lsh-framework 3.1.1 → 3.1.3

package/dist/commands/config.js

@@ -5,11 +5,12 @@
 import { spawn } from 'child_process';
 import { getConfigManager, loadGlobalConfig } from '../lib/config-manager.js';
 import * as fs from 'fs/promises';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Get user's preferred editor
  */
 function getEditor() {
-    return process.env.VISUAL || process.env.EDITOR || 'vi';
+    return process.env[ENV_VARS.VISUAL] || process.env[ENV_VARS.EDITOR] || 'vi';
 }
 /**
  * Open config file in user's editor

package/dist/commands/self.js

@@ -9,6 +9,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import chalk from 'chalk';
 import { fileURLToPath } from 'url';
+import { ENV_VARS } from '../constants/index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 const selfCommand = new Command('self');
@@ -300,9 +301,9 @@ selfCommand
     console.log();
     // Environment
     console.log(chalk.yellow('Environment:'));
-    console.log('  NODE_ENV:', process.env.NODE_ENV || 'not set');
-    console.log('  HOME:', process.env.HOME || 'not set');
-    console.log('  USER:', process.env.USER || 'not set');
+    console.log('  NODE_ENV:', process.env[ENV_VARS.NODE_ENV] || 'not set');
+    console.log('  HOME:', process.env[ENV_VARS.HOME] || 'not set');
+    console.log('  USER:', process.env[ENV_VARS.USER] || 'not set');
     console.log();
     // Configuration
     const envFile = path.join(process.cwd(), '.env');

package/dist/constants/api.js

@@ -7,7 +7,7 @@ export const ENDPOINTS = {
     // Health and status
     HEALTH: '/health',
     ROOT: '/',
-    // Authentication
+    // Authentication (legacy)
     AUTH: '/api/auth',
     AUTH_REGISTER: '/auth/register',
     AUTH_LOGIN: '/auth/login',
@@ -48,6 +48,39 @@ export const ENDPOINTS = {
     API_ANALYTICS_PREDICTIONS: '/api/analytics/predictions',
     API_ANALYTICS_COSTS: '/api/analytics/costs',
     API_ANALYTICS_BOTTLENECKS: '/api/analytics/bottlenecks',
+    // SaaS API v1 - Authentication
+    API_V1_AUTH_SIGNUP: '/api/v1/auth/signup',
+    API_V1_AUTH_LOGIN: '/api/v1/auth/login',
+    API_V1_AUTH_VERIFY_EMAIL: '/api/v1/auth/verify-email',
+    API_V1_AUTH_RESEND_VERIFICATION: '/api/v1/auth/resend-verification',
+    API_V1_AUTH_REFRESH: '/api/v1/auth/refresh',
+    API_V1_AUTH_ME: '/api/v1/auth/me',
+    // SaaS API v1 - Organizations
+    API_V1_ORGANIZATIONS: '/api/v1/organizations',
+    API_V1_ORGANIZATION: '/api/v1/organizations/:organizationId',
+    API_V1_ORGANIZATION_MEMBERS: '/api/v1/organizations/:organizationId/members',
+    API_V1_ORGANIZATION_TEAMS: '/api/v1/organizations/:organizationId/teams',
+    API_V1_ORGANIZATION_AUDIT: '/api/v1/organizations/:organizationId/audit',
+    API_V1_ORGANIZATION_BILLING_SUBSCRIPTION: '/api/v1/organizations/:organizationId/billing/subscription',
+    API_V1_ORGANIZATION_BILLING_CHECKOUT: '/api/v1/organizations/:organizationId/billing/checkout',
+    // SaaS API v1 - Teams
+    API_V1_TEAM_SECRETS: '/api/v1/teams/:teamId/secrets',
+    API_V1_TEAM_SECRET: '/api/v1/teams/:teamId/secrets/:secretId',
+    API_V1_TEAM_SECRET_RETRIEVE: '/api/v1/teams/:teamId/secrets/:secretId/retrieve',
+    API_V1_TEAM_SECRETS_EXPORT: '/api/v1/teams/:teamId/secrets/export/env',
+    API_V1_TEAM_SECRETS_IMPORT: '/api/v1/teams/:teamId/secrets/import/env',
+    // SaaS API v1 - Webhooks
+    API_V1_WEBHOOKS_STRIPE: '/api/v1/webhooks/stripe',
+    API_V1_BILLING_WEBHOOKS: '/api/v1/billing/webhooks',
+    API_V1_ORGANIZATION_AUDIT_LOGS: '/api/v1/organizations/:organizationId/audit-logs',
+    // API Info/Documentation (patterns)
+    API_V1_ROOT: '/api/v1',
+    API_V1_AUTH_WILDCARD: '/api/v1/auth/*',
+    API_V1_ORGANIZATIONS_WILDCARD: '/api/v1/organizations/*',
+    API_V1_ORG_TEAMS_WILDCARD: '/api/v1/organizations/:id/teams/*',
+    API_V1_TEAMS_SECRETS_WILDCARD: '/api/v1/teams/:id/secrets/*',
+    API_V1_ORG_BILLING_WILDCARD: '/api/v1/organizations/:id/billing/*',
+    API_V1_ORG_AUDIT_LOGS: '/api/v1/organizations/:id/audit-logs',
 };
 export const HTTP_HEADERS = {
     // Standard headers

package/dist/constants/config.js

@@ -8,14 +8,37 @@ export const ENV_VARS = {
     NODE_ENV: 'NODE_ENV',
     USER: 'USER',
     HOSTNAME: 'HOSTNAME',
+    HOME: 'HOME',
+    SHELL: 'SHELL',
+    EDITOR: 'EDITOR',
+    VISUAL: 'VISUAL',
+    // Platform-specific
+    USERPROFILE: 'USERPROFILE',
+    APPDATA: 'APPDATA',
+    LOCALAPPDATA: 'LOCALAPPDATA',
+    COMSPEC: 'COMSPEC',
     // LSH API configuration
     LSH_API_ENABLED: 'LSH_API_ENABLED',
     LSH_API_PORT: 'LSH_API_PORT',
     LSH_API_KEY: 'LSH_API_KEY',
     LSH_JWT_SECRET: 'LSH_JWT_SECRET',
     LSH_ALLOW_DANGEROUS_COMMANDS: 'LSH_ALLOW_DANGEROUS_COMMANDS',
+    // LSH SaaS API
+    LSH_SAAS_API_PORT: 'LSH_SAAS_API_PORT',
+    LSH_SAAS_API_HOST: 'LSH_SAAS_API_HOST',
+    LSH_CORS_ORIGINS: 'LSH_CORS_ORIGINS',
     // Secrets management
     LSH_SECRETS_KEY: 'LSH_SECRETS_KEY',
+    LSH_MASTER_KEY: 'LSH_MASTER_KEY',
+    // Feature flags
+    LSH_LOCAL_STORAGE_QUIET: 'LSH_LOCAL_STORAGE_QUIET',
+    LSH_V1_COMPAT: 'LSH_V1_COMPAT',
+    LSH_STORACHA_ENABLED: 'LSH_STORACHA_ENABLED',
+    DISABLE_IPFS_SYNC: 'DISABLE_IPFS_SYNC',
+    // Logging
+    LSH_LOG_LEVEL: 'LSH_LOG_LEVEL',
+    LSH_LOG_FORMAT: 'LSH_LOG_FORMAT',
+    NO_COLOR: 'NO_COLOR',
     // Webhooks
     LSH_ENABLE_WEBHOOKS: 'LSH_ENABLE_WEBHOOKS',
     WEBHOOK_PORT: 'WEBHOOK_PORT',
@@ -29,28 +52,72 @@ export const ENV_VARS = {
     REDIS_URL: 'REDIS_URL',
     // Monitoring
     MONITORING_API_PORT: 'MONITORING_API_PORT',
+    // Stripe billing
+    STRIPE_SECRET_KEY: 'STRIPE_SECRET_KEY',
+    STRIPE_WEBHOOK_SECRET: 'STRIPE_WEBHOOK_SECRET',
+    STRIPE_PRICE_PRO_MONTHLY: 'STRIPE_PRICE_PRO_MONTHLY',
+    STRIPE_PRICE_PRO_YEARLY: 'STRIPE_PRICE_PRO_YEARLY',
+    STRIPE_PRICE_ENTERPRISE_MONTHLY: 'STRIPE_PRICE_ENTERPRISE_MONTHLY',
+    STRIPE_PRICE_ENTERPRISE_YEARLY: 'STRIPE_PRICE_ENTERPRISE_YEARLY',
+    // Email (Resend)
+    RESEND_API_KEY: 'RESEND_API_KEY',
+    EMAIL_FROM: 'EMAIL_FROM',
+    BASE_URL: 'BASE_URL',
 };
 export const DEFAULTS = {
     // Version
     VERSION: '0.5.1',
     // Ports
     API_PORT: 3030,
+    SAAS_API_PORT: 3031,
     WEBHOOK_PORT: 3033,
     MONITORING_API_PORT: 3031,
+    MONITORING_PORT: 3000,
+    // Hosts
+    DEFAULT_HOST: '0.0.0.0',
+    DEFAULT_CORS_ORIGINS: ['*'],
     // URLs
     REDIS_URL: 'redis://localhost:6379',
     DATABASE_URL: 'postgresql://localhost:5432/cicd',
-    // Timeouts and intervals
+    STRIPE_API_URL: 'https://api.stripe.com/v1',
+    RESEND_API_URL: 'https://api.resend.com/emails',
+    LSH_APP_URL: 'https://app.lsh.dev',
+    LSH_DOCS_URL: 'https://docs.lsh.dev',
+    KUBO_RELEASES_URL: 'https://api.github.com/repos/ipfs/kubo/releases/latest',
+    // Email defaults
+    DEFAULT_EMAIL_FROM: 'noreply@lsh.dev',
+    // Timeouts and intervals (in milliseconds)
     CHECK_INTERVAL_MS: 2000,
     REQUEST_TIMEOUT_MS: 10000,
+    DAEMON_RESTART_DELAY_MS: 1000,
+    JOB_TIMEOUT_1H_MS: 3600000,
+    JOB_TIMEOUT_5M_MS: 300000,
+    JOB_TIMEOUT_1M_MS: 60000,
+    JOB_TIMEOUT_2H_MS: 7200000,
     // Sizes
     MAX_BUFFER_SIZE_BYTES: 1024 * 1024, // 1MB
     MAX_LOG_SIZE_BYTES: 10 * 1024 * 1024, // 10MB
     MAX_COMMAND_LENGTH: 10000,
+    SOCKET_BUFFER_SIZE: 1024,
+    MAX_EVENTS_LIMIT: 100,
+    // History limits
+    MAX_HISTORY_SIZE: 10000,
+    HISTORY_SAVE_INTERVAL_MS: 30000,
     // Limits
     MAX_COMMAND_CHAINS: 5,
     MAX_PIPE_USAGE: 3,
     // Cache and retention
     REDIS_CACHE_EXPIRY_SECONDS: 3600, // 1 hour
     METRICS_RETENTION_SECONDS: 30 * 24 * 60 * 60, // 30 days
+    // Cloud sync intervals
+    CLOUD_CONFIG_SYNC_INTERVAL_MS: 60000, // 1 minute
+    HISTORY_SYNC_INTERVAL_MS: 30000, // 30 seconds
+    // Job registry
+    MAX_RECORDS_PER_JOB: 1000,
+    MAX_TOTAL_RECORDS: 50000,
+    METRICS_RETENTION_DAYS: 90,
+    // Shell defaults
+    DEFAULT_SHELL_UNIX: '/bin/sh',
+    DEFAULT_SHELL_WIN: 'cmd.exe',
+    DEFAULT_EDITOR: 'vi',
 };

package/dist/constants/database.js

@@ -14,8 +14,38 @@ export const TABLES = {
     SHELL_COMPLETIONS: 'shell_completions',
     // CI/CD tables
     PIPELINE_EVENTS: 'pipeline_events',
+    // SaaS tables - Users and Authentication
+    USERS: 'users',
+    USER_SESSIONS: 'user_sessions',
+    // SaaS tables - Organizations and Teams
+    ORGANIZATIONS: 'organizations',
+    ORGANIZATION_MEMBERS: 'organization_members',
+    TEAMS: 'teams',
+    TEAM_MEMBERS: 'team_members',
+    // SaaS tables - Secrets
+    SECRETS: 'secrets',
+    SECRET_ACCESS_LOGS: 'secret_access_logs',
+    SECRET_VERSIONS: 'secret_versions',
+    // SaaS tables - Audit
+    AUDIT_LOGS: 'audit_logs',
+    // SaaS tables - Billing
+    SUBSCRIPTIONS: 'subscriptions',
+    INVOICES: 'invoices',
+    // SaaS tables - Encryption
+    ENCRYPTION_KEYS: 'encryption_keys',
+    // LSH Secrets (legacy name)
+    LSH_SECRETS: 'lsh_secrets',
     // Trading/ML tables (legacy)
     TRADING_DISCLOSURES: 'trading_disclosures',
     POLITICIANS: 'politicians',
     DATA_PULL_JOBS: 'data_pull_jobs',
+    // ML tables
+    ML_TRAINING_JOBS: 'ml_training_jobs',
+    ML_MODELS: 'ml_models',
+    ML_FEATURES: 'ml_features',
+    // Views (read-only aggregations)
+    ORGANIZATION_MEMBERS_DETAILED: 'organization_members_detailed',
+    ORGANIZATION_USAGE_SUMMARY: 'organization_usage_summary',
+    TEAM_MEMBERS_DETAILED: 'team_members_detailed',
+    SECRETS_SUMMARY: 'secrets_summary',
 };

package/dist/constants/errors.js

@@ -77,3 +77,27 @@ export const RISK_LEVELS = {
     MEDIUM: 'medium',
     LOW: 'low',
 };
+/**
+ * API Error Codes
+ *
+ * Standard error codes used across the SaaS API and services.
+ */
+export const ERROR_CODES = {
+    // Authentication errors
+    UNAUTHORIZED: 'UNAUTHORIZED',
+    INVALID_CREDENTIALS: 'INVALID_CREDENTIALS',
+    INVALID_TOKEN: 'INVALID_TOKEN',
+    EMAIL_NOT_VERIFIED: 'EMAIL_NOT_VERIFIED',
+    EMAIL_ALREADY_EXISTS: 'EMAIL_ALREADY_EXISTS',
+    // Authorization errors
+    FORBIDDEN: 'FORBIDDEN',
+    // Validation errors
+    INVALID_INPUT: 'INVALID_INPUT',
+    NOT_FOUND: 'NOT_FOUND',
+    ALREADY_EXISTS: 'ALREADY_EXISTS',
+    // Payment errors
+    PAYMENT_REQUIRED: 'PAYMENT_REQUIRED',
+    TIER_LIMIT_EXCEEDED: 'TIER_LIMIT_EXCEEDED',
+    // Server errors
+    INTERNAL_ERROR: 'INTERNAL_ERROR',
+};

package/dist/constants/paths.js

@@ -17,6 +17,9 @@ export const PATHS = {
     DAEMON_JOBS_FILE_TEMPLATE: '/tmp/lsh-daemon-jobs-${USER}.json',
     // Job persistence
     DEFAULT_JOBS_PERSISTENCE_FILE: '/tmp/lsh-jobs.json',
+    // Job registry files
+    JOB_REGISTRY_FILE: '/tmp/lsh-job-registry.json',
+    JOB_LOGS_DIR: '/tmp/lsh-job-logs',
 };
 export const PREFIXES = {
     SESSION_ID: 'lsh_',

package/dist/constants/ui.js

@@ -71,3 +71,83 @@ export const LOG_LEVELS = {
     ERROR: 'ERROR',
     DEBUG: 'DEBUG',
 };
+/**
+ * Emoji prefixes for consistent UI output
+ */
+export const EMOJI = {
+    SUCCESS: '✅',
+    ERROR: '❌',
+    WARNING: '⚠️',
+    INFO: 'ℹ️',
+    TIP: '💡',
+    KEY: '🔑',
+    FILE: '📄',
+    FOLDER: '📁',
+    LIST: '📋',
+    SEARCH: '🔍',
+    LOCATION: '📍',
+    UP: '⬆️',
+    DOWN: '⬇️',
+    CALENDAR: '📅',
+    GEAR: '⚙️',
+};
+/**
+ * Status messages with emoji
+ */
+export const STATUS_MESSAGES = {
+    // Success messages
+    SUCCESS: '✅',
+    SUCCESS_GENERIC: '✅ Success',
+    CONNECTION_SUCCESS: '✅ Connection successful!',
+    CONFIG_SAVED: '✅ Configuration saved',
+    SECRETS_PULLED: '✅ Secrets pulled successfully!',
+    IPFS_INSTALLED: '✅ IPFS client installed',
+    // Error messages
+    ERROR: '❌',
+    ERROR_GENERIC: '❌ Error',
+    CONNECTION_FAILED: '❌ Connection failed',
+    CONFIG_SAVE_FAILED: '❌ Failed to save configuration',
+    PULL_FAILED: '❌ Failed to pull secrets',
+    // Warning messages
+    WARNING: '⚠️',
+    WARNING_GENERIC: '⚠️ Warning',
+    IPFS_NOT_INSTALLED: '⚠️  IPFS client not installed',
+    NOT_GIT_REPO: 'ℹ️  Not in a git repository',
+    // Info messages
+    INFO: 'ℹ️',
+    RECOMMENDATIONS: '💡 Recommendations:',
+    CURRENT_REPO: '📁 Current Repository:',
+};
+/**
+ * Doctor/diagnostic messages
+ */
+export const DOCTOR_MESSAGES = {
+    CHECKING: '🔍 Checking:',
+    ALL_PASSED: '✅ All checks passed!',
+    ISSUES_FOUND: '❌ Issues found',
+    RECOMMENDATIONS: '💡 Recommendations:',
+};
+/**
+ * Init/setup messages
+ */
+export const INIT_MESSAGES = {
+    WELCOME: '🚀 Welcome to LSH Setup',
+    STEP_COMPLETE: '✅ Step complete',
+    SETUP_COMPLETE: '✅ Setup complete!',
+    CONNECTION_TEST_SKIPPED: '⚠️  Connection test skipped. Run "lsh doctor" after setup to verify.',
+};
+/**
+ * Migration messages
+ */
+export const MIGRATION_MESSAGES = {
+    SCANNING: '🔍 Scanning for Firebase references...',
+    MIGRATING: '🔄 Migrating...',
+    COMPLETE: '✅ Migration complete',
+    NO_CHANGES: 'ℹ️  No changes needed',
+};
+/**
+ * Deprecation warnings
+ */
+export const DEPRECATION_WARNINGS = {
+    LIB_COMMANDS: '\x1b[33m⚠️  WARNING: "lsh lib" commands are deprecated as of v1.0.0\x1b[0m',
+};

package/dist/daemon/job-registry.js

@@ -11,6 +11,7 @@ import * as os from 'os';
 import { exec } from 'child_process';
 import { BaseJobManager } from '../lib/base-job-manager.js';
 import MemoryJobStorage from '../lib/job-storage-memory.js';
+import { ENV_VARS, DEFAULTS, PATHS } from '../constants/index.js';
 export class JobRegistry extends BaseJobManager {
     config;
     records = new Map(); // jobId -> execution records
@@ -19,12 +20,12 @@ export class JobRegistry extends BaseJobManager {
     constructor(config) {
         super(new MemoryJobStorage(), 'JobRegistry');
         this.config = {
-            registryFile: '/tmp/lsh-job-registry.json',
-            maxRecordsPerJob: 1000,
-            maxTotalRecords: 50000,
+            registryFile: PATHS.JOB_REGISTRY_FILE,
+            maxRecordsPerJob: DEFAULTS.MAX_RECORDS_PER_JOB,
+            maxTotalRecords: DEFAULTS.MAX_TOTAL_RECORDS,
             compressionEnabled: true,
-            metricsRetentionDays: 90,
-            outputLogDir: '/tmp/lsh-job-logs',
+            metricsRetentionDays: DEFAULTS.METRICS_RETENTION_DAYS,
+            outputLogDir: PATHS.JOB_LOGS_DIR,
             indexingEnabled: true,
             ...config
         };
@@ -47,7 +48,7 @@ export class JobRegistry extends BaseJobManager {
             outputSize: 0,
             environment: { ...(job.env || {}) },
             workingDirectory: job.cwd || process.cwd(),
-            user: job.user || process.env.USER || 'unknown',
+            user: job.user || process.env[ENV_VARS.USER] || 'unknown',
             hostname: os.hostname(),
             tags: [...(job.tags || [])],
             priority: job.priority || 5,

package/dist/daemon/lshd.js

@@ -14,6 +14,7 @@ import { validateCommand } from '../lib/command-validator.js';
 import { validateEnvironment, printValidationResults } from '../lib/env-validator.js';
 import { createLogger } from '../lib/logger.js';
 import { getPlatformPaths } from '../lib/platform-utils.js';
+import { ENV_VARS, DEFAULTS, ERRORS } from '../constants/index.js';
 const execAsync = promisify(exec);
 export class LSHJobDaemon extends EventEmitter {
     config;
@@ -34,13 +35,13 @@ export class LSHJobDaemon extends EventEmitter {
             logFile: platformPaths.logFile,
             jobsFile: jobsFilePath,
             socketPath: platformPaths.socketPath,
-            checkInterval: 2000, // 2 seconds for better cron accuracy
-            maxLogSize: 10 * 1024 * 1024, // 10MB
+            checkInterval: DEFAULTS.CHECK_INTERVAL_MS,
+            maxLogSize: DEFAULTS.MAX_LOG_SIZE_BYTES,
             autoRestart: true,
-            apiEnabled: process.env.LSH_API_ENABLED === 'true' || false,
-            apiPort: parseInt(process.env.LSH_API_PORT || '3030'),
-            apiKey: process.env.LSH_API_KEY,
-            enableWebhooks: process.env.LSH_ENABLE_WEBHOOKS === 'true',
+            apiEnabled: process.env[ENV_VARS.LSH_API_ENABLED] === 'true' || false,
+            apiPort: parseInt(process.env[ENV_VARS.LSH_API_PORT] || String(DEFAULTS.API_PORT)),
+            apiKey: process.env[ENV_VARS.LSH_API_KEY],
+            enableWebhooks: process.env[ENV_VARS.LSH_ENABLE_WEBHOOKS] === 'true',
             ...config
         };
         this.jobManager = new JobManager(this.config.jobsFile);
@@ -62,9 +63,9 @@ export class LSHJobDaemon extends EventEmitter {
             printValidationResults(envValidation, false);
         }
         // Fail fast in production if validation fails
-        if (!envValidation.isValid && process.env.NODE_ENV === 'production') {
+        if (!envValidation.isValid && process.env[ENV_VARS.NODE_ENV] === 'production') {
             this.log('ERROR', 'Environment validation failed in production');
-            throw new Error('Invalid environment configuration. Check logs for details.');
+            throw new Error(ERRORS.INVALID_ENV_CONFIG);
         }
         // Log warnings even in development
         if (envValidation.warnings.length > 0) {
@@ -124,7 +125,7 @@ export class LSHJobDaemon extends EventEmitter {
      */
     async restart() {
         await this.stop();
-        await new Promise(resolve => setTimeout(resolve, 1000)); // Wait 1 second
+        await new Promise(resolve => setTimeout(resolve, DEFAULTS.DAEMON_RESTART_DELAY_MS));
         await this.start();
     }
     /**
@@ -181,8 +182,8 @@ export class LSHJobDaemon extends EventEmitter {
             }
             // Validate command for security issues
             const validation = validateCommand(job.command, {
-                allowDangerousCommands: process.env.LSH_ALLOW_DANGEROUS_COMMANDS === 'true',
-                maxLength: 10000
+                allowDangerousCommands: process.env[ENV_VARS.LSH_ALLOW_DANGEROUS_COMMANDS] === 'true',
+                maxLength: DEFAULTS.MAX_COMMAND_LENGTH
             });
             if (!validation.isValid) {
                 const errorMsg = `Command validation failed: ${validation.errors.join(', ')}`;
@@ -298,8 +299,7 @@ export class LSHJobDaemon extends EventEmitter {
                 return sanitizedJobs.slice(0, limit);
             }
             // Default limit to prevent oversized responses
-            const defaultLimit = 100;
-            return sanitizedJobs.slice(0, defaultLimit);
+            return sanitizedJobs.slice(0, DEFAULTS.MAX_EVENTS_LIMIT);
         }
         catch (error) {
             this.log('ERROR', `Failed to list jobs: ${error.message}`);
@@ -736,7 +736,6 @@ const cliLogger = createLogger('LSHDaemonCLI');
 const isMainModule = () => {
     try {
         // Use Function constructor to avoid parse-time errors with import.meta
-        // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
         const getImportMetaUrl = new Function('return import.meta.url');
         const metaUrl = getImportMetaUrl();
         return metaUrl === `file://${process.argv[1]}`;
@@ -774,7 +773,7 @@ if (isMainModule()) {
                     schedule: { interval: 0 }, // Run once
                     env: process.env,
                     cwd: process.cwd(),
-                    user: process.env.USER,
+                    user: process.env[ENV_VARS.USER],
                     priority: 5,
                     tags: ['manual'],
                     maxRetries: 0,

package/dist/daemon/saas-api-server.js

@@ -7,6 +7,8 @@ import cors from 'cors';
 import rateLimit from 'express-rate-limit';
 import { setupSaaSApiRoutes } from './saas-api-routes.js';
 import { getErrorMessage } from '../lib/saas-types.js';
+import { ENV_VARS, DEFAULTS } from '../constants/index.js';
+import { ERROR_CODES } from '../constants/errors.js';
 /**
  * SaaS API Server
  */
@@ -16,11 +18,11 @@ export class SaaSApiServer {
     server;
     constructor(config) {
         this.config = {
-            port: config?.port || parseInt(process.env.LSH_SAAS_API_PORT || '3031'),
-            host: config?.host || process.env.LSH_SAAS_API_HOST || '0.0.0.0',
-            corsOrigins: config?.corsOrigins || (process.env.LSH_CORS_ORIGINS?.split(',') || ['*']),
+            port: config?.port || parseInt(process.env[ENV_VARS.LSH_SAAS_API_PORT] || String(DEFAULTS.SAAS_API_PORT)),
+            host: config?.host || process.env[ENV_VARS.LSH_SAAS_API_HOST] || DEFAULTS.DEFAULT_HOST,
+            corsOrigins: config?.corsOrigins || (process.env[ENV_VARS.LSH_CORS_ORIGINS]?.split(',') || [...DEFAULTS.DEFAULT_CORS_ORIGINS]),
             rateLimitWindowMs: config?.rateLimitWindowMs || 15 * 60 * 1000, // 15 minutes
-            rateLimitMax: config?.rateLimitMax || 100, // Max 100 requests per windowMs
+            rateLimitMax: config?.rateLimitMax || DEFAULTS.MAX_EVENTS_LIMIT, // Max 100 requests per windowMs
         };
         this.app = express();
         this.setupMiddleware();
@@ -113,7 +115,7 @@ export class SaaSApiServer {
             res.status(404).json({
                 success: false,
                 error: {
-                    code: 'NOT_FOUND',
+                    code: ERROR_CODES.NOT_FOUND,
                     message: `Endpoint ${req.method} ${req.path} not found`,
                 },
             });
@@ -127,9 +129,9 @@ export class SaaSApiServer {
         const errorHandler = (err, _req, res, _next) => {
             console.error('API Error:', err);
             // Don't leak error details in production
-            const isDev = process.env.NODE_ENV !== 'production';
+            const isDev = process.env[ENV_VARS.NODE_ENV] !== 'production';
             const statusCode = err.status || 500;
-            const errorCode = err.code || 'INTERNAL_ERROR';
+            const errorCode = err.code || ERROR_CODES.INTERNAL_ERROR;
             res.status(statusCode).json({
                 success: false,
                 error: {

package/dist/lib/base-job-manager.js

@@ -11,6 +11,7 @@
  */
 import { EventEmitter } from 'events';
 import { createLogger } from './logger.js';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Abstract base class for job managers
  */
@@ -54,7 +55,7 @@ export class BaseJobManager extends EventEmitter {
             createdAt: new Date(),
             env: spec.env,
             cwd: spec.cwd || process.cwd(),
-            user: spec.user || process.env.USER,
+            user: spec.user || process.env[ENV_VARS.USER],
             schedule: spec.schedule,
             tags: spec.tags || [],
             description: spec.description,

package/dist/lib/cloud-config-manager.js

@@ -6,6 +6,7 @@ import DatabasePersistence from './database-persistence.js';
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
+import { DEFAULTS } from '../constants/index.js';
 export class CloudConfigManager {
     databasePersistence;
     options;
@@ -17,7 +18,7 @@ export class CloudConfigManager {
             userId: undefined,
             enableCloudSync: true,
             localConfigPath: path.join(os.homedir(), '.lshrc'),
-            syncInterval: 60000, // 1 minute
+            syncInterval: DEFAULTS.CLOUD_CONFIG_SYNC_INTERVAL_MS,
             ...options,
         };
         this.databasePersistence = new DatabasePersistence(this.options.userId);

package/dist/lib/cron-job-manager.js

@@ -8,6 +8,7 @@ import { BaseJobManager, } from './base-job-manager.js';
 import DatabaseJobStorage from './job-storage-database.js';
 import DaemonClient from './daemon-client.js';
 import DatabasePersistence from './database-persistence.js';
+import { DEFAULTS } from '../constants/index.js';
 export class CronJobManager extends BaseJobManager {
     daemonClient;
     databasePersistence;
@@ -36,7 +37,7 @@ export class CronJobManager extends BaseJobManager {
                 workingDirectory: '/backups',
                 priority: 8,
                 maxRetries: 3,
-                timeout: 3600000, // 1 hour
+                timeout: DEFAULTS.JOB_TIMEOUT_1H_MS,
             },
             {
                 id: 'log-cleanup',
@@ -48,7 +49,7 @@ export class CronJobManager extends BaseJobManager {
                 tags: ['logs', 'cleanup', 'weekly'],
                 priority: 3,
                 maxRetries: 2,
-                timeout: 300000, // 5 minutes
+                timeout: DEFAULTS.JOB_TIMEOUT_5M_MS,
             },
             {
                 id: 'disk-monitor',
@@ -60,7 +61,7 @@ export class CronJobManager extends BaseJobManager {
                 tags: ['monitoring', 'disk', 'alert'],
                 priority: 7,
                 maxRetries: 1,
-                timeout: 60000, // 1 minute
+                timeout: DEFAULTS.JOB_TIMEOUT_1M_MS,
             },
             {
                 id: 'data-sync',
@@ -73,7 +74,7 @@ export class CronJobManager extends BaseJobManager {
                 workingDirectory: '/data',
                 priority: 6,
                 maxRetries: 5,
-                timeout: 7200000, // 2 hours
+                timeout: DEFAULTS.JOB_TIMEOUT_2H_MS,
             },
         ];
         templates.forEach(template => {

package/dist/lib/daemon-client.js

@@ -8,6 +8,7 @@ import { EventEmitter } from 'events';
 import DatabasePersistence from './database-persistence.js';
 import { createLogger } from './logger.js';
 import { getPlatformPaths } from './platform-utils.js';
+import { ENV_VARS, DEFAULTS } from '../constants/index.js';
 export class DaemonClient extends EventEmitter {
     socketPath;
     socket;
@@ -66,7 +67,7 @@ export class DaemonClient extends EventEmitter {
                 resolve(true);
             });
             let buffer = '';
-            const MAX_BUFFER_SIZE = 1024 * 1024; // 1MB limit
+            const MAX_BUFFER_SIZE = DEFAULTS.MAX_BUFFER_SIZE_BYTES;
             this.socket.on('data', (data) => {
                 try {
                     buffer += data.toString();
@@ -253,7 +254,7 @@ export class DaemonClient extends EventEmitter {
             schedule: jobSpec.schedule,
             env: jobSpec.environment || {},
             cwd: jobSpec.workingDirectory || process.cwd(),
-            user: jobSpec.user || process.env.USER,
+            user: jobSpec.user || process.env[ENV_VARS.USER],
             priority: jobSpec.priority || 0,
             tags: jobSpec.tags || [],
             enabled: jobSpec.enabled !== false,

package/dist/lib/database-persistence.js

@@ -5,6 +5,7 @@
 import { supabaseClient, isSupabaseConfigured } from './supabase-client.js';
 import * as os from 'os';
 import { LocalStorageAdapter } from './local-storage-adapter.js';
+import { ENV_VARS } from '../constants/index.js';
 export class DatabasePersistence {
     client;
     localStorage;
@@ -16,7 +17,7 @@ export class DatabasePersistence {
         if (this.useLocalStorage) {
             // Using local storage is normal when Supabase is not configured
             // Only show this message once per session to avoid noise
-            if (!process.env.LSH_LOCAL_STORAGE_QUIET) {
+            if (!process.env[ENV_VARS.LSH_LOCAL_STORAGE_QUIET]) {
                 console.log('ℹ️  Using local storage (Supabase not configured)');
             }
             this.localStorage = new LocalStorageAdapter(userId);

package/dist/lib/enhanced-history-system.js

@@ -6,6 +6,7 @@ import HistorySystem from './history-system.js';
 import DatabasePersistence from './database-persistence.js';
 import * as os from 'os';
 import * as path from 'path';
+import { DEFAULTS } from '../constants/index.js';
 export class EnhancedHistorySystem extends HistorySystem {
     databasePersistence;
     enhancedConfig;
@@ -13,7 +14,7 @@ export class EnhancedHistorySystem extends HistorySystem {
     pendingSync = false;
     constructor(config = {}) {
         const defaultConfig = {
-            maxSize: 10000,
+            maxSize: DEFAULTS.MAX_HISTORY_SIZE,
             filePath: path.join(os.homedir(), '.lsh_history'),
             shareHistory: true,
             ignoreDups: true,
@@ -21,7 +22,7 @@ export class EnhancedHistorySystem extends HistorySystem {
             expireDuplicatesFirst: true,
             enableCloudSync: true,
             userId: undefined,
-            syncInterval: 30000, // 30 seconds
+            syncInterval: DEFAULTS.HISTORY_SYNC_INTERVAL_MS,
             ...config,
         };
         super(defaultConfig);

package/dist/lib/history-system.js

@@ -5,6 +5,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
+import { DEFAULTS } from '../constants/index.js';
 export class HistorySystem {
     entries = [];
     currentIndex = -1;
@@ -12,7 +13,7 @@ export class HistorySystem {
     isEnabled = true;
     constructor(config) {
         this.config = {
-            maxSize: 10000,
+            maxSize: DEFAULTS.MAX_HISTORY_SIZE,
             filePath: path.join(os.homedir(), '.lsh_history'),
             shareHistory: false,
             ignoreDups: true,

package/dist/lib/ipfs-secrets-storage.js

@@ -8,6 +8,7 @@ import * as os from 'os';
 import * as crypto from 'crypto';
 import { createLogger } from './logger.js';
 import { getStorachaClient } from './storacha-client.js';
+import { ENV_VARS } from '../constants/index.js';
 const logger = createLogger('IPFSSecretsStorage');
 /**
  * IPFS Secrets Storage
@@ -25,7 +26,7 @@ export class IPFSSecretsStorage {
     metadataPath;
     metadata;
     constructor() {
-        const homeDir = process.env.HOME || os.homedir();
+        const homeDir = process.env[ENV_VARS.HOME] || os.homedir();
         const lshDir = path.join(homeDir, '.lsh');
         this.cacheDir = path.join(lshDir, 'secrets-cache');
         this.metadataPath = path.join(lshDir, 'secrets-metadata.json');

package/dist/lib/ipfs-sync-logger.js

@@ -7,6 +7,7 @@ import * as path from 'path';
 import * as os from 'os';
 import * as crypto from 'crypto';
 import { getGitRepoInfo } from './git-utils.js';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * IPFS Sync Logger
  *
@@ -36,7 +37,7 @@ export class IPFSSyncLogger {
      * Check if IPFS sync is enabled
      */
     isEnabled() {
-        return process.env.DISABLE_IPFS_SYNC !== 'true';
+        return process.env[ENV_VARS.DISABLE_IPFS_SYNC] !== 'true';
     }
     /**
      * Record a sync operation to IPFS
@@ -195,7 +196,7 @@ export class IPFSSyncLogger {
      * Get encryption key fingerprint
      */
     getKeyFingerprint() {
-        const key = process.env.LSH_SECRETS_KEY || 'default';
+        const key = process.env[ENV_VARS.LSH_SECRETS_KEY] || 'default';
         return `sha256:${crypto.createHash('sha256').update(key).digest('hex').substring(0, 16)}`;
     }
     /**

package/dist/lib/logger.js

@@ -3,6 +3,7 @@
  * Centralized logging utility with support for different log levels,
  * structured logging, and environment-based configuration.
  */
+import { ENV_VARS } from '../constants/index.js';
 export var LogLevel;
 (function (LogLevel) {
     LogLevel[LogLevel["DEBUG"] = 0] = "DEBUG";
@@ -41,7 +42,7 @@ const colors = {
  * Get log level from environment variable
  */
 function getLogLevelFromEnv() {
-    const level = process.env.LSH_LOG_LEVEL?.toUpperCase();
+    const level = process.env[ENV_VARS.LSH_LOG_LEVEL]?.toUpperCase();
     switch (level) {
         case 'DEBUG':
             return LogLevel.DEBUG;
@@ -54,7 +55,7 @@ function getLogLevelFromEnv() {
         case 'NONE':
             return LogLevel.NONE;
         default:
-            return process.env.NODE_ENV === 'production' ? LogLevel.INFO : LogLevel.DEBUG;
+            return process.env[ENV_VARS.NODE_ENV] === 'production' ? LogLevel.INFO : LogLevel.DEBUG;
     }
 }
 /**
@@ -66,8 +67,8 @@ export class Logger {
         this.config = {
             level: config?.level ?? getLogLevelFromEnv(),
             enableTimestamp: config?.enableTimestamp ?? true,
-            enableColors: config?.enableColors ?? (!process.env.NO_COLOR && process.stdout.isTTY),
-            enableJSON: config?.enableJSON ?? (process.env.LSH_LOG_FORMAT === 'json'),
+            enableColors: config?.enableColors ?? (!process.env[ENV_VARS.NO_COLOR] && process.stdout.isTTY),
+            enableJSON: config?.enableJSON ?? (process.env[ENV_VARS.LSH_LOG_FORMAT] === 'json'),
             context: config?.context,
         };
     }

package/dist/lib/lsh-config.js

@@ -10,6 +10,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import { logger } from './logger.js';
+import { ENV_VARS } from '../constants/index.js';
 export class LshConfigManager {
     configPath;
     config;
@@ -66,7 +67,7 @@ export class LshConfigManager {
             return this.config.keys[repoName].key;
         }
         // Fall back to environment variables
-        const envKey = process.env.LSH_SECRETS_KEY || process.env.LSH_MASTER_KEY;
+        const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY] || process.env[ENV_VARS.LSH_MASTER_KEY];
         if (envKey) {
             logger.debug(`Using encryption key from environment for ${repoName}`);
             return envKey;

package/dist/lib/lshrc-init.js

@@ -6,13 +6,14 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import { fileURLToPath } from 'url';
+import { ENV_VARS } from '../constants/index.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 export class LshrcManager {
     lshrcPath;
     constructor(lshrcPath) {
-        // Use process.env.HOME if set (for testability), fallback to os.homedir()
-        const homeDir = process.env.HOME || os.homedir();
+        // Use process.env[ENV_VARS.HOME] if set (for testability), fallback to os.homedir()
+        const homeDir = process.env[ENV_VARS.HOME] || os.homedir();
         this.lshrcPath = lshrcPath || path.join(homeDir, '.lshrc');
     }
     /**

package/dist/lib/platform-utils.js

@@ -4,6 +4,7 @@
  */
 import * as path from 'path';
 import * as os from 'os';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Get platform-specific paths
  * Handles differences between Windows, macOS, and Linux
@@ -31,7 +32,7 @@ export function getPlatformPaths(appName = 'lsh') {
     // Linux: ~/.config/lsh
     let configDir;
     if (isWindows) {
-        configDir = path.join(process.env.APPDATA || path.join(homeDir, 'AppData', 'Roaming'), appName);
+        configDir = path.join(process.env[ENV_VARS.APPDATA] || path.join(homeDir, 'AppData', 'Roaming'), appName);
     }
     else if (isMac) {
         configDir = path.join(homeDir, 'Library', 'Application Support', appName);
@@ -45,7 +46,7 @@ export function getPlatformPaths(appName = 'lsh') {
     // Linux: ~/.local/share/lsh
     let dataDir;
     if (isWindows) {
-        dataDir = path.join(process.env.LOCALAPPDATA || path.join(homeDir, 'AppData', 'Local'), appName);
+        dataDir = path.join(process.env[ENV_VARS.LOCALAPPDATA] || path.join(homeDir, 'AppData', 'Local'), appName);
     }
     else if (isMac) {
         dataDir = path.join(homeDir, 'Library', 'Application Support', appName);
@@ -134,9 +135,9 @@ export async function ensureDir(dirPath) {
  */
 export function getDefaultShell() {
     if (isWindows()) {
-        return process.env.COMSPEC || 'cmd.exe';
+        return process.env[ENV_VARS.COMSPEC] || 'cmd.exe';
     }
-    return process.env.SHELL || '/bin/sh';
+    return process.env[ENV_VARS.SHELL] || '/bin/sh';
 }
 /**
  * Get path separator for current platform

package/dist/lib/saas-auth.js

@@ -6,6 +6,7 @@ import { randomBytes } from 'crypto';
 import bcrypt from 'bcrypt';
 import jwt from 'jsonwebtoken';
 import { getSupabaseClient } from './supabase-client.js';
+import { ENV_VARS } from '../constants/index.js';
 const BCRYPT_ROUNDS = 12;
 const TOKEN_EXPIRY = 7 * 24 * 60 * 60; // 7 days in seconds
 const REFRESH_TOKEN_EXPIRY = 30 * 24 * 60 * 60; // 30 days
@@ -32,7 +33,7 @@ export async function verifyPassword(password, hash) {
  * Generate JWT access token
  */
 export function generateAccessToken(userId, email) {
-    const secret = process.env.LSH_JWT_SECRET;
+    const secret = process.env[ENV_VARS.LSH_JWT_SECRET];
     if (!secret) {
         throw new Error('LSH_JWT_SECRET is not set');
     }
@@ -50,7 +51,7 @@ export function generateAccessToken(userId, email) {
  * Generate JWT refresh token
  */
 export function generateRefreshToken(userId) {
-    const secret = process.env.LSH_JWT_SECRET;
+    const secret = process.env[ENV_VARS.LSH_JWT_SECRET];
     if (!secret) {
         throw new Error('LSH_JWT_SECRET is not set');
     }
@@ -67,7 +68,7 @@ export function generateRefreshToken(userId) {
  * Verify and decode JWT token
  */
 export function verifyToken(token) {
-    const secret = process.env.LSH_JWT_SECRET;
+    const secret = process.env[ENV_VARS.LSH_JWT_SECRET];
     if (!secret) {
         throw new Error('LSH_JWT_SECRET is not set');
     }

package/dist/lib/saas-billing.js

@@ -4,22 +4,23 @@
  */
 import { getSupabaseClient } from './supabase-client.js';
 import { auditLogger } from './saas-audit.js';
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Stripe Pricing IDs (set via environment variables)
  */
 export const STRIPE_PRICE_IDS = {
-    pro_monthly: process.env.STRIPE_PRICE_PRO_MONTHLY || '',
-    pro_yearly: process.env.STRIPE_PRICE_PRO_YEARLY || '',
-    enterprise_monthly: process.env.STRIPE_PRICE_ENTERPRISE_MONTHLY || '',
-    enterprise_yearly: process.env.STRIPE_PRICE_ENTERPRISE_YEARLY || '',
+    pro_monthly: process.env[ENV_VARS.STRIPE_PRICE_PRO_MONTHLY] || '',
+    pro_yearly: process.env[ENV_VARS.STRIPE_PRICE_PRO_YEARLY] || '',
+    enterprise_monthly: process.env[ENV_VARS.STRIPE_PRICE_ENTERPRISE_MONTHLY] || '',
+    enterprise_yearly: process.env[ENV_VARS.STRIPE_PRICE_ENTERPRISE_YEARLY] || '',
 };
 /**
  * Billing Service
  */
 export class BillingService {
     supabase = getSupabaseClient();
-    stripeSecretKey = process.env.STRIPE_SECRET_KEY || '';
-    stripeWebhookSecret = process.env.STRIPE_WEBHOOK_SECRET || '';
+    stripeSecretKey = process.env[ENV_VARS.STRIPE_SECRET_KEY] || '';
+    stripeWebhookSecret = process.env[ENV_VARS.STRIPE_WEBHOOK_SECRET] || '';
     stripeApiUrl = 'https://api.stripe.com/v1';
     /**
      * Create Stripe customer

package/dist/lib/saas-email.js

@@ -2,6 +2,7 @@
  * LSH SaaS Email Service
  * Email sending using Resend API
  */
+import { ENV_VARS } from '../constants/index.js';
 /**
  * Email Service
  */
@@ -10,10 +11,10 @@ export class EmailService {
     resendApiUrl = 'https://api.resend.com/emails';
     constructor(config) {
         this.config = {
-            apiKey: config?.apiKey || process.env.RESEND_API_KEY || '',
-            fromEmail: config?.fromEmail || process.env.EMAIL_FROM || 'noreply@lsh.dev',
+            apiKey: config?.apiKey || process.env[ENV_VARS.RESEND_API_KEY] || '',
+            fromEmail: config?.fromEmail || process.env[ENV_VARS.EMAIL_FROM] || 'noreply@lsh.dev',
             fromName: config?.fromName || 'LSH Secrets Manager',
-            baseUrl: config?.baseUrl || process.env.BASE_URL || 'https://app.lsh.dev',
+            baseUrl: config?.baseUrl || process.env[ENV_VARS.BASE_URL] || 'https://app.lsh.dev',
         };
         if (!this.config.apiKey) {
             console.warn('RESEND_API_KEY not set - emails will not be sent');

package/dist/lib/saas-encryption.js

@@ -4,6 +4,7 @@
  */
 import { randomBytes, createCipheriv, createDecipheriv, createHash, pbkdf2Sync } from 'crypto';
 import { getSupabaseClient } from './supabase-client.js';
+import { ENV_VARS } from '../constants/index.js';
 const ALGORITHM = 'aes-256-cbc';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16; // 128 bits
@@ -14,7 +15,7 @@ const PBKDF2_ITERATIONS = 100000;
  * This key is used to encrypt/decrypt team encryption keys
  */
 function getMasterKey() {
-    const masterKeyHex = process.env.LSH_MASTER_KEY || process.env.LSH_SECRETS_KEY;
+    const masterKeyHex = process.env[ENV_VARS.LSH_MASTER_KEY] || process.env[ENV_VARS.LSH_SECRETS_KEY];
     if (!masterKeyHex) {
         throw new Error('LSH_MASTER_KEY or LSH_SECRETS_KEY environment variable must be set for encryption');
     }

package/dist/lib/saas-organizations.js

@@ -4,6 +4,7 @@
  */
 import { getSupabaseClient } from './supabase-client.js';
 import { auditLogger } from './saas-audit.js';
+import { TABLES } from '../constants/index.js';
 /**
  * Generate URL-friendly slug from name
  */
@@ -232,7 +233,7 @@ export class OrganizationService {
      */
     async getOrganizationMembers(organizationId) {
         const { data, error } = await this.supabase
-            .from('organization_members_detailed')
+            .from(TABLES.ORGANIZATION_MEMBERS_DETAILED)
             .select('*')
             .eq('organization_id', organizationId);
         if (error) {
@@ -270,7 +271,7 @@ export class OrganizationService {
      */
     async getUsageSummary(organizationId) {
         const { data, error } = await this.supabase
-            .from('organization_usage_summary')
+            .from(TABLES.ORGANIZATION_USAGE_SUMMARY)
             .select('*')
             .eq('organization_id', organizationId)
             .single();
@@ -550,7 +551,7 @@ export class TeamService {
      */
     async getTeamMembers(teamId) {
         const { data, error } = await this.supabase
-            .from('team_members_detailed')
+            .from(TABLES.TEAM_MEMBERS_DETAILED)
             .select('*')
             .eq('team_id', teamId);
         if (error) {

package/dist/lib/saas-secrets.js

@@ -7,6 +7,7 @@ import { getSupabaseClient } from './supabase-client.js';
 import { encryptionService } from './saas-encryption.js';
 import { auditLogger } from './saas-audit.js';
 import { organizationService } from './saas-organizations.js';
+import { TABLES } from '../constants/index.js';
 /**
  * Secrets Service
  */
@@ -211,7 +212,7 @@ export class SecretsService {
      */
     async getSecretsSummary(teamId) {
         const { data, error } = await this.supabase
-            .from('secrets_summary')
+            .from(TABLES.SECRETS_SUMMARY)
             .select('*')
             .eq('team_id', teamId);
         if (error) {

package/dist/lib/secrets-manager.js

@@ -9,6 +9,7 @@ import { createLogger, LogLevel } from './logger.js';
 import { getGitRepoInfo, hasEnvExample, ensureEnvInGitignore } from './git-utils.js';
 import { IPFSSyncLogger } from './ipfs-sync-logger.js';
 import { IPFSSecretsStorage } from './ipfs-secrets-storage.js';
+import { ENV_VARS } from '../constants/index.js';
 const logger = createLogger('SecretsManager');
 export class SecretsManager {
     storage;
@@ -18,7 +19,7 @@ export class SecretsManager {
     homeDir;
     constructor(userIdOrOptions, encryptionKey, detectGit) {
         this.storage = new IPFSSecretsStorage();
-        this.homeDir = process.env.HOME || process.env.USERPROFILE || '';
+        this.homeDir = process.env[ENV_VARS.HOME] || process.env[ENV_VARS.USERPROFILE] || '';
         // Handle both legacy and new constructor signatures
         let options;
         if (typeof userIdOrOptions === 'object') {
@@ -73,12 +74,13 @@ export class SecretsManager {
      */
     getDefaultEncryptionKey() {
         // Check for explicit key
-        if (process.env.LSH_SECRETS_KEY) {
-            return process.env.LSH_SECRETS_KEY;
+        const envKey = process.env[ENV_VARS.LSH_SECRETS_KEY];
+        if (envKey) {
+            return envKey;
         }
         // Generate from machine ID and user
-        const machineId = process.env.HOSTNAME || 'localhost';
-        const user = process.env.USER || 'unknown';
+        const machineId = process.env[ENV_VARS.HOSTNAME] || 'localhost';
+        const user = process.env[ENV_VARS.USER] || 'unknown';
         const seed = `${machineId}-${user}-lsh-secrets`;
         // Create deterministic key
         return crypto.createHash('sha256').update(seed).digest('hex');
@@ -242,7 +244,7 @@ export class SecretsManager {
         // Get the effective environment name (repo-aware)
         const effectiveEnv = this.getRepoAwareEnvironment(environment);
         // Warn if using default key
-        if (!process.env.LSH_SECRETS_KEY) {
+        if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
             logger.warn('⚠️  Warning: No LSH_SECRETS_KEY set. Using machine-specific key.');
             logger.warn('   To share secrets across machines, generate a key with: lsh key');
             logger.warn('   Then add LSH_SECRETS_KEY=<key> to your .env on all machines');
@@ -428,7 +430,7 @@ export class SecretsManager {
             cloudExists: false,
             cloudKeys: 0,
             cloudModified: undefined,
-            keySet: !!process.env.LSH_SECRETS_KEY,
+            keySet: !!process.env[ENV_VARS.LSH_SECRETS_KEY],
             keyMatches: undefined,
             suggestions: [],
         };
@@ -476,7 +478,7 @@ export class SecretsManager {
             return 'dev';
         }
         // Check for v1 compatibility mode
-        if (process.env.LSH_V1_COMPAT === 'true') {
+        if (process.env[ENV_VARS.LSH_V1_COMPAT] === 'true') {
             return 'dev'; // v1.x behavior
         }
         // v2.0 behavior: use repo name as default in git repos
@@ -516,7 +518,7 @@ export class SecretsManager {
      * Generate encryption key if not set
      */
     async ensureEncryptionKey() {
-        if (process.env.LSH_SECRETS_KEY) {
+        if (process.env[ENV_VARS.LSH_SECRETS_KEY]) {
             return true; // Key already set
         }
         logger.warn('⚠️  No encryption key found. Generating a new key...');
@@ -540,7 +542,7 @@ export class SecretsManager {
             }
             fs.writeFileSync(envPath, content, 'utf8');
             // Set in current process
-            process.env.LSH_SECRETS_KEY = key;
+            process.env[ENV_VARS.LSH_SECRETS_KEY] = key;
             this.encryptionKey = key;
             logger.info('✅ Generated and saved encryption key to .env');
             logger.info('💡 Load it now: export LSH_SECRETS_KEY=' + key.substring(0, 8) + '...');
@@ -677,7 +679,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 out();
             }
             // Step 1: Ensure encryption key exists
-            if (!process.env.LSH_SECRETS_KEY) {
+            if (!process.env[ENV_VARS.LSH_SECRETS_KEY]) {
                 logger.info('🔑 No encryption key found...');
                 await this.ensureEncryptionKey();
                 out();

package/dist/lib/storacha-client.js

@@ -7,6 +7,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { homedir } from 'os';
 import { logger } from './logger.js';
+import { ENV_VARS } from '../constants/index.js';
 export class StorachaClient {
     client = null;
     configPath;
@@ -35,7 +36,7 @@ export class StorachaClient {
             logger.warn('Failed to load Storacha config, using defaults');
         }
         // Default to enabled unless explicitly disabled
-        const envDisabled = process.env.LSH_STORACHA_ENABLED === 'false';
+        const envDisabled = process.env[ENV_VARS.LSH_STORACHA_ENABLED] === 'false';
         return {
             enabled: !envDisabled,
         };
@@ -57,7 +58,7 @@ export class StorachaClient {
      */
     isEnabled() {
         // Explicitly disabled via env var
-        if (process.env.LSH_STORACHA_ENABLED === 'false') {
+        if (process.env[ENV_VARS.LSH_STORACHA_ENABLED] === 'false') {
             return false;
         }
         // Use config setting (defaults to true)

package/dist/lib/supabase-client.js

@@ -3,13 +3,14 @@
  * Provides database connectivity for LSH features
  */
 import { createClient } from '@supabase/supabase-js';
+import { ENV_VARS } from '../constants/index.js';
 export class SupabaseClient {
     client;
     config;
     constructor(config) {
-        const url = config?.url || process.env.SUPABASE_URL;
-        const anonKey = config?.anonKey || process.env.SUPABASE_ANON_KEY;
-        const databaseUrl = config?.databaseUrl || process.env.DATABASE_URL;
+        const url = config?.url || process.env[ENV_VARS.SUPABASE_URL];
+        const anonKey = config?.anonKey || process.env[ENV_VARS.SUPABASE_ANON_KEY];
+        const databaseUrl = config?.databaseUrl || process.env[ENV_VARS.DATABASE_URL];
         if (!url || !anonKey) {
             throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
         }
@@ -76,7 +77,7 @@ function getDefaultClient() {
  * Check if Supabase is configured and available
  */
 export function isSupabaseConfigured() {
-    return !!(process.env.SUPABASE_URL && process.env.SUPABASE_ANON_KEY);
+    return !!(process.env[ENV_VARS.SUPABASE_URL] && process.env[ENV_VARS.SUPABASE_ANON_KEY]);
 }
 export const supabaseClient = {
     getClient() {
@@ -114,8 +115,8 @@ export const supabaseClient = {
  * @throws {Error} If SUPABASE_URL or SUPABASE_ANON_KEY are not set
  */
 export function getSupabaseClient() {
-    const url = process.env.SUPABASE_URL;
-    const key = process.env.SUPABASE_ANON_KEY;
+    const url = process.env[ENV_VARS.SUPABASE_URL];
+    const key = process.env[ENV_VARS.SUPABASE_ANON_KEY];
     if (!url || !key) {
         throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
     }

package/dist/services/secrets/secrets.js

@@ -7,6 +7,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as readline from 'readline';
 import { getGitRepoInfo } from '../../lib/git-utils.js';
+import { ENV_VARS } from '../../constants/index.js';
 export async function init_secrets(program) {
     // Push secrets to cloud
     program
@@ -892,7 +893,7 @@ API_KEY=
         .option('-y, --yes', 'Skip confirmation prompts')
         .action(async (options) => {
         try {
-            const lshDir = path.join(process.env.HOME || process.env.USERPROFILE || '', '.lsh');
+            const lshDir = path.join(process.env[ENV_VARS.HOME] || process.env[ENV_VARS.USERPROFILE] || '', '.lsh');
             const metadataPath = path.join(lshDir, 'secrets-metadata.json');
             const cacheDir = path.join(lshDir, 'secrets-cache');
             // Determine what we're clearing

package/dist/services/supabase/supabase-registrar.js

@@ -7,6 +7,7 @@ import { supabaseClient } from '../../lib/supabase-client.js';
 import DatabasePersistence from '../../lib/database-persistence.js';
 import CloudConfigManager from '../../lib/cloud-config-manager.js';
 import { CREATE_TABLES_SQL } from '../../lib/database-schema.js';
+import { TABLES } from '../../constants/index.js';
 export class SupabaseCommandRegistrar extends BaseCommandRegistrar {
     constructor() {
         super('SupabaseService');
@@ -259,7 +260,7 @@ export class SupabaseCommandRegistrar extends BaseCommandRegistrar {
                 const opts = options;
                 if (opts.list) {
                     let query = supabaseClient.getClient()
-                        .from('ml_training_jobs')
+                        .from(TABLES.ML_TRAINING_JOBS)
                         .select('*')
                         .order('created_at', { ascending: false });
                     if (opts.status) {
@@ -315,7 +316,7 @@ export class SupabaseCommandRegistrar extends BaseCommandRegistrar {
                 const opts = options;
                 if (opts.list) {
                     let query = supabaseClient.getClient()
-                        .from('ml_models')
+                        .from(TABLES.ML_MODELS)
                         .select('*')
                         .order('created_at', { ascending: false });
                     if (opts.deployed) {
@@ -351,7 +352,7 @@ export class SupabaseCommandRegistrar extends BaseCommandRegistrar {
                 const opts = options;
                 if (opts.list) {
                     const { data: features, error } = await supabaseClient.getClient()
-                        .from('ml_features')
+                        .from(TABLES.ML_FEATURES)
                         .select('*')
                         .order('created_at', { ascending: false })
                         .limit(20);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "3.1.1",
+  "version": "3.1.3",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {