@promptcellar/pc 0.5.2 → 0.5.4

package/README.md

@@ -1,6 +1,6 @@
-# PromptCellar CLI
+# Prompt Cellar CLI
 
-Command-line tool for capturing, managing, and reusing AI prompts with [PromptCellar](https://prompts.weldedanvil.com).
+Command-line tool for capturing, managing, and reusing AI prompts with [Prompt Cellar](https://prompts.weldedanvil.com).
 
 ## Installation
 
@@ -103,11 +103,16 @@ Configuration is stored in:
 - Linux: `~/.config/promptcellar-nodejs/`
 - Windows: `%APPDATA%/promptcellar-nodejs/`
 
+Security flags and requirements:
+- `PC_VAULT_KEY`: overrides the vault key used by the CLI.
+- `PC_VAULT_KEY_FALLBACK=1`: enables file fallback when the keychain is locked.
+- `apiUrl` and `accountUrl` must use HTTPS (`http://localhost` is allowed).
+
 ## API
 
-The CLI communicates with your PromptCellar instance. Get your API key from:
+The CLI communicates with your Prompt Cellar instance. Get your API key from:
 
-Settings > API Keys in your PromptCellar dashboard.
+Settings > API Keys in your Prompt Cellar dashboard.
 
 ## License
 

package/bin/pc.js

@@ -16,12 +16,12 @@ const pkg = require('../package.json');
 
 program
   .name('pc')
-  .description('PromptCellar CLI - sync prompts between your terminal and the cloud')
+  .description('Prompt Cellar CLI - sync prompts between your terminal and the cloud')
   .version(pkg.version);
 
 program
   .command('login')
-  .description('Authenticate with PromptCellar via browser')
+  .description('Authenticate with Prompt Cellar via browser')
   .option('-u, --url <url>', 'API URL (for self-hosted instances)')
   .option('-a, --account-url <url>', 'Account URL (for self-hosted instances)')
   .option('-c, --client-id <id>', 'OIDC client ID (default: prompts-prod)')

package/hooks/codex-capture.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /**
- * Codex CLI notify hook for capturing prompts to PromptCellar.
+ * Codex CLI notify hook for capturing prompts to Prompt Cellar.
  *
  * Codex calls this script with a JSON argument containing:
  * - type: event type (e.g., 'agent-turn-complete')

package/hooks/gemini-capture.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /**
- * Gemini CLI BeforeAgent hook for capturing prompts to PromptCellar.
+ * Gemini CLI BeforeAgent hook for capturing prompts to Prompt Cellar.
  *
  * Gemini hooks receive JSON via stdin with:
  * - hook_event_name: the hook event (e.g., 'BeforeAgent')

package/hooks/prompt-capture.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /**
- * Claude Code UserPromptSubmit hook for capturing prompts to PromptCellar.
+ * Claude Code UserPromptSubmit hook for capturing prompts to Prompt Cellar.
  *
  * This script is called by Claude Code on every user prompt submission.
  * UserPromptSubmit hooks receive JSON via stdin with:

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@promptcellar/pc",
-  "version": "0.5.2",
-  "description": "CLI for PromptCellar - sync prompts between your terminal and the cloud",
+  "version": "0.5.4",
+  "description": "CLI for Prompt Cellar - sync prompts between your terminal and the cloud",
   "type": "module",
   "main": "src/index.js",
   "bin": {

package/src/commands/login.js

@@ -2,6 +2,7 @@ import { randomBytes } from 'crypto';
 import ora from 'ora';
 import chalk from 'chalk';
 import {
+  normalizeAndValidateUrl,
   setApiKey, setApiUrl, setAccountUrl,
   setVaultAvailable,
   isLoggedIn
@@ -123,6 +124,26 @@ export async function finalizeDeviceLogin({
   return exchangeTokenForApiKeyFn(apiUrl, approval.access_token, deviceName);
 }
 
+export function persistLoginState({
+  apiUrl,
+  accountUrl,
+  apiKey,
+  vaultAvailable = true,
+  normalizeFn = normalizeAndValidateUrl,
+  setApiUrlFn = setApiUrl,
+  setAccountUrlFn = setAccountUrl,
+  setApiKeyFn = setApiKey,
+  setVaultAvailableFn = setVaultAvailable,
+}) {
+  const normalizedApiUrl = normalizeFn(apiUrl);
+  const normalizedAccountUrl = normalizeFn(accountUrl);
+
+  setApiUrlFn(normalizedApiUrl);
+  setAccountUrlFn(normalizedAccountUrl);
+  setApiKeyFn(apiKey);
+  setVaultAvailableFn(vaultAvailable);
+}
+
 function getDeviceName() {
   const os = process.platform;
   const hostname = process.env.HOSTNAME || process.env.COMPUTERNAME || 'CLI';
@@ -145,7 +166,7 @@ export async function login(options) {
     return;
   }
 
-  console.log(chalk.bold('\nPromptCellar CLI Login\n'));
+  console.log(chalk.bold('\nPrompt Cellar CLI Login\n'));
 
   const spinner = ora('Connecting...').start();
 
@@ -181,10 +202,12 @@ export async function login(options) {
     });
 
     // Step 5: Store credentials
-    setApiKey(result.api_key);
-    setApiUrl(apiUrl);
-    setAccountUrl(accountUrl);
-    setVaultAvailable(true);
+    persistLoginState({
+      apiUrl,
+      accountUrl,
+      apiKey: result.api_key,
+      vaultAvailable: true,
+    });
 
     spinner.succeed(chalk.green('Logged in successfully!'));
     console.log(`\nWelcome, ${chalk.cyan(result.email)}!`);

package/src/commands/setup.js

@@ -133,7 +133,7 @@ function saveGeminiSettings(settings) {
 }
 
 export async function setup() {
-  console.log(chalk.bold('\nPromptCellar CLI Setup\n'));
+  console.log(chalk.bold('\nPrompt Cellar CLI Setup\n'));
 
   const installedTools = detectInstalledTools();
 
@@ -178,7 +178,7 @@ export async function setup() {
   }
 
   console.log(chalk.green('\nSetup complete!'));
-  console.log('Your prompts will be automatically captured to PromptCellar.\n');
+  console.log('Your prompts will be automatically captured to Prompt Cellar.\n');
 }
 
 async function setupClaudeCode() {
@@ -261,7 +261,7 @@ async function setupCodex() {
 
     // Remove existing notify line and comment
     config = config.split('\n')
-      .filter(line => !line.includes('pc-codex-capture') && !line.includes('# PromptCellar capture hook'))
+      .filter(line => !line.includes('pc-codex-capture') && !line.includes('# Prompt Cellar capture hook'))
       .join('\n');
   }
 
@@ -278,10 +278,10 @@ async function setupCodex() {
       const insertPos = firstTableMatch.index;
       const before = config.slice(0, insertPos).trimEnd();
       const after = config.slice(insertPos);
-      config = before + '\n\n# PromptCellar capture hook\n' + notifyLine + '\n\n' + after;
+      config = before + '\n\n# Prompt Cellar capture hook\n' + notifyLine + '\n\n' + after;
     } else {
       // No table sections — safe to append
-      config = config.trimEnd() + '\n\n# PromptCellar capture hook\n' + notifyLine + '\n';
+      config = config.trimEnd() + '\n\n# Prompt Cellar capture hook\n' + notifyLine + '\n';
     }
   }
 
@@ -339,7 +339,7 @@ async function setupGemini() {
 }
 
 export async function unsetup() {
-  console.log(chalk.bold('\nRemoving PromptCellar hooks...\n'));
+  console.log(chalk.bold('\nRemoving Prompt Cellar hooks...\n'));
 
   let removed = false;
 
@@ -366,7 +366,7 @@ export async function unsetup() {
   let codexConfig = getCodexConfig();
   if (isCodexHookInstalled(codexConfig)) {
     codexConfig = codexConfig.split('\n')
-      .filter(line => !line.includes('pc-codex-capture') && !line.includes('# PromptCellar capture hook'))
+      .filter(line => !line.includes('pc-codex-capture') && !line.includes('# Prompt Cellar capture hook'))
       .join('\n');
     // Clean up extra blank lines left behind
     codexConfig = codexConfig.replace(/\n{3,}/g, '\n\n');

package/src/commands/status.js

@@ -5,7 +5,7 @@ import { getGitContext } from '../lib/context.js';
 import { loadVaultKey } from '../lib/keychain.js';
 
 export async function status() {
-  console.log(chalk.bold('\nPromptCellar CLI Status\n'));
+  console.log(chalk.bold('\nPrompt Cellar CLI Status\n'));
 
   // Auth status
   if (isLoggedIn()) {

package/src/index.js

@@ -1,4 +1,4 @@
-// PromptCellar CLI - Main exports
+// Prompt Cellar CLI - Main exports
 
 export { login } from './commands/login.js';
 export { logout } from './commands/logout.js';

package/src/lib/config.js

@@ -50,8 +50,28 @@ export function getApiUrl() {
   return config.get('apiUrl');
 }
 
+export function normalizeAndValidateUrl(rawUrl) {
+  if (typeof rawUrl !== 'string' || !rawUrl.trim()) {
+    throw new Error('URL is required');
+  }
+  let url;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    throw new Error('Invalid URL');
+  }
+  if (!['http:', 'https:'].includes(url.protocol)) {
+    throw new Error('URL must be http or https');
+  }
+  const isLocalhost = ['localhost', '127.0.0.1'].includes(url.hostname);
+  if (url.protocol !== 'https:' && !isLocalhost) {
+    throw new Error('URL must use https');
+  }
+  return url.origin;
+}
+
 export function setApiUrl(url) {
-  config.set('apiUrl', url);
+  config.set('apiUrl', normalizeAndValidateUrl(url));
 }
 
 export function getCaptureLevel() {
@@ -79,7 +99,7 @@ export function getAccountUrl() {
 }
 
 export function setAccountUrl(url) {
-  config.set('accountUrl', url);
+  config.set('accountUrl', normalizeAndValidateUrl(url));
 }
 
 export function isVaultAvailable() {

package/src/lib/context.js

@@ -9,6 +9,20 @@ function execGit(...args) {
   }
 }
 
+export function sanitizeGitRemote(remote) {
+  if (!remote) return remote;
+  try {
+    const url = new URL(remote);
+    url.username = '';
+    url.password = '';
+    url.search = '';
+    url.hash = '';
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return remote.replace(/\/\/[^@]+@/, '//');
+  }
+}
+
 export function getGitContext() {
   const level = getCaptureLevel();
 
@@ -28,7 +42,7 @@ export function getGitContext() {
 
   // Rich: add remote URL and commit hash
   if (level === 'rich' && topLevel) {
-    context.git_remote_url = execGit('remote', 'get-url', 'origin');
+    context.git_remote_url = sanitizeGitRemote(execGit('remote', 'get-url', 'origin'));
     context.git_commit = execGit('rev-parse', 'HEAD');
   }
 

package/src/lib/keychain.js

@@ -43,19 +43,24 @@ export async function storeVaultKey(keyB64url) {
   try {
     await keytar.setPassword(SERVICE, ACCOUNT, keyB64url);
     return;
-  } catch {
-    // Keychain unavailable — use file fallback
+  } catch (err) {
+    if (process.env.PC_VAULT_KEY_FALLBACK !== '1') {
+      throw err;
+    }
   }
   writeFallback(keyB64url);
 }
 
 export async function loadVaultKey() {
+  const envVaultKey = process.env.PC_VAULT_KEY;
+  if (envVaultKey) return envVaultKey;
   try {
     const val = await keytar.getPassword(SERVICE, ACCOUNT);
     if (val) return val;
   } catch {
     // Keychain unavailable — try file fallback
   }
+  if (process.env.PC_VAULT_KEY_FALLBACK !== '1') return null;
   return readFallback();
 }
 

package/src/lib/websocket.js

@@ -37,7 +37,7 @@ export function connect(tool, onPromptReceived) {
   });
 
   socket.on('registered', (data) => {
-    console.log(`Connected to PromptCellar (session: ${data.session_id})`);
+    console.log(`Connected to Prompt Cellar (session: ${data.session_id})`);
   });
 
   socket.on('prompt_pushed', (data) => {

package/tests/config.test.js

@@ -0,0 +1,29 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { normalizeAndValidateUrl } from '../src/lib/config.js';
+
+describe('normalizeAndValidateUrl', () => {
+  it('accepts https URLs', () => {
+    const url = normalizeAndValidateUrl('https://prompts.weldedanvil.com');
+    assert.equal(url, 'https://prompts.weldedanvil.com');
+  });
+
+  it('accepts localhost http URLs', () => {
+    const url = normalizeAndValidateUrl('http://localhost:3000');
+    assert.equal(url, 'http://localhost:3000');
+  });
+
+  it('rejects non-https for non-local hosts', () => {
+    assert.throws(
+      () => normalizeAndValidateUrl('http://example.com'),
+      /https/i,
+    );
+  });
+
+  it('rejects non-http schemes', () => {
+    assert.throws(
+      () => normalizeAndValidateUrl('ftp://example.com'),
+      /http/i,
+    );
+  });
+});

package/tests/context.test.js

@@ -0,0 +1,23 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { sanitizeGitRemote } from '../src/lib/context.js';
+
+describe('sanitizeGitRemote', () => {
+  it('strips credentials and query/fragment', () => {
+    const input = 'https://token:secret@github.com/org/repo.git?foo=bar#frag';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, 'https://github.com/org/repo.git');
+  });
+
+  it('removes userinfo from https URL', () => {
+    const input = 'https://token@github.com/org/repo.git';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, 'https://github.com/org/repo.git');
+  });
+
+  it('leaves scp-style remotes intact', () => {
+    const input = 'git@github.com:org/repo.git';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, input);
+  });
+});

package/tests/device-login.test.js

@@ -118,4 +118,32 @@ describe('device login helpers', () => {
       assert.equal(exchangeCalled, false);
     });
   });
+
+  describe('persistLoginState', () => {
+    it('does not persist when validation fails', () => {
+      const { persistLoginState } = login;
+      assert.equal(typeof persistLoginState, 'function', 'persistLoginState should be exported');
+
+      const calls = [];
+      const normalizeFn = () => {
+        throw new Error('invalid url');
+      };
+
+      assert.throws(
+        () => persistLoginState({
+          apiUrl: 'http://bad',
+          accountUrl: 'http://bad',
+          apiKey: 'api-key',
+          normalizeFn,
+          setApiUrlFn: () => calls.push('apiUrl'),
+          setAccountUrlFn: () => calls.push('accountUrl'),
+          setApiKeyFn: () => calls.push('apiKey'),
+          setVaultAvailableFn: () => calls.push('vaultAvailable'),
+        }),
+        /invalid url/i,
+      );
+
+      assert.deepEqual(calls, []);
+    });
+  });
 });

package/tests/keychain.test.js

@@ -1,6 +1,14 @@
-import { describe, it } from 'node:test';
+import { describe, it, mock } from 'node:test';
 import assert from 'node:assert/strict';
+import keytar from 'keytar';
 import * as keychain from '../src/lib/keychain.js';
+import { loadVaultKey, storeVaultKey } from '../src/lib/keychain.js';
+
+const ORIGINAL_ENV = { ...process.env };
+
+function resetEnv() {
+  process.env = { ...ORIGINAL_ENV };
+}
 
 describe('requireVaultKey', () => {
   it('returns key when available', async () => {
@@ -38,3 +46,28 @@ describe('requireVaultKey', () => {
     assert.equal(key, null);
   });
 });
+
+describe('vault key env handling', () => {
+  it('prefers PC_VAULT_KEY when set', async () => {
+    resetEnv();
+    process.env.PC_VAULT_KEY = 'env-key';
+    mock.method(keytar, 'getPassword', async () => {
+      throw new Error('should not call keytar');
+    });
+
+    const key = await loadVaultKey();
+    assert.equal(key, 'env-key');
+  });
+
+  it('throws when keytar fails and fallback disabled', async () => {
+    resetEnv();
+    mock.method(keytar, 'setPassword', async () => {
+      throw new Error('keytar locked');
+    });
+
+    await assert.rejects(
+      () => storeVaultKey('vault-key'),
+      /keytar locked/i,
+    );
+  });
+});