@akshxy/envgit 0.5.0 → 0.5.2

package/README.md

@@ -174,6 +174,16 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 | `envgit run -- node server.js` | Run a command with env vars injected, nothing written to disk |
 | `envgit import --file .env.local` | Encrypt an existing `.env` file |
 
+### Utilities
+
+
+| Command | Description |
+|---------|-------------|
+| `envgit doctor` | Check everything — key, envs, git safety — in one shot |
+| `envgit audit` | Show which keys are missing across environments |
+| `envgit template` | Generate a `.env.example` with all keys, no values |
+| `envgit template --output .env.example --force` | Overwrite existing file |
+
 ### Status
 
 | Command | Description |
@@ -226,3 +236,75 @@ ENVGIT_KEY=$(cat ~/.config/envgit/keys/<id>.key) envgit run -- node server.js
 - **Relay is blind** — `envgit share` encrypts your key with a one-time passphrase before upload. The relay stores only ciphertext and never sees the passphrase. Even a full relay compromise leaks nothing.
 - **One-time links** — tokens are deleted on first use via a strongly consistent Durable Object. Replay attacks are impossible.
 - **24-hour TTL** — unclaimed tokens are automatically destroyed
+
+---
+
+## Threat model
+
+**What envgit protects against**
+
+| Threat | Protection |
+|--------|-----------|
+| `.env` accidentally committed to git | Encrypted files are safe to commit — plaintext never touches the repo |
+| Secrets shared over Slack, email, chat | `envgit share` uses a blind relay and one-time encrypted links |
+| Teammate's machine is compromised | Key is per-machine — compromise one machine, not all |
+| Relay is breached | Relay stores only AES-256-GCM ciphertext. Passphrase never sent to relay. Useless without the passphrase. |
+| Secrets hardcoded in source | `envgit scan` detects these using pattern matching and entropy analysis |
+
+**What envgit does NOT protect against**
+
+- A compromised machine where the key file is readable — if your machine is owned, the key is accessible
+- Secrets that have already been committed in plaintext to git history — use `git filter-repo` to scrub those
+- An attacker who intercepts both the relay token AND the passphrase at the same time — treat the passphrase like a password
+
+---
+
+## How it works
+
+```
+Your machine                  Relay                    Teammate's machine
+────────────────              ──────────────────       ──────────────────────
+                              (Cloudflare Worker)
+project.key (32 bytes)
+    │
+    ▼
+encrypt with                  ┌──────────────────┐
+one-time passphrase  ──────►  │  ciphertext only │  ──────►  fetch + decrypt
+                              │  deleted on read  │           with passphrase
+    │                         │  TTL: 24 hours   │               │
+    ▼                         └──────────────────┘               ▼
+envgit share                                             envgit join <token>
+prints:                                                  --code <passphrase>
+  token + passphrase                                         │
+                                                             ▼
+                                                     key saved to
+                                                     ~/.config/envgit/keys/
+```
+
+The relay is stateless and blind. It cannot reconstruct the key. Only the machine with the passphrase can decrypt.
+
+---
+
+## Crypto decisions
+
+**Why AES-256-GCM?**
+GCM is an authenticated encryption mode — it detects tampering. If anyone modifies the ciphertext (even one byte), decryption fails loudly rather than silently returning corrupt data. This matters for secrets: you want to know immediately if something has been tampered with.
+
+**Why 32 bytes of entropy?**
+NIST recommends 128-bit minimum for symmetric keys. envgit uses 256-bit (32 bytes) from `crypto.randomBytes`, which reads from the OS CSPRNG. This is the same source used by OpenSSL and Node's TLS stack.
+
+**Why a fresh IV per write?**
+AES-GCM requires a unique IV per (key, message) pair. Reusing an IV with the same key catastrophically breaks confidentiality — an attacker can XOR two ciphertexts to cancel out the keystream. envgit generates a new random IV on every write, making this impossible.
+
+**Why zeroize key bytes after use?**
+Node.js buffers live in V8's heap. Without explicit zeroization, key bytes can persist in memory until GC runs — and could potentially be read from a core dump or swap file. envgit calls `buffer.fill(0)` immediately after the crypto operation completes.
+
+---
+
+## Commands
+
+### Scan
+
+| Command | Description |
+|---------|-------------|
+| `envgit scan` | Scan entire codebase for hardcoded secrets using patterns + entropy |

package/bin/envgit.js

@@ -20,6 +20,10 @@ import { verify } from '../src/commands/verify.js';
 import { rotateKey } from '../src/commands/rotate-key.js';
 import { share } from '../src/commands/share.js';
 import { join } from '../src/commands/join.js';
+import { doctor } from '../src/commands/doctor.js';
+import { audit } from '../src/commands/audit.js';
+import { template } from '../src/commands/template.js';
+import { scan } from '../src/commands/scan.js';
 
 program
   .name('envgit')
@@ -139,6 +143,28 @@ program
   .description('Generate a new key and re-encrypt all environments')
   .action(rotateKey);
 
+program
+  .command('scan')
+  .description('Scan codebase for hardcoded secrets using pattern matching and entropy analysis')
+  .action(scan);
+
+program
+  .command('doctor')
+  .description('Check project health — key, envs, git safety')
+  .action(doctor);
+
+program
+  .command('audit')
+  .description('Show which keys are missing across environments')
+  .action(audit);
+
+program
+  .command('template')
+  .description('Generate a .env.example with all keys but no values')
+  .option('-o, --output <path>', 'output file path', '.env.example')
+  .option('-f, --force', 'overwrite if file already exists')
+  .action(template);
+
 program
   .command('share')
   .description('Encrypt your key and upload it to a one-time link — send the output to a teammate')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@akshxy/envgit",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "Encrypted per-project environment variable manager",
   "type": "module",
   "bin": {

package/src/commands/audit.js

@@ -0,0 +1,86 @@
+import chalk from 'chalk';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { bold, dim, ok } from '../ui.js';
+
+export async function audit() {
+  const projectRoot = requireProjectRoot();
+  const key         = loadKey(projectRoot);
+  const config      = loadConfig(projectRoot);
+
+  if (config.envs.length < 2) {
+    console.log(dim('\n  Need at least 2 environments to audit.\n'));
+    return;
+  }
+
+  // Load all envs
+  const envVars = {};
+  for (const envName of config.envs) {
+    envVars[envName] = readEncEnv(projectRoot, envName, key);
+  }
+
+  // Collect every key across all envs
+  const allKeys = [...new Set(config.envs.flatMap(e => Object.keys(envVars[e])))].sort();
+
+  if (allKeys.length === 0) {
+    console.log(dim('\n  No variables found across any environment.\n'));
+    return;
+  }
+
+  // Find keys that are missing from at least one env
+  const missing = {};   // key → [envs it's missing from]
+  const present = {};   // key → [envs it's in]
+
+  for (const key of allKeys) {
+    missing[key] = config.envs.filter(e => !(key in envVars[e]));
+    present[key] = config.envs.filter(e =>  (key in envVars[e]));
+  }
+
+  const problemKeys = allKeys.filter(k => missing[k].length > 0);
+  const cleanKeys   = allKeys.filter(k => missing[k].length === 0);
+
+  // ── Header ────────────────────────────────────────────────────────────────
+  console.log('');
+  console.log(bold('Audit') + dim(` — ${config.envs.join(', ')}`));
+  console.log('');
+
+  // ── Missing keys ──────────────────────────────────────────────────────────
+  if (problemKeys.length === 0) {
+    ok(`All ${allKeys.length} keys are present in every environment.`);
+    console.log('');
+    return;
+  }
+
+  // Column header
+  const pad = Math.max(...allKeys.map(k => k.length), 4) + 2;
+  const envHeaders = config.envs.map(e => e.padEnd(8)).join('  ');
+  console.log(dim('  ' + 'KEY'.padEnd(pad) + envHeaders));
+  console.log(dim('  ' + '─'.repeat(pad + config.envs.length * 10)));
+
+  for (const key of problemKeys) {
+    const cols = config.envs.map(e => {
+      if (key in envVars[e]) return chalk.green('  ✓'.padEnd(10));
+      return chalk.red('  ✗'.padEnd(10));
+    }).join('');
+    console.log(`  ${chalk.bold(key.padEnd(pad))}${cols}`);
+  }
+
+  if (cleanKeys.length > 0) {
+    console.log(dim(`\n  ${cleanKeys.length} key${cleanKeys.length !== 1 ? 's' : ''} present in all envs (hidden)`));
+  }
+
+  console.log('');
+  console.log(chalk.yellow(bold(`${problemKeys.length} key${problemKeys.length !== 1 ? 's' : ''} missing from one or more environments.`)));
+
+  // Per-env fix hints
+  console.log('');
+  for (const envName of config.envs) {
+    const needed = problemKeys.filter(k => !(k in envVars[envName]));
+    if (needed.length > 0) {
+      console.log(dim(`  Fix ${envName}:  envgit set ${needed.join('=... ')}=... --env ${envName}`));
+    }
+  }
+
+  console.log('');
+}

package/src/commands/doctor.js

@@ -0,0 +1,146 @@
+import { execFileSync } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot, globalKeyPath } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { bold, dim } from '../ui.js';
+
+function pass(msg)      { console.log(chalk.green(`  ✓ ${msg}`)); }
+function fail(msg)      { console.log(chalk.red(`  ✗ ${msg}`)); }
+function warn(msg)      { console.log(chalk.yellow(`  ⚠ ${msg}`)); }
+function section(title) { console.log(`\n${bold(title)}`); }
+
+export async function doctor() {
+  let issues = 0;
+
+  // ── Project ───────────────────────────────────────────────────────────────
+  section('Project');
+
+  const projectRoot = findProjectRoot();
+  if (!projectRoot) {
+    fail('No envgit project found — run envgit init first.');
+    console.log('');
+    process.exit(1);
+  }
+  pass(`Project root: ${dim(projectRoot)}`);
+
+  let config;
+  try {
+    config = loadConfig(projectRoot);
+    pass(`Config loaded ${dim(`(${config.envs.length} env${config.envs.length !== 1 ? 's' : ''}: ${config.envs.join(', ')})`)}`)
+  } catch (e) {
+    fail(`Config unreadable — ${e.message}`);
+    issues++;
+  }
+
+  // ── Key ───────────────────────────────────────────────────────────────────
+  section('Key');
+
+  let key = null;
+  if (process.env.ENVGIT_KEY) {
+    pass('Key loaded from ENVGIT_KEY environment variable');
+    key = process.env.ENVGIT_KEY;
+  } else if (config?.key_id) {
+    const keyPath = globalKeyPath(config.key_id);
+    if (existsSync(keyPath)) {
+      pass(`Key file found ${dim(keyPath)}`);
+      key = readFileSync(keyPath, 'utf8').trim();
+    } else {
+      fail('Key file missing — run: envgit share / envgit join');
+      issues++;
+    }
+  } else {
+    const legacyPath = join(projectRoot, '.envgit.key');
+    if (existsSync(legacyPath)) {
+      warn(`Legacy key file at project root ${dim('(consider migrating)')}`);
+      key = readFileSync(legacyPath, 'utf8').trim();
+    } else {
+      fail('No key found — run: envgit keygen');
+      issues++;
+    }
+  }
+
+  if (key) {
+    const decoded = Buffer.from(key, 'base64');
+    if (decoded.length === 32) {
+      pass('Key length valid (256-bit)');
+    } else {
+      fail(`Key length invalid — got ${decoded.length} bytes, expected 32`);
+      issues++;
+    }
+  }
+
+  // ── Environments ──────────────────────────────────────────────────────────
+  if (config && key) {
+    section('Environments');
+    for (const envName of config.envs) {
+      try {
+        const vars = readEncEnv(projectRoot, envName, key);
+        const count = Object.keys(vars).length;
+        pass(`${envName} decrypts OK ${dim(`(${count} var${count !== 1 ? 's' : ''})`)}`);
+      } catch (e) {
+        fail(`${envName} failed to decrypt — ${e.message}`);
+        issues++;
+      }
+    }
+  }
+
+  // ── Git safety ────────────────────────────────────────────────────────────
+  section('Git safety');
+
+  const gitignorePath = join(projectRoot, '.gitignore');
+  if (existsSync(gitignorePath)) {
+    const gitignore = readFileSync(gitignorePath, 'utf8');
+    const lines = gitignore.split('\n').map(l => l.trim());
+
+    const envIgnored = lines.some(l => l === '.env' || l === '.env.*' || l === '*.env');
+    if (envIgnored) {
+      pass('.env is in .gitignore');
+    } else {
+      warn('.env is not in .gitignore — add it to prevent accidental commits');
+      issues++;
+    }
+
+    if (existsSync(join(projectRoot, '.envgit.key'))) {
+      const keyIgnored = lines.some(l => l === '.envgit.key');
+      if (!keyIgnored) {
+        fail('.envgit.key is not in .gitignore — this would expose your key!');
+        issues++;
+      }
+    }
+  } else {
+    warn('No .gitignore found');
+    issues++;
+  }
+
+  // Check for .env files tracked by git (no shell, no injection)
+  try {
+    const tracked = execFileSync('git', ['ls-files', '.env', '.env.local', '.env.production'], {
+      cwd: projectRoot,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).toString().trim();
+
+    if (tracked) {
+      const files = tracked.split('\n').map(f => `    ${f}`).join('\n');
+      fail(`Plaintext .env file tracked by git:\n${files}`);
+      fail('Remove with: git rm --cached .env');
+      issues++;
+    } else {
+      pass('No plaintext .env files tracked by git');
+    }
+  } catch {
+    warn('Not a git repo — skipping git tracking check');
+  }
+
+  // ── Summary ───────────────────────────────────────────────────────────────
+  console.log('');
+  if (issues === 0) {
+    console.log(chalk.green(bold('All checks passed.')));
+  } else {
+    console.log(chalk.red(bold(`${issues} issue${issues !== 1 ? 's' : ''} found.`)));
+    process.exit(1);
+  }
+  console.log('');
+}

package/src/commands/scan.js

@@ -0,0 +1,147 @@
+import { readdirSync, readFileSync } from 'fs';
+import { join, relative, extname } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot } from '../keystore.js';
+import { bold, dim, ok } from '../ui.js';
+
+// ── Known secret patterns ─────────────────────────────────────────────────────
+
+const PATTERNS = [
+  { name: 'AWS Access Key ID',      regex: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: 'Stripe Secret Key',      regex: /\bsk_live_[0-9a-zA-Z]{24,}\b/ },
+  { name: 'Stripe Restricted Key',  regex: /\brk_live_[0-9a-zA-Z]{24,}\b/ },
+  { name: 'GitHub Token',           regex: /\bghp_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub OAuth Token',     regex: /\bgho_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub App Token',       regex: /\bghs_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub PAT',             regex: /\bgithub_pat_[0-9a-zA-Z_]{82}\b/ },
+  { name: 'OpenAI API Key',         regex: /\bsk-[a-zA-Z0-9]{48}\b/ },
+  { name: 'OpenAI Project Key',     regex: /\bsk-proj-[0-9a-zA-Z_-]{48,}\b/ },
+  { name: 'Anthropic API Key',      regex: /\bsk-ant-[0-9a-zA-Z_-]{80,}\b/ },
+  { name: 'Slack Bot Token',        regex: /\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
+  { name: 'Slack User Token',       regex: /\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
+  { name: 'SendGrid API Key',       regex: /\bSG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}\b/ },
+  { name: 'Twilio API Key',         regex: /\bSK[0-9a-fA-F]{32}\b/ },
+  { name: 'Private Key Block',      regex: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { name: 'Hardcoded secret',       regex: /(?:secret|password|passwd|api_?key|auth_?token)\s*[:=]\s*["']([^"'$`{]{8,})["']/i },
+];
+
+const SKIP_DIRS = new Set([
+  'node_modules', '.git', '.envgit', 'dist', 'build', 'out',
+  '.next', '.nuxt', 'coverage', '.nyc_output', 'vendor', '.turbo',
+]);
+
+const SKIP_EXTENSIONS = new Set([
+  '.png', '.jpg', '.jpeg', '.gif', '.ico', '.svg', '.webp',
+  '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  '.mp4', '.mp3', '.wav', '.pdf',
+  '.zip', '.tar', '.gz', '.tgz',
+  '.map', '.lock', '.snap',
+]);
+
+const SKIP_FILES = new Set([
+  'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+  '.env.example', '.env.sample', '.env.template',
+]);
+
+// ── Shannon entropy ───────────────────────────────────────────────────────────
+
+function entropy(str) {
+  const freq = {};
+  for (const c of str) freq[c] = (freq[c] ?? 0) + 1;
+  return Object.values(freq).reduce((h, n) => {
+    const p = n / str.length;
+    return h - p * Math.log2(p);
+  }, 0);
+}
+
+const HIGH_ENTROPY_PATTERN = /(?:key|token|secret|password|credential|auth|api)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']/gi;
+const ENTROPY_THRESHOLD = 4.0;
+
+// ── File walker ───────────────────────────────────────────────────────────────
+
+function* walk(dir) {
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    if (SKIP_DIRS.has(entry.name)) continue;
+    const full = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      yield* walk(full);
+    } else if (entry.isFile()) {
+      if (SKIP_EXTENSIONS.has(extname(entry.name).toLowerCase())) continue;
+      if (SKIP_FILES.has(entry.name)) continue;
+      yield full;
+    }
+  }
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+export async function scan() {
+  const projectRoot = findProjectRoot() ?? process.cwd();
+  const findings = [];
+
+  for (const filePath of walk(projectRoot)) {
+    let content;
+    try { content = readFileSync(filePath, 'utf8'); }
+    catch { continue; }
+
+    const relPath = relative(projectRoot, filePath);
+    const lines   = content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line    = lines[i];
+      const lineNum = i + 1;
+
+      // Known pattern matching
+      for (const { name, regex } of PATTERNS) {
+        if (regex.test(line)) {
+          findings.push({ file: relPath, line: lineNum, type: name, snippet: line.trim(), how: 'pattern' });
+          break;
+        }
+      }
+
+      // Entropy analysis — catches secrets no pattern knows about
+      const alreadyCaught = () => findings.some(f => f.file === relPath && f.line === lineNum);
+      let match;
+      HIGH_ENTROPY_PATTERN.lastIndex = 0;
+      while ((match = HIGH_ENTROPY_PATTERN.exec(line)) !== null) {
+        if (entropy(match[1]) >= ENTROPY_THRESHOLD && !alreadyCaught()) {
+          findings.push({ file: relPath, line: lineNum, type: 'High-entropy secret', snippet: line.trim(), how: 'entropy' });
+        }
+      }
+    }
+  }
+
+  // ── Output ────────────────────────────────────────────────────────────────
+  console.log('');
+
+  if (findings.length === 0) {
+    ok('No hardcoded secrets detected.');
+    console.log(dim(`  Scanned: ${projectRoot}`));
+    console.log('');
+    return;
+  }
+
+  console.log(chalk.red(bold(`  ${findings.length} potential secret${findings.length !== 1 ? 's' : ''} found\n`)));
+
+  const byFile = {};
+  for (const f of findings) (byFile[f.file] ??= []).push(f);
+
+  for (const [file, hits] of Object.entries(byFile)) {
+    console.log(chalk.cyan(`  ${file}`));
+    for (const hit of hits) {
+      const tag     = hit.how === 'entropy' ? chalk.yellow('[entropy]') : chalk.red(`[${hit.type}]`);
+      const snippet = hit.snippet.length > 80 ? hit.snippet.slice(0, 77) + '...' : hit.snippet;
+      console.log(`    ${dim(`line ${String(hit.line).padEnd(4)}`)} ${tag}`);
+      console.log(`    ${dim(snippet)}`);
+    }
+    console.log('');
+  }
+
+  console.log(chalk.yellow(bold('  What to do:')));
+  console.log(dim('  1. Move these values into envgit:  envgit set KEY=value'));
+  console.log(dim('  2. Replace hardcoded values with:  process.env.KEY'));
+  console.log(dim('  3. Rotate any secrets already in git history'));
+  console.log('');
+
+  process.exit(1);
+}

package/src/commands/template.js

@@ -0,0 +1,53 @@
+import { writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { ok, warn, fatal, bold, dim } from '../ui.js';
+
+export async function template(options) {
+  const projectRoot = requireProjectRoot();
+  const key         = loadKey(projectRoot);
+  const config      = loadConfig(projectRoot);
+
+  // Merge keys from all envs (union), sorted
+  const allKeys = [...new Set(
+    config.envs.flatMap(envName => Object.keys(readEncEnv(projectRoot, envName, key)))
+  )].sort();
+
+  if (allKeys.length === 0) {
+    warn('No variables found — nothing to template.');
+    return;
+  }
+
+  const outPath = join(projectRoot, options.output ?? '.env.example');
+
+  if (existsSync(outPath) && !options.force) {
+    fatal(`${outPath} already exists. Use --force to overwrite.`);
+  }
+
+  const projectName = config.project ?? 'your-project';
+  const envList     = config.envs.join(', ');
+
+  const lines = [
+    `# .env.example — generated by envgit`,
+    `# Project : ${projectName}`,
+    `# Envs    : ${envList}`,
+    `#`,
+    `# Do not put real values here. This file is safe to commit.`,
+    `# To get the real values: envgit join <token> --code <passphrase>`,
+    `#                    then: envgit unpack dev`,
+    ``,
+    ...allKeys.map(k => `${k}=`),
+    ``,
+  ].join('\n');
+
+  writeFileSync(outPath, lines, 'utf8');
+
+  console.log('');
+  ok(`Generated ${dim(outPath)} with ${allKeys.length} key${allKeys.length !== 1 ? 's' : ''}`);
+  console.log(dim(`  Envs scanned: ${envList}`));
+  console.log('');
+  console.log(dim(`  Commit it:  git add ${options.output ?? '.env.example'} && git commit -m "chore: update .env.example"`));
+  console.log('');
+}