beachviber 1.0.34

package/dist/image-download.js

@@ -0,0 +1,142 @@
+import { mkdirSync, existsSync, readdirSync, statSync, unlinkSync, writeFileSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import { randomUUID } from "crypto";
+import { resolve as dnsResolve } from "dns/promises";
+const IMAGE_DIR = join(tmpdir(), "beachviber-images");
+const ALLOWED_EXTENSIONS = new Set(["png", "jpg", "jpeg", "gif", "webp", "svg", "bmp", "heic"]);
+const ALLOWED_CONTENT_TYPES = new Set([
+    "image/png", "image/jpeg", "image/gif", "image/webp",
+    "image/svg+xml", "image/bmp", "image/heic",
+]);
+function ensureDir() {
+    if (!existsSync(IMAGE_DIR)) {
+        mkdirSync(IMAGE_DIR, { recursive: true });
+    }
+}
+function extFromUrl(url) {
+    try {
+        const pathname = new URL(url).pathname;
+        const match = pathname.match(/\.(\w+)(?:\?|$)/);
+        if (match && ALLOWED_EXTENSIONS.has(match[1].toLowerCase()))
+            return match[1].toLowerCase();
+    }
+    catch { }
+    return "png";
+}
+/** Returns true if an IP address is in a private/reserved range (SSRF targets) */
+function isPrivateIP(ip) {
+    // IPv4 private/reserved ranges
+    if (/^127\./.test(ip))
+        return true; // loopback
+    if (/^10\./.test(ip))
+        return true; // RFC 1918
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(ip))
+        return true; // RFC 1918
+    if (/^192\.168\./.test(ip))
+        return true; // RFC 1918
+    if (/^169\.254\./.test(ip))
+        return true; // link-local
+    if (/^0\./.test(ip))
+        return true; // current network
+    if (ip === "255.255.255.255")
+        return true; // broadcast
+    // IPv6 private/reserved
+    if (ip === "::1")
+        return true; // loopback
+    if (/^fe80:/i.test(ip))
+        return true; // link-local
+    if (/^f[cd]/i.test(ip))
+        return true; // unique local (fc00::/7)
+    return false;
+}
+const MAX_IMAGE_BYTES = 50 * 1024 * 1024; // 50 MB
+const FETCH_TIMEOUT_MS = 30_000; // 30 seconds
+export async function downloadImage(url) {
+    // Validate URL scheme — HTTPS only
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:") {
+        throw new Error(`Image download blocked: only HTTPS URLs are allowed (got ${parsed.protocol})`);
+    }
+    // Resolve hostname and block private/reserved IPs to prevent SSRF.
+    // Pin the resolved IP to prevent DNS rebinding between validation and fetch.
+    const hostname = parsed.hostname;
+    let resolvedIP;
+    try {
+        const addresses = await dnsResolve(hostname);
+        for (const addr of addresses) {
+            if (isPrivateIP(addr)) {
+                throw new Error(`Image download blocked: hostname "${hostname}" resolves to private IP ${addr}`);
+            }
+        }
+        resolvedIP = addresses[0];
+    }
+    catch (err) {
+        if (err instanceof Error && err.message.startsWith("Image download blocked"))
+            throw err;
+        throw new Error(`Image download blocked: could not resolve hostname "${hostname}"`);
+    }
+    ensureDir();
+    const ext = extFromUrl(url);
+    const filename = `${randomUUID()}.${ext}`;
+    const filepath = join(IMAGE_DIR, filename);
+    // Fetch using the pinned IP to prevent DNS rebinding.
+    // Replace hostname with the resolved IP and set Host header for TLS/virtual hosting.
+    const pinnedUrl = new URL(url);
+    pinnedUrl.hostname = resolvedIP;
+    const response = await fetch(pinnedUrl.toString(), {
+        signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+        headers: { Host: hostname },
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to download image: ${response.status} ${response.statusText}`);
+    }
+    // Validate Content-Type is an image
+    const contentType = (response.headers.get("content-type") || "").split(";")[0].trim().toLowerCase();
+    if (contentType && !ALLOWED_CONTENT_TYPES.has(contentType)) {
+        throw new Error(`Image download blocked: unexpected Content-Type "${contentType}"`);
+    }
+    // Reject if Content-Length exceeds limit (when provided by server)
+    const contentLength = Number(response.headers.get("content-length") || 0);
+    if (contentLength > MAX_IMAGE_BYTES) {
+        throw new Error(`Image too large: ${contentLength} bytes (max ${MAX_IMAGE_BYTES})`);
+    }
+    // Stream the body with a size cap in case Content-Length is missing or wrong
+    const chunks = [];
+    let totalBytes = 0;
+    const reader = response.body?.getReader();
+    if (!reader)
+        throw new Error("No response body");
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        totalBytes += value.byteLength;
+        if (totalBytes > MAX_IMAGE_BYTES) {
+            reader.cancel();
+            throw new Error(`Image too large: exceeded ${MAX_IMAGE_BYTES} bytes during download`);
+        }
+        chunks.push(Buffer.from(value));
+    }
+    writeFileSync(filepath, Buffer.concat(chunks));
+    return filepath;
+}
+export function cleanupOldImages() {
+    if (!existsSync(IMAGE_DIR))
+        return;
+    const now = Date.now();
+    const ONE_HOUR = 60 * 60 * 1000;
+    try {
+        for (const file of readdirSync(IMAGE_DIR)) {
+            const filepath = join(IMAGE_DIR, file);
+            try {
+                const stat = statSync(filepath);
+                if (now - stat.mtimeMs > ONE_HOUR) {
+                    unlinkSync(filepath);
+                }
+            }
+            catch { }
+        }
+    }
+    catch { }
+}

package/dist/index.js

@@ -0,0 +1,208 @@
+#!/usr/bin/env node
+import crypto from "crypto";
+import chalk from "chalk";
+import { state, VERSION, RELAY_URL, setRelayUrl } from "./state.js";
+import { connect, send } from "./connection.js";
+import { enterSetupMode } from "./pairing.js";
+import { discoverProjects } from "./projects.js";
+import { loadConfig, saveConfig, deleteConfig, generateDeviceId, setProfile, getProfile, getProfileSuffix, DEFAULT_RELAY_URL, DEFAULT_API_URL, } from "./config.js";
+import { setApiUrl } from "./api.js";
+import { generateKeyPair, computeSharedSecret, toBase64, fromBase64, loadKeys, saveKeys, importPublicKeyRaw, exportPublicKeyRaw, } from "./crypto.js";
+import { initSessionManager } from "./sessions.js";
+import { startApprovalServer, getSocketPath, getAuthToken } from "./approval-server.js";
+import { installHook } from "./hook-installer.js";
+import { cleanupOldImages } from "./image-download.js";
+import { getActiveBackendName } from "./secret-store.js";
+// Parse --profile before any config loading
+const profileArgs = process.argv.slice(2);
+const profileIdx = profileArgs.indexOf("--profile");
+if (profileIdx !== -1) {
+    const profileName = profileArgs[profileIdx + 1];
+    if (!profileName || profileName.startsWith("--")) {
+        console.error("Error: --profile requires a name argument");
+        process.exit(1);
+    }
+    try {
+        setProfile(profileName);
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+}
+// Handle --help early, before any heavy initialization
+if (process.argv.includes("--help") || process.argv.includes("-h")) {
+    console.log(`
+  ${chalk.bold("BeachViber Desktop")} v${VERSION}
+
+  ${chalk.bold("Usage:")} beachviber [options]
+
+  ${chalk.bold("Options:")}
+    --profile <name>  Use a named profile
+    --reset           Delete config and keys, then exit
+    -v, --version     Show version
+    -h, --help        Show this help
+`);
+    process.exit(0);
+}
+// Handle --version early, before any heavy initialization
+if (process.argv.includes("--version") || process.argv.includes("-v")) {
+    console.log(VERSION);
+    process.exit(0);
+}
+// Handle --reset: delete config (and keychain secret) for the active profile, then exit
+if (process.argv.includes("--reset")) {
+    const profile = getProfile();
+    const label = profile ? `profile "${profile}"` : "default profile";
+    const account = `default${getProfileSuffix()}`;
+    // Remove secret key from OS keychain
+    try {
+        const { removeSecret } = await import("./secret-store.js");
+        removeSecret(account);
+    }
+    catch { /* ignore if not present */ }
+    // Remove config file
+    const deleted = deleteConfig();
+    if (deleted) {
+        console.log(chalk.green(`  Settings reset for ${label}. Config file and keys removed.`));
+    }
+    else {
+        console.log(chalk.yellow(`  No config found for ${label}. Nothing to reset.`));
+    }
+    process.exit(0);
+}
+// Wire up late-bound callback to break circular dependency
+state.enterSetupMode = () => enterSetupMode();
+function initCrypto() {
+    const stored = loadKeys();
+    if (stored) {
+        try {
+            const secretKey = crypto.createPrivateKey({
+                format: 'der',
+                type: 'pkcs8',
+                key: fromBase64(stored.secretKey),
+            });
+            const publicKey = importPublicKeyRaw(fromBase64(stored.publicKey));
+            state.ownKeyPair = { publicKey, secretKey };
+            if (stored.peerPublicKey) {
+                state.peerPublicKey = importPublicKeyRaw(fromBase64(stored.peerPublicKey));
+                state.sharedSecret = computeSharedSecret(state.peerPublicKey, state.ownKeyPair.secretKey);
+                const keyFp = crypto.createHash("sha256").update(state.sharedSecret).digest("hex").slice(0, 12);
+                console.log(chalk.dim(`  Key         ${keyFp} (restored)`));
+            }
+        }
+        catch {
+            // Stored keys are in the old format (pre-v3 raw Curve25519) — regenerate
+            state.ownKeyPair = generateKeyPair();
+            saveKeys({
+                publicKey: toBase64(exportPublicKeyRaw(state.ownKeyPair.publicKey)),
+                secretKey: toBase64(state.ownKeyPair.secretKey.export({ format: 'der', type: 'pkcs8' })),
+            });
+        }
+    }
+    else {
+        state.ownKeyPair = generateKeyPair();
+        saveKeys({
+            publicKey: toBase64(exportPublicKeyRaw(state.ownKeyPair.publicKey)),
+            secretKey: toBase64(state.ownKeyPair.secretKey.export({ format: 'der', type: 'pkcs8' })),
+        });
+    }
+}
+// --- Start ---
+(async () => {
+    // Clean up any stale downloaded images from previous runs
+    cleanupOldImages();
+    // Discover projects from ~/.claude/projects/
+    state.projects = await discoverProjects();
+    // Load or create global config
+    let config = loadConfig();
+    if (!config) {
+        state.deviceId = generateDeviceId();
+        config = {
+            deviceId: state.deviceId,
+            relayUrl: DEFAULT_RELAY_URL,
+            apiUrl: DEFAULT_API_URL,
+        };
+        saveConfig(config);
+    }
+    else {
+        state.deviceId = config.deviceId;
+        // Backfill missing fields into existing configs
+        let updated = false;
+        if (!config.relayUrl) {
+            config.relayUrl = DEFAULT_RELAY_URL;
+            updated = true;
+        }
+        if (!config.apiUrl) {
+            config.apiUrl = DEFAULT_API_URL;
+            updated = true;
+        }
+        if (updated)
+            saveConfig(config);
+    }
+    // Set URLs — env vars take precedence over config
+    setRelayUrl(process.env.RELAY_URL || config?.relayUrl || DEFAULT_RELAY_URL);
+    setApiUrl(process.env.API_URL || config?.apiUrl || DEFAULT_API_URL);
+    // Load the device token
+    // NOTE: BV_DEVICE_TOKEN env var is a dev convenience — may leak via shell history or process listings.
+    // Consider removing in favour of config-file-only loading for production use.
+    state.deviceToken = process.env.BV_DEVICE_TOKEN || config?.deviceToken || "";
+    // Initialize crypto
+    initCrypto();
+    // Determine saved pairing state
+    const hasSavedState = !!(state.deviceToken && state.sharedSecret && state.peerPublicKey);
+    // Print startup banner
+    console.log();
+    console.log(chalk.bold("  BeachViber Agent") + chalk.dim(` v${VERSION}`));
+    if (getProfile()) {
+        console.log(chalk.dim("  Profile   ") + chalk.bold(getProfile()));
+    }
+    console.log();
+    const totalSessions = state.projects.reduce((sum, p) => sum + p.sessionCount, 0);
+    console.log(chalk.dim("  Projects  ") + chalk.bold(String(state.projects.length)) + chalk.dim(` (${totalSessions} sessions)`));
+    for (const p of state.projects) {
+        const branch = p.git.branch !== "unknown" ? chalk.dim(` (${p.git.branch})`) : "";
+        const sessions = chalk.dim(` — ${p.sessionCount} sessions`);
+        console.log(chalk.dim("            ") + p.name + branch + sessions);
+    }
+    console.log(chalk.dim("  Relay     ") + RELAY_URL);
+    const secretBackend = getActiveBackendName();
+    console.log(chalk.dim("  Secrets   ") + (secretBackend ? chalk.green(secretBackend) : chalk.yellow("plaintext (no OS store available)")));
+    if (process.env.RELAY_URL) {
+        console.log(chalk.red("  WARNING   ") + chalk.red("Using non-default relay URL from RELAY_URL env var"));
+    }
+    if (process.env.API_URL) {
+        console.log(chalk.red("  WARNING   ") + chalk.red("Using non-default API URL from API_URL env var"));
+    }
+    if (hasSavedState) {
+        console.log(chalk.dim("  State     ") + chalk.green("Saved pairing found — reconnecting..."));
+    }
+    else if (state.deviceToken) {
+        console.log(chalk.dim("  State     ") + chalk.yellow("Incomplete pairing — re-entering setup"));
+    }
+    else {
+        console.log(chalk.dim("  State     ") + chalk.yellow("New — pairing required"));
+    }
+    console.log();
+    // Initialize session manager and approval server
+    const sessionManager = initSessionManager();
+    startApprovalServer(sessionManager, send);
+    sessionManager.socketPath = getSocketPath();
+    sessionManager.approvalToken = getAuthToken();
+    installHook();
+    // If we have a complete saved state (token + encryption keys), reconnect directly.
+    // If the token exists but keys are incomplete, treat as needing re-pair.
+    // If no token at all, enter setup mode.
+    if (hasSavedState) {
+        console.log(chalk.green("  Reconnecting with saved pairing...") + "              " + chalk.green("[encrypted]"));
+        console.log();
+        connect();
+    }
+    else {
+        // Clear any partial state and start fresh
+        enterSetupMode();
+    }
+})().catch((err) => {
+    console.error(chalk.red(`  Fatal error: ${err}`));
+    process.exit(1);
+});

package/dist/logger.js

@@ -0,0 +1,28 @@
+/**
+ * Lightweight logger with consistent prefix formatting.
+ *
+ * Usage:
+ *   const log = createLogger("sessions");
+ *   log.info("Created session abc");   // → [sessions] Created session abc
+ *   log.warn("Disk full");             // → [sessions] Disk full  (stderr)
+ *   log.error("Crash", err);           // → [sessions] Crash ...  (stderr)
+ */
+export function createLogger(prefix) {
+    const tag = `[${prefix}]`;
+    return {
+        info(msg) {
+            console.log(`${tag} ${msg}`);
+        },
+        warn(msg) {
+            console.warn(`${tag} ${msg}`);
+        },
+        error(msg, err) {
+            if (err !== undefined) {
+                console.error(`${tag} ${msg}`, err);
+            }
+            else {
+                console.error(`${tag} ${msg}`);
+            }
+        },
+    };
+}