@sqaoss/flowy 1.6.1 → 1.7.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sqaoss/flowy",
-  "version": "1.6.1",
+  "version": "1.7.0",
   "description": "Agentic persistent planning",
   "type": "module",
   "bin": {

package/src/commands/key.test.ts

@@ -17,10 +17,17 @@ beforeEach(() => {
   mockOutput = vi.fn()
   mockOutputError = vi.fn()
 
-  vi.doMock('../util/config.ts', () => ({
-    loadConfig: mockLoadConfig,
-    saveConfig: mockSaveConfig,
-  }))
+  vi.doMock('../util/config.ts', async () => {
+    const actual =
+      await vi.importActual<typeof import('../util/config.ts')>(
+        '../util/config.ts',
+      )
+    return {
+      loadConfig: mockLoadConfig,
+      saveConfig: mockSaveConfig,
+      fingerprintKey: actual.fingerprintKey,
+    }
+  })
 
   vi.doMock('../util/format.ts', () => ({
     output: mockOutput,
@@ -46,7 +53,7 @@ describe('key command', () => {
     expect(keyCommand.commands).toHaveLength(1)
   })
 
-  test('rotate calls rotateApiKey mutation, saves new key to config, and outputs result', async () => {
+  test('rotate calls rotateApiKey mutation, saves new key to config, and outputs a fingerprint (not the secret)', async () => {
     const mockGraphql = vi.fn().mockResolvedValue({
       rotateApiKey: {
         user: {
@@ -74,12 +81,43 @@ describe('key command', () => {
         apiKey: 'flowy_new_key_456',
       }),
     )
-    expect(mockOutput).toHaveBeenCalledWith(
+
+    // Default output must NOT leak the full secret.
+    const outputArg = mockOutput.mock.calls[0]![0]
+    expect(JSON.stringify(outputArg)).not.toContain('flowy_new_key_456')
+    expect(outputArg).toEqual(
       expect.objectContaining({
         user: expect.objectContaining({ email: 'test@example.com' }),
-        apiKey: 'flowy_new_key_456',
+        keyFingerprint: expect.stringMatching(/sha256:[0-9a-f]{12}/),
       }),
     )
+    expect(outputArg).not.toHaveProperty('apiKey')
+  })
+
+  test('rotate --show-key reveals the full secret', async () => {
+    const mockGraphql = vi.fn().mockResolvedValue({
+      rotateApiKey: {
+        user: {
+          id: 'user_1',
+          email: 'test@example.com',
+          tier: 'free',
+          createdAt: '2025-01-01T00:00:00Z',
+          graceEndsAt: null,
+        },
+        apiKey: 'flowy_new_key_456',
+      },
+    })
+    vi.doMock('../util/client.ts', () => ({
+      graphql: mockGraphql,
+    }))
+
+    const { keyCommand } = await import('./key.ts')
+    await keyCommand.parseAsync(['rotate', '--show-key'], { from: 'user' })
+
+    const outputArg = mockOutput.mock.calls[0]![0]
+    expect(outputArg).toEqual(
+      expect.objectContaining({ apiKey: 'flowy_new_key_456' }),
+    )
   })
 
   test('rotate saves the exact new apiKey to config', async () => {

package/src/commands/key.ts

@@ -1,6 +1,6 @@
 import { Command } from 'commander'
 import { graphql } from '../util/client.ts'
-import { loadConfig, saveConfig } from '../util/config.ts'
+import { fingerprintKey, loadConfig, saveConfig } from '../util/config.ts'
 import { output, outputError } from '../util/format.ts'
 
 export const keyCommand = new Command('key').description('API key management')
@@ -8,7 +8,11 @@ export const keyCommand = new Command('key').description('API key management')
 keyCommand
   .command('rotate')
   .description('Rotate API key')
-  .action(async () => {
+  .option(
+    '--show-key',
+    'Print the full API key instead of a non-reversible fingerprint',
+  )
+  .action(async (opts) => {
     try {
       const data = await graphql<{
         rotateApiKey: {
@@ -30,11 +34,17 @@ keyCommand
         }`,
       )
 
+      const { user, apiKey } = data.rotateApiKey
       const config = loadConfig()
-      config.apiKey = data.rotateApiKey.apiKey
+      config.apiKey = apiKey
       saveConfig(config)
 
-      output(data.rotateApiKey)
+      // Default output never leaks the secret; --show-key opts in (F35).
+      output(
+        opts.showKey
+          ? { user, apiKey }
+          : { user, keyFingerprint: fingerprintKey(apiKey) },
+      )
     } catch (error) {
       outputError(error)
     }

package/src/commands/setup.test.ts

@@ -19,10 +19,17 @@ beforeEach(() => {
   mockOutputError = vi.fn()
   mockSpawnSync = vi.fn()
 
-  vi.doMock('../util/config.ts', () => ({
-    loadConfig: mockLoadConfig,
-    saveConfig: mockSaveConfig,
-  }))
+  vi.doMock('../util/config.ts', async () => {
+    const actual =
+      await vi.importActual<typeof import('../util/config.ts')>(
+        '../util/config.ts',
+      )
+    return {
+      loadConfig: mockLoadConfig,
+      saveConfig: mockSaveConfig,
+      fingerprintKey: actual.fingerprintKey,
+    }
+  })
 
   vi.doMock('../util/format.ts', () => ({
     output: mockOutput,
@@ -230,17 +237,51 @@ describe('setup command', () => {
         apiKey: 'flowy_test_key_123',
       }),
     )
-    expect(mockOutput).toHaveBeenCalledWith(
+    // Default output surfaces a fingerprint, never the raw secret (F35).
+    const outputArg = mockOutput.mock.calls[0]![0]
+    expect(JSON.stringify(outputArg)).not.toContain('flowy_test_key_123')
+    expect(outputArg).toEqual(
       expect.objectContaining({
         user: expect.objectContaining({
           email: 'test@example.com',
           tier: 'explorer',
           graceEndsAt: '2026-04-13T00:00:00Z',
         }),
-        apiKey: 'flowy_test_key_123',
+        keyFingerprint: expect.stringMatching(/sha256:[0-9a-f]{12}/),
         checkoutUrl: 'https://checkout.stripe.com/session_123',
       }),
     )
+    expect(outputArg).not.toHaveProperty('apiKey')
+  })
+
+  test('setup remote --show-key reveals the full API key', async () => {
+    const mockGraphql = vi.fn().mockResolvedValue({
+      register: {
+        user: {
+          id: 'user_1',
+          email: 'test@example.com',
+          tier: 'explorer',
+          createdAt: '2026-03-30T00:00:00Z',
+          graceEndsAt: null,
+        },
+        apiKey: 'flowy_test_key_123',
+        checkoutUrl: null,
+      },
+    })
+    vi.doMock('../util/client.ts', () => ({
+      graphql: mockGraphql,
+    }))
+    mockSpawnSync.mockReturnValue({ status: 0, stdout: Buffer.from('') })
+
+    const { setupCommand } = await import('./setup.ts')
+    await setupCommand.parseAsync(
+      ['remote', '--email', 'test@example.com', '--show-key'],
+      { from: 'user' },
+    )
+
+    expect(mockOutput).toHaveBeenCalledWith(
+      expect.objectContaining({ apiKey: 'flowy_test_key_123' }),
+    )
   })
 
   test('setup local warns when the skill install fails', async () => {

package/src/commands/setup.ts

@@ -1,6 +1,6 @@
 import { spawnSync } from 'node:child_process'
 import { Command, Option } from 'commander'
-import { loadConfig, saveConfig } from '../util/config.ts'
+import { fingerprintKey, loadConfig, saveConfig } from '../util/config.ts'
 import { output, outputError } from '../util/format.ts'
 import { pinnedInstallSpec } from './serve.ts'
 
@@ -69,6 +69,10 @@ setupCommand
   .command('remote')
   .description('Connect to the hosted Flowy service')
   .option('--email <email>', 'Email address for registration')
+  .option(
+    '--show-key',
+    'Print the full API key instead of a non-reversible fingerprint',
+  )
   .addOption(
     new Option(
       '--tier <tier>',
@@ -116,7 +120,13 @@ setupCommand
 
       installSkill()
 
-      output(data.register)
+      const { user, apiKey, checkoutUrl } = data.register
+      // Default output never leaks the secret; --show-key opts in (F35).
+      output(
+        opts.showKey
+          ? { user, apiKey, checkoutUrl }
+          : { user, keyFingerprint: fingerprintKey(apiKey), checkoutUrl },
+      )
     } catch (error) {
       outputError(error)
     }

package/src/commands/whoami.test.ts

@@ -3,10 +3,18 @@ import { afterEach, beforeEach, describe, expect, test, vi } from 'vitest'
 let mockGraphql: ReturnType<typeof vi.fn>
 let mockOutput: ReturnType<typeof vi.fn>
 let mockOutputError: ReturnType<typeof vi.fn>
+let mockLoadConfig: ReturnType<typeof vi.fn>
 
 beforeEach(() => {
   mockOutput = vi.fn()
   mockOutputError = vi.fn()
+  mockLoadConfig = vi.fn(() => ({
+    mode: 'saas',
+    apiUrl: 'https://flowy-ai.fly.dev/graphql',
+    apiKey: 'flowy_secret_abcdef0123456789',
+    client: { name: '' },
+    projects: {},
+  }))
   mockGraphql = vi.fn().mockResolvedValue({
     whoami: {
       id: 'user_1',
@@ -25,6 +33,17 @@ beforeEach(() => {
   vi.doMock('../util/client.ts', () => ({
     graphql: mockGraphql,
   }))
+
+  vi.doMock('../util/config.ts', async () => {
+    const actual =
+      await vi.importActual<typeof import('../util/config.ts')>(
+        '../util/config.ts',
+      )
+    return {
+      loadConfig: mockLoadConfig,
+      fingerprintKey: actual.fingerprintKey,
+    }
+  })
 })
 
 afterEach(() => {
@@ -33,7 +52,7 @@ afterEach(() => {
 })
 
 describe('whoami command', () => {
-  test('whoami outputs user data from query', async () => {
+  test('whoami outputs user data plus a non-reversible key fingerprint', async () => {
     const userData = {
       id: '1',
       email: 'a@b.com',
@@ -46,7 +65,17 @@ describe('whoami command', () => {
     const { whoamiCommand } = await import('./whoami.ts')
     await whoamiCommand.parseAsync([], { from: 'user' })
 
-    expect(mockOutput).toHaveBeenCalledWith(userData)
+    const outputArg = mockOutput.mock.calls[0]![0]
+    expect(outputArg).toEqual(
+      expect.objectContaining({
+        ...userData,
+        keyFingerprint: expect.stringMatching(/sha256:[0-9a-f]{12}/),
+      }),
+    )
+    // Fingerprint must not leak the configured secret.
+    expect(JSON.stringify(outputArg)).not.toContain(
+      'flowy_secret_abcdef0123456789',
+    )
   })
 
   test('whoami outputs error when query fails', async () => {

package/src/commands/whoami.ts

@@ -1,19 +1,25 @@
 import { Command } from 'commander'
 import { graphql } from '../util/client.ts'
+import { fingerprintKey, loadConfig } from '../util/config.ts'
 import { output, outputError } from '../util/format.ts'
 
 export const whoamiCommand = new Command('whoami')
   .description('Show current user info')
   .action(async () => {
     try {
-      const data = await graphql<{ whoami: unknown }>(
+      const data = await graphql<{ whoami: Record<string, unknown> }>(
         `query Whoami {
           whoami {
             id email tier createdAt graceEndsAt
           }
         }`,
       )
-      output(data.whoami)
+      // Surface a non-reversible fingerprint of the configured key so a human
+      // can confirm *which* credential is active without exposing it (F35).
+      output({
+        ...data.whoami,
+        keyFingerprint: fingerprintKey(loadConfig().apiKey),
+      })
     } catch (error) {
       outputError(error)
     }

package/src/util/config.test.ts

@@ -1,5 +1,12 @@
-import { existsSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
-import { homedir } from 'node:os'
+import {
+  chmodSync,
+  existsSync,
+  readFileSync,
+  rmSync,
+  statSync,
+  writeFileSync,
+} from 'node:fs'
+import { homedir, platform } from 'node:os'
 import { resolve } from 'node:path'
 import {
   afterAll,
@@ -12,6 +19,8 @@ import {
   vi,
 } from 'vitest'
 
+const isWindows = platform() === 'win32'
+
 const CONFIG_PATH = resolve(homedir(), '.config', 'flowy', 'config.json')
 
 describe('config', () => {
@@ -70,6 +79,45 @@ describe('config', () => {
     expect(reloaded.client.name).toBe('Test Client')
   })
 
+  test.skipIf(isWindows)(
+    'saveConfig writes config with 0600 mode',
+    async () => {
+      const { saveConfig, loadConfig } = await import('./config.ts')
+      saveConfig(loadConfig())
+      const mode = statSync(CONFIG_PATH).mode & 0o777
+      expect(mode).toBe(0o600)
+    },
+  )
+
+  test.skipIf(isWindows)(
+    'saveConfig corrects a pre-existing 0644 config to 0600',
+    async () => {
+      const { saveConfig, loadConfig } = await import('./config.ts')
+      // Simulate a config written by an older CLI (world-readable).
+      writeFileSync(CONFIG_PATH, JSON.stringify(loadConfig(), null, 2))
+      chmodSync(CONFIG_PATH, 0o644)
+      expect(statSync(CONFIG_PATH).mode & 0o777).toBe(0o644)
+
+      saveConfig(loadConfig())
+      expect(statSync(CONFIG_PATH).mode & 0o777).toBe(0o600)
+    },
+  )
+
+  test('fingerprintKey is deterministic and non-reversible', async () => {
+    const { fingerprintKey } = await import('./config.ts')
+    const key = 'flowy_secret_abcdef0123456789'
+    const fp = fingerprintKey(key)
+    expect(fingerprintKey(key)).toBe(fp)
+    expect(fp).not.toContain(key)
+    expect(fp).not.toContain('abcdef0123456789')
+    expect(fp).toMatch(/sha256:[0-9a-f]{12}/)
+  })
+
+  test('fingerprintKey returns a placeholder for an empty key', async () => {
+    const { fingerprintKey } = await import('./config.ts')
+    expect(fingerprintKey('')).toBe('(none)')
+  })
+
   test('resolveProject returns null when no project configured', async () => {
     const { resolveProject } = await import('./config.ts')
     expect(resolveProject()).toBeNull()

package/src/util/config.ts

@@ -1,10 +1,34 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
-import { homedir } from 'node:os'
+import { createHash } from 'node:crypto'
+import {
+  chmodSync,
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  writeFileSync,
+} from 'node:fs'
+import { homedir, platform } from 'node:os'
 import { resolve } from 'node:path'
 
 const CONFIG_DIR = resolve(homedir(), '.config', 'flowy')
 const CONFIG_PATH = resolve(CONFIG_DIR, 'config.json')
 
+// Owner-only modes for the config dir/file, which hold the FLOWY_API_KEY.
+// POSIX-only; chmod is a no-op on Windows so we skip it to avoid surprises.
+const DIR_MODE = 0o700
+const FILE_MODE = 0o600
+const isWindows = platform() === 'win32'
+
+/**
+ * Non-reversible fingerprint of an API key, safe to print to stdout/logs.
+ * A short SHA-256 prefix lets a human confirm *which* key is configured
+ * without exposing the secret itself (F35).
+ */
+export function fingerprintKey(apiKey: string): string {
+  if (!apiKey) return '(none)'
+  const digest = createHash('sha256').update(apiKey).digest('hex')
+  return `sha256:${digest.slice(0, 12)}`
+}
+
 export function loadConfig() {
   if (!existsSync(CONFIG_PATH)) {
     return {
@@ -19,8 +43,17 @@ export function loadConfig() {
 }
 
 export function saveConfig(config: ReturnType<typeof loadConfig>): void {
-  mkdirSync(CONFIG_DIR, { recursive: true })
-  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2))
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: DIR_MODE })
+  // `mode` on writeFileSync only applies to *newly created* files and is
+  // masked by umask, so an explicit chmod afterward both corrects a
+  // pre-existing world-readable (0644) config and survives a tight umask.
+  writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), {
+    mode: FILE_MODE,
+  })
+  if (!isWindows) {
+    chmodSync(CONFIG_DIR, DIR_MODE)
+    chmodSync(CONFIG_PATH, FILE_MODE)
+  }
 }
 
 export interface ProjectConfig {