@mushi-mushi/core 0.2.1 → 0.3.1

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,51 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
+
+Examples of unacceptable behavior:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at **security@mushimushi.dev**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.

package/CONTRIBUTING.md

@@ -0,0 +1,122 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Contributing to Mushi Mushi
+
+Thanks for wanting to help. Here's everything you need to get started.
+
+## Prerequisites
+
+- **Node.js >= 22** (see `.node-version`)
+- **pnpm >= 10** — install with `corepack enable`
+
+## Setup
+
+```bash
+git clone https://github.com/kensaurus/mushi-mushi.git
+cd mushi-mushi
+pnpm install
+pnpm build
+```
+
+## Development
+
+```bash
+pnpm dev          # Start all dev servers (admin on :6464)
+pnpm test         # Run Vitest across all packages
+pnpm typecheck    # TypeScript checks
+pnpm lint         # ESLint
+pnpm format       # Prettier
+```
+
+### Working on a single package
+
+```bash
+cd packages/core
+pnpm dev          # Watch mode
+pnpm test         # Tests for this package only
+```
+
+## Project Structure
+
+```
+packages/
+  core/          Types, API client, offline queue (MIT)
+  web/           Browser SDK — widget, capture (MIT)
+  react/         React bindings (MIT)
+  vue/           Vue 3 plugin (MIT)
+  svelte/        Svelte SDK (MIT)
+  angular/       Angular SDK (MIT)
+  react-native/  React Native SDK (MIT)
+  cli/           CLI tool (MIT)
+  mcp/           MCP server for coding agents (MIT)
+  server/        Supabase Edge Functions (BSL)
+  agents/        Agentic fix pipeline (BSL)
+  verify/        Fix verification (BSL)
+apps/
+  admin/         Admin dashboard (React + Tailwind)
+  docs/          Documentation site (planned)
+tooling/
+  eslint-config/ Shared ESLint flat config
+  tsconfig/      Shared TypeScript configs
+```
+
+## Making Changes
+
+1. Create a feature branch from `master`
+2. Make your changes
+3. Add tests for new functionality
+4. Run `pnpm typecheck && pnpm lint && pnpm test` to verify
+5. Create a changeset if your change affects published packages:
+   ```bash
+   pnpm changeset
+   ```
+6. Open a pull request
+
+## Changesets
+
+We use [Changesets](https://github.com/changesets/changesets) for versioning. If your PR modifies a published package (`core`, `web`, `react`, `vue`, `svelte`, `angular`, `react-native`, `cli`, `mcp`), add a changeset:
+
+```bash
+pnpm changeset
+```
+
+Select the affected packages, the semver bump type, and write a summary. The changeset file gets committed with your PR.
+
+## Code Style
+
+- **TypeScript strict mode** — no `any` unless absolutely necessary
+- **Prettier** formats everything — run `pnpm format` before committing
+- **ESLint** catches bugs — `pnpm lint` must pass
+- **No default exports** in library packages — use named exports
+- **Dual ESM/CJS** builds via tsup for all SDK packages
+
+## Commit Messages
+
+Use conventional commits:
+
+```
+feat(core): add batch report submission
+fix(web): prevent widget from opening during screenshot
+docs(react): update provider usage example
+chore: bump dependencies
+```
+
+## Tests
+
+- **Framework:** Vitest
+- **Location:** Co-located with source (`src/foo.test.ts`)
+- **Coverage:** Required for `core`, `web`, `react` — encouraged for all packages
+
+## License
+
+- SDK packages are MIT — your contributions will be MIT-licensed
+- Server/agents/verify are BSL 1.1 — contributions to those packages fall under BSL
+
+## Questions?
+
+Open an issue or start a discussion. We're happy to help.

package/SECURITY.md

@@ -0,0 +1,50 @@
+<!--
+  AUTO-SYNCED from repo root by scripts/sync-community-files.mjs.
+  Do not edit here — edit the canonical file at the repository root and
+  re-run `node scripts/sync-community-files.mjs` (pre-commit hook does this
+  automatically).
+-->
+
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.x     | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly.
+
+**Do NOT open a public GitHub issue.**
+
+Instead, email: **security@mushimushi.dev**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Impact assessment
+- Suggested fix (if any)
+
+We will acknowledge receipt within 48 hours and aim to release a patch within 7 days for critical issues.
+
+## Scope
+
+- All `@mushi-mushi/*` npm packages
+- Supabase Edge Functions (server-side)
+- Admin console application
+- CLI tool
+
+## Out of Scope
+
+- Self-hosted deployments configured by the user
+- Third-party integrations (Jira, Linear, PagerDuty)
+- Vulnerabilities requiring physical access
+
+## Security Best Practices for Users
+
+- **Never commit your API keys** — use environment variables
+- **Rotate API keys** regularly via the admin console
+- **Enable SSO** for team projects (Enterprise tier)
+- **Review audit logs** periodically for suspicious activity

package/dist/index.cjs

@@ -350,6 +350,98 @@ var noopLogger = {
   }
 };
 
+// src/queue-crypto.ts
+var KEY_DB = "mushi-mushi-keyring";
+var KEY_STORE = "keys";
+var KEY_RECORD_ID = "offline-queue/v1";
+var cachedKey = null;
+var cachedKeyPromise = null;
+function hasWebCrypto() {
+  return typeof globalThis !== "undefined" && typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.subtle !== "undefined" && typeof indexedDB !== "undefined";
+}
+function openKeyDb() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(KEY_DB, 1);
+    req.onupgradeneeded = () => {
+      const db = req.result;
+      if (!db.objectStoreNames.contains(KEY_STORE)) {
+        db.createObjectStore(KEY_STORE);
+      }
+    };
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function loadKey() {
+  const db = await openKeyDb();
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(KEY_STORE, "readonly");
+    const req = tx.objectStore(KEY_STORE).get(KEY_RECORD_ID);
+    req.onsuccess = () => resolve(req.result ?? null);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function storeKey(key) {
+  const db = await openKeyDb();
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(KEY_STORE, "readwrite");
+    tx.objectStore(KEY_STORE).put(key, KEY_RECORD_ID);
+    tx.oncomplete = () => resolve();
+    tx.onerror = () => reject(tx.error);
+  });
+}
+async function getOfflineQueueKey() {
+  if (cachedKey) return cachedKey;
+  if (cachedKeyPromise) return cachedKeyPromise;
+  if (!hasWebCrypto()) {
+    throw new Error("Web Crypto + IndexedDB required for offline queue encryption");
+  }
+  cachedKeyPromise = (async () => {
+    const existing = await loadKey();
+    if (existing) {
+      cachedKey = existing;
+      return existing;
+    }
+    const key = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"]
+    );
+    await storeKey(key);
+    cachedKey = key;
+    return key;
+  })();
+  return cachedKeyPromise;
+}
+function bytesToB64(bytes) {
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+function b64ToBytes(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(new ArrayBuffer(bin.length));
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function encryptJson(plain) {
+  const key = await getOfflineQueueKey();
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const data = new TextEncoder().encode(JSON.stringify(plain));
+  const cipher = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data));
+  return { _mme: 1, iv: bytesToB64(iv), ct: bytesToB64(cipher) };
+}
+function isEncryptedPayload(v) {
+  return !!v && typeof v === "object" && v._mme === 1 && typeof v.iv === "string" && typeof v.ct === "string";
+}
+async function decryptJson(payload) {
+  const key = await getOfflineQueueKey();
+  const iv = b64ToBytes(payload.iv);
+  const ct = b64ToBytes(payload.ct);
+  const plain = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
+  return JSON.parse(new TextDecoder().decode(plain));
+}
+
 // src/queue.ts
 var queueLog = createLogger({ scope: "mushi:queue", level: "warn" });
 var DB_NAME = "mushi-mushi";
@@ -359,9 +451,36 @@ var LS_KEY = "mushi_offline_queue";
 var BATCH_SIZE = 10;
 var MAX_BACKOFF_MS = 6e4;
 function createOfflineQueue(config = {}) {
-  const { enabled = true, maxQueueSize = 50, syncOnReconnect = true } = config;
+  const { enabled = true, maxQueueSize = 50, syncOnReconnect = true, encryptAtRest = true } = config;
   let syncCleanup = null;
   let backendType = null;
+  async function wrapForStorage(report) {
+    const queuedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (!encryptAtRest) {
+      return { ...report, queuedAt };
+    }
+    try {
+      const payload = await encryptJson(report);
+      return { id: report.id, queuedAt, payload };
+    } catch (err) {
+      queueLog.warn("Offline queue: encryption failed, storing plaintext", { err: String(err) });
+      return { ...report, queuedAt };
+    }
+  }
+  async function unwrapForSend(row) {
+    if (isEncryptedRecord(row)) {
+      try {
+        return await decryptJson(row.payload);
+      } catch (err) {
+        queueLog.warn("Offline queue: decrypt failed, dropping row", { err: String(err), id: row.id });
+        return null;
+      }
+    }
+    return row;
+  }
+  function isEncryptedRecord(row) {
+    return !!row.payload && isEncryptedPayload(row.payload);
+  }
   function detectBackend() {
     if (backendType) return backendType;
     if (typeof indexedDB !== "undefined") {
@@ -391,9 +510,10 @@ function createOfflineQueue(config = {}) {
   }
   async function idbEnqueue(report) {
     const db = await openDb();
+    const row = await wrapForStorage(report);
     return new Promise((resolve, reject) => {
       const tx = db.transaction(STORE_NAME, "readwrite");
-      tx.objectStore(STORE_NAME).put({ ...report, queuedAt: (/* @__PURE__ */ new Date()).toISOString() });
+      tx.objectStore(STORE_NAME).put(row);
       tx.oncomplete = () => resolve();
       tx.onerror = () => reject(tx.error);
     });
@@ -442,20 +562,20 @@ function createOfflineQueue(config = {}) {
       return [];
     }
   }
-  function lsWrite(reports) {
+  function lsWrite(rows) {
     try {
-      localStorage.setItem(LS_KEY, JSON.stringify(reports));
+      localStorage.setItem(LS_KEY, JSON.stringify(rows));
     } catch {
     }
   }
-  function lsEnqueue(report) {
-    const reports = lsRead();
-    reports.push({ ...report, queuedAt: (/* @__PURE__ */ new Date()).toISOString() });
-    lsWrite(reports);
+  async function lsEnqueue(report) {
+    const rows = lsRead();
+    rows.push(await wrapForStorage(report));
+    lsWrite(rows);
   }
   function lsDelete(id) {
-    const reports = lsRead().filter((r) => r.id !== id);
-    lsWrite(reports);
+    const rows = lsRead().filter((r) => r.id !== id);
+    lsWrite(rows);
   }
   async function enqueue(report) {
     if (!enabled) return;
@@ -474,7 +594,7 @@ function createOfflineQueue(config = {}) {
       }
     }
     if (backend === "localstorage" || backendType === "localstorage") {
-      lsEnqueue(report);
+      await lsEnqueue(report);
       return;
     }
   }
@@ -486,29 +606,41 @@ function createOfflineQueue(config = {}) {
   }
   async function flush(client) {
     if (!enabled) return { sent: 0, failed: 0 };
-    let reports;
+    let rows;
     const backend = detectBackend();
     if (backend === "indexeddb") {
       try {
-        reports = await idbGetAll();
+        rows = await idbGetAll();
       } catch {
-        reports = lsRead();
+        rows = lsRead();
       }
     } else {
-      reports = lsRead();
+      rows = lsRead();
     }
-    const batch = reports.slice(0, BATCH_SIZE);
+    const batch = rows.slice(0, BATCH_SIZE);
     let sent = 0;
     let failed = 0;
     for (let i = 0; i < batch.length; i++) {
-      const report = batch[i];
+      const row = batch[i];
+      const rowId = row.id;
+      const report = await unwrapForSend(row);
+      if (!report) {
+        try {
+          if (backend === "indexeddb") await idbDelete(rowId);
+          else lsDelete(rowId);
+        } catch {
+          lsDelete(rowId);
+        }
+        failed++;
+        continue;
+      }
       const result = await client.submitReport(report);
       if (result.ok) {
         try {
-          if (backend === "indexeddb") await idbDelete(report.id);
-          else lsDelete(report.id);
+          if (backend === "indexeddb") await idbDelete(rowId);
+          else lsDelete(rowId);
         } catch {
-          lsDelete(report.id);
+          lsDelete(rowId);
         }
         sent++;
       } else {
@@ -742,16 +874,33 @@ function createRateLimiter(config = {}) {
 var ORDERED_PATTERNS = [
   { key: "ssns", regex: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: "[REDACTED_SSN]" },
   { key: "creditCards", regex: /\b(?:\d[ -]*){12,18}\d\b/g, replacement: "[REDACTED_CC]" },
+  // Vendor secret tokens — mirrors packages/server/.../pii-scrubber.ts exactly.
+  { key: "secretTokens", regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g, replacement: "[REDACTED_AWS_KEY]" },
+  { key: "secretTokens", regex: /(?:aws_secret_access_key|secret_access_key)["'\s:=]+[A-Za-z0-9/+=]{40}\b/gi, replacement: "aws_secret_access_key=[REDACTED_AWS_SECRET]" },
+  { key: "secretTokens", regex: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{24,}\b/g, replacement: "[REDACTED_STRIPE_KEY]" },
+  { key: "secretTokens", regex: /\bpk_(?:live|test)_[A-Za-z0-9]{24,}\b/g, replacement: "[REDACTED_STRIPE_PK]" },
+  { key: "secretTokens", regex: /\bxox[abpor]-[A-Za-z0-9-]{10,}\b/g, replacement: "[REDACTED_SLACK_TOKEN]" },
+  { key: "secretTokens", regex: /\bghp_[A-Za-z0-9]{36}\b/g, replacement: "[REDACTED_GITHUB_PAT]" },
+  { key: "secretTokens", regex: /\bgithub_pat_[A-Za-z0-9_]{80,}\b/g, replacement: "[REDACTED_GITHUB_PAT]" },
+  { key: "secretTokens", regex: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g, replacement: "[REDACTED_OPENAI_KEY]" },
+  { key: "secretTokens", regex: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g, replacement: "[REDACTED_ANTHROPIC_KEY]" },
+  { key: "secretTokens", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g, replacement: "[REDACTED_GOOGLE_KEY]" },
+  { key: "secretTokens", regex: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g, replacement: "[REDACTED_JWT]" },
   { key: "emails", regex: /\b[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\b/g, replacement: "[REDACTED_EMAIL]" },
   { key: "phones", regex: /(?:\+\d{1,3}[\s.-])?\(?\d{2,4}\)?[\s.-]\d{3,4}[\s.-]\d{3,4}\b/g, replacement: "[REDACTED_PHONE]" },
-  { key: "ipAddresses", regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[REDACTED_IP]" }
+  { key: "ipAddresses", regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[REDACTED_IP]" },
+  { key: "ipv6", regex: /\b(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{0,4}\b/g, replacement: "[REDACTED_IPV6]" }
 ];
 var DEFAULT_CONFIG = {
   emails: true,
   phones: true,
   creditCards: true,
   ssns: true,
-  ipAddresses: false
+  ipAddresses: false,
+  // Secret tokens default ON — if they leak into a bug report there's no
+  // good reason to ship them to our servers. Cheaper to scrub client-side.
+  secretTokens: true,
+  ipv6: false
 };
 function createPiiScrubber(config = {}) {
   const merged = { ...DEFAULT_CONFIG, ...config };