keystone-cli 0.5.0 → 0.6.0

package/src/templates/agents/keystone-architect.md

@@ -15,9 +15,10 @@ You are the Keystone Architect. Your goal is to design and generate high-quality
 - **inputs**: Map of `{ type: 'string'|'number'|'boolean'|'array'|'object', default: any, description: string }` under the `inputs` key.
 - **outputs**: Map of expressions (e.g., `${{ steps.id.output }}`) under the `outputs` key.
 - **env**: (Optional) Map of workflow-level environment variables.
-- **concurrency**: (Optional) Global concurrency limit for the workflow (number or expression).
+- **concurrency**: (Optional) Global concurrency limit for the workflow (must be a positive integer or expression resolving to one).
+- **eval**: (Optional) Configuration for prompt optimization `{ scorer: 'llm'|'script', agent, prompt, run }`.
 - **steps**: Array of step objects. Each step MUST have an `id` and a `type`:
-  - **shell**: `{ id, type: 'shell', run, dir, env, transform }`
+  - **shell**: `{ id, type: 'shell', run, dir, env, allowInsecure, transform }` (Set `allowInsecure: true` to bypass risky command checks)
   - **llm**: `{ id, type: 'llm', agent, prompt, schema, provider, model, tools, maxIterations, useGlobalMcp, allowClarification, mcpServers }`
   - **workflow**: `{ id, type: 'workflow', path, inputs }`
   - **file**: `{ id, type: 'file', path, op: 'read'|'write'|'append', content }`
@@ -25,7 +26,8 @@ You are the Keystone Architect. Your goal is to design and generate high-quality
   - **human**: `{ id, type: 'human', message, inputType: 'confirm'|'text' }` (Note: 'confirm' returns boolean but automatically fallbacks to text if input is not yes/no)
   - **sleep**: `{ id, type: 'sleep', duration }` (duration can be a number or expression string)
   - **script**: `{ id, type: 'script', run, allowInsecure }` (Executes JS in a secure sandbox; set allowInsecure to true to allow fallback to insecure VM)
-- **Common Step Fields**: `needs` (array of IDs), `if` (expression), `timeout` (ms), `retry` (`{ count, backoff: 'linear'|'exponential', baseDelay }`), `foreach`, `concurrency`, `transform`.
+  - **memory**: `{ id, type: 'memory', op: 'search'|'store', query, text, model, metadata, limit }`
+- **Common Step Fields**: `needs` (array of IDs), `if` (expression), `timeout` (ms), `retry` (`{ count, backoff: 'linear'|'exponential', baseDelay }`), `auto_heal` (`{ agent, maxAttempts, model }`), `reflexion` (`{ limit, hint }`), `learn` (boolean, auto-index for few-shot), `foreach`, `concurrency` (positive integer), `transform`.
 - **finally**: Optional array of steps to run at the end of the workflow, regardless of success or failure.
 - **IMPORTANT**: Steps run in **parallel** by default. To ensure sequential execution, a step must explicitly list the previous step's ID in its `needs` array.
 
@@ -41,7 +43,7 @@ Markdown files with YAML frontmatter:
 ## Expression Syntax
 - `${{ inputs.name }}`
 - `${{ steps.id.output }}`
-- `${{ steps.id.status }}`
+- `${{ steps.id.status }}` (e.g., `'pending'`, `'running'`, `'success'`, `'failed'`, `'skipped'`)
 - `${{ args.paramName }}` (used inside agent tools)
 - Standard JS-like expressions: `${{ steps.count > 0 ? 'yes' : 'no' }}`
 

package/src/templates/full-feature-demo.yaml

@@ -27,21 +27,21 @@ steps:
   - id: write_file
     type: file
     op: write
-    path: /tmp/keystone-test.txt
+    path: ./tmp/keystone-test.txt
     content: "Test file created at ${{ steps.get_date.output }}"
 
   # Test file read
   - id: read_file
     type: file
     op: read
-    path: /tmp/keystone-test.txt
+    path: ./tmp/keystone-test.txt
     needs: [write_file]
 
   # Test shell with dependencies
   - id: count_files
     type: shell
     needs: [write_file]
-    run: ls /tmp/keystone-*.txt | wc -l
+    run: ls ./tmp/keystone-*.txt | wc -l
     transform: parseInt(stdout.trim())
 
   # Test conditional execution
@@ -66,4 +66,4 @@ steps:
 finally:
   - id: cleanup
     type: shell
-    run: rm /tmp/keystone-test.txt
+    run: rm ./tmp/keystone-test.txt

package/src/types/assets.d.ts

@@ -0,0 +1,14 @@
+declare module '*.md' {
+  const content: string;
+  export default content;
+}
+
+declare module '*.yaml' {
+  const content: string;
+  export default content;
+}
+
+declare module '*.yml' {
+  const content: string;
+  export default content;
+}

package/src/types/status.ts

@@ -15,7 +15,7 @@ export const StepStatus = {
 export type StepStatusType = (typeof StepStatus)[keyof typeof StepStatus];
 
 export const WorkflowStatus = {
-  COMPLETED: 'completed',
+  SUCCESS: 'success',
   FAILED: 'failed',
   PAUSED: 'paused',
   SUSPENDED: 'suspended',

package/src/ui/dashboard.tsx

@@ -1,5 +1,5 @@
 import { Box, Newline, Text, render, useInput } from 'ink';
-import React, { useState, useEffect, useCallback } from 'react';
+import React, { useState, useEffect, useCallback, useMemo } from 'react';
 import { WorkflowDb } from '../db/workflow-db.ts';
 
 interface Run {
@@ -14,39 +14,49 @@ const Dashboard = () => {
   const [runs, setRuns] = useState<Run[]>([]);
   const [loading, setLoading] = useState(true);
 
-  const fetchData = useCallback(() => {
-    const db = new WorkflowDb();
+  // Reuse database connection instead of creating new one every 2 seconds
+  const db = useMemo(() => new WorkflowDb(), []);
+
+  // Cleanup database connection on unmount
+  useEffect(() => {
+    return () => db.close();
+  }, [db]);
+
+  const fetchData = useCallback(async () => {
     try {
-      const recentRuns = db.listRuns(10) as (Run & { outputs: string | null })[];
-      const runsWithUsage = recentRuns.map((run) => {
-        let total_tokens = 0;
-        try {
-          // Get steps to aggregate tokens if not in outputs (future-proofing)
-          const steps = db.getStepsByRun(run.id);
-          total_tokens = steps.reduce((sum, s) => {
-            if (s.usage) {
-              try {
-                const u = JSON.parse(s.usage);
-                return sum + (u.total_tokens || 0);
-              } catch (e) {
-                return sum;
+      const recentRuns = (await db.listRuns(10)) as (Run & { outputs: string | null })[];
+      const runsWithUsage = await Promise.all(
+        recentRuns.map(async (run) => {
+          let total_tokens = 0;
+          try {
+            // Get steps to aggregate tokens if not in outputs (future-proofing)
+            const steps = await db.getStepsByRun(run.id);
+            total_tokens = steps.reduce((sum, s) => {
+              if (s.usage) {
+                try {
+                  const u = JSON.parse(s.usage);
+                  return sum + (u.total_tokens || 0);
+                } catch (e) {
+                  return sum;
+                }
               }
-            }
-            return sum;
-          }, 0);
-        } catch (e) {
-          // Ignore write error
-        }
-        return { ...run, total_tokens };
-      });
+              return sum;
+            }, 0);
+          } catch (e) {
+            // Ignore read error
+          }
+          return { ...run, total_tokens };
+        })
+      );
       setRuns(runsWithUsage);
     } catch (error) {
+      // Dashboard is UI, console.error is acceptable but let's be consistent if possible.
+      // For now we keep it as is or could use a toast.
       console.error('Failed to fetch runs:', error);
     } finally {
       setLoading(false);
-      db.close();
     }
-  }, []);
+  }, [db]);
 
   useEffect(() => {
     fetchData();
@@ -159,6 +169,7 @@ const Dashboard = () => {
 const getStatusColor = (status: string) => {
   switch (status.toLowerCase()) {
     case 'completed':
+    case 'success':
       return 'green';
     case 'failed':
       return 'red';
@@ -176,6 +187,7 @@ const getStatusColor = (status: string) => {
 const getStatusIcon = (status: string) => {
   switch (status.toLowerCase()) {
     case 'completed':
+    case 'success':
       return '✅';
     case 'failed':
       return '❌';

package/src/utils/auth-manager.ts

@@ -57,8 +57,9 @@ export class AuthManager {
     const path = AuthManager.getAuthPath();
     const current = AuthManager.load();
     try {
-      writeFileSync(path, JSON.stringify({ ...current, ...data }, null, 2));
+      writeFileSync(path, JSON.stringify({ ...current, ...data }, null, 2), { mode: 0o600 });
     } catch (error) {
+      // Use ConsoleLogger as a safe fallback for top-level utility
       console.error(
         'Failed to save auth data:',
         error instanceof Error ? error.message : String(error)
@@ -196,6 +197,7 @@ export class AuthManager {
 
       return data.token;
     } catch (error) {
+      // Use ConsoleLogger as a safe fallback for top-level utility
       console.error('Error refreshing Copilot token:', error);
       return undefined;
     }

package/src/utils/logger.test.ts

@@ -0,0 +1,76 @@
+import { afterEach, beforeEach, describe, expect, it, spyOn } from 'bun:test';
+import { ConsoleLogger, SilentLogger } from './logger';
+
+describe('ConsoleLogger', () => {
+  let logSpy: ReturnType<typeof spyOn>;
+  let warnSpy: ReturnType<typeof spyOn>;
+  let errorSpy: ReturnType<typeof spyOn>;
+  let infoSpy: ReturnType<typeof spyOn>;
+  let debugSpy: ReturnType<typeof spyOn>;
+  const originalDebug = process.env.DEBUG;
+  const originalVerbose = process.env.VERBOSE;
+
+  beforeEach(() => {
+    logSpy = spyOn(console, 'log').mockImplementation(() => {});
+    warnSpy = spyOn(console, 'warn').mockImplementation(() => {});
+    errorSpy = spyOn(console, 'error').mockImplementation(() => {});
+    infoSpy = spyOn(console, 'info').mockImplementation(() => {});
+    debugSpy = spyOn(console, 'debug').mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    logSpy.mockRestore();
+    warnSpy.mockRestore();
+    errorSpy.mockRestore();
+    infoSpy.mockRestore();
+    debugSpy.mockRestore();
+    if (originalDebug === undefined) {
+      process.env.DEBUG = undefined;
+    } else {
+      process.env.DEBUG = originalDebug;
+    }
+    if (originalVerbose === undefined) {
+      process.env.VERBOSE = undefined;
+    } else {
+      process.env.VERBOSE = originalVerbose;
+    }
+  });
+
+  it('writes to console methods', () => {
+    const logger = new ConsoleLogger();
+    logger.log('log');
+    logger.warn('warn');
+    logger.error('error');
+    logger.info('info');
+
+    expect(logSpy).toHaveBeenCalledWith('log');
+    expect(warnSpy).toHaveBeenCalledWith('warn');
+    expect(errorSpy).toHaveBeenCalledWith('error');
+    expect(infoSpy).toHaveBeenCalledWith('info');
+  });
+
+  it('logs debug only when DEBUG or VERBOSE is set', () => {
+    const logger = new ConsoleLogger();
+
+    process.env.DEBUG = undefined;
+    process.env.VERBOSE = undefined;
+    logger.debug('quiet');
+    expect(debugSpy).not.toHaveBeenCalled();
+
+    process.env.DEBUG = '1';
+    logger.debug('loud');
+    expect(debugSpy).toHaveBeenCalledWith('loud');
+  });
+});
+
+describe('SilentLogger', () => {
+  it('ignores all log calls', () => {
+    const logger = new SilentLogger();
+    logger.log('log');
+    logger.warn('warn');
+    logger.error('error');
+    logger.info('info');
+    logger.debug('debug');
+    expect(true).toBe(true);
+  });
+});

package/src/utils/logger.ts

@@ -0,0 +1,39 @@
+export interface Logger {
+  log(message: string): void;
+  error(message: string): void;
+  warn(message: string): void;
+  info(message: string): void;
+  debug?(message: string): void;
+}
+
+export class ConsoleLogger implements Logger {
+  log(message: string): void {
+    console.log(message);
+  }
+
+  error(message: string): void {
+    console.error(message);
+  }
+
+  warn(message: string): void {
+    console.warn(message);
+  }
+
+  info(message: string): void {
+    console.info(message);
+  }
+
+  debug(message: string): void {
+    if (process.env.DEBUG || process.env.VERBOSE) {
+      console.debug(message);
+    }
+  }
+}
+
+export class SilentLogger implements Logger {
+  log(_message: string): void {}
+  error(_message: string): void {}
+  warn(_message: string): void {}
+  info(_message: string): void {}
+  debug(_message: string): void {}
+}

package/src/utils/prompt.ts

@@ -0,0 +1,75 @@
+/**
+ * Prompts the user for a secret/password input, masking the characters with *.
+ * @param promptText The text to display before the input
+ * @returns The secret string entered by the user
+ */
+export async function promptSecret(promptText: string): Promise<string> {
+  const { stdin, stdout } = process;
+
+  if (!stdin.isTTY) {
+    // Non-interactive mode: just read a line
+    stdout.write(promptText);
+    const readline = require('node:readline');
+    const rl = readline.createInterface({
+      input: stdin,
+      terminal: false,
+    });
+
+    return new Promise((resolve) => {
+      rl.on('line', (line: string) => {
+        rl.close();
+        resolve(line.trim());
+      });
+
+      rl.on('close', () => {
+        resolve('');
+      });
+    });
+  }
+
+  return new Promise((resolve) => {
+    stdout.write(promptText);
+    stdin.setRawMode(true);
+    stdin.resume();
+    stdin.setEncoding('utf8');
+
+    let input = '';
+
+    const handler = (char: string) => {
+      // Ctrl+C (End of Text)
+      if (char === '\u0003') {
+        stdin.setRawMode(false);
+        stdin.pause();
+        stdout.write('\n^C\n');
+        process.exit(130);
+      }
+
+      // Enter (Carriage Return)
+      if (char === '\r' || char === '\n') {
+        stdin.setRawMode(false);
+        stdin.pause();
+        stdin.removeListener('data', handler);
+        stdout.write('\n');
+        resolve(input);
+        return;
+      }
+
+      // Backspace
+      if (char === '\u007f' || char === '\u0008') {
+        if (input.length > 0) {
+          input = input.slice(0, -1);
+          stdout.write('\b \b'); // Move back, overwrite with space, move back again
+        }
+        return;
+      }
+
+      // Normal characters
+      if (char.length === 1 && char.charCodeAt(0) >= 32) {
+        input += char;
+        stdout.write('*');
+      }
+    };
+
+    stdin.on('data', handler);
+  });
+}

package/src/utils/redactor.test.ts

@@ -58,15 +58,97 @@ describe('Redactor', () => {
     expect(redactor.redact(123)).toBe(123);
   });
 
-  it('should ignore secrets shorter than 3 characters', () => {
-    const shortRedactor = new Redactor({ S1: 'a', S2: '12', S3: 'abc' });
+  it('should ignore secrets shorter than 3 characters for sensitive keys', () => {
+    const shortRedactor = new Redactor({ S1: 'a', S2: '12', TOKEN: 'abc' });
     const text = 'a and 12 are safe, but abc is a secret';
     expect(shortRedactor.redact(text)).toBe('a and 12 are safe, but ***REDACTED*** is a secret');
   });
 
   it('should not redact substrings of larger words when using alphanumeric secrets', () => {
-    const wordRedactor = new Redactor({ USER: 'mark' });
-    const text = 'mark went to the marketplace';
+    const wordRedactor = new Redactor({ USER: 'mark-long-enough' });
+    const text = 'mark-long-enough went to the marketplace';
     expect(wordRedactor.redact(text)).toBe('***REDACTED*** went to the marketplace');
   });
+
+  it('should NOT redact common words in the blocklist', () => {
+    const blocklistRedactor = new Redactor({
+      STATUS: 'success',
+      DEBUG: 'true',
+      LEVEL: 'info',
+    });
+    const text = 'Operation was a success with info level and true flag';
+    expect(blocklistRedactor.redact(text)).toBe(text);
+  });
+
+  it('should redact short values only for sensitive keys', () => {
+    const mixedRedactor = new Redactor({
+      PASSWORD: 'abc', // sensitive key, short value
+      OTHER: 'def', // non-sensitive key, short value
+      LONG: 'this-is-long-enough', // non-sensitive, long value
+    });
+    const text = 'pwd: abc, other: def, long: this-is-long-enough';
+    expect(mixedRedactor.redact(text)).toBe(
+      'pwd: ***REDACTED***, other: def, long: ***REDACTED***'
+    );
+  });
+
+  it('should ignore non-sensitive values shorter than 10 characters', () => {
+    const thresholdRedactor = new Redactor({
+      S1: '123456789', // 9 chars
+      S2: '1234567890', // 10 chars
+    });
+    const text = 'S1 is 123456789 and S2 is 1234567890';
+    expect(thresholdRedactor.redact(text)).toBe('S1 is 123456789 and S2 is ***REDACTED***');
+  });
+
+  it('should respect word boundaries for short secrets', () => {
+    const shortRedactor = new Redactor({ TOKEN: 'key' }); // 'key' is < 5 chars but TOKEN is sensitive
+    // Should redact " key " but NOT "keyboard" or "donkey"
+    const text = 'The key is on the keyboard near the donkey.';
+    expect(shortRedactor.redact(text)).toBe(
+      'The ***REDACTED*** is on the keyboard near the donkey.'
+    );
+  });
+});
+
+describe('RedactionBuffer', () => {
+  const redactor = new Redactor({ SECRET: 'super-secret-value' });
+
+  it(' should redact secrets across chunks', () => {
+    const buffer = new (require('./redactor').RedactionBuffer)(redactor);
+    const chunk1 = 'This is sup';
+    const chunk2 = 'er-secret-value in parts.';
+
+    const out1 = buffer.process(chunk1);
+    const out2 = buffer.process(chunk2);
+    const out3 = buffer.flush();
+
+    expect(out1 + out2 + out3).toContain('***REDACTED***');
+    expect(out1 + out2 + out3).not.toContain('super-secret-value');
+  });
+
+  it('should not leak partial secrets in process()', () => {
+    const buffer = new (require('./redactor').RedactionBuffer)(redactor);
+    // Secret is 18 chars long.
+    // 'super-s' is 7 chars.
+    const chunk = 'super-s';
+    const output = buffer.process(chunk);
+
+    // Should not output anything if it could be the start of a secret
+    expect(output).toBe('');
+    expect(buffer.flush()).toBe('super-s');
+  });
+
+  it('should handle multiple secrets in stream', () => {
+    const multiRedactor = new Redactor({ S1: 'secret-one', S2: 'secret-two' });
+    const buffer = new (require('./redactor').RedactionBuffer)(multiRedactor);
+
+    const text = 'S1: secret-one, S2: secret-two';
+    const out1 = buffer.process(text.substring(0, 15));
+    const out2 = buffer.process(text.substring(15));
+    const out3 = buffer.flush();
+
+    const full = out1 + out2 + out3;
+    expect(full).toBe('S1: ***REDACTED***, S2: ***REDACTED***');
+  });
 });

package/src/utils/redactor.ts

@@ -7,6 +7,8 @@
 
 export class Redactor {
   private patterns: RegExp[] = [];
+  private combinedPattern: RegExp | null = null;
+  public readonly maxSecretLength: number;
 
   constructor(secrets: Record<string, string>) {
     // Keys that indicate high sensitivity - always redact their values regardless of length
@@ -28,23 +30,57 @@ export class Redactor {
     // Extract all secret values
     // We filter based on:
     // 1. Value must be a string and not empty
-    // 2. Either the key indicates high sensitivity OR length >= 3
+    // 2. Value must not be in the blocklist of common words
+    // 3. Either the key indicates high sensitivity OR length >= 10 (conservative limit for unknown values)
     const secretsToRedact = new Set<string>();
 
+    const valueBlocklist = new Set([
+      'true',
+      'false',
+      'null',
+      'undefined',
+      'info',
+      'warn',
+      'error',
+      'debug',
+      'success',
+      'pending',
+      'failed',
+      'skipped',
+      'suspended',
+      'default',
+      'public',
+      'private',
+      'protected',
+    ]);
+
     for (const [key, value] of Object.entries(secrets)) {
-      if (!value) continue;
+      if (!value || typeof value !== 'string') continue;
+
+      const lowerValue = value.toLowerCase();
+      if (valueBlocklist.has(lowerValue)) continue;
 
       const lowerKey = key.toLowerCase();
       // Check if key contains any sensitive term
       const isSensitiveKey = Array.from(sensitiveKeys).some((k) => lowerKey.includes(k));
 
-      if (isSensitiveKey || value.length >= 3) {
+      // If it's a sensitive key, redact it even if short (>=3)
+      // Otherwise, only redact if it's long enough to be likely a real secret
+      if (isSensitiveKey) {
+        if (value.length >= 3) {
+          secretsToRedact.add(value);
+        }
+      } else if (value.length >= 10) {
         secretsToRedact.add(value);
       }
     }
 
     const uniqueSecrets = Array.from(secretsToRedact).sort((a, b) => b.length - a.length);
 
+    // Build regex patterns
+    // Optimization: Group secrets into a single combined regex where possible
+    const parts: string[] = [];
+
     for (const secret of uniqueSecrets) {
       // Escape special regex characters in the secret
       const escaped = secret.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
@@ -52,24 +88,23 @@ export class Redactor {
       // Use word boundaries if the secret starts/ends with an alphanumeric character
       // to avoid partial matches (e.g. redacting 'mark' in 'marketplace')
       // BUT only if length is small (< 5), otherwise matching inside strings is desirable
-      let pattern: RegExp;
       if (secret.length < 5) {
         const startBoundary = /^\w/.test(secret) ? '\\b' : '';
         const endBoundary = /\w$/.test(secret) ? '\\b' : '';
-        pattern = new RegExp(`${startBoundary}${escaped}${endBoundary}`, 'g');
+        parts.push(`${startBoundary}${escaped}${endBoundary}`);
       } else {
-        pattern = new RegExp(escaped, 'g');
+        parts.push(escaped);
       }
+    }
 
-      this.patterns.push(pattern);
+    if (parts.length > 0) {
+      this.combinedPattern = new RegExp(parts.join('|'), 'g');
     }
 
     // Capture the maximum length for buffering purposes
     this.maxSecretLength = uniqueSecrets.reduce((max, s) => Math.max(max, s.length), 0);
   }
 
-  public readonly maxSecretLength: number;
-
   /**
    * Redact all secrets from a string
    */
@@ -78,11 +113,11 @@ export class Redactor {
       return text;
     }
 
-    let redacted = text;
-    for (const pattern of this.patterns) {
-      redacted = redacted.replace(pattern, '***REDACTED***');
+    if (!this.combinedPattern) {
+      return text;
     }
-    return redacted;
+
+    return text.replace(this.combinedPattern, '***REDACTED***');
   }
 
   /**