@simonfestl/husky-cli 1.2.0 → 1.3.0

package/dist/commands/vm.js

@@ -4,6 +4,7 @@ import * as readline from "readline";
 import * as fs from "fs";
 import * as path from "path";
 import { DEFAULT_AGENT_CONFIGS, generateStartupScript, listDefaultAgentTypes, getDefaultAgentConfig, } from "../lib/agent-templates.js";
+import { requirePermission } from "../lib/permissions.js";
 export const vmCommand = new Command("vm").description("Manage VM sessions");
 // Helper: Ensure API is configured
 function ensureConfig() {
@@ -80,7 +81,7 @@ vmCommand
     .description("List all VM sessions")
     .option("--json", "Output as JSON")
     .option("--status <status>", "Filter by status (pending, starting, running, completed, failed, terminated)")
-    .option("--agent <agent>", "Filter by agent type (claude-code, gemini-cli, aider, custom)")
+    .option("--agent <agent>", "Filter by agent type (claude-code, gemini-cli, custom)")
     .action(async (options) => {
     const config = ensureConfig();
     try {
@@ -117,7 +118,7 @@ vmCommand
     .command("create <name>")
     .description("Create a new VM session")
     .option("-p, --prompt <prompt>", "Initial prompt for the agent")
-    .option("--agent <agent>", "Agent type (claude-code, gemini-cli, aider, custom)", "gemini-cli")
+    .option("--agent <agent>", "Agent type (claude-code, gemini-cli, custom)", "gemini-cli")
     .option("-t, --type <type>", "Business agent type (support, accounting, marketing, research)")
     .option("--config <configId>", "VM config to use")
     .option("--project <projectId>", "Link to project")
@@ -128,6 +129,8 @@ vmCommand
     .option("--zone <zone>", "GCP zone", "europe-west1-b")
     .option("--json", "Output as JSON")
     .action(async (name, options) => {
+    // RBAC: Only supervisor and devops can create VMs
+    requirePermission("vm:create");
     const config = ensureConfig();
     const validBusinessTypes = [
         "support",
@@ -356,6 +359,8 @@ vmCommand
     .description("Start/provision the VM")
     .option("--json", "Output as JSON")
     .action(async (id, options) => {
+    // RBAC: Only supervisor and devops can start VMs
+    requirePermission("vm:manage");
     const config = ensureConfig();
     console.log("Starting VM provisioning...");
     console.log("This may take a few minutes...\n");

package/dist/index.js

@@ -21,6 +21,7 @@ import { worktreeCommand } from "./commands/worktree.js";
 import { workerCommand } from "./commands/worker.js";
 import { bizCommand } from "./commands/biz.js";
 import { printLLMContext, llmCommand } from "./commands/llm-context.js";
+import { agentMsgCommand } from "./commands/agent-msg.js";
 import { runInteractiveMode } from "./commands/interactive.js";
 import { serviceAccountCommand } from "./commands/service-account.js";
 import { chatCommand } from "./commands/chat.js";
@@ -59,6 +60,7 @@ program.addCommand(chatCommand);
 program.addCommand(previewCommand);
 program.addCommand(llmCommand);
 program.addCommand(initCommand);
+program.addCommand(agentMsgCommand);
 // Handle --llm flag specially
 if (process.argv.includes("--llm")) {
     printLLMContext();

package/dist/lib/biz/gotess.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Gotess Accounting Client
+ *
+ * Interfaces with Gotess (Supabase-based) for:
+ * - Authentication with SMS 2FA
+ * - Transaction management
+ * - Invoice matching
+ */
+export interface GotessTransaction {
+    id: string;
+    value_date: string;
+    amount: number;
+    currency: string;
+    purpose?: string;
+    counterpart_name?: string;
+    transaction_status?: string;
+    invoice_id?: string;
+    account_id?: number;
+    book_id: string;
+}
+export interface GotessInvoice {
+    id: string;
+    invoice_id?: string;
+    invoice_date?: string;
+    amount?: number;
+    sender_name?: string;
+    filename?: string;
+    s3_uri?: string;
+    book_id: string;
+}
+export interface GotessBook {
+    id: string;
+    name: string;
+    company_name?: string;
+}
+export interface GotessAccount {
+    finapi_account_id: number;
+    account_name?: string;
+    iban?: string;
+    account_type?: string;
+}
+export interface LoginResult {
+    access_token: string;
+    refresh_token: string;
+    user: {
+        id: string;
+        email: string;
+        factors?: Array<{
+            id: string;
+            factor_type: string;
+            phone?: string;
+        }>;
+    };
+}
+export interface MfaChallengeResult {
+    id: string;
+    type: string;
+    expires_at: number;
+}
+export declare class GotessClient {
+    private accessToken?;
+    private bookId?;
+    constructor(accessToken?: string, bookId?: string);
+    static fromConfig(): GotessClient;
+    private get headers();
+    login(email: string, password: string): Promise<LoginResult>;
+    startMfaChallenge(factorId: string): Promise<MfaChallengeResult>;
+    verifyMfa(factorId: string, challengeId: string, code: string): Promise<LoginResult>;
+    listBooks(): Promise<GotessBook[]>;
+    listAccounts(): Promise<GotessAccount[]>;
+    listTransactions(options?: {
+        bookId?: string;
+        status?: string;
+        limit?: number;
+    }): Promise<GotessTransaction[]>;
+    getMissingInvoices(bookId?: string): Promise<GotessTransaction[]>;
+    listInvoices(options?: {
+        bookId?: string;
+        limit?: number;
+        search?: string;
+    }): Promise<GotessInvoice[]>;
+    linkInvoice(transactionId: string, invoiceId: string): Promise<void>;
+    markProofless(transactionId: string): Promise<void>;
+    autoMatch(bookId?: string): Promise<{
+        matched: Array<{
+            transaction: GotessTransaction;
+            invoice: GotessInvoice;
+        }>;
+        unmatched: GotessTransaction[];
+    }>;
+    private findMatchingInvoice;
+    setAccessToken(token: string): void;
+    setBookId(id: string): void;
+    getAccessToken(): string | undefined;
+    getBookId(): string | undefined;
+}
+export default GotessClient;

package/dist/lib/biz/gotess.js

@@ -0,0 +1,202 @@
+/**
+ * Gotess Accounting Client
+ *
+ * Interfaces with Gotess (Supabase-based) for:
+ * - Authentication with SMS 2FA
+ * - Transaction management
+ * - Invoice matching
+ */
+import { getConfig } from '../../commands/config.js';
+const SUPABASE_URL = "https://jysklqhrdqrqedomvwjg.supabase.co";
+const SUPABASE_ANON_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Imp5c2tscWhyZHFycWVkb212d2pnIiwicm9sZSI6ImFub24iLCJpYXQiOjE3MTQ3MzExNTUsImV4cCI6MjAzMDMwNzE1NX0.eS0x3eYcPMWSm0beZQOqtu0-ENueOdb2ktOM04AjxXY";
+export class GotessClient {
+    accessToken;
+    bookId;
+    constructor(accessToken, bookId) {
+        this.accessToken = accessToken;
+        this.bookId = bookId;
+    }
+    static fromConfig() {
+        const config = getConfig();
+        const accessToken = config.gotessToken;
+        const bookId = config.gotessBookId;
+        return new GotessClient(accessToken, bookId);
+    }
+    get headers() {
+        return {
+            'apikey': SUPABASE_ANON_KEY,
+            'Authorization': `Bearer ${this.accessToken || SUPABASE_ANON_KEY}`,
+            'Content-Type': 'application/json',
+        };
+    }
+    async login(email, password) {
+        const res = await fetch(`${SUPABASE_URL}/auth/v1/token?grant_type=password`, {
+            method: 'POST',
+            headers: { 'apikey': SUPABASE_ANON_KEY, 'Content-Type': 'application/json' },
+            body: JSON.stringify({ email, password }),
+        });
+        if (!res.ok) {
+            const err = await res.json();
+            throw new Error(err.error_description || err.msg || 'Login failed');
+        }
+        const data = await res.json();
+        this.accessToken = data.access_token;
+        return data;
+    }
+    async startMfaChallenge(factorId) {
+        const res = await fetch(`${SUPABASE_URL}/auth/v1/factors/${factorId}/challenge`, {
+            method: 'POST',
+            headers: this.headers,
+            body: JSON.stringify({}),
+        });
+        if (!res.ok) {
+            const err = await res.json();
+            throw new Error(err.msg || 'MFA challenge failed');
+        }
+        return res.json();
+    }
+    async verifyMfa(factorId, challengeId, code) {
+        const res = await fetch(`${SUPABASE_URL}/auth/v1/factors/${factorId}/verify`, {
+            method: 'POST',
+            headers: this.headers,
+            body: JSON.stringify({ challenge_id: challengeId, code }),
+        });
+        if (!res.ok) {
+            const err = await res.json();
+            throw new Error(err.msg || 'MFA verification failed');
+        }
+        const data = await res.json();
+        this.accessToken = data.access_token;
+        return data;
+    }
+    async listBooks() {
+        const res = await fetch(`${SUPABASE_URL}/rest/v1/Books?select=id,name,company_name`, {
+            headers: this.headers,
+        });
+        if (!res.ok)
+            throw new Error('Failed to fetch books');
+        return res.json();
+    }
+    async listAccounts() {
+        const res = await fetch(`${SUPABASE_URL}/rest/v1/FinapiAccounts?select=finapi_account_id,account_name,iban,account_type`, {
+            headers: this.headers,
+        });
+        if (!res.ok)
+            throw new Error('Failed to fetch accounts');
+        return res.json();
+    }
+    async listTransactions(options = {}) {
+        const bid = options.bookId || this.bookId;
+        if (!bid)
+            throw new Error('Book ID required');
+        let url = `${SUPABASE_URL}/rest/v1/Transactions?book_id=eq.${bid}&select=id,value_date,amount,currency,purpose,counterpart_name,transaction_status,invoice_id,account_id,book_id&order=value_date.desc&limit=${options.limit || 50}`;
+        if (options.status) {
+            url += `&transaction_status=eq.${options.status}`;
+        }
+        const res = await fetch(url, { headers: this.headers });
+        if (!res.ok)
+            throw new Error('Failed to fetch transactions');
+        return res.json();
+    }
+    async getMissingInvoices(bookId) {
+        return this.listTransactions({ bookId, status: 'invoice_missing' });
+    }
+    async listInvoices(options = {}) {
+        const bid = options.bookId || this.bookId;
+        if (!bid)
+            throw new Error('Book ID required');
+        let url = `${SUPABASE_URL}/rest/v1/Invoices?book_id=eq.${bid}&select=id,invoice_id,invoice_date,amount,sender_name,filename,s3_uri,book_id&order=invoice_date.desc&limit=${options.limit || 50}`;
+        if (options.search) {
+            url += `&or=(sender_name.ilike.*${options.search}*,filename.ilike.*${options.search}*)`;
+        }
+        const res = await fetch(url, { headers: this.headers });
+        if (!res.ok)
+            throw new Error('Failed to fetch invoices');
+        return res.json();
+    }
+    async linkInvoice(transactionId, invoiceId) {
+        const res = await fetch(`${SUPABASE_URL}/rest/v1/Transactions?id=eq.${transactionId}`, {
+            method: 'PATCH',
+            headers: { ...this.headers, 'Prefer': 'return=minimal' },
+            body: JSON.stringify({
+                invoice_id: invoiceId,
+                transaction_status: 'invoice_linked',
+            }),
+        });
+        if (!res.ok)
+            throw new Error('Failed to link invoice');
+    }
+    async markProofless(transactionId) {
+        const res = await fetch(`${SUPABASE_URL}/rest/v1/Transactions?id=eq.${transactionId}`, {
+            method: 'PATCH',
+            headers: { ...this.headers, 'Prefer': 'return=minimal' },
+            body: JSON.stringify({
+                transaction_status: 'proofless_auto',
+            }),
+        });
+        if (!res.ok)
+            throw new Error('Failed to mark proofless');
+    }
+    async autoMatch(bookId) {
+        const bid = bookId || this.bookId;
+        if (!bid)
+            throw new Error('Book ID required');
+        const [missing, invoices] = await Promise.all([
+            this.getMissingInvoices(bid),
+            this.listInvoices({ bookId: bid, limit: 200 }),
+        ]);
+        const matched = [];
+        const unmatched = [];
+        for (const tx of missing) {
+            const invoice = this.findMatchingInvoice(tx, invoices);
+            if (invoice) {
+                matched.push({ transaction: tx, invoice });
+            }
+            else {
+                unmatched.push(tx);
+            }
+        }
+        return { matched, unmatched };
+    }
+    findMatchingInvoice(tx, invoices) {
+        const txAmount = Math.abs(tx.amount);
+        const txDate = new Date(tx.value_date);
+        const txName = (tx.counterpart_name || '').toLowerCase();
+        for (const inv of invoices) {
+            if (!inv.amount)
+                continue;
+            const amountMatch = Math.abs(inv.amount - txAmount) < 0.02;
+            if (!amountMatch)
+                continue;
+            if (inv.invoice_date) {
+                const invDate = new Date(inv.invoice_date);
+                const daysDiff = Math.abs((txDate.getTime() - invDate.getTime()) / (1000 * 60 * 60 * 24));
+                if (daysDiff > 14)
+                    continue;
+            }
+            const invName = (inv.sender_name || inv.filename || '').toLowerCase();
+            if (txName && invName) {
+                const txWords = txName.split(/\s+/).filter(w => w.length > 3);
+                const nameMatch = txWords.some(word => invName.includes(word));
+                if (nameMatch)
+                    return inv;
+            }
+            if (amountMatch)
+                return inv;
+        }
+        return null;
+    }
+    setAccessToken(token) {
+        this.accessToken = token;
+    }
+    setBookId(id) {
+        this.bookId = id;
+    }
+    getAccessToken() {
+        return this.accessToken;
+    }
+    getBookId() {
+        return this.bookId;
+    }
+}
+export default GotessClient;

package/dist/lib/permissions.d.ts

@@ -0,0 +1,78 @@
+/**
+ * RBAC Permission utilities for Husky CLI
+ *
+ * This module provides permission checking for CLI commands.
+ * Permissions are fetched from the API and cached locally.
+ */
+export type AgentRole = "supervisor" | "worker" | "reviewer" | "e2e_agent" | "pr_agent" | "support";
+/**
+ * Check if current user has a specific permission.
+ * Uses cached permissions from config.
+ */
+export declare function checkPermission(permission: string): boolean;
+/**
+ * Require a specific permission, exit with error if not granted.
+ * Use this at the start of command handlers to enforce RBAC.
+ */
+export declare function requirePermission(permission: string): void;
+/**
+ * Require one of several permissions.
+ * Useful for commands that can be accessed by multiple permission types.
+ */
+export declare function requireAnyPermission(permissions: string[]): void;
+/**
+ * Get the current agent role.
+ * Returns undefined if role hasn't been fetched yet.
+ */
+export declare function getCurrentRole(): AgentRole | undefined;
+/**
+ * Ensure permissions are loaded (fetches from API if needed).
+ * Call this at CLI startup or before first permission check.
+ */
+export declare function ensurePermissionsLoaded(): Promise<void>;
+/**
+ * Force refresh permissions from the API.
+ * Clears the cache and fetches fresh permissions.
+ */
+export declare function refreshPermissions(): Promise<void>;
+/**
+ * Handle API response - refreshes permissions on 403 and shows error.
+ * Use this when making API calls that might fail due to permission issues.
+ *
+ * @returns true if response is ok, false if handled error (exits on 403)
+ */
+export declare function handleApiResponse(res: Response, operation: string): Promise<boolean>;
+/**
+ * Role-based command group guards.
+ * These can be used with commander's preAction hooks.
+ */
+export declare const guards: {
+    /**
+     * Guard for task:done permission
+     */
+    taskDone: () => void;
+    /**
+     * Guard for task:start permission
+     */
+    taskStart: () => void;
+    /**
+     * Guard for task:complete permission
+     */
+    taskComplete: () => void;
+    /**
+     * Guard for any biz permission
+     */
+    bizAccess: () => void;
+    /**
+     * Guard for VM management
+     */
+    vmManage: () => void;
+    /**
+     * Guard for PR operations
+     */
+    prAccess: () => void;
+    /**
+     * Guard for deployment operations
+     */
+    deployAccess: () => void;
+};

package/dist/lib/permissions.js

@@ -0,0 +1,139 @@
+/**
+ * RBAC Permission utilities for Husky CLI
+ *
+ * This module provides permission checking for CLI commands.
+ * Permissions are fetched from the API and cached locally.
+ */
+import { getConfig, hasPermission, getRole, fetchAndCacheRole, clearRoleCache } from "../commands/config.js";
+/**
+ * Check if current user has a specific permission.
+ * Uses cached permissions from config.
+ */
+export function checkPermission(permission) {
+    return hasPermission(permission);
+}
+/**
+ * Require a specific permission, exit with error if not granted.
+ * Use this at the start of command handlers to enforce RBAC.
+ */
+export function requirePermission(permission) {
+    const config = getConfig();
+    const role = config.role;
+    if (!hasPermission(permission)) {
+        console.error(`Error: Permission denied (${permission})`);
+        if (role) {
+            console.error(`Your role (${role}) does not have this permission.`);
+        }
+        else {
+            console.error("Run 'husky config test' to refresh your role and permissions.");
+        }
+        process.exit(1);
+    }
+}
+/**
+ * Require one of several permissions.
+ * Useful for commands that can be accessed by multiple permission types.
+ */
+export function requireAnyPermission(permissions) {
+    const hasAny = permissions.some((p) => hasPermission(p));
+    if (!hasAny) {
+        const config = getConfig();
+        console.error(`Error: Permission denied`);
+        console.error(`Required: one of [${permissions.join(", ")}]`);
+        if (config.role) {
+            console.error(`Your role (${config.role}) does not have these permissions.`);
+        }
+        process.exit(1);
+    }
+}
+/**
+ * Get the current agent role.
+ * Returns undefined if role hasn't been fetched yet.
+ */
+export function getCurrentRole() {
+    return getRole();
+}
+/**
+ * Ensure permissions are loaded (fetches from API if needed).
+ * Call this at CLI startup or before first permission check.
+ */
+export async function ensurePermissionsLoaded() {
+    await fetchAndCacheRole();
+}
+/**
+ * Force refresh permissions from the API.
+ * Clears the cache and fetches fresh permissions.
+ */
+export async function refreshPermissions() {
+    // Clear the cache timestamp to force a refresh
+    clearRoleCache();
+    // fetchAndCacheRole will now fetch fresh data
+    await fetchAndCacheRole();
+}
+/**
+ * Handle API response - refreshes permissions on 403 and shows error.
+ * Use this when making API calls that might fail due to permission issues.
+ *
+ * @returns true if response is ok, false if handled error (exits on 403)
+ */
+export async function handleApiResponse(res, operation) {
+    if (res.ok)
+        return true;
+    if (res.status === 403) {
+        // Refresh permissions to get latest role info
+        console.error(`Permission denied for: ${operation}`);
+        console.error("Refreshing permissions...");
+        await refreshPermissions();
+        const config = getConfig();
+        if (config.role) {
+            console.error(`Your role (${config.role}) does not have permission for this operation.`);
+            if (config.permissions) {
+                console.error(`Current permissions: ${config.permissions.join(", ")}`);
+            }
+        }
+        else {
+            console.error("Could not determine your role. Check your API key.");
+        }
+        process.exit(1);
+    }
+    if (res.status === 401) {
+        console.error("Authentication failed. Check your API key with: husky config test");
+        process.exit(1);
+    }
+    // Return false for other errors to let caller handle
+    return false;
+}
+/**
+ * Role-based command group guards.
+ * These can be used with commander's preAction hooks.
+ */
+export const guards = {
+    /**
+     * Guard for task:done permission
+     */
+    taskDone: () => requirePermission("task:done"),
+    /**
+     * Guard for task:start permission
+     */
+    taskStart: () => requirePermission("task:start"),
+    /**
+     * Guard for task:complete permission
+     */
+    taskComplete: () => requirePermission("task:complete"),
+    /**
+     * Guard for any biz permission
+     */
+    bizAccess: () => requireAnyPermission(["biz:tickets", "biz:orders", "biz:customers", "biz:*"]),
+    /**
+     * Guard for VM management
+     */
+    vmManage: () => requireAnyPermission(["vm:create", "vm:manage", "vm:*"]),
+    /**
+     * Guard for PR operations
+     */
+    prAccess: () => requireAnyPermission(["pr:create", "pr:merge", "pr:*"]),
+    /**
+     * Guard for deployment operations
+     */
+    deployAccess: () => requireAnyPermission(["deploy:preview", "deploy:sandbox", "deploy:*"]),
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@simonfestl/husky-cli",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "CLI for Huskyv0 Task Orchestration with Claude Agent SDK",
   "type": "module",
   "bin": {