perplexity-user-mcp 0.8.36

package/dist/chunk-HMKLWVXB.mjs

@@ -0,0 +1,109 @@
+// src/redact.js
+var SECRET_PATTERNS = Object.freeze([
+  // OAuth / local prefixes come FIRST so a value like `"bearer":"pplx_at_…"`
+  // gets the specific oauth-access tag instead of the generic daemon-bearer
+  // one from the bearer-json catchall below.
+  { name: "oauth-access", kind: "oauth-access", re: /pplx_at_[A-Za-z0-9_\-]{10,}/g },
+  { name: "oauth-refresh", kind: "oauth-refresh", re: /pplx_rt_[A-Za-z0-9_\-]{10,}/g },
+  { name: "oauth-code", kind: "oauth-code", re: /pplx_ac_[A-Za-z0-9_\-]{10,}/g },
+  { name: "local-bearer", kind: "local-bearer", re: /pplx_local_[a-z0-9-]+_[A-Za-z0-9_\-]{10,}/g },
+  { name: "daemon-bearer-json", kind: "daemon-bearer", re: /"bearerToken"\s*:\s*"[A-Za-z0-9_\-]{30,}"/g },
+  // Matches the `"bearer":"..."` shape used by daemon:bearer:reveal:response
+  // so reveal-payload logs stay leak-free. Value is only required to be
+  // 20+ safe-identifier chars — covers both raw daemon bearers and future
+  // short-lived tokens.
+  { name: "bearer-json", kind: "daemon-bearer", re: /"bearer"\s*:\s*"[A-Za-z0-9_\-]{20,}"/g },
+  { name: "authorization-header", kind: "bearer-header", re: /[Aa]uthorization\s*:\s*Bearer\s+[A-Za-z0-9_\-\.]{20,}/g },
+  { name: "ngrok-authtoken", kind: "ngrok-authtoken", re: /"authtoken"\s*:\s*"\d+[A-Za-z0-9]{20,}"/g },
+  { name: "jwt", kind: "jwt", re: /eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+/g },
+  { name: "cf-clearance", kind: "cf-clearance", re: /cf_clearance=[^;\s]+/g },
+  { name: "perplexity-session", kind: "perplexity-session", re: /__Secure-next-auth\.session-token=[^;\s]+/g }
+]);
+function redactSecrets(input) {
+  if (typeof input !== "string") return input;
+  let out = input;
+  for (const { re, kind } of SECRET_PATTERNS) {
+    out = out.replace(re, (match) => {
+      if (match.startsWith('"bearerToken"')) return `"bearerToken":"<redacted:${kind}>"`;
+      if (match.startsWith('"bearer"')) return `"bearer":"<redacted:${kind}>"`;
+      if (/^[Aa]uthorization\s*:/i.test(match)) return match.replace(/Bearer\s+[A-Za-z0-9_\-\.]{20,}/, `Bearer <redacted:${kind}>`);
+      if (match.startsWith('"authtoken"')) return `"authtoken":"<redacted:${kind}>"`;
+      if (match.startsWith("cf_clearance=")) return `cf_clearance=<redacted:${kind}>`;
+      if (match.startsWith("__Secure-next-auth.session-token=")) return `__Secure-next-auth.session-token=<redacted:${kind}>`;
+      return `<redacted:${kind}>`;
+    });
+  }
+  return out;
+}
+var PATTERNS = [
+  // Emails: RFC 5322 subset. Must come before generic token rules because
+  // emails contain characters that other rules would catch.
+  {
+    re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+    replace: "<email>"
+  },
+  // Perplexity user IDs: user_ followed by hex/alphanum (>=8 chars).
+  {
+    re: /\buser_[A-Fa-f0-9]{8,}\b/g,
+    replace: "<userId>"
+  },
+  // Home directory paths. Must replace before the "long opaque token" rule
+  // because long path segments would otherwise trip it.
+  {
+    re: /(\/Users\/|\/home\/)[^/\s]+/g,
+    replace: "<home>"
+  },
+  {
+    re: /([A-Z]:)\\Users\\[^\\]+/g,
+    replace: "<home>"
+  },
+  // IPv4
+  {
+    re: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+    replace: "<ip>"
+  },
+  // IPv6. Three alternations cover: (1) full 8-group addresses, (2) :: compressed
+  // forms with at least one prefix group (e.g. 2001:db8::1, fe80::1), (3) leading-::
+  // forms like ::1 and ::. A function filter then requires hex letters (a-f/A-F) OR
+  // a double-colon so that pure-digit colon-separated strings like "23:59:59"
+  // (HH:MM:SS wall-clock) and ISO timestamps are left untouched.
+  {
+    re: /\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b|\b(?:[0-9a-fA-F]{1,4}:){1,7}:(?:[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{1,4}){0,6})?\b|(?<!\w)::(?:[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{1,4}){0,6})?(?!\w)/g,
+    replace: (match) => {
+      const hasHex = /[a-fA-F]/.test(match);
+      const hasDoubleColon = /::/.test(match);
+      return hasHex || hasDoubleColon ? "<ip>" : match;
+    }
+  },
+  // Long opaque tokens (base64 / hex, >=20 chars). Applied last so more
+  // specific rules win first. Captures key=value and replaces only the value.
+  {
+    re: /=([A-Za-z0-9+/=]{20,})/g,
+    replace: "=<redacted>"
+  }
+];
+function redact(value, _seen) {
+  if (value == null) return value;
+  if (typeof value === "string") return redactString(value);
+  if (typeof value !== "object") return value;
+  const seen = _seen ?? /* @__PURE__ */ new WeakSet();
+  if (seen.has(value)) return "<circular>";
+  seen.add(value);
+  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
+  const out = {};
+  for (const [k, v] of Object.entries(value)) out[k] = redact(v, seen);
+  return out;
+}
+function redactString(s) {
+  let out = redactSecrets(s);
+  for (const { re, replace } of PATTERNS) {
+    out = out.replace(re, replace);
+  }
+  return out;
+}
+
+export {
+  SECRET_PATTERNS,
+  redactSecrets,
+  redact
+};

package/dist/chunk-HTUAQRKH.mjs

@@ -0,0 +1,125 @@
+import {
+  safeAtomicWriteFileSync
+} from "./chunk-MTDFKNXX.mjs";
+import {
+  getConfigDir
+} from "./chunk-XKSWCEGI.mjs";
+
+// src/daemon/token.ts
+import { randomBytes } from "crypto";
+import { spawnSync } from "child_process";
+import { chmodSync, existsSync, mkdirSync, readFileSync } from "fs";
+import { dirname, join } from "path";
+function getTokenPath(configDir = getConfigDir()) {
+  return join(configDir, "daemon.token");
+}
+function generateBearerToken() {
+  return randomBytes(32).toString("base64url");
+}
+function readToken(options = {}) {
+  const tokenPath = options.tokenPath ?? getTokenPath();
+  if (!existsSync(tokenPath)) {
+    return null;
+  }
+  const parsed = JSON.parse(readFileSync(tokenPath, "utf8"));
+  return normalizeRecord(parsed);
+}
+function ensureToken(options = {}) {
+  const existing = readToken(options);
+  if (existing) {
+    return existing;
+  }
+  const now = (options.now ?? defaultNow)();
+  const record = {
+    bearerToken: generateBearerToken(),
+    version: 1,
+    createdAt: now,
+    rotatedAt: now
+  };
+  writeToken(record, options);
+  return record;
+}
+function rotateToken(options = {}) {
+  const previous = readToken(options);
+  const now = (options.now ?? defaultNow)();
+  const record = {
+    bearerToken: generateBearerToken(),
+    version: (previous?.version ?? 0) + 1,
+    createdAt: previous?.createdAt ?? now,
+    rotatedAt: now
+  };
+  writeToken(record, options);
+  return record;
+}
+function writeToken(record, options = {}) {
+  const tokenPath = options.tokenPath ?? getTokenPath();
+  const normalized = normalizeRecord(record);
+  mkdirSync(dirname(tokenPath), { recursive: true });
+  safeAtomicWriteFileSync(tokenPath, JSON.stringify(normalized, null, 2) + "\n", { encoding: "utf8", mode: 384 });
+  applyPrivatePermissions(tokenPath);
+}
+function normalizeRecord(value) {
+  if (!value || typeof value !== "object") {
+    throw new Error("Daemon token file must contain a JSON object.");
+  }
+  const record = value;
+  if (typeof record.bearerToken !== "string" || record.bearerToken.length === 0) {
+    throw new Error("Daemon token file field 'bearerToken' must be a non-empty string.");
+  }
+  if (!Number.isInteger(record.version) || Number(record.version) <= 0) {
+    throw new Error("Daemon token file field 'version' must be a positive integer.");
+  }
+  if (typeof record.createdAt !== "string" || record.createdAt.length === 0) {
+    throw new Error("Daemon token file field 'createdAt' must be a non-empty string.");
+  }
+  if (typeof record.rotatedAt !== "string" || record.rotatedAt.length === 0) {
+    throw new Error("Daemon token file field 'rotatedAt' must be a non-empty string.");
+  }
+  return {
+    bearerToken: record.bearerToken,
+    version: Number(record.version),
+    createdAt: record.createdAt,
+    rotatedAt: record.rotatedAt
+  };
+}
+function applyPrivatePermissions(tokenPath) {
+  if (process.platform === "win32") {
+    restrictWindowsAcl(tokenPath);
+    return;
+  }
+  chmodSync(tokenPath, 384);
+}
+function restrictWindowsAcl(tokenPath) {
+  const username = getWindowsUserName();
+  const grantTarget = `${username}:(R,W)`;
+  const result = spawnSync("icacls", [tokenPath, "/inheritance:r", "/grant:r", grantTarget], {
+    encoding: "utf8",
+    windowsHide: true
+  });
+  if (result.status !== 0) {
+    const detail = [result.stdout, result.stderr].filter(Boolean).join("\n").trim();
+    throw new Error(`Failed to restrict daemon token ACL via icacls.${detail ? ` ${detail}` : ""}`);
+  }
+}
+function getWindowsUserName() {
+  const username = process.env.USERNAME;
+  const domain = process.env.USERDOMAIN;
+  if (domain && username) {
+    return `${domain}\\${username}`;
+  }
+  if (username) {
+    return username;
+  }
+  throw new Error("Unable to resolve Windows username for daemon token ACL.");
+}
+function defaultNow() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+
+export {
+  getTokenPath,
+  generateBearerToken,
+  readToken,
+  ensureToken,
+  rotateToken
+};

package/dist/chunk-HU5B4FXS.mjs

@@ -0,0 +1,139 @@
+// src/session-metadata.js
+var API_VERSION_QUERY = "version=2.18&source=default";
+function buildRuntimeEndpoints(origin) {
+  const base = origin.replace(/\/+$/, "");
+  return {
+    session: `${base}/api/auth/session?${API_VERSION_QUERY}`,
+    csrf: `${base}/api/auth/csrf?${API_VERSION_QUERY}`,
+    signInEmail: `${base}/api/auth/signin/email?${API_VERSION_QUERY}`,
+    otpRedirectLink: `${base}/api/auth/otp-redirect-link`,
+    ssoDetails: `${base}/rest/enterprise/organization/login/details?${API_VERSION_QUERY}`,
+    models: `${base}/rest/models/config?config_schema=v1&${API_VERSION_QUERY}`,
+    asi: `${base}/rest/billing/asi-access-decision?${API_VERSION_QUERY}`,
+    rateLimits: `${base}/rest/rate-limit/status?${API_VERSION_QUERY}`,
+    experiments: `${base}/rest/experiments/attributes?${API_VERSION_QUERY}`,
+    userInfo: `${base}/rest/user/info?${API_VERSION_QUERY}`
+  };
+}
+async function pageRequest(page, url, init = {}) {
+  return page.evaluate(async ({ url: target, init: requestInit }) => {
+    try {
+      const response = await fetch(target, {
+        credentials: "include",
+        ...requestInit
+      });
+      const contentType = response.headers.get("content-type") ?? "";
+      let json = null;
+      let text = null;
+      try {
+        if (contentType.includes("json")) json = await response.json();
+        else text = (await response.text()).slice(0, 500);
+      } catch {
+      }
+      return {
+        ok: response.ok,
+        status: response.status,
+        redirected: response.redirected,
+        url: response.url,
+        contentType,
+        json,
+        text
+      };
+    } catch (error) {
+      return {
+        ok: false,
+        status: 0,
+        redirected: false,
+        url: target,
+        contentType: "",
+        json: null,
+        text: null,
+        error: error?.message ?? String(error)
+      };
+    }
+  }, { url, init });
+}
+async function pollSession(page, sessionUrl, { timeoutMs = 1e4, intervalMs = 500 } = {}) {
+  const started = Date.now();
+  while (Date.now() - started < timeoutMs) {
+    const sessionResp = await pageRequest(page, sessionUrl);
+    if (sessionResp.ok && sessionResp.json?.user?.id) {
+      return sessionResp.json;
+    }
+    await page.waitForTimeout(intervalMs);
+  }
+  return null;
+}
+function deriveAccountFlags({ experiments, userInfo, asi }) {
+  const isEnterprise = userInfo?.is_enterprise === true || experiments?.server_is_enterprise === true;
+  const isMax = experiments?.server_is_max === true;
+  const canUseComputer = asi?.can_use_computer ?? false;
+  const isPro = experiments?.server_is_pro === true || canUseComputer && !isMax && !isEnterprise;
+  return { isPro, isMax, isEnterprise, canUseComputer };
+}
+function deriveTier(payload) {
+  const { isPro, isMax, isEnterprise } = deriveAccountFlags(payload);
+  if (isMax) return "Max";
+  if (isEnterprise) return "Enterprise";
+  if (isPro) return "Pro";
+  return "Authenticated";
+}
+async function collectSessionMetadata(page, origin, opts = {}) {
+  const endpoints = buildRuntimeEndpoints(origin);
+  const sessionData = opts.sessionData ?? await pollSession(page, endpoints.session, { timeoutMs: opts.sessionTimeoutMs ?? 1e4 });
+  if (!sessionData?.user?.id) {
+    return {
+      sessionData: null,
+      models: null,
+      asi: null,
+      rateLimits: null,
+      experiments: null,
+      userInfo: null,
+      tier: "Authenticated",
+      cache: {
+        modelsConfig: null,
+        rateLimits: null,
+        isPro: false,
+        isMax: false,
+        isEnterprise: false,
+        canUseComputer: false
+      }
+    };
+  }
+  const [modelsResp, asiResp, rateResp, expResp, userInfoResp] = await Promise.all([
+    pageRequest(page, endpoints.models),
+    pageRequest(page, endpoints.asi),
+    pageRequest(page, endpoints.rateLimits),
+    pageRequest(page, endpoints.experiments),
+    pageRequest(page, endpoints.userInfo)
+  ]);
+  const payload = {
+    experiments: expResp.ok ? expResp.json : null,
+    userInfo: userInfoResp.ok ? userInfoResp.json : null,
+    asi: asiResp.ok ? asiResp.json : null
+  };
+  const flags = deriveAccountFlags(payload);
+  return {
+    sessionData,
+    models: modelsResp.ok ? modelsResp.json : null,
+    asi: asiResp.ok ? asiResp.json : null,
+    rateLimits: rateResp.ok ? rateResp.json : null,
+    experiments: expResp.ok ? expResp.json : null,
+    userInfo: userInfoResp.ok ? userInfoResp.json : null,
+    tier: deriveTier(payload),
+    cache: {
+      modelsConfig: modelsResp.ok ? modelsResp.json : null,
+      rateLimits: rateResp.ok ? rateResp.json : null,
+      isPro: flags.isPro,
+      isMax: flags.isMax,
+      isEnterprise: flags.isEnterprise,
+      canUseComputer: flags.canUseComputer
+    }
+  };
+}
+
+export {
+  buildRuntimeEndpoints,
+  pageRequest,
+  collectSessionMetadata
+};