@0dai-dev/cli 2.3.1 → 2.5.0

package/bin/0dai.js

@@ -7,7 +7,7 @@ const fs = require("fs");
 const path = require("path");
 const os = require("os");
 
-const VERSION = "2.3.0";
+const VERSION = "2.5.0";
 const API_URL = process.env.ODAI_API_URL || "https://api.0dai.dev";
 const T = process.stdout.isTTY ? "\x1b[38;2;45;212;168m" : ""; // teal
 const R = process.stdout.isTTY ? "\x1b[0m" : ""; // reset
@@ -259,22 +259,299 @@ async function cmdDetect(target) {
   console.log(`clis: ${(result.available_clis || []).join(",")}`);
 }
 
+function cmdAudit(target) {
+  const W = process.stdout.isTTY ? "\x1b[33m" : "";   // yellow
+  const RE = process.stdout.isTTY ? "\x1b[31m" : "";  // red
+  const G = process.stdout.isTTY ? "\x1b[32m" : "";   // green
+
+  // Secret patterns: [label, regex, severity]
+  const PATTERNS = [
+    ["Anthropic API key",  /sk-ant-api[0-9A-Za-z_-]{20,}/g,         "critical"],
+    ["OpenAI API key",     /sk-[A-Za-z0-9]{20,}/g,                   "critical"],
+    ["GitHub PAT (ghp)",   /ghp_[A-Za-z0-9]{36}/g,                   "critical"],
+    ["GitHub PAT (gho)",   /gho_[A-Za-z0-9]{36}/g,                   "critical"],
+    ["GitHub fine-grained",/github_pat_[A-Za-z0-9_]{59}/g,           "critical"],
+    ["AWS access key",     /AKIA[0-9A-Z]{16}/g,                       "critical"],
+    ["AWS secret key",     /aws_secret_access_key\s*[=:]\s*\S{20,}/gi,"critical"],
+    ["Google API key",     /AIza[0-9A-Za-z_-]{35}/g,                  "high"],
+    ["Bearer token",       /Bearer\s+[A-Za-z0-9_-]{32,}/g,           "high"],
+    ["Private key block",  /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY/g, "critical"],
+    ["Generic secret var", /(?:secret|password|passwd|pwd)\s*[=:]\s*["']?[A-Za-z0-9+/=_-]{12,}["']?/gi, "medium"],
+  ];
+
+  // Files to scan
+  const SCAN_FILES = [
+    "CLAUDE.md", "AGENTS.md", "GEMINI.md", ".cursorrules",
+    ".codex/config.md", ".codex/instructions.md",
+    "opencode.json", ".mcp.json",
+  ];
+
+  // Walk a directory recursively, return all file paths
+  function walk(dir, maxDepth = 6, _depth = 0) {
+    if (_depth > maxDepth) return [];
+    let results = [];
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name.startsWith(".git") || entry.name === "node_modules") continue;
+        const full = path.join(dir, entry.name);
+        if (entry.isDirectory()) results = results.concat(walk(full, maxDepth, _depth + 1));
+        else results.push(full);
+      }
+    } catch { /* skip unreadable */ }
+    return results;
+  }
+
+  const findings = []; // {file, line, label, severity, excerpt}
+
+  function scanContent(filePath, content) {
+    const lines = content.split("\n");
+    for (const [label, regex, severity] of PATTERNS) {
+      regex.lastIndex = 0;
+      for (let i = 0; i < lines.length; i++) {
+        let m;
+        regex.lastIndex = 0;
+        while ((m = regex.exec(lines[i])) !== null) {
+          const val = m[0];
+          // Redact: show first 6 + ... + last 4 chars
+          const excerpt = val.length > 14 ? val.slice(0, 6) + "..." + val.slice(-4) : val.slice(0, 4) + "...";
+          findings.push({ file: filePath, line: i + 1, label, severity, excerpt });
+        }
+      }
+    }
+  }
+
+  // Collect files to scan
+  const toScan = new Set();
+
+  for (const rel of SCAN_FILES) {
+    const p = path.join(target, rel);
+    if (fs.existsSync(p)) toScan.add(p);
+  }
+
+  const aiDir = path.join(target, "ai");
+  if (fs.existsSync(aiDir)) {
+    for (const f of walk(aiDir)) {
+      if (/\.(md|json|yaml|yml|txt|toml)$/.test(f)) toScan.add(f);
+    }
+  }
+
+  // Warn about .env files (don't scan content, just flag existence)
+  const envFiles = [".env", ".env.local", ".env.production", ".env.development"];
+  const foundEnv = envFiles.filter(e => fs.existsSync(path.join(target, e)));
+
+  console.log(`\n  ${T}0dai audit${R} — scanning for leaked secrets\n`);
+  console.log(`  ${D}target: ${target}${R}`);
+  console.log(`  ${D}files:  ${toScan.size} scanned${R}\n`);
+
+  for (const filePath of toScan) {
+    try {
+      const content = fs.readFileSync(filePath, "utf8");
+      scanContent(filePath, content);
+    } catch { /* skip */ }
+  }
+
+  if (foundEnv.length > 0) {
+    console.log(`  ${W}WARN${R}  .env files detected — ensure they are in .gitignore`);
+    for (const e of foundEnv) console.log(`         ${D}${e}${R}`);
+    console.log();
+  }
+
+  if (findings.length === 0) {
+    console.log(`  ${G}✓ No secrets found${R} in scanned files\n`);
+    return;
+  }
+
+  const critical = findings.filter(f => f.severity === "critical");
+  const high = findings.filter(f => f.severity === "high");
+  const medium = findings.filter(f => f.severity === "medium");
+
+  const colorFor = (s) => s === "critical" ? RE : s === "high" ? W : D;
+
+  for (const f of findings) {
+    const c = colorFor(f.severity);
+    const rel = path.relative(target, f.file);
+    console.log(`  ${c}${f.severity.toUpperCase().padEnd(8)}${R} ${rel}:${f.line}`);
+    console.log(`           ${D}${f.label}: ${f.excerpt}${R}`);
+  }
+
+  console.log();
+  if (critical.length > 0) console.log(`  ${RE}${critical.length} critical${R} · ${W}${high.length} high${R} · ${D}${medium.length} medium${R}\n`);
+  else console.log(`  ${W}${high.length} high${R} · ${D}${medium.length} medium${R}\n`);
+
+  console.log(`  ${D}Tip: add secrets to .gitignore or use env vars, not plaintext files${R}\n`);
+
+  if (critical.length > 0) process.exit(1);
+}
+
 function cmdDoctor(target) {
   const ai = path.join(target, "ai");
   if (!fs.existsSync(ai)) { log("no ai/ layer. Run '0dai init' first."); return; }
-  let v = "?";
+  let v = "?", stack = "generic";
   try { v = fs.readFileSync(path.join(ai, "VERSION"), "utf8").trim(); } catch {}
-  const checks = {
-    "ai/VERSION": fs.existsSync(path.join(ai, "VERSION")),
-    "ai/manifest/project.yaml": fs.existsSync(path.join(ai, "manifest", "project.yaml")),
-    "ai/manifest/commands.yaml": fs.existsSync(path.join(ai, "manifest", "commands.yaml")),
-    "ai/manifest/discovery.json": fs.existsSync(path.join(ai, "manifest", "discovery.json")),
-    ".claude/settings.json": fs.existsSync(path.join(target, ".claude", "settings.json")),
-    "AGENTS.md": fs.existsSync(path.join(target, "AGENTS.md")),
+  try { stack = JSON.parse(fs.readFileSync(path.join(ai, "manifest", "discovery.json"), "utf8")).stack || "generic"; } catch {}
+
+  const W = process.stdout.isTTY ? "\x1b[33m" : "";  // yellow
+  const E = process.stdout.isTTY ? "\x1b[31m" : "";  // red
+  const G = process.stdout.isTTY ? "\x1b[32m" : "";  // green
+  const R2 = process.stdout.isTTY ? "\x1b[0m" : "";
+
+  // --- ai/ layer checks ---
+  const layerChecks = {
+    "ai/VERSION":                  { path: path.join(ai, "VERSION"),                   sev: "error" },
+    "ai/manifest/project.yaml":    { path: path.join(ai, "manifest", "project.yaml"),  sev: "error" },
+    "ai/manifest/commands.yaml":   { path: path.join(ai, "manifest", "commands.yaml"), sev: "warn"  },
+    "ai/manifest/discovery.json":  { path: path.join(ai, "manifest", "discovery.json"),sev: "warn"  },
+    ".claude/settings.json":       { path: path.join(target, ".claude", "settings.json"), sev: "warn" },
+    "AGENTS.md":                   { path: path.join(target, "AGENTS.md"),             sev: "warn"  },
   };
-  const ok = Object.values(checks).every(Boolean);
-  log(`v${v} — ${ok ? "healthy" : "issues found"}`);
-  for (const [name, exists] of Object.entries(checks)) console.log(`  ${exists ? "ok" : "MISSING"}: ${name}`);
+
+  // --- credentials checklist ---
+  const credChecks = [
+    { name: "ANTHROPIC_API_KEY",  env: "ANTHROPIC_API_KEY",  needed: true,  sev: "error", hint: "Required for Claude Code — get at console.anthropic.com" },
+    { name: "OPENAI_API_KEY",     env: "OPENAI_API_KEY",     needed: false, sev: "warn",  hint: "Required for Codex CLI — get at platform.openai.com" },
+    { name: "GITHUB_TOKEN",       env: "GITHUB_TOKEN",       needed: false, sev: "warn",  hint: "Needed for gh CLI, PR creation, swarm delegation" },
+  ];
+
+  // Stack-specific creds
+  if (stack.includes("vercel") || stack.includes("next")) {
+    credChecks.push({ name: "VERCEL_TOKEN", env: "VERCEL_TOKEN", needed: false, sev: "warn", hint: "Required for Vercel deployments — get at vercel.com/account/tokens" });
+  }
+  if (stack.includes("aws") || stack.includes("lambda") || stack.includes("cdk")) {
+    credChecks.push({ name: "AWS_ACCESS_KEY_ID", env: "AWS_ACCESS_KEY_ID", needed: false, sev: "warn", hint: "Required for AWS deployments" });
+  }
+  if (stack.includes("gcp") || stack.includes("firebase") || stack.includes("flutter")) {
+    credChecks.push({ name: "GOOGLE_APPLICATION_CREDENTIALS", env: "GOOGLE_APPLICATION_CREDENTIALS", needed: false, sev: "warn", hint: "Required for GCP/Firebase deployments" });
+  }
+
+  // --- run checks ---
+  let errors = 0, warnings = 0;
+  log(`v${v} | stack: ${stack}\n`);
+
+  console.log("  ai/ layer:");
+  for (const [name, { path: p, sev }] of Object.entries(layerChecks)) {
+    const exists = fs.existsSync(p);
+    if (!exists) sev === "error" ? errors++ : warnings++;
+    const mark = exists ? `${G}ok${R2}` : sev === "error" ? `${E}MISSING${R2}` : `${W}missing${R2}`;
+    console.log(`    ${mark.padEnd(22)} ${name}`);
+  }
+
+  console.log("\n  credentials:");
+  for (const c of credChecks) {
+    const present = !!process.env[c.env];
+    if (!present) c.sev === "error" ? errors++ : warnings++;
+    const mark = present ? `${G}set${R2}` : c.sev === "error" ? `${E}NOT SET${R2}` : `${W}not set${R2}`;
+    console.log(`    ${mark.padEnd(22)} ${c.name}${!present ? `\n      ${D}→ ${c.hint}${R2}` : ""}`);
+  }
+
+  // --- swarm check ---
+  const swarmDir = path.join(ai, "swarm");
+  const countDir = (d) => { try { return fs.readdirSync(d).filter(f => f.endsWith(".json")).length; } catch { return 0; } };
+  const qCount = countDir(path.join(swarmDir, "queue"));
+  const dCount = countDir(path.join(swarmDir, "done"));
+  if (qCount || dCount) {
+    console.log(`\n  swarm: ${qCount} queued, ${dCount} done`);
+    if (qCount) console.log(`    ${W}→ run '0dai reflect' to review pending tasks${R2}`);
+  }
+
+  const summary = errors ? `${E}${errors} error(s)${R2}` : warnings ? `${W}${warnings} warning(s)${R2}` : `${G}healthy${R2}`;
+  console.log(`\n  status: ${summary}`);
+  if (errors) process.exitCode = 1;
+}
+
+// --- Session reflection --- (dogfood feedback #36)
+function cmdReflect(target, args) {
+  const ai = path.join(target, "ai");
+  const W = process.stdout.isTTY ? "\x1b[33m" : "";
+  const G = process.stdout.isTTY ? "\x1b[32m" : "";
+  const R2 = process.stdout.isTTY ? "\x1b[0m" : "";
+  const B = process.stdout.isTTY ? "\x1b[1m" : "";
+
+  // Collect swarm done tasks
+  const doneDir = path.join(ai, "swarm", "done");
+  const queueDir = path.join(ai, "swarm", "queue");
+  const activeDir = path.join(ai, "swarm", "active");
+  const doneTasks = [], queueTasks = [];
+
+  // -- how many days to look back (default 7)
+  const daysArg = args.find((_, i) => args[i - 1] === "--days");
+  const days = parseInt(daysArg || "7");
+  const since = Date.now() - days * 24 * 60 * 60 * 1000;
+
+  const readJsonDir = (dir) => {
+    const out = [];
+    try {
+      for (const f of fs.readdirSync(dir).filter(f => f.endsWith(".json"))) {
+        try { out.push(JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"))); } catch {}
+      }
+    } catch {}
+    return out;
+  };
+
+  const allDone = readJsonDir(doneDir).filter(t => {
+    const ts = t.completed_at || t.created_at;
+    return !ts || new Date(ts).getTime() >= since;
+  });
+  const allQueue = readJsonDir(queueDir);
+  const allActive = readJsonDir(activeDir);
+
+  // Aggregate by agent
+  const byAgent = {};
+  for (const t of allDone) {
+    const a = t.assigned_to || t.agent || "unknown";
+    if (!byAgent[a]) byAgent[a] = { done: 0, tasks: [] };
+    byAgent[a].done++;
+    byAgent[a].tasks.push(t.title || t.id || "?");
+  }
+
+  // Session data
+  let sessionGoal = "?";
+  try {
+    const active = JSON.parse(fs.readFileSync(path.join(ai, "sessions", "active.json"), "utf8"));
+    sessionGoal = (active.task || {}).goal || "?";
+  } catch {}
+
+  console.log(`\n  ${B}${T}0dai reflect${R2}${R} — last ${days} days\n`);
+
+  // Goal
+  if (sessionGoal !== "?") console.log(`  ${B}Goal${R2}      ${sessionGoal}`);
+
+  // Delegation stats
+  const totalDone = allDone.length;
+  const totalPending = allQueue.length + allActive.length;
+  const successRate = totalDone + totalPending > 0
+    ? Math.round((totalDone / (totalDone + totalPending)) * 100)
+    : null;
+
+  console.log(`  ${B}Delivered${R2}  ${G}${totalDone}${R2} tasks completed`);
+  if (totalPending) console.log(`  ${B}Remaining${R2}  ${W}${totalPending}${R2} tasks still pending`);
+  if (successRate !== null) console.log(`  ${B}Rate${R2}       ${successRate >= 80 ? G : W}${successRate}%${R2} delegation success rate`);
+
+  // By agent breakdown
+  if (Object.keys(byAgent).length) {
+    console.log(`\n  ${B}By agent:${R2}`);
+    for (const [agent, data] of Object.entries(byAgent).sort((a, b) => b[1].done - a[1].done)) {
+      const bar = "█".repeat(Math.min(data.done, 20));
+      console.log(`    ${(agent + " ").padEnd(14)} ${G}${bar}${R2} ${data.done}`);
+    }
+  }
+
+  // Remaining blockers
+  if (allQueue.length) {
+    console.log(`\n  ${B}Blockers / queue:${R2}`);
+    for (const t of allQueue.slice(0, 8)) {
+      const agent = t.assigned_to ? ` → ${t.assigned_to}` : "";
+      console.log(`    ${W}•${R2} ${(t.title || t.id || "?").slice(0, 60)}${agent}`);
+    }
+    if (allQueue.length > 8) console.log(`    ${D}… and ${allQueue.length - 8} more${R2}`);
+  }
+
+  // No data
+  if (!totalDone && !totalPending) {
+    console.log(`  ${D}No swarm tasks found in the last ${days} days.${R2}`);
+    console.log(`  ${D}Use '0dai swarm add --task "..." --to codex' to delegate tasks.${R2}`);
+  }
+
+  console.log();
 }
 
 function cmdStatus(target) {
@@ -671,10 +948,12 @@ async function main() {
   checkVersion();
 
   switch (cmd) {
+    case "audit": cmdAudit(target); break;
     case "init": await cmdInit(target); break;
     case "sync": await cmdSync(target); break;
     case "detect": await cmdDetect(target); break;
     case "doctor": cmdDoctor(target); break;
+    case "reflect": cmdReflect(target, args); break;
     case "status": cmdStatus(target); break;
     case "auth":
       if (sub === "login") await cmdAuthLogin();
@@ -713,10 +992,12 @@ async function main() {
     case "help": case "--help": case "-h":
       console.log(`\n  ${T}0dai${R} v${VERSION} — One config for 5 AI agent CLIs\n`);
       console.log("Commands:");
+      console.log("  audit          Scan ai/ and agent configs for leaked secrets");
       console.log("  init           Initialize ai/ layer (via API)");
       console.log("  sync           Update ai/ layer (via API)");
       console.log("  detect         Show detected stack");
-      console.log("  doctor         Check health");
+      console.log("  doctor         Check health + credentials checklist");
+      console.log("  reflect        Session reflection: delivered, delegation rate, blockers");
       console.log("  status         Show maturity, swarm, session");
       console.log("  session save   Save session for roaming");
       console.log("  swarm status   Task queue & delegation");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@0dai-dev/cli",
-  "version": "2.3.1",
+  "version": "2.5.0",
   "description": "One config layer for 5 AI agent CLIs — Claude Code, Codex, OpenCode, Gemini, Aider",
   "bin": {
     "0dai": "./bin/0dai.js"