npm - @grainulation/harvest - Versions diffs - 1.0.2 → 1.1.0 - Mend

@grainulation/harvest 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -3,7 +3,7 @@
 </p>
 <p align="center">
-  <a href="https://www.npmjs.com/package/@grainulation/harvest"><img src="https://img.shields.io/npm/v/@grainulation/harvest" alt="npm version"></a> <a href="https://www.npmjs.com/package/@grainulation/harvest"><img src="https://img.shields.io/npm/dm/@grainulation/harvest" alt="npm downloads"></a> <a href="https://github.com/grainulation/harvest/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="license"></a> <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/@grainulation/harvest" alt="node"></a> <a href="https://github.com/grainulation/harvest/actions"><img src="https://github.com/grainulation/harvest/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
+  <a href="https://www.npmjs.com/package/@grainulation/harvest"><img src="https://img.shields.io/npm/v/@grainulation/harvest?label=%40grainulation%2Fharvest" alt="npm version"></a> <a href="https://www.npmjs.com/package/@grainulation/harvest"><img src="https://img.shields.io/npm/dm/@grainulation/harvest" alt="npm downloads"></a> <a href="https://github.com/grainulation/harvest/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="license"></a> <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/@grainulation/harvest" alt="node"></a> <a href="https://github.com/grainulation/harvest/actions"><img src="https://github.com/grainulation/harvest/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
   <a href="https://deepwiki.com/grainulation/harvest"><img src="https://deepwiki.com/badge.svg" alt="Explore on DeepWiki"></a>
 </p>

package/lib/farmer.js CHANGED Viewed

@@ -5,13 +5,27 @@ const path = require("node:path");
 const http = require("node:http");
 const https = require("node:https");
+/** Track whether we have already warned about missing token */
+let _warnedNoToken = false;
 /**
  * POST an activity event to farmer.
  * Graceful failure -- catch and warn, never crash.
  * @param {string} farmerUrl - Base URL of farmer (e.g. http://localhost:9090)
  * @param {object} event - Event object (e.g. { type: "analyze", data: {...} })
+ * @param {object} [opts] - Options
+ * @param {string} [opts.token] - Bearer token for Authorization header
  */
-function notify(farmerUrl, event) {
+function notify(farmerUrl, event, opts) {
+  const token = (opts && opts.token) || null;
+  if (!token && !_warnedNoToken) {
+    _warnedNoToken = true;
+    process.stderr.write(
+      "[harvest] no farmer token configured -- requests are unauthenticated\n",
+    );
+  }
   return new Promise((resolve) => {
     try {
       const payload = JSON.stringify({
@@ -23,16 +37,21 @@ function notify(farmerUrl, event) {
       const url = new URL(`${farmerUrl}/hooks/activity`);
       const transport = url.protocol === "https:" ? https : http;
+      const headers = {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+      };
+      if (token) {
+        headers["Authorization"] = `Bearer ${token}`;
+      }
       const req = transport.request(
         {
           hostname: url.hostname,
           port: url.port,
           path: url.pathname,
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "Content-Length": Buffer.byteLength(payload),
-          },
+          headers,
           timeout: 5000,
         },
         (res) => {
@@ -76,7 +95,7 @@ async function connect(targetDir, args) {
   const subcommand = args[0];
   if (subcommand !== "farmer") {
     console.error(
-      "Usage: harvest connect farmer [--url http://localhost:9090]",
+      "Usage: harvest connect farmer --url http://localhost:9090 [--token <t>]",
     );
     process.exit(1);
   }
@@ -86,16 +105,30 @@ async function connect(targetDir, args) {
   const urlIdx = args.indexOf("--url");
   if (urlIdx !== -1 && args[urlIdx + 1]) {
     const url = args[urlIdx + 1];
-    const config = { url };
+    // Read optional --token flag
+    const tokenIdx = args.indexOf("--token");
+    const token =
+      tokenIdx !== -1 && args[tokenIdx + 1] ? args[tokenIdx + 1] : null;
+    const config = token ? { url, token } : { url };
     fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf8");
     console.log(`Farmer connection saved to ${configPath}`);
     console.log(`  URL: ${url}`);
+    if (token) {
+      console.log("  Token: configured");
+    } else {
+      console.log(
+        "  Token: not configured (use --token <t> to enable authenticated requests)",
+      );
+    }
     // Test the connection
-    const result = await notify(url, {
-      type: "connect",
-      data: { tool: "harvest" },
-    });
+    const result = await notify(
+      url,
+      { type: "connect", data: { tool: "harvest" } },
+      { token },
+    );
     if (result.ok) {
       console.log("  Connection test: OK");
     } else {
@@ -113,11 +146,47 @@ async function connect(targetDir, args) {
   if (fs.existsSync(configPath)) {
     const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
     console.log(`Farmer connection: ${config.url}`);
+    if (config.token) {
+      console.log("  Token: configured");
+    } else {
+      console.log("  Token: not configured");
+    }
     console.log(`Config: ${configPath}`);
   } else {
     console.log("No farmer connection configured.");
-    console.log("Usage: harvest connect farmer --url http://localhost:9090");
+    console.log(
+      "Usage: harvest connect farmer --url http://localhost:9090 [--token <t>]",
+    );
+  }
+}
+/**
+ * Read .farmer.json from a directory.
+ * @param {string} dir - Directory containing .farmer.json
+ * @returns {{ url: string, token?: string } | null}
+ */
+function loadConfig(dir) {
+  const configPath = path.join(dir, ".farmer.json");
+  if (!fs.existsSync(configPath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(configPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+/**
+ * Convenience: read .farmer.json and notify with auth if token exists.
+ * @param {string} dir - Directory containing .farmer.json
+ * @param {object} event - Event object
+ * @returns {Promise<{ok: boolean, status?: number, body?: string, error?: string}>}
+ */
+function notifyFromConfig(dir, event) {
+  const config = loadConfig(dir);
+  if (!config || !config.url) {
+    return Promise.resolve({ ok: false, error: "no farmer configured" });
   }
+  return notify(config.url, event, { token: config.token || null });
 }
-module.exports = { connect, notify };
+module.exports = { connect, notify, loadConfig, notifyFromConfig };

package/lib/server.js CHANGED Viewed

@@ -556,6 +556,14 @@ ${ROUTES.map((r) => "<tr><td><code>" + r.method + "</code></td><td><code>" + r.p
   let filePath = url.pathname;
   filePath = join(PUBLIC_DIR, filePath);
+  // Prevent directory traversal
+  const resolved = resolve(filePath);
+  if (!resolved.startsWith(PUBLIC_DIR + "/") && resolved !== PUBLIC_DIR) {
+    res.writeHead(403);
+    res.end("Forbidden");
+    return;
+  }
   if (existsSync(filePath) && !statSync(filePath).isDirectory()) {
     const ext = extname(filePath);
     const mime = MIME[ext] || "application/octet-stream";

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@grainulation/harvest",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Analytics and retrospective layer for research sprints -- learn from every decision you've made",
   "main": "lib/analyzer.js",
   "exports": {
@@ -33,7 +33,6 @@
   ],
   "author": "grainulation contributors",
   "license": "MIT",
-  "type": "module",
   "files": [
     "bin/",
     "lib/",