i18ntk 2.5.0 → 2.6.0

package/runtime/enhanced.js

@@ -24,6 +24,33 @@ const IV_LENGTH = 16;
 const AUTH_TAG_LENGTH = 16;
 const SALT_LENGTH = 32;
 
+// Track active instances to ensure cleanup is registered only once
+let activeInstances = new Set();
+let processHandlersRegistered = false;
+
+function registerProcessHandlers() {
+  if (processHandlersRegistered) return;
+  processHandlersRegistered = true;
+
+  process.on('exit', () => {
+    for (const instance of activeInstances) {
+      try { instance.cleanup(); } catch (_) { /* best-effort */ }
+    }
+  });
+  process.on('SIGINT', () => {
+    for (const instance of activeInstances) {
+      try { instance.cleanup(); } catch (_) { /* best-effort */ }
+    }
+    process.exit(0);
+  });
+  process.on('uncaughtException', () => {
+    for (const instance of activeInstances) {
+      try { instance.cleanup(); } catch (_) { /* best-effort */ }
+    }
+    process.exit(1);
+  });
+}
+
 class I18nEnhancedRuntime extends EventEmitter {
   constructor() {
     super();
@@ -84,14 +111,14 @@ class I18nEnhancedRuntime extends EventEmitter {
       () => this.checkMemoryUsage(), 
       30000 // Check every 30 seconds
     );
-    
-    // Ensure cleanup on process exit
-    if (process && process.on) {
-      process.on('exit', () => this.cleanup());
-      process.on('SIGINT', () => this.cleanup());
-      process.on('uncaughtException', () => this.cleanup());
+    if (typeof this.memoryCheckInterval.unref === 'function') {
+      this.memoryCheckInterval.unref();
     }
     
+    // Register this instance for process-wide cleanup
+    activeInstances.add(this);
+    registerProcessHandlers();
+    
     // Add default translations namespace
     this.addNamespace('default', {
       en: {
@@ -178,12 +205,32 @@ class I18nEnhancedRuntime extends EventEmitter {
   }
 
   async decryptData(encryptedData, key = this.encryptionKey) {
-    if (!key) throw new Error('Encryption key not set');
+    if (!key) {
+      throw new EncryptionError('Encryption key not set', {
+        operation: 'decrypt',
+        keyType: typeof key
+      });
+    }
     
     try {
-      const data = JSON.parse(encryptedData);
-      const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(key, 'hex'), Buffer.from(data.iv, 'hex'));
+      let data;
+      try {
+        data = JSON.parse(encryptedData);
+      } catch (parseError) {
+        throw new EncryptionError('Failed to parse encrypted data', {
+          operation: 'decrypt',
+          error: parseError.message
+        });
+      }
+      
+      if (!data || !data.iv || !data.authTag || !data.encrypted) {
+        throw new EncryptionError('Invalid encrypted data format', {
+          operation: 'decrypt',
+          missingFields: ['iv', 'authTag', 'encrypted'].filter(f => !(f in (data || {})))
+        });
+      }
       
+      const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(key, 'hex'), Buffer.from(data.iv, 'hex'));
       decipher.setAuthTag(Buffer.from(data.authTag, 'hex'));
       
       let decrypted = decipher.update(data.encrypted, 'hex', 'utf8');
@@ -191,7 +238,12 @@ class I18nEnhancedRuntime extends EventEmitter {
       
       return decrypted;
     } catch (error) {
-      throw new Error(`Decryption failed: ${error.message}`);
+      if (error instanceof SecureError) throw error;
+      
+      throw new EncryptionError('Decryption failed', {
+        operation: 'decrypt',
+        errorId: crypto.randomBytes(4).toString('hex')
+      });
     }
   }
 
@@ -619,6 +671,8 @@ class I18nEnhancedRuntime extends EventEmitter {
     if (this.config.encryption) {
       this.config.encryption.salt = null;
     }
+    
+    activeInstances.delete(this);
   }
   
   // Add or update a cache entry

package/runtime/i18ntk.d.ts

@@ -447,12 +447,12 @@ export interface I18nRuntime {
  */
 export interface BasicI18nRuntime {
   /**
-   * Translate a key with parameters
+   * Translate a key with parameters (synchronous)
    */
   translate(key: string, params?: TranslationParams): string;
   
   /**
-   * Alias for translate function
+   * Alias for translate function (synchronous)
    */
   t(key: string, params?: TranslationParams): string;
   
@@ -467,7 +467,7 @@ export interface BasicI18nRuntime {
   getLanguage(): string;
   
   /**
-   * Get available languages
+   * Get available languages (synchronous)
    */
   getAvailableLanguages(): string[];
   
@@ -478,16 +478,20 @@ export interface BasicI18nRuntime {
 }
 
 /**
- * Main initialization function
+ * Initialize the enhanced i18ntk runtime (async, returns full I18nRuntime)
  */
 export declare function initI18nRuntime(config: I18nConfig): Promise<I18nRuntime>;
 
 /**
- * Basic initialization function (backward compatibility)
+ * Initialize the basic lightweight runtime (synchronous)
+ * This is the default export from 'i18ntk/runtime'
  */
-export declare function initRuntime(config: {
+export declare function initRuntime(options: {
   baseDir: string;
   language?: string;
+  fallbackLanguage?: string;
+  keySeparator?: string;
+  preload?: boolean;
 }): BasicI18nRuntime;
 
 /**

package/runtime/index.js

@@ -30,7 +30,18 @@ function stripBOMAndComments(s) {
 
 function readJsonSafe(file) {
   const raw = SecurityUtils.safeReadFileSync(file, path.dirname(file), 'utf8');
-  return JSON.parse(stripBOMAndComments(raw));
+  if (raw === null || raw === undefined) {
+    throw new Error(`Unable to read JSON file: ${file}`);
+  }
+  const cleaned = stripBOMAndComments(raw);
+  if (!cleaned) {
+    throw new Error(`Empty JSON file: ${file}`);
+  }
+  try {
+    return JSON.parse(cleaned);
+  } catch (parseError) {
+    throw new Error(`Invalid JSON in file ${file}: ${parseError.message}`);
+  }
 }
 
 function deepMerge(target, source) {
@@ -93,13 +104,17 @@ function listJsonFilesRecursively(dir) {
   while (stack.length) {
     const d = stack.pop();
     if (!SecurityUtils.safeExistsSync(d)) continue;
-    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
-      const full = path.join(d, entry.name);
-      if (entry.isDirectory()) {
-        stack.push(full);
-      } else if (entry.isFile() && entry.name.toLowerCase().endsWith('.json')) {
-        results.push(full);
+    try {
+      for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
+        const full = path.join(d, entry.name);
+        if (entry.isDirectory()) {
+          stack.push(full);
+        } else if (entry.isFile() && entry.name.toLowerCase().endsWith('.json')) {
+          results.push(full);
+        }
       }
+    } catch (_) {
+      // Skip directories we cannot read
     }
   }
   return results;
@@ -111,7 +126,8 @@ function readLanguageFromBase(baseDir, lang) {
   const langDir = path.join(baseDir, lang);
 
   // Prefer folder if exists, otherwise single file
-  if (SecurityUtils.safeExistsSync(langDir) && fs.statSync(langDir).isDirectory()) {
+  const langDirStat = SecurityUtils.safeStatSync(langDir, path.dirname(langDir));
+  if (langDirStat && langDirStat.isDirectory()) {
     const files = listJsonFilesRecursively(langDir);
     for (const file of files) {
       try {
@@ -121,11 +137,14 @@ function readLanguageFromBase(baseDir, lang) {
         // Skip unreadable/invalid files
       }
     }
-  } else if (SecurityUtils.safeExistsSync(langFile) && fs.statSync(langFile).isFile()) {
-    try {
-      const data = readJsonSafe(langFile);
-      if (data && typeof data === 'object') deepMerge(merged, data);
-    } catch (_) { /* ignore */ }
+  } else {
+    const langFileStat = SecurityUtils.safeStatSync(langFile, path.dirname(langFile));
+    if (langFileStat && langFileStat.isFile()) {
+      try {
+        const data = readJsonSafe(langFile);
+        if (data && typeof data === 'object') deepMerge(merged, data);
+      } catch (_) { /* ignore */ }
+    }
   }
 
   return merged;
@@ -211,16 +230,20 @@ function getAvailableLanguages() {
   const langs = new Set();
   if (!state.baseDir) state.baseDir = resolveBaseDir();
   if (!SecurityUtils.safeExistsSync(state.baseDir)) return ['en'];
-  for (const entry of fs.readdirSync(state.baseDir, { withFileTypes: true })) {
-    if (entry.isFile() && entry.name.toLowerCase().endsWith('.json')) {
-      langs.add(entry.name.replace(/\.json$/i, ''));
-    } else if (entry.isDirectory()) {
-      // language folder convention
-      const lang = entry.name;
-      const idx = path.join(state.baseDir, lang, `${lang}.json`);
-      if (SecurityUtils.safeExistsSync(idx)) langs.add(lang);
-      else langs.add(lang); // be permissive
+  try {
+    for (const entry of fs.readdirSync(state.baseDir, { withFileTypes: true })) {
+      if (entry.isFile() && entry.name.toLowerCase().endsWith('.json')) {
+        langs.add(entry.name.replace(/\.json$/i, ''));
+      } else if (entry.isDirectory()) {
+        const lang = entry.name;
+        const idx = path.join(state.baseDir, lang, `${lang}.json`);
+        if (SecurityUtils.safeExistsSync(idx)) langs.add(lang);
+        else langs.add(lang); // be permissive
+      }
     }
+  } catch (_) {
+    // Unreadable directory
+    return ['en'];
   }
   return Array.from(langs.size ? langs : new Set(['en']));
 }

package/utils/admin-auth.js

@@ -188,14 +188,60 @@ class AdminAuth {
     return crypto.timingSafeEqual(left, right);
   }
 
+  hasUsablePinConfig(config) {
+    return Boolean(
+      config &&
+      config.enabled === true &&
+      typeof config.pinHash === 'string' &&
+      config.pinHash.length > 0 &&
+      typeof config.salt === 'string' &&
+      config.salt.length > 0
+    );
+  }
+
+  logMissingPinConfig(context) {
+    SecurityUtils.logSecurityEvent(
+      'admin_auth_config_invalid',
+      'warning',
+      { message: `Admin PIN is required but not usable during ${context}` }
+    );
+  }
+
+  getSessionExpiryTime(session) {
+    if (!session || typeof session !== 'object') {
+      return NaN;
+    }
+
+    if (Number.isFinite(session.expiresAt)) {
+      return session.expiresAt;
+    }
+
+    if (typeof session.expiresAt === 'string') {
+      const parsedExpiresAt = Date.parse(session.expiresAt);
+      if (Number.isFinite(parsedExpiresAt)) {
+        return parsedExpiresAt;
+      }
+    }
+
+    if (typeof session.expires === 'string') {
+      const parsedExpires = Date.parse(session.expires);
+      if (Number.isFinite(parsedExpires)) {
+        return parsedExpires;
+      }
+    }
+
+    return NaN;
+  }
+
   /**
    * Verify PIN
    */
   async verifyPin(pin) {
     try {
       const config = await this.loadConfig();
-      if (!config || !config.enabled) {
-        return true; // No authentication required if not enabled
+      if (!this.hasUsablePinConfig(config)) {
+        this.logMissingPinConfig('PIN verification');
+        return false;
       }
 
       // Check for lockout
@@ -256,7 +302,7 @@ class AdminAuth {
    */
   async isPinConfigured() {
     const config = await this.loadConfig();
-    return config && config.enabled && config.pinHash;
+    return this.hasUsablePinConfig(config);
   }
 
   /**
@@ -270,7 +316,10 @@ class AdminAuth {
     }
     
     const config = await this.loadConfig();
-    return config && config.enabled;
+    if (!this.hasUsablePinConfig(config)) {
+      this.logMissingPinConfig('auth-required check');
+    }
+    return true;
   }
 
   /**
@@ -283,12 +332,6 @@ class AdminAuth {
       return false;
     }
 
-    // Check if admin PIN is actually configured
-    const config = await this.loadConfig();
-    if (!config || !config.enabled || !config.pinHash) {
-      return false; // Don't require PIN if admin PIN is not configured
-    }
-
     // Check if PIN protection is enabled
     const pinProtection = globalSettings.security?.pinProtection;
     if (!pinProtection || !pinProtection.enabled) {
@@ -297,7 +340,16 @@ class AdminAuth {
 
     // Check if this specific script requires protection
     const protectedScripts = pinProtection.protectedScripts || {};
-    return protectedScripts[scriptName] !== false; // Default to true if not explicitly set
+    if (protectedScripts[scriptName] === false) {
+      return false;
+    }
+
+    const config = await this.loadConfig();
+    if (!this.hasUsablePinConfig(config)) {
+      this.logMissingPinConfig(`script auth-required check for ${scriptName}`);
+    }
+
+    return true; // Default to true if not explicitly set
   }
 
   /**
@@ -322,7 +374,10 @@ class AdminAuth {
       process.exit(0);
     });
     process.on('uncaughtException', (error) => {
-      SecurityUtils.logSecurityEvent('uncaught_exception', 'error', error.message);
+      SecurityUtils.logSecurityEvent('uncaught_exception', 'error', {
+        message: error && error.message ? error.message : 'Unknown uncaught exception',
+        stack: error && error.stack ? String(error.stack).split('\n').slice(0, 3).join('\n') : undefined
+      });
       cleanup();
       process.exit(1);
     });
@@ -336,11 +391,14 @@ class AdminAuth {
       sessionId = this.generateSessionId();
     }
     
+    const now = Date.now();
+    const expiresAt = now + this.sessionTimeout;
     const session = {
       id: sessionId,
-      created: new Date().toISOString(),
-      lastActivity: new Date().toISOString(),
-      expires: new Date(Date.now() + this.sessionTimeout).toISOString()
+      created: new Date(now).toISOString(),
+      lastActivity: new Date(now).toISOString(),
+      expires: new Date(expiresAt).toISOString(),
+      expiresAt
     };
     
     this.activeSessions.set(sessionId, session);
@@ -373,10 +431,10 @@ class AdminAuth {
       return false;
     }
     
-    const now = new Date();
-    const expires = new Date(session.expires);
+    const now = Date.now();
+    const expiresAt = this.getSessionExpiryTime(session);
     
-    if (now > expires) {
+    if (!Number.isFinite(expiresAt) || now > expiresAt) {
       this.activeSessions.delete(sessionId);
       this.clearCurrentSession();
       SecurityUtils.logSecurityEvent(
@@ -388,8 +446,10 @@ class AdminAuth {
     }
     
     // Update last activity
-    session.lastActivity = now.toISOString();
-    session.expires = new Date(now.getTime() + this.sessionTimeout).toISOString();
+    const nextExpiresAt = now + this.sessionTimeout;
+    session.lastActivity = new Date(now).toISOString();
+    session.expires = new Date(nextExpiresAt).toISOString();
+    session.expiresAt = nextExpiresAt;
     this.activeSessions.set(sessionId, session);
     
     return true;
@@ -571,9 +631,13 @@ class AdminAuth {
     let cleaned = 0;
     
     for (const [sessionId, session] of this.activeSessions.entries()) {
-      const expiresAt = session.expiresAt || new Date(session.expires).getTime();
+      const expiresAt = this.getSessionExpiryTime(session);
       if (!Number.isFinite(expiresAt) || now > expiresAt) {
         this.activeSessions.delete(sessionId);
+        if (this.currentSession && this.currentSession.id === sessionId) {
+          this.currentSession = null;
+          this.sessionStartTime = null;
+        }
         cleaned++;
       }
     }

package/utils/config-helper.js

@@ -51,7 +51,9 @@ async function getUnifiedConfig(scriptName, cliArgs = {}) {
       }
       settingsDir = safeConfigDir;
       const configFile = path.join(settingsDir, 'i18ntk-config.json');
-      cfg = SecurityUtils.safeExistsSync(configFile) ? JSON.parse(SecurityUtils.safeReadFileSync(configFile, settingsDir, 'utf8')) : {};
+      const rawConfig = SecurityUtils.safeReadFileSync(configFile, settingsDir, 'utf8');
+      cfg = rawConfig ? SecurityUtils.safeParseJSON(rawConfig) : {};
+      if (!cfg || typeof cfg !== 'object') cfg = {};
       projectRoot = settingsDir;
       cfg.projectRoot = projectRoot;
       cfg.sourceDir = path.resolve(projectRoot, toStr(cfg.sourceDir) || './locales');
@@ -60,11 +62,15 @@ async function getUnifiedConfig(scriptName, cliArgs = {}) {
     } else {
       cfg = configManager.getConfig();
       // Use current working directory instead of hardcoded path
-      const isHardcodedPath = cfg.projectRoot && cfg.projectRoot.includes('i18n-management-toolkit-main');
-      projectRoot = isHardcodedPath ? process.cwd() : path.resolve(cfg.projectRoot || '.');
+      const isSuspiciousPath = cfg.projectRoot && (
+        cfg.projectRoot.includes('i18n-management-toolkit-main') ||
+        cfg.projectRoot.includes('i18ntk-') ||
+        !SecurityUtils.safeExistsSync(cfg.projectRoot, path.dirname(cfg.projectRoot || '.'))
+      );
+      projectRoot = isSuspiciousPath ? process.cwd() : path.resolve(cfg.projectRoot || '.');
       
       // Update config with dynamic project root
-      if (isHardcodedPath) {
+      if (isSuspiciousPath) {
         cfg.projectRoot = '.';
       }
 
@@ -110,7 +116,7 @@ async function getUnifiedConfig(scriptName, cliArgs = {}) {
       }
 
       // Auto-fix i18nDir if missing but sourceDir exists
-      if (!SecurityUtils.safeExistsSync(cfg.i18nDir) && SecurityUtils.safeExistsSync(cfg.sourceDir)) {
+      if (!SecurityUtils.safeExistsSync(cfg.i18nDir, projectRoot) && SecurityUtils.safeExistsSync(cfg.sourceDir, projectRoot)) {
         await configManager.updateConfig({ i18nDir: configManager.toRelative(cfg.sourceDir) });
         cfg.i18nDir = cfg.sourceDir;
       }
@@ -414,8 +420,8 @@ function ensureDirectory(dirPath) {
     // Silently handle undefined or invalid paths to prevent security errors
     return;
   }
-  if (!SecurityUtils.safeExistsSync(dirPath)) {
-    fs.mkdirSync(dirPath, { recursive: true });
+  if (!SecurityUtils.safeExistsSync(dirPath, process.cwd())) {
+    SecurityUtils.safeMkdirSync(dirPath, process.cwd(), { recursive: true });
   }
 }
 
@@ -499,49 +505,49 @@ async function initializeSourceFiles(sourceDir, sourceLang) {
   ensureDirectory(sourceDir);
   
   // Write the default source language file
-  SecurityUtils.safeWriteFileSync(sourceFile, JSON.stringify(defaultContent, null, 2));
+  SecurityUtils.safeWriteFileSync(sourceFile, JSON.stringify(defaultContent, null, 2), sourceDir, 'utf8');
   
   // Create directories for supported languages
   const supportedLanguages = ['es', 'fr', 'de', 'ja', 'ru', 'zh', 'pt'];
   
   supportedLanguages.forEach(lang => {
     const langFile = path.join(sourceDir, `${lang}.json`);
-    if (!SecurityUtils.safeExistsSync(langFile)) {
+    if (!SecurityUtils.safeExistsSync(langFile, sourceDir)) {
       // Create empty object structure for each language
       const emptyStructure = {
         app: {},
         common: {},
         navigation: {}
       };
-      SecurityUtils.safeWriteFileSync(langFile, JSON.stringify(emptyStructure, null, 2));
+      SecurityUtils.safeWriteFileSync(langFile, JSON.stringify(emptyStructure, null, 2), sourceDir, 'utf8');
     }
   });
   
-  // Create v2 project config if it doesn't exist
-  const configFile = '.i18ntk-config';
-  if (!SecurityUtils.safeExistsSync(configFile)) {
-    const version = (() => {
-      try {
-        return require('../package.json').version;
-      } catch {
-        return '2.0.0';
-      }
-    })();
-    const defaultConfig = {
-      version,
-      sourceDir: sourceDir,
-      outputDir: "./i18ntk-reports",
-      defaultLanguage: sourceLang,
-      supportedLanguages: [sourceLang, 'es', 'fr', 'de', 'ja', 'ru', 'zh', 'pt'],
-      setup: {
-        completed: true,
-        completedAt: new Date().toISOString(),
-        version,
-        setupId: `setup_${Date.now()}`
-      },
-      security: {
-        adminPinEnabled: true,
-        sessionTimeout: 1800000,
+  // Create v2 project config if it doesn't exist
+  const configFile = '.i18ntk-config';
+  if (!SecurityUtils.safeExistsSync(configFile, process.cwd())) {
+    const version = (() => {
+      try {
+        return require('../package.json').version;
+      } catch {
+        return '2.0.0';
+      }
+    })();
+    const defaultConfig = {
+      version,
+      sourceDir: sourceDir,
+      outputDir: "./i18ntk-reports",
+      defaultLanguage: sourceLang,
+      supportedLanguages: [sourceLang, 'es', 'fr', 'de', 'ja', 'ru', 'zh', 'pt'],
+      setup: {
+        completed: true,
+        completedAt: new Date().toISOString(),
+        version,
+        setupId: `setup_${Date.now()}`
+      },
+      security: {
+        adminPinEnabled: true,
+        sessionTimeout: 1800000,
         maxFailedAttempts: 3
       },
       performance: {
@@ -550,8 +556,8 @@ async function initializeSourceFiles(sourceDir, sourceLang) {
         batchSize: 1000
       }
     };
-    SecurityUtils.safeWriteFileSync(configFile, JSON.stringify(defaultConfig, null, 2));
-  }
+    SecurityUtils.safeWriteFileSync(configFile, JSON.stringify(defaultConfig, null, 2), process.cwd(), 'utf8');
+  }
 }