@aion0/forge 0.2.11 → 0.2.12

package/lib/init.ts

@@ -7,19 +7,51 @@
 import { ensureRunnerStarted } from './task-manager';
 import { startTelegramBot, stopTelegramBot } from './telegram-bot';
 import { startWatcherLoop } from './session-watcher';
-import { getPassword } from './password';
-import { loadSettings } from './settings';
+import { getAdminPassword } from './password';
+import { loadSettings, saveSettings } from './settings';
 import { startTunnel } from './cloudflared';
+import { isEncrypted, SECRET_FIELDS } from './crypto';
 import { spawn } from 'node:child_process';
 import { join } from 'node:path';
 
 const initKey = Symbol.for('mw-initialized');
 const gInit = globalThis as any;
 
+/** Migrate plaintext secrets to encrypted on first run */
+function migrateSecrets() {
+  try {
+    const { existsSync, readFileSync } = require('node:fs');
+    const { homedir } = require('node:os');
+    const YAML = require('yaml');
+    const dataDir = process.env.FORGE_DATA_DIR || join(homedir(), '.forge');
+    const file = join(dataDir, 'settings.yaml');
+    if (!existsSync(file)) return;
+    const raw = YAML.parse(readFileSync(file, 'utf-8')) || {};
+    let needsSave = false;
+    for (const field of SECRET_FIELDS) {
+      if (raw[field] && typeof raw[field] === 'string' && !isEncrypted(raw[field])) {
+        needsSave = true;
+        break;
+      }
+    }
+    if (needsSave) {
+      // loadSettings returns decrypted, saveSettings encrypts
+      const settings = loadSettings();
+      saveSettings(settings);
+      console.log('[init] Migrated plaintext secrets to encrypted storage');
+    }
+  } catch (e) {
+    console.error('[init] Secret migration error:', e);
+  }
+}
+
 export function ensureInitialized() {
   if (gInit[initKey]) return;
   gInit[initKey] = true;
 
+  // Migrate plaintext secrets on startup
+  migrateSecrets();
+
   // Task runner is safe in every worker (DB-level coordination)
   ensureRunnerStarted();
 
@@ -28,17 +60,23 @@ export function ensureInitialized() {
 
   // If services are managed externally (forge-server), skip
   if (process.env.FORGE_EXTERNAL_SERVICES === '1') {
-    // Password display only once
-    const password = getPassword();
-    console.log(`[init] Login password: ${password} (valid today)`);
-    console.log('[init] Forgot? Run: forge password');
+    // Password display
+    const admin = getAdminPassword();
+    if (admin) {
+      console.log(`[init] Admin password: configured`);
+    } else {
+      console.log('[init] No admin password set — configure in Settings');
+    };
     return;
   }
 
   // Standalone mode (pnpm dev without forge-server) — start everything here
-  const password = getPassword();
-  console.log(`[init] Login password: ${password} (valid today)`);
-  console.log('[init] Forgot? Run: forge password');
+  const admin2 = getAdminPassword();
+  if (admin2) {
+    console.log(`[init] Admin password: configured`);
+  } else {
+    console.log('[init] No admin password set — configure in Settings');
+  }
 
   startTelegramBot(); // registers task event listener only
   startTerminalProcess();

package/lib/password.ts

@@ -1,77 +1,97 @@
 /**
- * Auto-generated login password.
- * Rotates daily. Saved to ~/.forge/password.json with date.
- * CLI can read it via `forge password`.
+ * Password management.
+ *
+ * - Admin password: set in Settings, encrypted in settings.yaml
+ *   Used for: local login, tunnel start, secret changes, Telegram commands
+ * - Session code: random 8-digit numeric, generated each time tunnel starts
+ *   Used for: remote login 2FA (admin password + session code)
+ *
+ * Local login: admin password only
+ * Remote login (tunnel): admin password + session code
  */
 
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
-import { randomBytes } from 'node:crypto';
+import { randomInt } from 'node:crypto';
 
-const PASSWORD_FILE = join(homedir(), '.forge', 'password.json');
+const DATA_DIR = process.env.FORGE_DATA_DIR || join(homedir(), '.forge');
+const SESSION_CODE_FILE = join(DATA_DIR, 'session-code.json');
 
-function generatePassword(): string {
-  // 8-char alphanumeric, easy to type
-  return randomBytes(6).toString('base64url').slice(0, 8);
+/** Generate a random 8-digit numeric code */
+function generateSessionCode(): string {
+  return String(randomInt(10000000, 99999999));
 }
 
-function todayStr(): string {
-  return new Date().toISOString().slice(0, 10); // YYYY-MM-DD
+function readSessionCode(): string {
+  try {
+    if (!existsSync(SESSION_CODE_FILE)) return '';
+    const data = JSON.parse(readFileSync(SESSION_CODE_FILE, 'utf-8'));
+    return data?.code || '';
+  } catch {
+    return '';
+  }
 }
 
-interface PasswordData {
-  password: string;
-  date: string;
+function saveSessionCode(code: string) {
+  const dir = dirname(SESSION_CODE_FILE);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  writeFileSync(SESSION_CODE_FILE, JSON.stringify({ code }), { mode: 0o600 });
 }
 
-function readPasswordData(): PasswordData | null {
+/** Get the admin password from settings */
+export function getAdminPassword(): string {
   try {
-    if (!existsSync(PASSWORD_FILE)) return null;
-    return JSON.parse(readFileSync(PASSWORD_FILE, 'utf-8'));
+    const { loadSettings } = require('./settings');
+    const settings = loadSettings();
+    return settings.telegramTunnelPassword || '';
   } catch {
-    return null;
+    return '';
   }
 }
 
-function savePasswordData(data: PasswordData) {
-  const dir = dirname(PASSWORD_FILE);
-  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-  writeFileSync(PASSWORD_FILE, JSON.stringify(data), { mode: 0o600 });
+/** Get current session code (empty if none) */
+export function getSessionCode(): string {
+  return readSessionCode();
+}
+
+/** Generate new session code. Called on tunnel start. */
+export function rotateSessionCode(): string {
+  const code = generateSessionCode();
+  saveSessionCode(code);
+  console.log(`[password] New session code: ${code}`);
+  return code;
 }
 
 /**
- * Get the current password. Priority:
- * 1. MW_PASSWORD env var (user explicitly set, never rotates)
- * 2. Saved password file if still valid today
- * 3. Generate new one, save with today's date
+ * Verify login credentials.
+ * @param password - admin password
+ * @param sessionCode - session code (required for remote, empty for local)
+ * @param isRemote - true if accessing via tunnel
  */
-export function getPassword(): string {
-  // If user explicitly set MW_PASSWORD, use it (no rotation)
-  if (process.env.MW_PASSWORD && process.env.MW_PASSWORD !== 'auto') {
-    return process.env.MW_PASSWORD;
-  }
+export function verifyLogin(password: string, sessionCode?: string, isRemote?: boolean): boolean {
+  if (!password) return false;
 
-  const today = todayStr();
-  const saved = readPasswordData();
+  const admin = getAdminPassword();
+  if (!admin) return false;
+  if (password !== admin) return false;
 
-  // Valid for today
-  if (saved && saved.date === today && saved.password) {
-    return saved.password;
+  // Remote access requires session code as 2FA
+  if (isRemote) {
+    const currentCode = readSessionCode();
+    if (!currentCode || sessionCode !== currentCode) return false;
   }
 
-  // Expired or missing — generate new
-  const password = generatePassword();
-  savePasswordData({ password, date: today });
-  console.log(`[password] New daily password generated for ${today}`);
-  return password;
+  return true;
 }
 
-/** Read password from file (for CLI use) */
-export function readPasswordFile(): string | null {
-  const data = readPasswordData();
-  if (!data) return null;
-  // Only return if still valid today
-  if (data.date !== todayStr()) return null;
-  return data.password;
+/**
+ * Verify admin password for privileged operations
+ * (tunnel start, secret changes, Telegram commands).
+ */
+export function verifyAdmin(input: string): boolean {
+  if (!input) return false;
+  const admin = getAdminPassword();
+  return admin ? input === admin : false;
 }
+

package/lib/settings.ts

@@ -2,6 +2,7 @@ import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
 import YAML from 'yaml';
+import { encryptSecret, decryptSecret, isEncrypted, SECRET_FIELDS } from './crypto';
 
 const DATA_DIR = process.env.FORGE_DATA_DIR || join(homedir(), '.forge');
 const SETTINGS_FILE = join(DATA_DIR, 'settings.yaml');
@@ -15,7 +16,7 @@ export interface Settings {
   notifyOnComplete: boolean;    // Notify when task completes
   notifyOnFailure: boolean;     // Notify when task fails
   tunnelAutoStart: boolean;     // Auto-start Cloudflare Tunnel on startup
-  telegramTunnelPassword: string; // Password for getting login password via Telegram
+  telegramTunnelPassword: string; // Admin password (encrypted) — for login, tunnel, secrets, Telegram
   taskModel: string;              // Model for tasks (default: sonnet)
   pipelineModel: string;          // Model for pipelines (default: sonnet)
   telegramModel: string;          // Model for Telegram AI features (default: sonnet)
@@ -38,18 +39,52 @@ const defaults: Settings = {
   skipPermissions: false,
 };
 
+/** Load settings with secrets decrypted (for internal use) */
 export function loadSettings(): Settings {
   if (!existsSync(SETTINGS_FILE)) return { ...defaults };
   try {
     const raw = readFileSync(SETTINGS_FILE, 'utf-8');
-    return { ...defaults, ...YAML.parse(raw) };
+    const parsed = { ...defaults, ...YAML.parse(raw) };
+    // Decrypt secret fields
+    for (const field of SECRET_FIELDS) {
+      if (parsed[field] && isEncrypted(parsed[field])) {
+        parsed[field] = decryptSecret(parsed[field]);
+      }
+    }
+    return parsed;
   } catch {
     return { ...defaults };
   }
 }
 
+/** Load settings with secrets masked (for API response to frontend) */
+export function loadSettingsMasked(): Settings & { _secretStatus: Record<string, boolean> } {
+  const settings = loadSettings();
+  const status: Record<string, boolean> = {};
+  for (const field of SECRET_FIELDS) {
+    status[field] = !!settings[field];
+    settings[field] = settings[field] ? '••••••••' : '';
+  }
+  return { ...settings, _secretStatus: status };
+}
+
+/** Save settings, encrypting secret fields */
 export function saveSettings(settings: Settings) {
   const dir = dirname(SETTINGS_FILE);
   if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-  writeFileSync(SETTINGS_FILE, YAML.stringify(settings), 'utf-8');
+  // Encrypt secret fields before saving
+  const toSave = { ...settings };
+  for (const field of SECRET_FIELDS) {
+    if (toSave[field] && !isEncrypted(toSave[field])) {
+      toSave[field] = encryptSecret(toSave[field]);
+    }
+  }
+  writeFileSync(SETTINGS_FILE, YAML.stringify(toSave), 'utf-8');
+}
+
+/** Verify a secret field's current value */
+export function verifySecret(field: string, value: string): boolean {
+  const settings = loadSettings();
+  const current = (settings as any)[field] || '';
+  return current === value;
 }

package/lib/telegram-bot.ts

@@ -13,7 +13,7 @@ import { scanProjects } from './projects';
 import { listClaudeSessions, getSessionFilePath, readSessionEntries } from './claude-sessions';
 import { listWatchers, createWatcher, deleteWatcher, toggleWatcher } from './session-watcher';
 import { startTunnel, stopTunnel, getTunnelStatus } from './cloudflared';
-import { getPassword } from './password';
+// Password verification is done via require() in handler functions
 import type { Task, TaskLogEntry } from '@/src/types';
 
 // Persist state across hot-reloads
@@ -260,13 +260,13 @@ async function handleMessage(msg: any) {
         await handleTunnelStatus(chatId);
         break;
       case '/tunnel_start':
-        await handleTunnelStart(chatId);
+        await handleTunnelStart(chatId, args[0]);
         break;
       case '/tunnel_stop':
         await handleTunnelStop(chatId);
         break;
-      case '/tunnel_password':
-        await handleTunnelPassword(chatId, args[0], msg.message_id);
+      case '/tunnel_code':
+        await handleTunnelCode(chatId, args[0], msg.message_id);
         break;
       default:
         await send(chatId, `Unknown command: ${cmd}\nUse /help to see available commands.`);
@@ -308,7 +308,7 @@ async function sendHelp(chatId: number) {
     `/projects — list projects\n\n` +
     `🌐 /tunnel — status\n` +
     `/tunnel_start / /tunnel_stop\n` +
-    `/tunnel_password <pw> — get login password\n\n` +
+    `/tunnel_code <admin_pw> — get session code\n\n` +
     `Reply number to select`
   );
 }
@@ -892,10 +892,21 @@ async function handleTunnelStatus(chatId: number) {
   }
 }
 
-async function handleTunnelStart(chatId: number) {
+async function handleTunnelStart(chatId: number, password?: string) {
   const settings = loadSettings();
   if (String(chatId) !== settings.telegramChatId) { await send(chatId, '⛔ Unauthorized'); return; }
 
+  // Require admin password
+  if (!password) {
+    await send(chatId, '🔑 Usage: /tunnel_start <password>');
+    return;
+  }
+  const { verifyAdmin } = require('./password');
+  if (!verifyAdmin(password)) {
+    await send(chatId, '⛔ Wrong password');
+    return;
+  }
+
   // Check if tunnel is already running and still reachable
   const status = getTunnelStatus();
   if (status.status === 'running' && status.url) {
@@ -936,36 +947,36 @@ async function handleTunnelStop(chatId: number) {
   await send(chatId, '🛑 Tunnel stopped');
 }
 
-async function handleTunnelPassword(chatId: number, password?: string, userMsgId?: number) {
+async function handleTunnelCode(chatId: number, password?: string, userMsgId?: number) {
   const settings = loadSettings();
   if (String(chatId) !== settings.telegramChatId) {
     await send(chatId, '⛔ Unauthorized');
     return;
   }
 
-  if (!settings.telegramTunnelPassword) {
-    await send(chatId, '⚠️ Telegram tunnel password not configured.\nSet it in Settings → Remote Access → Telegram tunnel password');
-    return;
-  }
-
   if (!password) {
-    await send(chatId, 'Usage: /tunnel_password <your-password>');
+    await send(chatId, 'Usage: /tunnel_code <admin-password>');
     return;
   }
 
   // Immediately delete user's message containing password
   if (userMsgId) deleteMessageLater(chatId, userMsgId, 0);
 
-  if (password !== settings.telegramTunnelPassword) {
+  const { verifyAdmin, getSessionCode } = require('./password');
+  if (!verifyAdmin(password)) {
     await send(chatId, '⛔ Wrong password');
     return;
   }
 
-  const loginPassword = getPassword();
+  // Show the session code (for remote login 2FA)
+  const code = getSessionCode();
   const status = getTunnelStatus();
-  // Send password as code block, auto-delete after 30s
-  const labelId = await send(chatId, '🔑 Login password (auto-deletes in 30s):');
-  const pwId = await sendHtml(chatId, `<code>${loginPassword}</code>`);
+  if (!code) {
+    await send(chatId, '⚠️ No session code. Start tunnel first to generate one.');
+    return;
+  }
+  const labelId = await send(chatId, '🔑 Session code for remote login (auto-deletes in 30s):');
+  const pwId = await sendHtml(chatId, `<code>${code}</code>`);
   if (labelId) deleteMessageLater(chatId, labelId);
   if (pwId) deleteMessageLater(chatId, pwId);
   if (status.status === 'running' && status.url) {
@@ -1182,6 +1193,7 @@ async function sendNoteToDocsClaude(chatId: number, content: string) {
   const { join } = require('path');
   const { homedir } = require('os');
   const SESSION_NAME = 'mw-docs-claude';
+  const docRoot = docRoots[0];
 
   // Check if the docs tmux session exists
   let sessionExists = false;
@@ -1190,9 +1202,22 @@ async function sendNoteToDocsClaude(chatId: number, content: string) {
     sessionExists = true;
   } catch {}
 
+  // Auto-create session if it doesn't exist
   if (!sessionExists) {
-    await send(chatId, '⚠️ Docs Claude session not running. Open the Docs tab first to start it.');
-    return;
+    try {
+      execSync(`tmux new-session -d -s ${SESSION_NAME} -x 120 -y 30`, { timeout: 5000 });
+      // Wait for shell to initialize
+      await new Promise(r => setTimeout(r, 500));
+      // cd to doc root and start claude
+      const sf = settings.skipPermissions ? ' --dangerously-skip-permissions' : '';
+      spawnSync('tmux', ['send-keys', '-t', SESSION_NAME, `cd "${docRoot}" && claude --resume${sf}`, 'Enter'], { timeout: 5000 });
+      // Wait for Claude to start up
+      await new Promise(r => setTimeout(r, 3000));
+      await send(chatId, '🚀 Auto-started Docs Claude session.');
+    } catch (err) {
+      await send(chatId, '❌ Failed to create Docs Claude session.');
+      return;
+    }
   }
 
   // Check if Claude is the active process (not shell)
@@ -1201,9 +1226,17 @@ async function sendNoteToDocsClaude(chatId: number, content: string) {
     paneCmd = execSync(`tmux display-message -p -t ${SESSION_NAME} '#{pane_current_command}'`, { encoding: 'utf-8', timeout: 2000 }).trim();
   } catch {}
 
+  // If Claude is not running, start it
   if (paneCmd === 'zsh' || paneCmd === 'bash' || paneCmd === 'fish' || !paneCmd) {
-    await send(chatId, '⚠️ Claude is not running in the Docs session. Open the Docs tab and start Claude first.');
-    return;
+    try {
+      const sf = settings.skipPermissions ? ' --dangerously-skip-permissions' : '';
+      spawnSync('tmux', ['send-keys', '-t', SESSION_NAME, `cd "${docRoot}" && claude --resume${sf}`, 'Enter'], { timeout: 5000 });
+      await new Promise(r => setTimeout(r, 3000));
+      await send(chatId, '🚀 Auto-started Claude in Docs session.');
+    } catch {
+      await send(chatId, '❌ Failed to start Claude in Docs session.');
+      return;
+    }
   }
 
   // Write content to a temp file, then use tmux to send a prompt referencing it
@@ -1357,7 +1390,7 @@ async function setBotCommands(token: string) {
           { command: 'tunnel', description: 'Tunnel status' },
           { command: 'tunnel_start', description: 'Start tunnel' },
           { command: 'tunnel_stop', description: 'Stop tunnel' },
-          { command: 'tunnel_password', description: 'Get login password' },
+          { command: 'tunnel_code', description: 'Get session code for remote login' },
           { command: 'help', description: 'Show help' },
         ],
       }),

package/lib/telegram-standalone.ts

@@ -5,7 +5,6 @@
  */
 
 import { loadSettings } from './settings';
-import { getPassword } from './password';
 
 const settings = loadSettings();
 if (!settings.telegramBotToken || !settings.telegramChatId) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.2.11",
+  "version": "0.2.12",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {