kubeagent 0.1.30 → 0.1.32

package/dist/cli.js

@@ -25,6 +25,7 @@ import { scanCluster } from "./onboard/cluster-scan.js";
 import { formatProjectMarkdown } from "./onboard/code-scan.js";
 import { writeProjectKb, ensureKbDir } from "./kb/writer.js";
 import { checkForUpdate } from "./update-notifier.js";
+import { enforceMinVersion } from "./version-check.js";
 import { sendTelemetry } from "./telemetry.js";
 const program = new Command();
 program
@@ -530,6 +531,16 @@ program
         }
     }
 });
+// Mandatory version check — runs before each action so users on
+// API-incompatible CLI versions can't proceed. The hook fires AFTER arg
+// parsing, so `kubeagent login --server <url>` validates against the
+// requested server, not the default. Cached per-server for 24h; network
+// failure with no cache falls through silently (see version-check.ts).
+program.hook("preAction", async (_thisCommand, actionCommand) => {
+    const opts = actionCommand.opts();
+    const serverUrl = opts.server ?? loadAuth()?.serverUrl ?? DEFAULT_SERVER;
+    await enforceMinVersion(version, serverUrl);
+});
 program.parse();
 // Non-blocking update check — runs after command completes
 checkForUpdate();

package/dist/version-check.d.ts

@@ -0,0 +1,14 @@
+export declare function isBelow(version: string, floor: string): boolean;
+/**
+ * Verifies that the running CLI is still supported by the server at
+ * `serverUrl`.
+ *
+ * Behaviour:
+ *   - Fetches the server's `minSupported` version (cached per-server for 24h).
+ *   - If the running version is strictly below the floor, prints a mandatory-
+ *     update message and exits the process with code 1.
+ *   - On network failure with no cached value, returns silently — we don't
+ *     want to lock users out when the server is unreachable for transient
+ *     reasons. A stale cache is preferred over no cache when offline.
+ */
+export declare function enforceMinVersion(currentVersion: string, serverUrl: string): Promise<void>;

package/dist/version-check.js

@@ -0,0 +1,108 @@
+import chalk from "chalk";
+import { readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const FETCH_TIMEOUT_MS = 3000;
+function cacheFilePath() {
+    return join(homedir(), ".kubeagent", "version-check.json");
+}
+function readCache() {
+    try {
+        const data = JSON.parse(readFileSync(cacheFilePath(), "utf-8"));
+        if (!data || typeof data !== "object")
+            return {};
+        // Reject the legacy single-entry shape ({checkedAt, minSupported}) — we
+        // can't know which server it came from, so a refresh is safer than
+        // potentially applying it to the wrong server.
+        if ("checkedAt" in data && "minSupported" in data)
+            return {};
+        return data;
+    }
+    catch {
+        return {};
+    }
+}
+function writeCache(cache) {
+    try {
+        mkdirSync(join(homedir(), ".kubeagent"), { recursive: true });
+        writeFileSync(cacheFilePath(), JSON.stringify(cache), "utf-8");
+    }
+    catch {
+        // Non-fatal
+    }
+}
+// Returns true when `version` is strictly older than `floor` (semver-like, 3 parts).
+export function isBelow(version, floor) {
+    const parse = (v) => v.replace(/^v/, "").split(".").map((n) => parseInt(n, 10));
+    const [vMaj, vMin, vPatch] = parse(version);
+    const [fMaj, fMin, fPatch] = parse(floor);
+    if (vMaj !== fMaj)
+        return vMaj < fMaj;
+    if (vMin !== fMin)
+        return vMin < fMin;
+    return vPatch < fPatch;
+}
+async function fetchMinSupported(serverUrl) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+    try {
+        const res = await fetch(`${serverUrl}/v1/version`, { signal: controller.signal });
+        if (!res.ok)
+            return undefined;
+        const data = (await res.json());
+        return data.minSupported;
+    }
+    catch {
+        return undefined;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+/**
+ * Verifies that the running CLI is still supported by the server at
+ * `serverUrl`.
+ *
+ * Behaviour:
+ *   - Fetches the server's `minSupported` version (cached per-server for 24h).
+ *   - If the running version is strictly below the floor, prints a mandatory-
+ *     update message and exits the process with code 1.
+ *   - On network failure with no cached value, returns silently — we don't
+ *     want to lock users out when the server is unreachable for transient
+ *     reasons. A stale cache is preferred over no cache when offline.
+ */
+export async function enforceMinVersion(currentVersion, serverUrl) {
+    const now = Date.now();
+    const cache = readCache();
+    const cached = cache[serverUrl];
+    let minSupported;
+    if (cached && now - cached.checkedAt < CACHE_TTL_MS) {
+        minSupported = cached.minSupported;
+    }
+    else {
+        minSupported = await fetchMinSupported(serverUrl);
+        if (minSupported) {
+            cache[serverUrl] = { checkedAt: now, minSupported };
+            writeCache(cache);
+        }
+        else {
+            // Network error or bad response — fall back to whatever was last cached
+            // for THIS server. Floors from other servers must not leak across.
+            minSupported = cached?.minSupported;
+        }
+    }
+    if (!minSupported)
+        return;
+    if (!isBelow(currentVersion, minSupported))
+        return;
+    console.error("\n" +
+        chalk.red(`  This CLI version (${currentVersion}) is no longer supported.`) +
+        "\n" +
+        chalk.red(`  Minimum supported version is ${minSupported}.`) +
+        "\n\n" +
+        chalk.dim("  Run ") +
+        chalk.cyan("npm install -g kubeagent@latest") +
+        chalk.dim(" to update.\n"));
+    process.exit(1);
+}

package/dist/version-check.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/version-check.test.js

@@ -0,0 +1,179 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, rmSync, writeFileSync, mkdirSync, existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+// Mock chalk to return plain strings
+vi.mock("chalk", () => {
+    const identity = (s) => s;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const handler = {
+        get: () => new Proxy(identity, handler),
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        apply: (_t, _this, args) => args[0],
+    };
+    return { default: new Proxy(identity, handler) };
+});
+let tmpHome;
+let originalHome;
+beforeEach(() => {
+    tmpHome = mkdtempSync(join(tmpdir(), "kubeagent-version-test-"));
+    originalHome = process.env.HOME;
+    process.env.HOME = tmpHome;
+});
+afterEach(() => {
+    if (originalHome !== undefined)
+        process.env.HOME = originalHome;
+    else
+        delete process.env.HOME;
+    rmSync(tmpHome, { recursive: true, force: true });
+    vi.restoreAllMocks();
+});
+describe("isBelow", () => {
+    it("returns true when current is older", async () => {
+        const { isBelow } = await import("./version-check.js");
+        expect(isBelow("0.1.5", "0.2.0")).toBe(true);
+        expect(isBelow("0.1.5", "0.1.6")).toBe(true);
+        expect(isBelow("0.0.9", "1.0.0")).toBe(true);
+    });
+    it("returns false when current is equal or newer", async () => {
+        const { isBelow } = await import("./version-check.js");
+        expect(isBelow("0.2.0", "0.2.0")).toBe(false);
+        expect(isBelow("0.2.1", "0.2.0")).toBe(false);
+        expect(isBelow("1.0.0", "0.9.99")).toBe(false);
+    });
+    it("strips a leading v", async () => {
+        const { isBelow } = await import("./version-check.js");
+        expect(isBelow("v0.1.0", "0.2.0")).toBe(true);
+        expect(isBelow("0.1.0", "v0.2.0")).toBe(true);
+    });
+});
+describe("enforceMinVersion", () => {
+    it("exits with code 1 when current version is below min", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: () => Promise.resolve({ minSupported: "0.5.0" }),
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        });
+        const errSpy = vi.spyOn(console, "error").mockImplementation(() => { });
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation(((_code) => {
+            throw new Error("__exit__");
+        }));
+        const { enforceMinVersion } = await import("./version-check.js");
+        await expect(enforceMinVersion("0.1.0", "https://api.example.com")).rejects.toThrow("__exit__");
+        expect(exitSpy).toHaveBeenCalledWith(1);
+        const output = errSpy.mock.calls.map((c) => c.join(" ")).join("\n");
+        expect(output).toContain("no longer supported");
+        expect(output).toContain("0.5.0");
+    });
+    it("does nothing when current version meets the floor", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: () => Promise.resolve({ minSupported: "0.1.0" }),
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        });
+        const errSpy = vi.spyOn(console, "error").mockImplementation(() => { });
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation((() => { }));
+        const { enforceMinVersion } = await import("./version-check.js");
+        await enforceMinVersion("0.1.0", "https://api.example.com");
+        expect(exitSpy).not.toHaveBeenCalled();
+        expect(errSpy).not.toHaveBeenCalled();
+    });
+    it("falls back to stale cache on network error", async () => {
+        // Seed an older cached floor for THIS server URL that already proved
+        // this version stale.
+        const url = "https://api.example.com";
+        mkdirSync(join(tmpHome, ".kubeagent"), { recursive: true });
+        writeFileSync(join(tmpHome, ".kubeagent", "version-check.json"), JSON.stringify({
+            [url]: {
+                // checkedAt > 24h ago so we attempt a refetch
+                checkedAt: Date.now() - 48 * 60 * 60 * 1000,
+                minSupported: "0.5.0",
+            },
+        }), "utf-8");
+        globalThis.fetch = vi.fn().mockRejectedValue(new Error("offline"));
+        const errSpy = vi.spyOn(console, "error").mockImplementation(() => { });
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation(((_code) => {
+            throw new Error("__exit__");
+        }));
+        const { enforceMinVersion } = await import("./version-check.js");
+        await expect(enforceMinVersion("0.1.0", url)).rejects.toThrow("__exit__");
+        expect(exitSpy).toHaveBeenCalledWith(1);
+        expect(errSpy).toHaveBeenCalled();
+    });
+    it("returns silently with no cache and a network error", async () => {
+        globalThis.fetch = vi.fn().mockRejectedValue(new Error("offline"));
+        const errSpy = vi.spyOn(console, "error").mockImplementation(() => { });
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation((() => { }));
+        const { enforceMinVersion } = await import("./version-check.js");
+        await enforceMinVersion("0.1.0", "https://api.example.com");
+        expect(exitSpy).not.toHaveBeenCalled();
+        expect(errSpy).not.toHaveBeenCalled();
+    });
+    it("uses cached value within 24h without refetching", async () => {
+        const url = "https://api.example.com";
+        mkdirSync(join(tmpHome, ".kubeagent"), { recursive: true });
+        writeFileSync(join(tmpHome, ".kubeagent", "version-check.json"), JSON.stringify({ [url]: { checkedAt: Date.now(), minSupported: "0.2.0" } }), "utf-8");
+        const fetchSpy = vi.fn();
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        globalThis.fetch = fetchSpy;
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation(((_code) => {
+            throw new Error("__exit__");
+        }));
+        vi.spyOn(console, "error").mockImplementation(() => { });
+        const { enforceMinVersion } = await import("./version-check.js");
+        await expect(enforceMinVersion("0.1.0", url)).rejects.toThrow("__exit__");
+        expect(fetchSpy).not.toHaveBeenCalled();
+        expect(exitSpy).toHaveBeenCalledWith(1);
+    });
+    it("writes cache after a successful fetch", async () => {
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: () => Promise.resolve({ minSupported: "0.1.0" }),
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        });
+        vi.spyOn(process, "exit").mockImplementation((() => { }));
+        vi.spyOn(console, "error").mockImplementation(() => { });
+        const { enforceMinVersion } = await import("./version-check.js");
+        await enforceMinVersion("0.1.5", "https://api.example.com");
+        const cachePath = join(tmpHome, ".kubeagent", "version-check.json");
+        expect(existsSync(cachePath)).toBe(true);
+        const cache = JSON.parse(readFileSync(cachePath, "utf-8"));
+        expect(cache["https://api.example.com"].minSupported).toBe("0.1.0");
+    });
+    it("does not apply a floor cached for a different server URL", async () => {
+        const otherUrl = "https://other-server.example.com";
+        mkdirSync(join(tmpHome, ".kubeagent"), { recursive: true });
+        writeFileSync(join(tmpHome, ".kubeagent", "version-check.json"), JSON.stringify({
+            [otherUrl]: { checkedAt: Date.now(), minSupported: "99.0.0" },
+        }), "utf-8");
+        // Target server returns a permissive floor; other-server's strict floor
+        // must NOT be applied here.
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: () => Promise.resolve({ minSupported: "0.1.0" }),
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        });
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation((() => { }));
+        vi.spyOn(console, "error").mockImplementation(() => { });
+        const { enforceMinVersion } = await import("./version-check.js");
+        await enforceMinVersion("0.1.0", "https://api.example.com");
+        expect(exitSpy).not.toHaveBeenCalled();
+    });
+    it("ignores the legacy single-entry cache shape", async () => {
+        // Old format: {checkedAt, minSupported} at the root. Should be discarded
+        // since we don't know which server it came from.
+        mkdirSync(join(tmpHome, ".kubeagent"), { recursive: true });
+        writeFileSync(join(tmpHome, ".kubeagent", "version-check.json"), JSON.stringify({ checkedAt: Date.now(), minSupported: "99.0.0" }), "utf-8");
+        globalThis.fetch = vi.fn().mockResolvedValue({
+            ok: true,
+            json: () => Promise.resolve({ minSupported: "0.1.0" }),
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        });
+        const exitSpy = vi.spyOn(process, "exit").mockImplementation((() => { }));
+        vi.spyOn(console, "error").mockImplementation(() => { });
+        const { enforceMinVersion } = await import("./version-check.js");
+        await enforceMinVersion("0.1.0", "https://api.example.com");
+        // Legacy floor (99.0.0) ignored, fresh fetch (0.1.0) applied — no exit.
+        expect(exitSpy).not.toHaveBeenCalled();
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kubeagent",
-  "version": "0.1.30",
+  "version": "0.1.32",
   "description": "AI-powered Kubernetes management CLI",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
@@ -33,6 +33,14 @@
     "zod": "^3.24.0",
     "zod-to-json-schema": "^3.25.2"
   },
+  "fallow": {
+    "ignoreDependencies": [
+      "bcrypt",
+      "drizzle-orm",
+      "hono",
+      "jose"
+    ]
+  },
   "devDependencies": {
     "@kubeagent/shared": "*",
     "@types/js-yaml": "^4.0.9",