minara 0.2.8 → 0.2.9

package/dist/commands/config.js

@@ -41,7 +41,10 @@ export const configCommand = new Command('config')
                 default: config.baseUrl,
                 validate: (v) => {
                     try {
-                        new URL(v);
+                        const u = new URL(v);
+                        if (u.protocol !== 'https:' && u.hostname !== 'localhost' && u.hostname !== '127.0.0.1') {
+                            return 'Base URL must use HTTPS (HTTP allowed only for localhost)';
+                        }
                         return true;
                     }
                     catch {

package/dist/commands/deposit.js

@@ -53,7 +53,7 @@ async function showSpotDeposit(token) {
     console.log('');
 }
 // ─── moonpay (credit card on-ramp) ───────────────────────────────────────
-const MOONPAY_PK = 'pk_live_yIf64w79W6ufwip4j51PWbymdwGtI';
+const MOONPAY_PK = process.env.MOONPAY_PK ?? 'pk_live_yIf64w79W6ufwip4j51PWbymdwGtI';
 const MOONPAY_CURRENCIES = [
     { name: 'USDC (Base)', code: 'usdc_base', network: 'base' },
     { name: 'USDC (Ethereum)', code: 'usdc', network: 'ethereum' },

package/dist/commands/perps.js

@@ -3,7 +3,7 @@ import { input, select, confirm, number as numberPrompt } from '@inquirer/prompt
 import chalk from 'chalk';
 import * as perpsApi from '../api/perps.js';
 import { requireAuth } from '../config.js';
-import { success, info, warn, spinner, assertApiOk, formatOrderSide, wrapAction, requireTransactionConfirmation } from '../utils.js';
+import { success, info, warn, spinner, assertApiOk, formatOrderSide, wrapAction, requireTransactionConfirmation, validateAddress } from '../utils.js';
 import { requireTouchId } from '../touchid.js';
 import { printTxResult, printTable, printKV, POSITION_COLUMNS, FILL_COLUMNS } from '../formatters.js';
 // ─── deposit ─────────────────────────────────────────────────────────────
@@ -48,7 +48,7 @@ const withdrawCmd = new Command('withdraw')
         : await numberPrompt({ message: 'USDC amount to withdraw:', min: 0.01, required: true });
     const toAddress = opts.to ?? await input({
         message: 'Destination address:',
-        validate: (v) => (v.length > 5 ? true : 'Enter a valid address'),
+        validate: (v) => validateAddress(v, 'arbitrum'),
     });
     console.log(`\n  Withdraw : ${chalk.bold(amount)} USDC → ${chalk.yellow(toAddress)}\n`);
     warn('Withdrawals may take time to process.');

package/dist/commands/transfer.js

@@ -2,7 +2,7 @@ import { Command } from 'commander';
 import { input } from '@inquirer/prompts';
 import { transfer } from '../api/crosschain.js';
 import { requireAuth } from '../config.js';
-import { success, spinner, assertApiOk, selectChain, wrapAction, requireTransactionConfirmation, lookupToken } from '../utils.js';
+import { success, spinner, assertApiOk, selectChain, wrapAction, requireTransactionConfirmation, lookupToken, validateAddress } from '../utils.js';
 import { requireTouchId } from '../touchid.js';
 import { printTxResult } from '../formatters.js';
 export const transferCommand = new Command('transfer')
@@ -33,7 +33,7 @@ export const transferCommand = new Command('transfer')
     // ── 4. Recipient ─────────────────────────────────────────────────────
     const recipient = opts.to ?? await input({
         message: 'Recipient address:',
-        validate: (v) => (v.length > 5 ? true : 'Enter a valid address'),
+        validate: (v) => validateAddress(v, chain),
     });
     // ── 5. Confirm & Touch ID ──────────────────────────────────────────
     if (!opts.yes) {

package/dist/commands/withdraw.js

@@ -3,7 +3,7 @@ import { input } from '@inquirer/prompts';
 import chalk from 'chalk';
 import { transfer, getAssets } from '../api/crosschain.js';
 import { requireAuth } from '../config.js';
-import { success, spinner, assertApiOk, selectChain, wrapAction, requireTransactionConfirmation, lookupToken } from '../utils.js';
+import { success, spinner, assertApiOk, selectChain, wrapAction, requireTransactionConfirmation, lookupToken, validateAddress } from '../utils.js';
 import { requireTouchId } from '../touchid.js';
 import { printTxResult } from '../formatters.js';
 export const withdrawCommand = new Command('withdraw')
@@ -57,7 +57,7 @@ export const withdrawCommand = new Command('withdraw')
     // ── 5. Destination ───────────────────────────────────────────────────
     const recipient = opts.to ?? await input({
         message: 'Destination address (your external wallet):',
-        validate: (v) => (v.length > 5 ? true : 'Enter a valid address'),
+        validate: (v) => validateAddress(v, chain),
     });
     // ── 6. Confirm & Touch ID ──────────────────────────────────────────
     if (!opts.yes) {

package/dist/config.js

@@ -14,8 +14,7 @@ function ensureDir() {
 // ─── Credentials ─────────────────────────────────────────────────────────────
 export function saveCredentials(creds) {
     ensureDir();
-    writeFileSync(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), 'utf-8');
-    chmodSync(CREDENTIALS_FILE, 0o600);
+    writeFileSync(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), { encoding: 'utf-8', mode: 0o600 });
 }
 export function loadCredentials() {
     if (!existsSync(CREDENTIALS_FILE))
@@ -65,7 +64,7 @@ export function saveConfig(config) {
     ensureDir();
     const current = loadConfig();
     const merged = { ...current, ...config };
-    writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), 'utf-8');
+    writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2), { encoding: 'utf-8', mode: 0o600 });
 }
 export function getMinaraDir() {
     ensureDir();

package/dist/oauth-server.js

@@ -11,6 +11,15 @@
  */
 import { createServer } from 'node:http';
 import { URL } from 'node:url';
+// ── Helpers ───────────────────────────────────────────────────────────────
+function escapeHtml(str) {
+    return str
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
 // ── HTML responses ────────────────────────────────────────────────────────
 const SUCCESS_HTML = `<!DOCTYPE html>
 <html>
@@ -48,7 +57,7 @@ const ERROR_HTML = (msg) => `<!DOCTYPE html>
 <body>
   <div class="card">
     <h1>✖ Login Failed</h1>
-    <p>${msg}</p>
+    <p>${escapeHtml(msg)}</p>
     <p>Please return to the terminal and try again.</p>
   </div>
 </body>

package/dist/utils.d.ts

@@ -75,5 +75,10 @@ export declare function requireTransactionConfirmation(description: string, toke
     amount?: string;
     destination?: string;
 }): Promise<void>;
+/**
+ * Validate a blockchain address based on the target chain.
+ * Returns `true` on success or an error message string on failure.
+ */
+export declare function validateAddress(address: string, chain?: string): true | string;
 /** Open a URL in the user's default browser (cross-platform). */
 export declare function openBrowser(url: string): void;

package/dist/utils.js

@@ -1,6 +1,6 @@
 import chalk from 'chalk';
 import ora from 'ora';
-import { exec } from 'node:child_process';
+import { execFile } from 'node:child_process';
 import { platform } from 'node:os';
 import { select, confirm } from '@inquirer/prompts';
 import { SUPPORTED_CHAINS } from './types.js';
@@ -340,16 +340,54 @@ export async function requireTransactionConfirmation(description, token, details
         process.exit(0);
     }
 }
+// ─── Address validation ──────────────────────────────────────────────────────
+const SOLANA_ADDR_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;
+const EVM_ADDR_RE = /^0x[0-9a-fA-F]{40}$/;
+/**
+ * Validate a blockchain address based on the target chain.
+ * Returns `true` on success or an error message string on failure.
+ */
+export function validateAddress(address, chain) {
+    const v = address.trim();
+    if (!v)
+        return 'Address is required';
+    const c = chain?.toLowerCase();
+    if (c === 'solana' || c === 'sol' || c === '101') {
+        if (!SOLANA_ADDR_RE.test(v))
+            return 'Invalid Solana address (expected base58, 32–44 chars)';
+        return true;
+    }
+    if (c && c !== 'solana') {
+        if (!EVM_ADDR_RE.test(v))
+            return 'Invalid EVM address (expected 0x + 40 hex chars)';
+        return true;
+    }
+    // Unknown chain — accept either format
+    if (!SOLANA_ADDR_RE.test(v) && !EVM_ADDR_RE.test(v)) {
+        return 'Invalid address format';
+    }
+    return true;
+}
 // ─── Browser ──────────────────────────────────────────────────────────────────
 /** Open a URL in the user's default browser (cross-platform). */
 export function openBrowser(url) {
     const plat = platform();
-    const cmd = plat === 'darwin' ? 'open' :
-        plat === 'win32' ? 'start ""' :
-            /* linux / others */ 'xdg-open';
-    exec(`${cmd} "${url}"`, (err) => {
+    let cmd;
+    let args;
+    if (plat === 'darwin') {
+        cmd = 'open';
+        args = [url];
+    }
+    else if (plat === 'win32') {
+        cmd = 'cmd';
+        args = ['/c', 'start', '', url];
+    }
+    else {
+        cmd = 'xdg-open';
+        args = [url];
+    }
+    execFile(cmd, args, (err) => {
         if (err) {
-            // Don't crash — the user can manually open the URL
             console.log(chalk.dim(`Could not open browser automatically. Please open this URL manually:`));
             console.log(chalk.cyan(url));
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "minara",
-  "version": "0.2.8",
+  "version": "0.2.9",
   "description": "CLI client for Minara.ai — login, trade, deposit/withdraw, chat and more from your terminal.",
   "type": "module",
   "main": "dist/index.js",