moflo 4.9.17 → 4.9.19

package/dist/src/cli/spells/credentials/default-store.js

@@ -0,0 +1,126 @@
+/**
+ * Default Credential Store
+ *
+ * Singleton `CredentialAccessor` wired into the runner factory, MCP bridge,
+ * and daemon executor so spells persist secrets between casts.
+ *
+ * Passphrase resolution: `MOFLO_CREDENTIALS_PASSPHRASE` env var, else an
+ * auto-generated `~/.moflo/credentials.key` (32 random bytes hex, mode
+ * 0o600) created on first need. The auto-key gives zero-config at-rest
+ * encryption — the threat model matches `~/.aws/credentials`: filesystem
+ * read by an attacker compromises the store either way.
+ *
+ * Failures degrade to `lockedNoopAccessor` (returns undefined / no-op
+ * persists) so the spell engine never crashes on a missing or unreadable
+ * credentials path.
+ */
+import { randomBytes } from 'node:crypto';
+import { mkdirSync, readFileSync, writeFileSync, chmodSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { CredentialStore, MIN_PASSPHRASE_LENGTH } from './credential-store.js';
+import { mofloHomeDir } from '../../services/moflo-paths.js';
+const KEY_BYTES = 32;
+/** 64 hex chars from `KEY_BYTES`; floor of 16 catches truncation/corruption. */
+const KEY_FILE_MIN_HEX_LENGTH = 16;
+export const DEFAULT_CREDENTIALS_FILE = join(mofloHomeDir(), 'credentials.json');
+export const DEFAULT_CREDENTIALS_KEY_FILE = join(mofloHomeDir(), 'credentials.key');
+let cached = null;
+/**
+ * Resolve the singleton default credential store. Returns an unlocked
+ * `CredentialStore` when a passphrase is available, otherwise a locked
+ * no-op accessor. Never throws.
+ */
+export function getDefaultCredentialStore(options = {}) {
+    if (cached)
+        return cached;
+    const filePath = resolveCredentialFilePath(options.filePath);
+    const passphrase = resolvePassphrase(options.passphrase, options.keyFilePath);
+    let accessor;
+    if (passphrase) {
+        try {
+            accessor = new CredentialStore({ filePath, passphrase });
+        }
+        catch (err) {
+            console.warn(`[moflo:credentials] store unavailable: ${err.message}`);
+            accessor = lockedNoopAccessor;
+        }
+    }
+    else {
+        accessor = lockedNoopAccessor;
+    }
+    cached = accessor;
+    return accessor;
+}
+/** Reset the cached singleton — used by tests and CLI subcommands. */
+export function resetDefaultCredentialStore() {
+    cached = null;
+}
+/** Resolve the credentials JSON path (override → env → default). */
+export function resolveCredentialFilePath(explicit) {
+    return explicit ?? process.env.MOFLO_CREDENTIALS_FILE ?? DEFAULT_CREDENTIALS_FILE;
+}
+/** Resolve the key file path (override → env → default). */
+export function resolveKeyFilePath(explicit) {
+    return explicit ?? process.env.MOFLO_CREDENTIALS_KEY_FILE ?? DEFAULT_CREDENTIALS_KEY_FILE;
+}
+/**
+ * Resolve a passphrase from explicit override, `MOFLO_CREDENTIALS_PASSPHRASE`,
+ * or the auto-generated key file. Returns `undefined` when no path yields a
+ * usable value (locked-store mode).
+ */
+export function resolvePassphrase(explicit, keyFilePathOverride) {
+    if (explicit)
+        return explicit;
+    const envPass = process.env.MOFLO_CREDENTIALS_PASSPHRASE;
+    if (envPass && envPass.length >= MIN_PASSPHRASE_LENGTH)
+        return envPass;
+    return resolveKeyFilePassphrase(keyFilePathOverride);
+}
+function resolveKeyFilePassphrase(override) {
+    const keyPath = resolveKeyFilePath(override);
+    try {
+        let content = null;
+        try {
+            content = readFileSync(keyPath, 'utf-8').trim();
+        }
+        catch (err) {
+            if (err.code !== 'ENOENT')
+                throw err;
+        }
+        if (content !== null) {
+            if (content.length >= KEY_FILE_MIN_HEX_LENGTH)
+                return content;
+            // Refuse to regenerate over a corrupt key when credentials exist —
+            // a fresh key would silently invalidate every stored secret.
+            const credPath = join(dirname(keyPath), 'credentials.json');
+            try {
+                readFileSync(credPath);
+                console.warn(`[moflo:credentials] key file at ${keyPath} is corrupt; refusing to regenerate while ${credPath} exists`);
+                return undefined;
+            }
+            catch (err) {
+                if (err.code !== 'ENOENT')
+                    throw err;
+            }
+        }
+        mkdirSync(dirname(keyPath), { recursive: true });
+        const generated = randomBytes(KEY_BYTES).toString('hex');
+        writeFileSync(keyPath, generated, { encoding: 'utf-8', mode: 0o600 });
+        // chmod after write in case the create mode was masked by umask.
+        try {
+            chmodSync(keyPath, 0o600);
+        }
+        catch { /* best-effort on Windows */ }
+        return generated;
+    }
+    catch (err) {
+        console.warn(`[moflo:credentials] could not read/create key file: ${err.message}`);
+        return undefined;
+    }
+}
+export const lockedNoopAccessor = {
+    async get() { return undefined; },
+    async has() { return false; },
+    async store() { },
+};
+//# sourceMappingURL=default-store.js.map

package/dist/src/cli/spells/credentials/index.js

@@ -0,0 +1,6 @@
+/**
+ * Credentials barrel — public surface of the credential subsystem.
+ */
+export { CredentialStore, CredentialStoreError, MIN_PASSPHRASE_LENGTH, } from './credential-store.js';
+export { getDefaultCredentialStore, resetDefaultCredentialStore, resolveCredentialFilePath, resolveKeyFilePath, resolvePassphrase, lockedNoopAccessor, DEFAULT_CREDENTIALS_FILE, DEFAULT_CREDENTIALS_KEY_FILE, } from './default-store.js';
+//# sourceMappingURL=index.js.map

package/dist/src/cli/spells/factory/runner-bridge.js

@@ -10,6 +10,7 @@
  */
 import { loadSandboxConfigFromProject } from '../core/platform-sandbox.js';
 import { createRunner, runSpellFromContent } from './runner-factory.js';
+import { getDefaultCredentialStore } from '../credentials/default-store.js';
 /**
  * Resolve sandbox config: prefer caller-supplied; fall back to auto-loading
  * from moflo.yaml at projectRoot. Returns undefined when neither is available
@@ -36,13 +37,14 @@ export async function bridgeRunSpell(content, sourceFile, args, options = {}) {
     activeSpells.set(spellId, controller);
     try {
         const sandboxConfig = await resolveSandbox(options.sandboxConfig, options.projectRoot);
+        const credentials = options.credentials ?? getDefaultCredentialStore();
         const result = await runSpellFromContent(content, sourceFile, {
             spellId,
             args,
             dryRun: options.dryRun,
             signal: controller.signal,
             memory: options.memory,
-            credentials: options.credentials,
+            credentials,
             ...(options.projectRoot ? { projectRoot: options.projectRoot } : {}),
             ...(sandboxConfig ? { sandboxConfig } : {}),
         });
@@ -61,7 +63,8 @@ export async function bridgeExecuteSpell(definition, args, options = {}) {
     activeSpells.set(spellId, controller);
     try {
         const sandboxConfig = await resolveSandbox(options.sandboxConfig, options.projectRoot);
-        const runner = createRunner({ memory: options.memory, credentials: options.credentials });
+        const credentials = options.credentials ?? getDefaultCredentialStore();
+        const runner = createRunner({ memory: options.memory, credentials });
         return await runner.run(definition, args, {
             spellId,
             signal: controller.signal,

package/dist/src/cli/spells/factory/runner-factory.js

@@ -14,6 +14,7 @@ import { validateSpellDefinition } from '../schema/validator.js';
 import { SpellConnectorRegistry } from '../registry/connector-registry.js';
 import { loadSandboxConfigFromProject } from '../core/platform-sandbox.js';
 import { errorDetail } from '../../shared/utils/error-detail.js';
+import { getDefaultCredentialStore } from '../credentials/default-store.js';
 // ============================================================================
 // Factory
 // ============================================================================
@@ -33,7 +34,7 @@ export function createRunner(options = {}) {
     if (options.stepDirs?.length) {
         registry.loadFromDirectories(options.stepDirs);
     }
-    const credentials = options.credentials ?? noopCredentials;
+    const credentials = options.credentials ?? getDefaultCredentialStore();
     const memory = options.memory ?? noopMemory;
     // Auto-register shipped connectors into the connector registry
     const connectorRegistry = options.connectorRegistry ?? new SpellConnectorRegistry();
@@ -92,9 +93,10 @@ export async function runSpellFromContent(content, sourceFile, options = {}) {
 // ============================================================================
 // Noop Accessors (for standalone usage without full CLI context)
 // ============================================================================
-const noopCredentials = {
+export const noopCredentials = {
     async get() { return undefined; },
     async has() { return false; },
+    async store() { },
 };
 export const noopMemory = {
     async read() { return null; },

package/dist/src/cli/spells/index.js

@@ -49,7 +49,7 @@ export { buildPausedState, persistPausedState, resumeSpell, cleanupStalePaused,
 // ============================================================================
 // Credential Store
 // ============================================================================
-export { CredentialStore, CredentialStoreError, } from './credentials/credential-store.js';
+export { CredentialStore, CredentialStoreError, getDefaultCredentialStore, resetDefaultCredentialStore, lockedNoopAccessor, } from './credentials/index.js';
 // ============================================================================
 // Spell Registry (abbreviation lookup + list/info)
 // ============================================================================

package/dist/src/cli/version.js

@@ -2,5 +2,5 @@
  * Auto-generated by build. Do not edit manually.
  * Source of truth: root package.json → scripts/sync-version.mjs
  */
-export const VERSION = '4.9.17';
+export const VERSION = '4.9.19';
 //# sourceMappingURL=version.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "moflo",
-  "version": "4.9.17",
+  "version": "4.9.19",
   "description": "MoFlo — AI agent orchestration for Claude Code. A standalone, opinionated toolkit with semantic memory, learned routing, gates, spells, and the /flo issue-execution skill.",
   "main": "dist/src/cli/index.js",
   "type": "module",
@@ -81,7 +81,7 @@
     "@typescript-eslint/eslint-plugin": "^7.18.0",
     "@typescript-eslint/parser": "^7.18.0",
     "eslint": "^8.0.0",
-    "moflo": "^4.9.16",
+    "moflo": "^4.9.18",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"