commandmate 0.1.12 → 0.2.0

package/dist/cli/commands/init.js

@@ -15,6 +15,7 @@ const preflight_1 = require("../utils/preflight");
 const env_setup_1 = require("../utils/env-setup");
 const prompt_1 = require("../utils/prompt");
 const security_logger_1 = require("../utils/security-logger");
+const security_messages_1 = require("../config/security-messages");
 const logger = new logger_1.CLILogger();
 /**
  * Create default configuration (non-interactive mode)
@@ -66,15 +67,12 @@ async function promptForConfig() {
         default: false,
     });
     let bind = env_setup_1.ENV_DEFAULTS.CM_BIND;
-    let authToken;
     if (enableExternal) {
         bind = '0.0.0.0';
-        const envSetup = new env_setup_1.EnvSetup();
-        authToken = envSetup.generateAuthToken();
         logger.blank();
         logger.success('External access enabled');
         logger.info(`  Bind address: 0.0.0.0`);
-        logger.info(`  Auth token generated: ${authToken.substring(0, 8)}...`);
+        console.log(security_messages_1.REVERSE_PROXY_WARNING);
     }
     // CM_DB_PATH - Issue #135: Use getDefaultDbPath() for absolute path
     const defaultDbPath = (0, env_setup_1.getDefaultDbPath)();
@@ -86,7 +84,6 @@ async function promptForConfig() {
         CM_ROOT_DIR: rootDir,
         CM_PORT: port,
         CM_BIND: bind,
-        CM_AUTH_TOKEN: authToken,
         CM_DB_PATH: dbPath,
         CM_LOG_LEVEL: env_setup_1.ENV_DEFAULTS.CM_LOG_LEVEL,
         CM_LOG_FORMAT: env_setup_1.ENV_DEFAULTS.CM_LOG_FORMAT,
@@ -105,18 +102,10 @@ function displayConfigSummary(config, envPath) {
     logger.info(`  CM_ROOT_DIR:  ${config.CM_ROOT_DIR}`);
     logger.info(`  CM_PORT:      ${config.CM_PORT}`);
     logger.info(`  CM_BIND:      ${config.CM_BIND}`);
-    if (config.CM_AUTH_TOKEN) {
-        logger.info(`  CM_AUTH_TOKEN: ${config.CM_AUTH_TOKEN.substring(0, 8)}... (generated)`);
-    }
     logger.info(`  CM_DB_PATH:   ${config.CM_DB_PATH}`);
     logger.blank();
     logger.info(`  Config file:  ${envPath}`);
     logger.blank();
-    if (config.CM_AUTH_TOKEN) {
-        logger.warn('IMPORTANT: Save your auth token securely!');
-        logger.info(`  Token: ${config.CM_AUTH_TOKEN}`);
-        logger.blank();
-    }
 }
 /**
  * Execute init command

package/dist/cli/commands/start.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,YAAY,EAA6B,MAAM,UAAU,CAAC;AAYnE;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAoMvE"}
+{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,YAAY,EAA6B,MAAM,UAAU,CAAC;AAanE;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA8LvE"}

package/dist/cli/commands/start.js

@@ -17,6 +17,7 @@ const daemon_1 = require("../utils/daemon");
 const security_logger_1 = require("../utils/security-logger");
 const paths_1 = require("../utils/paths");
 const env_setup_1 = require("../utils/env-setup");
+const security_messages_1 = require("../config/security-messages");
 const input_validators_1 = require("../utils/input-validators");
 const port_allocator_1 = require("../utils/port-allocator");
 const resource_resolvers_1 = require("../utils/resource-resolvers");
@@ -139,15 +140,10 @@ async function startCommand(options) {
         if (dbPath) {
             env.CM_DB_PATH = dbPath;
         }
-        // Issue #125: Security warnings for external access
+        // Issue #179: Security warning for external access - recommend reverse proxy
         const bindAddress = env.CM_BIND || '127.0.0.1';
-        const authToken = env.CM_AUTH_TOKEN;
         if (bindAddress === '0.0.0.0') {
-            logger.warn('WARNING: Server is accessible from external networks (CM_BIND=0.0.0.0)');
-            if (!authToken) {
-                logger.warn('SECURITY WARNING: No authentication token configured. External access is not recommended without CM_AUTH_TOKEN.');
-                logger.info('Run "commandmate init" to configure a secure authentication token.');
-            }
+            console.log(security_messages_1.REVERSE_PROXY_WARNING);
         }
         // Use package installation directory, not current working directory
         const packageRoot = (0, paths_1.getPackageRoot)();

package/dist/cli/config/security-messages.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Security Messages
+ * Issue #179: Reverse proxy authentication recommendation
+ * Shared warning constants for CLI commands (DRY principle)
+ */
+/**
+ * Warning message displayed when CM_BIND=0.0.0.0
+ * Used by: init.ts, start.ts, daemon.ts
+ */
+export declare const REVERSE_PROXY_WARNING = "\n\u001B[1m\u001B[31mWARNING: Server is exposed to external networks without authentication\u001B[0m\n\nExposing the server without reverse proxy authentication\nis a serious security risk.\n\n\u001B[1mRisks:\u001B[0m\n  File read/write/delete and command execution\n  become accessible to third parties.\n\n\u001B[1mRecommended authentication methods:\u001B[0m\n  - Nginx + Basic Auth\n  - Cloudflare Access\n  - Tailscale\n\nDetails: https://github.com/Kewton/CommandMate/blob/main/docs/security-guide.md\n";
+//# sourceMappingURL=security-messages.d.ts.map

package/dist/cli/config/security-messages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-messages.d.ts","sourceRoot":"","sources":["../../../src/cli/config/security-messages.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;GAGG;AACH,eAAO,MAAM,qBAAqB,igBAgBjC,CAAC"}

package/dist/cli/config/security-messages.js

@@ -0,0 +1,29 @@
+"use strict";
+/**
+ * Security Messages
+ * Issue #179: Reverse proxy authentication recommendation
+ * Shared warning constants for CLI commands (DRY principle)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REVERSE_PROXY_WARNING = void 0;
+/**
+ * Warning message displayed when CM_BIND=0.0.0.0
+ * Used by: init.ts, start.ts, daemon.ts
+ */
+exports.REVERSE_PROXY_WARNING = `
+\x1b[1m\x1b[31mWARNING: Server is exposed to external networks without authentication\x1b[0m
+
+Exposing the server without reverse proxy authentication
+is a serious security risk.
+
+\x1b[1mRisks:\x1b[0m
+  File read/write/delete and command execution
+  become accessible to third parties.
+
+\x1b[1mRecommended authentication methods:\x1b[0m
+  - Nginx + Basic Auth
+  - Cloudflare Access
+  - Tailscale
+
+Details: https://github.com/Kewton/CommandMate/blob/main/docs/security-guide.md
+`;

package/dist/cli/types/index.d.ts

@@ -120,7 +120,6 @@ export interface EnvConfig {
     CM_ROOT_DIR: string;
     CM_PORT: number;
     CM_BIND: string;
-    CM_AUTH_TOKEN?: string;
     CM_DB_PATH: string;
     CM_LOG_LEVEL: string;
     CM_LOG_FORMAT: string;

package/dist/cli/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/types/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,oBAAY,QAAQ;IAClB,OAAO,IAAI;IACX,gBAAgB,IAAI;IACpB,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,WAAW,IAAI;IACf,gBAAgB,KAAK;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gCAAgC;IAChC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wBAAwB;IACxB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,kBAAkB,CAAC;IAC9C,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/types/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,oBAAY,QAAQ;IAClB,OAAO,IAAI;IACX,gBAAgB,IAAI;IACpB,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,WAAW,IAAI;IACf,gBAAgB,KAAK;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gCAAgC;IAChC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wBAAwB;IACxB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,kBAAkB,CAAC;IAC9C,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKtD"}

package/dist/cli/utils/daemon.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAMtD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,MAAM,CAAY;gBAEd,WAAW,EAAE,MAAM;IAK/B;;;;;OAKG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IAmFnD;;;;OAIG;IACG,IAAI,CAAC,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA8BpD;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IA6B/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;OAEG;YACW,WAAW;CAiB1B"}
+{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAOtD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,MAAM,CAAY;gBAEd,WAAW,EAAE,MAAM;IAK/B;;;;;OAKG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IA6EnD;;;;OAIG;IACG,IAAI,CAAC,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA8BpD;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IA6B/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;OAEG;YACW,WAAW;CAiB1B"}

package/dist/cli/utils/daemon.js

@@ -12,6 +12,7 @@ const dotenv_1 = require("dotenv");
 const pid_manager_1 = require("./pid-manager");
 const paths_1 = require("./paths");
 const env_setup_1 = require("./env-setup");
+const security_messages_1 = require("../config/security-messages");
 const logger_1 = require("./logger");
 /**
  * Daemon manager for background server process
@@ -60,16 +61,11 @@ class DaemonManager {
         if (options.dbPath) {
             env.CM_DB_PATH = options.dbPath;
         }
-        // Issue #125: Security warnings for external access (Stage 4 review: MF-2)
+        // Issue #179: Security warning for external access - recommend reverse proxy
         const bindAddress = env.CM_BIND || '127.0.0.1';
-        const authToken = env.CM_AUTH_TOKEN;
         const port = env.CM_PORT || '3000';
         if (bindAddress === '0.0.0.0') {
-            this.logger.warn('WARNING: Server is accessible from external networks (CM_BIND=0.0.0.0)');
-            if (!authToken) {
-                this.logger.warn('SECURITY WARNING: No authentication token configured. External access is not recommended without CM_AUTH_TOKEN.');
-                this.logger.info('Run "commandmate init" to configure a secure authentication token.');
-            }
+            console.log(security_messages_1.REVERSE_PROXY_WARNING);
         }
         // Log startup with accurate settings (Stage 4 review: MF-2)
         this.logger.info(`Starting server at http://${bindAddress}:${port}`);

package/dist/cli/utils/env-setup.d.ts

@@ -105,10 +105,6 @@ export declare class EnvSetup {
      * Backup existing .env file
      */
     backupExisting(): Promise<string | null>;
-    /**
-     * Generate secure authentication token
-     */
-    generateAuthToken(): string;
     /**
      * Validate configuration
      */

package/dist/cli/utils/env-setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env-setup.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/env-setup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,OAAO,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EACjB,MAAM,UAAU,CAAC;AASlB,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAElE;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;CAMf,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAA2B,CAAC;AAEzD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAOzC;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAwBnD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CASpF;AAKD;;;;;GAKG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAGnC;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAYvD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGlD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAMlD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAUpD;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE,MAAM;IAI5B;;;OAGG;IACG,aAAa,CACjB,MAAM,EAAE,SAAS,EACjB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,IAAI,CAAC;IAiChB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY9C;;OAEG;IACH,iBAAiB,IAAI,MAAM;IAI3B;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,SAAS,GAAG,gBAAgB;CAoCpD"}
+{"version":3,"file":"env-setup.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/env-setup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EACjB,MAAM,UAAU,CAAC;AASlB,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAElE;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;CAMf,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAA2B,CAAC;AAEzD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAOzC;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAwBnD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CASpF;AAKD;;;;;GAKG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAGnC;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAYvD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGlD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAMlD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAUpD;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE,MAAM;IAI5B;;;OAGG;IACG,aAAa,CACjB,MAAM,EAAE,SAAS,EACjB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,IAAI,CAAC;IA6BhB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY9C;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,SAAS,GAAG,gBAAgB;CA+BpD"}

package/dist/cli/utils/env-setup.js

@@ -18,7 +18,6 @@ exports.validatePort = validatePort;
 exports.escapeEnvValue = escapeEnvValue;
 const fs_1 = require("fs");
 const path_1 = require("path");
-const crypto_1 = require("crypto");
 const os_1 = require("os");
 // Issue #136: Import from install-context.ts to avoid circular imports
 // Re-export for backward compatibility
@@ -210,9 +209,6 @@ class EnvSetup {
             `CM_LOG_LEVEL=${config.CM_LOG_LEVEL}`,
             `CM_LOG_FORMAT=${config.CM_LOG_FORMAT}`,
         ];
-        if (config.CM_AUTH_TOKEN) {
-            lines.push(`CM_AUTH_TOKEN=${config.CM_AUTH_TOKEN}`);
-        }
         lines.push('');
         const content = lines.join('\n');
         // Write with secure permissions
@@ -232,12 +228,6 @@ class EnvSetup {
         (0, fs_1.copyFileSync)(this.envPath, backupPath);
         return backupPath;
     }
-    /**
-     * Generate secure authentication token
-     */
-    generateAuthToken() {
-        return (0, crypto_1.randomBytes)(32).toString('hex');
-    }
     /**
      * Validate configuration
      */
@@ -252,10 +242,6 @@ class EnvSetup {
         if (!validBinds.includes(config.CM_BIND)) {
             errors.push(`Invalid bind address: must be one of ${validBinds.join(', ')}`);
         }
-        // Require auth token for external access
-        if (config.CM_BIND === '0.0.0.0' && !config.CM_AUTH_TOKEN) {
-            errors.push('auth token is required when binding to 0.0.0.0');
-        }
         // Validate log level
         const validLogLevels = ['debug', 'info', 'warn', 'error'];
         if (!validLogLevels.includes(config.CM_LOG_LEVEL)) {

package/dist/cli/utils/security-logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-logger.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/security-logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB;IACpB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAC1C,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAaD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAU3D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAc/E"}
+{"version":3,"file":"security-logger.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/security-logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB;IACpB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAC1C,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAaD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAU3D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAY/E"}

package/dist/cli/utils/security-logger.js

@@ -43,9 +43,8 @@ function maskSensitiveData(input) {
     if (!input) {
         return input;
     }
-    // Mask CM_AUTH_TOKEN values
-    let result = input.replace(/CM_AUTH_TOKEN=\S+/g, 'CM_AUTH_TOKEN=***masked***');
     // Mask any token-like strings (12+ hex/alphanumeric characters after "token:")
+    let result = input;
     result = result.replace(/(?:token|Token)[:\s]+([a-zA-Z0-9]{12,})/gi, (_match, token) => {
         return _match.replace(token, '***');
     });

package/dist/server/src/lib/auto-yes-manager.js

@@ -205,22 +205,30 @@ async function pollAutoYes(worktreeId, cliToolId) {
     try {
         // 1. Capture tmux output
         const output = await (0, cli_session_1.captureSessionOutput)(worktreeId, cliToolId, 5000);
-        // 2. Strip ANSI codes and detect prompt
+        // 2. Strip ANSI codes
         const cleanOutput = (0, cli_patterns_1.stripAnsi)(output);
+        // 2.5. Skip prompt detection during thinking state (Issue #161, Layer 1)
+        // This prevents false positive detection of numbered lists in CLI output
+        // while Claude is actively processing (thinking/planning).
+        if ((0, cli_patterns_1.detectThinking)(cliToolId, cleanOutput)) {
+            scheduleNextPoll(worktreeId, cliToolId);
+            return;
+        }
+        // 3. Detect prompt
         const promptDetection = (0, prompt_detector_1.detectPrompt)(cleanOutput);
         if (!promptDetection.isPrompt || !promptDetection.promptData) {
             // No prompt detected, schedule next poll
             scheduleNextPoll(worktreeId, cliToolId);
             return;
         }
-        // 3. Resolve auto answer
+        // 4. Resolve auto answer
         const answer = (0, auto_yes_resolver_1.resolveAutoAnswer)(promptDetection.promptData);
         if (answer === null) {
             // Cannot auto-answer this prompt
             scheduleNextPoll(worktreeId, cliToolId);
             return;
         }
-        // 4. Send answer to tmux
+        // 5. Send answer to tmux
         const manager = manager_1.CLIToolManager.getInstance();
         const cliTool = manager.getTool(cliToolId);
         const sessionName = cliTool.getSessionName(worktreeId);
@@ -228,9 +236,9 @@ async function pollAutoYes(worktreeId, cliToolId) {
         await (0, tmux_1.sendKeys)(sessionName, answer, false);
         await new Promise(resolve => setTimeout(resolve, 100));
         await (0, tmux_1.sendKeys)(sessionName, '', true);
-        // 5. Update timestamp
+        // 6. Update timestamp
         updateLastServerResponseTimestamp(worktreeId, Date.now());
-        // 6. Reset error count on success
+        // 7. Reset error count on success
         resetErrorCount(worktreeId);
         // Log success (without sensitive content)
         console.info(`[Auto-Yes Poller] Sent response for worktree: ${worktreeId}`);

package/dist/server/src/lib/claude-poller.js

@@ -0,0 +1,337 @@
+"use strict";
+/**
+ * Claude response polling
+ * Periodically checks tmux sessions for Claude responses
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startPolling = startPolling;
+exports.stopPolling = stopPolling;
+exports.stopAllPolling = stopAllPolling;
+exports.getActivePollers = getActivePollers;
+const claude_session_1 = require("./claude-session");
+const db_instance_1 = require("./db-instance");
+const db_1 = require("./db");
+const ws_server_1 = require("./ws-server");
+const prompt_detector_1 = require("./prompt-detector");
+const conversation_logger_1 = require("./conversation-logger");
+/**
+ * Polling interval in milliseconds (default: 2 seconds)
+ */
+const POLLING_INTERVAL = 2000;
+/**
+ * Maximum polling duration in milliseconds (default: 5 minutes)
+ */
+const MAX_POLLING_DURATION = 5 * 60 * 1000;
+/**
+ * Active pollers map: worktreeId -> NodeJS.Timeout
+ */
+const activePollers = new Map();
+/**
+ * Polling start times map: worktreeId -> timestamp
+ */
+const pollingStartTimes = new Map();
+/**
+ * Extract Claude response from tmux output
+ * Detects when Claude has completed a response by looking for the prompt
+ *
+ * @param output - Full tmux output
+ * @param lastCapturedLine - Number of lines previously captured
+ * @returns Extracted response or null if incomplete
+ */
+function extractClaudeResponse(output, lastCapturedLine) {
+    // Trim trailing empty lines from the output before processing
+    // This prevents the "last 20 lines" from being all empty due to tmux buffer padding
+    const rawLines = output.split('\n');
+    let trimmedLength = rawLines.length;
+    while (trimmedLength > 0 && rawLines[trimmedLength - 1].trim() === '') {
+        trimmedLength--;
+    }
+    const lines = rawLines.slice(0, trimmedLength);
+    const totalLines = lines.length;
+    // No new output (with buffer to handle newline inconsistencies)
+    if (totalLines < lastCapturedLine - 5) {
+        return null;
+    }
+    // Always check the last 20 lines for completion pattern (more robust than tracking line numbers)
+    const checkLineCount = 20;
+    const startLine = Math.max(0, totalLines - checkLineCount);
+    const linesToCheck = lines.slice(startLine);
+    const outputToCheck = linesToCheck.join('\n');
+    // Check if Claude has returned to prompt (indicated by the prompt symbols)
+    // Claude shows "> " or "❯ " or "─────" when waiting for input
+    // Supports both legacy '>' and new '❯' (U+276F) prompt characters
+    // Issue #132: Also matches prompts with recommended commands (e.g., "❯ /work-plan")
+    const promptPattern = /^[>❯](\s*$|\s+\S)/m;
+    const separatorPattern = /^─{50,}$/m;
+    // Check for thinking/processing indicators
+    // Claude shows various animations while thinking: ✻ Herding…, · Choreographing…, ∴ Thinking…, ✢ Doing…, ✳ Cascading…, etc.
+    // Match lines that contain: symbol + word + … OR just the symbol alone
+    const thinkingPattern = /[✻✽⏺·∴✢✳]/m;
+    const hasPrompt = promptPattern.test(outputToCheck);
+    const hasSeparator = separatorPattern.test(outputToCheck);
+    const isThinking = thinkingPattern.test(outputToCheck);
+    // Only consider complete if we have prompt + separator AND Claude is NOT thinking
+    if (hasPrompt && hasSeparator && !isThinking) {
+        // Claude has completed response
+        // Extract the response content from lastCapturedLine to the separator (not just last 20 lines)
+        const responseLines = [];
+        // Handle tmux buffer scrolling: if lastCapturedLine >= totalLines, the buffer has scrolled
+        // In this case, we need to find the response in the current visible buffer
+        let startIndex;
+        if (lastCapturedLine >= totalLines - 5) {
+            // Buffer may have scrolled - look for the start of the new response
+            // Find the last user input prompt ("> ...") to identify where the response starts
+            let foundUserPrompt = -1;
+            for (let i = totalLines - 1; i >= Math.max(0, totalLines - 50); i--) {
+                // Look for user input line (starts with "> " or "❯ " followed by content)
+                if (/^[>❯]\s+\S/.test(lines[i])) {
+                    foundUserPrompt = i;
+                    break;
+                }
+            }
+            // Start extraction from after the user prompt, or from a safe earlier point
+            startIndex = foundUserPrompt >= 0 ? foundUserPrompt + 1 : Math.max(0, totalLines - 40);
+        }
+        else {
+            // Normal case: start from lastCapturedLine
+            startIndex = Math.max(0, lastCapturedLine);
+        }
+        for (let i = startIndex; i < totalLines; i++) {
+            const line = lines[i];
+            // Skip separator lines
+            if (/^─{50,}$/.test(line)) {
+                continue;
+            }
+            // Stop at new prompt (supports both '>' and '❯')
+            if (/^[>❯]\s*$/.test(line)) {
+                break;
+            }
+            // Skip thinking/processing status lines (spinner char + activity text ending with …)
+            // Note: ⏺ is also used as a response marker, so we only skip if it looks like a thinking line
+            // Thinking line example: "✳ UIからジョブ再実行中… (esc to interrupt · 33m 44s · thinking)"
+            // Response line example: "⏺ 何かお手伝いできることはありますか？" (should NOT be skipped)
+            if (/[✻✽·∴✢✳⦿◉●○◌◎⊙⊚⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏]\s*\S+…/.test(line) || /to interrupt\)/.test(line)) {
+                continue;
+            }
+            // Skip tip lines and decoration lines
+            if (/^\s*[⎿⏋]\s+Tip:/.test(line) || /^\s*Tip:/.test(line)) {
+                continue;
+            }
+            responseLines.push(line);
+        }
+        const response = responseLines.join('\n').trim();
+        // Additional check: ensure response doesn't contain thinking indicators
+        // This prevents saving intermediate states as final responses
+        if (thinkingPattern.test(response)) {
+            console.warn(`[Poller] Response contains thinking indicators, treating as incomplete`);
+            return {
+                response: '',
+                isComplete: false,
+                lineCount: totalLines,
+            };
+        }
+        return {
+            response,
+            isComplete: true,
+            lineCount: totalLines,
+        };
+    }
+    // Check if this is an interactive prompt (yes/no or multiple choice)
+    // Interactive prompts don't have the ">" prompt and separator, so we need to detect them separately
+    if (!isThinking) {
+        const fullOutput = lines.join('\n');
+        const promptDetection = (0, prompt_detector_1.detectPrompt)(fullOutput);
+        if (promptDetection.isPrompt) {
+            // This is an interactive prompt - consider it complete
+            return {
+                response: fullOutput,
+                isComplete: true,
+                lineCount: totalLines,
+            };
+        }
+    }
+    // Response not yet complete
+    return {
+        response: '',
+        isComplete: false,
+        lineCount: totalLines,
+    };
+}
+/**
+ * Check for Claude response once
+ *
+ * @param worktreeId - Worktree ID
+ * @returns True if response was found and processed
+ */
+async function checkForResponse(worktreeId) {
+    const db = (0, db_instance_1.getDbInstance)();
+    try {
+        // Get worktree to retrieve CLI tool ID
+        const worktree = (0, db_1.getWorktreeById)(db, worktreeId);
+        if (!worktree) {
+            console.error(`Worktree ${worktreeId} not found, stopping poller`);
+            stopPolling(worktreeId);
+            return false;
+        }
+        const cliToolId = worktree.cliToolId || 'claude';
+        // Check if Claude session is running
+        const running = await (0, claude_session_1.isClaudeRunning)(worktreeId);
+        if (!running) {
+            console.log(`Claude session not running for ${worktreeId}, stopping poller`);
+            stopPolling(worktreeId);
+            return false;
+        }
+        // Get session state (last captured line count)
+        const sessionState = (0, db_1.getSessionState)(db, worktreeId, cliToolId);
+        const lastCapturedLine = sessionState?.lastCapturedLine || 0;
+        // Capture current output
+        const output = await (0, claude_session_1.captureClaudeOutput)(worktreeId, 10000);
+        // Extract response
+        const result = extractClaudeResponse(output, lastCapturedLine);
+        if (!result) {
+            // No new output
+            return false;
+        }
+        if (!result.isComplete) {
+            return false;
+        }
+        // Response is complete! Check if it's a prompt
+        const promptDetection = (0, prompt_detector_1.detectPrompt)(result.response);
+        if (promptDetection.isPrompt) {
+            // This is a prompt - save as prompt message
+            console.log(`✓ Detected prompt for ${worktreeId}:`, promptDetection.promptData?.question);
+            const message = (0, db_1.createMessage)(db, {
+                worktreeId,
+                role: 'assistant',
+                content: promptDetection.cleanContent,
+                messageType: 'prompt',
+                promptData: promptDetection.promptData,
+                timestamp: new Date(),
+                cliToolId,
+            });
+            // Update session state
+            (0, db_1.updateSessionState)(db, worktreeId, cliToolId, result.lineCount);
+            // Broadcast to WebSocket
+            (0, ws_server_1.broadcastMessage)('message', {
+                worktreeId,
+                message,
+            });
+            console.log(`✓ Saved prompt message for ${worktreeId}`);
+            // Stop polling - waiting for user response
+            stopPolling(worktreeId);
+            return true;
+        }
+        // Normal response (not a prompt)
+        console.log(`✓ Detected Claude response for ${worktreeId}`);
+        // Validate response content is not empty
+        if (!result.response || result.response.trim() === '') {
+            console.warn(`⚠ Empty response detected for ${worktreeId}, continuing polling...`);
+            // Update session state but don't save the message
+            // Continue polling in case a prompt appears next
+            (0, db_1.updateSessionState)(db, worktreeId, cliToolId, result.lineCount);
+            return false;
+        }
+        // Create Markdown log file for the conversation pair
+        if (result.response) {
+            await (0, conversation_logger_1.recordClaudeConversation)(db, worktreeId, result.response, 'claude');
+        }
+        // Create Claude message in database
+        const message = (0, db_1.createMessage)(db, {
+            worktreeId,
+            role: 'assistant',
+            content: result.response,
+            messageType: 'normal',
+            timestamp: new Date(),
+            cliToolId,
+        });
+        // Update session state
+        (0, db_1.updateSessionState)(db, worktreeId, cliToolId, result.lineCount);
+        // Broadcast message to WebSocket clients
+        (0, ws_server_1.broadcastMessage)('message', {
+            worktreeId,
+            message,
+        });
+        console.log(`✓ Saved Claude response for ${worktreeId}`);
+        // Stop polling since we got the response
+        stopPolling(worktreeId);
+        return true;
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        console.error(`Error checking for response (${worktreeId}):`, errorMessage);
+        return false;
+    }
+}
+/**
+ * Start polling for Claude response
+ *
+ * @param worktreeId - Worktree ID
+ *
+ * @example
+ * ```typescript
+ * startPolling('feature-foo');
+ * ```
+ */
+function startPolling(worktreeId) {
+    // Stop existing poller if any
+    stopPolling(worktreeId);
+    console.log(`Starting poller for ${worktreeId}`);
+    // Record start time
+    pollingStartTimes.set(worktreeId, Date.now());
+    // Start polling
+    const interval = setInterval(async () => {
+        console.log(`[Poller] Checking for response: ${worktreeId}`);
+        const startTime = pollingStartTimes.get(worktreeId);
+        // Check if max duration exceeded
+        if (startTime && Date.now() - startTime > MAX_POLLING_DURATION) {
+            console.log(`Polling timeout for ${worktreeId}, stopping`);
+            stopPolling(worktreeId);
+            return;
+        }
+        // Check for response
+        try {
+            await checkForResponse(worktreeId);
+        }
+        catch (error) {
+            console.error(`[Poller] Error in checkForResponse:`, error);
+        }
+    }, POLLING_INTERVAL);
+    activePollers.set(worktreeId, interval);
+}
+/**
+ * Stop polling for a worktree
+ *
+ * @param worktreeId - Worktree ID
+ *
+ * @example
+ * ```typescript
+ * stopPolling('feature-foo');
+ * ```
+ */
+function stopPolling(worktreeId) {
+    const interval = activePollers.get(worktreeId);
+    if (interval) {
+        clearInterval(interval);
+        activePollers.delete(worktreeId);
+        pollingStartTimes.delete(worktreeId);
+        console.log(`Stopped poller for ${worktreeId}`);
+    }
+}
+/**
+ * Stop all active pollers
+ * Used for cleanup on server shutdown
+ */
+function stopAllPolling() {
+    console.log(`Stopping all pollers (${activePollers.size} active)`);
+    for (const worktreeId of activePollers.keys()) {
+        stopPolling(worktreeId);
+    }
+}
+/**
+ * Get list of active pollers
+ *
+ * @returns Array of worktree IDs currently being polled
+ */
+function getActivePollers() {
+    return Array.from(activePollers.keys());
+}