@lanonasis/cli 3.6.7 → 3.7.0

package/README.md

@@ -1,4 +1,4 @@
-# @lanonasis/cli v3.4.15 - Enhanced MCP & Interactive CLI Experience
+# @lanonasis/cli v3.7.0 - Enterprise Security & MCP Experience
 
 [![NPM Version](https://img.shields.io/npm/v/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
 [![Downloads](https://img.shields.io/npm/dt/@lanonasis/cli)](https://www.npmjs.com/package/@lanonasis/cli)
@@ -53,7 +53,24 @@ memory list
 maas memory list
 ```
 
-## 🔐 Authentication Methods
+## 🔐 Security & Authentication
+
+### Enterprise-Grade SHA-256 Security (v3.7.0+)
+
+All API keys are now secured with SHA-256 cryptographic hashing:
+
+- ✅ **Automatic Hash Normalization**: Keys are automatically hashed before transmission
+- ✅ **Double-Hash Prevention**: Smart detection prevents re-hashing already hashed keys
+- ✅ **Cross-Platform Compatibility**: Works seamlessly across Node.js and browser environments
+- ✅ **Zero Configuration**: Security is automatic and transparent
+
+```typescript
+// Hash utilities are built-in and automatic
+// Your vendor keys are automatically secured
+onasis login --vendor-key pk_xxxxx.sk_xxxxx  // ✅ Automatically hashed
+```
+
+### Authentication Methods
 
 ### 1. Vendor Key Authentication (Recommended)
 

package/dist/commands/auth.js

@@ -5,6 +5,7 @@ import open from 'open';
 import crypto from 'crypto';
 import http from 'http';
 import url from 'url';
+import axios from 'axios';
 import { apiClient } from '../utils/api.js';
 import { CLIConfig } from '../utils/config.js';
 // Color scheme
@@ -242,16 +243,40 @@ function createCallbackServer(port = 8888) {
 /**
  * Exchange authorization code for OAuth2 tokens
  */
-async function exchangeCodeForTokens(code, verifier, authBase) {
+async function exchangeCodeForTokens(code, verifier, authBase, redirectUri) {
     const tokenEndpoint = `${authBase}/oauth/token`;
-    const response = await apiClient.post(tokenEndpoint, {
-        grant_type: 'authorization_code',
-        code,
-        code_verifier: verifier,
-        client_id: 'lanonasis-cli',
-        redirect_uri: 'http://localhost:8888/callback'
-    });
-    return response;
+    try {
+        // Use axios directly to have full control over error handling
+        const response = await axios.post(tokenEndpoint, {
+            grant_type: 'authorization_code',
+            code,
+            code_verifier: verifier,
+            client_id: 'lanonasis-cli',
+            redirect_uri: redirectUri
+        }, {
+            headers: {
+                'Content-Type': 'application/json',
+            }
+        });
+        return response.data;
+    }
+    catch (error) {
+        // Extract detailed error information from axios error response
+        if (error.response) {
+            const errorData = error.response.data || {};
+            const status = error.response.status;
+            const errorMessage = errorData.error_description || errorData.error || error.message || `Request failed with status code ${status}`;
+            const details = errorData.details;
+            const enhancedError = new Error(errorMessage);
+            enhancedError.response = error.response;
+            enhancedError.status = status;
+            enhancedError.details = details;
+            enhancedError.errorData = errorData;
+            throw enhancedError;
+        }
+        // If it's not an axios error, just rethrow
+        throw error;
+    }
 }
 /**
  * Refresh OAuth2 access token using refresh token
@@ -618,10 +643,11 @@ async function handleOAuthFlow(config) {
         console.log(chalk.gray(`   ✓ Started local callback server on port ${callbackPort}`));
         // Build OAuth2 authorization URL
         const authBase = config.getDiscoveredApiUrl();
+        const redirectUri = `http://localhost:${callbackPort}/callback`;
         const authUrl = new URL(`${authBase}/oauth/authorize`);
         authUrl.searchParams.set('response_type', 'code');
         authUrl.searchParams.set('client_id', 'lanonasis-cli');
-        authUrl.searchParams.set('redirect_uri', `http://localhost:${callbackPort}/callback`);
+        authUrl.searchParams.set('redirect_uri', redirectUri);
         authUrl.searchParams.set('scope', 'read write offline_access');
         authUrl.searchParams.set('code_challenge', pkce.challenge);
         authUrl.searchParams.set('code_challenge_method', 'S256');
@@ -639,7 +665,14 @@ async function handleOAuthFlow(config) {
         // Exchange code for tokens
         spinner.text = 'Exchanging code for access tokens...';
         spinner.start();
-        const tokens = await exchangeCodeForTokens(code, pkce.verifier, authBase);
+        // Debug logging in verbose mode
+        if (process.env.CLI_VERBOSE === 'true') {
+            console.log(chalk.dim(`   Code length: ${code.length}`));
+            console.log(chalk.dim(`   Verifier length: ${pkce.verifier.length}`));
+            console.log(chalk.dim(`   Redirect URI: ${redirectUri}`));
+            console.log(chalk.dim(`   Token endpoint: ${authBase}/oauth/token`));
+        }
+        const tokens = await exchangeCodeForTokens(code, pkce.verifier, authBase, redirectUri);
         spinner.succeed('Access tokens received');
         // Store tokens
         await config.setToken(tokens.access_token);
@@ -653,8 +686,49 @@ async function handleOAuthFlow(config) {
     }
     catch (error) {
         console.error(chalk.red('✖ OAuth2 authentication failed'));
+        // Display detailed error information
         const errorMessage = error instanceof Error ? error.message : 'Unknown error';
         console.error(chalk.gray(`   ${errorMessage}`));
+        // Show validation details if available
+        if (error.details) {
+            console.error(chalk.yellow('\n   Validation errors:'));
+            for (const [field, messages] of Object.entries(error.details)) {
+                const msgArray = Array.isArray(messages) ? messages : [messages];
+                msgArray.forEach((msg) => {
+                    console.error(chalk.gray(`     • ${field}: ${msg}`));
+                });
+            }
+        }
+        // Show error data if available
+        if (error.errorData) {
+            const errorData = error.errorData;
+            if (errorData.error) {
+                console.error(chalk.yellow(`\n   Error: ${errorData.error}`));
+            }
+            if (errorData.error_description) {
+                console.error(chalk.gray(`   ${errorData.error_description}`));
+            }
+            // Show details if not already shown above
+            if (!error.details && errorData.details) {
+                console.error(chalk.yellow('\n   Details:'));
+                console.error(chalk.gray(JSON.stringify(errorData.details, null, 2)));
+            }
+        }
+        // Show full error response in verbose mode
+        if (process.env.CLI_VERBOSE === 'true') {
+            if (error.response?.data) {
+                console.error(chalk.dim('\n   Full error response:'));
+                console.error(chalk.dim(JSON.stringify(error.response.data, null, 2)));
+            }
+            if (error.response?.config) {
+                console.error(chalk.dim('\n   Request config:'));
+                console.error(chalk.dim(JSON.stringify({
+                    url: error.response.config.url,
+                    method: error.response.config.method,
+                    data: error.response.config.data
+                }, null, 2)));
+            }
+        }
         process.exit(1);
     }
 }

package/dist/commands/mcp.js

@@ -178,6 +178,50 @@ export function mcpCommands(program) {
         // Reload config from disk to get latest preference
         await client.init();
         const status = client.getConnectionStatus();
+        // Also perform a lightweight live health check against the MCP HTTP endpoint
+        const config = new CLIConfig();
+        await config.init();
+        let healthLabel = chalk.gray('Unknown');
+        let healthDetails;
+        try {
+            const axios = (await import('axios')).default;
+            // Derive MCP health URL from discovered REST base (e.g. https://mcp.lanonasis.com/api/v1 -> https://mcp.lanonasis.com/health)
+            const restUrl = config.getMCPRestUrl();
+            const rootBase = restUrl.replace(/\/api\/v1$/, '');
+            const healthUrl = `${rootBase}/health`;
+            const token = config.getToken();
+            const vendorKey = config.getVendorKey();
+            const headers = {};
+            if (vendorKey) {
+                headers['X-API-Key'] = vendorKey;
+                headers['X-Auth-Method'] = 'vendor_key';
+            }
+            else if (token) {
+                headers['Authorization'] = `Bearer ${token}`;
+                headers['X-Auth-Method'] = 'jwt';
+            }
+            const response = await axios.get(healthUrl, {
+                headers,
+                timeout: 5000
+            });
+            const overallStatus = String(response.data?.status ?? '').toLowerCase();
+            const ok = response.status === 200 && (!overallStatus || overallStatus === 'healthy');
+            if (ok) {
+                healthLabel = chalk.green('Reachable');
+            }
+            else {
+                healthLabel = chalk.yellow('Degraded');
+            }
+        }
+        catch (error) {
+            healthLabel = chalk.red('Unreachable');
+            if (error instanceof Error) {
+                healthDetails = error.message;
+            }
+            else if (error !== null && error !== undefined) {
+                healthDetails = String(error);
+            }
+        }
         console.log(chalk.cyan('\n📊 MCP Connection Status'));
         console.log(chalk.cyan('========================'));
         console.log(`Status: ${status.connected ? chalk.green('Connected') : chalk.red('Disconnected')}`);
@@ -198,6 +242,10 @@ export function mcpCommands(program) {
         }
         console.log(`Mode: ${modeDisplay}`);
         console.log(`Server: ${status.server}`);
+        console.log(`Health: ${healthLabel}`);
+        if (healthDetails && process.env.CLI_VERBOSE === 'true') {
+            console.log(chalk.gray(`Health details: ${healthDetails}`));
+        }
         if (status.connected) {
             if (status.mode === 'remote') {
                 console.log(`\n${chalk.cyan('Features:')}`);

package/dist/mcp/client/enhanced-client.js

@@ -128,11 +128,7 @@ export class EnhancedMCPClient extends EventEmitter {
             name: `lanonasis-cli-${config.name}`,
             version: '3.0.1'
         }, {
-            capabilities: {
-                tools: {},
-                resources: {},
-                prompts: {}
-            }
+            capabilities: {}
         });
         await client.connect(transport);
         return client;

package/dist/utils/api.js

@@ -2,6 +2,7 @@ import axios from 'axios';
 import chalk from 'chalk';
 import { randomUUID } from 'crypto';
 import { CLIConfig } from './config.js';
+import { ensureApiKeyHash } from './hash-utils.js';
 export class APIClient {
     client;
     config;
@@ -30,7 +31,7 @@ export class APIClient {
             const vendorKey = this.config.getVendorKey();
             if (vendorKey) {
                 // Vendor key authentication (validated server-side)
-                config.headers['X-API-Key'] = vendorKey;
+                config.headers['X-API-Key'] = ensureApiKeyHash(vendorKey);
                 config.headers['X-Auth-Method'] = 'vendor_key';
             }
             else if (token) {

package/dist/utils/hash-utils.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Local Hash Utilities for CLI
+ * Copied from shared/hash-utils.ts to avoid TypeScript rootDir issues
+ */
+/**
+ * Determine if the provided value is already a SHA-256 hex digest
+ */
+export declare function isSha256Hash(value: string): boolean;
+/**
+ * Hash an API key with SHA-256
+ * Used for: Database storage, validation, lookups
+ *
+ * @param apiKey - The raw API key to hash
+ * @returns SHA-256 hash as hex string (64 characters)
+ */
+export declare function hashApiKey(apiKey: string): string;
+/**
+ * Normalize any API key input to a SHA-256 hex digest
+ * Leaves an existing 64-char hex hash untouched to prevent double hashing
+ */
+export declare function ensureApiKeyHash(apiKey: string): string;
+export type ApiKeyHash = string;
+export type ApiKey = string;

package/dist/utils/hash-utils.js

@@ -0,0 +1,37 @@
+/**
+ * Local Hash Utilities for CLI
+ * Copied from shared/hash-utils.ts to avoid TypeScript rootDir issues
+ */
+import crypto from 'crypto';
+/**
+ * Determine if the provided value is already a SHA-256 hex digest
+ */
+export function isSha256Hash(value) {
+    return typeof value === 'string' && /^[a-f0-9]{64}$/i.test(value.trim());
+}
+/**
+ * Hash an API key with SHA-256
+ * Used for: Database storage, validation, lookups
+ *
+ * @param apiKey - The raw API key to hash
+ * @returns SHA-256 hash as hex string (64 characters)
+ */
+export function hashApiKey(apiKey) {
+    if (!apiKey || typeof apiKey !== 'string') {
+        throw new Error('API key must be a non-empty string');
+    }
+    return crypto
+        .createHash('sha256')
+        .update(apiKey)
+        .digest('hex');
+}
+/**
+ * Normalize any API key input to a SHA-256 hex digest
+ * Leaves an existing 64-char hex hash untouched to prevent double hashing
+ */
+export function ensureApiKeyHash(apiKey) {
+    if (isSha256Hash(apiKey)) {
+        return apiKey.toLowerCase();
+    }
+    return hashApiKey(apiKey);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lanonasis/cli",
-  "version": "3.6.7",
+  "version": "3.7.0",
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",