subto 8.0.5 → 9.0.0

package/dist/package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one';
-const CLIENT_META = { name: 'subto-cli', version: '8.0.3' };
+const CLIENT_META = { name: 'subto-cli', version: '9.0.0' };
 
 function configFilePath() { return CONFIG_PATH; }
 

package/index.js

@@ -11,7 +11,7 @@ const chalk = (_chalk && _chalk.default) ? _chalk.default : _chalk;
 const CONFIG_DIR = path.join(os.homedir(), '.subto');
 const CONFIG_PATH = path.join(CONFIG_DIR, 'config.json');
 const DEFAULT_API_BASE = 'https://subto.one/api/v1';
-const CLIENT_META = { name: 'subto-cli', version: '8.0.5' };
+const CLIENT_META = { name: 'subto-cli', version: '9.0.0' };
 const cp = require('child_process');
 
 // Normalize SUBTO API base so callers can set either
@@ -217,7 +217,10 @@ async function _maskHeaders(obj){
 
 async function postScan(url, apiKey, debug=false) {
   // Use normalized API base
-  const endpoint = new URL('scan', SUBTO_API_BASE_SLASH).toString();
+  const endpointObj = new URL('scan', SUBTO_API_BASE_SLASH);
+  // API key is sent via headers only — never in query strings to prevent
+  // leakage via server logs, proxy logs, and Referer headers.
+  const endpoint = endpointObj.toString();
   const body = { url, source: 'cli', client: CLIENT_META };
     const fetchFn = global.fetch; 
       if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+'); 
@@ -398,12 +401,12 @@ async function printFullReport(data) {
 function copyToClipboard(text){
   try{
     if (process.platform === 'darwin'){
-      const p = cp.spawnSync('pbcopy');
-      p.stdin && p.stdin.end(String(text));
+      cp.spawnSync('pbcopy', { input: String(text) });
       return true;
     }
     if (process.platform === 'win32'){
-      const p = cp.spawnSync('clip'); p.stdin && p.stdin.end(String(text)); return true;
+      cp.spawnSync('clip', { input: String(text) });
+      return true;
     }
   }catch(e){}
   return false;
@@ -429,6 +432,8 @@ async function callOpenAI(prompt){
   const fetchFn = global.fetch;
   if(typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
   
+  // Try OpenAI first if key is available
+  if (openaiKey) {
     const model = process.env.AI_MODEL || process.env.OPENAI_MODEL || 'gpt-4o-mini';
     const body = {
       model,
@@ -444,7 +449,8 @@ async function callOpenAI(prompt){
       // Avoid including response bodies in errors to prevent accidental leakage of sensitive data
       throw new Error(`OpenAI API error ${res.status}: ${res.statusText || 'request failed'}`);
     }
-    const j = await res.json();
+    let j;
+    try { j = await res.json(); } catch (_) { throw new Error('OpenAI returned non-JSON response'); }
     const msg = j && j.choices && j.choices[0] && (j.choices[0].message && j.choices[0].message.content || j.choices[0].text);
     return String(msg || '').trim();
   }
@@ -466,7 +472,8 @@ async function callOpenAI(prompt){
       // Avoid including response bodies in errors to prevent accidental leakage of sensitive data
       throw new Error(`OpenRouter API error ${res.status}: ${res.statusText || 'request failed'}`);
     }
-    const j = await res.json();
+    let j;
+    try { j = await res.json(); } catch (_) { throw new Error('OpenRouter returned non-JSON response'); }
     // OpenRouter responses mimic OpenAI shape (choices[0].message.content)
     const msg = j && j.choices && j.choices[0] && (j.choices[0].message && j.choices[0].message.content || j.choices[0].text);
     return String(msg || '').trim();
@@ -570,7 +577,7 @@ async function startChatREPL(scanData){
 
 async function run(argv) {
   const program = new Command();
-  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '8.0.5');
+  program.name('subto').description('Subto CLI — wrapper around Subto.One API').version(CLIENT_META.version || '9.0.0');
   program.option('-v, --verbose', 'Show verbose HTTP logs');
   program.option('--debug', 'Show debug HTTP headers and responses');
   program.option('--chat', 'Start local AI assistant (no command required)');
@@ -888,7 +895,14 @@ async function run(argv) {
           let recheckedAfterTerminal = false;
           let data = null;
           startSpinner();
+          const MAX_POLL_ITERATIONS = 900; // ~30 min at 2s interval
+          let pollIteration = 0;
           while (true) {
+              if (++pollIteration > MAX_POLL_ITERATIONS) {
+                stopSpinner();
+                console.error(chalk.red('Polling timed out after ' + MAX_POLL_ITERATIONS + ' iterations. The scan may still be running on the server.'));
+                process.exit(1);
+              }
               const statusUrl = new URL(`scan/${scanId}`, SUBTO_API_BASE_SLASH).toString();
             const r = await fetchWithKey(statusUrl, { headers: { 'Accept': 'application/json' } }, cfg.apiKey, DEBUG);
 
@@ -1150,7 +1164,7 @@ async function run(argv) {
         const endpoint = new URL('/api/v1/upload', base).toString();
         const fetchFn = global.fetch; if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
         const body = { files: samples, meta: { collected: collected.length, totalBytes } };
-        const r = await fetchWithKey(endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) }, cfg.apiKey, DEBUG);
+        const r = await fetchWithKey(endpoint, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) }, cfg.apiKey, Boolean(program.opts && program.opts().debug));
         if (!r.ok) {
           const txt = await r.text().catch(()=>null);
           console.error(chalk.red('Upload failed:'), r.status, txt || r.statusText);
@@ -1162,13 +1176,14 @@ async function run(argv) {
           } catch (e) { /* ignore */ }
           process.exit(1);
         }
-        const j = await r.json(); console.log(chalk.green('Upload queued:'), j.uploadId, 'scanId:', j.scanId, 'expiresAt:', new Date(j.expiresAt).toString());
+        let j; try { j = await r.json(); } catch (_) { console.error(chalk.red('Server returned non-JSON response')); process.exit(1); }
+        console.log(chalk.green('Upload queued:'), j.uploadId, 'scanId:', j.scanId, 'expiresAt:', j.expiresAt ? new Date(j.expiresAt).toString() : 'N/A');
         if (opts.wait) {
           // Poll the scan resource until completed (reuse existing polling behavior)
           const statusUrl = new URL(`scan/${j.scanId}`, SUBTO_API_BASE_SLASH).toString();
           const sleep = ms => new Promise(r=>setTimeout(r,ms));
           while (true) {
-            const s = await fetchWithKey(statusUrl, { headers: { 'Accept': 'application/json' } }, cfg.apiKey, DEBUG);
+            const s = await fetchWithKey(statusUrl, { headers: { 'Accept': 'application/json' } }, cfg.apiKey, Boolean(program.opts && program.opts().debug));
             if (!s.ok) { console.error(chalk.red('Failed to fetch scan status:', s.status)); break; }
             const data = await s.json(); if (data.status && ['completed','done','finished','success'].includes(String(data.status).toLowerCase())) { console.log(chalk.green('Scan complete.')); await printFullReport(data); break; }
             console.log(chalk.dim('Scan status:'), data.status || 'queued', '— polling again in 4s'); await sleep(4000);
@@ -1202,7 +1217,7 @@ async function run(argv) {
           const statusUrl = new URL(`scan/${scanId}`, SUBTO_API_BASE_SLASH).toString();
           const r = await fetchWithKey(statusUrl, { headers: { 'Accept': 'application/json' } }, cfg.apiKey, DEBUG);
           if (!r.ok) { throw new Error(`Failed to fetch scan ${scanId}: ${r.status}`); }
-          scanData = await r.json();
+          try { scanData = await r.json(); } catch (_) { throw new Error('Server returned non-JSON response for scan ' + scanId); }
         }
 
         if (!scanData) { console.error(chalk.red('No scan data available.')); return; }
@@ -1379,7 +1394,7 @@ async function run(argv) {
         const endpoint = new URL(`video/${scanId}/debug`, serverBase).toString();
         const res = await fetchFn(endpoint, { headers: { 'Accept': 'application/json' } });
         if (!res.ok) throw new Error(`Server returned ${res.status}`);
-        const json = await res.json();
+        let json; try { json = await res.json(); } catch (_) { throw new Error('Server returned non-JSON response'); }
         console.log(chalk.bold('\nVideo diagnostic for:'), scanId);
         if (json && json.scan) {
           console.log('  URL:', json.scan.url || '(unknown)');
@@ -1417,9 +1432,9 @@ async function run(argv) {
         const base = SUBTO_HOST_BASE; const fetchFn = global.fetch;
         if (typeof fetchFn !== 'function') throw new Error('Global fetch() is not available in this Node runtime. Use Node 18+');
           const statusUrl = new URL(`scan/${answer}`, SUBTO_API_BASE_SLASH).toString();
-          const r = await fetchWithKey(statusUrl, { headers: { 'Accept': 'application/json' } }, cfg.apiKey, DEBUG);
+          const r = await fetchWithKey(statusUrl, { headers: { 'Accept': 'application/json' } }, cfg.apiKey, false);
         if (!r.ok) throw new Error(`Failed to fetch scan ${answer}: ${r.status}`);
-        scanData = await r.json();
+        try { scanData = await r.json(); } catch (_) { throw new Error('Server returned non-JSON response'); }
       }
       await startChatREPL(scanData);
       return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "subto",
-  "version": "8.0.5",
+  "version": "9.0.0",
   "description": "Subto CLI — thin wrapper around the Subto.One API",
   "bin": {
     "subto": "bin/subto.js"