@build-astron-co/nimbus 0.2.0 → 0.4.0

package/src/app.ts

@@ -27,12 +27,19 @@ export interface AppContext {
   readonly nimbusDir: string;
 }
 
+/**
+ * Startup warnings collected during initApp() — surfaced as first system
+ * message when the TUI starts (Gap 19).
+ */
+export let startupWarnings: string[] = [];
+
 /**
  * Initialize the Nimbus application.
  *
  * - Ensures the ~/.nimbus directory exists.
  * - Opens (or creates) the local SQLite database via the state module.
  * - Loads config and creates the LLM router instance.
+ * - Runs pre-flight health checks and exits on critical failures (Gap 19).
  *
  * This function is lazy: calling it multiple times returns the same context.
  */
@@ -41,6 +48,49 @@ export async function initApp(): Promise<AppContext> {
     return appContext;
   }
 
+  // Gap 19: Pre-flight startup checks (fast, no network calls)
+  try {
+    const { runStartupChecks } = await import('./commands/doctor');
+    const issues = await runStartupChecks();
+    if (issues.critical.length > 0) {
+      const lines = [
+        '\x1b[31m\x1b[1mNimbus cannot start:\x1b[0m',
+        ...issues.critical.map(i => `  \x1b[31m✗ ${i}\x1b[0m`),
+        '',
+        '\x1b[2mRun `nimbus doctor` for detailed diagnosis.\x1b[0m',
+      ];
+      process.stderr.write(lines.join('\n') + '\n');
+      process.exit(1);
+    }
+    startupWarnings = issues.warnings;
+  } catch {
+    // Startup checks are non-critical — never let them block startup
+  }
+
+  // H2: Warn if no NIMBUS.md found in the current project directory
+  try {
+    const cwd = process.cwd();
+    const nimbusMdPaths = [join(cwd, 'NIMBUS.md'), join(cwd, '.nimbus', 'NIMBUS.md')];
+    if (!nimbusMdPaths.some(p => existsSync(p))) {
+      startupWarnings.push('No NIMBUS.md found — run /init to set up project context for better results.');
+    }
+  } catch {
+    // Non-critical
+  }
+
+  // M3: Load per-project config and surface protected environments as warnings
+  try {
+    const { loadProjectConfig } = await import('./config/types');
+    const projectConfig = loadProjectConfig(process.cwd());
+    if (projectConfig?.protectedEnvironments && projectConfig.protectedEnvironments.length > 0) {
+      startupWarnings.push(
+        `Protected environments: ${projectConfig.protectedEnvironments.join(', ')} — destructive operations require confirmation.`
+      );
+    }
+  } catch {
+    // Non-critical
+  }
+
   // Ensure ~/.nimbus directory exists
   if (!existsSync(NIMBUS_DIR)) {
     mkdirSync(NIMBUS_DIR, { recursive: true });
@@ -112,6 +162,14 @@ export async function shutdownApp(): Promise<void> {
     return;
   }
 
+  // Flush any pending debounced SQLite writes before closing the DB
+  try {
+    const { SessionManager } = await import('./sessions/manager');
+    SessionManager.getInstance().flushAll();
+  } catch {
+    // SessionManager may not have been used — ignore
+  }
+
   try {
     appContext.db.close();
   } catch {

package/src/audit/security-scanner.ts

@@ -594,3 +594,48 @@ export function formatFindings(findings: SecurityFinding[]): string {
 
   return lines.join('\n');
 }
+
+// ---------------------------------------------------------------------------
+// Gap 12: Secret masking for tool output
+// ---------------------------------------------------------------------------
+
+interface SecretPattern {
+  pattern: RegExp;
+  label: string;
+}
+
+/**
+ * Patterns used to detect and redact secrets in tool output.
+ * Applied in order; earlier patterns take precedence.
+ */
+const SECRET_MASK_PATTERNS: SecretPattern[] = [
+  { pattern: /AKIA[0-9A-Z]{16}/g, label: '[AWS_ACCESS_KEY]' },
+  { pattern: /sk-ant-[a-zA-Z0-9\-]{40,}/g, label: '[ANTHROPIC_KEY]' },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/g, label: '[GITHUB_TOKEN]' },
+  { pattern: /gho_[a-zA-Z0-9]{36}/g, label: '[GITHUB_OAUTH]' },
+  { pattern: /sk-[a-zA-Z0-9]{40,}/g, label: '[OPENAI_KEY]' },
+  { pattern: /AIza[0-9A-Za-z\-_]{35}/g, label: '[GOOGLE_API_KEY]' },
+  { pattern: /Bearer [a-zA-Z0-9._\-]{20,}/g, label: 'Bearer [BEARER_TOKEN]' },
+  { pattern: /password[=:\s]["']?[^\s"']{8,}/gi, label: 'password=[REDACTED]' },
+  { pattern: /passwd[=:\s]["']?[^\s"']{8,}/gi, label: 'passwd=[REDACTED]' },
+  { pattern: /token[=:\s]["']?[a-zA-Z0-9._\-]{20,}/gi, label: 'token=[REDACTED]' },
+  { pattern: /secret[=:\s]["']?[a-zA-Z0-9._\-]{16,}/gi, label: 'secret=[REDACTED]' },
+  { pattern: /-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----[\s\S]{0,2048}?-----END (?:RSA |EC |DSA )?PRIVATE KEY-----/g, label: '[PRIVATE_KEY_REDACTED]' },
+];
+
+/**
+ * Replace recognized secret patterns in a text string with safe placeholders.
+ *
+ * Applied to all tool output before it is shown in the TUI or stored in chat
+ * history, preventing accidental leakage of credentials through the UI.
+ *
+ * @param text - Raw tool output string.
+ * @returns The text with known secret patterns replaced by `[REDACTED]` labels.
+ */
+export function maskSecrets(text: string): string {
+  let masked = text;
+  for (const { pattern, label } of SECRET_MASK_PATTERNS) {
+    masked = masked.replace(pattern, label);
+  }
+  return masked;
+}

package/src/auth/keychain.ts

@@ -0,0 +1,82 @@
+/**
+ * OS Keychain Abstraction
+ *
+ * Wraps the optional `keytar` package (native Node addon) to provide
+ * secure OS-level secret storage. If keytar is unavailable the module
+ * silently falls back to the existing machine-fingerprint key derivation.
+ *
+ * On macOS: credentials are stored in the macOS Keychain.
+ * On Linux:  credentials are stored via libsecret (GNOME Keyring / KDE Wallet).
+ * On Windows: credentials are stored in Windows Credential Manager.
+ */
+
+const SERVICE = 'nimbus-ai';
+
+/** Lazy-loaded keytar module. null = checked and unavailable. */
+let keytarModule: {
+  getPassword: (service: string, account: string) => Promise<string | null>;
+  setPassword: (service: string, account: string, password: string) => Promise<void>;
+  deletePassword: (service: string, account: string) => Promise<boolean>;
+} | null | undefined = undefined; // undefined = not yet checked
+
+async function loadKeytar() {
+  if (keytarModule !== undefined) return keytarModule;
+  try {
+    // Dynamic import — keytar is an optional peer dependency
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    keytarModule = require('keytar') as typeof keytarModule;
+  } catch {
+    keytarModule = null;
+  }
+  return keytarModule;
+}
+
+/**
+ * Check whether OS keychain integration is available.
+ */
+export async function isKeychainAvailable(): Promise<boolean> {
+  const kt = await loadKeytar();
+  return kt !== null;
+}
+
+/**
+ * Retrieve a secret from the OS keychain.
+ * Returns null if not found or keychain unavailable.
+ */
+export async function keychainGet(account: string): Promise<string | null> {
+  const kt = await loadKeytar();
+  if (!kt) return null;
+  try {
+    return await kt.getPassword(SERVICE, account);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Store a secret in the OS keychain.
+ * No-op if keychain unavailable.
+ */
+export async function keychainSet(account: string, secret: string): Promise<void> {
+  const kt = await loadKeytar();
+  if (!kt) return;
+  try {
+    await kt.setPassword(SERVICE, account, secret);
+  } catch {
+    // Silently ignore keychain errors — caller falls back to file-based storage
+  }
+}
+
+/**
+ * Delete a secret from the OS keychain.
+ * No-op if keychain unavailable.
+ */
+export async function keychainDelete(account: string): Promise<void> {
+  const kt = await loadKeytar();
+  if (!kt) return;
+  try {
+    await kt.deletePassword(SERVICE, account);
+  } catch {
+    /* ignore */
+  }
+}

package/src/auth/oauth.ts

@@ -4,6 +4,12 @@
  * Fallback: Browser-based OAuth with local callback server
  */
 
+import {
+  createServer,
+  type Server as HttpServer,
+  type IncomingMessage,
+  type ServerResponse,
+} from 'node:http';
 import type {
   GitHubDeviceCodeResponse,
   GitHubAccessTokenResponse,
@@ -229,7 +235,7 @@ export async function completeGitHubAuth(accessToken: string): Promise<GitHubIde
  * Creates a temporary local server to receive the OAuth callback
  */
 export class BrowserOAuthServer {
-  private server: ReturnType<typeof Bun.serve> | null = null;
+  private server: HttpServer | null = null;
   private clientId: string;
   private codePromise: Promise<string> | null = null;
   private codeResolve: ((code: string) => void) | null = null;
@@ -250,10 +256,14 @@ export class BrowserOAuthServer {
     });
 
     // Start the server
-    this.server = Bun.serve({
-      port: CALLBACK_PORT,
-      fetch: request => this.handleRequest(request),
+    this.server = createServer((req: IncomingMessage, res: ServerResponse) => {
+      const url = new URL(req.url || '/', `http://localhost:${CALLBACK_PORT}`);
+      const webReq = new Request(url, { method: req.method || 'GET' });
+      const webRes = this.handleRequest(webReq);
+      res.writeHead(webRes.status, Object.fromEntries(webRes.headers.entries()));
+      webRes.text().then(body => res.end(body));
     });
+    this.server.listen(CALLBACK_PORT);
 
     // Build authorization URL
     const params = new URLSearchParams({
@@ -292,7 +302,7 @@ export class BrowserOAuthServer {
    */
   stop(): void {
     if (this.server) {
-      this.server.stop();
+      this.server.close();
       this.server = null;
     }
   }