@synth1s/cloak 2.0.2 → 2.1.2

package/.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5

package/.github/workflows/ci.yml

@@ -0,0 +1,30 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: node --test tests/*.test.js
+
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: npm audit --audit-level=high

package/.github/workflows/publish.yml

@@ -0,0 +1,23 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+      - run: npm ci
+      - run: node --test tests/*.test.js
+      - run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/CONTRIBUTING.md

@@ -0,0 +1,48 @@
+# Contributing to @synth1s/cloak
+
+Thanks for your interest in contributing!
+
+## Development
+
+```bash
+git clone https://github.com/synth1s/cloak.git
+cd cloak
+npm install
+npm test
+```
+
+## Methodology
+
+This project follows **strict TDD**. Every change must follow:
+
+1. Write the test first (it must fail)
+2. Implement the minimum code to make it pass
+3. Refactor if needed
+
+## Running tests
+
+```bash
+npm test              # run all tests
+node --test tests/    # same thing
+```
+
+Tests use `node:test` (native Node.js test runner). No external test frameworks.
+
+## Code style
+
+- Node.js ESM (`type: "module"`)
+- All user-facing strings in `src/lib/messages.js`
+- All paths in `src/lib/paths.js`
+- One file per command in `src/commands/`
+- stderr for errors/warnings, stdout for data/success
+
+## Pull requests
+
+- One feature or fix per PR
+- Include tests for new behavior
+- Update documentation if the change affects user-facing behavior
+- Run `npm test` before submitting
+
+## Security
+
+See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.

package/README.md

@@ -1,5 +1,9 @@
 # @synth1s/cloak
 
+[![CI](https://github.com/synth1s/cloak/actions/workflows/ci.yml/badge.svg)](https://github.com/synth1s/cloak/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/@synth1s/cloak)](https://www.npmjs.com/package/@synth1s/cloak)
+[![license](https://img.shields.io/npm/l/@synth1s/cloak)](LICENSE)
+
 > Cloak your Claude. Switch identities in seconds.
 
 Every developer wears a different cloak. One for work, one for personal projects, one for that freelance gig. **Cloak** lets you dress your Claude Code in the right identity — and switch between them without breaking a sweat.

package/SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in @synth1s/cloak, please report it responsibly.
+
+**Do NOT open a public issue.** Instead, email:
+
+**cloak@synth1s.com.br**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+
+You will receive a response within 48 hours. Once confirmed, a fix will be released as a patch version and credited in the changelog (unless you prefer anonymity).
+
+## Scope
+
+This policy covers:
+- The `@synth1s/cloak` npm package
+- The shell integration code emitted by `cloak init`
+- File operations on `~/.cloak/` and shell rc files
+
+## Security Measures
+
+- Account names are validated against `^[a-zA-Z0-9][a-zA-Z0-9_-]{0,63}$` to prevent path traversal
+- Credential files are created with restrictive permissions (0o700 dirs, 0o600 files)
+- Shell eval output is quoted to prevent injection
+- OAuth tokens are never read, logged, or transmitted — only copied as files
+- `.bashrc` modifications include a backup (`.cloak-backup`) and a marker comment

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@synth1s/cloak",
-  "version": "2.0.2",
+  "version": "2.1.2",
   "description": "Cloak your Claude. Switch identities in seconds.",
   "type": "module",
   "bin": {

package/src/commands/create.js

@@ -1,4 +1,4 @@
-import { existsSync, copyFileSync, mkdirSync } from 'fs'
+import { existsSync, copyFileSync, mkdirSync, chmodSync } from 'fs'
 import inquirer from 'inquirer'
 import {
   claudeAuthPath,
@@ -62,13 +62,15 @@ export async function createAccount(name, options = {}) {
 
   ensureProfilesDir()
   const dir = profileDir(name)
-  mkdirSync(dir, { recursive: true })
+  mkdirSync(dir, { recursive: true, mode: 0o700 })
 
   copyFileSync(authSource, profileAuthPath(name))
+  chmodSync(profileAuthPath(name), 0o600)
 
   const settingsSource = claudeSettingsPath()
   if (existsSync(settingsSource)) {
     copyFileSync(settingsSource, profileSettingsPath(name))
+    chmodSync(profileSettingsPath(name), 0o600)
   }
 
   console.log(msg.cloakCreated(name))

package/src/lib/messages.js

@@ -137,7 +137,7 @@ export function wearingCloak(name) {
 // --- Print-env (stdout, no chalk — evaluated by shell) ---
 
 export function printEnvExport(dir) {
-  return `export CLAUDE_CONFIG_DIR=${dir}\n`
+  return `export CLAUDE_CONFIG_DIR="${dir}"\n`
 }
 
 export function printEnvEcho(name) {

package/src/lib/paths.js

@@ -40,7 +40,7 @@ export function profileSettingsPath(name) {
 
 export function ensureProfilesDir() {
   if (!existsSync(PROFILES_DIR)) {
-    mkdirSync(PROFILES_DIR, { recursive: true })
+    mkdirSync(PROFILES_DIR, { recursive: true, mode: 0o700 })
   }
 }
 

package/src/lib/setup.js

@@ -1,7 +1,10 @@
-import { readFileSync, writeFileSync, existsSync } from 'fs'
+import { readFileSync, writeFileSync, copyFileSync, existsSync } from 'fs'
 import { join } from 'path'
 import { homedir } from 'os'
 
+const MARKER = '# Added by @synth1s/cloak'
+const INIT_LINE = 'eval "$(cloak init)"'
+
 function getHome() {
   return process.env.HOME || homedir()
 }
@@ -22,16 +25,21 @@ export function isAlreadyInstalled(rcFilePath) {
 
 export function installToRcFile(rcFilePath) {
   if (!existsSync(rcFilePath)) {
-    writeFileSync(rcFilePath, 'eval "$(cloak init)"\n')
+    writeFileSync(rcFilePath, `${MARKER}\n${INIT_LINE}\n`)
     return
   }
 
-  // Read existing content and remove ALL lines containing 'cloak init'
+  // Backup before modifying
+  copyFileSync(rcFilePath, rcFilePath + '.cloak-backup')
+
+  // Remove ALL lines containing 'cloak init' or the marker
   const content = readFileSync(rcFilePath, 'utf8')
   const lines = content.split('\n')
-  const cleaned = lines.filter(line => !line.includes('cloak init'))
+  const cleaned = lines.filter(line =>
+    !line.includes('cloak init') && line !== MARKER
+  )
   const cleanedContent = cleaned.join('\n').replace(/\n{3,}/g, '\n\n')
 
-  // Write cleaned content + fresh init line
-  writeFileSync(rcFilePath, cleanedContent.trimEnd() + '\neval "$(cloak init)"\n')
+  // Append fresh marker + init line
+  writeFileSync(rcFilePath, cleanedContent.trimEnd() + `\n${MARKER}\n${INIT_LINE}\n`)
 }