cli4ai 0.8.0

package/src/core/config.ts

@@ -0,0 +1,649 @@
+/**
+ * Global cli4ai configuration (~/.cli4ai/)
+ */
+
+import { readFileSync, writeFileSync, mkdirSync, existsSync, readdirSync, lstatSync, realpathSync } from 'fs';
+import { resolve, join, normalize } from 'path';
+import { homedir } from 'os';
+import { outputError, log } from '../lib/cli.js';
+
+// ═══════════════════════════════════════════════════════════════════════════
+// SECURITY: Symlink validation
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Safe directories that symlinks are allowed to point to.
+ * This prevents symlink attacks pointing to sensitive system directories.
+ */
+const SAFE_SYMLINK_PREFIXES = [
+  homedir(),           // User's home directory
+  '/tmp',              // Temp directory
+  '/var/tmp',          // Var temp
+  '/private/tmp',      // macOS temp
+  process.cwd(),       // Current working directory
+];
+
+/**
+ * Validate that a symlink target is within safe boundaries.
+ * Returns the resolved real path if safe, null if unsafe.
+ */
+function validateSymlinkTarget(symlinkPath: string): string | null {
+  try {
+    const stat = lstatSync(symlinkPath);
+    if (!stat.isSymbolicLink()) {
+      // Not a symlink, return the path as-is
+      return symlinkPath;
+    }
+
+    // Resolve the real path (follows all symlinks)
+    const realPath = realpathSync(symlinkPath);
+    const normalizedRealPath = normalize(realPath);
+
+    // Check if the real path is within a safe prefix
+    const isSafe = SAFE_SYMLINK_PREFIXES.some(prefix => {
+      const normalizedPrefix = normalize(prefix);
+      return normalizedRealPath.startsWith(normalizedPrefix + '/') ||
+             normalizedRealPath === normalizedPrefix;
+    });
+
+    if (!isSafe) {
+      console.error(`Warning: Symlink ${symlinkPath} points to ${realPath} which is outside safe directories. Skipping.`);
+      return null;
+    }
+
+    return realPath;
+  } catch (err) {
+    // Broken symlink or permission error
+    return null;
+  }
+}
+
+/**
+ * Check if a path is safe to use (not a malicious symlink)
+ */
+export function isPathSafe(path: string): boolean {
+  return validateSymlinkTarget(path) !== null;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// PATHS
+// ═══════════════════════════════════════════════════════════════════════════
+
+export const CLI4AI_HOME = resolve(homedir(), '.cli4ai');
+export const CONFIG_FILE = resolve(CLI4AI_HOME, 'config.json');
+export const PACKAGES_DIR = resolve(CLI4AI_HOME, 'packages');
+export const CACHE_DIR = resolve(CLI4AI_HOME, 'cache');
+export const ROUTINES_DIR = resolve(CLI4AI_HOME, 'routines');
+export const CREDENTIALS_FILE = resolve(CLI4AI_HOME, 'credentials.json');
+
+// Local project paths
+export const LOCAL_DIR = '.cli4ai';
+export const LOCAL_PACKAGES_DIR = join(LOCAL_DIR, 'packages');
+export const LOCAL_ROUTINES_DIR = join(LOCAL_DIR, 'routines');
+
+// ═══════════════════════════════════════════════════════════════════════════
+// TYPES
+// ═══════════════════════════════════════════════════════════════════════════
+
+export interface Config {
+  // Registry configuration
+  registry: string;
+  localRegistries: string[];
+
+  // Runtime defaults
+  defaultRuntime: 'bun' | 'node';
+
+  // MCP defaults
+  mcp: {
+    transport: 'stdio' | 'http';
+    port: number;
+  };
+
+  // Telemetry (future)
+  telemetry: boolean;
+}
+
+export interface InstalledPackage {
+  name: string;
+  version: string;
+  path: string;
+  source: 'local' | 'registry';
+  installedAt: string;
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// DEFAULT CONFIG
+// ═══════════════════════════════════════════════════════════════════════════
+
+export const DEFAULT_CONFIG: Config = {
+  registry: 'https://registry.cliforai.com',
+  localRegistries: [],
+  defaultRuntime: 'bun',
+  mcp: {
+    transport: 'stdio',
+    port: 3100
+  },
+  telemetry: false
+};
+
+// ═══════════════════════════════════════════════════════════════════════════
+// INITIALIZATION
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Ensure ~/.cli4ai directory exists with required subdirectories
+ */
+export function ensureCli4aiHome(): void {
+  const dirs = [CLI4AI_HOME, PACKAGES_DIR, CACHE_DIR, ROUTINES_DIR];
+
+  for (const dir of dirs) {
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+  }
+}
+
+/**
+ * Ensure local .cli4ai directory exists
+ */
+export function ensureLocalDir(projectDir: string): void {
+  const localDir = resolve(projectDir, LOCAL_DIR);
+  const packagesDir = resolve(projectDir, LOCAL_PACKAGES_DIR);
+  const routinesDir = resolve(projectDir, LOCAL_ROUTINES_DIR);
+
+  if (!existsSync(localDir)) {
+    mkdirSync(localDir, { recursive: true });
+  }
+  if (!existsSync(packagesDir)) {
+    mkdirSync(packagesDir, { recursive: true });
+  }
+  if (!existsSync(routinesDir)) {
+    mkdirSync(routinesDir, { recursive: true });
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// CONFIG FILE
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Deep merge two objects, where source values override target values
+ */
+function deepMerge(target: Config, source: Partial<Config>): Config {
+  const result: Config = { ...target };
+
+  // Handle each key explicitly to maintain type safety
+  if (source.registry !== undefined) {
+    result.registry = source.registry;
+  }
+  if (source.localRegistries !== undefined) {
+    result.localRegistries = source.localRegistries;
+  }
+  if (source.defaultRuntime !== undefined) {
+    result.defaultRuntime = source.defaultRuntime;
+  }
+  if (source.telemetry !== undefined) {
+    result.telemetry = source.telemetry;
+  }
+  // Deep merge mcp config
+  if (source.mcp !== undefined) {
+    result.mcp = {
+      transport: source.mcp.transport ?? target.mcp.transport,
+      port: source.mcp.port ?? target.mcp.port
+    };
+  }
+
+  return result;
+}
+
+/**
+ * Load global config, creating defaults if needed
+ */
+export function loadConfig(): Config {
+  ensureCli4aiHome();
+
+  if (!existsSync(CONFIG_FILE)) {
+    saveConfig(DEFAULT_CONFIG);
+    return DEFAULT_CONFIG;
+  }
+
+  try {
+    const content = readFileSync(CONFIG_FILE, 'utf-8');
+    const data = JSON.parse(content);
+    // Deep merge with defaults to handle missing nested fields (e.g., mcp.port)
+    return deepMerge(DEFAULT_CONFIG, data);
+  } catch {
+    log(`Warning: Invalid config file, using defaults`);
+    return DEFAULT_CONFIG;
+  }
+}
+
+/**
+ * Save global config
+ */
+export function saveConfig(config: Config): void {
+  ensureCli4aiHome();
+  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n');
+}
+
+/**
+ * Get a config value
+ */
+export function getConfigValue<K extends keyof Config>(key: K): Config[K] {
+  const config = loadConfig();
+  return config[key];
+}
+
+/**
+ * Set a config value
+ */
+export function setConfigValue<K extends keyof Config>(key: K, value: Config[K]): void {
+  const config = loadConfig();
+  config[key] = value;
+  saveConfig(config);
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// LOCAL REGISTRIES
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Directories that should not be used as registries
+ * to prevent accidental exposure of sensitive system files.
+ */
+const UNSAFE_REGISTRY_PATHS = [
+  '/etc',
+  '/usr',
+  '/bin',
+  '/sbin',
+  '/var',
+  '/sys',
+  '/proc',
+  '/dev',
+  '/boot',
+  '/root',
+  '/lib',
+  '/lib64',
+  '/System',           // macOS
+  '/Library',          // macOS
+  '/private/etc',      // macOS
+  '/private/var',      // macOS
+  'C:\\Windows',       // Windows
+  'C:\\Program Files', // Windows
+];
+
+/**
+ * Validate that a registry path is safe to use.
+ */
+function isRegistryPathSafe(registryPath: string): boolean {
+  const normalizedPath = normalize(registryPath);
+
+  // Check against unsafe paths
+  for (const unsafePath of UNSAFE_REGISTRY_PATHS) {
+    const normalizedUnsafe = normalize(unsafePath);
+    if (normalizedPath === normalizedUnsafe ||
+        normalizedPath.startsWith(normalizedUnsafe + '/') ||
+        normalizedPath.startsWith(normalizedUnsafe + '\\')) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+/**
+ * Add a local registry path
+ */
+export function addLocalRegistry(path: string): void {
+  const config = loadConfig();
+  const absolutePath = resolve(path);
+
+  // SECURITY: Validate registry path is not in sensitive system directories
+  if (!isRegistryPathSafe(absolutePath)) {
+    outputError('INVALID_INPUT', `Registry path is in a protected system directory: ${absolutePath}`, {
+      hint: 'Use a path in your home directory or a project directory'
+    });
+  }
+
+  if (!existsSync(absolutePath)) {
+    outputError('NOT_FOUND', `Directory does not exist: ${absolutePath}`);
+  }
+
+  // SECURITY: Validate symlink target if it's a symlink
+  const safePath = validateSymlinkTarget(absolutePath);
+  if (!safePath) {
+    outputError('INVALID_INPUT', `Registry path points to an unsafe location: ${absolutePath}`, {
+      hint: 'Symlinks must point to directories within safe locations'
+    });
+  }
+
+  if (!config.localRegistries.includes(safePath)) {
+    config.localRegistries.push(safePath);
+    saveConfig(config);
+    log(`Added local registry: ${safePath}`);
+  }
+}
+
+/**
+ * Remove a local registry path
+ */
+export function removeLocalRegistry(path: string): void {
+  const config = loadConfig();
+  const absolutePath = resolve(path);
+  const index = config.localRegistries.indexOf(absolutePath);
+
+  if (index !== -1) {
+    config.localRegistries.splice(index, 1);
+    saveConfig(config);
+    log(`Removed local registry: ${absolutePath}`);
+  }
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// INSTALLED PACKAGES TRACKING
+// ═══════════════════════════════════════════════════════════════════════════
+
+/**
+ * Get list of globally installed packages
+ */
+export function getGlobalPackages(): InstalledPackage[] {
+  ensureCli4aiHome();
+
+  if (!existsSync(PACKAGES_DIR)) {
+    return [];
+  }
+
+  const packages: InstalledPackage[] = [];
+
+  for (const entry of readdirSync(PACKAGES_DIR, { withFileTypes: true })) {
+    if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
+
+    const pkgPath = resolve(PACKAGES_DIR, entry.name);
+
+    // SECURITY: Validate symlink targets
+    const safePath = validateSymlinkTarget(pkgPath);
+    if (!safePath) continue;
+
+    const manifestPath = resolve(safePath, 'cli4ai.json');
+
+    if (existsSync(manifestPath)) {
+      try {
+        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+        packages.push({
+          name: manifest.name,
+          version: manifest.version,
+          path: safePath,
+          source: 'local', // TODO: track actual source
+          installedAt: new Date().toISOString()
+        });
+      } catch {
+        // Skip invalid packages
+      }
+    }
+  }
+
+  return packages;
+}
+
+/**
+ * Get list of locally installed packages (in project)
+ */
+export function getLocalPackages(projectDir: string): InstalledPackage[] {
+  const packagesDir = resolve(projectDir, LOCAL_PACKAGES_DIR);
+
+  if (!existsSync(packagesDir)) {
+    return [];
+  }
+
+  const packages: InstalledPackage[] = [];
+
+  for (const entry of readdirSync(packagesDir, { withFileTypes: true })) {
+    if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
+
+    const pkgPath = resolve(packagesDir, entry.name);
+
+    // SECURITY: Validate symlink targets
+    const safePath = validateSymlinkTarget(pkgPath);
+    if (!safePath) continue;
+
+    const manifestPath = resolve(safePath, 'cli4ai.json');
+
+    if (existsSync(manifestPath)) {
+      try {
+        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+        packages.push({
+          name: manifest.name,
+          version: manifest.version,
+          path: safePath,
+          source: 'local',
+          installedAt: new Date().toISOString()
+        });
+      } catch {
+        // Skip invalid packages
+      }
+    }
+  }
+
+  return packages;
+}
+
+// Cache npm global dir to avoid repeated lookups
+let cachedNpmGlobalDir: string | null | undefined = undefined;
+
+/**
+ * Get npm global packages directory
+ */
+function getNpmGlobalDir(): string | null {
+  if (cachedNpmGlobalDir !== undefined) return cachedNpmGlobalDir;
+
+  // Try common locations first (faster than calling npm)
+  const commonPaths = [
+    resolve(homedir(), '.npm-global', 'lib', 'node_modules'),  // Custom npm prefix
+    '/usr/local/lib/node_modules',                              // macOS/Linux default
+    '/usr/lib/node_modules',                                    // Some Linux distros
+    resolve(homedir(), '.nvm', 'versions', 'node'),            // nvm (check later)
+  ];
+
+  for (const p of commonPaths) {
+    if (existsSync(p)) {
+      cachedNpmGlobalDir = p;
+      return p;
+    }
+  }
+
+  // Fall back to npm config (with timeout)
+  try {
+    const { execSync } = require('child_process');
+    const prefix = execSync('npm config get prefix', {
+      encoding: 'utf-8',
+      timeout: 3000,  // 3 second timeout
+      stdio: ['pipe', 'pipe', 'pipe']
+    }).trim();
+    // On Unix: prefix/lib/node_modules, on Windows: prefix/node_modules
+    const libPath = resolve(prefix, 'lib', 'node_modules');
+    if (existsSync(libPath)) {
+      cachedNpmGlobalDir = libPath;
+      return libPath;
+    }
+    const winPath = resolve(prefix, 'node_modules');
+    if (existsSync(winPath)) {
+      cachedNpmGlobalDir = winPath;
+      return winPath;
+    }
+  } catch {
+    // npm command failed or timed out
+  }
+
+  cachedNpmGlobalDir = null;
+  return null;
+}
+
+/**
+ * Get bun global packages directory
+ */
+function getBunGlobalDir(): string | null {
+  // Bun installs global packages to ~/.bun/install/global/node_modules
+  const bunGlobalDir = resolve(homedir(), '.bun', 'install', 'global', 'node_modules');
+  if (existsSync(bunGlobalDir)) return bunGlobalDir;
+  return null;
+}
+
+/**
+ * Get packages from a global node_modules/@cli4ai directory
+ */
+function getPackagesFromGlobalDir(globalDir: string): InstalledPackage[] {
+  const cli4aiDir = resolve(globalDir, '@cli4ai');
+  if (!existsSync(cli4aiDir)) return [];
+
+  const packages: InstalledPackage[] = [];
+
+  try {
+    for (const entry of readdirSync(cli4aiDir, { withFileTypes: true })) {
+      if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
+      if (entry.name === 'lib') continue; // Skip @cli4ai/lib
+
+      const pkgPath = resolve(cli4aiDir, entry.name);
+
+      // SECURITY: Validate symlink targets
+      const safePath = validateSymlinkTarget(pkgPath);
+      if (!safePath) continue;
+
+      const pkgJsonPath = resolve(safePath, 'package.json');
+      const cli4aiJsonPath = resolve(safePath, 'cli4ai.json');
+
+      // Try cli4ai.json first, then package.json
+      if (existsSync(cli4aiJsonPath)) {
+        try {
+          const manifest = JSON.parse(readFileSync(cli4aiJsonPath, 'utf-8'));
+          packages.push({
+            name: entry.name,
+            version: manifest.version,
+            path: safePath,
+            source: 'registry',
+            installedAt: new Date().toISOString()
+          });
+          continue;
+        } catch {}
+      }
+
+      if (existsSync(pkgJsonPath)) {
+        try {
+          const pkgJson = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+          packages.push({
+            name: entry.name,
+            version: pkgJson.version,
+            path: safePath,
+            source: 'registry',
+            installedAt: new Date().toISOString()
+          });
+        } catch {}
+      }
+    }
+  } catch {}
+
+  return packages;
+}
+
+/**
+ * Get all global @cli4ai packages (from both npm and bun)
+ */
+export function getNpmGlobalPackages(): InstalledPackage[] {
+  const packages: InstalledPackage[] = [];
+  const seen = new Set<string>();
+
+  // Check npm global first (this is where we install)
+  const npmGlobalDir = getNpmGlobalDir();
+  if (npmGlobalDir) {
+    for (const pkg of getPackagesFromGlobalDir(npmGlobalDir)) {
+      if (!seen.has(pkg.name)) {
+        seen.add(pkg.name);
+        packages.push(pkg);
+      }
+    }
+  }
+
+  // Check bun global (for backwards compat with old installs)
+  const bunGlobalDir = getBunGlobalDir();
+  if (bunGlobalDir) {
+    for (const pkg of getPackagesFromGlobalDir(bunGlobalDir)) {
+      if (!seen.has(pkg.name)) {
+        seen.add(pkg.name);
+        packages.push(pkg);
+      }
+    }
+  }
+
+  return packages;
+}
+
+/**
+ * Try to find a package in a global directory
+ */
+function findPackageInGlobalDir(globalDir: string, name: string): InstalledPackage | null {
+  const scopedPath = resolve(globalDir, '@cli4ai', name);
+  if (!existsSync(scopedPath)) return null;
+
+  const manifestPath = resolve(scopedPath, 'cli4ai.json');
+  if (existsSync(manifestPath)) {
+    try {
+      const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+      return {
+        name: manifest.name || name,
+        version: manifest.version,
+        path: scopedPath,
+        source: 'registry',
+        installedAt: new Date().toISOString()
+      };
+    } catch {}
+  }
+
+  // Even without cli4ai.json, try package.json
+  const pkgJsonPath = resolve(scopedPath, 'package.json');
+  if (existsSync(pkgJsonPath)) {
+    try {
+      const pkgJson = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+      return {
+        name: name,
+        version: pkgJson.version,
+        path: scopedPath,
+        source: 'registry',
+        installedAt: new Date().toISOString()
+      };
+    } catch {}
+  }
+
+  return null;
+}
+
+/**
+ * Find a package by name (checks local, global cli4ai, bun global, then npm global)
+ */
+export function findPackage(name: string, projectDir?: string): InstalledPackage | null {
+  // Check local packages first
+  if (projectDir) {
+    const localPkgs = getLocalPackages(projectDir);
+    const local = localPkgs.find(p => p.name === name);
+    if (local) return local;
+  }
+
+  // Check cli4ai global packages
+  const globalPkgs = getGlobalPackages();
+  const globalPkg = globalPkgs.find(p => p.name === name);
+  if (globalPkg) return globalPkg;
+
+  // Check npm global packages first (this is where we install)
+  const npmGlobalDir = getNpmGlobalDir();
+  if (npmGlobalDir) {
+    const pkg = findPackageInGlobalDir(npmGlobalDir, name);
+    if (pkg) return pkg;
+  }
+
+  // Check bun global packages (for backwards compat)
+  const bunGlobalDir = getBunGlobalDir();
+  if (bunGlobalDir) {
+    const pkg = findPackageInGlobalDir(bunGlobalDir, name);
+    if (pkg) return pkg;
+  }
+
+  return null;
+}