ogment 0.2.0 → 0.2.1

package/dist/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAsBH,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,SAAS,EAAE,CAAC;CACnB;AAiCD,wBAAgB,eAAe,IAAI,iBAAiB,GAAG,IAAI,CAI1D;AASD,wBAAgB,iBAAiB,SAIhC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,sBAMjC;AAoED,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,iBAoB7F;AAgID;;;;;;;;GAQG;AACH,wBAAsB,KAAK,+BA8D1B"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAuBH,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,IAAI,EAAE,SAAS,EAAE,CAAC;CACnB;AAiCD,wBAAgB,eAAe,IAAI,iBAAiB,GAAG,IAAI,CAgB1D;AAeD,wBAAgB,iBAAiB,SAIhC;AAED;;GAEG;AACH,wBAAgB,kBAAkB,sBAMjC;AAoED,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,iBAoB7F;AA6ID;;;;;;;;GAQG;AACH,wBAAsB,KAAK,+BA6D1B"}

package/dist/auth.js

@@ -11,7 +11,7 @@
  *   7. Store credentials locally
  */
 import { createHash, randomBytes } from 'node:crypto';
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
+import { existsSync, lstatSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
 import { createServer } from 'node:http';
 import open from 'open';
 import { CLI_CLIENT_NAME, CLI_REDIRECT_HOST, CONFIG_DIR, CREDENTIALS_PATH, OAUTH_AUTHORIZE_URL, OAUTH_REGISTER_URL, OAUTH_REVOKE_URL, OAUTH_TOKEN_URL, } from './config.js';
@@ -31,10 +31,22 @@ export function loadCredentials() {
     if (!existsSync(CREDENTIALS_PATH))
         return null;
     const raw = readFileSync(CREDENTIALS_PATH, 'utf-8');
-    return JSON.parse(raw);
+    const parsed = JSON.parse(raw);
+    // Basic shape validation — corrupted files are treated as "not logged in"
+    if (typeof parsed.accessToken !== 'string' || !parsed.accessToken ||
+        typeof parsed.clientId !== 'string' || !parsed.clientId ||
+        !Array.isArray(parsed.orgs)) {
+        unlinkSync(CREDENTIALS_PATH);
+        return null;
+    }
+    return parsed;
 }
 function saveCredentials(creds) {
     mkdirSync(CONFIG_DIR, { recursive: true });
+    // Prevent symlink attacks — don't follow symlinks when writing credentials
+    if (existsSync(CREDENTIALS_PATH) && lstatSync(CREDENTIALS_PATH).isSymbolicLink()) {
+        unlinkSync(CREDENTIALS_PATH);
+    }
     writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), {
         mode: 0o600, // owner read/write only
     });
@@ -128,9 +140,26 @@ export async function revokeToken(token, clientId, clientSecret) {
  * Starts a temporary HTTP server on a random port, waits for the OAuth
  * callback, and returns the authorization code.
  */
-function waitForAuthCallback(port) {
+/**
+ * Start a callback server on an OS-assigned port.
+ * Port 0 = OS assigns a free port atomically (no TOCTOU race).
+ */
+function startCallbackServerWithPort() {
+    return new Promise((resolve) => {
+        const server = createServer();
+        server.listen(0, CLI_REDIRECT_HOST, () => {
+            const addr = server.address();
+            resolve({ server, port: addr.port });
+        });
+    });
+}
+/**
+ * Wait for the OAuth callback on an already-listening server.
+ * Returns the authorization code and state.
+ */
+function waitForCallback(server, port) {
     return new Promise((resolve, reject) => {
-        const server = createServer((req, res) => {
+        server.on('request', (req, res) => {
             const url = new URL(req.url ?? '/', `http://${CLI_REDIRECT_HOST}:${port}`);
             if (url.pathname !== '/callback') {
                 res.writeHead(404);
@@ -159,9 +188,6 @@ function waitForAuthCallback(port) {
             server.close();
             resolve({ code, state });
         });
-        server.listen(port, CLI_REDIRECT_HOST, () => {
-            // Server is ready
-        });
         // Timeout after 5 minutes (unref so it doesn't block process exit)
         const timeout = setTimeout(() => {
             server.close();
@@ -170,14 +196,14 @@ function waitForAuthCallback(port) {
         timeout.unref();
     });
 }
-function getRandomPort() {
-    // Use port 0 to let OS assign, but we need to know the port before starting.
-    // Instead, pick from ephemeral range.
-    return 49152 + Math.floor(Math.random() * 16384);
-}
 // ---------------------------------------------------------------------------
-// HTML pages for the callback
+// HTML helpers
 // ---------------------------------------------------------------------------
+function escapeHtml(str) {
+    if (!str)
+        return '';
+    return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
 function successPage() {
     return `<!DOCTYPE html>
 <html lang="en">
@@ -224,8 +250,8 @@ function errorPage(error, description) {
   <div class="card">
     <div class="icon">&#x26A0;&#xFE0F;</div>
     <h1>Login failed</h1>
-    <p>${description ?? 'Something went wrong during authentication.'}</p>
-    <p class="error">${error}</p>
+    <p>${escapeHtml(description) || 'Something went wrong during authentication.'}</p>
+    <p class="error">${escapeHtml(error)}</p>
   </div>
 </body>
 </html>`;
@@ -247,14 +273,15 @@ export async function login() {
     if (existing?.accessToken) {
         return existing;
     }
-    const port = getRandomPort();
+    // Step 1 — Start callback server (OS assigns port atomically — no race)
+    const { server: callbackServer, port } = await startCallbackServerWithPort();
     const redirectUri = `http://${CLI_REDIRECT_HOST}:${port}/callback`;
-    // Step 1 — Register as OAuth client
+    // Step 2 — Register as OAuth client (needs redirect URI with real port)
     const client = await registerClient(redirectUri);
-    // Step 2 — Generate PKCE pair
+    // Step 3 — Generate PKCE pair
     const codeVerifier = generateCodeVerifier();
     const codeChallenge = generateCodeChallenge(codeVerifier);
-    // Step 3 — Build authorization URL (no resource — server-less login)
+    // Step 4 — Build authorization URL (no resource — server-less login)
     const state = randomBytes(16).toString('hex');
     const authorizeUrl = new URL(OAUTH_AUTHORIZE_URL);
     authorizeUrl.searchParams.set('client_id', client.client_id);
@@ -263,11 +290,10 @@ export async function login() {
     authorizeUrl.searchParams.set('code_challenge', codeChallenge);
     authorizeUrl.searchParams.set('code_challenge_method', 'S256');
     authorizeUrl.searchParams.set('state', state);
-    // Step 4 — Start callback server, then open browser
-    const callbackPromise = waitForAuthCallback(port);
+    // Step 5 — Open browser, wait for callback
+    const codePromise = waitForCallback(callbackServer, port);
     await open(authorizeUrl.toString());
-    // Step 5 — Wait for callback
-    const { code, state: returnedState } = await callbackPromise;
+    const { code, state: returnedState } = await codePromise;
     if (returnedState !== state) {
         throw new Error('OAuth state mismatch — possible CSRF attack.');
     }

package/dist/commands/call.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"call.d.ts","sourceRoot":"","sources":["../../src/commands/call.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,wBAAsB,WAAW,CAC/B,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,iBA6B7B"}
+{"version":3,"file":"call.d.ts","sourceRoot":"","sources":["../../src/commands/call.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,wBAAsB,WAAW,CAC/B,UAAU,EAAE,MAAM,EAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,iBAoC7B"}

package/dist/commands/call.js

@@ -20,7 +20,15 @@ export async function callCommand(serverPath, toolName, argsJson) {
         const available = allServers.map((s) => s.path).join(', ');
         throw new Error(`Server "${serverPath}" not found. Available: ${available || 'none'}`);
     }
-    const args = argsJson ? JSON.parse(argsJson) : {};
+    let args = {};
+    if (argsJson) {
+        try {
+            args = JSON.parse(argsJson);
+        }
+        catch {
+            throw new Error(`Invalid JSON arguments: ${argsJson}`);
+        }
+    }
     const result = await callTool(server.orgSlug, serverPath, creds.accessToken, toolName, args);
     console.log(JSON.stringify(result, null, 2));
 }

package/dist/config.d.ts

@@ -19,5 +19,5 @@ export declare const CONFIG_DIR: string;
 export declare const CREDENTIALS_PATH: string;
 export declare const CLI_CLIENT_NAME = "Ogment CLI";
 export declare const CLI_REDIRECT_HOST = "127.0.0.1";
-export declare const VERSION = "0.1.0";
+export declare const VERSION = "0.2.1";
 //# sourceMappingURL=config.d.ts.map

package/dist/config.js

@@ -33,4 +33,4 @@ export const CLI_REDIRECT_HOST = '127.0.0.1';
 // ---------------------------------------------------------------------------
 // Version
 // ---------------------------------------------------------------------------
-export const VERSION = '0.1.0';
+export const VERSION = '0.2.1';

package/dist/mcp-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-client.d.ts","sourceRoot":"","sources":["../src/mcp-client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,iBAAiB;IACzB,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC1C,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAiDD,qDAAqD;AACrD,wBAAsB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,sBAKlF;AAED,qDAAqD;AACrD,wBAAsB,QAAQ,CAC5B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,8BAM9B"}
+{"version":3,"file":"mcp-client.d.ts","sourceRoot":"","sources":["../src/mcp-client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,UAAU,iBAAiB;IACzB,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC1C,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAmDD,qDAAqD;AACrD,wBAAsB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,sBAKlF;AAED,qDAAqD;AACrD,wBAAsB,QAAQ,CAC5B,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,8BAM9B"}

package/dist/mcp-client.js

@@ -26,7 +26,9 @@ async function mcpRequest(orgSlug, serverPath, token, method, params) {
     });
     if (!res.ok) {
         const text = await res.text();
-        throw new Error(`MCP request failed (${res.status}): ${text}`);
+        // Truncate error bodies to avoid leaking server internals into agent logs
+        const sanitized = text.length > 200 ? text.slice(0, 200) + '…' : text;
+        throw new Error(`MCP request failed (${res.status}): ${sanitized}`);
     }
     const json = (await res.json());
     if ('error' in json && json.error) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ogment",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Ogment Vault CLI — secure your AI agents' SaaS credentials",
   "type": "module",
   "bin": {