xenfra 0.2.4__py3-none-any.whl → 0.2.5__py3-none-any.whl

xenfra/commands/projects.py

@@ -1,6 +1,7 @@
 """
 Project management commands for Xenfra CLI.
 """
+
 import click
 from rich.console import Console
 from rich.table import Table
@@ -8,6 +9,12 @@ from xenfra_sdk import XenfraClient
 from xenfra_sdk.exceptions import XenfraAPIError, XenfraError
 
 from ..utils.auth import API_BASE_URL, get_auth_token
+from ..utils.validation import (
+    validate_project_id,
+    validate_project_name,
+    validate_region,
+    validate_size_slug,
+)
 
 console = Console()
 
@@ -50,14 +57,18 @@ def list():
             table.add_column("Cost/Month", style="red")
 
             for project in projects_list:
-                cost = f"${project.estimated_monthly_cost:.2f}" if project.estimated_monthly_cost else "N/A"
+                cost = (
+                    f"${project.estimated_monthly_cost:.2f}"
+                    if project.estimated_monthly_cost
+                    else "N/A"
+                )
                 table.add_row(
                     str(project.id),
                     project.name,
                     project.status,
                     project.region,
                     project.ip_address or "N/A",
-                    cost
+                    cost,
                 )
 
             console.print(table)
@@ -71,9 +82,15 @@ def list():
 
 
 @projects.command()
-@click.argument('project_id', type=int)
+@click.argument("project_id", type=int)
 def show(project_id):
     """Show details for a specific project."""
+    # Validate project ID
+    is_valid, error_msg = validate_project_id(project_id)
+    if not is_valid:
+        console.print(f"[bold red]Invalid project ID: {error_msg}[/bold red]")
+        raise click.Abort()
+
     try:
         with get_client() as client:
             project = client.projects.show(project_id)
@@ -92,7 +109,7 @@ def show(project_id):
             panel = Panel(
                 details,
                 title=f"[bold green]Project {project.id}[/bold green]",
-                border_style="green"
+                border_style="green",
             )
             console.print(panel)
 
@@ -105,10 +122,16 @@ def show(project_id):
 
 
 @projects.command()
-@click.argument('project_id', type=int)
-@click.confirmation_option(prompt='Are you sure you want to delete this project?')
+@click.argument("project_id", type=int)
+@click.confirmation_option(prompt="Are you sure you want to delete this project?")
 def delete(project_id):
     """Delete a project."""
+    # Validate project ID
+    is_valid, error_msg = validate_project_id(project_id)
+    if not is_valid:
+        console.print(f"[bold red]Invalid project ID: {error_msg}[/bold red]")
+        raise click.Abort()
+
     try:
         with get_client() as client:
             client.projects.delete(str(project_id))
@@ -123,11 +146,31 @@ def delete(project_id):
 
 
 @projects.command()
-@click.argument('name')
-@click.option('--region', default='nyc3', help='DigitalOcean region (default: nyc3)')
-@click.option('--size', 'size_slug', default='s-1vcpu-1gb', help='Droplet size (default: s-1vcpu-1gb)')
+@click.argument("name")
+@click.option("--region", default="nyc3", help="DigitalOcean region (default: nyc3)")
+@click.option(
+    "--size", "size_slug", default="s-1vcpu-1gb", help="Droplet size (default: s-1vcpu-1gb)"
+)
 def create(name, region, size_slug):
     """Create a new project."""
+    # Validate project name
+    is_valid, error_msg = validate_project_name(name)
+    if not is_valid:
+        console.print(f"[bold red]Invalid project name: {error_msg}[/bold red]")
+        raise click.Abort()
+
+    # Validate region
+    is_valid, error_msg = validate_region(region)
+    if not is_valid:
+        console.print(f"[bold red]Invalid region: {error_msg}[/bold red]")
+        raise click.Abort()
+
+    # Validate size slug
+    is_valid, error_msg = validate_size_slug(size_slug)
+    if not is_valid:
+        console.print(f"[bold red]Invalid size slug: {error_msg}[/bold red]")
+        raise click.Abort()
+
     try:
         with get_client() as client:
             console.print(f"[cyan]Creating project '{name}'...[/cyan]")
@@ -136,7 +179,7 @@ def create(name, region, size_slug):
             project = client.projects.create(name=name, region=region, size_slug=size_slug)
 
             # Display success message
-            console.print(f"[bold green]✓[/bold green] Project created successfully!")
+            console.print("[bold green]✓[/bold green] Project created successfully!")
 
             # Show project details
             from rich.panel import Panel
@@ -149,9 +192,7 @@ def create(name, region, size_slug):
 [cyan]Estimated Cost:[/cyan] ${project.estimated_monthly_cost:.2f}/month"""
 
             panel = Panel(
-                details,
-                title="[bold green]New Project[/bold green]",
-                border_style="green"
+                details, title="[bold green]New Project[/bold green]", border_style="green"
             )
             console.print(panel)
 

xenfra/commands/security_cmd.py

@@ -1,6 +1,7 @@
 """
 Security configuration commands for Xenfra CLI.
 """
+
 import os
 
 import click
@@ -8,12 +9,7 @@ from rich.console import Console
 from rich.panel import Panel
 from rich.table import Table
 
-from ..utils.security import (
-    ALLOWED_DOMAINS,
-    display_security_info,
-    security_config,
-    validate_and_get_api_url,
-)
+from ..utils.security import ALLOWED_DOMAINS, security_config, validate_and_get_api_url
 
 console = Console()
 
@@ -41,7 +37,9 @@ def check():
 
     # Environment
     env_color = "green" if security_config.is_production() else "yellow"
-    console.print(f"[bold]Environment:[/bold] [{env_color}]{security_config.environment}[/{env_color}]")
+    console.print(
+        f"[bold]Environment:[/bold] [{env_color}]{security_config.environment}[/{env_color}]"
+    )
 
     console.print()
 
@@ -55,22 +53,22 @@ def check():
         (
             "HTTPS Enforcement",
             "✅ Enabled" if security_config.enforce_https else "⚠️  Disabled",
-            "Blocks HTTP connections (except localhost)"
+            "Blocks HTTP connections (except localhost)",
         ),
         (
             "Domain Whitelist",
             "✅ Enforced" if security_config.enforce_whitelist else "⚠️  Warning Only",
-            "Restricts connections to approved domains"
+            "Restricts connections to approved domains",
         ),
         (
             "HTTP Warning",
             "✅ Enabled" if security_config.warn_on_http else "❌ Disabled",
-            "Warns when using insecure HTTP"
+            "Warns when using insecure HTTP",
         ),
         (
             "Certificate Pinning",
             "✅ Enabled" if security_config.enable_cert_pinning else "❌ Disabled",
-            "Validates SSL certificate fingerprints"
+            "Validates SSL certificate fingerprints",
         ),
     ]
 
@@ -113,7 +111,7 @@ def check():
                 "2. Use HTTPS API URL\n"
                 "3. All security features will auto-enable",
                 title="Recommendation",
-                border_style="yellow"
+                border_style="yellow",
             )
         )
     else:
@@ -123,23 +121,23 @@ def check():
                 "All security features are active.\n"
                 "Your credentials and data are protected.",
                 title="Status",
-                border_style="green"
+                border_style="green",
             )
         )
 
 
 @security.command()
-@click.argument('url')
+@click.argument("url")
 def validate(url):
     """Validate an API URL against security policies."""
     console.print(f"\n[cyan]Validating URL:[/cyan] {url}\n")
 
     try:
         validated_url = validate_and_get_api_url(url)
-        console.print(f"[bold green]✅ URL is valid and passed all security checks![/bold green]")
+        console.print("[bold green]✅ URL is valid and passed all security checks![/bold green]")
         console.print(f"[dim]Validated URL: {validated_url}[/dim]")
     except click.Abort:
-        console.print(f"[bold red]❌ URL failed security validation[/bold red]")
+        console.print("[bold red]❌ URL failed security validation[/bold red]")
     except Exception as e:
         console.print(f"[bold red]❌ Validation error: {e}[/bold red]")
 
@@ -202,7 +200,7 @@ XENFRA_ENV
   Default: development
 
 XENFRA_API_URL
-  Default: http://localhost:8000 (dev), https://api.xenfra.com (prod)
+  Default: http://localhost:8000 (dev), https://api.xenfra.tech (prod)
 
 XENFRA_ENFORCE_HTTPS
   Values: true | false
@@ -229,7 +227,7 @@ XENFRA_WARN_ON_HTTP
 5. Use environment-specific configurations
 6. Enable all features for production deployments
 
-[dim]For more information: https://docs.xenfra.com/security[/dim]
+[dim]For more information: https://docs.xenfra.tech/security[/dim]
 """
 
     console.print(Panel(docs_text, border_style="cyan", padding=(1, 2)))

xenfra/main.py

@@ -3,6 +3,7 @@ Xenfra CLI - Main entry point.
 
 A modern, AI-powered CLI for deploying Python apps to DigitalOcean.
 """
+
 import os
 
 import click

xenfra/utils/auth.py

@@ -2,13 +2,19 @@
 Authentication utilities for Xenfra CLI.
 Handles OAuth2 PKCE flow and token management.
 """
-import os
+
 from http.server import BaseHTTPRequestHandler, HTTPServer
 from urllib.parse import parse_qs, urlparse
 
 import httpx
 import keyring
 from rich.console import Console
+from tenacity import (
+    retry,
+    stop_after_attempt,
+    wait_exponential,
+    retry_if_exception_type,
+)
 
 from .security import validate_and_get_api_url
 
@@ -24,6 +30,9 @@ CLI_REDIRECT_PATH = "/auth/callback"
 CLI_LOCAL_SERVER_START_PORT = 8001
 CLI_LOCAL_SERVER_END_PORT = 8005
 
+# HTTP request timeout (30 seconds)
+HTTP_TIMEOUT = 30.0
+
 # Global storage for OAuth callback data
 oauth_data = {"code": None, "state": None, "error": None}
 
@@ -76,6 +85,39 @@ def run_local_oauth_server(port: int, redirect_path: str):
     console.print("[dim]Local OAuth server shut down.[/dim]")
 
 
+@retry(
+    stop=stop_after_attempt(3),
+    wait=wait_exponential(multiplier=1, min=2, max=10),
+    retry=retry_if_exception_type((httpx.TimeoutException, httpx.NetworkError)),
+    reraise=True,
+)
+def _refresh_token_with_retry(refresh_token: str) -> dict:
+    """
+    Refresh access token with retry logic.
+
+    Returns token data dictionary.
+    """
+    with httpx.Client(timeout=HTTP_TIMEOUT) as client:
+        response = client.post(
+            f"{API_BASE_URL}/auth/refresh",
+            data={"refresh_token": refresh_token, "client_id": CLI_CLIENT_ID},
+            headers={"Accept": "application/json"},
+        )
+        response.raise_for_status()
+
+        # Safe JSON parsing with content-type check
+        content_type = response.headers.get("content-type", "")
+        if "application/json" not in content_type:
+            raise ValueError(f"Expected JSON response, got {content_type}")
+
+        try:
+            token_data = response.json()
+        except (ValueError, TypeError) as e:
+            raise ValueError(f"Failed to parse JSON response: {e}")
+
+        return token_data
+
+
 def get_auth_token() -> str | None:
     """
     Retrieve a valid access token, refreshing it if necessary.
@@ -83,8 +125,12 @@ def get_auth_token() -> str | None:
     Returns:
         Valid access token or None if not authenticated
     """
-    access_token = keyring.get_password(SERVICE_ID, "access_token")
-    refresh_token = keyring.get_password(SERVICE_ID, "refresh_token")
+    try:
+        access_token = keyring.get_password(SERVICE_ID, "access_token")
+        refresh_token = keyring.get_password(SERVICE_ID, "refresh_token")
+    except keyring.errors.KeyringError as e:
+        console.print(f"[yellow]Warning: Could not access keyring: {e}[/yellow]")
+        return None
 
     if not access_token:
         return None
@@ -105,35 +151,65 @@ def get_auth_token() -> str | None:
     if not claims and refresh_token:
         console.print("[dim]Access token expired. Attempting to refresh...[/dim]")
         try:
-            with httpx.Client() as client:
-                response = client.post(
-                    f"{API_BASE_URL}/auth/refresh",
-                    data={"refresh_token": refresh_token, "client_id": CLI_CLIENT_ID},
-                )
-                response.raise_for_status()
-                token_data = response.json()
-                new_access_token = token_data.get("access_token")
-                new_refresh_token = token_data.get("refresh_token")
+            token_data = _refresh_token_with_retry(refresh_token)
+            new_access_token = token_data.get("access_token")
+            new_refresh_token = token_data.get("refresh_token")
 
-                if new_access_token:
+            if new_access_token:
+                try:
                     keyring.set_password(SERVICE_ID, "access_token", new_access_token)
                     if new_refresh_token:
                         keyring.set_password(SERVICE_ID, "refresh_token", new_refresh_token)
                     console.print("[bold green]Token refreshed successfully.[/bold green]")
                     return new_access_token
-                else:
-                    console.print("[bold red]Failed to get new access token.[/bold red]")
-                    return None
+                except keyring.errors.KeyringError as e:
+                    console.print(
+                        f"[yellow]Warning: Could not save refreshed token to keyring: {e}[/yellow]"
+                    )
+                    # Return the token anyway, but warn user
+                    return new_access_token
+            else:
+                console.print("[bold red]Failed to get new access token.[/bold red]")
+                return None
+
+        except httpx.TimeoutException:
+            console.print("[bold red]Token refresh failed: Request timed out.[/bold red]")
+            return None
+        except httpx.NetworkError:
+            console.print("[bold red]Token refresh failed: Network error.[/bold red]")
+            return None
         except httpx.HTTPStatusError as exc:
             if exc.response.status_code == 400:
                 console.print("[bold red]Refresh token expired. Please log in again.[/bold red]")
             else:
-                console.print(f"[bold red]Token refresh failed: {exc.response.status_code}[/bold red]")
-            keyring.delete_password(SERVICE_ID, "access_token")
-            keyring.delete_password(SERVICE_ID, "refresh_token")
+                error_detail = "Unknown error"
+                try:
+                    if exc.response.content:
+                        content_type = exc.response.headers.get("content-type", "")
+                        if "application/json" in content_type:
+                            error_data = exc.response.json()
+                            error_detail = error_data.get("detail", str(error_data))
+                except Exception:
+                    error_detail = exc.response.text[:200] if exc.response.text else "Unknown error"
+
+                console.print(
+                    f"[bold red]Token refresh failed: {exc.response.status_code} - {error_detail}[/bold red]"
+                )
+
+            # Clear tokens on refresh failure
+            try:
+                keyring.delete_password(SERVICE_ID, "access_token")
+                keyring.delete_password(SERVICE_ID, "refresh_token")
+            except keyring.errors.KeyringError:
+                pass  # Ignore errors when clearing
             return None
-        except httpx.RequestError as exc:
-            console.print(f"[bold red]Token refresh failed: {exc}[/bold red]")
+        except ValueError as e:
+            console.print(f"[bold red]Token refresh failed: {e}[/bold red]")
+            return None
+        except Exception as e:
+            console.print(
+                f"[bold red]Token refresh failed: Unexpected error - {type(e).__name__}[/bold red]"
+            )
             return None
 
     return access_token
@@ -146,3 +222,5 @@ def clear_tokens():
         keyring.delete_password(SERVICE_ID, "refresh_token")
     except keyring.errors.PasswordDeleteError:
         pass  # Tokens already cleared
+    except keyring.errors.KeyringError as e:
+        console.print(f"[yellow]Warning: Could not clear tokens from keyring: {e}[/yellow]")

xenfra/utils/codebase.py

@@ -1,6 +1,7 @@
 """
 Codebase scanning utilities for AI-powered project initialization.
 """
+
 import os
 from pathlib import Path
 
@@ -9,6 +10,26 @@ def scan_codebase(max_files: int = 10, max_size: int = 50000) -> dict[str, str]:
     """
     Scan current directory for important code files.
 
+    Args:
+        max_files: Maximum number of files to include (validated: 1-100)
+        max_size: Maximum file size in bytes (validated: 1KB-10MB)
+
+    Returns:
+        Dictionary of filename -> content for AI analysis
+    """
+    # Validate limits
+    from .validation import validate_codebase_scan_limits
+
+    is_valid, error_msg = validate_codebase_scan_limits(max_files, max_size)
+    if not is_valid:
+        raise ValueError(f"Invalid scan limits: {error_msg}")
+
+    # Ensure limits are within bounds
+    max_files = max(1, min(100, max_files))
+    max_size = max(1024, min(10 * 1024 * 1024, max_size))
+    """
+    Scan current directory for important code files.
+
     Args:
         max_files: Maximum number of files to include
         max_size: Maximum file size in bytes (default 50KB)
@@ -21,15 +42,25 @@ def scan_codebase(max_files: int = 10, max_size: int = 50000) -> dict[str, str]:
     # Priority files to scan (in order)
     important_files = [
         # Python entry points
-        'main.py', 'app.py', 'wsgi.py', 'asgi.py', 'manage.py',
+        "main.py",
+        "app.py",
+        "wsgi.py",
+        "asgi.py",
+        "manage.py",
         # Configuration files
-        'requirements.txt', 'pyproject.toml', 'Pipfile', 'setup.py',
+        "requirements.txt",
+        "pyproject.toml",
+        "Pipfile",
+        "setup.py",
         # Django/Flask specific
-        'settings.py', 'config.py',
+        "settings.py",
+        "config.py",
         # Docker
-        'Dockerfile', 'docker-compose.yml',
+        "Dockerfile",
+        "docker-compose.yml",
         # Xenfra config
-        'xenfra.yaml', 'xenfra.yml',
+        "xenfra.yaml",
+        "xenfra.yml",
     ]
 
     # Scan for important files in current directory
@@ -43,26 +74,29 @@ def scan_codebase(max_files: int = 10, max_size: int = 50000) -> dict[str, str]:
                 if file_size > max_size:
                     continue
 
-                with open(filename, 'r', encoding='utf-8') as f:
+                with open(filename, "r", encoding="utf-8") as f:
                     content = f.read(max_size)
                     code_snippets[filename] = content
-            except (IOError, UnicodeDecodeError):
-                # Skip files that can't be read
+            except (IOError, OSError, PermissionError, UnicodeDecodeError) as e:
+                # Skip files that can't be read (log but don't crash)
+                import logging
+                logger = logging.getLogger(__name__)
+                logger.debug(f"Skipping file {filename}: {type(e).__name__}")
                 continue
 
     # If we haven't found enough files, look for Python files in common locations
     if len(code_snippets) < 3:
         search_patterns = [
-            'src/**/*.py',
-            'app/**/*.py',
-            '*.py',
+            "src/**/*.py",
+            "app/**/*.py",
+            "*.py",
         ]
 
         for pattern in search_patterns:
             if len(code_snippets) >= max_files:
                 break
 
-            for filepath in Path('.').glob(pattern):
+            for filepath in Path(".").glob(pattern):
                 if len(code_snippets) >= max_files:
                     break
 
@@ -72,10 +106,14 @@ def scan_codebase(max_files: int = 10, max_size: int = 50000) -> dict[str, str]:
                         if file_size > max_size:
                             continue
 
-                        with open(filepath, 'r', encoding='utf-8') as f:
+                        with open(filepath, "r", encoding="utf-8") as f:
                             content = f.read(max_size)
                             code_snippets[str(filepath)] = content
-                    except (IOError, UnicodeDecodeError):
+                    except (IOError, OSError, PermissionError, UnicodeDecodeError) as e:
+                        # Skip files that can't be read
+                        import logging
+                        logger = logging.getLogger(__name__)
+                        logger.debug(f"Skipping file {filepath}: {type(e).__name__}")
                         continue
 
     return code_snippets
@@ -83,4 +121,4 @@ def scan_codebase(max_files: int = 10, max_size: int = 50000) -> dict[str, str]:
 
 def has_xenfra_config() -> bool:
     """Check if xenfra.yaml already exists."""
-    return os.path.exists('xenfra.yaml') or os.path.exists('xenfra.yml')
+    return os.path.exists("xenfra.yaml") or os.path.exists("xenfra.yml")