skrypt-ai 0.4.2 → 0.6.0

package/dist/auth/index.d.ts

@@ -1,4 +1,4 @@
-interface AuthConfig {
+export interface AuthConfig {
     apiKey?: string;
     email?: string;
     plan?: 'free' | 'pro';
@@ -11,9 +11,19 @@ interface PlanCheckResponse {
     expiresAt?: string;
     error?: string;
 }
+/**
+ * Sync auth config reader — checks env var and auth file only (no keychain).
+ * Use getAuthConfigAsync() when keychain access is needed.
+ */
 export declare function getAuthConfig(): AuthConfig;
-export declare function saveAuthConfig(config: AuthConfig): void;
-export declare function clearAuth(): void;
+/**
+ * Async auth config reader — checks env var → keychain → auth file.
+ * This is the preferred method for all command actions.
+ */
+export declare function getAuthConfigAsync(): Promise<AuthConfig>;
+export declare function saveAuthConfig(config: AuthConfig): Promise<void>;
+export declare function clearAuth(): Promise<void>;
+export declare function getKeyStorageMethod(): Promise<'keychain' | 'file' | 'env' | 'none'>;
 export declare function checkPlan(apiKey: string): Promise<PlanCheckResponse>;
 export declare function requirePro(commandName: string): Promise<boolean>;
 export declare const PRO_COMMANDS: string[];

package/dist/auth/index.js

@@ -1,10 +1,57 @@
-import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'fs';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync, unlinkSync } from 'fs';
 import { join } from 'path';
 import { homedir } from 'os';
-const CONFIG_DIR = join(homedir(), '.skrypt');
+import { keychainStore, keychainRetrieve, keychainDelete } from './keychain.js';
+const homeDir = homedir();
+if (!homeDir) {
+    throw new Error('Could not determine home directory');
+}
+const CONFIG_DIR = join(homeDir, '.skrypt');
 const AUTH_FILE = join(CONFIG_DIR, 'auth.json');
 const API_BASE = process.env.SKRYPT_API_URL || 'https://api.skrypt.sh';
+/**
+ * Sync auth config reader — checks env var and auth file only (no keychain).
+ * Use getAuthConfigAsync() when keychain access is needed.
+ */
 export function getAuthConfig() {
+    if (process.env.SKRYPT_API_KEY) {
+        const fileMeta = readAuthFile();
+        return {
+            apiKey: process.env.SKRYPT_API_KEY,
+            email: fileMeta.email,
+            plan: fileMeta.plan,
+            expiresAt: fileMeta.expiresAt,
+        };
+    }
+    return readAuthFile();
+}
+/**
+ * Async auth config reader — checks env var → keychain → auth file.
+ * This is the preferred method for all command actions.
+ */
+export async function getAuthConfigAsync() {
+    if (process.env.SKRYPT_API_KEY) {
+        const fileMeta = readAuthFile();
+        return {
+            apiKey: process.env.SKRYPT_API_KEY,
+            email: fileMeta.email,
+            plan: fileMeta.plan,
+            expiresAt: fileMeta.expiresAt,
+        };
+    }
+    const keychainKey = await keychainRetrieve();
+    if (keychainKey) {
+        const fileMeta = readAuthFile();
+        return {
+            apiKey: keychainKey,
+            email: fileMeta.email,
+            plan: fileMeta.plan,
+            expiresAt: fileMeta.expiresAt,
+        };
+    }
+    return readAuthFile();
+}
+function readAuthFile() {
     if (!existsSync(AUTH_FILE)) {
         return {};
     }
@@ -15,16 +62,49 @@ export function getAuthConfig() {
         return {};
     }
 }
-export function saveAuthConfig(config) {
+export async function saveAuthConfig(config) {
     mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
-    writeFileSync(AUTH_FILE, JSON.stringify(config, null, 2));
+    let keyInKeychain = false;
+    if (config.apiKey) {
+        keyInKeychain = await keychainStore(config.apiKey);
+    }
+    // Write metadata to file (omit key if stored in keychain)
+    const fileConfig = {
+        email: config.email,
+        plan: config.plan,
+        expiresAt: config.expiresAt,
+    };
+    if (!keyInKeychain && config.apiKey) {
+        fileConfig.apiKey = config.apiKey;
+    }
+    // Write with restrictive permissions from the start
+    const content = JSON.stringify(fileConfig, null, 2);
+    writeFileSync(AUTH_FILE, content, { mode: 0o600 });
     chmodSync(AUTH_FILE, 0o600);
 }
-export function clearAuth() {
+export async function clearAuth() {
+    await keychainDelete();
     if (existsSync(AUTH_FILE)) {
-        writeFileSync(AUTH_FILE, '{}');
+        try {
+            unlinkSync(AUTH_FILE);
+        }
+        catch {
+            // Fallback: overwrite with empty
+            writeFileSync(AUTH_FILE, '{}', { mode: 0o600 });
+        }
     }
 }
+export async function getKeyStorageMethod() {
+    if (process.env.SKRYPT_API_KEY)
+        return 'env';
+    const keychainKey = await keychainRetrieve();
+    if (keychainKey)
+        return 'keychain';
+    const fileConfig = readAuthFile();
+    if (fileConfig.apiKey)
+        return 'file';
+    return 'none';
+}
 export async function checkPlan(apiKey) {
     try {
         const response = await fetch(`${API_BASE}/v1/plan`, {
@@ -36,14 +116,26 @@ export async function checkPlan(apiKey) {
         if (!response.ok) {
             return { valid: false, plan: 'free', email: '', error: 'Invalid API key' };
         }
-        return await response.json();
+        const data = await response.json();
+        // Validate response shape
+        if (typeof data.valid !== 'boolean' || typeof data.email !== 'string') {
+            return { valid: false, plan: 'free', email: '', error: 'Invalid API response' };
+        }
+        const plan = data.plan === 'pro' ? 'pro' : 'free';
+        return {
+            valid: data.valid,
+            plan,
+            email: data.email,
+            expiresAt: typeof data.expiresAt === 'string' ? data.expiresAt : undefined,
+            error: typeof data.error === 'string' ? data.error : undefined,
+        };
     }
     catch {
         return { valid: false, plan: 'free', email: '', error: 'Failed to connect to API' };
     }
 }
 export async function requirePro(commandName) {
-    const config = getAuthConfig();
+    const config = await getAuthConfigAsync();
     if (!config.apiKey) {
         console.error(`\n  ⚡ ${commandName} requires Skrypt Pro\n`);
         console.error('  Get started:');
@@ -71,7 +163,7 @@ export async function requirePro(commandName) {
         return false;
     }
     // Cache the result for 1 hour
-    saveAuthConfig({
+    await saveAuthConfig({
         ...config,
         plan: result.plan,
         email: result.email,

package/dist/auth/keychain.d.ts

@@ -0,0 +1,5 @@
+export declare function keychainAvailable(): Promise<boolean>;
+export declare function keychainStore(key: string): Promise<boolean>;
+export declare function keychainRetrieve(): Promise<string | null>;
+export declare function keychainDelete(): Promise<boolean>;
+export declare function getKeychainPlatformName(): string;

package/dist/auth/keychain.js

@@ -0,0 +1,82 @@
+const SERVICE_NAME = 'skrypt';
+const ACCOUNT_NAME = 'api-key';
+let keyringLoadPromise = null;
+async function loadKeyring() {
+    // Use a shared promise to prevent race conditions — only one import attempt
+    if (keyringLoadPromise)
+        return keyringLoadPromise;
+    keyringLoadPromise = doLoadKeyring();
+    return keyringLoadPromise;
+}
+async function doLoadKeyring() {
+    try {
+        // Dynamic import — @napi-rs/keyring is an optional dependency.
+        // Using indirect import to avoid TypeScript compile error for missing module.
+        const moduleName = '@napi-rs/keyring';
+        const mod = await import(/* webpackIgnore: true */ moduleName);
+        return mod;
+    }
+    catch {
+        return null;
+    }
+}
+export async function keychainAvailable() {
+    const mod = await loadKeyring();
+    if (!mod)
+        return false;
+    try {
+        const entry = new mod.Entry(SERVICE_NAME, ACCOUNT_NAME);
+        // Actually test that keychain is functional by attempting a read
+        entry.getPassword();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function keychainStore(key) {
+    const mod = await loadKeyring();
+    if (!mod)
+        return false;
+    try {
+        const entry = new mod.Entry(SERVICE_NAME, ACCOUNT_NAME);
+        entry.setPassword(key);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function keychainRetrieve() {
+    const mod = await loadKeyring();
+    if (!mod)
+        return null;
+    try {
+        const entry = new mod.Entry(SERVICE_NAME, ACCOUNT_NAME);
+        const password = entry.getPassword();
+        return password || null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function keychainDelete() {
+    const mod = await loadKeyring();
+    if (!mod)
+        return false;
+    try {
+        const entry = new mod.Entry(SERVICE_NAME, ACCOUNT_NAME);
+        entry.deletePassword();
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function getKeychainPlatformName() {
+    switch (process.platform) {
+        case 'darwin': return 'macOS Keychain';
+        case 'win32': return 'Windows Credential Manager';
+        default: return 'system keyring (libsecret)';
+    }
+}

package/dist/auth/notices.d.ts

@@ -0,0 +1,3 @@
+export declare function hasSeenNotice(id: string): boolean;
+export declare function markNoticeSeen(id: string): void;
+export declare function showSecurityNotice(): void;

package/dist/auth/notices.js

@@ -0,0 +1,42 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+const CONFIG_DIR = join(homedir(), '.skrypt');
+const NOTICES_FILE = join(CONFIG_DIR, 'notices.json');
+function loadNotices() {
+    if (!existsSync(NOTICES_FILE))
+        return { seen: {} };
+    try {
+        return JSON.parse(readFileSync(NOTICES_FILE, 'utf-8'));
+    }
+    catch {
+        return { seen: {} };
+    }
+}
+function saveNotices(state) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    writeFileSync(NOTICES_FILE, JSON.stringify(state, null, 2));
+}
+export function hasSeenNotice(id) {
+    const state = loadNotices();
+    return id in state.seen;
+}
+export function markNoticeSeen(id) {
+    const state = loadNotices();
+    state.seen[id] = new Date().toISOString();
+    saveNotices(state);
+}
+export function showSecurityNotice() {
+    if (hasSeenNotice('security-v1'))
+        return;
+    console.log('');
+    console.log('  \x1b[36m🔒 Security Notice\x1b[0m');
+    console.log('');
+    console.log('  Your API keys are stored locally and never sent to Skrypt.');
+    console.log('  When using your own keys (OPENAI_API_KEY, etc.), LLM calls');
+    console.log('  go directly to the provider — they never touch our servers.');
+    console.log('');
+    console.log('  Run \x1b[1mskrypt security\x1b[0m for full details.');
+    console.log('');
+    markNoticeSeen('security-v1');
+}

package/dist/autofix/index.d.ts

@@ -32,10 +32,6 @@ export interface ValidationResult {
  * Auto-fix a code example using LLM
  */
 export declare function autoFixExample(example: CodeExample, client: LLMClient, options?: AutoFixOptions): Promise<FixResult>;
-/**
- * Batch auto-fix multiple examples
- */
-export declare function autoFixBatch(examples: CodeExample[], client: LLMClient, options?: AutoFixOptions): Promise<Map<number, FixResult>>;
 /**
  * Create a TypeScript validator using tsc
  */

package/dist/autofix/index.js

@@ -137,34 +137,20 @@ function extractCode(response, language) {
     const genericMatch = response.match(/```\w*\n([\s\S]*?)\n```/);
     if (genericMatch?.[1])
         return genericMatch[1].trim();
-    // Try to find code without block
+    // Try to find code without block — only accept if it looks like actual code
     const lines = response.split('\n');
     const codeLines = lines.filter(line => {
         const trimmed = line.trim();
         return trimmed && !trimmed.startsWith('#') && !trimmed.startsWith('//');
     });
-    return codeLines.length > 0 ? codeLines.join('\n') : null;
-}
-/**
- * Batch auto-fix multiple examples
- */
-export async function autoFixBatch(examples, client, options = {}) {
-    const results = new Map();
-    for (let i = 0; i < examples.length; i++) {
-        const example = examples[i];
-        if (!example)
-            continue;
-        console.log(`  [${i + 1}/${examples.length}] Fixing ${example.language} example...`);
-        const result = await autoFixExample(example, client, options);
-        results.set(i, result);
-        if (result.success) {
-            console.log(`    ✓ Fixed in ${result.iterations} iteration(s)`);
-        }
-        else {
-            console.log(`    ✗ Could not fix after ${result.iterations} iteration(s)`);
-        }
-    }
-    return results;
+    if (codeLines.length === 0)
+        return null;
+    const joined = codeLines.join('\n');
+    // Require at least some code-like tokens to avoid returning prose as code
+    const codeTokens = /[=(){}[\];:,]|def |class |function |const |let |var |import |from |return /;
+    if (!codeTokens.test(joined))
+        return null;
+    return joined;
 }
 /**
  * Create a TypeScript validator using tsc
@@ -212,7 +198,7 @@ export function createPythonValidator() {
             const { randomUUID } = await import('crypto');
             // Use crypto.randomUUID() to avoid timestamp collisions
             const tempFile = join(tmpdir(), `autofix_${randomUUID()}.py`);
-            writeFileSync(tempFile, code);
+            writeFileSync(tempFile, code, { mode: 0o600 });
             try {
                 // Use spawnSync with array args to avoid command injection
                 const result = spawnSync('python3', ['-m', 'py_compile', tempFile], {

package/dist/capture/browser.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Playwright wrapper for screenshot capture.
+ *
+ * Dynamically imports Playwright (optional dependency).
+ * Only allows localhost URLs by default for security.
+ */
+import type { ScreenshotDirective, ScreenshotResult, CaptureOptions } from './types.js';
+/**
+ * Capture screenshots for a batch of directives.
+ */
+export declare function captureScreenshots(directives: ScreenshotDirective[], options: CaptureOptions): Promise<ScreenshotResult[]>;

package/dist/capture/browser.js

@@ -0,0 +1,173 @@
+/**
+ * Playwright wrapper for screenshot capture.
+ *
+ * Dynamically imports Playwright (optional dependency).
+ * Only allows localhost URLs by default for security.
+ */
+import { screenshotFilename, darkVariantFilename } from './naming.js';
+import { computeHash } from './diff.js';
+const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);
+/**
+ * Dynamically import Playwright. Exits with clear instructions if not installed.
+ */
+async function ensurePlaywright() {
+    try {
+        // Dynamic import — playwright is optional
+        const mod = await Function('return import("playwright")')();
+        return mod;
+    }
+    catch {
+        throw new Error('Playwright is required for screenshot capture. Install it: npx playwright install chromium');
+    }
+}
+/**
+ * Validate that a URL is on an allowed host (localhost by default).
+ */
+function validateUrl(url) {
+    try {
+        const parsed = new URL(url);
+        return { valid: ALLOWED_HOSTS.has(parsed.hostname), host: parsed.hostname };
+    }
+    catch {
+        return { valid: false, host: '' };
+    }
+}
+/**
+ * Capture screenshots for a batch of directives.
+ */
+export async function captureScreenshots(directives, options) {
+    const pw = await ensurePlaywright();
+    const results = [];
+    const browser = await pw.chromium.launch({ headless: true });
+    try {
+        // Process with concurrency limit
+        const chunks = [];
+        for (let i = 0; i < directives.length; i += options.concurrency) {
+            chunks.push(directives.slice(i, i + options.concurrency));
+        }
+        for (const chunk of chunks) {
+            const chunkResults = await Promise.all(chunk.map(directive => captureOne(browser, directive, options, pw)));
+            results.push(...chunkResults);
+        }
+    }
+    finally {
+        await browser.close();
+    }
+    return results;
+}
+/**
+ * Capture a single screenshot.
+ */
+async function captureOne(browser, directive, options, pw) {
+    const start = Date.now();
+    const filename = screenshotFilename(directive.url, directive.selector);
+    // Security check
+    const { valid, host } = validateUrl(directive.url);
+    if (!valid) {
+        return {
+            directive,
+            filename,
+            status: 'failed',
+            error: `URL host "${host}" not allowed. Only localhost, 127.0.0.1, and ::1 are permitted.`,
+            duration: Date.now() - start,
+        };
+    }
+    // Build context options
+    const contextOpts = {
+        viewport: options.viewport,
+    };
+    // Device emulation
+    if (options.device) {
+        const device = pw.devices[options.device];
+        if (device) {
+            contextOpts.viewport = device.viewport;
+            contextOpts.userAgent = device.userAgent;
+            contextOpts.deviceScaleFactor = device.deviceScaleFactor;
+            contextOpts.isMobile = device.isMobile;
+            contextOpts.hasTouch = device.hasTouch;
+        }
+    }
+    const context = await browser.newContext(contextOpts);
+    const page = await context.newPage();
+    try {
+        // Navigate
+        await page.goto(directive.url, {
+            waitUntil: 'networkidle',
+            timeout: options.timeout,
+        });
+        // Wait for settle time
+        await page.waitForTimeout(options.wait);
+        // Capture light mode screenshot
+        let buffer;
+        if (directive.selector) {
+            const locator = page.locator(directive.selector);
+            const visible = await locator.isVisible();
+            if (!visible) {
+                return {
+                    directive,
+                    filename,
+                    status: 'failed',
+                    error: `Selector "${directive.selector}" not found or not visible on ${directive.url}`,
+                    duration: Date.now() - start,
+                };
+            }
+            buffer = await locator.screenshot({ type: 'png' });
+        }
+        else {
+            buffer = await page.screenshot({ fullPage: true, type: 'png' });
+        }
+        const hash = computeHash(buffer);
+        const result = {
+            directive,
+            filename,
+            status: 'captured',
+            hash,
+            duration: Date.now() - start,
+        };
+        // Dark mode capture
+        if (options.dark) {
+            try {
+                await page.emulateMedia({ colorScheme: 'dark' });
+                await page.evaluate(() => {
+                    document.documentElement.classList.add('dark');
+                });
+                await page.waitForTimeout(500);
+                let darkBuffer;
+                if (directive.selector) {
+                    darkBuffer = await page.locator(directive.selector).screenshot({ type: 'png' });
+                }
+                else {
+                    darkBuffer = await page.screenshot({ fullPage: true, type: 'png' });
+                }
+                result.darkFilename = darkVariantFilename(filename);
+                result._buffers = {
+                    light: buffer,
+                    dark: darkBuffer,
+                };
+            }
+            catch {
+                // Dark mode capture failed — continue with light only
+            }
+        }
+        // Store light buffer for the orchestrator
+        if (!result._buffers) {
+            ;
+            result._buffer = buffer;
+        }
+        return result;
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            directive,
+            filename,
+            status: 'failed',
+            error: message,
+            duration: Date.now() - start,
+        };
+    }
+    finally {
+        await page.close();
+        await context.close();
+    }
+}

package/dist/capture/diff.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Hash-based change detection for screenshots.
+ *
+ * Stores SHA-256 hashes in .skrypt/screenshot-hashes.json (project root).
+ * Used with --diff flag to skip re-capturing unchanged screenshots.
+ */
+export type HashStore = Record<string, string>;
+/**
+ * Compute SHA-256 hash of a buffer.
+ */
+export declare function computeHash(buffer: Buffer): string;
+/**
+ * Load the hash store from .skrypt/screenshot-hashes.json in the project directory.
+ */
+export declare function loadHashStore(projectDir: string): HashStore;
+/**
+ * Save the hash store to .skrypt/screenshot-hashes.json in the project directory.
+ */
+export declare function saveHashStore(projectDir: string, store: HashStore): void;
+/**
+ * Check if a screenshot has changed based on its hash.
+ */
+export declare function hasChanged(filename: string, newHash: string, store: HashStore): boolean;

package/dist/capture/diff.js

@@ -0,0 +1,52 @@
+/**
+ * Hash-based change detection for screenshots.
+ *
+ * Stores SHA-256 hashes in .skrypt/screenshot-hashes.json (project root).
+ * Used with --diff flag to skip re-capturing unchanged screenshots.
+ */
+import { createHash } from 'crypto';
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+const HASH_FILE = 'screenshot-hashes.json';
+const STORE_DIR = '.skrypt';
+/**
+ * Compute SHA-256 hash of a buffer.
+ */
+export function computeHash(buffer) {
+    return createHash('sha256').update(buffer).digest('hex');
+}
+/**
+ * Load the hash store from .skrypt/screenshot-hashes.json in the project directory.
+ */
+export function loadHashStore(projectDir) {
+    const storePath = join(projectDir, STORE_DIR, HASH_FILE);
+    if (!existsSync(storePath)) {
+        return {};
+    }
+    try {
+        const content = readFileSync(storePath, 'utf-8');
+        const parsed = JSON.parse(content);
+        if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
+            return parsed;
+        }
+        return {};
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Save the hash store to .skrypt/screenshot-hashes.json in the project directory.
+ */
+export function saveHashStore(projectDir, store) {
+    const storeDir = join(projectDir, STORE_DIR);
+    mkdirSync(storeDir, { recursive: true });
+    const storePath = join(storeDir, HASH_FILE);
+    writeFileSync(storePath, JSON.stringify(store, null, 2), 'utf-8');
+}
+/**
+ * Check if a screenshot has changed based on its hash.
+ */
+export function hasChanged(filename, newHash, store) {
+    return store[filename] !== newHash;
+}

package/dist/capture/index.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Screenshot capture orchestrator.
+ *
+ * Coordinates MDX parsing, browser capture, diff detection, and file output.
+ */
+import type { CaptureOptions, CaptureReport } from './types.js';
+export type { CaptureOptions, CaptureReport } from './types.js';
+/**
+ * Run the screenshot capture pipeline.
+ *
+ * 1. Find all MDX files in docsDir
+ * 2. Parse <Screenshot> directives from each
+ * 3. Validate base URL reachability
+ * 4. Capture screenshots via headless browser
+ * 5. Compare hashes for --diff mode
+ * 6. Write changed files to outputDir
+ * 7. Write manifest and hash store
+ */
+export declare function runCapture(docsDir: string, options: CaptureOptions): Promise<CaptureReport>;
+/**
+ * Print a capture report to stdout.
+ */
+export declare function printCaptureReport(report: CaptureReport): void;