@aurora-foundation/obsidian-next 0.4.7 → 0.4.9

package/dist/chunk-S6GNETVE.js

@@ -0,0 +1,438 @@
+// src/core/keyManager.ts
+import { exec } from "child_process";
+import { promisify } from "util";
+import fs from "fs/promises";
+import path from "path";
+import os from "os";
+import crypto from "crypto";
+var execAsync = promisify(exec);
+var ROTATION_CHECK_INTERVAL = 4 * 60 * 60 * 1e3;
+var DEFAULT_SERVICE = "obsidian-next";
+var DEFAULT_ACCOUNT = "anthropic-api-key";
+var KeyManager = class {
+  keyCache = /* @__PURE__ */ new Map();
+  encryptedFilePath;
+  machineId = null;
+  constructor() {
+    this.encryptedFilePath = path.join(os.homedir(), ".obsidian", ".keystore");
+  }
+  getCacheKey(service, account) {
+    return `${service}:${account}`;
+  }
+  /**
+   * Load API key from the most secure available backend
+   */
+  async loadKey(options = {}) {
+    const service = options.service || DEFAULT_SERVICE;
+    const account = options.account || DEFAULT_ACCOUNT;
+    const cacheKey = this.getCacheKey(service, account);
+    const cached = this.keyCache.get(cacheKey);
+    if (cached && !this.shouldRotate(cached)) {
+      return cached.key;
+    }
+    let key = null;
+    let backend = "env";
+    if (account === DEFAULT_ACCOUNT) {
+      key = process.env.ANTHROPIC_API_KEY || null;
+    }
+    if (key) {
+      backend = "env";
+    }
+    if (!key && process.platform === "darwin") {
+      key = await this.loadFromKeychain(service, account);
+      if (key) backend = "keychain";
+    }
+    if (!key && process.platform === "linux") {
+      key = await this.loadFromSecretTool(service, account);
+      if (key) backend = "secret-tool";
+    }
+    if (!key) {
+      key = await this.loadFromEncryptedFile(service, account);
+      if (key) backend = "encrypted-file";
+    }
+    if (key) {
+      this.keyCache.set(cacheKey, {
+        key,
+        loadedAt: Date.now(),
+        backend
+      });
+    }
+    return key;
+  }
+  /**
+   * Store API key in the most secure available backend
+   */
+  async storeKey(key, options = {}) {
+    const service = options.service || DEFAULT_SERVICE;
+    const account = options.account || DEFAULT_ACCOUNT;
+    const cacheKey = this.getCacheKey(service, account);
+    if (process.platform === "darwin") {
+      const result2 = await this.storeInKeychain(key, service, account);
+      if (result2.success) {
+        this.keyCache.set(cacheKey, {
+          key,
+          loadedAt: Date.now(),
+          backend: "keychain"
+        });
+        return { success: true, backend: "keychain" };
+      }
+    }
+    if (process.platform === "linux") {
+      const result2 = await this.storeInSecretTool(key, service, account);
+      if (result2.success) {
+        this.keyCache.set(cacheKey, {
+          key,
+          loadedAt: Date.now(),
+          backend: "secret-tool"
+        });
+        return { success: true, backend: "secret-tool" };
+      }
+    }
+    const result = await this.storeInEncryptedFile(key, service, account);
+    if (result.success) {
+      this.keyCache.set(cacheKey, {
+        key,
+        loadedAt: Date.now(),
+        backend: "encrypted-file"
+      });
+      return { success: true, backend: "encrypted-file" };
+    }
+    return { success: false, backend: "env", error: result.error };
+  }
+  /**
+   * Delete stored key from all backends
+   */
+  async deleteKey(options = {}) {
+    const service = options.service || DEFAULT_SERVICE;
+    const account = options.account || DEFAULT_ACCOUNT;
+    const cacheKey = this.getCacheKey(service, account);
+    this.keyCache.delete(cacheKey);
+    if (process.platform === "darwin") {
+      await this.deleteFromKeychain(service, account);
+    }
+    if (process.platform === "linux") {
+      await this.deleteFromSecretTool(service, account);
+    }
+    await this.deleteFromEncryptedFile(service, account);
+  }
+  /**
+   * Check if key should be rotated (for long-running sessions)
+   */
+  shouldRotate(config = this.keyCache.get(
+    this.getCacheKey(DEFAULT_SERVICE, DEFAULT_ACCOUNT)
+  )) {
+    if (!config) return true;
+    return Date.now() - config.loadedAt > ROTATION_CHECK_INTERVAL;
+  }
+  /**
+   * Force reload key from backend
+   */
+  async refreshKey(options = {}) {
+    const service = options.service || DEFAULT_SERVICE;
+    const account = options.account || DEFAULT_ACCOUNT;
+    this.keyCache.delete(this.getCacheKey(service, account));
+    return this.loadKey(options);
+  }
+  /**
+   * Get current backend being used
+   */
+  getBackend(options = {}) {
+    const service = options.service || DEFAULT_SERVICE;
+    const account = options.account || DEFAULT_ACCOUNT;
+    return this.keyCache.get(this.getCacheKey(service, account))?.backend || null;
+  }
+  // ==================== macOS Keychain ====================
+  async loadFromKeychain(service, account) {
+    try {
+      const { stdout } = await execAsync(
+        `security find-generic-password -s "${service}" -a "${account}" -w 2>/dev/null`
+      );
+      return stdout.trim() || null;
+    } catch {
+      return null;
+    }
+  }
+  async storeInKeychain(key, service, account) {
+    try {
+      await this.deleteFromKeychain(service, account);
+      await execAsync(
+        `security add-generic-password -s "${service}" -a "${account}" -w "${key}" -U`
+      );
+      return { success: true };
+    } catch (error) {
+      return { success: false, error: error.message };
+    }
+  }
+  async deleteFromKeychain(service, account) {
+    try {
+      await execAsync(
+        `security delete-generic-password -s "${service}" -a "${account}" 2>/dev/null`
+      );
+    } catch {
+    }
+  }
+  // ==================== Linux secret-tool ====================
+  async loadFromSecretTool(service, account) {
+    try {
+      const { stdout } = await execAsync(
+        `secret-tool lookup service "${service}" account "${account}" 2>/dev/null`
+      );
+      return stdout.trim() || null;
+    } catch {
+      return null;
+    }
+  }
+  async storeInSecretTool(key, service, account) {
+    try {
+      await execAsync(
+        `echo -n "${key}" | secret-tool store --label="Obsidian Next API Key" service "${service}" account "${account}"`
+      );
+      return { success: true };
+    } catch (error) {
+      return { success: false, error: error.message };
+    }
+  }
+  async deleteFromSecretTool(service, account) {
+    try {
+      await execAsync(
+        `secret-tool clear service "${service}" account "${account}" 2>/dev/null`
+      );
+    } catch {
+    }
+  }
+  // ==================== Encrypted File ====================
+  async getMachineId() {
+    if (this.machineId) return this.machineId;
+    const components = [
+      os.hostname(),
+      os.userInfo().username,
+      os.platform(),
+      os.arch()
+    ];
+    if (process.platform === "darwin") {
+      try {
+        const { stdout } = await execAsync(
+          "ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID"
+        );
+        const match = stdout.match(/"IOPlatformUUID" = "([^"]+)"/);
+        if (match) components.push(match[1]);
+      } catch {
+      }
+    } else if (process.platform === "linux") {
+      try {
+        const machineId = await fs.readFile("/etc/machine-id", "utf-8");
+        components.push(machineId.trim());
+      } catch {
+      }
+    }
+    this.machineId = crypto.createHash("sha256").update(components.join(":")).digest("hex");
+    return this.machineId;
+  }
+  async deriveEncryptionKey() {
+    const machineId = await this.getMachineId();
+    return crypto.pbkdf2Sync(
+      machineId,
+      "obsidian-next-salt",
+      1e5,
+      32,
+      "sha256"
+    );
+  }
+  async loadFromEncryptedFile(service, account) {
+    try {
+      const encrypted = await fs.readFile(this.encryptedFilePath, "utf-8");
+      const data = JSON.parse(encrypted);
+      const key = await this.deriveEncryptionKey();
+      const iv = Buffer.from(data.iv, "hex");
+      const authTag = Buffer.from(data.tag, "hex");
+      const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+      decipher.setAuthTag(authTag);
+      let decrypted = decipher.update(data.encrypted, "hex", "utf-8");
+      decrypted += decipher.final("utf-8");
+      try {
+        const keyMap = JSON.parse(decrypted);
+        return keyMap[this.getCacheKey(service, account)] || null;
+      } catch {
+        if (service === DEFAULT_SERVICE && account === DEFAULT_ACCOUNT) {
+          return decrypted;
+        }
+        return null;
+      }
+    } catch {
+      return null;
+    }
+  }
+  async storeInEncryptedFile(apiKey, service, account) {
+    try {
+      const key = await this.deriveEncryptionKey();
+      const iv = crypto.randomBytes(16);
+      let keyMap = {};
+      try {
+        const existingEncrypted = await fs.readFile(
+          this.encryptedFilePath,
+          "utf-8"
+        );
+        const data2 = JSON.parse(existingEncrypted);
+        const exDecipher = crypto.createDecipheriv(
+          "aes-256-gcm",
+          key,
+          Buffer.from(data2.iv, "hex")
+        );
+        exDecipher.setAuthTag(Buffer.from(data2.tag, "hex"));
+        let exDecrypted = exDecipher.update(data2.encrypted, "hex", "utf-8");
+        exDecrypted += exDecipher.final("utf-8");
+        try {
+          keyMap = JSON.parse(exDecrypted);
+        } catch {
+          keyMap[this.getCacheKey(DEFAULT_SERVICE, DEFAULT_ACCOUNT)] = exDecrypted;
+        }
+      } catch {
+      }
+      keyMap[this.getCacheKey(service, account)] = apiKey;
+      const contentToEncrypt = JSON.stringify(keyMap);
+      const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+      let encrypted = cipher.update(contentToEncrypt, "utf-8", "hex");
+      encrypted += cipher.final("hex");
+      const authTag = cipher.getAuthTag();
+      const data = {
+        encrypted,
+        iv: iv.toString("hex"),
+        tag: authTag.toString("hex"),
+        version: 1
+      };
+      await fs.mkdir(path.dirname(this.encryptedFilePath), { recursive: true });
+      await fs.writeFile(this.encryptedFilePath, JSON.stringify(data), {
+        mode: 384
+      });
+      return { success: true };
+    } catch (error) {
+      return { success: false, error: error.message };
+    }
+  }
+  async deleteFromEncryptedFile(service, account) {
+    try {
+      const key = await this.deriveEncryptionKey();
+      const existingEncrypted = await fs.readFile(
+        this.encryptedFilePath,
+        "utf-8"
+      );
+      const data = JSON.parse(existingEncrypted);
+      const exDecipher = crypto.createDecipheriv(
+        "aes-256-gcm",
+        key,
+        Buffer.from(data.iv, "hex")
+      );
+      exDecipher.setAuthTag(Buffer.from(data.tag, "hex"));
+      let exDecrypted = exDecipher.update(data.encrypted, "hex", "utf-8");
+      exDecrypted += exDecipher.final("utf-8");
+      let keyMap = {};
+      try {
+        keyMap = JSON.parse(exDecrypted);
+      } catch {
+        if (service === DEFAULT_SERVICE && account === DEFAULT_ACCOUNT) {
+          await fs.unlink(this.encryptedFilePath);
+          return;
+        }
+      }
+      delete keyMap[this.getCacheKey(service, account)];
+      if (Object.keys(keyMap).length === 0) {
+        await fs.unlink(this.encryptedFilePath);
+        return;
+      }
+      const iv = crypto.randomBytes(16);
+      const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+      let encrypted = cipher.update(JSON.stringify(keyMap), "utf-8", "hex");
+      encrypted += cipher.final("hex");
+      const authTag = cipher.getAuthTag();
+      const newData = {
+        encrypted,
+        iv: iv.toString("hex"),
+        tag: authTag.toString("hex"),
+        version: 2
+        // Upgraded version
+      };
+      await fs.writeFile(this.encryptedFilePath, JSON.stringify(newData), {
+        mode: 384
+      });
+    } catch {
+    }
+  }
+  /**
+   * Clear key from memory (call when done with sensitive operations)
+   */
+  clearFromMemory() {
+    this.keyCache.clear();
+  }
+  /**
+   * Check if key exists in any backend (without loading it)
+   */
+  async hasKey(options = {}) {
+    const service = options.service || DEFAULT_SERVICE;
+    const account = options.account || DEFAULT_ACCOUNT;
+    if (account === DEFAULT_ACCOUNT && process.env.ANTHROPIC_API_KEY)
+      return true;
+    if (process.platform === "darwin") {
+      const key2 = await this.loadFromKeychain(service, account);
+      if (key2) return true;
+    }
+    if (process.platform === "linux") {
+      const key2 = await this.loadFromSecretTool(service, account);
+      if (key2) return true;
+    }
+    const key = await this.loadFromEncryptedFile(service, account);
+    return !!key;
+  }
+  /**
+   * Migrate key from environment variable to secure storage
+   * Returns true if migration was successful
+   */
+  async migrateFromEnv() {
+    const envKey = process.env.ANTHROPIC_API_KEY;
+    if (!envKey) {
+      return {
+        migrated: false,
+        error: "No ANTHROPIC_API_KEY found in environment"
+      };
+    }
+    const cached = this.keyCache.get(
+      this.getCacheKey(DEFAULT_SERVICE, DEFAULT_ACCOUNT)
+    );
+    if (cached && cached.backend !== "env") {
+      return { migrated: false, error: "Key already in secure storage" };
+    }
+    const result = await this.storeKey(envKey);
+    if (result.success) {
+      return { migrated: true, backend: result.backend };
+    }
+    return { migrated: false, error: result.error };
+  }
+  /**
+   * Validate an API key by making a test request
+   */
+  async validateKey(key) {
+    if (!key.startsWith("sk-ant-")) {
+      return false;
+    }
+    if (key.length < 50 || key.length > 200) {
+      return false;
+    }
+    return true;
+  }
+};
+async function detectEnvFile(workspaceRoot) {
+  const envPath = path.join(workspaceRoot, ".env");
+  try {
+    const content = await fs.readFile(envPath, "utf-8");
+    if (content.includes("ANTHROPIC_API_KEY")) {
+      return { found: true, path: envPath };
+    }
+  } catch {
+  }
+  return { found: false };
+}
+var keyManager = new KeyManager();
+
+export {
+  detectEnvFile,
+  keyManager
+};

package/dist/chunk-SDT2ZE2R.js

@@ -0,0 +1,133 @@
+import {
+  history,
+  session,
+  tasks
+} from "./chunk-OHP5LD3Y.js";
+import {
+  context
+} from "./chunk-DPNIQWKZ.js";
+import {
+  bus
+} from "./chunk-WQM6FFSD.js";
+
+// src/commands/resume.ts
+import path from "path";
+var resumeCommand = async (args) => {
+  if (args[0] === "--delete" || args[0] === "-d") {
+    const sessionId = args[1];
+    if (!sessionId) {
+      bus.emitAgent({
+        type: "error",
+        message: "Usage: /resume --delete <session_id>"
+      });
+      return;
+    }
+    const deleted = await session.delete(sessionId);
+    if (deleted) {
+      bus.emitAgent({
+        type: "done",
+        summary: `Session ${sessionId} deleted.`
+      });
+    } else {
+      bus.emitAgent({
+        type: "error",
+        message: `Session ${sessionId} not found.`
+      });
+    }
+    return;
+  }
+  if (args[0] === "--last" || args[0] === "-l") {
+    const sessions = await session.list();
+    if (sessions.length === 0) {
+      bus.emitAgent({
+        type: "error",
+        message: "No saved sessions found."
+      });
+      return;
+    }
+    args[0] = sessions[0].id;
+  }
+  if (!args[0]) {
+    const sessions = await session.list();
+    if (sessions.length === 0) {
+      bus.emitAgent({
+        type: "thought",
+        content: "No saved sessions found.\n\nSessions are created when you run /exit."
+      });
+      bus.emitAgent({
+        type: "done",
+        summary: "No sessions available."
+      });
+      return;
+    }
+    const content2 = [
+      "Saved Session Registry",
+      ...sessions.slice(0, 10).map((s) => {
+        const date = new Date(s.savedAt);
+        const dateStr = date.toLocaleDateString();
+        const timeStr = date.toLocaleTimeString([], {
+          hour: "2-digit",
+          minute: "2-digit"
+        });
+        const workspaceName = path.basename(s.workspace);
+        return [
+          `   \u23BF  [${s.id}]`,
+          `      \u23BF  Date      ${dateStr} ${timeStr}`,
+          `      \u23BF  Workspace ${workspaceName}`,
+          s.task ? `      \u23BF  Task      ${s.task}` : null,
+          `      \u23BF  Activity  ${s.filesModified} files handled`,
+          ""
+        ].filter(Boolean).join("\n");
+      }),
+      sessions.length > 10 ? `   ... and ${sessions.length - 10} more sessions
+` : "",
+      "   [Usage]",
+      "   \u23BF  /resume <id>      Restore session",
+      "   \u23BF  /resume --last    Restore latest",
+      ""
+    ].join("\n");
+    bus.emitAgent({
+      type: "thought",
+      content: content2
+    });
+    bus.emitAgent({
+      type: "done",
+      summary: `${sessions.length} session(s) available.`
+    });
+    return;
+  }
+  const sessionIdArg = args[0];
+  const result = await session.restore(sessionIdArg);
+  if (!result.success) {
+    bus.emitAgent({
+      type: "error",
+      message: result.error || "Failed to restore session"
+    });
+    return;
+  }
+  const currentTask = tasks.get();
+  const currentContext = context.get();
+  const content = [
+    "Session Restored Successfully",
+    `   \u23BF  ID          ${sessionIdArg}`,
+    `   \u23BF  Root        ${path.basename(process.cwd())}`,
+    "",
+    "   [Restored State]",
+    `   \u23BF  Context     ${currentContext.files_read.length} files in set`,
+    `   \u23BF  History     ${(await history.load()).length} events rehydrated`,
+    `   \u23BF  Task        ${currentTask?.title || "None"}`,
+    ""
+  ].join("\n");
+  bus.emitAgent({
+    type: "thought",
+    content
+  });
+  bus.emitAgent({
+    type: "done",
+    summary: `Session ${sessionIdArg} restored.`
+  });
+};
+
+export {
+  resumeCommand
+};