teleportation-cli 1.0.0 → 1.0.1

package/lib/remote/vault-client.js

@@ -0,0 +1,478 @@
+/**
+ * Mech Vault Client for secure credential management
+ *
+ * Handles:
+ * - Storing/retrieving secrets for remote sessions
+ * - SSH key generation for remote machine access
+ * - Environment file management
+ * - Deployment credential bundling
+ */
+
+import {
+  createVaultErrorFromResponse,
+  wrapNetworkError,
+  VaultRetryExhaustedError,
+  VaultValidationError,
+  SecretNotFoundError,
+} from '../utils/vault-errors.js';
+
+export class VaultClient {
+  constructor(config = {}) {
+    this.apiUrl = config.apiUrl || process.env.MECH_VAULT_URL || 'https://vault.mechdna.net/api';
+    this.apiKey = config.apiKey || process.env.MECH_API_KEY;
+    this.appId = config.appId || process.env.MECH_APP_ID;
+    this.maxRetries = config.maxRetries || 3;
+
+    // Support environment variable override for retry delays
+    const defaultRetries = process.env.VAULT_RETRY_DELAYS
+      ? process.env.VAULT_RETRY_DELAYS.split(',').map(Number)
+      : [1000, 2000, 4000]; // Exponential backoff
+    this.retryDelays = config.retryDelays || defaultRetries;
+
+    this.timeout = config.timeout || 30000; // 30 second default timeout
+    this.debug = config.debug ?? (process.env.VAULT_DEBUG === 'true');
+
+    if (!this.apiKey || !this.appId) {
+      throw new Error('MECH_API_KEY and MECH_APP_ID are required');
+    }
+  }
+
+  /**
+   * Create common headers for all requests
+   */
+  _headers() {
+    return {
+      'Content-Type': 'application/json',
+      'X-API-Key': this.apiKey,
+      'X-App-ID': this.appId,
+    };
+  }
+
+  /**
+   * Fetch with timeout support
+   * @private
+   * @param {string} url - URL to fetch
+   * @param {Object} options - Fetch options
+   * @returns {Promise<Response>} Fetch response
+   * @throws {Error} If request times out or fails
+   */
+  async _fetchWithTimeout(url, options = {}) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+
+    try {
+      const response = await fetch(url, {
+        ...options,
+        signal: controller.signal,
+      });
+      clearTimeout(timeoutId);
+      return response;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error.name === 'AbortError') {
+        throw new Error(`Request timed out after ${this.timeout}ms: ${url}`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Log debug messages if debug mode is enabled
+   * @private
+   * @param {string} message - Message to log
+   */
+  _log(message) {
+    if (this.debug) {
+      console.error(`[VaultClient] ${message}`);
+    }
+  }
+
+  /**
+   * Validate namespace format (alphanumeric, dots, dashes, underscores)
+   */
+  _validateNamespace(namespace) {
+    if (!namespace || namespace.trim() === '') {
+      throw new VaultValidationError('namespace is required');
+    }
+    const trimmed = namespace.trim();
+    const normalized = trimmed
+      .replace(/[^a-zA-Z0-9-]+/g, '-')
+      .replace(/-+/g, '-')
+      .replace(/^-+/, '')
+      .replace(/-+$/, '');
+
+    if (this.debug && normalized && normalized !== trimmed) {
+      this._log(`Normalizing namespace from "${trimmed}" to "${normalized}"`);
+    }
+
+    if (!normalized) {
+      throw new VaultValidationError('namespace is required');
+    }
+
+    if (!/^[a-zA-Z0-9-]+$/.test(normalized)) {
+      throw new VaultValidationError(
+        'Invalid namespace format: must contain only alphanumeric characters and dashes'
+      );
+    }
+
+    return normalized;
+  }
+
+  /**
+   * Validate secret name format (alphanumeric, dashes, underscores)
+   */
+  _validateName(name) {
+    if (!name || name.trim() === '') {
+      throw new VaultValidationError('name is required');
+    }
+    const trimmed = name.trim();
+    if (!/^[a-zA-Z0-9_-]+$/.test(trimmed)) {
+      throw new VaultValidationError(
+        'Invalid name format: must contain only alphanumeric characters, dashes, and underscores'
+      );
+    }
+    return trimmed;
+  }
+
+  /**
+   * Validate secret value is not empty
+   */
+  _validateValue(value) {
+    if (!value || value.trim() === '') {
+      throw new VaultValidationError('value is required');
+    }
+    return value;
+  }
+
+  /**
+   * Validate secretId is not empty
+   */
+  _validateSecretId(secretId) {
+    if (!secretId || secretId.trim() === '') {
+      throw new VaultValidationError('secretId is required');
+    }
+    return secretId;
+  }
+
+  /**
+   * Validate expiresAt is in the future
+   */
+  _validateExpiresAt(expiresAt) {
+    if (expiresAt) {
+      const expiryDate = new Date(expiresAt);
+      if (expiryDate <= new Date()) {
+        throw new VaultValidationError('expiresAt must be in the future');
+      }
+    }
+  }
+
+  /**
+   * Execute fetch with retry logic and exponential backoff
+   */
+  async _fetchWithRetry(url, options, retryCount = 0) {
+    try {
+      const response = await this._fetchWithTimeout(url, options);
+
+      // Don't retry on client errors (4xx)
+      if (!response.ok && response.status >= 400 && response.status < 500) {
+        let responseBody;
+        try {
+          responseBody = await response.text();
+        } catch {
+          responseBody = undefined;
+        }
+        throw createVaultErrorFromResponse(response, { url, responseBody });
+      }
+
+      // Retry on server errors (5xx)
+      if (!response.ok && response.status >= 500) {
+        let responseBody;
+        try {
+          responseBody = await response.text();
+        } catch {
+          responseBody = undefined;
+        }
+        const serverError = createVaultErrorFromResponse(response, { url, responseBody });
+        if (retryCount < this.maxRetries - 1) {
+          const delay = this.retryDelays[retryCount] || 4000;
+          this._log(`Retry attempt ${retryCount + 1} after ${delay}ms due to ${response.status} ${response.statusText}`);
+          await this._delay(delay);
+          return this._fetchWithRetry(url, options, retryCount + 1);
+        }
+        throw serverError;
+      }
+
+      return response;
+    } catch (error) {
+      // Check if error is a VaultError by checking if it has our custom properties
+      // VaultErrors have a code property (VAULT_*, SECRET_*, etc.)
+      const isVaultError = error.code && typeof error.statusCode === 'number';
+
+      // Don't retry client errors (4xx) - they won't succeed on retry
+      if (isVaultError && error.statusCode >= 400 && error.statusCode < 500) {
+        throw error;
+      }
+
+      // Retry server errors (5xx)
+      if (isVaultError && error.statusCode >= 500) {
+        if (retryCount < this.maxRetries - 1) {
+          const delay = this.retryDelays[retryCount] || 4000;
+          this._log(`Retry attempt ${retryCount + 1} after ${delay}ms due to server error`);
+          await this._delay(delay);
+          return this._fetchWithRetry(url, options, retryCount + 1);
+        }
+        // Max retries reached for server error
+        throw error;
+      }
+
+      // Network errors (not VaultErrors) - retry with exponential backoff
+      if (!isVaultError) {
+        if (retryCount < this.maxRetries - 1) {
+          const delay = this.retryDelays[retryCount] || 4000;
+          this._log(`Retry attempt ${retryCount + 1} after ${delay}ms due to: ${error.message}`);
+          await this._delay(delay);
+          return this._fetchWithRetry(url, options, retryCount + 1);
+        }
+
+        // Exhausted retries - wrap network error
+        const networkError = wrapNetworkError(error, { url, vaultUrl: this.apiUrl });
+        throw new VaultRetryExhaustedError(networkError, this.maxRetries);
+      }
+
+      // Other errors - don't retry
+      throw error;
+    }
+  }
+
+  /**
+   * Delay helper for exponential backoff
+   */
+  _delay(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+  }
+
+  /**
+   * Store a secret for a remote session
+   * @param {string} namespace - e.g., "teleportation.remote.session-abc123"
+   * @param {string} name - Secret name (e.g., "github_token")
+   * @param {string} value - Secret value
+   * @param {Object} options - { description, tags, expiresAt, metadata }
+   */
+  async storeSecret(namespace, name, value, options = {}) {
+    // Validate inputs
+    const validNamespace = this._validateNamespace(namespace);
+    const validName = this._validateName(name);
+    const validValue = this._validateValue(value);
+    this._validateExpiresAt(options.expiresAt);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/secrets`, {
+      method: 'POST',
+      headers: this._headers(),
+      body: JSON.stringify({
+        namespace: validNamespace,
+        name: validName,
+        value: validValue,
+        description: options.description,
+        tags: options.tags || [],
+        expiresAt: options.expiresAt, // ISO 8601 date
+        metadata: options.metadata || {},
+      }),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Retrieve a secret value (triggers audit log)
+   */
+  async getSecretValue(secretId) {
+    const validSecretId = this._validateSecretId(secretId);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/secrets/${validSecretId}/value`, {
+      method: 'GET',
+      headers: this._headers(),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * List secrets by namespace
+   */
+  async listSecrets(namespace, options = {}) {
+    const validNamespace = this._validateNamespace(namespace);
+
+    const params = new URLSearchParams({
+      namespace: validNamespace,
+      ...options, // page, limit, tags
+    });
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/secrets?${params}`, {
+      method: 'GET',
+      headers: this._headers(),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Generate SSH key pair for remote machine access
+   * @param {string} keyType - "ed25519" or "rsa"
+   * @param {Object} metadata - Session info
+   */
+  async generateSSHKey(keyType = 'ed25519', metadata = {}) {
+    const {
+      namespace,
+      name,
+      metadata: _explicitMetadata,
+      ..._metadataFields
+    } = metadata && typeof metadata === 'object' ? metadata : {};
+
+    const sanitizeAlphaNumeric = (value, fallback) => {
+      const raw = typeof value === 'string' && value.trim() ? value.trim() : fallback;
+      const cleaned = String(raw).replace(/[^a-zA-Z0-9]/g, '');
+      return cleaned || String(fallback).replace(/[^a-zA-Z0-9]/g, '') || 'teleportation';
+    };
+
+    const requestNamespace = sanitizeAlphaNumeric(namespace, 'teleportationremote');
+    const requestName = sanitizeAlphaNumeric(name, `session${Date.now()}`);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/ssh-keys/generate`, {
+      method: 'POST',
+      headers: this._headers(),
+      body: JSON.stringify({
+        keyType,
+        namespace: requestNamespace,
+        name: requestName,
+      }),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Get public key only (for adding to remote machine)
+   */
+  async getPublicKey(keyId) {
+    const validKeyId = this._validateSecretId(keyId);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/ssh-keys/${validKeyId}/public-key`, {
+      method: 'GET',
+      headers: this._headers(),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Bundle all secrets needed for deployment
+   * @param {string[]} secretIds - Array of secret IDs
+   */
+  async bundleDeploymentSecrets(secretIds) {
+    if (!Array.isArray(secretIds)) {
+      throw new VaultValidationError('secretIds must be an array');
+    }
+    if (secretIds.length === 0) {
+      throw new VaultValidationError('secretIds cannot be empty');
+    }
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/deployment/secrets`, {
+      method: 'POST',
+      headers: this._headers(),
+      body: JSON.stringify({ secretIds }),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Export secrets as environment file for remote machine
+   * @param {string} namespace - Namespace to export
+   * @param {string} format - "env" or "json"
+   */
+  async exportEnvFile(namespace, format = 'env') {
+    const validNamespace = this._validateNamespace(namespace);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/env-files/export`, {
+      method: 'POST',
+      headers: this._headers(),
+      body: JSON.stringify({
+        namespace: validNamespace,
+        format,
+      }),
+    });
+
+    return response.text(); // Returns .env file content
+  }
+
+  /**
+   * Import local .env file to vault
+   * @param {string} envFileContent - Contents of .env file
+   * @param {string} namespace - Target namespace
+   */
+  async importEnvFile(envFileContent, namespace) {
+    if (!envFileContent || envFileContent.trim() === '') {
+      throw new VaultValidationError('envFileContent is required');
+    }
+    const validNamespace = this._validateNamespace(namespace);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/env-files/import`, {
+      method: 'POST',
+      headers: this._headers(),
+      body: JSON.stringify({
+        content: envFileContent,
+        namespace: validNamespace,
+      }),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Delete secret (cleanup after session ends)
+   */
+  async deleteSecret(secretId) {
+    const validSecretId = this._validateSecretId(secretId);
+
+    try {
+      await this._fetchWithRetry(`${this.apiUrl}/secrets/${validSecretId}`, {
+        method: 'DELETE',
+        headers: this._headers(),
+      });
+
+      return true;
+    } catch (error) {
+      // Handle 404 gracefully - secret already deleted
+      if (error instanceof SecretNotFoundError || error.statusCode === 404) {
+        return false;
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Get access logs for audit
+   */
+  async getAccessLogs(secretId) {
+    const validSecretId = this._validateSecretId(secretId);
+
+    const response = await this._fetchWithRetry(`${this.apiUrl}/secrets/${validSecretId}/access-logs`, {
+      method: 'GET',
+      headers: this._headers(),
+    });
+
+    return response.json();
+  }
+
+  /**
+   * Cleanup expired secrets
+   */
+  async cleanup() {
+    const response = await this._fetchWithRetry(`${this.apiUrl}/admin/cleanup`, {
+      method: 'POST',
+      headers: this._headers(),
+    });
+
+    return response.json();
+  }
+}

package/lib/session/metadata.js

@@ -4,28 +4,51 @@
  * Extracts project information, git status, and other context
  */
 
-import { execSync } from 'child_process';
-import { basename, dirname, join } from 'path';
+import { execFileSync } from 'child_process';
+import { existsSync } from 'fs';
+import { basename, join } from 'path';
 import { homedir, hostname, userInfo } from 'os';
-import { stat, readFile } from 'fs/promises';
+import { readFile } from 'fs/promises';
+
+function getGitEnv() {
+  const env = { ...process.env };
+  // Prevent ambient git env vars (from other tests/processes) from changing behavior.
+  delete env.GIT_DIR;
+  delete env.GIT_WORK_TREE;
+  delete env.GIT_COMMON_DIR;
+  delete env.GIT_INDEX_FILE;
+  delete env.GIT_OBJECT_DIRECTORY;
+  delete env.GIT_ALTERNATE_OBJECT_DIRECTORIES;
+  delete env.GIT_CEILING_DIRECTORIES;
+  return env;
+}
+
+function gitExec(cwd, args) {
+  return execFileSync('git', args, {
+    cwd,
+    env: getGitEnv(),
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'ignore']
+  }).trim();
+}
 
 /**
  * Extract project name from git repository or fall back to directory name
  */
 export async function getProjectName(cwd) {
   try {
+    if (!isGitRepo(cwd)) {
+      return basename(cwd);
+    }
+
     // Try to get git remote URL
-    const gitRemote = execSync('git config --get remote.origin.url', {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore']
-    }).trim();
+    const gitRemote = gitExec(cwd, ['config', '--get', 'remote.origin.url']);
     
     if (gitRemote) {
-      // Extract repo name from URL (handles both SSH and HTTPS)
-      const match = gitRemote.match(/(?:.*\/)?([^\/]+?)(?:\.git)?$/);
-      if (match && match[1]) {
-        return match[1];
+      const cleaned = gitRemote.replace(/\/+$/, '');
+      const lastPart = cleaned.split(/[\/:]/).pop();
+      if (lastPart) {
+        return lastPart.replace(/\.git$/, '');
       }
     }
   } catch (e) {
@@ -41,11 +64,10 @@ export async function getProjectName(cwd) {
  */
 export function getCurrentBranch(cwd) {
   try {
-    const branch = execSync('git rev-parse --abbrev-ref HEAD', {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore']
-    }).trim();
+    if (!isGitRepo(cwd)) {
+      return null;
+    }
+    const branch = gitExec(cwd, ['rev-parse', '--abbrev-ref', 'HEAD']);
     return branch || null;
   } catch (e) {
     return null;
@@ -57,11 +79,10 @@ export function getCurrentBranch(cwd) {
  */
 export function getCommitHash(cwd) {
   try {
-    const hash = execSync('git rev-parse --short HEAD', {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore']
-    }).trim();
+    if (!isGitRepo(cwd)) {
+      return null;
+    }
+    const hash = gitExec(cwd, ['rev-parse', '--short', 'HEAD']);
     return hash || null;
   } catch (e) {
     return null;
@@ -73,12 +94,12 @@ export function getCommitHash(cwd) {
  */
 export function getLastEditedFile(cwd) {
   try {
+    if (!isGitRepo(cwd)) {
+      return null;
+    }
+
     // Get modified files from git status
-    const status = execSync('git status --porcelain', {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore']
-    }).trim();
+    const status = gitExec(cwd, ['status', '--porcelain']);
     
     if (status) {
       // Get the first modified file
@@ -106,15 +127,25 @@ export function getLastEditedFile(cwd) {
       }
     }
     
-    // Try to get the most recently modified file from git log
-    const lastFile = execSync('git diff --name-only HEAD~1 HEAD 2>/dev/null || git ls-files -m | head -1', {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore'],
-      shell: true
-    }).trim();
-    
-    return lastFile || null;
+    // Try to get the most recently modified file from git diff
+    try {
+      const diffNames = gitExec(cwd, ['diff', '--name-only', 'HEAD~1', 'HEAD']);
+      const first = diffNames.split('\n').find(Boolean);
+      if (first) {
+        return first.trim();
+      }
+    } catch (_) {
+      // Ignore
+    }
+
+    // Fallback: any modified tracked file
+    try {
+      const modified = gitExec(cwd, ['ls-files', '-m']);
+      const first = modified.split('\n').find(Boolean);
+      return first ? first.trim() : null;
+    } catch (_) {
+      return null;
+    }
   } catch (e) {
     return null;
   }
@@ -125,19 +156,19 @@ export function getLastEditedFile(cwd) {
  */
 export function getRecentCommits(cwd, count = 3) {
   try {
-    const log = execSync(`git log -${count} --pretty=format:"%h|%s"`, {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore']
-    }).trim();
+    if (!isGitRepo(cwd)) {
+      return [];
+    }
+
+    const log = gitExec(cwd, ['log', '-n', String(count), '--pretty=format:%h%x1f%s']);
     
     if (!log) return [];
     
     return log.split('\n').map(line => {
-      const [hash, ...messageParts] = line.split('|');
+      const [hash, ...messageParts] = line.split('\x1f');
       return {
         hash: hash || '',
-        message: messageParts.join('|') || ''
+        message: messageParts.join('\x1f') || ''
       };
     });
   } catch (e) {
@@ -176,12 +207,12 @@ export function getCurrentTask(cwd) {
  */
 export function isGitRepo(cwd) {
   try {
-    execSync('git rev-parse --git-dir', {
-      cwd,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore']
-    });
-    return true;
+    // Avoid discovering a parent repo by requiring a .git marker in this directory.
+    if (!existsSync(join(cwd, '.git'))) {
+      return false;
+    }
+    const inside = gitExec(cwd, ['rev-parse', '--is-inside-work-tree']);
+    return inside === 'true';
   } catch (e) {
     return false;
   }

package/lib/session/mute-checker.js

@@ -6,7 +6,8 @@
 
 // Simple in-memory cache for mute status
 // Key: session_id, Value: { muted: boolean, timestamp: number }
-const muteCache = new Map();
+const MUTE_CACHE_KEY = Symbol.for('teleportation.session.muteCache');
+const muteCache = globalThis[MUTE_CACHE_KEY] || (globalThis[MUTE_CACHE_KEY] = new Map());
 const CACHE_TTL = 60000; // 1 minute cache TTL
 
 /**