shiva-code 0.7.7 → 0.7.10

package/dist/{chunk-RQ75X32M.js → chunk-4OT4OY7L.js}

@@ -1,6 +1,7 @@
 import {
+  colors,
   log
-} from "./chunk-Z6NXFC4Q.js";
+} from "./chunk-UABU5VVI.js";
 import {
   formatContextAsMarkdown,
   generateGitHubContext,
@@ -1318,7 +1319,7 @@ function removeShivaHooks(eventHooks) {
   );
 }
 var hookCommand = new Command("hook").description("Claude Code Hook Integration verwalten");
-hookCommand.command("install").description("SHIVA Hooks in Claude Code installieren").option("--github", "GitHub Context Injection aktivieren").option("--sync", "Cloud Sync Hooks aktivieren (Standard)").option("--scan", "Package Security Scanning aktivieren").option("--all", "Alle Hooks aktivieren").action((options) => {
+hookCommand.command("install").description("SHIVA Hooks in Claude Code installieren").option("--github", "GitHub Context Injection aktivieren").option("--sync", "Cloud Sync Hooks aktivieren (Standard)").option("--scan", "Package Security Scanning aktivieren").option("--token-protection", "Token-Schutz aktivieren (erkennt & sch\xFCtzt Secrets)").option("--all", "Alle Hooks aktivieren").action((options) => {
   log.brand();
   const claudePath = join(homedir(), ".claude");
   if (!existsSync(claudePath)) {
@@ -1334,12 +1335,14 @@ hookCommand.command("install").description("SHIVA Hooks in Claude Code installie
   if (!settings.hooks) {
     settings.hooks = {};
   }
-  const installSync = options.sync || options.all || !options.github && !options.scan;
+  const installSync = options.sync || options.all || !options.github && !options.scan && !options.tokenProtection;
   const installGithub = options.github || options.all;
   const installScan = options.scan || options.all;
+  const installTokenProtection = options.tokenProtection || options.all;
   const hasSyncHooks = hasShivaHook(settings.hooks, "SessionStart") || hasShivaHook(settings.hooks, "Stop");
   const hasGithubHook = hasShivaContextHook(settings.hooks);
   const hasScanHook = hasShivaScanHook(settings.hooks);
+  const hasTokenHook = hasShivaTokenHook(settings.hooks);
   if (hasSyncHooks && installSync && !installGithub && !installScan) {
     log.warn("SHIVA Sync Hooks sind bereits installiert");
     log.newline();
@@ -1412,6 +1415,21 @@ hookCommand.command("install").description("SHIVA Hooks in Claude Code installie
     });
     installedSomething = true;
   }
+  if (installTokenProtection && !hasTokenHook) {
+    if (!settings.hooks.Stop) {
+      settings.hooks.Stop = [];
+    }
+    settings.hooks.Stop.push({
+      hooks: [
+        {
+          type: "command",
+          command: "shiva hook scan-session --quiet",
+          timeout: 30
+        }
+      ]
+    });
+    installedSomething = true;
+  }
   if (!installedSomething) {
     log.warn("Alle ausgew\xE4hlten Hooks sind bereits installiert");
     log.newline();
@@ -1432,6 +1450,9 @@ hookCommand.command("install").description("SHIVA Hooks in Claude Code installie
   if (installScan || hasScanHook) {
     log.tree.item("PreToolUse: Package Security Scanning");
   }
+  if (installTokenProtection || hasTokenHook) {
+    log.tree.item("Stop: Token-Schutz (Secrets erkennen & sch\xFCtzen)");
+  }
   log.newline();
   log.dim("Claude Code wird nun automatisch mit SHIVA integriert.");
   log.newline();
@@ -1452,6 +1473,13 @@ function hasShivaScanHook(hooks) {
     (entry) => entry.matcher === "Bash" && entry.hooks?.some((h) => h.command?.includes("shiva hook scan-command"))
   );
 }
+function hasShivaTokenHook(hooks) {
+  if (!hooks || !hooks.Stop) return false;
+  const eventHooks = hooks.Stop;
+  return eventHooks.some(
+    (entry) => entry.hooks?.some((h) => h.command?.includes("shiva hook scan-session"))
+  );
+}
 hookCommand.command("uninstall").description("SHIVA Hooks aus Claude Code entfernen").action(() => {
   log.brand();
   const settings = getClaudeSettings();
@@ -1503,6 +1531,7 @@ hookCommand.command("status").description("Hook-Status anzeigen").action(() => {
   const hasStop = hasShivaHook(settings.hooks, "Stop");
   const hasGithub = hasShivaContextHook(settings.hooks);
   const hasScan = hasShivaScanHook(settings.hooks);
+  const hasToken = hasShivaTokenHook(settings.hooks);
   log.plain("Cloud Sync:");
   if (hasSessionStart) {
     log.listItem("SessionStart: Memories laden", "synced");
@@ -1528,8 +1557,13 @@ hookCommand.command("status").description("Hook-Status anzeigen").action(() => {
   } else {
     log.listItem("Package Scanning: nicht aktiv", "pending");
   }
+  if (hasToken) {
+    log.listItem("Stop: Token-Schutz (Secrets erkennen)", "synced");
+  } else {
+    log.listItem("Token-Schutz: nicht aktiv", "pending");
+  }
   log.newline();
-  const allInstalled = hasSessionStart && hasStop && hasGithub && hasScan;
+  const allInstalled = hasSessionStart && hasStop && hasGithub && hasScan && hasToken;
   const syncInstalled = hasSessionStart && hasStop;
   const anyInstalled = hasSessionStart || hasStop || hasGithub || hasScan;
   if (allInstalled) {
@@ -1659,7 +1693,7 @@ hookCommand.command("scan-command").description("Scanne Bash-Befehle auf Package
   }
 });
 hookCommand.command("push").description("Hooks in Cloud sichern").action(async () => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
@@ -1679,7 +1713,7 @@ hookCommand.command("push").description("Hooks in Cloud sichern").action(async (
   }
 });
 hookCommand.command("pull").description("Hooks aus Cloud laden").option("-f, --force", "Lokale Hooks \xFCberschreiben").action(async (options) => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
@@ -1711,7 +1745,7 @@ hookCommand.command("pull").description("Hooks aus Cloud laden").option("-f, --f
   }
 });
 hookCommand.command("sync").description("Hooks mit Cloud synchronisieren").action(async () => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
@@ -1738,9 +1772,9 @@ hookCommand.command("sync").description("Hooks mit Cloud synchronisieren").actio
   }
 });
 hookCommand.command("cloud-list").description("Cloud-Hooks auflisten").option("--event <type>", "Nach Event-Typ filtern").option("--json", "JSON Output").action(async (options) => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
-  const { colors } = await import("./logger-E7SC5KUO.js");
+  const { colors: colors2 } = await import("./logger-VVWOD6AA.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
     log.info("Anmelden mit: shiva login");
@@ -1762,8 +1796,8 @@ hookCommand.command("cloud-list").description("Cloud-Hooks auflisten").option("-
       return;
     }
     log.newline();
-    console.log(colors.orange.bold("Cloud Hooks"));
-    console.log(colors.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(colors2.orange.bold("Cloud Hooks"));
+    console.log(colors2.dim("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     log.newline();
     if (!hooks || Array.isArray(hooks) && hooks.length === 0) {
       log.dim("Keine Cloud-Hooks konfiguriert");
@@ -1771,14 +1805,14 @@ hookCommand.command("cloud-list").description("Cloud-Hooks auflisten").option("-
     }
     const hooksArray = Array.isArray(hooks) ? hooks : Object.values(hooks).flat();
     for (const hook of hooksArray) {
-      const enabledIcon = hook.enabled !== false ? colors.green("\u25CF") : colors.dim("\u25CB");
-      console.log(`  ${enabledIcon} ${colors.bold(hook.id || hook.event)}`);
-      console.log(`    ${colors.dim("Event:")} ${hook.event}`);
+      const enabledIcon = hook.enabled !== false ? colors2.green("\u25CF") : colors2.dim("\u25CB");
+      console.log(`  ${enabledIcon} ${colors2.bold(hook.id || hook.event)}`);
+      console.log(`    ${colors2.dim("Event:")} ${hook.event}`);
       if (hook.matcher) {
-        console.log(`    ${colors.dim("Matcher:")} ${hook.matcher}`);
+        console.log(`    ${colors2.dim("Matcher:")} ${hook.matcher}`);
       }
-      console.log(`    ${colors.dim("Type:")} ${hook.type}`);
-      console.log(`    ${colors.dim("Command:")} ${hook.command}`);
+      console.log(`    ${colors2.dim("Type:")} ${hook.type}`);
+      console.log(`    ${colors2.dim("Command:")} ${hook.command}`);
       log.newline();
     }
   } catch (error) {
@@ -1787,7 +1821,7 @@ hookCommand.command("cloud-list").description("Cloud-Hooks auflisten").option("-
   }
 });
 hookCommand.command("cloud-create").description("Neuen Cloud-Hook erstellen").requiredOption("--event <event>", "Event-Typ (PreToolUse, PostToolUse, etc.)").requiredOption("--command <cmd>", "Auszuf\xFChrender Befehl").option("--matcher <pattern>", "Tool-Matcher Pattern").option("--type <type>", "Hook-Typ (command, script)", "command").option("--timeout <ms>", "Timeout in Millisekunden").action(async (options) => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
@@ -1815,9 +1849,9 @@ hookCommand.command("cloud-create").description("Neuen Cloud-Hook erstellen").re
   }
 });
 hookCommand.command("cloud-test").description("Cloud-Hook testen").argument("<hook-id>", "Hook ID").action(async (hookId) => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
-  const { colors } = await import("./logger-E7SC5KUO.js");
+  const { colors: colors2 } = await import("./logger-VVWOD6AA.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
     log.info("Anmelden mit: shiva login");
@@ -1833,15 +1867,15 @@ hookCommand.command("cloud-test").description("Cloud-Hook testen").argument("<ho
       log.success(`Hook erfolgreich (${result.duration}ms)`);
       if (result.output) {
         log.newline();
-        console.log(colors.dim("Output:"));
+        console.log(colors2.dim("Output:"));
         console.log(result.output);
       }
     } else {
       log.error(`Hook fehlgeschlagen (${result.duration}ms)`);
       if (result.error) {
         log.newline();
-        console.log(colors.dim("Error:"));
-        console.log(colors.red(result.error));
+        console.log(colors2.dim("Error:"));
+        console.log(colors2.red(result.error));
       }
     }
   } catch (error) {
@@ -1850,7 +1884,7 @@ hookCommand.command("cloud-test").description("Cloud-Hook testen").argument("<ho
   }
 });
 hookCommand.command("cloud-delete").description("Cloud-Hook l\xF6schen").argument("<hook-id>", "Hook ID").option("-y, --yes", "Ohne Best\xE4tigung").action(async (hookId, options) => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
@@ -1885,7 +1919,7 @@ hookCommand.command("cloud-delete").description("Cloud-Hook l\xF6schen").argumen
   }
 });
 hookCommand.command("cloud-toggle").description("Cloud-Hook aktivieren/deaktivieren").argument("<hook-id>", "Hook ID").option("--enable", "Hook aktivieren").option("--disable", "Hook deaktivieren").action(async (hookId, options) => {
-  const { api } = await import("./client-RPSJP4Z5.js");
+  const { api } = await import("./client-H3JXPT5B.js");
   const { isAuthenticated } = await import("./config-FGMZONWV.js");
   if (!isAuthenticated()) {
     log.error("Nicht angemeldet");
@@ -1911,6 +1945,122 @@ hookCommand.command("cloud-toggle").description("Cloud-Hook aktivieren/deaktivie
     log.error(error instanceof Error ? error.message : "Unbekannter Fehler");
   }
 });
+hookCommand.command("scan-session").description("Session nach sensiblen Tokens scannen (f\xFCr Stop Hook)").option("--quiet", "Keine Ausgabe (f\xFCr Hook)").option("--redact", "Tokens in Session-History maskieren").option("--path <path>", "Session-Datei Pfad").action(async (options) => {
+  const { detectTokens, redactTokens, maskToken } = await import("./token-detection-K6KCIWAU.js");
+  const { api } = await import("./client-H3JXPT5B.js");
+  const { isAuthenticated } = await import("./config-FGMZONWV.js");
+  const { existsSync: existsSync2, readFileSync: readFileSync2, writeFileSync: writeFileSync2, readdirSync, statSync } = await import("fs");
+  const { join: join2 } = await import("path");
+  const { homedir: homedir2 } = await import("os");
+  const quiet = options.quiet;
+  try {
+    let autoRedact = options.redact || false;
+    let autoStore = false;
+    if (isAuthenticated()) {
+      try {
+        const settings = await api.getUserSettings();
+        if (settings.settings?.tokenProtection) {
+          autoRedact = settings.settings.tokenProtection.autoRedact ?? autoRedact;
+          autoStore = settings.settings.tokenProtection.autoStore ?? false;
+        }
+      } catch {
+      }
+    }
+    const claudeProjectsPath = join2(homedir2(), ".claude", "projects");
+    let sessionFiles = [];
+    if (options.path) {
+      sessionFiles = [options.path];
+    } else if (existsSync2(claudeProjectsPath)) {
+      const oneHourAgo = Date.now() - 60 * 60 * 1e3;
+      try {
+        const projects = readdirSync(claudeProjectsPath);
+        for (const project of projects) {
+          const projectPath = join2(claudeProjectsPath, project);
+          const stat = statSync(projectPath);
+          if (!stat.isDirectory()) continue;
+          const files = readdirSync(projectPath);
+          for (const file of files) {
+            if (!file.endsWith(".jsonl")) continue;
+            const filePath = join2(projectPath, file);
+            const fileStat = statSync(filePath);
+            if (fileStat.mtime.getTime() > oneHourAgo) {
+              sessionFiles.push(filePath);
+            }
+          }
+        }
+      } catch {
+      }
+    }
+    let totalTokensFound = 0;
+    let totalFilesScanned = 0;
+    let totalTokensRedacted = 0;
+    const detectedTokens = [];
+    for (const sessionFile of sessionFiles) {
+      if (!existsSync2(sessionFile)) continue;
+      try {
+        const content = readFileSync2(sessionFile, "utf-8");
+        const tokens = detectTokens(content);
+        if (tokens.length > 0) {
+          totalTokensFound += tokens.length;
+          for (const t of tokens) {
+            detectedTokens.push({
+              file: sessionFile,
+              token: t.token,
+              service: t.pattern.service
+            });
+            if (autoStore && isAuthenticated()) {
+              try {
+                const secretKey = `${t.pattern.name.toUpperCase()}_TOKEN`;
+                await api.addSecret({
+                  key: secretKey,
+                  value: t.token,
+                  description: `Auto-detected ${t.pattern.description}`
+                });
+              } catch {
+              }
+            }
+          }
+          if (autoRedact) {
+            const redactedContent = redactTokens(content);
+            writeFileSync2(sessionFile, redactedContent);
+            totalTokensRedacted += tokens.length;
+          }
+        }
+        totalFilesScanned++;
+      } catch {
+      }
+    }
+    if (quiet) {
+      process.exit(0);
+    } else {
+      log.newline();
+      if (totalTokensFound === 0) {
+        log.success(`Keine sensiblen Tokens gefunden (${totalFilesScanned} Dateien gescannt)`);
+      } else {
+        console.log(colors.red.bold(`\u26A0\uFE0F  ${totalTokensFound} sensible Tokens gefunden!`));
+        log.newline();
+        for (const t of detectedTokens) {
+          console.log(`  ${colors.red("!")} ${t.service}: ${colors.dim(maskToken(t.token))}`);
+        }
+        log.newline();
+        if (totalTokensRedacted > 0) {
+          log.success(`${totalTokensRedacted} Tokens in Session-History maskiert`);
+        } else {
+          log.warn("Tokens NICHT maskiert. Verwende --redact oder aktiviere auto-redact in Einstellungen.");
+        }
+        log.newline();
+        log.info("Sichere Tokens mit: shiva secure-token");
+      }
+      log.newline();
+    }
+  } catch (error) {
+    if (quiet) {
+      process.exit(0);
+    } else {
+      log.error(error instanceof Error ? error.message : "Fehler beim Scannen");
+    }
+  }
+});
 
 export {
   packageScanner,

package/dist/chunk-GGNOX6DN.js

@@ -0,0 +1,195 @@
+// src/utils/token-detection.ts
+var TOKEN_PATTERNS = [
+  // NPM
+  {
+    name: "npm",
+    service: "NPM Registry",
+    pattern: /npm_[A-Za-z0-9]{36}/g,
+    configCommand: (token) => ["npm", "config", "set", "//registry.npmjs.org/:_authToken", token],
+    description: "NPM Access Token"
+  },
+  // GitHub
+  {
+    name: "github",
+    service: "GitHub",
+    pattern: /ghp_[A-Za-z0-9]{36}/g,
+    description: "GitHub Personal Access Token"
+  },
+  {
+    name: "github_pat",
+    service: "GitHub",
+    pattern: /github_pat_[A-Za-z0-9_]{80,}/g,
+    description: "GitHub Fine-grained Personal Access Token"
+  },
+  // OpenAI
+  {
+    name: "openai",
+    service: "OpenAI",
+    pattern: /sk-[A-Za-z0-9]{48}/g,
+    description: "OpenAI API Key"
+  },
+  {
+    name: "openai_proj",
+    service: "OpenAI",
+    pattern: /sk-proj-[A-Za-z0-9_-]{80,}/g,
+    description: "OpenAI Project API Key"
+  },
+  // Anthropic
+  {
+    name: "anthropic",
+    service: "Anthropic",
+    pattern: /sk-ant-[A-Za-z0-9_-]{80,}/g,
+    description: "Anthropic API Key"
+  },
+  // AWS
+  {
+    name: "aws_access_key",
+    service: "AWS",
+    pattern: /AKIA[A-Z0-9]{16}/g,
+    description: "AWS Access Key ID"
+  },
+  {
+    name: "aws_secret",
+    service: "AWS",
+    pattern: /(?<![A-Za-z0-9\/+])[A-Za-z0-9\/+=]{40}(?![A-Za-z0-9\/+=])/g,
+    description: "AWS Secret Access Key (potential)"
+  },
+  // Google Cloud
+  {
+    name: "gcp",
+    service: "Google Cloud",
+    pattern: /AIza[A-Za-z0-9_-]{35}/g,
+    description: "Google Cloud API Key"
+  },
+  // Stripe
+  {
+    name: "stripe_secret",
+    service: "Stripe",
+    pattern: /sk_live_[A-Za-z0-9]{24,}/g,
+    description: "Stripe Secret Key (Live)"
+  },
+  {
+    name: "stripe_test",
+    service: "Stripe",
+    pattern: /sk_test_[A-Za-z0-9]{24,}/g,
+    description: "Stripe Secret Key (Test)"
+  },
+  // Slack
+  {
+    name: "slack_bot",
+    service: "Slack",
+    pattern: /xoxb-[A-Za-z0-9-]{50,}/g,
+    description: "Slack Bot Token"
+  },
+  {
+    name: "slack_user",
+    service: "Slack",
+    pattern: /xoxp-[A-Za-z0-9-]{50,}/g,
+    description: "Slack User Token"
+  },
+  // Discord
+  {
+    name: "discord",
+    service: "Discord",
+    pattern: /[MN][A-Za-z0-9]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}/g,
+    description: "Discord Bot Token"
+  },
+  // Twilio
+  {
+    name: "twilio",
+    service: "Twilio",
+    pattern: /SK[a-f0-9]{32}/g,
+    description: "Twilio API Key"
+  },
+  // SendGrid
+  {
+    name: "sendgrid",
+    service: "SendGrid",
+    pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/g,
+    description: "SendGrid API Key"
+  },
+  // Mailchimp
+  {
+    name: "mailchimp",
+    service: "Mailchimp",
+    pattern: /[a-f0-9]{32}-us[0-9]{1,2}/g,
+    description: "Mailchimp API Key"
+  },
+  // Heroku
+  {
+    name: "heroku",
+    service: "Heroku",
+    pattern: /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/g,
+    description: "Heroku API Key (UUID format)"
+  },
+  // Generic JWT (potential sensitive)
+  {
+    name: "jwt",
+    service: "JWT",
+    pattern: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g,
+    description: "JSON Web Token"
+  },
+  // Private Keys
+  {
+    name: "private_key",
+    service: "Private Key",
+    pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g,
+    description: "Private Key Header"
+  }
+];
+function detectTokens(text) {
+  const detected = [];
+  for (const pattern of TOKEN_PATTERNS) {
+    pattern.pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.pattern.exec(text)) !== null) {
+      detected.push({
+        token: match[0],
+        pattern,
+        startIndex: match.index,
+        endIndex: match.index + match[0].length
+      });
+    }
+  }
+  return detected.sort((a, b) => a.startIndex - b.startIndex).filter((item, index, array) => {
+    if (index === 0) return true;
+    const prev = array[index - 1];
+    return item.startIndex >= prev.endIndex;
+  });
+}
+function containsTokens(text) {
+  return detectTokens(text).length > 0;
+}
+function redactTokens(text, replacement = "****REDACTED****") {
+  const tokens = detectTokens(text);
+  if (tokens.length === 0) return text;
+  let result = text;
+  for (let i = tokens.length - 1; i >= 0; i--) {
+    const { startIndex, endIndex, pattern } = tokens[i];
+    const redacted = `[${pattern.service}:${replacement}]`;
+    result = result.slice(0, startIndex) + redacted + result.slice(endIndex);
+  }
+  return result;
+}
+function maskToken(token) {
+  if (token.length <= 12) {
+    return "****";
+  }
+  return `${token.slice(0, 6)}...${token.slice(-4)}`;
+}
+function getPatternByName(name) {
+  return TOKEN_PATTERNS.find((p) => p.name === name);
+}
+function getSupportedServices() {
+  return [...new Set(TOKEN_PATTERNS.map((p) => p.name))];
+}
+
+export {
+  TOKEN_PATTERNS,
+  detectTokens,
+  containsTokens,
+  redactTokens,
+  maskToken,
+  getPatternByName,
+  getSupportedServices
+};

package/dist/{chunk-KW3LP3K3.js → chunk-IWDZCN4S.js}

@@ -1,10 +1,10 @@
 import {
   colors,
   log
-} from "./chunk-Z6NXFC4Q.js";
+} from "./chunk-UABU5VVI.js";
 import {
   api
-} from "./chunk-J5IS642F.js";
+} from "./chunk-KB6M24M3.js";
 import {
   clearAuth,
   getConfig,
@@ -414,44 +414,18 @@ async function loginWithOtp(email) {
       }
     ]);
     const authResponse = await api.verifyOtp(otpResponse.token, otp);
+    if (authResponse.requires2FA && authResponse.tempToken) {
+      log.newline();
+      log.info("2FA ist aktiviert. Bitte verifiziere dich.");
+      log.newline();
+      const result = await handle2FALoginFlow(authResponse.tempToken, authResponse.email || email);
+      return result;
+    }
     if (!authResponse.success || !authResponse.token || !authResponse.user) {
       log.error(authResponse.message || "Ung\xFCltiger Code");
       return false;
     }
     setAuth(authResponse.token, authResponse.user);
-    try {
-      const tfaStatus = await twoFactorService.getStatus();
-      if (tfaStatus.enabled) {
-        log.newline();
-        log.info("2FA ist aktiviert. Bitte verifiziere dich.");
-        log.newline();
-        const isDeviceTrusted = await deviceTrustService.isDeviceTrusted();
-        if (!isDeviceTrusted) {
-          const verified = await prompt2FAVerification();
-          if (!verified) {
-            clearAuth();
-            log.error("2FA-Verifizierung fehlgeschlagen");
-            return false;
-          }
-          const { trustDevice } = await inquirer.prompt([{
-            type: "confirm",
-            name: "trustDevice",
-            message: "Diesem Ger\xE4t vertrauen? (Kein 2FA bei zuk\xFCnftigen Logins)",
-            default: true
-          }]);
-          if (trustDevice) {
-            try {
-              await deviceTrustService.trustDevice();
-              log.success("Ger\xE4t als vertrauensw\xFCrdig markiert");
-            } catch {
-            }
-          }
-        } else {
-          log.dim("Ger\xE4t ist vertrauensw\xFCrdig - 2FA \xFCbersprungen");
-        }
-      }
-    } catch {
-    }
     log.newline();
     log.success(`Angemeldet als ${authResponse.user.email} (${authResponse.user.tier.toUpperCase()})`);
     return true;
@@ -461,6 +435,58 @@ async function loginWithOtp(email) {
     return false;
   }
 }
+async function handle2FALoginFlow(tempToken, email) {
+  const MAX_ATTEMPTS = 3;
+  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
+    const { code } = await inquirer.prompt([{
+      type: "input",
+      name: "code",
+      message: "2FA-Code (6 Ziffern oder Backup-Code):",
+      validate: (input) => {
+        if (/^\d{6}$/.test(input) || /^[A-Za-z0-9-]+$/.test(input)) {
+          return true;
+        }
+        return "Bitte gib einen g\xFCltigen Code ein";
+      }
+    }]);
+    const { rememberDevice } = await inquirer.prompt([{
+      type: "confirm",
+      name: "rememberDevice",
+      message: "Diesem Ger\xE4t vertrauen?",
+      default: true
+    }]);
+    try {
+      const result = await api.validate2FALogin({
+        tempToken,
+        code,
+        rememberDevice
+      });
+      if (result.success && result.token && result.user) {
+        setAuth(result.token, result.user);
+        if (result.method === "backup" && result.backupCodesRemaining !== void 0) {
+          log.warn(`Backup-Code verwendet. Noch ${result.backupCodesRemaining} Codes \xFCbrig.`);
+        }
+        log.newline();
+        log.success(`Angemeldet als ${result.user.email} (${result.user.tier.toUpperCase()})`);
+        return true;
+      }
+      if (attempt < MAX_ATTEMPTS) {
+        log.error(`Ung\xFCltiger Code. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Verifizierung fehlgeschlagen";
+      if (message.includes("expired") || message.includes("abgelaufen")) {
+        log.error("2FA-Token abgelaufen. Bitte erneut anmelden.");
+        return false;
+      }
+      if (attempt < MAX_ATTEMPTS) {
+        log.error(`${message}. Noch ${MAX_ATTEMPTS - attempt} Versuche.`);
+      }
+    }
+  }
+  log.error("2FA-Verifizierung fehlgeschlagen");
+  return false;
+}
 async function findAvailablePort() {
   for (let port = PORT_RANGE_START; port <= PORT_RANGE_END; port++) {
     const isAvailable = await checkPort(port);

package/dist/{chunk-J5IS642F.js → chunk-KB6M24M3.js}

@@ -71,6 +71,16 @@ var ApiClient = class {
       body: JSON.stringify({ token, otp })
     });
   }
+  /**
+   * Validate 2FA code during login
+   * Used when initial login returns requires2FA: true
+   */
+  async validate2FALogin(data) {
+    return this.request("/auth/2fa/login-validate", {
+      method: "POST",
+      body: JSON.stringify(data)
+    });
+  }
   async getCurrentUser() {
     return this.request("/auth/me");
   }