@tryfridayai/cli 0.2.1 → 0.2.4

package/src/commands/chat.js

@@ -2,7 +2,7 @@
  * friday chat — Interactive conversation with the agent runtime
  *
  * Spawns the runtime's stdio transport (friday-server.js) as a child process
- * and provides a readline-based REPL with clean, user-friendly output.
+ * and provides a bottom-pinned input bar with clean, user-friendly output.
  *
  * Use --verbose to see raw debug output (session IDs, tool inputs, etc.)
  */
@@ -11,9 +11,7 @@ import { spawn } from 'child_process';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
-import readline from 'readline';
 import { fileURLToPath } from 'url';
-import { createRequire } from 'module';
 
 // ── Chat modules ─────────────────────────────────────────────────────────
 
@@ -26,20 +24,9 @@ import {
   routeSlashCommand, handleColonCommand, checkPendingResponse,
 } from './chat/slashCommands.js';
 import { checkPreQueryHint, checkPostResponseHint } from './chat/smartAffordances.js';
-
-// ── Resolve runtime ──────────────────────────────────────────────────────
-
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-const require = createRequire(import.meta.url);
-let runtimeDir;
-try {
-  const runtimePkg = require.resolve('friday-runtime/package.json');
-  runtimeDir = path.dirname(runtimePkg);
-} catch {
-  runtimeDir = path.resolve(__dirname, '..', '..', '..', 'runtime');
-}
+import { runtimeDir } from '../resolveRuntime.js';
+import { loadApiKeysToEnv } from '../secureKeyStore.js';
+import InputLine from './chat/inputLine.js';
 const serverScript = path.join(runtimeDir, 'friday-server.js');
 
 // ── Tool humanization ────────────────────────────────────────────────────
@@ -99,12 +86,59 @@ function humanizeToolUse(toolName, toolInput) {
   }
 
   const humanized = action.replace(/_/g, ' ').replace(/\b\w/g, (c) => c);
-  if (server) {
-    return `${humanized} (${server})`;
-  }
   return humanized;
 }
 
+/** Humanize a tool name for permission prompts — hide MCP internals */
+function humanizePermission(toolName, description) {
+  // Map tool actions to friendly descriptions
+  const friendlyNames = {
+    'generate_image': 'Generate Image',
+    'generate image': 'Generate Image',
+    'generate_video': 'Generate Video',
+    'generate video': 'Generate Video',
+    'text_to_speech': 'Text to Speech',
+    'text to speech': 'Text to Speech',
+    'speech_to_text': 'Speech to Text',
+    'speech to text': 'Speech to Text',
+    'query_model': 'Query AI Model',
+    'list_voices': 'List Voices',
+    'clone_voice': 'Clone Voice',
+    'execute_command': 'Run Terminal Command',
+    'execute command': 'Run Terminal Command',
+    'start_preview': 'Start Preview Server',
+    'stop_preview': 'Stop Preview Server',
+    'WebSearch': 'Search the Web',
+    'WebFetch': 'Fetch Web Page',
+    'scrape': 'Scrape Web Page',
+    'crawl': 'Crawl Website',
+  };
+
+  if (description) {
+    // Strip MCP server prefixes: "mcp__server__" or "mcp server-name "
+    let cleaned = description
+      .replace(/mcp__[\w-]+__/gi, '')           // mcp__server__tool
+      .replace(/mcp\s+[\w-]+\s+/gi, '')         // mcp server-name tool
+      .replace(/_/g, ' ')
+      .trim();
+
+    // Check if cleaned text matches a friendly name
+    const lowerCleaned = cleaned.toLowerCase();
+    for (const [key, value] of Object.entries(friendlyNames)) {
+      if (lowerCleaned === key.toLowerCase() || lowerCleaned.startsWith(key.toLowerCase())) {
+        return value;
+      }
+    }
+    return cleaned;
+  }
+
+  if (!toolName) return 'use a tool';
+  const parts = toolName.split('__');
+  const action = parts[parts.length - 1];
+
+  return friendlyNames[action] || `Allow Friday to use ${action.replace(/_/g, ' ')}`;
+}
+
 /**
  * Make absolute file paths clickable in terminal output using OSC 8 hyperlinks.
  */
@@ -125,7 +159,7 @@ const SPINNER_FRAMES = ['\u280b', '\u2819', '\u2839', '\u2838', '\u283c', '\u283
 function createSpinner() {
   let interval = null;
   let frameIndex = 0;
-  let currentText = 'Thinking';
+  let currentText = 'Friday is thinking';
   let lineLength = 0;
 
   function clear() {
@@ -144,7 +178,7 @@ function createSpinner() {
   }
 
   return {
-    start(text = 'Thinking') {
+    start(text = 'Friday is thinking') {
       currentText = text;
       frameIndex = 0;
       if (interval) clearInterval(interval);
@@ -254,6 +288,36 @@ export default async function chat(args) {
   );
   fs.mkdirSync(workspacePath, { recursive: true });
 
+  // Load API keys from secure storage (system keychain)
+  // Keys are loaded into process.env for the runtime to access,
+  // but are filtered out before being passed to the agent (see AgentRuntime.js)
+  try {
+    await loadApiKeysToEnv();
+  } catch (err) {
+    if (verbose) {
+      console.log(`${DIM}Note: Could not load from secure storage: ${err.message}${RESET}`);
+    }
+  }
+
+  // Fallback: Also check ~/.friday/.env for legacy keys (will be migrated to keychain)
+  const fridayEnvPath = path.join(os.homedir(), '.friday', '.env');
+  try {
+    if (fs.existsSync(fridayEnvPath)) {
+      const content = fs.readFileSync(fridayEnvPath, 'utf8');
+      for (const line of content.split('\n')) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
+        const eqIdx = trimmed.indexOf('=');
+        const key = trimmed.slice(0, eqIdx).trim();
+        const val = trimmed.slice(eqIdx + 1).trim();
+        // Only use .env values if not already set from secure storage
+        if (key && val && !process.env[key]) {
+          process.env[key] = val;
+        }
+      }
+    }
+  } catch { /* ignore */ }
+
   const env = { ...process.env, FRIDAY_WORKSPACE: workspacePath };
 
   if (verbose) {
@@ -281,11 +345,17 @@ export default async function chat(args) {
     process.exit(code ?? 0);
   });
 
-  const rl = readline.createInterface({
-    input: process.stdin,
-    output: process.stdout,
-    prompt: PROMPT_STRING,
-  });
+  // ── InputLine (replaces readline) ──────────────────────────────────────
+
+  const inputLine = new InputLine();
+
+  // Compatibility adapter for slashCommands.js (expects ctx.rl)
+  const rlCompat = {
+    pause()  { inputLine.pause(); },
+    resume() { inputLine.resume(); },
+    prompt() { inputLine.prompt(); },
+    close()  { inputLine.destroy(); },
+  };
 
   let sessionId = null;
   let pendingPermission = null;
@@ -294,6 +364,14 @@ export default async function chat(args) {
   let isStreaming = false;
   let accumulatedResponse = ''; // Track response text for post-response hints
 
+  // ── Permission queue (fixes issues b & c) ──────────────────────────────
+  // Multiple permission_request messages can arrive simultaneously.
+  // We queue them and show only one selectOption at a time, preventing
+  // stacked prompts and the `tool_use ids must be unique` API error.
+
+  const permissionQueue = [];
+  let showingPermission = false;
+
   const spinner = createSpinner();
 
   function writeMessage(payload) {
@@ -319,6 +397,73 @@ export default async function chat(args) {
     }
   }
 
+  /**
+   * Display the next queued permission prompt. Only one is shown at a time.
+   * When the user responds, processNextPermission() is called again to
+   * dequeue the next one (if any).
+   */
+  function processNextPermission() {
+    if (showingPermission) return; // one at a time
+    if (permissionQueue.length === 0) return;
+
+    showingPermission = true;
+    const msg = permissionQueue.shift();
+    pendingPermission = msg;
+
+    if (spinner.active) {
+      spinner.stop();
+    }
+    if (isStreaming) {
+      process.stdout.write('\n');
+      isStreaming = false;
+    }
+
+    console.log('');
+    console.log(`${YELLOW}${BOLD}Permission needed:${RESET} ${humanizePermission(msg.tool_name, msg.description)}`);
+    if (msg.tool_input) {
+      const entries = Object.entries(msg.tool_input);
+      const preview = entries.slice(0, 3).map(([k, v]) => {
+        const val = typeof v === 'string' ? v : JSON.stringify(v);
+        const short = val.length > 70 ? val.slice(0, 67) + '...' : val;
+        return `  ${DIM}${k}: ${short}${RESET}`;
+      });
+      preview.forEach((line) => console.log(line));
+      if (entries.length > 3) {
+        console.log(`  ${DIM}...and ${entries.length - 3} more${RESET}`);
+      }
+    }
+    console.log('');
+    selectOption(
+      [
+        { label: 'Allow', value: 'allow' },
+        { label: 'Allow for this session', value: 'session' },
+        { label: 'Deny', value: 'deny' },
+      ],
+      { rl: rlCompat }
+    ).then((choice) => {
+      showingPermission = false;
+
+      if (!pendingPermission) {
+        // Permission was cancelled while user was choosing
+        inputLine.prompt();
+        processNextPermission();
+        return;
+      }
+      if (choice.value === 'deny') {
+        sendPermissionResponse(false, {});
+      } else {
+        sendPermissionResponse(true, {});
+      }
+
+      // Process next queued permission (if any)
+      if (permissionQueue.length > 0) {
+        processNextPermission();
+      } else {
+        inputLine.prompt();
+      }
+    });
+  }
+
   function showRulePrompt() {
     if (pendingRulePrompt || rulePromptQueue.length === 0) return;
     pendingRulePrompt = rulePromptQueue.shift();
@@ -367,7 +512,7 @@ export default async function chat(args) {
   // ── Slash command context ──────────────────────────────────────────────
 
   const slashCtx = {
-    get rl() { return rl; },
+    get rl() { return rlCompat; },
     get sessionId() { return sessionId; },
     get workspacePath() { return workspacePath; },
     get verbose() { return verbose; },
@@ -412,7 +557,8 @@ export default async function chat(args) {
         case 'ready':
           console.log(renderWelcome());
           console.log('');
-          rl.prompt();
+          inputLine.init();
+          inputLine.prompt();
           break;
 
         case 'session':
@@ -421,7 +567,11 @@ export default async function chat(args) {
 
         case 'thinking':
           if (!spinner.active) {
-            spinner.start('Thinking');
+            if (isStreaming) {
+              process.stdout.write('\n');
+              isStreaming = false;
+            }
+            spinner.start('Friday is thinking');
           }
           break;
 
@@ -434,6 +584,8 @@ export default async function chat(args) {
           }
           if (!isStreaming) {
             isStreaming = true;
+            // Start agent output on a fresh line
+            process.stdout.write('\n');
           }
           {
             const text = msg.text || msg.content || '';
@@ -462,59 +614,20 @@ export default async function chat(args) {
           break;
 
         case 'permission_request':
-          pendingPermission = msg;
-          if (spinner.active) {
-            spinner.stop();
-          }
-          if (isStreaming) {
-            process.stdout.write('\n');
-            isStreaming = false;
-          }
-          console.log('');
-          console.log(`${YELLOW}${BOLD}Permission needed:${RESET} ${msg.description || msg.tool_name}`);
-          if (msg.tool_input) {
-            const entries = Object.entries(msg.tool_input);
-            const preview = entries.slice(0, 3).map(([k, v]) => {
-              const val = typeof v === 'string' ? v : JSON.stringify(v);
-              const short = val.length > 70 ? val.slice(0, 67) + '...' : val;
-              return `  ${DIM}${k}: ${short}${RESET}`;
-            });
-            preview.forEach((line) => console.log(line));
-            if (entries.length > 3) {
-              console.log(`  ${DIM}...and ${entries.length - 3} more${RESET}`);
-            }
-          }
-          console.log('');
-          selectOption(
-            [
-              { label: 'Allow', value: 'allow' },
-              { label: 'Allow for this session', value: 'session' },
-              { label: 'Deny', value: 'deny' },
-            ],
-            { rl }
-          ).then((choice) => {
-            if (choice.value === 'deny') {
-              sendPermissionResponse(false, {});
-            } else {
-              const permissionLevel = choice.value === 'session' ? 'session' : 'once';
-              const response = {
-                type: 'permission_response',
-                permission_id: pendingPermission.permission_id,
-                approved: true,
-                permission_level: permissionLevel,
-              };
-              writeMessage(response);
-              pendingPermission = null;
-              spinner.start('Working');
-            }
-            rl.prompt();
-          });
+          // Queue the permission and process one at a time (fixes issues b & c)
+          permissionQueue.push(msg);
+          processNextPermission();
           break;
 
         case 'permission_cancelled':
           if (pendingPermission && pendingPermission.permission_id === msg.permission_id) {
             pendingPermission = null;
           }
+          // Also remove from queue if still pending
+          const cancelIdx = permissionQueue.findIndex(p => p.permission_id === msg.permission_id);
+          if (cancelIdx !== -1) {
+            permissionQueue.splice(cancelIdx, 1);
+          }
           break;
 
         case 'rule_prompt':
@@ -530,7 +643,7 @@ export default async function chat(args) {
             spinner.stop();
           }
           console.log(`\n${RED}Error: ${msg.message}${RESET}`);
-          rl.prompt();
+          inputLine.prompt();
           break;
 
         case 'complete':
@@ -540,12 +653,15 @@ export default async function chat(args) {
           if (isStreaming) {
             isStreaming = false;
           }
-          // Show cost summary if available
-          if (msg.cost && msg.cost.estimated > 0) {
-            const cost = msg.cost.estimated;
-            const costStr = cost < 0.01 ? `${(cost * 100).toFixed(2)}c` : `$${cost.toFixed(4)}`;
+          // Show chat token usage if available
+          if (msg.cost && msg.cost.tokens) {
             const tokens = msg.cost.tokens;
-            console.log(`\n${DIM}${costStr} \u00b7 ${tokens.input + tokens.output} tokens${RESET}`);
+            const total = tokens.input + tokens.output;
+            if (total > 0) {
+              console.log(`\n${DIM}chat: ${total.toLocaleString()} tokens${RESET}`);
+            } else {
+              console.log('');
+            }
           } else {
             console.log('');
           }
@@ -557,7 +673,7 @@ export default async function chat(args) {
             }
             accumulatedResponse = '';
           }
-          rl.prompt();
+          inputLine.prompt();
           break;
 
         default:
@@ -576,7 +692,8 @@ export default async function chat(args) {
     switch (msg.type) {
       case 'ready':
         console.log('Friday is ready. Type your prompt to begin.');
-        rl.prompt();
+        inputLine.init();
+        inputLine.prompt();
         break;
       case 'session':
         sessionId = msg.session_id;
@@ -592,21 +709,9 @@ export default async function chat(args) {
         process.stdout.write(msg.text || msg.content || '');
         break;
       case 'permission_request':
-        pendingPermission = msg;
-        console.log('\n=== Permission Request ==========================');
-        console.log(`Tool : ${msg.tool_name}`);
-        console.log(`Desc : ${msg.description}`);
-        if (msg.tool_input) {
-          const keys = Object.keys(msg.tool_input);
-          console.log('Input:');
-          keys.slice(0, 5).forEach((key) => {
-            console.log(`  ${key}: ${JSON.stringify(msg.tool_input[key])}`);
-          });
-          if (keys.length > 5) console.log(`  ...and ${keys.length - 5} more`);
-        }
-        console.log('Type :allow or :deny to respond.');
-        console.log('===============================================\n');
-        rl.prompt();
+        // Queue the permission in verbose mode too
+        permissionQueue.push(msg);
+        processNextPermission();
         break;
       case 'permission_cancelled':
         if (pendingPermission && pendingPermission.permission_id === msg.permission_id) {
@@ -623,7 +728,7 @@ export default async function chat(args) {
         break;
       case 'complete':
         console.log('');
-        rl.prompt();
+        inputLine.prompt();
         break;
       default:
         if (msg.type === 'tool_use') {
@@ -650,16 +755,51 @@ export default async function chat(args) {
 
   // ── Input handler ──────────────────────────────────────────────────────
 
-  rl.on('line', async (input) => {
+  // Flag to prevent leaked input from askSecret from being sent as query
+  let processingSlashCommand = false;
+
+  // Safety patterns to detect accidentally leaked API keys
+  const API_KEY_PATTERNS = [
+    /^sk-[a-zA-Z0-9-_]{20,}$/,           // OpenAI/Anthropic style
+    /^sk-ant-[a-zA-Z0-9-_]{20,}$/,       // Anthropic
+    /^sk-proj-[a-zA-Z0-9-_]{20,}$/,      // OpenAI project keys
+    /^AIza[a-zA-Z0-9-_]{30,}$/,          // Google API keys
+    /^[a-f0-9]{32}$/,                     // Generic 32-char hex keys
+  ];
+
+  function looksLikeApiKey(text) {
+    return API_KEY_PATTERNS.some(pattern => pattern.test(text));
+  }
+
+  inputLine.onSubmit(async (input) => {
     const line = input.trim();
     if (!line) {
-      rl.prompt();
+      inputLine.prompt();
+      return;
+    }
+
+    // SECURITY: Silently block any input that looks like an API key
+    // This is a fallback in case askSecret leaks input to readline buffer
+    if (looksLikeApiKey(line)) {
+      // Silently ignore - don't alarm the user, just don't send to agent
+      inputLine.prompt();
+      return;
+    }
+
+    // Ignore input while processing a slash command (e.g., leaked from askSecret)
+    if (processingSlashCommand) {
+      inputLine.prompt();
       return;
     }
 
     // ── Slash commands (/help, /plugins, etc.) ──────────────────────────
     if (line.startsWith('/')) {
-      await routeSlashCommand(line, slashCtx);
+      processingSlashCommand = true;
+      try {
+        await routeSlashCommand(line, slashCtx);
+      } finally {
+        processingSlashCommand = false;
+      }
       return;
     }
 
@@ -679,7 +819,7 @@ export default async function chat(args) {
           console.log(`${ORANGE}Hint:${RESET} ${DIM}Commands now use / prefix. Try ${BOLD}/quit${RESET}`);
           spinner.stop();
           backend.kill();
-          rl.close();
+          inputLine.destroy();
           return;
         case 'new':
           console.log(`${ORANGE}Hint:${RESET} ${DIM}Commands now use / prefix. Try ${BOLD}/new${RESET}`);
@@ -739,7 +879,7 @@ export default async function chat(args) {
             return;
           }
       }
-      rl.prompt();
+      inputLine.prompt();
       return;
     }
 
@@ -750,14 +890,10 @@ export default async function chat(args) {
     }
 
     // ── Send user query ─────────────────────────────────────────────────
+    // Echo user input so it's visible in the scroll region
+    console.log(`\n${PURPLE}▸${RESET} ${BOLD}${line}${RESET}`);
     accumulatedResponse = '';
-    spinner.start('Thinking');
+    spinner.start('Friday is thinking');
     writeMessage({ type: 'query', message: line, session_id: sessionId });
   });
-
-  rl.on('close', () => {
-    spinner.stop();
-    backend.kill('SIGINT');
-    process.exit(0);
-  });
 }

package/src/commands/install.js

@@ -6,17 +6,8 @@
  */
 
 import readline from 'readline';
-import { createRequire } from 'module';
 import path from 'path';
-
-const require = createRequire(import.meta.url);
-let runtimeDir;
-try {
-  const runtimePkg = require.resolve('friday-runtime/package.json');
-  runtimeDir = path.dirname(runtimePkg);
-} catch {
-  runtimeDir = path.resolve(path.dirname(new URL(import.meta.url).pathname), '..', '..', '..', 'runtime');
-}
+import { runtimeDir } from '../resolveRuntime.js';
 
 const DIM = '\x1b[2m';
 const RESET = '\x1b[0m';
@@ -31,6 +22,48 @@ function ask(rl, question) {
   });
 }
 
+function askSecret(rl, prompt) {
+  return new Promise((resolve) => {
+    rl.pause();
+    rl.terminal = false;
+    process.stdout.write(prompt);
+    let input = '';
+    const wasRaw = process.stdin.isRaw;
+    if (process.stdin.isTTY) process.stdin.setRawMode(true);
+    process.stdin.resume();
+    const onData = (data) => {
+      const str = data.toString();
+      for (const char of str) {
+        if (char === '\r' || char === '\n') {
+          process.stdin.removeListener('data', onData);
+          if (process.stdin.isTTY) process.stdin.setRawMode(wasRaw || false);
+          process.stdout.write('\n');
+          rl.terminal = true;
+          rl.resume();
+          resolve(input);
+          return;
+        }
+        if (char === '\x03') {
+          process.stdin.removeListener('data', onData);
+          if (process.stdin.isTTY) process.stdin.setRawMode(wasRaw || false);
+          process.stdout.write('\n');
+          rl.terminal = true;
+          rl.resume();
+          resolve('');
+          return;
+        }
+        if (char === '\x7f' || char === '\b') {
+          if (input.length > 0) { input = input.slice(0, -1); process.stdout.write('\b \b'); }
+          continue;
+        }
+        input += char;
+        process.stdout.write('*');
+      }
+    };
+    process.stdin.on('data', onData);
+  });
+}
+
 function maskValue(value) {
   if (!value || value.length < 8) return '****';
   return value.slice(0, 4) + '...' + value.slice(-4);
@@ -127,15 +160,12 @@ export default async function install(args) {
 
     const requiredTag = field.required ? '' : ` ${DIM}(optional)${RESET}`;
     const prompt = `  ${field.label}${requiredTag}: `;
-    const value = await ask(rl, prompt);
+    const value = field.type === 'secret'
+      ? await askSecret(rl, prompt)
+      : await ask(rl, prompt);
 
     if (value) {
       credentials[field.key] = value;
-      if (field.type === 'secret') {
-        // Clear the line and reprint masked
-        process.stdout.write(`\x1b[1A\x1b[2K`);
-        console.log(`  ${field.label}${requiredTag}: ${DIM}${maskValue(value)}${RESET}`);
-      }
     } else if (field.required) {
       console.log(`  ${YELLOW}Skipped (required). Plugin may not work without this.${RESET}`);
     }

package/src/commands/plugins.js

@@ -2,17 +2,8 @@
  * friday plugins — List installed and available plugins
  */
 
-import { createRequire } from 'module';
 import path from 'path';
-
-const require = createRequire(import.meta.url);
-let runtimeDir;
-try {
-  const runtimePkg = require.resolve('friday-runtime/package.json');
-  runtimeDir = path.dirname(runtimePkg);
-} catch {
-  runtimeDir = path.resolve(path.dirname(new URL(import.meta.url).pathname), '..', '..', '..', 'runtime');
-}
+import { runtimeDir } from '../resolveRuntime.js';
 
 const DIM = '\x1b[2m';
 const RESET = '\x1b[0m';

package/src/commands/schedule.js

@@ -8,17 +8,8 @@
  */
 
 import readline from 'readline';
-import { createRequire } from 'module';
 import path from 'path';
-
-const require = createRequire(import.meta.url);
-let runtimeDir;
-try {
-  const runtimePkg = require.resolve('friday-runtime/package.json');
-  runtimeDir = path.dirname(runtimePkg);
-} catch {
-  runtimeDir = path.resolve(path.dirname(new URL(import.meta.url).pathname), '..', '..', '..', 'runtime');
-}
+import { runtimeDir } from '../resolveRuntime.js';
 
 const DIM = '\x1b[2m';
 const RESET = '\x1b[0m';