commandmate 0.1.12 → 0.2.1

package/dist/server/src/lib/cli-tools/manager.js

@@ -8,6 +8,8 @@ exports.CLIToolManager = void 0;
 const claude_1 = require("./claude");
 const codex_1 = require("./codex");
 const gemini_1 = require("./gemini");
+const response_poller_1 = require("../response-poller");
+const claude_poller_1 = require("../claude-poller");
 /**
  * CLI Tool Manager (Singleton)
  * Provides centralized access to all CLI tools
@@ -139,5 +141,30 @@ class CLIToolManager {
         const allInfo = await this.getAllToolsInfo();
         return allInfo.filter(info => info.installed);
     }
+    /**
+     * Stop pollers for a specific worktree and CLI tool
+     * T2.4: Abstraction for poller stopping (MF1-001 DIP compliance)
+     *
+     * This method abstracts the poller stopping logic so API layer
+     * doesn't need to know about specific poller implementations.
+     *
+     * @param worktreeId - Worktree ID
+     * @param cliToolId - CLI tool ID
+     *
+     * @example
+     * ```typescript
+     * const manager = CLIToolManager.getInstance();
+     * manager.stopPollers('my-worktree', 'claude');
+     * ```
+     */
+    stopPollers(worktreeId, cliToolId) {
+        // Stop response-poller for all tools
+        (0, response_poller_1.stopPolling)(worktreeId, cliToolId);
+        // claude-poller is Claude-specific
+        if (cliToolId === 'claude') {
+            (0, claude_poller_1.stopPolling)(worktreeId);
+        }
+        // Future: Add other tool-specific pollers here if needed
+    }
 }
 exports.CLIToolManager = CLIToolManager;

package/dist/server/src/lib/cli-tools/types.js

@@ -3,3 +3,10 @@
  * Type definitions and interfaces for CLI tools
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.CLI_TOOL_IDS = void 0;
+/**
+ * CLI Tool IDs constant array
+ * T2.1: Single source of truth for CLI tool IDs
+ * CLIToolType is derived from this constant (DRY principle)
+ */
+exports.CLI_TOOL_IDS = ['claude', 'codex', 'gemini'];

package/dist/server/src/lib/cli-tools/validation.js

@@ -0,0 +1,41 @@
+"use strict";
+/**
+ * Session name validation module
+ * Issue #4: T2.2 - Security validation for session names (MF4-001)
+ *
+ * This module provides validation functions to prevent command injection
+ * attacks through session names used in tmux commands.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SESSION_NAME_PATTERN = void 0;
+exports.validateSessionName = validateSessionName;
+/**
+ * Session name pattern
+ * Only allows alphanumeric characters, underscores, and hyphens
+ * This prevents command injection through shell special characters
+ *
+ * Pattern breakdown:
+ * - ^ : Start of string
+ * - [a-zA-Z0-9_-] : Allowed characters (alphanumeric, underscore, hyphen)
+ * - + : One or more characters (empty strings not allowed)
+ * - $ : End of string
+ */
+exports.SESSION_NAME_PATTERN = /^[a-zA-Z0-9_-]+$/;
+/**
+ * Validate session name format
+ * Throws an error if the session name contains invalid characters
+ *
+ * @param sessionName - Session name to validate
+ * @throws Error if session name is invalid
+ *
+ * @example
+ * ```typescript
+ * validateSessionName('mcbd-claude-test'); // OK
+ * validateSessionName('test;rm -rf'); // Throws Error
+ * ```
+ */
+function validateSessionName(sessionName) {
+    if (!exports.SESSION_NAME_PATTERN.test(sessionName)) {
+        throw new Error(`Invalid session name format: ${sessionName}`);
+    }
+}

package/dist/server/src/lib/db-repository.js

@@ -0,0 +1,482 @@
+"use strict";
+/**
+ * Repository and Clone Job Database Operations
+ * Issue #71: Clone URL registration feature
+ * Issue #190: Repository exclusion on sync
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MAX_DISABLED_REPOSITORIES = void 0;
+exports.createRepository = createRepository;
+exports.getRepositoryByNormalizedUrl = getRepositoryByNormalizedUrl;
+exports.getRepositoryById = getRepositoryById;
+exports.getRepositoryByPath = getRepositoryByPath;
+exports.updateRepository = updateRepository;
+exports.getAllRepositories = getAllRepositories;
+exports.resolveRepositoryPath = resolveRepositoryPath;
+exports.validateRepositoryPath = validateRepositoryPath;
+exports.ensureEnvRepositoriesRegistered = ensureEnvRepositoriesRegistered;
+exports.filterExcludedPaths = filterExcludedPaths;
+exports.registerAndFilterRepositories = registerAndFilterRepositories;
+exports.disableRepository = disableRepository;
+exports.getExcludedRepositoryPaths = getExcludedRepositoryPaths;
+exports.getExcludedRepositories = getExcludedRepositories;
+exports.restoreRepository = restoreRepository;
+exports.createCloneJob = createCloneJob;
+exports.getCloneJob = getCloneJob;
+exports.updateCloneJob = updateCloneJob;
+exports.getActiveCloneJobByUrl = getActiveCloneJobByUrl;
+exports.getCloneJobsByStatus = getCloneJobsByStatus;
+const crypto_1 = require("crypto");
+const path_1 = __importDefault(require("path"));
+const system_directories_1 = require("../config/system-directories");
+/**
+ * Map repository row to Repository model
+ */
+function mapRepositoryRow(row) {
+    return {
+        id: row.id,
+        name: row.name,
+        path: row.path,
+        enabled: row.enabled === 1,
+        cloneUrl: row.clone_url || undefined,
+        normalizedCloneUrl: row.normalized_clone_url || undefined,
+        cloneSource: row.clone_source,
+        isEnvManaged: row.is_env_managed === 1,
+        createdAt: new Date(row.created_at),
+        updatedAt: new Date(row.updated_at),
+    };
+}
+/**
+ * Map clone job row to CloneJobDB model
+ */
+function mapCloneJobRow(row) {
+    return {
+        id: row.id,
+        cloneUrl: row.clone_url,
+        normalizedCloneUrl: row.normalized_clone_url,
+        targetPath: row.target_path,
+        repositoryId: row.repository_id || undefined,
+        status: row.status,
+        pid: row.pid || undefined,
+        progress: row.progress,
+        errorCategory: row.error_category || undefined,
+        errorCode: row.error_code || undefined,
+        errorMessage: row.error_message || undefined,
+        startedAt: row.started_at ? new Date(row.started_at) : undefined,
+        completedAt: row.completed_at ? new Date(row.completed_at) : undefined,
+        createdAt: new Date(row.created_at),
+    };
+}
+// ============================================================
+// Repository Operations
+// ============================================================
+/**
+ * Create a new repository
+ */
+function createRepository(db, data) {
+    const id = (0, crypto_1.randomUUID)();
+    const now = Date.now();
+    const stmt = db.prepare(`
+    INSERT INTO repositories (
+      id, name, path, enabled, clone_url, normalized_clone_url,
+      clone_source, is_env_managed, created_at, updated_at
+    )
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+    stmt.run(id, data.name, data.path, data.enabled !== false ? 1 : 0, data.cloneUrl || null, data.normalizedCloneUrl || null, data.cloneSource, data.isEnvManaged ? 1 : 0, now, now);
+    return {
+        id,
+        name: data.name,
+        path: data.path,
+        enabled: data.enabled !== false,
+        cloneUrl: data.cloneUrl,
+        normalizedCloneUrl: data.normalizedCloneUrl,
+        cloneSource: data.cloneSource,
+        isEnvManaged: data.isEnvManaged || false,
+        createdAt: new Date(now),
+        updatedAt: new Date(now),
+    };
+}
+/**
+ * Get repository by normalized clone URL
+ */
+function getRepositoryByNormalizedUrl(db, normalizedCloneUrl) {
+    const stmt = db.prepare(`
+    SELECT * FROM repositories
+    WHERE normalized_clone_url = ?
+  `);
+    const row = stmt.get(normalizedCloneUrl);
+    return row ? mapRepositoryRow(row) : null;
+}
+/**
+ * Get repository by ID
+ */
+function getRepositoryById(db, id) {
+    const stmt = db.prepare(`
+    SELECT * FROM repositories
+    WHERE id = ?
+  `);
+    const row = stmt.get(id);
+    return row ? mapRepositoryRow(row) : null;
+}
+/**
+ * Get repository by path
+ */
+function getRepositoryByPath(db, path) {
+    const stmt = db.prepare(`
+    SELECT * FROM repositories
+    WHERE path = ?
+  `);
+    const row = stmt.get(path);
+    return row ? mapRepositoryRow(row) : null;
+}
+/**
+ * Update repository
+ */
+function updateRepository(db, id, updates) {
+    const now = Date.now();
+    const assignments = ['updated_at = ?'];
+    const params = [now];
+    if (updates.name !== undefined) {
+        assignments.push('name = ?');
+        params.push(updates.name);
+    }
+    if (updates.enabled !== undefined) {
+        assignments.push('enabled = ?');
+        params.push(updates.enabled ? 1 : 0);
+    }
+    if (updates.cloneUrl !== undefined) {
+        assignments.push('clone_url = ?');
+        params.push(updates.cloneUrl || null);
+    }
+    if (updates.normalizedCloneUrl !== undefined) {
+        assignments.push('normalized_clone_url = ?');
+        params.push(updates.normalizedCloneUrl || null);
+    }
+    params.push(id);
+    const stmt = db.prepare(`
+    UPDATE repositories
+    SET ${assignments.join(', ')}
+    WHERE id = ?
+  `);
+    stmt.run(...params);
+}
+/**
+ * Get all repositories
+ */
+function getAllRepositories(db) {
+    const stmt = db.prepare(`
+    SELECT * FROM repositories
+    ORDER BY name ASC
+  `);
+    const rows = stmt.all();
+    return rows.map(mapRepositoryRow);
+}
+// ============================================================
+// Repository Exclusion Operations (Issue #190)
+// ============================================================
+/**
+ * Maximum number of disabled repositories allowed.
+ * Prevents unlimited record accumulation from malicious or buggy DELETE requests.
+ * SEC-SF-004
+ */
+exports.MAX_DISABLED_REPOSITORIES = 1000;
+/**
+ * Resolve and normalize a repository path.
+ * All path normalization is centralized here to prevent inconsistencies.
+ *
+ * NOTE: path.resolve() removes trailing slashes and resolves relative paths
+ * but does NOT resolve symlinks. For symlink resolution, use fs.realpathSync().
+ * See design policy Section 7 for the symlink handling policy.
+ *
+ * SF-001: DRY - centralized path normalization
+ */
+function resolveRepositoryPath(repoPath) {
+    return path_1.default.resolve(repoPath);
+}
+/**
+ * Validate and resolve a repository path for API requests.
+ * Centralizes all validation checks to avoid duplication across route handlers.
+ *
+ * Checks performed:
+ * 1. Presence and type check (must be non-empty string)
+ * 2. Null byte check (path traversal prevention, SEC-MF-001)
+ * 3. System directory check (prevents operations on /etc, /usr, etc.)
+ *
+ * DRY: Used by DELETE /api/repositories and PUT /api/repositories/restore
+ */
+function validateRepositoryPath(repositoryPath) {
+    if (!repositoryPath || typeof repositoryPath !== 'string') {
+        return { valid: false, error: 'repositoryPath is required' };
+    }
+    if (repositoryPath.includes('\0')) {
+        return { valid: false, error: 'Invalid repository path' };
+    }
+    const resolvedPath = resolveRepositoryPath(repositoryPath);
+    if ((0, system_directories_1.isSystemDirectory)(resolvedPath)) {
+        return { valid: false, error: 'Invalid repository path' };
+    }
+    return { valid: true, resolvedPath };
+}
+/**
+ * Register environment variable repositories to the repositories table.
+ * Idempotent: already registered repositories are skipped (regardless of enabled status).
+ *
+ * NOTE (MF-C01): createRepository() treats enabled as follows:
+ *   - true  -> SQLite 1 (enabled)
+ *   - false -> SQLite 0 (disabled)
+ *   - undefined -> SQLite 1 (enabled, due to `data.enabled !== false ? 1 : 0` logic)
+ * We explicitly pass enabled: true to avoid relying on the implicit default.
+ *
+ * MF-001: SRP - registration logic separated from sync route
+ */
+function ensureEnvRepositoriesRegistered(db, repositoryPaths) {
+    for (const repoPath of repositoryPaths) {
+        const resolvedPath = resolveRepositoryPath(repoPath);
+        const existing = getRepositoryByPath(db, resolvedPath);
+        if (!existing) {
+            createRepository(db, {
+                name: path_1.default.basename(resolvedPath),
+                path: resolvedPath,
+                cloneSource: 'local',
+                isEnvManaged: true,
+                enabled: true, // Explicit: do not rely on undefined -> 1 default
+            });
+        }
+    }
+}
+/**
+ * Filter out excluded repository paths (enabled=0).
+ * Exclusion logic is encapsulated here, so changes to exclusion criteria
+ * (e.g., pattern-based exclusion, temporary exclusion) only affect this function.
+ *
+ * @requires ensureEnvRepositoriesRegistered() must be called before this function
+ *           to ensure all paths exist in the repositories table.
+ *           Without prior registration, unregistered paths will not be filtered correctly.
+ *
+ * NOTE (SEC-SF-002): Array.includes() performs case-sensitive string comparison.
+ * On macOS (case-insensitive filesystem), paths with different casing would not match.
+ * resolveRepositoryPath() normalization on both sides mitigates most cases.
+ * On Linux (case-sensitive filesystem), the behavior is consistent.
+ *
+ * @param db - Database instance
+ * @param repositoryPaths - Array of repository paths to filter
+ * @returns Filtered array excluding disabled repositories
+ *
+ * SF-003: OCP - exclusion logic encapsulated
+ */
+function filterExcludedPaths(db, repositoryPaths) {
+    const excludedPaths = getExcludedRepositoryPaths(db);
+    return repositoryPaths.filter(p => !excludedPaths.includes(resolveRepositoryPath(p)));
+}
+/**
+ * Register environment variable repositories and filter out excluded ones.
+ * Encapsulates the ordering constraint: registration MUST happen before filtering.
+ *
+ * This function combines ensureEnvRepositoriesRegistered() and filterExcludedPaths()
+ * into a single atomic operation to prevent callers from accidentally reversing the order.
+ *
+ * DRY: Used by server.ts initializeWorktrees() and POST /api/repositories/sync
+ *
+ * @param db - Database instance
+ * @param repositoryPaths - Array of repository paths from environment variables
+ * @returns ExclusionSummary with filtered paths, excluded paths, and count
+ */
+function registerAndFilterRepositories(db, repositoryPaths) {
+    // Step 1: Register (must be before filter - see design policy Section 4)
+    ensureEnvRepositoriesRegistered(db, repositoryPaths);
+    // Step 2: Filter
+    const filteredPaths = filterExcludedPaths(db, repositoryPaths);
+    const excludedPaths = repositoryPaths.filter(p => !filteredPaths.includes(p));
+    return {
+        filteredPaths,
+        excludedPaths,
+        excludedCount: excludedPaths.length,
+    };
+}
+/**
+ * Disable a repository by setting enabled=0.
+ * If the repository is not registered, create it with enabled=0.
+ * All internal logic (lookup + update/create) is encapsulated.
+ *
+ * NOTE (MF-C01): Explicitly passes enabled: false to createRepository().
+ * The internal mapping `data.enabled !== false ? 1 : 0` will correctly
+ * store 0 in SQLite. Do NOT pass undefined for enabled.
+ *
+ * NOTE (SEC-SF-004): When creating a new record, checks the count of
+ * disabled repositories against MAX_DISABLED_REPOSITORIES to prevent
+ * unlimited record accumulation from malicious or buggy DELETE requests.
+ *
+ * SF-002: SRP - disable logic encapsulated
+ */
+function disableRepository(db, repositoryPath) {
+    const resolvedPath = resolveRepositoryPath(repositoryPath);
+    const repo = getRepositoryByPath(db, resolvedPath);
+    if (repo) {
+        updateRepository(db, repo.id, { enabled: false });
+    }
+    else {
+        // SEC-SF-004: Check disabled repository count limit before creating new record
+        const disabledCount = db.prepare('SELECT COUNT(*) as count FROM repositories WHERE enabled = 0').get();
+        if (disabledCount.count >= exports.MAX_DISABLED_REPOSITORIES) {
+            throw new Error('Disabled repository limit exceeded');
+        }
+        createRepository(db, {
+            name: path_1.default.basename(resolvedPath),
+            path: resolvedPath,
+            cloneSource: 'local',
+            isEnvManaged: false,
+            enabled: false, // Explicit: do not rely on undefined -> 1 default
+        });
+    }
+}
+/**
+ * Get paths of excluded (enabled=0) repositories
+ */
+function getExcludedRepositoryPaths(db) {
+    const stmt = db.prepare('SELECT path FROM repositories WHERE enabled = 0');
+    const rows = stmt.all();
+    return rows.map(r => r.path);
+}
+/**
+ * Get excluded repositories with full details
+ */
+function getExcludedRepositories(db) {
+    const stmt = db.prepare('SELECT * FROM repositories WHERE enabled = 0 ORDER BY name ASC');
+    const rows = stmt.all();
+    return rows.map(mapRepositoryRow);
+}
+/**
+ * Restore an excluded repository by setting enabled=1
+ *
+ * @returns Restored Repository object, or null if not found
+ */
+function restoreRepository(db, repoPath) {
+    const resolvedPath = resolveRepositoryPath(repoPath);
+    const repo = getRepositoryByPath(db, resolvedPath);
+    if (!repo)
+        return null;
+    updateRepository(db, repo.id, { enabled: true });
+    return { ...repo, enabled: true };
+}
+// ============================================================
+// Clone Job Operations
+// ============================================================
+/**
+ * Create a new clone job
+ */
+function createCloneJob(db, data) {
+    const id = (0, crypto_1.randomUUID)();
+    const now = Date.now();
+    const stmt = db.prepare(`
+    INSERT INTO clone_jobs (
+      id, clone_url, normalized_clone_url, target_path,
+      status, progress, created_at
+    )
+    VALUES (?, ?, ?, ?, 'pending', 0, ?)
+  `);
+    stmt.run(id, data.cloneUrl, data.normalizedCloneUrl, data.targetPath, now);
+    return {
+        id,
+        cloneUrl: data.cloneUrl,
+        normalizedCloneUrl: data.normalizedCloneUrl,
+        targetPath: data.targetPath,
+        status: 'pending',
+        progress: 0,
+        createdAt: new Date(now),
+    };
+}
+/**
+ * Get clone job by ID
+ */
+function getCloneJob(db, id) {
+    const stmt = db.prepare(`
+    SELECT * FROM clone_jobs
+    WHERE id = ?
+  `);
+    const row = stmt.get(id);
+    return row ? mapCloneJobRow(row) : null;
+}
+/**
+ * Update clone job
+ */
+function updateCloneJob(db, id, updates) {
+    const assignments = [];
+    const params = [];
+    if (updates.status !== undefined) {
+        assignments.push('status = ?');
+        params.push(updates.status);
+    }
+    if (updates.pid !== undefined) {
+        assignments.push('pid = ?');
+        params.push(updates.pid);
+    }
+    if (updates.progress !== undefined) {
+        assignments.push('progress = ?');
+        params.push(updates.progress);
+    }
+    if (updates.repositoryId !== undefined) {
+        assignments.push('repository_id = ?');
+        params.push(updates.repositoryId);
+    }
+    if (updates.errorCategory !== undefined) {
+        assignments.push('error_category = ?');
+        params.push(updates.errorCategory);
+    }
+    if (updates.errorCode !== undefined) {
+        assignments.push('error_code = ?');
+        params.push(updates.errorCode);
+    }
+    if (updates.errorMessage !== undefined) {
+        assignments.push('error_message = ?');
+        params.push(updates.errorMessage);
+    }
+    if (updates.startedAt !== undefined) {
+        assignments.push('started_at = ?');
+        params.push(updates.startedAt.getTime());
+    }
+    if (updates.completedAt !== undefined) {
+        assignments.push('completed_at = ?');
+        params.push(updates.completedAt.getTime());
+    }
+    if (assignments.length === 0) {
+        return;
+    }
+    params.push(id);
+    const stmt = db.prepare(`
+    UPDATE clone_jobs
+    SET ${assignments.join(', ')}
+    WHERE id = ?
+  `);
+    stmt.run(...params);
+}
+/**
+ * Get active clone job by normalized URL
+ * Active jobs are those with status 'pending' or 'running'
+ */
+function getActiveCloneJobByUrl(db, normalizedCloneUrl) {
+    const stmt = db.prepare(`
+    SELECT * FROM clone_jobs
+    WHERE normalized_clone_url = ?
+      AND status IN ('pending', 'running')
+    ORDER BY created_at DESC
+    LIMIT 1
+  `);
+    const row = stmt.get(normalizedCloneUrl);
+    return row ? mapCloneJobRow(row) : null;
+}
+/**
+ * Get clone jobs by status
+ */
+function getCloneJobsByStatus(db, status) {
+    const stmt = db.prepare(`
+    SELECT * FROM clone_jobs
+    WHERE status = ?
+    ORDER BY created_at DESC
+  `);
+    const rows = stmt.all(status);
+    return rows.map(mapCloneJobRow);
+}

package/dist/server/src/lib/db.js

@@ -19,6 +19,7 @@ exports.getMessages = getMessages;
 exports.getLastUserMessage = getLastUserMessage;
 exports.getLastMessage = getLastMessage;
 exports.deleteAllMessages = deleteAllMessages;
+exports.deleteMessagesByCliTool = deleteMessagesByCliTool;
 exports.getSessionState = getSessionState;
 exports.updateSessionState = updateSessionState;
 exports.setInProgressMessageId = setInProgressMessageId;
@@ -458,6 +459,28 @@ function deleteAllMessages(db, worktreeId) {
     stmt.run(worktreeId);
     console.log(`[deleteAllMessages] Deleted all messages for worktree: ${worktreeId}`);
 }
+/**
+ * Delete messages for a specific CLI tool in a worktree
+ * Issue #4: T4.2 - Individual CLI tool session termination (MF3-001)
+ *
+ * Used when killing only a specific CLI tool's session to clear its message history
+ * while preserving messages from other CLI tools.
+ * Note: Log files are preserved for historical reference
+ *
+ * @param db - Database instance
+ * @param worktreeId - Worktree ID
+ * @param cliTool - CLI tool ID to delete messages for
+ * @returns Number of deleted messages
+ */
+function deleteMessagesByCliTool(db, worktreeId, cliTool) {
+    const stmt = db.prepare(`
+    DELETE FROM chat_messages
+    WHERE worktree_id = ? AND cli_tool_id = ?
+  `);
+    const result = stmt.run(worktreeId, cliTool);
+    console.log(`[deleteMessagesByCliTool] Deleted ${result.changes} messages for worktree: ${worktreeId}, cliTool: ${cliTool}`);
+    return result.changes;
+}
 /**
  * Get session state for a worktree
  */

package/dist/server/src/lib/env.js

@@ -22,7 +22,6 @@ exports.getDatabasePathWithDeprecationWarning = getDatabasePathWithDeprecationWa
 exports.getLogConfig = getLogConfig;
 exports.getEnv = getEnv;
 exports.validateEnv = validateEnv;
-exports.isAuthRequired = isAuthRequired;
 const path_1 = __importDefault(require("path"));
 const db_path_resolver_1 = require("./db-path-resolver");
 // ============================================================
@@ -37,7 +36,6 @@ exports.ENV_MAPPING = {
     CM_ROOT_DIR: 'MCBD_ROOT_DIR',
     CM_PORT: 'MCBD_PORT',
     CM_BIND: 'MCBD_BIND',
-    CM_AUTH_TOKEN: 'MCBD_AUTH_TOKEN',
     CM_LOG_LEVEL: 'MCBD_LOG_LEVEL',
     CM_LOG_FORMAT: 'MCBD_LOG_FORMAT',
     CM_LOG_DIR: 'MCBD_LOG_DIR',
@@ -160,7 +158,6 @@ function getEnv() {
     const rootDir = getEnvByKey('CM_ROOT_DIR') || process.cwd();
     const port = parseInt(getEnvByKey('CM_PORT') || '3000', 10);
     const bind = getEnvByKey('CM_BIND') || '127.0.0.1';
-    const authToken = getEnvByKey('CM_AUTH_TOKEN');
     // Issue #135: DB path resolution with proper fallback chain
     // Priority: CM_DB_PATH > DATABASE_PATH (deprecated) > getDefaultDbPath()
     const databasePath = getEnvByKey('CM_DB_PATH')
@@ -176,10 +173,6 @@ function getEnv() {
     if (bind !== '127.0.0.1' && bind !== '0.0.0.0' && bind !== 'localhost') {
         throw new Error(`Invalid CM_BIND: ${bind}. Must be '127.0.0.1', '0.0.0.0', or 'localhost'.`);
     }
-    // Require auth token for public binding
-    if (bind === '0.0.0.0' && !authToken) {
-        throw new Error('CM_AUTH_TOKEN (or MCBD_AUTH_TOKEN) is required when CM_BIND=0.0.0.0');
-    }
     // Issue #135: Validate DB path for security (SEC-001)
     let validatedDbPath;
     try {
@@ -195,7 +188,6 @@ function getEnv() {
         CM_ROOT_DIR: path_1.default.resolve(rootDir),
         CM_PORT: port,
         CM_BIND: bind,
-        CM_AUTH_TOKEN: authToken,
         CM_DB_PATH: validatedDbPath,
     };
 }
@@ -217,12 +209,3 @@ function validateEnv() {
         return { valid: false, errors };
     }
 }
-/**
- * Check if authentication is required based on bind address
- *
- * @returns True if authentication is required
- */
-function isAuthRequired() {
-    const env = getEnv();
-    return env.CM_BIND === '0.0.0.0';
-}

package/dist/server/src/lib/logger.js

@@ -35,10 +35,6 @@ const SENSITIVE_PATTERNS = [
     { pattern: /(password|passwd|pwd)[=:]\s*\S+/gi, replacement: '$1=[REDACTED]' },
     // Token/secret related
     { pattern: /(token|secret|api_key|apikey|auth)[=:]\s*\S+/gi, replacement: '$1=[REDACTED]' },
-    // CM_AUTH_TOKEN (new name - Issue #76)
-    { pattern: /CM_AUTH_TOKEN=\S+/gi, replacement: 'CM_AUTH_TOKEN=[REDACTED]' },
-    // MCBD_AUTH_TOKEN (legacy name)
-    { pattern: /MCBD_AUTH_TOKEN=\S+/gi, replacement: 'MCBD_AUTH_TOKEN=[REDACTED]' },
     // Authorization header
     { pattern: /Authorization:\s*\S+/gi, replacement: 'Authorization: [REDACTED]' },
     // SSH key