meshapi-code 0.3.2__tar.gz → 0.3.3__tar.gz

{meshapi_code-0.3.2 → meshapi_code-0.3.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: meshapi-code
-Version: 0.3.2
+Version: 0.3.3
 Summary: Terminal chat for Mesh API — OpenAI-compatible LLM gateway
 Project-URL: Homepage, https://meshapi.ai
 Project-URL: Documentation, https://docs.meshapi.ai

{meshapi_code-0.3.2 → meshapi_code-0.3.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "meshapi-code"
-version = "0.3.2"
+version = "0.3.3"
 description = "Terminal chat for Mesh API — OpenAI-compatible LLM gateway"
 readme = "README.md"
 license = "Apache-2.0"

meshapi_code-0.3.3/src/meshapi/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.3.3"

{meshapi_code-0.3.2 → meshapi_code-0.3.3}/src/meshapi/cli.py

@@ -1,6 +1,7 @@
 """meshapi — terminal chat REPL for Mesh API."""
 import argparse
 import json
+import re
 import sys
 from pathlib import Path
 
@@ -15,7 +16,7 @@ from rich.text import Text
 from . import __version__
 from .client import stream_chat
 from .commands import handle_command
-from .config import CONFIG_FILE, HISTORY_FILE, load_config
+from .config import CONFIG_FILE, HISTORY_FILE, load_config, secure_file
 from .permissions import HINTS, LABELS, Mode, from_str, next_mode
 from .render import (
     BRAND, BRAND_BG, BRAND_BG_FG, BRAND_DIM, console, fmt_usd, pretty_cwd, render_stream,
@@ -34,6 +35,23 @@ MESH_LOGO_LINES = [
 LOGO_WIDTH = 35  # chars per line
 LOGO_GUTTER = 3  # spaces between logo and info column
 
+# Mesh data-plane keys are `rsk_` followed by an opaque token. Prevent these
+# strings from being persisted to the prompt-toolkit history file in case a
+# user pastes one at the prompt by accident.
+_API_KEY_RE = re.compile(r"\brsk_[A-Za-z0-9_-]{8,}\b")
+
+
+class ScrubbedFileHistory(FileHistory):
+    """FileHistory that drops entries containing API-key-shaped strings
+    and tightens file perms to 0600 after every write."""
+
+    def store_string(self, string: str) -> None:
+        if _API_KEY_RE.search(string):
+            return
+        super().store_string(string)
+        secure_file(Path(self.filename))
+
+
 def parse_args(argv=None) -> argparse.Namespace:
     p = argparse.ArgumentParser(prog="meshapi", description="Terminal chat for Mesh API")
     p.add_argument("--version", action="version", version=f"meshapi {__version__}")
@@ -72,10 +90,28 @@ def render_banner(cfg: dict) -> None:
     console.print()
 
 
+def _resolved_path_line(raw: str) -> str:
+    """Render `→ /abs/path` and flag if the path escapes the launch cwd."""
+    try:
+        resolved = Path(raw).expanduser().resolve()
+    except Exception:
+        return f"[dim]→ {raw}[/dim]"
+    cwd = Path.cwd().resolve()
+    try:
+        outside = not resolved.is_relative_to(cwd)
+    except AttributeError:  # is_relative_to is 3.9+, but pyproject pins 3.10+
+        outside = not str(resolved).startswith(str(cwd))
+    if outside:
+        return f"[dim]→[/dim] [bold yellow]{resolved}[/bold yellow]  [bold yellow](outside cwd)[/bold yellow]"
+    return f"[dim]→ {resolved}[/dim]"
+
+
 def confirm_tool_call(name: str, args: dict) -> bool:
     """ASK-mode prompt for a single tool call. Returns True if approved."""
     summary = summarize_call(name, args)
     console.print(f"[bold {BRAND}]⚙ approve tool call?[/bold {BRAND}]  [dim]{summary}[/dim]")
+    if name in ("read_file", "write_file"):
+        console.print(_resolved_path_line(args.get("path") or ""))
     if name == "write_file":
         preview = (args.get("content") or "")[:300]
         console.print(f"[dim]──[/dim]\n{preview}{'…' if len(args.get('content') or '') > 300 else ''}\n[dim]──[/dim]")
@@ -163,8 +199,12 @@ def main() -> None:
             ("ansibrightblack", "shift+tab to cycle"),
         ])
 
+    # Touch the history file with 0600 up front so prompt_toolkit doesn't
+    # create it world-readable on first write.
+    HISTORY_FILE.touch(mode=0o600, exist_ok=True)
+    secure_file(HISTORY_FILE)
     session = PromptSession(
-        history=FileHistory(str(HISTORY_FILE)),
+        history=ScrubbedFileHistory(str(HISTORY_FILE)),
         key_bindings=kb,
         bottom_toolbar=bottom_toolbar,
     )

meshapi_code-0.3.3/src/meshapi/config.py

@@ -0,0 +1,79 @@
+"""Config storage at ~/.meshapi/config.json."""
+import json
+import os
+import stat
+import sys
+from pathlib import Path
+
+CONFIG_DIR = Path.home() / ".meshapi"
+CONFIG_FILE = CONFIG_DIR / "config.json"
+HISTORY_FILE = CONFIG_DIR / "history"
+
+DEFAULT_CONFIG = {
+    "base_url": "https://api.meshapi.ai/v1",
+    "api_key": "",
+    "model": "anthropic/claude-sonnet-4.5",
+    "system": "You are a helpful coding assistant. Be concise.",
+    "route": None,
+}
+
+_DIR_MODE = stat.S_IRWXU                       # 0700
+_FILE_MODE = stat.S_IRUSR | stat.S_IWUSR       # 0600
+
+
+def _secure_dir(path: Path) -> None:
+    path.mkdir(exist_ok=True)
+    try:
+        path.chmod(_DIR_MODE)
+    except OSError:
+        pass  # best-effort on non-POSIX or weird filesystems
+
+
+def secure_file(path: Path) -> None:
+    """Tighten an existing file's permissions to 0600. Public so cli.py
+    can apply it to the prompt_toolkit history file."""
+    try:
+        if path.exists():
+            path.chmod(_FILE_MODE)
+    except OSError:
+        pass
+
+
+def _validate_base_url(url: str) -> str:
+    u = (url or "").strip().rstrip("/")
+    if u.startswith("https://"):
+        return u
+    if u.startswith(("http://localhost", "http://127.0.0.1")):
+        return u  # local dev/proxy is the only http:// allowed
+    print(
+        f"meshapi: refusing to use base_url {url!r} — must be https:// "
+        "(or http://localhost for local dev). The Authorization header "
+        "carries your API key in cleartext otherwise.",
+        file=sys.stderr,
+    )
+    sys.exit(2)
+
+
+def load_config() -> dict:
+    _secure_dir(CONFIG_DIR)
+    if not CONFIG_FILE.exists():
+        CONFIG_FILE.write_text(json.dumps(DEFAULT_CONFIG, indent=2))
+    secure_file(CONFIG_FILE)
+    cfg = {**DEFAULT_CONFIG, **json.loads(CONFIG_FILE.read_text())}
+    # MESH_API_KEY kept as fallback for one release; prefer MESHAPI_API_KEY.
+    cfg["api_key"] = (
+        os.getenv("MESHAPI_API_KEY")
+        or os.getenv("MESH_API_KEY")
+        or cfg.get("api_key", "")
+    )
+    cfg["base_url"] = _validate_base_url(
+        os.getenv("MESHAPI_BASE_URL", cfg["base_url"])
+    )
+    return cfg
+
+
+def save_config(cfg: dict) -> None:
+    _secure_dir(CONFIG_DIR)
+    persisted = {k: v for k, v in cfg.items() if k != "api_key"}
+    CONFIG_FILE.write_text(json.dumps(persisted, indent=2))
+    secure_file(CONFIG_FILE)

meshapi_code-0.3.2/src/meshapi/__init__.py

@@ -1 +0,0 @@
-__version__ = "0.3.2"

meshapi_code-0.3.2/src/meshapi/config.py

@@ -1,37 +0,0 @@
-"""Config storage at ~/.meshapi/config.json."""
-import json
-import os
-from pathlib import Path
-
-CONFIG_DIR = Path.home() / ".meshapi"
-CONFIG_FILE = CONFIG_DIR / "config.json"
-HISTORY_FILE = CONFIG_DIR / "history"
-
-DEFAULT_CONFIG = {
-    "base_url": "https://api.meshapi.ai/v1",
-    "api_key": "",
-    "model": "anthropic/claude-sonnet-4.5",
-    "system": "You are a helpful coding assistant. Be concise.",
-    "route": None,
-}
-
-
-def load_config() -> dict:
-    CONFIG_DIR.mkdir(exist_ok=True)
-    if not CONFIG_FILE.exists():
-        CONFIG_FILE.write_text(json.dumps(DEFAULT_CONFIG, indent=2))
-    cfg = {**DEFAULT_CONFIG, **json.loads(CONFIG_FILE.read_text())}
-    # MESH_API_KEY kept as fallback for one release; prefer MESHAPI_API_KEY.
-    cfg["api_key"] = (
-        os.getenv("MESHAPI_API_KEY")
-        or os.getenv("MESH_API_KEY")
-        or cfg.get("api_key", "")
-    )
-    cfg["base_url"] = os.getenv("MESHAPI_BASE_URL", cfg["base_url"])
-    return cfg
-
-
-def save_config(cfg: dict) -> None:
-    CONFIG_DIR.mkdir(exist_ok=True)
-    persisted = {k: v for k, v in cfg.items() if k != "api_key"}
-    CONFIG_FILE.write_text(json.dumps(persisted, indent=2))