npm - lsh-framework - Versions diffs - 3.0.0 → 3.1.1 - Mend

lsh-framework 3.0.0 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/cli.js +1 -1
package/dist/commands/doctor.js +32 -15
package/dist/commands/init.js +31 -12
package/dist/commands/self.js +0 -1
package/dist/constants/validation.js +2 -0
package/dist/daemon/lshd.js +21 -4
package/dist/daemon/saas-api-routes.js +44 -37
package/dist/daemon/saas-api-server.js +9 -5
package/dist/lib/cron-job-manager.js +2 -0
package/dist/lib/ipfs-secrets-storage.js +26 -7
package/dist/lib/job-manager.js +0 -1
package/dist/lib/lshrc-init.js +0 -1
package/dist/lib/saas-audit.js +6 -3
package/dist/lib/saas-auth.js +6 -3
package/dist/lib/saas-billing.js +10 -2
package/dist/lib/saas-encryption.js +2 -1
package/dist/lib/saas-organizations.js +5 -0
package/dist/lib/saas-secrets.js +4 -1
package/dist/lib/saas-types.js +57 -0
package/dist/lib/secrets-manager.js +63 -6
package/dist/lib/supabase-client.js +1 -2
package/dist/services/secrets/secrets.js +63 -24
package/package.json +4 -3

package/dist/cli.js CHANGED Viewed

@@ -47,7 +47,7 @@ program
 program
     .option('-v, --verbose', 'Verbose output')
     .option('-d, --debug', 'Debug mode')
-    .action(async (options) => {
+    .action(async (_options) => {
     // No arguments - show secrets-focused help
     console.log('LSH - Encrypted Secrets Manager');
     console.log('');

package/dist/commands/doctor.js CHANGED Viewed

@@ -8,6 +8,7 @@ import * as path from 'path';
 import { createClient } from '@supabase/supabase-js';
 import { getPlatformPaths, getPlatformInfo } from '../lib/platform-utils.js';
 import { IPFSClientManager } from '../lib/ipfs-client-manager.js';
+import * as os from 'os';
 /**
  * Register doctor commands
  */
@@ -15,6 +16,7 @@ export function registerDoctorCommands(program) {
     program
         .command('doctor')
         .description('Health check and troubleshooting')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('-v, --verbose', 'Show detailed information')
         .option('--json', 'Output results as JSON')
         .action(async (options) => {
@@ -28,12 +30,25 @@ export function registerDoctorCommands(program) {
         }
     });
 }
+/**
+ * Get the base directory for .env files
+ */
+function getBaseDir(globalMode) {
+    return globalMode ? os.homedir() : process.cwd();
+}
 /**
  * Run comprehensive health check
  */
 async function runHealthCheck(options) {
+    const baseDir = getBaseDir(options.global);
     if (!options.json) {
-        console.log(chalk.bold.cyan('\n🏥 LSH Health Check'));
+        if (options.global) {
+            console.log(chalk.bold.cyan('\n🏥 LSH Health Check (Global Workspace)'));
+            console.log(chalk.yellow(`   Location: ${baseDir}`));
+        }
+        else {
+            console.log(chalk.bold.cyan('\n🏥 LSH Health Check'));
+        }
         console.log(chalk.gray('━'.repeat(50)));
         console.log('');
     }
@@ -41,18 +56,20 @@ async function runHealthCheck(options) {
     // Platform check
     checks.push(await checkPlatform(options.verbose));
     // .env file check
-    checks.push(await checkEnvFile(options.verbose));
+    checks.push(await checkEnvFile(options.verbose, baseDir));
     // Encryption key check
-    checks.push(await checkEncryptionKey(options.verbose));
+    checks.push(await checkEncryptionKey(options.verbose, baseDir));
     // Storage backend check
-    const storageChecks = await checkStorageBackend(options.verbose);
+    const storageChecks = await checkStorageBackend(options.verbose, baseDir);
     checks.push(...storageChecks);
-    // Git repository check
-    checks.push(await checkGitRepository(options.verbose));
+    // Git repository check (skip for global mode)
+    if (!options.global) {
+        checks.push(await checkGitRepository(options.verbose));
+    }
     // IPFS client check
     checks.push(await checkIPFSClient(options.verbose));
     // Permissions check
-    checks.push(await checkPermissions(options.verbose));
+    checks.push(await checkPermissions(options.verbose, baseDir));
     // Display results
     if (options.json) {
         console.log(JSON.stringify({ checks, summary: getSummary(checks) }, null, 2));
@@ -86,9 +103,9 @@ async function checkPlatform(verbose) {
 /**
  * Check .env file
  */
-async function checkEnvFile(verbose) {
+async function checkEnvFile(verbose, baseDir) {
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir || process.cwd(), '.env');
         // Read file directly without access check to avoid TOCTOU race condition
         const content = await fs.readFile(envPath, 'utf-8');
         const lines = content.split('\n').filter(l => l.trim() && !l.startsWith('#'));
@@ -111,9 +128,9 @@ async function checkEnvFile(verbose) {
 /**
  * Check encryption key
  */
-async function checkEncryptionKey(verbose) {
+async function checkEncryptionKey(verbose, baseDir) {
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir || process.cwd(), '.env');
         const content = await fs.readFile(envPath, 'utf-8');
         const match = content.match(/^LSH_SECRETS_KEY=(.+)$/m);
         if (!match) {
@@ -163,10 +180,10 @@ async function checkEncryptionKey(verbose) {
 /**
  * Check storage backend configuration
  */
-async function checkStorageBackend(verbose) {
+async function checkStorageBackend(verbose, baseDir) {
     const checks = [];
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir || process.cwd(), '.env');
         const content = await fs.readFile(envPath, 'utf-8');
         const supabaseUrl = content.match(/^SUPABASE_URL=(.+)$/m)?.[1]?.trim();
         const supabaseKey = content.match(/^SUPABASE_ANON_KEY=(.+)$/m)?.[1]?.trim();
@@ -263,7 +280,7 @@ async function testSupabaseConnection(url, key, verbose) {
 /**
  * Check if in git repository
  */
-async function checkGitRepository(verbose) {
+async function checkGitRepository(_verbose) {
     try {
         const gitPath = path.join(process.cwd(), '.git');
         // Use stat instead of access to avoid TOCTOU race condition
@@ -332,7 +349,7 @@ async function checkIPFSClient(verbose) {
 /**
  * Check file permissions
  */
-async function checkPermissions(verbose) {
+async function checkPermissions(verbose, _baseDir) {
     try {
         const paths = getPlatformPaths();
         // Check if we can write to temp directory with secure permissions

package/dist/commands/init.js CHANGED Viewed

@@ -11,6 +11,7 @@ import { createClient } from '@supabase/supabase-js';
 import ora from 'ora';
 import { getPlatformPaths } from '../lib/platform-utils.js';
 import { getGitRepoInfo } from '../lib/git-utils.js';
+import * as os from 'os';
 /**
  * Register init commands
  */
@@ -18,6 +19,7 @@ export function registerInitCommands(program) {
     program
         .command('init')
         .description('Interactive setup wizard (first-time configuration)')
+        .option('-g, --global', 'Use global workspace ($HOME)')
         .option('--local', 'Use local-only encryption (no cloud sync)')
         .option('--storacha', 'Use Storacha IPFS network sync (recommended)')
         .option('--supabase', 'Use Supabase cloud storage')
@@ -34,15 +36,30 @@ export function registerInitCommands(program) {
         }
     });
 }
+/**
+ * Get the base directory for .env files
+ */
+function getBaseDir(globalMode) {
+    return globalMode ? os.homedir() : process.cwd();
+}
 /**
  * Run the interactive setup wizard
  */
 async function runSetupWizard(options) {
-    console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Setup Wizard'));
-    console.log(chalk.gray('━'.repeat(50)));
+    const globalMode = options.global ?? false;
+    const baseDir = getBaseDir(globalMode);
+    if (globalMode) {
+        console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Global Setup Wizard'));
+        console.log(chalk.gray('━'.repeat(50)));
+        console.log(chalk.yellow(`\n🌐 Global Mode: Using $HOME (${baseDir})`));
+    }
+    else {
+        console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Setup Wizard'));
+        console.log(chalk.gray('━'.repeat(50)));
+    }
     console.log('');
     // Check if already configured
-    const existingConfig = await checkExistingConfig();
+    const existingConfig = await checkExistingConfig(baseDir);
     if (existingConfig) {
         const { overwrite } = await inquirer.prompt([
             {
@@ -181,16 +198,16 @@ async function runSetupWizard(options) {
         }
     }
     // Save configuration
-    await saveConfiguration(config);
+    await saveConfiguration(config, baseDir, globalMode);
     // Show success message
     showSuccessMessage(config);
 }
 /**
  * Check if LSH is already configured
  */
-async function checkExistingConfig() {
+async function checkExistingConfig(baseDir) {
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir, '.env');
         // Read file directly without access check to avoid TOCTOU race condition
         const content = await fs.readFile(envPath, 'utf-8');
         return content.includes('LSH_SECRETS_KEY') ||
@@ -204,7 +221,7 @@ async function checkExistingConfig() {
 /**
  * Pull secrets after init is complete
  */
-async function pullSecretsAfterInit(encryptionKey, repoName) {
+async function pullSecretsAfterInit(_encryptionKey, _repoName) {
     const spinner = ora('Pulling secrets from cloud...').start();
     try {
         // Dynamically import SecretsManager to avoid circular dependencies
@@ -399,7 +416,7 @@ async function configurePostgres(config, skipTest) {
 /**
  * Configure local-only mode
  */
-async function configureLocal(config) {
+async function configureLocal(_config) {
     console.log(chalk.cyan('\n💾 Local Encryption Mode'));
     console.log(chalk.gray('Secrets will be encrypted locally. No cloud sync available.'));
     console.log('');
@@ -417,10 +434,10 @@ function generateEncryptionKey() {
 /**
  * Save configuration to .env file
  */
-async function saveConfiguration(config) {
+async function saveConfiguration(config, baseDir, globalMode) {
     const spinner = ora('Saving configuration...').start();
     try {
-        const envPath = path.join(process.cwd(), '.env');
+        const envPath = path.join(baseDir, '.env');
         let envContent = '';
         // Try to read existing .env
         try {
@@ -461,8 +478,10 @@ async function saveConfiguration(config) {
         }
         // Write .env file
         await fs.writeFile(envPath, envContent, 'utf-8');
-        // Update .gitignore
-        await updateGitignore();
+        // Update .gitignore (skip for global mode since it's in $HOME)
+        if (!globalMode) {
+            await updateGitignore();
+        }
         spinner.succeed(chalk.green('✅ Configuration saved'));
     }
     catch (error) {

package/dist/commands/self.js CHANGED Viewed

@@ -127,7 +127,6 @@ async function checkCIStatus(_version) {
                         const ghData = JSON.parse(data);
                         const runs = ghData.workflow_runs || [];
                         // Find the most recent workflow run for main branch
-                        // eslint-disable-next-line @typescript-eslint/no-explicit-any
                         const mainRuns = runs.filter((run) => run.head_branch === 'main' && run.status === 'completed');
                         if (mainRuns.length > 0) {
                             const latestRun = mainRuns[0];

package/dist/constants/validation.js CHANGED Viewed

@@ -87,6 +87,8 @@ export const DANGEROUS_PATTERNS = [
         riskLevel: RISK_LEVELS.MEDIUM,
     },
     {
+        // Detect null byte injection attacks (legitimate security pattern)
+        // eslint-disable-next-line no-control-regex
         pattern: /\x00/i,
         description: ERRORS.NULL_BYTE,
         riskLevel: RISK_LEVELS.HIGH,

package/dist/daemon/lshd.js CHANGED Viewed

@@ -108,13 +108,15 @@ export class LSHJobDaemon extends EventEmitter {
             await fs.promises.unlink(this.config.pidFile);
         }
         catch (_error) {
-            // Ignore if file doesn\'t exist
+            // Ignore if file doesn't exist
         }
-        // Close log stream
+        // Log before closing stream
+        this.log('INFO', 'Daemon stopped');
+        // Close log stream AFTER logging
         if (this.logStream) {
             this.logStream.end();
+            this.logStream = undefined;
         }
-        this.log('INFO', 'Daemon stopped');
         this.emit('stopped');
     }
     /**
@@ -729,8 +731,23 @@ export class LSHJobDaemon extends EventEmitter {
 }
 // Module-level logger for CLI operations
 const cliLogger = createLogger('LSHDaemonCLI');
+// Helper to check if this module is run directly (ESM-compatible)
+// Uses indirect eval to avoid parse-time errors in CommonJS/Jest environments
+const isMainModule = () => {
+    try {
+        // Use Function constructor to avoid parse-time errors with import.meta
+        // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
+        const getImportMetaUrl = new Function('return import.meta.url');
+        const metaUrl = getImportMetaUrl();
+        return metaUrl === `file://${process.argv[1]}`;
+    }
+    catch {
+        // Fallback for CommonJS or environments that don't support import.meta
+        return false;
+    }
+};
 // CLI interface for the daemon
-if (import.meta.url === `file://${process.argv[1]}`) {
+if (isMainModule()) {
     const command = process.argv[2];
     const subCommand = process.argv[3];
     const _args = process.argv.slice(4);

package/dist/daemon/saas-api-routes.js CHANGED Viewed

@@ -9,6 +9,7 @@ import { billingService } from '../lib/saas-billing.js';
 import { auditLogger, getIpFromRequest } from '../lib/saas-audit.js';
 import { emailService } from '../lib/saas-email.js';
 import { secretsService } from '../lib/saas-secrets.js';
+import { getErrorMessage, getAuthenticatedUser } from '../lib/saas-types.js'; // eslint-disable-line no-duplicate-imports
 /**
  * Rate Limiters for different endpoint types
  */
@@ -83,7 +84,7 @@ export async function authenticateUser(req, res, next) {
             success: false,
             error: {
                 code: 'UNAUTHORIZED',
-                message: error.message || 'Authentication failed',
+                message: getErrorMessage(error) || 'Authentication failed',
             },
         });
     }
@@ -101,20 +102,26 @@ export async function requireOrganizationMembership(req, res, next) {
                 error: { code: 'INVALID_INPUT', message: 'Organization ID required' },
             });
         }
-        const role = await organizationService.getUserRole(organizationId, req.user.id);
+        if (!req.user) {
+            return res.status(401).json({
+                success: false,
+                error: { code: 'UNAUTHORIZED', message: 'User not authenticated' },
+            });
+        }
+        const role = await organizationService.getUserRole(organizationId, getAuthenticatedUser(req).id);
         if (!role) {
             return res.status(403).json({
                 success: false,
                 error: { code: 'FORBIDDEN', message: 'Not a member of this organization' },
             });
         }
-        req.organizationRole = role;
+        req.organizationId = organizationId;
         next();
     }
     catch (error) {
         return res.status(500).json({
             success: false,
-            error: { code: 'INTERNAL_ERROR', message: error.message },
+            error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
         });
     }
 }
@@ -183,7 +190,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: error.message.includes('ALREADY_EXISTS') ? 'EMAIL_ALREADY_EXISTS' : 'INTERNAL_ERROR', message: error.message },
+                error: { code: getErrorMessage(error).includes('ALREADY_EXISTS') ? 'EMAIL_ALREADY_EXISTS' : 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -215,10 +222,10 @@ export function setupSaaSApiRoutes(app) {
             });
         }
         catch (error) {
-            const statusCode = error.message.includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
+            const statusCode = getErrorMessage(error).includes('EMAIL_NOT_VERIFIED') ? 403 : 401;
             res.status(statusCode).json({
                 success: false,
-                error: { code: error.message || 'INVALID_CREDENTIALS', message: error.message },
+                error: { code: getErrorMessage(error) || 'INVALID_CREDENTIALS', message: getErrorMessage(error) },
             });
         }
     });
@@ -252,7 +259,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INVALID_TOKEN', message: error.message },
+                error: { code: 'INVALID_TOKEN', message: getErrorMessage(error) },
             });
         }
     });
@@ -276,7 +283,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -302,7 +309,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(401).json({
                 success: false,
-                error: { code: 'INVALID_TOKEN', message: error.message },
+                error: { code: 'INVALID_TOKEN', message: getErrorMessage(error) },
             });
         }
     });
@@ -335,7 +342,7 @@ export function setupSaaSApiRoutes(app) {
             const organization = await organizationService.createOrganization({
                 name,
                 slug,
-                ownerId: req.user.id,
+                ownerId: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -345,7 +352,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -372,7 +379,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -391,7 +398,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -402,7 +409,7 @@ export function setupSaaSApiRoutes(app) {
     app.post('/api/v1/organizations/:organizationId/members', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canInvite = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canInviteMembers');
+            const canInvite = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canInviteMembers');
             if (!canInvite) {
                 return res.status(403).json({
                     success: false,
@@ -414,7 +421,7 @@ export function setupSaaSApiRoutes(app) {
                 organizationId: req.params.organizationId,
                 userId,
                 role: role || 'member',
-                invitedBy: req.user.id,
+                invitedBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -424,7 +431,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -449,7 +456,7 @@ export function setupSaaSApiRoutes(app) {
                 name,
                 slug,
                 description,
-            }, req.user.id);
+            }, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: { team },
@@ -458,7 +465,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -477,7 +484,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -505,7 +512,7 @@ export function setupSaaSApiRoutes(app) {
                 description,
                 tags,
                 rotationIntervalDays,
-                createdBy: req.user.id,
+                createdBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -513,10 +520,10 @@ export function setupSaaSApiRoutes(app) {
             });
         }
         catch (error) {
-            const statusCode = error.message.includes('TIER_LIMIT_EXCEEDED') ? 402 : 400;
+            const statusCode = getErrorMessage(error).includes('TIER_LIMIT_EXCEEDED') ? 402 : 400;
             res.status(statusCode).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -541,7 +548,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -574,7 +581,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -590,7 +597,7 @@ export function setupSaaSApiRoutes(app) {
                 description,
                 tags,
                 rotationIntervalDays,
-                updatedBy: req.user.id,
+                updatedBy: getAuthenticatedUser(req).id,
             });
             res.json({
                 success: true,
@@ -600,7 +607,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -610,7 +617,7 @@ export function setupSaaSApiRoutes(app) {
      */
     app.delete('/api/v1/teams/:teamId/secrets/:secretId', writeLimiter, authenticateUser, async (req, res) => {
         try {
-            await secretsService.deleteSecret(req.params.secretId, req.user.id);
+            await secretsService.deleteSecret(req.params.secretId, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: { message: 'Secret deleted successfully' },
@@ -619,7 +626,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -644,7 +651,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -661,7 +668,7 @@ export function setupSaaSApiRoutes(app) {
                     error: { code: 'INVALID_INPUT', message: 'Environment and content required' },
                 });
             }
-            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, req.user.id);
+            const result = await secretsService.importFromEnv(req.params.teamId, environment, content, getAuthenticatedUser(req).id);
             res.json({
                 success: true,
                 data: result,
@@ -670,7 +677,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -684,7 +691,7 @@ export function setupSaaSApiRoutes(app) {
     app.get('/api/v1/organizations/:organizationId/audit-logs', authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canView = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canViewAuditLogs');
+            const canView = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canViewAuditLogs');
             if (!canView) {
                 return res.status(403).json({
                     success: false,
@@ -709,7 +716,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(500).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -723,7 +730,7 @@ export function setupSaaSApiRoutes(app) {
     app.post('/api/v1/organizations/:organizationId/billing/checkout', writeLimiter, authenticateUser, requireOrganizationMembership, async (req, res) => {
         try {
             // Check permission
-            const canManage = await organizationService.hasPermission(req.params.organizationId, req.user.id, 'canManageBilling');
+            const canManage = await organizationService.hasPermission(req.params.organizationId, getAuthenticatedUser(req).id, 'canManageBilling');
             if (!canManage) {
                 return res.status(403).json({
                     success: false,
@@ -754,7 +761,7 @@ export function setupSaaSApiRoutes(app) {
         catch (error) {
             res.status(400).json({
                 success: false,
-                error: { code: 'INTERNAL_ERROR', message: error.message },
+                error: { code: 'INTERNAL_ERROR', message: getErrorMessage(error) },
             });
         }
     });
@@ -771,7 +778,7 @@ export function setupSaaSApiRoutes(app) {
         }
         catch (error) {
             console.error('Webhook error:', error);
-            res.status(400).json({ error: error.message });
+            res.status(400).json({ error: getErrorMessage(error) });
         }
     });
     console.log('✅ SaaS API routes registered');

package/dist/daemon/saas-api-server.js CHANGED Viewed

@@ -6,6 +6,7 @@ import express from 'express';
 import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { setupSaaSApiRoutes } from './saas-api-routes.js';
+import { getErrorMessage } from '../lib/saas-types.js';
 /**
  * SaaS API Server
  */
@@ -123,19 +124,22 @@ export class SaaSApiServer {
      */
     setupErrorHandlers() {
         // Global error handler
-        this.app.use((err, req, res, _next) => {
+        const errorHandler = (err, _req, res, _next) => {
             console.error('API Error:', err);
             // Don't leak error details in production
             const isDev = process.env.NODE_ENV !== 'production';
-            res.status(err.status || 500).json({
+            const statusCode = err.status || 500;
+            const errorCode = err.code || 'INTERNAL_ERROR';
+            res.status(statusCode).json({
                 success: false,
                 error: {
-                    code: err.code || 'INTERNAL_ERROR',
-                    message: isDev ? err.message : 'Internal server error',
+                    code: errorCode,
+                    message: isDev ? getErrorMessage(err) : 'Internal server error',
                     details: isDev ? err.stack : undefined,
                 },
             });
-        });
+        };
+        this.app.use(errorHandler);
     }
     /**
      * Start the server