windmill-cli 1.696.0 → 1.696.2

package/esm/main.js

@@ -16440,6 +16440,48 @@ var init_login = __esm(async () => {
   ]);
 });
 
+// src/utils/http_guards.ts
+async function detectAuthGatewayChallenge(response, url) {
+  const contentType = (response.headers.get("content-type") ?? "").toLowerCase();
+  const cfMitigated = response.headers.get("cf-mitigated") ?? undefined;
+  const looksHtml = contentType.includes("text/html");
+  if (!looksHtml && cfMitigated !== "challenge")
+    return;
+  let snippet = "";
+  try {
+    snippet = (await response.clone().text()).slice(0, 256);
+  } catch {}
+  const isChallenge = cfMitigated === "challenge" || ACCESS_TITLE.test(snippet) || looksHtml && HTML_DOCTYPE.test(snippet);
+  if (!isChallenge)
+    return;
+  throw new AuthGatewayChallengeError(url || response.url || "(unknown)", response.headers.get("cf-ray") ?? undefined, cfMitigated, response.status, snippet);
+}
+var ACCESS_TITLE, HTML_DOCTYPE, AuthGatewayChallengeError;
+var init_http_guards = __esm(() => {
+  ACCESS_TITLE = /<title>\s*Sign in[^<]*Cloudflare Access\s*<\/title>/i;
+  HTML_DOCTYPE = /^\s*<(!doctype|html)/i;
+  AuthGatewayChallengeError = class AuthGatewayChallengeError extends Error {
+    url;
+    cfRay;
+    cfMitigated;
+    status;
+    bodySnippet;
+    name = "AuthGatewayChallengeError";
+    constructor(url, cfRay, cfMitigated, status, bodySnippet) {
+      const cfPart = [
+        cfRay ? `cf-ray=${cfRay}` : null,
+        cfMitigated ? `cf-mitigated=${cfMitigated}` : null
+      ].filter(Boolean).join(", ");
+      super(`Got an HTML response from ${url} (status ${status}${cfPart ? `, ${cfPart}` : ""}). ` + `The request was intercepted by an upstream auth gateway (likely Cloudflare Access) ` + `before reaching Windmill. Verify the runner is on the right network or pass service-token headers via the HEADERS env var ` + `(e.g. HEADERS="CF-Access-Client-Id: <id>, CF-Access-Client-Secret: <secret>"). ` + `Body starts with: ${JSON.stringify(bodySnippet.slice(0, 120))}`);
+      this.url = url;
+      this.cfRay = cfRay;
+      this.cfMitigated = cfMitigated;
+      this.status = status;
+      this.bodySnippet = bodySnippet;
+    }
+  };
+});
+
 // windmill-utils-internal/src/config/config.ts
 import { stat as stat2, mkdir } from "node:fs/promises";
 function getEnv2(key) {
@@ -16710,7 +16752,7 @@ var init_OpenAPI = __esm(() => {
     PASSWORD: undefined,
     TOKEN: getEnv3("WM_TOKEN"),
     USERNAME: undefined,
-    VERSION: "1.696.0",
+    VERSION: "1.696.2",
     WITH_CREDENTIALS: true,
     interceptors: {
       request: new Interceptors,
@@ -28116,7 +28158,12 @@ async function fetchVersion(baseUrl2) {
       requestHeaders.set(key, value);
     }
   }
-  const response = await fetch(new URL(new URL(baseUrl2).origin + "/api/version"), { headers: requestHeaders, method: "GET" });
+  const versionUrl = new URL(new URL(baseUrl2).origin + "/api/version");
+  const response = await fetch(versionUrl, {
+    headers: requestHeaders,
+    method: "GET"
+  });
+  await detectAuthGatewayChallenge(response, versionUrl.toString());
   if (!response.ok) {
     await response.text();
     throw new Error(`Failed to fetch version: ${response.status} ${response.statusText}`);
@@ -28149,6 +28196,7 @@ var init_context = __esm(async () => {
   init_colors2();
   init_log();
   init_mod6();
+  init_http_guards();
   init_git();
   init_levenshtein_distance();
   await __promiseAll([
@@ -33636,23 +33684,23 @@ async function logQueueStatus(workspace, jobId, label = "Job ") {
   try {
     const job = await getJob({ workspace, id: jobId });
     if (!job)
-      return;
+      return false;
     if (job.running === true) {
       info(colors.gray(`${label}${jobId}: running, waiting for completion...`));
-      return;
+      return true;
     }
     if (typeof job.running !== "boolean") {
-      return;
+      return false;
     }
     const scheduledFor = job.scheduled_for;
     if (!scheduledFor) {
       info(colors.gray(`${label}${jobId}: queued, waiting for executor...`));
-      return;
+      return true;
     }
     const scheduledForMs = new Date(scheduledFor).getTime();
     if (!Number.isFinite(scheduledForMs)) {
       info(colors.gray(`${label}${jobId}: queued, waiting for executor...`));
-      return;
+      return true;
     }
     try {
       const pos = await getQueuePosition({
@@ -33665,10 +33713,14 @@ async function logQueueStatus(workspace, jobId, label = "Job ") {
       } else {
         info(colors.gray(`${label}${jobId}: queued, waiting for executor...`));
       }
+      return true;
     } catch {
       info(colors.gray(`${label}${jobId}: queued, waiting for executor...`));
+      return true;
     }
-  } catch {}
+  } catch {
+    return false;
+  }
 }
 async function pollJobWithQueueLogging(workspace, jobId, options) {
   const fastPollIntervalMs = options?.fastPollIntervalMs ?? DEFAULT_FAST_POLL_INTERVAL_MS;
@@ -33677,6 +33729,7 @@ async function pollJobWithQueueLogging(workspace, jobId, options) {
   const label = options?.label ? `[${options.label}] ` : "Job ";
   const startedAt = Date.now();
   let lastQueueLogAt = Date.now();
+  let lastHeartbeatAt = Date.now();
   let consecutiveErrors = 0;
   while (true) {
     try {
@@ -33692,19 +33745,26 @@ async function pollJobWithQueueLogging(workspace, jobId, options) {
     } catch (err) {
       consecutiveErrors++;
       warn(colors.yellow(`${label}${jobId}: error checking job status (${consecutiveErrors}/${MAX_CONSECUTIVE_POLL_ERRORS}): ${err?.message ?? err}`));
+      lastHeartbeatAt = Date.now();
       if (consecutiveErrors >= MAX_CONSECUTIVE_POLL_ERRORS) {
         throw new Error(`Giving up polling job ${jobId} after ${MAX_CONSECUTIVE_POLL_ERRORS} consecutive errors. Last error: ${err?.message ?? err}`);
       }
     }
     if (Date.now() - lastQueueLogAt >= QUEUE_LOG_INTERVAL_MS) {
       lastQueueLogAt = Date.now();
-      await logQueueStatus(workspace, jobId, label);
+      const logged = await logQueueStatus(workspace, jobId, label);
+      if (logged)
+        lastHeartbeatAt = Date.now();
+    }
+    if (Date.now() - lastHeartbeatAt >= HEARTBEAT_INTERVAL_MS) {
+      lastHeartbeatAt = Date.now();
+      info(colors.gray(`${label}${jobId}: still polling, queue status unavailable...`));
     }
     const delayMs = Date.now() - startedAt < fastPollDurationMs ? fastPollIntervalMs : slowPollIntervalMs;
     await new Promise((resolve6) => setTimeout(resolve6, delayMs));
   }
 }
-var DEFAULT_FAST_POLL_INTERVAL_MS = 100, DEFAULT_FAST_POLL_DURATION_MS = 2000, DEFAULT_SLOW_POLL_INTERVAL_MS = 2000, QUEUE_LOG_INTERVAL_MS = 5000, MAX_CONSECUTIVE_POLL_ERRORS = 10;
+var DEFAULT_FAST_POLL_INTERVAL_MS = 100, DEFAULT_FAST_POLL_DURATION_MS = 2000, DEFAULT_SLOW_POLL_INTERVAL_MS = 2000, QUEUE_LOG_INTERVAL_MS = 5000, HEARTBEAT_INTERVAL_MS = 60000, MAX_CONSECUTIVE_POLL_ERRORS = 10;
 var init_job_polling = __esm(() => {
   init_services_gen();
   init_log();
@@ -46847,6 +46907,7 @@ async function downloadZip(workspace, plainSecrets, skipVariables, skipResources
   const baseUrl2 = workspace.remote + "api/w/" + workspace.workspaceId + "/workspaces/tarball?";
   const zipUrl = baseUrl2 + "archive_type=zip" + baseParams;
   const zipResponse = await fetch(zipUrl, { headers: requestHeaders, method: "GET" });
+  await detectAuthGatewayChallenge(zipResponse, zipUrl);
   if (zipResponse.ok) {
     debug("Downloaded zip archive successfully");
     const blob = await zipResponse.blob();
@@ -46857,6 +46918,7 @@ async function downloadZip(workspace, plainSecrets, skipVariables, skipResources
     debug("Zip archive not supported by backend, falling back to tar");
     const tarUrl = baseUrl2 + "archive_type=tar" + baseParams;
     const tarResponse = await fetch(tarUrl, { headers: requestHeaders, method: "GET" });
+    await detectAuthGatewayChallenge(tarResponse, tarUrl);
     if (tarResponse.ok) {
       debug("Downloaded tar archive successfully");
       return await parseTarResponse(tarResponse);
@@ -46885,6 +46947,7 @@ var init_pull = __esm(async () => {
   init_mod3();
   init_log();
   init_tar_stream();
+  init_http_guards();
   await init_utils();
   import_jszip = __toESM(require_lib3(), 1);
   command3 = new Command().description("Pull all definitions in the current workspace from the API and write them to disk.").arguments("<dir:string>").action(stub);
@@ -64542,6 +64605,7 @@ async function updateFlow2(workspace, flow_value, remotePath, rawWorkspaceDepend
     },
     body: JSON.stringify(body)
   });
+  await detectAuthGatewayChallenge(queueResponse, `${workspace.remote}api/w/${workspace.workspaceId}/jobs/run/flow_dependencies_async`);
   if (!queueResponse.ok) {
     let bodyText = "";
     try {
@@ -64569,6 +64633,7 @@ var init_flow_metadata = __esm(async () => {
   init_log();
   init_extractor();
   init_path_assigner();
+  init_http_guards();
   init_script_common();
   init_job_polling();
   await __promiseAll([
@@ -68151,6 +68216,7 @@ async function fetchScriptLock(workspace, scriptContent, language, remotePath, r
       temp_script_refs: tempScriptRefs && Object.keys(tempScriptRefs).length > 0 ? tempScriptRefs : null
     })
   });
+  await detectAuthGatewayChallenge(queueResponse, `${workspace.remote}api/w/${workspace.workspaceId}/jobs/run/dependencies_async`);
   if (!queueResponse.ok) {
     let bodyText = "";
     try {
@@ -68635,6 +68701,7 @@ var init_metadata = __esm(async () => {
   init_script_bootstrap();
   init_script_common();
   init_script_common();
+  init_http_guards();
   init_parse_schema();
   init_job_polling();
   await __promiseAll([
@@ -69336,6 +69403,7 @@ async function generateInlineScriptLock(workspace, content, language, scriptPath
       ...tempScriptRefs && Object.keys(tempScriptRefs).length > 0 ? { temp_script_refs: tempScriptRefs } : {}
     })
   });
+  await detectAuthGatewayChallenge(queueResponse, `${workspace.remote}api/w/${workspace.workspaceId}/jobs/run/dependencies_async`);
   if (!queueResponse.ok) {
     const text = await queueResponse.text();
     throw new Error(`Dependency generation failed: ${queueResponse.status} ${queueResponse.statusText}
@@ -69516,6 +69584,7 @@ var init_app_metadata = __esm(async () => {
   init_colors2();
   init_log();
   init_script_common();
+  init_http_guards();
   init_path_assigner();
   init_job_polling();
   await __promiseAll([
@@ -78615,6 +78684,7 @@ var dev_default2 = command25;
 
 // src/main.ts
 init_gen();
+init_http_guards();
 await __promiseAll([
   init_utils(),
   init_conf()
@@ -89017,7 +89087,7 @@ var config_default = command35;
 
 // src/main.ts
 await init_context();
-var VERSION = "1.696.0";
+var VERSION = "1.696.2";
 async function checkVersionSafe(cmd) {
   const mainCommand = cmd.getMainCommand();
   const upgradeCommand = mainCommand.getCommand("upgrade");
@@ -89099,6 +89169,10 @@ async function main2() {
     if (extraHeaders) {
       OpenAPI.HEADERS = extraHeaders;
     }
+    OpenAPI.interceptors.response.use(async (response) => {
+      await detectAuthGatewayChallenge(response);
+      return response;
+    });
     await command36.parse(args);
   } catch (e) {
     if (e && typeof e === "object" && "name" in e && e.name === "ApiError") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "windmill-cli",
-  "version": "1.696.0",
+  "version": "1.696.2",
   "description": "CLI for Windmill",
   "license": "Apache 2.0",
   "type": "module",