natureco-cli 2.23.28 → 2.23.30

package/src/commands/security.js

@@ -3,18 +3,128 @@ const fs = require('fs');
 const path = require('path');
 const os = require('os');
 const { getConfig, CONFIG_FILE, CONFIG_DIR } = require('../utils/config');
+const { listSecretRefs, resolveSecretRef, coerceSecretRef } = require('../utils/secrets');
+const { NatureCoError, handleError } = require('../utils/errors');
 
 async function security(args) {
   const [action, ...params] = (args || []);
 
   if (!action || action === 'audit') return audit(args);
 
+  if (action === 'allowlist') return allowlistAction(args);
+
+  if (action === 'policy') return policyAction(args);
+
+  if (action === 'secrets') return scanSecrets(args);
+
   console.log(chalk.red(`\n  ❌ Bilinmeyen komut: ${action}\n`));
-  console.log(chalk.gray('  Kullanım: natureco security [audit]\n'));
+  console.log(chalk.gray('  Kullanım: natureco security [audit|allowlist|policy|secrets]\n'));
   process.exit(1);
 }
 
+async function allowlistAction(args) {
+  const { loadApprovals, addAllowlistEntry, listAllowlist, removeAllowlistEntry } = require('../utils/approvals');
+  const sub = args[1];
+
+  if (!sub || sub === 'list') {
+    const entries = listAllowlist('default');
+    console.log('');
+    console.log(chalk.cyan.bold('\n  Exec Allowlist\n'));
+    if (entries.length === 0) {
+      console.log(chalk.gray('  No entries. Add with: natureco security allowlist add "<command>"'));
+    } else {
+      entries.forEach((e, i) => {
+        console.log(chalk.gray(`  ${i + 1}. `) + chalk.white(e.lastUsedCommand || e.pattern));
+        console.log(chalk.gray(`     id: ${e.id} · source: ${e.source || 'manual'}`));
+      });
+    }
+    console.log('');
+    return;
+  }
+
+  if (sub === 'add' && args[2]) {
+    addAllowlistEntry('default', args.slice(2).join(' '));
+    console.log(chalk.green('\n  ✓ Command added to allowlist\n'));
+    return;
+  }
+
+  if (sub === 'remove' && args[2]) {
+    const removed = removeAllowlistEntry('default', args[2]);
+    if (removed) {
+      console.log(chalk.green('\n  ✓ Entry removed from allowlist\n'));
+    } else {
+      console.log(chalk.yellow('\n  ⚠️  Entry not found\n'));
+    }
+    return;
+  }
+
+  console.log(chalk.gray('\n  Kullanım:'));
+  console.log(chalk.gray('    natureco security allowlist list'));
+  console.log(chalk.gray('    natureco security allowlist add "<command>"'));
+  console.log(chalk.gray('    natureco security allowlist remove <id>\n'));
+}
+
+async function policyAction(args) {
+  const { setSecurityPolicy } = require('../utils/approvals');
+  const sub = args[1];
+
+  if (sub === 'set' && args[2]) {
+    const value = args[2];
+    if (['deny', 'allowlist', 'full'].includes(value)) {
+      setSecurityPolicy('default', { security: value });
+      console.log(chalk.green(`\n  ✓ Security policy set to: ${value}\n`));
+    } else {
+      console.log(chalk.red(`\n  ❌ Invalid policy: ${value}. Use: deny, allowlist, full\n`));
+    }
+    return;
+  }
+
+  console.log(chalk.gray('\n  Kullanım:'));
+  console.log(chalk.gray('    natureco security policy set deny|allowlist|full'));
+  console.log(chalk.gray('\n  Policy levels:'));
+  console.log(chalk.gray('    deny       - Block all command execution'));
+  console.log(chalk.gray('    allowlist  - Only allowlisted commands'));
+  console.log(chalk.gray('    full       - Allow all commands (default)\n'));
+}
+
+async function scanSecrets(args) {
+  const config = getConfig();
+  const refs = listSecretRefs(config);
+  const fix = args.includes('--fix');
+
+  console.log('');
+  console.log(chalk.cyan.bold('\n  Secret Reference Scan\n'));
+
+  if (refs.length === 0) {
+    console.log(chalk.green('  ✓ No secret references found in config\n'));
+    return;
+  }
+
+  let resolved = 0;
+  let unresolved = 0;
+
+  for (const ref of refs) {
+    try {
+      const value = resolveSecretRef(ref.ref, { throwOnMissing: true });
+      console.log(chalk.green(`  ✓ ${ref.path} → resolved (${ref.ref.source}:${ref.ref.id})`));
+      resolved++;
+    } catch {
+      console.log(chalk.yellow(`  ⚠️  ${ref.path} → ${ref.ref.source}:${ref.ref.id} (unresolved)`));
+      unresolved++;
+    }
+  }
+
+  console.log('');
+  console.log(chalk.gray(`  ${resolved} resolved · ${unresolved} unresolved`));
+
+  if (unresolved > 0) {
+    console.log(chalk.gray('\n  Set environment variables or use .env file to resolve secrets.\n'));
+  }
+  console.log('');
+}
+
 async function audit(args) {
+  const { DANGEROUS_PATTERNS, loadApprovals } = require('../utils/approvals');
   const fix = args.includes('--fix');
   const json = args.includes('--json');
 
@@ -90,6 +200,44 @@ async function audit(args) {
     }
   }
 
+  // 7. Secret refs in config
+  const secretRefs = listSecretRefs(config);
+  if (secretRefs.length > 0) {
+    let unresolvedCount = 0;
+    for (const ref of secretRefs) {
+      try {
+        resolveSecretRef(ref.ref, { throwOnMissing: true });
+      } catch {
+        unresolvedCount++;
+      }
+    }
+    if (unresolvedCount > 0) {
+      warnings.push({ id: 'unresolved-secrets', msg: `${unresolvedCount}/${secretRefs.length} secret reference(s) unresolved` });
+    } else {
+      ok.push('Secret references resolvable');
+    }
+  }
+
+  // 8. Exec approvals policy
+  const approvals = loadApprovals();
+  if (approvals.defaults?.security === 'deny') {
+    warnings.push({ id: 'deny-policy', msg: 'Exec approvals: all commands denied' });
+  } else if (approvals.defaults?.security === 'allowlist') {
+    const entries = Object.values(approvals.agents || {}).reduce((a, ag) => a + (ag.allowlist?.length || 0), 0);
+    ok.push(`Exec approvals: allowlist mode (${entries} entries)`);
+  } else {
+    ok.push('Exec approvals: full mode');
+  }
+
+  // 9. Config backup status
+  const { listBackups } = require('../utils/config');
+  const backups = listBackups();
+  if (backups.length > 0) {
+    ok.push(`Config backups: ${backups.length} available`);
+  } else {
+    warnings.push({ id: 'no-backups', msg: 'No config backups found. Backups are created automatically on config changes.' });
+  }
+
   if (json) {
     console.log(JSON.stringify({ ok, warnings: warnings.map(w => w.msg), issues: issues.map(i => i.msg) }, null, 2));
     return;

package/src/commands/setup.js

@@ -41,6 +41,12 @@ const LANG = {
       WhatsApp:  'natureco whatsapp connect',
       Discord:   'natureco discord connect',
       Slack:     'natureco slack connect',
+      Signal:    'natureco signal connect',
+      IRC:       'natureco irc connect',
+      Mattermost:'natureco mattermost connect',
+      iMessage:  'natureco imessage connect',
+      SMS:       'natureco sms connect',
+      Webhooks:  'natureco webhooks connect',
     },
     // Adım 5
     gatewayTitle:   'Gateway',
@@ -99,6 +105,12 @@ const LANG = {
       WhatsApp:  'natureco whatsapp connect',
       Discord:   'natureco discord connect',
       Slack:     'natureco slack connect',
+      Signal:    'natureco signal connect',
+      IRC:       'natureco irc connect',
+      Mattermost:'natureco mattermost connect',
+      iMessage:  'natureco imessage connect',
+      SMS:       'natureco sms connect',
+      Webhooks:  'natureco webhooks connect',
     },
     // Step 5
     gatewayTitle:   'Gateway',
@@ -360,6 +372,12 @@ async function setup() {
       { name: 'WhatsApp', value: 'WhatsApp' },
       { name: 'Discord',  value: 'Discord' },
       { name: 'Slack',    value: 'Slack' },
+      { name: 'Signal',   value: 'Signal' },
+      { name: 'IRC',      value: 'IRC' },
+      { name: 'Mattermost', value: 'Mattermost' },
+      { name: 'iMessage', value: 'iMessage' },
+      { name: 'SMS (Twilio)', value: 'SMS' },
+      { name: 'Webhooks', value: 'Webhooks' },
     ],
   }]);
 
@@ -425,14 +443,86 @@ async function setup() {
     printDone(L, 'Discord');
   }
 
+  if (integrations.includes('Signal')) {
+    console.log('');
+    console.log(chalk.cyan('  Signal kurulumu (signal-cli REST API):'));
+    const { sigUrl, sigAccount } = await inquirer.prompt([
+      { type: 'input', name: 'sigUrl', message: lang === 'tr' ? '  signal-cli REST API URL (örn: http://localhost:8080):' : '  signal-cli REST API URL (e.g. http://localhost:8080):', validate: v => v.trim() ? true : (lang === 'tr' ? 'Gerekli' : 'Required') },
+      { type: 'input', name: 'sigAccount', message: lang === 'tr' ? '  Signal hesap numarası:' : '  Signal account number:', validate: v => v.trim() ? true : (lang === 'tr' ? 'Gerekli' : 'Required') },
+    ]);
+    const sigBotId = `signal_${Date.now()}`;
+    integConfig.signalHttpUrl = sigUrl.trim();
+    integConfig.signalAccount = sigAccount.trim();
+    integConfig.signalBotId = sigBotId;
+    printDone(L, 'Signal');
+  }
+
+  if (integrations.includes('IRC')) {
+    console.log('');
+    console.log(chalk.cyan('  IRC kurulumu:'));
+    const { ircHost, ircPort, ircNick } = await inquirer.prompt([
+      { type: 'input', name: 'ircHost', message: lang === 'tr' ? '  IRC sunucusu (örn: irc.libera.chat):' : '  IRC server (e.g. irc.libera.chat):', validate: v => v.trim() ? true : (lang === 'tr' ? 'Gerekli' : 'Required') },
+      { type: 'input', name: 'ircPort', message: lang === 'tr' ? '  Port:' : '  Port:', default: '6697' },
+      { type: 'input', name: 'ircNick', message: lang === 'tr' ? '  Nick:' : '  Nick:', validate: v => v.trim() ? true : (lang === 'tr' ? 'Gerekli' : 'Required') },
+    ]);
+    integConfig.ircHost = ircHost.trim();
+    integConfig.ircPort = parseInt(ircPort) || 6697;
+    integConfig.ircNick = ircNick.trim();
+    integConfig.ircBotId = `irc_${Date.now()}`;
+    printDone(L, 'IRC');
+  }
+
+  if (integrations.includes('Mattermost')) {
+    console.log('');
+    console.log(chalk.cyan('  Mattermost kurulumu:'));
+    const { mmUrl, mmToken } = await inquirer.prompt([
+      { type: 'input', name: 'mmUrl', message: lang === 'tr' ? '  Mattermost sunucu URL:' : '  Mattermost server URL:', validate: v => v.trim() ? true : (lang === 'tr' ? 'Gerekli' : 'Required') },
+      { type: 'password', name: 'mmToken', message: lang === 'tr' ? '  Bot token:' : '  Bot token:', mask: '*', validate: v => v.trim() ? true : (lang === 'tr' ? 'Gerekli' : 'Required') },
+    ]);
+    integConfig.mattermostBaseUrl = mmUrl.trim().replace(/\/$/, '');
+    integConfig.mattermostToken = mmToken.trim();
+    integConfig.mattermostBotId = `mattermost_${Date.now()}`;
+    printDone(L, 'Mattermost');
+  }
+
+  if (integrations.includes('iMessage')) {
+    console.log('');
+    console.log(chalk.cyan(lang === 'tr' ? '  iMessage (sadece macOS):' : '  iMessage (macOS only):'));
+    const { imCliPath } = await inquirer.prompt([{ type: 'input', name: 'imCliPath', message: lang === 'tr' ? '  imsg CLI yolu (opsiyonel):' : '  imsg CLI path (optional):' }]);
+    integConfig.imessageCliPath = imCliPath.trim() || '';
+    integConfig.imessageBotId = `imessage_${Date.now()}`;
+    printDone(L, 'iMessage');
+  }
+
+  if (integrations.includes('SMS')) {
+    console.log('');
+    console.log(chalk.cyan('  SMS (Twilio) kurulumu:'));
+    const { smsSid, smsToken, smsFrom } = await inquirer.prompt([
+      { type: 'input', name: 'smsSid', message: '  Twilio Account SID:', validate: v => v.trim() ? true : 'Required' },
+      { type: 'password', name: 'smsToken', message: '  Twilio Auth Token:', mask: '*', validate: v => v.trim() ? true : 'Required' },
+      { type: 'input', name: 'smsFrom', message: '  Twilio telefon numarası (E.164):', validate: v => v.trim() ? true : 'Required' },
+    ]);
+    integConfig.smsAccountSid = smsSid.trim();
+    integConfig.smsAuthToken = smsToken.trim();
+    integConfig.smsFromNumber = smsFrom.trim();
+    integConfig.smsBotId = `sms_${Date.now()}`;
+    printDone(L, 'SMS');
+  }
+
+  if (integrations.includes('Webhooks')) {
+    printDone(L, 'Webhooks');
+    console.log(chalk.gray(lang === 'tr'
+      ? '  → Webhook eklemek için: natureco webhooks connect'
+      : '  → To add a webhook: natureco webhooks connect'));
+  }
+
   if (integrations.length > 0) {
-    if (!integrations.includes('Telegram') && !integrations.includes('WhatsApp') && !integrations.includes('Discord')) {
+    const subflowChannels = ['Telegram', 'WhatsApp', 'Discord', 'Signal', 'IRC', 'Mattermost', 'iMessage', 'SMS', 'Webhooks'];
+    const hasSubflow = subflowChannels.some(ch => integrations.includes(ch));
+    if (!hasSubflow) {
       printDone(L, integrations.join(', '));
     }
     console.log('');
-    if (integrations.includes('Slack')) {
-      console.log(chalk.gray(`  → natureco slack connect`));
-    }
   } else {
     printDone(L, L.integSkip);
   }
@@ -454,17 +544,31 @@ async function setup() {
     language: lang,
     providerUrl,
     providerApiKey: providerApiKey.trim(),
-    providerModel,
-    apiKey: providerApiKey.trim(), // login bypass — chat doğrudan çalışsın
-    botName: safeBotName,
+    botName: safeBotName,
     userName: userName.trim(),
     debug: existingConfig.debug || false,
     skills: existingConfig.skills || { enabled: true, list: [] },
     mcpServers: existingConfig.mcpServers || {},
     // Entegrasyon config'leri
-    ...(integConfig.telegramToken  && { telegramToken:  integConfig.telegramToken }),
-    ...(integConfig.telegramChatId && { telegramChatId: integConfig.telegramChatId }),
-    ...(integConfig.discordToken   && { discordToken:   integConfig.discordToken }),
+    ...(integConfig.telegramToken      && { telegramToken:      integConfig.telegramToken }),
+    ...(integConfig.telegramChatId     && { telegramChatId:     integConfig.telegramChatId }),
+    ...(integConfig.discordToken       && { discordToken:       integConfig.discordToken }),
+    ...(integConfig.signalHttpUrl      && { signalHttpUrl:      integConfig.signalHttpUrl }),
+    ...(integConfig.signalAccount      && { signalAccount:      integConfig.signalAccount }),
+    ...(integConfig.signalBotId        && { signalBotId:        integConfig.signalBotId }),
+    ...(integConfig.ircHost            && { ircHost:            integConfig.ircHost }),
+    ...(integConfig.ircPort            && { ircPort:            integConfig.ircPort }),
+    ...(integConfig.ircNick            && { ircNick:            integConfig.ircNick }),
+    ...(integConfig.ircBotId           && { ircBotId:           integConfig.ircBotId }),
+    ...(integConfig.mattermostBaseUrl  && { mattermostBaseUrl:  integConfig.mattermostBaseUrl }),
+    ...(integConfig.mattermostToken    && { mattermostToken:    integConfig.mattermostToken }),
+    ...(integConfig.mattermostBotId    && { mattermostBotId:    integConfig.mattermostBotId }),
+    ...(integConfig.imessageCliPath    && { imessageCliPath:    integConfig.imessageCliPath }),
+    ...(integConfig.imessageBotId      && { imessageBotId:      integConfig.imessageBotId }),
+    ...(integConfig.smsAccountSid      && { smsAccountSid:      integConfig.smsAccountSid }),
+    ...(integConfig.smsAuthToken       && { smsAuthToken:       integConfig.smsAuthToken }),
+    ...(integConfig.smsFromNumber      && { smsFromNumber:      integConfig.smsFromNumber }),
+    ...(integConfig.smsBotId           && { smsBotId:           integConfig.smsBotId }),
   };
 
   saveConfig(config);