passwd-sso-cli 0.4.47 → 0.4.49

package/dist/commands/api-key.js

@@ -7,6 +7,7 @@
  *   revoke — Revoke an API key
  */
 import { apiRequest } from "../lib/api-client.js";
+import { readMainApiErrorBody } from "../lib/api-error-body.js";
 import * as output from "../lib/output.js";
 export async function apiKeyListCommand(options = {}) {
     const res = await apiRequest("/api/api-keys");
@@ -73,8 +74,8 @@ export async function apiKeyCreateCommand(opts) {
         },
     });
     if (!res.ok) {
-        const err = res.data;
-        output.error(`Failed to create API key: ${err.error ?? `HTTP ${res.status}`}`);
+        const err = readMainApiErrorBody(res.data);
+        output.error(`Failed to create API key: ${err?.error ?? `HTTP ${res.status}`}`);
         return;
     }
     if (opts.json) {
@@ -99,12 +100,12 @@ export async function apiKeyCreateCommand(opts) {
 export async function apiKeyRevokeCommand(id, options = {}) {
     const res = await apiRequest(`/api/api-keys/${encodeURIComponent(id)}`, { method: "DELETE" });
     if (!res.ok) {
-        const err = res.data;
+        const err = readMainApiErrorBody(res.data);
         if (options.json) {
-            output.json({ success: false, error: err.error ?? `HTTP ${res.status}` });
+            output.json({ success: false, error: err?.error ?? `HTTP ${res.status}` });
         }
         else {
-            output.error(`Failed to revoke API key: ${err.error ?? `HTTP ${res.status}`}`);
+            output.error(`Failed to revoke API key: ${err?.error ?? `HTTP ${res.status}`}`);
         }
         return;
     }

package/dist/lib/api-error-body.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Typed error-body access for main-API responses.
+ *
+ * Mirrors `src/lib/http/api-response.ts` `MainApiErrorBody` — keep in sync.
+ * The CLI cannot import from the app's `src/` (separate tsconfig / `rootDir`),
+ * so this is a deliberate type duplicate with the same shape and invariants.
+ * See `docs/api/error-handling.md` for the canonical envelope.
+ *
+ * Keep in sync with the other 2 copies:
+ *   - src/lib/http/read-api-error-body.ts (main, canonical)
+ *   - extension/src/lib/api-error-body.ts (browser extension)
+ * CI drift check: scripts/checks/check-api-error-body-drift.sh
+ *
+ * Note: OAuth endpoints (`/api/mcp/token`, `/api/mcp/register`) use the RFC 6749
+ * error envelope (`error`, `error_description`), NOT this shape. Reads from
+ * those endpoints belong in `cli/src/lib/oauth.ts` and are intentionally not
+ * migrated here.
+ */
+export type MainApiErrorBody = {
+    readonly error: string;
+    readonly details?: unknown;
+    readonly lockedUntil?: string | null;
+    readonly currentKeyVersion?: number;
+};
+export declare function readApiErrorBody(res: Response): Promise<MainApiErrorBody | null>;
+/**
+ * Read `details.message` from an already-parsed error body.
+ *
+ * The `apiRequest` wrapper in `api-client.ts` returns `res.data` as the raw
+ * JSON body (success OR error shape). On error paths, callers can pass that
+ * body here after narrowing it via `readMainApiErrorBody`.
+ */
+export declare function getApiErrorMessage(body: MainApiErrorBody | null): string | null;
+/**
+ * Read a single named field from `body.details` with a runtime type guard.
+ *
+ * Mirrors `getApiErrorDetail` in the main copy. See that file for full
+ * rationale.
+ */
+export declare function getApiErrorDetail<T>(body: MainApiErrorBody | null, field: string, guard: (value: unknown) => value is T): T | null;
+/**
+ * Read `details.properties[<field>].errors` from a Zod `treeifyError()` shape.
+ *
+ * Centralizes the per-field Zod-tree access pattern used by validation-error
+ * consumers (slug, url, etc.). Returns the errors array if present, `null`
+ * otherwise.
+ */
+export declare function getApiErrorFieldErrors(body: MainApiErrorBody | null, field: string): readonly unknown[] | null;
+/**
+ * Narrow an unknown value (e.g. `apiRequest`'s `res.data`) to `MainApiErrorBody`.
+ *
+ * Useful at error-path call sites that consume the wrapper's `res.data` rather
+ * than reading the `Response` directly.
+ */
+export declare function readMainApiErrorBody(value: unknown): MainApiErrorBody | null;

package/dist/lib/api-error-body.js

@@ -0,0 +1,90 @@
+/**
+ * Typed error-body access for main-API responses.
+ *
+ * Mirrors `src/lib/http/api-response.ts` `MainApiErrorBody` — keep in sync.
+ * The CLI cannot import from the app's `src/` (separate tsconfig / `rootDir`),
+ * so this is a deliberate type duplicate with the same shape and invariants.
+ * See `docs/api/error-handling.md` for the canonical envelope.
+ *
+ * Keep in sync with the other 2 copies:
+ *   - src/lib/http/read-api-error-body.ts (main, canonical)
+ *   - extension/src/lib/api-error-body.ts (browser extension)
+ * CI drift check: scripts/checks/check-api-error-body-drift.sh
+ *
+ * Note: OAuth endpoints (`/api/mcp/token`, `/api/mcp/register`) use the RFC 6749
+ * error envelope (`error`, `error_description`), NOT this shape. Reads from
+ * those endpoints belong in `cli/src/lib/oauth.ts` and are intentionally not
+ * migrated here.
+ */
+export async function readApiErrorBody(res) {
+    if (res.ok)
+        return null;
+    const json = await res.json().catch(() => null);
+    if (!json ||
+        typeof json !== "object" ||
+        typeof json.error !== "string") {
+        return null;
+    }
+    return json;
+}
+/**
+ * Read `details.message` from an already-parsed error body.
+ *
+ * The `apiRequest` wrapper in `api-client.ts` returns `res.data` as the raw
+ * JSON body (success OR error shape). On error paths, callers can pass that
+ * body here after narrowing it via `readMainApiErrorBody`.
+ */
+export function getApiErrorMessage(body) {
+    if (!body || typeof body.details !== "object" || body.details === null) {
+        return null;
+    }
+    const message = body.details.message;
+    return typeof message === "string" ? message : null;
+}
+/**
+ * Read a single named field from `body.details` with a runtime type guard.
+ *
+ * Mirrors `getApiErrorDetail` in the main copy. See that file for full
+ * rationale.
+ */
+export function getApiErrorDetail(body, field, guard) {
+    if (!body || typeof body.details !== "object" || body.details === null) {
+        return null;
+    }
+    const value = body.details[field];
+    return guard(value) ? value : null;
+}
+/**
+ * Read `details.properties[<field>].errors` from a Zod `treeifyError()` shape.
+ *
+ * Centralizes the per-field Zod-tree access pattern used by validation-error
+ * consumers (slug, url, etc.). Returns the errors array if present, `null`
+ * otherwise.
+ */
+export function getApiErrorFieldErrors(body, field) {
+    if (!body || typeof body.details !== "object" || body.details === null) {
+        return null;
+    }
+    const properties = body.details.properties;
+    if (!properties || typeof properties !== "object")
+        return null;
+    const fieldObj = properties[field];
+    if (!fieldObj || typeof fieldObj !== "object")
+        return null;
+    const errors = fieldObj.errors;
+    return Array.isArray(errors) ? errors : null;
+}
+/**
+ * Narrow an unknown value (e.g. `apiRequest`'s `res.data`) to `MainApiErrorBody`.
+ *
+ * Useful at error-path call sites that consume the wrapper's `res.data` rather
+ * than reading the `Response` directly.
+ */
+export function readMainApiErrorBody(value) {
+    if (!value || typeof value !== "object")
+        return null;
+    if (typeof value.error !== "string")
+        return null;
+    return value;
+}
+//# sourceMappingURL=api-error-body.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "passwd-sso-cli",
-  "version": "0.4.47",
+  "version": "0.4.49",
   "description": "CLI for passwd-sso password manager",
   "type": "module",
   "license": "MIT",