feat: auto-configure .npmrc for private beta packages #19
Merged
The thatopen CLI now sets up authenticated access to the private @thatopen-platform/*-beta packages instead of asking users to configure an npm token by hand:

- EngineServicesClient.getNpmCredentials() fetches the read-only Founders token from GET /api/npm-registry/credentials (gated to FOUNDING members).
- setupNpmrc() writes the returned .npmrc; create --beta runs it before npm install, and login refreshes it inside a beta project (token rotation).
- .npmrc added to the scaffold .gitignore (it carries a credential).

Non-Founding accounts get a clear message and the scaffold still completes.

- swap --beta now writes an authenticated .npmrc before install (was only printing a manual-token hint), matching create --beta.
- Extract the shared resolve-config + write-.npmrc glue into configureBetaNpmrc(); create and swap both use it.
- Document beta libraries in the README.
smoratino-apogea
approved these changes
Jun 16, 2026
| ): Promise<NpmrcResult> { | ||
| try { | ||
| const creds = await client.getNpmCredentials(); | ||
| writeFileSync(join(dir, '.npmrc'), creds.npmrc, { mode: 0o600 }); |
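Review bot: the { mode: 0o600 } option on the writeFileSync line only takes effect when .npmrc is created; if the file already exists, its current permissions are kept, so a group- or world-readable .npmrc stays that way after the token is written into it. Consider following the write with chmodSync(join(dir, '.npmrc'), 0o600). The same call also replaces an existing .npmrc wholesale, so any registry settings the project already had are dropped; merging the returned lines or warning before the overwrite would be safer.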
Contributor
Should we make sure that .npmrc is included in .gitignore before entering the token here? In swap/login for existing projects, it might not be included (only the create command covers it by default), and we could end up pushing the credentials to the repo.
Addresses Sergio's review on #19: create covers .npmrc via the scaffold template, but swap/login write into existing projects whose .gitignore we don't own — risking a committed credential. ensureNpmrcIgnored() now adds .npmrc to the project .gitignore (creating it if absent) at the single write chokepoint, so all three flows are covered.
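One way to build the guard the commit message above describes, as an added example that is not the CLI's own ensureNpmrcIgnored(): the names ignoresNpmrc, ensureIgnored, writeNpmrc and demo, the registry host and the token are hypothetical. The matcher only recognises the exact patterns shown; anything else just results in a redundant appended line.

```typescript
// Added illustration; names are hypothetical and this is not the thatopen CLI's code.
import { chmodSync, existsSync, mkdtempSync, readFileSync, writeFileSync } from 'node:fs';
import { tmpdir } from 'node:os';
import { join } from 'node:path';

/** True if the last matching .gitignore rule ignores a root-level .npmrc. */
function ignoresNpmrc(gitignore: string): boolean {
  let ignored = false;
  for (const raw of gitignore.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '.npmrc' || line === '/.npmrc') ignored = true;
    else if (line === '!.npmrc' || line === '!/.npmrc') ignored = false; // negation re-includes
  }
  return ignored;
}

/** Append .npmrc to <dir>/.gitignore, creating the file if absent. Returns true if it changed. */
function ensureIgnored(dir: string): boolean {
  const path = join(dir, '.gitignore');
  const current = existsSync(path) ? readFileSync(path, 'utf8') : '';
  if (ignoresNpmrc(current)) return false;
  const sep = current === '' || current.endsWith('\n') ? '' : '\n';
  writeFileSync(path, `${current}${sep}.npmrc\n`); // appended last, so it wins over earlier rules
  return true;
}

/** Single write point: ignore first, then write the credential readable by the owner only. */
function writeNpmrc(dir: string, npmrc: string): void {
  ensureIgnored(dir);
  const path = join(dir, '.npmrc');
  writeFileSync(path, npmrc, { mode: 0o600 });
  chmodSync(path, 0o600); // the mode option only applies when the file is newly created
}

/** Constructed input: an existing project whose .gitignore re-includes .npmrc. */
function demo(): { gitignore: string; changedAgain: boolean } {
  const dir = mkdtempSync(join(tmpdir(), 'npmrc-demo-'));
  writeFileSync(join(dir, '.gitignore'), 'node_modules\n!.npmrc'); // no trailing newline
  writeNpmrc(dir, '//registry.example/:_authToken=PLACEHOLDER\n'); // placeholder, not a real token
  return {
    gitignore: readFileSync(join(dir, '.gitignore'), 'utf8'),
    changedAgain: ensureIgnored(dir),
  };
}
```

A .gitignore entry has no effect on a .npmrc that git already tracks, so a complete guard would also check for that case before writing the token.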
Makes thatopen create --beta set up authenticated access to the private @thatopen-platform/*-beta packages automatically, instead of telling users to configure an npm token by hand.

Changes

- EngineServicesClient.getNpmCredentials() — fetches the read-only Founders token from GET /api/npm-registry/credentials (gated to FOUNDING members; non-Founding accounts get a 403).
- setupNpmrc() helper writes the returned .npmrc. create --beta runs it before npm install; login refreshes it inside a beta project so a rotated token propagates.
- .npmrc added to the scaffold .gitignore (it carries a credential).
- NpmCredentials type; adds a changeset.

Non-Founding members get a clear message and the scaffold still completes.
Backend counterpart: platform_backend-api#202 (the gated endpoint).