salesforce
diff --git a/‎Gemfile‎
Lines changed: 4 additions & 1 deletion b/‎Gemfile‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎Gemfile.lock‎
Lines changed: 7 additions & 6 deletions b/‎Gemfile.lock‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎README.md‎
Lines changed: 10 additions & 1 deletion b/‎README.md‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎app/controllers/api_tokens_controller.rb‎
Lines changed: 13 additions & 0 deletions b/‎app/controllers/api_tokens_controller.rb‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎app/controllers/cli_auth_controller.rb‎
Lines changed: 91 additions & 0 deletions b/‎app/controllers/cli_auth_controller.rb‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎app/models/api_token.rb‎
Lines changed: 21 additions & 0 deletions b/‎app/models/api_token.rb‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎app/models/user.rb‎
Lines changed: 13 additions & 0 deletions b/‎app/models/user.rb‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎app/policies/cli_auth_policy.rb‎
Lines changed: 12 additions & 0 deletions b/‎app/policies/cli_auth_policy.rb‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎app/views/api_tokens/_api_token.html.erb‎
Lines changed: 19 additions & 0 deletions b/‎app/views/api_tokens/_api_token.html.erb‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎app/views/api_tokens/index.html.erb‎
Lines changed: 28 additions & 4 deletions b/‎app/views/api_tokens/index.html.erb‎
Lines changed: 28 additions & 4 deletions
@@ -89,7 +89,10 @@ gem 'pgvector'
 
 gem 'dotenv-rails', groups: %i[development test]
 
-gem 'httparty'
+gem 'httparty', '>= 0.24.0'
+
+# Security: Fix CVE-2026-25765 (SSRF vulnerability)
+gem 'faraday', '>= 2.14.1', '< 3.0'
 
 # Markdown renderer
 gem 'redcarpet'
 
@@ -83,7 +83,7 @@ GEM
     base64 (0.3.0)
     bcrypt (3.1.20)
     benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (4.0.1)
     bindex (0.8.1)
     bootsnap (1.18.6)
       msgpack (~> 1.2)
@@ -136,7 +136,7 @@ GEM
       railties (>= 6.1.0)
     faker (3.5.2)
       i18n (>= 1.8.11, < 2)
-    faraday (2.13.2)
+    faraday (2.14.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
@@ -189,7 +189,7 @@ GEM
       builder (>= 2.1.2)
       rexml (~> 3.0)
     hashie (5.0.0)
-    httparty (0.23.1)
+    httparty (0.24.2)
       csv
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
@@ -246,8 +246,8 @@ GEM
     minitest (5.25.5)
     msgpack (1.8.0)
     multi_json (1.16.0)
-    multi_xml (0.7.2)
-      bigdecimal (~> 3.1)
+    multi_xml (0.8.1)
+      bigdecimal (>= 3.1, < 5)
     multipart-post (2.4.1)
     mutex_m (0.3.0)
     neighbor (0.6.0)
@@ -550,9 +550,10 @@ DEPENDENCIES
   dotenv-rails
   factory_bot_rails
   faker
+  faraday (>= 2.14.1, < 3.0)
   google-api-client
   googleauth
-  httparty
+  httparty (>= 0.24.0)
   importmap-rails
   jbuilder
   kaminari
 
@@ -1147,9 +1147,18 @@ The library allows document owners to keep their documents separate from each ot
 Get the id of the library from the URL.
 
 ### 2. Get an API Token
-1. Open /api_tokens in the ui.
+
+**Option A: Web UI**
+1. Open /api_tokens in the UI.
 2. Create a token.
 
+**Option B: CLI Authentication (Recommended)**
+1. Run `ruby scripts/cli_login.rb` from the project directory.
+2. Your browser will open to authorize the CLI.
+3. Token is automatically saved to `~/.fack/credentials`.
+
+For more details, see [CLI Authentication Guide](docs/CLI_AUTHENTICATION.md).
+
 ### 3. Locate the Directory with your Documents
 You can clone your doc repo or have an directory anywhere on your computer.
 
 
@@ -6,6 +6,18 @@ class ApiTokensController < ApplicationController
   # GET /api_tokens or /api_tokens.json
   def index
     @api_tokens = policy_scope(ApiToken).order(last_used: :desc)
+    
+    # Filter by source if provided
+    case params[:source]
+    when 'cli'
+      @api_tokens = @api_tokens.cli_tokens
+    when 'web'
+      @api_tokens = @api_tokens.web_tokens
+    # when 'mobile'
+    #   @api_tokens = @api_tokens.where(source: 'mobile')
+    # 'all' or nil shows all tokens
+    end
+    
     authorize ApiToken
   end
 
@@ -41,6 +53,7 @@ def edit
   def create
     @api_token = ApiToken.new(api_token_params)
     @api_token.user_id = current_user.id if @api_token.user_id.nil?
+    @api_token.source = 'web' # Mark as web-created token
     authorize @api_token
 
     respond_to do |format|
 
@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+class CliAuthController < ApplicationController
+  skip_before_action :verify_authenticity_token, only: [:create]
+
+  # GET /cli/authorize?state=RANDOM&port=9090
+  def new
+    # User must be logged in to authorize CLI
+    unless current_user
+      session[:return_to] = request.original_url
+      redirect_to new_session_path, notice: 'Please login to authorize CLI'
+      return
+    end
+
+    authorize :cli_auth, :new?
+
+    @state = params[:state]
+    @port = params[:port] || '9090'
+
+    # Validate state parameter exists
+    unless @state.present?
+      render plain: 'Error: Missing state parameter', status: :bad_request
+      return
+    end
+
+    # Validate port
+    unless valid_port?(@port)
+      render plain: 'Error: Invalid port number', status: :bad_request
+      return
+    end
+
+    # Show authorization page
+  end
+
+  # POST /cli/authorize
+  def create
+    authorize :cli_auth, :create?
+
+    @state = params[:state]
+    @port = params[:port] || '9090'
+
+    # Validate state parameter exists
+    unless @state.present?
+      render plain: 'Error: Missing state parameter', status: :bad_request
+      return
+    end
+
+    # Validate state format (should be alphanumeric/hex, prevent injection)
+    unless valid_state?(@state)
+      render plain: 'Error: Invalid state parameter format', status: :bad_request
+      return
+    end
+
+    # Validate port
+    unless valid_port?(@port)
+      render plain: 'Error: Invalid port number', status: :bad_request
+      return
+    end
+
+    # Create new API token for CLI
+    @api_token = ApiToken.new(
+      user: current_user,
+      name: "CLI Token - #{Time.current.strftime('%Y-%m-%d %H:%M')}",
+      source: 'cli'
+    )
+
+    if @api_token.save
+      # Redirect to localhost with token
+      # URL encode state and token to prevent injection
+      redirect_url = "http://127.0.0.1:#{@port}/callback?token=#{CGI.escape(@api_token.token)}&state=#{CGI.escape(@state)}"
+      redirect_to redirect_url, allow_other_host: true
+    else
+      error_message = @api_token.errors.full_messages.first || 'Failed to create token'
+      flash[:error] = error_message
+      render :new, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def valid_port?(port)
+    # Only allow ports between 1024 and 65535 (non-privileged ports)
+    port.to_i.between?(1024, 65535)
+  end
+
+  def valid_state?(state)
+    # State should be alphanumeric/hex string, reasonable length (32-128 chars typical)
+    # Prevents URL injection attacks
+    state.present? && state.match?(/\A[a-zA-Z0-9]+\z/) && state.length.between?(16, 256)
+  end
+end
@@ -1,18 +1,39 @@
 # frozen_string_literal: true
 
 class ApiToken < ApplicationRecord
+  MAX_TOKENS_PER_USER = 2
+
   validates :token, presence: true, uniqueness: true
   validates :name, presence: true
+  validate :user_token_limit, on: :create
 
   before_validation :generate_token, on: :create
 
   belongs_to :user
   # encrypts :token, deterministic: true
 
+  # Source tracking: where was this token created?
+  enum :source, { web: 'web', cli: 'cli', mobile: 'mobile' }, prefix: true
+
+  # Scopes for filtering
+  scope :cli_tokens, -> { where(source: 'cli') }
+  scope :web_tokens, -> { where(source: 'web') }
+
   private
 
   def generate_token
     self.token = Digest::MD5.hexdigest(SecureRandom.hex)
     self.active = true
   end
+
+  def user_token_limit
+    return unless user_id.present?
+    # Only apply limit to CLI tokens
+    return unless source == 'cli'
+
+    active_cli_token_count = user.api_tokens.where(active: true, source: 'cli').count
+    if active_cli_token_count >= MAX_TOKENS_PER_USER
+      errors.add(:base, "Maximum of #{MAX_TOKENS_PER_USER} active CLI tokens allowed. Please delete an existing CLI token first.")
+    end
+  end
 end
@@ -16,6 +16,7 @@ class User < ApplicationRecord
   has_many :assistant_users
   has_many :assistants, through: :assistant_users
   has_many :comments, dependent: :destroy
+  has_many :api_tokens, dependent: :destroy
 
   # Recently viewed items feature
   has_many :viewed_items, dependent: :destroy
@@ -55,6 +56,18 @@ def recently_viewed(viewable_type:, limit: 5)
                  .limit(limit)
   end
 
+  # Returns CLI tokens for this user
+  # @return [ActiveRecord::Relation<ApiToken>] the CLI tokens
+  def cli_tokens
+    api_tokens.cli_tokens
+  end
+
+  # Returns web tokens for this user
+  # @return [ActiveRecord::Relation<ApiToken>] the web tokens
+  def web_tokens
+    api_tokens.web_tokens
+  end
+
   private
 
   def password_strength
 
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CliAuthPolicy < ApplicationPolicy
+  # Anyone who is authenticated can authorize CLI access
+  def new?
+    user.present?
+  end
+
+  def create?
+    user.present?
+  end
+end
@@ -22,6 +22,25 @@
         <span class="text-stone-600"><%= api_token.user.email %></span>
       <% end %>
 
+      <%= render 'shared/labelled_field', label: "Source" do %>
+        <% if api_token.source_cli? %>
+          <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-blue-100 text-blue-800">
+            <svg xmlns="http://www.w3.org/2000/svg" class="h-3 w-3 mr-1" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 9l3 3-3 3m5 0h3M5 20h14a2 2 0 002-2V6a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z" />
+            </svg>
+            CLI
+          </span>
+        <% elsif api_token.source_mobile? %>
+          <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-green-100 text-green-800">
+            Mobile
+          </span>
+        <% else %>
+          <span class="inline-flex items-center px-2.5 py-0.5 rounded-full text-xs font-medium bg-gray-100 text-gray-800">
+            Web
+          </span>
+        <% end %>
+      <% end %>
+
       <%= render 'shared/labelled_field', label: "Last used" do %>
         <span class="<%= 'font-bold text-green-500' if api_token.last_used && api_token.last_used > 7.days.ago %>">
           <% if api_token.last_used %>
 
@@ -6,15 +6,25 @@
       <%= render partial: 'shared/button_group', locals: { buttons: { "New" => new_api_token_path } } %>
     <% end %>
   </div>
+  <div class="flex justify-start items-center mb-3">
+    <div class="flex items-center">
+      <% source_filter = params[:source] %>
+      <%= link_to 'All', api_tokens_path, class: "p-3 mr-4 pb-1 border-b-2 hover:border-sky-500 #{'border-sky-500' if source_filter.blank?}" %>
+      <%= link_to 'CLI', api_tokens_path(source: 'cli'), class: "p-3 mr-4 pb-1 border-b-2 hover:border-sky-500 #{'border-sky-500' if source_filter == 'cli'}" %>
+      <%= link_to 'Web', api_tokens_path(source: 'web'), class: "p-3 mr-4 pb-1 border-b-2 hover:border-sky-500 #{'border-sky-500' if source_filter == 'web'}" %>
+    </div>
+  </div>
   <ul id="api_tokens" class="min-w-full list-none p-0">
-    <li class="font-bold grid grid-cols-1 sm:grid-cols-4 text-xs text-stone-800 bg-stone-200 py-2 rounded-t-lg">
-      <!-- Use grid-cols-1 for mobile and sm:grid-cols-5 for small screens and up -->
+    <li class="font-bold grid grid-cols-1 sm:grid-cols-5 text-xs text-stone-800 bg-stone-200 py-2 rounded-t-lg">
       <div class="p-2">
         NAME
       </div>
       <div class="p-2">
         USER
       </div>
+      <div class="p-2">
+        SOURCE
+      </div>
       <div class="p-2">
         LAST USED
       </div>
@@ -23,14 +33,28 @@
       </div>
     </li>
     <% @api_tokens.each_with_index do |api_token, index| %>
-      <li class="<%= 'border-t border-stone-300' unless index == 0 %> font-light grid grid-cols-1 sm:grid-cols-4 justify-between py-2 text-sm bg-white hover:bg-stone-100 <%= 'rounded-b-lg' if index == @api_tokens.length - 1 %>">
-        <!-- Adjustments here similar to the header row -->
+      <li class="<%= 'border-t border-stone-300' unless index == 0 %> font-light grid grid-cols-1 sm:grid-cols-5 justify-between py-2 text-sm bg-white hover:bg-stone-100 <%= 'rounded-b-lg' if index == @api_tokens.length - 1 %>">
         <div class="p-2">
           <%= link_to api_token.name, api_token_path(api_token), class: "text-sky-600 font-light" %>
         </div>
         <div class="p-2">
           <span class="text-stone-500 text-sm"><%= api_token.user.email %></span>
         </div>
+        <div class="p-2">
+          <% if api_token.source_cli? %>
+            <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-blue-100 text-blue-800">
+              CLI
+            </span>
+          <% elsif api_token.source_mobile? %>
+            <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-green-100 text-green-800">
+              Mobile
+            </span>
+          <% else %>
+            <span class="inline-flex items-center px-2 py-0.5 rounded text-xs font-medium bg-gray-100 text-gray-800">
+              Web
+            </span>
+          <% end %>
+        </div>
         <div class="p-2 <%= 'font-bold text-green-500' if api_token.last_used && api_token.last_used > 7.days.ago %>">
           <% if api_token.last_used %>
             <%= time_ago_in_words(api_token.last_used) %> ago