canopycms 0.0.50 → 0.0.52

package/dist/utils/error.js

@@ -28,6 +28,52 @@ export function getErrorMessage(err) {
     }
     return String(err);
 }
+/**
+ * Redact sensitive material from an error message before sending it to API
+ * clients. Log the ORIGINAL message server-side; send the sanitized one.
+ *
+ * Git/filesystem errors are unbounded (stderr varies by git version, locale,
+ * and hooks can print anything), so enumerating safe messages is not
+ * feasible. Instead, redact the known-sensitive SHAPES that can appear in
+ * any of them:
+ * - credentials embedded in URLs (`https://x-access-token:tok@github.com/…`)
+ * - absolute filesystem paths (workspace roots, EFS mounts, home directories)
+ *
+ * Paths under the current working directory are shortened to relative form
+ * (CMS-internal layout like `.canopy-dev/remote.git` is useful for debugging
+ * and not sensitive); absolute paths outside it are replaced with `<path>`.
+ */
+export function sanitizeErrorMessage(message) {
+    let result = message;
+    // Credentials in URLs: scheme://user:token@host or scheme://token@host.
+    // Anchored on the literal `://` (leaving the scheme untouched) — a `\w+`
+    // scheme prefix would backtrack polynomially on long word-character runs
+    // (CodeQL js/polynomial-redos).
+    result = result.replace(/(:\/\/)[^/\s@]+@/g, '$1***@');
+    // Paths under the project root become relative (split/join avoids regex
+    // escaping issues with arbitrary cwd values). The bare-cwd replacement is
+    // anchored to a token boundary so sibling directories that merely share
+    // the cwd prefix (e.g. `${cwd}-other/…`) stay absolute and get fully
+    // redacted below instead of leaking a mangled remainder.
+    const cwd = process.cwd();
+    if (cwd !== '/') {
+        result = result.split(`${cwd}/`).join('');
+        const cwdPattern = cwd.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        result = result.replace(new RegExp(`${cwdPattern}(?=[\\s'"),:;]|$)`, 'g'), '.');
+    }
+    // Quoted absolute paths (git quotes most paths in its messages): redact
+    // the whole quoted span, spaces included.
+    result = result.replace(/'\/[^']*'/g, "'<path>'").replace(/"\/[^"]*"/g, '"<path>"');
+    // Remaining absolute POSIX paths (outside cwd, e.g. /mnt/efs/…). The
+    // leading boundary keeps URL slashes (`https://host/…`) untouched. Known
+    // limitation: an UNQUOTED path containing spaces is only redacted up to
+    // the first space — spaces are legal both inside paths and as message
+    // separators, so this is not generally solvable here.
+    result = result.replace(/(^|[\s'"(=])\/(?:[^/\s'")]+\/)+[^/\s'")]*/g, '$1<path>');
+    // Windows drive paths
+    result = result.replace(/[A-Za-z]:\\[^\s'")]+/g, '<path>');
+    return result;
+}
 /**
  * Type guard to check if an error is a Node.js system error with a code property.
  *

package/dist/utils/error.js.map

@@ -1 +1 @@
-{"version":3,"file":"error.js","sourceRoot":"","sources":["../../src/utils/error.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,IAAI,GAAG,YAAY,KAAK,EAAE,CAAC;QACzB,OAAO,GAAG,CAAC,OAAO,CAAA;IACpB,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAA;AACpB,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY;IACtC,OAAO,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAA;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAA;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAA;AAClD,CAAC"}
+{"version":3,"file":"error.js","sourceRoot":"","sources":["../../src/utils/error.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,IAAI,GAAG,YAAY,KAAK,EAAE,CAAC;QACzB,OAAO,GAAG,CAAC,OAAO,CAAA;IACpB,CAAC;IACD,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,CAAA;IACZ,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAA;AACpB,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,IAAI,MAAM,GAAG,OAAO,CAAA;IACpB,wEAAwE;IACxE,yEAAyE;IACzE,yEAAyE;IACzE,gCAAgC;IAChC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,mBAAmB,EAAE,QAAQ,CAAC,CAAA;IACtD,wEAAwE;IACxE,0EAA0E;IAC1E,wEAAwE;IACxE,qEAAqE;IACrE,yDAAyD;IACzD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAA;IACzB,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;QAChB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;QACzC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;QAC7D,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,GAAG,UAAU,mBAAmB,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,CAAA;IACjF,CAAC;IACD,wEAAwE;IACxE,0CAA0C;IAC1C,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,OAAO,CAAC,YAAY,EAAE,UAAU,CAAC,CAAA;IACnF,qEAAqE;IACrE,yEAAyE;IACzE,wEAAwE;IACxE,sEAAsE;IACtE,sDAAsD;IACtD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,4CAA4C,EAAE,UAAU,CAAC,CAAA;IACjF,sBAAsB;IACtB,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,uBAAuB,EAAE,QAAQ,CAAC,CAAA;IAC1D,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,WAAW,CAAC,GAAY;IACtC,OAAO,GAAG,YAAY,KAAK,IAAI,MAAM,IAAI,GAAG,CAAA;AAC9C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,GAAY;IAC1C,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAA;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAA;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,OAAO,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,CAAA;AAClD,CAAC"}

package/dist/utils/git.d.ts

@@ -1,7 +1,28 @@
+import type { OperatingMode } from '../operating-mode';
 /**
  * Detect the current HEAD branch name for a given repository root.
  * Returns the branch name, or the provided fallback (default 'main')
  * if detection fails or HEAD is detached.
  */
 export declare function detectHeadBranch(repoRoot: string, fallback?: string): Promise<string>;
+/**
+ * Resolve the base branch — the fork point for CMS editing branches and the
+ * branch used to seed workspace clones.
+ *
+ * This is the single definition of base-branch behavior (see ARCHITECTURE.md
+ * "Branch Identity"):
+ * - An explicitly configured `defaultBaseBranch` always wins, in both modes.
+ * - In dev mode it is detected from the current git HEAD, so workspaces fork
+ *   from the branch the developer has checked out.
+ * - Otherwise it is 'main'.
+ *
+ * Static deployments never reach git operations, so callers in static paths
+ * must short-circuit before calling this (see createCanopyServices).
+ */
+export declare function resolveBaseBranch(options: {
+    defaultBaseBranch?: string;
+    mode: OperatingMode;
+    /** Repo root used for dev-mode HEAD detection. Defaults to process.cwd(). */
+    detectFrom?: string;
+}): Promise<string>;
 //# sourceMappingURL=git.d.ts.map

package/dist/utils/git.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../../src/utils/git.ts"],"names":[],"mappings":"AAEA;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,MAAe,GACxB,OAAO,CAAC,MAAM,CAAC,CAQjB"}
+{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../../src/utils/git.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEtD;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,MAAe,GACxB,OAAO,CAAC,MAAM,CAAC,CAQjB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,IAAI,EAAE,aAAa,CAAA;IACnB,6EAA6E;IAC7E,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GAAG,OAAO,CAAC,MAAM,CAAC,CAMlB"}

package/dist/utils/git.js

@@ -14,4 +14,26 @@ export async function detectHeadBranch(repoRoot, fallback = 'main') {
         return fallback;
     }
 }
+/**
+ * Resolve the base branch — the fork point for CMS editing branches and the
+ * branch used to seed workspace clones.
+ *
+ * This is the single definition of base-branch behavior (see ARCHITECTURE.md
+ * "Branch Identity"):
+ * - An explicitly configured `defaultBaseBranch` always wins, in both modes.
+ * - In dev mode it is detected from the current git HEAD, so workspaces fork
+ *   from the branch the developer has checked out.
+ * - Otherwise it is 'main'.
+ *
+ * Static deployments never reach git operations, so callers in static paths
+ * must short-circuit before calling this (see createCanopyServices).
+ */
+export async function resolveBaseBranch(options) {
+    if (options.defaultBaseBranch)
+        return options.defaultBaseBranch;
+    if (options.mode === 'dev') {
+        return detectHeadBranch(options.detectFrom ?? process.cwd());
+    }
+    return 'main';
+}
 //# sourceMappingURL=git.js.map

package/dist/utils/git.js.map

@@ -1 +1 @@
-{"version":3,"file":"git.js","sourceRoot":"","sources":["../../src/utils/git.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAEtC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,WAAmB,MAAM;IAEzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAClE,OAAO,IAAI,IAAI,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAA;IACjB,CAAC;AACH,CAAC"}
+{"version":3,"file":"git.js","sourceRoot":"","sources":["../../src/utils/git.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAItC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,WAAmB,MAAM;IAEzB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAA;QAC5C,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAClE,OAAO,IAAI,IAAI,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAA;IACjB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAKvC;IACC,IAAI,OAAO,CAAC,iBAAiB;QAAE,OAAO,OAAO,CAAC,iBAAiB,CAAA;IAC/D,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,gBAAgB,CAAC,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAC9D,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "//": "@codemirror/language, @lezer/highlight: workaround — @mdxeditor/editor uses cm6-theme-basic-light which peer-requires these but mdxeditor doesn't declare them as dependencies",
   "name": "canopycms",
-  "version": "0.0.50",
+  "version": "0.0.52",
   "description": "CanopyCMS core package: schema-driven content, branch-aware editing, and editor UI for Next.js.",
   "license": "MIT",
   "repository": {