lsh-framework 1.2.0 → 1.3.0

package/dist/constants/index.js

@@ -0,0 +1,28 @@
+/**
+ * LSH Constants
+ *
+ * Centralized location for all hard-coded strings, configuration values,
+ * and magic constants used throughout the LSH codebase.
+ *
+ * This file serves as the single source of truth for all constant values.
+ * Import from this file or its submodules instead of using hard-coded strings.
+ *
+ * @example
+ * ```typescript
+ * import { PATHS, ERRORS, ENV_VARS } from './constants/index.js';
+ *
+ * // Use constants instead of hard-coded strings
+ * const socketPath = PATHS.DAEMON_SOCKET_TEMPLATE.replace('${USER}', process.env.USER);
+ * throw new Error(ERRORS.DAEMON_ALREADY_RUNNING);
+ * const apiKey = process.env[ENV_VARS.LSH_API_KEY];
+ * ```
+ */
+// Export all constants
+export * from './paths.js';
+export * from './errors.js';
+export * from './commands.js';
+export * from './config.js';
+export * from './api.js';
+export * from './ui.js';
+export * from './validation.js';
+export * from './database.js';

package/dist/constants/paths.js

@@ -0,0 +1,28 @@
+/**
+ * File paths and system locations
+ *
+ * All file paths, directories, and system locations used throughout LSH.
+ */
+export const PATHS = {
+    // Package and config files
+    PACKAGE_JSON_RELATIVE: '../package.json',
+    LSHRC_FILENAME: '.lshrc',
+    ROOT_DIR: '/',
+    // History and session files
+    DEFAULT_HISTORY_FILE: '~/.lsh_history',
+    // Daemon files (templates with ${USER} placeholder)
+    DAEMON_SOCKET_TEMPLATE: '/tmp/lsh-job-daemon-${USER}.sock',
+    DAEMON_PID_FILE_TEMPLATE: '/tmp/lsh-job-daemon-${USER}.pid',
+    DAEMON_LOG_FILE_TEMPLATE: '/tmp/lsh-job-daemon-${USER}.log',
+    DAEMON_JOBS_FILE_TEMPLATE: '/tmp/lsh-daemon-jobs-${USER}.json',
+    // Job persistence
+    DEFAULT_JOBS_PERSISTENCE_FILE: '/tmp/lsh-jobs.json',
+};
+export const PREFIXES = {
+    SESSION_ID: 'lsh_',
+    SECRETS_SEED_SUFFIX: 'lsh-secrets',
+};
+export const SYSTEM = {
+    UNKNOWN_USER: 'unknown',
+    DEFAULT_HOSTNAME: 'localhost',
+};

package/dist/constants/ui.js

@@ -0,0 +1,73 @@
+/**
+ * UI strings and console output
+ *
+ * All user-facing messages, prompts, and terminal output strings.
+ */
+export const UI_MESSAGES = {
+    // Help and usage
+    DID_YOU_MEAN: '\nDid you mean one of these?',
+    RUN_HELP_MESSAGE: '\nRun \'lsh --help\' to see available commands.',
+    // Configuration messages
+    CONFIG_EXISTS: 'Configuration file already exists: ${rcFile}',
+    CONFIG_CREATED: '✅ Created configuration file: ${rcFile}',
+    CONFIG_CREATE_FAILED: '❌ Failed to create configuration: ${message}',
+    CONFIG_NOT_FOUND: '❌ Configuration file not found: ${rcFile}',
+    CONFIG_INIT_HINT: 'Run "lsh config --init" to create one.',
+    CONFIG_FILE_DISPLAY: '📄 Configuration file: ${rcFile}',
+    CONFIG_NOT_FOUND_VALIDATE: '❌ Configuration file not found: ${rcFile}',
+    CONFIG_VALID: '✅ Configuration file is valid: ${rcFile}',
+    CONFIG_HAS_ERRORS: '❌ Configuration file has errors: ${rcFile}',
+    // Secrets messages
+    FAILED_PUSH_SECRETS: '❌ Failed to push secrets:',
+    FAILED_PULL_SECRETS: '❌ Failed to pull secrets:',
+    FILE_NOT_FOUND: '❌ File not found: ${envPath}',
+    TIP_PULL_FROM_CLOUD: '💡 Tip: Pull from cloud with: lsh pull --env <environment>',
+    SECRETS_IN_FILE: '\n📋 Secrets in ${file}:\n',
+    TOTAL_SECRETS: '\n  Total: ${count} secrets\n',
+    FAILED_LIST_SECRETS: '❌ Failed to list secrets:',
+    // Version messages
+    CURRENT_VERSION: 'Current version:',
+    CHECKING_UPDATES: 'Checking npm for updates...',
+    FAILED_FETCH_VERSION: '✗ Failed to fetch version information from npm',
+    CHECK_INTERNET: '⚠ Make sure you have internet connectivity',
+    LATEST_VERSION: 'Latest version:',
+    ALREADY_LATEST: '✓ You\'re already on the latest version!',
+    VERSION_NEWER: '✓ Your version (${currentVersion}) is newer than npm',
+    DEV_VERSION_HINT: 'You may be using a development version',
+    UPDATE_AVAILABLE: '⬆ Update available: ${currentVersion} → ${latestVersion}',
+    RUN_UPDATE_HINT: 'ℹ Run \'lsh self update\' to install the update',
+};
+export const LOG_MESSAGES = {
+    // Environment validation
+    VALIDATING_ENV: 'Validating environment configuration',
+    ENV_VALIDATION_FAILED: 'Environment validation failed in production',
+    // Daemon lifecycle
+    DAEMON_STARTING: 'Starting LSH Job Daemon',
+    DAEMON_STARTED: 'Daemon started with PID ${pid}',
+    DAEMON_STOPPING: 'Stopping LSH Job Daemon',
+    DAEMON_STOPPED: 'Daemon stopped',
+    // API server
+    API_SERVER_STARTED: 'API Server started on port ${port}',
+    API_SERVER_STOPPED: 'API Server stopped',
+    // Job operations
+    ADDING_JOB: 'Adding job: ${name}',
+    STARTING_JOB: 'Starting job: ${jobId}',
+    TRIGGERING_JOB: 'Triggering job: ${jobId}',
+    // Scheduler
+    SCHEDULER_STARTING: '📅 Starting job scheduler...',
+    SCHEDULER_STARTED: '✅ Job scheduler started successfully',
+    // Secrets operations
+    WARN_NO_SECRETS_KEY: '⚠️  Warning: No LSH_SECRETS_KEY set. Using machine-derived key.',
+    WARN_GENERATE_KEY_MESSAGE: 'To share secrets across machines, generate a key with: lsh secrets key',
+    PUSHING_SECRETS: 'Pushing ${envFilePath} to Supabase (${environment})...',
+    SECRETS_PUSHED: '✅ Pushed ${count} secrets from ${filename} to Supabase',
+    PULLING_SECRETS: 'Pulling ${filename} (${environment}) from Supabase...',
+    BACKUP_CREATED: 'Backed up existing .env to ${backup}',
+    SECRETS_PULLED: '✅ Pulled ${count} secrets from Supabase',
+};
+export const LOG_LEVELS = {
+    INFO: 'INFO',
+    WARN: 'WARN',
+    ERROR: 'ERROR',
+    DEBUG: 'DEBUG',
+};

package/dist/constants/validation.js

@@ -0,0 +1,124 @@
+/**
+ * Validation patterns and security rules
+ *
+ * All validation patterns, security rules, and dangerous command patterns.
+ */
+import { ERRORS, RISK_LEVELS } from './errors.js';
+export const DANGEROUS_PATTERNS = [
+    // Critical risk - Filesystem destruction
+    {
+        pattern: /rm\s+-rf\s+\/(?!\w)/i,
+        description: ERRORS.DELETE_ROOT,
+        riskLevel: RISK_LEVELS.CRITICAL,
+    },
+    {
+        pattern: /mkfs/i,
+        description: ERRORS.MKFS_DETECTED,
+        riskLevel: RISK_LEVELS.CRITICAL,
+    },
+    {
+        pattern: /dd\s+.*of=/i,
+        description: ERRORS.DD_DETECTED,
+        riskLevel: RISK_LEVELS.CRITICAL,
+    },
+    // High risk - Privilege escalation
+    {
+        pattern: /sudo\s+su/i,
+        description: ERRORS.PRIV_ESCALATION,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    {
+        pattern: /sudo\s+.*passwd/i,
+        description: ERRORS.PASSWORD_MOD,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    // High risk - Remote code execution
+    {
+        pattern: /curl\s+.*\|\s*bash/i,
+        description: ERRORS.REMOTE_EXEC_CURL,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    {
+        pattern: /wget\s+.*\|\s*sh/i,
+        description: ERRORS.REMOTE_EXEC_WGET,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    {
+        pattern: /nc\s+.*-e/i,
+        description: ERRORS.REVERSE_SHELL,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    // High risk - Sensitive file access
+    {
+        pattern: /cat\s+\/etc\/shadow/i,
+        description: ERRORS.READ_SHADOW,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    {
+        pattern: /cat\s+\/etc\/passwd/i,
+        description: ERRORS.READ_PASSWD,
+        riskLevel: RISK_LEVELS.MEDIUM,
+    },
+    {
+        pattern: /\.ssh\/id_rsa/i,
+        description: ERRORS.ACCESS_SSH_KEY,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    // High risk - Process killing
+    {
+        pattern: /kill\s+-9\s+1\b/i,
+        description: ERRORS.KILL_INIT,
+        riskLevel: RISK_LEVELS.CRITICAL,
+    },
+    {
+        pattern: /pkill\s+-9\s+.*sshd/i,
+        description: ERRORS.KILL_SSHD,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+    // Medium risk - Obfuscation attempts
+    {
+        pattern: /\$\(.*base64.*\)/i,
+        description: ERRORS.BASE64_COMMAND,
+        riskLevel: RISK_LEVELS.MEDIUM,
+    },
+    {
+        pattern: /eval.*\$\(/i,
+        description: ERRORS.DYNAMIC_EVAL,
+        riskLevel: RISK_LEVELS.MEDIUM,
+    },
+    {
+        pattern: /\x00/i,
+        description: ERRORS.NULL_BYTE,
+        riskLevel: RISK_LEVELS.HIGH,
+    },
+];
+export const WARNING_PATTERNS = [
+    {
+        pattern: /sudo\s+/i,
+        description: 'Command uses sudo (elevated privileges)',
+    },
+    {
+        pattern: /rm\s+-rf/i,
+        description: 'Force recursive deletion - use with caution',
+    },
+    {
+        pattern: />\s*\/dev\/(sd[a-z]|hd[a-z]|nvme[0-9])/i,
+        description: 'Direct disk device access',
+    },
+    {
+        pattern: /chmod\s+777/i,
+        description: 'Setting world-writable permissions',
+    },
+    {
+        pattern: /curl.*\|/i,
+        description: 'Piping curl output to another command',
+    },
+    {
+        pattern: /wget.*\|/i,
+        description: 'Piping wget output to another command',
+    },
+    {
+        pattern: /exec\s+/i,
+        description: 'Using exec to replace current process',
+    },
+];

package/dist/daemon/lshd.js

@@ -10,10 +10,10 @@ import * as path from 'path';
 import * as net from 'net';
 import { EventEmitter } from 'events';
 import JobManager from '../lib/job-manager.js';
-import { LSHApiServer } from './api-server.js';
 import { validateCommand } from '../lib/command-validator.js';
 import { validateEnvironment, printValidationResults } from '../lib/env-validator.js';
 import { createLogger } from '../lib/logger.js';
+import { getPlatformPaths } from '../lib/platform-utils.js';
 const execAsync = promisify(exec);
 export class LSHJobDaemon extends EventEmitter {
     config;
@@ -21,18 +21,19 @@ export class LSHJobDaemon extends EventEmitter {
     isRunning = false;
     checkTimer;
     logStream;
-    ipcServer; // Unix socket server for communication
+    ipcServer; // IPC server (Unix sockets or Named Pipes)
     lastRunTimes = new Map(); // Track last run time per job
-    apiServer; // API server instance
     logger = createLogger('LSHJobDaemon');
     constructor(config) {
         super();
-        const userSuffix = process.env.USER ? `-${process.env.USER}` : '';
+        // Use cross-platform paths
+        const platformPaths = getPlatformPaths('lsh');
+        const jobsFilePath = path.join(platformPaths.tmpDir, `lsh-daemon-jobs-${platformPaths.user}.json`);
         this.config = {
-            pidFile: `/tmp/lsh-job-daemon${userSuffix}.pid`,
-            logFile: `/tmp/lsh-job-daemon${userSuffix}.log`,
-            jobsFile: `/tmp/lsh-daemon-jobs${userSuffix}.json`,
-            socketPath: `/tmp/lsh-job-daemon${userSuffix}.sock`,
+            pidFile: platformPaths.pidFile,
+            logFile: platformPaths.logFile,
+            jobsFile: jobsFilePath,
+            socketPath: platformPaths.socketPath,
             checkInterval: 2000, // 2 seconds for better cron accuracy
             maxLogSize: 10 * 1024 * 1024, // 10MB
             autoRestart: true,
@@ -74,28 +75,11 @@ export class LSHJobDaemon extends EventEmitter {
             throw new Error('Another daemon instance is already running');
         }
         this.log('INFO', 'Starting LSH Job Daemon');
-        // Write PID file
-        await fs.promises.writeFile(this.config.pidFile, process.pid.toString());
+        // Write PID file with secure permissions (mode 0o600 = rw-------)
+        await fs.promises.writeFile(this.config.pidFile, process.pid.toString(), { mode: 0o600 });
         this.isRunning = true;
         this.startJobScheduler();
         this.startIPCServer();
-        // Start API server if enabled
-        if (this.config.apiEnabled) {
-            try {
-                this.apiServer = new LSHApiServer(this, {
-                    port: this.config.apiPort,
-                    apiKey: this.config.apiKey,
-                    enableWebhooks: this.config.enableWebhooks,
-                    webhookEndpoints: this.config.webhookEndpoints
-                });
-                await this.apiServer.start();
-                this.log('INFO', `API Server started on port ${this.config.apiPort}`);
-            }
-            catch (error) {
-                const err = error;
-                this.log('ERROR', `Failed to start API server: ${err.message}`);
-            }
-        }
         // Setup cleanup handlers
         this.setupSignalHandlers();
         this.log('INFO', `Daemon started with PID ${process.pid}`);
@@ -110,11 +94,6 @@ export class LSHJobDaemon extends EventEmitter {
         }
         this.log('INFO', 'Stopping LSH Job Daemon');
         this.isRunning = false;
-        // Stop API server if running
-        if (this.apiServer) {
-            await this.apiServer.stop();
-            this.log('INFO', 'API Server stopped');
-        }
         if (this.checkTimer) {
             clearInterval(this.checkTimer);
         }

package/dist/lib/daemon-client-helper.js

@@ -3,17 +3,20 @@
  * Provides wrapper utilities to eliminate repetitive daemon client connection boilerplate
  */
 import DaemonClient from './daemon-client.js';
+import { getPlatformPaths } from './platform-utils.js';
 /**
- * Default socket path for the daemon
+ * Default socket path for the daemon (cross-platform)
  */
 export function getDefaultSocketPath() {
-    return `/tmp/lsh-job-daemon-${process.env.USER || 'user'}.sock`;
+    const platformPaths = getPlatformPaths('lsh');
+    return platformPaths.socketPath;
 }
 /**
- * Get default user ID
+ * Get default user ID (cross-platform)
  */
 export function getDefaultUserId() {
-    return process.env.USER || 'user';
+    const platformPaths = getPlatformPaths('lsh');
+    return platformPaths.user;
 }
 /**
  * Execute an operation with a daemon client, handling all connection boilerplate

package/dist/lib/daemon-client.js

@@ -7,6 +7,7 @@ import * as fs from 'fs';
 import { EventEmitter } from 'events';
 import DatabasePersistence from './database-persistence.js';
 import { createLogger } from './logger.js';
+import { getPlatformPaths } from './platform-utils.js';
 export class DaemonClient extends EventEmitter {
     socketPath;
     socket;
@@ -19,8 +20,14 @@ export class DaemonClient extends EventEmitter {
     logger = createLogger('DaemonClient');
     constructor(socketPath, userId) {
         super();
-        // Use user-specific socket path if not provided
-        this.socketPath = socketPath || `/tmp/lsh-job-daemon-${process.env.USER || 'default'}.sock`;
+        // Use cross-platform socket path if not provided
+        if (!socketPath) {
+            const platformPaths = getPlatformPaths('lsh');
+            this.socketPath = platformPaths.socketPath;
+        }
+        else {
+            this.socketPath = socketPath;
+        }
         this.userId = userId;
         this.sessionId = `lsh_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
         if (userId) {

package/dist/lib/format-utils.js

@@ -0,0 +1,163 @@
+/**
+ * Format Utilities for Secret Export
+ * Supports multiple output formats: env, json, yaml, toml, export
+ */
+import yaml from 'js-yaml';
+/**
+ * Mask a secret value showing only first 3 and last 3 characters
+ */
+export function maskSecret(value) {
+    if (value.length <= 6) {
+        return '***';
+    }
+    return `${value.slice(0, 3)}***${value.slice(-3)}`;
+}
+/**
+ * Apply masking to secrets array
+ */
+export function maskSecrets(secrets) {
+    return secrets.map(({ key, value }) => ({
+        key,
+        value: maskSecret(value),
+    }));
+}
+/**
+ * Detect namespaces from key prefixes for TOML grouping
+ * E.g., DATABASE_URL, DATABASE_PORT -> namespace: "database"
+ */
+export function detectNamespaces(secrets) {
+    const namespaces = new Map();
+    const ungrouped = [];
+    // Common prefixes to detect
+    const prefixPattern = /^([A-Z][A-Z0-9]*?)_(.+)$/;
+    for (const secret of secrets) {
+        const match = secret.key.match(prefixPattern);
+        if (match) {
+            const [, prefix, remainder] = match;
+            const namespace = prefix.toLowerCase();
+            // Only create namespace if we have multiple keys with same prefix
+            if (!namespaces.has(namespace)) {
+                namespaces.set(namespace, []);
+            }
+            namespaces.get(namespace).push({
+                key: remainder,
+                value: secret.value,
+            });
+        }
+        else {
+            ungrouped.push(secret);
+        }
+    }
+    // Filter out single-item namespaces (not worth grouping)
+    const filtered = new Map();
+    for (const [ns, entries] of namespaces.entries()) {
+        if (entries.length > 1) {
+            filtered.set(ns, entries);
+        }
+        else {
+            // Move single-entry namespaces back to ungrouped
+            ungrouped.push({
+                key: `${ns.toUpperCase()}_${entries[0].key}`,
+                value: entries[0].value,
+            });
+        }
+    }
+    // Add ungrouped as special namespace if exists
+    if (ungrouped.length > 0) {
+        filtered.set('_root', ungrouped);
+    }
+    return filtered;
+}
+/**
+ * Format secrets as .env file (KEY=value)
+ */
+export function formatAsEnv(secrets) {
+    return secrets.map(({ key, value }) => `${key}=${value}`).join('\n');
+}
+/**
+ * Format secrets as JSON object
+ */
+export function formatAsJSON(secrets) {
+    const obj = {};
+    for (const { key, value } of secrets) {
+        obj[key] = value;
+    }
+    return JSON.stringify(obj, null, 2);
+}
+/**
+ * Format secrets as YAML
+ */
+export function formatAsYAML(secrets) {
+    const obj = {};
+    for (const { key, value } of secrets) {
+        obj[key] = value;
+    }
+    return yaml.dump(obj, {
+        lineWidth: -1, // Don't wrap long lines
+        noRefs: true,
+    });
+}
+/**
+ * Format secrets as TOML with namespace detection
+ */
+export function formatAsTOML(secrets) {
+    const namespaces = detectNamespaces(secrets);
+    const lines = [];
+    // Process root (ungrouped) keys first
+    if (namespaces.has('_root')) {
+        const rootEntries = namespaces.get('_root');
+        for (const { key, value } of rootEntries) {
+            lines.push(`${key} = ${JSON.stringify(value)}`);
+        }
+        namespaces.delete('_root');
+    }
+    // Process namespaced keys
+    for (const [namespace, entries] of namespaces.entries()) {
+        if (lines.length > 0) {
+            lines.push(''); // Blank line before section
+        }
+        lines.push(`[${namespace}]`);
+        for (const { key, value } of entries) {
+            lines.push(`${key} = ${JSON.stringify(value)}`);
+        }
+    }
+    return lines.join('\n');
+}
+/**
+ * Format secrets as shell export statements
+ */
+export function formatAsExport(secrets) {
+    return secrets
+        .map(({ key, value }) => {
+        // Escape single quotes in value
+        const escapedValue = value.replace(/'/g, "'\\''");
+        return `export ${key}='${escapedValue}'`;
+    })
+        .join('\n');
+}
+/**
+ * Format secrets based on specified format
+ *
+ * @param secrets - Array of secret entries
+ * @param format - Output format
+ * @param mask - Whether to mask values (auto-disabled for structured formats unless explicitly set)
+ */
+export function formatSecrets(secrets, format, mask) {
+    // Auto-disable masking for structured formats unless explicitly set to true
+    const shouldMask = mask ?? (format === 'env');
+    const secretsToFormat = shouldMask ? maskSecrets(secrets) : secrets;
+    switch (format) {
+        case 'env':
+            return formatAsEnv(secretsToFormat);
+        case 'json':
+            return formatAsJSON(secretsToFormat);
+        case 'yaml':
+            return formatAsYAML(secretsToFormat);
+        case 'toml':
+            return formatAsTOML(secretsToFormat);
+        case 'export':
+            return formatAsExport(secretsToFormat);
+        default:
+            throw new Error(`Unsupported format: ${format}`);
+    }
+}

package/dist/lib/fuzzy-match.js

@@ -0,0 +1,123 @@
+/**
+ * Fuzzy matching utilities for secret keys
+ */
+/**
+ * Normalize a string for fuzzy matching by removing spaces and special chars
+ */
+function normalizeForMatching(str) {
+    // Remove spaces, hyphens, and convert to lowercase
+    return str.toLowerCase().replace(/[\s-]/g, '');
+}
+/**
+ * Calculate fuzzy match score between search string and key
+ * Returns a score where higher is better, or -1 if no match
+ *
+ * Supports space-separated searches:
+ *  - "stripe api" matches "STRIPE_API_KEY"
+ *  - "stripe secret" matches "STRIPE_SECRET_KEY"
+ */
+export function calculateMatchScore(searchTerm, key) {
+    // Empty search term matches nothing
+    if (!searchTerm || searchTerm.trim() === '') {
+        return -1;
+    }
+    const searchLower = searchTerm.toLowerCase();
+    const keyLower = key.toLowerCase();
+    // Normalize both for space-insensitive matching
+    const searchNormalized = normalizeForMatching(searchTerm);
+    const keyNormalized = normalizeForMatching(key);
+    // Exact match (case sensitive) - highest priority
+    if (searchTerm === key) {
+        return 1100;
+    }
+    // Exact match (case insensitive)
+    if (searchLower === keyLower || searchNormalized === keyNormalized) {
+        return 1000;
+    }
+    // Key starts with search term (case sensitive)
+    if (key.startsWith(searchTerm)) {
+        return 950;
+    }
+    // Key starts with search term (case insensitive, normalized)
+    if (keyLower.startsWith(searchLower) || keyNormalized.startsWith(searchNormalized)) {
+        return 900;
+    }
+    // Check if search with spaces can match multiple words in key
+    // e.g., "stripe api" should match "STRIPE_API_KEY"
+    // Only do multi-word matching if user provided spaces (not underscores)
+    const hasSpaces = /\s/.test(searchTerm);
+    if (hasSpaces) {
+        const searchWords = searchTerm.toLowerCase().split(/[\s_-]+/).filter(w => w.length > 0);
+        const keyWords = key.toLowerCase().split(/[_-]/).filter(w => w.length > 0);
+        if (searchWords.length > 1) {
+            // Try to match all search words in order within key words
+            let matchCount = 0;
+            let lastMatchIndex = -1;
+            for (const searchWord of searchWords) {
+                let found = false;
+                for (let i = lastMatchIndex + 1; i < keyWords.length; i++) {
+                    if (keyWords[i].startsWith(searchWord) || keyWords[i].includes(searchWord)) {
+                        matchCount++;
+                        lastMatchIndex = i;
+                        found = true;
+                        break;
+                    }
+                }
+                if (!found) {
+                    break; // If any word doesn't match, stop
+                }
+            }
+            // If all search words matched, score based on how many matched
+            if (matchCount === searchWords.length) {
+                // Perfect multi-word match - higher than substring matches
+                return 850 - (lastMatchIndex * 10); // Earlier matches score higher
+            }
+            else if (matchCount > 0) {
+                // Partial multi-word match
+                return 300 + (matchCount * 50);
+            }
+        }
+    }
+    // Key contains search term (case insensitive, normalized)
+    // Only apply this for single-word searches (no spaces)
+    if (!hasSpaces && (keyLower.includes(searchLower) || keyNormalized.includes(searchNormalized))) {
+        // Score based on position (earlier is better)
+        const position = keyNormalized.indexOf(searchNormalized);
+        const relativePosition = position / keyNormalized.length;
+        return 500 - (relativePosition * 100);
+    }
+    // Substring match with underscores/boundaries
+    // e.g., "stripe" matches "STRIPE_API_KEY" or "MY_STRIPE_SECRET"
+    const words = keyLower.split('_');
+    for (let i = 0; i < words.length; i++) {
+        if (words[i].startsWith(searchLower)) {
+            // Earlier words get higher scores
+            return 700 - (i * 50);
+        }
+        if (words[i].includes(searchLower)) {
+            return 400 - (i * 50);
+        }
+    }
+    // No match
+    return -1;
+}
+/**
+ * Find fuzzy matches for a search term in a list of key-value pairs
+ * Returns matches sorted by relevance (best match first)
+ */
+export function findFuzzyMatches(searchTerm, secrets) {
+    const results = [];
+    for (const secret of secrets) {
+        const score = calculateMatchScore(searchTerm, secret.key);
+        if (score >= 0) {
+            results.push({
+                key: secret.key,
+                value: secret.value,
+                score,
+            });
+        }
+    }
+    // Sort by score (descending - best match first)
+    results.sort((a, b) => b.score - a.score);
+    return results;
+}

package/dist/lib/job-manager.js

@@ -367,7 +367,8 @@ export class JobManager extends BaseJobManager {
                 const { process: _process, timer: _timer, ...serializable } = job;
                 return serializable;
             });
-            fs.writeFileSync(this.persistenceFile, JSON.stringify(jobs, null, 2));
+            // Write with secure permissions (mode 0o600 = rw-------)
+            fs.writeFileSync(this.persistenceFile, JSON.stringify(jobs, null, 2), { mode: 0o600 });
         }
         catch (error) {
             this.logger.error('Failed to persist jobs', error);