skrypt-ai 0.4.1 → 0.5.0

package/dist/commands/login.js

@@ -1,5 +1,6 @@
 import { Command } from 'commander';
-import { saveAuthConfig, getAuthConfig, clearAuth, checkPlan } from '../auth/index.js';
+import { saveAuthConfig, getAuthConfigAsync, clearAuth, checkPlan, getKeyStorageMethod } from '../auth/index.js';
+import { getKeychainPlatformName } from '../auth/keychain.js';
 import * as readline from 'readline';
 function prompt(question) {
     const rl = readline.createInterface({
@@ -33,7 +34,7 @@ export const loginCommand = new Command('login')
         console.error(`\n  Error: ${result.error || 'Invalid API key'}`);
         process.exit(1);
     }
-    saveAuthConfig({
+    await saveAuthConfig({
         apiKey,
         email: result.email,
         plan: result.plan,
@@ -41,6 +42,16 @@ export const loginCommand = new Command('login')
     });
     console.log(`\n  ✓ Logged in as ${result.email}`);
     console.log(`  Plan: ${result.plan.toUpperCase()}\n`);
+    // Trust signals
+    const storageMethod = await getKeyStorageMethod();
+    if (storageMethod === 'keychain') {
+        console.log(`  🔒 API key stored in ${getKeychainPlatformName()}`);
+    }
+    else if (storageMethod === 'file') {
+        console.log('  🔒 API key stored in ~/.skrypt/auth.json (0600 permissions)');
+    }
+    console.log('  Your key is hashed (SHA-256) on our servers — never stored in plaintext');
+    console.log('');
     if (result.plan === 'free') {
         console.log('  Upgrade to Pro: https://skrypt.sh/pro\n');
     }
@@ -48,13 +59,13 @@ export const loginCommand = new Command('login')
 export const logoutCommand = new Command('logout')
     .description('Logout from Skrypt')
     .action(async () => {
-    clearAuth();
+    await clearAuth();
     console.log('  Logged out successfully\n');
 });
 export const whoamiCommand = new Command('whoami')
     .description('Show current login status')
     .action(async () => {
-    const config = getAuthConfig();
+    const config = await getAuthConfigAsync();
     if (!config.apiKey) {
         console.log('  Not logged in');
         console.log('  Run: skrypt login\n');

package/dist/commands/review-pr.js

@@ -21,10 +21,20 @@ export const reviewPRCommand = new Command('review-pr')
         console.error('Error: Could not parse owner/repo/PR number from URL');
         process.exit(1);
     }
+    // Validate owner/repo contain only safe characters (prevent API path injection)
+    const safeNamePattern = /^[a-zA-Z0-9._-]+$/;
+    if (!safeNamePattern.test(owner) || !safeNamePattern.test(repo)) {
+        console.error('Error: Invalid characters in owner/repo name');
+        process.exit(1);
+    }
     console.log('skrypt review-pr');
     console.log(`  repo:   ${owner}/${repo}`);
     console.log(`  PR:     #${pullNumber}`);
     console.log('');
+    if (options.token) {
+        console.warn('  Warning: Passing tokens via CLI arguments exposes them in shell history.');
+        console.warn('  Prefer: GITHUB_TOKEN env var\n');
+    }
     const token = options.token || process.env.GITHUB_TOKEN;
     if (!token) {
         console.error('Error: GITHUB_TOKEN environment variable or --token required');

package/dist/commands/security.d.ts

@@ -0,0 +1,2 @@
+import { Command } from 'commander';
+export declare const securityCommand: Command;

package/dist/commands/security.js

@@ -0,0 +1,103 @@
+import { Command } from 'commander';
+import { existsSync, statSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { getAuthConfigAsync, getKeyStorageMethod } from '../auth/index.js';
+import { keychainAvailable, getKeychainPlatformName } from '../auth/keychain.js';
+export const securityCommand = new Command('security')
+    .description('Show security and key storage details')
+    .action(async () => {
+    console.log('skrypt security\n');
+    const configDir = join(homedir(), '.skrypt');
+    const authFile = join(configDir, 'auth.json');
+    // 1. Key Storage
+    console.log('  \x1b[1mKey Storage\x1b[0m');
+    const method = await getKeyStorageMethod();
+    const hasKeychain = await keychainAvailable();
+    if (method === 'env') {
+        console.log('  ✓ Using SKRYPT_API_KEY environment variable');
+    }
+    else if (method === 'keychain') {
+        console.log(`  ✓ API key stored in ${getKeychainPlatformName()}`);
+        console.log('    Hardware-backed encryption (Secure Enclave on macOS)');
+    }
+    else if (method === 'file') {
+        console.log(`  ● API key stored in ${authFile}`);
+        console.log('    File permissions: 0600 (owner read/write only)');
+        if (!hasKeychain) {
+            console.log('    \x1b[33mTip: Install @napi-rs/keyring for OS keychain storage\x1b[0m');
+        }
+    }
+    else {
+        console.log('  ○ No API key configured');
+        console.log('    Run: skrypt login');
+    }
+    console.log('');
+    // 2. Data Flow
+    console.log('  \x1b[1mData Flow\x1b[0m');
+    const envKeys = {
+        OPENAI_API_KEY: !!process.env.OPENAI_API_KEY,
+        ANTHROPIC_API_KEY: !!process.env.ANTHROPIC_API_KEY,
+        GOOGLE_API_KEY: !!process.env.GOOGLE_API_KEY,
+        DEEPSEEK_API_KEY: !!process.env.DEEPSEEK_API_KEY,
+    };
+    const hasBYOK = Object.values(envKeys).some(Boolean);
+    if (hasBYOK) {
+        const providers = Object.entries(envKeys)
+            .filter(([, v]) => v)
+            .map(([k]) => k.replace('_API_KEY', '').toLowerCase());
+        console.log(`  ✓ BYOK mode: LLM calls go directly to ${providers.join(', ')}`);
+        console.log('    Your keys never touch Skrypt servers');
+    }
+    else {
+        const config = await getAuthConfigAsync();
+        if (config.apiKey) {
+            console.log('  ● Proxy mode: LLM calls routed through Skrypt API');
+            console.log('    Your Skrypt key authenticates requests');
+        }
+        else {
+            console.log('  ○ No provider keys or Skrypt key configured');
+        }
+    }
+    console.log('');
+    // 3. Server-Side Security
+    console.log('  \x1b[1mServer-Side Security\x1b[0m');
+    console.log('  • API keys hashed with SHA-256 — never stored in plaintext');
+    console.log('  • Encrypted at rest with AES-256 via AWS KMS');
+    console.log('  • TLS 1.3 for all API communication');
+    console.log('');
+    // 4. Permissions
+    console.log('  \x1b[1mPermissions\x1b[0m');
+    if (existsSync(configDir)) {
+        try {
+            const dirStat = statSync(configDir);
+            const dirMode = (dirStat.mode & 0o777).toString(8);
+            console.log(`  ~/.skrypt/         ${dirMode} (${dirMode === '700' ? '✓' : '⚠ expected 700'})`);
+        }
+        catch {
+            console.log('  ~/.skrypt/         unable to read');
+        }
+        if (existsSync(authFile)) {
+            try {
+                const fileStat = statSync(authFile);
+                const fileMode = (fileStat.mode & 0o777).toString(8);
+                console.log(`  ~/.skrypt/auth.json ${fileMode} (${fileMode === '600' ? '✓' : '⚠ expected 600'})`);
+            }
+            catch {
+                console.log('  ~/.skrypt/auth.json unable to read');
+            }
+        }
+    }
+    else {
+        console.log('  ~/.skrypt/ does not exist yet');
+    }
+    console.log('');
+    // 5. Environment
+    console.log('  \x1b[1mEnvironment\x1b[0m');
+    console.log(`  Platform:         ${process.platform}`);
+    console.log(`  OS keychain:      ${hasKeychain ? '✓ available' : '✗ not available'}`);
+    console.log(`  SKRYPT_API_KEY:   ${process.env.SKRYPT_API_KEY ? '✓ set' : '○ not set'}`);
+    console.log(`  OPENAI_API_KEY:   ${process.env.OPENAI_API_KEY ? '✓ set' : '○ not set'}`);
+    console.log(`  ANTHROPIC_API_KEY: ${process.env.ANTHROPIC_API_KEY ? '✓ set' : '○ not set'}`);
+    console.log('');
+});

package/dist/config/loader.js

@@ -36,7 +36,7 @@ function parseConfigFile(filepath) {
     }
     catch (err) {
         throw new Error(`Could not read config file: ${filepath}. ` +
-            (err instanceof Error ? err.message : String(err)));
+            (err instanceof Error ? err.message : String(err)), { cause: err });
     }
     let parsed;
     try {
@@ -45,7 +45,7 @@ function parseConfigFile(filepath) {
     catch (err) {
         throw new Error(`Config file has invalid YAML: ${filepath}. ` +
             `Please check the syntax and try again. ` +
-            (err instanceof Error ? err.message : String(err)));
+            (err instanceof Error ? err.message : String(err)), { cause: err });
     }
     if (parsed === null || parsed === undefined || typeof parsed !== 'object') {
         throw new Error(`Config file is empty or not a valid YAML object: ${filepath}. ` +

package/dist/generator/writer.js

@@ -1,5 +1,5 @@
 import { mkdir, writeFile } from 'fs/promises';
-import { dirname, join, basename, relative } from 'path';
+import { dirname, join, basename, relative, resolve, sep } from 'path';
 import { formatAsMarkdown } from './generator.js';
 import { organizeByTopic, detectCrossReferences, getCrossRefsForElement } from './organizer.js';
 import { slugify } from '../utils/files.js';
@@ -88,6 +88,12 @@ export async function writeDocsToDirectory(results, outputDir, sourceDir) {
         }
         const docFileName = relPath.replace(/\.[^.]+$/, '.md');
         const outputPath = join(outputDir, docFileName);
+        // Double-check resolved path stays within output directory
+        const resolvedOutput = resolve(outputPath);
+        if (!resolvedOutput.startsWith(resolve(outputDir) + sep) && resolvedOutput !== resolve(outputDir)) {
+            console.warn(`Skipping file outside output directory: ${result.filePath}`);
+            continue;
+        }
         // Create subdirectories if needed
         await mkdir(dirname(outputPath), { recursive: true });
         // Generate markdown content
@@ -174,9 +180,12 @@ export async function writeDocsByTopic(docs, outputDir) {
  */
 function formatTopicMarkdown(topic, allCrossRefs) {
     // MDX frontmatter (standard across doc platforms)
+    const safeTitle = topic.name.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\n/g, ' ');
+    const rawDesc = topic.description || `API reference for ${topic.name}`;
+    const safeDesc = rawDesc.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\n/g, ' ');
     let content = `---
-title: "${topic.name}"
-description: "${topic.description || `API reference for ${topic.name}`}"
+title: "${safeTitle}"
+description: "${safeDesc}"
 ---
 
 `;

package/dist/importers/confluence.d.ts

@@ -0,0 +1,5 @@
+import type { ImportResult } from './types.js';
+/**
+ * Import Confluence HTML space export.
+ */
+export declare function importConfluence(dir: string, name?: string): ImportResult;

package/dist/importers/confluence.js

@@ -0,0 +1,137 @@
+import { readFileSync, existsSync, readdirSync, statSync } from 'fs';
+import { join, relative, basename, extname } from 'path';
+import { transformConfluenceCallouts, transformConfluenceHtml, normalizeFrontmatter, } from './transform.js';
+/**
+ * Import Confluence HTML space export.
+ */
+export function importConfluence(dir, name) {
+    const result = createEmptyResult(name);
+    const stats = { callouts: 0, tabs: 0, codeGroups: 0, steps: 0, accordions: 0, images: 0, other: 0 };
+    // Find all HTML files
+    const htmlFiles = findHtmlFiles(dir);
+    if (htmlFiles.length === 0) {
+        result.warnings.push('No .html files found in Confluence export');
+        return result;
+    }
+    const pages = [];
+    for (const filePath of htmlFiles) {
+        // Skip index.html (usually a listing page)
+        if (basename(filePath) === 'index.html')
+            continue;
+        const page = processConfluencePage(dir, filePath, stats, result);
+        if (page)
+            pages.push(page);
+    }
+    if (pages.length > 0) {
+        result.navigation.push({ group: name || 'Documentation', pages });
+    }
+    // Copy attachments
+    const attachmentsDir = join(dir, 'attachments');
+    if (existsSync(attachmentsDir)) {
+        collectAttachments(attachmentsDir, result, stats);
+    }
+    result.stats = {
+        pages: result.files.size,
+        groups: result.navigation.length,
+        transforms: stats,
+    };
+    return result;
+}
+function findHtmlFiles(dir) {
+    const files = [];
+    try {
+        for (const entry of readdirSync(dir)) {
+            const fullPath = join(dir, entry);
+            try {
+                const stat = statSync(fullPath);
+                if (stat.isFile() && extname(entry) === '.html') {
+                    files.push(fullPath);
+                }
+                else if (stat.isDirectory() && !entry.startsWith('.') && entry !== 'attachments') {
+                    files.push(...findHtmlFiles(fullPath));
+                }
+            }
+            catch {
+                continue;
+            }
+        }
+    }
+    catch { /* skip */ }
+    return files;
+}
+function processConfluencePage(dir, filePath, stats, result) {
+    const rawContent = readFileSync(filePath, 'utf-8');
+    let content = rawContent;
+    // Extract body content
+    const bodyMatch = content.match(/<body[^>]*>([\s\S]*)<\/body>/i);
+    if (bodyMatch)
+        content = bodyMatch[1];
+    // Extract title from <title> tag or <h1> (use rawContent to search full HTML)
+    let title = '';
+    const titleMatch = rawContent.match(/<title>([^<]+)<\/title>/i);
+    if (titleMatch)
+        title = titleMatch[1].trim();
+    if (!title) {
+        const h1Match = content.match(/<h1[^>]*>([\s\S]*?)<\/h1>/i);
+        if (h1Match)
+            title = h1Match[1].replace(/<[^>]+>/g, '').trim();
+    }
+    if (!title)
+        title = basename(filePath, '.html').replace(/[-_]/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+    const originalContent = content;
+    // Apply transforms: callouts first, then general HTML conversion
+    content = transformConfluenceCallouts(content);
+    content = transformConfluenceHtml(content);
+    content = normalizeFrontmatter(content, { title });
+    stats.callouts += countNew(originalContent, content, '<Callout');
+    stats.accordions += countNew(originalContent, content, '<Accordion');
+    const rel = relative(dir, filePath);
+    const slug = basename(filePath, '.html').toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+    const outputPath = `content/docs/${slug}.mdx`;
+    result.files.set(outputPath, content);
+    return { title, slug, sourcePath: rel, content };
+}
+function collectAttachments(attachmentsDir, result, stats) {
+    const imgExts = new Set(['.png', '.jpg', '.jpeg', '.gif', '.svg', '.webp']);
+    function walk(dir) {
+        try {
+            for (const entry of readdirSync(dir)) {
+                const fullPath = join(dir, entry);
+                try {
+                    const stat = statSync(fullPath);
+                    if (stat.isDirectory()) {
+                        walk(fullPath);
+                    }
+                    else if (imgExts.has(extname(entry).toLowerCase())) {
+                        const dest = `public/images/${entry}`;
+                        result.assets.set(dest, fullPath);
+                        stats.images++;
+                    }
+                }
+                catch {
+                    continue;
+                }
+            }
+        }
+        catch { /* skip */ }
+    }
+    walk(attachmentsDir);
+}
+function countNew(original, transformed, marker) {
+    const escaped = marker.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const origCount = (original.match(new RegExp(escaped, 'g')) || []).length;
+    const newCount = (transformed.match(new RegExp(escaped, 'g')) || []).length;
+    return Math.max(0, newCount - origCount);
+}
+function createEmptyResult(name) {
+    return {
+        navigation: [],
+        name: name || 'Documentation',
+        description: 'Imported from Confluence',
+        files: new Map(),
+        assets: new Map(),
+        warnings: [],
+        stats: { pages: 0, groups: 0, transforms: { callouts: 0, tabs: 0, codeGroups: 0, steps: 0, accordions: 0, images: 0, other: 0 } },
+        sourceFormat: 'confluence',
+    };
+}

package/dist/importers/detect.d.ts

@@ -0,0 +1,20 @@
+import type { ImportFormat } from './types.js';
+/**
+ * Auto-detect documentation format from a directory by checking marker files.
+ * First match wins (priority order).
+ */
+export declare function detectFormat(dir: string): ImportFormat;
+/**
+ * Check if a string is a GitHub URL
+ */
+export declare function isGitHubUrl(input: string): boolean;
+/**
+ * Parse a GitHub URL into components
+ * Supports: https://github.com/owner/repo/tree/branch/path
+ */
+export declare function parseGitHubUrl(url: string): {
+    owner: string;
+    repo: string;
+    path: string;
+    ref: string;
+};

package/dist/importers/detect.js

@@ -0,0 +1,121 @@
+import { existsSync, readdirSync, readFileSync } from 'fs';
+import { join, extname } from 'path';
+/**
+ * Auto-detect documentation format from a directory by checking marker files.
+ * First match wins (priority order).
+ */
+export function detectFormat(dir) {
+    // 1. Mintlify: mint.json or docs.json with Mintlify structure
+    if (existsSync(join(dir, 'mint.json')))
+        return 'mintlify';
+    if (existsSync(join(dir, 'docs.json'))) {
+        try {
+            const content = JSON.parse(readFileSync(join(dir, 'docs.json'), 'utf-8'));
+            // Mintlify docs.json has navigation with group/pages AND one of: anchors, tabs, topbarCtaButton
+            if (content.navigation && Array.isArray(content.navigation) &&
+                (content.anchors || content.tabs || content.topbarCtaButton || content.topbarLinks)) {
+                return 'mintlify';
+            }
+        }
+        catch { /* not mintlify */ }
+    }
+    // 2. Docusaurus: docusaurus.config.js or .ts
+    if (existsSync(join(dir, 'docusaurus.config.js')) || existsSync(join(dir, 'docusaurus.config.ts'))) {
+        return 'docusaurus';
+    }
+    // 3. GitBook: SUMMARY.md or .gitbook.yaml
+    if (existsSync(join(dir, 'SUMMARY.md')) || existsSync(join(dir, '.gitbook.yaml'))) {
+        return 'gitbook';
+    }
+    // 4. ReadMe: files with [block: syntax or _order.yaml
+    if (hasReadmeMarkers(dir))
+        return 'readme';
+    // 5. Notion: files with <aside> + 32-char hex UUID filenames
+    if (hasNotionMarkers(dir))
+        return 'notion';
+    // 6. Confluence: .html files with <ac:structured-macro
+    if (hasConfluenceMarkers(dir))
+        return 'confluence';
+    // 7. MkDocs (handled by markdown importer)
+    if (existsSync(join(dir, 'mkdocs.yml')))
+        return 'markdown';
+    // 8. Fallback: any .md/.mdx files present
+    return 'markdown';
+}
+function hasReadmeMarkers(dir) {
+    try {
+        const entries = readdirSync(dir, { recursive: true });
+        for (const entry of entries) {
+            const fullPath = join(dir, entry);
+            if (entry === '_order.yaml' || entry.endsWith('/_order.yaml'))
+                return true;
+            if (extname(entry) === '.md') {
+                try {
+                    const content = readFileSync(fullPath, 'utf-8');
+                    if (content.includes('[block:'))
+                        return true;
+                }
+                catch { /* skip */ }
+            }
+        }
+    }
+    catch { /* skip */ }
+    return false;
+}
+function hasNotionMarkers(dir) {
+    const UUID_PATTERN = /[0-9a-f]{32}/;
+    try {
+        const entries = readdirSync(dir);
+        for (const entry of entries) {
+            if (extname(entry) === '.md' && UUID_PATTERN.test(entry)) {
+                try {
+                    const content = readFileSync(join(dir, entry), 'utf-8');
+                    if (content.includes('<aside>'))
+                        return true;
+                }
+                catch { /* skip */ }
+            }
+        }
+    }
+    catch { /* skip */ }
+    return false;
+}
+function hasConfluenceMarkers(dir) {
+    try {
+        const entries = readdirSync(dir);
+        for (const entry of entries) {
+            if (extname(entry) === '.html') {
+                try {
+                    const content = readFileSync(join(dir, entry), 'utf-8');
+                    if (content.includes('<ac:structured-macro'))
+                        return true;
+                }
+                catch { /* skip */ }
+            }
+        }
+    }
+    catch { /* skip */ }
+    return false;
+}
+/**
+ * Check if a string is a GitHub URL
+ */
+export function isGitHubUrl(input) {
+    return /^https?:\/\/(www\.)?github\.com\//.test(input);
+}
+/**
+ * Parse a GitHub URL into components
+ * Supports: https://github.com/owner/repo/tree/branch/path
+ */
+export function parseGitHubUrl(url) {
+    const match = url.match(/^https?:\/\/(www\.)?github\.com\/([^/]+)\/([^/]+)(?:\/tree\/([^/]+)(?:\/(.*))?)?/);
+    if (!match) {
+        throw new Error(`Invalid GitHub URL: ${url}`);
+    }
+    return {
+        owner: match[2],
+        repo: match[3],
+        ref: match[4] || 'main',
+        path: match[5] || '',
+    };
+}

package/dist/importers/docusaurus.d.ts

@@ -0,0 +1,5 @@
+import type { ImportResult } from './types.js';
+/**
+ * Import Docusaurus documentation.
+ */
+export declare function importDocusaurus(dir: string, name?: string): ImportResult;