notoken-core 1.0.0

package/dist/parsers/nginxParser.js

@@ -0,0 +1,161 @@
+/**
+ * Nginx config parser.
+ *
+ * Parses nginx.conf and site configs into structured blocks.
+ * Handles: server blocks, location blocks, upstream, directives.
+ */
+/**
+ * Parse nginx config content.
+ */
+export function parseNginx(content) {
+    const lines = content.split("\n");
+    const { directives, blocks } = parseBlock(lines, 0, lines.length);
+    const servers = extractServers(blocks);
+    return { directives, blocks, servers };
+}
+function parseBlock(lines, start, end) {
+    const directives = [];
+    const blocks = [];
+    let i = start;
+    while (i < end) {
+        const line = lines[i].trim();
+        // Skip comments and empty lines
+        if (!line || line.startsWith("#")) {
+            i++;
+            continue;
+        }
+        // Block opening: "server {", "location /api {"
+        if (line.includes("{")) {
+            const beforeBrace = line.split("{")[0].trim();
+            const parts = beforeBrace.split(/\s+/);
+            const blockType = parts[0] ?? "";
+            const blockArgs = parts.slice(1);
+            // Find matching closing brace
+            let depth = 1;
+            let j = i + 1;
+            while (j < end && depth > 0) {
+                const l = lines[j].trim();
+                for (const ch of l) {
+                    if (ch === "{")
+                        depth++;
+                    if (ch === "}")
+                        depth--;
+                }
+                if (depth > 0)
+                    j++;
+                else
+                    break;
+            }
+            // Recursively parse the block content
+            const inner = parseBlock(lines, i + 1, j);
+            blocks.push({
+                type: blockType,
+                args: blockArgs,
+                directives: inner.directives,
+                blocks: inner.blocks,
+                line: i + 1,
+            });
+            i = j + 1;
+            continue;
+        }
+        // Closing brace (shouldn't happen at this level but handle gracefully)
+        if (line === "}") {
+            i++;
+            continue;
+        }
+        // Directive: "worker_processes auto;"
+        if (line.endsWith(";")) {
+            const stripped = line.slice(0, -1).trim();
+            const parts = stripped.split(/\s+/);
+            directives.push({
+                name: parts[0] ?? "",
+                args: parts.slice(1),
+                line: i + 1,
+            });
+        }
+        i++;
+    }
+    return { directives, blocks };
+}
+function extractServers(blocks) {
+    const servers = [];
+    for (const block of blocks) {
+        if (block.type === "http") {
+            servers.push(...extractServers(block.blocks));
+        }
+        if (block.type === "server") {
+            const server = {
+                listen: [],
+                serverName: [],
+                locations: [],
+                ssl: false,
+            };
+            for (const d of block.directives) {
+                switch (d.name) {
+                    case "listen":
+                        server.listen.push(d.args.join(" "));
+                        if (d.args.some((a) => a === "ssl"))
+                            server.ssl = true;
+                        break;
+                    case "server_name":
+                        server.serverName.push(...d.args);
+                        break;
+                    case "root":
+                        server.root = d.args[0];
+                        break;
+                    case "index":
+                        server.index = d.args.join(" ");
+                        break;
+                    case "ssl_certificate":
+                        server.sslCertificate = d.args[0];
+                        server.ssl = true;
+                        break;
+                    case "ssl_certificate_key":
+                        server.sslCertificateKey = d.args[0];
+                        break;
+                }
+            }
+            for (const loc of block.blocks.filter((b) => b.type === "location")) {
+                const location = {
+                    path: loc.args.join(" "),
+                    directives: loc.directives,
+                };
+                for (const d of loc.directives) {
+                    if (d.name === "proxy_pass")
+                        location.proxyPass = d.args[0];
+                    if (d.name === "root")
+                        location.root = d.args[0];
+                    if (d.name === "try_files")
+                        location.tryFiles = d.args.join(" ");
+                }
+                server.locations.push(location);
+            }
+            servers.push(server);
+        }
+    }
+    return servers;
+}
+/**
+ * Format an nginx config summary for display.
+ */
+export function formatNginxSummary(config) {
+    const c = { reset: "\x1b[0m", bold: "\x1b[1m", dim: "\x1b[2m", cyan: "\x1b[36m", green: "\x1b[32m", yellow: "\x1b[33m" };
+    const lines = [];
+    lines.push(`${c.bold}Nginx Config Summary${c.reset}`);
+    lines.push(`  ${config.servers.length} server block(s)\n`);
+    for (const server of config.servers) {
+        const names = server.serverName.join(", ") || "(default)";
+        const listen = server.listen.join(", ");
+        const sslLabel = server.ssl ? ` ${c.green}[SSL]${c.reset}` : "";
+        lines.push(`  ${c.cyan}server${c.reset} ${c.bold}${names}${c.reset}${sslLabel}`);
+        lines.push(`    listen: ${listen}`);
+        if (server.root)
+            lines.push(`    root: ${server.root}`);
+        for (const loc of server.locations) {
+            const proxy = loc.proxyPass ? ` → ${c.yellow}${loc.proxyPass}${c.reset}` : "";
+            lines.push(`    ${c.dim}location${c.reset} ${loc.path}${proxy}`);
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}

package/dist/parsers/passwd.d.ts

@@ -0,0 +1,25 @@
+/**
+ * /etc/passwd parser.
+ *
+ * Format: username:password:uid:gid:gecos:home:shell
+ */
+export interface PasswdEntry {
+    username: string;
+    hasPassword: boolean;
+    uid: number;
+    gid: number;
+    gecos: string;
+    home: string;
+    shell: string;
+    isSystem: boolean;
+    isLoginUser: boolean;
+}
+export declare function parsePasswd(content: string): PasswdEntry[];
+/**
+ * Get only real login users (non-system, has a login shell).
+ */
+export declare function getLoginUsers(entries: PasswdEntry[]): PasswdEntry[];
+/**
+ * Find a user by username.
+ */
+export declare function findUser(entries: PasswdEntry[], username: string): PasswdEntry | undefined;

package/dist/parsers/passwd.js

@@ -0,0 +1,41 @@
+/**
+ * /etc/passwd parser.
+ *
+ * Format: username:password:uid:gid:gecos:home:shell
+ */
+export function parsePasswd(content) {
+    return content
+        .split("\n")
+        .filter((line) => line.trim() && !line.startsWith("#"))
+        .map((line) => {
+        const parts = line.split(":");
+        if (parts.length < 7)
+            return null;
+        const uid = Number(parts[2]);
+        const shell = parts[6] ?? "";
+        return {
+            username: parts[0],
+            hasPassword: parts[1] !== "x" && parts[1] !== "*" && parts[1] !== "!",
+            uid,
+            gid: Number(parts[3]),
+            gecos: parts[4] ?? "",
+            home: parts[5] ?? "",
+            shell,
+            isSystem: uid < 1000 && uid !== 0,
+            isLoginUser: !shell.includes("nologin") && !shell.includes("false") && shell !== "/bin/sync",
+        };
+    })
+        .filter((e) => e !== null);
+}
+/**
+ * Get only real login users (non-system, has a login shell).
+ */
+export function getLoginUsers(entries) {
+    return entries.filter((e) => e.isLoginUser && !e.isSystem);
+}
+/**
+ * Find a user by username.
+ */
+export function findUser(entries, username) {
+    return entries.find((e) => e.username === username);
+}

package/dist/parsers/shadow.d.ts

@@ -0,0 +1,23 @@
+/**
+ * /etc/shadow parser.
+ *
+ * Format: username:password:lastchanged:min:max:warn:inactive:expire:reserved
+ *
+ * SECURITY: Never log or store actual password hashes.
+ * This parser only extracts metadata, not the hash itself.
+ */
+export interface ShadowEntry {
+    username: string;
+    hasPassword: boolean;
+    locked: boolean;
+    /** Days since epoch of last password change */
+    lastChanged: number | null;
+    minDays: number | null;
+    maxDays: number | null;
+    warnDays: number | null;
+    inactiveDays: number | null;
+    expireDate: number | null;
+    /** Password hash algorithm (1=MD5, 5=SHA256, 6=SHA512, y=yescrypt) */
+    algorithm: string | null;
+}
+export declare function parseShadow(content: string): ShadowEntry[];

package/dist/parsers/shadow.js

@@ -0,0 +1,50 @@
+/**
+ * /etc/shadow parser.
+ *
+ * Format: username:password:lastchanged:min:max:warn:inactive:expire:reserved
+ *
+ * SECURITY: Never log or store actual password hashes.
+ * This parser only extracts metadata, not the hash itself.
+ */
+export function parseShadow(content) {
+    return content
+        .split("\n")
+        .filter((line) => line.trim() && !line.startsWith("#"))
+        .map((line) => {
+        const parts = line.split(":");
+        if (parts.length < 2)
+            return null;
+        const passwordField = parts[1] ?? "";
+        const locked = passwordField.startsWith("!") || passwordField.startsWith("*");
+        const hasPassword = passwordField.length > 1 && !locked && passwordField !== "!!" && passwordField !== "";
+        // Extract algorithm from $id$salt$hash format
+        let algorithm = null;
+        if (passwordField.startsWith("$")) {
+            const algoMatch = passwordField.match(/^\$(\w+)\$/);
+            if (algoMatch) {
+                const algoMap = {
+                    "1": "MD5",
+                    "5": "SHA-256",
+                    "6": "SHA-512",
+                    "y": "yescrypt",
+                    "2a": "bcrypt",
+                    "2b": "bcrypt",
+                };
+                algorithm = algoMap[algoMatch[1]] ?? algoMatch[1];
+            }
+        }
+        return {
+            username: parts[0],
+            hasPassword,
+            locked,
+            lastChanged: parts[2] ? Number(parts[2]) || null : null,
+            minDays: parts[3] ? Number(parts[3]) || null : null,
+            maxDays: parts[4] ? Number(parts[4]) || null : null,
+            warnDays: parts[5] ? Number(parts[5]) || null : null,
+            inactiveDays: parts[6] ? Number(parts[6]) || null : null,
+            expireDate: parts[7] ? Number(parts[7]) || null : null,
+            algorithm,
+        };
+    })
+        .filter((e) => e !== null);
+}

package/dist/parsers/yamlParser.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Parse YAML content into a JS object.
+ */
+export declare function parseYaml(content: string): unknown;
+/**
+ * Get a nested value from parsed YAML using dot-notation path.
+ * e.g., getYamlValue(data, "server.port") → 8080
+ */
+export declare function getYamlValue(data: unknown, path: string): unknown;
+/**
+ * List all leaf paths in a YAML structure.
+ */
+export declare function listYamlPaths(data: unknown, prefix?: string): string[];

package/dist/parsers/yamlParser.js

@@ -0,0 +1,54 @@
+import YAML from "yaml";
+/**
+ * Parse YAML content into a JS object.
+ */
+export function parseYaml(content) {
+    return YAML.parse(content);
+}
+/**
+ * Get a nested value from parsed YAML using dot-notation path.
+ * e.g., getYamlValue(data, "server.port") → 8080
+ */
+export function getYamlValue(data, path) {
+    const parts = path.split(".");
+    let current = data;
+    for (const part of parts) {
+        if (current === null || current === undefined || typeof current !== "object") {
+            return undefined;
+        }
+        current = current[part];
+    }
+    return current;
+}
+/**
+ * List all leaf paths in a YAML structure.
+ */
+export function listYamlPaths(data, prefix = "") {
+    const paths = [];
+    if (data === null || data === undefined || typeof data !== "object") {
+        return paths;
+    }
+    if (Array.isArray(data)) {
+        for (let i = 0; i < data.length; i++) {
+            const key = prefix ? `${prefix}[${i}]` : `[${i}]`;
+            if (typeof data[i] === "object" && data[i] !== null) {
+                paths.push(...listYamlPaths(data[i], key));
+            }
+            else {
+                paths.push(key);
+            }
+        }
+    }
+    else {
+        for (const [key, value] of Object.entries(data)) {
+            const fullKey = prefix ? `${prefix}.${key}` : key;
+            if (typeof value === "object" && value !== null) {
+                paths.push(...listYamlPaths(value, fullKey));
+            }
+            else {
+                paths.push(fullKey);
+            }
+        }
+    }
+    return paths;
+}

package/dist/policy/confirm.d.ts

@@ -0,0 +1,2 @@
+export declare function askForConfirmation(message: string): Promise<boolean>;
+export declare function askForChoice(message: string, choices: string[]): Promise<string | null>;

package/dist/policy/confirm.js

@@ -0,0 +1,29 @@
+import readline from "node:readline/promises";
+import { stdin as input, stdout as output } from "node:process";
+export async function askForConfirmation(message) {
+    const rl = readline.createInterface({ input, output });
+    try {
+        const answer = await rl.question(`${message} [y/N] `);
+        return /^y(es)?$/i.test(answer.trim());
+    }
+    finally {
+        rl.close();
+    }
+}
+export async function askForChoice(message, choices) {
+    const rl = readline.createInterface({ input, output });
+    try {
+        console.log(message);
+        for (let i = 0; i < choices.length; i++) {
+            console.log(`  ${i + 1}. ${choices[i]}`);
+        }
+        const answer = await rl.question("Choose (number): ");
+        const idx = Number(answer.trim()) - 1;
+        if (idx >= 0 && idx < choices.length)
+            return choices[idx];
+        return null;
+    }
+    finally {
+        rl.close();
+    }
+}

package/dist/policy/safety.d.ts

@@ -0,0 +1,4 @@
+import type { DynamicIntent } from "../types/intent.js";
+export declare function validateIntent(intent: DynamicIntent): string[];
+export declare function isDangerous(intent: DynamicIntent): boolean;
+export declare function getRiskLevel(intent: DynamicIntent): "low" | "medium" | "high";

package/dist/policy/safety.js

@@ -0,0 +1,32 @@
+import { getIntentDef } from "../utils/config.js";
+export function validateIntent(intent) {
+    const def = getIntentDef(intent.intent);
+    if (!def)
+        return [];
+    const errors = [];
+    for (const [fieldName, fieldDef] of Object.entries(def.fields)) {
+        if (fieldDef.required && intent.fields[fieldName] === undefined) {
+            errors.push(`Missing required field: ${fieldName}`);
+        }
+    }
+    // Check allowlist if defined
+    if (def.allowlist && def.allowlist.length > 0) {
+        for (const [fieldName, fieldDef] of Object.entries(def.fields)) {
+            if (fieldDef.type === "service" && intent.fields[fieldName]) {
+                const value = intent.fields[fieldName];
+                if (!def.allowlist.includes(value)) {
+                    errors.push(`${fieldName} "${value}" is not in the allowlist: ${def.allowlist.join(", ")}`);
+                }
+            }
+        }
+    }
+    return errors;
+}
+export function isDangerous(intent) {
+    const def = getIntentDef(intent.intent);
+    return def?.requiresConfirmation ?? false;
+}
+export function getRiskLevel(intent) {
+    const def = getIntentDef(intent.intent);
+    return def?.riskLevel ?? "low";
+}

package/dist/types/intent.d.ts

@@ -0,0 +1,205 @@
+import { z } from "zod";
+export declare const EnvironmentName: z.ZodEnum<["local", "dev", "staging", "prod"]>;
+export type EnvironmentName = z.infer<typeof EnvironmentName>;
+export declare const DynamicIntent: z.ZodObject<{
+    intent: z.ZodString;
+    confidence: z.ZodNumber;
+    rawText: z.ZodString;
+    fields: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+}, "strip", z.ZodTypeAny, {
+    intent: string;
+    confidence: number;
+    rawText: string;
+    fields: Record<string, unknown>;
+}, {
+    intent: string;
+    confidence: number;
+    rawText: string;
+    fields: Record<string, unknown>;
+}>;
+export type DynamicIntent = z.infer<typeof DynamicIntent>;
+export interface ParsedCommand {
+    intent: DynamicIntent;
+    missingFields: string[];
+    ambiguousFields: Array<{
+        field: string;
+        candidates: string[];
+    }>;
+    needsClarification: boolean;
+}
+export declare const FieldDef: z.ZodObject<{
+    type: z.ZodEnum<["string", "number", "service", "environment", "branch"]>;
+    required: z.ZodBoolean;
+    default: z.ZodOptional<z.ZodUnknown>;
+}, "strip", z.ZodTypeAny, {
+    type: "string" | "number" | "service" | "environment" | "branch";
+    required: boolean;
+    default?: unknown;
+}, {
+    type: "string" | "number" | "service" | "environment" | "branch";
+    required: boolean;
+    default?: unknown;
+}>;
+export type FieldDef = z.infer<typeof FieldDef>;
+export declare const IntentDef: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodString;
+    synonyms: z.ZodArray<z.ZodString, "many">;
+    fields: z.ZodRecord<z.ZodString, z.ZodObject<{
+        type: z.ZodEnum<["string", "number", "service", "environment", "branch"]>;
+        required: z.ZodBoolean;
+        default: z.ZodOptional<z.ZodUnknown>;
+    }, "strip", z.ZodTypeAny, {
+        type: "string" | "number" | "service" | "environment" | "branch";
+        required: boolean;
+        default?: unknown;
+    }, {
+        type: "string" | "number" | "service" | "environment" | "branch";
+        required: boolean;
+        default?: unknown;
+    }>>;
+    command: z.ZodString;
+    execution: z.ZodEnum<["remote", "local"]>;
+    requiresConfirmation: z.ZodBoolean;
+    riskLevel: z.ZodEnum<["low", "medium", "high"]>;
+    allowlist: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    logPaths: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    fuzzyResolve: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    examples: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    fields: Record<string, {
+        type: "string" | "number" | "service" | "environment" | "branch";
+        required: boolean;
+        default?: unknown;
+    }>;
+    name: string;
+    description: string;
+    synonyms: string[];
+    command: string;
+    execution: "local" | "remote";
+    requiresConfirmation: boolean;
+    riskLevel: "low" | "medium" | "high";
+    examples: string[];
+    allowlist?: string[] | undefined;
+    logPaths?: Record<string, string> | undefined;
+    fuzzyResolve?: string[] | undefined;
+}, {
+    fields: Record<string, {
+        type: "string" | "number" | "service" | "environment" | "branch";
+        required: boolean;
+        default?: unknown;
+    }>;
+    name: string;
+    description: string;
+    synonyms: string[];
+    command: string;
+    execution: "local" | "remote";
+    requiresConfirmation: boolean;
+    riskLevel: "low" | "medium" | "high";
+    examples: string[];
+    allowlist?: string[] | undefined;
+    logPaths?: Record<string, string> | undefined;
+    fuzzyResolve?: string[] | undefined;
+}>;
+export type IntentDef = z.infer<typeof IntentDef>;
+export declare const IntentsConfig: z.ZodObject<{
+    intents: z.ZodArray<z.ZodObject<{
+        name: z.ZodString;
+        description: z.ZodString;
+        synonyms: z.ZodArray<z.ZodString, "many">;
+        fields: z.ZodRecord<z.ZodString, z.ZodObject<{
+            type: z.ZodEnum<["string", "number", "service", "environment", "branch"]>;
+            required: z.ZodBoolean;
+            default: z.ZodOptional<z.ZodUnknown>;
+        }, "strip", z.ZodTypeAny, {
+            type: "string" | "number" | "service" | "environment" | "branch";
+            required: boolean;
+            default?: unknown;
+        }, {
+            type: "string" | "number" | "service" | "environment" | "branch";
+            required: boolean;
+            default?: unknown;
+        }>>;
+        command: z.ZodString;
+        execution: z.ZodEnum<["remote", "local"]>;
+        requiresConfirmation: z.ZodBoolean;
+        riskLevel: z.ZodEnum<["low", "medium", "high"]>;
+        allowlist: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        logPaths: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        fuzzyResolve: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        examples: z.ZodArray<z.ZodString, "many">;
+    }, "strip", z.ZodTypeAny, {
+        fields: Record<string, {
+            type: "string" | "number" | "service" | "environment" | "branch";
+            required: boolean;
+            default?: unknown;
+        }>;
+        name: string;
+        description: string;
+        synonyms: string[];
+        command: string;
+        execution: "local" | "remote";
+        requiresConfirmation: boolean;
+        riskLevel: "low" | "medium" | "high";
+        examples: string[];
+        allowlist?: string[] | undefined;
+        logPaths?: Record<string, string> | undefined;
+        fuzzyResolve?: string[] | undefined;
+    }, {
+        fields: Record<string, {
+            type: "string" | "number" | "service" | "environment" | "branch";
+            required: boolean;
+            default?: unknown;
+        }>;
+        name: string;
+        description: string;
+        synonyms: string[];
+        command: string;
+        execution: "local" | "remote";
+        requiresConfirmation: boolean;
+        riskLevel: "low" | "medium" | "high";
+        examples: string[];
+        allowlist?: string[] | undefined;
+        logPaths?: Record<string, string> | undefined;
+        fuzzyResolve?: string[] | undefined;
+    }>, "many">;
+}, "strip", z.ZodTypeAny, {
+    intents: {
+        fields: Record<string, {
+            type: "string" | "number" | "service" | "environment" | "branch";
+            required: boolean;
+            default?: unknown;
+        }>;
+        name: string;
+        description: string;
+        synonyms: string[];
+        command: string;
+        execution: "local" | "remote";
+        requiresConfirmation: boolean;
+        riskLevel: "low" | "medium" | "high";
+        examples: string[];
+        allowlist?: string[] | undefined;
+        logPaths?: Record<string, string> | undefined;
+        fuzzyResolve?: string[] | undefined;
+    }[];
+}, {
+    intents: {
+        fields: Record<string, {
+            type: "string" | "number" | "service" | "environment" | "branch";
+            required: boolean;
+            default?: unknown;
+        }>;
+        name: string;
+        description: string;
+        synonyms: string[];
+        command: string;
+        execution: "local" | "remote";
+        requiresConfirmation: boolean;
+        riskLevel: "low" | "medium" | "high";
+        examples: string[];
+        allowlist?: string[] | undefined;
+        logPaths?: Record<string, string> | undefined;
+        fuzzyResolve?: string[] | undefined;
+    }[];
+}>;
+export type IntentsConfig = z.infer<typeof IntentsConfig>;

package/dist/types/intent.js

@@ -0,0 +1,32 @@
+import { z } from "zod";
+export const EnvironmentName = z.enum(["local", "dev", "staging", "prod"]);
+// Dynamic intent — fields come from config, not hardcoded schemas
+export const DynamicIntent = z.object({
+    intent: z.string(),
+    confidence: z.number().min(0).max(1),
+    rawText: z.string(),
+    fields: z.record(z.unknown()),
+});
+// Intent definition loaded from config/intents.json
+export const FieldDef = z.object({
+    type: z.enum(["string", "number", "service", "environment", "branch"]),
+    required: z.boolean(),
+    default: z.unknown().optional(),
+});
+export const IntentDef = z.object({
+    name: z.string(),
+    description: z.string(),
+    synonyms: z.array(z.string()),
+    fields: z.record(FieldDef),
+    command: z.string(),
+    execution: z.enum(["remote", "local"]),
+    requiresConfirmation: z.boolean(),
+    riskLevel: z.enum(["low", "medium", "high"]),
+    allowlist: z.array(z.string()).optional(),
+    logPaths: z.record(z.string()).optional(),
+    fuzzyResolve: z.array(z.string()).optional(),
+    examples: z.array(z.string()),
+});
+export const IntentsConfig = z.object({
+    intents: z.array(IntentDef),
+});