npm - @promptcellar/pc - Versions diffs - 0.5.3 → 0.5.4 - Mend

@promptcellar/pc 0.5.3 → 0.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +5 -0
package/package.json +1 -1
package/src/commands/login.js +27 -4
package/src/lib/config.js +22 -2
package/src/lib/context.js +15 -1
package/src/lib/keychain.js +7 -2
package/tests/config.test.js +29 -0
package/tests/context.test.js +23 -0
package/tests/device-login.test.js +28 -0
package/tests/keychain.test.js +34 -1

package/README.md CHANGED Viewed

@@ -103,6 +103,11 @@ Configuration is stored in:
 - Linux: `~/.config/promptcellar-nodejs/`
 - Windows: `%APPDATA%/promptcellar-nodejs/`
+Security flags and requirements:
+- `PC_VAULT_KEY`: overrides the vault key used by the CLI.
+- `PC_VAULT_KEY_FALLBACK=1`: enables file fallback when the keychain is locked.
+- `apiUrl` and `accountUrl` must use HTTPS (`http://localhost` is allowed).
 ## API
 The CLI communicates with your Prompt Cellar instance. Get your API key from:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@promptcellar/pc",
-  "version": "0.5.3",
+  "version": "0.5.4",
   "description": "CLI for Prompt Cellar - sync prompts between your terminal and the cloud",
   "type": "module",
   "main": "src/index.js",

package/src/commands/login.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { randomBytes } from 'crypto';
 import ora from 'ora';
 import chalk from 'chalk';
 import {
+  normalizeAndValidateUrl,
   setApiKey, setApiUrl, setAccountUrl,
   setVaultAvailable,
   isLoggedIn
@@ -123,6 +124,26 @@ export async function finalizeDeviceLogin({
   return exchangeTokenForApiKeyFn(apiUrl, approval.access_token, deviceName);
 }
+export function persistLoginState({
+  apiUrl,
+  accountUrl,
+  apiKey,
+  vaultAvailable = true,
+  normalizeFn = normalizeAndValidateUrl,
+  setApiUrlFn = setApiUrl,
+  setAccountUrlFn = setAccountUrl,
+  setApiKeyFn = setApiKey,
+  setVaultAvailableFn = setVaultAvailable,
+}) {
+  const normalizedApiUrl = normalizeFn(apiUrl);
+  const normalizedAccountUrl = normalizeFn(accountUrl);
+  setApiUrlFn(normalizedApiUrl);
+  setAccountUrlFn(normalizedAccountUrl);
+  setApiKeyFn(apiKey);
+  setVaultAvailableFn(vaultAvailable);
+}
 function getDeviceName() {
   const os = process.platform;
   const hostname = process.env.HOSTNAME || process.env.COMPUTERNAME || 'CLI';
@@ -181,10 +202,12 @@ export async function login(options) {
     });
     // Step 5: Store credentials
-    setApiKey(result.api_key);
-    setApiUrl(apiUrl);
-    setAccountUrl(accountUrl);
-    setVaultAvailable(true);
+    persistLoginState({
+      apiUrl,
+      accountUrl,
+      apiKey: result.api_key,
+      vaultAvailable: true,
+    });
     spinner.succeed(chalk.green('Logged in successfully!'));
     console.log(`\nWelcome, ${chalk.cyan(result.email)}!`);

package/src/lib/config.js CHANGED Viewed

@@ -50,8 +50,28 @@ export function getApiUrl() {
   return config.get('apiUrl');
 }
+export function normalizeAndValidateUrl(rawUrl) {
+  if (typeof rawUrl !== 'string' || !rawUrl.trim()) {
+    throw new Error('URL is required');
+  }
+  let url;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    throw new Error('Invalid URL');
+  }
+  if (!['http:', 'https:'].includes(url.protocol)) {
+    throw new Error('URL must be http or https');
+  }
+  const isLocalhost = ['localhost', '127.0.0.1'].includes(url.hostname);
+  if (url.protocol !== 'https:' && !isLocalhost) {
+    throw new Error('URL must use https');
+  }
+  return url.origin;
+}
 export function setApiUrl(url) {
-  config.set('apiUrl', url);
+  config.set('apiUrl', normalizeAndValidateUrl(url));
 }
 export function getCaptureLevel() {
@@ -79,7 +99,7 @@ export function getAccountUrl() {
 }
 export function setAccountUrl(url) {
-  config.set('accountUrl', url);
+  config.set('accountUrl', normalizeAndValidateUrl(url));
 }
 export function isVaultAvailable() {

package/src/lib/context.js CHANGED Viewed

@@ -9,6 +9,20 @@ function execGit(...args) {
   }
 }
+export function sanitizeGitRemote(remote) {
+  if (!remote) return remote;
+  try {
+    const url = new URL(remote);
+    url.username = '';
+    url.password = '';
+    url.search = '';
+    url.hash = '';
+    return `${url.origin}${url.pathname}`;
+  } catch {
+    return remote.replace(/\/\/[^@]+@/, '//');
+  }
+}
 export function getGitContext() {
   const level = getCaptureLevel();
@@ -28,7 +42,7 @@ export function getGitContext() {
   // Rich: add remote URL and commit hash
   if (level === 'rich' && topLevel) {
-    context.git_remote_url = execGit('remote', 'get-url', 'origin');
+    context.git_remote_url = sanitizeGitRemote(execGit('remote', 'get-url', 'origin'));
     context.git_commit = execGit('rev-parse', 'HEAD');
   }

package/src/lib/keychain.js CHANGED Viewed

@@ -43,19 +43,24 @@ export async function storeVaultKey(keyB64url) {
   try {
     await keytar.setPassword(SERVICE, ACCOUNT, keyB64url);
     return;
-  } catch {
-    // Keychain unavailable — use file fallback
+  } catch (err) {
+    if (process.env.PC_VAULT_KEY_FALLBACK !== '1') {
+      throw err;
+    }
   }
   writeFallback(keyB64url);
 }
 export async function loadVaultKey() {
+  const envVaultKey = process.env.PC_VAULT_KEY;
+  if (envVaultKey) return envVaultKey;
   try {
     const val = await keytar.getPassword(SERVICE, ACCOUNT);
     if (val) return val;
   } catch {
     // Keychain unavailable — try file fallback
   }
+  if (process.env.PC_VAULT_KEY_FALLBACK !== '1') return null;
   return readFallback();
 }

package/tests/config.test.js ADDED Viewed

@@ -0,0 +1,29 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { normalizeAndValidateUrl } from '../src/lib/config.js';
+describe('normalizeAndValidateUrl', () => {
+  it('accepts https URLs', () => {
+    const url = normalizeAndValidateUrl('https://prompts.weldedanvil.com');
+    assert.equal(url, 'https://prompts.weldedanvil.com');
+  });
+  it('accepts localhost http URLs', () => {
+    const url = normalizeAndValidateUrl('http://localhost:3000');
+    assert.equal(url, 'http://localhost:3000');
+  });
+  it('rejects non-https for non-local hosts', () => {
+    assert.throws(
+      () => normalizeAndValidateUrl('http://example.com'),
+      /https/i,
+    );
+  });
+  it('rejects non-http schemes', () => {
+    assert.throws(
+      () => normalizeAndValidateUrl('ftp://example.com'),
+      /http/i,
+    );
+  });
+});

package/tests/context.test.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { sanitizeGitRemote } from '../src/lib/context.js';
+describe('sanitizeGitRemote', () => {
+  it('strips credentials and query/fragment', () => {
+    const input = 'https://token:secret@github.com/org/repo.git?foo=bar#frag';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, 'https://github.com/org/repo.git');
+  });
+  it('removes userinfo from https URL', () => {
+    const input = 'https://token@github.com/org/repo.git';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, 'https://github.com/org/repo.git');
+  });
+  it('leaves scp-style remotes intact', () => {
+    const input = 'git@github.com:org/repo.git';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, input);
+  });
+});

package/tests/device-login.test.js CHANGED Viewed

@@ -118,4 +118,32 @@ describe('device login helpers', () => {
       assert.equal(exchangeCalled, false);
     });
   });
+  describe('persistLoginState', () => {
+    it('does not persist when validation fails', () => {
+      const { persistLoginState } = login;
+      assert.equal(typeof persistLoginState, 'function', 'persistLoginState should be exported');
+      const calls = [];
+      const normalizeFn = () => {
+        throw new Error('invalid url');
+      };
+      assert.throws(
+        () => persistLoginState({
+          apiUrl: 'http://bad',
+          accountUrl: 'http://bad',
+          apiKey: 'api-key',
+          normalizeFn,
+          setApiUrlFn: () => calls.push('apiUrl'),
+          setAccountUrlFn: () => calls.push('accountUrl'),
+          setApiKeyFn: () => calls.push('apiKey'),
+          setVaultAvailableFn: () => calls.push('vaultAvailable'),
+        }),
+        /invalid url/i,
+      );
+      assert.deepEqual(calls, []);
+    });
+  });
 });

package/tests/keychain.test.js CHANGED Viewed

@@ -1,6 +1,14 @@
-import { describe, it } from 'node:test';
+import { describe, it, mock } from 'node:test';
 import assert from 'node:assert/strict';
+import keytar from 'keytar';
 import * as keychain from '../src/lib/keychain.js';
+import { loadVaultKey, storeVaultKey } from '../src/lib/keychain.js';
+const ORIGINAL_ENV = { ...process.env };
+function resetEnv() {
+  process.env = { ...ORIGINAL_ENV };
+}
 describe('requireVaultKey', () => {
   it('returns key when available', async () => {
@@ -38,3 +46,28 @@ describe('requireVaultKey', () => {
     assert.equal(key, null);
   });
 });
+describe('vault key env handling', () => {
+  it('prefers PC_VAULT_KEY when set', async () => {
+    resetEnv();
+    process.env.PC_VAULT_KEY = 'env-key';
+    mock.method(keytar, 'getPassword', async () => {
+      throw new Error('should not call keytar');
+    });
+    const key = await loadVaultKey();
+    assert.equal(key, 'env-key');
+  });
+  it('throws when keytar fails and fallback disabled', async () => {
+    resetEnv();
+    mock.method(keytar, 'setPassword', async () => {
+      throw new Error('keytar locked');
+    });
+    await assert.rejects(
+      () => storeVaultKey('vault-key'),
+      /keytar locked/i,
+    );
+  });
+});