npm - codiedev - Versions diffs - 0.7.9 → 0.7.10 - Mend

codiedev 0.7.9 → 0.7.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/connect.js CHANGED Viewed

@@ -42,11 +42,73 @@ const connectFlow_1 = require("./connectFlow");
 const version_1 = require("./version");
 const upgradeNudge_1 = require("./upgradeNudge");
 const BACKEND_URL = process.env.CODIEDEV_URL || "https://judicious-falcon-861.convex.site";
-function prompt(rl, question) {
+/**
+ * Reads a line from stdin without echoing the typed/pasted characters —
+ * for tokens, passwords, anything that shouldn't end up in terminal
+ * scrollback or screenshots. Echoes `*` per character so the user gets
+ * visual feedback that input is being received.
+ *
+ * Falls back to the regular `prompt()` if stdin isn't a TTY (e.g., piped
+ * input in CI). Without a TTY there's no echo to suppress anyway, and
+ * raw mode would error.
+ */
+function promptHidden(question) {
     return new Promise((resolve) => {
-        rl.question(question, (answer) => {
-            resolve(answer.trim());
-        });
+        const stdin = process.stdin;
+        const stdout = process.stdout;
+        if (!stdin.isTTY) {
+            // CI / piped input — no terminal to mute. Fall back to readline.
+            const rl = readline.createInterface({ input: stdin, output: stdout });
+            rl.question(question, (answer) => {
+                rl.close();
+                resolve(answer.trim());
+            });
+            return;
+        }
+        stdout.write(question);
+        let buf = "";
+        const cleanup = () => {
+            stdin.removeListener("data", onData);
+            stdin.setRawMode(false);
+            stdin.pause();
+        };
+        const onData = (chunk) => {
+            const key = chunk.toString("utf8");
+            // Iterate so a single `chunk` containing a multi-char paste still
+            // masks each character individually.
+            for (const ch of key) {
+                // Ctrl+C — abort like a normal terminal interrupt.
+                if (ch === "") {
+                    cleanup();
+                    stdout.write("\n");
+                    process.exit(130);
+                }
+                // Enter — finalize.
+                if (ch === "\r" || ch === "\n") {
+                    cleanup();
+                    stdout.write("\n");
+                    resolve(buf.trim());
+                    return;
+                }
+                // Backspace / DEL — erase one masked char.
+                if (ch === "" || ch === "\b") {
+                    if (buf.length > 0) {
+                        buf = buf.slice(0, -1);
+                        stdout.write("\b \b");
+                    }
+                    continue;
+                }
+                // Ignore other control bytes (escape sequences from arrow keys, etc.)
+                if (ch.charCodeAt(0) < 0x20)
+                    continue;
+                buf += ch;
+                stdout.write("*");
+            }
+        };
+        stdin.setRawMode(true);
+        stdin.resume();
+        stdin.setEncoding("utf8");
+        stdin.on("data", onData);
     });
 }
 function postJson(url, body) {
@@ -109,16 +171,9 @@ async function runConnect(args = []) {
         console.log(`Reusing API token from ~/.codiedev/config.json (run with --force to use a new one).\n`);
     }
     else {
-        const rl = readline.createInterface({
-            input: process.stdin,
-            output: process.stdout,
-        });
-        try {
-            token = await prompt(rl, "Enter your CodieDev API token: ");
-        }
-        finally {
-            rl.close();
-        }
+        // Hidden prompt — masks the token with `*` as it's typed/pasted so it
+        // doesn't end up in terminal scrollback or screenshots.
+        token = await promptHidden("Enter your CodieDev API token: ");
         if (!token) {
             console.error("Error: API token is required.");
             process.exit(1);

package/dist/secret.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function maskToken(token: string \| null \| undefined): string;

package/dist/secret.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+// Display helpers for credential-shaped strings. Use anywhere a token /
+// secret might end up in user-visible output (logs, success lines, error
+// messages) so a stray `console.log` can't leak the full value.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.maskToken = maskToken;
+const PREFIX_LEN = 12;
+function maskToken(token) {
+    if (typeof token !== "string" || token.length === 0)
+        return "";
+    if (token.length <= PREFIX_LEN)
+        return token;
+    return `${token.slice(0, PREFIX_LEN)}...`;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codiedev",
-  "version": "0.7.9",
+  "version": "0.7.10",
   "description": "Connect Claude Code, Codex, Cursor, or VS Code Copilot to CodieDev for org-wide session capture and artifact collaboration",
   "bin": {
     "codiedev": "dist/cli.js",