wispy-cli 2.7.9 → 2.7.11

package/core/secrets.mjs

@@ -0,0 +1,251 @@
+/**
+ * core/secrets.mjs — Secrets Manager for Wispy
+ *
+ * Resolution chain: env var → macOS Keychain → encrypted secrets.json → null
+ * Encryption: AES-256-GCM with machine-derived key (hostname + username)
+ * Scrubbing: never logs actual secret values
+ */
+
+import os from "node:os";
+import path from "node:path";
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { existsSync } from "node:fs";
+import { createHash, createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+
+/**
+ * Derive a deterministic encryption key from machine identity.
+ * Uses hostname + username hash — not cryptographically perfect but
+ * provides at-rest protection from casual disk reads.
+ */
+function deriveMachineKey() {
+  const machineId = `${os.hostname()}::${os.userInfo().username}`;
+  return createHash("sha256").update(machineId).digest(); // 32 bytes
+}
+
+export class SecretsManager {
+  constructor(options = {}) {
+    this.wispyDir = options.wispyDir ?? path.join(os.homedir(), ".wispy");
+    this.secretsFile = path.join(this.wispyDir, "secrets.json");
+    this._cache = new Map();
+    this._machineKey = deriveMachineKey();
+  }
+
+  /**
+   * Resolution chain: env var → macOS Keychain → encrypted secrets.json → null
+   *
+   * @param {string} key - e.g. "OPENAI_API_KEY"
+   * @returns {Promise<string|null>}
+   */
+  async resolve(key) {
+    if (!key) return null;
+
+    // 1. Environment variable (always takes priority — can be overridden at runtime)
+    if (process.env[key]) {
+      this._cache.set(key, process.env[key]);
+      return process.env[key];
+    }
+
+    // 2. In-memory cache (from previous keychain/secrets.json lookup)
+    if (this._cache.has(key)) return this._cache.get(key);
+
+    // 3. macOS Keychain — try common service name patterns
+    const keychainValue = await this._fromKeychain(key, null);
+    if (keychainValue) {
+      this._cache.set(key, keychainValue);
+      return keychainValue;
+    }
+
+    // 4. Encrypted secrets.json
+    const stored = await this._fromSecretsFile(key);
+    if (stored) {
+      this._cache.set(key, stored);
+      return stored;
+    }
+
+    return null;
+  }
+
+  /**
+   * Store a secret (encrypts before writing to secrets.json)
+   */
+  async set(key, value) {
+    if (!key || value === undefined || value === null) {
+      throw new Error("key and value are required");
+    }
+
+    // Update cache
+    this._cache.set(key, value);
+
+    // Load existing secrets
+    const secrets = await this._loadSecretsFile();
+
+    // Encrypt and store
+    secrets[key] = this._encrypt(value);
+
+    await this._saveSecretsFile(secrets);
+    return { key, stored: true };
+  }
+
+  /**
+   * Delete a secret from cache + secrets.json
+   */
+  async delete(key) {
+    this._cache.delete(key);
+
+    const secrets = await this._loadSecretsFile();
+    if (!(key in secrets)) {
+      return { success: false, key, error: "Key not found" };
+    }
+
+    delete secrets[key];
+    await this._saveSecretsFile(secrets);
+    return { success: true, key };
+  }
+
+  /**
+   * List stored secret keys (not values)
+   */
+  async list() {
+    const secrets = await this._loadSecretsFile();
+    return Object.keys(secrets);
+  }
+
+  /**
+   * macOS Keychain integration
+   * Tries common wispy service names, then the key itself as service name
+   */
+  async _fromKeychain(service, account) {
+    if (process.platform !== "darwin") return null;
+
+    try {
+      const { execFile } = await import("node:child_process");
+      const { promisify } = await import("node:util");
+      const exec = promisify(execFile);
+
+      // Map common env var names to keychain service names
+      const serviceMap = {
+        OPENAI_API_KEY: "openai-api-key",
+        ANTHROPIC_API_KEY: "anthropic-api-key",
+        GOOGLE_AI_KEY: "google-ai-key",
+        GOOGLE_GENERATIVE_AI_KEY: "google-ai-key",
+        GEMINI_API_KEY: "google-ai-key",
+        GROQ_API_KEY: "groq-api-key",
+        DEEPSEEK_API_KEY: "deepseek-api-key",
+      };
+
+      const keychainService = serviceMap[service] ?? service.toLowerCase().replace(/_/g, "-");
+      const accounts = account ? [account] : ["wispy", "poropo"];
+
+      for (const acc of accounts) {
+        try {
+          const { stdout } = await exec(
+            "security",
+            ["find-generic-password", "-s", keychainService, "-a", acc, "-w"],
+            { timeout: 2000 }
+          );
+          const val = stdout.trim();
+          if (val) return val;
+        } catch { /* try next */ }
+      }
+
+      // Fallback: no account filter
+      try {
+        const { stdout } = await exec(
+          "security",
+          ["find-generic-password", "-s", keychainService, "-w"],
+          { timeout: 2000 }
+        );
+        const val = stdout.trim();
+        if (val) return val;
+      } catch { /* not found */ }
+    } catch { /* keychain unavailable */ }
+
+    return null;
+  }
+
+  // ── Encryption helpers ───────────────────────────────────────────────────────
+
+  /**
+   * Encrypt plaintext → base64 string (iv:tag:ciphertext)
+   */
+  _encrypt(plaintext) {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, this._machineKey, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    // Encode as hex parts joined by ":"
+    return `${iv.toString("hex")}:${tag.toString("hex")}:${encrypted.toString("hex")}`;
+  }
+
+  /**
+   * Decrypt iv:tag:ciphertext → plaintext string
+   */
+  _decrypt(ciphertext) {
+    const [ivHex, tagHex, encHex] = ciphertext.split(":");
+    if (!ivHex || !tagHex || !encHex) throw new Error("Invalid ciphertext format");
+
+    const iv = Buffer.from(ivHex, "hex");
+    const tag = Buffer.from(tagHex, "hex");
+    const enc = Buffer.from(encHex, "hex");
+
+    const decipher = createDecipheriv(ALGORITHM, this._machineKey, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(enc) + decipher.final("utf8");
+  }
+
+  // ── File helpers ─────────────────────────────────────────────────────────────
+
+  async _loadSecretsFile() {
+    try {
+      const raw = await readFile(this.secretsFile, "utf8");
+      return JSON.parse(raw);
+    } catch {
+      return {};
+    }
+  }
+
+  async _saveSecretsFile(secrets) {
+    await mkdir(this.wispyDir, { recursive: true });
+    await writeFile(this.secretsFile, JSON.stringify(secrets, null, 2) + "\n", "utf8");
+  }
+
+  async _fromSecretsFile(key) {
+    const secrets = await this._loadSecretsFile();
+    if (!(key in secrets)) return null;
+    try {
+      return this._decrypt(secrets[key]);
+    } catch {
+      return null; // Corrupted entry — skip
+    }
+  }
+
+  /**
+   * Scrub secret values from an object (for logging/audit)
+   * Replaces any value that looks like a key we know about with "***"
+   */
+  scrub(obj) {
+    if (typeof obj !== "object" || obj === null) return obj;
+    const knownKeys = new Set([...this._cache.keys()]);
+    const result = {};
+    for (const [k, v] of Object.entries(obj)) {
+      if (knownKeys.has(k) || /key|token|secret|password|credential/i.test(k)) {
+        result[k] = "***";
+      } else {
+        result[k] = v;
+      }
+    }
+    return result;
+  }
+}
+
+/** Singleton factory — reuse across modules */
+let _instance = null;
+export function getSecretsManager(options = {}) {
+  if (!_instance) _instance = new SecretsManager(options);
+  return _instance;
+}

package/core/session.mjs

@@ -5,6 +5,9 @@
  *   - create({ workstream?, channel?, chatId? }) → Session
  *   - get(id) → Session
  *   - list(filter?) → Session[]
+ *   - listSessions(options?) → metadata array (from disk)
+ *   - loadSession(id) → full session with messages (alias for load)
+ *   - forkSession(id) → new session copied from existing
  *   - addMessage(id, message) → void
  *   - clear(id) → void
  *   - save(id) → void
@@ -16,7 +19,7 @@
 
 import os from "node:os";
 import path from "node:path";
-import { readFile, writeFile, mkdir, readdir } from "node:fs/promises";
+import { readFile, writeFile, mkdir, readdir, stat } from "node:fs/promises";
 import { SESSIONS_DIR } from "./config.mjs";
 
 export class Session {

package/core/tts.mjs

@@ -0,0 +1,194 @@
+/**
+ * core/tts.mjs — Text-to-Speech Manager for Wispy
+ *
+ * Auto-detects available TTS provider:
+ *   1. OpenAI TTS API (best quality, requires OPENAI_API_KEY)
+ *   2. macOS native `say` command (free, always available on macOS)
+ *
+ * Usage:
+ *   const tts = new TTSManager(secretsManager);
+ *   const result = await tts.speak("Hello world");
+ *   // result.path → audio file path
+ */
+
+import os from "node:os";
+import path from "node:path";
+import { writeFile } from "node:fs/promises";
+
+export class TTSManager {
+  constructor(secretsManager) {
+    this.secrets = secretsManager;
+    this._provider = null; // cached auto-detected provider
+  }
+
+  /**
+   * Auto-detect available TTS provider.
+   * Order: OpenAI (best quality) → macOS say (free) → null
+   */
+  async detectProvider() {
+    if (this._provider) return this._provider;
+
+    const openaiKey = await this.secrets.resolve("OPENAI_API_KEY");
+    if (openaiKey) {
+      this._provider = "openai";
+      return "openai";
+    }
+
+    if (process.platform === "darwin") {
+      this._provider = "macos";
+      return "macos";
+    }
+
+    return null;
+  }
+
+  /**
+   * Generate speech from text.
+   *
+   * @param {string} text - Text to speak
+   * @param {object} options
+   * @param {string} [options.provider] - "openai" | "macos" | "auto"
+   * @param {string} [options.voice] - Voice name
+   * @param {string} [options.model] - OpenAI TTS model
+   * @param {string} [options.format] - Output format (openai: mp3/opus/aac/flac, macos: aiff)
+   * @param {number} [options.rate] - Speech rate (macOS only)
+   * @returns {Promise<{provider, path, format, voice}|{error}>}
+   */
+  async speak(text, options = {}) {
+    const providerOpt = options.provider ?? "auto";
+    const provider = providerOpt === "auto"
+      ? await this.detectProvider()
+      : providerOpt;
+
+    switch (provider) {
+      case "openai":
+        return this._openaiTTS(text, options);
+      case "macos":
+        return this._macosTTS(text, options);
+      default:
+        return { error: "No TTS provider available. Set OPENAI_API_KEY or use macOS." };
+    }
+  }
+
+  /**
+   * OpenAI TTS API
+   * https://platform.openai.com/docs/api-reference/audio/createSpeech
+   */
+  async _openaiTTS(text, {
+    voice = "alloy",
+    model = "tts-1",
+    format = "mp3",
+  } = {}) {
+    const apiKey = await this.secrets.resolve("OPENAI_API_KEY");
+    if (!apiKey) {
+      return { error: "OPENAI_API_KEY not found" };
+    }
+
+    const response = await fetch("https://api.openai.com/v1/audio/speech", {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        model,
+        input: text,
+        voice,
+        response_format: format,
+      }),
+    });
+
+    if (!response.ok) {
+      const errText = await response.text().catch(() => "unknown error");
+      return { error: `OpenAI TTS failed: ${response.status} ${errText}` };
+    }
+
+    const buffer = Buffer.from(await response.arrayBuffer());
+    const outputPath = path.join(os.tmpdir(), `wispy-tts-${Date.now()}.${format}`);
+    await writeFile(outputPath, buffer);
+
+    return { provider: "openai", path: outputPath, format, voice };
+  }
+
+  /**
+   * macOS native TTS using `say` command
+   */
+  async _macosTTS(text, {
+    voice = "Samantha",
+    rate = 200,
+  } = {}) {
+    if (process.platform !== "darwin") {
+      return { error: "macOS TTS is only available on macOS" };
+    }
+
+    const outputPath = path.join(os.tmpdir(), `wispy-tts-${Date.now()}.aiff`);
+
+    const { execFile } = await import("node:child_process");
+    const { promisify } = await import("node:util");
+    const exec = promisify(execFile);
+
+    try {
+      await exec("say", ["-v", voice, "-r", String(rate), "-o", outputPath, text], {
+        timeout: 30000,
+      });
+    } catch (err) {
+      return { error: `macOS TTS failed: ${err.message}` };
+    }
+
+    return { provider: "macos", path: outputPath, format: "aiff", voice };
+  }
+
+  /**
+   * List available macOS voices
+   */
+  async listMacOSVoices() {
+    if (process.platform !== "darwin") return [];
+    try {
+      const { execFile } = await import("node:child_process");
+      const { promisify } = await import("node:util");
+      const exec = promisify(execFile);
+      const { stdout } = await exec("say", ["-v", "?"], { timeout: 5000 });
+      return stdout.trim().split("\n").map(line => {
+        const parts = line.trim().split(/\s+/);
+        return { name: parts[0], locale: parts[1] };
+      });
+    } catch {
+      return [];
+    }
+  }
+}
+
+/**
+ * Tool definition for ToolRegistry integration
+ */
+export const TTS_TOOL_DEFINITION = {
+  name: "text_to_speech",
+  description: "Convert text to speech audio file. Returns the path to the generated audio file.",
+  parameters: {
+    type: "object",
+    properties: {
+      text: {
+        type: "string",
+        description: "Text to convert to speech",
+      },
+      voice: {
+        type: "string",
+        description: "Voice name (openai: alloy/echo/fable/onyx/nova/shimmer, macos: Samantha/Alex/Victoria/etc)",
+      },
+      provider: {
+        type: "string",
+        enum: ["openai", "macos", "auto"],
+        description: "TTS provider to use (default: auto-detect)",
+      },
+      model: {
+        type: "string",
+        description: "TTS model (OpenAI only: tts-1 or tts-1-hd)",
+      },
+      rate: {
+        type: "number",
+        description: "Speech rate in words per minute (macOS only, default: 200)",
+      },
+    },
+    required: ["text"],
+  },
+};

package/lib/jsonl-emitter.mjs

@@ -0,0 +1,101 @@
+/**
+ * lib/jsonl-emitter.mjs — Structured JSONL event emitter for CI/pipeline integration
+ *
+ * When --json flag is used, all events are emitted as newline-delimited JSON
+ * to stdout. Event types: start, user_message, assistant_message,
+ * tool_call, tool_result, error, done.
+ */
+
+export class JsonlEmitter {
+  /**
+   * Emit a raw event object as a JSON line to stdout.
+   * @param {object} event
+   */
+  emit(event) {
+    process.stdout.write(JSON.stringify(event) + "\n");
+  }
+
+  /**
+   * Emit a "start" event with session metadata.
+   * @param {{ model?: string, session_id?: string, [key: string]: any }} meta
+   */
+  start(meta) {
+    this.emit({ type: "start", ...meta, timestamp: new Date().toISOString() });
+  }
+
+  /**
+   * Emit a "tool_call" event.
+   * @param {string} name - Tool name
+   * @param {object} args - Tool arguments
+   */
+  toolCall(name, args) {
+    this.emit({ type: "tool_call", name, args, timestamp: new Date().toISOString() });
+  }
+
+  /**
+   * Emit a "tool_result" event.
+   * @param {string} name - Tool name
+   * @param {string|object} result - Tool result
+   * @param {number} durationMs - Duration in milliseconds
+   */
+  toolResult(name, result, durationMs) {
+    this.emit({
+      type: "tool_result",
+      name,
+      result: typeof result === "string" ? result.slice(0, 1000) : result,
+      duration_ms: durationMs,
+    });
+  }
+
+  /**
+   * Emit a user_message or assistant_message event.
+   * @param {"user"|"assistant"} role
+   * @param {string} content
+   */
+  message(role, content) {
+    this.emit({ type: `${role}_message`, content, timestamp: new Date().toISOString() });
+  }
+
+  /**
+   * Emit an "error" event.
+   * @param {Error|string} err
+   */
+  error(err) {
+    this.emit({
+      type: "error",
+      message: err?.message ?? String(err),
+      timestamp: new Date().toISOString(),
+    });
+  }
+
+  /**
+   * Emit a "done" event with final stats.
+   * @param {{ tokens?: { input: number, output: number }, duration_ms?: number, [key: string]: any }} stats
+   */
+  done(stats) {
+    this.emit({ type: "done", ...stats, timestamp: new Date().toISOString() });
+  }
+}
+
+/**
+ * A no-op emitter used when --json flag is not set.
+ * All methods are silent.
+ */
+export class NullEmitter {
+  emit() {}
+  start() {}
+  toolCall() {}
+  toolResult() {}
+  message() {}
+  error() {}
+  done() {}
+}
+
+/**
+ * Create the appropriate emitter based on whether JSON mode is active.
+ * @param {boolean} jsonMode
+ * @returns {JsonlEmitter|NullEmitter}
+ */
+export function createEmitter(jsonMode) {
+  return jsonMode ? new JsonlEmitter() : new NullEmitter();
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wispy-cli",
-  "version": "2.7.9",
+  "version": "2.7.11",
   "description": "🌿 Wispy — AI workspace assistant with trustworthy execution (harness, receipts, approvals, diffs)",
   "license": "MIT",
   "author": "Minseo & Poropo",