@simonfestl/husky-cli 1.16.0 → 1.17.0

package/dist/commands/auth.js

@@ -1,10 +1,28 @@
 import { Command } from "commander";
-import { getConfig, setSessionConfig, clearSessionConfig, getSessionConfig } from "./config.js";
+import { getConfig, setSessionConfig, clearSessionConfig, getSessionConfig, fetchAndCacheRole } from "./config.js";
 import { getPermissions, clearPermissionsCache, getCacheStatus, hasPermission, canAccessKnowledgeBase } from "../lib/permissions-cache.js";
 const API_KEY_ROLES = [
     "admin", "supervisor", "worker", "reviewer", "support",
     "purchasing", "ops", "e2e_agent", "pr_agent"
 ];
+/**
+ * Sanitize error messages to prevent sensitive data leakage.
+ * Truncates long messages and removes potential secrets.
+ */
+function sanitizeErrorMessage(message, maxLength = 200) {
+    if (!message)
+        return "Unknown error";
+    // Remove potential secrets (patterns like API keys, tokens, etc.)
+    let sanitized = message
+        .replace(/[a-zA-Z0-9_-]{32,}/g, "[REDACTED]") // Long alphanumeric strings
+        .replace(/Bearer\s+[^\s]+/gi, "Bearer [REDACTED]") // Bearer tokens
+        .replace(/key[=:]\s*[^\s,}]+/gi, "key=[REDACTED]"); // key=value patterns
+    // Truncate if too long
+    if (sanitized.length > maxLength) {
+        sanitized = sanitized.substring(0, maxLength) + "...";
+    }
+    return sanitized;
+}
 async function apiRequest(path, options = {}) {
     const config = getConfig();
     if (!config.apiUrl || !config.apiKey) {
@@ -21,7 +39,8 @@ async function apiRequest(path, options = {}) {
     });
     if (!res.ok) {
         const error = await res.json().catch(() => ({ error: res.statusText }));
-        throw new Error(error.message || error.error || `HTTP ${res.status}`);
+        const rawMessage = error.message || error.error || `HTTP ${res.status}`;
+        throw new Error(sanitizeErrorMessage(rawMessage));
     }
     return res.json();
 }
@@ -293,6 +312,8 @@ authCommand
         }
         const session = await res.json();
         setSessionConfig(session);
+        // Fetch and cache permissions for the new session role
+        await fetchAndCacheRole();
         if (options.json) {
             console.log(JSON.stringify({
                 success: true,
@@ -418,6 +439,8 @@ authCommand
         }
         const session = await res.json();
         setSessionConfig(session);
+        // Refresh permissions for the session role
+        await fetchAndCacheRole();
         if (options.json) {
             console.log(JSON.stringify({
                 success: true,

package/dist/commands/config.d.ts

@@ -1,5 +1,6 @@
 import { Command } from "commander";
-type AgentRole = "supervisor" | "worker" | "reviewer" | "e2e_agent" | "pr_agent" | "support";
+declare const VALID_ROLES: readonly ["admin", "supervisor", "worker", "reviewer", "e2e_agent", "pr_agent", "support", "devops", "purchasing", "ops"];
+type AgentRole = typeof VALID_ROLES[number];
 interface Config {
     apiUrl?: string;
     apiKey?: string;
@@ -47,7 +48,8 @@ export declare function getConfig(): Config;
 export declare function saveConfig(config: Config): void;
 /**
  * Fetch role and permissions from /api/auth/whoami
- * Caches the result in config for 1 hour
+ * Uses session token (Bearer) if available, otherwise falls back to API key.
+ * Caches the result in config for 1 hour.
  */
 export declare function fetchAndCacheRole(): Promise<{
     role?: AgentRole;
@@ -58,7 +60,9 @@ export declare function fetchAndCacheRole(): Promise<{
  */
 export declare function hasPermission(permission: string): boolean;
 /**
- * Get current role from config (may be undefined if not fetched)
+ * Get current role from config.
+ * Prefers sessionRole (from auth login) over role (from API key) when session is active.
+ * Validates that the role is a known valid role before returning.
  */
 export declare function getRole(): AgentRole | undefined;
 /**
@@ -72,6 +76,7 @@ export declare function setSessionConfig(session: {
     expiresAt: string;
     agent: string;
     role: string;
+    permissions?: string[];
 }): void;
 export declare function clearSessionConfig(): void;
 export declare function getSessionConfig(): {

package/dist/commands/config.js

@@ -1,10 +1,18 @@
 import { Command } from "commander";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from "fs";
 import { join } from "path";
 import { homedir } from "os";
 import { ErrorHelpers, errorWithHint, ExplainTopic } from "../lib/error-hints.js";
+// Valid agent roles - used for runtime validation
+const VALID_ROLES = ["admin", "supervisor", "worker", "reviewer", "e2e_agent", "pr_agent", "support", "devops", "purchasing", "ops"];
 const CONFIG_DIR = join(homedir(), ".husky");
 const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+/**
+ * Validate if a string is a valid AgentRole
+ */
+function isValidRole(role) {
+    return VALID_ROLES.includes(role);
+}
 // API Key validation - must be at least 16 characters, alphanumeric + common key chars (base64, JWT, etc.)
 function validateApiKey(key) {
     if (key.length < 16) {
@@ -43,25 +51,67 @@ export function getConfig() {
 }
 export function saveConfig(config) {
     if (!existsSync(CONFIG_DIR)) {
-        mkdirSync(CONFIG_DIR, { recursive: true });
+        mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 }); // rwx------ for directory
+    }
+    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 }); // rw------- for file
+    // Ensure permissions are set even if file existed
+    try {
+        chmodSync(CONFIG_FILE, 0o600);
+    }
+    catch {
+        // Ignore chmod errors on Windows
     }
-    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
 }
 /**
  * Fetch role and permissions from /api/auth/whoami
- * Caches the result in config for 1 hour
+ * Uses session token (Bearer) if available, otherwise falls back to API key.
+ * Caches the result in config for 1 hour.
  */
 export async function fetchAndCacheRole() {
     const config = getConfig();
-    // Check if we have cached role that's less than 1 hour old
+    // Check if there's an active session - if so, use session role directly
+    // Session roles are already validated by the server, no need to re-fetch
+    if (config.sessionToken && config.sessionRole && config.sessionExpiresAt) {
+        const expiresAt = new Date(config.sessionExpiresAt);
+        if (expiresAt > new Date()) {
+            // Session is active - fetch permissions for this session role if needed
+            // Check if we have fresh permissions for this session
+            const needsPermissionsFetch = !config.roleLastChecked || !config.permissions;
+            if (needsPermissionsFetch && config.apiUrl) {
+                try {
+                    const url = new URL("/api/auth/whoami", config.apiUrl);
+                    const res = await fetch(url.toString(), {
+                        headers: { Authorization: `Bearer ${config.sessionToken}` },
+                    });
+                    if (res.ok) {
+                        const data = await res.json();
+                        // Update permissions cache (keep sessionRole as source of truth for role)
+                        config.permissions = data.permissions;
+                        config.roleLastChecked = new Date().toISOString();
+                        saveConfig(config);
+                        return { role: config.sessionRole, permissions: data.permissions };
+                    }
+                }
+                catch {
+                    // Fall through to use cached permissions
+                }
+            }
+            // Return session role with cached permissions
+            return { role: config.sessionRole, permissions: config.permissions };
+        }
+    }
+    // No active session - use API key auth
+    // Check if we have cached role that's less than 5 minutes old
+    // Short TTL ensures revoked permissions are detected quickly
+    const PERMISSION_CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
     if (config.role && config.roleLastChecked) {
         const lastChecked = new Date(config.roleLastChecked);
-        const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);
-        if (lastChecked > oneHourAgo) {
+        const cacheExpiry = new Date(Date.now() - PERMISSION_CACHE_TTL_MS);
+        if (lastChecked > cacheExpiry) {
             return { role: config.role, permissions: config.permissions };
         }
     }
-    // Fetch fresh role/permissions
+    // Fetch fresh role/permissions using API key
     if (!config.apiUrl || !config.apiKey) {
         return {};
     }
@@ -102,10 +152,30 @@ export function hasPermission(permission) {
     return false;
 }
 /**
- * Get current role from config (may be undefined if not fetched)
+ * Get current role from config.
+ * Prefers sessionRole (from auth login) over role (from API key) when session is active.
+ * Validates that the role is a known valid role before returning.
  */
 export function getRole() {
-    return getConfig().role;
+    const config = getConfig();
+    // Check if there's an active (non-expired) session
+    if (config.sessionToken && config.sessionRole && config.sessionExpiresAt) {
+        const expiresAt = new Date(config.sessionExpiresAt);
+        if (expiresAt > new Date()) {
+            // Session is active, validate and use session role
+            if (isValidRole(config.sessionRole)) {
+                return config.sessionRole;
+            }
+            // Invalid role in session - treat as no session
+            console.error(`Warning: Invalid session role '${config.sessionRole}' in config`);
+            return undefined;
+        }
+    }
+    // Fall back to API key role (also validate)
+    if (config.role && isValidRole(config.role)) {
+        return config.role;
+    }
+    return undefined;
 }
 /**
  * Clear the role cache to force a refresh on next fetchAndCacheRole call
@@ -133,6 +203,17 @@ export function setSessionConfig(session) {
     config.sessionExpiresAt = session.expiresAt;
     config.sessionAgent = session.agent;
     config.sessionRole = session.role;
+    // Clear old permissions and role cache to force re-fetch for new session role
+    delete config.roleLastChecked;
+    if (session.permissions) {
+        // If permissions provided, use them directly
+        config.permissions = session.permissions;
+        config.roleLastChecked = new Date().toISOString();
+    }
+    else {
+        // Clear permissions to force re-fetch
+        delete config.permissions;
+    }
     saveConfig(config);
 }
 export function clearSessionConfig() {

package/dist/lib/permissions.d.ts

@@ -4,7 +4,7 @@
  * This module provides permission checking for CLI commands.
  * Permissions are fetched from the API and cached locally.
  */
-export type AgentRole = "admin" | "supervisor" | "worker" | "reviewer" | "e2e_agent" | "pr_agent" | "support" | "devops";
+export type AgentRole = "admin" | "supervisor" | "worker" | "reviewer" | "e2e_agent" | "pr_agent" | "support" | "devops" | "purchasing" | "ops";
 /**
  * Check if current user has a specific permission.
  * Uses cached permissions from config.

package/dist/lib/permissions.js

@@ -37,8 +37,7 @@ const workerPermissionHints = {
  * Use this at the start of command handlers to enforce RBAC.
  */
 export function requirePermission(permission) {
-    const config = getConfig();
-    const role = config.role;
+    const role = getRole(); // Uses session role if active, otherwise API key role
     if (!hasPermission(permission)) {
         console.error(`Error: Permission denied (${permission})`);
         if (role) {
@@ -66,11 +65,11 @@ export function requirePermission(permission) {
 export function requireAnyPermission(permissions) {
     const hasAny = permissions.some((p) => hasPermission(p));
     if (!hasAny) {
-        const config = getConfig();
+        const role = getRole(); // Uses session role if active
         console.error(`Error: Permission denied`);
         console.error(`Required: one of [${permissions.join(", ")}]`);
-        if (config.role) {
-            console.error(`Your role (${config.role}) does not have these permissions.`);
+        if (role) {
+            console.error(`Your role (${role}) does not have these permissions.`);
         }
         console.error(`\n💡 For configuration help: husky explain ${ExplainTopic.CONFIG}`);
         process.exit(1);
@@ -87,15 +86,14 @@ export function getCurrentRole() {
  * Check if current agent has one of the specified roles.
  */
 export function hasRole(...roles) {
-    const config = getConfig();
-    return roles.includes(config.role);
+    const currentRole = getRole(); // Uses session role if active
+    return currentRole ? roles.includes(currentRole) : false;
 }
 /**
  * Require one of the specified roles, exit if not granted.
  */
 export function requireRole(...roles) {
-    const config = getConfig();
-    const currentRole = config.role;
+    const currentRole = getRole(); // Uses session role if active
     if (!currentRole || !roles.includes(currentRole)) {
         console.error(`Error: Role required: ${roles.join(" or ")}`);
         console.error(`Your role: ${currentRole || "not set"}`);
@@ -133,9 +131,10 @@ export async function handleApiResponse(res, operation) {
         console.error(`Permission denied for: ${operation}`);
         console.error("Refreshing permissions...");
         await refreshPermissions();
+        const role = getRole(); // Uses session role if active
         const config = getConfig();
-        if (config.role) {
-            console.error(`Your role (${config.role}) does not have permission for this operation.`);
+        if (role) {
+            console.error(`Your role (${role}) does not have permission for this operation.`);
             if (config.permissions) {
                 console.error(`Current permissions: ${config.permissions.join(", ")}`);
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simonfestl/husky-cli",
-  "version": "1.16.0",
+  "version": "1.17.0",
   "description": "CLI for Huskyv0 Task Orchestration with Claude Agent SDK",
   "type": "module",
   "bin": {