Lines 30-85javascript
30$blob = [Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length)
31[Runtime.InteropServices.Marshal]::Copy($bytes, 0, $blob, $bytes.Length)
32$cred = New-Object Win32.Cred+CREDENTIAL
34$cred.TargetName = '${o}'
35$cred.UserName = '${s}'
36$cred.CredentialBlobSize = $bytes.Length
37$cred.CredentialBlob = $blob
39if (-not [Win32.Cred]::CredWrite([ref]$cred, 0)) {
40 throw "CredWrite failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
42[Runtime.InteropServices.Marshal]::FreeHGlobal($blob)`)}delete(t,r){try{bt(`[void][Win32.Cred]::CredDelete('${pe(xt(t,r))}', 1, 0)`)}catch{}}};var vt="cdp-cli",K,lr=!1;function Ue(){if(K!==void 0)return K;try{process.platform==="darwin"?K=new qe:process.platform==="linux"?K=new je:process.platform==="win32"?K=new Me:K=null}catch{lr||(process.stderr.write(`warning: OS keychain not accessible \u2014 secrets stored in keychain will not be available
43`),lr=!0),K=null}return K}function Q(e){let t=Ue();if(!t)return null;try{return t.get(vt,e)}catch{return null}}function fe(e,t){let r=Ue();if(!r)return!1;try{return r.set(vt,e,t),!0}catch{return!1}}function me(e){let t=Ue();if(t)try{t.delete(vt,e)}catch{}}function ur(){return Ue()!==null}var F=ir,pr=ar;function te(){if(process.env.CDP_CONFIG_DIR)return process.env.CDP_CONFIG_DIR;if(process.platform==="win32"){let e=process.env.APPDATA??Fe(dr(),"AppData","Roaming");return Fe(e,"cdp")}return Fe(dr(),".config","cdp")}function ge(){return Fe(te(),"config.json")}function W(e,t){if(e.url)return e.ur ...
44`,{mode:384})}function ye(e){return Q(`${e}:wallet`)}function Et(e,t){return fe(`${e}:wallet`,t)}function St(e){me(`${e}:wallet`)}function we(e
45`)),!W(n,r))throw new Error(`no URL for environment "${r}". Set url in config or use a built-in env name`);if(n.key_id&&!n.key_secret)throw new Error(`API key secret for "${r}" is stored in the OS keychain but could not be retrieved. This typically occurs in sandboxed environments (e.g. Codex) \u2014 grant the environment access to the OS keychain.`);if(!n.key_id||!n.key_secret)throw new Error(`no API key for "${r}". Run: cdp env ${r} --key-id=...`);return{name:r,env:n}}var ko=["CDP_KEY_SECRET","CDP_KEY_ID","CDP_WALLET_SECRET"];function We(){let e={...process.env};for(let t of ko)delete e[t];r ...
46Update available: ${e} \u2192 ${t}
47Run: npm i -g ${He}${r}
48`}var _o=1440*60*1e3;function xr(){return te()}function Co(){try{return JSON.parse(Po(hr(xr(),wr),"utf8"))}catch{return null}}function Bo(e){try{
49${Buffer.from(e,"base64").toString("base64").match(/.{1,64}/g)?.join(`
51-----END PRIVATE KEY-----`}function At(e){let t;try{t=Buffer.from(e,"base64")}catch{throw new Error("wallet secret is not valid base64")}if(t.length<100||t.length>300)throw new Error(`wallet secret has unexpected length (${t.length} bytes). Expected a PKCS8 EC key (~138 bytes)`);let r=Pr(e);try{Er("SHA256").sign(r)}catch{throw new Error("wallet secret is not a valid EC private key")}}function Rt(e){return Array.isArray(e)?e.map(Rt):typeof e!="object"||e===null?e:Object.keys(e).sort().reduce((t,r)=>(t[r]=Rt(e[r]),t),{})}function ne(e,t){t.startsWith("/")||(t="/"+t);let r=new URL(e);return r.pat ...
52`);return}let l=Math.max(14,...i.map(c=>c.length));for(let c of i){let u=r.environments[c]??{},d=W(u,c),p=u.key_id?u.key_id.length>40?u.key_id.slice(0,37)+"...":u.key_id:"(no key)"
53`)}return}let n=e[0];if(t.remove){me(n),St(n),delete r.environments[n],r.env===n&&(r.env=""),q(r),process.stderr.write(`Removed ${n}.
54`);return}if(t.removeWalletSecret){St(n),process.stderr.write(`Removed wallet secret for ${n}.
55`);return}let o=r.environments[n]??{},s=t.walletSecret??(t.walletSecretFile?Go(t.walletSecretFile):void 0);if(s){if(!o.key_id&&!Q(n))throw new Error(`environment "${n}" has no API key. Configure one first: cdp env ${n} --key-file <file>`);At(s);let i=!!ye(n);Et(n,s),process.stderr.write(`Wallet secret ${i?"updated":"saved"} for ${n}.
56`);return}if(t.keyFile){let i=Ko(t.keyFile);o.key_id=i.keyId,o.key_secret=i.keySecret,t.url&&(o.url=t.url,he(t.url)||process.stderr.write(`warning: custom URL does not match a known CDP endpoint
57`)),Tt(n,o,t.plaintext),r.environments[n]=o,r.env=n,q(r),process.stderr.write(`Loaded key from ${t.keyFile}. Switched to ${n}.
58`);return}if(t.keyId||t.keySecret||t.url){t.keyId&&(o.key_id=t.keyId),t.keySecret&&(o.key_secret=t.keySecret),t.url&&(o.url=t.url,he(t.url)||process.stderr.write(`warning: custom URL does not match a known CDP endpoint
59`)),Tt(n,o,t.plaintext),r.environments[n]=o,r.env=n,q(r),process.stderr.write(`Saved and switched to ${n}.
60`);return}if(o.key_id&&(o.key_secret||Q(n))){r.env=n,q(r),process.stderr.write(`Switched to ${n}.
61`);return}if(!process.stdout.isTTY)throw new Error(`environment "${n}" needs API keys. Run: cdp env ${n} --key-id=... --key-secret=...`);let a=Ge({input:process.stdin,output:process.stderr});try{if(!o.key_id){let i=await a.question("API Key ID: ");if(!i.trim())throw new Error("API Key ID is required");o.key_id=i.trim()}if(!o.key_secret){a.close();let i=await Rr("API Key Secret: ");if(!i.trim())throw new Error("API Key Secret is required");o.key_secret=i.trim(),a=Ge({input:process.stdin,output:process.stderr})}if(!o.url&&!W(o,n)){let i=await a.question("URL (optional): ");i.trim()&&(o.url=i.tri ...
62`))}if(!o.wallet_secret&&!ye(n)){a.close();let i=await Rr("Wallet Secret (optional, press Enter to skip): ");i.trim()&&(At(i.trim()),o.wallet_secret=i.trim()),a=Ge({input:process.stdin,output:process.stderr})}}finally{a.close()}Tt(n,o),r.environments[n]=o,r.env=n,q(r),process.stderr.write(`Saved. Switched to ${n}.
63`)}function Tt(e,t,r){if(!r&&(t.key_secret||t.wallet_secret)){if(!ur()){let n=process.platform==="linux"?"Install libsecret-tools for keyring support, or ":process.platform==="win32"?"Check Windows Credential Manager access, or ":"Check Keychain access (sandboxed environments may not have access), or ";throw new Error(
64${n}use --plaintext to store in config file.`)}t.key_secret&&fe(e,t.key_secret)&&delete t.key_secret,t.wallet_secret&&Et(e,t.wallet_secret)&&delete t.wallet_secret}}function Rr(e){return process.stderr.write(e),process.stdin.isTTY?new Promise(t=>{let r=process.stdin;r.setRawMode(!0),r.resume(),r.setEncoding("utf8");let n
65`||s==="\r"||s===""?(r.setRawMode(!1),r.pause(),r.removeListener("data",o),process.stderr.write(`
66`),t(n)):s==="\x7F"||s==="\b"?n=n.slice(0,-1):s===""?process.exit(1):n+=s};r.on("data",o)}):new Promise(t=>{
67Run: cdp env <name> --key-id=... --key-secret=... to configure.`),R(n.join(`
CriticalTrigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L50 HighCommand Output Exfiltration
Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.
dist/index.jsView on unpkg · L50 68`))}function Ur(e,t){if(!t)return R("Environment name is required.",!0);let r=Object.keys(e.environments??{});return r.length===0?R("No environments configured. Run: cdp env <name> --key-id=... --key-secret=... to configure.",!0):e.environments[t]?{cfg:{...e,env:t}}:R(`Unknown environment: "${t}". Available environments: ${r.join(", ")}`,!0)}function Fr(e){return Ot(e)}function Wr(e,t,r,n){if(!e||!t)return R("resource and action are required",!0);let o=r.find(p=>p.name===e);if(!o)return R(`Unknown resource: ${e}. Available: ${r.map(p=>p.name).join(", ")}`,!0);let s=o.actions.find(p=>p.name===t ...
69`))}function Qe(e,t){let r={};for(let n of t.flattenBodyParams(e.operation))if(n.oneOf&&n.oneOf.length>0){let o={};for(let s of n.oneOf[0].fields)o[s.name]=It(s);J(r,n.path,o)}else J(r,n.path,n.example
70${JSON.stringify(i,null,2)}
74`)}`)}function as(e,t){return e.FORCE_HYPERLINK==="0"?!1:e.FORCE_HYPERLINK?!0:!t||e.CI?!1:!!(/ghostty|iterm|wezterm|hyper/i.test(e.TERM_PROGRAM||"")||e.WT_SESSION||parseInt(e.VTE_VERSION||"",10)>=5e3)}var Hr=as(process.env,!!process.stdout.isTTY);function _t(e){return e.replace(/\x1b\]8;;[^\x07]*\x07/g,"").replace(/\x1b\[[0-9;]*m/g,"").length}function z(e,t,r,n){let o=n??t.length,s=Math.max(20,(process.stdout.columns||80)-o),a=r.split(" "),i="",l=!0;for(let c of a){let u=_t(c),d=_t(i),p=c.includes("\x1B]8;;");(d+u+1>s||p&&d>0&&d+u+1>s*.6)&&i.length>0&&(e.write((l?t:" ".repeat(o))+i.trimEnd()+`
75`),i="",l=!1),i+=(i?" ":"")+c}i&&e.write((l?t:" ".repeat(o))+i.trimEnd()+`
HighSame File Env Network Execution
A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/index.jsView on unpkg · L65 76`)}function cs(e,t,r){return r?`\x1B]8;;${t}\x07\x1B[4m${e}\x1B[24m\x1B]8;;\x07`:`${e} (${t})`}function et(e,t=Hr){return e.replace(/\[([^\]]+)\]\(([^)]+)\)/g,(r,n,o)=>cs(n,o,t))}function xe(e){return e.replace(/\*\*(.+?)\*\*/g,"$1").replace(/__(.+?)__/g,"$1").replace(/\*(.+?)\*/g,"$1").replace(/_(.+?)_/g,"$1").replace(/\[([^\]]+)\]\([^)]+\)/g,"$1").replace(/^#{1,6}\s+/gm,"")}function tt(e,t){let r=t??process.stdout.columns??100;return e.replace(/\r\n/g,`
78`).flatMap(n=>{n=xe(n).replace(/^\s*\*\s+/," - ").replace(/^\s*(\d+)\.\s+/," $1. ");let o=[];for(;n.length>r;){let s=n.lastIndexOf(" ",r);s<=0&&(s=r),o.push(n.slice(0,s)),n=n.slice(s+1)}return o.push(n),o}).join(`
80`}function Vr(e){let t=B();if(e.length===0)return ls(t);if(e.length===1)return us(t,e[0]);if(e.length===2)return ds(t,e[0],e[1]);throw new Error("usage: cdp api [group | METHOD /path | /path]")}function ls(e){for(let t of e.groups()){let r=Ce(t);process.stdout.write(`${t.name.padEnd(24)} ${String(t.endpoints.length).padStart(2)} endpoints ${r}
81`)}}function us(e,t){let r=e.findEndpoints(t.startsWith("/")?"/v2"+t:t);if(r.length===0)throw new Error(t.startsWith("/")?`no endpoints found for path: ${t}`:`no API group named "${t}". Run: cdp api`);ps(r,e)}function ds(e,t,r){let n=e.findEndpoint(t.toUpperCase(),r.startsWith("/v2")?r:"/v2"+r);if(!n)throw new Error(`no endpoint: ${t} ${r}`);Ct(n,e)}function ps(e,t){for(let r=0;r<e.length;r++){r>0&&process.stdout.write(`
82`);let n=e[r];process.stdout.write(`${n.method.padEnd(5)} ${n.path.replace(/^\/v2/,"").padEnd(45)} ${n.summary}${Y(n.operation?.["x-audience"]??"")}
83`),fs(n,t)}}function ie(e,t,r=!1){if(e.length===0)return;let n=Math.max(...e.map(i=>i.name.length))+1,o=Math.max(...e.map(i=>i.type.length))+1,s=Math.max(...e.map(i=>i.req.length)),a=" ".repeat(t);for(let i of e){let l=`${a}${i.name.padEnd(n)}${i.type.padEnd(o)}${s>0?i.req.padEnd(s)+" ":""}`,c=et(xe(i.desc.replace(/\n/g," ").trim()));if(r)z(process.stdout,l,c);else{let u=Math.max((process.stdout.columns||100)-l.length,20);process.stdout.write(`${l}${c.length>u?c.slice(0,u-3)+"...":c}
84`)}}}function fs(e,t){let r=t.flattenBodyParams(e.operation);r.length>0&&(process.stdout.write(` body:
85`),ie(r.map(i=>({name:i.path,type:i.type,req:i.required?"required":"",desc:i.description})),4));let n=t.getParameters(e.operation),o=e.path??"",s=wt(n.filter(i=>i?.in==="path"),o).map(i=>i.name),a=n.filter(i=>i?.in==="query").map(i=>i.name);s.length>0&&process.stdout.write(` path: ${s.join(", ")}
Long lines were clipped for display.