sliccy 1.54.0 → 1.55.0

package/README.md

@@ -155,6 +155,12 @@ To use SLICC, you need an LLM provider. SLICC is very much a BYOT (bring your ow
 
 The other providers are in YMMV territory. Please file an issue if you find them working or broken.
 
+## Secrets
+
+SLICC can safely manage API keys, tokens, and credentials with domain-scoped injection. The agent never sees real secret values — only masked placeholders — and secrets are only injected into requests destined for authorized domains. This protects against prompt-injection attacks that try to exfiltrate credentials.
+
+See [docs/secrets.md](docs/secrets.md) for setup instructions.
+
 ## Related projects and lineage
 
 SLICC is part of the [AI Ecoverse](https://github.com/ai-ecoverse), a growing set of AI-native tools and workflows. Its distinctive angle is simple: browser-native, practical, and job-oriented.
@@ -173,5 +179,6 @@ If you want to go deeper, the detailed docs live here:
 - [Architecture](docs/architecture.md)
 - [Testing](docs/testing.md)
 - [Shell reference](docs/shell-reference.md)
+- [Secrets](docs/secrets.md)
 - [Adding features](docs/adding-features.md)
 - [Electron notes](docs/electron.md)

package/dist/node-server/index.js

@@ -14,6 +14,8 @@ import { resolveCliBrowserLaunchUrl } from './launch-url.js';
 import { parseCliRuntimeFlags } from './runtime-flags.js';
 import { FileLogger } from './file-logger.js';
 import { CliLogDedup } from './cli-log-dedup.js';
+import { EnvSecretStore } from './secrets/env-secret-store.js';
+import { SecretProxyManager } from './secrets/proxy-manager.js';
 const __dirname = fileURLToPath(new URL('.', import.meta.url));
 const PROJECT_ROOT = resolve(__dirname, '..', '..');
 const RUNTIME_FLAGS = parseCliRuntimeFlags(process.argv.slice(2));
@@ -483,6 +485,16 @@ async function main() {
         });
     }
     // 3. Set up express app with request logging
+    const secretProxy = new SecretProxyManager();
+    try {
+        await secretProxy.reload();
+        if (secretProxy.hasSecrets()) {
+            console.log(`Loaded ${secretProxy.getMaskedEntries().length} secrets for fetch-proxy injection`);
+        }
+    }
+    catch (err) {
+        console.warn('Failed to load secrets:', err instanceof Error ? err.message : err);
+    }
     const app = express();
     app.use(requestLogger);
     // ---------------------------------------------------------------------------
@@ -755,6 +767,33 @@ async function main() {
         broadcastLickEvent({ type: 'handoff_event', payload });
         res.json({ ok: true });
     });
+    // Secret management API — direct .env file access (no browser needed)
+    const secretStore = new EnvSecretStore(RUNTIME_FLAGS.envFile ?? undefined);
+    app.get('/api/secrets', (_req, res) => {
+        try {
+            const entries = secretStore.list();
+            res.json(entries);
+        }
+        catch (err) {
+            res
+                .status(500)
+                .json({ error: err instanceof Error ? err.message : 'Failed to list secrets' });
+        }
+    });
+    // Masked secrets endpoint — returns name + maskedValue pairs for shell env population.
+    // The browser fetches this at shell init to populate env vars with masked values.
+    // Real values are never exposed; only deterministic session-scoped masks.
+    app.get('/api/secrets/masked', (_req, res) => {
+        try {
+            const entries = secretProxy.getMaskedEntries();
+            res.json(entries);
+        }
+        catch (err) {
+            res
+                .status(500)
+                .json({ error: err instanceof Error ? err.message : 'Failed to get masked secrets' });
+        }
+    });
     // Fetch proxy — forwards cross-origin requests from the browser to bypass CORS.
     // Used by just-bash's curl which calls the browser's fetch() API.
     // Note: express.json() may have already parsed the body, so we check req.body first.
@@ -852,9 +891,37 @@ async function main() {
             // Without this, Cloudflare may Brotli-compress the response, the proxy strips
             // Content-Encoding (line below), and the browser receives compressed garbage.
             headers['accept-encoding'] = 'identity';
+            // --- Secret injection: unmask headers ---
+            let targetHostname;
+            try {
+                targetHostname = new URL(targetUrl).hostname;
+            }
+            catch {
+                targetHostname = '';
+            }
+            if (secretProxy.hasSecrets()) {
+                // Unmask request headers (replace masked values with real, validate domain)
+                const headerResult = secretProxy.unmaskHeaders(headers, targetHostname);
+                if (headerResult.forbidden) {
+                    res.status(403).json({
+                        error: `Secret "${headerResult.forbidden.secretName}" is not allowed for domain "${headerResult.forbidden.hostname}"`,
+                    });
+                    return;
+                }
+            }
             if (Object.keys(headers).length > 0)
                 fetchInit.headers = headers;
             if (rawBody.length > 0 && !['GET', 'HEAD'].includes(req.method)) {
+                // --- Secret injection: unmask request body ---
+                // Body uses unmaskBody: domain mismatches leave the masked value as-is
+                // (safe/meaningless) rather than rejecting. This avoids false 403s when
+                // LLM conversation context contains masked secrets sent to non-matching
+                // domains like Bedrock.
+                if (secretProxy.hasSecrets()) {
+                    const bodyStr = rawBody.toString('utf-8');
+                    const bodyResult = secretProxy.unmaskBody(bodyStr, targetHostname);
+                    rawBody = Buffer.from(bodyResult.text, 'utf-8');
+                }
                 // Buffer extends Uint8Array which is a valid fetch body at runtime.
                 fetchInit.body = rawBody;
             }
@@ -876,16 +943,24 @@ async function main() {
                     lower !== 'www-authenticate' &&
                     lower !== 'set-cookie' &&
                     !lower.startsWith('x-proxy-')) {
-                    res.setHeader(k, v);
+                    // Scrub real secret values from response headers
+                    res.setHeader(k, secretProxy.scrubResponse(v));
                 }
             });
             if (setCookieValues.length > 0) {
-                res.setHeader('X-Proxy-Set-Cookie', JSON.stringify(setCookieValues));
+                res.setHeader('X-Proxy-Set-Cookie', secretProxy.scrubResponse(JSON.stringify(setCookieValues)));
             }
-            // Send body as raw binary - explicitly set content-length and use end()
-            // instead of send() to avoid any Express middleware transformations
+            // Send body — scrub real secret values from response body (text-only)
             const body = await upstream.arrayBuffer();
-            const buffer = Buffer.from(body);
+            let buffer = Buffer.from(body);
+            if (secretProxy.hasSecrets()) {
+                const ct = (upstream.headers.get('content-type') ?? '').toLowerCase();
+                const isText = ct.startsWith('text/') || ct.startsWith('application/json') || ct.includes('charset=');
+                if (isText) {
+                    const scrubbed = secretProxy.scrubResponse(buffer.toString('utf-8'));
+                    buffer = Buffer.from(scrubbed, 'utf-8');
+                }
+            }
             res.setHeader('Content-Length', buffer.length);
             res.end(buffer);
         }

package/dist/node-server/runtime-flags.d.ts

@@ -17,6 +17,8 @@ export interface CliRuntimeFlags {
     logDir: string | null;
     /** Initial prompt to auto-submit when the UI loads */
     prompt: string | null;
+    /** Path to a .env file for secrets */
+    envFile: string | null;
     version: boolean;
 }
 export declare const DEFAULT_CLI_CDP_PORT = 9222;

package/dist/node-server/runtime-flags.js

@@ -20,6 +20,7 @@ export function parseCliRuntimeFlags(argv) {
     let logLevel = 'info';
     let logDir = null;
     let prompt = null;
+    let envFile = null;
     let version = false;
     for (let index = 0; index < argv.length; index += 1) {
         const arg = argv[index];
@@ -66,6 +67,18 @@ export function parseCliRuntimeFlags(argv) {
             }
             continue;
         }
+        if (arg.startsWith('--env-file=')) {
+            envFile = arg.slice('--env-file='.length) || null;
+            continue;
+        }
+        if (arg === '--env-file') {
+            const nextArg = argv[index + 1];
+            if (nextArg && !nextArg.startsWith('--')) {
+                envFile = nextArg;
+                index += 1;
+            }
+            continue;
+        }
         if (arg === '--electron') {
             electron = true;
             const nextArg = argv[index + 1];
@@ -156,6 +169,7 @@ export function parseCliRuntimeFlags(argv) {
         logLevel,
         logDir,
         prompt,
+        envFile,
         version,
     };
 }

package/dist/node-server/secrets/domain-match.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Domain glob matching for secret domain allowlists.
+ *
+ * Supports patterns like:
+ * - `api.github.com` — exact match
+ * - `*.github.com`   — matches any subdomain of github.com
+ * - `*`              — matches any domain
+ */
+/**
+ * Check if a hostname matches a domain glob pattern.
+ *
+ * @param hostname - The hostname to check (e.g., "api.github.com")
+ * @param pattern  - The glob pattern (e.g., "*.github.com")
+ * @returns true if the hostname matches the pattern
+ */
+export declare function matchDomain(hostname: string, pattern: string): boolean;
+/**
+ * Check if a hostname matches any pattern in a list of domain globs.
+ */
+export declare function matchesDomains(hostname: string, patterns: string[]): boolean;

package/dist/node-server/secrets/domain-match.js

@@ -0,0 +1,37 @@
+/**
+ * Domain glob matching for secret domain allowlists.
+ *
+ * Supports patterns like:
+ * - `api.github.com` — exact match
+ * - `*.github.com`   — matches any subdomain of github.com
+ * - `*`              — matches any domain
+ */
+/**
+ * Check if a hostname matches a domain glob pattern.
+ *
+ * @param hostname - The hostname to check (e.g., "api.github.com")
+ * @param pattern  - The glob pattern (e.g., "*.github.com")
+ * @returns true if the hostname matches the pattern
+ */
+export function matchDomain(hostname, pattern) {
+    const h = hostname.toLowerCase();
+    const p = pattern.toLowerCase();
+    // Wildcard matches everything
+    if (p === '*')
+        return true;
+    // Exact match
+    if (h === p)
+        return true;
+    // Glob match: *.example.com matches sub.example.com but not example.com
+    if (p.startsWith('*.')) {
+        const suffix = p.slice(1); // ".example.com"
+        return h.endsWith(suffix) && h.length > suffix.length;
+    }
+    return false;
+}
+/**
+ * Check if a hostname matches any pattern in a list of domain globs.
+ */
+export function matchesDomains(hostname, patterns) {
+    return patterns.some((pattern) => matchDomain(hostname, pattern));
+}

package/dist/node-server/secrets/env-file.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Simple .env parser and writer — no external dependencies.
+ *
+ * Supports:
+ * - KEY=VALUE lines (no quoting required)
+ * - Single- and double-quoted values (quotes stripped)
+ * - Comment lines starting with #
+ * - Blank lines and comments are stripped on round-trip
+ */
+export interface EnvEntry {
+    key: string;
+    value: string;
+}
+/**
+ * Parse .env file content into key-value pairs.
+ * Blank lines and comments are skipped.
+ */
+export declare function parseEnvFile(content: string): EnvEntry[];
+/**
+ * Serialize key-value pairs back to .env format.
+ * Values containing spaces, #, or quotes are double-quoted.
+ */
+export declare function serializeEnvFile(entries: EnvEntry[]): string;

package/dist/node-server/secrets/env-file.js

@@ -0,0 +1,48 @@
+/**
+ * Simple .env parser and writer — no external dependencies.
+ *
+ * Supports:
+ * - KEY=VALUE lines (no quoting required)
+ * - Single- and double-quoted values (quotes stripped)
+ * - Comment lines starting with #
+ * - Blank lines and comments are stripped on round-trip
+ */
+/**
+ * Parse .env file content into key-value pairs.
+ * Blank lines and comments are skipped.
+ */
+export function parseEnvFile(content) {
+    const entries = [];
+    for (const raw of content.split('\n')) {
+        const line = raw.trim();
+        if (line === '' || line.startsWith('#'))
+            continue;
+        const eqIndex = line.indexOf('=');
+        if (eqIndex === -1)
+            continue; // malformed line, skip
+        const key = line.slice(0, eqIndex).trim();
+        let value = line.slice(eqIndex + 1).trim();
+        // Strip matching quotes
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        if (key) {
+            entries.push({ key, value });
+        }
+    }
+    return entries;
+}
+/**
+ * Serialize key-value pairs back to .env format.
+ * Values containing spaces, #, or quotes are double-quoted.
+ */
+export function serializeEnvFile(entries) {
+    const lines = [];
+    for (const { key, value } of entries) {
+        const needsQuoting = /[\s#"']/.test(value);
+        const serialized = needsQuoting ? `"${value.replace(/"/g, '\\"')}"` : value;
+        lines.push(`${key}=${serialized}`);
+    }
+    return lines.join('\n') + '\n';
+}

package/dist/node-server/secrets/env-secret-store.d.ts

@@ -0,0 +1,19 @@
+/**
+ * SecretStore implementation backed by a .env file.
+ *
+ * Default location: ~/.slicc/secrets.env
+ * Override via SLICC_SECRETS_FILE env var.
+ *
+ * File is created with mode 0600 if it doesn't exist.
+ */
+import type { Secret, SecretEntry, SecretStore } from './types.js';
+export declare class EnvSecretStore implements SecretStore {
+    private readonly filePath;
+    constructor(filePath?: string);
+    get(name: string): Secret | null;
+    set(name: string, value: string, domains: string[]): void;
+    delete(name: string): void;
+    list(): SecretEntry[];
+    private readEntries;
+    private writeEntries;
+}

package/dist/node-server/secrets/env-secret-store.js

@@ -0,0 +1,101 @@
+/**
+ * SecretStore implementation backed by a .env file.
+ *
+ * Default location: ~/.slicc/secrets.env
+ * Override via SLICC_SECRETS_FILE env var.
+ *
+ * File is created with mode 0600 if it doesn't exist.
+ */
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { parseEnvFile, serializeEnvFile } from './env-file.js';
+const DOMAINS_SUFFIX = '_DOMAINS';
+const DEFAULT_PATH = resolve(homedir(), '.slicc', 'secrets.env');
+const FILE_MODE = 0o600;
+export class EnvSecretStore {
+    filePath;
+    constructor(filePath) {
+        this.filePath = filePath ?? process.env['SLICC_SECRETS_FILE'] ?? DEFAULT_PATH;
+    }
+    get(name) {
+        const entries = this.readEntries();
+        const valueEntry = entries.find((e) => e.key === name);
+        const domainsEntry = entries.find((e) => e.key === name + DOMAINS_SUFFIX);
+        if (!valueEntry || !domainsEntry)
+            return null;
+        const domains = parseDomains(domainsEntry.value);
+        if (domains.length === 0)
+            return null;
+        return { name, value: valueEntry.value, domains };
+    }
+    set(name, value, domains) {
+        if (domains.length === 0) {
+            throw new Error(`Secret "${name}" must have at least one authorized domain`);
+        }
+        const entries = this.readEntries();
+        const domainsKey = name + DOMAINS_SUFFIX;
+        upsertEntry(entries, name, value);
+        upsertEntry(entries, domainsKey, domains.join(','));
+        this.writeEntries(entries);
+    }
+    delete(name) {
+        const entries = this.readEntries();
+        const domainsKey = name + DOMAINS_SUFFIX;
+        const filtered = entries.filter((e) => e.key !== name && e.key !== domainsKey);
+        this.writeEntries(filtered);
+    }
+    list() {
+        const entries = this.readEntries();
+        const result = [];
+        for (const entry of entries) {
+            if (entry.key.endsWith(DOMAINS_SUFFIX))
+                continue;
+            const domainsEntry = entries.find((e) => e.key === entry.key + DOMAINS_SUFFIX);
+            if (!domainsEntry)
+                continue; // no _DOMAINS → skip (rejected)
+            const domains = parseDomains(domainsEntry.value);
+            if (domains.length > 0) {
+                result.push({ name: entry.key, domains });
+            }
+        }
+        return result;
+    }
+    // -- internal helpers --
+    readEntries() {
+        if (!existsSync(this.filePath))
+            return [];
+        const content = readFileSync(this.filePath, 'utf-8');
+        return parseEnvFile(content);
+    }
+    writeEntries(entries) {
+        const dir = dirname(this.filePath);
+        if (!existsSync(dir)) {
+            mkdirSync(dir, { recursive: true });
+        }
+        const content = serializeEnvFile(entries);
+        writeFileSync(this.filePath, content, { mode: FILE_MODE });
+        // Ensure permissions even if file already existed
+        try {
+            chmodSync(this.filePath, FILE_MODE);
+        }
+        catch {
+            // chmod may fail on some platforms (Windows); best-effort
+        }
+    }
+}
+function parseDomains(value) {
+    return value
+        .split(',')
+        .map((d) => d.trim())
+        .filter((d) => d.length > 0);
+}
+function upsertEntry(entries, key, value) {
+    const idx = entries.findIndex((e) => e.key === key);
+    if (idx >= 0) {
+        entries[idx] = { key, value };
+    }
+    else {
+        entries.push({ key, value });
+    }
+}

package/dist/node-server/secrets/index.d.ts

@@ -0,0 +1,5 @@
+export type { Secret, SecretEntry, SecretStore } from './types.js';
+export { EnvSecretStore } from './env-secret-store.js';
+export { matchDomain, matchesDomains } from './domain-match.js';
+export { parseEnvFile, serializeEnvFile } from './env-file.js';
+export { SecretProxyManager, type MaskedSecret } from './proxy-manager.js';

package/dist/node-server/secrets/index.js

@@ -0,0 +1,4 @@
+export { EnvSecretStore } from './env-secret-store.js';
+export { matchDomain, matchesDomains } from './domain-match.js';
+export { parseEnvFile, serializeEnvFile } from './env-file.js';
+export { SecretProxyManager } from './proxy-manager.js';

package/dist/node-server/secrets/masking.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Secret masking engine for the node-server fetch proxy.
+ *
+ * This is a Node-specific copy of the core masking logic from
+ * packages/webapp/src/core/secret-masking.ts. Both must stay in sync.
+ *
+ * Uses Node's crypto.subtle (available since Node 15).
+ */
+/**
+ * Produce a deterministic, format-preserving masked value.
+ */
+export declare function mask(sessionId: string, secretName: string, realValue: string): Promise<string>;
+export interface SecretPair {
+    realValue: string;
+    maskedValue: string;
+}
+/**
+ * Build a reusable scrubber function that replaces every occurrence
+ * of any `realValue` with its `maskedValue`.
+ */
+export declare function buildScrubber(secrets: SecretPair[]): (text: string) => string;

package/dist/node-server/secrets/masking.js

@@ -0,0 +1,82 @@
+/**
+ * Secret masking engine for the node-server fetch proxy.
+ *
+ * This is a Node-specific copy of the core masking logic from
+ * packages/webapp/src/core/secret-masking.ts. Both must stay in sync.
+ *
+ * Uses Node's crypto.subtle (available since Node 15).
+ */
+import { subtle } from 'node:crypto';
+// ---------- Known token prefixes ----------
+const KNOWN_PREFIXES = [
+    'ghp_',
+    'gho_',
+    'ghu_',
+    'ghs_',
+    'ghr_',
+    'github_pat_',
+    'sk-',
+    'pk-',
+    'xoxb-',
+    'xoxp-',
+    'xoxa-',
+    'xoxs-',
+    'AKIA',
+    'ABIA',
+    'ACCA',
+    'ASIA',
+    'sk-ant-',
+    'Bearer ',
+];
+const SORTED_PREFIXES = [...KNOWN_PREFIXES].sort((a, b) => b.length - a.length);
+function detectPrefix(value) {
+    for (const p of SORTED_PREFIXES) {
+        if (value.startsWith(p))
+            return p;
+    }
+    return '';
+}
+// ---------- HMAC-SHA256 ----------
+async function hmacSha256(key, message) {
+    const enc = new TextEncoder();
+    const cryptoKey = await subtle.importKey('raw', enc.encode(key), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const sig = await subtle.sign('HMAC', cryptoKey, enc.encode(message));
+    return new Uint8Array(sig);
+}
+function toHex(bytes) {
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+// ---------- Public API ----------
+/**
+ * Produce a deterministic, format-preserving masked value.
+ */
+export async function mask(sessionId, secretName, realValue) {
+    const prefix = detectPrefix(realValue);
+    const remainder = realValue.slice(prefix.length);
+    const hmac = await hmacSha256(sessionId + secretName, realValue);
+    let hex = toHex(hmac);
+    while (hex.length < remainder.length)
+        hex += hex;
+    const maskedRemainder = hex.slice(0, remainder.length);
+    return prefix + maskedRemainder;
+}
+/**
+ * Build a reusable scrubber function that replaces every occurrence
+ * of any `realValue` with its `maskedValue`.
+ */
+export function buildScrubber(secrets) {
+    if (secrets.length === 0)
+        return (t) => t;
+    const sorted = [...secrets].sort((a, b) => b.realValue.length - a.realValue.length);
+    return (text) => {
+        let result = text;
+        for (const { realValue, maskedValue } of sorted) {
+            if (result.includes(realValue)) {
+                result = result.split(realValue).join(maskedValue);
+            }
+        }
+        return result;
+    };
+}

package/dist/node-server/secrets/proxy-manager.d.ts

@@ -0,0 +1,83 @@
+/**
+ * SecretProxyManager — bridges EnvSecretStore with the masking engine
+ * for the fetch-proxy handler.
+ *
+ * On init: loads all secrets, generates session-scoped masked values,
+ * and builds lookup tables for fast replacement.
+ */
+import { EnvSecretStore } from './env-secret-store.js';
+export interface MaskedSecret {
+    name: string;
+    maskedValue: string;
+    realValue: string;
+    domains: string[];
+}
+export declare class SecretProxyManager {
+    private readonly store;
+    private readonly sessionId;
+    /** maskedValue → MaskedSecret */
+    private maskedToSecret;
+    /** Scrubber that replaces real→masked in response content */
+    private scrubber;
+    constructor(store?: EnvSecretStore, sessionId?: string);
+    /**
+     * Load secrets from the store and generate masked values.
+     * Call once on startup and again whenever secrets change.
+     */
+    reload(): Promise<void>;
+    /**
+     * Check if any secrets are loaded.
+     */
+    hasSecrets(): boolean;
+    /**
+     * Get all masked entries (name + maskedValue + domains) for env population.
+     */
+    getMaskedEntries(): Array<{
+        name: string;
+        maskedValue: string;
+        domains: string[];
+    }>;
+    /**
+     * Unmask a text blob: replace masked values with real values.
+     * Validates each secret against the target hostname.
+     *
+     * @returns { text, forbidden } — forbidden is set if a secret was blocked.
+     */
+    unmask(text: string, targetHostname: string): {
+        text: string;
+        forbidden?: {
+            secretName: string;
+            hostname: string;
+        };
+    };
+    /**
+     * Unmask body text: replace masked values with real values when domain matches.
+     * When domain does NOT match, the masked value is left as-is (not rejected).
+     * This is safe because the masked value is meaningless to the remote service —
+     * it's typically just conversation context sent to an LLM API.
+     */
+    unmaskBody(text: string, targetHostname: string): {
+        text: string;
+    };
+    /**
+     * Unmask headers in-place. Returns forbidden info if blocked.
+     */
+    unmaskHeaders(headers: Record<string, string>, targetHostname: string): {
+        forbidden?: {
+            secretName: string;
+            hostname: string;
+        };
+    };
+    /**
+     * Scrub real secret values from response text → masked values.
+     */
+    scrubResponse(text: string): string;
+    /**
+     * Scrub headers: replace real values with masked in header values.
+     */
+    scrubHeaders(headers: Headers): Record<string, string>;
+    /**
+     * Look up a secret by its masked value.
+     */
+    getByMaskedValue(maskedValue: string): MaskedSecret | undefined;
+}