@luquimbo/bi-superpowers 1.2.2 → 2.0.0

package/bin/lib/licensing/storage.js

@@ -1,404 +0,0 @@
-/**
- * License Storage Module
- * ======================
- *
- * Handles license persistence and premium content management.
- * Licenses are stored in ~/.bi-superpowers-license as JSON.
- *
- * @module lib/licensing/storage
- */
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-const AdmZip = require('adm-zip');
-
-/** Path to the license file stored in user's home directory */
-const LICENSE_FILE = path.join(os.homedir(), '.bi-superpowers-license');
-
-/** Directory for cached premium content (skills, snippets, themes) */
-const CONTENT_CACHE_DIR = path.join(os.homedir(), '.bi-superpowers');
-
-/** Directory containing skill definition files (.md) */
-const SKILLS_DIR = path.join(CONTENT_CACHE_DIR, '.agents', 'prompts', 'skills');
-
-/**
- * Load saved license from disk
- *
- * Reads the license file from the user's home directory. The license contains:
- * - license: The license key string
- * - email: User's email address
- * - name: User's name (optional)
- * - activatedAt: ISO timestamp of activation
- * - contentVersion: Version when content was last downloaded
- *
- * @returns {Object|null} License data object or null if not found/invalid
- */
-function loadLicense() {
-  try {
-    if (fs.existsSync(LICENSE_FILE)) {
-      const data = JSON.parse(fs.readFileSync(LICENSE_FILE, 'utf8'));
-      return data;
-    }
-  } catch (e) {
-    if (process.env.DEBUG === 'true') {
-      console.error(`[DEBUG] Failed to load license: ${e.message}`);
-    }
-  }
-  return null;
-}
-
-/**
- * Save license to disk
- *
- * Persists license data to ~/.bi-superpowers-license for future sessions.
- *
- * @param {Object} data - License data to save
- * @param {string} data.license - The license key
- * @param {string} data.email - User's email
- * @param {string} [data.name] - User's name
- * @param {string} data.activatedAt - Activation timestamp
- * @param {string} data.contentVersion - Content version
- */
-function saveLicense(data) {
-  try {
-    fs.writeFileSync(LICENSE_FILE, JSON.stringify(data, null, 2));
-  } catch (err) {
-    throw new Error(
-      `No pude guardar la licencia en ${LICENSE_FILE}: ${err.message}. ` +
-        'Revisá los permisos de tu directorio home.'
-    );
-  }
-}
-
-/**
- * Clear saved license from disk
- *
- * Removes the license file, effectively logging out the user.
- * Used when a license becomes invalid or user wants to switch accounts.
- */
-function clearLicense() {
-  try {
-    if (fs.existsSync(LICENSE_FILE)) {
-      fs.unlinkSync(LICENSE_FILE);
-    }
-  } catch (e) {
-    if (process.env.DEBUG === 'true') {
-      console.error(`[DEBUG] Failed to clear license: ${e.message}`);
-    }
-  }
-}
-
-/**
- * Check if premium content is installed
- *
- * Verifies that the skills directory exists and contains at least one .md file.
- * Used to determine if content needs to be downloaded during license validation.
- *
- * @returns {boolean} True if skills directory exists with content
- */
-function isContentInstalled() {
-  return (
-    fs.existsSync(SKILLS_DIR) &&
-    fs.readdirSync(SKILLS_DIR).filter((f) => f.endsWith('.md')).length > 0
-  );
-}
-
-/**
- * Download file from URL to local filesystem
- *
- * Streams the response directly to a file to handle large downloads efficiently.
- * Automatically follows HTTP 301/302 redirects.
- *
- * @param {string} url - URL of the file to download
- * @param {string} destPath - Local path where file will be saved
- * @returns {Promise<void>} Resolves when download is complete
- * @throws {Error} On network errors or non-200 status codes
- */
-function downloadFile(url, destPath) {
-  return downloadFileInternal(url, destPath, 0);
-}
-
-/**
- * Resolve a redirect Location header to an absolute URL.
- *
- * @param {string|URL} currentUrl - The current request URL
- * @param {string} location - The Location header value
- * @returns {string} Absolute URL string
- */
-function resolveRedirectUrl(currentUrl, location) {
-  const baseUrl = currentUrl instanceof URL ? currentUrl : new URL(currentUrl);
-  return new URL(location, baseUrl).toString();
-}
-
-function safeUnlink(filePath) {
-  try {
-    fs.unlinkSync(filePath);
-  } catch (e) {
-    // Ignore missing file or cleanup failures
-  }
-}
-
-function downloadFileInternal(url, destPath, redirectCount) {
-  return new Promise((resolve, reject) => {
-    const urlObj = new URL(url);
-    if (urlObj.protocol !== 'https:') {
-      reject(new Error(`Insecure download URL (HTTPS required): ${url}`));
-      return;
-    }
-
-    const MAX_REDIRECTS = 5;
-    const TIMEOUT_MS = 30000;
-    const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
-
-    const request = https.get(urlObj, (response) => {
-      const status = response.statusCode || 0;
-
-      // Handle redirects (including relative Location headers)
-      if (REDIRECT_STATUSES.has(status)) {
-        response.resume();
-
-        if (redirectCount >= MAX_REDIRECTS) {
-          reject(new Error(`Download failed: too many redirects (${MAX_REDIRECTS})`));
-          return;
-        }
-
-        const location = response.headers.location;
-        if (!location) {
-          reject(new Error(`Download failed: redirect (${status}) without Location header`));
-          return;
-        }
-
-        const nextUrl = resolveRedirectUrl(urlObj, location);
-        downloadFileInternal(nextUrl, destPath, redirectCount + 1)
-          .then(resolve)
-          .catch(reject);
-        return;
-      }
-
-      if (status !== 200) {
-        response.resume();
-        reject(new Error(`Download failed with status ${status}`));
-        return;
-      }
-
-      // Only create the output file once we know the response is successful.
-      const file = fs.createWriteStream(destPath);
-
-      file.on('error', (err) => {
-        response.destroy();
-        file.close(() => {
-          safeUnlink(destPath);
-          reject(err);
-        });
-      });
-
-      response.on('error', (err) => {
-        file.close(() => {
-          safeUnlink(destPath);
-          reject(err);
-        });
-      });
-
-      response.pipe(file);
-
-      file.on('finish', () => {
-        file.close(() => resolve());
-      });
-    });
-
-    request.setTimeout(TIMEOUT_MS, () => {
-      request.destroy(new Error(`Download request timed out after ${TIMEOUT_MS}ms`));
-    });
-
-    request.on('error', (err) => {
-      safeUnlink(destPath);
-      reject(err);
-    });
-  });
-}
-
-/**
- * Extract ZIP file to destination directory
- * Uses native unzip command (macOS/Linux) or PowerShell (Windows)
- *
- * Security: Uses spawnSync with array arguments to prevent command injection
- *
- * @param {string} zipPath - Path to the ZIP file to extract
- * @param {string} destDir - Destination directory for extraction
- * @returns {Promise<void>} Resolves when extraction is complete
- * @throws {Error} If extraction fails
- */
-function isUnsafeZipEntry(entryName, destRoot) {
-  if (!entryName) return true;
-
-  const normalized = entryName.replace(/\\/g, '/');
-
-  // Disallow absolute paths and Windows drive letters
-  if (normalized.startsWith('/') || normalized.startsWith('\\')) return true;
-  if (/^[A-Za-z]:/.test(normalized)) return true;
-  if (normalized.startsWith('//')) return true;
-
-  const targetPath = path.resolve(destRoot, entryName);
-  const relative = path.relative(destRoot, targetPath);
-
-  return relative.startsWith('..') || path.isAbsolute(relative);
-}
-
-/**
- * Verifica que el archivo tenga los magic bytes de un ZIP válido.
- * Los ZIP empiezan con la signature PK\x03\x04 (o PK\x05\x06 si está vacío).
- * @param {string} zipPath - Ruta al archivo a verificar
- * @throws {Error} Si el archivo no tiene signature de ZIP
- */
-function verifyZipMagicBytes(zipPath) {
-  const header = Buffer.alloc(4);
-  const fd = fs.openSync(zipPath, 'r');
-  try {
-    fs.readSync(fd, header, 0, 4, 0);
-  } finally {
-    fs.closeSync(fd);
-  }
-
-  // ZIP local file header: PK\x03\x04
-  // ZIP empty archive: PK\x05\x06
-  const isLocalFile =
-    header[0] === 0x50 && header[1] === 0x4b && header[2] === 0x03 && header[3] === 0x04;
-  const isEmpty =
-    header[0] === 0x50 && header[1] === 0x4b && header[2] === 0x05 && header[3] === 0x06;
-
-  if (!isLocalFile && !isEmpty) {
-    throw new Error(
-      `El archivo descargado no es un ZIP válido (magic bytes inesperados: ${header.toString('hex')}). ` +
-        'Puede que el servidor haya retornado HTML u otro formato.'
-    );
-  }
-}
-
-function extractZip(zipPath, destDir) {
-  return new Promise((resolve, reject) => {
-    try {
-      // Ensure destination directory exists
-      if (!fs.existsSync(destDir)) {
-        fs.mkdirSync(destDir, { recursive: true });
-      }
-
-      // Verify magic bytes before handing to AdmZip
-      verifyZipMagicBytes(zipPath);
-
-      const destRoot = path.resolve(destDir);
-      const zip = new AdmZip(zipPath);
-      const entries = zip.getEntries();
-
-      for (const entry of entries) {
-        if (isUnsafeZipEntry(entry.entryName, destRoot)) {
-          throw new Error(`Unsafe ZIP entry detected: ${entry.entryName}`);
-        }
-      }
-
-      zip.extractAllTo(destRoot, true);
-
-      resolve();
-    } catch (error) {
-      reject(new Error(`Failed to extract ZIP safely: ${error.message}`));
-    }
-  });
-}
-
-/**
- * Download and install premium content from license server
- *
- * This function:
- * 1. Creates the content cache directory if needed
- * 2. Downloads a ZIP file containing skills, snippets, themes, etc.
- * 3. Extracts the ZIP to ~/.bi-superpowers/
- * 4. Cleans up the temporary ZIP file
- * 5. Verifies the skills directory was created correctly
- *
- * @param {string} downloadUrl - URL provided by license validation API
- * @returns {Promise<boolean>} True if download and extraction succeeded
- */
-async function downloadPremiumContent(downloadUrl) {
-  console.log('Downloading premium content...');
-
-  // Ensure cache directory exists
-  if (!fs.existsSync(CONTENT_CACHE_DIR)) {
-    fs.mkdirSync(CONTENT_CACHE_DIR, { recursive: true });
-  }
-
-  const zipPath = path.join(CONTENT_CACHE_DIR, 'content.zip');
-
-  try {
-    // Download the ZIP file
-    await downloadFile(downloadUrl, zipPath);
-    console.log('✓ Download complete');
-
-    // Extract the ZIP file
-    console.log('Extracting content...');
-    await extractZip(zipPath, CONTENT_CACHE_DIR);
-    console.log('✓ Extraction complete');
-
-    // Clean up ZIP file
-    fs.unlinkSync(zipPath);
-
-    // Verify skills directory exists
-    if (!fs.existsSync(SKILLS_DIR)) {
-      throw new Error('Skills directory not found after extraction');
-    }
-
-    const skillCount = fs.readdirSync(SKILLS_DIR).filter((f) => f.endsWith('.md')).length;
-    console.log(`✓ ${skillCount} skills installed`);
-
-    return true;
-  } catch (error) {
-    console.error('Content download failed:', error.message);
-    // Clean up failed download
-    if (fs.existsSync(zipPath)) {
-      fs.unlinkSync(zipPath);
-    }
-    return false;
-  }
-}
-
-/**
- * Get the content cache directory path
- * @returns {string} Path to content cache
- */
-function getContentCacheDir() {
-  return CONTENT_CACHE_DIR;
-}
-
-/**
- * Get the skills directory path
- * @returns {string} Path to skills directory
- */
-function getSkillsDir() {
-  return SKILLS_DIR;
-}
-
-/**
- * Get the license file path
- * @returns {string} Path to license file
- */
-function getLicenseFile() {
-  return LICENSE_FILE;
-}
-
-module.exports = {
-  loadLicense,
-  saveLicense,
-  clearLicense,
-  isContentInstalled,
-  downloadFile,
-  extractZip,
-  downloadPremiumContent,
-  getContentCacheDir,
-  getSkillsDir,
-  getLicenseFile,
-  _isUnsafeZipEntry: isUnsafeZipEntry,
-  _resolveRedirectUrl: resolveRedirectUrl,
-  LICENSE_FILE,
-  CONTENT_CACHE_DIR,
-  SKILLS_DIR,
-};

package/bin/lib/licensing/storage.test.js

@@ -1,55 +0,0 @@
-const test = require('node:test');
-const assert = require('node:assert/strict');
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-const AdmZip = require('adm-zip');
-const storage = require('./storage');
-
-function makeTempDir() {
-  return fs.mkdtempSync(path.join(os.tmpdir(), 'bi-superpowers-'));
-}
-
-test('extractZip extracts safe entries', async () => {
-  const dir = makeTempDir();
-  const zipPath = path.join(dir, 'safe.zip');
-  const zip = new AdmZip();
-  zip.addFile('foo.txt', Buffer.from('ok'));
-  zip.writeZip(zipPath);
-
-  const dest = path.join(dir, 'out');
-  await storage.extractZip(zipPath, dest);
-
-  const content = fs.readFileSync(path.join(dest, 'foo.txt'), 'utf8');
-  assert.equal(content, 'ok');
-});
-
-test('rejects path traversal entries', () => {
-  const destRoot = path.resolve(makeTempDir());
-  assert.equal(storage._isUnsafeZipEntry('../evil.txt', destRoot), true);
-  assert.equal(storage._isUnsafeZipEntry('..\\\\evil.txt', destRoot), true);
-});
-
-test('rejects absolute path entries', () => {
-  const destRoot = path.resolve(makeTempDir());
-  assert.equal(storage._isUnsafeZipEntry('/abs.txt', destRoot), true);
-  assert.equal(storage._isUnsafeZipEntry('C:\\\\abs.txt', destRoot), true);
-});
-
-test('downloadFile rejects non-https URLs', async () => {
-  const dir = makeTempDir();
-  const dest = path.join(dir, 'file.zip');
-
-  await assert.rejects(
-    () => storage.downloadFile('http://example.com/file.zip', dest),
-    /HTTPS required/
-  );
-});
-
-test('_resolveRedirectUrl resolves relative redirects', () => {
-  const resolved = storage._resolveRedirectUrl(
-    'https://example.com/path/file.zip',
-    '/downloads/content.zip'
-  );
-  assert.equal(resolved, 'https://example.com/downloads/content.zip');
-});

package/bin/lib/licensing/validator.js

@@ -1,213 +0,0 @@
-/**
- * License Validator Module
- * ========================
- *
- * Handles license validation against the Acadevor API server.
- *
- * @module lib/licensing/validator
- */
-
-const https = require('https');
-const http = require('http');
-
-const storage = require('./storage');
-
-/** Base URL for license validation and content download API */
-const API_BASE_URL = process.env.BIAS_API_URL || 'https://acadevor.com';
-
-/**
- * Make HTTP(S) request with JSON body
- *
- * Generic HTTP client that:
- * - Automatically selects http/https based on URL protocol
- * - Handles JSON serialization/deserialization
- * - Returns both status code and parsed data
- *
- * @param {string} url - Full URL to request
- * @param {Object} options - Node.js http/https request options
- * @param {string} [options.method='GET'] - HTTP method
- * @param {Object} [options.headers] - Request headers
- * @param {Object} [data] - Request body (will be JSON.stringify'd)
- * @returns {Promise<{status: number, data: Object|string}>} Response object
- * @throws {Error} On network errors
- */
-function makeRequest(url, options, data) {
-  return new Promise((resolve, reject) => {
-    const urlObj = new URL(url);
-    const protocol = urlObj.protocol === 'https:' ? https : http;
-
-    const req = protocol.request(url, options, (res) => {
-      let body = '';
-      res.on('data', (chunk) => (body += chunk));
-      res.on('end', () => {
-        try {
-          resolve({
-            status: res.statusCode,
-            data: body ? JSON.parse(body) : null,
-          });
-        } catch (e) {
-          resolve({
-            status: res.statusCode,
-            data: body,
-          });
-        }
-      });
-    });
-
-    req.on('error', reject);
-
-    if (data) {
-      req.write(JSON.stringify(data));
-    }
-
-    req.end();
-  });
-}
-
-/**
- * Validate license with the Acadevor API server
- *
- * Makes a POST request to /api/licenses/validate to check if a license key
- * is valid and active. Returns license metadata and download URL if valid.
- *
- * @param {string} licenseKey - The license key to validate
- * @returns {Promise<Object>} Validation result
- * @returns {boolean} .valid - Whether the license is valid
- * @returns {string} [.email] - User's email if valid
- * @returns {string} [.name] - User's name if valid
- * @returns {string} [.downloadUrl] - URL to download premium content
- * @returns {string} [.error] - Error message if invalid
- */
-async function validateLicense(licenseKey) {
-  // Skip validation in dev mode (requires secret env var)
-  if (process.env.BIAS_DEV_MODE === 'true') {
-    return { valid: true, email: 'developer@local' };
-  }
-
-  try {
-    const response = await makeRequest(
-      `${API_BASE_URL}/api/licenses/validate`,
-      {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-      },
-      { license: licenseKey }
-    );
-
-    return response.data;
-  } catch (error) {
-    console.error('Validation error:', error.message);
-    return { valid: false, error: 'Connection failed' };
-  }
-}
-
-/**
- * Check if license is valid before running premium commands
- *
- * This function acts as a gatekeeper for commands that require premium content.
- * It performs the following checks:
- * 1. Verifies a local license file exists
- * 2. Re-validates the license against the API server
- * 3. Downloads content if not already installed
- *
- * Called by kickoff, recharge, and other premium commands.
- *
- * @param {string} version - Current package version for content versioning
- * @returns {Promise<Object>} Validation result from API
- * @throws {Error} Exits process if license is invalid or content download fails
- */
-async function requireLicense(version) {
-  const license = storage.loadLicense();
-
-  if (!license) {
-    console.log(`
-═══════════════════════════════════════════════════════════════
-  LICENSE REQUIRED
-═══════════════════════════════════════════════════════════════
-
-  BI Agent Superpowers requires a valid license to use.
-
-  To activate your license, run:
-
-    super unlock
-
-  Get your license at: https://acadevor.com/bi-superpowers
-
-═══════════════════════════════════════════════════════════════
-`);
-    process.exit(1);
-  }
-
-  // Re-validate license with server
-  console.log('Verifying license...');
-  const result = await validateLicense(license.license);
-
-  if (!result.valid) {
-    console.log(`\n✗ License no longer valid: ${result.error}`);
-    storage.clearLicense();
-    console.log('\nPlease run "bi-superpowers unlock" with a valid license key.');
-    process.exit(1);
-  }
-
-  console.log(`✓ License valid (${license.email})`);
-
-  const contentInstalled = storage.isContentInstalled();
-
-  // Check if content is installed, download if needed
-  if (!contentInstalled) {
-    console.log('\nPremium content not found. Downloading...');
-    if (result.downloadUrl) {
-      const downloaded = await storage.downloadPremiumContent(result.downloadUrl);
-      if (!downloaded) {
-        console.log('\n✗ Content download failed. Please check your internet connection.');
-        console.log('You can retry with "bi-superpowers unlock"');
-        process.exit(1);
-      }
-      // Persist the content version once we successfully downloaded the content.
-      storage.saveLicense({ ...license, contentVersion: version });
-    } else {
-      console.log('\n✗ No download URL provided. Please re-activate your license.');
-      console.log('Run "bi-superpowers unlock" to download content.');
-      process.exit(1);
-    }
-  } else if (license.contentVersion !== version) {
-    // Best-effort refresh: do not block if the user already has content installed.
-    const previousVersion = license.contentVersion || 'unknown';
-    console.log(
-      `\nPremium content may be outdated (${previousVersion} → ${version}). Refreshing...`
-    );
-
-    if (result.downloadUrl) {
-      const refreshed = await storage.downloadPremiumContent(result.downloadUrl);
-      if (refreshed) {
-        storage.saveLicense({ ...license, contentVersion: version });
-        console.log('✓ Premium content refreshed');
-      } else {
-        console.log('⚠ Premium content refresh failed. Continuing with existing content.');
-      }
-    } else {
-      console.log(
-        '⚠ No download URL provided to refresh premium content. Continuing with existing content.'
-      );
-    }
-  }
-
-  console.log('');
-  return result;
-}
-
-/**
- * Get the API base URL
- * @returns {string} API base URL
- */
-function getApiBaseUrl() {
-  return API_BASE_URL;
-}
-
-module.exports = {
-  makeRequest,
-  validateLicense,
-  requireLicense,
-  getApiBaseUrl,
-  API_BASE_URL,
-};