toolcraft 0.0.23 → 0.0.25

package/node_modules/@poe-code/task-list/dist/state-machine.js

@@ -59,7 +59,9 @@ export function eventsFromState(machine, fromState) {
     return events;
 }
 export function findEvent(machine, fromState, eventName) {
-    const event = machine.events[eventName];
+    const event = Object.prototype.hasOwnProperty.call(machine.events, eventName)
+        ? machine.events[eventName]
+        : undefined;
     if (event === undefined) {
         return undefined;
     }

package/node_modules/@poe-code/task-list/dist/state.js

@@ -10,6 +10,15 @@ export const defaultStateMachine = {
         archive: { from: "*", to: "archived" }
     }
 };
+Object.freeze(defaultStateMachine.states);
+for (const event of Object.values(defaultStateMachine.events)) {
+    if (event.from !== "*") {
+        Object.freeze(event.from);
+    }
+    Object.freeze(event);
+}
+Object.freeze(defaultStateMachine.events);
+Object.freeze(defaultStateMachine);
 function deriveLegacyTransitions(machine) {
     const transitions = Object.fromEntries(machine.states.map((state) => [state, new Set()]));
     for (const fromState of machine.states) {

package/node_modules/@poe-code/task-list/dist/types.d.ts

@@ -64,15 +64,12 @@ export interface TaskDefaults {
     metadata?: Record<string, unknown>;
 }
 export interface TaskListFs {
+    lstat(path: string): Promise<{
+        isSymbolicLink(): boolean;
+    }>;
     mkdir(path: string, options?: {
         recursive?: boolean;
     }): Promise<void>;
-    open(path: string, flags: string): Promise<{
-        close(): Promise<void>;
-        writeFile(data: string | NodeJS.ArrayBufferView, options?: BufferEncoding | {
-            encoding?: BufferEncoding;
-        }): Promise<void>;
-    }>;
     readFile(path: string, encoding: BufferEncoding): Promise<string>;
     readdir(path: string): Promise<string[]>;
     rename(fromPath: string, toPath: string): Promise<void>;
@@ -88,6 +85,45 @@ export interface TaskListFs {
     }): Promise<void>;
 }
 export type OpenTaskListOptions = OpenMarkdownDirOptions | OpenYamlFileOptions | OpenGhIssuesOptions;
+export type TaskListOptions = OpenTaskListOptions;
+export interface MoveTasksOptions {
+    source: TaskListOptions;
+    target: TaskListOptions;
+    deleteSource?: boolean;
+    limit?: number;
+    rate?: number;
+    dryRun?: boolean;
+    stateMap?: Record<string, string>;
+    onProgress?: (event: MoveProgressEvent) => void;
+}
+export interface MoveResult {
+    created: number;
+    skipped: number;
+    errors: Array<{
+        id: string;
+        error: string;
+    }>;
+}
+export type MoveProgressEvent = {
+    type: "created";
+    id: string;
+    source: Task;
+    target: Task;
+    targetList: string;
+    targetState: string;
+} | {
+    type: "skipped";
+    id: string;
+    source: Task;
+    targetList: string;
+    targetState: string;
+    reason: "dry-run";
+} | {
+    type: "error";
+    id: string;
+    source: Task;
+    error: string;
+};
 export interface OpenMarkdownDirOptions {
     type: "markdown-dir";
     path: string;
@@ -95,8 +131,6 @@ export interface OpenMarkdownDirOptions {
     create?: boolean;
     singleList?: string;
     frontmatterMode?: "strict" | "passthrough";
-    lockStaleMs?: number;
-    lockRetries?: number;
     fs?: TaskListFs;
     stateMachine?: StateMachineDef;
 }
@@ -105,18 +139,21 @@ export interface OpenYamlFileOptions {
     path: string;
     defaults?: TaskDefaults;
     create?: boolean;
-    lockStaleMs?: number;
-    lockRetries?: number;
     fs?: TaskListFs;
     stateMachine?: StateMachineDef;
 }
 export interface OpenGhIssuesOptions {
     type: "gh-issues";
     repo: string;
-    project: {
+    project?: {
         owner: string;
         number: number;
     };
+    filter?: string;
+    state?: {
+        labelPrefix?: string;
+    };
+    stateMachine?: StateMachineDef;
     defaults?: TaskDefaults;
     auth?: {
         token: string;
@@ -128,8 +165,6 @@ export interface BackendDeps {
     defaults: Required<TaskDefaults>;
     singleList?: string;
     frontmatterMode: "strict" | "passthrough";
-    lockStaleMs: number;
-    lockRetries: number;
     create: boolean;
     fs: TaskListFs;
     stateMachine?: StateMachineDef;

package/node_modules/@poe-code/task-list/package.json

@@ -12,7 +12,7 @@
     }
   },
   "scripts": {
-    "build": "tsc",
+    "build": "node ../../scripts/guard-package-dist.mjs && tsc",
     "test": "cd ../.. && vitest run packages/task-list/src",
     "test:unit": "cd ../.. && vitest run packages/task-list/src"
   },
@@ -20,7 +20,6 @@
     "dist"
   ],
   "dependencies": {
-    "@poe-code/file-lock": "*",
     "@poe-code/process-runner": "*",
     "yaml": "*"
   }

package/node_modules/auth-store/dist/create-secret-store.js

@@ -31,5 +31,8 @@ function resolveBackend(input) {
     if (configuredBackend === "keychain") {
         return "keychain";
     }
-    return "file";
+    if (configuredBackend === undefined || configuredBackend === "file") {
+        return "file";
+    }
+    throw new Error(`Unsupported auth store backend: ${configuredBackend}`);
 }

package/node_modules/auth-store/dist/encrypted-file-store.d.ts

@@ -7,10 +7,16 @@ export interface EncryptedFileStoreFileSystem {
     readFile(path: string, encoding: BufferEncoding): Promise<string>;
     writeFile(path: string, data: string | NodeJS.ArrayBufferView, options?: {
         encoding?: BufferEncoding;
+        flag?: string;
+        mode?: number;
     }): Promise<void>;
     mkdir(path: string, options?: {
         recursive?: boolean;
     }): Promise<void | string | undefined>;
+    rename(oldPath: string, newPath: string): Promise<void>;
+    lstat(path: string): Promise<{
+        isSymbolicLink(): boolean;
+    }>;
     unlink(path: string): Promise<void>;
     chmod(path: string, mode: number): Promise<void>;
 }
@@ -27,6 +33,7 @@ export interface EncryptedFileStoreInput {
 export declare class EncryptedFileStore implements SecretStore {
     private readonly fs;
     private readonly filePath;
+    private readonly symbolicLinkCheckStartPath;
     private readonly salt;
     private readonly getMachineIdentity;
     private readonly getRandomBytes;
@@ -35,5 +42,6 @@ export declare class EncryptedFileStore implements SecretStore {
     get(): Promise<string | null>;
     set(value: string): Promise<void>;
     delete(): Promise<void>;
+    private assertRegularCredentialPath;
     private getEncryptionKey;
 }

package/node_modules/auth-store/dist/encrypted-file-store.js

@@ -9,9 +9,11 @@ const ENCRYPTION_KEY_BYTES = 32;
 const ENCRYPTION_IV_BYTES = 12;
 const ENCRYPTION_AUTH_TAG_BYTES = 16;
 const ENCRYPTION_FILE_MODE = 0o600;
+let temporaryFileSequence = 0;
 export class EncryptedFileStore {
     fs;
     filePath;
+    symbolicLinkCheckStartPath;
     salt;
     getMachineIdentity;
     getRandomBytes;
@@ -19,11 +21,21 @@ export class EncryptedFileStore {
     constructor(input) {
         this.fs = input.fs ?? fs;
         this.salt = input.salt;
-        this.filePath = input.filePath ?? path.join((input.getHomeDirectory ?? homedir)(), input.defaultDirectory ?? ".auth-store", input.defaultFileName ?? "credentials.enc");
+        if (input.filePath === undefined) {
+            const homeDirectory = (input.getHomeDirectory ?? homedir)();
+            const defaultDirectory = input.defaultDirectory ?? ".auth-store";
+            this.filePath = path.join(homeDirectory, defaultDirectory, input.defaultFileName ?? "credentials.enc");
+            this.symbolicLinkCheckStartPath = resolveDefaultDirectoryCheckStart(homeDirectory, defaultDirectory);
+        }
+        else {
+            this.filePath = input.filePath;
+            this.symbolicLinkCheckStartPath = null;
+        }
         this.getMachineIdentity = input.getMachineIdentity ?? defaultMachineIdentity;
         this.getRandomBytes = input.getRandomBytes ?? randomBytes;
     }
     async get() {
+        await this.assertRegularCredentialPath();
         let rawDocument;
         try {
             rawDocument = await this.fs.readFile(this.filePath, "utf8");
@@ -57,6 +69,7 @@ export class EncryptedFileStore {
         }
     }
     async set(value) {
+        await this.assertRegularCredentialPath();
         const key = await this.getEncryptionKey();
         const iv = this.getRandomBytes(ENCRYPTION_IV_BYTES);
         const cipher = createCipheriv(ENCRYPTION_ALGORITHM, key, iv);
@@ -72,12 +85,26 @@ export class EncryptedFileStore {
             ciphertext: ciphertext.toString("base64")
         };
         await this.fs.mkdir(path.dirname(this.filePath), { recursive: true });
-        await this.fs.writeFile(this.filePath, JSON.stringify(document), {
-            encoding: "utf8"
-        });
-        await this.fs.chmod(this.filePath, ENCRYPTION_FILE_MODE);
+        await this.assertRegularCredentialPath();
+        const temporaryPath = `${this.filePath}.${process.pid}.${temporaryFileSequence++}.tmp`;
+        try {
+            await this.fs.writeFile(temporaryPath, JSON.stringify(document), {
+                encoding: "utf8",
+                flag: "wx",
+                mode: ENCRYPTION_FILE_MODE
+            });
+            await this.fs.chmod(temporaryPath, ENCRYPTION_FILE_MODE);
+            await this.fs.rename(temporaryPath, this.filePath);
+        }
+        catch (error) {
+            if (!isAlreadyExistsError(error)) {
+                await removeIfPresent(this.fs, temporaryPath).catch(() => undefined);
+            }
+            throw error;
+        }
     }
     async delete() {
+        await this.assertRegularCredentialPath();
         try {
             await this.fs.unlink(this.filePath);
         }
@@ -87,13 +114,77 @@ export class EncryptedFileStore {
             }
         }
     }
+    async assertRegularCredentialPath() {
+        const resolvedPath = path.resolve(this.filePath);
+        const protectedPaths = getProtectedCredentialPaths(resolvedPath, this.symbolicLinkCheckStartPath);
+        for (const currentPath of protectedPaths) {
+            try {
+                const stats = await this.fs.lstat(currentPath);
+                if (stats.isSymbolicLink()) {
+                    throw new Error(`Refusing to use encrypted credential path through symbolic link: ${currentPath}`);
+                }
+            }
+            catch (error) {
+                if (isNotFoundError(error)) {
+                    return;
+                }
+                throw error;
+            }
+        }
+    }
     getEncryptionKey() {
         if (!this.keyPromise) {
-            this.keyPromise = deriveEncryptionKey(this.getMachineIdentity, this.salt);
+            const retryableKeyPromise = deriveEncryptionKey(this.getMachineIdentity, this.salt).catch((error) => {
+                if (this.keyPromise === retryableKeyPromise) {
+                    this.keyPromise = null;
+                }
+                throw error;
+            });
+            this.keyPromise = retryableKeyPromise;
         }
         return this.keyPromise;
     }
 }
+function resolveDefaultDirectoryCheckStart(homeDirectory, defaultDirectory) {
+    const [firstSegment] = defaultDirectory.split(/[\\/]+/).filter(Boolean);
+    return path.resolve(homeDirectory, firstSegment ?? ".");
+}
+function getProtectedCredentialPaths(resolvedPath, symbolicLinkCheckStartPath) {
+    if (symbolicLinkCheckStartPath === null) {
+        return [path.dirname(resolvedPath), resolvedPath];
+    }
+    const resolvedStartPath = path.resolve(symbolicLinkCheckStartPath);
+    if (!isPathInsideOrEqual(resolvedPath, resolvedStartPath)) {
+        return [path.dirname(resolvedPath), resolvedPath];
+    }
+    const protectedPaths = [resolvedStartPath];
+    let currentPath = resolvedStartPath;
+    for (const segment of path.relative(resolvedStartPath, resolvedPath).split(path.sep).filter(Boolean)) {
+        currentPath = path.join(currentPath, segment);
+        protectedPaths.push(currentPath);
+    }
+    return protectedPaths;
+}
+function isPathInsideOrEqual(childPath, parentPath) {
+    const relativePath = path.relative(parentPath, childPath);
+    return relativePath === "" || (!relativePath.startsWith("..") && !path.isAbsolute(relativePath));
+}
+async function removeIfPresent(fileSystem, filePath) {
+    try {
+        await fileSystem.unlink(filePath);
+    }
+    catch (error) {
+        if (!isNotFoundError(error)) {
+            throw error;
+        }
+    }
+}
+function isAlreadyExistsError(error) {
+    return (typeof error === "object" &&
+        error !== null &&
+        "code" in error &&
+        error.code === "EEXIST");
+}
 function defaultMachineIdentity() {
     return {
         hostname: hostname(),
@@ -103,7 +194,7 @@ function defaultMachineIdentity() {
 async function deriveEncryptionKey(getMachineIdentity, salt) {
     const machineIdentity = await getMachineIdentity();
     const secret = `${machineIdentity.hostname}:${machineIdentity.username}`;
-    const cacheKey = `${secret}:${salt}`;
+    const cacheKey = JSON.stringify([machineIdentity.hostname, machineIdentity.username, salt]);
     const cached = derivedKeyCache.get(cacheKey);
     if (cached) {
         return cached;
@@ -118,7 +209,12 @@ async function deriveEncryptionKey(getMachineIdentity, salt) {
         });
     });
     derivedKeyCache.set(cacheKey, keyPromise);
-    return keyPromise;
+    return keyPromise.catch((error) => {
+        if (derivedKeyCache.get(cacheKey) === keyPromise) {
+            derivedKeyCache.delete(cacheKey);
+        }
+        throw error;
+    });
 }
 function parseEncryptedDocument(raw) {
     try {

package/node_modules/auth-store/dist/index.d.ts

@@ -4,4 +4,4 @@ export { KeychainStore } from "./keychain-store.js";
 export { key, MigratingSecretStore } from "./provider-store.js";
 export type { SecretStore, StoreBackend, CreateSecretStoreInput, CreateSecretStoreResult } from "./types.js";
 export type { MachineIdentity, EncryptedFileStoreInput, EncryptedFileStoreFileSystem } from "./encrypted-file-store.js";
-export type { KeychainStoreInput, KeychainCommandRunner, KeychainCommandResult } from "./keychain-store.js";
+export type { KeychainStoreInput, KeychainCommandRunner, KeychainCommandResult, KeychainCommandOptions } from "./keychain-store.js";

package/node_modules/auth-store/dist/keychain-store.d.ts

@@ -4,7 +4,10 @@ export interface KeychainCommandResult {
     stderr: string;
     exitCode: number;
 }
-export type KeychainCommandRunner = (command: string, args: string[]) => Promise<KeychainCommandResult>;
+export interface KeychainCommandOptions {
+    stdin?: string;
+}
+export type KeychainCommandRunner = (command: string, args: string[], options?: KeychainCommandOptions) => Promise<KeychainCommandResult>;
 export interface KeychainStoreInput {
     runCommand?: KeychainCommandRunner;
     service: string;

package/node_modules/auth-store/dist/keychain-store.js

@@ -21,16 +21,18 @@ export class KeychainStore {
         throw createSecurityCliFailure("read secret from macOS Keychain", result);
     }
     async set(value) {
+        if (value.includes("\n") || value.includes("\r")) {
+            throw new Error("Keychain secrets cannot contain line breaks");
+        }
         const result = await this.executeSecurityCommand([
             "add-generic-password",
             "-s",
             this.service,
             "-a",
             this.account,
-            "-w",
-            value,
-            "-U"
-        ], "store secret in macOS Keychain");
+            "-U",
+            "-w"
+        ], "store secret in macOS Keychain", { stdin: value });
         if (result.exitCode !== 0) {
             throw createSecurityCliFailure("store secret in macOS Keychain", result);
         }
@@ -42,9 +44,12 @@ export class KeychainStore {
         }
         throw createSecurityCliFailure("delete secret from macOS Keychain", result);
     }
-    async executeSecurityCommand(args, operation) {
+    async executeSecurityCommand(args, operation, options) {
         try {
-            return await this.runCommand(SECURITY_CLI, args);
+            if (options === undefined) {
+                return await this.runCommand(SECURITY_CLI, args);
+            }
+            return await this.runCommand(SECURITY_CLI, args, options);
         }
         catch (error) {
             const message = error instanceof Error ? error.message : String(error);
@@ -52,10 +57,10 @@ export class KeychainStore {
         }
     }
 }
-function runSecurityCommand(command, args) {
+function runSecurityCommand(command, args, options) {
     return new Promise((resolve) => {
         const child = spawn(command, args, {
-            stdio: ["ignore", "pipe", "pipe"]
+            stdio: [options?.stdin === undefined ? "ignore" : "pipe", "pipe", "pipe"]
         });
         let stdout = "";
         let stderr = "";
@@ -67,6 +72,9 @@ function runSecurityCommand(command, args) {
         child.stderr?.on("data", (chunk) => {
             stderr += chunk.toString();
         });
+        if (options?.stdin !== undefined) {
+            child.stdin?.end(options.stdin);
+        }
         child.on("error", (error) => {
             const message = error instanceof Error ? error.message : String(error ?? "Unknown error");
             resolve({
@@ -79,7 +87,7 @@ function runSecurityCommand(command, args) {
             resolve({
                 stdout,
                 stderr,
-                exitCode: code ?? 0
+                exitCode: code ?? 1
             });
         });
     });
@@ -94,13 +102,7 @@ function stripTrailingLineBreak(value) {
     return value;
 }
 function isKeychainEntryNotFound(result) {
-    if (result.exitCode === KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE) {
-        return true;
-    }
-    const output = `${result.stderr}\n${result.stdout}`.toLowerCase();
-    return (output.includes("could not be found") ||
-        output.includes("item not found") ||
-        output.includes("errsecitemnotfound"));
+    return result.exitCode === KEYCHAIN_ITEM_NOT_FOUND_EXIT_CODE;
 }
 function createSecurityCliFailure(operation, result) {
     const details = result.stderr.trim() || result.stdout.trim();

package/node_modules/auth-store/dist/provider-store.d.ts

@@ -3,8 +3,12 @@ export declare function key(providerId: string): string;
 export declare class MigratingSecretStore implements SecretStore {
     private readonly store;
     private readonly legacyStore;
+    private pendingMutation;
     constructor(store: SecretStore, legacyStore?: SecretStore | null);
-    get(): Promise<string | null>;
+    get(options?: {
+        readOnly?: boolean;
+    }): Promise<string | null>;
     set(value: string): Promise<void>;
     delete(): Promise<void>;
+    private mutate;
 }

package/node_modules/auth-store/dist/provider-store.js

@@ -4,27 +4,75 @@ export function key(providerId) {
 export class MigratingSecretStore {
     store;
     legacyStore;
+    pendingMutation = Promise.resolve();
     constructor(store, legacyStore = null) {
         this.store = store;
         this.legacyStore = legacyStore;
     }
-    async get() {
+    async get(options = {}) {
         const value = await this.store.get();
         if (value !== null || !this.legacyStore) {
             return value;
         }
         const legacyValue = await this.legacyStore.get();
-        if (legacyValue !== null) {
-            await this.store.set(legacyValue);
+        if (legacyValue !== null && !options.readOnly) {
+            await this.mutate(async () => {
+                if (await this.store.get() === null) {
+                    try {
+                        await this.store.set(legacyValue);
+                    }
+                    catch {
+                        return;
+                    }
+                }
+            });
         }
         return legacyValue;
     }
     async set(value) {
-        await this.store.set(value);
-        await this.legacyStore?.set(value);
+        await this.mutate(async () => {
+            const previousValue = await this.store.get();
+            const previousLegacyValue = await this.legacyStore?.get() ?? null;
+            await this.store.set(value);
+            try {
+                await this.legacyStore?.set(value);
+            }
+            catch (error) {
+                await restore(this.store, previousValue);
+                if (this.legacyStore) {
+                    await restore(this.legacyStore, previousLegacyValue);
+                }
+                throw error;
+            }
+        });
     }
     async delete() {
-        await this.store.delete();
-        await this.legacyStore?.delete();
+        await this.mutate(async () => {
+            const previousValue = await this.store.get();
+            const previousLegacyValue = await this.legacyStore?.get() ?? null;
+            await this.store.delete();
+            try {
+                await this.legacyStore?.delete();
+            }
+            catch (error) {
+                await restore(this.store, previousValue);
+                if (this.legacyStore) {
+                    await restore(this.legacyStore, previousLegacyValue);
+                }
+                throw error;
+            }
+        });
     }
+    async mutate(action) {
+        const operation = this.pendingMutation.then(action, action);
+        this.pendingMutation = operation.catch(() => undefined);
+        await operation;
+    }
+}
+async function restore(store, value) {
+    if (value === null) {
+        await store.delete();
+        return;
+    }
+    await store.set(value);
 }

package/node_modules/auth-store/dist/types.d.ts

@@ -1,7 +1,9 @@
 import type { EncryptedFileStoreInput } from "./encrypted-file-store.js";
 import type { KeychainStoreInput } from "./keychain-store.js";
 export interface SecretStore {
-    get(): Promise<string | null>;
+    get(options?: {
+        readOnly?: boolean;
+    }): Promise<string | null>;
     set(value: string): Promise<void>;
     delete(): Promise<void>;
 }

package/node_modules/auth-store/package.json

@@ -1,6 +1,7 @@
 {
   "name": "auth-store",
   "version": "0.0.1",
+  "private": true,
   "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -11,7 +12,7 @@
     }
   },
   "scripts": {
-    "build": "tsc"
+    "build": "node ../../scripts/guard-package-dist.mjs && tsc"
   },
   "dependencies": {},
   "files": [