npm - @akshxy/envgit - Versions diffs - 0.5.1 → 0.5.2 - Mend

@akshxy/envgit 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -176,6 +176,7 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 ### Utilities
 | Command | Description |
 |---------|-------------|
 | `envgit doctor` | Check everything — key, envs, git safety — in one shot |
@@ -235,3 +236,75 @@ ENVGIT_KEY=$(cat ~/.config/envgit/keys/<id>.key) envgit run -- node server.js
 - **Relay is blind** — `envgit share` encrypts your key with a one-time passphrase before upload. The relay stores only ciphertext and never sees the passphrase. Even a full relay compromise leaks nothing.
 - **One-time links** — tokens are deleted on first use via a strongly consistent Durable Object. Replay attacks are impossible.
 - **24-hour TTL** — unclaimed tokens are automatically destroyed
+---
+## Threat model
+**What envgit protects against**
+| Threat | Protection |
+|--------|-----------|
+| `.env` accidentally committed to git | Encrypted files are safe to commit — plaintext never touches the repo |
+| Secrets shared over Slack, email, chat | `envgit share` uses a blind relay and one-time encrypted links |
+| Teammate's machine is compromised | Key is per-machine — compromise one machine, not all |
+| Relay is breached | Relay stores only AES-256-GCM ciphertext. Passphrase never sent to relay. Useless without the passphrase. |
+| Secrets hardcoded in source | `envgit scan` detects these using pattern matching and entropy analysis |
+**What envgit does NOT protect against**
+- A compromised machine where the key file is readable — if your machine is owned, the key is accessible
+- Secrets that have already been committed in plaintext to git history — use `git filter-repo` to scrub those
+- An attacker who intercepts both the relay token AND the passphrase at the same time — treat the passphrase like a password
+---
+## How it works
+```
+Your machine                  Relay                    Teammate's machine
+────────────────              ──────────────────       ──────────────────────
+                              (Cloudflare Worker)
+project.key (32 bytes)
+    │
+    ▼
+encrypt with                  ┌──────────────────┐
+one-time passphrase  ──────►  │  ciphertext only │  ──────►  fetch + decrypt
+                              │  deleted on read  │           with passphrase
+    │                         │  TTL: 24 hours   │               │
+    ▼                         └──────────────────┘               ▼
+envgit share                                             envgit join <token>
+prints:                                                  --code <passphrase>
+  token + passphrase                                         │
+                                                             ▼
+                                                     key saved to
+                                                     ~/.config/envgit/keys/
+```
+The relay is stateless and blind. It cannot reconstruct the key. Only the machine with the passphrase can decrypt.
+---
+## Crypto decisions
+**Why AES-256-GCM?**
+GCM is an authenticated encryption mode — it detects tampering. If anyone modifies the ciphertext (even one byte), decryption fails loudly rather than silently returning corrupt data. This matters for secrets: you want to know immediately if something has been tampered with.
+**Why 32 bytes of entropy?**
+NIST recommends 128-bit minimum for symmetric keys. envgit uses 256-bit (32 bytes) from `crypto.randomBytes`, which reads from the OS CSPRNG. This is the same source used by OpenSSL and Node's TLS stack.
+**Why a fresh IV per write?**
+AES-GCM requires a unique IV per (key, message) pair. Reusing an IV with the same key catastrophically breaks confidentiality — an attacker can XOR two ciphertexts to cancel out the keystream. envgit generates a new random IV on every write, making this impossible.
+**Why zeroize key bytes after use?**
+Node.js buffers live in V8's heap. Without explicit zeroization, key bytes can persist in memory until GC runs — and could potentially be read from a core dump or swap file. envgit calls `buffer.fill(0)` immediately after the crypto operation completes.
+---
+## Commands
+### Scan
+| Command | Description |
+|---------|-------------|
+| `envgit scan` | Scan entire codebase for hardcoded secrets using patterns + entropy |

package/bin/envgit.js CHANGED Viewed

@@ -23,6 +23,7 @@ import { join } from '../src/commands/join.js';
 import { doctor } from '../src/commands/doctor.js';
 import { audit } from '../src/commands/audit.js';
 import { template } from '../src/commands/template.js';
+import { scan } from '../src/commands/scan.js';
 program
   .name('envgit')
@@ -142,6 +143,11 @@ program
   .description('Generate a new key and re-encrypt all environments')
   .action(rotateKey);
+program
+  .command('scan')
+  .description('Scan codebase for hardcoded secrets using pattern matching and entropy analysis')
+  .action(scan);
 program
   .command('doctor')
   .description('Check project health — key, envs, git safety')

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@akshxy/envgit",
-  "version": "0.5.1",
+  "version": "0.5.2",
   "description": "Encrypted per-project environment variable manager",
   "type": "module",
   "bin": {

package/src/commands/scan.js ADDED Viewed

@@ -0,0 +1,147 @@
+import { readdirSync, readFileSync } from 'fs';
+import { join, relative, extname } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot } from '../keystore.js';
+import { bold, dim, ok } from '../ui.js';
+// ── Known secret patterns ─────────────────────────────────────────────────────
+const PATTERNS = [
+  { name: 'AWS Access Key ID',      regex: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: 'Stripe Secret Key',      regex: /\bsk_live_[0-9a-zA-Z]{24,}\b/ },
+  { name: 'Stripe Restricted Key',  regex: /\brk_live_[0-9a-zA-Z]{24,}\b/ },
+  { name: 'GitHub Token',           regex: /\bghp_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub OAuth Token',     regex: /\bgho_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub App Token',       regex: /\bghs_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub PAT',             regex: /\bgithub_pat_[0-9a-zA-Z_]{82}\b/ },
+  { name: 'OpenAI API Key',         regex: /\bsk-[a-zA-Z0-9]{48}\b/ },
+  { name: 'OpenAI Project Key',     regex: /\bsk-proj-[0-9a-zA-Z_-]{48,}\b/ },
+  { name: 'Anthropic API Key',      regex: /\bsk-ant-[0-9a-zA-Z_-]{80,}\b/ },
+  { name: 'Slack Bot Token',        regex: /\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
+  { name: 'Slack User Token',       regex: /\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
+  { name: 'SendGrid API Key',       regex: /\bSG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}\b/ },
+  { name: 'Twilio API Key',         regex: /\bSK[0-9a-fA-F]{32}\b/ },
+  { name: 'Private Key Block',      regex: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { name: 'Hardcoded secret',       regex: /(?:secret|password|passwd|api_?key|auth_?token)\s*[:=]\s*["']([^"'$`{]{8,})["']/i },
+];
+const SKIP_DIRS = new Set([
+  'node_modules', '.git', '.envgit', 'dist', 'build', 'out',
+  '.next', '.nuxt', 'coverage', '.nyc_output', 'vendor', '.turbo',
+]);
+const SKIP_EXTENSIONS = new Set([
+  '.png', '.jpg', '.jpeg', '.gif', '.ico', '.svg', '.webp',
+  '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  '.mp4', '.mp3', '.wav', '.pdf',
+  '.zip', '.tar', '.gz', '.tgz',
+  '.map', '.lock', '.snap',
+]);
+const SKIP_FILES = new Set([
+  'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+  '.env.example', '.env.sample', '.env.template',
+]);
+// ── Shannon entropy ───────────────────────────────────────────────────────────
+function entropy(str) {
+  const freq = {};
+  for (const c of str) freq[c] = (freq[c] ?? 0) + 1;
+  return Object.values(freq).reduce((h, n) => {
+    const p = n / str.length;
+    return h - p * Math.log2(p);
+  }, 0);
+}
+const HIGH_ENTROPY_PATTERN = /(?:key|token|secret|password|credential|auth|api)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']/gi;
+const ENTROPY_THRESHOLD = 4.0;
+// ── File walker ───────────────────────────────────────────────────────────────
+function* walk(dir) {
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    if (SKIP_DIRS.has(entry.name)) continue;
+    const full = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      yield* walk(full);
+    } else if (entry.isFile()) {
+      if (SKIP_EXTENSIONS.has(extname(entry.name).toLowerCase())) continue;
+      if (SKIP_FILES.has(entry.name)) continue;
+      yield full;
+    }
+  }
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+export async function scan() {
+  const projectRoot = findProjectRoot() ?? process.cwd();
+  const findings = [];
+  for (const filePath of walk(projectRoot)) {
+    let content;
+    try { content = readFileSync(filePath, 'utf8'); }
+    catch { continue; }
+    const relPath = relative(projectRoot, filePath);
+    const lines   = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line    = lines[i];
+      const lineNum = i + 1;
+      // Known pattern matching
+      for (const { name, regex } of PATTERNS) {
+        if (regex.test(line)) {
+          findings.push({ file: relPath, line: lineNum, type: name, snippet: line.trim(), how: 'pattern' });
+          break;
+        }
+      }
+      // Entropy analysis — catches secrets no pattern knows about
+      const alreadyCaught = () => findings.some(f => f.file === relPath && f.line === lineNum);
+      let match;
+      HIGH_ENTROPY_PATTERN.lastIndex = 0;
+      while ((match = HIGH_ENTROPY_PATTERN.exec(line)) !== null) {
+        if (entropy(match[1]) >= ENTROPY_THRESHOLD && !alreadyCaught()) {
+          findings.push({ file: relPath, line: lineNum, type: 'High-entropy secret', snippet: line.trim(), how: 'entropy' });
+        }
+      }
+    }
+  }
+  // ── Output ────────────────────────────────────────────────────────────────
+  console.log('');
+  if (findings.length === 0) {
+    ok('No hardcoded secrets detected.');
+    console.log(dim(`  Scanned: ${projectRoot}`));
+    console.log('');
+    return;
+  }
+  console.log(chalk.red(bold(`  ${findings.length} potential secret${findings.length !== 1 ? 's' : ''} found\n`)));
+  const byFile = {};
+  for (const f of findings) (byFile[f.file] ??= []).push(f);
+  for (const [file, hits] of Object.entries(byFile)) {
+    console.log(chalk.cyan(`  ${file}`));
+    for (const hit of hits) {
+      const tag     = hit.how === 'entropy' ? chalk.yellow('[entropy]') : chalk.red(`[${hit.type}]`);
+      const snippet = hit.snippet.length > 80 ? hit.snippet.slice(0, 77) + '...' : hit.snippet;
+      console.log(`    ${dim(`line ${String(hit.line).padEnd(4)}`)} ${tag}`);
+      console.log(`    ${dim(snippet)}`);
+    }
+    console.log('');
+  }
+  console.log(chalk.yellow(bold('  What to do:')));
+  console.log(dim('  1. Move these values into envgit:  envgit set KEY=value'));
+  console.log(dim('  2. Replace hardcoded values with:  process.env.KEY'));
+  console.log(dim('  3. Rotate any secrets already in git history'));
+  console.log('');
+  process.exit(1);
+}