npm - @hasna/machines - Versions diffs - 0.0.33 → 0.0.35 - Mend

@hasna/machines 0.0.33 → 0.0.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +53 -36
package/dist/cli/index.js +332 -29
package/dist/commands/doctor.d.ts +23 -2
package/dist/commands/doctor.d.ts.map +1 -1
package/dist/commands/heal-daemon.d.ts.map +1 -1
package/dist/consumer.js +206 -12
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +340 -27
package/dist/manifests.d.ts +22 -1
package/dist/manifests.d.ts.map +1 -1
package/dist/mcp/index.js +321 -22
package/dist/redaction.d.ts +11 -0
package/dist/redaction.d.ts.map +1 -0
package/dist/topology.d.ts.map +1 -1
package/dist/types.d.ts +21 -0
package/dist/types.d.ts.map +1 -1
package/package.json +1 -1
package/scripts/consumer-conformance.mjs +3 -2

package/dist/consumer.js CHANGED Viewed

@@ -4186,7 +4186,103 @@ var coerce = {
   date: (arg) => ZodDate.create({ ...arg, coerce: true })
 };
 var NEVER = INVALID;
+// src/redaction.ts
+var REDACTED_VALUE = "[redacted]";
+var SENSITIVE_KEY_PATTERN = /(password|passwd|token|credential|private[_-]?key|privateKey|api[_-]?key|github.*key|pem|secret)/i;
+var SECRET_REFERENCE_KEY_PATTERN = /(secret(ref(erence)?|key)?|secretRef|secretKey)$/i;
+var SENSITIVE_VALUE_PATTERNS = [
+  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
+  /\bghp_[A-Za-z0-9_]{20,}\b/,
+  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/,
+  /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/,
+  /\bAKIA[0-9A-Z]{16}\b/,
+  /\bsk-[A-Za-z0-9_-]{20,}\b/
+];
+function isSensitiveKey(key) {
+  return SENSITIVE_KEY_PATTERN.test(key);
+}
+function isSecretReferenceKey(key) {
+  return SECRET_REFERENCE_KEY_PATTERN.test(key);
+}
+function looksSensitiveString(value) {
+  return SENSITIVE_VALUE_PATTERNS.some((pattern) => pattern.test(value));
+}
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function redactPath(value) {
+  return value.replace(/\/home\/[^/\s]+/g, "/home/<user>").replace(/\/Users\/[^/\s]+/g, "/Users/<user>").replace(/[A-Za-z]:\\Users\\[^\\\s]+/g, "C:\\Users\\<user>");
+}
+function redactPrivateRef(value) {
+  const trimmed = value.trim();
+  const scheme = trimmed.match(/^([a-z][a-z0-9+.-]*:\/\/)/i);
+  if (scheme)
+    return `${scheme[1]}<redacted>`;
+  const colon = trimmed.match(/^([a-z][a-z0-9+.-]*):/i);
+  if (colon)
+    return `${colon[1]}:<redacted>`;
+  return "<private-manifest-ref:redacted>";
+}
+function redactIdentifier(value) {
+  return value.replace(/[^a-zA-Z0-9_.-]/g, "_").slice(0, 80) || "adapter";
+}
+function redactSensitiveValue(value, key = "") {
+  if (typeof value === "string") {
+    if (isSensitiveKey(key) && !(isSecretReferenceKey(key) && !looksSensitiveString(value))) {
+      return REDACTED_VALUE;
+    }
+    if (looksSensitiveString(value))
+      return REDACTED_VALUE;
+    return redactPath(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactSensitiveValue(entry, key));
+  }
+  if (isRecord(value)) {
+    const redacted = {};
+    for (const [entryKey, entryValue] of Object.entries(value)) {
+      redacted[entryKey] = redactSensitiveValue(entryValue, entryKey);
+    }
+    return redacted;
+  }
+  return value;
+}
+function publicMetadataKeys(metadata) {
+  return Object.keys(metadata ?? {}).filter((key) => !isSensitiveKey(key)).sort();
+}
+function redactMetadata(metadata) {
+  return redactSensitiveValue(metadata ?? {});
+}
+function redactManifestForDiagnostics(machine) {
+  const metadata = redactMetadata(machine.metadata);
+  for (const key of ["user", "username", "login"]) {
+    if (typeof metadata[key] === "string")
+      metadata[key] = REDACTED_VALUE;
+  }
+  return {
+    id: machine.id,
+    hostname: machine.hostname ? REDACTED_VALUE : undefined,
+    sshAddress: machine.sshAddress ? REDACTED_VALUE : undefined,
+    tailscaleName: machine.tailscaleName ? REDACTED_VALUE : undefined,
+    platform: machine.platform,
+    connection: machine.connection,
+    workspacePath: redactPath(machine.workspacePath),
+    bunPath: machine.bunPath ? redactPath(machine.bunPath) : undefined,
+    tags: machine.tags ?? [],
+    metadata,
+    packages: machine.packages?.map((pkg) => ({ ...pkg })),
+    apps: machine.apps?.map((app) => ({ ...app })),
+    files: machine.files?.map((file) => ({
+      ...file,
+      source: redactPath(file.source),
+      target: redactPath(file.target)
+    }))
+  };
+}
 // src/manifests.ts
+var PRIVATE_MANIFEST_REF_ENV = "HASNA_MACHINES_PRIVATE_MANIFEST_REF";
+var PRIVATE_MANIFEST_BACKEND_ENV = "HASNA_MACHINES_PRIVATE_MANIFEST_BACKEND";
 var packageSchema = exports_external.object({
   name: exports_external.string(),
   manager: exports_external.enum(["bun", "brew", "apt", "custom"]).optional(),
@@ -4239,6 +4335,42 @@ function normalizePlatform() {
 function normalizeMachines(machines) {
   return [...machines].sort((left, right) => left.id.localeCompare(right.id));
 }
+function inferPrivateBackend(rawRef, explicitBackend) {
+  if (explicitBackend?.trim())
+    return explicitBackend.trim();
+  const scheme = rawRef.trim().match(/^([a-z][a-z0-9+.-]*)(?::\/\/|:)/i);
+  return scheme?.[1] ?? null;
+}
+function fileSourceRef(path) {
+  return {
+    kind: "file",
+    ref: redactPath(path),
+    backend: "file",
+    private: false,
+    publicSafe: true
+  };
+}
+function privateSourceRef(rawRef, backend) {
+  return {
+    kind: "private-ref",
+    ref: redactPrivateRef(rawRef),
+    backend: inferPrivateBackend(rawRef, backend),
+    private: true,
+    publicSafe: true
+  };
+}
+function privateRefFromOptions(options) {
+  const env = options.env ?? process.env;
+  return options.privateRef?.trim() || env[PRIVATE_MANIFEST_REF_ENV]?.trim() || env["MACHINES_PRIVATE_MANIFEST_REF"]?.trim() || null;
+}
+function getManifestSourceRef(options = {}) {
+  const rawPrivateRef = privateRefFromOptions(options);
+  if (rawPrivateRef) {
+    const env = options.env ?? process.env;
+    return privateSourceRef(rawPrivateRef, options.privateBackend ?? env[PRIVATE_MANIFEST_BACKEND_ENV]);
+  }
+  return fileSourceRef(options.path ?? getManifestPath());
+}
 function getDefaultManifest() {
   return {
     version: 1,
@@ -4253,6 +4385,53 @@ function readManifest(path = getManifestPath()) {
   const raw = JSON.parse(readFileSync(path, "utf8"));
   return fleetSchema.parse(raw);
 }
+function readManifestWithSource(options = {}) {
+  const path = options.path ?? getManifestPath();
+  const source = getManifestSourceRef(options);
+  const warnings = [];
+  if (source.kind === "private-ref") {
+    const rawRef = privateRefFromOptions(options);
+    if (rawRef && options.adapter) {
+      try {
+        const manifest2 = options.adapter.readManifest({ source, rawRef });
+        if (manifest2) {
+          return {
+            manifest: fleetSchema.parse(manifest2),
+            info: {
+              source,
+              loadedFrom: "private-ref",
+              warnings
+            }
+          };
+        }
+        warnings.push(`private_manifest_adapter_empty:${redactIdentifier(options.adapter.id)}`);
+      } catch (error) {
+        warnings.push(`private_manifest_adapter_failed:${redactIdentifier(options.adapter.id)}`);
+      }
+    } else {
+      warnings.push("private_manifest_ref_without_adapter");
+    }
+    const fallbackSource = fileSourceRef(path);
+    const manifest = readManifest(path);
+    return {
+      manifest,
+      info: {
+        source,
+        loadedFrom: existsSync2(path) ? "fallback" : "default",
+        fallbackSource,
+        warnings
+      }
+    };
+  }
+  return {
+    manifest: readManifest(path),
+    info: {
+      source,
+      loadedFrom: existsSync2(path) ? "file" : "default",
+      warnings
+    }
+  };
+}
 function validateManifest(path = getManifestPath()) {
   return readManifest(path);
 }
@@ -4487,6 +4666,19 @@ function manifestHostReachable(target) {
     return null;
   return overrides.has(target);
 }
+function userFromSshAddress(address) {
+  if (!address)
+    return null;
+  const at = address.indexOf("@");
+  if (at <= 0)
+    return null;
+  return address.slice(0, at);
+}
+function commandTargetForRoute(target, user) {
+  if (target.kind === "local" || target.target.includes("@") || !user)
+    return target.target;
+  return `${user}@${target.target}`;
+}
 function routeHints(input) {
   const hints = [];
   if (input.machineId === input.localMachineId) {
@@ -4537,6 +4729,7 @@ function buildEntry(input) {
   });
   const selectedRoute = selectRouteHint(hints);
   const route = selectedRoute?.kind === "ssh" ? "ssh" : selectedRoute?.kind ?? "unknown";
+  const routeUser = userFromSshAddress(manifest?.sshAddress) ?? (typeof manifest?.metadata?.user === "string" ? manifest.metadata.user : null);
   return {
     machine_id: input.machineId,
     hostname: manifest?.hostname ?? peer?.HostName ?? null,
@@ -4557,11 +4750,11 @@ function buildEntry(input) {
     ssh: {
       address: manifest?.sshAddress ?? null,
       route,
-      command_target: selectedRoute?.target ?? null
+      command_target: selectedRoute ? commandTargetForRoute(selectedRoute, routeUser) : null
     },
     route_hints: hints,
     tags: manifest?.tags ?? [],
-    metadata: manifest?.metadata ?? {}
+    metadata: redactMetadata(manifest?.metadata)
   };
 }
 function discoverMachineTopology(options = {}) {
@@ -4796,6 +4989,7 @@ function resolveMachineRoute(machineId, options = {}) {
   const local = route === "local" || machine.machine_id === topology.local_machine_id;
   const confidence = routeConfidence({ machine, hint: selectedHint, matchedBy });
   const ok = Boolean(selectedHint?.target);
+  const commandTarget = selectedHint ? commandTargetForRoute(selectedHint, userFromSshAddress(machine.ssh.address) ?? machine.user) : null;
   return {
     schema_version: MACHINES_CONSUMER_CONTRACT_VERSION,
     package: topology.package,
@@ -4806,7 +5000,7 @@ function resolveMachineRoute(machineId, options = {}) {
     route,
     source: route,
     target: selectedHint?.target ?? null,
-    command_target: selectedHint?.target ?? null,
+    command_target: commandTarget,
     confidence,
     local,
     evidence: {
@@ -4829,7 +5023,7 @@ function resolveMachineRoute(machineId, options = {}) {
     warnings
   };
 }
-function isRecord(value) {
+function isRecord2(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function metadataString(metadata, keys) {
@@ -4859,13 +5053,13 @@ function metadataStringArray(metadata, keys) {
 function readMappedPath(input) {
   for (const containerName of input.containers) {
     const container = input.metadata[containerName];
-    if (!isRecord(container))
+    if (!isRecord2(container))
       continue;
     for (const key of input.keys) {
       const value = container[key];
       if (typeof value === "string" && value.trim())
         return value.trim();
-      if (isRecord(value)) {
+      if (isRecord2(value)) {
         const path = metadataString(value, ["path", "root", "workspacePath", "workspace_path"]);
         if (path)
           return path;
@@ -5119,7 +5313,7 @@ function primaryMachine(machine, projectId, primaryMachineId) {
   return machine.tags.includes("primary");
 }
 function metadataKeysForDiagnostics(metadata) {
-  return Object.keys(metadata).filter((key) => !/(secret|token|key|password|credential)/i.test(key)).sort();
+  return publicMetadataKeys(metadata);
 }
 function resolveMachineWorkspace(options) {
   const now = options.now ?? new Date;
@@ -5469,21 +5663,21 @@ var MACHINES_CONSUMER_SCHEMA_BUNDLE = {
     }
   }
 };
-function isRecord2(value) {
+function isRecord3(value) {
   return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function hasString(value, key) {
   return typeof value[key] === "string" && value[key].length > 0;
 }
 function hasObject(value, key) {
-  return isRecord2(value[key]);
+  return isRecord3(value[key]);
 }
 function hasArray(value, key) {
   return Array.isArray(value[key]);
 }
 function hasCacheability(value, key = "cacheability") {
   const cache = value[key];
-  return isRecord2(cache) && hasString(cache, "observed_at") && typeof cache.cacheable === "boolean" && typeof cache.stale === "boolean" && hasArray(cache, "reasons");
+  return isRecord3(cache) && hasString(cache, "observed_at") && typeof cache.cacheable === "boolean" && typeof cache.stale === "boolean" && hasArray(cache, "reasons");
 }
 function requireFields(value, fields, errors2) {
   for (const field of fields) {
@@ -5496,7 +5690,7 @@ function getMachinesConsumerSchemaBundle() {
 }
 function validateMachinesConsumerEnvelope(envelope, value) {
   const errors2 = [];
-  if (!isRecord2(value)) {
+  if (!isRecord3(value)) {
     return { ok: false, envelope, schema_id: MACHINES_CONSUMER_SCHEMA_URI, errors: ["not_object"] };
   }
   if (value.schema_version !== MACHINES_CONSUMER_CONTRACT_VERSION)
@@ -5584,7 +5778,7 @@ function resolveSshTarget(machineId, options = {}) {
   }
   return {
     machineId: resolved.machine_id ?? machineId,
-    target: resolved.target,
+    target: resolved.command_target ?? resolved.target,
     route: resolved.route,
     confidence: resolved.confidence,
     warnings: resolved.warnings

package/dist/index.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@ export * from "./cross-project-types.js";
 export * from "./paths.js";
 export * from "./db.js";
 export * from "./manifests.js";
+export * from "./redaction.js";
 export * from "./topology.js";
 export * from "./compatibility.js";
 export * from "./agent/runtime.js";

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,0BAA0B,CAAC;AACzC,cAAc,YAAY,CAAC;AAC3B,cAAc,SAAS,CAAC;AACxB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC;AAC9B,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,wBAAwB,CAAC;AACvC,cAAc,oBAAoB,CAAC;AACnC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iCAAiC,CAAC;AAChD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,OAAO,EACL,oBAAoB,EACpB,6BAA6B,EAC7B,yBAAyB,EACzB,kCAAkC,EAClC,uBAAuB,EACvB,oBAAoB,EACpB,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,yBAAyB,EACzB,qBAAqB,EACrB,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,aAAa,EACb,oBAAoB,EACpB,WAAW,EACX,WAAW,EACX,WAAW,GACZ,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,IAAI,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtH,cAAc,cAAc,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,0BAA0B,CAAC;AACzC,cAAc,YAAY,CAAC;AAC3B,cAAc,SAAS,CAAC;AACxB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC;AAC9B,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,oBAAoB,CAAC;AACnC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,wBAAwB,CAAC;AACvC,cAAc,oBAAoB,CAAC;AACnC,cAAc,8BAA8B,CAAC;AAC7C,cAAc,iCAAiC,CAAC;AAChD,cAAc,6BAA6B,CAAC;AAC5C,cAAc,qBAAqB,CAAC;AACpC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,qBAAqB,CAAC;AACpC,cAAc,qBAAqB,CAAC;AACpC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,oBAAoB,CAAC;AACnC,cAAc,sBAAsB,CAAC;AACrC,cAAc,yBAAyB,CAAC;AACxC,cAAc,iBAAiB,CAAC;AAChC,OAAO,EACL,oBAAoB,EACpB,6BAA6B,EAC7B,yBAAyB,EACzB,kCAAkC,EAClC,uBAAuB,EACvB,oBAAoB,EACpB,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,yBAAyB,EACzB,qBAAqB,EACrB,cAAc,EACd,YAAY,EACZ,gBAAgB,EAChB,cAAc,EACd,kBAAkB,EAClB,aAAa,EACb,oBAAoB,EACpB,WAAW,EACX,WAAW,EACX,WAAW,GACZ,MAAM,cAAc,CAAC;AACtB,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,QAAQ,EAAE,UAAU,IAAI,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtH,cAAc,cAAc,CAAC"}