passwd-sso-cli 0.4.46 → 0.4.48

package/dist/commands/api-key.js

@@ -7,6 +7,7 @@
  *   revoke — Revoke an API key
  */
 import { apiRequest } from "../lib/api-client.js";
+import { readMainApiErrorBody } from "../lib/api-error-body.js";
 import * as output from "../lib/output.js";
 export async function apiKeyListCommand(options = {}) {
     const res = await apiRequest("/api/api-keys");
@@ -73,8 +74,8 @@ export async function apiKeyCreateCommand(opts) {
         },
     });
     if (!res.ok) {
-        const err = res.data;
-        output.error(`Failed to create API key: ${err.error ?? `HTTP ${res.status}`}`);
+        const err = readMainApiErrorBody(res.data);
+        output.error(`Failed to create API key: ${err?.error ?? `HTTP ${res.status}`}`);
         return;
     }
     if (opts.json) {
@@ -99,12 +100,12 @@ export async function apiKeyCreateCommand(opts) {
 export async function apiKeyRevokeCommand(id, options = {}) {
     const res = await apiRequest(`/api/api-keys/${encodeURIComponent(id)}`, { method: "DELETE" });
     if (!res.ok) {
-        const err = res.data;
+        const err = readMainApiErrorBody(res.data);
         if (options.json) {
-            output.json({ success: false, error: err.error ?? `HTTP ${res.status}` });
+            output.json({ success: false, error: err?.error ?? `HTTP ${res.status}` });
         }
         else {
-            output.error(`Failed to revoke API key: ${err.error ?? `HTTP ${res.status}`}`);
+            output.error(`Failed to revoke API key: ${err?.error ?? `HTTP ${res.status}`}`);
         }
         return;
     }

package/dist/commands/env.js

@@ -7,7 +7,7 @@
  * Requires the vault to be unlocked (encryption key in memory) OR
  * an apiKey + PSSO_PASSPHRASE env var for non-interactive mode.
  */
-import { loadSecretsConfig, getPasswordPath } from "../lib/secrets-config.js";
+import { loadSecretsConfig, getPasswordPath, getSecretsServerUrl } from "../lib/secrets-config.js";
 import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { autoUnlockIfNeeded } from "./unlock.js";
 import { getToken } from "../lib/api-client.js";
@@ -22,10 +22,17 @@ export async function envCommand(opts) {
     }
     catch (err) {
         output.error(err instanceof Error ? err.message : "Failed to load config.");
-        return;
+        process.exit(1);
     }
     const useV1 = !!config.apiKey;
-    const baseUrl = config.server.replace(/\/$/, "");
+    let baseUrl;
+    try {
+        baseUrl = getSecretsServerUrl();
+    }
+    catch (err) {
+        output.error(err instanceof Error ? err.message : "Failed to resolve server URL.");
+        process.exit(1);
+    }
     // Determine auth header
     let authHeader;
     if (config.apiKey) {
@@ -35,14 +42,14 @@ export async function envCommand(opts) {
         const token = await getToken();
         if (!token) {
             output.error("Not logged in. Run `passwd-sso login` first, or set apiKey in config.");
-            return;
+            process.exit(1);
         }
         authHeader = `Bearer ${token}`;
     }
     // Auto-unlock with PSSO_PASSPHRASE if needed
     if (!await autoUnlockIfNeeded()) {
         output.error("Vault is not unlocked. Run `passwd-sso unlock` first, or set PSSO_PASSPHRASE.");
-        return;
+        process.exit(1);
     }
     const encryptionKey = getEncryptionKey();
     const userId = getUserId();

package/dist/commands/run.js

@@ -5,7 +5,7 @@
  * Blocks certain dangerous env var names from being overwritten.
  */
 import { spawn } from "node:child_process";
-import { loadSecretsConfig, getPasswordPath } from "../lib/secrets-config.js";
+import { loadSecretsConfig, getPasswordPath, getSecretsServerUrl } from "../lib/secrets-config.js";
 import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { autoUnlockIfNeeded } from "./unlock.js";
 import { getToken } from "../lib/api-client.js";
@@ -27,7 +27,14 @@ export async function runCommand(opts) {
         process.exit(1);
     }
     const useV1 = !!config.apiKey;
-    const baseUrl = config.server.replace(/\/$/, "");
+    let baseUrl;
+    try {
+        baseUrl = getSecretsServerUrl();
+    }
+    catch (err) {
+        output.error(err instanceof Error ? err.message : "Failed to resolve server URL.");
+        process.exit(1);
+    }
     let authHeader;
     if (config.apiKey) {
         authHeader = `Bearer ${config.apiKey}`;

package/dist/lib/api-error-body.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Typed error-body access for main-API responses.
+ *
+ * Mirrors `src/lib/http/api-response.ts` `MainApiErrorBody` — keep in sync.
+ * The CLI cannot import from the app's `src/` (separate tsconfig / `rootDir`),
+ * so this is a deliberate type duplicate with the same shape and invariants.
+ * See `docs/api/error-handling.md` for the canonical envelope.
+ *
+ * Keep in sync with the other 2 copies:
+ *   - src/lib/http/read-api-error-body.ts (main, canonical)
+ *   - extension/src/lib/api-error-body.ts (browser extension)
+ * CI drift check: scripts/checks/check-api-error-body-drift.sh
+ *
+ * Note: OAuth endpoints (`/api/mcp/token`, `/api/mcp/register`) use the RFC 6749
+ * error envelope (`error`, `error_description`), NOT this shape. Reads from
+ * those endpoints belong in `cli/src/lib/oauth.ts` and are intentionally not
+ * migrated here.
+ */
+export type MainApiErrorBody = {
+    readonly error: string;
+    readonly details?: unknown;
+    readonly lockedUntil?: string | null;
+    readonly currentKeyVersion?: number;
+};
+export declare function readApiErrorBody(res: Response): Promise<MainApiErrorBody | null>;
+/**
+ * Read `details.message` from an already-parsed error body.
+ *
+ * The `apiRequest` wrapper in `api-client.ts` returns `res.data` as the raw
+ * JSON body (success OR error shape). On error paths, callers can pass that
+ * body here after narrowing it via `readMainApiErrorBody`.
+ */
+export declare function getApiErrorMessage(body: MainApiErrorBody | null): string | null;
+/**
+ * Read a single named field from `body.details` with a runtime type guard.
+ *
+ * Mirrors `getApiErrorDetail` in the main copy. See that file for full
+ * rationale.
+ */
+export declare function getApiErrorDetail<T>(body: MainApiErrorBody | null, field: string, guard: (value: unknown) => value is T): T | null;
+/**
+ * Read `details.properties[<field>].errors` from a Zod `treeifyError()` shape.
+ *
+ * Centralizes the per-field Zod-tree access pattern used by validation-error
+ * consumers (slug, url, etc.). Returns the errors array if present, `null`
+ * otherwise.
+ */
+export declare function getApiErrorFieldErrors(body: MainApiErrorBody | null, field: string): readonly unknown[] | null;
+/**
+ * Narrow an unknown value (e.g. `apiRequest`'s `res.data`) to `MainApiErrorBody`.
+ *
+ * Useful at error-path call sites that consume the wrapper's `res.data` rather
+ * than reading the `Response` directly.
+ */
+export declare function readMainApiErrorBody(value: unknown): MainApiErrorBody | null;

package/dist/lib/api-error-body.js

@@ -0,0 +1,90 @@
+/**
+ * Typed error-body access for main-API responses.
+ *
+ * Mirrors `src/lib/http/api-response.ts` `MainApiErrorBody` — keep in sync.
+ * The CLI cannot import from the app's `src/` (separate tsconfig / `rootDir`),
+ * so this is a deliberate type duplicate with the same shape and invariants.
+ * See `docs/api/error-handling.md` for the canonical envelope.
+ *
+ * Keep in sync with the other 2 copies:
+ *   - src/lib/http/read-api-error-body.ts (main, canonical)
+ *   - extension/src/lib/api-error-body.ts (browser extension)
+ * CI drift check: scripts/checks/check-api-error-body-drift.sh
+ *
+ * Note: OAuth endpoints (`/api/mcp/token`, `/api/mcp/register`) use the RFC 6749
+ * error envelope (`error`, `error_description`), NOT this shape. Reads from
+ * those endpoints belong in `cli/src/lib/oauth.ts` and are intentionally not
+ * migrated here.
+ */
+export async function readApiErrorBody(res) {
+    if (res.ok)
+        return null;
+    const json = await res.json().catch(() => null);
+    if (!json ||
+        typeof json !== "object" ||
+        typeof json.error !== "string") {
+        return null;
+    }
+    return json;
+}
+/**
+ * Read `details.message` from an already-parsed error body.
+ *
+ * The `apiRequest` wrapper in `api-client.ts` returns `res.data` as the raw
+ * JSON body (success OR error shape). On error paths, callers can pass that
+ * body here after narrowing it via `readMainApiErrorBody`.
+ */
+export function getApiErrorMessage(body) {
+    if (!body || typeof body.details !== "object" || body.details === null) {
+        return null;
+    }
+    const message = body.details.message;
+    return typeof message === "string" ? message : null;
+}
+/**
+ * Read a single named field from `body.details` with a runtime type guard.
+ *
+ * Mirrors `getApiErrorDetail` in the main copy. See that file for full
+ * rationale.
+ */
+export function getApiErrorDetail(body, field, guard) {
+    if (!body || typeof body.details !== "object" || body.details === null) {
+        return null;
+    }
+    const value = body.details[field];
+    return guard(value) ? value : null;
+}
+/**
+ * Read `details.properties[<field>].errors` from a Zod `treeifyError()` shape.
+ *
+ * Centralizes the per-field Zod-tree access pattern used by validation-error
+ * consumers (slug, url, etc.). Returns the errors array if present, `null`
+ * otherwise.
+ */
+export function getApiErrorFieldErrors(body, field) {
+    if (!body || typeof body.details !== "object" || body.details === null) {
+        return null;
+    }
+    const properties = body.details.properties;
+    if (!properties || typeof properties !== "object")
+        return null;
+    const fieldObj = properties[field];
+    if (!fieldObj || typeof fieldObj !== "object")
+        return null;
+    const errors = fieldObj.errors;
+    return Array.isArray(errors) ? errors : null;
+}
+/**
+ * Narrow an unknown value (e.g. `apiRequest`'s `res.data`) to `MainApiErrorBody`.
+ *
+ * Useful at error-path call sites that consume the wrapper's `res.data` rather
+ * than reading the `Response` directly.
+ */
+export function readMainApiErrorBody(value) {
+    if (!value || typeof value !== "object")
+        return null;
+    if (typeof value.error !== "string")
+        return null;
+    return value;
+}
+//# sourceMappingURL=api-error-body.js.map

package/dist/lib/secrets-config.d.ts

@@ -3,7 +3,6 @@
  *
  * Schema:
  * {
- *   "server": "https://...",
  *   "apiKey?": "api_...",         // optional — uses /api/v1/ path
  *   "secrets": {
  *     "ENV_VAR_NAME": { "entry": "<entryId>", "field": "password" }
@@ -19,11 +18,11 @@ export interface SecretMapping {
     field: string;
 }
 export interface SecretsConfig {
-    server: string;
     apiKey?: string;
     secrets: Record<string, SecretMapping>;
 }
 export declare function loadSecretsConfig(configPath?: string): SecretsConfig;
+export declare function getSecretsServerUrl(): string;
 /**
  * Returns the API path for fetching a single password entry.
  * If apiKey is configured, use the public /api/v1/ path.

package/dist/lib/secrets-config.js

@@ -3,7 +3,6 @@
  *
  * Schema:
  * {
- *   "server": "https://...",
  *   "apiKey?": "api_...",         // optional — uses /api/v1/ path
  *   "secrets": {
  *     "ENV_VAR_NAME": { "entry": "<entryId>", "field": "password" }
@@ -16,6 +15,11 @@
  */
 import { readFileSync, existsSync } from "node:fs";
 import { resolve } from "node:path";
+import { loadConfig } from "./config.js";
+import { validateServerUrl } from "./oauth.js";
+function isPlaceholderEntryId(entryId) {
+    return entryId === "dummy-entry-id" || /^<[^>]+>$/.test(entryId);
+}
 export function loadSecretsConfig(configPath) {
     const filePath = configPath
         ? resolve(configPath)
@@ -25,14 +29,41 @@ export function loadSecretsConfig(configPath) {
     }
     const raw = readFileSync(filePath, "utf-8");
     const parsed = JSON.parse(raw);
-    if (!parsed.server || typeof parsed.server !== "string") {
-        throw new Error("Config file must have a 'server' field.");
-    }
     if (!parsed.secrets || typeof parsed.secrets !== "object") {
         throw new Error("Config file must have a 'secrets' field.");
     }
+    for (const [envName, mapping] of Object.entries(parsed.secrets)) {
+        if (!mapping || typeof mapping !== "object") {
+            throw new Error(`Secret mapping for '${envName}' must be an object.`);
+        }
+        const rawMapping = mapping;
+        if (typeof rawMapping.entry !== "string" || rawMapping.entry.trim().length === 0) {
+            throw new Error(`Secret mapping for '${envName}' must have a non-empty 'entry' string.`);
+        }
+        if (typeof rawMapping.field !== "string" || rawMapping.field.trim().length === 0) {
+            throw new Error(`Secret mapping for '${envName}' must have a non-empty 'field' string.`);
+        }
+        const entry = rawMapping.entry.trim();
+        const field = rawMapping.field.trim();
+        if (isPlaceholderEntryId(entry)) {
+            throw new Error(`Secret mapping for '${envName}' uses placeholder entry ID "${entry}". Replace it with a real vault entry ID.`);
+        }
+        // Preserve unknown keys (e.g. user-added comment fields) while normalising entry/field.
+        parsed.secrets[envName] = { ...rawMapping, entry, field };
+    }
     return parsed;
 }
+export function getSecretsServerUrl() {
+    const { serverUrl } = loadConfig();
+    if (!serverUrl) {
+        throw new Error("Server URL not configured. Run `passwd-sso login -s <server-url>` once to configure it.");
+    }
+    // Defense-in-depth: re-validate the persisted URL before issuing a fetch
+    // with a Bearer token. Login validates at write time, but a hand-edited
+    // config file would otherwise reach fetch() unchecked.
+    validateServerUrl(serverUrl);
+    return serverUrl.replace(/\/$/, "");
+}
 /**
  * Returns the API path for fetching a single password entry.
  * If apiKey is configured, use the public /api/v1/ path.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "passwd-sso-cli",
-  "version": "0.4.46",
+  "version": "0.4.48",
   "description": "CLI for passwd-sso password manager",
   "type": "module",
   "license": "MIT",