pgai 1.0.5 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c81f465309361fb42b7e4aea543ede08db3cb5b837eda96f8ae4098e7473fa47
-  data.tar.gz: 0cae5222ce64fbef6e8257a36ecc54bfb3904d14634cf61eb95dc4cdb66b0018
+  metadata.gz: decf99fdd8015349a1f8ee139ac98a2e1abcbf2ea8c34c286158c72bb4cb9832
+  data.tar.gz: 3a4e095f9edb679451766b4ce0cb7f33be94855f0ea680c93782b8c4668168ec
 SHA512:
-  metadata.gz: a8ab5b17cd0c5db154b83a1ff07c37bbfdc69633b4dbd405354d8c95c72c9a0c71eafd854990bfaaccb02293893bd4c960a64c46c41b0b97a4044578cb61bdc8
-  data.tar.gz: ec64d232240c2a94ca05d3b24c21de321812e9e3296597c93e722750b979c4c831a6a84e3c012da1501ffbaf6d5088a627d0e583ee6835f50b898d1fc0d70b3b
+  metadata.gz: e9148734a065833aa71abc9f51c477339d442e3669021fd97aed5bf83ea590a49be7a88a4270944540921b7be1d898c6b85bbc5feb3f44cbdda78c682e5a7572
+  data.tar.gz: aaa8d36528923b16bf13156be9f87056d102ae4616fd60f939bb8143363ea8b4f010646ab66abdedcb6db946a5faa309f802e7a7aa8990081d394fef1f97e0e5

data/README.md

@@ -80,6 +80,15 @@ pgai use -o ci -v -- bin/rails c -e test
 - The environment ID serves as the proxy host and the database name can be configured per environment.
 - Environments can share the same remote port value.
 
+## Upgrading to 1.1.0 and above
+
+pgai now integrates with 1password to encrypt the token and clone details. Run these commands to migrate to the encrypted store:
+
+```shell
+pgai enc keygen
+pgai enc migrate
+```
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitLab at https://gitlab.com/mbobin/pgai.

data/lib/pgai/cli/enc.rb

@@ -0,0 +1,53 @@
+module Pgai::Cli
+  class Enc < Base
+    desc "keygen", "Generate a new encryption key and save it to 1Password"
+    def keygen
+      encryption_key = build_encryption_key
+      key = encryption_key.generate
+
+      say "Generated new encryption key", :green
+      say ""
+
+      reference = encryption_key.save(key)
+
+      say ""
+      say "✓ Key saved to 1Password", :green
+      say "  Reference: #{reference}", :cyan
+    end
+
+    desc "migrate", "Migrate from unencrypted to encrypted store"
+    def migrate
+      migrator = build_migrator
+
+      unless migrator.migration_needed?
+        say "No migration needed. Already using encrypted store.", :green
+        return
+      end
+
+      say "Starting migration from unencrypted to encrypted store...", :cyan
+
+      result = migrator.migrate
+
+      say ""
+      say "✓ Migration complete!", :green
+      say "  Migrated #{result[:count]} record types", :cyan
+      say "  Legacy store backed up to: #{result[:backup_path]}", :cyan
+      say "  Remove it if the migration was successful", :cyan
+    end
+
+    private
+
+    def build_encryption_key
+      Pgai::Encryption::Key.new(
+        prompter: Pgai::Encryption::Prompter.new(shell: self)
+      )
+    end
+
+    def build_migrator
+      Pgai::Encryption::Migrator.new(
+        key: Pgai::Encryption::Key.new.read,
+        config_dir: Pgai.config_dir
+      )
+    end
+  end
+end

data/lib/pgai/cli/main.rb

@@ -42,6 +42,9 @@ module Pgai::Cli
     desc "env", "Manage environments"
     subcommand "env", Pgai::Cli::Env
 
+    desc "enc", "Manage encryption keys"
+    subcommand "enc", Pgai::Cli::Enc
+
     private
 
     def with_env(name, &block)

data/lib/pgai/client.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "excon"
-
 module Pgai
   class Client
     def initialize(token:, host: "http://127.0.0.1:2355")

data/lib/pgai/commander.rb

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
-require "tty-logger"
-require "singleton"
-require "forwardable"
-
 module Pgai
   class Commander
     include Singleton
@@ -29,7 +25,7 @@ module Pgai
     end
 
     def store
-      @store ||= Pgai::Store.new
+      @store ||= Pgai::Store.new(key: Pgai::Encryption::Key.new.read)
     end
 
     def config

data/lib/pgai/create_clone_service.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "tty-progressbar"
-
 module Pgai
   class CreateCloneService
     HOSTNAME = "127.0.0.1"

data/lib/pgai/encryption/key.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Pgai
+  module Encryption
+    class Key
+      ENV_VAR_NAME = "PGAI_MASTER_KEY"
+
+      def initialize(op_client: OnePasswordClient.new, reference_store: ReferenceStore.new, prompter: Prompter.new)
+        @op_client = op_client
+        @reference_store = reference_store
+        @prompter = prompter
+      end
+
+      def generate
+        Lockbox.generate_key
+      end
+
+      def save(key)
+        config = @prompter.prompt_for_config
+        reference = @op_client.create_item(key: key, **config)
+
+        @reference_store.write(reference)
+        reference
+      end
+
+      def read
+        ENV.fetch(ENV_VAR_NAME) { read_from_one_password }
+      end
+
+      private
+
+      def read_from_one_password
+        reference = @reference_store.read
+        return nil unless reference
+
+        @op_client.read_item(reference)
+      end
+    end
+  end
+end

data/lib/pgai/encryption/migrator.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Pgai
+  module Encryption
+    class Migrator
+      def initialize(key:, config_dir: Pgai.config_dir)
+        @key = key
+        @config_dir = config_dir
+      end
+
+      def migration_needed?
+        legacy_store_path.exist? && !encrypted_store_path.exist?
+      end
+
+      def migrate
+        validate_prerequisites!
+
+        record_types = read_legacy_data
+        write_encrypted_data(record_types)
+        backup_legacy_store
+
+        {count: record_types.size, backup_path: backup_path}
+      end
+
+      private
+
+      def validate_prerequisites!
+        raise Pgai::CliError, "Encryption key not found. Run 'pgai enc keygen' first." unless @key
+        raise Pgai::CliError, "Legacy store not found at #{legacy_store_path}" unless legacy_store_path.exist?
+        raise Pgai::CliError, "Encrypted store already exists at #{encrypted_store_path}" if encrypted_store_path.exist?
+      end
+
+      def read_legacy_data
+        legacy_store = PStore.new(legacy_store_path)
+        record_types = {}
+
+        legacy_store.transaction(true) do
+          legacy_store.roots.each do |root|
+            record_types[root] = legacy_store[root]
+          end
+        end
+
+        record_types
+      end
+
+      def write_encrypted_data(record_types)
+        encrypted_store = Encryption::Store.new(encrypted_store_path, key: @key)
+
+        encrypted_store.transaction do
+          record_types.each do |type, data|
+            encrypted_store[type] = data
+          end
+        end
+      end
+
+      def backup_legacy_store
+        FileUtils.mv(legacy_store_path, backup_path)
+      end
+
+      def legacy_store_path
+        @legacy_store_path ||= @config_dir.join(Pgai::Store::LEGACY_STORE_NAME)
+      end
+
+      def encrypted_store_path
+        @encrypted_store_path ||= @config_dir.join(Pgai::Store::STORE_NAME)
+      end
+
+      def backup_path
+        @backup_path ||= @config_dir.join("#{Pgai::Store::LEGACY_STORE_NAME}.backup")
+      end
+    end
+  end
+end

data/lib/pgai/encryption/one_password_client.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Pgai
+  module Encryption
+    class OnePasswordClient
+      class CommandError < StandardError; end
+
+      FIELD_NAME = "master_key"
+
+      def create_item(key:, vault:, title:, category:)
+        item_json = JSON.generate({
+          title: title,
+          fields: [
+            {
+              id: FIELD_NAME,
+              type: "CONCEALED",
+              label: FIELD_NAME,
+              value: key
+            }
+          ]
+        })
+
+        output = run_command(
+          "op", "item", "create",
+          "--vault", vault,
+          "--category", category,
+          "--format", "json",
+          "-",
+          stdin_data: item_json
+        )
+
+        build_reference_from(output)
+      end
+
+      def read_item(reference)
+        run_command("op", "read", reference).strip
+      end
+
+      private
+
+      def run_command(*args, stdin_data: "")
+        stdout, stderr, status = Open3.capture3(*args, stdin_data: stdin_data)
+
+        raise CommandError, "1Password CLI error: #{stderr}" unless status.success?
+
+        stdout
+      end
+
+      def build_reference_from(json_output)
+        item = JSON.parse(json_output)
+        vault_name = item.dig("vault", "name")
+        item_id = item.fetch("id")
+
+        "op://#{vault_name}/#{item_id}/#{FIELD_NAME}"
+      end
+    end
+  end
+end

data/lib/pgai/encryption/prompter.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Pgai
+  module Encryption
+    class Prompter
+      DEFAULTS = {
+        vault: "employee",
+        category: "API Credential",
+        title: "pgai master key"
+      }.freeze
+
+      def initialize(shell: Thor::Shell::Basic.new)
+        @shell = shell
+      end
+
+      def prompt_for_config
+        {
+          vault: ask_with_default("Vault", DEFAULTS[:vault]),
+          category: ask_with_default("Category", DEFAULTS[:category]),
+          title: ask_with_default("Title", DEFAULTS[:title])
+        }
+      end
+
+      private
+
+      def ask_with_default(prompt, default)
+        response = @shell.ask("#{prompt} [#{default}]:")
+        response.to_s.strip.empty? ? default : response
+      end
+    end
+  end
+end

data/lib/pgai/encryption/reference_store.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Pgai
+  module Encryption
+    class ReferenceStore
+      def initialize(path: nil)
+        path ||= Pgai.config_dir.join("op_ref")
+        @path = File.expand_path(path)
+      end
+
+      def write(reference)
+        ensure_directory_exists
+        File.write(@path, reference)
+      end
+
+      def read
+        return nil unless File.exist?(@path)
+
+        File.read(@path).strip
+      end
+
+      def exists?
+        File.exist?(@path) && !read.empty?
+      end
+
+      attr_reader :path
+
+      private
+
+      def ensure_directory_exists
+        FileUtils.mkdir_p(File.dirname(@path))
+      end
+    end
+  end
+end

data/lib/pgai/encryption/store.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Pgai
+  module Encryption
+    class Store < PStore
+      def initialize(file_path, key:, thread_safe: false)
+        @lockbox = Lockbox.new(key: key, encode: true)
+        super(file_path, thread_safe)
+      end
+
+      private
+
+      def dump(table)
+        data = Marshal.dump(table)
+        @lockbox.encrypt(data)
+      end
+
+      def load(content)
+        content = content.read if content.is_a?(File)
+        decrypted = @lockbox.decrypt(content)
+
+        Marshal.load(decrypted)
+      end
+    end
+  end
+end

data/lib/pgai/port/allocator.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "socket"
-
 module Pgai
   module Port
     class Allocator

data/lib/pgai/port/forwarder.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-require "socket"
-require "net/ssh"
-
 module Pgai
   module Port
     class Forwarder

data/lib/pgai/port/manager.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "concurrent-ruby"
-
 module Pgai
   module Port
     class Manager

data/lib/pgai/resources/attributes.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "date"
-
 module Pgai
   module Resources
     module Attributes

data/lib/pgai/resources/local/base_record.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "forwardable"
-
 module Pgai
   module Resources
     module Local

data/lib/pgai/resources/remote/db_object.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "securerandom"
-
 module Pgai
   module Resources
     module Remote

data/lib/pgai/store.rb

@@ -1,49 +1,61 @@
 # frozen_string_literal: true
 
-require "pathname"
-require "pstore"
-require "fileutils"
-
 module Pgai
   class Store
-    STORE_PATH = "~/.config/pgai/config.pstore"
+    STORE_NAME = "config.enc.pstore"
+    LEGACY_STORE_NAME = "config.pstore"
+
+    def initialize(key: nil, config_dir: Pgai.config_dir)
+      @key = key
+      @config_dir = config_dir
+    end
 
     def all(record_type)
-      store.transaction(true) do
-        store[record_type]&.values || {}
+      backend.transaction(true) do
+        backend[record_type]&.values || {}
       end
     end
 
     def find(record_type, id)
-      store.transaction(true) do
-        (store[record_type] || {})[id]
+      backend.transaction(true) do
+        (backend[record_type] || {})[id]
       end
     end
 
     def delete(record_type, id)
-      store.transaction do
-        store[record_type] ||= {}
-        store[record_type] = store[record_type].except(id)
+      backend.transaction do
+        backend[record_type] ||= {}
+        backend[record_type] = backend[record_type].except(id)
       end
     end
 
     def save(record_type, attributes, key: :id)
-      store.transaction do
-        store[record_type] ||= {}
-        store[record_type].merge!(attributes[key] => attributes)
+      backend.transaction do
+        backend[record_type] ||= {}
+        backend[record_type].merge!(attributes[key] => attributes)
       end
     end
 
+    def encrypted?
+      backend.is_a?(Encryption::Store)
+    end
+
     private
 
-    def store
-      @store ||= PStore.new(store_path)
+    def backend
+      @backend ||= if pstore_path.exist? || !legacy_pstore_path.exist?
+        Encryption::Store.new(pstore_path, key: @key)
+      else
+        PStore.new(legacy_pstore_path)
+      end
     end
 
-    def store_path
-      @store_path ||= Pathname(STORE_PATH).expand_path.tap do |path|
-        FileUtils.mkdir_p File.dirname(path)
-      end
+    def pstore_path
+      @pstore_path ||= @config_dir.join(STORE_NAME)
+    end
+
+    def legacy_pstore_path
+      @legacy_pstore_path ||= @config_dir.join(LEGACY_STORE_NAME)
     end
   end
 end

data/lib/pgai/version.rb

@@ -1,3 +1,3 @@
 module Pgai
-  VERSION = "1.0.5"
+  VERSION = "1.1.0"
 end

data/lib/pgai.rb

@@ -1,12 +1,27 @@
 # frozen_string_literal: true
 
+require "pathname"
+require "fileutils"
+require "date"
+require "securerandom"
+require "forwardable"
+require "singleton"
+require "json"
+require "pstore"
+require "lockbox"
+require "thor"
+require "open3"
+require "socket"
+require "net/ssh"
+require "concurrent-ruby"
+require "excon"
+require "tty-logger"
+require "tty-progressbar"
 require "zeitwerk"
 
 loader = Zeitwerk::Loader.for_gem
 loader.setup
 
-require "thor"
-
 module Pgai
   class Error < StandardError; end
 
@@ -17,4 +32,14 @@ module Pgai
   class UnauthorizedError < CliError; end
 
   class BadRequestError < CliError; end
+
+  CONFIG_DIR = "~/.config/pgai/"
+
+  class << self
+    attr_writer :config_dir
+
+    def config_dir
+      @config_dir ||= Pathname(CONFIG_DIR).expand_path
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pgai
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.1.0
 platform: ruby
 authors:
 - Marius Bobin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-12-03 00:00:00.000000000 Z
+date: 2026-01-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -172,6 +172,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.3
+- !ruby/object:Gem::Dependency
+  name: lockbox
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -241,12 +269,19 @@ files:
 - bin/pgai
 - lib/pgai.rb
 - lib/pgai/cli/base.rb
+- lib/pgai/cli/enc.rb
 - lib/pgai/cli/env.rb
 - lib/pgai/cli/main.rb
 - lib/pgai/client.rb
 - lib/pgai/clone_manager.rb
 - lib/pgai/commander.rb
 - lib/pgai/create_clone_service.rb
+- lib/pgai/encryption/key.rb
+- lib/pgai/encryption/migrator.rb
+- lib/pgai/encryption/one_password_client.rb
+- lib/pgai/encryption/prompter.rb
+- lib/pgai/encryption/reference_store.rb
+- lib/pgai/encryption/store.rb
 - lib/pgai/external_command_manager.rb
 - lib/pgai/port/allocator.rb
 - lib/pgai/port/forwarder.rb