commandmate 0.1.12 → 0.2.1

package/dist/cli/commands/init.js

@@ -15,6 +15,7 @@ const preflight_1 = require("../utils/preflight");
 const env_setup_1 = require("../utils/env-setup");
 const prompt_1 = require("../utils/prompt");
 const security_logger_1 = require("../utils/security-logger");
+const security_messages_1 = require("../config/security-messages");
 const logger = new logger_1.CLILogger();
 /**
  * Create default configuration (non-interactive mode)
@@ -66,15 +67,12 @@ async function promptForConfig() {
         default: false,
     });
     let bind = env_setup_1.ENV_DEFAULTS.CM_BIND;
-    let authToken;
     if (enableExternal) {
         bind = '0.0.0.0';
-        const envSetup = new env_setup_1.EnvSetup();
-        authToken = envSetup.generateAuthToken();
         logger.blank();
         logger.success('External access enabled');
         logger.info(`  Bind address: 0.0.0.0`);
-        logger.info(`  Auth token generated: ${authToken.substring(0, 8)}...`);
+        console.log(security_messages_1.REVERSE_PROXY_WARNING);
     }
     // CM_DB_PATH - Issue #135: Use getDefaultDbPath() for absolute path
     const defaultDbPath = (0, env_setup_1.getDefaultDbPath)();
@@ -86,7 +84,6 @@ async function promptForConfig() {
         CM_ROOT_DIR: rootDir,
         CM_PORT: port,
         CM_BIND: bind,
-        CM_AUTH_TOKEN: authToken,
         CM_DB_PATH: dbPath,
         CM_LOG_LEVEL: env_setup_1.ENV_DEFAULTS.CM_LOG_LEVEL,
         CM_LOG_FORMAT: env_setup_1.ENV_DEFAULTS.CM_LOG_FORMAT,
@@ -105,18 +102,10 @@ function displayConfigSummary(config, envPath) {
     logger.info(`  CM_ROOT_DIR:  ${config.CM_ROOT_DIR}`);
     logger.info(`  CM_PORT:      ${config.CM_PORT}`);
     logger.info(`  CM_BIND:      ${config.CM_BIND}`);
-    if (config.CM_AUTH_TOKEN) {
-        logger.info(`  CM_AUTH_TOKEN: ${config.CM_AUTH_TOKEN.substring(0, 8)}... (generated)`);
-    }
     logger.info(`  CM_DB_PATH:   ${config.CM_DB_PATH}`);
     logger.blank();
     logger.info(`  Config file:  ${envPath}`);
     logger.blank();
-    if (config.CM_AUTH_TOKEN) {
-        logger.warn('IMPORTANT: Save your auth token securely!');
-        logger.info(`  Token: ${config.CM_AUTH_TOKEN}`);
-        logger.blank();
-    }
 }
 /**
  * Execute init command

package/dist/cli/commands/start.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,YAAY,EAA6B,MAAM,UAAU,CAAC;AAYnE;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAoMvE"}
+{"version":3,"file":"start.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/start.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,EAAE,YAAY,EAA6B,MAAM,UAAU,CAAC;AAanE;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA8LvE"}

package/dist/cli/commands/start.js

@@ -17,6 +17,7 @@ const daemon_1 = require("../utils/daemon");
 const security_logger_1 = require("../utils/security-logger");
 const paths_1 = require("../utils/paths");
 const env_setup_1 = require("../utils/env-setup");
+const security_messages_1 = require("../config/security-messages");
 const input_validators_1 = require("../utils/input-validators");
 const port_allocator_1 = require("../utils/port-allocator");
 const resource_resolvers_1 = require("../utils/resource-resolvers");
@@ -139,15 +140,10 @@ async function startCommand(options) {
         if (dbPath) {
             env.CM_DB_PATH = dbPath;
         }
-        // Issue #125: Security warnings for external access
+        // Issue #179: Security warning for external access - recommend reverse proxy
         const bindAddress = env.CM_BIND || '127.0.0.1';
-        const authToken = env.CM_AUTH_TOKEN;
         if (bindAddress === '0.0.0.0') {
-            logger.warn('WARNING: Server is accessible from external networks (CM_BIND=0.0.0.0)');
-            if (!authToken) {
-                logger.warn('SECURITY WARNING: No authentication token configured. External access is not recommended without CM_AUTH_TOKEN.');
-                logger.info('Run "commandmate init" to configure a secure authentication token.');
-            }
+            console.log(security_messages_1.REVERSE_PROXY_WARNING);
         }
         // Use package installation directory, not current working directory
         const packageRoot = (0, paths_1.getPackageRoot)();

package/dist/cli/config/security-messages.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Security Messages
+ * Issue #179: Reverse proxy authentication recommendation
+ * Shared warning constants for CLI commands (DRY principle)
+ */
+/**
+ * Warning message displayed when CM_BIND=0.0.0.0
+ * Used by: init.ts, start.ts, daemon.ts
+ */
+export declare const REVERSE_PROXY_WARNING = "\n\u001B[1m\u001B[31mWARNING: Server is exposed to external networks without authentication\u001B[0m\n\nExposing the server without reverse proxy authentication\nis a serious security risk.\n\n\u001B[1mRisks:\u001B[0m\n  File read/write/delete and command execution\n  become accessible to third parties.\n\n\u001B[1mRecommended authentication methods:\u001B[0m\n  - Nginx + Basic Auth\n  - Cloudflare Access\n  - Tailscale\n\nDetails: https://github.com/Kewton/CommandMate/blob/main/docs/security-guide.md\n";
+//# sourceMappingURL=security-messages.d.ts.map

package/dist/cli/config/security-messages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-messages.d.ts","sourceRoot":"","sources":["../../../src/cli/config/security-messages.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;GAGG;AACH,eAAO,MAAM,qBAAqB,igBAgBjC,CAAC"}

package/dist/cli/config/security-messages.js

@@ -0,0 +1,29 @@
+"use strict";
+/**
+ * Security Messages
+ * Issue #179: Reverse proxy authentication recommendation
+ * Shared warning constants for CLI commands (DRY principle)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REVERSE_PROXY_WARNING = void 0;
+/**
+ * Warning message displayed when CM_BIND=0.0.0.0
+ * Used by: init.ts, start.ts, daemon.ts
+ */
+exports.REVERSE_PROXY_WARNING = `
+\x1b[1m\x1b[31mWARNING: Server is exposed to external networks without authentication\x1b[0m
+
+Exposing the server without reverse proxy authentication
+is a serious security risk.
+
+\x1b[1mRisks:\x1b[0m
+  File read/write/delete and command execution
+  become accessible to third parties.
+
+\x1b[1mRecommended authentication methods:\x1b[0m
+  - Nginx + Basic Auth
+  - Cloudflare Access
+  - Tailscale
+
+Details: https://github.com/Kewton/CommandMate/blob/main/docs/security-guide.md
+`;

package/dist/cli/types/index.d.ts

@@ -120,7 +120,6 @@ export interface EnvConfig {
     CM_ROOT_DIR: string;
     CM_PORT: number;
     CM_BIND: string;
-    CM_AUTH_TOKEN?: string;
     CM_DB_PATH: string;
     CM_LOG_LEVEL: string;
     CM_LOG_FORMAT: string;

package/dist/cli/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/types/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,oBAAY,QAAQ;IAClB,OAAO,IAAI;IACX,gBAAgB,IAAI;IACpB,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,WAAW,IAAI;IACf,gBAAgB,KAAK;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gCAAgC;IAChC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wBAAwB;IACxB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,kBAAkB,CAAC;IAC9C,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKtD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/cli/types/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,oBAAY,QAAQ;IAClB,OAAO,IAAI;IACX,gBAAgB,IAAI;IACpB,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB,WAAW,IAAI;IACf,gBAAgB,KAAK;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B,gCAAgC;IAChC,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wBAAwB;IACxB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,2BAA2B;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,6DAA6D;IAC7D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,mBAAmB;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,iCAAiC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,mBAAmB;IACnB,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,kBAAkB,CAAC;IAC9C,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,gEAAgE;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAKtD"}

package/dist/cli/utils/daemon.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAMtD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,MAAM,CAAY;gBAEd,WAAW,EAAE,MAAM;IAK/B;;;;;OAKG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IAmFnD;;;;OAIG;IACG,IAAI,CAAC,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA8BpD;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IA6B/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;OAEG;YACW,WAAW;CAiB1B"}
+{"version":3,"file":"daemon.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/daemon.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAOtD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,MAAM,CAAY;gBAEd,WAAW,EAAE,MAAM;IAK/B;;;;;OAKG;IACG,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;IA6EnD;;;;OAIG;IACG,IAAI,CAAC,KAAK,GAAE,OAAe,GAAG,OAAO,CAAC,OAAO,CAAC;IA8BpD;;;OAGG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;IA6B/C;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC;IAInC;;OAEG;YACW,WAAW;CAiB1B"}

package/dist/cli/utils/daemon.js

@@ -12,6 +12,7 @@ const dotenv_1 = require("dotenv");
 const pid_manager_1 = require("./pid-manager");
 const paths_1 = require("./paths");
 const env_setup_1 = require("./env-setup");
+const security_messages_1 = require("../config/security-messages");
 const logger_1 = require("./logger");
 /**
  * Daemon manager for background server process
@@ -60,16 +61,11 @@ class DaemonManager {
         if (options.dbPath) {
             env.CM_DB_PATH = options.dbPath;
         }
-        // Issue #125: Security warnings for external access (Stage 4 review: MF-2)
+        // Issue #179: Security warning for external access - recommend reverse proxy
         const bindAddress = env.CM_BIND || '127.0.0.1';
-        const authToken = env.CM_AUTH_TOKEN;
         const port = env.CM_PORT || '3000';
         if (bindAddress === '0.0.0.0') {
-            this.logger.warn('WARNING: Server is accessible from external networks (CM_BIND=0.0.0.0)');
-            if (!authToken) {
-                this.logger.warn('SECURITY WARNING: No authentication token configured. External access is not recommended without CM_AUTH_TOKEN.');
-                this.logger.info('Run "commandmate init" to configure a secure authentication token.');
-            }
+            console.log(security_messages_1.REVERSE_PROXY_WARNING);
         }
         // Log startup with accurate settings (Stage 4 review: MF-2)
         this.logger.info(`Starting server at http://${bindAddress}:${port}`);

package/dist/cli/utils/env-setup.d.ts

@@ -105,10 +105,6 @@ export declare class EnvSetup {
      * Backup existing .env file
      */
     backupExisting(): Promise<string | null>;
-    /**
-     * Generate secure authentication token
-     */
-    generateAuthToken(): string;
     /**
      * Validate configuration
      */

package/dist/cli/utils/env-setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"env-setup.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/env-setup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAaH,OAAO,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EACjB,MAAM,UAAU,CAAC;AASlB,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAElE;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;CAMf,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAA2B,CAAC;AAEzD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAOzC;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAwBnD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CASpF;AAKD;;;;;GAKG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAGnC;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAYvD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGlD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAMlD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAUpD;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE,MAAM;IAI5B;;;OAGG;IACG,aAAa,CACjB,MAAM,EAAE,SAAS,EACjB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,IAAI,CAAC;IAiChB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY9C;;OAEG;IACH,iBAAiB,IAAI,MAAM;IAI3B;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,SAAS,GAAG,gBAAgB;CAoCpD"}
+{"version":3,"file":"env-setup.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/env-setup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAYH,OAAO,EACL,SAAS,EACT,eAAe,EACf,gBAAgB,EACjB,MAAM,UAAU,CAAC;AASlB,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAElE;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;CAMf,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB,QAA2B,CAAC;AAEzD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAOzC;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAwBnD;AAED;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,CASpF;AAKD;;;;;GAKG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAGnC;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAYvD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGlD;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAMlD;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAUpD;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE,MAAM;IAI5B;;;OAGG;IACG,aAAa,CACjB,MAAM,EAAE,SAAS,EACjB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,IAAI,CAAC;IA6BhB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY9C;;OAEG;IACH,cAAc,CAAC,MAAM,EAAE,SAAS,GAAG,gBAAgB;CA+BpD"}

package/dist/cli/utils/env-setup.js

@@ -18,7 +18,6 @@ exports.validatePort = validatePort;
 exports.escapeEnvValue = escapeEnvValue;
 const fs_1 = require("fs");
 const path_1 = require("path");
-const crypto_1 = require("crypto");
 const os_1 = require("os");
 // Issue #136: Import from install-context.ts to avoid circular imports
 // Re-export for backward compatibility
@@ -210,9 +209,6 @@ class EnvSetup {
             `CM_LOG_LEVEL=${config.CM_LOG_LEVEL}`,
             `CM_LOG_FORMAT=${config.CM_LOG_FORMAT}`,
         ];
-        if (config.CM_AUTH_TOKEN) {
-            lines.push(`CM_AUTH_TOKEN=${config.CM_AUTH_TOKEN}`);
-        }
         lines.push('');
         const content = lines.join('\n');
         // Write with secure permissions
@@ -232,12 +228,6 @@ class EnvSetup {
         (0, fs_1.copyFileSync)(this.envPath, backupPath);
         return backupPath;
     }
-    /**
-     * Generate secure authentication token
-     */
-    generateAuthToken() {
-        return (0, crypto_1.randomBytes)(32).toString('hex');
-    }
     /**
      * Validate configuration
      */
@@ -252,10 +242,6 @@ class EnvSetup {
         if (!validBinds.includes(config.CM_BIND)) {
             errors.push(`Invalid bind address: must be one of ${validBinds.join(', ')}`);
         }
-        // Require auth token for external access
-        if (config.CM_BIND === '0.0.0.0' && !config.CM_AUTH_TOKEN) {
-            errors.push('auth token is required when binding to 0.0.0.0');
-        }
         // Validate log level
         const validLogLevels = ['debug', 'info', 'warn', 'error'];
         if (!validLogLevels.includes(config.CM_LOG_LEVEL)) {

package/dist/cli/utils/security-logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-logger.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/security-logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB;IACpB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAC1C,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAaD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAU3D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAc/E"}
+{"version":3,"file":"security-logger.d.ts","sourceRoot":"","sources":["../../../src/cli/utils/security-logger.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB;IACpB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAC1C,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAaD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAU3D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAY/E"}

package/dist/cli/utils/security-logger.js

@@ -43,9 +43,8 @@ function maskSensitiveData(input) {
     if (!input) {
         return input;
     }
-    // Mask CM_AUTH_TOKEN values
-    let result = input.replace(/CM_AUTH_TOKEN=\S+/g, 'CM_AUTH_TOKEN=***masked***');
     // Mask any token-like strings (12+ hex/alphanumeric characters after "token:")
+    let result = input;
     result = result.replace(/(?:token|Token)[:\s]+([a-zA-Z0-9]{12,})/gi, (_match, token) => {
         return _match.replace(token, '***');
     });

package/dist/server/server.js

@@ -37,6 +37,8 @@ const response_poller_1 = require("./src/lib/response-poller");
 const auto_yes_manager_1 = require("./src/lib/auto-yes-manager");
 const db_migrations_1 = require("./src/lib/db-migrations");
 const env_1 = require("./src/lib/env");
+const db_repository_1 = require("./src/lib/db-repository");
+const db_1 = require("./src/lib/db");
 const dev = process.env.NODE_ENV !== 'production';
 const hostname = (0, env_1.getEnvByKey)('CM_BIND') || '127.0.0.1';
 const port = parseInt((0, env_1.getEnvByKey)('CM_PORT') || '3000', 10);
@@ -76,8 +78,29 @@ app.prepare().then(() => {
             repositoryPaths.forEach((path, i) => {
                 console.log(`  ${i + 1}. ${path}`);
             });
-            // Scan all repositories
-            const worktrees = await (0, worktrees_1.scanMultipleRepositories)(repositoryPaths);
+            // Issue #202: Register environment variable repositories and filter out excluded ones
+            // registerAndFilterRepositories() encapsulates the ordering constraint:
+            // registration MUST happen before filtering (see design policy Section 4)
+            const { filteredPaths, excludedPaths, excludedCount } = (0, db_repository_1.registerAndFilterRepositories)(db, repositoryPaths);
+            if (excludedCount > 0) {
+                console.log(`Excluded repositories: ${excludedCount}, Active repositories: ${filteredPaths.length}`);
+                // SF-SEC-003: Log excluded repository paths for audit/troubleshooting
+                excludedPaths.forEach(p => {
+                    console.log(`  [excluded] ${p}`);
+                });
+                // Issue #202: Remove worktrees of excluded repositories from DB
+                // Without this, worktree records remain in DB and appear in the UI
+                for (const excludedPath of excludedPaths) {
+                    const resolvedPath = (0, db_repository_1.resolveRepositoryPath)(excludedPath);
+                    const worktreeIds = (0, db_1.getWorktreeIdsByRepository)(db, resolvedPath);
+                    if (worktreeIds.length > 0) {
+                        const result = (0, db_1.deleteWorktreesByIds)(db, worktreeIds);
+                        console.log(`  Removed ${result.deletedCount} worktree(s) from excluded repository: ${resolvedPath}`);
+                    }
+                }
+            }
+            // Scan filtered repositories (excluded repos are skipped)
+            const worktrees = await (0, worktrees_1.scanMultipleRepositories)(filteredPaths);
             // Sync to database
             (0, worktrees_1.syncWorktreesToDB)(db, worktrees);
             console.log(`✓ Total: ${worktrees.length} worktree(s) synced to database`);

package/dist/server/src/lib/auto-yes-manager.js

@@ -9,7 +9,7 @@
  * auto-yes responses when browser tabs are in background.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.MAX_CONCURRENT_POLLERS = exports.MAX_CONSECUTIVE_ERRORS = exports.MAX_BACKOFF_MS = exports.POLLING_INTERVAL_MS = void 0;
+exports.THINKING_CHECK_LINE_COUNT = exports.MAX_CONCURRENT_POLLERS = exports.MAX_CONSECUTIVE_ERRORS = exports.MAX_BACKOFF_MS = exports.POLLING_INTERVAL_MS = void 0;
 exports.isValidWorktreeId = isValidWorktreeId;
 exports.calculateBackoffInterval = calculateBackoffInterval;
 exports.isAutoYesExpired = isAutoYesExpired;
@@ -41,6 +41,16 @@ exports.MAX_CONSECUTIVE_ERRORS = 5;
 exports.MAX_CONCURRENT_POLLERS = 50;
 /** Timeout duration: 1 hour in milliseconds */
 const AUTO_YES_TIMEOUT_MS = 3600000;
+/**
+ * Number of lines from the end to check for thinking indicators (Issue #191)
+ * Matches detectPrompt()'s multiple_choice scan range (50 lines in prompt-detector.ts)
+ * to ensure Issue #161 Layer 1 defense covers the same scope as prompt detection.
+ *
+ * IMPORTANT: This value is semantically coupled to the hardcoded 50 in
+ * prompt-detector.ts detectMultipleChoicePrompt() (L268: Math.max(0, lines.length - 50)).
+ * See SF-001 in Stage 1 review. A cross-reference test validates this coupling.
+ */
+exports.THINKING_CHECK_LINE_COUNT = 50;
 /** Worktree ID validation pattern (security: prevent command injection) */
 const WORKTREE_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
 /** In-memory storage for auto-yes states (globalThis for hot reload persistence) */
@@ -205,32 +215,111 @@ async function pollAutoYes(worktreeId, cliToolId) {
     try {
         // 1. Capture tmux output
         const output = await (0, cli_session_1.captureSessionOutput)(worktreeId, cliToolId, 5000);
-        // 2. Strip ANSI codes and detect prompt
+        // 2. Strip ANSI codes
         const cleanOutput = (0, cli_patterns_1.stripAnsi)(output);
-        const promptDetection = (0, prompt_detector_1.detectPrompt)(cleanOutput);
+        // 2.5. Skip prompt detection during thinking state (Issue #161, Layer 1)
+        // This prevents false positive detection of numbered lists in CLI output
+        // while Claude is actively processing (thinking/planning).
+        //
+        // Issue #191: Apply windowing to detectThinking() to prevent stale thinking
+        // summary lines (e.g., "· Simmering…") from blocking prompt detection.
+        // Window size matches detectPrompt()'s multiple_choice scan range (50 lines).
+        //
+        // Safety: Claude CLI does not emit prompts during thinking, so narrowing
+        // the window cannot cause false auto-responses (see IA-003 in design doc).
+        //
+        // Processing order: stripAnsi -> split -> slice -> join
+        // stripAnsi is applied BEFORE split to ensure ANSI escape sequences spanning
+        // line boundaries do not affect line counting (IA-002).
+        //
+        // Boundary case: if buffer has fewer than 50 lines, slice(-50) returns the
+        // entire array (Array.prototype.slice specification), which is safe degradation
+        // equivalent to pre-fix behavior (IA-001).
+        const recentLines = cleanOutput.split('\n').slice(-exports.THINKING_CHECK_LINE_COUNT).join('\n');
+        if ((0, cli_patterns_1.detectThinking)(cliToolId, recentLines)) {
+            scheduleNextPoll(worktreeId, cliToolId);
+            return;
+        }
+        // 3. Detect prompt
+        const promptOptions = (0, cli_patterns_1.buildDetectPromptOptions)(cliToolId);
+        const promptDetection = (0, prompt_detector_1.detectPrompt)(cleanOutput, promptOptions);
         if (!promptDetection.isPrompt || !promptDetection.promptData) {
             // No prompt detected, schedule next poll
             scheduleNextPoll(worktreeId, cliToolId);
             return;
         }
-        // 3. Resolve auto answer
+        // 4. Resolve auto answer
         const answer = (0, auto_yes_resolver_1.resolveAutoAnswer)(promptDetection.promptData);
         if (answer === null) {
             // Cannot auto-answer this prompt
             scheduleNextPoll(worktreeId, cliToolId);
             return;
         }
-        // 4. Send answer to tmux
+        // 5. Send answer to tmux
         const manager = manager_1.CLIToolManager.getInstance();
         const cliTool = manager.getTool(cliToolId);
         const sessionName = cliTool.getSessionName(worktreeId);
-        // Send answer followed by Enter
-        await (0, tmux_1.sendKeys)(sessionName, answer, false);
-        await new Promise(resolve => setTimeout(resolve, 100));
-        await (0, tmux_1.sendKeys)(sessionName, '', true);
-        // 5. Update timestamp
+        // Issue #193: Claude Code AskUserQuestion uses cursor-based navigation
+        // (Arrow/Space/Enter), not number input. Detect multi-choice and send
+        // appropriate key sequence instead of typing the number.
+        const isClaudeMultiChoice = cliToolId === 'claude'
+            && promptDetection.promptData?.type === 'multiple_choice'
+            && /^\d+$/.test(answer);
+        if (isClaudeMultiChoice && promptDetection.promptData?.type === 'multiple_choice') {
+            const targetNum = parseInt(answer, 10);
+            const mcOptions = promptDetection.promptData.options;
+            const defaultOption = mcOptions.find(o => o.isDefault);
+            const defaultNum = defaultOption?.number ?? 1;
+            const offset = targetNum - defaultNum;
+            // Detect multi-select (checkbox) prompts by checking for [ ] in option labels.
+            const isMultiSelect = mcOptions.some(o => /^\[[ x]\] /.test(o.label));
+            if (isMultiSelect) {
+                // Multi-select: toggle checkbox, then navigate to "Next" and submit
+                const checkboxCount = mcOptions.filter(o => /^\[[ x]\] /.test(o.label)).length;
+                const keys = [];
+                // 1. Navigate to target option
+                if (offset > 0) {
+                    for (let i = 0; i < offset; i++)
+                        keys.push('Down');
+                }
+                else if (offset < 0) {
+                    for (let i = 0; i < Math.abs(offset); i++)
+                        keys.push('Up');
+                }
+                // 2. Space to toggle checkbox
+                keys.push('Space');
+                // 3. Navigate to "Next" button (positioned right after all checkbox options)
+                const downToNext = checkboxCount - targetNum + 1;
+                for (let i = 0; i < downToNext; i++)
+                    keys.push('Down');
+                // 4. Enter to submit
+                keys.push('Enter');
+                await (0, tmux_1.sendSpecialKeys)(sessionName, keys);
+            }
+            else {
+                // Single-select: navigate and Enter to select
+                const keys = [];
+                if (offset > 0) {
+                    for (let i = 0; i < offset; i++)
+                        keys.push('Down');
+                }
+                else if (offset < 0) {
+                    for (let i = 0; i < Math.abs(offset); i++)
+                        keys.push('Up');
+                }
+                keys.push('Enter');
+                await (0, tmux_1.sendSpecialKeys)(sessionName, keys);
+            }
+        }
+        else {
+            // Standard CLI prompt: send text + Enter (y/n, Approve?, etc.)
+            await (0, tmux_1.sendKeys)(sessionName, answer, false);
+            await new Promise(resolve => setTimeout(resolve, 100));
+            await (0, tmux_1.sendKeys)(sessionName, '', true);
+        }
+        // 6. Update timestamp
         updateLastServerResponseTimestamp(worktreeId, Date.now());
-        // 6. Reset error count on success
+        // 7. Reset error count on success
         resetErrorCount(worktreeId);
         // Log success (without sensitive content)
         console.info(`[Auto-Yes Poller] Sent response for worktree: ${worktreeId}`);