spck 0.3.1

package/dist/config/credentials.js

@@ -0,0 +1,259 @@
+/**
+ * Firebase credentials management
+ * Handles user-level credential storage in ~/.spck-editor/.credentials.json
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { getProjectFilePath } from '../utils/project-dir.js';
+import { logAuth } from '../utils/logger.js';
+import { t } from '../i18n/index.js';
+/**
+ * Get the user-level credentials directory
+ */
+export function getCredentialsDir() {
+    return path.join(os.homedir(), '.spck-editor');
+}
+/**
+ * Get the credentials file path
+ */
+export function getCredentialsPath() {
+    return path.join(getCredentialsDir(), '.credentials.json');
+}
+/**
+ * Get the global config file path
+ */
+export function getGlobalConfigPath() {
+    return path.join(getCredentialsDir(), 'global.config');
+}
+/**
+ * Load global config from user-level storage
+ */
+export function loadGlobalConfig() {
+    const configPath = getGlobalConfigPath();
+    if (!fs.existsSync(configPath)) {
+        return { knownDeviceIds: [] };
+    }
+    try {
+        const data = fs.readFileSync(configPath, 'utf8');
+        const parsed = JSON.parse(data);
+        return {
+            knownDeviceIds: Array.isArray(parsed.knownDeviceIds) ? parsed.knownDeviceIds : [],
+        };
+    }
+    catch {
+        return { knownDeviceIds: [] };
+    }
+}
+/**
+ * Save global config to user-level storage
+ */
+export function saveGlobalConfig(config) {
+    const credentialsDir = getCredentialsDir();
+    const configPath = getGlobalConfigPath();
+    if (!fs.existsSync(credentialsDir)) {
+        fs.mkdirSync(credentialsDir, { recursive: true, mode: 0o700 });
+    }
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2), { encoding: 'utf8', mode: 0o600 });
+}
+/**
+ * Get the connection settings file path (project-level)
+ * This uses the symlinked project directory
+ */
+export function getConnectionSettingsPath() {
+    return getProjectFilePath(process.cwd(), 'connection-settings.json');
+}
+/**
+ * Load stored credentials from user-level storage
+ * Returns only refreshToken + userId; firebaseToken is generated on demand
+ * @throws {Error} with code 'CORRUPTED' if file is corrupted
+ */
+export function loadCredentials() {
+    const credentialsPath = getCredentialsPath();
+    if (!fs.existsSync(credentialsPath)) {
+        return null;
+    }
+    try {
+        const data = fs.readFileSync(credentialsPath, 'utf8');
+        const credentials = JSON.parse(data);
+        // Validate required fields for stored credentials
+        if (!credentials.refreshToken || !credentials.userId) {
+            const error = new Error('Invalid credentials format - missing refreshToken or userId');
+            error.code = 'CORRUPTED';
+            error.path = credentialsPath;
+            throw error;
+        }
+        // Return only the stored fields (refreshToken + userId + optional proxyServerUrl)
+        const result = {
+            refreshToken: credentials.refreshToken,
+            userId: credentials.userId,
+            proxyServerUrl: credentials.proxyServerUrl
+        };
+        return result;
+    }
+    catch (error) {
+        // JSON parse error or validation error
+        if (error instanceof SyntaxError || error.code === 'CORRUPTED') {
+            logAuth('credentials_corrupted', {
+                path: credentialsPath,
+                error: error.message
+            }, 'error');
+            console.warn(`⚠️  ${t('credentials.corrupted', { path: credentialsPath })}`);
+            console.warn(`   ${t('credentials.corruptedHint')}\n`);
+            const corruptedError = new Error('Credentials file is corrupted');
+            corruptedError.code = 'CORRUPTED';
+            corruptedError.path = credentialsPath;
+            corruptedError.originalError = error;
+            throw corruptedError;
+        }
+        // Other errors (permission, etc.)
+        throw error;
+    }
+}
+/**
+ * Save stored credentials to user-level storage
+ * Only persists refreshToken + userId (not firebaseToken or expiry)
+ * @throws {Error} with code 'EACCES' for permission errors
+ * @throws {Error} with code 'ENOSPC' for disk full errors
+ */
+export function saveCredentials(credentials) {
+    const credentialsDir = getCredentialsDir();
+    const credentialsPath = getCredentialsPath();
+    try {
+        // Ensure directory exists
+        if (!fs.existsSync(credentialsDir)) {
+            fs.mkdirSync(credentialsDir, { recursive: true, mode: 0o700 });
+        }
+        // Persist refreshToken + userId + optional proxyServerUrl
+        const storedData = {
+            refreshToken: credentials.refreshToken,
+            userId: credentials.userId
+        };
+        if (credentials.proxyServerUrl) {
+            storedData.proxyServerUrl = credentials.proxyServerUrl;
+        }
+        // Write credentials file with restricted permissions
+        fs.writeFileSync(credentialsPath, JSON.stringify(storedData, null, 2), { encoding: 'utf8', mode: 0o600 });
+    }
+    catch (error) {
+        // Add context to error
+        error.path = error.path || credentialsPath;
+        error.operation = 'save credentials';
+        throw error;
+    }
+}
+/**
+ * Clear credentials (logout)
+ */
+export function clearCredentials() {
+    const credentialsPath = getCredentialsPath();
+    if (fs.existsSync(credentialsPath)) {
+        fs.unlinkSync(credentialsPath);
+    }
+}
+/**
+ * Load connection settings from project-level storage
+ * @throws {Error} with code 'CORRUPTED' if file is corrupted
+ */
+export function loadConnectionSettings() {
+    const settingsPath = getConnectionSettingsPath();
+    if (!fs.existsSync(settingsPath)) {
+        return null;
+    }
+    try {
+        const data = fs.readFileSync(settingsPath, 'utf8');
+        const settings = JSON.parse(data);
+        // Validate basic structure
+        if (!settings.serverToken || !settings.clientId || !settings.secret) {
+            const error = new Error('Invalid connection settings format - missing required fields');
+            error.code = 'CORRUPTED';
+            error.path = settingsPath;
+            throw error;
+        }
+        return settings;
+    }
+    catch (error) {
+        // JSON parse error or validation error
+        if (error instanceof SyntaxError || error.code === 'CORRUPTED') {
+            logAuth('connection_settings_corrupted', {
+                path: settingsPath,
+                error: error.message
+            }, 'error');
+            console.warn(`⚠️  ${t('credentials.settingsCorrupted', { path: settingsPath })}`);
+            console.warn(`   ${t('credentials.settingsCorruptedHint')}\n`);
+            const corruptedError = new Error('Connection settings file is corrupted');
+            corruptedError.code = 'CORRUPTED';
+            corruptedError.path = settingsPath;
+            corruptedError.originalError = error;
+            throw corruptedError;
+        }
+        // Other errors (permission, etc.)
+        throw error;
+    }
+}
+/**
+ * Save connection settings to project-level storage
+ * @throws {Error} with code 'EACCES' for permission errors
+ * @throws {Error} with code 'ENOSPC' for disk full errors
+ */
+export function saveConnectionSettings(settings) {
+    const settingsDir = path.dirname(getConnectionSettingsPath());
+    const settingsPath = getConnectionSettingsPath();
+    try {
+        // Ensure directory exists with restricted permissions
+        if (!fs.existsSync(settingsDir)) {
+            fs.mkdirSync(settingsDir, { recursive: true, mode: 0o700 });
+        }
+        // Write settings file with restricted permissions (owner read/write only)
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2), { encoding: 'utf8', mode: 0o600 });
+    }
+    catch (error) {
+        // Add context to error
+        error.path = error.path || settingsPath;
+        error.operation = 'save connection settings';
+        throw error;
+    }
+}
+/**
+ * Clear connection settings
+ */
+export function clearConnectionSettings() {
+    const settingsPath = getConnectionSettingsPath();
+    if (fs.existsSync(settingsPath)) {
+        fs.unlinkSync(settingsPath);
+    }
+}
+/**
+ * Load saved proxy server preference from user-level credentials
+ */
+export function loadServerPreference() {
+    try {
+        const credentials = loadCredentials();
+        return credentials?.proxyServerUrl || null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Save proxy server preference to user-level credentials
+ */
+export function saveServerPreference(proxyServerUrl) {
+    const credentials = loadCredentials();
+    if (credentials) {
+        credentials.proxyServerUrl = proxyServerUrl;
+        saveCredentials(credentials);
+    }
+}
+/**
+ * Check if server JWT is expired
+ */
+export function isServerTokenExpired(settings) {
+    if (!settings || !settings.serverTokenExpiry) {
+        return true;
+    }
+    // Add 5-minute buffer for safety
+    const expiryWithBuffer = settings.serverTokenExpiry - (5 * 60 * 1000);
+    return Date.now() > expiryWithBuffer;
+}
+//# sourceMappingURL=credentials.js.map

package/dist/config/server-selection.d.ts

@@ -0,0 +1,40 @@
+/**
+ * CLI Server Selection
+ * Fetches available relay servers, checks ping, and auto-selects the best one
+ */
+export interface CLIServer {
+    label: Record<string, string>;
+    url: string;
+    locale: Record<string, number>;
+}
+/**
+ * Validate that a server URL belongs to spck.io (any subdomain).
+ * Rejects bare IPs, other domains, and URLs with protocols.
+ */
+export declare function isValidDomain(url: string): boolean;
+/**
+ * Get the hardcoded default server list
+ */
+export declare function getDefaultServerList(): CLIServer[];
+/**
+ * Fetch the list of available CLI servers from the closest relay server.
+ * Tries servers sorted by locale proximity, falls back to hardcoded list.
+ */
+export declare function fetchServerList(): Promise<CLIServer[]>;
+/**
+ * Check ping to a server by making 4 parallel HTTP calls to /health
+ * and averaging the latency
+ */
+export declare function checkServerPing(serverUrl: string): Promise<number>;
+/**
+ * Ping all servers in parallel and select the one with the lowest latency
+ */
+export declare function selectBestServer(servers: CLIServer[]): Promise<{
+    server: CLIServer;
+    ping: number;
+}>;
+/**
+ * Display ping results for all servers
+ */
+export declare function displayServerPings(servers: CLIServer[]): Promise<Map<string, number>>;
+//# sourceMappingURL=server-selection.d.ts.map

package/dist/config/server-selection.js

@@ -0,0 +1,130 @@
+/**
+ * CLI Server Selection
+ * Fetches available relay servers, checks ping, and auto-selects the best one
+ */
+import { t } from '../i18n/index.js';
+import { getLocale } from '../i18n/index.js';
+/**
+ * Hardcoded default server list — used as fallback when no server responds
+ */
+const DEFAULT_SERVERS = [
+    {
+        label: { en: 'Europe', es: 'Europa', fr: 'Europe', de: 'Europa', pt: 'Europa', ru: '\u0415\u0432\u0440\u043e\u043f\u0430', ja: '\u30e8\u30fc\u30ed\u30c3\u30d1', ko: '\uc720\ub7fd', zh: '\u6b27\u6d32', zhTW: '\u6b50\u6d32', id: 'Eropa' },
+        url: 'cli-eu-1.spck.io',
+        locale: { en: 3, es: 2, fr: 1, de: 1, pt: 2, ru: 1, ja: 3, ko: 3, zh: 3, zhTW: 3, id: 3 }
+    },
+    {
+        label: { en: 'North America', es: 'Am\u00e9rica del Norte', fr: 'Am\u00e9rique du Nord', de: 'Nordamerika', pt: 'Am\u00e9rica do Norte', ru: '\u0421\u0435\u0432\u0435\u0440\u043d\u0430\u044f \u0410\u043c\u0435\u0440\u0438\u043a\u0430', ja: '\u5317\u30a2\u30e1\u30ea\u30ab', ko: '\ubd81\uc544\uba54\ub9ac\uce74', zh: '\u5317\u7f8e\u6d32', zhTW: '\u5317\u7f8e\u6d32', id: 'Amerika Utara' },
+        url: 'cli-na-1.spck.io',
+        locale: { en: 1, es: 1, fr: 2, de: 2, pt: 1, ru: 2, ja: 4, ko: 4, zh: 4, zhTW: 4, id: 4 }
+    },
+    {
+        label: { en: 'South Asia', es: 'Asia del Sur', fr: 'Asie du Sud', de: 'S\u00fcdasien', pt: '\u00c1sia Meridional', ru: '\u042e\u0436\u043d\u0430\u044f \u0410\u0437\u0438\u044f', ja: '\u5357\u30a2\u30b8\u30a2', ko: '\ub0a8\uc544\uc2dc\uc544', zh: '\u5357\u4e9a', zhTW: '\u5357\u4e9e', id: 'Asia Selatan' },
+        url: 'cli-sas-1.spck.io',
+        locale: { en: 2, es: 4, fr: 4, de: 4, pt: 4, ru: 4, ja: 2, ko: 2, zh: 2, zhTW: 2, id: 1 }
+    },
+    {
+        label: { en: 'East Asia', es: 'Asia Oriental', fr: 'Asie de l\u2019Est', de: 'Ostasien', pt: '\u00c1sia Oriental', ru: '\u0412\u043e\u0441\u0442\u043e\u0447\u043d\u0430\u044f \u0410\u0437\u0438\u044f', ja: '\u6771\u30a2\u30b8\u30a2', ko: '\ub3d9\uc544\uc2dc\uc544', zh: '\u4e1c\u4e9a', zhTW: '\u6771\u4e9e', id: 'Asia Timur' },
+        url: 'cli-ea-1.spck.io',
+        locale: { en: 4, es: 3, fr: 3, de: 3, pt: 3, ru: 3, ja: 1, ko: 1, zh: 1, zhTW: 1, id: 2 }
+    }
+];
+/**
+ * Validate that a server URL belongs to spck.io (any subdomain).
+ * Rejects bare IPs, other domains, and URLs with protocols.
+ */
+export function isValidDomain(url) {
+    return /^([a-zA-Z0-9-]+\.)*spck\.io$/.test(url);
+}
+/**
+ * Get the hardcoded default server list
+ */
+export function getDefaultServerList() {
+    return DEFAULT_SERVERS;
+}
+/**
+ * Fetch the list of available CLI servers from the closest relay server.
+ * Tries servers sorted by locale proximity, falls back to hardcoded list.
+ */
+export async function fetchServerList() {
+    // Race all servers in parallel — first successful response wins
+    try {
+        return await Promise.any(DEFAULT_SERVERS.map(async (server) => {
+            const response = await fetch(`https://${server.url}/servers`, {
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok)
+                throw new Error(`${response.status}`);
+            const list = await response.json();
+            // Reject any server whose URL is not a *.spck.io domain
+            return list.filter(s => isValidDomain(s.url));
+        }));
+    }
+    catch {
+        // All servers failed — fall back to hardcoded list
+        return DEFAULT_SERVERS;
+    }
+}
+/**
+ * Check ping to a server by making 4 parallel HTTP calls to /health
+ * and averaging the latency
+ */
+export async function checkServerPing(serverUrl) {
+    const shortestTime = await Promise.any(Array.from({ length: 4 }, async () => {
+        const start = Date.now();
+        try {
+            const response = await fetch(`https://${serverUrl}/health`, {
+                signal: AbortSignal.timeout(5000),
+            });
+            if (!response.ok)
+                return Infinity;
+        }
+        catch {
+            return Infinity;
+        }
+        return Date.now() - start;
+    }));
+    return Math.round(shortestTime);
+}
+/**
+ * Ping all servers in parallel and select the one with the lowest latency
+ */
+export async function selectBestServer(servers) {
+    const results = await Promise.all(servers.map(async (server) => {
+        try {
+            const ping = await checkServerPing(server.url);
+            return { server, ping };
+        }
+        catch {
+            return { server, ping: Infinity };
+        }
+    }));
+    results.sort((a, b) => a.ping - b.ping);
+    return results[0];
+}
+/**
+ * Display ping results for all servers
+ */
+export async function displayServerPings(servers) {
+    console.log('\n   ' + t('server.checkingLatency') + '\n');
+    const pingResults = new Map();
+    const results = await Promise.all(servers.map(async (server) => {
+        try {
+            const ping = await checkServerPing(server.url);
+            return { server, ping };
+        }
+        catch {
+            return { server, ping: Infinity };
+        }
+    }));
+    const locale = getLocale();
+    for (const { server, ping } of results) {
+        const label = server.label[locale] || server.label.en || server.url;
+        const pingStr = ping === Infinity ? t('server.unreachable') : `${ping}ms`;
+        console.log(`   ${label}: ${pingStr}`);
+        pingResults.set(server.url, ping);
+    }
+    console.log('');
+    return pingResults;
+}
+//# sourceMappingURL=server-selection.js.map

package/dist/connection/__tests__/firebase-auth.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=firebase-auth.test.d.ts.map

package/dist/connection/__tests__/firebase-auth.test.js

@@ -0,0 +1,96 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+// Mock all external dependencies before importing the module
+vi.mock('open', () => ({ default: vi.fn() }));
+vi.mock('qrcode-terminal', () => ({ default: { generate: vi.fn() } }));
+vi.mock('jsonwebtoken', () => ({ default: { decode: vi.fn() } }));
+vi.mock('../../config/credentials.js', () => ({
+    saveCredentials: vi.fn(),
+}));
+vi.mock('../../utils/logger.js', () => ({
+    logAuth: vi.fn(),
+}));
+vi.mock('../../i18n/index.js', () => ({
+    t: (key) => key,
+}));
+// Import after mocks are set up
+import { refreshFirebaseToken } from '../firebase-auth.js';
+describe('refreshFirebaseToken()', () => {
+    const mockStoredCredentials = {
+        refreshToken: 'mock-refresh-token',
+        userId: 'user-123',
+    };
+    beforeEach(() => {
+        vi.clearAllMocks();
+    });
+    afterEach(() => {
+        vi.restoreAllMocks();
+    });
+    it('should use expires_in value of 0 without falling back to default', async () => {
+        const now = Date.now();
+        vi.spyOn(Date, 'now').mockReturnValue(now);
+        // Firebase returns expires_in: "0"
+        const mockResponse = {
+            ok: true,
+            json: vi.fn().mockResolvedValue({
+                id_token: 'new-id-token',
+                refresh_token: 'new-refresh-token',
+                expires_in: '0',
+                user_id: 'user-123',
+            }),
+        };
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+        const result = await refreshFirebaseToken(mockStoredCredentials);
+        // With the bug (|| 3600), this would be now + 3600000
+        // With the fix (isNaN check), expires_in=0 means token expires immediately
+        expect(result.firebaseTokenExpiry).toBe(now);
+    });
+    it('should use the actual expires_in from the response', async () => {
+        const now = Date.now();
+        vi.spyOn(Date, 'now').mockReturnValue(now);
+        const mockResponse = {
+            ok: true,
+            json: vi.fn().mockResolvedValue({
+                id_token: 'new-id-token',
+                refresh_token: 'new-refresh-token',
+                expires_in: '7200',
+                user_id: 'user-123',
+            }),
+        };
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+        const result = await refreshFirebaseToken(mockStoredCredentials);
+        expect(result.firebaseTokenExpiry).toBe(now + 7200 * 1000);
+    });
+    it('should default to 3600 when expires_in is missing', async () => {
+        const now = Date.now();
+        vi.spyOn(Date, 'now').mockReturnValue(now);
+        const mockResponse = {
+            ok: true,
+            json: vi.fn().mockResolvedValue({
+                id_token: 'new-id-token',
+                refresh_token: 'new-refresh-token',
+                user_id: 'user-123',
+                // expires_in is missing
+            }),
+        };
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+        const result = await refreshFirebaseToken(mockStoredCredentials);
+        expect(result.firebaseTokenExpiry).toBe(now + 3600 * 1000);
+    });
+    it('should default to 3600 when expires_in is non-numeric', async () => {
+        const now = Date.now();
+        vi.spyOn(Date, 'now').mockReturnValue(now);
+        const mockResponse = {
+            ok: true,
+            json: vi.fn().mockResolvedValue({
+                id_token: 'new-id-token',
+                refresh_token: 'new-refresh-token',
+                expires_in: 'invalid',
+                user_id: 'user-123',
+            }),
+        };
+        vi.stubGlobal('fetch', vi.fn().mockResolvedValue(mockResponse));
+        const result = await refreshFirebaseToken(mockStoredCredentials);
+        expect(result.firebaseTokenExpiry).toBe(now + 3600 * 1000);
+    });
+});
+//# sourceMappingURL=firebase-auth.test.js.map

package/dist/connection/__tests__/hmac.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=hmac.test.d.ts.map