lsh-framework 3.0.0 → 3.1.0

package/dist/cli.js

@@ -47,7 +47,7 @@ program
 program
     .option('-v, --verbose', 'Verbose output')
     .option('-d, --debug', 'Debug mode')
-    .action(async (options) => {
+    .action(async (_options) => {
     // No arguments - show secrets-focused help
     console.log('LSH - Encrypted Secrets Manager');
     console.log('');

package/dist/commands/doctor.js

@@ -263,7 +263,7 @@ async function testSupabaseConnection(url, key, verbose) {
 /**
  * Check if in git repository
  */
-async function checkGitRepository(verbose) {
+async function checkGitRepository(_verbose) {
     try {
         const gitPath = path.join(process.cwd(), '.git');
         // Use stat instead of access to avoid TOCTOU race condition

package/dist/commands/init.js

@@ -204,7 +204,7 @@ async function checkExistingConfig() {
 /**
  * Pull secrets after init is complete
  */
-async function pullSecretsAfterInit(encryptionKey, repoName) {
+async function pullSecretsAfterInit(_encryptionKey, _repoName) {
     const spinner = ora('Pulling secrets from cloud...').start();
     try {
         // Dynamically import SecretsManager to avoid circular dependencies
@@ -399,7 +399,7 @@ async function configurePostgres(config, skipTest) {
 /**
  * Configure local-only mode
  */
-async function configureLocal(config) {
+async function configureLocal(_config) {
     console.log(chalk.cyan('\n💾 Local Encryption Mode'));
     console.log(chalk.gray('Secrets will be encrypted locally. No cloud sync available.'));
     console.log('');

package/dist/commands/self.js

@@ -127,7 +127,6 @@ async function checkCIStatus(_version) {
                         const ghData = JSON.parse(data);
                         const runs = ghData.workflow_runs || [];
                         // Find the most recent workflow run for main branch
-                        // eslint-disable-next-line @typescript-eslint/no-explicit-any
                         const mainRuns = runs.filter((run) => run.head_branch === 'main' && run.status === 'completed');
                         if (mainRuns.length > 0) {
                             const latestRun = mainRuns[0];

package/dist/constants/validation.js

@@ -87,6 +87,8 @@ export const DANGEROUS_PATTERNS = [
         riskLevel: RISK_LEVELS.MEDIUM,
     },
     {
+        // Detect null byte injection attacks (legitimate security pattern)
+        // eslint-disable-next-line no-control-regex
         pattern: /\x00/i,
         description: ERRORS.NULL_BYTE,
         riskLevel: RISK_LEVELS.HIGH,

package/dist/daemon/lshd.js

@@ -108,13 +108,15 @@ export class LSHJobDaemon extends EventEmitter {
             await fs.promises.unlink(this.config.pidFile);
         }
         catch (_error) {
-            // Ignore if file doesn\'t exist
+            // Ignore if file doesn't exist
         }
-        // Close log stream
+        // Log before closing stream
+        this.log('INFO', 'Daemon stopped');
+        // Close log stream AFTER logging
         if (this.logStream) {
             this.logStream.end();
+            this.logStream = undefined;
         }
-        this.log('INFO', 'Daemon stopped');
         this.emit('stopped');
     }
     /**
@@ -729,8 +731,23 @@ export class LSHJobDaemon extends EventEmitter {
 }
 // Module-level logger for CLI operations
 const cliLogger = createLogger('LSHDaemonCLI');
+// Helper to check if this module is run directly (ESM-compatible)
+// Uses indirect eval to avoid parse-time errors in CommonJS/Jest environments
+const isMainModule = () => {
+    try {
+        // Use Function constructor to avoid parse-time errors with import.meta
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
+        const getImportMetaUrl = new Function('return import.meta.url');
+        const metaUrl = getImportMetaUrl();
+        return metaUrl === `file://${process.argv[1]}`;
+    }
+    catch {
+        // Fallback for CommonJS or environments that don't support import.meta
+        return false;
+    }
+};
 // CLI interface for the daemon
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (isMainModule()) {
     const command = process.argv[2];
     const subCommand = process.argv[3];
     const _args = process.argv.slice(4);

package/dist/daemon/saas-api-routes.js

@@ -9,6 +9,7 @@ import { billingService } from '../lib/saas-billing.js';
 import { auditLogger, getIpFromRequest } from '../lib/saas-audit.js';
 import { emailService } from '../lib/saas-email.js';
 import { secretsService } from '../lib/saas-secrets.js';
+import { getErrorMessage, getAuthenticatedUser } from '../lib/saas-types.js'; // eslint-disable-line no-duplicate-imports
 /**
  * Rate Limiters for different endpoint types
  */
@@ -83,7 +84,7 @@ export async function authenticateUser(req, res, next) {
             success: false,
             error: {
                 code: 'UNAUTHORIZED',
-                message: error.message || 'Authentication failed',
+                message: getErrorMessage(error) || 'Authentication failed',
             },
         });
     }
@@ -101,20 +102,26 @@ export async function requireOrganizationMembership(req, res, next) {
                 error: { code: 'INVALID_INPUT', message: 'Organization ID required' },
             });
         }
-        const role = await organizationService.getUserRole(organizationId, req.user.id);
+        if (!req.user) {
+            return res.status(401).json({
+                success: false,
+                error: { code: 'UNAUTHORIZED', message: 'User not authenticated' },
+            });
+        }
+        const role = await organizationService.getUserRole(organizationId, getAuthenticatedUser(req).id);
         if (!role) {
             return res.status(403).json({
                 success: false,
                 error: { code: 'FORBIDDEN', message: 'Not a member of this organization' },
             });
         }
-        req.organizationRole = role;
+        req.organizationId = organizationId;
         next();
     }
     catch (error) {
         return res.status(500).json({
             success: false,
-            error: { code: 'INTERNAL_ERROR', message: error.message },
+            error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
         });
     }
 }
@@ -183,7 +190,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: error.message.includes('ALREADY_EXISTS') ? 'EMAIL_ALREADY_EXISTS' : 'INTERNAL_ERROR', message: error.message },
+                error: { code: getErrorMessage(error).includes('ALREADY_EXISTS') ? 'EMAIL_ALREADY_EXISTS' : 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -215,10 +222,10 @@ export function setupSaaSApiRoutes(app) {
             });
         }
         catch (error) {
-            const statusCode = error.message.includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
+            const statusCode = getErrorMessage(error).includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
             res.status(statusCode).json({
                 success: false,
-                error: { code: error.message || 'INVALID_CREDENTIALS', message: error.message },
+                error: { code: getErrorMessage(error) || 'INVALID_CREDENTIALS', message: getErrorMessage(error) },
             });
         }
     });
@@ -252,7 +259,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INVALID_TOKEN', message: error.message },
+                error: { code: 'INVALID_TOKEN', message: getErrorMessage(error) },
             });
         }
     });
@@ -276,7 +283,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -302,7 +309,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(401).json({
                 success: false,
-                error: { code: 'INVALID_TOKEN', message: error.message },
+                error: { code: 'INVALID_TOKEN', message: getErrorMessage(error) },
             });
         }
     });
@@ -335,7 +342,7 @@ export function setupSaaSApiRoutes(app) {
             const organization = await organizationService.createOrganization({
                 name,
                 slug,
-                ownerId: req.user.id,
+                ownerId: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -345,7 +352,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -372,7 +379,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -391,7 +398,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -402,7 +409,7 @@ export function setupSaaSApiRoutes(app) {
     app.post('/api/v1/organizations/:organizationId/members', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canInvite = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canInviteMembers');
+            const canInvite = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canInviteMembers');
             if (!canInvite) {
                 return res.status(403).json({
                     success: false,
@@ -414,7 +421,7 @@ export function setupSaaSApiRoutes(app) {
                 organizationId: req.params.organizationId,
                 userId,
                 role: role || 'member',
-                invitedBy: req.user.id,
+                invitedBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -424,7 +431,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -449,7 +456,7 @@ export function setupSaaSApiRoutes(app) {
                 name,
                 slug,
                 description,
-            }, req.user.id);
+            }, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: { team },
@@ -458,7 +465,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -477,7 +484,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -505,7 +512,7 @@ export function setupSaaSApiRoutes(app) {
                 description,
                 tags,
                 rotationIntervalDays,
-                createdBy: req.user.id,
+                createdBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -513,10 +520,10 @@ export function setupSaaSApiRoutes(app) {
             });
         }
         catch (error) {
-            const statusCode = error.message.includes('TIER_LIMIT_EXCEEDED') ? 402 : 400;
+            const statusCode = getErrorMessage(error).includes('TIER_LIMIT_EXCEEDED') ? 402 : 400;
             res.status(statusCode).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -541,7 +548,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -574,7 +581,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -590,7 +597,7 @@ export function setupSaaSApiRoutes(app) {
                 description,
                 tags,
                 rotationIntervalDays,
-                updatedBy: req.user.id,
+                updatedBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -600,7 +607,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -610,7 +617,7 @@ export function setupSaaSApiRoutes(app) {
      */
     app.delete('/api/v1/teams/:teamId/secrets/:secretId', writeLimiter, authenticateUser, async (req, res) => {
         try {
-            await secretsService.deleteSecret(req.params.secretId, req.user.id);
+            await secretsService.deleteSecret(req.params.secretId, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: { message: 'Secret deleted successfully' },
@@ -619,7 +626,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -644,7 +651,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -661,7 +668,7 @@ export function setupSaaSApiRoutes(app) {
                     error: { code: 'INVALID_INPUT', message: 'Environment and content required' },
                 });
             }
-            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, req.user.id);
+            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: result,
@@ -670,7 +677,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -684,7 +691,7 @@ export function setupSaaSApiRoutes(app) {
     app.get('/api/v1/organizations/:organizationId/audit-logs', authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canView = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canViewAuditLogs');
+            const canView = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canViewAuditLogs');
             if (!canView) {
                 return res.status(403).json({
                     success: false,
@@ -709,7 +716,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -723,7 +730,7 @@ export function setupSaaSApiRoutes(app) {
     app.post('/api/v1/organizations/:organizationId/billing/checkout', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canManage = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canManageBilling');
+            const canManage = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canManageBilling');
             if (!canManage) {
                 return res.status(403).json({
                     success: false,
@@ -754,7 +761,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -771,7 +778,7 @@ export function setupSaaSApiRoutes(app) {
         }
         catch (error) {
             console.error('Webhook error:', error);
-            res.status(400).json({ error: error.message });
+            res.status(400).json({ error: getErrorMessage(error) });
         }
     });
     console.log('✅ SaaS API routes registered');

package/dist/daemon/saas-api-server.js

@@ -6,6 +6,7 @@ import express from 'express';
 import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { setupSaaSApiRoutes } from './saas-api-routes.js';
+import { getErrorMessage } from '../lib/saas-types.js';
 /**
  * SaaS API Server
  */
@@ -123,19 +124,22 @@ export class SaaSApiServer {
      */
     setupErrorHandlers() {
         // Global error handler
-        this.app.use((err, req, res, _next) => {
+        const errorHandler = (err, _req, res, _next) => {
             console.error('API Error:', err);
             // Don't leak error details in production
             const isDev = process.env.NODE_ENV !== 'production';
-            res.status(err.status || 500).json({
+            const statusCode = err.status || 500;
+            const errorCode = err.code || 'INTERNAL_ERROR';
+            res.status(statusCode).json({
                 success: false,
                 error: {
-                    code: err.code || 'INTERNAL_ERROR',
-                    message: isDev ? err.message : 'Internal server error',
+                    code: errorCode,
+                    message: isDev ? getErrorMessage(err) : 'Internal server error',
                     details: isDev ? err.stack : undefined,
                 },
             });
-        });
+        };
+        this.app.use(errorHandler);
     }
     /**
      * Start the server

package/dist/lib/cron-job-manager.js

@@ -160,6 +160,8 @@ export class CronJobManager extends BaseJobManager {
      */
     async getJobReport(jobId) {
         // Try to get historical data from database if available, otherwise use current job info
+        // Using any[] because getJobHistory returns ShellJob (snake_case properties)
+        // but getJob returns JobSpec (camelCase properties), and this code handles both
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         let jobs = [];
         try {

package/dist/lib/ipfs-secrets-storage.js

@@ -269,13 +269,32 @@ export class IPFSSecretsStorage {
      * Decrypt secrets using AES-256
      */
     decryptSecrets(encryptedData, encryptionKey) {
-        const [ivHex, encrypted] = encryptedData.split(':');
-        const key = crypto.createHash('sha256').update(encryptionKey).digest();
-        const iv = Buffer.from(ivHex, 'hex');
-        const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
-        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-        decrypted += decipher.final('utf8');
-        return JSON.parse(decrypted);
+        try {
+            const [ivHex, encrypted] = encryptedData.split(':');
+            const key = crypto.createHash('sha256').update(encryptionKey).digest();
+            const iv = Buffer.from(ivHex, 'hex');
+            const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
+            let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+            decrypted += decipher.final('utf8');
+            return JSON.parse(decrypted);
+        }
+        catch (error) {
+            const err = error;
+            // Catch crypto errors (bad decrypt, wrong block length) AND JSON parse errors
+            // (wrong key can produce garbage that fails JSON.parse)
+            if (err.message.includes('bad decrypt') ||
+                err.message.includes('wrong final block length') ||
+                err.message.includes('Unexpected token') ||
+                err.message.includes('JSON')) {
+                throw new Error('Decryption failed. This usually means:\n' +
+                    '  1. You need to set LSH_SECRETS_KEY environment variable\n' +
+                    '  2. The key must match the one used during encryption\n' +
+                    '  3. Generate a shared key with: lsh secrets key\n' +
+                    '  4. Add it to your .env: LSH_SECRETS_KEY=<key>\n' +
+                    '\nOriginal error: ' + err.message);
+            }
+            throw error;
+        }
     }
     /**
      * Generate IPFS-compatible CID from content

package/dist/lib/job-manager.js

@@ -292,7 +292,6 @@ export class JobManager extends BaseJobManager {
     /**
      * Get job statistics
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     getJobStats() {
         const jobs = Array.from(this.jobs.values());
         const stats = {

package/dist/lib/lshrc-init.js

@@ -76,7 +76,6 @@ zsh-source${options.importOptions ? ' ' + options.importOptions.join(' ') : ''}
     /**
      * Source .lshrc commands
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async source(_executor) {
         if (!this.exists()) {
             return [];

package/dist/lib/saas-audit.js

@@ -173,6 +173,7 @@ export class AuditLogger {
     /**
      * Map database log to AuditLog type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbLogToLog(dbLog) {
         return {
             id: dbLog.id,
@@ -200,9 +201,11 @@ export const auditLogger = new AuditLogger();
  * Helper function to extract IP from request
  */
 export function getIpFromRequest(req) {
-    return (req.headers['x-forwarded-for']?.split(',')[0].trim() ||
-        req.headers['x-real-ip'] ||
-        req.connection?.remoteAddress ||
+    const forwarded = req.headers['x-forwarded-for'];
+    const forwardedIp = typeof forwarded === 'string' ? forwarded.split(',')[0].trim() : undefined;
+    const realIp = req.headers['x-real-ip'];
+    return (forwardedIp ||
+        (typeof realIp === 'string' ? realIp : undefined) ||
         req.socket?.remoteAddress);
 }
 /**

package/dist/lib/saas-auth.js

@@ -82,7 +82,7 @@ export function verifyToken(token) {
             type: decoded.type,
         };
     }
-    catch (error) {
+    catch (_error) {
         throw new Error('Invalid or expired token');
     }
 }
@@ -320,6 +320,7 @@ export class AuthService {
         if (error) {
             throw new Error(`Failed to get user organizations: ${error.message}`);
         }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB join result
         return (data || []).map((row) => this.mapDbOrgToOrg(row.organizations));
     }
     /**
@@ -337,7 +338,7 @@ export class AuthService {
             return generateToken();
         }
         const resetToken = generateToken();
-        const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+        const _expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour (for future use)
         // Store reset token (we'll need a password_reset_tokens table)
         // For now, just return the token
         return resetToken;
@@ -345,7 +346,7 @@ export class AuthService {
     /**
      * Reset password
      */
-    async resetPassword(token, newPassword) {
+    async resetPassword(_token, _newPassword) {
         // TODO: Implement password reset
         // Need to create password_reset_tokens table
         throw new Error('Not implemented');
@@ -378,6 +379,7 @@ export class AuthService {
     /**
      * Map database user to User type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbUserToUser(dbUser) {
         return {
             id: dbUser.id,
@@ -403,6 +405,7 @@ export class AuthService {
     /**
      * Map database organization to Organization type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbOrgToOrg(dbOrg) {
         return {
             id: dbOrg.id,

package/dist/lib/saas-billing.js

@@ -155,19 +155,21 @@ export class BillingService {
     /**
      * Verify webhook signature
      */
-    verifyWebhookSignature(payload, signature) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe event structure
+    verifyWebhookSignature(payload, _signature) {
         // In production, use Stripe's webhook signature verification
         // For now, just parse the payload
         try {
             return JSON.parse(payload);
         }
-        catch (error) {
+        catch (_error) {
             throw new Error('Invalid webhook payload');
         }
     }
     /**
      * Handle checkout completed
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe checkout session object
     async handleCheckoutCompleted(session) {
         const organizationId = session.metadata?.organization_id;
         if (!organizationId) {
@@ -180,6 +182,7 @@ export class BillingService {
     /**
      * Handle subscription updated
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe subscription object
     async handleSubscriptionUpdated(subscription) {
         const organizationId = subscription.metadata?.organization_id;
         if (!organizationId) {
@@ -233,6 +236,7 @@ export class BillingService {
     /**
      * Handle subscription deleted
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe subscription object
     async handleSubscriptionDeleted(subscription) {
         const organizationId = subscription.metadata?.organization_id;
         if (!organizationId) {
@@ -265,6 +269,7 @@ export class BillingService {
     /**
      * Handle invoice paid
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe invoice object
     async handleInvoicePaid(invoice) {
         const organizationId = invoice.subscription_metadata?.organization_id;
         if (!organizationId) {
@@ -287,6 +292,7 @@ export class BillingService {
     /**
      * Handle invoice payment failed
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe invoice object
     async handleInvoicePaymentFailed(invoice) {
         const organizationId = invoice.subscription_metadata?.organization_id;
         if (!organizationId) {
@@ -353,6 +359,7 @@ export class BillingService {
     /**
      * Map database subscription to Subscription type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbSubscriptionToSubscription(dbSub) {
         return {
             id: dbSub.id,
@@ -377,6 +384,7 @@ export class BillingService {
     /**
      * Map database invoice to Invoice type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbInvoiceToInvoice(dbInvoice) {
         return {
             id: dbInvoice.id,

package/dist/lib/saas-encryption.js

@@ -7,7 +7,7 @@ import { getSupabaseClient } from './supabase-client.js';
 const ALGORITHM = 'aes-256-cbc';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16; // 128 bits
-const SALT_LENGTH = 32;
+const _SALT_LENGTH = 32; // Reserved for future use
 const PBKDF2_ITERATIONS = 100000;
 /**
  * Get master encryption key from environment
@@ -199,6 +199,7 @@ export class EncryptionService {
     /**
      * Map database key to EncryptionKey type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbKeyToKey(dbKey) {
         return {
             id: dbKey.id,

package/dist/lib/saas-organizations.js

@@ -332,6 +332,7 @@ export class OrganizationService {
     /**
      * Map database org to Organization type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbOrgToOrg(dbOrg) {
         return {
             id: dbOrg.id,
@@ -352,6 +353,7 @@ export class OrganizationService {
     /**
      * Map database member to OrganizationMember type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbMemberToMember(dbMember) {
         return {
             id: dbMember.id,
@@ -368,6 +370,7 @@ export class OrganizationService {
     /**
      * Map database member detailed to OrganizationMemberDetailed type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row with joined user data
     mapDbMemberDetailedToMemberDetailed(dbMember) {
         return {
             id: dbMember.id,
@@ -558,6 +561,7 @@ export class TeamService {
     /**
      * Map database team to Team type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbTeamToTeam(dbTeam) {
         return {
             id: dbTeam.id,
@@ -574,6 +578,7 @@ export class TeamService {
     /**
      * Map database team member to TeamMember type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbTeamMemberToTeamMember(dbMember) {
         return {
             id: dbMember.id,

package/dist/lib/saas-secrets.js

@@ -2,6 +2,7 @@
  * LSH SaaS Secrets Management Service
  * Multi-tenant secrets with per-team encryption
  */
+import { getErrorMessage, } from './saas-types.js';
 import { getSupabaseClient } from './supabase-client.js';
 import { encryptionService } from './saas-encryption.js';
 import { auditLogger } from './saas-audit.js';
@@ -216,6 +217,7 @@ export class SecretsService {
         if (error) {
             throw new Error(`Failed to get secrets summary: ${error.message}`);
         }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row from view
         return (data || []).map((row) => ({
             teamId: row.team_id,
             teamName: row.team_name,
@@ -313,7 +315,7 @@ export class SecretsService {
                 }
             }
             catch (error) {
-                errors.push(`${secret.key}: ${error.message}`);
+                errors.push(`${secret.key}: ${getErrorMessage(error)}`);
             }
         }
         return { created, updated, errors };
@@ -351,6 +353,7 @@ export class SecretsService {
     /**
      * Map database secret to Secret type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbSecretToSecret(dbSecret) {
         return {
             id: dbSecret.id,

package/dist/lib/saas-types.js

@@ -106,3 +106,60 @@ export var ErrorCode;
     ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
     ErrorCode["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
 })(ErrorCode || (ErrorCode = {}));
+/**
+ * Helper to safely extract error message
+ */
+export function getErrorMessage(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    if (typeof error === 'string') {
+        return error;
+    }
+    return 'Unknown error occurred';
+}
+/**
+ * Helper to safely extract error for logging
+ */
+export function getErrorDetails(error) {
+    if (error instanceof Error) {
+        return {
+            message: error.message,
+            stack: error.stack,
+            code: error.code,
+        };
+    }
+    return { message: String(error) };
+}
+/**
+ * Helper to get authenticated user from request.
+ * Use after authenticateUser middleware - throws if user not present.
+ */
+export function getAuthenticatedUser(req) {
+    if (!req.user) {
+        throw new Error('User not authenticated');
+    }
+    return req.user;
+}
+/**
+ * Create a standardized API error response
+ */
+export function createErrorResponse(code, message, details) {
+    return {
+        success: false,
+        error: {
+            code,
+            message,
+            details,
+        },
+    };
+}
+/**
+ * Create a standardized API success response
+ */
+export function createSuccessResponse(data) {
+    return {
+        success: true,
+        data,
+    };
+}

package/dist/lib/secrets-manager.js

@@ -14,15 +14,53 @@ export class SecretsManager {
     storage;
     encryptionKey;
     gitInfo;
-    constructor(userId, encryptionKey, detectGit = true) {
+    globalMode;
+    homeDir;
+    constructor(userIdOrOptions, encryptionKey, detectGit) {
         this.storage = new IPFSSecretsStorage();
+        this.homeDir = process.env.HOME || process.env.USERPROFILE || '';
+        // Handle both legacy and new constructor signatures
+        let options;
+        if (typeof userIdOrOptions === 'object') {
+            options = userIdOrOptions;
+        }
+        else {
+            options = {
+                userId: userIdOrOptions,
+                encryptionKey,
+                detectGit: detectGit ?? true,
+                globalMode: false,
+            };
+        }
+        this.globalMode = options.globalMode ?? false;
         // Use provided key or generate from machine ID + user
-        this.encryptionKey = encryptionKey || this.getDefaultEncryptionKey();
-        // Auto-detect git repo context
-        if (detectGit) {
+        this.encryptionKey = options.encryptionKey || this.getDefaultEncryptionKey();
+        // Auto-detect git repo context (skip if in global mode)
+        if (!this.globalMode && (options.detectGit ?? true)) {
             this.gitInfo = getGitRepoInfo();
         }
     }
+    /**
+     * Check if running in global mode
+     */
+    isGlobalMode() {
+        return this.globalMode;
+    }
+    /**
+     * Get the home directory path
+     */
+    getHomeDir() {
+        return this.homeDir;
+    }
+    /**
+     * Resolve file path - in global mode, resolves relative to $HOME
+     */
+    resolveFilePath(filePath) {
+        if (this.globalMode && !path.isAbsolute(filePath)) {
+            return path.join(this.homeDir, filePath);
+        }
+        return filePath;
+    }
     /**
      * Cleanup resources (stop timers, close connections)
      * Call this when done to allow process to exit
@@ -430,8 +468,13 @@ export class SecretsManager {
     /**
      * Get the default environment name based on context
      * v2.0: In git repo, default is repo name; otherwise 'dev'
+     * Global mode: always returns 'dev' (which resolves to 'global' namespace)
      */
     getDefaultEnvironment() {
+        // Global mode uses simple 'dev' which maps to 'global' namespace
+        if (this.globalMode) {
+            return 'dev';
+        }
         // Check for v1 compatibility mode
         if (process.env.LSH_V1_COMPAT === 'true') {
             return 'dev'; // v1.x behavior
@@ -447,11 +490,19 @@ export class SecretsManager {
      * v2.0: Returns environment name with repo context if in a git repo
      *
      * Behavior:
+     * - Global mode: returns 'global' or 'global_env' (e.g., global_staging)
      * - Empty env in repo: returns just repo name (v2.0 default)
      * - Named env in repo: returns repo_env (e.g., repo_staging)
      * - Any env outside repo: returns env as-is
      */
     getRepoAwareEnvironment(environment) {
+        // Global mode uses 'global' namespace
+        if (this.globalMode) {
+            if (environment === '' || environment === 'default' || environment === 'dev') {
+                return 'global';
+            }
+            return `global_${environment}`;
+        }
         if (this.gitInfo?.repoName) {
             // v2.0: Empty environment means "use repo name only"
             if (environment === '' || environment === 'default') {
@@ -610,8 +661,14 @@ LSH_SECRETS_KEY=${this.encryptionKey}
             // In load mode, suppress all output except the final export commands
             const out = loadMode ? () => { } : console.log;
             out(`\n🔍 Smart sync for: ${displayEnv}\n`);
-            // Show git repo context if detected
-            if (this.gitInfo?.isGitRepo) {
+            // Show workspace context
+            if (this.globalMode) {
+                out('🌐 Global Workspace:');
+                out(`   Location: ${this.homeDir}`);
+                out(`   Namespace: global`);
+                out();
+            }
+            else if (this.gitInfo?.isGitRepo) {
                 out('📁 Git Repository:');
                 out(`   Repo: ${this.gitInfo.repoName || 'unknown'}`);
                 if (this.gitInfo.currentBranch) {

package/dist/lib/supabase-client.js

@@ -4,7 +4,6 @@
  */
 import { createClient } from '@supabase/supabase-js';
 export class SupabaseClient {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     client;
     config;
     constructor(config) {
@@ -32,7 +31,7 @@ export class SupabaseClient {
      */
     async testConnection() {
         try {
-            const { _data, error } = await this.client
+            const { error } = await this.client
                 .from('shell_history')
                 .select('count')
                 .limit(1);

package/dist/services/secrets/secrets.js

@@ -14,13 +14,16 @@ export async function init_secrets(program) {
         .description('Push local .env to encrypted cloud storage')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name (dev/staging/prod)', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--force', 'Force push even if destructive changes detected')
         .action(async (options) => {
-        const manager = new SecretsManager();
+        const manager = new SecretsManager({ globalMode: options.global });
         try {
+            // Resolve file path (handles global mode)
+            const filePath = manager.resolveFilePath(options.file);
             // v2.0: Use context-aware default environment
             const env = options.env === 'dev' ? manager.getDefaultEnvironment() : options.env;
-            await manager.push(options.file, env, options.force);
+            await manager.push(filePath, env, options.force);
         }
         catch (error) {
             const err = error;
@@ -38,13 +41,16 @@ export async function init_secrets(program) {
         .description('Pull .env from encrypted cloud storage')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name (dev/staging/prod)', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--force', 'Overwrite without creating backup')
         .action(async (options) => {
-        const manager = new SecretsManager();
+        const manager = new SecretsManager({ globalMode: options.global });
         try {
+            // Resolve file path (handles global mode)
+            const filePath = manager.resolveFilePath(options.file);
             // v2.0: Use context-aware default environment
             const env = options.env === 'dev' ? manager.getDefaultEnvironment() : options.env;
-            await manager.pull(options.file, env, options.force);
+            await manager.pull(filePath, env, options.force);
         }
         catch (error) {
             const err = error;
@@ -62,12 +68,14 @@ export async function init_secrets(program) {
         .alias('ls')
         .description('List secrets in the current local .env file')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--keys-only', 'Show only keys, not values')
         .option('--format <type>', 'Output format: env, json, yaml, toml, export', 'env')
         .option('--no-mask', 'Show full values (default: auto based on format)')
         .action(async (options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             if (!fs.existsSync(envPath)) {
                 console.error(`❌ File not found: ${envPath}`);
                 console.log('💡 Tip: Pull from cloud with: lsh pull --env <environment>');
@@ -138,11 +146,12 @@ export async function init_secrets(program) {
     program
         .command('env [environment]')
         .description('List all stored environments or show secrets for specific environment')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--all-files', 'List all tracked .env files across environments')
         .option('--format <type>', 'Output format: env, json, yaml, toml, export', 'env')
         .action(async (environment, options) => {
         try {
-            const manager = new SecretsManager();
+            const manager = new SecretsManager({ globalMode: options.global });
             // If --all-files flag is set, list all tracked files
             if (options.allFiles) {
                 const files = await manager.listAllFiles();
@@ -269,23 +278,26 @@ API_KEY=
         .description('Automatically set up and synchronize secrets (smart mode)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--dry-run', 'Show what would be done without executing')
         .option('--legacy', 'Use legacy sync mode (suggestions only)')
         .option('--load', 'Output eval-able export commands for loading secrets')
         .option('--force', 'Force sync even if destructive changes detected')
         .option('--force-rekey', 'Re-encrypt cloud secrets with current local key (use when key mismatch)')
         .action(async (options) => {
-        const manager = new SecretsManager();
+        const manager = new SecretsManager({ globalMode: options.global });
         try {
+            // Resolve file path (handles global mode)
+            const filePath = manager.resolveFilePath(options.file);
             // v2.0: Use context-aware default environment
             const env = options.env === 'dev' ? manager.getDefaultEnvironment() : options.env;
             if (options.legacy) {
                 // Use legacy sync (suggestions only)
-                await manager.sync(options.file, env);
+                await manager.sync(filePath, env);
             }
             else {
                 // Use new smart sync (auto-execute)
-                await manager.smartSync(options.file, env, !options.dryRun, options.load, options.force, options.forceRekey);
+                await manager.smartSync(filePath, env, !options.dryRun, options.load, options.force, options.forceRekey);
             }
         }
         catch (error) {
@@ -304,10 +316,12 @@ API_KEY=
         .description('Get detailed secrets status (JSON output)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .action(async (options) => {
         try {
-            const manager = new SecretsManager();
-            const status = await manager.status(options.file, options.env);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const filePath = manager.resolveFilePath(options.file);
+            const status = await manager.status(filePath, options.env);
             console.log(JSON.stringify(status, null, 2));
         }
         catch (error) {
@@ -322,14 +336,20 @@ API_KEY=
         .description('Show current directory context and tracked environment')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .action(async (options) => {
         try {
-            const gitInfo = getGitRepoInfo();
-            const manager = new SecretsManager();
-            const envPath = path.resolve(options.file);
+            const gitInfo = options.global ? null : getGitRepoInfo();
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             console.log('\n📍 Current Directory Context\n');
-            // Git Repository Info
-            if (gitInfo.isGitRepo) {
+            // Workspace Info
+            if (options.global) {
+                console.log('🌐 Global Workspace:');
+                console.log(`   Location: ${manager.getHomeDir()}`);
+                console.log('   Mode: Global (not repo-specific)');
+            }
+            else if (gitInfo?.isGitRepo) {
                 console.log('📁 Git Repository:');
                 console.log(`   Root: ${gitInfo.rootPath || 'unknown'}`);
                 console.log(`   Name: ${gitInfo.repoName || 'unknown'}`);
@@ -347,12 +367,22 @@ API_KEY=
             // Environment Tracking
             console.log('🔐 Environment Tracking:');
             // Show the effective environment name used for cloud storage
-            const effectiveEnv = gitInfo.repoName
-                ? `${gitInfo.repoName}_${options.env}`
-                : options.env;
+            let effectiveEnv;
+            if (options.global) {
+                effectiveEnv = options.env === 'dev' ? 'global' : `global_${options.env}`;
+            }
+            else {
+                effectiveEnv = gitInfo?.repoName
+                    ? `${gitInfo.repoName}_${options.env}`
+                    : options.env;
+            }
             console.log(`   Base environment: ${options.env}`);
             console.log(`   Cloud storage name: ${effectiveEnv}`);
-            if (gitInfo.repoName) {
+            if (options.global) {
+                console.log('   Namespace: global');
+                console.log('   ℹ️  Global workspace mode enabled');
+            }
+            else if (gitInfo?.repoName) {
                 console.log(`   Namespace: ${gitInfo.repoName}`);
                 console.log('   ℹ️  Repo-based isolation enabled');
             }
@@ -420,13 +450,15 @@ API_KEY=
         .command('get [key]')
         .description('Get a specific secret value from .env file, or all secrets with --all')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--all', 'Get all secrets from the file')
         .option('--export', 'Output in export format for shell evaluation (alias for --format export)')
         .option('--format <type>', 'Output format: env, json, yaml, toml, export', 'env')
         .option('--exact', 'Require exact key match (disable fuzzy matching)')
         .action(async (key, options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             if (!fs.existsSync(envPath)) {
                 console.error(`❌ File not found: ${envPath}`);
                 process.exit(1);
@@ -535,10 +567,12 @@ API_KEY=
         .command('set [key] [value]')
         .description('Set a specific secret value in .env file, or batch upsert from stdin (KEY=VALUE format)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--stdin', 'Read KEY=VALUE pairs from stdin (one per line)')
         .action(async (key, value, options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             // Check if we should read from stdin
             const isStdin = options.stdin || (!key && !value);
             if (isStdin) {
@@ -792,10 +826,12 @@ API_KEY=
         .command('delete')
         .description('Delete .env file (requires confirmation)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('-y, --yes', 'Skip confirmation prompt')
         .action(async (options) => {
         try {
-            const envPath = path.resolve(options.file);
+            const manager = new SecretsManager({ globalMode: options.global });
+            const envPath = path.resolve(manager.resolveFilePath(options.file));
             // Check if file exists
             if (!fs.existsSync(envPath)) {
                 console.log(`❌ File not found: ${envPath}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {
@@ -18,7 +18,8 @@
     "build": "tsc",
     "watch": "tsc --watch",
     "test": "node --experimental-vm-modules ./node_modules/.bin/jest",
-    "test:coverage": "node --experimental-vm-modules ./node_modules/.bin/jest --coverage",
+    "test:ci": "node --experimental-vm-modules ./node_modules/.bin/jest --runInBand",
+    "test:coverage": "node --experimental-vm-modules ./node_modules/.bin/jest --coverage --runInBand",
     "clean": "rm -rf ./build; rm -rf ./bin; rm -rf ./dist",
     "lint": "eslint src --ext .js,.ts,.tsx",
     "lint:fix": "eslint src --ext .js,.ts,.tsx --fix",