@delega-dev/cli 1.0.4 → 1.0.6

package/README.md

@@ -79,31 +79,60 @@ delega stats          # Show usage statistics
 
 ```bash
 --json                # Output raw JSON for any command
---api-url <url>       # Override API URL (for self-hosted instances)
+--api-url <url>       # Override API URL
 --version             # Show version
 --help                # Show help
 ```
 
 ## Configuration
 
-Config is stored in `~/.delega/config.json`:
+Non-secret CLI settings are stored in `~/.delega/config.json`:
 
 ```json
 {
-  "api_key": "dlg_...",
   "api_url": "https://api.delega.dev"
 }
 ```
 
+`delega login` stores API keys in the OS credential store when one is available:
+
+- macOS: Keychain
+- Linux: libsecret keyring via `secret-tool`
+- Windows: DPAPI-protected user storage
+
+Existing `api_key` entries in `~/.delega/config.json` are still read for backward compatibility until the next successful `delega login`.
+
 ## Environment Variables
 
 | Variable | Description |
 |---|---|
-| `DELEGA_API_KEY` | API key (overrides config file) |
+| `DELEGA_API_KEY` | API key (overrides secure storage and config) |
 | `DELEGA_API_URL` | API base URL (overrides config file) |
 
 Environment variables take precedence over the config file.
 
+## Hosted vs Self-Hosted
+
+The CLI defaults to the hosted API at `https://api.delega.dev/v1`.
+
+For self-hosted deployments:
+
+```bash
+export DELEGA_API_URL="http://localhost:18890"
+# or for a remote reverse-proxied instance:
+export DELEGA_API_URL="https://delega.yourcompany.com/api"
+```
+
+Bare localhost URLs automatically use the self-hosted `/api` namespace. For remote self-hosted instances, include `/api` explicitly.
+
+## Security Notes
+
+- `delega login` now hides API key input instead of echoing it back to the terminal.
+- `delega login` stores API keys in the OS credential store instead of plaintext config when secure storage is available.
+- `~/.delega/config.json` is written with owner-only permissions (`0600`), and the config directory is locked to `0700`.
+- Remote API URLs must use `https://`; plain `http://` is only accepted for `localhost` / `127.0.0.1`.
+- On servers that do not expose `/agent/me`, `delega login` and `delega whoami` fall back to generic authentication checks instead of printing hosted account metadata.
+
 ## License
 
 MIT

package/SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Do not open a public GitHub issue for security-sensitive reports.
+
+Email `hello@delega.dev` with:
+
+- A clear description of the issue
+- Steps to reproduce it
+- The affected version or commit, if known
+- Any suggested mitigation or fix
+
+Use a subject line like `Security report: delega-cli`.
+
+We will acknowledge receipt and work on triage privately.
+
+## Supported Versions
+
+Security fixes are applied to the latest published release and the current `main` branch.

package/dist/api.d.ts

@@ -2,4 +2,10 @@ export interface ApiError {
     error?: string;
     message?: string;
 }
+export interface ApiResponse<T = unknown> {
+    ok: boolean;
+    status: number;
+    data: T | ApiError;
+}
+export declare function apiRequest<T = unknown>(method: string, path: string, body?: unknown): Promise<ApiResponse<T>>;
 export declare function apiCall<T = unknown>(method: string, path: string, body?: unknown): Promise<T>;

package/dist/api.js

@@ -1,11 +1,20 @@
 import { getApiKey, getApiUrl } from "./config.js";
-export async function apiCall(method, path, body) {
+export async function apiRequest(method, path, body) {
     const apiKey = getApiKey();
     if (!apiKey) {
         console.error("Not authenticated. Run: delega login");
         process.exit(1);
     }
-    const url = getApiUrl() + path;
+    let apiBase;
+    try {
+        apiBase = getApiUrl();
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Configuration error: ${msg}`);
+        process.exit(1);
+    }
+    const url = apiBase + path;
     const headers = {
         "X-Agent-Key": apiKey,
         "Content-Type": "application/json",
@@ -23,10 +32,6 @@ export async function apiCall(method, path, body) {
         console.error(`Connection error: ${msg}`);
         process.exit(1);
     }
-    if (res.status === 401) {
-        console.error("Authentication failed. Run: delega login");
-        process.exit(1);
-    }
     let data;
     const text = await res.text();
     try {
@@ -35,11 +40,23 @@ export async function apiCall(method, path, body) {
     catch {
         data = { message: text };
     }
-    if (!res.ok) {
-        const errData = data;
-        const msg = errData.error || errData.message || `Request failed (${res.status})`;
+    return {
+        ok: res.ok,
+        status: res.status,
+        data: data,
+    };
+}
+export async function apiCall(method, path, body) {
+    const result = await apiRequest(method, path, body);
+    if (result.status === 401) {
+        console.error("Authentication failed. Run: delega login");
+        process.exit(1);
+    }
+    if (!result.ok) {
+        const errData = result.data;
+        const msg = errData.error || errData.message || `Request failed (${result.status})`;
         console.error(`Error: ${msg}`);
         process.exit(1);
     }
-    return data;
+    return result.data;
 }

package/dist/commands/agents.js

@@ -19,7 +19,7 @@ const agentsList = new Command("list")
     .description("List agents")
     .option("--json", "Output raw JSON")
     .action(async (opts) => {
-    const data = await apiCall("GET", "/v1/agents");
+    const data = await apiCall("GET", "/agents");
     if (opts.json) {
         console.log(JSON.stringify(data, null, 2));
         return;
@@ -47,7 +47,7 @@ const agentsCreate = new Command("create")
     const body = { name };
     if (opts.displayName)
         body.display_name = opts.displayName;
-    const agent = await apiCall("POST", "/v1/agents", body);
+    const agent = await apiCall("POST", "/agents", body);
     if (opts.json) {
         console.log(JSON.stringify(agent, null, 2));
         return;
@@ -73,7 +73,7 @@ const agentsRotate = new Command("rotate")
         console.log("Cancelled.");
         return;
     }
-    const result = await apiCall("POST", `/v1/agents/${id}/rotate-key`);
+    const result = await apiCall("POST", `/agents/${id}/rotate-key`);
     console.log();
     console.log(`  New API Key: ${chalk.cyan.bold(result.api_key)}`);
     console.log(chalk.yellow("  Save this key — it will not be shown again."));

package/dist/commands/login.js

@@ -1,15 +1,26 @@
 import { Command } from "commander";
 import node_readline from "node:readline";
-import { saveConfig, loadConfig } from "../config.js";
+import { saveConfig, loadConfig, normalizeApiUrl, persistApiKey } from "../config.js";
 import { printBanner } from "../ui.js";
-async function prompt(question) {
+async function promptSecret(question) {
+    const mutedOutput = {
+        muted: false,
+        write(chunk) {
+            if (!this.muted || chunk.includes(question)) {
+                process.stdout.write(chunk);
+            }
+        },
+    };
     const rl = node_readline.createInterface({
         input: process.stdin,
-        output: process.stdout,
+        output: mutedOutput,
+        terminal: true,
     });
+    mutedOutput.muted = true;
     return new Promise((resolve) => {
         rl.question(question, (answer) => {
             rl.close();
+            process.stdout.write("\n");
             resolve(answer.trim());
         });
     });
@@ -18,7 +29,7 @@ export const loginCommand = new Command("login")
     .description("Authenticate with the Delega API")
     .action(async () => {
     printBanner();
-    const key = await prompt("Enter your API key (starts with dlg_): ");
+    const key = await promptSecret("Enter your API key (starts with dlg_): ");
     if (!key) {
         console.error("No key provided.");
         process.exit(1);
@@ -29,10 +40,18 @@ export const loginCommand = new Command("login")
     }
     // Validate by calling the API
     const config = loadConfig();
-    const apiUrl = config.api_url || process.env.DELEGA_API_URL || "https://api.delega.dev";
+    let apiUrl;
+    try {
+        apiUrl = normalizeApiUrl(config.api_url || process.env.DELEGA_API_URL || "https://api.delega.dev");
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Configuration error: ${msg}`);
+        process.exit(1);
+    }
     let res;
     try {
-        res = await fetch(`${apiUrl}/v1/agents`, {
+        res = await fetch(`${apiUrl}/agent/me`, {
             headers: {
                 "X-Agent-Key": key,
                 "Content-Type": "application/json",
@@ -44,23 +63,59 @@ export const loginCommand = new Command("login")
         console.error(`Connection error: ${msg}`);
         process.exit(1);
     }
-    if (!res.ok) {
+    if (!res.ok && res.status !== 404) {
         console.error("Invalid API key. Authentication failed.");
         process.exit(1);
     }
     let agentName = "agent";
-    try {
-        const data = (await res.json());
-        if (Array.isArray(data) && data.length > 0) {
-            agentName = data[0].display_name || data[0].name;
+    let validatedWithoutMetadata = false;
+    if (res.ok) {
+        try {
+            const data = (await res.json());
+            if (data.agent?.name) {
+                agentName = data.agent.display_name || data.agent.name;
+            }
         }
-        else if (!Array.isArray(data) && data.name) {
-            agentName = data.display_name || data.name;
+        catch {
+            // Proceed with default name
+        }
+    }
+    else {
+        try {
+            res = await fetch(`${apiUrl}/tasks?completed=true`, {
+                headers: {
+                    "X-Agent-Key": key,
+                    "Content-Type": "application/json",
+                },
+            });
         }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            console.error(`Connection error: ${msg}`);
+            process.exit(1);
+        }
+        if (!res.ok) {
+            console.error("Invalid API key. Authentication failed.");
+            process.exit(1);
+        }
+        validatedWithoutMetadata = true;
+    }
+    let storageLocation;
+    try {
+        storageLocation = persistApiKey(key);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(`Unable to store API key securely: ${msg}`);
+        process.exit(1);
     }
-    catch {
-        // Proceed with default name
+    const nextConfig = { ...config };
+    delete nextConfig.api_key;
+    saveConfig(nextConfig);
+    if (validatedWithoutMetadata) {
+        console.log(`\nLogged in. Key saved to ${storageLocation}`);
+        console.log("Current server validated the key but does not expose /agent/me metadata.");
+        return;
     }
-    saveConfig({ ...config, api_key: key });
-    console.log(`\nLogged in as ${agentName}. Key saved to ~/.delega/config.json`);
+    console.log(`\nLogged in as ${agentName}. Key saved to ${storageLocation}`);
 });

package/dist/commands/stats.js

@@ -5,7 +5,7 @@ export const statsCommand = new Command("stats")
     .description("Show usage statistics")
     .option("--json", "Output raw JSON")
     .action(async (opts) => {
-    const data = await apiCall("GET", "/v1/stats");
+    const data = await apiCall("GET", "/stats");
     if (opts.json) {
         console.log(JSON.stringify(data, null, 2));
         return;

package/dist/commands/tasks.js

@@ -20,7 +20,7 @@ const tasksList = new Command("list")
     .option("--limit <n>", "Limit results", parseInt)
     .option("--json", "Output raw JSON")
     .action(async (opts) => {
-    let path = "/v1/tasks";
+    let path = "/tasks";
     const params = [];
     if (opts.completed)
         params.push("completed=true");
@@ -62,7 +62,7 @@ const tasksCreate = new Command("create")
         body.labels = opts.labels.split(",").map((l) => l.trim());
     if (opts.due)
         body.due_date = opts.due;
-    const task = await apiCall("POST", "/v1/tasks", body);
+    const task = await apiCall("POST", "/tasks", body);
     if (opts.json) {
         console.log(JSON.stringify(task, null, 2));
         return;
@@ -80,7 +80,7 @@ const tasksShow = new Command("show")
     .argument("<id>", "Task ID")
     .option("--json", "Output raw JSON")
     .action(async (id, opts) => {
-    const task = await apiCall("GET", `/v1/tasks/${id}`);
+    const task = await apiCall("GET", `/tasks/${id}`);
     if (opts.json) {
         console.log(JSON.stringify(task, null, 2));
         return;
@@ -116,7 +116,7 @@ const tasksComplete = new Command("complete")
     .description("Mark a task as completed")
     .argument("<id>", "Task ID")
     .action(async (id) => {
-    await apiCall("POST", `/v1/tasks/${id}/complete`);
+    await apiCall("POST", `/tasks/${id}/complete`);
     console.log(`Task ${id} completed.`);
 });
 const tasksDelete = new Command("delete")
@@ -128,7 +128,7 @@ const tasksDelete = new Command("delete")
         console.log("Cancelled.");
         return;
     }
-    await apiCall("DELETE", `/v1/tasks/${id}`);
+    await apiCall("DELETE", `/tasks/${id}`);
     console.log(`Task ${id} deleted.`);
 });
 const tasksDelegate = new Command("delegate")
@@ -140,7 +140,7 @@ const tasksDelegate = new Command("delegate")
     const body = { assigned_to_agent_id: agentId };
     if (opts.content)
         body.content = opts.content;
-    await apiCall("POST", `/v1/tasks/${taskId}/delegate`, body);
+    await apiCall("POST", `/tasks/${taskId}/delegate`, body);
     console.log(`Task delegated to ${agentId}.`);
 });
 export const tasksCommand = new Command("tasks")

package/dist/commands/whoami.js

@@ -1,32 +1,39 @@
 import { Command } from "commander";
-import { apiCall } from "../api.js";
+import { apiCall, apiRequest } from "../api.js";
 import { label } from "../ui.js";
 export const whoamiCommand = new Command("whoami")
     .description("Show current authenticated agent")
     .action(async () => {
-    const data = await apiCall("GET", "/v1/agents");
-    let agent;
-    if (Array.isArray(data)) {
-        if (data.length === 0) {
-            console.error("No agent found.");
+    const me = await apiRequest("GET", "/agent/me");
+    if (me.ok) {
+        const payload = me.data;
+        const agent = payload.agent;
+        if (!agent) {
+            console.error("Current server did not return agent details.");
             process.exit(1);
         }
-        agent = data[0];
+        console.log();
+        label("Agent", agent.name);
+        if (agent.display_name) {
+            label("Display Name", agent.display_name);
+        }
+        if (payload.account?.email || agent.user?.email || agent.email) {
+            label("Email", payload.account?.email || agent.user?.email || agent.email || "");
+        }
+        if (payload.account?.plan || agent.user?.plan || agent.plan) {
+            label("Plan", payload.account?.plan || agent.user?.plan || agent.plan || "");
+        }
+        label("Active", agent.active !== false ? "yes" : "no");
+        console.log();
+        return;
     }
-    else {
-        agent = data;
+    if (me.status !== 404) {
+        await apiCall("GET", "/agent/me");
+        return;
     }
+    await apiCall("GET", "/tasks?completed=true");
     console.log();
-    label("Agent", agent.name);
-    if (agent.display_name) {
-        label("Display Name", agent.display_name);
-    }
-    if (agent.user?.email || agent.email) {
-        label("Email", agent.user?.email || agent.email || "");
-    }
-    if (agent.user?.plan || agent.plan) {
-        label("Plan", agent.user?.plan || agent.plan || "");
-    }
-    label("Active", agent.active !== false ? "yes" : "no");
+    label("Authenticated", "yes");
+    label("Server", "Current API does not expose /agent/me");
     console.log();
 });

package/dist/config.d.ts

@@ -4,5 +4,7 @@ export interface DelegaConfig {
 }
 export declare function loadConfig(): DelegaConfig;
 export declare function saveConfig(config: DelegaConfig): void;
+export declare function persistApiKey(apiKey: string): string;
+export declare function normalizeApiUrl(rawUrl: string): string;
 export declare function getApiKey(): string | undefined;
 export declare function getApiUrl(): string;

package/dist/config.js

@@ -1,6 +1,17 @@
 import node_fs from "node:fs";
 import node_path from "node:path";
 import node_os from "node:os";
+import { loadStoredApiKey, storeApiKey } from "./secret-store.js";
+const LOCAL_API_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
+function normalizeHost(hostname) {
+    return hostname.replace(/^\[/, "").replace(/\]$/, "").toLowerCase();
+}
+function isLocalApiHost(hostname) {
+    return LOCAL_API_HOSTS.has(normalizeHost(hostname));
+}
+function defaultApiBasePath(hostname) {
+    return isLocalApiHost(hostname) ? "/api" : "/v1";
+}
 function getConfigDir() {
     return node_path.join(node_os.homedir(), ".delega");
 }
@@ -23,15 +34,43 @@ export function loadConfig() {
 export function saveConfig(config) {
     const configDir = getConfigDir();
     if (!node_fs.existsSync(configDir)) {
-        node_fs.mkdirSync(configDir, { recursive: true });
+        node_fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+    }
+    node_fs.chmodSync(configDir, 0o700);
+    node_fs.writeFileSync(getConfigPath(), JSON.stringify(config, null, 2) + "\n", { encoding: "utf-8", mode: 0o600 });
+    node_fs.chmodSync(getConfigPath(), 0o600);
+}
+export function persistApiKey(apiKey) {
+    const storeLabel = storeApiKey(apiKey);
+    if (storeLabel) {
+        return storeLabel;
+    }
+    throw new Error("Secure credential storage is unavailable on this system. Set DELEGA_API_KEY manually instead.");
+}
+export function normalizeApiUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error("Invalid Delega API URL");
+    }
+    if (parsed.protocol !== "https:" && !isLocalApiHost(parsed.hostname)) {
+        throw new Error("Delega API URL must use HTTPS unless it points to localhost");
     }
-    node_fs.writeFileSync(getConfigPath(), JSON.stringify(config, null, 2) + "\n", "utf-8");
+    parsed.search = "";
+    parsed.hash = "";
+    const normalizedPath = parsed.pathname.replace(/\/+$/, "");
+    parsed.pathname = normalizedPath && normalizedPath !== "/"
+        ? normalizedPath
+        : defaultApiBasePath(parsed.hostname);
+    return parsed.toString().replace(/\/+$/, "");
 }
 export function getApiKey() {
-    return process.env.DELEGA_API_KEY || loadConfig().api_key;
+    return process.env.DELEGA_API_KEY || loadStoredApiKey() || loadConfig().api_key;
 }
 export function getApiUrl() {
-    return (process.env.DELEGA_API_URL ||
+    return normalizeApiUrl(process.env.DELEGA_API_URL ||
         loadConfig().api_url ||
         "https://api.delega.dev");
 }

package/dist/secret-store.d.ts

@@ -0,0 +1,3 @@
+export declare function secureStoreLabel(): string | undefined;
+export declare function loadStoredApiKey(): string | undefined;
+export declare function storeApiKey(apiKey: string): string | undefined;

package/dist/secret-store.js

@@ -0,0 +1,128 @@
+import node_child_process from "node:child_process";
+import node_fs from "node:fs";
+import node_os from "node:os";
+import node_path from "node:path";
+const SERVICE_NAME = "@delega-dev/cli";
+const ACCOUNT_NAME = "default";
+const WINDOWS_SECRET_PATH = node_path.join(node_os.homedir(), ".delega", "api-key.dpapi");
+function ensureConfigDir() {
+    const configDir = node_path.dirname(WINDOWS_SECRET_PATH);
+    if (!node_fs.existsSync(configDir)) {
+        node_fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+    }
+}
+function isLinuxSecretToolAvailable() {
+    if (process.platform !== "linux") {
+        return false;
+    }
+    try {
+        node_child_process.execFileSync("sh", ["-lc", "command -v secret-tool >/dev/null 2>&1"], {
+            stdio: "ignore",
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function readMacosKeychain() {
+    try {
+        return node_child_process.execFileSync("security", ["find-generic-password", "-a", ACCOUNT_NAME, "-s", SERVICE_NAME, "-w"], { encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+function writeMacosKeychain(apiKey) {
+    node_child_process.execFileSync("security", ["add-generic-password", "-U", "-a", ACCOUNT_NAME, "-s", SERVICE_NAME, "-w", apiKey], { stdio: "ignore" });
+}
+function readLinuxSecretTool() {
+    if (!isLinuxSecretToolAvailable()) {
+        return undefined;
+    }
+    try {
+        return node_child_process.execFileSync("secret-tool", ["lookup", "service", SERVICE_NAME, "account", ACCOUNT_NAME], { encoding: "utf-8", stdio: ["ignore", "pipe", "ignore"] }).trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+function writeLinuxSecretTool(apiKey) {
+    node_child_process.execFileSync("secret-tool", ["store", "--label", "Delega CLI API key", "service", SERVICE_NAME, "account", ACCOUNT_NAME], { input: apiKey, encoding: "utf-8", stdio: ["pipe", "ignore", "ignore"] });
+}
+function readWindowsProtectedFile() {
+    if (!node_fs.existsSync(WINDOWS_SECRET_PATH)) {
+        return undefined;
+    }
+    try {
+        return node_child_process.execFileSync("powershell.exe", [
+            "-NoProfile",
+            "-NonInteractive",
+            "-Command",
+            "$secure = Get-Content -Raw $env:DELEGA_SECRET_PATH | ConvertTo-SecureString; $cred = [System.Management.Automation.PSCredential]::new('delega', $secure); $cred.GetNetworkCredential().Password",
+        ], {
+            encoding: "utf-8",
+            stdio: ["ignore", "pipe", "ignore"],
+            env: { ...process.env, DELEGA_SECRET_PATH: WINDOWS_SECRET_PATH },
+        }).trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+function writeWindowsProtectedFile(apiKey) {
+    ensureConfigDir();
+    const encrypted = node_child_process.execFileSync("powershell.exe", [
+        "-NoProfile",
+        "-NonInteractive",
+        "-Command",
+        "$secure = ConvertTo-SecureString $env:DELEGA_API_KEY -AsPlainText -Force; $secure | ConvertFrom-SecureString",
+    ], {
+        encoding: "utf-8",
+        stdio: ["ignore", "pipe", "ignore"],
+        env: { ...process.env, DELEGA_API_KEY: apiKey },
+    }).trim();
+    node_fs.writeFileSync(WINDOWS_SECRET_PATH, encrypted + "\n", {
+        encoding: "utf-8",
+        mode: 0o600,
+    });
+}
+export function secureStoreLabel() {
+    if (process.platform === "darwin") {
+        return "macOS Keychain";
+    }
+    if (process.platform === "linux" && isLinuxSecretToolAvailable()) {
+        return "libsecret keyring";
+    }
+    if (process.platform === "win32") {
+        return "Windows user-protected storage";
+    }
+    return undefined;
+}
+export function loadStoredApiKey() {
+    if (process.platform === "darwin") {
+        return readMacosKeychain();
+    }
+    if (process.platform === "linux") {
+        return readLinuxSecretTool();
+    }
+    if (process.platform === "win32") {
+        return readWindowsProtectedFile();
+    }
+    return undefined;
+}
+export function storeApiKey(apiKey) {
+    if (process.platform === "darwin") {
+        writeMacosKeychain(apiKey);
+        return "macOS Keychain";
+    }
+    if (process.platform === "linux" && isLinuxSecretToolAvailable()) {
+        writeLinuxSecretTool(apiKey);
+        return "libsecret keyring";
+    }
+    if (process.platform === "win32") {
+        writeWindowsProtectedFile(apiKey);
+        return "Windows user-protected storage";
+    }
+    return undefined;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delega-dev/cli",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "CLI for Delega task API",
   "type": "module",
   "bin": {
@@ -24,6 +24,12 @@
     "type": "git",
     "url": "https://github.com/delega-dev/delega-cli"
   },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md",
+    "SECURITY.md"
+  ],
   "keywords": [
     "delega",
     "task-management",