gitspace 0.2.0-rc.20 → 0.2.0-rc.21

package/src/core/secret-runtime.ts

@@ -1,167 +0,0 @@
-import { existsSync, readFileSync } from 'node:fs';
-import { join } from 'node:path';
-import { getAllProjectNames, getSpacesDir, readProjectConfig } from './config.js';
-import { logger } from '../utils/logger.js';
-import { preloadAllSecrets } from '../utils/secrets.js';
-import { SpacesError } from '../types/errors.js';
-
-interface SecretRuntimeState {
-  ignoreKeychainAndSkipSecrets: boolean;
-  projectsWithSecrets: Set<string>;
-  legacyEntriesDetected: boolean;
-  legacyReminderConsumed: boolean;
-}
-
-export interface SecretMigrationInputs {
-  projectNames: string[];
-  projectSecretKeys: Record<string, string[]>;
-  globalSecretKeys: string[];
-}
-
-function readHostSubdomains(): string[] {
-  const hostPath = join(getSpacesDir(), 'host.json');
-  if (!existsSync(hostPath)) {
-    return [];
-  }
-
-  try {
-    const parsed = JSON.parse(readFileSync(hostPath, 'utf-8')) as {
-      subdomain?: unknown;
-      subdomains?: unknown;
-    };
-
-    const found = new Set<string>();
-    if (typeof parsed.subdomain === 'string' && parsed.subdomain.length > 0) {
-      found.add(parsed.subdomain);
-    }
-
-    if (Array.isArray(parsed.subdomains)) {
-      for (const candidate of parsed.subdomains) {
-        if (typeof candidate === 'string' && candidate.length > 0) {
-          found.add(candidate);
-        }
-      }
-    }
-
-    return [...found];
-  } catch {
-    return [];
-  }
-}
-
-export function getSecretMigrationInputs(): SecretMigrationInputs {
-  const projectNames = getAllProjectNames();
-  const projectSecretKeys: Record<string, string[]> = {};
-  const globalSecretKeys = new Set<string>([
-    'GITSPACE_TOKEN',
-    'linear-api-key',
-    'relay:signingPrivateKey',
-  ]);
-
-  for (const projectName of projectNames) {
-    globalSecretKeys.add(`linear-api-key-${projectName}`);
-
-    try {
-      const config = readProjectConfig(projectName);
-      const keys = [...new Set(config.bundleSecretKeys ?? [])];
-      if (keys.length > 0) {
-        projectSecretKeys[projectName] = keys;
-      }
-    } catch (error) {
-      logger.debug(
-        `[secrets] Failed reading project config for ${projectName}: ${error instanceof Error ? error.message : String(error)}`
-      );
-    }
-  }
-
-  for (const subdomain of readHostSubdomains()) {
-    globalSecretKeys.add(`TUNNEL_TOKEN_${subdomain}`);
-  }
-
-  return {
-    projectNames,
-    projectSecretKeys,
-    globalSecretKeys: [...globalSecretKeys],
-  };
-}
-
-const state: SecretRuntimeState = {
-  ignoreKeychainAndSkipSecrets: false,
-  projectsWithSecrets: new Set<string>(),
-  legacyEntriesDetected: false,
-  legacyReminderConsumed: false,
-};
-
-export interface InitializeSecretRuntimeOptions {
-  ignoreKeychainAndSkipSecrets?: boolean;
-}
-
-export async function initializeSecretRuntime(
-  options: InitializeSecretRuntimeOptions = {}
-): Promise<void> {
-  const ignore = options.ignoreKeychainAndSkipSecrets ?? false;
-  state.ignoreKeychainAndSkipSecrets = ignore;
-  state.legacyEntriesDetected = false;
-  state.legacyReminderConsumed = false;
-
-  const migrationInputs = getSecretMigrationInputs();
-  state.projectsWithSecrets = new Set(Object.keys(migrationInputs.projectSecretKeys));
-
-  if (ignore) {
-    if (state.projectsWithSecrets.size > 0) {
-      logger.warning(
-        'Ignoring keychain and skipping secret-dependent scripts (use with caution).'
-      );
-    }
-    return;
-  }
-
-  try {
-    const preloadResult = await preloadAllSecrets(migrationInputs.projectNames, {
-      projectLegacyKeys: migrationInputs.projectSecretKeys,
-      globalLegacyKeys: migrationInputs.globalSecretKeys,
-    });
-    state.legacyEntriesDetected = preloadResult.legacyEntriesDetected;
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    throw new SpacesError(
-      `Failed to preload keychain secrets at startup: ${message}\n\n` +
-        'Unlock keychain access and retry, or run with --ignore-keychain-and-skip-secrets to continue without secret-dependent scripts.',
-      'USER_ERROR',
-      1
-    );
-  }
-}
-
-export function consumeLegacyCleanupReminderForTui(): string | null {
-  if (!state.legacyEntriesDetected || state.legacyReminderConsumed) {
-    return null;
-  }
-
-  state.legacyReminderConsumed = true;
-  return 'Legacy keychain entries are still present. Run `gssh migrate cleanup-legacy` once you are confident the unified keychain storage is stable.';
-}
-
-export function shouldSkipSecretDependentScripts(
-  projectName: string,
-  configuredSecretKeys?: string[]
-): boolean {
-  if (!state.ignoreKeychainAndSkipSecrets) {
-    return false;
-  }
-
-  if (configuredSecretKeys && configuredSecretKeys.length > 0) {
-    return true;
-  }
-
-  if (state.projectsWithSecrets.has(projectName)) {
-    return true;
-  }
-
-  try {
-    const config = readProjectConfig(projectName);
-    return (config.bundleSecretKeys ?? []).length > 0;
-  } catch {
-    return true;
-  }
-}

package/src/core/shell.ts

@@ -1,117 +0,0 @@
-/**
- * Shell session management - spawns subshells for workspaces
- * Uses tmux-lite for session persistence and management
- */
-
-import { spawn, spawnSync } from 'child_process'
-import { logger } from '../utils/logger.js'
-import { prepareWorkspaceForSession } from './workspace-lifecycle.js'
-import {
-	createSession,
-	isNested,
-} from '../lib/tmux-lite/cli.js'
-import { buildWorkspaceSessionHooks } from '../session/workspace-shell-hooks.js'
-
-/**
- * Print a message to terminal using echo (same mechanism as scripts)
- */
-function printToTerminal(message: string): void {
-	spawnSync('echo', [message], { stdio: 'inherit' })
-}
-
-/**
- * Open a workspace in an interactive subshell
- *
- * Flow:
- * 1. Determine if setup or select scripts should run
- * 2. Run the appropriate scripts in the terminal
- * 3. Spawn an interactive subshell in the workspace directory
- * 4. User gets control of the shell with their environment ready
- *
- * @param sessionName - Custom name for the tmux-lite session (required for new sessions)
- */
-export async function openWorkspaceShell(
-	workspacePath: string,
-	projectName: string,
-	repository: string,
-	noSetup: boolean = false,
-	sessionName?: string
-): Promise<void> {
-	const workspaceId = workspacePath.split('/').pop() || 'workspace'
-
-	const prepareResult = await prepareWorkspaceForSession({
-		projectName,
-		workspacePath,
-		workspaceName: workspaceId,
-		repository,
-		noSetup,
-		interactiveScripts: true,
-		bundleMode: 'prompt-refresh',
-	})
-
-	if (!prepareResult.success) {
-		throw new Error(`Workspace scripts failed during ${prepareResult.phase} phase: ${prepareResult.error}`)
-	}
-
-	printToTerminal('')
-	printToTerminal('💡 Press Ctrl+Esc to detach and return to GitSpace TUI')
-	printToTerminal('')
-
-	// Create or attach to tmux-lite session
-	await openTmuxLiteSession(workspacePath, projectName, workspaceId, sessionName)
-}
-
-/**
- * Build a full session name from components
- */
-function buildSessionName(projectName: string, workspaceId: string, sessionName: string): string {
-	return `${projectName}:${workspaceId}:${sessionName}`
-}
-
-/**
- * Open a tmux-lite session for the workspace
- * Creates a new session or attaches to an existing one
- * @param sessionName - Custom suffix for the session name
- */
-async function openTmuxLiteSession(
-	workspacePath: string,
-	projectName: string,
-	workspaceId: string,
-	sessionName?: string
-): Promise<void> {
-	// Check if we're already in a tmux-lite session
-	if (isNested()) {
-		logger.error('Already inside a tmux-lite session. Detach first with Ctrl+Esc.')
-		return
-	}
-
-	try {
-		const suffix = sessionName && sessionName.trim().length > 0
-			? sessionName
-			: `${Date.now()}`
-		const fullSessionName = buildSessionName(projectName, workspaceId, suffix)
-
-		logger.debug(`Creating tmux-lite session: ${fullSessionName}`)
-
-		// Create new session
-		const session = await createSession(fullSessionName, workspacePath, {
-			hooks: buildWorkspaceSessionHooks(projectName, workspaceId),
-		})
-
-		// Spawn the CLI attach command as a subprocess with inherited stdio
-		// This works better with TUI suspension than direct attach() call
-		const cliPath = new URL('../lib/tmux-lite/cli.ts', import.meta.url).pathname
-		const proc = spawn('bun', ['run', cliPath, 'attach', session.id, '-f'], {
-			stdio: 'inherit',
-			cwd: workspacePath,
-		})
-
-		await new Promise<void>((resolve, reject) => {
-			proc.on('exit', () => resolve())
-			proc.on('error', (err) => reject(err))
-		})
-	} catch (error) {
-		logger.error(`Failed to open tmux-lite session: ${(error as Error).message}`)
-		throw error
-	}
-}

package/src/core/trusted-relays.ts

@@ -1,315 +0,0 @@
-/**
- * Trusted relay management
- *
- * Manages the list of relays this machine trusts for remote connections.
- * Relays are identified by their URL and Ed25519 public key.
- *
- * Storage: ~/.gitspace/.identity/trusted-relays.json
- */
-
-import { existsSync, readFileSync, writeFileSync } from "node:fs";
-import { join } from "node:path";
-import { sha256 } from "@noble/hashes/sha2.js";
-import { getIdentityDir } from "./identity.js";
-
-// ============================================================================
-// Types
-// ============================================================================
-
-/**
- * A trusted relay entry
- */
-export interface TrustedRelay {
-  /** Relay WebSocket URL (e.g., wss://relay.example.com) */
-  url: string;
-  /** Ed25519 signing public key (base64) */
-  publicKey: string;
-  /** Human-readable fingerprint */
-  fingerprint: string;
-  /** Optional label from relay */
-  label?: string;
-  /** When trust was established (Unix ms) */
-  trustedAt: number;
-}
-
-/**
- * Result of checking relay trust status
- */
-export type RelayTrustStatus = "trusted" | "mismatch" | "unknown";
-
-// ============================================================================
-// Constants
-// ============================================================================
-
-const TRUSTED_RELAYS_FILE = "trusted-relays.json";
-
-// ============================================================================
-// Paths
-// ============================================================================
-
-/**
- * Get path to trusted relays file
- */
-function getTrustedRelaysPath(): string {
-  return join(getIdentityDir(), TRUSTED_RELAYS_FILE);
-}
-
-// ============================================================================
-// Fingerprint Computation
-// ============================================================================
-
-/**
- * Compute fingerprint from relay public key
- *
- * Format: "Kx4f:2nB9:mP3q:vR8s" (16 chars with colons)
- */
-export function computeRelayFingerprint(publicKey: string): string {
-  const keyBytes = Buffer.from(publicKey, "base64");
-  const hash = sha256(keyBytes);
-  const b64url = Buffer.from(hash).toString("base64url").substring(0, 16);
-  return b64url.match(/.{1,4}/g)?.join(":") || b64url;
-}
-
-// ============================================================================
-// URL Normalization
-// ============================================================================
-
-/**
- * Normalize a relay URL for consistent comparison
- *
- * Removes trailing slashes and normalizes protocol
- */
-function normalizeUrl(url: string): string {
-  // Normalize the URL
-  let normalized = url.toLowerCase().trim();
-
-  // Remove trailing slashes
-  while (normalized.endsWith("/")) {
-    normalized = normalized.slice(0, -1);
-  }
-
-  // Normalize ws:// to wss:// for non-localhost
-  if (normalized.startsWith("ws://") && !isLocalhostUrl(normalized)) {
-    normalized = "wss://" + normalized.slice(5);
-  }
-
-  return normalized;
-}
-
-/**
- * Check if URL is localhost
- */
-function isLocalhostUrl(url: string): boolean {
-  try {
-    const parsed = new URL(url);
-    const host = parsed.hostname.toLowerCase();
-    return host === "localhost" || host === "127.0.0.1" || host === "::1";
-  } catch {
-    return false;
-  }
-}
-
-// ============================================================================
-// Storage Operations
-// ============================================================================
-
-/**
- * Load trusted relays from disk
- */
-export function getTrustedRelays(): TrustedRelay[] {
-  const path = getTrustedRelaysPath();
-
-  if (!existsSync(path)) {
-    return [];
-  }
-
-  try {
-    const content = readFileSync(path, "utf-8");
-    return JSON.parse(content) as TrustedRelay[];
-  } catch {
-    console.warn("[trusted-relays] Failed to parse trusted relays file");
-    return [];
-  }
-}
-
-/**
- * Save trusted relays to disk
- */
-function saveTrustedRelays(relays: TrustedRelay[]): void {
-  const identityDir = getIdentityDir();
-
-  // Create directory if needed (should already exist from identity setup)
-  if (!existsSync(identityDir)) {
-    const { mkdirSync } = require("node:fs");
-    mkdirSync(identityDir, { recursive: true, mode: 0o700 });
-  }
-
-  writeFileSync(
-    getTrustedRelaysPath(),
-    JSON.stringify(relays, null, 2),
-    { encoding: "utf-8", mode: 0o600 }
-  );
-}
-
-// ============================================================================
-// Trust Management
-// ============================================================================
-
-/**
- * Add a relay to the trusted list
- *
- * If the URL already exists, updates the public key and label.
- *
- * @param url - Relay WebSocket URL
- * @param publicKey - Ed25519 public key (base64)
- * @param label - Optional relay label
- * @returns The created/updated entry
- */
-export function addTrustedRelay(
-  url: string,
-  publicKey: string,
-  label?: string
-): TrustedRelay {
-  const relays = getTrustedRelays();
-  const normalizedUrl = normalizeUrl(url);
-
-  // Check if already exists by URL
-  const existing = relays.find((r) => normalizeUrl(r.url) === normalizedUrl);
-
-  if (existing) {
-    // Update existing entry
-    existing.publicKey = publicKey;
-    existing.fingerprint = computeRelayFingerprint(publicKey);
-    existing.label = label ?? existing.label;
-    existing.trustedAt = Date.now();
-    saveTrustedRelays(relays);
-    return existing;
-  }
-
-  // Create new entry
-  const entry: TrustedRelay = {
-    url: normalizedUrl,
-    publicKey,
-    fingerprint: computeRelayFingerprint(publicKey),
-    label,
-    trustedAt: Date.now(),
-  };
-
-  relays.push(entry);
-  saveTrustedRelays(relays);
-
-  return entry;
-}
-
-/**
- * Remove a relay from the trusted list
- *
- * @param urlOrFingerprint - URL or fingerprint (or prefix) to match
- * @returns The removed entry, or null if not found
- */
-export function removeTrustedRelay(
-  urlOrFingerprint: string
-): TrustedRelay | null {
-  const relays = getTrustedRelays();
-  const searchLower = urlOrFingerprint.toLowerCase();
-
-  const index = relays.findIndex((r) => {
-    const urlLower = normalizeUrl(r.url);
-    const fingerprintLower = r.fingerprint.toLowerCase();
-    const labelLower = r.label?.toLowerCase();
-
-    return (
-      urlLower === searchLower ||
-      urlLower.includes(searchLower) ||
-      fingerprintLower === searchLower ||
-      fingerprintLower.startsWith(searchLower) ||
-      labelLower === searchLower
-    );
-  });
-
-  if (index === -1) {
-    return null;
-  }
-
-  const [removed] = relays.splice(index, 1);
-  saveTrustedRelays(relays);
-
-  return removed;
-}
-
-/**
- * Get a trusted relay by URL
- *
- * @param url - Relay WebSocket URL
- * @returns The relay entry if found, null otherwise
- */
-export function getTrustedRelay(url: string): TrustedRelay | null {
-  const relays = getTrustedRelays();
-  const normalizedUrl = normalizeUrl(url);
-
-  return relays.find((r) => normalizeUrl(r.url) === normalizedUrl) ?? null;
-}
-
-/**
- * Find a trusted relay by fingerprint or label
- *
- * @param fingerprintOrLabel - Fingerprint (or prefix) or label to match
- * @returns The relay entry if found, null otherwise
- */
-export function findTrustedRelay(
-  fingerprintOrLabel: string
-): TrustedRelay | null {
-  const relays = getTrustedRelays();
-  const searchLower = fingerprintOrLabel.toLowerCase();
-
-  return (
-    relays.find((r) => {
-      const fingerprintLower = r.fingerprint.toLowerCase();
-      const labelLower = r.label?.toLowerCase();
-
-      return (
-        fingerprintLower === searchLower ||
-        fingerprintLower.startsWith(searchLower) ||
-        labelLower === searchLower
-      );
-    }) ?? null
-  );
-}
-
-/**
- * Check if a relay is trusted
- *
- * @param url - Relay WebSocket URL
- * @param publicKey - Ed25519 public key (base64) from relay
- * @returns Trust status: 'trusted', 'mismatch', or 'unknown'
- */
-export function isRelayTrusted(
-  url: string,
-  publicKey: string
-): RelayTrustStatus {
-  // Localhost is always auto-trusted
-  if (isLocalhostUrl(url)) {
-    return "trusted";
-  }
-
-  const trustedRelay = getTrustedRelay(url);
-
-  if (!trustedRelay) {
-    return "unknown";
-  }
-
-  // Check if public key matches
-  if (trustedRelay.publicKey === publicKey) {
-    return "trusted";
-  }
-
-  // URL known but key doesn't match - SECURITY WARNING
-  return "mismatch";
-}
-
-/**
- * Check if a URL is localhost (for auto-trust)
- */
-export function isLocalhost(url: string): boolean {
-  return isLocalhostUrl(url);
-}