claude-code-station 0.2.1

package/bin/ccs-preview-session.ts

@@ -0,0 +1,147 @@
+#!/usr/bin/env tsx
+/**
+ * ccs-preview-session.ts - Display conversation history in fzf preview pane
+ * Args: sessionId
+ */
+
+import { readdir, readFile, stat } from "node:fs/promises";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { maskSecrets } from "./ccs-secrets.ts";
+import {
+  extractText,
+  truncate,
+  MAX_JSONL_SIZE,
+  UUID_RE,
+} from "./ccs-utils.ts";
+
+const PROJECTS_DIR = join(homedir(), ".claude", "projects");
+const MAX_PREVIEW_MESSAGES = 20;
+const MAX_MSG_LEN = 200;
+
+// extractText / truncate / UUID_RE / MAX_JSONL_SIZE come from ccs-utils.ts —
+// shared with the scanner so the preview and topic extraction can no longer
+// drift apart (review A-1/A-2). The preview passes includeToolBlocks below
+// because tool activity is part of the conversation flow it renders.
+
+export async function renderSessionPreview(sessionId: string): Promise<void> {
+  if (!sessionId) {
+    console.log("No session ID provided");
+    return;
+  }
+
+  // UUID validation (injection prevention)
+  if (!UUID_RE.test(sessionId)) {
+    console.log("Invalid session ID format");
+    return;
+  }
+
+  // Find session file
+  let targetFile = "";
+  try {
+    const projDirs = await readdir(PROJECTS_DIR);
+    for (const projDir of projDirs) {
+      const projPath = join(PROJECTS_DIR, projDir);
+      try {
+        const files = await readdir(projPath);
+        const match = files.find((f) => f === `${sessionId}.jsonl`);
+        if (match) {
+          targetFile = join(projPath, match);
+          break;
+        }
+      } catch {
+        continue;
+      }
+    }
+  } catch {
+    console.log("Cannot read projects directory");
+    return;
+  }
+
+  if (!targetFile) {
+    console.log("Session file not found");
+    return;
+  }
+
+  // File size check
+  try {
+    const stats = await stat(targetFile);
+    if (stats.size > MAX_JSONL_SIZE) {
+      console.log(`⚠️ File too large (${Math.round(stats.size / 1024 / 1024)}MB). Skipping preview.`);
+      return;
+    }
+  } catch {
+    console.log("Cannot stat session file");
+    return;
+  }
+
+  const content = await readFile(targetFile, "utf-8");
+  const lines = content.split("\n").filter((l) => l.trim());
+
+  let cwd = "";
+  let gitBranch = "";
+  let version = "";
+  const messages: { role: string; text: string }[] = [];
+
+  for (const line of lines) {
+    try {
+      const entry = JSON.parse(line);
+
+      if (!cwd && entry.cwd) cwd = entry.cwd;
+      if (!gitBranch && entry.gitBranch) gitBranch = entry.gitBranch;
+      if (!version && entry.version) version = entry.version;
+
+      if (
+        (entry.type === "user" || entry.type === "assistant") &&
+        entry.message?.content
+      ) {
+        const text = extractText(entry.message.content, {
+          includeToolBlocks: true,
+        });
+        if (text) {
+          messages.push({
+            role: entry.type === "user" ? "👤" : "🤖",
+            text: maskSecrets(truncate(text, MAX_MSG_LEN)),
+          });
+          // Memory optimization: keep at most 2x display limit
+          if (messages.length > MAX_PREVIEW_MESSAGES * 2) {
+            messages.splice(0, messages.length - MAX_PREVIEW_MESSAGES);
+          }
+        }
+      }
+    } catch {
+      // skip
+    }
+  }
+
+  // Header — cwd/gitBranch/version are untrusted JSONL fields read straight
+  // from disk (NOT the sanitized DB copy), so apply the same two-step
+  // treatment as message text: maskSecrets for credential leakage (audit
+  // M-2), truncate to strip control chars / escape sequences (audit NEW-1).
+  console.log("━━━ Session Info ━━━");
+  console.log(`📁 ${maskSecrets(truncate(cwd, 200))}`);
+  if (gitBranch) console.log(`🌿 ${maskSecrets(truncate(gitBranch, 100))}`);
+  if (version) console.log(`📌 Claude ${maskSecrets(truncate(version, 50))}`);
+  console.log(`💬 ${messages.length} messages`);
+  console.log("━━━ Conversation ━━━");
+  console.log();
+
+  const display = messages.slice(-MAX_PREVIEW_MESSAGES);
+  for (const msg of display) {
+    console.log(`${msg.role} ${msg.text}`);
+    console.log();
+  }
+}
+
+// CLI bootstrap: only run when invoked directly (not when imported)
+if (import.meta.url === `file://${process.argv[1]}`) {
+  const sessionId = process.argv[2];
+  if (!sessionId) {
+    console.log("Usage: ccs-preview-session.ts <session-uuid>");
+    process.exit(1);
+  }
+  renderSessionPreview(sessionId).catch((err) => {
+    console.error(`[ccs-preview-session] fatal: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(1);
+  });
+}

package/bin/ccs-preview.ts

@@ -0,0 +1,368 @@
+#!/usr/bin/env tsx
+/**
+ * ccs-preview.ts — fzf preview pane dispatcher for ccs v0.2.0
+ *
+ * Invoked by fzf as: tsx bin/ccs-preview.ts <KIND:KEY> <CWD>
+ *   KIND=new     → render repo preview (DB-backed state summary)
+ *   KIND=resume  → delegate to renderSessionPreview (conversation history)
+ *
+ * All errors print to stdout (fzf reads stdout for preview) and exit 0.
+ */
+
+import { existsSync } from "node:fs";
+import { getPaths } from "./ccs-config.ts";
+import { openDb, type DbHandle } from "./ccs-db.ts";
+import { renderSessionPreview } from "./ccs-preview-session.ts";
+import {
+  formatRelativeTime,
+  formatDateTime,
+  truncate,
+} from "./ccs-utils.ts";
+
+// ---------------------------------------------------------------------------
+// ANSI helpers
+// ---------------------------------------------------------------------------
+
+const C = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  dim: "\x1b[2m",
+  headerName: "\x1b[1;36m", // bold cyan
+  divider: "\x1b[1;90m",     // bold gray
+};
+
+function hdr(name: string): string {
+  return `${C.headerName}${name}${C.reset}`;
+}
+function dim(s: string): string {
+  return `${C.dim}${s}${C.reset}`;
+}
+function label(s: string): string {
+  return `${C.bold}${s}${C.reset}`;
+}
+function divider(title: string): string {
+  // ─── Title ──── (bold gray)
+  const base = `─── ${title} `;
+  const pad = Math.max(0, 40 - base.length);
+  return `${C.divider}${base}${"─".repeat(pad)}${C.reset}`;
+}
+
+// Time formatting and truncation come from ccs-utils.ts — the single source
+// shared with the list renderer (review A-1/A-3/K-8). Unparseable timestamps
+// render as "-" (the utils default), never as the raw DB string.
+
+// ---------------------------------------------------------------------------
+// DB row types (narrow views)
+// ---------------------------------------------------------------------------
+
+interface RepoView {
+  name: string;
+  path: string;
+  description: string;
+  icon: string;
+  tags_json: string;
+  custom_json: string;
+}
+
+interface StatsView {
+  is_git: number;
+  branch: string | null;
+  last_commit_hash: string | null;
+  last_commit_subject: string | null;
+  last_commit_at: string | null;
+  uncommitted_files: number;
+  uncommitted_insertions: number;
+  uncommitted_deletions: number;
+  handoff_count: number;
+  pending_count: number;
+  claude_room_latest: string | null;
+  claude_room_latest_at: string | null;
+  session_count_total: number;
+  session_last_at: string | null;
+}
+
+interface FileRow {
+  filename: string;
+  mtime: string;
+}
+
+interface SessionRow {
+  last_activity_at: string;
+  topic: string | null;
+}
+
+// ---------------------------------------------------------------------------
+// Integrations rendering
+// ---------------------------------------------------------------------------
+
+const KNOWN_INTEGRATIONS: { key: string; label: string; format?: (v: string) => string }[] = [
+  { key: "plane_project_id", label: "Plane" },
+  { key: "attio_workspace", label: "Attio" },
+  { key: "notion_db", label: "Notion" },
+  { key: "linear_team", label: "Linear" },
+  {
+    key: "slack_channel",
+    label: "Slack",
+    format: (v) => (v.startsWith("#") ? v : `#${v}`),
+  },
+  { key: "github_repo", label: "GitHub" },
+  { key: "figma_file", label: "Figma" },
+];
+const KNOWN_KEYS = new Set(KNOWN_INTEGRATIONS.map((i) => i.key));
+// Secondary keys that exist only to augment known ones — not shown standalone
+const AUX_KEYS = new Set(["plane_url"]);
+
+function renderIntegrations(customJson: string): string[] {
+  let custom: Record<string, unknown>;
+  try {
+    custom = JSON.parse(customJson || "{}");
+  } catch {
+    return [];
+  }
+  const keys = Object.keys(custom).filter((k) => !AUX_KEYS.has(k));
+  if (keys.length === 0) return [];
+
+  const lines: string[] = [];
+  lines.push(divider("🔗 Integrations"));
+
+  for (const { key, label: lbl, format } of KNOWN_INTEGRATIONS) {
+    if (!(key in custom)) continue;
+    const raw = custom[key];
+    if (raw === null || raw === undefined || raw === "") continue;
+    const val = format ? format(String(raw)) : String(raw);
+    lines.push(`  ${label(lbl + ":").padEnd(10)} ✅ ${truncate(val, 50)}`);
+  }
+
+  const unknown = keys.filter((k) => !KNOWN_KEYS.has(k));
+  if (unknown.length > 0) {
+    lines.push(`  ${label("Other:")}`);
+    for (const k of unknown) {
+      const v = custom[k];
+      if (v === null || v === undefined) continue;
+      const vs = typeof v === "string" ? v : JSON.stringify(v);
+      lines.push(`    ${k}: ${truncate(vs, 40)}`);
+    }
+  }
+  return lines;
+}
+
+// ---------------------------------------------------------------------------
+// Repo preview
+// ---------------------------------------------------------------------------
+
+function renderRepoPreview(name: string, cwd: string): void {
+  const paths = getPaths();
+  if (!existsSync(paths.stateDb)) {
+    console.log(`${hdr("📁 " + name)}`);
+    console.log(dim(cwd || ""));
+    console.log("");
+    console.log("No state cache yet — run `ccs --refresh` to scan.");
+    return;
+  }
+
+  let handle: DbHandle | null = null;
+  try {
+    handle = openDb(paths.stateDb, { readonly: true, skipMigrate: true });
+    const db = handle.db;
+
+    const repo = db
+      .prepare(
+        `SELECT name, path, description, icon, tags_json, custom_json
+         FROM repos WHERE name = ?`,
+      )
+      .get(name) as RepoView | undefined;
+
+    if (!repo) {
+      console.log(`${hdr("📁 " + name)}`);
+      console.log(dim(cwd || ""));
+      console.log("");
+      console.log(`Repo "${name}" not found in cache.`);
+      return;
+    }
+
+    const stats = db
+      .prepare(
+        `SELECT is_git, branch, last_commit_hash, last_commit_subject, last_commit_at,
+                uncommitted_files, uncommitted_insertions, uncommitted_deletions,
+                handoff_count, pending_count, claude_room_latest, claude_room_latest_at,
+                session_count_total, session_last_at
+         FROM repo_stats WHERE name = ?`,
+      )
+      .get(name) as StatsView | undefined;
+
+    // --- Header ---
+    console.log(`${hdr(`${repo.icon || "📁"} ${repo.name}`)}`);
+    console.log(dim(repo.path));
+    if (repo.description) console.log(repo.description);
+    console.log("");
+
+    // --- Git ---
+    if (stats && stats.is_git === 1) {
+      console.log(divider("Git"));
+      const branch = stats.branch || "(detached)";
+      console.log(`${label("Branch:".padEnd(14))} ${branch}`);
+      if (stats.last_commit_hash) {
+        const rel = formatRelativeTime(stats.last_commit_at);
+        const shortHash = stats.last_commit_hash.slice(0, 7);
+        const subj = truncate(stats.last_commit_subject || "", 60);
+        console.log(`${label("Last commit:".padEnd(14))} ${rel}`);
+        console.log(`${"".padEnd(14)}   ${shortHash} ${subj}`);
+      }
+      const f = stats.uncommitted_files;
+      if (f === 0 && stats.uncommitted_insertions === 0 && stats.uncommitted_deletions === 0) {
+        console.log(`${label("Uncommitted:".padEnd(14))} clean`);
+      } else {
+        console.log(
+          `${label("Uncommitted:".padEnd(14))} ${f} file(s) (+${stats.uncommitted_insertions} -${stats.uncommitted_deletions})`,
+        );
+      }
+      console.log("");
+    }
+
+    // --- Workspace (handoff / pending / claude-room) ---
+    if (
+      stats &&
+      (stats.handoff_count > 0 ||
+        stats.pending_count > 0 ||
+        stats.claude_room_latest)
+    ) {
+      console.log(divider("Workspace"));
+
+      if (stats.handoff_count > 0) {
+        console.log(`${label("Handoff:".padEnd(14))} ⚠️  ${stats.handoff_count} file(s)`);
+        const rows = db
+          .prepare(
+            `SELECT filename, mtime FROM handoff_files
+             WHERE repo_name = ? ORDER BY mtime DESC LIMIT 3`,
+          )
+          .all(name) as FileRow[];
+        for (const r of rows) {
+          console.log(`  • ${truncate(r.filename, 50)} (${formatRelativeTime(r.mtime)})`);
+        }
+      }
+
+      if (stats.pending_count > 0) {
+        console.log(`${label("Pending:".padEnd(14))} 📝 ${stats.pending_count} item(s)`);
+        const rows = db
+          .prepare(
+            `SELECT filename, mtime FROM pending_items
+             WHERE repo_name = ? ORDER BY mtime DESC LIMIT 3`,
+          )
+          .all(name) as FileRow[];
+        for (const r of rows) {
+          console.log(`  • ${truncate(r.filename, 50)} (${formatRelativeTime(r.mtime)})`);
+        }
+      }
+
+      if (stats.claude_room_latest) {
+        const latest = truncate(stats.claude_room_latest, 40);
+        const when = formatRelativeTime(stats.claude_room_latest_at);
+        console.log(`${label("Claude room:".padEnd(14))} latest: ${latest} (${when})`);
+      }
+      console.log("");
+    }
+
+    // --- Sessions ---
+    console.log(divider("Sessions"));
+    if (!stats || stats.session_count_total === 0) {
+      console.log("No sessions yet — ready to start");
+    } else {
+      console.log(`${label("Total:".padEnd(14))} ${stats.session_count_total} sessions`);
+      console.log(`${label("Last activity:".padEnd(14))} ${formatRelativeTime(stats.session_last_at)}`);
+      // Same population as the Total count above (repo_stats aggregates
+      // WHERE repo_name = ?) — mixing in a cwd fallback here made Total and
+      // Recent disagree (audit logic H-3). Sessions under the repo path are
+      // mapped to repo_name at scan time, including subdirectories.
+      const rows = db
+        .prepare(
+          `SELECT last_activity_at, topic FROM sessions
+           WHERE repo_name = ?
+           ORDER BY last_activity_at DESC LIMIT 3`,
+        )
+        .all(name) as SessionRow[];
+      if (rows.length > 0) {
+        console.log(label("Recent:"));
+        for (const r of rows) {
+          const dt = formatDateTime(r.last_activity_at);
+          const topic = truncate(r.topic || "(no topic)", 50);
+          console.log(`  • ${dt} — ${topic}`);
+        }
+      }
+    }
+    console.log("");
+
+    // --- Integrations ---
+    const intLines = renderIntegrations(repo.custom_json || "{}");
+    if (intLines.length > 0) {
+      for (const line of intLines) console.log(line);
+      console.log("");
+    }
+
+    // --- Tags ---
+    try {
+      const tags = JSON.parse(repo.tags_json || "[]") as unknown;
+      if (Array.isArray(tags) && tags.length > 0) {
+        console.log(divider("Tags"));
+        console.log(tags.map(String).join(", "));
+      }
+    } catch {
+      // ignore
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.log(`${hdr("📁 " + name)}`);
+    console.log("");
+    console.log(`Preview error: ${msg}`);
+  } finally {
+    try {
+      handle?.close();
+    } catch {
+      // ignore
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Main dispatcher
+// ---------------------------------------------------------------------------
+
+async function main(): Promise<void> {
+  const kindKey = process.argv[2] || "";
+  const cwd = process.argv[3] || "";
+
+  if (!kindKey) {
+    console.log("Usage: ccs-preview <KIND:KEY> <CWD>");
+    return;
+  }
+
+  const colonIdx = kindKey.indexOf(":");
+  if (colonIdx < 0) {
+    console.log(`Invalid argument: ${kindKey} (expected KIND:KEY)`);
+    return;
+  }
+  const kind = kindKey.slice(0, colonIdx);
+  const key = kindKey.slice(colonIdx + 1);
+
+  try {
+    if (kind === "resume") {
+      await renderSessionPreview(key);
+    } else if (kind === "new") {
+      renderRepoPreview(key, cwd);
+    } else if (kind === "separator") {
+      // Divider row — intentionally blank preview.
+      return;
+    } else {
+      console.log(`Unknown kind: ${kind}`);
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.log(`Preview error: ${msg}`);
+  }
+}
+
+main().catch((err) => {
+  console.log(
+    `Preview fatal: ${err instanceof Error ? err.message : String(err)}`,
+  );
+  process.exit(0);
+});

package/bin/ccs-sanitize.ts

@@ -0,0 +1,57 @@
+/**
+ * ccs-sanitize.ts — Shared input-sanitization helpers for ccs.
+ *
+ * Single source of truth for the shell-metacharacter policy and control
+ * character stripping. Two consumers:
+ *   - ccs-config.ts: rejects repos.yml fields at load time (trusted-ish input)
+ *   - ccs-scan.ts:   normalizes session JSONL fields at intake (untrusted
+ *     input — any process able to write ~/.claude/projects can plant values)
+ *
+ * Threat model (audit H-1 / NEW-1, 2026-06-12): session `cwd`/`topic` reach
+ * the fzf list, the preview pane, and the Ctrl-Y clipboard command. Shell
+ * metacharacters enable deferred command injection on paste; raw ESC/OSC
+ * sequences enable terminal spoofing (fzf runs with --ansi). Both classes are
+ * neutralized here, at the trust boundary.
+ */
+
+// Shell metacharacters forbidden in path/cwd/command values that are ever
+// interpolated into a shell line (fzf execute bindings, clipboard, final
+// launch in bin/ccs). \x00-\x1f covers TAB, NL, CR, ESC and all other C0
+// control characters, so this single class blocks command injection and
+// terminal-escape injection at once.
+export const SHELL_METACHARS = /[;&|<>$`"'\\\n\r\x00-\x1f]/;
+
+/** True when the value contains any shell metacharacter / control char. */
+export function hasShellMetachars(value: string): boolean {
+  return SHELL_METACHARS.test(value);
+}
+
+// All C0 control characters plus DEL. \n and \t are NOT exempted: every ccs
+// display surface is single-line-per-field (TSV rows, preview lines), and the
+// TSV protocol between ccs-list and fzf breaks on embedded tabs/newlines.
+const CONTROL_CHARS_RE = /[\x00-\x1f\x7f]+/g;
+
+/**
+ * Strip C0 control characters (incl. ESC) and DEL from display text,
+ * collapsing each run into a single space. Defense against terminal-escape
+ * injection (audit NEW-1) for fields that are rendered but never executed:
+ * topic, summary, branch, first_line, commit subjects.
+ */
+export function stripControlChars(text: string): string {
+  return text.replace(CONTROL_CHARS_RE, " ").replace(/\s+/g, " ").trim();
+}
+
+/**
+ * Sanitize a session-provided cwd at intake (audit H-1).
+ *
+ * Unlike display text, cwd is later interpolated into a shell `cd` command
+ * (clipboard via Ctrl-Y, launch via bin/ccs), so a tainted value cannot be
+ * "cleaned" — it must be rejected outright. Returns null when the value is
+ * unusable; callers store the "unknown" sentinel instead.
+ */
+export function sanitizeSessionCwd(cwd: string): string | null {
+  if (cwd.length === 0) return null;
+  if (hasShellMetachars(cwd)) return null;
+  if (!cwd.startsWith("/")) return null;
+  return cwd;
+}