paymongo-cli 1.4.6 → 1.4.8

package/AGENTS.md

@@ -2,9 +2,9 @@
 
 ## Project Overview
 
-PayMongo CLI is a developer-first command-line tool for PayMongo payment integration with local webhook forwarding. It uses **ESM modules** with Commander.js for CLI commands and provides both terminal and web-based interfaces.
+PayMongo CLI is a developer-first command-line tool for PayMongo payment integration with local webhook forwarding. It uses **ESM modules** with Commander.js for CLI commands and provides a terminal-first interface.
 
-**Tech Stack**: TypeScript, Node.js 18+, Express, Socket.io, ngrok, Axios, Zod, Winston, Jest
+**Tech Stack**: TypeScript, Node.js 20+, Commander.js, built-in `http`, `undici`, ngrok, Zod, Jest
 
 ---
 
@@ -134,8 +134,10 @@ src/
 ├── services/         # Business logic
 │   ├── api/         # PayMongo API client
 │   ├── config/      # Configuration management
-│   ├── web/         # Express + Socket.io server
-│   └── github/      # GitHub integration
+│   ├── dev/         # Local dev server + process management
+│   ├── analytics/   # Local webhook analytics
+│   ├── payments/    # Payment simulation helpers
+│   └── team/        # Team key-sharing workflows
 ├── types/           # TypeScript definitions + Zod schemas
 ├── utils/           # Shared utilities
 └── index.ts         # CLI entry point
@@ -174,8 +176,8 @@ tests/
 Use `jest.unstable_mockModule()` before dynamic imports:
 
 ```typescript
-jest.unstable_mockModule('axios', () => ({
-  default: mockAxios,
+jest.unstable_mockModule('undici', () => ({
+  request: mockRequest,
 }));
 
 const { ApiClient } = await import('../../src/services/api/client.js');

package/CHANGELOG.md

@@ -7,6 +7,57 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.4.8] - 2026-03-08
+
+### Changed
+
+- **Command Modularization** - Refactored the large `config`, `payments`, `webhooks`, and `trigger` command files into focused helper/action modules to improve maintainability and make future changes safer.
+- **Test Execution** - Reworked CLI entry/config integration tests to avoid subprocess spawning in restricted environments while preserving end-to-end behavior checks.
+- **Documentation Alignment** - Updated README, installation, user guide, troubleshooting, testing, and contributor guidance to match the current Node 20+ runtime, `undici` network layer, ngrok token handling, and local team key-sharing workflow.
+
+### Fixed
+
+- **Config Validation Drift** - Added `rateLimiting` to the Zod configuration schema so runtime validation matches the declared config type and command behavior.
+- **CLI Test Reliability** - Eliminated environment-specific `EPERM` failures in spawn-based tests by switching to sandbox-friendly execution patterns.
+- **Release Metadata** - Synchronized package metadata by updating the npm package version and lockfile version fields to the current release line.
+
+### Security
+
+- **Webhook Verification Defaults** - New configs now enable webhook signature verification by default, and the dev server now rejects requests when verification is enabled but no webhook secret is configured.
+- **Secret Messaging** - Clarified CLI messaging around webhook secret storage to describe the actual `.paymongo` storage location.
+
+## [1.4.7] - 2026-02-27
+
+### Changed
+
+- **Error Handling** - Replaced all 60 `process.exit(1)` calls across 10 command files with a `CommandError` throw pattern and centralized global error handler in `index.ts`.
+- **CLI Version** - Version string is now dynamically read from `package.json` instead of being hardcoded, keeping User-Agent headers and `--version` output always in sync.
+- **Magic Numbers** - Extracted hardcoded cache TTL, rate limit thresholds, and API base URL into named constants in `constants.ts`.
+- **Async File I/O** - Converted synchronous `fs` operations to `fs/promises` in dev-mode hot paths:
+  - `webhook-store.ts`: Lazy async directory creation, all read/write operations non-blocking.
+  - `analytics/service.ts`: Async persistence with `_ready` promise to prevent constructor race conditions.
+  - `process-manager.ts`: All static methods async; updated 13 call sites across dev subcommands.
+- **Deduplicated ValidationError** - Removed duplicate `ValidationError` class from `validator.ts`; single definition now lives in `errors.ts` and is re-exported.
+- **DevServer Logging** - Replaced raw `console.log`/`console.error` calls in `DevServer` with structured `Logger` instance for consistent, controllable output.
+
+### Fixed
+
+- **Input Sanitization** - Enhanced `validateWebhookUrl()` with max URL length (2048 chars), automatic whitespace trimming, and rejection of URLs containing embedded credentials.
+- **Race Condition** - Fixed analytics service race where `loadEvents()` could overwrite in-memory state written by `recordEvent()` before async load completed.
+- **Unhandled Promises** - `recordEvent()` calls in `DevServer` are now properly awaited via extracted `processWebhookBody()` method, preventing silent failures.
+- **Bulk Import Errors** - `importWebhooks()` and `importPayments()` now catch file-not-found and malformed JSON errors, throwing descriptive `PayMongoError` instead of raw stack traces.
+
+### Added
+
+- **Unit Tests** - Added 62 new tests across 3 previously-uncovered modules:
+  - `BulkOperations` (19 tests): export/import, file errors, JSON validation, filename generation.
+  - `DevProcessManager` (22 tests): state persistence, process detection, log management, uptime formatting.
+  - `TeamService` (21 tests): key bundles, member management, serialization, team operations.
+
+### Security
+
+- Webhook URL validation now blocks URLs with embedded `user:pass@` credentials to prevent credential leakage.
+
 ## [1.4.6] - 2026-02-03
 
 ### Changed
@@ -315,6 +366,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 | Version | Release Date | Highlights                                                           |
 | ------- | ------------ | -------------------------------------------------------------------- |
+| [1.4.7] | 2026-02-27   | CommandError pattern, dynamic version, async FS, input sanitization  |
+| [1.4.6] | 2026-02-03   | Config validation, webhook signatures, lazy loading                  |
+| [1.4.5] | 2026-02-01   | AES-256-GCM encryption, .gitignore handling                          |
+| [1.4.4] | 2026-01-27   | Codebase modularization, integration testing                         |
 | [1.4.3] | 2026-01-26   | Enhanced error handling, test output cleanup, API client consolidation |
 | [1.4.1] | 2026-01-26   | Test coverage completion, ESLint compliance, documentation updates   |
 | [1.4.0] | 2026-01-26   | Code generation, HTTP client migration, GUI removal, performance optimization |
@@ -326,6 +381,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ---
 
 ## Upgrade Guide
+### Upgrading to 1.4.7
+
+```bash
+npm install -g paymongo-cli@latest
+```
+
+**Breaking Changes:** None. This is a backward-compatible patch release.
+
+**Improvements:**
+- All `process.exit(1)` calls replaced with structured error handling — CLI now exits cleanly through global error handlers
+- Sync file I/O in dev-mode hot paths converted to async for better event loop performance
+- Webhook URL validation hardened against credential leakage and oversized inputs
+- CLI version always matches `package.json` — no more stale User-Agent strings
+- Duplicate `ValidationError` class consolidated to single definition
+- DevServer uses structured Logger instead of raw console output
+- Bulk import operations now produce user-friendly error messages
+- 62 new unit tests covering BulkOperations, DevProcessManager, and TeamService
+
 ### Upgrading to 1.4.3
 
 ```bash
@@ -417,7 +490,10 @@ npm install -g paymongo-cli
 - [Issue Tracker](https://github.com/leodyversemilla07/paymongo-cli/issues)
 - [PayMongo API Documentation](https://developers.paymongo.com/)
 
-[Unreleased]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.4...HEAD
+[Unreleased]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.7...HEAD
+[1.4.7]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.6...v1.4.7
+[1.4.6]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.5...v1.4.6
+[1.4.5]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.4...v1.4.5
 [1.4.4]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.3...v1.4.4
 [1.4.3]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.1...v1.4.3
 [1.4.1]: https://github.com/leodyversemilla07/paymongo-cli/compare/v1.4.0...v1.4.1

package/README.md

@@ -17,10 +17,10 @@ PayMongo CLI is the official-feel command-line tool designed to streamline your
 - **Payment Testing**: Create and monitor payment intents and payments directly from your terminal.
 - **Real-time Monitoring**: Watch webhook events as they happen with formatted terminal logs.
 - **Privacy-First Analytics**: Optional local webhook event tracking to improve your development workflow (opt-in only).
-- **Team Collaboration**: Sync configurations across your team using GitHub integration.
+- **Team Collaboration**: Share API key bundles with teammates for test/live environments.
 - **Bulk Operations**: Import/export payments and webhooks for easy migration between environments.
 - **Rate Limiting Protection**: Built-in API abuse prevention with configurable limits and automatic backoff.
-- **Secure Management**: Encrypted storage for your API keys.
+- **Secure Management**: Local credential encryption for stored login sessions.
 
 ---
 
@@ -43,10 +43,12 @@ To use the `dev` server with webhook forwarding, you need an ngrok authtoken:
 
 1. Sign up at [ngrok.com](https://ngrok.com)
 2. Copy your authtoken from the [ngrok dashboard](https://dashboard.ngrok.com/get-started/your-authtoken)
-3. Configure it in the CLI:
+3. Configure it via environment variable or pass it at runtime:
 
 ```bash
-paymongo config set ngrok.authtoken YOUR_AUTHTOKEN
+export NGROK_AUTHTOKEN=YOUR_AUTHTOKEN
+# or
+paymongo dev --ngrok-token YOUR_AUTHTOKEN
 ```
 
 ---
@@ -168,7 +170,7 @@ Analytics data helps you:
 | `paymongo config`            | View and modify CLI configuration.                      |
 | `paymongo config analytics`  | Configure webhook analytics settings.                   |
 | `paymongo config rate-limit` | Configure rate limiting settings.                       |
-| `paymongo team`              | Sync configurations with your team via GitHub.          |
+| `paymongo team`              | Share API key bundles with your team.                   |
 | `paymongo trigger`           | Simulate webhook events locally for testing.            |
 
 > Use `paymongo <command> --help` for detailed information on any command.

package/TESTING.md

@@ -4,12 +4,12 @@
 
 This document tracks the progress of improving test coverage for the PayMongo CLI project from the initial ~12% to the target 80-85%.
 
-## Current Status (2026-01-25)
+## Current Status (2026-03-08)
 
-- **Overall Coverage**: ~65-70% statements (estimated post-all command testing completion)
+- **Overall Coverage**: strong command and service coverage with full green suite
 - **Target**: ≥80% statements/branches/functions/lines
 - **Progress**: API client, init command, config command, login command, dev command, env command, trigger command, webhooks command, CLI entry point, and payments command testing completed
-- **Total Tests**: 380 passing tests across 23 test suites
+- **Total Tests**: 459 passing tests across 29 test suites
 
 ## Completed Work
 
@@ -79,9 +79,8 @@ This document tracks the progress of improving test coverage for the PayMongo CL
   - Resolved testing challenges: crypto timingSafeEqual mocking, HTTP request/response simulation, ESM module mocking for complex dependencies
 
 - **CLI Entry Point Testing**: ✅ **COMPLETED**
-  - Created integration tests in `tests/unit/index.test.ts` with 3 test cases
   - Tests verify CLI initialization, help display, version information, and error handling
-  - Uses subprocess spawning to test actual CLI behavior rather than complex module mocking
+  - Uses in-process execution instead of subprocess spawning for sandbox-friendly test runs
 
 - **Payments Command Testing**: ✅ **COMPLETED**
   - Created comprehensive test file `tests/unit/payments-command.test.ts` with 20 test cases achieving 100% coverage
@@ -195,7 +194,7 @@ This document tracks the progress of improving test coverage for the PayMongo CL
 
 1. **ESM Mocking Complexity**: Required careful setup of `jest.unstable_mockModule()` for modern ES modules
 2. **Interceptor Testing**: Needed to test interceptor functions directly rather than through full API calls
-3. **Error Handler Mocking**: Complex to mock axios.isAxiosError in interceptor context
+3. **Network Layer Mocking**: `undici` request/response behavior requires careful ESM mocking
 4. **Commander.js Testing**: Resolved by extracting command action logic to separate exported function for direct testing
 5. **Console Mocking**: Required global.console usage for reliable spy functionality across test suites
 6. **ESM Module Resolution**: Fixed import path issues in tests by using '../../src/' prefix for consistency
@@ -219,4 +218,4 @@ This document tracks the progress of improving test coverage for the PayMongo CL
 
 ---
 
-_Last updated: 2026-01-25_
+_Last updated: 2026-03-08_