lsh-framework 2.3.2 → 3.1.0

package/dist/cli.js

@@ -47,7 +47,7 @@ program
 program
     .option('-v, --verbose', 'Verbose output')
     .option('-d, --debug', 'Debug mode')
-    .action(async (options) => {
+    .action(async (_options) => {
     // No arguments - show secrets-focused help
     console.log('LSH - Encrypted Secrets Manager');
     console.log('');

package/dist/commands/doctor.js

@@ -263,7 +263,7 @@ async function testSupabaseConnection(url, key, verbose) {
 /**
  * Check if in git repository
  */
-async function checkGitRepository(verbose) {
+async function checkGitRepository(_verbose) {
     try {
         const gitPath = path.join(process.cwd(), '.git');
         // Use stat instead of access to avoid TOCTOU race condition

package/dist/commands/init.js

@@ -204,7 +204,7 @@ async function checkExistingConfig() {
 /**
  * Pull secrets after init is complete
  */
-async function pullSecretsAfterInit(encryptionKey, repoName) {
+async function pullSecretsAfterInit(_encryptionKey, _repoName) {
     const spinner = ora('Pulling secrets from cloud...').start();
     try {
         // Dynamically import SecretsManager to avoid circular dependencies
@@ -399,7 +399,7 @@ async function configurePostgres(config, skipTest) {
 /**
  * Configure local-only mode
  */
-async function configureLocal(config) {
+async function configureLocal(_config) {
     console.log(chalk.cyan('\n💾 Local Encryption Mode'));
     console.log(chalk.gray('Secrets will be encrypted locally. No cloud sync available.'));
     console.log('');

package/dist/commands/self.js

@@ -127,7 +127,6 @@ async function checkCIStatus(_version) {
                         const ghData = JSON.parse(data);
                         const runs = ghData.workflow_runs || [];
                         // Find the most recent workflow run for main branch
-                        // eslint-disable-next-line @typescript-eslint/no-explicit-any
                         const mainRuns = runs.filter((run) => run.head_branch === 'main' && run.status === 'completed');
                         if (mainRuns.length > 0) {
                             const latestRun = mainRuns[0];

package/dist/constants/validation.js

@@ -87,6 +87,8 @@ export const DANGEROUS_PATTERNS = [
         riskLevel: RISK_LEVELS.MEDIUM,
     },
     {
+        // Detect null byte injection attacks (legitimate security pattern)
+        // eslint-disable-next-line no-control-regex
         pattern: /\x00/i,
         description: ERRORS.NULL_BYTE,
         riskLevel: RISK_LEVELS.HIGH,

package/dist/daemon/lshd.js

@@ -108,13 +108,15 @@ export class LSHJobDaemon extends EventEmitter {
             await fs.promises.unlink(this.config.pidFile);
         }
         catch (_error) {
-            // Ignore if file doesn\'t exist
+            // Ignore if file doesn't exist
         }
-        // Close log stream
+        // Log before closing stream
+        this.log('INFO', 'Daemon stopped');
+        // Close log stream AFTER logging
         if (this.logStream) {
             this.logStream.end();
+            this.logStream = undefined;
         }
-        this.log('INFO', 'Daemon stopped');
         this.emit('stopped');
     }
     /**
@@ -729,8 +731,23 @@ export class LSHJobDaemon extends EventEmitter {
 }
 // Module-level logger for CLI operations
 const cliLogger = createLogger('LSHDaemonCLI');
+// Helper to check if this module is run directly (ESM-compatible)
+// Uses indirect eval to avoid parse-time errors in CommonJS/Jest environments
+const isMainModule = () => {
+    try {
+        // Use Function constructor to avoid parse-time errors with import.meta
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
+        const getImportMetaUrl = new Function('return import.meta.url');
+        const metaUrl = getImportMetaUrl();
+        return metaUrl === `file://${process.argv[1]}`;
+    }
+    catch {
+        // Fallback for CommonJS or environments that don't support import.meta
+        return false;
+    }
+};
 // CLI interface for the daemon
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (isMainModule()) {
     const command = process.argv[2];
     const subCommand = process.argv[3];
     const _args = process.argv.slice(4);

package/dist/daemon/saas-api-routes.js

@@ -9,6 +9,7 @@ import { billingService } from '../lib/saas-billing.js';
 import { auditLogger, getIpFromRequest } from '../lib/saas-audit.js';
 import { emailService } from '../lib/saas-email.js';
 import { secretsService } from '../lib/saas-secrets.js';
+import { getErrorMessage, getAuthenticatedUser } from '../lib/saas-types.js'; // eslint-disable-line no-duplicate-imports
 /**
  * Rate Limiters for different endpoint types
  */
@@ -83,7 +84,7 @@ export async function authenticateUser(req, res, next) {
             success: false,
             error: {
                 code: 'UNAUTHORIZED',
-                message: error.message || 'Authentication failed',
+                message: getErrorMessage(error) || 'Authentication failed',
             },
         });
     }
@@ -101,20 +102,26 @@ export async function requireOrganizationMembership(req, res, next) {
                 error: { code: 'INVALID_INPUT', message: 'Organization ID required' },
             });
         }
-        const role = await organizationService.getUserRole(organizationId, req.user.id);
+        if (!req.user) {
+            return res.status(401).json({
+                success: false,
+                error: { code: 'UNAUTHORIZED', message: 'User not authenticated' },
+            });
+        }
+        const role = await organizationService.getUserRole(organizationId, getAuthenticatedUser(req).id);
         if (!role) {
             return res.status(403).json({
                 success: false,
                 error: { code: 'FORBIDDEN', message: 'Not a member of this organization' },
             });
         }
-        req.organizationRole = role;
+        req.organizationId = organizationId;
         next();
     }
     catch (error) {
         return res.status(500).json({
             success: false,
-            error: { code: 'INTERNAL_ERROR', message: error.message },
+            error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
         });
     }
 }
@@ -183,7 +190,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: error.message.includes('ALREADY_EXISTS') ? 'EMAIL_ALREADY_EXISTS' : 'INTERNAL_ERROR', message: error.message },
+                error: { code: getErrorMessage(error).includes('ALREADY_EXISTS') ? 'EMAIL_ALREADY_EXISTS' : 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -215,10 +222,10 @@ export function setupSaaSApiRoutes(app) {
             });
         }
         catch (error) {
-            const statusCode = error.message.includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
+            const statusCode = getErrorMessage(error).includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
             res.status(statusCode).json({
                 success: false,
-                error: { code: error.message || 'INVALID_CREDENTIALS', message: error.message },
+                error: { code: getErrorMessage(error) || 'INVALID_CREDENTIALS', message: getErrorMessage(error) },
             });
         }
     });
@@ -252,7 +259,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INVALID_TOKEN', message: error.message },
+                error: { code: 'INVALID_TOKEN', message: getErrorMessage(error) },
             });
         }
     });
@@ -276,7 +283,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -302,7 +309,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(401).json({
                 success: false,
-                error: { code: 'INVALID_TOKEN', message: error.message },
+                error: { code: 'INVALID_TOKEN', message: getErrorMessage(error) },
             });
         }
     });
@@ -335,7 +342,7 @@ export function setupSaaSApiRoutes(app) {
             const organization = await organizationService.createOrganization({
                 name,
                 slug,
-                ownerId: req.user.id,
+                ownerId: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -345,7 +352,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -372,7 +379,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -391,7 +398,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -402,7 +409,7 @@ export function setupSaaSApiRoutes(app) {
     app.post('/api/v1/organizations/:organizationId/members', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canInvite = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canInviteMembers');
+            const canInvite = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canInviteMembers');
             if (!canInvite) {
                 return res.status(403).json({
                     success: false,
@@ -414,7 +421,7 @@ export function setupSaaSApiRoutes(app) {
                 organizationId: req.params.organizationId,
                 userId,
                 role: role || 'member',
-                invitedBy: req.user.id,
+                invitedBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -424,7 +431,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -449,7 +456,7 @@ export function setupSaaSApiRoutes(app) {
                 name,
                 slug,
                 description,
-            }, req.user.id);
+            }, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: { team },
@@ -458,7 +465,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -477,7 +484,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -505,7 +512,7 @@ export function setupSaaSApiRoutes(app) {
                 description,
                 tags,
                 rotationIntervalDays,
-                createdBy: req.user.id,
+                createdBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -513,10 +520,10 @@ export function setupSaaSApiRoutes(app) {
             });
         }
         catch (error) {
-            const statusCode = error.message.includes('TIER_LIMIT_EXCEEDED') ? 402 : 400;
+            const statusCode = getErrorMessage(error).includes('TIER_LIMIT_EXCEEDED') ? 402 : 400;
             res.status(statusCode).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -541,7 +548,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -574,7 +581,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -590,7 +597,7 @@ export function setupSaaSApiRoutes(app) {
                 description,
                 tags,
                 rotationIntervalDays,
-                updatedBy: req.user.id,
+                updatedBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -600,7 +607,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -610,7 +617,7 @@ export function setupSaaSApiRoutes(app) {
      */
     app.delete('/api/v1/teams/:teamId/secrets/:secretId', writeLimiter, authenticateUser, async (req, res) => {
         try {
-            await secretsService.deleteSecret(req.params.secretId, req.user.id);
+            await secretsService.deleteSecret(req.params.secretId, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: { message: 'Secret deleted successfully' },
@@ -619,7 +626,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -644,7 +651,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -661,7 +668,7 @@ export function setupSaaSApiRoutes(app) {
                     error: { code: 'INVALID_INPUT', message: 'Environment and content required' },
                 });
             }
-            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, req.user.id);
+            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: result,
@@ -670,7 +677,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -684,7 +691,7 @@ export function setupSaaSApiRoutes(app) {
     app.get('/api/v1/organizations/:organizationId/audit-logs', authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canView = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canViewAuditLogs');
+            const canView = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canViewAuditLogs');
             if (!canView) {
                 return res.status(403).json({
                     success: false,
@@ -709,7 +716,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -723,7 +730,7 @@ export function setupSaaSApiRoutes(app) {
     app.post('/api/v1/organizations/:organizationId/billing/checkout', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canManage = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canManageBilling');
+            const canManage = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canManageBilling');
             if (!canManage) {
                 return res.status(403).json({
                     success: false,
@@ -754,7 +761,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -771,7 +778,7 @@ export function setupSaaSApiRoutes(app) {
         }
         catch (error) {
             console.error('Webhook error:', error);
-            res.status(400).json({ error: error.message });
+            res.status(400).json({ error: getErrorMessage(error) });
         }
     });
     console.log('✅ SaaS API routes registered');

package/dist/daemon/saas-api-server.js

@@ -6,6 +6,7 @@ import express from 'express';
 import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { setupSaaSApiRoutes } from './saas-api-routes.js';
+import { getErrorMessage } from '../lib/saas-types.js';
 /**
  * SaaS API Server
  */
@@ -123,19 +124,22 @@ export class SaaSApiServer {
      */
     setupErrorHandlers() {
         // Global error handler
-        this.app.use((err, req, res, _next) => {
+        const errorHandler = (err, _req, res, _next) => {
             console.error('API Error:', err);
             // Don't leak error details in production
             const isDev = process.env.NODE_ENV !== 'production';
-            res.status(err.status || 500).json({
+            const statusCode = err.status || 500;
+            const errorCode = err.code || 'INTERNAL_ERROR';
+            res.status(statusCode).json({
                 success: false,
                 error: {
-                    code: err.code || 'INTERNAL_ERROR',
-                    message: isDev ? err.message : 'Internal server error',
+                    code: errorCode,
+                    message: isDev ? getErrorMessage(err) : 'Internal server error',
                     details: isDev ? err.stack : undefined,
                 },
             });
-        });
+        };
+        this.app.use(errorHandler);
     }
     /**
      * Start the server

package/dist/lib/cron-job-manager.js

@@ -160,6 +160,8 @@ export class CronJobManager extends BaseJobManager {
      */
     async getJobReport(jobId) {
         // Try to get historical data from database if available, otherwise use current job info
+        // Using any[] because getJobHistory returns ShellJob (snake_case properties)
+        // but getJob returns JobSpec (camelCase properties), and this code handles both
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         let jobs = [];
         try {

package/dist/lib/ipfs-secrets-storage.js

@@ -269,13 +269,32 @@ export class IPFSSecretsStorage {
      * Decrypt secrets using AES-256
      */
     decryptSecrets(encryptedData, encryptionKey) {
-        const [ivHex, encrypted] = encryptedData.split(':');
-        const key = crypto.createHash('sha256').update(encryptionKey).digest();
-        const iv = Buffer.from(ivHex, 'hex');
-        const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
-        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-        decrypted += decipher.final('utf8');
-        return JSON.parse(decrypted);
+        try {
+            const [ivHex, encrypted] = encryptedData.split(':');
+            const key = crypto.createHash('sha256').update(encryptionKey).digest();
+            const iv = Buffer.from(ivHex, 'hex');
+            const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
+            let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+            decrypted += decipher.final('utf8');
+            return JSON.parse(decrypted);
+        }
+        catch (error) {
+            const err = error;
+            // Catch crypto errors (bad decrypt, wrong block length) AND JSON parse errors
+            // (wrong key can produce garbage that fails JSON.parse)
+            if (err.message.includes('bad decrypt') ||
+                err.message.includes('wrong final block length') ||
+                err.message.includes('Unexpected token') ||
+                err.message.includes('JSON')) {
+                throw new Error('Decryption failed. This usually means:\n' +
+                    '  1. You need to set LSH_SECRETS_KEY environment variable\n' +
+                    '  2. The key must match the one used during encryption\n' +
+                    '  3. Generate a shared key with: lsh secrets key\n' +
+                    '  4. Add it to your .env: LSH_SECRETS_KEY=<key>\n' +
+                    '\nOriginal error: ' + err.message);
+            }
+            throw error;
+        }
     }
     /**
      * Generate IPFS-compatible CID from content

package/dist/lib/job-manager.js

@@ -292,7 +292,6 @@ export class JobManager extends BaseJobManager {
     /**
      * Get job statistics
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     getJobStats() {
         const jobs = Array.from(this.jobs.values());
         const stats = {

package/dist/lib/lshrc-init.js

@@ -76,7 +76,6 @@ zsh-source${options.importOptions ? ' ' + options.importOptions.join(' ') : ''}
     /**
      * Source .lshrc commands
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async source(_executor) {
         if (!this.exists()) {
             return [];

package/dist/lib/saas-audit.js

@@ -173,6 +173,7 @@ export class AuditLogger {
     /**
      * Map database log to AuditLog type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbLogToLog(dbLog) {
         return {
             id: dbLog.id,
@@ -200,9 +201,11 @@ export const auditLogger = new AuditLogger();
  * Helper function to extract IP from request
  */
 export function getIpFromRequest(req) {
-    return (req.headers['x-forwarded-for']?.split(',')[0].trim() ||
-        req.headers['x-real-ip'] ||
-        req.connection?.remoteAddress ||
+    const forwarded = req.headers['x-forwarded-for'];
+    const forwardedIp = typeof forwarded === 'string' ? forwarded.split(',')[0].trim() : undefined;
+    const realIp = req.headers['x-real-ip'];
+    return (forwardedIp ||
+        (typeof realIp === 'string' ? realIp : undefined) ||
         req.socket?.remoteAddress);
 }
 /**

package/dist/lib/saas-auth.js

@@ -82,7 +82,7 @@ export function verifyToken(token) {
             type: decoded.type,
         };
     }
-    catch (error) {
+    catch (_error) {
         throw new Error('Invalid or expired token');
     }
 }
@@ -320,6 +320,7 @@ export class AuthService {
         if (error) {
             throw new Error(`Failed to get user organizations: ${error.message}`);
         }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB join result
         return (data || []).map((row) => this.mapDbOrgToOrg(row.organizations));
     }
     /**
@@ -337,7 +338,7 @@ export class AuthService {
             return generateToken();
         }
         const resetToken = generateToken();
-        const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+        const _expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour (for future use)
         // Store reset token (we'll need a password_reset_tokens table)
         // For now, just return the token
         return resetToken;
@@ -345,7 +346,7 @@ export class AuthService {
     /**
      * Reset password
      */
-    async resetPassword(token, newPassword) {
+    async resetPassword(_token, _newPassword) {
         // TODO: Implement password reset
         // Need to create password_reset_tokens table
         throw new Error('Not implemented');
@@ -378,6 +379,7 @@ export class AuthService {
     /**
      * Map database user to User type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbUserToUser(dbUser) {
         return {
             id: dbUser.id,
@@ -403,6 +405,7 @@ export class AuthService {
     /**
      * Map database organization to Organization type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbOrgToOrg(dbOrg) {
         return {
             id: dbOrg.id,