 -5
  20. package/dist/commands/publish/index.d.ts +0 -2
  21. package/dist/commands/publish/index.js +0 -17
  22. package/dist/commands/run/index.d.ts +0 -2
  23. package/dist/commands/run/index.js +0 -17
  24. package/dist/commands/search/index.d.ts +0 -2
  25. package/dist/commands/search/index.js +21 -38
  26. package/dist/commands/undeploy/index.d.ts +0 -2
  27. package/dist/commands/undeploy/index.js +14 -27
  28. package/dist/commands/up/index.d.ts +0 -2
  29. package/dist/commands/up/index.js +1 -17
  30. package/dist/commands/workspace/executor/install/index.d.ts +0 -2
  31. package/dist/commands/workspace/executor/install/index.js +1 -17
  32. package/dist/commands/workspace/executor/token/index.d.ts +0 -2
  33. package/dist/commands/workspace/executor/token/index.js +0 -17
  34. package/dist/commands/workspace/executor/uninstall/index.d.ts +0 -2
  35. package/dist/commands/workspace/executor/uninstall/index.js +1 -17
  36. package/dist/executor/context.js +15 -12
  37. package/dist/lib/hereya-token.js +11 -10
  38. package/dist/lib/package/index.js +24 -20
  39. package/oclif.manifest.json +3 -133
  40. package/package.json +1 -1
  41. package/dist/lib/active-cloud.d.ts +0 -31
  42. package/dist/lib/active-cloud.js +0 -55
  43. package/dist/lib/ephemeral-token.d.ts +0 -45
  44. package/dist/lib/ephemeral-token.js +0 -89
@@ -241,14 +241,6 @@
241
241
  "allowNo": false,
242
242
  "type": "boolean"
243
243
  },
244
- "token": {
245
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
246
- "name": "token",
247
- "required": false,
248
- "hasDynamicHelp": false,
249
- "multiple": false,
250
- "type": "option"
251
- },
252
244
  "workspace": {
253
245
  "char": "w",
254
246
  "description": "name of the workspace to deploy the packages for",
@@ -581,14 +573,6 @@
581
573
  "multiple": false,
582
574
  "type": "option"
583
575
  },
584
- "token": {
585
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
586
- "name": "token",
587
- "required": false,
588
- "hasDynamicHelp": false,
589
- "multiple": false,
590
- "type": "option"
591
- },
592
576
  "workspace": {
593
577
  "char": "w",
594
578
  "description": "workspace to set as default",
@@ -774,14 +758,6 @@
774
758
  "hasDynamicHelp": false,
775
759
  "multiple": false,
776
760
  "type": "option"
777
- },
778
- "token": {
779
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
780
- "name": "token",
781
- "required": false,
782
- "hasDynamicHelp": false,
783
- "multiple": false,
784
- "type": "option"
785
761
  }
786
762
  },
787
763
  "hasDynamicHelp": false,
@@ -877,14 +853,6 @@
877
853
  "multiple": false,
878
854
  "type": "option"
879
855
  },
880
- "token": {
881
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
882
- "name": "token",
883
- "required": false,
884
- "hasDynamicHelp": false,
885
- "multiple": false,
886
- "type": "option"
887
- },
888
856
  "workspace": {
889
857
  "char": "w",
890
858
  "description": "name of the workspace to run the command in",
@@ -952,14 +920,6 @@
952
920
  "hasDynamicHelp": false,
953
921
  "multiple": false,
954
922
  "type": "option"
955
- },
956
- "token": {
957
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
958
- "name": "token",
959
- "required": false,
960
- "hasDynamicHelp": false,
961
- "multiple": false,
962
- "type": "option"
963
923
  }
964
924
  },
965
925
  "hasDynamicHelp": false,
@@ -1045,14 +1005,6 @@
1045
1005
  "allowNo": false,
1046
1006
  "type": "boolean"
1047
1007
  },
1048
- "token": {
1049
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1050
- "name": "token",
1051
- "required": false,
1052
- "hasDynamicHelp": false,
1053
- "multiple": false,
1054
- "type": "option"
1055
- },
1056
1008
  "workspace": {
1057
1009
  "char": "w",
1058
1010
  "description": "name of the workspace to undeploy the packages for",
@@ -1175,14 +1127,6 @@
1175
1127
  "multiple": true,
1176
1128
  "type": "option"
1177
1129
  },
1178
- "token": {
1179
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1180
- "name": "token",
1181
- "required": false,
1182
- "hasDynamicHelp": false,
1183
- "multiple": false,
1184
- "type": "option"
1185
- },
1186
1130
  "workspace": {
1187
1131
  "char": "w",
1188
1132
  "description": "name of the workspace to install the packages for",
@@ -1280,14 +1224,6 @@
1280
1224
  "multiple": true,
1281
1225
  "type": "option"
1282
1226
  },
1283
- "token": {
1284
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1285
- "name": "token",
1286
- "required": false,
1287
- "hasDynamicHelp": false,
1288
- "multiple": false,
1289
- "type": "option"
1290
- },
1291
1227
  "version": {
1292
1228
  "description": "specific app version to deploy (defaults to latest)",
1293
1229
  "name": "version",
@@ -1335,16 +1271,7 @@
1335
1271
  "examples": [
1336
1272
  "<%= config.bin %> <%= command.id %> my-org/my-app"
1337
1273
  ],
1338
- "flags": {
1339
- "token": {
1340
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1341
- "name": "token",
1342
- "required": false,
1343
- "hasDynamicHelp": false,
1344
- "multiple": false,
1345
- "type": "option"
1346
- }
1347
- },
1274
+ "flags": {},
1348
1275
  "hasDynamicHelp": false,
1349
1276
  "hiddenAliases": [],
1350
1277
  "id": "app:deployments",
@@ -1399,14 +1326,6 @@
1399
1326
  "multiple": true,
1400
1327
  "type": "option"
1401
1328
  },
1402
- "token": {
1403
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1404
- "name": "token",
1405
- "required": false,
1406
- "hasDynamicHelp": false,
1407
- "multiple": false,
1408
- "type": "option"
1409
- },
1410
1329
  "workspace": {
1411
1330
  "char": "w",
1412
1331
  "description": "workspace where the app is currently deployed",
@@ -1454,14 +1373,6 @@
1454
1373
  "<%= config.bin %> <%= command.id %> my-org/my-app -w my-workspace DATABASE_URL"
1455
1374
  ],
1456
1375
  "flags": {
1457
- "token": {
1458
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1459
- "name": "token",
1460
- "required": false,
1461
- "hasDynamicHelp": false,
1462
- "multiple": false,
1463
- "type": "option"
1464
- },
1465
1376
  "workspace": {
1466
1377
  "char": "w",
1467
1378
  "description": "workspace to read env outputs from",
@@ -1496,16 +1407,7 @@
1496
1407
  "examples": [
1497
1408
  "<%= config.bin %> <%= command.id %>"
1498
1409
  ],
1499
- "flags": {
1500
- "token": {
1501
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1502
- "name": "token",
1503
- "required": false,
1504
- "hasDynamicHelp": false,
1505
- "multiple": false,
1506
- "type": "option"
1507
- }
1508
- },
1410
+ "flags": {},
1509
1411
  "hasDynamicHelp": false,
1510
1412
  "hiddenAliases": [],
1511
1413
  "id": "app:list",
@@ -1587,14 +1489,6 @@
1587
1489
  "<%= config.bin %> <%= command.id %> my-org/my-app -w my-workspace"
1588
1490
  ],
1589
1491
  "flags": {
1590
- "token": {
1591
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
1592
- "name": "token",
1593
- "required": false,
1594
- "hasDynamicHelp": false,
1595
- "multiple": false,
1596
- "type": "option"
1597
- },
1598
1492
  "workspace": {
1599
1493
  "char": "w",
1600
1494
  "description": "workspace to read deployment status from",
@@ -3217,14 +3111,6 @@
3217
3111
  "allowNo": false,
3218
3112
  "type": "boolean"
3219
3113
  },
3220
- "token": {
3221
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
3222
- "name": "token",
3223
- "required": false,
3224
- "hasDynamicHelp": false,
3225
- "multiple": false,
3226
- "type": "option"
3227
- },
3228
3114
  "workspace": {
3229
3115
  "char": "w",
3230
3116
  "description": "name of the workspace",
@@ -3258,14 +3144,6 @@
3258
3144
  "args": {},
3259
3145
  "description": "Generate a workspace-scoped executor token for the remote executor",
3260
3146
  "flags": {
3261
- "token": {
3262
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
3263
- "name": "token",
3264
- "required": false,
3265
- "hasDynamicHelp": false,
3266
- "multiple": false,
3267
- "type": "option"
3268
- },
3269
3147
  "workspace": {
3270
3148
  "char": "w",
3271
3149
  "description": "name of the workspace",
@@ -3305,14 +3183,6 @@
3305
3183
  "allowNo": false,
3306
3184
  "type": "boolean"
3307
3185
  },
3308
- "token": {
3309
- "description": "Ephemeral cloud access token used for this invocation only. Held in memory; never written to the keychain or `~/.hereya/secrets/`. Takes precedence over the HEREYA_TOKEN environment variable.",
3310
- "name": "token",
3311
- "required": false,
3312
- "hasDynamicHelp": false,
3313
- "multiple": false,
3314
- "type": "option"
3315
- },
3316
3186
  "workspace": {
3317
3187
  "char": "w",
3318
3188
  "description": "name of the workspace",
@@ -3342,5 +3212,5 @@
3342
3212
  ]
3343
3213
  }
3344
3214
  },
3345
- "version": "0.86.3"
3215
+ "version": "0.88.0"
3346
3216
  }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "hereya-cli",
3
3
  "description": "Infrastructure as Package",
4
- "version": "0.86.3",
4
+ "version": "0.88.0",
5
5
  "author": "Hereya Developers",
6
6
  "bin": {
7
7
  "hereya": "./bin/run.js"
@@ -1,31 +0,0 @@
1
- /**
2
- * The active cloud auth credentials for this CLI invocation.
3
- *
4
- * Either sourced from an ephemeral `--token` (in which case `clientId` and
5
- * `refreshToken` are `null` because there is no persisted client identity
6
- * and the token cannot be refreshed) or from the persisted `backend.yaml`
7
- * + keychain credentials.
8
- */
9
- export interface ActiveCloudAuth {
10
- accessToken: string;
11
- clientId: null | string;
12
- cloudUrl: string;
13
- refreshToken: null | string;
14
- }
15
- /**
16
- * Returns the active cloud auth, preferring an in-scope ephemeral `--token`
17
- * over the persisted `backend.yaml` + keychain credentials. Returns `null`
18
- * when neither is available.
19
- *
20
- * **This is the single source of truth for "are we authenticated to
21
- * hereya-cloud right now?"** — every code path that previously read from
22
- * `loadBackendConfig()` + `getCloudCredentials()` directly (and therefore
23
- * silently ignored an ephemeral `--token`) should call this instead.
24
- */
25
- export declare function getActiveCloudAuth(): Promise<ActiveCloudAuth | null>;
26
- /**
27
- * Whether the cloud backend is "active" — either via `hereya login` or via
28
- * an in-scope ephemeral `--token`. Used to decide whether to consult the
29
- * cloud package registry, the remote executor, etc.
30
- */
31
- export declare function isCloudBackendActive(): Promise<boolean>;
@@ -1,55 +0,0 @@
1
- import { getCloudCredentials, loadBackendConfig } from '../backend/config.js';
2
- import { BackendType } from '../backend/index.js';
3
- import { getEphemeralToken } from './ephemeral-token.js';
4
- const DEFAULT_CLOUD_URL = 'https://cloud.hereya.dev';
5
- /**
6
- * Returns the active cloud auth, preferring an in-scope ephemeral `--token`
7
- * over the persisted `backend.yaml` + keychain credentials. Returns `null`
8
- * when neither is available.
9
- *
10
- * **This is the single source of truth for "are we authenticated to
11
- * hereya-cloud right now?"** — every code path that previously read from
12
- * `loadBackendConfig()` + `getCloudCredentials()` directly (and therefore
13
- * silently ignored an ephemeral `--token`) should call this instead.
14
- */
15
- export async function getActiveCloudAuth() {
16
- const ephemeral = getEphemeralToken();
17
- if (ephemeral) {
18
- const cloudUrl = ephemeral.cloudUrl
19
- ?? process.env.HEREYA_CLOUD_URL
20
- ?? (await loadBackendConfig()).cloud?.url
21
- ?? DEFAULT_CLOUD_URL;
22
- return {
23
- accessToken: ephemeral.token,
24
- clientId: null,
25
- cloudUrl,
26
- refreshToken: null,
27
- };
28
- }
29
- const config = await loadBackendConfig();
30
- if (config.current !== BackendType.Cloud || !config.cloud) {
31
- return null;
32
- }
33
- const credentials = await getCloudCredentials(config.cloud.clientId);
34
- if (!credentials) {
35
- return null;
36
- }
37
- return {
38
- accessToken: credentials.accessToken,
39
- clientId: config.cloud.clientId,
40
- cloudUrl: config.cloud.url,
41
- refreshToken: credentials.refreshToken,
42
- };
43
- }
44
- /**
45
- * Whether the cloud backend is "active" — either via `hereya login` or via
46
- * an in-scope ephemeral `--token`. Used to decide whether to consult the
47
- * cloud package registry, the remote executor, etc.
48
- */
49
- export async function isCloudBackendActive() {
50
- if (getEphemeralToken()) {
51
- return true;
52
- }
53
- const config = await loadBackendConfig();
54
- return config.current === BackendType.Cloud;
55
- }
@@ -1,45 +0,0 @@
1
- /**
2
- * In-memory context for an ephemeral, in-memory-only access token.
3
- *
4
- * This is used to support per-invocation tokens (e.g. minted by a separate
5
- * MCP server) without persisting credentials to the user's keychain or
6
- * `~/.hereya/secrets/`. Code that needs to read the active token (e.g. the
7
- * cloud backend factory in `src/backend/index.ts`) calls
8
- * {@link getEphemeralToken} and uses it directly as the bearer for outgoing
9
- * cloud API calls. No exchange via `loginWithToken` happens — that path is
10
- * intentionally avoided because it would mint a long-lived refresh token.
11
- */
12
- export interface EphemeralTokenContext {
13
- cloudUrl?: string;
14
- token: string;
15
- }
16
- /**
17
- * Returns the active ephemeral token context, or `undefined` if no
18
- * `withEphemeralToken` scope is currently in flight.
19
- *
20
- * Falls back to the `HEREYA_EPHEMERAL_TOKEN` env var when no async-local-
21
- * storage context is set — that's how subprocesses (the credential helper
22
- * grandchild, etc.) inherit the ephemeral context across process
23
- * boundaries. The env var is set automatically by `withEphemeralToken`.
24
- */
25
- export declare function getEphemeralToken(): EphemeralTokenContext | undefined;
26
- /**
27
- * Run `fn` inside an ephemeral-token scope. While `fn` is executing,
28
- * `getEphemeralToken()` returns the supplied token (and optional cloudUrl),
29
- * and `process.env.HEREYA_EPHEMERAL_TOKEN` is set so subprocesses inherit
30
- * the same ephemeral context.
31
- *
32
- * Critical guarantees:
33
- * - The token is held in-memory only. It is NEVER passed to the secret
34
- * manager or written to disk.
35
- * - After `fn` returns or throws, `getEphemeralToken()` returns `undefined`
36
- * again and `HEREYA_EPHEMERAL_TOKEN` is restored to its prior value.
37
- * - The cached backend in `src/backend/index.ts` is cleared before and after
38
- * the scope so that a stale, persisted-credential-backed CloudBackend is
39
- * never used while the scope is active, and the scope's in-memory backend
40
- * does not leak to subsequent code that expected the user's regular
41
- * credentials.
42
- */
43
- export declare function withEphemeralToken<T>(token: string, fn: () => Promise<T>, options?: {
44
- cloudUrl?: string;
45
- }): Promise<T>;
@@ -1,89 +0,0 @@
1
- import { AsyncLocalStorage } from 'node:async_hooks';
2
- import { clearBackend } from '../backend/index.js';
3
- const storage = new AsyncLocalStorage();
4
- /**
5
- * Env-var names used to propagate the ephemeral token to **subprocesses**
6
- * (e.g. the `git` invocation that triggers the `hereya credential-helper`
7
- * grandchild). Async-local-storage doesn't cross process boundaries, so we
8
- * also stash the token in the environment for the duration of the scope.
9
- *
10
- * These are deliberately named differently from `HEREYA_TOKEN` because the
11
- * existing `HEREYA_TOKEN` semantics call `loginWithToken()` (exchange +
12
- * keychain persist), which is exactly what ephemeral mode must NOT do.
13
- */
14
- const EPHEMERAL_TOKEN_ENV = 'HEREYA_EPHEMERAL_TOKEN';
15
- const EPHEMERAL_CLOUD_URL_ENV = 'HEREYA_EPHEMERAL_CLOUD_URL';
16
- /**
17
- * Returns the active ephemeral token context, or `undefined` if no
18
- * `withEphemeralToken` scope is currently in flight.
19
- *
20
- * Falls back to the `HEREYA_EPHEMERAL_TOKEN` env var when no async-local-
21
- * storage context is set — that's how subprocesses (the credential helper
22
- * grandchild, etc.) inherit the ephemeral context across process
23
- * boundaries. The env var is set automatically by `withEphemeralToken`.
24
- */
25
- export function getEphemeralToken() {
26
- const fromAsyncStorage = storage.getStore();
27
- if (fromAsyncStorage) {
28
- return fromAsyncStorage;
29
- }
30
- const fromEnv = process.env[EPHEMERAL_TOKEN_ENV];
31
- if (fromEnv) {
32
- return {
33
- cloudUrl: process.env[EPHEMERAL_CLOUD_URL_ENV] || undefined,
34
- token: fromEnv,
35
- };
36
- }
37
- return undefined;
38
- }
39
- /**
40
- * Run `fn` inside an ephemeral-token scope. While `fn` is executing,
41
- * `getEphemeralToken()` returns the supplied token (and optional cloudUrl),
42
- * and `process.env.HEREYA_EPHEMERAL_TOKEN` is set so subprocesses inherit
43
- * the same ephemeral context.
44
- *
45
- * Critical guarantees:
46
- * - The token is held in-memory only. It is NEVER passed to the secret
47
- * manager or written to disk.
48
- * - After `fn` returns or throws, `getEphemeralToken()` returns `undefined`
49
- * again and `HEREYA_EPHEMERAL_TOKEN` is restored to its prior value.
50
- * - The cached backend in `src/backend/index.ts` is cleared before and after
51
- * the scope so that a stale, persisted-credential-backed CloudBackend is
52
- * never used while the scope is active, and the scope's in-memory backend
53
- * does not leak to subsequent code that expected the user's regular
54
- * credentials.
55
- */
56
- export async function withEphemeralToken(token, fn, options) {
57
- // Drop any cached backend so the next getBackend() call sees the ephemeral context.
58
- clearBackend();
59
- // Snapshot existing env-var values so we can restore them on exit.
60
- const priorTokenEnv = process.env[EPHEMERAL_TOKEN_ENV];
61
- const priorCloudUrlEnv = process.env[EPHEMERAL_CLOUD_URL_ENV];
62
- process.env[EPHEMERAL_TOKEN_ENV] = token;
63
- if (options?.cloudUrl) {
64
- process.env[EPHEMERAL_CLOUD_URL_ENV] = options.cloudUrl;
65
- }
66
- else {
67
- delete process.env[EPHEMERAL_CLOUD_URL_ENV];
68
- }
69
- try {
70
- return await storage.run({ cloudUrl: options?.cloudUrl, token }, fn);
71
- }
72
- finally {
73
- // Restore prior env-var state (no leakage between sibling invocations).
74
- if (priorTokenEnv === undefined) {
75
- delete process.env[EPHEMERAL_TOKEN_ENV];
76
- }
77
- else {
78
- process.env[EPHEMERAL_TOKEN_ENV] = priorTokenEnv;
79
- }
80
- if (priorCloudUrlEnv === undefined) {
81
- delete process.env[EPHEMERAL_CLOUD_URL_ENV];
82
- }
83
- else {
84
- process.env[EPHEMERAL_CLOUD_URL_ENV] = priorCloudUrlEnv;
85
- }
86
- // Drop the in-memory backend bound to the ephemeral token before yielding control.
87
- clearBackend();
88
- }
89
- }