* fix(cli-module-actions): show schema flags in execute --help
When an action ID is provided with --help, fetch the action schema and
display action-specific flags. Falls back to generic help if auth fails.
Signed-off-by: benjdlambert <ben@blam.sh>
* fix(cli-module-actions): show schema flags in execute --help and fix build errors (#33518)
* feat(cli-module-actions): improve CLI output formatting and UX
- Pretty grouped list output with colored headers and action titles
- Custom help rendering for execute --help with markdown descriptions
- Support complex schema types (object, array, union) as JSON flags
- Show server error details instead of generic status codes
- Accept multiple plugin IDs in sources add/remove
Signed-off-by: benjdlambert <ben@blam.sh>
* fix(cli-module-auth): preserve instance metadata on re-login
Signed-off-by: benjdlambert <ben@blam.sh>
* fix: address code review feedback
- Extract triplicated cli() config into showGenericHelp helper
- Strip ANSI escape sequences before rendering server markdown
- Configure marked-terminal extension once via lazy singleton
- Parallelize listGrouped HTTP requests with Promise.all
- Log actual error message in execute help catch block
- Fix marked version in declarations.d.ts comment
- Add tests for sourcesAdd/sourcesRemove batch operations
- Add test for execute JSON parse error path
- Add tests for login metadata preservation on re-auth
Signed-off-by: benjdlambert <ben@blam.sh>
* fix: use RegExp constructor to satisfy no-control-regex lint rule
Signed-off-by: benjdlambert <ben@blam.sh>
* fix: improve ANSI stripping, default info.usage, add renderMarkdown comment
- Extend stripAnsiEscapes to cover OSC, DCS, APC, PM sequences
- Default info.usage to avoid undefined in help output
- Document why marked.use() is called per invocation
Signed-off-by: benjdlambert <ben@blam.sh>
* fix: use strip-ansi, fresh Marked instance, add allOf support
- Replace hand-rolled ANSI stripping with strip-ansi package
- Use fresh Marked instance per call instead of mutating global singleton
- Add allOf to complex type detection alongside anyOf/oneOf
- Add happy-path test for valid JSON complex flag parsing
- Bump changeset to minor for new user-facing capabilities
Signed-off-by: benjdlambert <ben@blam.sh>
* refactor: collapse listGrouped into list on ActionsClient
Signed-off-by: benjdlambert <ben@blam.sh>
* refactor: clean up cli-module-actions structure
- Extract shared pluginSourcesSchema into lib/pluginSources.ts
- Merge schemaToFlags and getComplexKeys into single return value
- Move CleyeFlag-to-FlagInfo conversion into format.ts
- Extract parseArgs and showActionHelp from execute command body
Signed-off-by: benjdlambert <ben@blam.sh>
---------
Signed-off-by: benjdlambert <ben@blam.sh>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
Addresses the high severity rollup path traversal vulnerability
(GHSA-mw96-cpmx-2vgc) and the glob security advisory by upgrading
all instances across the monorepo. Updates code that used the legacy
callback-based glob API to use the modern promise/sync API.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Fredrik Adelöw <freben@spotify.com>
- Fix getAllInstances to handle empty instance array without throwing
- Persist updated token expiry timestamps to disk after refresh
- Mark internal httpJson helpers as @internal instead of @public
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
- Replace getConfig<T> with getMetadata/setMetadata on CliAuth, removing
the unsafe type parameter in favor of returning unknown
- Move updateInstanceConfig from cli-module-auth public API to
CliAuth.setMetadata, removing the cross-package dependency
- Rename 'config' to 'metadata' in StoredInstance and storage schemas
- Add zod validation at consumer sites (cli-module-actions) for
type-safe metadata access
- Fix zod imports to use zod/v3 for compatibility with zod v4
- Add proper-lockfile to cli-node for metadata write locking
- Refactor cli-node storage from fs-extra to node:fs
- Remove @backstage/cli-module-auth dependency from cli-module-actions
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
- Convert CliAuth getters to methods (getInstanceName, getBaseUrl) so
options can be added in the future
- Remove StoredInstance from cli-node public API, hiding instance details
- Move secretStore to cli-internal for re-use, refactoring from fs-extra
to node:fs
- Add shared getAuthInstanceService helper in cli-internal for
constructing secret-store service keys
- Define StoredInstance locally in cli-module-auth instead of importing
from cli-node
- Update all consumers and tests for the new method-based API
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Since cli-module-auth and cli-module-actions are not yet released,
remove deprecated exports instead of keeping them. Also make httpJson
and getSecretStore internal to cli-node, duplicating the small httpJson
wrapper locally in each consuming package.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Introduces a class-based authentication management API in @backstage/cli-node
that reads the on-disk instance store, transparently refreshes expired tokens,
and provides a convenient surface for other CLI modules to consume.
The split keeps filesystem-based instance selection and writes owned by
cli-module-auth, while reading and consuming the current instance is
available through CliAuth in cli-node.
Migrates cli-module-actions to use the new API and deprecates the ad-hoc
function exports from cli-module-auth.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Fix argument parsing bugs in the execute command where actionId at index 0
was incorrectly skipped when --instance was absent, and flag values matching
the actionId string were erroneously removed. Add --help support to the
execute command for CLI report generation. Add missing bin script and
cli-report.md for cli-module-actions. Add resolveAuth tests. Bump
backend-defaults changeset to minor for the security-relevant auth change.
Replace cross-fetch with native fetch in cli-module-auth to avoid punycode
deprecation warnings during CLI report generation.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Adds @backstage/cli-module-actions with commands for listing and executing
actions from the distributed actions registry. Exports auth helpers from
cli-module-auth for cross-module reuse. Relaxes the actions registry auth
check to allow direct user invocations from the CLI.
Signed-off-by: benjdlambert <ben@blam.sh>
The bin scripts already had the full runCliModule logic for the production
path. Inline the same pattern for local dev and drop the intermediate
src/cli.ts files that just duplicated it.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
- Use cli-defaults instead of listing individual CLI modules in
create-app template and root package.json
- Move nodeTransform config files from cli-module-build to cli-node
to avoid cross-module direct imports
- Rename cli-module-create-github-app to cli-module-github
- Start createCliModule init chain with Promise.resolve()
- Deduplicate exitWithError in runCliModule.ts
- Extract shared isCommandNodeHidden to @internal/cli
- Add explanatory comment for fromArray deduplication field
- Restore error for cli role packages missing bin in runCliExtraction
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Rename all bin entries from `cli-module-*` to `backstage-cli-module-*`
to establish a clear namespace for Backstage CLI tooling.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Include cli-module role in CLI report generation alongside the
existing cli role. Packages without a bin field are silently skipped.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Align dependency versions in CLI modules to match the original CLI
package versions. Move dependencies that are only used by modules out
of the main CLI package, and add missing dependencies to the modules
that actually use them. Revert import-to-require conversions in
cli-module-build that were incorrectly introduced during the split.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
- Move runtime dependencies from devDependencies to dependencies in
cli-module-build, cli-module-auth, cli-module-migrate, cli-module-new,
cli-module-test-jest, and cli-module-translations
- Fix relative package.json paths in cli-module-build
- Downgrade rollup in cli-module-build to ^4.27.3 to match the CLI
- Downgrade eslint-webpack-plugin to ^4.2.0 to prevent @types/eslint v9
- Add CLI module packages to create-app version helper
- Add allow-warnings for CLI module packages in API reports
- Generate API report files for all CLI module packages
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Each CLI module package now includes a bin script and cli.ts entry
point, allowing modules to be executed directly via npx without
being wired into the main @backstage/cli package.
Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
Made-with: Cursor
Fredrik Adelöw