npm - @promptbook/cli - Versions diffs - 0.104.0-2 → 0.104.0-3 - Mend

@promptbook/cli 0.104.0-2 → 0.104.0-3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/apps/agents-server/src/utils/auth.ts CHANGED Viewed

@@ -1,33 +1,133 @@
-import { randomBytes, scrypt, timingSafeEqual } from 'crypto';
+import { createHash, randomBytes, scrypt, timingSafeEqual } from 'crypto';
 import { promisify } from 'util';
+import { PASSWORD_SECURITY_CONFIG } from '../../../../security.config';
 const scryptAsync = promisify(scrypt);
 /**
- * Hashes a password using scrypt
- *
- * @param password The plain text password
+ * Validates password input to prevent edge cases and DoS attacks
+ *
+ * @param password The password to validate
+ * @throws Error if password is invalid
+ */
+function validatePasswordInput(password: string): void {
+    if (typeof password !== 'string') {
+        throw new Error('Password must be a string');
+    }
+    if (password.length === 0) {
+        throw new Error('Password cannot be empty');
+    }
+    if (password.length < PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH) {
+        throw new Error(`Password must be at least ${PASSWORD_SECURITY_CONFIG.MIN_PASSWORD_LENGTH} characters`);
+    }
+    // Note: No hard max limit - long passwords are compacted via compactPassword()
+}
+/**
+ * Compacts a password for secure processing
+ *
+ * If the password is within MAX_PASSWORD_LENGTH, it is returned as-is.
+ * If longer, the password is split at MAX_PASSWORD_LENGTH and the second part
+ * is hashed with SHA256 before being appended to the first part.
+ *
+ * This prevents DoS attacks via extremely long passwords while still utilizing
+ * the full entropy of longer passwords.
+ *
+ * @param password The password to compact
+ * @returns The compacted password
+ */
+function compactPassword(password: string): string {
+    if (password.length <= PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH) {
+        return password;
+    }
+    const firstPart = password.slice(0, PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+    const secondPart = password.slice(PASSWORD_SECURITY_CONFIG.MAX_PASSWORD_LENGTH);
+    // Hash the overflow part with SHA256 to bound its length while preserving entropy
+    const secondPartHash = createHash('sha256').update(secondPart, 'utf8').digest('hex');
+    return firstPart + secondPartHash;
+}
+/**
+ * Hashes a password using scrypt with secure parameters
+ *
+ * @param password The plain text password (minimum 8 characters, no maximum - long passwords are compacted)
  * @returns The salt and hash formatted as "salt:hash"
+ * @throws Error if password validation fails
  */
 export async function hashPassword(password: string): Promise<string> {
-    const salt = randomBytes(16).toString('hex');
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
+    validatePasswordInput(password);
+    // Compact long passwords to prevent DoS while preserving entropy
+    const compactedPassword = compactPassword(password);
+    const salt = randomBytes(PASSWORD_SECURITY_CONFIG.SALT_LENGTH).toString('hex');
+    const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+    // Clear password from memory as soon as possible (best effort)
+    // Note: JavaScript strings are immutable, so this is limited in effectiveness
     return `${salt}:${derivedKey.toString('hex')}`;
 }
 /**
- * Verifies a password against a stored hash
- *
- * @param password The plain text password
+ * Verifies a password against a stored hash using constant-time comparison
+ *
+ * @param password The plain text password to verify
  * @param storedHash The stored hash in format "salt:hash"
- * @returns True if the password matches
+ * @returns True if the password matches, false otherwise
  */
 export async function verifyPassword(password: string, storedHash: string): Promise<boolean> {
-    const [salt, key] = storedHash.split(':');
-    if (!salt || !key) return false;
-    const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;
-    const keyBuffer = Buffer.from(key, 'hex');
-    return timingSafeEqual(derivedKey, keyBuffer);
+    // Validate inputs
+    if (typeof password !== 'string' || typeof storedHash !== 'string') {
+        return false;
+    }
+    if (password.length === 0) {
+        return false;
+    }
+    // Compact long passwords the same way as during hashing
+    const compactedPassword = compactPassword(password);
+    const parts = storedHash.split(':');
+    if (parts.length !== 2) {
+        return false;
+    }
+    const [salt, key] = parts;
+    if (!salt || !key) {
+        return false;
+    }
+    // Validate salt and key format (should be hex strings of expected length)
+    const expectedSaltLength = PASSWORD_SECURITY_CONFIG.SALT_LENGTH * 2; // hex encoding doubles length
+    const expectedKeyLength = PASSWORD_SECURITY_CONFIG.KEY_LENGTH * 2;
+    if (salt.length !== expectedSaltLength || key.length !== expectedKeyLength) {
+        return false;
+    }
+    // Validate hex format
+    const hexRegex = /^[0-9a-fA-F]+$/;
+    if (!hexRegex.test(salt) || !hexRegex.test(key)) {
+        return false;
+    }
+    try {
+        const derivedKey = (await scryptAsync(compactedPassword, salt, PASSWORD_SECURITY_CONFIG.KEY_LENGTH)) as Buffer;
+        const keyBuffer = Buffer.from(key, 'hex');
+        // Ensure buffers are same length before timing-safe comparison
+        // This should always be true given our validation, but defense in depth
+        if (derivedKey.length !== keyBuffer.length) {
+            return false;
+        }
+        return timingSafeEqual(derivedKey, keyBuffer);
+    } catch {
+        // Any error during verification should return false, not leak information
+        return false;
+    }
 }

package/apps/agents-server/src/utils/getUserIdFromRequest.ts CHANGED Viewed

@@ -1,9 +1,12 @@
 import { NextRequest } from 'next/server';
+import { keepUnused } from '../../../../src/utils/organization/keepUnused';
 import { $getTableName } from '../database/$getTableName';
 import { $provideSupabaseForServer } from '../database/$provideSupabaseForServer';
 import { getSession } from './session';
 export async function getUserIdFromRequest(request: NextRequest): Promise<number | null> {
+    keepUnused(request); // Unused because we get user from session cookie for now
     try {
         // 1. Try to get user from session (cookie)
         const session = await getSession();
@@ -24,7 +27,6 @@ export async function getUserIdFromRequest(request: NextRequest): Promise<number
         // TODO: [🧠] Implement linking API keys to users if needed
         // const authHeader = request.headers.get('authorization');
         // ...
     } catch (error) {
         console.error('Error getting user ID from request:', error);
     }

package/apps/agents-server/src/utils/handleChatCompletion.ts CHANGED Viewed

@@ -3,12 +3,11 @@ import { $provideSupabaseForServer } from '@/src/database/$provideSupabaseForSer
 import { $provideAgentCollectionForServer } from '@/src/tools/$provideAgentCollectionForServer';
 import { $provideOpenAiAssistantExecutionToolsForServer } from '@/src/tools/$provideOpenAiAssistantExecutionToolsForServer';
 import { Agent, computeAgentHash, parseAgentSource, PROMPTBOOK_ENGINE_VERSION } from '@promptbook-local/core';
-import { OpenAiAssistantExecutionTools } from '@promptbook-local/openai';
 import { ChatMessage, ChatPromptResult, Prompt, string_book, TODO_any } from '@promptbook-local/types';
 import { computeHash } from '@promptbook-local/utils';
 import { NextRequest, NextResponse } from 'next/server';
-import { validateApiKey } from './validateApiKey';
 import { isAgentDeleted } from '../app/agents/[agentName]/_utils';
+import { validateApiKey } from './validateApiKey';
 export async function handleChatCompletion(
     request: NextRequest,
@@ -125,7 +124,9 @@ export async function handleChatCompletion(
         let openAiAssistantExecutionTools = await $provideOpenAiAssistantExecutionToolsForServer();
         if (assistantCache?.assistantId) {
-            console.log(`[🐱‍🚀] Reusing assistant ${assistantCache.assistantId} for agent ${agentName} (hash: ${agentHash})`);
+            console.log(
+                `[🐱‍🚀] Reusing assistant ${assistantCache.assistantId} for agent ${agentName} (hash: ${agentHash})`,
+            );
             openAiAssistantExecutionTools = openAiAssistantExecutionTools.getAssistant(assistantCache.assistantId);
         } else {
             console.log(`[🐱‍🚀] Creating NEW assistant for agent ${agentName} (hash: ${agentHash})`);
@@ -138,7 +139,9 @@ export async function handleChatCompletion(
             // Note: Append context to instructions
             const contextLines = agentSource.split('\n').filter((line) => line.startsWith('CONTEXT '));
             const contextInstructions = contextLines.join('\n');
-            const instructions = contextInstructions ? `${baseInstructions}\n\n${contextInstructions}` : baseInstructions;
+            const instructions = contextInstructions
+                ? `${baseInstructions}\n\n${contextInstructions}`
+                : baseInstructions;
             // Create assistant
             const newAssistantTools = await openAiAssistantExecutionTools.createNewAssistant({
@@ -182,8 +185,9 @@ export async function handleChatCompletion(
         const previousMessages = threadMessages.slice(0, -1);
         const thread: ChatMessage[] = previousMessages.map((msg: TODO_any, index: number) => ({
+            // channel: 'PROMPTBOOK_CHAT',
             id: `msg-${index}`, // Placeholder ID
-            from: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
+            sender: msg.role === 'assistant' ? 'agent' : 'user', // Mapping standard OpenAI roles
             content: msg.content,
             isComplete: true,
             date: new Date(), // We don't have the real date, using current

package/apps/agents-server/src/utils/validateApiKey.ts CHANGED Viewed

@@ -1,17 +1,7 @@
 import { createClient } from '@supabase/supabase-js';
 import { NextRequest } from 'next/server';
-import { SERVERS, SUPABASE_TABLE_PREFIX } from '../../config';
 import { $getTableName } from '../database/$getTableName';
-// Note: Re-implementing normalizeTo_PascalCase to avoid importing from @promptbook-local/utils which might have Node.js dependencies
-function normalizeTo_PascalCase(text: string): string {
-    return text
-        .replace(/(?:^\w|[A-Z]|\b\w)/g, (word) => {
-            return word.toUpperCase();
-        })
-        .replace(/\s+/g, '');
-}
 export type ApiKeyValidationResult = {
     isValid: boolean;
     token?: string;
@@ -63,10 +53,14 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
         };
     }
+    /*
+    Note: [🐔] This code was commented out because results of it are unused
     // Determine the table prefix based on the host
     const host = request.headers.get('host');
     let tablePrefix = SUPABASE_TABLE_PREFIX;
     if (host && SERVERS && SERVERS.length > 0) {
         if (SERVERS.some((server) => server === host)) {
             let serverName = host;
@@ -75,6 +69,7 @@ export async function validateApiKey(request: NextRequest): Promise<ApiKeyValida
             tablePrefix = `server_${serverName}_`;
         }
     }
+    */
     const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
     const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;

package/esm/index.es.js CHANGED Viewed

@@ -47,7 +47,7 @@ const BOOK_LANGUAGE_VERSION = '2.0.0';
  * @generated
  * @see https://github.com/webgptorg/promptbook
  */
-const PROMPTBOOK_ENGINE_VERSION = '0.104.0-2';
+const PROMPTBOOK_ENGINE_VERSION = '0.104.0-3';
 /**
  * TODO: string_promptbook_version should be constrained to the all versions of Promptbook engine
  * Note: [💞] Ignore a discrepancy between file name and entity name
@@ -19448,7 +19448,7 @@ class OpenAiCompatibleExecutionTools {
         let threadMessages = [];
         if ('thread' in prompt && Array.isArray(prompt.thread)) {
             threadMessages = prompt.thread.map((msg) => ({
-                role: msg.role === 'assistant' ? 'assistant' : 'user',
+                role: msg.sender === 'assistant' ? 'assistant' : 'user',
                 content: msg.content,
             }));
         }
@@ -26114,17 +26114,64 @@ function parseAgentSourceWithCommitments(agentSource) {
         };
     }
     const lines = agentSource.split('\n');
-    const agentName = (((_a = lines[0]) === null || _a === void 0 ? void 0 : _a.trim()) || null);
+    let agentName = null;
+    let agentNameLineIndex = -1;
+    // Find the agent name: first non-empty line that is not a commitment and not a horizontal line
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if (line === undefined) {
+            continue;
+        }
+        const trimmed = line.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const isHorizontal = HORIZONTAL_LINE_PATTERN.test(line);
+        if (isHorizontal) {
+            continue;
+        }
+        let isCommitment = false;
+        for (const definition of COMMITMENT_REGISTRY) {
+            const typeRegex = definition.createTypeRegex();
+            const match = typeRegex.exec(trimmed);
+            if (match && ((_a = match.groups) === null || _a === void 0 ? void 0 : _a.type)) {
+                isCommitment = true;
+                break;
+            }
+        }
+        if (!isCommitment) {
+            agentName = trimmed;
+            agentNameLineIndex = i;
+            break;
+        }
+    }
     const commitments = [];
     const nonCommitmentLines = [];
-    // Always add the first line (agent name) to non-commitment lines
-    if (lines[0] !== undefined) {
-        nonCommitmentLines.push(lines[0]);
+    // Add lines before agentName that are horizontal lines (they are non-commitment)
+    for (let i = 0; i < agentNameLineIndex; i++) {
+        const line = lines[i];
+        if (line === undefined) {
+            continue;
+        }
+        const trimmed = line.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const isHorizontal = HORIZONTAL_LINE_PATTERN.test(line);
+        if (isHorizontal) {
+            nonCommitmentLines.push(line);
+        }
+        // Note: Commitments before agentName are not added to nonCommitmentLines
+    }
+    // Add the agent name line to non-commitment lines
+    if (agentNameLineIndex >= 0) {
+        nonCommitmentLines.push(lines[agentNameLineIndex]);
     }
     // Parse commitments with multiline support
     let currentCommitment = null;
-    // Process lines starting from the second line (skip agent name)
-    for (let i = 1; i < lines.length; i++) {
+    // Process lines starting from after the agent name line
+    const startIndex = agentNameLineIndex >= 0 ? agentNameLineIndex + 1 : 0;
+    for (let i = startIndex; i < lines.length; i++) {
         const line = lines[i];
         if (line === undefined) {
             continue;