@promptcellar/pc 0.4.0 → 0.5.0

package/hooks/gemini-capture.js

@@ -1,21 +1,25 @@
 #!/usr/bin/env node
 
 /**
- * Gemini CLI AfterAgent hook for capturing prompts to PromptCellar.
+ * Gemini CLI BeforeAgent hook for capturing prompts to PromptCellar.
  *
  * Gemini hooks receive JSON via stdin with:
- * - event_type: the hook event (e.g., 'AfterAgent')
+ * - hook_event_name: the hook event (e.g., 'BeforeAgent')
  * - prompt: the user's prompt
- * - prompt_response: the agent's response (for AfterAgent)
  * - session_id: session identifier
- * - working_directory: current working directory
+ * - cwd: working directory
+ * - transcript_path: path to session transcript
+ * - timestamp: event timestamp
  *
  * The hook must output valid JSON to stdout.
+ * Return {} for pass-through, or { decision: "block", reason: "..." } to block.
  */
 
 import { capturePrompt } from '../src/lib/api.js';
 import { getFullContext } from '../src/lib/context.js';
-import { isLoggedIn } from '../src/lib/config.js';
+import { isLoggedIn, isVaultAvailable } from '../src/lib/config.js';
+import { encryptPrompt } from '../src/lib/crypto.js';
+import { requireVaultKey } from '../src/lib/keychain.js';
 
 async function readStdin() {
   return new Promise((resolve) => {
@@ -29,13 +33,9 @@ async function readStdin() {
   });
 }
 
-function respond(success = true) {
-  // Gemini expects JSON output
-  const response = {
-    action: 'continue',
-    success
-  };
-  console.log(JSON.stringify(response));
+function respond() {
+  // Gemini expects JSON output; empty object means pass-through
+  console.log('{}');
 }
 
 async function main() {
@@ -43,26 +43,31 @@ async function main() {
     const input = await readStdin();
 
     if (!input.trim()) {
-      respond(true);
+      respond();
       process.exit(0);
     }
 
     if (!isLoggedIn()) {
-      respond(true);
+      respond();
+      process.exit(0);
+    }
+
+    if (!isVaultAvailable()) {
+      respond();
       process.exit(0);
     }
 
     const event = JSON.parse(input);
 
-    // Only capture AfterAgent events with a prompt
-    if (event.event_type !== 'AfterAgent' || !event.prompt) {
-      respond(true);
+    // Extract the user's prompt
+    if (!event.prompt) {
+      respond();
       process.exit(0);
     }
 
     const content = event.prompt.trim();
     if (!content) {
-      respond(true);
+      respond();
       process.exit(0);
     }
 
@@ -70,22 +75,30 @@ async function main() {
     const context = getFullContext('gemini');
 
     // Override with event data if available
-    if (event.working_directory) {
-      context.working_directory = event.working_directory;
+    if (event.cwd) {
+      context.working_directory = event.cwd;
     }
     if (event.session_id) {
       context.session_id = event.session_id;
     }
 
+    const vaultKey = await requireVaultKey({ silent: true });
+    if (!vaultKey) {
+      respond();
+      process.exit(0);
+    }
+    const { encrypted_content, content_iv } = encryptPrompt(content, vaultKey);
+
     await capturePrompt({
-      content,
-      ...context
+      ...context,
+      encrypted_content,
+      content_iv
     });
 
-    respond(true);
+    respond();
   } catch (error) {
     // Still respond successfully to not block Gemini
-    respond(true);
+    respond();
   }
 }
 

package/hooks/prompt-capture.js

@@ -1,21 +1,20 @@
 #!/usr/bin/env node
 
 /**
- * Claude Code Stop hook for capturing prompts to PromptCellar.
+ * Claude Code UserPromptSubmit hook for capturing prompts to PromptCellar.
  *
- * This script is called by Claude Code when a session ends.
- * Claude Code Stop hooks receive JSON via stdin with:
- * - transcript_path: path to the session JSONL transcript
+ * This script is called by Claude Code on every user prompt submission.
+ * UserPromptSubmit hooks receive JSON via stdin with:
  * - session_id: session identifier
+ * - prompt: the user's prompt text
  * - cwd: working directory
- *
- * It reads the transcript file and extracts the initial user prompt to capture.
  */
 
-import { readFileSync, existsSync } from 'fs';
 import { capturePrompt } from '../src/lib/api.js';
 import { getFullContext } from '../src/lib/context.js';
-import { isLoggedIn } from '../src/lib/config.js';
+import { isLoggedIn, isVaultAvailable } from '../src/lib/config.js';
+import { encryptPrompt } from '../src/lib/crypto.js';
+import { requireVaultKey } from '../src/lib/keychain.js';
 
 async function readStdin() {
   return new Promise((resolve) => {
@@ -41,38 +40,22 @@ async function main() {
       process.exit(0);
     }
 
-    const event = JSON.parse(input);
-    const transcriptPath = event.transcript_path;
-
-    if (!transcriptPath || !existsSync(transcriptPath)) {
+    if (!isVaultAvailable()) {
       process.exit(0);
     }
 
-    const content = readFileSync(transcriptPath, 'utf8');
-    const lines = content.split('\n').filter(line => line.trim());
-
-    // Parse JSONL format
-    const messages = [];
-    for (const line of lines) {
-      try {
-        const entry = JSON.parse(line);
-        if (entry.type === 'human' && entry.message?.content) {
-          messages.push({
-            content: entry.message.content,
-            timestamp: entry.timestamp
-          });
-        }
-      } catch {
-        // Skip invalid JSON lines
-      }
+    const event = JSON.parse(input);
+
+    // UserPromptSubmit provides the prompt directly
+    if (!event.prompt) {
+      process.exit(0);
     }
 
-    if (messages.length === 0) {
+    const promptContent = event.prompt.trim();
+    if (!promptContent) {
       process.exit(0);
     }
 
-    // Capture the first user message (initial prompt)
-    const initialPrompt = messages[0];
     const context = getFullContext('claude-code');
 
     // Override with event data if available
@@ -83,10 +66,16 @@ async function main() {
       context.session_id = event.session_id;
     }
 
+    const vaultKey = await requireVaultKey({ silent: true });
+    if (!vaultKey) {
+      process.exit(0);
+    }
+    const { encrypted_content, content_iv } = encryptPrompt(promptContent, vaultKey);
+
     await capturePrompt({
-      content: initialPrompt.content,
       ...context,
-      captured_at: initialPrompt.timestamp
+      encrypted_content,
+      content_iv
     });
 
   } catch {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@promptcellar/pc",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "CLI for PromptCellar - sync prompts between your terminal and the cloud",
   "type": "module",
   "main": "src/index.js",
@@ -11,7 +11,7 @@
     "pc-gemini-capture": "hooks/gemini-capture.js"
   },
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "node --test"
   },
   "keywords": [
     "promptcellar",
@@ -39,6 +39,7 @@
     "chalk": "^5.3.0",
     "ora": "^8.0.0",
     "inquirer": "^9.2.0",
+    "keytar": "^7.9.0",
     "socket.io-client": "^4.6.0"
   }
 }

package/src/commands/login.js

@@ -1,68 +1,132 @@
+import { randomBytes } from 'crypto';
 import ora from 'ora';
 import chalk from 'chalk';
-import { setApiKey, setApiUrl, isLoggedIn } from '../lib/config.js';
+import {
+  setApiKey, setApiUrl, setAccountUrl,
+  setVaultAvailable,
+  isLoggedIn
+} from '../lib/config.js';
+import { generateTransferKeyPair, decryptTransfer } from '../lib/device-transfer.js';
+import { b64urlEncode } from '../lib/crypto.js';
+import { storeVaultKey } from '../lib/keychain.js';
 
 const DEFAULT_API_URL = 'https://prompts.weldedanvil.com';
+const DEFAULT_ACCOUNT_URL = 'https://account.weldedanvil.com';
+let clientId = 'prompts-prod';
 
-async function initiateDeviceAuth(apiUrl) {
-  const response = await fetch(`${apiUrl}/auth/device`, {
+export function setClientId(id) { clientId = id; }
+
+export async function requestDeviceCode(accountUrl, transferPublicKey) {
+  const payload = { client_id: clientId };
+  if (transferPublicKey) {
+    payload.transfer_public_key = transferPublicKey;
+  }
+
+  const response = await fetch(`${accountUrl}/device/code`, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ device_name: getDeviceName() })
+    body: JSON.stringify(payload),
   });
 
   if (!response.ok) {
-    throw new Error('Failed to initiate device authentication');
+    const data = await response.json().catch(() => ({}));
+    throw new Error(data.error || 'Failed to request device code');
   }
 
   return response.json();
 }
 
-async function pollForApproval(apiUrl, deviceCode, interval, expiresIn) {
-  const startTime = Date.now();
-  const expiresAt = startTime + (expiresIn * 1000);
+async function pollForApproval(accountUrl, deviceCode, expiresIn) {
+  const expiresAt = Date.now() + (expiresIn || 600) * 1000;
+  const interval = 5000;
 
   while (Date.now() < expiresAt) {
-    await sleep(interval * 1000);
+    await sleep(interval);
 
-    const response = await fetch(`${apiUrl}/auth/device/poll`, {
+    const response = await fetch(`${accountUrl}/device/poll`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ device_code: deviceCode })
+      body: JSON.stringify({ device_code: deviceCode }),
     });
 
     const data = await response.json();
 
-    if (response.ok && data.access_token) {
+    if (data.status === 'approved' && data.access_token) {
       return data;
     }
 
-    if (data.error === 'authorization_pending') {
-      continue;
-    }
-
-    if (data.error === 'expired_token') {
+    if (data.status === 'expired') {
       throw new Error('Authorization request expired. Please try again.');
     }
 
-    if (data.error === 'access_denied') {
-      throw new Error('Authorization denied.');
+    if (data.status === 'rejected') {
+      const error = data.error || 'unknown';
+      if (error.startsWith('vault_missing')) {
+        throw new Error(`Vault error: ${error}`);
+      }
+      if (error === 'missing_transfer_key') {
+        throw new Error('Transfer key missing. Please try again.');
+      }
+      throw new Error(`Authorization rejected: ${error}`);
     }
+
+    // status === 'pending' -- keep polling
   }
 
   throw new Error('Authorization request timed out. Please try again.');
 }
 
+async function exchangeTokenForApiKey(apiUrl, jwt, deviceName) {
+  const response = await fetch(`${apiUrl}/api/v1/auth/device-token`, {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${jwt}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({ device_name: deviceName }),
+  });
+
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    throw new Error(data.error || 'Failed to exchange token');
+  }
+
+  return response.json();
+}
+
+export async function finalizeDeviceLogin({
+  approval,
+  privateKeyPem,
+  apiUrl,
+  deviceName,
+  decryptTransferFn = decryptTransfer,
+  storeVaultKeyFn = storeVaultKey,
+  exchangeTokenForApiKeyFn = exchangeTokenForApiKey,
+}) {
+  if (!approval?.vault_transfer) {
+    throw new Error('Vault transfer missing. Please reauthorize.');
+  }
+
+  if (!approval?.access_token) {
+    throw new Error('Missing access token. Please reauthorize.');
+  }
+
+  let masterKeyB64;
+  if (approval.vault_transfer === 'cli_generate') {
+    // No browser extensions available — generate master key locally
+    masterKeyB64 = b64urlEncode(randomBytes(32));
+  } else {
+    masterKeyB64 = decryptTransferFn(approval.vault_transfer, privateKeyPem);
+  }
+  await storeVaultKeyFn(masterKeyB64);
+
+  return exchangeTokenForApiKeyFn(apiUrl, approval.access_token, deviceName);
+}
+
 function getDeviceName() {
   const os = process.platform;
   const hostname = process.env.HOSTNAME || process.env.COMPUTERNAME || 'CLI';
-
-  const osNames = {
-    darwin: 'macOS',
-    linux: 'Linux',
-    win32: 'Windows'
-  };
-
+  const osNames = { darwin: 'macOS', linux: 'Linux', win32: 'Windows' };
   return `${osNames[os] || os} - ${hostname}`;
 }
 
@@ -72,6 +136,8 @@ function sleep(ms) {
 
 export async function login(options) {
   const apiUrl = options?.url || DEFAULT_API_URL;
+  const accountUrl = options?.accountUrl || DEFAULT_ACCOUNT_URL;
+  if (options?.clientId) setClientId(options.clientId);
 
   if (isLoggedIn()) {
     console.log(chalk.yellow('Already logged in.'));
@@ -84,33 +150,51 @@ export async function login(options) {
   const spinner = ora('Connecting...').start();
 
   try {
-    // Step 1: Request device code
-    const authData = await initiateDeviceAuth(apiUrl);
+    // Step 1: Request device code from wa-auth
+    const { publicKeySpkiB64url, privateKeyPem } = await generateTransferKeyPair();
+    const authData = await requestDeviceCode(accountUrl, publicKeySpkiB64url);
     spinner.stop();
 
-    // Step 2: Show login URL and code
-    const verifyUrl = `${authData.verification_url}?code=${authData.user_code}`;
-
+    // Step 2: Show login URL
+    const code = authData.user_code;
+    const displayCode = code.length === 8
+      ? `${code.slice(0, 4)}-${code.slice(4)}`.toUpperCase()
+      : code.toUpperCase();
+    const verifyUrl = `${authData.verification_url}?code=${code}`;
     console.log('Open this URL in your browser to log in:\n');
     console.log(chalk.cyan.bold(`  ${verifyUrl}\n`));
-    console.log(chalk.dim(`Or go to ${authData.verification_url} and enter code: ${authData.user_code}\n`));
+    console.log(chalk.dim(`Or go to ${authData.verification_url}`));
+    console.log(chalk.dim(`and enter code: `) + chalk.white.bold(displayCode) + '\n');
 
     // Step 3: Poll for approval
     spinner.start('Waiting for you to authorize in browser...');
-
-    const result = await pollForApproval(
+    const approval = await pollForApproval(accountUrl, authData.device_code, authData.expires_in);
+    spinner.text = 'Securing vault key...';
+
+    // Step 4: Decrypt vault transfer and store key before exchanging JWT
+    const deviceName = getDeviceName();
+    const result = await finalizeDeviceLogin({
+      approval,
+      privateKeyPem,
       apiUrl,
-      authData.device_code,
-      authData.interval,
-      authData.expires_in
-    );
+      deviceName,
+    });
 
-    // Step 4: Save credentials
-    setApiKey(result.access_token);
+    // Step 5: Store credentials
+    setApiKey(result.api_key);
     setApiUrl(apiUrl);
+    setAccountUrl(accountUrl);
+    setVaultAvailable(true);
 
     spinner.succeed(chalk.green('Logged in successfully!'));
-    console.log(`\nWelcome, ${chalk.cyan(result.user_email)}!`);
+    console.log(`\nWelcome, ${chalk.cyan(result.email)}!`);
+
+    if (result.vault && result.vault.available) {
+      console.log(chalk.green('\nVault ready — prompts will be encrypted end-to-end.'));
+    } else {
+      console.log(chalk.dim('\nSet up your vault at: ' + `${apiUrl}/dashboard/settings`));
+    }
+
     console.log('\nRun ' + chalk.cyan('pc setup') + ' to configure auto-capture for your CLI tools.\n');
 
   } catch (error) {

package/src/commands/logout.js

@@ -1,5 +1,6 @@
 import chalk from 'chalk';
 import { clearApiKey, isLoggedIn } from '../lib/config.js';
+import { clearVaultKey } from '../lib/keychain.js';
 
 export async function logout() {
   if (!isLoggedIn()) {
@@ -7,6 +8,11 @@ export async function logout() {
     return;
   }
 
+  try {
+    await clearVaultKey();
+  } catch (error) {
+    console.log(chalk.yellow('Warning: failed to clear vault key.'));
+  }
   clearApiKey();
   console.log(chalk.green('Logged out successfully.'));
 }

package/src/commands/push.js

@@ -1,7 +1,6 @@
 import ora from 'ora';
 import chalk from 'chalk';
 import { getPrompt } from '../lib/api.js';
-import { connect, disconnect } from '../lib/websocket.js';
 import { isLoggedIn } from '../lib/config.js';
 
 export async function push(slug, options) {
@@ -14,42 +13,15 @@ export async function push(slug, options) {
 
   try {
     const prompt = await getPrompt(slug);
-    spinner.text = 'Connecting to session...';
 
-    const socket = connect(options.tool || 'claude');
-
-    // Wait for connection
-    await new Promise((resolve, reject) => {
-      const timeout = setTimeout(() => {
-        reject(new Error('Connection timeout'));
-      }, 10000);
-
-      socket.on('registered', () => {
-        clearTimeout(timeout);
-        resolve();
-      });
-
-      socket.on('error', (err) => {
-        clearTimeout(timeout);
-        reject(new Error(err.message));
-      });
-    });
-
-    spinner.text = 'Pushing prompt...';
-
-    // Push the prompt to ourselves (for now, just copy to clipboard simulation)
+    spinner.succeed(chalk.green('Prompt fetched!'));
     console.log('\n' + chalk.cyan('Prompt content:'));
     console.log(chalk.dim('─'.repeat(50)));
     console.log(prompt.content);
     console.log(chalk.dim('─'.repeat(50)));
-
-    spinner.succeed(chalk.green('Prompt fetched!'));
     console.log('\nCopy the prompt above to use it in your session.');
-
-    disconnect();
   } catch (error) {
     spinner.fail(chalk.red('Failed: ' + error.message));
-    disconnect();
   }
 }
 

package/src/commands/save.js

@@ -3,7 +3,9 @@ import ora from 'ora';
 import chalk from 'chalk';
 import { capturePrompt } from '../lib/api.js';
 import { getFullContext } from '../lib/context.js';
-import { isLoggedIn } from '../lib/config.js';
+import { isLoggedIn, isVaultAvailable, getApiUrl } from '../lib/config.js';
+import { encryptPrompt } from '../lib/crypto.js';
+import { requireVaultKey } from '../lib/keychain.js';
 
 export async function save(options) {
   if (!isLoggedIn()) {
@@ -11,6 +13,12 @@ export async function save(options) {
     return;
   }
 
+  if (!isVaultAvailable()) {
+    console.log(chalk.red('Vault not set up.') + ' Prompt capture requires a vault.');
+    console.log('Set up your vault at: ' + chalk.cyan(`${getApiUrl()}/dashboard/settings`));
+    return;
+  }
+
   let content = options.message;
 
   if (!content) {
@@ -31,8 +39,19 @@ export async function save(options) {
   const spinner = ora('Saving prompt...').start();
 
   try {
+    let vaultKey;
+    try {
+      vaultKey = await requireVaultKey();
+    } catch (error) {
+      spinner.stop();
+      console.log(chalk.red(error.message));
+      return;
+    }
+    const { encrypted_content, content_iv } = encryptPrompt(content.trim(), vaultKey);
+
     const result = await capturePrompt({
-      content: content.trim(),
+      encrypted_content,
+      content_iv,
       ...context
     });