rentman-cli 2.0.0

package/.env.example

@@ -0,0 +1,39 @@
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Rentman CLI - Environment Variables Template
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# 
+# 📝 NOTE: CLI uses local Conf storage for user identity
+# These environment variables are OPTIONAL and mainly for CI/CD
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+# Supabase Configuration (Public - safe to include)
+SUPABASE_URL=https://uoekolfgbbmvhzsfkjef.supabase.co
+SUPABASE_ANON_KEY=
+
+# Agent Gateway Endpoint
+# Production:
+AGENT_GATEWAY_URL=https://agent-gateway-1021032187840.us-central1.run.app/v1
+
+# Development (uncomment for local testing):
+# AGENT_GATEWAY_URL=http://localhost:3001/v1
+
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Optional: Override Identity Storage
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# By default, CLI stores identity in ~/.config/rentman/
+# Set these ONLY for CI/CD environments or automation
+
+# RENTMAN_AGENT_ID=your_agent_id
+# RENTMAN_SECRET_KEY=your_secret_key_base64
+
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Optional: API Key Authentication (Alternative to NACL)
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Use API keys for bots/automation that don't need cryptographic signing
+# RENTMAN_API_KEY=sk_live_your_api_key_here
+
+# Logging
+LOG_LEVEL=info
+
+# Environment
+NODE_ENV=production

package/CLI_PRODUCTION_ANALYSIS.md

@@ -0,0 +1,510 @@
+# CLI Production Readiness - Deep Analysis
+
+## 🚨 CRITICAL SECURITY ISSUES IDENTIFIED
+
+### 1. **SEVERE: Private Keys in Repository**
+**File:** `rentman_identity.json`  
+**Risk Level:** 🔴 **CRITICAL**
+
+```json
+{
+  "agent_id": "55ea7c98-132d-450b-8712-4f369d763261",
+  "public_agent_id": "agent_test_01",
+  "public_key": "gSb/s2pRwPO9puI9U2OnfbHukoAlPogOcqOJtsKgbhA=",
+  "secret_key": "M5v+5WgwJgDZVwpcwOJbmuw/UKeXpIqZ3BiipCY5y2GBJv+zalHA872m4j1TY6d9se6SgCU+iA5yo4m2wqBuEA==",
+  "owner_id": null,
+  "api_url": "https://uoekolfgbbmvhzsfkjef.supabase.co"
+}
+```
+
+**Impact:**
+- Anyone with repo access can impersonate this agent
+- Compromises entire agent identity system
+- Violates cryptographic security principles
+
+**Solution:**
+✅ DELETE this file immediately  
+✅ Move to `~/.config/rentman/identity.json` (user's home)  
+✅ Add `rentman_identity.json` to `.gitignore`  
+✅ Use `Conf` library (already installed) for storage
+
+---
+
+### 2. **SEVERE: Hardcoded Supabase Anon Key**
+**Files:** `init.js`, `listen.js`, `login-v2.js`, `post-mission.js`  
+**Risk Level:** 🔴 **CRITICAL**
+
+Found in **4 files**:
+```javascript
+const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' // 4 instances!
+```
+
+**Impact:**
+- Anon key exposed in public code
+- Cannot rotate keys without code changes
+- All users share same key (no isolation)
+
+**Solution:**
+✅ Move to `.env` file  
+✅ Use environment variables: `process.env.SUPABASE_ANON_KEY`  
+✅ Remove all hardcoded instances  
+✅ Provide `.env.example` template
+
+---
+
+### 3. **HIGH: Insecure Identity Storage**
+**File:** `init.js` line 10  
+**Risk Level:** 🟠 **HIGH**
+
+```javascript
+const IDENTITY_FILE = path.join(process.cwd(), 'rentman_identity.json');
+```
+
+**Impact:**
+- Identity stored in current working directory
+- Easily committed to git by accident
+- Not portable across projects
+
+**Solution:**
+✅ Use OS-specific user directory  
+✅ Leverage `Conf` library (already installed)  
+✅ Store in `~/.config/rentman/` (Linux/Mac) or `AppData` (Windows)
+
+---
+
+## 🏗️ ARCHITECTURAL ISSUES
+
+### 1. **Direct Supabase Access (Bypassing Gateway)**
+**File:** `post-mission.js` line 130  
+**Issue:** CLI talks directly to Supabase instead of Agent Gateway
+
+```javascript
+const supabase = createClient(SUPABASE_URL, supabaseKey);
+const { data, error } = await supabase.from('tasks').insert(taskWithAgent);
+```
+
+**Problems:**
+- Bypasses agent-gateway's authentication
+- No NACL signature validation
+- No rate limiting
+- No audit trail
+- Defeats DMZ architecture
+
+**Solution:**
+✅ Use `apiRequest()` to talk to `/v1/market/tasks`  
+✅ Generate NACL signature for request  
+✅ Let gateway handle database operations  
+✅ Unified architecture (all agents → gateway → database)
+
+---
+
+### 2. **Duplicate Login Commands**
+**Files:** `login.js` and `login-v2.js`  
+**Issue:** Two commands doing similar things
+
+**Problems:**
+- Confusing UX (which one to use?)
+- Code duplication
+- Inconsistent behavior
+
+**Solution:**
+✅ Consolidate into single `init` command  
+✅ Remove redundant login commands  
+✅ Use `init` for KYA + identity generation  
+✅ Use `config` for managing settings
+
+---
+
+### 3. **Missing Legal Compliance**
+**Issue:** No way to view Terms/Privacy Policy from CLI
+
+**Impact:**
+- Non-compliant with app store requirements
+- Users can't access legal docs
+- Inconsistent with mobile/dashboard apps
+
+**Solution:**
+✅ Add `rentman legal` command  
+✅ Link to existing HTML documents  
+✅ Show in terminal or open browser
+
+---
+
+## 📊 CODE QUALITY ANALYSIS
+
+### Current State: **Prototype**
+
+| Aspect | Status | Grade |
+|--------|--------|-------|
+| Security | 🔴 Critical Issues | F |
+| Architecture | 🟠 Needs Refactor | D |
+| UX | 🟡 Usable but confusing | C |
+| Documentation | 🟢 README exists | B |
+| Testing | 🔴 No tests | F |
+| Code Style | 🟡 Inconsistent | C |
+
+---
+
+## 🔧 DETAILED REFACTORING PLAN
+
+### Phase 1: Security Fixes (CRITICAL - 1 day)
+
+#### 1.1 Remove Hardcoded Secrets
+```bash
+# Files to modify:
+- src/commands/init.js
+- src/commands/listen.js
+- src/commands/login-v2.js
+- src/commands/post-mission.js
+- src/lib/config.js
+```
+
+**Changes:**
+```javascript
+// BEFORE (❌ INSECURE):
+const SUPABASE_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';
+
+// AFTER (✅ SECURE):
+const SUPABASE_KEY = process.env.SUPABASE_ANON_KEY;
+if (!SUPABASE_KEY) {
+  console.error('ERROR: SUPABASE_ANON_KEY not set');
+  process.exit(1);
+}
+```
+
+#### 1.2 Migrate Identity Storage
+```javascript
+// BEFORE (❌ INSECURE):
+const IDENTITY_FILE = path.join(process.cwd(), 'rentman_identity.json');
+
+// AFTER (✅ SECURE):
+const Conf = require('conf');
+const config = new Conf({ projectName: 'rentman' });
+
+// Save identity
+config.set('agent_id', agentId);
+config.set('secret_key', secretKey);
+config.set('public_key', publicKey);
+
+// Location: ~/.config/rentman/ (Linux/Mac)
+//           AppData/Roaming/rentman/ (Windows)
+```
+
+#### 1.3 Delete Compromised Files
+```bash
+# Remove from repo:
+git rm rentman_identity.json
+git rm --cached rentman_identity.json
+
+# Add to .gitignore:
+echo "rentman_identity.json" >> .gitignore
+echo "*.json" >> .gitignore  # Except package.json
+echo ".env" >> .gitignore
+echo ".env.local" >> .gitignore
+```
+
+---
+
+### Phase 2: Gateway Integration (HIGH - 2 days)
+
+#### 2.1 Refactor `post-mission.js`
+**Current:** Direct Supabase insert  
+**Target:** Agent Gateway API
+
+```javascript
+// BEFORE (❌ BYPASSES GATEWAY):
+const supabase = createClient(url, key);
+const { data } = await supabase.from('tasks').insert(task);
+
+// AFTER (✅ USES GATEWAY):
+const { apiRequest } = require('../lib/api');
+const signature = generateNaclSignature(taskPayload, secretKey);
+
+const response = await apiRequest('/tasks', {
+  method: 'POST',
+  headers: {
+    'x-agent-id': agentId,
+    'x-signature': `nacl:${signature}`
+  },
+  body: JSON.stringify(taskPayload)
+});
+```
+
+#### 2.2 Add Signature Generation
+```javascript
+// src/lib/crypto.js (NEW FILE)
+const nacl = require('tweetnacl');
+const naclUtil = require('tweetnacl-util');
+
+function generateNaclSignature(payload, secretKeyBase64) {
+  const message = JSON.stringify(payload);
+  const messageBytes = naclUtil.decodeUTF8(message);
+  const secretKeyBytes = naclUtil.decodeBase64(secretKeyBase64);
+  
+  const signature = nacl.sign.detached(messageBytes, secretKeyBytes);
+  return naclUtil.encodeBase64(signature);
+}
+
+module.exports = { generateNaclSignature };
+```
+
+#### 2.3 Update API Base URL
+```javascript
+// src/lib/api.js
+// BEFORE:
+const API_BASE = 'https://rentman-api-346436028870.us-central1.run.app/v1/market';
+
+// AFTER (with env variable support):
+const API_BASE = process.env.AGENT_GATEWAY_URL || 
+                 'https://agent-gateway.rentman.app/v1/market';
+```
+
+---
+
+### Phase 3: UX Improvements (MEDIUM - 1 day)
+
+#### 3.1 Consolidate Commands
+**Remove:**
+- `login.js`
+- `login-v2.js`
+
+**Keep/Enhance:**
+- `init.js` - Full KYA setup
+- `config.js` - Manage settings
+
+**File Structure:**
+```
+src/commands/
+├── init.js          # KYA initialization
+├── config.js        # Config management
+├── post-mission.js  # Create tasks
+├── listen.js        # Listen for contracts
+├── task.js          # Task management
+├── guide.js         # Help/docs
+└── legal.js         # NEW - Legal docs
+```
+
+#### 3.2 Add Legal Command
+```javascript
+// src/commands/legal.js (NEW)
+const chalk = require('chalk');
+const open = require('open');
+
+async function legalCommand(type) {
+  console.log(chalk.bold.blue('\n📜 Rentman Legal Documents\n'));
+  
+  const docs = {
+    privacy: 'https://rentman.app/privacy-policy.html',
+    terms: 'https://rentman.app/terms-of-service.html'
+  };
+  
+  if (type === 'privacy' || type === 'terms') {
+    console.log(chalk.green(`Opening ${type}...`));
+    await open(docs[type]);
+  } else {
+    console.log(chalk.white('Available documents:'));
+    console.log(chalk.cyan('  • Privacy Policy: ') + docs.privacy);
+    console.log(chalk.cyan('  • Terms of Service: ') + docs.terms);
+    console.log(chalk.gray('\nUse: rentman legal privacy OR rentman legal terms'));
+  }
+}
+
+module.exports = legalCommand;
+```
+
+#### 3.3 Improve Error Messages
+```javascript
+// Better error handling
+try {
+  const response = await apiRequest('/tasks', options);
+} catch (error) {
+  if (error.message.includes('AUTH_FAILED')) {
+    console.error(chalk.red('\n❌ Authentication failed'));
+    console.log(chalk.yellow('→ Run: rentman init'));
+  } else if (error.message.includes('RATE_LIMIT')) {
+    console.error(chalk.red('\n❌ Rate limit exceeded'));
+    console.log(chalk.yellow('→ Wait before retrying'));
+  } else {
+    console.error(chalk.red(`\n❌ Error: ${error.message}`));
+  }
+  process.exit(1);
+}
+```
+
+---
+
+### Phase 4: Testing & Validation (HIGH - 2 days)
+
+#### 4.1 Add Unit Tests
+```javascript
+// tests/crypto.test.js
+const { generateNaclSignature } = require('../src/lib/crypto');
+const nacl = require('tweetnacl');
+
+describe('NACL Signature Generation', () => {
+  test('generates valid signature', () => {
+    const keyPair = nacl.sign.keyPair();
+    const payload = { title: 'Test Task' };
+    const secretKey = Buffer.from(keyPair.secretKey).toString('base64');
+    
+    const signature = generateNaclSignature(payload, secretKey);
+    expect(signature).toBeDefined();
+    expect(signature.length).toBeGreaterThan(0);
+  });
+});
+```
+
+#### 4.2 Integration Tests
+```javascript
+// tests/integration/post-mission.test.js
+test('posts mission to gateway', async () => {
+  // Mock identity
+  // Mock API response
+  // Verify signature sent
+  // Verify task created
+});
+```
+
+#### 4.3 Manual Test Checklist
+```markdown
+- [ ] rentman init (fresh install)
+- [ ] Identity stored in ~/.config/rentman/
+- [ ] No rentman_identity.json in CWD
+- [ ] rentman post-mission test.json
+- [ ] Task appears in Gateway logs
+- [ ] Signature validated server-side
+- [ ] rentman listen (shows new contracts)
+- [ ] rentman legal privacy (opens browser)
+- [ ] Error handling works correctly
+```
+
+---
+
+## 📋 IMPLEMENTATION PRIORITY
+
+### P0 - CRITICAL (Do First)
+1. ✅ Delete `rentman_identity.json` from repo
+2. ✅ Add to `.gitignore`
+3. ✅ Remove all hardcoded keys
+4. ✅ Add `.env.example`
+5. ✅ Migrate to `Conf` storage
+
+### P1 - HIGH (Do Next)
+1. ✅ Update `post-mission.js` to use Gateway
+2. ✅ Add NACL signature generation
+3. ✅ Update `api.js` with gateway URL
+4. ✅ Remove duplicate login commands
+5. ✅ Add legal command
+
+### P2 - MEDIUM (Nice to Have)
+1. ✅ Improve error messages
+2. ✅ Add input validation
+3. ✅ Better logging
+4. ✅ Progress indicators
+
+### P3 - LOW (Future)
+1. ⏳ MCP integration
+2. ⏳ WebSocket for listen
+3. ⏳ Auto-update notifications
+4. ⏳ Telemetry/analytics
+
+---
+
+## 🎯 SUCCESS METRICS
+
+After refactoring, CLI should:
+
+✅ **Security Score: A**
+- No secrets in code
+- Identity in secure location
+- All requests authenticated
+- Gateway-based architecture
+
+✅ **Code Quality: B+**
+- Tests coverage > 70%
+- No code duplication
+- Consistent error handling
+- TypeScript types (optional)
+
+✅ **UX Score: A**
+- Clear command structure
+- Helpful error messages
+- Legal compliance
+- Good documentation
+
+---
+
+## 📊 COMPARISON: Before vs After
+
+| Aspect | Before (Prototype) | After (Production) |
+|--------|-------------------|-------------------|
+| **Identity Storage** | `./rentman_identity.json` | `~/.config/rentman/` |
+| **Secrets** | Hardcoded in 4 files | Environment variables |
+| **API Access** | Direct Supabase | Agent Gateway |
+| **Authentication** | Anon key only | NACL signatures |
+| **Rate Limiting** | None | Gateway handles |
+| **Audit Trail** | None | Gateway logs all |
+| **Testing** | 0% coverage | 70%+ coverage |
+| **Legal Docs** | No access | `rentman legal` |
+| **Commands** | Duplicate login | Unified `init` |
+
+---
+
+## ⚠️ BREAKING CHANGES
+
+Users will need to:
+1. Re-run `rentman init` (identity migration)
+2. Set environment variables in `.env`
+3. Old `rentman_identity.json` won't work
+4. Use `rentman config` instead of manual JSON editing
+
+**Migration Script Needed:**
+```javascript
+// migrate-identity.js
+const fs = require('fs');
+const Conf = require('conf');
+
+if (fs.existsSync('./rentman_identity.json')) {
+  const oldIdentity = JSON.parse(fs.readFileSync('./rentman_identity.json'));
+  const config = new Conf({ projectName: 'rentman' });
+  
+  config.set('agent_id', oldIdentity.agent_id);
+  config.set('secret_key', oldIdentity.secret_key);
+  config.set('public_key', oldIdentity.public_key);
+  
+  console.log('✅ Identity migrated to secure location');
+  console.log('⚠️  Delete old file: rm rentman_identity.json');
+}
+```
+
+---
+
+## 📚 DOCUMENTATION UPDATES NEEDED
+
+1. **README.md** - Update installation instructions
+2. **SECURITY.md** - Add security best practices
+3. **MIGRATION.md** - Guide for existing users
+4. **API.md** - Document gateway integration
+5. **CONTRIBUTING.md** - Development guidelines
+
+---
+
+## 🔒 SECURITY BEST PRACTICES (Post-Fix)
+
+After implementation:
+
+✅ **Never commit secrets**
+✅ **Use environment variables**
+✅ **Store identity in user directory**
+✅ **All API calls go through Gateway**
+✅ **Sign all requests with NACL**
+✅ **Rotate keys regularly**
+✅ **Audit logs enabled**
+✅ **Rate limiting enforced**
+
+---
+
+**Status:** READY FOR IMPLEMENTATION  
+**Estimated Time:** 5-6 days  
+**Priority:** CRITICAL (Security vulnerabilities)  
+**Dependencies:** Agent Gateway must be deployed first