UNPKG

@xec-sh/cli

Version:

Xec: The Universal Shell for TypeScript

xec.sh

xec-sh/xec

186 lines 6.71 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
import * as os from 'os'; import * as path from 'path'; import { existsSync } from 'fs'; import * as fs from 'fs/promises'; import { getCachedMachineId } from '../machine-id.js'; import { encode, decode, encrypt, decrypt, hashKey, createFingerprint } from '../crypto.js'; import { SecretError } from '../types.js'; export class LocalSecretProvider { constructor(config) { this.initialized = false; const baseDir = config?.['storageDir'] || path.join(os.homedir(), '.xec', 'secrets'); this.storageDir = path.resolve(baseDir); this.passphrase = config?.['passphrase']; } async initialize() { if (this.initialized) return; await fs.mkdir(this.storageDir, { recursive: true, mode: 0o700 }); const indexPath = this.getIndexPath(); if (!existsSync(indexPath)) { await this.writeIndex({}); } try { await fs.access(this.storageDir, fs.constants.R_OK | fs.constants.W_OK); } catch (error) { throw new SecretError(`Cannot access secret storage directory: ${this.storageDir}`, 'STORAGE_ACCESS_ERROR'); } this.initialized = true; } async get(key) { await this.ensureInitialized(); try { const secretPath = this.getSecretPath(key); if (!existsSync(secretPath)) { return null; } const data = await fs.readFile(secretPath, 'utf8'); const encryptedSecret = JSON.parse(data); const machineId = await getCachedMachineId(); const dataWithSalt = JSON.parse(data); const decrypted = await decrypt(decode(encryptedSecret.encrypted), decode(dataWithSalt.salt), decode(encryptedSecret.iv), decode(encryptedSecret.authTag), machineId, this.passphrase); return decrypted; } catch (error) { if (error.code === 'ENOENT') { return null; } throw new SecretError(`Failed to get secret: ${error instanceof Error ? error.message : 'Unknown error'}`, 'GET_ERROR', key); } } async set(key, value) { await this.ensureInitialized(); try { const machineId = await getCachedMachineId(); const { encrypted, salt, iv, authTag } = await encrypt(value, machineId, this.passphrase); const encryptedSecret = { version: 1, encrypted: encode(encrypted), iv: encode(iv), authTag: encode(authTag), algorithm: 'aes-256-gcm', metadata: { key, createdAt: new Date(), updatedAt: new Date() } }; const dataWithSalt = { ...encryptedSecret, salt: encode(salt) }; const secretPath = this.getSecretPath(key); await fs.writeFile(secretPath, JSON.stringify(dataWithSalt, null, 2), { mode: 0o600 }); await this.updateIndex(key, { hashedKey: hashKey(key), createdAt: encryptedSecret.metadata.createdAt, updatedAt: encryptedSecret.metadata.updatedAt, fingerprint: createFingerprint(encrypted) }); } catch (error) { throw new SecretError(`Failed to set secret: ${error instanceof Error ? error.message : 'Unknown error'}`, 'SET_ERROR', key); } } async delete(key) { await this.ensureInitialized(); try { const secretPath = this.getSecretPath(key); await fs.unlink(secretPath); await this.removeFromIndex(key); } catch (error) { if (error.code === 'ENOENT') { return; } throw new SecretError(`Failed to delete secret: ${error instanceof Error ? error.message : 'Unknown error'}`, 'DELETE_ERROR', key); } } async list() { await this.ensureInitialized(); try { const index = await this.readIndex(); return Object.keys(index); } catch (error) { throw new SecretError(`Failed to list secrets: ${error instanceof Error ? error.message : 'Unknown error'}`, 'LIST_ERROR'); } } async has(key) { await this.ensureInitialized(); const secretPath = this.getSecretPath(key); return existsSync(secretPath); } async changePassphrase(oldPassphrase, newPassphrase) { await this.ensureInitialized(); const keys = await this.list(); const tempProvider = new LocalSecretProvider({ storageDir: this.storageDir, passphrase: oldPassphrase }); for (const key of keys) { const value = await tempProvider.get(key); if (value !== null) { this.passphrase = newPassphrase; await this.set(key, value); } } } async export() { await this.ensureInitialized(); const keys = await this.list(); const secrets = {}; for (const key of keys) { const value = await this.get(key); if (value !== null) { secrets[key] = value; } } return secrets; } async import(secrets) { await this.ensureInitialized(); for (const [key, value] of Object.entries(secrets)) { await this.set(key, value); } } async ensureInitialized() { if (!this.initialized) { await this.initialize(); } } getSecretPath(key) { const hashedKey = hashKey(key); return path.join(this.storageDir, `${hashedKey}.secret`); } getIndexPath() { return path.join(this.storageDir, '.index.json'); } async readIndex() { try { const data = await fs.readFile(this.getIndexPath(), 'utf8'); return JSON.parse(data); } catch (error) { if (error.code === 'ENOENT') { return {}; } throw error; } } async writeIndex(index) { await fs.writeFile(this.getIndexPath(), JSON.stringify(index, null, 2), { mode: 0o600 }); } async updateIndex(key, metadata) { const index = await this.readIndex(); index[key] = metadata; await this.writeIndex(index); } async removeFromIndex(key) { const index = await this.readIndex(); delete index[key]; await this.writeIndex(index); } } //# sourceMappingURL=local.js.map