@plexor-dev/claude-code-plugin-staging 0.1.0-beta.2 → 0.1.0-beta.20

package/commands/plexor-login.js

@@ -13,28 +13,79 @@ const path = require('path');
 const https = require('https');
 const http = require('http');
 
-// Import settings manager for automatic Claude Code configuration
-const { settingsManager } = require('../lib/settings-manager');
+// Import centralized constants with HOME directory validation
+const { PLEXOR_DIR, CONFIG_PATH, DEFAULT_API_URL } = require('../lib/constants');
 
-const CONFIG_PATH = path.join(process.env.HOME, '.plexor', 'config.json');
-const PLEXOR_DIR = path.join(process.env.HOME, '.plexor');
-// STAGING PACKAGE - uses staging API
-const DEFAULT_API_URL = 'https://staging.api.plexor.dev';
+// Import settings manager with error handling for missing lib
+let settingsManager;
+try {
+  settingsManager = require('../lib/settings-manager').settingsManager;
+} catch (err) {
+  if (err.code === 'MODULE_NOT_FOUND') {
+    console.error('Error: Plexor plugin files are missing or corrupted.');
+    console.error('       Please reinstall: npm install @plexor-dev/claude-code-plugin-staging');
+    process.exit(1);
+  }
+  throw err;
+}
 
 function loadConfig() {
   try {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      return { version: 1, auth: {}, settings: {} };
+    }
     const data = fs.readFileSync(CONFIG_PATH, 'utf8');
-    return JSON.parse(data);
-  } catch {
+    if (!data || data.trim() === '') {
+      return { version: 1, auth: {}, settings: {} };
+    }
+    const config = JSON.parse(data);
+    if (typeof config !== 'object' || config === null) {
+      return { version: 1, auth: {}, settings: {} };
+    }
+    return config;
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      console.warn('Warning: Config file is corrupted, will be overwritten');
+    }
     return { version: 1, auth: {}, settings: {} };
   }
 }
 
 function saveConfig(config) {
-  if (!fs.existsSync(PLEXOR_DIR)) {
-    fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+  try {
+    if (!fs.existsSync(PLEXOR_DIR)) {
+      fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+    }
+
+    // Atomic write: write to temp file, then rename
+    const crypto = require('crypto');
+    const tempId = crypto.randomBytes(8).toString('hex');
+    const tempPath = path.join(PLEXOR_DIR, `.config.${tempId}.tmp`);
+
+    fs.writeFileSync(tempPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    fs.renameSync(tempPath, CONFIG_PATH);
+    return true;
+  } catch (err) {
+    if (err.code === 'EACCES' || err.code === 'EPERM') {
+      console.error('Error: Cannot write to ~/.plexor/config.json');
+      console.error('       Check file permissions or run with appropriate access.');
+    } else {
+      console.error('Failed to save config:', err.message);
+    }
+    return false;
+  }
+}
+
+function isPlexorApiKey(token) {
+  return typeof token === 'string' && token.startsWith('plx_') && token.length >= 20;
+}
+
+function isJwtToken(token) {
+  if (typeof token !== 'string' || !token.startsWith('eyJ')) {
+    return false;
   }
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
+  const parts = token.split('.');
+  return parts.length === 3 && parts.every(part => part.length > 0);
 }
 
 function validateApiKey(apiUrl, apiKey) {
@@ -80,23 +131,112 @@ function validateApiKey(apiUrl, apiKey) {
   });
 }
 
-async function promptForApiKey() {
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout
+function validateJwtToken(apiUrl, jwtToken) {
+  return new Promise((resolve, reject) => {
+    const url = new URL(`${apiUrl}/v1/auth/me`);
+    const isHttps = url.protocol === 'https:';
+    const lib = isHttps ? https : http;
+
+    const options = {
+      hostname: url.hostname,
+      port: url.port || (isHttps ? 443 : 80),
+      path: url.pathname,
+      method: 'GET',
+      headers: {
+        'Authorization': `Bearer ${jwtToken}`
+      }
+    };
+
+    const req = lib.request(options, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        if (res.statusCode === 200) {
+          try {
+            resolve(JSON.parse(data));
+          } catch {
+            reject(new Error('Invalid response from server'));
+          }
+        } else if (res.statusCode === 401) {
+          reject(new Error('Invalid login token'));
+        } else {
+          reject(new Error(`Server error: ${res.statusCode}`));
+        }
+      });
+    });
+
+    req.on('error', (err) => reject(new Error(`Connection failed: ${err.message}`)));
+    req.setTimeout(10000, () => {
+      req.destroy();
+      reject(new Error('Connection timeout'));
+    });
+    req.end();
   });
+}
+
+function validateCredential(apiUrl, credential) {
+  if (isJwtToken(credential)) {
+    return validateJwtToken(apiUrl, credential);
+  }
+  return validateApiKey(apiUrl, credential);
+}
 
-  return new Promise((resolve) => {
-    rl.question('Enter your Plexor API key: ', (answer) => {
-      rl.close();
-      resolve(answer.trim());
+/**
+ * Read API key from stdin (for piped input)
+ * @returns {Promise<string>} The API key read from stdin
+ */
+function readFromStdin() {
+  return new Promise((resolve, reject) => {
+    let data = '';
+    const timeout = setTimeout(() => {
+      reject(new Error('Timeout reading from stdin'));
+    }, 5000);
+
+    process.stdin.setEncoding('utf8');
+    process.stdin.on('data', (chunk) => {
+      data += chunk;
+    });
+    process.stdin.on('end', () => {
+      clearTimeout(timeout);
+      resolve(data.trim());
+    });
+    process.stdin.on('error', (err) => {
+      clearTimeout(timeout);
+      reject(err);
     });
+    process.stdin.resume();
   });
 }
 
 async function main() {
   const args = process.argv.slice(2);
-  let apiKey = args[0];
+  let apiKey = null;
+  let keySource = null;
+
+  // SECURITY FIX: Check for API key in order of preference
+  // 1. Environment variable (most secure for scripts/CI)
+  // 2. Stdin pipe (secure for interactive use)
+  // 3. Command line argument (warns about security risk)
+
+  // Check environment variable first (most secure)
+  if (process.env.PLEXOR_API_KEY) {
+    apiKey = process.env.PLEXOR_API_KEY;
+    keySource = 'environment';
+  }
+  // Check if stdin has data (piped input)
+  else if (!process.stdin.isTTY && args.length === 0) {
+    try {
+      apiKey = await readFromStdin();
+      keySource = 'stdin';
+    } catch {
+      // Stdin read failed, continue to check args
+    }
+  }
+  // Check command line argument (least secure - shows in ps)
+  else if (args[0]) {
+    apiKey = args[0];
+    keySource = 'argument';
+  }
 
   // Check for existing login
   const config = loadConfig();
@@ -107,31 +247,46 @@ async function main() {
     console.log(`│  Already Logged In                          │`);
     console.log(`├─────────────────────────────────────────────┤`);
     console.log(`│  API Key: ${(existingKey.substring(0, 8) + '...').padEnd(33)}│`);
-    console.log(`│  To re-login, provide a new key:            │`);
-    console.log(`│    /plexor-login <api-key>                  │`);
-    console.log(`│  To logout:                                 │`);
-    console.log(`│    /plexor-logout                           │`);
+    console.log(`│  Human setup path: /plexor-setup            │`);
+    console.log(`│  Automation path: /plexor-login <key>       │`);
+    console.log(`│  To logout: /plexor-logout                  │`);
     console.log(`└─────────────────────────────────────────────┘`);
     return;
   }
 
-  // If no key provided, prompt for it
+  // If no key provided, show secure usage options
   if (!apiKey) {
     console.log(`┌─────────────────────────────────────────────┐`);
-    console.log(`│  Plexor Login                               │`);
+    console.log(`│  Plexor Login (Advanced)                    │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  Human first-run: /plexor-setup             │`);
     console.log(`├─────────────────────────────────────────────┤`);
     console.log(`│  Get your API key at:                       │`);
     console.log(`│  https://plexor.dev/dashboard/api-keys      │`);
     console.log(`├─────────────────────────────────────────────┤`);
-    console.log(`│  Usage: /plexor-login <api-key>             │`);
+    console.log(`│  Secure usage (recommended):                │`);
+    console.log(`│    echo "plx_..." | /plexor-login           │`);
+    console.log(`│    PLEXOR_API_KEY=plx_... /plexor-login     │`);
+    console.log(`├─────────────────────────────────────────────┤`);
+    console.log(`│  Direct usage (visible in ps):              │`);
+    console.log(`│    /plexor-login <api-key>                  │`);
     console.log(`└─────────────────────────────────────────────┘`);
     return;
   }
 
-  // Validate key format
-  if (!apiKey.startsWith('plx_') || apiKey.length < 20) {
-    console.error(`Error: Invalid API key format`);
-    console.error(`API keys start with "plx_" and are at least 20 characters`);
+  // Warn if API key was passed as command line argument
+  if (keySource === 'argument') {
+    console.log(`⚠ Security note: API key passed as argument is visible in`);
+    console.log(`  process list (ps aux). For better security, use:`);
+    console.log(`    echo "plx_..." | /plexor-login`);
+    console.log(`    PLEXOR_API_KEY=plx_... /plexor-login`);
+    console.log('');
+  }
+
+  // Validate credential format (Plexor API key OR login JWT)
+  if (!isPlexorApiKey(apiKey) && !isJwtToken(apiKey)) {
+    console.error(`Error: Invalid credential format`);
+    console.error(`Expected Plexor API key ("plx_...") or login token ("eyJ...")`);
     process.exit(1);
   }
 
@@ -140,38 +295,52 @@ async function main() {
   console.log('Validating API key...');
 
   try {
-    const user = await validateApiKey(apiUrl, apiKey);
+    const user = await validateCredential(apiUrl, apiKey);
 
     config.auth = config.auth || {};
     config.auth.api_key = apiKey;
     config.settings = config.settings || {};
     config.settings.enabled = true;
-    saveConfig(config);
+    if (!saveConfig(config)) {
+      process.exit(1);
+    }
 
-    // AUTO-CONFIGURE CLAUDE CODE ROUTING
-    // This is the key feature: automatically set ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN
-    // in ~/.claude/settings.json so ALL Claude Code sessions route through Plexor
+    // Automation path: save credentials and activate routing.
+    // Guided human setup should go through /plexor-setup, which also verifies the route.
     const useStaging = apiUrl.includes('staging');
     const routingEnabled = settingsManager.enablePlexorRouting(apiKey, { useStaging });
 
+    config.health = {
+      installed: true,
+      connected: true,
+      routing_active: routingEnabled,
+      verified: false,
+      verified_at: null,
+      verify_error: 'Verification not run. Use /plexor-setup for guided verification.',
+      gateway: useStaging ? 'staging' : 'production',
+      previous_auth_preserved: false
+    };
+    saveConfig(config);
+
     const email = user.email || 'Unknown';
     const tier = user.tier?.name || 'Free';
 
     console.log(`┌─────────────────────────────────────────────┐`);
-    console.log(`│  ✓ Login Successful                         │`);
+    console.log(`│  ✓ Plexor Credentials Saved                 │`);
     console.log(`├─────────────────────────────────────────────┤`);
     console.log(`│  Email: ${email.substring(0, 35).padEnd(35)}│`);
     console.log(`│  Tier: ${tier.padEnd(36)}│`);
     console.log(`├─────────────────────────────────────────────┤`);
     if (routingEnabled) {
-    console.log(`│  ✓ Claude Code routing: CONFIGURED          │`);
-    console.log(`│    All sessions now route through Plexor    │`);
+    console.log(`│  ✓ Claude routing: ACTIVE                   │`);
+    console.log(`│  ○ Claude verify: NOT RUN                   │`);
     } else {
-    console.log(`│  ⚠ Claude Code routing: MANUAL SETUP NEEDED │`);
-    console.log(`│    Set ANTHROPIC_BASE_URL in environment    │`);
+    console.log(`│  ⚠ Claude routing: MANUAL SETUP NEEDED      │`);
+    console.log(`│  Run /plexor-setup after fixing permissions │`);
     }
     console.log(`├─────────────────────────────────────────────┤`);
-    console.log(`│  Run /plexor-status to see your stats.      │`);
+    console.log(`│  Human first-run: /plexor-setup             │`);
+    console.log(`│  Automation complete. Status: /plexor-status│`);
     console.log(`└─────────────────────────────────────────────┘`);
   } catch (err) {
     console.error(`┌─────────────────────────────────────────────┐`);

package/commands/plexor-login.md

@@ -1,27 +1,10 @@
+description: Advanced/manual Plexor authentication for automation and repair (user)
 ---
-description: Authenticate with Plexor to enable optimization (user)
----
-
-# Plexor Login
 
-Run this command to authenticate with Plexor:
-
-```bash
-node ~/.claude/plugins/plexor/commands/plexor-login.js
-```
+**RULE: Execute the bash command below EXACTLY ONCE. After the Bash tool returns output, your ONLY action is to present that output to the user. DO NOT re-execute the command. DO NOT call any other tools.**
 
-To login with an API key:
+Pass the API key as argument (format: `plx_your_api_key_here`).
 
 ```bash
-node ~/.claude/plugins/plexor/commands/plexor-login.js plx_your_api_key_here
+node ~/.claude/plugins/plexor/commands/plexor-login.js $ARGUMENTS
 ```
-
-Use the Bash tool to execute this command.
-
-**IMPORTANT**: After running this command and displaying the output, STOP. Do not:
-- Read any files
-- Explore the codebase
-- Run additional commands
-- Ask follow-up questions
-
-The command output is the complete response. Simply show the output and wait for the user's next input.

package/commands/plexor-logout.js

@@ -8,25 +8,68 @@
 const fs = require('fs');
 const path = require('path');
 
-const PLEXOR_DIR = path.join(process.env.HOME, '.plexor');
-const CONFIG_PATH = path.join(PLEXOR_DIR, 'config.json');
-const SESSION_PATH = path.join(PLEXOR_DIR, 'session.json');
-const CACHE_PATH = path.join(PLEXOR_DIR, 'cache.json');
+// Import centralized constants with HOME directory validation
+const { PLEXOR_DIR, CONFIG_PATH, SESSION_PATH, CACHE_PATH } = require('../lib/constants');
+
+// Import settings manager for Claude Code routing cleanup
+let settingsManager;
+try {
+  const lib = require('../lib/settings-manager');
+  settingsManager = lib.settingsManager;
+} catch (err) {
+  if (err.code === 'MODULE_NOT_FOUND') {
+    console.error('Error: Plexor plugin files are missing or corrupted.');
+    console.error('       Please reinstall: npm install @plexor-dev/claude-code-plugin-staging');
+    process.exit(1);
+  }
+  throw err;
+}
 
 function loadConfig() {
   try {
+    if (!fs.existsSync(CONFIG_PATH)) {
+      return null;
+    }
     const data = fs.readFileSync(CONFIG_PATH, 'utf8');
-    return JSON.parse(data);
-  } catch {
+    if (!data || data.trim() === '') {
+      return null;
+    }
+    const config = JSON.parse(data);
+    if (typeof config !== 'object' || config === null) {
+      return null;
+    }
+    return config;
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      console.warn('Warning: Config file is corrupted');
+    }
     return null;
   }
 }
 
 function saveConfig(config) {
-  if (!fs.existsSync(PLEXOR_DIR)) {
-    fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+  try {
+    if (!fs.existsSync(PLEXOR_DIR)) {
+      fs.mkdirSync(PLEXOR_DIR, { recursive: true, mode: 0o700 });
+    }
+
+    // Atomic write: write to temp file, then rename
+    const crypto = require('crypto');
+    const tempId = crypto.randomBytes(8).toString('hex');
+    const tempPath = path.join(PLEXOR_DIR, `.config.${tempId}.tmp`);
+
+    fs.writeFileSync(tempPath, JSON.stringify(config, null, 2), { mode: 0o600 });
+    fs.renameSync(tempPath, CONFIG_PATH);
+    return true;
+  } catch (err) {
+    if (err.code === 'EACCES' || err.code === 'EPERM') {
+      console.error('Error: Cannot write to ~/.plexor/config.json');
+      console.error('       Check file permissions or run with appropriate access.');
+    } else {
+      console.error('Failed to save config:', err.message);
+    }
+    return false;
   }
-  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), { mode: 0o600 });
 }
 
 function deleteFile(filePath) {
@@ -47,21 +90,34 @@ function main() {
 
   if (!config || !config.auth?.api_key) {
     console.log(`┌─────────────────────────────────────────────┐`);
-    console.log(`│  Not Logged In                              │`);
+    console.log(`│  Plexor Is Not Active                       │`);
     console.log(`├─────────────────────────────────────────────┤`);
     console.log(`│  No active Plexor session found.            │`);
-    console.log(`│  Run /plexor-login to authenticate.         │`);
+    console.log(`│  Run /plexor-setup to connect Plexor.       │`);
     console.log(`└─────────────────────────────────────────────┘`);
     return;
   }
 
   const clearCache = args.includes('--clear-cache') || args.includes('-c');
+  const currentSettings = settingsManager.load();
+  const hadPriorAuth = Boolean(
+    currentSettings.env?.PLEXOR_PREVIOUS_ANTHROPIC_API_KEY ||
+    currentSettings.env?.PLEXOR_PREVIOUS_ANTHROPIC_AUTH_TOKEN
+  );
 
   // Clear credentials
   delete config.auth.api_key;
   config.settings = config.settings || {};
   config.settings.enabled = false;
-  saveConfig(config);
+  delete config.health;
+  if (!saveConfig(config)) {
+    process.exit(1);
+  }
+
+  // CRITICAL FIX: Disable Claude Code routing in ~/.claude/settings.json
+  // This removes ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN so Claude Code
+  // no longer tries to route through Plexor with removed credentials
+  const routingDisabled = settingsManager.disablePlexorRouting();
 
   // Clear session
   deleteFile(SESSION_PATH);
@@ -76,13 +132,15 @@ function main() {
   console.log(`│  ✓ Logged Out                               │`);
   console.log(`├─────────────────────────────────────────────┤`);
   console.log(`│  ✓ API key removed                          │`);
-  console.log(`│  ✓ Plexor proxy disabled                    │`);
+  console.log(`│  ${routingDisabled ? '✓' : '○'} Claude Code routing disabled             │`);
+  console.log(`│  ${hadPriorAuth ? '✓' : '○'} Prior Claude auth restored                │`);
   console.log(`│  ✓ Session cleared                          │`);
   if (clearCache) {
     console.log(`│  ${cacheCleared ? '✓' : '○'} Cache cleared                            │`);
   }
   console.log(`├─────────────────────────────────────────────┤`);
-  console.log(`│  Run /plexor-login to re-authenticate.      │`);
+  console.log(`│  Claude Code now connects directly.         │`);
+  console.log(`│  Run /plexor-setup to reconnect Plexor.     │`);
   if (!clearCache) {
     console.log(`│  Use --clear-cache to also clear cache.     │`);
   }

package/commands/plexor-logout.md

@@ -2,26 +2,8 @@
 description: Log out from Plexor and clear credentials (user)
 ---
 
-# Plexor Logout
-
-Run this command to log out and clear credentials:
-
-```bash
-node ~/.claude/plugins/plexor/commands/plexor-logout.js
-```
-
-To also clear the cache:
+**RULE: Execute the bash command below EXACTLY ONCE. After the Bash tool returns output, your ONLY action is to present that output to the user. DO NOT re-execute the command. DO NOT call any other tools.**
 
 ```bash
-node ~/.claude/plugins/plexor/commands/plexor-logout.js --clear-cache
+node ~/.claude/plugins/plexor/commands/plexor-logout.js $ARGUMENTS
 ```
-
-Use the Bash tool to execute this command.
-
-**IMPORTANT**: After running this command and displaying the output, STOP. Do not:
-- Read any files
-- Explore the codebase
-- Run additional commands
-- Ask follow-up questions
-
-The command output is the complete response. Simply show the output and wait for the user's next input.