lsh-framework 3.0.0 → 3.1.1

package/dist/lib/cron-job-manager.js

@@ -160,6 +160,8 @@ export class CronJobManager extends BaseJobManager {
      */
     async getJobReport(jobId) {
         // Try to get historical data from database if available, otherwise use current job info
+        // Using any[] because getJobHistory returns ShellJob (snake_case properties)
+        // but getJob returns JobSpec (camelCase properties), and this code handles both
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         let jobs = [];
         try {

package/dist/lib/ipfs-secrets-storage.js

@@ -269,13 +269,32 @@ export class IPFSSecretsStorage {
      * Decrypt secrets using AES-256
      */
     decryptSecrets(encryptedData, encryptionKey) {
-        const [ivHex, encrypted] = encryptedData.split(':');
-        const key = crypto.createHash('sha256').update(encryptionKey).digest();
-        const iv = Buffer.from(ivHex, 'hex');
-        const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
-        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-        decrypted += decipher.final('utf8');
-        return JSON.parse(decrypted);
+        try {
+            const [ivHex, encrypted] = encryptedData.split(':');
+            const key = crypto.createHash('sha256').update(encryptionKey).digest();
+            const iv = Buffer.from(ivHex, 'hex');
+            const decipher = crypto.createDecipheriv('aes-256-cbc', key, iv);
+            let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+            decrypted += decipher.final('utf8');
+            return JSON.parse(decrypted);
+        }
+        catch (error) {
+            const err = error;
+            // Catch crypto errors (bad decrypt, wrong block length) AND JSON parse errors
+            // (wrong key can produce garbage that fails JSON.parse)
+            if (err.message.includes('bad decrypt') ||
+                err.message.includes('wrong final block length') ||
+                err.message.includes('Unexpected token') ||
+                err.message.includes('JSON')) {
+                throw new Error('Decryption failed. This usually means:\n' +
+                    '  1. You need to set LSH_SECRETS_KEY environment variable\n' +
+                    '  2. The key must match the one used during encryption\n' +
+                    '  3. Generate a shared key with: lsh secrets key\n' +
+                    '  4. Add it to your .env: LSH_SECRETS_KEY=<key>\n' +
+                    '\nOriginal error: ' + err.message);
+            }
+            throw error;
+        }
     }
     /**
      * Generate IPFS-compatible CID from content

package/dist/lib/job-manager.js

@@ -292,7 +292,6 @@ export class JobManager extends BaseJobManager {
     /**
      * Get job statistics
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     getJobStats() {
         const jobs = Array.from(this.jobs.values());
         const stats = {

package/dist/lib/lshrc-init.js

@@ -76,7 +76,6 @@ zsh-source${options.importOptions ? ' ' + options.importOptions.join(' ') : ''}
     /**
      * Source .lshrc commands
      */
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async source(_executor) {
         if (!this.exists()) {
             return [];

package/dist/lib/saas-audit.js

@@ -173,6 +173,7 @@ export class AuditLogger {
     /**
      * Map database log to AuditLog type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbLogToLog(dbLog) {
         return {
             id: dbLog.id,
@@ -200,9 +201,11 @@ export const auditLogger = new AuditLogger();
  * Helper function to extract IP from request
  */
 export function getIpFromRequest(req) {
-    return (req.headers['x-forwarded-for']?.split(',')[0].trim() ||
-        req.headers['x-real-ip'] ||
-        req.connection?.remoteAddress ||
+    const forwarded = req.headers['x-forwarded-for'];
+    const forwardedIp = typeof forwarded === 'string' ? forwarded.split(',')[0].trim() : undefined;
+    const realIp = req.headers['x-real-ip'];
+    return (forwardedIp ||
+        (typeof realIp === 'string' ? realIp : undefined) ||
         req.socket?.remoteAddress);
 }
 /**

package/dist/lib/saas-auth.js

@@ -82,7 +82,7 @@ export function verifyToken(token) {
             type: decoded.type,
         };
     }
-    catch (error) {
+    catch (_error) {
         throw new Error('Invalid or expired token');
     }
 }
@@ -320,6 +320,7 @@ export class AuthService {
         if (error) {
             throw new Error(`Failed to get user organizations: ${error.message}`);
         }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB join result
         return (data || []).map((row) => this.mapDbOrgToOrg(row.organizations));
     }
     /**
@@ -337,7 +338,7 @@ export class AuthService {
             return generateToken();
         }
         const resetToken = generateToken();
-        const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+        const _expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour (for future use)
         // Store reset token (we'll need a password_reset_tokens table)
         // For now, just return the token
         return resetToken;
@@ -345,7 +346,7 @@ export class AuthService {
     /**
      * Reset password
      */
-    async resetPassword(token, newPassword) {
+    async resetPassword(_token, _newPassword) {
         // TODO: Implement password reset
         // Need to create password_reset_tokens table
         throw new Error('Not implemented');
@@ -378,6 +379,7 @@ export class AuthService {
     /**
      * Map database user to User type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbUserToUser(dbUser) {
         return {
             id: dbUser.id,
@@ -403,6 +405,7 @@ export class AuthService {
     /**
      * Map database organization to Organization type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbOrgToOrg(dbOrg) {
         return {
             id: dbOrg.id,

package/dist/lib/saas-billing.js

@@ -155,19 +155,21 @@ export class BillingService {
     /**
      * Verify webhook signature
      */
-    verifyWebhookSignature(payload, signature) {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe event structure
+    verifyWebhookSignature(payload, _signature) {
         // In production, use Stripe's webhook signature verification
         // For now, just parse the payload
         try {
             return JSON.parse(payload);
         }
-        catch (error) {
+        catch (_error) {
             throw new Error('Invalid webhook payload');
         }
     }
     /**
      * Handle checkout completed
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe checkout session object
     async handleCheckoutCompleted(session) {
         const organizationId = session.metadata?.organization_id;
         if (!organizationId) {
@@ -180,6 +182,7 @@ export class BillingService {
     /**
      * Handle subscription updated
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe subscription object
     async handleSubscriptionUpdated(subscription) {
         const organizationId = subscription.metadata?.organization_id;
         if (!organizationId) {
@@ -233,6 +236,7 @@ export class BillingService {
     /**
      * Handle subscription deleted
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe subscription object
     async handleSubscriptionDeleted(subscription) {
         const organizationId = subscription.metadata?.organization_id;
         if (!organizationId) {
@@ -265,6 +269,7 @@ export class BillingService {
     /**
      * Handle invoice paid
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe invoice object
     async handleInvoicePaid(invoice) {
         const organizationId = invoice.subscription_metadata?.organization_id;
         if (!organizationId) {
@@ -287,6 +292,7 @@ export class BillingService {
     /**
      * Handle invoice payment failed
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Stripe invoice object
     async handleInvoicePaymentFailed(invoice) {
         const organizationId = invoice.subscription_metadata?.organization_id;
         if (!organizationId) {
@@ -353,6 +359,7 @@ export class BillingService {
     /**
      * Map database subscription to Subscription type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbSubscriptionToSubscription(dbSub) {
         return {
             id: dbSub.id,
@@ -377,6 +384,7 @@ export class BillingService {
     /**
      * Map database invoice to Invoice type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbInvoiceToInvoice(dbInvoice) {
         return {
             id: dbInvoice.id,

package/dist/lib/saas-encryption.js

@@ -7,7 +7,7 @@ import { getSupabaseClient } from './supabase-client.js';
 const ALGORITHM = 'aes-256-cbc';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16; // 128 bits
-const SALT_LENGTH = 32;
+const _SALT_LENGTH = 32; // Reserved for future use
 const PBKDF2_ITERATIONS = 100000;
 /**
  * Get master encryption key from environment
@@ -199,6 +199,7 @@ export class EncryptionService {
     /**
      * Map database key to EncryptionKey type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbKeyToKey(dbKey) {
         return {
             id: dbKey.id,

package/dist/lib/saas-organizations.js

@@ -332,6 +332,7 @@ export class OrganizationService {
     /**
      * Map database org to Organization type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbOrgToOrg(dbOrg) {
         return {
             id: dbOrg.id,
@@ -352,6 +353,7 @@ export class OrganizationService {
     /**
      * Map database member to OrganizationMember type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbMemberToMember(dbMember) {
         return {
             id: dbMember.id,
@@ -368,6 +370,7 @@ export class OrganizationService {
     /**
      * Map database member detailed to OrganizationMemberDetailed type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row with joined user data
     mapDbMemberDetailedToMemberDetailed(dbMember) {
         return {
             id: dbMember.id,
@@ -558,6 +561,7 @@ export class TeamService {
     /**
      * Map database team to Team type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbTeamToTeam(dbTeam) {
         return {
             id: dbTeam.id,
@@ -574,6 +578,7 @@ export class TeamService {
     /**
      * Map database team member to TeamMember type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbTeamMemberToTeamMember(dbMember) {
         return {
             id: dbMember.id,

package/dist/lib/saas-secrets.js

@@ -2,6 +2,7 @@
  * LSH SaaS Secrets Management Service
  * Multi-tenant secrets with per-team encryption
  */
+import { getErrorMessage, } from './saas-types.js';
 import { getSupabaseClient } from './supabase-client.js';
 import { encryptionService } from './saas-encryption.js';
 import { auditLogger } from './saas-audit.js';
@@ -216,6 +217,7 @@ export class SecretsService {
         if (error) {
             throw new Error(`Failed to get secrets summary: ${error.message}`);
         }
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row from view
         return (data || []).map((row) => ({
             teamId: row.team_id,
             teamName: row.team_name,
@@ -313,7 +315,7 @@ export class SecretsService {
                 }
             }
             catch (error) {
-                errors.push(`${secret.key}: ${error.message}`);
+                errors.push(`${secret.key}: ${getErrorMessage(error)}`);
             }
         }
         return { created, updated, errors };
@@ -351,6 +353,7 @@ export class SecretsService {
     /**
      * Map database secret to Secret type
      */
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- DB row type varies by schema
     mapDbSecretToSecret(dbSecret) {
         return {
             id: dbSecret.id,

package/dist/lib/saas-types.js

@@ -106,3 +106,60 @@ export var ErrorCode;
     ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
     ErrorCode["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
 })(ErrorCode || (ErrorCode = {}));
+/**
+ * Helper to safely extract error message
+ */
+export function getErrorMessage(error) {
+    if (error instanceof Error) {
+        return error.message;
+    }
+    if (typeof error === 'string') {
+        return error;
+    }
+    return 'Unknown error occurred';
+}
+/**
+ * Helper to safely extract error for logging
+ */
+export function getErrorDetails(error) {
+    if (error instanceof Error) {
+        return {
+            message: error.message,
+            stack: error.stack,
+            code: error.code,
+        };
+    }
+    return { message: String(error) };
+}
+/**
+ * Helper to get authenticated user from request.
+ * Use after authenticateUser middleware - throws if user not present.
+ */
+export function getAuthenticatedUser(req) {
+    if (!req.user) {
+        throw new Error('User not authenticated');
+    }
+    return req.user;
+}
+/**
+ * Create a standardized API error response
+ */
+export function createErrorResponse(code, message, details) {
+    return {
+        success: false,
+        error: {
+            code,
+            message,
+            details,
+        },
+    };
+}
+/**
+ * Create a standardized API success response
+ */
+export function createSuccessResponse(data) {
+    return {
+        success: true,
+        data,
+    };
+}

package/dist/lib/secrets-manager.js

@@ -14,15 +14,53 @@ export class SecretsManager {
     storage;
     encryptionKey;
     gitInfo;
-    constructor(userId, encryptionKey, detectGit = true) {
+    globalMode;
+    homeDir;
+    constructor(userIdOrOptions, encryptionKey, detectGit) {
         this.storage = new IPFSSecretsStorage();
+        this.homeDir = process.env.HOME || process.env.USERPROFILE || '';
+        // Handle both legacy and new constructor signatures
+        let options;
+        if (typeof userIdOrOptions === 'object') {
+            options = userIdOrOptions;
+        }
+        else {
+            options = {
+                userId: userIdOrOptions,
+                encryptionKey,
+                detectGit: detectGit ?? true,
+                globalMode: false,
+            };
+        }
+        this.globalMode = options.globalMode ?? false;
         // Use provided key or generate from machine ID + user
-        this.encryptionKey = encryptionKey || this.getDefaultEncryptionKey();
-        // Auto-detect git repo context
-        if (detectGit) {
+        this.encryptionKey = options.encryptionKey || this.getDefaultEncryptionKey();
+        // Auto-detect git repo context (skip if in global mode)
+        if (!this.globalMode && (options.detectGit ?? true)) {
             this.gitInfo = getGitRepoInfo();
         }
     }
+    /**
+     * Check if running in global mode
+     */
+    isGlobalMode() {
+        return this.globalMode;
+    }
+    /**
+     * Get the home directory path
+     */
+    getHomeDir() {
+        return this.homeDir;
+    }
+    /**
+     * Resolve file path - in global mode, resolves relative to $HOME
+     */
+    resolveFilePath(filePath) {
+        if (this.globalMode && !path.isAbsolute(filePath)) {
+            return path.join(this.homeDir, filePath);
+        }
+        return filePath;
+    }
     /**
      * Cleanup resources (stop timers, close connections)
      * Call this when done to allow process to exit
@@ -430,8 +468,13 @@ export class SecretsManager {
     /**
      * Get the default environment name based on context
      * v2.0: In git repo, default is repo name; otherwise 'dev'
+     * Global mode: always returns 'dev' (which resolves to 'global' namespace)
      */
     getDefaultEnvironment() {
+        // Global mode uses simple 'dev' which maps to 'global' namespace
+        if (this.globalMode) {
+            return 'dev';
+        }
         // Check for v1 compatibility mode
         if (process.env.LSH_V1_COMPAT === 'true') {
             return 'dev'; // v1.x behavior
@@ -447,11 +490,19 @@ export class SecretsManager {
      * v2.0: Returns environment name with repo context if in a git repo
      *
      * Behavior:
+     * - Global mode: returns 'global' or 'global_env' (e.g., global_staging)
      * - Empty env in repo: returns just repo name (v2.0 default)
      * - Named env in repo: returns repo_env (e.g., repo_staging)
      * - Any env outside repo: returns env as-is
      */
     getRepoAwareEnvironment(environment) {
+        // Global mode uses 'global' namespace
+        if (this.globalMode) {
+            if (environment === '' || environment === 'default' || environment === 'dev') {
+                return 'global';
+            }
+            return `global_${environment}`;
+        }
         if (this.gitInfo?.repoName) {
             // v2.0: Empty environment means "use repo name only"
             if (environment === '' || environment === 'default') {
@@ -610,8 +661,14 @@ LSH_SECRETS_KEY=${this.encryptionKey}
             // In load mode, suppress all output except the final export commands
             const out = loadMode ? () => { } : console.log;
             out(`\n🔍 Smart sync for: ${displayEnv}\n`);
-            // Show git repo context if detected
-            if (this.gitInfo?.isGitRepo) {
+            // Show workspace context
+            if (this.globalMode) {
+                out('🌐 Global Workspace:');
+                out(`   Location: ${this.homeDir}`);
+                out(`   Namespace: global`);
+                out();
+            }
+            else if (this.gitInfo?.isGitRepo) {
                 out('📁 Git Repository:');
                 out(`   Repo: ${this.gitInfo.repoName || 'unknown'}`);
                 if (this.gitInfo.currentBranch) {

package/dist/lib/supabase-client.js

@@ -4,7 +4,6 @@
  */
 import { createClient } from '@supabase/supabase-js';
 export class SupabaseClient {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
     client;
     config;
     constructor(config) {
@@ -32,7 +31,7 @@ export class SupabaseClient {
      */
     async testConnection() {
         try {
-            const { _data, error } = await this.client
+            const { error } = await this.client
                 .from('shell_history')
                 .select('count')
                 .limit(1);