npm - circleinbox - Versions diffs - 0.1.0 - Mend

circleinbox 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +210 -0
package/circleinbox-cli.cjs +1626 -0
package/lib/cli/cli-fixes.test.cjs +242 -0
package/package.json +39 -0

package/lib/cli/cli-fixes.test.cjs ADDED Viewed

@@ -0,0 +1,242 @@
+// Tests for the 6 critical/major fixes in circleinbox-cli.cjs
+// Run with: node --test cli/lib/cli/cli-fixes.test.cjs
+const { describe, it } = require('node:test');
+const assert = require('node:assert/strict');
+const fs = require('node:fs');
+const path = require('node:path');
+// Read the CLI source to verify structural fixes
+const cliSource = fs.readFileSync(
+  path.join(__dirname, '..', '..', 'circleinbox-cli.cjs'),
+  'utf8'
+);
+describe('Fix 1: --api-url must not persist to disk', () => {
+  it('should NOT call saveConfig when --api-url is set', () => {
+    // The old code had: saveConfig(config); after setting api-url
+    // The new code should set globalFlags.apiUrlOverride instead
+    const apiUrlBlock = cliSource.match(
+      /if \(gf\['api-url'\]\)[\s\S]*?}/
+    )?.[0];
+    assert.ok(apiUrlBlock, 'api-url handling block exists');
+    assert.ok(
+      !apiUrlBlock.includes('saveConfig'),
+      'saveConfig must not be called in api-url block'
+    );
+    assert.ok(
+      apiUrlBlock.includes('apiUrlOverride'),
+      'should set apiUrlOverride in memory'
+    );
+  });
+  it('getClient should use apiUrlOverride', () => {
+    const getClientBlock = cliSource.match(
+      /function getClient\(\)[\s\S]*?^}/m
+    )?.[0];
+    assert.ok(getClientBlock, 'getClient function exists');
+    assert.ok(
+      getClientBlock.includes('apiUrlOverride'),
+      'getClient must check globalFlags.apiUrlOverride'
+    );
+  });
+});
+describe('Fix 2: readline rl.close() ordering', () => {
+  it('inboxDelete should close rl inside the question callback', () => {
+    const inboxDeleteBlock = cliSource.match(
+      /async function inboxDelete[\s\S]*?^}/m
+    )?.[0];
+    assert.ok(inboxDeleteBlock, 'inboxDelete function exists');
+    // rl.close() must appear INSIDE the callback, not after rl.question
+    // The pattern should be: rl.question('...', (answer) => { rl.close(); resolve(...) })
+    // NOT: rl.question('...', resolve); rl.close();
+    assert.ok(
+      !inboxDeleteBlock.match(/rl\.question\([^)]+,\s*resolve\s*\)\s*;\s*\n\s*rl\.close/),
+      'rl.close() must NOT be on the line after rl.question with bare resolve'
+    );
+    // Positive check: rl.close() appears inside a callback with resolve
+    assert.ok(
+      inboxDeleteBlock.includes('rl.close();\n      resolve('),
+      'rl.close() should be inside the callback before resolve'
+    );
+  });
+  it('commandReset password prompt should close rl inside the callback', () => {
+    // Find the commandReset function's readline usage
+    const resetBlock = cliSource.match(
+      /async function commandReset[\s\S]*?^}/m
+    )?.[0];
+    assert.ok(resetBlock, 'commandReset function exists');
+    // Should NOT have the pattern: rl.question('...', resolve); rl.close();
+    assert.ok(
+      !resetBlock.match(/rl\.question\([^)]+,\s*resolve\s*\)\s*;\s*\n\s*rl\.close/),
+      'rl.close() must NOT be after rl.question with bare resolve in commandReset'
+    );
+  });
+});
+describe('Fix 3: response.json() crash on non-JSON', () => {
+  it('should use response.text() + JSON.parse instead of response.json()', () => {
+    const requestBlock = cliSource.match(
+      /async request\(method[\s\S]*?^\s{2}}/m
+    )?.[0];
+    assert.ok(requestBlock, 'request method exists');
+    assert.ok(
+      !requestBlock.includes('response.json()'),
+      'must NOT use response.json() directly'
+    );
+    assert.ok(
+      requestBlock.includes('response.text()'),
+      'must use response.text() first'
+    );
+    assert.ok(
+      requestBlock.includes('JSON.parse(text)'),
+      'must use JSON.parse on text'
+    );
+  });
+  it('should handle parse failures gracefully', () => {
+    const requestBlock = cliSource.match(
+      /async request\(method[\s\S]*?^\s{2}}/m
+    )?.[0];
+    // Should have error handling around JSON.parse
+    assert.ok(
+      requestBlock.includes("catch") && requestBlock.includes("INVALID_RESPONSE"),
+      'should catch parse errors and throw with INVALID_RESPONSE code'
+    );
+  });
+});
+describe('Fix 4: fetch timeout with AbortController', () => {
+  it('ApiClient.request should use AbortController with 30s timeout', () => {
+    const requestBlock = cliSource.match(
+      /async request\(method[\s\S]*?^\s{2}}/m
+    )?.[0];
+    assert.ok(requestBlock, 'request method exists');
+    assert.ok(
+      requestBlock.includes('AbortController'),
+      'must create AbortController'
+    );
+    assert.ok(
+      requestBlock.includes('30000'),
+      'must set 30s timeout'
+    );
+    assert.ok(
+      requestBlock.includes('signal: controller.signal'),
+      'must pass signal to fetch'
+    );
+    assert.ok(
+      requestBlock.includes('clearTimeout'),
+      'must clear timeout after fetch'
+    );
+  });
+  it('resetClearAuth fetch calls should also have timeouts', () => {
+    const resetBlock = cliSource.match(
+      /async function resetClearAuth[\s\S]*?^}/m
+    )?.[0];
+    assert.ok(resetBlock, 'resetClearAuth function exists');
+    // Should have AbortController for both fetch calls
+    const controllerMatches = resetBlock.match(/new AbortController/g);
+    assert.ok(
+      controllerMatches && controllerMatches.length >= 2,
+      'resetClearAuth must have at least 2 AbortControllers (one per fetch)'
+    );
+  });
+});
+describe('Fix 5: subArgs no longer uses fragile indexOf', () => {
+  it('should not use allArgs.indexOf(command) for subArgs', () => {
+    const mainBlock = cliSource.match(
+      /\/\/ Main[\s\S]*$/
+    )?.[0];
+    assert.ok(mainBlock, 'main block exists');
+    assert.ok(
+      !mainBlock.includes('allArgs.indexOf(command)'),
+      'must NOT use allArgs.indexOf(command)'
+    );
+  });
+  it('should track command position by iterating and skipping global flags', () => {
+    const mainBlock = cliSource.match(
+      /\/\/ Main[\s\S]*$/
+    )?.[0];
+    assert.ok(mainBlock, 'main block exists');
+    assert.ok(
+      mainBlock.includes('commandIndex'),
+      'should use a commandIndex variable'
+    );
+    assert.ok(
+      mainBlock.includes('GLOBAL_FLAGS'),
+      'should define known global flags to skip'
+    );
+  });
+});
+describe('Fix 6: HTTPS validation for credentials', () => {
+  it('resetClearAuth should refuse HTTP URLs', () => {
+    const resetBlock = cliSource.match(
+      /async function resetClearAuth[\s\S]*?^}/m
+    )?.[0];
+    assert.ok(resetBlock, 'resetClearAuth function exists');
+    assert.ok(
+      resetBlock.includes("startsWith('https://')"),
+      'must check for https:// protocol'
+    );
+    assert.ok(
+      resetBlock.includes('insecure HTTP') || resetBlock.includes('Refusing'),
+      'must show error about insecure connection'
+    );
+  });
+});
+// ============================================================================
+// PR #22 Review Fixes
+// ============================================================================
+describe('Fix 7: Generic password reset flow must also validate HTTPS', () => {
+  it('commandReset generic flow should check for HTTPS before proceeding', () => {
+    const resetBlock = cliSource.match(
+      /async function commandReset[\s\S]*?^}/m
+    )?.[0];
+    assert.ok(resetBlock, 'commandReset function exists');
+    // The generic flow starts after the ClearAuth branch (if flags.clearauth)
+    // It should have its own HTTPS check before the generic flow logic
+    const genericFlowSection = resetBlock.split('flags.clearauth')[1];
+    assert.ok(genericFlowSection, 'generic flow section exists after clearauth branch');
+    assert.ok(
+      genericFlowSection.includes("startsWith('https://')") ||
+      genericFlowSection.includes('startsWith("https://")'),
+      'generic flow must check for https:// protocol on serviceUrl'
+    );
+    assert.ok(
+      genericFlowSection.includes('insecure') || genericFlowSection.includes('HTTPS'),
+      'generic flow must warn about insecure connections'
+    );
+  });
+});
+describe('Fix 8: Retry jitter to prevent thundering herd', () => {
+  it('ApiClient.request should add jitter to retry delays', () => {
+    const requestBlock = cliSource.match(
+      /async request\(method[\s\S]*?^\s{2}}/m
+    )?.[0];
+    assert.ok(requestBlock, 'request method exists');
+    assert.ok(
+      requestBlock.includes('Math.random()'),
+      'retry delay must include random jitter via Math.random()'
+    );
+  });
+});

package/package.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "circleinbox",
+  "version": "0.1.0",
+  "description": "CLI for CircleInbox email infrastructure — manage inboxes, send email, store credentials, and more",
+  "type": "module",
+  "main": "circleinbox-cli.cjs",
+  "bin": {
+    "circleinbox": "./circleinbox-cli.cjs"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "license": "MIT",
+  "author": "Dundas",
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "test": "node --test lib/**/*.test.cjs"
+  },
+  "files": [
+    "lib/",
+    "circleinbox-cli.cjs",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "circleinbox",
+    "email",
+    "inbox",
+    "cli",
+    "credentials",
+    "vault",
+    "mailbox",
+    "agent",
+    "developer-tools"
+  ],
+  "dependencies": {}
+}