@dreamlogic-ai/cli 1.0.0

package/dist/lib/api-client.js

@@ -0,0 +1,132 @@
+/**
+ * API client — REST-only communication with Skill Server
+ * D-04: CLI uses REST exclusively, no MCP SSE
+ * R1-05: Request timeouts
+ * R1-09: No redirect following
+ * R1-11: Download size limit
+ * R1-14: Runtime response validation
+ */
+import { createHash } from "crypto";
+import { CLI_VERSION } from "../types.js";
+const API_TIMEOUT = 30_000; // 30s for API calls
+const DOWNLOAD_TIMEOUT = 300_000; // 5min for downloads
+const MAX_DOWNLOAD_SIZE = 200 * 1024 * 1024; // 200MB
+export class ApiClient {
+    baseUrl;
+    apiKey;
+    constructor(baseUrl, apiKey) {
+        this.baseUrl = baseUrl;
+        this.apiKey = apiKey;
+    }
+    async request(path, opts = {}) {
+        const url = `${this.baseUrl}${path}`;
+        const headers = {
+            Authorization: `Bearer ${this.apiKey}`,
+            "User-Agent": `dreamlogic-cli/${CLI_VERSION}`,
+            ...(opts.headers || {}),
+        };
+        const res = await fetch(url, {
+            ...opts,
+            headers,
+            redirect: "error", // R1-09: reject redirects
+            signal: AbortSignal.timeout(API_TIMEOUT), // R1-05
+        });
+        if (!res.ok) {
+            let msg = `HTTP ${res.status}`;
+            try {
+                const body = (await res.json());
+                if (body.error)
+                    msg = body.error;
+            }
+            catch { /* ignore parse errors */ }
+            throw new ApiError(msg, res.status);
+        }
+        return res.json();
+    }
+    /** GET /api/me — verify key + get user info */
+    async me() {
+        const data = await this.request("/api/me");
+        // R1-14: Runtime validation
+        if (!data || typeof data.id !== "string" || typeof data.name !== "string") {
+            throw new ApiError("Invalid server response: missing user info", 502);
+        }
+        return data;
+    }
+    /** GET /skills — list available skills with version info */
+    async listSkills() {
+        const data = await this.request("/skills");
+        // R1-14: Runtime validation
+        if (!Array.isArray(data?.skills)) {
+            throw new ApiError("Invalid server response: missing skills array", 502);
+        }
+        return data.skills;
+    }
+    // R2-11: Removed unused getSkill() method
+    /** GET /packages/:filename — download package as buffer (R1-11: size limited) */
+    async downloadPackage(filename, onProgress) {
+        const url = `${this.baseUrl}/packages/${encodeURIComponent(filename)}`;
+        const res = await fetch(url, {
+            headers: {
+                Authorization: `Bearer ${this.apiKey}`,
+                "User-Agent": `dreamlogic-cli/${CLI_VERSION}`,
+            },
+            redirect: "error", // R1-09
+            signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT), // R1-05
+        });
+        if (!res.ok) {
+            throw new ApiError(`Download failed: HTTP ${res.status}`, res.status);
+        }
+        const contentLength = parseInt(res.headers.get("content-length") || "0", 10);
+        // R2-14: Guard against NaN/negative Content-Length
+        if (!Number.isNaN(contentLength) && contentLength > 0 && contentLength > MAX_DOWNLOAD_SIZE) {
+            throw new ApiError(`Package too large: ${contentLength} bytes (max ${MAX_DOWNLOAD_SIZE})`, 413);
+        }
+        const reader = res.body?.getReader();
+        if (!reader)
+            throw new ApiError("No response body", 500);
+        const chunks = [];
+        let downloaded = 0;
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            chunks.push(value);
+            downloaded += value.length;
+            // R1-11: Enforce size limit during streaming
+            if (downloaded > MAX_DOWNLOAD_SIZE) {
+                reader.cancel();
+                throw new ApiError("Package too large", 413);
+            }
+            if (onProgress && contentLength > 0) {
+                onProgress(downloaded, contentLength);
+            }
+        }
+        const buffer = Buffer.concat(chunks);
+        const sha256 = createHash("sha256").update(buffer).digest("hex");
+        return { buffer, sha256 };
+    }
+    /** GET /health — check server connectivity (R2-09: validated) */
+    async health() {
+        const url = `${this.baseUrl}/health`;
+        const res = await fetch(url, {
+            headers: { "User-Agent": `dreamlogic-cli/${CLI_VERSION}` },
+            redirect: "error",
+            signal: AbortSignal.timeout(5000),
+        });
+        if (!res.ok)
+            throw new ApiError("Server unreachable", res.status);
+        const data = await res.json();
+        if (typeof data?.status !== "string" || typeof data?.version !== "string") {
+            throw new ApiError("Invalid health response", 502);
+        }
+        return data;
+    }
+}
+export class ApiError extends Error {
+    status;
+    constructor(message, status) {
+        super(message);
+        this.status = status;
+        this.name = "ApiError";
+    }
+}

package/dist/lib/config.d.ts

@@ -0,0 +1,17 @@
+import { type CliConfig, type InstalledRegistry } from "../types.js";
+export declare function getDefaultInstallDir(): string;
+export declare function ensureConfigDir(): void;
+export declare function loadConfig(): CliConfig | null;
+export declare function saveConfig(config: CliConfig): void;
+/** R1-06: Validate key format from all sources (env, config file) */
+export declare function getApiKey(): string | null;
+/** R1-07: Enforce HTTPS (localhost/127.0.0.1 exempt for dev) */
+export declare function getServer(): string;
+export declare function getInstallDir(): string;
+export declare function loadInstalled(): InstalledRegistry;
+/** R1-08: Write installed.json with restricted permissions too */
+export declare function saveInstalled(registry: InstalledRegistry): void;
+/** R1-13: Zero-fill before overwrite for defense-in-depth */
+export declare function clearConfig(): void;
+/** Mask API key for display: sk-user-ce40...4d42 */
+export declare function maskKey(key: string): string;

package/dist/lib/config.js

@@ -0,0 +1,121 @@
+/**
+ * Configuration manager — reads/writes ~/.dreamlogic/config.json
+ * Key stored with file permissions 600 (owner-only)
+ */
+import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync, statSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+import { CONFIG_DIR_NAME, DEFAULT_SERVER, DEFAULT_INSTALL_DIR_NAME, } from "../types.js";
+// R1-06: Key format validation applied everywhere
+const KEY_RE = /^sk-(admin|user)-[a-f0-9]{16,}$/;
+function getConfigDir() {
+    return join(homedir(), CONFIG_DIR_NAME);
+}
+function getConfigPath() {
+    return join(getConfigDir(), "config.json");
+}
+function getInstalledPath() {
+    return join(getConfigDir(), "installed.json");
+}
+export function getDefaultInstallDir() {
+    return join(homedir(), DEFAULT_INSTALL_DIR_NAME);
+}
+export function ensureConfigDir() {
+    const dir = getConfigDir();
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+}
+export function loadConfig() {
+    const path = getConfigPath();
+    if (!existsSync(path))
+        return null;
+    try {
+        const data = JSON.parse(readFileSync(path, "utf-8"));
+        // R2-13: Basic shape validation
+        if (typeof data !== "object" || data === null)
+            return null;
+        if (data.api_key && typeof data.api_key !== "string")
+            return null;
+        return data;
+    }
+    catch {
+        return null;
+    }
+}
+export function saveConfig(config) {
+    ensureConfigDir();
+    const path = getConfigPath();
+    writeFileSync(path, JSON.stringify(config, null, 2) + "\n", { mode: 0o600 });
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch { /* Windows fallback */ }
+}
+/** R1-06: Validate key format from all sources (env, config file) */
+export function getApiKey() {
+    const key = process.env.DREAMLOGIC_API_KEY || loadConfig()?.api_key || null;
+    if (key && !KEY_RE.test(key)) {
+        console.error("  ❌ Invalid API key format (expected sk-user-xxx or sk-admin-xxx)");
+        return null;
+    }
+    return key;
+}
+/** R1-07: Enforce HTTPS (localhost/127.0.0.1 exempt for dev) */
+export function getServer() {
+    const url = process.env.DREAMLOGIC_SERVER || loadConfig()?.server || DEFAULT_SERVER;
+    // R1-07 + R2-03: HTTPS enforcement (localhost/127.0.0.1 exempt with strict boundary)
+    if (!/^https:\/\//i.test(url) && !/^http:\/\/(localhost|127\.0\.0\.1)(:[0-9]+)?(\/|$)/i.test(url)) {
+        throw new Error("Server URL must use HTTPS (http://localhost allowed for dev)");
+    }
+    return url;
+}
+export function getInstallDir() {
+    if (process.env.DREAMLOGIC_INSTALL_DIR)
+        return process.env.DREAMLOGIC_INSTALL_DIR;
+    const config = loadConfig();
+    return config?.install_dir ?? getDefaultInstallDir();
+}
+export function loadInstalled() {
+    const path = getInstalledPath();
+    if (!existsSync(path))
+        return {};
+    try {
+        const data = JSON.parse(readFileSync(path, "utf-8"));
+        // R2-13: Basic shape validation
+        if (typeof data !== "object" || data === null || Array.isArray(data))
+            return {};
+        return data;
+    }
+    catch {
+        return {};
+    }
+}
+/** R1-08: Write installed.json with restricted permissions too */
+export function saveInstalled(registry) {
+    ensureConfigDir();
+    const path = getInstalledPath();
+    writeFileSync(path, JSON.stringify(registry, null, 2) + "\n", { mode: 0o600 });
+    try {
+        chmodSync(path, 0o600);
+    }
+    catch { /* Windows fallback */ }
+}
+/** R1-13: Zero-fill before overwrite for defense-in-depth */
+export function clearConfig() {
+    const path = getConfigPath();
+    if (existsSync(path)) {
+        try {
+            const size = statSync(path).size;
+            writeFileSync(path, Buffer.alloc(size, 0));
+        }
+        catch { /* best-effort */ }
+        writeFileSync(path, "{}\n", { mode: 0o600 });
+    }
+}
+/** Mask API key for display: sk-user-ce40...4d42 */
+export function maskKey(key) {
+    if (key.length < 12)
+        return "***";
+    return key.slice(0, 12) + "..." + key.slice(-4);
+}

package/dist/lib/installer.d.ts

@@ -0,0 +1,14 @@
+import { type ApiClient } from "./api-client.js";
+/**
+ * Download and install a skill package
+ */
+export declare function installSkill(client: ApiClient, skillId: string, packageFile: string, expectedSha256: string | undefined, expectedVersion: string, opts?: {
+    fromFile?: string;
+}): Promise<{
+    path: string;
+    version: string;
+}>;
+/**
+ * Rollback a skill to its backup (D-13)
+ */
+export declare function rollbackSkill(skillId: string): boolean;

package/dist/lib/installer.js

@@ -0,0 +1,283 @@
+/**
+ * Installer — download, verify, extract, atomic-swap
+ * D-03: Uses yauzl (not adm-zip) for safe ZIP extraction
+ * D-05: Atomic directory replacement via staging + rename
+ * D-14: SHA256 re-verified on every install (no trusted cache)
+ * R1-03: Zip bomb protection (total size + entry count limits)
+ * R1-10: SIGINT/SIGTERM cleanup handler
+ */
+import { createWriteStream, existsSync, mkdirSync, readdirSync, renameSync, rmSync, statSync } from "fs";
+import { join, normalize, resolve as pathResolve } from "path";
+import { pipeline } from "stream/promises";
+import yauzl from "yauzl";
+import { loadInstalled, saveInstalled, getInstallDir } from "./config.js";
+import { ui } from "./ui.js";
+// R1-03: Extraction safety limits
+const MAX_TOTAL_EXTRACT_SIZE = 500 * 1024 * 1024; // 500MB
+const MAX_ENTRY_COUNT = 10_000;
+const MAX_SINGLE_FILE_SIZE = 100 * 1024 * 1024; // 100MB
+// R2-10: Safe skill ID pattern
+const SAFE_SKILL_ID = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+/**
+ * Download and install a skill package
+ */
+export async function installSkill(client, skillId, packageFile, expectedSha256, expectedVersion, opts = {}) {
+    const installDir = getInstallDir();
+    mkdirSync(installDir, { recursive: true });
+    // R2-10: Validate skill ID to prevent path traversal via malicious server
+    if (!SAFE_SKILL_ID.test(skillId)) {
+        throw new Error(`Invalid skill ID: ${skillId}`);
+    }
+    const skillDir = join(installDir, skillId);
+    const stagingDir = join(installDir, `.${skillId}-staging-${Date.now()}`);
+    const backupDir = join(installDir, `.${skillId}-backup-${Date.now()}`);
+    let buffer;
+    let actualSha256;
+    if (opts.fromFile) {
+        // D-10: Offline install from local file
+        const { readFileSync } = await import("fs");
+        const { createHash } = await import("crypto");
+        buffer = readFileSync(opts.fromFile);
+        actualSha256 = createHash("sha256").update(buffer).digest("hex");
+        ui.info(`Loaded from file: ${opts.fromFile}`);
+    }
+    else {
+        // Download with progress
+        const spinner = ui.spinner(`Downloading ${skillId} ${expectedVersion}...`);
+        spinner.start();
+        try {
+            const result = await client.downloadPackage(packageFile, (dl, total) => {
+                const pct = Math.round((dl / total) * 100);
+                const bar = "█".repeat(Math.round(pct / 4)) + "░".repeat(25 - Math.round(pct / 4));
+                spinner.text = `  📦 ${bar} ${pct}% | ${ui.fileSize(dl)}`;
+            });
+            buffer = result.buffer;
+            actualSha256 = result.sha256;
+            spinner.succeed(`  Downloaded ${ui.fileSize(buffer.length)}`);
+        }
+        catch (err) {
+            spinner.fail(`  Download failed`);
+            throw err;
+        }
+    }
+    // SHA256 verification
+    if (expectedSha256) {
+        if (actualSha256 !== expectedSha256) {
+            ui.err("SHA256 mismatch! Package may be corrupted or tampered.");
+            ui.line(`  Expected: ${expectedSha256}`);
+            ui.line(`  Actual:   ${actualSha256}`);
+            throw new Error("SHA256 verification failed");
+        }
+        ui.ok("SHA256 verified");
+    }
+    else {
+        ui.warning("No SHA256 hash from server — skipping verification");
+    }
+    // Extract to staging directory (D-05: never extract directly to target)
+    // R1-10 + R2-01/R2-02: Signal cleanup with proper listener management
+    const cleanupAndExit = (signal) => {
+        rmSync(stagingDir, { recursive: true, force: true });
+        // R2-02: Re-raise signal so process actually exits
+        process.removeListener("SIGINT", cleanupAndExit);
+        process.removeListener("SIGTERM", cleanupAndExit);
+        process.kill(process.pid, signal);
+    };
+    process.on("SIGINT", cleanupAndExit);
+    process.on("SIGTERM", cleanupAndExit);
+    // R2-01: try/finally ensures listeners are always removed
+    try {
+        const extractSpinner = ui.spinner("Extracting...");
+        extractSpinner.start();
+        try {
+            mkdirSync(stagingDir, { recursive: true });
+            await extractZip(buffer, stagingDir);
+            extractSpinner.succeed("  Extracted");
+        }
+        catch (err) {
+            extractSpinner.fail("  Extraction failed");
+            rmSync(stagingDir, { recursive: true, force: true });
+            throw err;
+        }
+        // Atomic swap (D-05)
+        try {
+            if (existsSync(skillDir)) {
+                renameSync(skillDir, backupDir);
+                ui.info(`Backed up previous version`);
+            }
+            const extractedRoot = findExtractedRoot(stagingDir);
+            renameSync(extractedRoot, skillDir);
+            if (existsSync(stagingDir)) {
+                rmSync(stagingDir, { recursive: true, force: true });
+            }
+        }
+        catch (err) {
+            if (existsSync(backupDir) && !existsSync(skillDir)) {
+                renameSync(backupDir, skillDir);
+            }
+            rmSync(stagingDir, { recursive: true, force: true });
+            throw err;
+        }
+    }
+    finally {
+        // R2-01: Always remove listeners, even on error
+        process.removeListener("SIGINT", cleanupAndExit);
+        process.removeListener("SIGTERM", cleanupAndExit);
+    }
+    // Update installed registry
+    const installed = loadInstalled();
+    const previousVersion = installed[skillId]?.version;
+    const entry = {
+        version: expectedVersion,
+        installed_at: new Date().toISOString(),
+        path: skillDir,
+        sha256: actualSha256,
+        ...(previousVersion ? { previous_version: previousVersion } : {}),
+    };
+    installed[skillId] = entry;
+    saveInstalled(installed);
+    // R2-12: Clean up old backups (keep only the latest)
+    try {
+        const oldBackups = readdirSync(installDir)
+            .filter((e) => e.startsWith(`.${skillId}-backup-`))
+            .sort()
+            .slice(0, -1); // keep newest
+        for (const b of oldBackups) {
+            rmSync(join(installDir, b), { recursive: true, force: true });
+        }
+    }
+    catch { /* best-effort cleanup */ }
+    if (existsSync(backupDir)) {
+        ui.info(`Rollback available: dreamlogic rollback ${skillId}`);
+    }
+    return { path: skillDir, version: expectedVersion };
+}
+/**
+ * Rollback a skill to its backup (D-13)
+ */
+export function rollbackSkill(skillId) {
+    const installDir = getInstallDir();
+    const skillDir = join(installDir, skillId);
+    let entries;
+    try {
+        entries = readdirSync(installDir);
+    }
+    catch {
+        return false;
+    }
+    const backups = entries
+        .filter((e) => e.startsWith(`.${skillId}-backup-`))
+        .sort()
+        .reverse();
+    if (backups.length === 0)
+        return false;
+    const latestBackup = join(installDir, backups[0]);
+    if (existsSync(skillDir)) {
+        rmSync(skillDir, { recursive: true, force: true });
+    }
+    renameSync(latestBackup, skillDir);
+    // Update installed.json
+    const installed = loadInstalled();
+    if (installed[skillId]?.previous_version) {
+        installed[skillId].version = installed[skillId].previous_version;
+        delete installed[skillId].previous_version;
+        installed[skillId].installed_at = new Date().toISOString();
+        saveInstalled(installed);
+    }
+    return true;
+}
+/**
+ * Find the actual root directory inside extracted ZIP
+ * (handles single-directory-wrapper pattern like suno-cover-v5-v20260406/)
+ */
+function findExtractedRoot(stagingDir) {
+    const entries = readdirSync(stagingDir);
+    // If only one directory entry, use that as root
+    if (entries.length === 1) {
+        const single = join(stagingDir, entries[0]);
+        try {
+            if (statSync(single).isDirectory())
+                return single;
+        }
+        catch { /* fallthrough */ }
+    }
+    return stagingDir;
+}
+/**
+ * Safe ZIP extraction using yauzl (D-03)
+ * Prevents: path traversal, symlinks, oversized files
+ * R1-03: Total size limit + entry count limit (zip bomb protection)
+ */
+function extractZip(buffer, targetDir) {
+    return new Promise((resolve, reject) => {
+        yauzl.fromBuffer(buffer, { lazyEntries: true }, (err, zipfile) => {
+            if (err || !zipfile) {
+                reject(err || new Error("Failed to open ZIP"));
+                return;
+            }
+            let totalExtracted = 0;
+            let entryCount = 0;
+            zipfile.readEntry();
+            zipfile.on("entry", (entry) => {
+                // R1-03: Entry count limit
+                entryCount++;
+                if (entryCount > MAX_ENTRY_COUNT) {
+                    zipfile.close(); // R2-08: Close before reject
+                    reject(new Error(`Too many ZIP entries (>${MAX_ENTRY_COUNT}) — possible zip bomb`));
+                    return;
+                }
+                const entryPath = normalize(entry.fileName);
+                // D-03 / Security: reject path traversal
+                if (entryPath.startsWith("..") || entryPath.includes("/../")) {
+                    zipfile.close(); // R2-08
+                    reject(new Error(`Unsafe path in ZIP: ${entry.fileName}`));
+                    return;
+                }
+                // Reject oversized single files
+                if (entry.uncompressedSize > MAX_SINGLE_FILE_SIZE) {
+                    zipfile.close(); // R2-08
+                    reject(new Error(`File too large in ZIP: ${entry.fileName} (${entry.uncompressedSize} bytes)`));
+                    return;
+                }
+                // R1-03: Cumulative size limit
+                totalExtracted += entry.uncompressedSize;
+                if (totalExtracted > MAX_TOTAL_EXTRACT_SIZE) {
+                    zipfile.close(); // R2-08
+                    reject(new Error(`Total extracted size exceeds ${MAX_TOTAL_EXTRACT_SIZE / 1024 / 1024}MB — possible zip bomb`));
+                    return;
+                }
+                const fullPath = join(targetDir, entryPath);
+                const resolvedPath = pathResolve(fullPath);
+                // R2-04: Trailing separator prevents prefix collision
+                const resolvedTarget = pathResolve(targetDir) + "/";
+                if (!resolvedPath.startsWith(resolvedTarget) && resolvedPath !== pathResolve(targetDir)) {
+                    zipfile.close(); // R2-08
+                    reject(new Error(`Path traversal detected: ${entry.fileName}`));
+                    return;
+                }
+                if (entry.fileName.endsWith("/")) {
+                    // Directory
+                    mkdirSync(fullPath, { recursive: true });
+                    zipfile.readEntry();
+                }
+                else {
+                    // File
+                    mkdirSync(join(fullPath, ".."), { recursive: true });
+                    zipfile.openReadStream(entry, (err, readStream) => {
+                        if (err || !readStream) {
+                            zipfile.close(); // R2-08
+                            reject(err || new Error("Failed to read ZIP entry"));
+                            return;
+                        }
+                        const writeStream = createWriteStream(fullPath);
+                        pipeline(readStream, writeStream).then(() => zipfile.readEntry()).catch((e) => {
+                            zipfile.close(); // R2-08
+                            reject(e);
+                        });
+                    });
+                }
+            });
+            zipfile.on("end", () => resolve());
+            zipfile.on("error", reject);
+        });
+    });
+}

package/dist/lib/ui.d.ts

@@ -0,0 +1,39 @@
+import { type Ora } from "ora";
+export declare const ui: {
+    brand: import("chalk").ChalkInstance;
+    accent: import("chalk").ChalkInstance;
+    success: import("chalk").ChalkInstance;
+    warn: import("chalk").ChalkInstance;
+    error: import("chalk").ChalkInstance;
+    dim: import("chalk").ChalkInstance;
+    /** Print the welcome banner */
+    banner(): void;
+    /** Print a section header */
+    header(text: string): void;
+    /** Print success message */
+    ok(msg: string): void;
+    /** Print warning */
+    warning(msg: string): void;
+    /** Print error */
+    err(msg: string): void;
+    /** Print info line */
+    info(msg: string): void;
+    /** Indented line */
+    line(msg: string): void;
+    /** Create a spinner */
+    spinner(text: string): Ora;
+    /** Format file size */
+    fileSize(bytes: number): string;
+    /** Format a skill for display */
+    skillLine(s: {
+        id: string;
+        name: string;
+        version?: string;
+        description: string;
+        tag?: string;
+    }): string;
+    /** Print a key-value table */
+    table(rows: [string, string][]): void;
+    /** Goodbye message */
+    goodbye(): void;
+};