gitarsenal-cli 1.2.3 → 1.2.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "gitarsenal-cli",
-  "version": "1.2.3",
+  "version": "1.2.5",
   "description": "CLI tool for creating Modal sandboxes with GitHub repositories",
   "main": "index.js",
   "bin": {

package/python/README.md

@@ -18,12 +18,15 @@ The GitArsenal CLI integrates with Modal for creating sandboxes and SSH containe
 For enhanced security, GitArsenal CLI now automatically cleans up Modal tokens after SSH containers are created. This ensures that your Modal token is not left in the environment or on disk after the container is started.
 
 The cleanup process:
-1. Removes Modal token environment variables (MODAL_TOKEN_ID, MODAL_TOKEN, MODAL_TOKEN_SECRET)
-2. Deletes Modal token files (.modal/token.json, .modal/token_alt.json, .modalconfig)
-3. Runs automatically after SSH container creation
-4. Runs on service shutdown via signal handlers
-
-This prevents potential token leakage when containers are shared or when the service is stopped.
+1. Removes real Modal token environment variables (MODAL_TOKEN_ID, MODAL_TOKEN, MODAL_TOKEN_SECRET)
+2. Deletes real Modal token files (.modal/token.json, .modal/token_alt.json, .modalconfig)
+3. Invalidates Modal sessions by removing session files and directories
+4. Sets invalid Modal tokens using the `modal token set` command with a dedicated profile
+5. Falls back to manually setting placeholder tokens if the command fails
+6. Runs automatically after SSH container creation
+7. Runs on service shutdown via signal handlers
+
+This prevents potential token leakage when containers are shared or when the service is stopped, while still allowing users to run basic Modal CLI commands. Any operations requiring authentication will fail, effectively logging the user out from Modal.
 
 ## Usage
 

package/python/modal_proxy_service.py

@@ -215,7 +215,7 @@ def cleanup_modal_token():
     logger.info("🧹 Cleaning up Modal token for security...")
     
     try:
-        # Remove token from environment variables
+        # Remove real token from environment variables
         if "MODAL_TOKEN_ID" in os.environ:
             del os.environ["MODAL_TOKEN_ID"]
             logger.info("✅ Removed MODAL_TOKEN_ID from environment")
@@ -250,6 +250,92 @@ def cleanup_modal_token():
             modalconfig_file.unlink()
             logger.info(f"✅ Deleted .modalconfig file at {modalconfig_file}")
             
+        # Try to invalidate Modal sessions
+        try:
+            logger.info("🔑 Invalidating Modal sessions...")
+            
+            # Try to directly modify Modal's session files
+            try:
+                # Check for session files in .modal directory
+                session_dir = modal_dir / "sessions"
+                if session_dir.exists():
+                    import shutil
+                    shutil.rmtree(session_dir)
+                    logger.info(f"✅ Removed Modal sessions directory at {session_dir}")
+                    
+                # Also check for any other potential session files
+                for file in os.listdir(modal_dir) if modal_dir.exists() else []:
+                    if "session" in file.lower() or "auth" in file.lower():
+                        file_path = modal_dir / file
+                        if file_path.is_file():
+                            file_path.unlink()
+                            logger.info(f"✅ Removed Modal session file: {file_path}")
+            except Exception as e:
+                logger.warning(f"⚠️ Error removing Modal sessions: {e}")
+                
+        except Exception as e:
+            logger.warning(f"⚠️ Error during Modal session invalidation: {e}")
+            
+        # Set invalid Modal tokens using the Modal CLI
+        try:
+            logger.info("🔄 Setting invalid Modal tokens...")
+            
+            # Use modal token set command with invalid credentials
+            invalid_token_id = "ak-invalid-token-not-valid"
+            invalid_token_secret = "as-invalid-secret-not-valid"
+            profile = "gitarsenal"
+            
+            # Run the modal token set command
+            result = subprocess.run(
+                ["modal", "token", "set", 
+                 "--token-id", invalid_token_id, 
+                 "--token-secret", invalid_token_secret,
+                 f"--profile={profile}"],
+                capture_output=True,
+                text=True
+            )
+            
+            if result.returncode == 0:
+                logger.info(f"✅ Successfully set invalid Modal tokens with profile '{profile}'")
+            else:
+                logger.warning(f"⚠️ Error setting invalid Modal tokens: {result.stderr}")
+                
+                # Fall back to manually setting placeholder tokens
+                logger.info("🔄 Falling back to manually setting placeholder tokens...")
+                
+                # Create .modal directory if it doesn't exist
+                if not modal_dir.exists():
+                    modal_dir.mkdir(parents=True)
+                    logger.info(f"✅ Created Modal directory at {modal_dir}")
+                
+                # Set placeholder tokens in token.json
+                placeholder_token_id = "ak-placeholder-token-not-valid"
+                placeholder_token_secret = "as-placeholder-secret-not-valid"
+                
+                # Create token.json with placeholder values
+                token_file = modal_dir / "token.json"
+                with open(token_file, 'w') as f:
+                    import json
+                    json.dump({
+                        "token_id": placeholder_token_id,
+                        "token_secret": placeholder_token_secret
+                    }, f)
+                logger.info(f"✅ Created placeholder token file at {token_file}")
+                
+                # Create .modalconfig file with placeholder values
+                with open(modalconfig_file, 'w') as f:
+                    f.write(f"token_id = {placeholder_token_id}\n")
+                    f.write(f"token_secret = {placeholder_token_secret}\n")
+                logger.info(f"✅ Created placeholder .modalconfig file at {modalconfig_file}")
+                
+                # Set placeholder values in environment variables
+                os.environ["MODAL_TOKEN_ID"] = placeholder_token_id
+                os.environ["MODAL_TOKEN_SECRET"] = placeholder_token_secret
+                logger.info("✅ Set placeholder tokens in environment variables")
+            
+        except Exception as e:
+            logger.warning(f"⚠️ Error setting invalid Modal tokens: {e}")
+            
         logger.info("✅ Modal token cleanup completed successfully")
     except Exception as e:
         logger.error(f"❌ Error during Modal token cleanup: {e}")

package/python/test_modalSandboxScript.py

@@ -3298,7 +3298,7 @@ def cleanup_modal_token():
     print("🧹 Cleaning up Modal token for security...")
     
     try:
-        # Remove token from environment variables
+        # Remove real token from environment variables
         if "MODAL_TOKEN_ID" in os.environ:
             del os.environ["MODAL_TOKEN_ID"]
             print("✅ Removed MODAL_TOKEN_ID from environment")
@@ -3333,6 +3333,94 @@ def cleanup_modal_token():
             os.remove(modalconfig_file)
             print(f"✅ Deleted .modalconfig file at {modalconfig_file}")
             
+        # Try to invalidate Modal sessions
+        try:
+            print("🔑 Invalidating Modal sessions...")
+            
+            # Try to directly modify Modal's session files
+            try:
+                # Check for session files in .modal directory
+                session_dir = os.path.join(modal_dir, "sessions")
+                if os.path.exists(session_dir):
+                    import shutil
+                    shutil.rmtree(session_dir)
+                    print(f"✅ Removed Modal sessions directory at {session_dir}")
+                    
+                # Also check for any other potential session files
+                for file in os.listdir(modal_dir) if os.path.exists(modal_dir) else []:
+                    if "session" in file.lower() or "auth" in file.lower():
+                        file_path = os.path.join(modal_dir, file)
+                        if os.path.isfile(file_path):
+                            os.remove(file_path)
+                            print(f"✅ Removed Modal session file: {file_path}")
+            except Exception as e:
+                print(f"⚠️ Error removing Modal sessions: {e}")
+                
+        except Exception as e:
+            print(f"⚠️ Error during Modal session invalidation: {e}")
+            
+        # Set invalid Modal tokens using the Modal CLI
+        try:
+            print("🔄 Setting invalid Modal tokens...")
+            import subprocess
+            
+            # Use modal token set command with invalid credentials
+            invalid_token_id = "ak-invalid-token-not-valid"
+            invalid_token_secret = "as-invalid-secret-not-valid"
+            profile = "gitarsenal"
+            
+            # Run the modal token set command
+            result = subprocess.run(
+                ["modal", "token", "set", 
+                 "--token-id", invalid_token_id, 
+                 "--token-secret", invalid_token_secret,
+                 f"--profile={profile}"],
+                capture_output=True,
+                text=True
+            )
+            
+            if result.returncode == 0:
+                print(f"✅ Successfully set invalid Modal tokens with profile '{profile}'")
+            else:
+                print(f"⚠️ Error setting invalid Modal tokens: {result.stderr}")
+                
+                # Fall back to manually setting placeholder tokens
+                print("🔄 Falling back to manually setting placeholder tokens...")
+                
+                # Create .modal directory if it doesn't exist
+                if not os.path.exists(modal_dir):
+                    os.makedirs(modal_dir)
+                    print(f"✅ Created Modal directory at {modal_dir}")
+                
+                # Set placeholder tokens in token.json
+                placeholder_token_id = "ak-placeholder-token-not-valid"
+                placeholder_token_secret = "as-placeholder-secret-not-valid"
+                
+                # Create token.json with placeholder values
+                token_file = os.path.join(modal_dir, "token.json")
+                with open(token_file, 'w') as f:
+                    import json
+                    json.dump({
+                        "token_id": placeholder_token_id,
+                        "token_secret": placeholder_token_secret
+                    }, f)
+                print(f"✅ Created placeholder token file at {token_file}")
+                
+                # Create .modalconfig file with placeholder values
+                modalconfig_file = os.path.join(home_dir, ".modalconfig")
+                with open(modalconfig_file, 'w') as f:
+                    f.write(f"token_id = {placeholder_token_id}\n")
+                    f.write(f"token_secret = {placeholder_token_secret}\n")
+                print(f"✅ Created placeholder .modalconfig file at {modalconfig_file}")
+                
+                # Set placeholder values in environment variables
+                os.environ["MODAL_TOKEN_ID"] = placeholder_token_id
+                os.environ["MODAL_TOKEN_SECRET"] = placeholder_token_secret
+                print("✅ Set placeholder tokens in environment variables")
+            
+        except Exception as e:
+            print(f"⚠️ Error setting invalid Modal tokens: {e}")
+            
         print("✅ Modal token cleanup completed successfully")
     except Exception as e:
         print(f"❌ Error during Modal token cleanup: {e}")

package/python/test_token_cleanup.py

@@ -108,40 +108,122 @@ def verify_token_cleaned_up():
     """Verify that the test token has been cleaned up"""
     print("🔍 Verifying token cleanup...")
     
-    # Check environment variables
+    # Check that the original token is not in environment variables
     env_token_id = os.environ.get("MODAL_TOKEN_ID")
     env_token = os.environ.get("MODAL_TOKEN")
     env_token_secret = os.environ.get("MODAL_TOKEN_SECRET")
     
-    if env_token_id:
-        print(f"❌ MODAL_TOKEN_ID still exists: '{env_token_id}'")
+    # Check that original tokens are removed or replaced with invalid tokens
+    if env_token_id and not ("invalid" in env_token_id or "placeholder" in env_token_id):
+        print(f"❌ Original MODAL_TOKEN_ID still exists: '{env_token_id}'")
         return False
     
-    if env_token:
-        print(f"❌ MODAL_TOKEN still exists: '{env_token}'")
+    if env_token and not ("invalid" in env_token or "placeholder" in env_token):
+        print(f"❌ Original MODAL_TOKEN still exists: '{env_token}'")
         return False
     
-    if env_token_secret:
-        print(f"❌ MODAL_TOKEN_SECRET still exists: '{env_token_secret}'")
+    if env_token_secret and not ("invalid" in env_token_secret or "placeholder" in env_token_secret):
+        print(f"❌ Original MODAL_TOKEN_SECRET still exists: '{env_token_secret}'")
         return False
     
     # Check token files
     modal_dir = Path.home() / ".modal"
     token_file = modal_dir / "token.json"
-    if token_file.exists():
-        print(f"❌ Token file still exists at {token_file}")
-        return False
     
-    token_alt_file = modal_dir / "token_alt.json"
-    if token_alt_file.exists():
-        print(f"❌ Alternative token file still exists at {token_alt_file}")
+    # Check if token.json contains invalid values
+    if token_file.exists():
+        try:
+            import json
+            with open(token_file, 'r') as f:
+                token_data = json.load(f)
+                
+            if "token_id" in token_data:
+                if not ("invalid" in token_data["token_id"] or "placeholder" in token_data["token_id"]):
+                    print(f"❌ Token file contains original token_id: {token_data['token_id']}")
+                    return False
+                print(f"✅ Token file contains invalid token_id: {token_data['token_id']}")
+            else:
+                print("❌ Token file does not contain token_id")
+                return False
+                
+            if "token_secret" in token_data:
+                if not ("invalid" in token_data["token_secret"] or "placeholder" in token_data["token_secret"]):
+                    print(f"❌ Token file contains original token_secret")
+                    return False
+                print(f"✅ Token file contains invalid token_secret")
+            else:
+                print("❌ Token file does not contain token_secret")
+                return False
+        except Exception as e:
+            print(f"❌ Error reading token file: {e}")
+            return False
+    else:
+        print("❌ Token file does not exist")
         return False
     
+    # Check .modalconfig file
     modalconfig_file = Path.home() / ".modalconfig"
     if modalconfig_file.exists():
-        print(f"❌ .modalconfig file still exists at {modalconfig_file}")
+        try:
+            with open(modalconfig_file, 'r') as f:
+                config_content = f.read()
+                
+            if not ("invalid" in config_content or "placeholder" in config_content):
+                print("❌ .modalconfig file does not contain invalid tokens")
+                return False
+                
+            print("✅ .modalconfig file contains invalid tokens")
+        except Exception as e:
+            print(f"❌ Error reading .modalconfig file: {e}")
+            return False
+    else:
+        print("❌ .modalconfig file does not exist")
         return False
     
+    # Check if Modal sessions directory exists
+    session_dir = modal_dir / "sessions"
+    if session_dir.exists():
+        print(f"❌ Modal sessions directory still exists at {session_dir}")
+        return False
+    
+    # Check for any session or auth files
+    if modal_dir.exists():
+        for file in os.listdir(modal_dir):
+            if "session" in file.lower() or "auth" in file.lower():
+                print(f"❌ Modal session/auth file still exists: {modal_dir / file}")
+                return False
+    
+    # Check if Modal CLI works with invalid tokens
+    try:
+        import subprocess
+        result = subprocess.run(
+            ["modal", "--help"],
+            capture_output=True,
+            text=True
+        )
+        if result.returncode == 0:
+            print("✅ Modal CLI works with invalid tokens")
+        else:
+            print("❌ Modal CLI does not work with invalid tokens")
+            print(f"Output: {result.stdout}")
+            print(f"Error: {result.stderr}")
+            return False
+            
+        # Check that operations requiring authentication fail
+        result = subprocess.run(
+            ["modal", "app", "list"],
+            capture_output=True,
+            text=True
+        )
+        if result.returncode != 0 or "unauthorized" in result.stderr.lower() or "error" in result.stderr.lower():
+            print("✅ Modal operations requiring authentication fail as expected")
+        else:
+            print("❌ Modal operations requiring authentication still work")
+            print(f"Output: {result.stdout}")
+            return False
+    except Exception as e:
+        print(f"⚠️ Error checking Modal CLI status: {e}")
+    
     print("✅ Token has been cleaned up successfully")
     return True