faux-studio 0.4.0 → 0.4.1

package/dist/index.js

@@ -10414,9 +10414,6 @@ var require_dist = __commonJS({
 });
 
 // src/auth.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
-import { join } from "path";
-import { homedir } from "os";
 import { spawn } from "child_process";
 
 // src/logger.ts
@@ -10448,31 +10445,129 @@ function error(message) {
   send("error", message);
 }
 
-// src/auth.ts
+// src/credential-store.ts
+import { readFile, writeFile, mkdir, unlink } from "fs/promises";
+import { join } from "path";
+import { homedir } from "os";
 var FAUX_DIR = join(homedir(), ".faux");
 var CREDENTIALS_PATH = join(FAUX_DIR, "credentials.json");
-var AUTH_BASE = process.env.FAUX_AUTH_URL || "https://auth.faux.design";
-var POLL_INTERVAL_MS = 2e3;
-var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
-var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
-async function loadCredentials() {
+var KEYCHAIN_SERVICE = "faux-studio";
+var KEYCHAIN_ACCOUNT = "credentials";
+var FileCredentialStore = class {
+  name = "file";
+  async load() {
+    try {
+      const raw = await readFile(CREDENTIALS_PATH, "utf-8");
+      const creds = JSON.parse(raw);
+      if (!creds.jwt || !creds.refreshToken || !creds.user) return null;
+      return creds;
+    } catch {
+      return null;
+    }
+  }
+  async save(creds) {
+    try {
+      await mkdir(FAUX_DIR, { recursive: true });
+      await writeFile(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
+    } catch (err) {
+      warn(`Could not save credentials: ${err instanceof Error ? err.message : err}`);
+    }
+  }
+  async clear() {
+    try {
+      await unlink(CREDENTIALS_PATH);
+    } catch {
+    }
+  }
+};
+var KeychainCredentialStore = class {
+  name = "keychain";
+  entry;
+  constructor(entry) {
+    this.entry = entry;
+  }
+  async load() {
+    try {
+      const raw = await this.entry.getPassword();
+      if (!raw) return null;
+      const creds = JSON.parse(raw);
+      if (!creds.jwt || !creds.refreshToken || !creds.user) return null;
+      return creds;
+    } catch {
+      return null;
+    }
+  }
+  async save(creds) {
+    try {
+      await this.entry.setPassword(JSON.stringify(creds));
+    } catch (err) {
+      warn(`Could not save to keychain: ${err instanceof Error ? err.message : err}`);
+    }
+  }
+  async clear() {
+    try {
+      await this.entry.deletePassword();
+    } catch {
+    }
+  }
+};
+async function tryCreateKeychainStore() {
   try {
-    const raw = await readFile(CREDENTIALS_PATH, "utf-8");
-    const creds = JSON.parse(raw);
-    if (!creds.jwt || !creds.refreshToken || !creds.user) return null;
-    return creds;
-  } catch {
+    const { AsyncEntry } = await import("@napi-rs/keyring");
+    const probe = new AsyncEntry(KEYCHAIN_SERVICE, "__probe__");
+    await probe.setPassword("probe");
+    try {
+      const val = await probe.getPassword();
+      if (val !== "probe") throw new Error("Keychain probe read-back mismatch");
+    } finally {
+      await probe.deletePassword().catch(() => {
+      });
+    }
+    const entry = new AsyncEntry(KEYCHAIN_SERVICE, KEYCHAIN_ACCOUNT);
+    return new KeychainCredentialStore(entry);
+  } catch (err) {
+    warn(
+      `OS keychain not available, using file-based credential storage: ${err instanceof Error ? err.message : err}`
+    );
     return null;
   }
 }
-async function saveCredentials(creds) {
-  try {
-    await mkdir(FAUX_DIR, { recursive: true });
-    await writeFile(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
-  } catch (err) {
-    warn(`Could not save credentials: ${err instanceof Error ? err.message : err}`);
+var initPromise = null;
+function createCredentialStore() {
+  if (!initPromise) {
+    initPromise = initStore();
+  }
+  return initPromise;
+}
+async function initStore() {
+  const fileStore = new FileCredentialStore();
+  const keychainStore = await tryCreateKeychainStore();
+  if (!keychainStore) {
+    return fileStore;
+  }
+  const keychainCreds = await keychainStore.load();
+  if (!keychainCreds) {
+    const fileCreds = await fileStore.load();
+    if (fileCreds) {
+      await keychainStore.save(fileCreds);
+      const verified = await keychainStore.load();
+      if (verified) {
+        await fileStore.clear();
+        log("Credentials migrated to OS keychain");
+      } else {
+        warn("Keychain migration could not be verified \u2014 keeping file-based credentials");
+        return fileStore;
+      }
+    }
   }
+  return keychainStore;
 }
+
+// src/auth.ts
+var AUTH_BASE = process.env.FAUX_AUTH_URL || "https://auth.faux.design";
+var POLL_INTERVAL_MS = 2e3;
+var POLL_TIMEOUT_MS = 5 * 60 * 1e3;
+var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 function isExpiringSoon(creds) {
   const expiresAt = new Date(creds.expiresAt).getTime();
   return Date.now() > expiresAt - REFRESH_BUFFER_MS;
@@ -10543,7 +10638,7 @@ async function authenticate() {
           expiresAt: new Date(Date.now() + 3600 * 1e3).toISOString(),
           user: data.user
         };
-        await saveCredentials(creds);
+        await (await createCredentialStore()).save(creds);
         return creds;
       }
       if (data.status === "error") {
@@ -10570,7 +10665,8 @@ async function ensureAuth() {
       source: "api-key"
     };
   }
-  const saved = await loadCredentials();
+  const credStore = await createCredentialStore();
+  const saved = await credStore.load();
   if (saved) {
     if (!isExpiringSoon(saved)) {
       log(`Authenticated as ${saved.user.handle}`);
@@ -10584,7 +10680,7 @@ async function ensureAuth() {
     try {
       log("Refreshing authentication...");
       const refreshed = await refreshJwt(saved);
-      await saveCredentials(refreshed);
+      await credStore.save(refreshed);
       log(`Authenticated as ${refreshed.user.handle}`);
       return {
         jwt: refreshed.jwt,
@@ -10607,12 +10703,13 @@ async function ensureAuth() {
 }
 async function refreshIfNeeded(current, force = false) {
   if (current.source === "api-key") return current;
-  const saved = await loadCredentials();
+  const credStore = await createCredentialStore();
+  const saved = await credStore.load();
   if (!saved) return current;
   if (!force && !isExpiringSoon(saved)) return current;
   try {
     const refreshed = await refreshJwt(saved);
-    await saveCredentials(refreshed);
+    await credStore.save(refreshed);
     return {
       jwt: refreshed.jwt,
       refreshToken: refreshed.refreshToken,
@@ -10628,9 +10725,34 @@ async function refreshIfNeeded(current, force = false) {
 import { readFile as readFile2, writeFile as writeFile2, mkdir as mkdir2 } from "fs/promises";
 import { join as join2 } from "path";
 import { homedir as homedir2 } from "os";
+import { subtle } from "crypto";
 var FAUX_DIR2 = join2(homedir2(), ".faux");
 var CACHE_PATH = join2(FAUX_DIR2, "tool-cache.json");
 var API_BASE = process.env.FAUX_API_URL || "https://api.faux.design";
+var _publicKey = null;
+var _cachedVerifyKey = null;
+var _cachedKeyInput = null;
+function getVerifyKey() {
+  return _publicKey;
+}
+async function importPublicKey(jwkJson) {
+  if (_cachedVerifyKey && _cachedKeyInput === jwkJson) return _cachedVerifyKey;
+  const jwk = JSON.parse(jwkJson);
+  _cachedVerifyKey = await subtle.importKey("jwk", jwk, { name: "Ed25519" }, false, ["verify"]);
+  _cachedKeyInput = jwkJson;
+  return _cachedVerifyKey;
+}
+async function verifyScriptSignature(script, signature, keyJwk) {
+  if (signature.length !== 128) return false;
+  try {
+    const key = await importPublicKey(keyJwk);
+    const sigBytes = Uint8Array.from(signature.match(/.{2}/g).map((h) => parseInt(h, 16)));
+    const scriptBytes = new TextEncoder().encode(script);
+    return await subtle.verify("Ed25519", key, sigBytes, scriptBytes);
+  } catch {
+    return false;
+  }
+}
 async function loadCachedTools() {
   try {
     const raw = await readFile2(CACHE_PATH, "utf-8");
@@ -10679,6 +10801,9 @@ async function fetchRemoteTools(jwt2) {
     throw new Error(`Failed to fetch tools (HTTP ${res.status})`);
   }
   const data = await res.json();
+  if (data.signingKey) {
+    _publicKey = data.signingKey;
+  }
   return sanitizeTools(data.tools);
 }
 async function getTools(jwt2) {
@@ -10732,7 +10857,7 @@ async function generateScript(jwt2, toolName, params) {
     throw new Error(body.error || `Script generation failed (HTTP ${res.status})`);
   }
   const data = await res.json();
-  return data.script;
+  return { script: data.script, signature: data.signature };
 }
 
 // node_modules/ws/wrapper.mjs
@@ -25819,7 +25944,7 @@ Resources provide quick read-only access to Figma state without tool calls:
 - Create components for reusable UI patterns.`;
 function createMcpServer(deps) {
   const server2 = new Server(
-    { name: "faux-studio", version: "0.3.12" },
+    { name: "faux-studio", version: "0.4.1" },
     {
       capabilities: { tools: { listChanged: true }, resources: {}, logging: {} },
       instructions: INSTRUCTIONS
@@ -25884,11 +26009,13 @@ function createMcpServer(deps) {
               }) }]
             };
           } catch (err) {
+            const transport = deps.getTransport();
+            const restartHint = transport === "cdp" ? "Please disable and re-enable the faux-studio MCP server in your MCP client settings, then try again." : transport === "plugin" ? "Please close and reopen the faux-studio plugin in Figma, then try again." : "Please restart faux-studio and try again.";
             return {
               content: [{ type: "text", text: JSON.stringify({
                 authenticated: false,
                 error: err instanceof Error ? err.message : "Re-authentication failed",
-                message: "Could not authenticate. Please restart faux-studio."
+                message: `Could not authenticate. ${restartHint}`
               }) }],
               isError: true
             };
@@ -25976,12 +26103,23 @@ function createMcpServer(deps) {
       }
       const message = err instanceof Error ? err.message : String(err);
       const isAuthError = message.includes("auth") || message.includes("401") || message.includes("AUTH_EXPIRED");
+      if (isAuthError) {
+        const transport = deps.getTransport();
+        const reconnectHint = transport === "cdp" ? "If the `login` tool fails, ask the user to disable and re-enable the faux-studio MCP server in their MCP client settings, then try again." : transport === "plugin" ? "If the `login` tool fails, ask the user to close and reopen the faux-studio plugin in Figma, then try again." : "If the `login` tool fails, ask the user to restart faux-studio and try again.";
+        return {
+          content: [{
+            type: "text",
+            text: `Error: ${message}
+
+Run the \`login\` tool to re-authenticate. ${reconnectHint}`
+          }],
+          isError: true
+        };
+      }
       return {
         content: [{
           type: "text",
-          text: isAuthError ? `Error: ${message}
-
-Run the \`login\` tool to re-authenticate.` : `Error: ${message}`
+          text: `Error: ${message}`
         }],
         isError: true
       };
@@ -26112,16 +26250,29 @@ async function recoverCdp(client, script) {
 }
 async function generateWithAuth(toolName, params) {
   auth = await refreshIfNeeded(auth);
+  let result;
   try {
-    return await generateScript(auth.jwt, toolName, params);
+    result = await generateScript(auth.jwt, toolName, params);
   } catch (err) {
     if (err instanceof Error && err.message === "AUTH_EXPIRED") {
       warn("JWT expired during request, refreshing...");
       auth = await refreshIfNeeded(auth, true);
-      return await generateScript(auth.jwt, toolName, params);
+      result = await generateScript(auth.jwt, toolName, params);
+    } else {
+      throw err;
+    }
+  }
+  const verifyKey = getVerifyKey();
+  if (verifyKey && result.signature) {
+    if (!await verifyScriptSignature(result.script, result.signature, verifyKey)) {
+      throw new Error("Script signature verification failed \u2014 possible tampering");
     }
-    throw err;
+  } else if (verifyKey && !result.signature) {
+    throw new Error("Signing key is configured but response is missing a signature \u2014 possible signature stripping attack");
+  } else if (!verifyKey) {
+    warn("No signing key available \u2014 skipping script signature verification");
   }
+  return result.script;
 }
 var PLUGIN_URL = "https://faux.design/plugin";
 var PLUGIN_WAIT_MS = 1e4;
@@ -26303,6 +26454,11 @@ async function main() {
       source: auth.source,
       isApiKey: auth.source === "api-key"
     }),
+    getTransport: () => {
+      if (pluginServer.hasConnections) return "plugin";
+      if (cdpClient?.connected) return "cdp";
+      return "none";
+    },
     setupFigma
   });
   await startServer(server2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "faux-studio",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "AI-powered Figma design via MCP — connect any AI client to Figma Desktop",
   "type": "module",
   "bin": {
@@ -10,7 +10,7 @@
     "dist"
   ],
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "scripts": {
     "build": "tsup",
@@ -18,6 +18,7 @@
     "build:plugin": "cd plugin && npm run build",
     "build:all": "npm run build && npm run build:plugin",
     "dev": "tsup --watch",
+    "test": "npx tsx --test test/*.test.ts",
     "prepublishOnly": "npm run build"
   },
   "devDependencies": {
@@ -26,6 +27,7 @@
     "@types/node": "^22.0.0",
     "@types/ws": "^8.5.0",
     "tsup": "^8.4.0",
+    "tsx": "^4.19.0",
     "typescript": "^5.8.0"
   },
   "keywords": [
@@ -41,5 +43,8 @@
     "type": "git",
     "url": "https://github.com/uxfreak/faux-studio.git"
   },
-  "homepage": "https://faux.design"
+  "homepage": "https://faux.design",
+  "optionalDependencies": {
+    "@napi-rs/keyring": "^1.2.0"
+  }
 }