subto 8.0.1 → 8.0.2

package/dist/package/README.md

@@ -40,7 +40,7 @@ Commands
 {
   "url": "https://example.com",
   "source": "cli",
-  "client": { "name": "subto-cli", "version": "8.0.1" }
+  "client": { "name": "subto-cli", "version": "8.0.2" }
 }
 ```
 
@@ -98,11 +98,11 @@ Download
 After publishing or packing, a distributable tarball will be available under `./dist/` e.g.:
 
 ```
-./dist/subto-8.0.1.tgz
+./dist/subto-8.0.2.tgz
 ```
 
 You can download that file directly and install locally with:
 
 ```bash
-npm install -g ./dist/subto-8.0.1.tgz
+npm install -g ./dist/subto-8.0.2.tgz
 ```

package/dist/package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one';
-const CLIENT_META = { name: 'subto-cli', version: '8.0.1' };
+const CLIENT_META = { name: 'subto-cli', version: '8.0.2' };
 
 function configFilePath() { return CONFIG_PATH; }
 
@@ -61,6 +61,32 @@ async function promptHidden(prompt) {
   });
 }
 
+function isByteStringSafe(s){
+  if (typeof s !== 'string') return false;
+  for (let i = 0; i < s.length; i++) { if (s.charCodeAt(i) > 255) return false; }
+  return true;
+}
+
+function normalizeApiKey(s){
+  if (typeof s !== 'string') return s;
+  let out = s.normalize('NFKC');
+  out = out.replace(/[\u200B\uFEFF]/g, '');
+  out = out.replace(/\u00A0/g, ' ');
+  out = out.replace(/[\u2018\u2019]/g, "'");
+  out = out.replace(/[\u201C\u201D]/g, '"');
+  out = out.replace(/\u2026/g, '...');
+  out = out.replace(/[\u22C5\u00B7]/g, '.');
+  out = out.replace(/\u2022/g, '*');
+  return out.trim();
+}
+
+function askYesNo(promptText){
+  return new Promise(res => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(promptText + ' ', ans => { rl.close(); res(String(ans||'').trim().toLowerCase().startsWith('y')); });
+  });
+}
+
 function validateUrl(input) {
   try { const u = new URL(input); if (u.protocol !== 'http:' && u.protocol !== 'https:') return false; return true; } catch (err) { return false; }
 }
@@ -69,6 +95,10 @@ async function postScan(url, apiKey) {
   const base = process.env.SUBTO_API_BASE_URL || DEFAULT_API_BASE;
   const endpoint = new URL('/api/v1/scan', base).toString();
   const body = { url, source: 'cli', client: CLIENT_META };
+  // Ensure the provided API key is safe for use in HTTP headers
+  if (!isByteStringSafe(String(apiKey || ''))) {
+    throw new Error('API key contains unsupported characters (non-Latin-1). Re-run `subto login` and paste a plain ASCII API key.');
+  }
   const fetchFn = global.fetch || (function(){ try{ const u = require('undici'); if (u && typeof u.fetch === 'function') { global.fetch = u.fetch; return global.fetch; } } catch(e){} return null; })();
   if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Install Node 18+ or run `npm install undici`.');
   const res = await fetchFn(endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${apiKey}`, 'User-Agent': `${CLIENT_META.name}/${CLIENT_META.version}` }, body: JSON.stringify(body) });
@@ -95,10 +125,17 @@ async function run(argv) {
 
   program.command('login').description('Store your API key in ~/.subto/config.json').action(async () => {
     try {
-      const apiKey = await promptHidden('API key: ');
+      let apiKey = await promptHidden('API key: ');
       if (!apiKey || !apiKey.trim()) throw new Error('No API key entered. Aborting.');
       if (apiKey.length < 10) throw new Error('API key looks too short.');
-      await writeConfig({ apiKey: apiKey.trim() });
+      const normalized = normalizeApiKey(apiKey);
+      if (normalized !== apiKey) {
+        console.log(chalk.yellow('Notice: API key contained invisible or fancy characters — it will be sanitized before saving.'));
+        const ok = await askYesNo('Save sanitized key? (Y/n)');
+        if (!ok) { console.log(chalk.yellow('Login aborted.')); process.exit(1); }
+      }
+      if (!isByteStringSafe(normalized)) throw new Error('API key contains unsupported characters (non-Latin-1). Provide a plain ASCII key.');
+      await writeConfig({ apiKey: normalized });
       console.log(chalk.green('API key saved to'), chalk.cyan(configFilePath()));
     } catch (err) { if (err && err.message === 'Aborted') { console.log('\n' + chalk.yellow('Login aborted.')); process.exit(1); } throw err; }
   });

package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one/api/v1';
-const CLIENT_META = { name: 'subto-cli', version: '8.0.1' };
+const CLIENT_META = { name: 'subto-cli', version: '8.0.2' };
 const cp = require('child_process');
 
 // Normalize SUBTO API base so callers can set either
@@ -98,6 +98,12 @@ async function storeOpenRouterKeyInteractive(keyArg, modelArg) {
       key = await promptHidden('OpenRouter API key: ');
       if (!key || !key.trim()) { console.log('Aborted.'); return; }
     }
+    const normalized = normalizeApiKey(key);
+    if (normalized !== key) {
+      console.log(chalk.yellow('Notice: OpenRouter key contained invisible or fancy characters — it will be sanitized before saving.'));
+      const ok = await askYesNo('Save sanitized OpenRouter key? (Y/n)');
+      if (!ok) { console.log(chalk.yellow('Aborted.')); return; }
+    }
     const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
     const model = modelArg || await new Promise(res => rl.question('Model (e.g. openai/gpt-oss-120b:free): ', a => { rl.close(); res(a && a.trim()); }));
     const chosenModel = model && model.length ? model : 'openai/gpt-oss-120b:free';
@@ -124,7 +130,7 @@ async function storeOpenRouterKeyInteractive(keyArg, modelArg) {
     }
 
     const cfg = await readConfig() || {};
-    cfg.openrouterKey = String(key).trim();
+    cfg.openrouterKey = String(normalized).trim();
     cfg.openrouterModel = chosenModel;
     await writeConfig(cfg);
     console.log(chalk.green('OpenRouter key and model saved to'), chalk.cyan(configFilePath()));
@@ -139,6 +145,31 @@ async function promptHidden(prompt) {
     }
     return true;
   }
+
+  function normalizeApiKey(s){
+    if (typeof s !== 'string') return s;
+    // Unicode Normalization + common visual substitutions
+    let out = s.normalize('NFKC');
+    // Remove invisible/zero-width marks
+    out = out.replace(/[\u200B\uFEFF]/g, '');
+    // Replace non-breaking spaces with regular space
+    out = out.replace(/\u00A0/g, ' ');
+    // Smart quotes -> ascii
+    out = out.replace(/[\u2018\u2019]/g, "'");
+    out = out.replace(/[\u201C\u201D]/g, '"');
+    // Ellipsis and middle-dots -> simple replacements
+    out = out.replace(/\u2026/g, '...');
+    out = out.replace(/[\u22C5\u00B7]/g, '.');
+    out = out.replace(/\u2022/g, '*');
+    return out.trim();
+  }
+
+  function askYesNo(promptText){
+    return new Promise(res => {
+      const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+      rl.question(promptText + ' ', ans => { rl.close(); res(String(ans||'').trim().toLowerCase().startsWith('y')); });
+    });
+  }
   if (!process.stdin.isTTY) throw new Error('Interactive prompt required');
   return new Promise((resolve, reject) => {
     const stdin = process.stdin;
@@ -492,7 +523,7 @@ async function startChatREPL(scanData){
 
 async function run(argv) {
   const program = new Command();
-  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '8.0.1');
+  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '8.0.2');
   program.option('-v, --verbose', 'Show verbose HTTP logs');
   program.option('--chat', 'Start local AI assistant (no command required)');
   program.option('--no-auto-skip', 'Disable automatic skipping of external APIs when scans appear stuck');
@@ -502,10 +533,17 @@ async function run(argv) {
 
   program.command('login').description('Store your API key in ~/.subto/config.json').action(async () => {
     try {
-      const apiKey = await promptHidden('API key: ');
+      let apiKey = await promptHidden('API key: ');
       if (!apiKey || !apiKey.trim()) throw new Error('No API key entered. Aborting.');
       if (apiKey.length < 10) throw new Error('API key looks too short.');
-      await writeConfig({ apiKey: apiKey.trim() });
+      const normalized = normalizeApiKey(apiKey);
+      if (normalized !== apiKey) {
+        console.log(chalk.yellow('Notice: API key contained invisible or fancy characters — it will be sanitized before saving.'));
+        const ok = await askYesNo('Save sanitized key? (Y/n)');
+        if (!ok) { console.log(chalk.yellow('Login aborted.')); process.exit(1); }
+      }
+      if (!isByteStringSafe(normalized)) throw new Error('API key contains unsupported characters (non-Latin-1). Provide a plain ASCII key.');
+      await writeConfig({ apiKey: normalized });
       console.log(chalk.green('API key saved to'), chalk.cyan(configFilePath()));
     } catch (err) { if (err && err.message === 'Aborted') { console.log('\n' + chalk.yellow('Login aborted.')); process.exit(1); } throw err; }
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "subto",
-  "version": "8.0.1",
+  "version": "8.0.2",
   "description": "Subto CLI — thin wrapper around the Subto.One API",
   "bin": {
     "subto": "bin/subto.js"