npm - @promptcellar/pc - Versions diffs - 0.5.3 → 0.5.5 - Mend

@promptcellar/pc 0.5.3 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/hooks/codex-capture.js +9 -9
package/hooks/gemini-capture.js +5 -9
package/hooks/prompt-capture.js +5 -9
package/package.json +2 -1
package/src/commands/login.js +34 -115
package/src/commands/save.js +5 -2
package/src/lib/api.js +28 -47
package/src/lib/config.js +22 -2
package/src/lib/context.js +14 -59
package/src/lib/crypto.js +1 -39
package/src/lib/device-transfer.js +1 -43
package/src/lib/keychain.js +7 -2
package/tests/config.test.js +29 -0
package/tests/context.test.js +23 -0
package/tests/device-login.test.js +28 -0
package/tests/keychain.test.js +34 -1
package/README.md +0 -114
package/docs/plans/2026-01-30-wa-auth-integration-design.md +0 -118
package/docs/plans/2026-01-30-wa-auth-integration-plan.md +0 -776
package/docs/plans/2026-02-03-multi-prompt-capture-design.md +0 -501

package/tests/context.test.js ADDED Viewed

@@ -0,0 +1,23 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { sanitizeGitRemote } from '../src/lib/context.js';
+describe('sanitizeGitRemote', () => {
+  it('strips credentials and query/fragment', () => {
+    const input = 'https://token:secret@github.com/org/repo.git?foo=bar#frag';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, 'https://github.com/org/repo.git');
+  });
+  it('removes userinfo from https URL', () => {
+    const input = 'https://token@github.com/org/repo.git';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, 'https://github.com/org/repo.git');
+  });
+  it('leaves scp-style remotes intact', () => {
+    const input = 'git@github.com:org/repo.git';
+    const output = sanitizeGitRemote(input);
+    assert.equal(output, input);
+  });
+});

package/tests/device-login.test.js CHANGED Viewed

@@ -118,4 +118,32 @@ describe('device login helpers', () => {
       assert.equal(exchangeCalled, false);
     });
   });
+  describe('persistLoginState', () => {
+    it('does not persist when validation fails', () => {
+      const { persistLoginState } = login;
+      assert.equal(typeof persistLoginState, 'function', 'persistLoginState should be exported');
+      const calls = [];
+      const normalizeFn = () => {
+        throw new Error('invalid url');
+      };
+      assert.throws(
+        () => persistLoginState({
+          apiUrl: 'http://bad',
+          accountUrl: 'http://bad',
+          apiKey: 'api-key',
+          normalizeFn,
+          setApiUrlFn: () => calls.push('apiUrl'),
+          setAccountUrlFn: () => calls.push('accountUrl'),
+          setApiKeyFn: () => calls.push('apiKey'),
+          setVaultAvailableFn: () => calls.push('vaultAvailable'),
+        }),
+        /invalid url/i,
+      );
+      assert.deepEqual(calls, []);
+    });
+  });
 });

package/tests/keychain.test.js CHANGED Viewed

@@ -1,6 +1,14 @@
-import { describe, it } from 'node:test';
+import { describe, it, mock } from 'node:test';
 import assert from 'node:assert/strict';
+import keytar from 'keytar';
 import * as keychain from '../src/lib/keychain.js';
+import { loadVaultKey, storeVaultKey } from '../src/lib/keychain.js';
+const ORIGINAL_ENV = { ...process.env };
+function resetEnv() {
+  process.env = { ...ORIGINAL_ENV };
+}
 describe('requireVaultKey', () => {
   it('returns key when available', async () => {
@@ -38,3 +46,28 @@ describe('requireVaultKey', () => {
     assert.equal(key, null);
   });
 });
+describe('vault key env handling', () => {
+  it('prefers PC_VAULT_KEY when set', async () => {
+    resetEnv();
+    process.env.PC_VAULT_KEY = 'env-key';
+    mock.method(keytar, 'getPassword', async () => {
+      throw new Error('should not call keytar');
+    });
+    const key = await loadVaultKey();
+    assert.equal(key, 'env-key');
+  });
+  it('throws when keytar fails and fallback disabled', async () => {
+    resetEnv();
+    mock.method(keytar, 'setPassword', async () => {
+      throw new Error('keytar locked');
+    });
+    await assert.rejects(
+      () => storeVaultKey('vault-key'),
+      /keytar locked/i,
+    );
+  });
+});

package/README.md DELETED Viewed

@@ -1,114 +0,0 @@
-# Prompt Cellar CLI
-Command-line tool for capturing, managing, and reusing AI prompts with [Prompt Cellar](https://prompts.weldedanvil.com).
-## Installation
-```bash
-npm install -g @promptcellar/pc
-```
-## Quick Start
-```bash
-# Login via browser authorization
-pc login
-# Set up auto-capture for your AI CLI tools
-pc setup
-# Check status
-pc status
-```
-## Commands
-### Authentication
-```bash
-pc login     # Login via browser authorization
-pc logout    # Remove stored credentials
-pc status    # Show current status and connection info
-```
-### Auto-Capture Setup
-```bash
-pc setup     # Configure auto-capture for CLI tools
-pc unsetup   # Remove auto-capture hooks
-```
-Supported tools (auto-detected during setup):
-- **Claude Code** - via Stop hooks
-- **Codex CLI** - via notify hook
-- **Gemini CLI** - via BeforeAgent hook
-Coming soon:
-- Cursor
-- Windsurf
-- Aider
-### Manual Capture
-```bash
-# Save a prompt manually
-pc save -m "Your prompt text here"
-# Open editor to write prompt
-pc save
-# Specify tool and model
-pc save -m "prompt" -t aider -M gpt-4
-```
-### Push Prompts
-```bash
-# Fetch and display a prompt by slug
-pc push my-project/useful-prompt
-```
-### Configuration
-```bash
-# View/change capture level
-pc config
-# Set capture level directly
-pc config --level minimal   # Tool + timestamp only
-pc config --level standard  # + working directory, git repo/branch
-pc config --level rich      # + session ID, git commit, remote URL
-```
-### Update
-```bash
-pc update    # Update to latest version
-```
-## Capture Levels
-Control how much context is captured with your prompts:
-| Level | Captured Data |
-|-------|--------------|
-| `minimal` | Tool, timestamp |
-| `standard` | + Working directory, git repo, git branch |
-| `rich` | + Session ID, git commit hash, remote URL |
-## Environment
-Configuration is stored in:
-- macOS: `~/Library/Preferences/promptcellar-nodejs/`
-- Linux: `~/.config/promptcellar-nodejs/`
-- Windows: `%APPDATA%/promptcellar-nodejs/`
-## API
-The CLI communicates with your Prompt Cellar instance. Get your API key from:
-Settings > API Keys in your Prompt Cellar dashboard.
-## License
-MIT

package/docs/plans/2026-01-30-wa-auth-integration-design.md DELETED Viewed

@@ -1,118 +0,0 @@
-# wa-auth Integration Design
-## Overview
-Migrate pc-cli authentication from prompt-registry's removed device auth endpoints to wa-auth, and add client-side encryption so captured prompts match prompt-registry's zero-knowledge architecture.
-## Login Flow
-Four stages:
-1. **Device code request** -- CLI calls `POST /device/code` on wa-auth with `{ client_id: "prompts-prod" }`. Gets back `device_code`, `user_code`, and `verification_url`.
-2. **User approval** -- User opens the verification URL in browser, authenticates with their passkey, approves the device. CLI polls `POST /device/poll` with `{ device_code }`.
-3. **JWT received** -- On approval, wa-auth returns `{ status: "approved", access_token: "<JWT>", user_id: "..." }`. The JWT has `aud: "prompts-prod"`, `sub: "<user_id>"`, standard exp/iss claims.
-4. **API key exchange** -- CLI calls `POST /api/v1/auth/device-token` on prompt-registry with `Authorization: Bearer <JWT>` and `{ device_name: "Linux - myhostname" }`. Prompt-registry validates the JWT, auto-revokes any previous key with the same device name, creates a new `pk_*` API key, and returns:
-```json
-{
-  "api_key": "pk_...",
-  "email": "user@example.com",
-  "vault": {
-    "available": true,
-    "encrypted_key": "base64url(...)"
-  }
-}
-```
-If `vault.available` is false, the CLI warns that capture requires vault setup at the web UI.
-## Changes to wa-auth
-Two modifications to the device auth flow:
-1. **`POST /device/code` accepts `client_id`** -- Validates that `client_id` exists in `OIDC_CLIENTS`. Stores `client_id` on the `DeviceAuthRequest` record (new column). Rejects unknown client IDs.
-2. **`POST /device/poll` returns a JWT on approval** -- When status is `approved`, generates a JWT with `sub: user_id`, `aud: client_id` (from the stored device request), `iss: account.weldedanvil.com`, and standard `iat`/`exp`. Returns it as `access_token` alongside `status` and `user_id`.
-The `DeviceAuthRequest` model gets one new field:
-```
-client_id: String(64) -- stored from the initial code request
-```
-No other wa-auth changes needed.
-## Changes to prompt-registry
-One new endpoint:
-**`POST /api/v1/auth/device-token`** -- Exchanges a wa-auth JWT for a `pk_*` API key.
-- Reads JWT from `Authorization: Bearer <jwt>` header
-- Validates with `verify_account_token()` (existing function)
-- Calls `create_or_get_user(sub, email)` to resolve the user
-- Reads `device_name` from the request body
-- Deletes any existing `UserApiKey` with the same `user_id` and `name` (auto-revoke)
-- Creates a new `UserApiKey` with `generate_api_key()`, stores the hash
-- Returns the plaintext key, user email, and vault status
-Vault status is determined by checking if a vault record exists for the user. If it does, returns `encrypted_metadata`. If not, `vault.available` is false.
-No changes to existing endpoints or middleware.
-## Changes to pc-cli
-### `src/commands/login.js` -- Rewritten login flow
-- Calls wa-auth `POST /device/code` with `client_id`
-- Polls wa-auth `POST /device/poll`
-- On approval, exchanges JWT at prompt-registry `POST /api/v1/auth/device-token` with device name
-- Stores API key, vault key, and account URL in config
-- Warns if vault not available
-### `src/lib/config.js` -- New config fields
-- `accountUrl` -- wa-auth base URL (default `https://account.weldedanvil.com`)
-- `vaultKey` -- encrypted vault metadata from login (empty string default)
-- `vaultAvailable` -- boolean, whether capture is enabled
-### `src/lib/crypto.js` -- New file
-- Derives AES-256-GCM key from vault metadata
-- `encryptPrompt(plaintext, key)` returns `{ encrypted_content, content_iv }`
-- Uses Node.js built-in `crypto` module (no new dependencies)
-### Hook scripts -- Updated capture payload
-`hooks/prompt-capture.js`, `codex-capture.js`, `gemini-capture.js`:
-- Check `vaultAvailable` before attempting capture
-- Encrypt prompt content before sending
-- Send `{ encrypted_content, content_iv, context_hash }` instead of plaintext
-### `src/lib/api.js` -- No changes
-Already sends `Authorization: Bearer <key>` which works with `pk_*` keys.
-## Error Handling
-| Scenario | Behavior |
-|----------|----------|
-| Expired JWT during key exchange | 401 from prompt-registry, CLI says re-run `pc login` |
-| Vault not set up | Login succeeds with warning. Hooks silently skip capture. `pc save` shows actionable error. |
-| Vault set up after login | Re-run `pc login` to pick up vault key |
-| API key revoked from web UI | 401 on API calls, existing "Not logged in" error |
-| wa-auth down during login | Connection error, no partial state saved |
-| prompt-registry down during exchange | JWT expires, re-run `pc login` |
-## Out of Scope
-- Search index encryption from CLI (web UI concern)
-- `pc push` decryption (separate effort)
-- Vault creation from CLI (stays in web UI)
-- Token refresh (API keys don't expire)
-- Migration of existing plaintext captures
-- Changes to `pc setup` (hook registration unchanged)