feat(cli): add --dapc seed flag for air-gapped OSS admin#8859
Conversation
COMPARE TO
|
| Name | Diff |
|---|---|
| .changeset/ravens-swallows-comet.md | 📈 +230 Bytes |
| packages/cli/src/commands/database/seed/index.ts | 📈 +704 Bytes |
| packages/cli/src/commands/database/seed/options.ts | 📈 +525 Bytes |
| packages/cli/src/commands/database/seed/tables.ts | 📈 +110 Bytes |
| packages/cli/src/commands/install/index.ts | 📈 +595 Bytes |
| packages/cli/src/commands/install/utils.ts | 📈 +170 Bytes |
| packages/schemas/src/seeds/sign-in-experience.test.ts | 📈 +1.36 KB |
| packages/schemas/src/seeds/sign-in-experience.ts | 📈 +945 Bytes |
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new CLI seed flag that can disable the HaveIBeenPwned (HIBP) password breach check specifically for the admin tenant during DB seeding, aimed at air-gapped/offline OSS deployments.
Changes:
- Extend the admin-tenant sign-in-experience seed to optionally set
passwordPolicy.rejects.pwned = false. - Thread a new CLI flag (
--dapc, alias--disable-admin-pwned-password-check) throughseed→seedByPool→seedTables. - Add Vitest coverage for the new admin-tenant seed behavior and confirm the default seed contract remains unchanged.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/schemas/src/seeds/sign-in-experience.ts | Adds an options type + option-driven override to disable the pwned password check for admin tenant seed. |
| packages/schemas/src/seeds/sign-in-experience.test.ts | Adds tests for default vs. disabled-pwned-check admin seed behavior. |
| packages/cli/src/commands/install/utils.ts | Updates seeding callsite to new seedByPool(pool, { cloud }) signature. |
| packages/cli/src/commands/database/seed/tables.ts | Passes admin seed options through seedTables into createAdminTenantSignInExperience. |
| packages/cli/src/commands/database/seed/index.ts | Switches seedByPool to an options object and wires new --dapc flag into seeding. |
| .changeset/ravens-swallows-comet.md | Announces the new CLI seed option as a minor change. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| darkLogoUrl: 'https://logto.io/logo-dark.svg', | ||
| }, | ||
| passwordPolicy: options.disablePwnedPasswordCheck | ||
| ? { rejects: { pwned: false } } |
| .option('dapc', { | ||
| describe: | ||
| "Seed the admin tenant's sign-in experience with the HaveIBeenPwned (HIBP) " + | ||
| 'password breach check disabled. Use this for air-gapped or offline OSS deployments ' + | ||
| 'where api.pwnedpasswords.com is unreachable, otherwise creating the first admin ' + | ||
| 'user from the Welcome page will hang on the breach check. Scope: admin tenant only ' + | ||
| "— the default tenant's password policy is unaffected and stays admin-controlled " + | ||
| 'via the Admin Console.', | ||
| alias: 'disable-admin-pwned-password-check', | ||
| type: 'boolean', |
| try { | ||
| const pool = await createPoolAndDatabaseIfNeeded(); | ||
| await seedByPool(pool, cloud); | ||
| await seedByPool(pool, { cloud }); |
There was a problem hiding this comment.
seedDatabase was updated to use the new options-bag signature but doesn't accept/forward disablePwnedPasswordCheck. Combined with packages/cli/src/commands/install/index.ts only declaring --skip-seed, the new flag isn't reachable from logto install — the conventional OSS install path. Air-gapped users will still hit the HIBP hang unless they know to run logto install --skip-seed and then logto db seed --dapc as two steps, which defeats the friction this PR is meant to remove.
Suggestion: add an --disable-admin-pwned-password-check / --dapc option to the install command and thread it through seedDatabase → seedByPool. The plumbing change is small now that the options bag exists.
There was a problem hiding this comment.
Good catch — fixed in 23c2cba. The install command now accepts --disable-admin-pwned-password-check (alias --dapc) and threads it through installLogto → seedDatabase → seedByPool, so air-gapped users can do a single logto install --dapc instead of the two-step install --skip-seed + db seed --dapc. Updated the changeset wording to cover both commands.
Thread the flag through `installLogto` → `seedDatabase` → `seedByPool` so air-gapped OSS users can run a single `logto install --dapc` instead of `install --skip-seed` + `db seed --dapc`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| cloud: boolean; | ||
| du?: string; | ||
| 'disable-admin-pwned-password-check'?: boolean; | ||
| } |
There was a problem hiding this comment.
Yargs's Arguments<T> typing auto-camelCases multi-word kebab keys (disable-admin-pwned-password-check → disableAdminPwnedPasswordCheck) at both type-check and runtime levels — pnpm tsc --noEmit and the build both pass clean. This also matches the existing convention introduced in this PR's same file by @simeng-li (commit da1e015, swe / skip-when-exists + the original disable-admin-pwned-password-check definition in db seed), so keeping the same kebab-in-generic + camelCase-in-handler pattern for consistency.
| }), | ||
| handler: async ({ p, ss, cloud, du }) => { | ||
| await installLogto({ path: p, skipSeed: ss, cloud, downloadUrl: du }); | ||
| handler: async ({ p, ss, cloud, du, disableAdminPwnedPasswordCheck }) => { |
There was a problem hiding this comment.
Yargs's Arguments<T> typing auto-camelCases multi-word kebab keys (disable-admin-pwned-password-check → disableAdminPwnedPasswordCheck) at both type-check and runtime levels — pnpm tsc --noEmit and the build both pass clean. This also matches the existing convention introduced in this PR's same file by @simeng-li (commit da1e015, swe / skip-when-exists + the original disable-admin-pwned-password-check definition in db seed), so keeping the same kebab-in-generic + camelCase-in-handler pattern for consistency.
| test?: boolean; | ||
| 'legacy-test-data'?: boolean; | ||
| 'encrypt-base-role'?: boolean; | ||
| 'disable-admin-pwned-password-check'?: boolean; |
There was a problem hiding this comment.
Yargs's Arguments<T> typing auto-camelCases multi-word kebab keys (disable-admin-pwned-password-check → disableAdminPwnedPasswordCheck) at both type-check and runtime levels — pnpm tsc --noEmit and the build both pass clean. This also matches the existing convention introduced in this PR's same file by @simeng-li (commit da1e015, swe / skip-when-exists + the original disable-admin-pwned-password-check definition in db seed), so keeping the same kebab-in-generic + camelCase-in-handler pattern for consistency.
| test, | ||
| legacyTestData, | ||
| encryptBaseRole, | ||
| disableAdminPwnedPasswordCheck, |
There was a problem hiding this comment.
Yargs's Arguments<T> typing auto-camelCases multi-word kebab keys (disable-admin-pwned-password-check → disableAdminPwnedPasswordCheck) at both type-check and runtime levels — pnpm tsc --noEmit and the build both pass clean. This also matches the existing convention introduced in this PR's same file by @simeng-li (commit da1e015, swe / skip-when-exists + the original disable-admin-pwned-password-check definition in db seed), so keeping the same kebab-in-generic + camelCase-in-handler pattern for consistency.
| 'disable-admin-pwned-password-check': { | ||
| describe: | ||
| "Seed the admin tenant's sign-in experience with the Have I Been Pwned (HIBP) " + | ||
| 'password breach check disabled. Use this for air-gapped or offline OSS deployments ' + | ||
| 'where api.pwnedpasswords.com is unreachable, otherwise creating the first admin ' + | ||
| 'user from the Welcome page will hang on the breach check. Scope: admin tenant only ' + | ||
| "— the default tenant's password policy is unaffected and stays admin-controlled " + | ||
| 'via the Admin Console.', |
There was a problem hiding this comment.
Fixed in 62279c8. Extracted disableAdminPwnedPasswordCheckDescription to packages/cli/src/commands/database/seed/options.ts and imported it from both install and db seed, so the text now lives in one place.
Both `install` and `db seed` declare the same multi-line describe string for `--disable-admin-pwned-password-check`. Move it into `commands/database/seed/options.ts` so future edits only happen once. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds a new
logto db seedflag--disable-admin-pwned-password-check(alias--dapc) that seeds the admin tenant's seeded password policy with the HIBP breach check disabled. This unblocks first-admin sign-up on air-gapped or offline OSS deployments whereapi.pwnedpasswords.comis unreachable; otherwise the Welcome-page interaction sign-up hangs on the Have I Been Pwned (HIBP) breach check.Scope is admin-tenant only. The default tenant's seeded policy is intentionally untouched and remains admin-controlled via the Admin Console after install. No runtime password-validation logic is changed.
A new exported type
AdminSignInExperienceSeedOptionsin@logto/schemascarries the option from the CLI handler throughseedByPoolandseedTablesintocreateAdminTenantSignInExperience.seedByPool's positional booleans are collapsed into an options bag so the public CLI surface gains the new flag without growing the function arity past the repo'smax-paramslint rule. Only in-repo callers in@logto/cliwere updated; the type stays module-local to that package.The admin can re-enable the HIBP check after install via Admin Console -> Sign-in experience -> Password policy.
Companion docs PR
User-facing documentation for this flag lives in logto-io/docs#1417, which adds a new "Seed for air-gapped or offline deployments" section under
Logto OSS > Logto CLIand a cross-reference admonition underDeployment and configuration > Database setup. Reviewers can review both together so the released CLI option and its docs land in sync.Testing
Unit tests
Checklist
.changeset(only when explicitly required)