lsh-framework 2.3.2 → 3.1.0

package/dist/lib/saas-billing.js

@@ -155,19 +155,21 @@ export class BillingService {
     /**
      * Verify webhook signature
      */
-    verifyWebhookSignature(payload, signature) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe event structure
+    verifyWebhookSignature(payload, _signature) {
         // In production, use Stripe's webhook signature verification
         // For now, just parse the payload
         try {
             return JSON.parse(payload);
         }
-        catch (error) {
+        catch (_error) {
             throw new Error('Invalid webhook payload');
         }
     }
     /**
      * Handle checkout completed
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe checkout session object
     async handleCheckoutCompleted(session) {
         const organizationId = session.metadata?.organization_id;
         if (!organizationId) {
@@ -180,6 +182,7 @@ export class BillingService {
     /**
      * Handle subscription updated
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe subscription object
     async handleSubscriptionUpdated(subscription) {
         const organizationId = subscription.metadata?.organization_id;
         if (!organizationId) {
@@ -233,6 +236,7 @@ export class BillingService {
     /**
      * Handle subscription deleted
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe subscription object
     async handleSubscriptionDeleted(subscription) {
         const organizationId = subscription.metadata?.organization_id;
         if (!organizationId) {
@@ -265,6 +269,7 @@ export class BillingService {
     /**
      * Handle invoice paid
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe invoice object
     async handleInvoicePaid(invoice) {
         const organizationId = invoice.subscription_metadata?.organization_id;
         if (!organizationId) {
@@ -287,6 +292,7 @@ export class BillingService {
     /**
      * Handle invoice payment failed
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe invoice object
     async handleInvoicePaymentFailed(invoice) {
         const organizationId = invoice.subscription_metadata?.organization_id;
         if (!organizationId) {
@@ -353,6 +359,7 @@ export class BillingService {
     /**
      * Map database subscription to Subscription type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbSubscriptionToSubscription(dbSub) {
         return {
             id: dbSub.id,
@@ -377,6 +384,7 @@ export class BillingService {
     /**
      * Map database invoice to Invoice type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbInvoiceToInvoice(dbInvoice) {
         return {
             id: dbInvoice.id,

package/dist/lib/saas-encryption.js

@@ -7,7 +7,7 @@ import { getSupabaseClient } from './supabase-client.js';
 const ALGORITHM = 'aes-256-cbc';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16; // 128 bits
-const SALT_LENGTH = 32;
+const _SALT_LENGTH = 32; // Reserved for future use
 const PBKDF2_ITERATIONS = 100000;
 /**
  * Get master encryption key from environment
@@ -199,6 +199,7 @@ export class EncryptionService {
     /**
      * Map database key to EncryptionKey type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbKeyToKey(dbKey) {
         return {
             id: dbKey.id,

package/dist/lib/saas-organizations.js

@@ -332,6 +332,7 @@ export class OrganizationService {
     /**
      * Map database org to Organization type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbOrgToOrg(dbOrg) {
         return {
             id: dbOrg.id,
@@ -352,6 +353,7 @@ export class OrganizationService {
     /**
      * Map database member to OrganizationMember type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbMemberToMember(dbMember) {
         return {
             id: dbMember.id,
@@ -368,6 +370,7 @@ export class OrganizationService {
     /**
      * Map database member detailed to OrganizationMemberDetailed type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row with joined user data
     mapDbMemberDetailedToMemberDetailed(dbMember) {
         return {
             id: dbMember.id,
@@ -558,6 +561,7 @@ export class TeamService {
     /**
      * Map database team to Team type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbTeamToTeam(dbTeam) {
         return {
             id: dbTeam.id,
@@ -574,6 +578,7 @@ export class TeamService {
     /**
      * Map database team member to TeamMember type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbTeamMemberToTeamMember(dbMember) {
         return {
             id: dbMember.id,

package/dist/lib/saas-secrets.js

@@ -2,6 +2,7 @@
  * LSH SaaS Secrets Management Service
  * Multi-tenant secrets with per-team encryption
  */
+import { getErrorMessage, } from './saas-types.js';
 import { getSupabaseClient } from './supabase-client.js';
 import { encryptionService } from './saas-encryption.js';
 import { auditLogger } from './saas-audit.js';
@@ -216,6 +217,7 @@ export class SecretsService {
         if (error) {
             throw new Error(`Failed to get secrets summary: ${error.message}`);
         }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row from view
         return (data || []).map((row) => ({
             teamId: row.team_id,
             teamName: row.team_name,
@@ -313,7 +315,7 @@ export class SecretsService {
                 }
             }
             catch (error) {
-                errors.push(`${secret.key}: ${error.message}`);
+                errors.push(`${secret.key}: ${getErrorMessage(error)}`);
             }
         }
         return { created, updated, errors };
@@ -351,6 +353,7 @@ export class SecretsService {
     /**
      * Map database secret to Secret type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbSecretToSecret(dbSecret) {
         return {
             id: dbSecret.id,

package/dist/lib/saas-types.js

@@ -106,3 +106,60 @@ export var ErrorCode;
     ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
     ErrorCode["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
 })(ErrorCode || (ErrorCode = {}));
+/**
+ * Helper to safely extract error message
+ */
+export function getErrorMessage(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    if (typeof error === 'string') {
+        return error;
+    }
+    return 'Unknown error occurred';
+}
+/**
+ * Helper to safely extract error for logging
+ */
+export function getErrorDetails(error) {
+    if (error instanceof Error) {
+        return {
+            message: error.message,
+            stack: error.stack,
+            code: error.code,
+        };
+    }
+    return { message: String(error) };
+}
+/**
+ * Helper to get authenticated user from request.
+ * Use after authenticateUser middleware - throws if user not present.
+ */
+export function getAuthenticatedUser(req) {
+    if (!req.user) {
+        throw new Error('User not authenticated');
+    }
+    return req.user;
+}
+/**
+ * Create a standardized API error response
+ */
+export function createErrorResponse(code, message, details) {
+    return {
+        success: false,
+        error: {
+            code,
+            message,
+            details,
+        },
+    };
+}
+/**
+ * Create a standardized API success response
+ */
+export function createSuccessResponse(data) {
+    return {
+        success: true,
+        data,
+    };
+}

package/dist/lib/secrets-manager.js

@@ -14,15 +14,53 @@ export class SecretsManager {
     storage;
     encryptionKey;
     gitInfo;
-    constructor(userId, encryptionKey, detectGit = true) {
+    globalMode;
+    homeDir;
+    constructor(userIdOrOptions, encryptionKey, detectGit) {
         this.storage = new IPFSSecretsStorage();
+        this.homeDir = process.env.HOME || process.env.USERPROFILE || '';
+        // Handle both legacy and new constructor signatures
+        let options;
+        if (typeof userIdOrOptions === 'object') {
+            options = userIdOrOptions;
+        }
+        else {
+            options = {
+                userId: userIdOrOptions,
+                encryptionKey,
+                detectGit: detectGit ?? true,
+                globalMode: false,
+            };
+        }
+        this.globalMode = options.globalMode ?? false;
         // Use provided key or generate from machine ID + user
-        this.encryptionKey = encryptionKey || this.getDefaultEncryptionKey();
-        // Auto-detect git repo context
-        if (detectGit) {
+        this.encryptionKey = options.encryptionKey || this.getDefaultEncryptionKey();
+        // Auto-detect git repo context (skip if in global mode)
+        if (!this.globalMode && (options.detectGit ?? true)) {
             this.gitInfo = getGitRepoInfo();
         }
     }
+    /**
+     * Check if running in global mode
+     */
+    isGlobalMode() {
+        return this.globalMode;
+    }
+    /**
+     * Get the home directory path
+     */
+    getHomeDir() {
+        return this.homeDir;
+    }
+    /**
+     * Resolve file path - in global mode, resolves relative to $HOME
+     */
+    resolveFilePath(filePath) {
+        if (this.globalMode && !path.isAbsolute(filePath)) {
+            return path.join(this.homeDir, filePath);
+        }
+        return filePath;
+    }
     /**
      * Cleanup resources (stop timers, close connections)
      * Call this when done to allow process to exit
@@ -430,8 +468,13 @@ export class SecretsManager {
     /**
      * Get the default environment name based on context
      * v2.0: In git repo, default is repo name; otherwise 'dev'
+     * Global mode: always returns 'dev' (which resolves to 'global' namespace)
      */
     getDefaultEnvironment() {
+        // Global mode uses simple 'dev' which maps to 'global' namespace
+        if (this.globalMode) {
+            return 'dev';
+        }
         // Check for v1 compatibility mode
         if (process.env.LSH_V1_COMPAT === 'true') {
             return 'dev'; // v1.x behavior
@@ -447,11 +490,19 @@ export class SecretsManager {
      * v2.0: Returns environment name with repo context if in a git repo
      *
      * Behavior:
+     * - Global mode: returns 'global' or 'global_env' (e.g., global_staging)
      * - Empty env in repo: returns just repo name (v2.0 default)
      * - Named env in repo: returns repo_env (e.g., repo_staging)
      * - Any env outside repo: returns env as-is
      */
     getRepoAwareEnvironment(environment) {
+        // Global mode uses 'global' namespace
+        if (this.globalMode) {
+            if (environment === '' || environment === 'default' || environment === 'dev') {
+                return 'global';
+            }
+            return `global_${environment}`;
+        }
         if (this.gitInfo?.repoName) {
             // v2.0: Empty environment means "use repo name only"
             if (environment === '' || environment === 'default') {
@@ -610,8 +661,14 @@ LSH_SECRETS_KEY=${this.encryptionKey}
             // In load mode, suppress all output except the final export commands
             const out = loadMode ? () => { } : console.log;
             out(`\n🔍 Smart sync for: ${displayEnv}\n`);
-            // Show git repo context if detected
-            if (this.gitInfo?.isGitRepo) {
+            // Show workspace context
+            if (this.globalMode) {
+                out('🌐 Global Workspace:');
+                out(`   Location: ${this.homeDir}`);
+                out(`   Namespace: global`);
+                out();
+            }
+            else if (this.gitInfo?.isGitRepo) {
                 out('📁 Git Repository:');
                 out(`   Repo: ${this.gitInfo.repoName || 'unknown'}`);
                 if (this.gitInfo.currentBranch) {

package/dist/lib/supabase-client.js

@@ -4,7 +4,6 @@
  */
 import { createClient } from '@supabase/supabase-js';
 export class SupabaseClient {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     client;
     config;
     constructor(config) {
@@ -32,7 +31,7 @@ export class SupabaseClient {
      */
     async testConnection() {
         try {
-            const { _data, error } = await this.client
+            const { error } = await this.client
                 .from('shell_history')
                 .select('count')
                 .limit(1);

package/dist/services/secrets/secrets.js

@@ -14,13 +14,16 @@ export async function init_secrets(program) {
         .description('Push local .env to encrypted cloud storage')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name (dev/staging/prod)', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--force', 'Force push even if destructive changes detected')
         .action(async (options) => {
-        const manager = new SecretsManager();
+        const manager = new SecretsManager({ globalMode: options.global });
         try {
+            // Resolve file path (handles global mode)
+            const filePath = manager.resolveFilePath(options.file);
             // v2.0: Use context-aware default environment
             const env = options.env === 'dev' ? manager.getDefaultEnvironment() : options.env;
-            await manager.push(options.file, env, options.force);
+            await manager.push(filePath, env, options.force);
         }
         catch (error) {
             const err = error;
@@ -38,13 +41,16 @@ export async function init_secrets(program) {
         .description('Pull .env from encrypted cloud storage')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name (dev/staging/prod)', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--force', 'Overwrite without creating backup')
         .action(async (options) => {
-        const manager = new SecretsManager();
+        const manager = new SecretsManager({ globalMode: options.global });
         try {
+            // Resolve file path (handles global mode)
+            const filePath = manager.resolveFilePath(options.file);
             // v2.0: Use context-aware default environment
             const env = options.env === 'dev' ? manager.getDefaultEnvironment() : options.env;
-            await manager.pull(options.file, env, options.force);
+            await manager.pull(filePath, env, options.force);
         }
         catch (error) {
             const err = error;
@@ -62,12 +68,14 @@ export async function init_secrets(program) {
         .alias('ls')
         .description('List secrets in the current local .env file')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--keys-only', 'Show only keys, not values')
         .option('--format <type>', 'Output format: env, json, yaml, toml, export', 'env')
         .option('--no-mask', 'Show full values (default: auto based on format)')
         .action(async (options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             if (!fs.existsSync(envPath)) {
                 console.error(`❌ File not found: ${envPath}`);
                 console.log('💡 Tip: Pull from cloud with: lsh pull --env <environment>');
@@ -138,11 +146,12 @@ export async function init_secrets(program) {
     program
         .command('env [environment]')
         .description('List all stored environments or show secrets for specific environment')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--all-files', 'List all tracked .env files across environments')
         .option('--format <type>', 'Output format: env, json, yaml, toml, export', 'env')
         .action(async (environment, options) => {
         try {
-            const manager = new SecretsManager();
+            const manager = new SecretsManager({ globalMode: options.global });
             // If --all-files flag is set, list all tracked files
             if (options.allFiles) {
                 const files = await manager.listAllFiles();
@@ -269,23 +278,26 @@ API_KEY=
         .description('Automatically set up and synchronize secrets (smart mode)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--dry-run', 'Show what would be done without executing')
         .option('--legacy', 'Use legacy sync mode (suggestions only)')
         .option('--load', 'Output eval-able export commands for loading secrets')
         .option('--force', 'Force sync even if destructive changes detected')
         .option('--force-rekey', 'Re-encrypt cloud secrets with current local key (use when key mismatch)')
         .action(async (options) => {
-        const manager = new SecretsManager();
+        const manager = new SecretsManager({ globalMode: options.global });
         try {
+            // Resolve file path (handles global mode)
+            const filePath = manager.resolveFilePath(options.file);
             // v2.0: Use context-aware default environment
             const env = options.env === 'dev' ? manager.getDefaultEnvironment() : options.env;
             if (options.legacy) {
                 // Use legacy sync (suggestions only)
-                await manager.sync(options.file, env);
+                await manager.sync(filePath, env);
             }
             else {
                 // Use new smart sync (auto-execute)
-                await manager.smartSync(options.file, env, !options.dryRun, options.load, options.force, options.forceRekey);
+                await manager.smartSync(filePath, env, !options.dryRun, options.load, options.force, options.forceRekey);
             }
         }
         catch (error) {
@@ -304,10 +316,12 @@ API_KEY=
         .description('Get detailed secrets status (JSON output)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .action(async (options) => {
         try {
-            const manager = new SecretsManager();
-            const status = await manager.status(options.file, options.env);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const filePath = manager.resolveFilePath(options.file);
+            const status = await manager.status(filePath, options.env);
             console.log(JSON.stringify(status, null, 2));
         }
         catch (error) {
@@ -322,14 +336,20 @@ API_KEY=
         .description('Show current directory context and tracked environment')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .action(async (options) => {
         try {
-            const gitInfo = getGitRepoInfo();
-            const manager = new SecretsManager();
-            const envPath = path.resolve(options.file);
+            const gitInfo = options.global ? null : getGitRepoInfo();
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             console.log('\n📍 Current Directory Context\n');
-            // Git Repository Info
-            if (gitInfo.isGitRepo) {
+            // Workspace Info
+            if (options.global) {
+                console.log('🌐 Global Workspace:');
+                console.log(`   Location: ${manager.getHomeDir()}`);
+                console.log('   Mode: Global (not repo-specific)');
+            }
+            else if (gitInfo?.isGitRepo) {
                 console.log('📁 Git Repository:');
                 console.log(`   Root: ${gitInfo.rootPath || 'unknown'}`);
                 console.log(`   Name: ${gitInfo.repoName || 'unknown'}`);
@@ -347,12 +367,22 @@ API_KEY=
             // Environment Tracking
             console.log('🔐 Environment Tracking:');
             // Show the effective environment name used for cloud storage
-            const effectiveEnv = gitInfo.repoName
-                ? `${gitInfo.repoName}_${options.env}`
-                : options.env;
+            let effectiveEnv;
+            if (options.global) {
+                effectiveEnv = options.env === 'dev' ? 'global' : `global_${options.env}`;
+            }
+            else {
+                effectiveEnv = gitInfo?.repoName
+                    ? `${gitInfo.repoName}_${options.env}`
+                    : options.env;
+            }
             console.log(`   Base environment: ${options.env}`);
             console.log(`   Cloud storage name: ${effectiveEnv}`);
-            if (gitInfo.repoName) {
+            if (options.global) {
+                console.log('   Namespace: global');
+                console.log('   ℹ️  Global workspace mode enabled');
+            }
+            else if (gitInfo?.repoName) {
                 console.log(`   Namespace: ${gitInfo.repoName}`);
                 console.log('   ℹ️  Repo-based isolation enabled');
             }
@@ -420,13 +450,15 @@ API_KEY=
         .command('get [key]')
         .description('Get a specific secret value from .env file, or all secrets with --all')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--all', 'Get all secrets from the file')
         .option('--export', 'Output in export format for shell evaluation (alias for --format export)')
         .option('--format <type>', 'Output format: env, json, yaml, toml, export', 'env')
         .option('--exact', 'Require exact key match (disable fuzzy matching)')
         .action(async (key, options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             if (!fs.existsSync(envPath)) {
                 console.error(`❌ File not found: ${envPath}`);
                 process.exit(1);
@@ -535,10 +567,12 @@ API_KEY=
         .command('set [key] [value]')
         .description('Set a specific secret value in .env file, or batch upsert from stdin (KEY=VALUE format)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--stdin', 'Read KEY=VALUE pairs from stdin (one per line)')
         .action(async (key, value, options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             // Check if we should read from stdin
             const isStdin = options.stdin || (!key && !value);
             if (isStdin) {
@@ -792,10 +826,12 @@ API_KEY=
         .command('delete')
         .description('Delete .env file (requires confirmation)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('-y, --yes', 'Skip confirmation prompt')
         .action(async (options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             // Check if file exists
             if (!fs.existsSync(envPath)) {
                 console.log(`❌ File not found: ${envPath}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "2.3.2",
+  "version": "3.1.0",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {
@@ -18,7 +18,8 @@
     "build": "tsc",
     "watch": "tsc --watch",
     "test": "node --experimental-vm-modules ./node_modules/.bin/jest",
-    "test:coverage": "node --experimental-vm-modules ./node_modules/.bin/jest --coverage",
+    "test:ci": "node --experimental-vm-modules ./node_modules/.bin/jest --runInBand",
+    "test:coverage": "node --experimental-vm-modules ./node_modules/.bin/jest --coverage --runInBand",
     "clean": "rm -rf ./build; rm -rf ./bin; rm -rf ./dist",
     "lint": "eslint src --ext .js,.ts,.tsx",
     "lint:fix": "eslint src --ext .js,.ts,.tsx --fix",