@simonfestl/husky-cli 1.15.1 → 1.17.0

package/dist/commands/auth.js

@@ -1,10 +1,28 @@
 import { Command } from "commander";
-import { getConfig, setSessionConfig, clearSessionConfig, getSessionConfig } from "./config.js";
+import { getConfig, setSessionConfig, clearSessionConfig, getSessionConfig, fetchAndCacheRole } from "./config.js";
 import { getPermissions, clearPermissionsCache, getCacheStatus, hasPermission, canAccessKnowledgeBase } from "../lib/permissions-cache.js";
 const API_KEY_ROLES = [
     "admin", "supervisor", "worker", "reviewer", "support",
     "purchasing", "ops", "e2e_agent", "pr_agent"
 ];
+/**
+ * Sanitize error messages to prevent sensitive data leakage.
+ * Truncates long messages and removes potential secrets.
+ */
+function sanitizeErrorMessage(message, maxLength = 200) {
+    if (!message)
+        return "Unknown error";
+    // Remove potential secrets (patterns like API keys, tokens, etc.)
+    let sanitized = message
+        .replace(/[a-zA-Z0-9_-]{32,}/g, "[REDACTED]") // Long alphanumeric strings
+        .replace(/Bearer\s+[^\s]+/gi, "Bearer [REDACTED]") // Bearer tokens
+        .replace(/key[=:]\s*[^\s,}]+/gi, "key=[REDACTED]"); // key=value patterns
+    // Truncate if too long
+    if (sanitized.length > maxLength) {
+        sanitized = sanitized.substring(0, maxLength) + "...";
+    }
+    return sanitized;
+}
 async function apiRequest(path, options = {}) {
     const config = getConfig();
     if (!config.apiUrl || !config.apiKey) {
@@ -21,7 +39,8 @@ async function apiRequest(path, options = {}) {
     });
     if (!res.ok) {
         const error = await res.json().catch(() => ({ error: res.statusText }));
-        throw new Error(error.message || error.error || `HTTP ${res.status}`);
+        const rawMessage = error.message || error.error || `HTTP ${res.status}`;
+        throw new Error(sanitizeErrorMessage(rawMessage));
     }
     return res.json();
 }
@@ -293,6 +312,8 @@ authCommand
         }
         const session = await res.json();
         setSessionConfig(session);
+        // Fetch and cache permissions for the new session role
+        await fetchAndCacheRole();
         if (options.json) {
             console.log(JSON.stringify({
                 success: true,
@@ -418,6 +439,8 @@ authCommand
         }
         const session = await res.json();
         setSessionConfig(session);
+        // Refresh permissions for the session role
+        await fetchAndCacheRole();
         if (options.json) {
             console.log(JSON.stringify({
                 success: true,

package/dist/commands/config.d.ts

@@ -1,5 +1,6 @@
 import { Command } from "commander";
-type AgentRole = "supervisor" | "worker" | "reviewer" | "e2e_agent" | "pr_agent" | "support";
+declare const VALID_ROLES: readonly ["admin", "supervisor", "worker", "reviewer", "e2e_agent", "pr_agent", "support", "devops", "purchasing", "ops"];
+type AgentRole = typeof VALID_ROLES[number];
 interface Config {
     apiUrl?: string;
     apiKey?: string;
@@ -47,7 +48,8 @@ export declare function getConfig(): Config;
 export declare function saveConfig(config: Config): void;
 /**
  * Fetch role and permissions from /api/auth/whoami
- * Caches the result in config for 1 hour
+ * Uses session token (Bearer) if available, otherwise falls back to API key.
+ * Caches the result in config for 1 hour.
  */
 export declare function fetchAndCacheRole(): Promise<{
     role?: AgentRole;
@@ -58,7 +60,9 @@ export declare function fetchAndCacheRole(): Promise<{
  */
 export declare function hasPermission(permission: string): boolean;
 /**
- * Get current role from config (may be undefined if not fetched)
+ * Get current role from config.
+ * Prefers sessionRole (from auth login) over role (from API key) when session is active.
+ * Validates that the role is a known valid role before returning.
  */
 export declare function getRole(): AgentRole | undefined;
 /**
@@ -72,6 +76,7 @@ export declare function setSessionConfig(session: {
     expiresAt: string;
     agent: string;
     role: string;
+    permissions?: string[];
 }): void;
 export declare function clearSessionConfig(): void;
 export declare function getSessionConfig(): {

package/dist/commands/config.js

@@ -1,10 +1,18 @@
 import { Command } from "commander";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 import { ErrorHelpers, errorWithHint, ExplainTopic } from "../lib/error-hints.js";
+// Valid agent roles - used for runtime validation
+const VALID_ROLES = ["admin", "supervisor", "worker", "reviewer", "e2e_agent", "pr_agent", "support", "devops", "purchasing", "ops"];
 const CONFIG_DIR = join(homedir(), ".husky");
 const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+/**
+ * Validate if a string is a valid AgentRole
+ */
+function isValidRole(role) {
+    return VALID_ROLES.includes(role);
+}
 // API Key validation - must be at least 16 characters, alphanumeric + common key chars (base64, JWT, etc.)
 function validateApiKey(key) {
     if (key.length < 16) {
@@ -43,25 +51,67 @@ export function getConfig() {
 }
 export function saveConfig(config) {
     if (!existsSync(CONFIG_DIR)) {
-        mkdirSync(CONFIG_DIR, { recursive: true });
+        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 }); // rwx------ for directory
+    }
+    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 }); // rw------- for file
+    // Ensure permissions are set even if file existed
+    try {
+        chmodSync(CONFIG_FILE, 0o600);
+    }
+    catch {
+        // Ignore chmod errors on Windows
     }
-    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
 }
 /**
  * Fetch role and permissions from /api/auth/whoami
- * Caches the result in config for 1 hour
+ * Uses session token (Bearer) if available, otherwise falls back to API key.
+ * Caches the result in config for 1 hour.
  */
 export async function fetchAndCacheRole() {
     const config = getConfig();
-    // Check if we have cached role that's less than 1 hour old
+    // Check if there's an active session - if so, use session role directly
+    // Session roles are already validated by the server, no need to re-fetch
+    if (config.sessionToken && config.sessionRole && config.sessionExpiresAt) {
+        const expiresAt = new Date(config.sessionExpiresAt);
+        if (expiresAt > new Date()) {
+            // Session is active - fetch permissions for this session role if needed
+            // Check if we have fresh permissions for this session
+            const needsPermissionsFetch = !config.roleLastChecked || !config.permissions;
+            if (needsPermissionsFetch && config.apiUrl) {
+                try {
+                    const url = new URL("/api/auth/whoami", config.apiUrl);
+                    const res = await fetch(url.toString(), {
+                        headers: { Authorization: `Bearer ${config.sessionToken}` },
+                    });
+                    if (res.ok) {
+                        const data = await res.json();
+                        // Update permissions cache (keep sessionRole as source of truth for role)
+                        config.permissions = data.permissions;
+                        config.roleLastChecked = new Date().toISOString();
+                        saveConfig(config);
+                        return { role: config.sessionRole, permissions: data.permissions };
+                    }
+                }
+                catch {
+                    // Fall through to use cached permissions
+                }
+            }
+            // Return session role with cached permissions
+            return { role: config.sessionRole, permissions: config.permissions };
+        }
+    }
+    // No active session - use API key auth
+    // Check if we have cached role that's less than 5 minutes old
+    // Short TTL ensures revoked permissions are detected quickly
+    const PERMISSION_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
     if (config.role && config.roleLastChecked) {
         const lastChecked = new Date(config.roleLastChecked);
-        const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);
-        if (lastChecked > oneHourAgo) {
+        const cacheExpiry = new Date(Date.now() - PERMISSION_CACHE_TTL_MS);
+        if (lastChecked > cacheExpiry) {
             return { role: config.role, permissions: config.permissions };
         }
     }
-    // Fetch fresh role/permissions
+    // Fetch fresh role/permissions using API key
     if (!config.apiUrl || !config.apiKey) {
         return {};
     }
@@ -102,10 +152,30 @@ export function hasPermission(permission) {
     return false;
 }
 /**
- * Get current role from config (may be undefined if not fetched)
+ * Get current role from config.
+ * Prefers sessionRole (from auth login) over role (from API key) when session is active.
+ * Validates that the role is a known valid role before returning.
  */
 export function getRole() {
-    return getConfig().role;
+    const config = getConfig();
+    // Check if there's an active (non-expired) session
+    if (config.sessionToken && config.sessionRole && config.sessionExpiresAt) {
+        const expiresAt = new Date(config.sessionExpiresAt);
+        if (expiresAt > new Date()) {
+            // Session is active, validate and use session role
+            if (isValidRole(config.sessionRole)) {
+                return config.sessionRole;
+            }
+            // Invalid role in session - treat as no session
+            console.error(`Warning: Invalid session role '${config.sessionRole}' in config`);
+            return undefined;
+        }
+    }
+    // Fall back to API key role (also validate)
+    if (config.role && isValidRole(config.role)) {
+        return config.role;
+    }
+    return undefined;
 }
 /**
  * Clear the role cache to force a refresh on next fetchAndCacheRole call
@@ -133,6 +203,17 @@ export function setSessionConfig(session) {
     config.sessionExpiresAt = session.expiresAt;
     config.sessionAgent = session.agent;
     config.sessionRole = session.role;
+    // Clear old permissions and role cache to force re-fetch for new session role
+    delete config.roleLastChecked;
+    if (session.permissions) {
+        // If permissions provided, use them directly
+        config.permissions = session.permissions;
+        config.roleLastChecked = new Date().toISOString();
+    }
+    else {
+        // Clear permissions to force re-fetch
+        delete config.permissions;
+    }
     saveConfig(config);
 }
 export function clearSessionConfig() {

package/dist/commands/interactive/auth.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Interactive Mode: Auth Module
+ *
+ * Provides menu-based authentication and API key management.
+ */
+export declare function authMenu(): Promise<void>;

package/dist/commands/interactive/auth.js

@@ -0,0 +1,227 @@
+/**
+ * Interactive Mode: Auth Module
+ *
+ * Provides menu-based authentication and API key management.
+ */
+import { select, input, confirm } from "@inquirer/prompts";
+import { getConfig, setConfig, setSessionConfig, clearSessionConfig } from "../config.js";
+import { pressEnterToContinue } from "./utils.js";
+export async function authMenu() {
+    console.log("\n  AUTH");
+    console.log("  " + "-".repeat(50));
+    console.log("  API keys and session management");
+    console.log("");
+    const menuItems = [
+        { name: "🔑 Login (Create Session)", value: "login" },
+        { name: "📊 Session Status", value: "session" },
+        { name: "🔄 Refresh Token", value: "refresh" },
+        { name: "🚪 Logout", value: "logout" },
+        { name: "🔐 Show API Key", value: "show-key" },
+        { name: "✏️  Set API Key", value: "set-key" },
+        { name: "← Back", value: "back" },
+    ];
+    const choice = await select({
+        message: "Auth Action:",
+        choices: menuItems,
+    });
+    switch (choice) {
+        case "login":
+            await login();
+            break;
+        case "session":
+            await sessionStatus();
+            break;
+        case "refresh":
+            await refreshToken();
+            break;
+        case "logout":
+            await logout();
+            break;
+        case "show-key":
+            await showApiKey();
+            break;
+        case "set-key":
+            await setApiKey();
+            break;
+        case "back":
+            return;
+    }
+}
+async function login() {
+    try {
+        const config = getConfig();
+        if (!config.apiUrl) {
+            console.error("\n  Error: API URL not configured. Run 'husky config set api-url <url>' first.\n");
+            await pressEnterToContinue();
+            return;
+        }
+        const agentName = await input({
+            message: "Agent name:",
+            default: "interactive-cli",
+            validate: (v) => (v.length > 0 ? true : "Agent name is required"),
+        });
+        console.log("\n  Creating session...");
+        const res = await fetch(`${config.apiUrl}/api/auth/session`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                ...(config.apiKey ? { "x-api-key": config.apiKey } : {}),
+            },
+            body: JSON.stringify({ agent: agentName }),
+        });
+        if (!res.ok) {
+            const error = await res.text();
+            console.error(`\n  Error: ${error}\n`);
+        }
+        else {
+            const data = await res.json();
+            // Save session token
+            setSessionConfig({
+                token: data.token,
+                expiresAt: data.expiresAt,
+                agent: agentName,
+                role: data.role || "",
+            });
+            console.log("\n  Session created!");
+            console.log(`  Agent: ${agentName}`);
+            console.log(`  Expires: ${new Date(data.expiresAt).toLocaleString()}`);
+            console.log("");
+        }
+        await pressEnterToContinue();
+    }
+    catch (error) {
+        console.error("\n  Error creating session:", error);
+        await pressEnterToContinue();
+    }
+}
+async function sessionStatus() {
+    try {
+        const config = getConfig();
+        console.log("\n  SESSION STATUS");
+        console.log("  " + "-".repeat(50));
+        if (!config.sessionToken) {
+            console.log("  No active session.");
+            console.log("  Use 'Login' to create a new session.");
+        }
+        else {
+            const expiresAt = config.sessionExpiresAt ? new Date(config.sessionExpiresAt) : null;
+            const isExpired = expiresAt ? expiresAt < new Date() : true;
+            console.log(`  Agent: ${config.sessionAgent || "unknown"}`);
+            console.log(`  Token: ${config.sessionToken.substring(0, 20)}...`);
+            console.log(`  Expires: ${expiresAt ? expiresAt.toLocaleString() : "unknown"}`);
+            console.log(`  Status: ${isExpired ? "❌ EXPIRED" : "✅ VALID"}`);
+        }
+        console.log("");
+        await pressEnterToContinue();
+    }
+    catch (error) {
+        console.error("\n  Error checking session:", error);
+        await pressEnterToContinue();
+    }
+}
+async function refreshToken() {
+    try {
+        const config = getConfig();
+        if (!config.apiUrl) {
+            console.error("\n  Error: API URL not configured.\n");
+            await pressEnterToContinue();
+            return;
+        }
+        if (!config.sessionToken) {
+            console.error("\n  Error: No active session to refresh.\n");
+            await pressEnterToContinue();
+            return;
+        }
+        console.log("\n  Refreshing token...");
+        const res = await fetch(`${config.apiUrl}/api/auth/refresh`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${config.sessionToken}`,
+            },
+        });
+        if (!res.ok) {
+            const error = await res.text();
+            console.error(`\n  Error: ${error}\n`);
+        }
+        else {
+            const data = await res.json();
+            const currentConfig = getConfig();
+            setSessionConfig({
+                token: data.token,
+                expiresAt: data.expiresAt,
+                agent: currentConfig.sessionAgent || "",
+                role: data.role || currentConfig.sessionRole || "",
+            });
+            console.log("\n  Token refreshed!");
+            console.log(`  New expiry: ${new Date(data.expiresAt).toLocaleString()}`);
+            console.log("");
+        }
+        await pressEnterToContinue();
+    }
+    catch (error) {
+        console.error("\n  Error refreshing token:", error);
+        await pressEnterToContinue();
+    }
+}
+async function logout() {
+    try {
+        const config = getConfig();
+        if (!config.sessionToken) {
+            console.log("\n  No active session.\n");
+            await pressEnterToContinue();
+            return;
+        }
+        const confirmed = await confirm({
+            message: "Are you sure you want to logout?",
+            default: true,
+        });
+        if (!confirmed) {
+            console.log("\n  Cancelled.\n");
+            await pressEnterToContinue();
+            return;
+        }
+        // Clear session from config
+        clearSessionConfig();
+        console.log("\n  Logged out successfully!\n");
+        await pressEnterToContinue();
+    }
+    catch (error) {
+        console.error("\n  Error logging out:", error);
+        await pressEnterToContinue();
+    }
+}
+async function showApiKey() {
+    const config = getConfig();
+    console.log("\n  API KEY");
+    console.log("  " + "-".repeat(50));
+    if (!config.apiKey) {
+        console.log("  No API key configured.");
+    }
+    else {
+        const masked = config.apiKey.substring(0, 8) + "..." + config.apiKey.substring(config.apiKey.length - 4);
+        console.log(`  API Key: ${masked}`);
+        console.log(`  Length: ${config.apiKey.length} characters`);
+    }
+    console.log("");
+    await pressEnterToContinue();
+}
+async function setApiKey() {
+    try {
+        const key = await input({
+            message: "New API Key:",
+            validate: (v) => {
+                if (v.length < 16)
+                    return "API key must be at least 16 characters";
+                return true;
+            },
+        });
+        setConfig("apiKey", key);
+        console.log("\n  API Key saved!\n");
+        await pressEnterToContinue();
+    }
+    catch (error) {
+        console.error("\n  Error setting API key:", error);
+        await pressEnterToContinue();
+    }
+}

package/dist/commands/interactive/brain.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Interactive Mode: Brain Module
+ *
+ * Provides menu-based agent memory and learning management.
+ */
+export declare function brainMenu(): Promise<void>;