@haystackeditor/cli 0.2.0

package/dist/types.d.ts

@@ -0,0 +1,177 @@
+/**
+ * Haystack CLI Types
+ *
+ * These types define the .haystack.yml schema that sandbox.py reads.
+ */
+/**
+ * Main configuration file schema (.haystack.yml)
+ */
+export interface HaystackConfig {
+    /** Schema version - must be "1" */
+    version: '1';
+    /** Project name for display */
+    name?: string;
+    /** Package manager (auto-detected if not specified) */
+    package_manager?: 'npm' | 'pnpm' | 'yarn' | 'bun';
+    /**
+     * Single dev server configuration.
+     * Use this for simple projects with one service.
+     * Mutually exclusive with `services`.
+     */
+    dev_server?: DevServer;
+    /**
+     * Multiple services configuration.
+     * Use this for monorepos with multiple services.
+     * Mutually exclusive with `dev_server`.
+     */
+    services?: Record<string, Service>;
+    /** Verification configuration */
+    verification?: VerificationConfig;
+}
+/**
+ * Dev server configuration (simple mode)
+ */
+export interface DevServer {
+    /** Command to start the dev server (e.g., "pnpm dev") */
+    command: string;
+    /** Port the server runs on */
+    port: number;
+    /** Pattern in stdout indicating server is ready (e.g., "Local:") */
+    ready_pattern?: string;
+    /** Environment variables to set (e.g., { SKIP_AUTH: "true" }) */
+    env?: Record<string, string>;
+}
+/**
+ * Service configuration (monorepo mode)
+ */
+export interface Service {
+    /** Directory relative to repo root (e.g., "infra/api-worker") */
+    root?: string;
+    /** Command to start the service */
+    command: string;
+    /** Port the service runs on (omit for batch jobs) */
+    port?: number;
+    /** Pattern in stdout indicating service is ready */
+    ready_pattern?: string;
+    /** Service type: "server" (default) or "batch" */
+    type?: 'server' | 'batch';
+    /** Environment variables to set */
+    env?: Record<string, string>;
+}
+/**
+ * Verification configuration
+ */
+export interface VerificationConfig {
+    /** Commands to run during sandbox creation */
+    commands?: VerificationCommand[];
+    /** Fixture definitions - array of pattern/source pairs */
+    fixtures?: Fixture[];
+}
+/**
+ * Fixture definition - pattern to match and source to load from
+ */
+export interface Fixture {
+    /** URL pattern to match (e.g., "/api/github/repos/*") */
+    pattern: string;
+    /**
+     * Source to load data from. Supports environment variable substitution:
+     * - $VAR, ${VAR}, ${VAR:-default}
+     *
+     * Source types:
+     * - file://path/to/file.json - Local file
+     * - https://staging.example.com/api/... - Remote URL (e.g., staging server)
+     * - https://${STAGING_HOST}/api/... - Remote URL with env var
+     * - s3://bucket/key - AWS S3 (uses AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
+     * - r2://bucket/key - Cloudflare R2 (uses R2_ACCOUNT_ID, R2_ACCESS_KEY_ID)
+     * - passthrough - Don't intercept, let request through to real API
+     *
+     * @example
+     * // Pull from staging with auth
+     * source: "https://${STAGING_URL:-staging.example.com}/api/users"
+     *
+     * @example
+     * // S3 with region override
+     * source: "s3://my-bucket/fixtures/data.json"
+     */
+    source: string;
+    /**
+     * Headers for remote sources.
+     * Supports environment variable substitution: $VAR, ${VAR}, ${VAR:-default}
+     *
+     * @example
+     * headers:
+     *   Authorization: "Bearer $STAGING_API_TOKEN"
+     *   Cookie: "$STAGING_SESSION_COOKIE"
+     *   X-Api-Key: "${API_KEY:-test-key}"
+     */
+    headers?: Record<string, string>;
+}
+/**
+ * A verification command (e.g., build, lint, typecheck)
+ */
+export interface VerificationCommand {
+    /** Human-readable name */
+    name: string;
+    /** Shell command to run */
+    run: string;
+}
+/**
+ * @deprecated Use Fixture interface instead. This is kept for backwards compatibility.
+ */
+export interface FixtureEntry {
+    source: string;
+    headers?: Record<string, string>;
+}
+/**
+ * Project detection results
+ */
+export interface DetectedProject {
+    /** Detected framework */
+    framework?: 'vite' | 'nextjs' | 'remix' | 'nuxt' | 'sveltekit' | 'astro' | 'cra' | 'cloudflare-worker';
+    /** Detected package manager */
+    packageManager: 'npm' | 'pnpm' | 'yarn' | 'bun';
+    /** Whether this is a monorepo */
+    isMonorepo: boolean;
+    /** Monorepo tool if detected */
+    monorepoTool?: 'pnpm-workspaces' | 'lerna' | 'nx' | 'turborepo' | 'rush';
+    /** Detected services in monorepo */
+    services?: DetectedService[];
+    /** Suggested dev command */
+    suggestedDevCommand?: string;
+    /** Suggested port */
+    suggestedPort?: number;
+    /** Suggested ready pattern */
+    suggestedReadyPattern?: string;
+    /** Suggested auth bypass env var */
+    suggestedAuthBypass?: string;
+}
+/**
+ * Detected service in a monorepo
+ */
+export interface DetectedService {
+    name: string;
+    root: string;
+    type: 'server' | 'batch';
+    framework?: string;
+    suggestedCommand?: string;
+    suggestedPort?: number;
+}
+/**
+ * Auth credentials stored in Haystack
+ */
+export interface HaystackCredentials {
+    /** GitHub access token */
+    token: string;
+    /** Token expiration (ISO string) */
+    expiresAt?: string;
+    /** Associated GitHub username */
+    username?: string;
+}
+/**
+ * Stored secrets (in Haystack platform)
+ */
+export interface StoredSecret {
+    key: string;
+    createdAt: string;
+    updatedAt: string;
+}

package/dist/types.js

@@ -0,0 +1,6 @@
+/**
+ * Haystack CLI Types
+ *
+ * These types define the .haystack.yml schema that sandbox.py reads.
+ */
+export {};

package/dist/utils/config.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Configuration file utilities
+ */
+import type { HaystackConfig } from '../types.js';
+/**
+ * Find the config file by walking up the directory tree
+ */
+export declare function findConfigPath(startDir?: string): Promise<string | null>;
+/**
+ * Load and parse the config file
+ */
+export declare function loadConfig(configPath?: string): Promise<HaystackConfig | null>;
+/**
+ * Save config to file
+ */
+export declare function saveConfig(config: HaystackConfig, configPath?: string): Promise<string>;
+/**
+ * Check if config exists
+ */
+export declare function configExists(startDir?: string): Promise<boolean>;
+/**
+ * Get the project root (directory containing .haystack.yml or current dir)
+ */
+export declare function getProjectRoot(): Promise<string>;

package/dist/utils/config.js

@@ -0,0 +1,74 @@
+/**
+ * Configuration file utilities
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as yaml from 'yaml';
+const CONFIG_FILENAME = '.haystack.yml';
+/**
+ * Find the config file by walking up the directory tree
+ */
+export async function findConfigPath(startDir = process.cwd()) {
+    let dir = startDir;
+    while (true) {
+        const configPath = path.join(dir, CONFIG_FILENAME);
+        try {
+            await fs.access(configPath);
+            return configPath;
+        }
+        catch {
+            // Not found, try parent
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir) {
+            // Reached root
+            return null;
+        }
+        dir = parent;
+    }
+}
+/**
+ * Load and parse the config file
+ */
+export async function loadConfig(configPath) {
+    const resolvedPath = configPath || (await findConfigPath());
+    if (!resolvedPath) {
+        return null;
+    }
+    try {
+        const content = await fs.readFile(resolvedPath, 'utf-8');
+        return yaml.parse(content);
+    }
+    catch (err) {
+        throw new Error(`Failed to parse ${resolvedPath}: ${err.message}`);
+    }
+}
+/**
+ * Save config to file
+ */
+export async function saveConfig(config, configPath) {
+    const resolvedPath = configPath || path.join(process.cwd(), CONFIG_FILENAME);
+    const content = yaml.stringify(config, {
+        indent: 2,
+        lineWidth: 0, // Don't wrap lines
+    });
+    await fs.writeFile(resolvedPath, content, 'utf-8');
+    return resolvedPath;
+}
+/**
+ * Check if config exists
+ */
+export async function configExists(startDir) {
+    const configPath = await findConfigPath(startDir);
+    return configPath !== null;
+}
+/**
+ * Get the project root (directory containing .haystack.yml or current dir)
+ */
+export async function getProjectRoot() {
+    const configPath = await findConfigPath();
+    if (configPath) {
+        return path.dirname(configPath);
+    }
+    return process.cwd();
+}

package/dist/utils/detect.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Project detection utilities
+ *
+ * Auto-detects framework, package manager, monorepo structure, and services.
+ */
+import type { DetectedProject } from '../types.js';
+/**
+ * Detect project configuration
+ */
+export declare function detectProject(rootDir?: string): Promise<DetectedProject>;

package/dist/utils/detect.js

@@ -0,0 +1,306 @@
+/**
+ * Project detection utilities
+ *
+ * Auto-detects framework, package manager, monorepo structure, and services.
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+/**
+ * Detect project configuration
+ */
+export async function detectProject(rootDir = process.cwd()) {
+    const result = {
+        packageManager: await detectPackageManager(rootDir),
+        isMonorepo: false,
+    };
+    // Detect monorepo
+    const monorepo = await detectMonorepo(rootDir);
+    if (monorepo) {
+        result.isMonorepo = true;
+        result.monorepoTool = monorepo.tool;
+        result.services = await detectServices(rootDir, monorepo.workspaces);
+    }
+    // Detect framework
+    result.framework = await detectFramework(rootDir);
+    // Set suggestions based on framework
+    setSuggestions(result);
+    // Detect auth bypass from .env.example
+    result.suggestedAuthBypass = await detectAuthBypass(rootDir);
+    return result;
+}
+/**
+ * Detect package manager from lockfiles
+ */
+async function detectPackageManager(rootDir) {
+    const checks = [
+        { file: 'pnpm-lock.yaml', manager: 'pnpm' },
+        { file: 'yarn.lock', manager: 'yarn' },
+        { file: 'bun.lockb', manager: 'bun' },
+        { file: 'package-lock.json', manager: 'npm' },
+    ];
+    for (const { file, manager } of checks) {
+        try {
+            await fs.access(path.join(rootDir, file));
+            return manager;
+        }
+        catch {
+            // Not found, continue
+        }
+    }
+    return 'npm'; // Default
+}
+/**
+ * Detect monorepo structure
+ */
+async function detectMonorepo(rootDir) {
+    // Check pnpm workspaces
+    try {
+        const pnpmWorkspace = await fs.readFile(path.join(rootDir, 'pnpm-workspace.yaml'), 'utf-8');
+        const match = pnpmWorkspace.match(/packages:\s*\n([\s\S]*?)(?:\n\w|$)/);
+        if (match) {
+            const workspaces = match[1]
+                .split('\n')
+                .map((line) => line.trim().replace(/^-\s*['"]?|['"]?$/g, ''))
+                .filter(Boolean);
+            return { tool: 'pnpm-workspaces', workspaces };
+        }
+    }
+    catch {
+        // Not found
+    }
+    // Check package.json workspaces (yarn/npm)
+    try {
+        const pkgJson = JSON.parse(await fs.readFile(path.join(rootDir, 'package.json'), 'utf-8'));
+        if (pkgJson.workspaces) {
+            const workspaces = Array.isArray(pkgJson.workspaces)
+                ? pkgJson.workspaces
+                : pkgJson.workspaces.packages || [];
+            return { tool: 'pnpm-workspaces', workspaces };
+        }
+    }
+    catch {
+        // Not found
+    }
+    // Check for nx.json
+    try {
+        await fs.access(path.join(rootDir, 'nx.json'));
+        return { tool: 'nx', workspaces: ['packages/*', 'apps/*'] };
+    }
+    catch {
+        // Not found
+    }
+    // Check for turbo.json
+    try {
+        await fs.access(path.join(rootDir, 'turbo.json'));
+        return { tool: 'turborepo', workspaces: ['packages/*', 'apps/*'] };
+    }
+    catch {
+        // Not found
+    }
+    // Check for lerna.json
+    try {
+        await fs.access(path.join(rootDir, 'lerna.json'));
+        return { tool: 'lerna', workspaces: ['packages/*'] };
+    }
+    catch {
+        // Not found
+    }
+    return null;
+}
+/**
+ * Detect services in a monorepo
+ */
+async function detectServices(rootDir, workspacePatterns) {
+    const services = [];
+    const glob = await import('fast-glob');
+    for (const pattern of workspacePatterns) {
+        const matches = await glob.default(pattern, {
+            cwd: rootDir,
+            onlyDirectories: true,
+            ignore: ['node_modules'],
+        });
+        for (const match of matches) {
+            const service = await detectService(rootDir, match);
+            if (service) {
+                services.push(service);
+            }
+        }
+    }
+    // Also check common directories
+    const commonDirs = ['infra', 'services', 'apps', 'packages'];
+    for (const dir of commonDirs) {
+        try {
+            const entries = await fs.readdir(path.join(rootDir, dir), {
+                withFileTypes: true,
+            });
+            for (const entry of entries) {
+                if (entry.isDirectory()) {
+                    const servicePath = path.join(dir, entry.name);
+                    // Skip if already detected
+                    if (services.some((s) => s.root === servicePath))
+                        continue;
+                    const service = await detectService(rootDir, servicePath);
+                    if (service) {
+                        services.push(service);
+                    }
+                }
+            }
+        }
+        catch {
+            // Directory doesn't exist
+        }
+    }
+    return services;
+}
+/**
+ * Detect a single service
+ */
+async function detectService(rootDir, servicePath) {
+    const fullPath = path.join(rootDir, servicePath);
+    // Check for package.json
+    let pkgJson = null;
+    try {
+        pkgJson = JSON.parse(await fs.readFile(path.join(fullPath, 'package.json'), 'utf-8'));
+    }
+    catch {
+        return null; // No package.json, not a service
+    }
+    const name = pkgJson?.name?.replace(/^@[^/]+\//, '') || path.basename(servicePath);
+    const scripts = pkgJson?.scripts || {};
+    // Detect if it's a Cloudflare Worker
+    const isWorker = await hasFile(fullPath, 'wrangler.toml') ||
+        await hasFile(fullPath, 'wrangler.jsonc') ||
+        await hasFile(fullPath, 'wrangler.json');
+    // Detect framework
+    let framework;
+    let suggestedCommand;
+    let suggestedPort;
+    if (isWorker) {
+        framework = 'cloudflare-worker';
+        suggestedCommand = 'pnpm wrangler dev --local';
+        suggestedPort = 8787;
+    }
+    else if (await hasFile(fullPath, 'vite.config.ts') || await hasFile(fullPath, 'vite.config.js')) {
+        framework = 'vite';
+        suggestedCommand = 'pnpm dev';
+        suggestedPort = 5173;
+    }
+    else if (await hasFile(fullPath, 'next.config.js') || await hasFile(fullPath, 'next.config.ts')) {
+        framework = 'nextjs';
+        suggestedCommand = 'pnpm dev';
+        suggestedPort = 3000;
+    }
+    else if (scripts.dev) {
+        suggestedCommand = 'pnpm dev';
+        suggestedPort = 3000;
+    }
+    else if (scripts.start) {
+        suggestedCommand = 'pnpm start';
+    }
+    // Determine if it's a batch job or server
+    const type = name.includes('analysis') || name.includes('batch') || name.includes('job')
+        ? 'batch'
+        : 'server';
+    return {
+        name,
+        root: servicePath,
+        type,
+        framework,
+        suggestedCommand,
+        suggestedPort: type === 'server' ? suggestedPort : undefined,
+    };
+}
+/**
+ * Detect framework from config files
+ */
+async function detectFramework(rootDir) {
+    const checks = [
+        { files: ['vite.config.ts', 'vite.config.js'], framework: 'vite' },
+        { files: ['next.config.js', 'next.config.ts', 'next.config.mjs'], framework: 'nextjs' },
+        { files: ['remix.config.js', 'remix.config.ts'], framework: 'remix' },
+        { files: ['nuxt.config.ts', 'nuxt.config.js'], framework: 'nuxt' },
+        { files: ['svelte.config.js', 'svelte.config.ts'], framework: 'sveltekit' },
+        { files: ['astro.config.mjs', 'astro.config.ts'], framework: 'astro' },
+        { files: ['wrangler.toml', 'wrangler.jsonc'], framework: 'cloudflare-worker' },
+    ];
+    for (const { files, framework } of checks) {
+        for (const file of files) {
+            if (await hasFile(rootDir, file)) {
+                return framework;
+            }
+        }
+    }
+    // Check for CRA
+    try {
+        const pkgJson = JSON.parse(await fs.readFile(path.join(rootDir, 'package.json'), 'utf-8'));
+        if (pkgJson.dependencies?.['react-scripts']) {
+            return 'cra';
+        }
+    }
+    catch {
+        // Not found
+    }
+    return undefined;
+}
+/**
+ * Detect auth bypass env var from .env.example
+ */
+async function detectAuthBypass(rootDir) {
+    const envFiles = ['.env.example', '.env.local.example', '.env.development'];
+    for (const file of envFiles) {
+        try {
+            const content = await fs.readFile(path.join(rootDir, file), 'utf-8');
+            // Common patterns
+            const patterns = [
+                /^(SKIP_AUTH)=/m,
+                /^(BYPASS_AUTH)=/m,
+                /^(AUTH_DISABLED)=/m,
+                /^(MOCK_AUTH)=/m,
+                /^(NEXT_PUBLIC_MOCK_AUTH)=/m,
+                /^(VITE_MOCK_AUTH)=/m,
+                /^(VITE_SKIP_AUTH)=/m,
+            ];
+            for (const pattern of patterns) {
+                const match = content.match(pattern);
+                if (match) {
+                    return `${match[1]}=true`;
+                }
+            }
+        }
+        catch {
+            // File not found
+        }
+    }
+    return 'SKIP_AUTH=true'; // Default suggestion
+}
+/**
+ * Set suggestions based on detected framework
+ */
+function setSuggestions(result) {
+    const frameworkDefaults = {
+        vite: { command: 'pnpm dev', port: 5173, ready: 'Local:' },
+        nextjs: { command: 'pnpm dev', port: 3000, ready: 'Ready' },
+        remix: { command: 'pnpm dev', port: 3000, ready: 'started' },
+        nuxt: { command: 'pnpm dev', port: 3000, ready: 'Local:' },
+        sveltekit: { command: 'pnpm dev', port: 5173, ready: 'Local:' },
+        astro: { command: 'pnpm dev', port: 4321, ready: 'Local:' },
+        cra: { command: 'pnpm start', port: 3000, ready: 'Compiled' },
+        'cloudflare-worker': { command: 'pnpm wrangler dev', port: 8787, ready: 'Ready' },
+    };
+    const defaults = result.framework ? frameworkDefaults[result.framework] : null;
+    result.suggestedDevCommand = defaults?.command || `${result.packageManager} dev`;
+    result.suggestedPort = defaults?.port || 3000;
+    result.suggestedReadyPattern = defaults?.ready || 'ready|started|listening|Local:';
+}
+/**
+ * Check if a file exists
+ */
+async function hasFile(dir, file) {
+    try {
+        await fs.access(path.join(dir, file));
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/utils/secrets.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Secret Scanning & Validation
+ *
+ * Detects potential hardcoded secrets in configuration files
+ * before they can be committed to version control.
+ *
+ * Based on patterns from:
+ * - GitHub secret scanning
+ * - detect-secrets
+ * - truffleHog
+ */
+/**
+ * Detected secret finding
+ */
+export interface SecretFinding {
+    pattern: string;
+    description: string;
+    severity: 'high' | 'medium' | 'low';
+    line: number;
+    column: number;
+    match: string;
+    file: string;
+}
+/**
+ * Scan content for potential secrets
+ */
+export declare function scanForSecrets(content: string, filename: string): SecretFinding[];
+/**
+ * Scan a file for secrets
+ */
+export declare function scanFile(filePath: string): Promise<SecretFinding[]>;
+/**
+ * Scan .haystack.yml specifically for secrets
+ */
+export declare function scanHaystackConfig(configPath: string): Promise<SecretFinding[]>;
+/**
+ * Validate that a config doesn't contain hardcoded secrets
+ * Returns true if safe, false if secrets detected
+ */
+export declare function validateConfigSecurity(configPath: string): Promise<{
+    safe: boolean;
+    findings: SecretFinding[];
+}>;
+/**
+ * Get a security report string for display
+ */
+export declare function formatSecurityReport(findings: SecretFinding[]): string;