@delega-dev/cli 1.0.4 → 1.0.5

package/.github/workflows/ci.yml

@@ -10,9 +10,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
           cache: npm

package/.github/workflows/publish.yml

@@ -12,11 +12,11 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 22
           cache: npm

package/README.md

@@ -104,6 +104,12 @@ Config is stored in `~/.delega/config.json`:
 
 Environment variables take precedence over the config file.
 
+## Security Notes
+
+- `delega login` now hides API key input instead of echoing it back to the terminal.
+- `~/.delega/config.json` is written with owner-only permissions (`0600`), and the config directory is locked to `0700`.
+- Remote API URLs must use `https://`; plain `http://` is only accepted for `localhost` / `127.0.0.1`.
+
 ## License
 
 MIT

package/dist/api.js

@@ -5,7 +5,16 @@ export async function apiCall(method, path, body) {
         console.error("Not authenticated. Run: delega login");
         process.exit(1);
     }
-    const url = getApiUrl() + path;
+    let apiBase;
+    try {
+        apiBase = getApiUrl();
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Configuration error: ${msg}`);
+        process.exit(1);
+    }
+    const url = apiBase + path;
     const headers = {
         "X-Agent-Key": apiKey,
         "Content-Type": "application/json",

package/dist/commands/login.js

@@ -1,15 +1,26 @@
 import { Command } from "commander";
 import node_readline from "node:readline";
-import { saveConfig, loadConfig } from "../config.js";
+import { saveConfig, loadConfig, normalizeApiUrl } from "../config.js";
 import { printBanner } from "../ui.js";
-async function prompt(question) {
+async function promptSecret(question) {
+    const mutedOutput = {
+        muted: false,
+        write(chunk) {
+            if (!this.muted || chunk.includes(question)) {
+                process.stdout.write(chunk);
+            }
+        },
+    };
     const rl = node_readline.createInterface({
         input: process.stdin,
-        output: process.stdout,
+        output: mutedOutput,
+        terminal: true,
     });
+    mutedOutput.muted = true;
     return new Promise((resolve) => {
         rl.question(question, (answer) => {
             rl.close();
+            process.stdout.write("\n");
             resolve(answer.trim());
         });
     });
@@ -18,7 +29,7 @@ export const loginCommand = new Command("login")
     .description("Authenticate with the Delega API")
     .action(async () => {
     printBanner();
-    const key = await prompt("Enter your API key (starts with dlg_): ");
+    const key = await promptSecret("Enter your API key (starts with dlg_): ");
     if (!key) {
         console.error("No key provided.");
         process.exit(1);
@@ -29,10 +40,18 @@ export const loginCommand = new Command("login")
     }
     // Validate by calling the API
     const config = loadConfig();
-    const apiUrl = config.api_url || process.env.DELEGA_API_URL || "https://api.delega.dev";
+    let apiUrl;
+    try {
+        apiUrl = normalizeApiUrl(config.api_url || process.env.DELEGA_API_URL || "https://api.delega.dev");
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Configuration error: ${msg}`);
+        process.exit(1);
+    }
     let res;
     try {
-        res = await fetch(`${apiUrl}/v1/agents`, {
+        res = await fetch(`${apiUrl}/v1/agent/me`, {
             headers: {
                 "X-Agent-Key": key,
                 "Content-Type": "application/json",
@@ -51,11 +70,8 @@ export const loginCommand = new Command("login")
     let agentName = "agent";
     try {
         const data = (await res.json());
-        if (Array.isArray(data) && data.length > 0) {
-            agentName = data[0].display_name || data[0].name;
-        }
-        else if (!Array.isArray(data) && data.name) {
-            agentName = data.display_name || data.name;
+        if (data.agent?.name) {
+            agentName = data.agent.display_name || data.agent.name;
         }
     }
     catch {

package/dist/config.d.ts

@@ -4,5 +4,6 @@ export interface DelegaConfig {
 }
 export declare function loadConfig(): DelegaConfig;
 export declare function saveConfig(config: DelegaConfig): void;
+export declare function normalizeApiUrl(rawUrl: string): string;
 export declare function getApiKey(): string | undefined;
 export declare function getApiUrl(): string;

package/dist/config.js

@@ -1,6 +1,7 @@
 import node_fs from "node:fs";
 import node_path from "node:path";
 import node_os from "node:os";
+const LOCAL_API_HOSTS = new Set(["localhost", "127.0.0.1"]);
 function getConfigDir() {
     return node_path.join(node_os.homedir(), ".delega");
 }
@@ -23,15 +24,30 @@ export function loadConfig() {
 export function saveConfig(config) {
     const configDir = getConfigDir();
     if (!node_fs.existsSync(configDir)) {
-        node_fs.mkdirSync(configDir, { recursive: true });
+        node_fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
     }
-    node_fs.writeFileSync(getConfigPath(), JSON.stringify(config, null, 2) + "\n", "utf-8");
+    node_fs.chmodSync(configDir, 0o700);
+    node_fs.writeFileSync(getConfigPath(), JSON.stringify(config, null, 2) + "\n", { encoding: "utf-8", mode: 0o600 });
+    node_fs.chmodSync(getConfigPath(), 0o600);
+}
+export function normalizeApiUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error("Invalid Delega API URL");
+    }
+    if (parsed.protocol !== "https:" && !LOCAL_API_HOSTS.has(parsed.hostname)) {
+        throw new Error("Delega API URL must use HTTPS unless it points to localhost");
+    }
+    return rawUrl.replace(/\/+$/, "");
 }
 export function getApiKey() {
     return process.env.DELEGA_API_KEY || loadConfig().api_key;
 }
 export function getApiUrl() {
-    return (process.env.DELEGA_API_URL ||
+    return normalizeApiUrl(process.env.DELEGA_API_URL ||
         loadConfig().api_url ||
         "https://api.delega.dev");
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delega-dev/cli",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "description": "CLI for Delega task API",
   "type": "module",
   "bin": {

package/src/api.ts

@@ -16,7 +16,16 @@ export async function apiCall<T = unknown>(
     process.exit(1);
   }
 
-  const url = getApiUrl() + path;
+  let apiBase: string;
+  try {
+    apiBase = getApiUrl();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`Configuration error: ${msg}`);
+    process.exit(1);
+  }
+
+  const url = apiBase + path;
 
   const headers: Record<string, string> = {
     "X-Agent-Key": apiKey,

package/src/commands/login.ts

@@ -1,6 +1,6 @@
 import { Command } from "commander";
 import node_readline from "node:readline";
-import { saveConfig, loadConfig } from "../config.js";
+import { saveConfig, loadConfig, normalizeApiUrl } from "../config.js";
 import { printBanner } from "../ui.js";
 
 interface Agent {
@@ -9,14 +9,28 @@ interface Agent {
   display_name?: string;
 }
 
-async function prompt(question: string): Promise<string> {
+async function promptSecret(question: string): Promise<string> {
+  const mutedOutput = {
+    muted: false,
+    write(chunk: string) {
+      if (!this.muted || chunk.includes(question)) {
+        process.stdout.write(chunk);
+      }
+    },
+  };
+
   const rl = node_readline.createInterface({
     input: process.stdin,
-    output: process.stdout,
+    output: mutedOutput as unknown as NodeJS.WritableStream,
+    terminal: true,
   });
+
+  mutedOutput.muted = true;
+
   return new Promise((resolve) => {
     rl.question(question, (answer) => {
       rl.close();
+      process.stdout.write("\n");
       resolve(answer.trim());
     });
   });
@@ -27,7 +41,7 @@ export const loginCommand = new Command("login")
   .action(async () => {
     printBanner();
 
-    const key = await prompt("Enter your API key (starts with dlg_): ");
+    const key = await promptSecret("Enter your API key (starts with dlg_): ");
 
     if (!key) {
       console.error("No key provided.");
@@ -41,11 +55,20 @@ export const loginCommand = new Command("login")
 
     // Validate by calling the API
     const config = loadConfig();
-    const apiUrl = config.api_url || process.env.DELEGA_API_URL || "https://api.delega.dev";
+    let apiUrl: string;
+    try {
+      apiUrl = normalizeApiUrl(
+        config.api_url || process.env.DELEGA_API_URL || "https://api.delega.dev",
+      );
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`Configuration error: ${msg}`);
+      process.exit(1);
+    }
 
     let res: Response;
     try {
-      res = await fetch(`${apiUrl}/v1/agents`, {
+      res = await fetch(`${apiUrl}/v1/agent/me`, {
         headers: {
           "X-Agent-Key": key,
           "Content-Type": "application/json",
@@ -64,11 +87,9 @@ export const loginCommand = new Command("login")
 
     let agentName = "agent";
     try {
-      const data = (await res.json()) as Agent | Agent[];
-      if (Array.isArray(data) && data.length > 0) {
-        agentName = data[0].display_name || data[0].name;
-      } else if (!Array.isArray(data) && data.name) {
-        agentName = data.display_name || data.name;
+      const data = (await res.json()) as { agent?: Agent };
+      if (data.agent?.name) {
+        agentName = data.agent.display_name || data.agent.name;
       }
     } catch {
       // Proceed with default name

package/src/config.ts

@@ -7,6 +7,8 @@ export interface DelegaConfig {
   api_url?: string;
 }
 
+const LOCAL_API_HOSTS = new Set(["localhost", "127.0.0.1"]);
+
 function getConfigDir(): string {
   return node_path.join(node_os.homedir(), ".delega");
 }
@@ -31,13 +33,30 @@ export function loadConfig(): DelegaConfig {
 export function saveConfig(config: DelegaConfig): void {
   const configDir = getConfigDir();
   if (!node_fs.existsSync(configDir)) {
-    node_fs.mkdirSync(configDir, { recursive: true });
+    node_fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
   }
+  node_fs.chmodSync(configDir, 0o700);
   node_fs.writeFileSync(
     getConfigPath(),
     JSON.stringify(config, null, 2) + "\n",
-    "utf-8",
+    { encoding: "utf-8", mode: 0o600 },
   );
+  node_fs.chmodSync(getConfigPath(), 0o600);
+}
+
+export function normalizeApiUrl(rawUrl: string): string {
+  let parsed: URL;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    throw new Error("Invalid Delega API URL");
+  }
+
+  if (parsed.protocol !== "https:" && !LOCAL_API_HOSTS.has(parsed.hostname)) {
+    throw new Error("Delega API URL must use HTTPS unless it points to localhost");
+  }
+
+  return rawUrl.replace(/\/+$/, "");
 }
 
 export function getApiKey(): string | undefined {
@@ -45,7 +64,7 @@ export function getApiKey(): string | undefined {
 }
 
 export function getApiUrl(): string {
-  return (
+  return normalizeApiUrl(
     process.env.DELEGA_API_URL ||
     loadConfig().api_url ||
     "https://api.delega.dev"