@chriscode/hush 2.1.0 → 2.3.0

package/dist/commands/keys.js

@@ -0,0 +1,136 @@
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { stringify as yamlStringify } from 'yaml';
+import { loadConfig } from '../config/loader.js';
+import { opAvailable, opGetKey, opStoreKey, opListKeys } from '../lib/onepassword.js';
+import { ageAvailable, ageGenerate, agePublicFromPrivate, keyExists, keySave, keyLoad, keysList, keyPath } from '../lib/age.js';
+function getProject(root) {
+    const config = loadConfig(root);
+    if (config.project)
+        return config.project;
+    const pkgPath = join(root, 'package.json');
+    if (existsSync(pkgPath)) {
+        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+        if (typeof pkg.repository === 'string') {
+            const match = pkg.repository.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
+            if (match)
+                return match[1];
+        }
+        if (pkg.repository?.url) {
+            const match = pkg.repository.url.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
+            if (match)
+                return match[1];
+        }
+    }
+    console.error(pc.red('No project identifier found.'));
+    console.error(pc.dim('Add "project: my-project" to hush.yaml'));
+    process.exit(1);
+}
+export async function keysCommand(options) {
+    const { root, subcommand, vault, force } = options;
+    switch (subcommand) {
+        case 'setup': {
+            const project = getProject(root);
+            console.log(pc.blue(`Setting up keys for ${pc.cyan(project)}...`));
+            if (keyExists(project)) {
+                console.log(pc.green('Key already exists locally.'));
+                return;
+            }
+            if (opAvailable()) {
+                const priv = opGetKey(project, vault);
+                if (priv) {
+                    const pub = agePublicFromPrivate(priv);
+                    keySave(project, { private: priv, public: pub });
+                    console.log(pc.green('Pulled key from 1Password.'));
+                    return;
+                }
+            }
+            console.log(pc.yellow('No key found. Run "hush keys generate" to create one.'));
+            break;
+        }
+        case 'generate': {
+            if (!ageAvailable()) {
+                console.error(pc.red('age not installed. Run: brew install age'));
+                process.exit(1);
+            }
+            const project = getProject(root);
+            if (keyExists(project) && !force) {
+                console.error(pc.yellow(`Key exists for ${project}. Use --force to overwrite.`));
+                process.exit(1);
+            }
+            console.log(pc.blue(`Generating key for ${pc.cyan(project)}...`));
+            const key = ageGenerate();
+            keySave(project, key);
+            console.log(pc.green(`Saved to ${keyPath(project)}`));
+            console.log(pc.dim(`Public: ${key.public}`));
+            if (opAvailable()) {
+                try {
+                    opStoreKey(project, key.private, key.public, vault);
+                    console.log(pc.green('Stored in 1Password.'));
+                }
+                catch (e) {
+                    console.warn(pc.yellow(`Could not store in 1Password: ${e.message}`));
+                }
+            }
+            const sopsPath = join(root, '.sops.yaml');
+            if (!existsSync(sopsPath)) {
+                writeFileSync(sopsPath, yamlStringify({ creation_rules: [{ encrypted_regex: '.*', age: key.public }] }));
+                console.log(pc.green('Created .sops.yaml'));
+            }
+            else {
+                console.log(pc.yellow('.sops.yaml exists. Add this public key:'));
+                console.log(`  ${key.public}`);
+            }
+            break;
+        }
+        case 'pull': {
+            if (!opAvailable()) {
+                console.error(pc.red('1Password CLI not available or not signed in.'));
+                process.exit(1);
+            }
+            const project = getProject(root);
+            const priv = opGetKey(project, vault);
+            if (!priv) {
+                console.error(pc.red(`No key in 1Password for ${project}`));
+                process.exit(1);
+            }
+            const pub = agePublicFromPrivate(priv);
+            keySave(project, { private: priv, public: pub });
+            console.log(pc.green(`Pulled and saved to ${keyPath(project)}`));
+            break;
+        }
+        case 'push': {
+            if (!opAvailable()) {
+                console.error(pc.red('1Password CLI not available or not signed in.'));
+                process.exit(1);
+            }
+            const project = getProject(root);
+            const key = keyLoad(project);
+            if (!key) {
+                console.error(pc.red(`No local key for ${project}`));
+                process.exit(1);
+            }
+            opStoreKey(project, key.private, key.public, vault);
+            console.log(pc.green('Pushed to 1Password.'));
+            break;
+        }
+        case 'list': {
+            console.log(pc.blue('Local keys:'));
+            for (const k of keysList()) {
+                console.log(`  ${pc.cyan(k.project)} ${pc.dim(k.public.slice(0, 20))}...`);
+            }
+            if (opAvailable()) {
+                console.log(pc.blue('\n1Password keys:'));
+                for (const project of opListKeys(vault)) {
+                    console.log(`  ${pc.cyan(project)}`);
+                }
+            }
+            break;
+        }
+        default:
+            console.error(pc.red(`Unknown: hush keys ${subcommand}`));
+            console.log(pc.dim('Commands: setup, generate, pull, push, list'));
+            process.exit(1);
+    }
+}

package/dist/commands/run.d.ts

@@ -0,0 +1,3 @@
+import type { RunOptions } from '../types.js';
+export declare function runCommand(options: RunOptions): Promise<void>;
+//# sourceMappingURL=run.d.ts.map

package/dist/commands/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,UAAU,EAAmC,MAAM,aAAa,CAAC;AAoC/E,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAkDnE"}

package/dist/commands/run.js

@@ -0,0 +1,77 @@
+import { spawnSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { loadConfig } from '../config/loader.js';
+import { filterVarsForTarget } from '../core/filter.js';
+import { interpolateVars, getUnresolvedVars } from '../core/interpolate.js';
+import { mergeVars } from '../core/merge.js';
+import { parseEnvContent } from '../core/parse.js';
+import { decrypt as sopsDecrypt } from '../core/sops.js';
+function getEncryptedPath(sourcePath) {
+    return sourcePath + '.encrypted';
+}
+function getDecryptedSecrets(root, env, config) {
+    const sharedEncrypted = join(root, getEncryptedPath(config.sources.shared));
+    const envEncrypted = join(root, getEncryptedPath(config.sources[env]));
+    const localEncrypted = join(root, getEncryptedPath(config.sources.local));
+    const varSources = [];
+    if (existsSync(sharedEncrypted)) {
+        const content = sopsDecrypt(sharedEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (existsSync(envEncrypted)) {
+        const content = sopsDecrypt(envEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (existsSync(localEncrypted)) {
+        const content = sopsDecrypt(localEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (varSources.length === 0) {
+        throw new Error(`No encrypted files found. Expected: ${sharedEncrypted}`);
+    }
+    const merged = mergeVars(...varSources);
+    return interpolateVars(merged);
+}
+export async function runCommand(options) {
+    const { root, env, target, command } = options;
+    if (!command || command.length === 0) {
+        console.error(pc.red('Usage: hush run -- <command>'));
+        console.error(pc.dim('Example: hush run -- npm start'));
+        console.error(pc.dim('         hush run -e production -- npm run build'));
+        console.error(pc.dim('         hush run --target api -- wrangler dev'));
+        process.exit(1);
+    }
+    const config = loadConfig(root);
+    let vars = getDecryptedSecrets(root, env, config);
+    if (target) {
+        const targetConfig = config.targets.find(t => t.name === target);
+        if (!targetConfig) {
+            console.error(pc.red(`Target "${target}" not found in hush.yaml`));
+            console.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
+            process.exit(1);
+        }
+        vars = filterVarsForTarget(vars, targetConfig);
+    }
+    const unresolved = getUnresolvedVars(vars);
+    if (unresolved.length > 0) {
+        console.warn(pc.yellow(`Warning: ${unresolved.length} vars have unresolved references`));
+    }
+    const childEnv = {
+        ...process.env,
+        ...Object.fromEntries(vars.map(v => [v.key, v.value])),
+    };
+    const [cmd, ...args] = command;
+    const result = spawnSync(cmd, args, {
+        stdio: 'inherit',
+        env: childEnv,
+        shell: true,
+        cwd: root,
+    });
+    if (result.error) {
+        console.error(pc.red(`Failed to execute: ${result.error.message}`));
+        process.exit(1);
+    }
+    process.exit(result.status ?? 1);
+}

package/dist/commands/set.d.ts

@@ -0,0 +1,3 @@
+import type { SetOptions } from '../types.js';
+export declare function setCommand(options: SetOptions): Promise<void>;
+//# sourceMappingURL=set.d.ts.map

package/dist/commands/set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../../src/commands/set.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAyF9C,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CnE"}

package/dist/commands/set.js

@@ -0,0 +1,120 @@
+import { execSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { platform } from 'node:os';
+import pc from 'picocolors';
+import { loadConfig } from '../config/loader.js';
+import { setKey } from '../core/sops.js';
+function promptViaMacOSDialog(key) {
+    try {
+        const script = `display dialog "Enter value for ${key}:" default answer "" with hidden answer with title "Hush - Set Secret"`;
+        const result = execSync(`osascript -e '${script}' -e 'text returned of result'`, {
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        return result.trim();
+    }
+    catch {
+        return null;
+    }
+}
+function promptViaTTY(key) {
+    return new Promise((resolve, reject) => {
+        process.stdout.write(`Enter value for ${pc.cyan(key)}: `);
+        const stdin = process.stdin;
+        stdin.setRawMode(true);
+        stdin.resume();
+        stdin.setEncoding('utf8');
+        let value = '';
+        const onData = (char) => {
+            switch (char) {
+                case '\n':
+                case '\r':
+                case '\u0004':
+                    stdin.setRawMode(false);
+                    stdin.pause();
+                    stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    resolve(value);
+                    break;
+                case '\u0003':
+                    stdin.setRawMode(false);
+                    stdin.pause();
+                    stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    reject(new Error('Cancelled'));
+                    break;
+                case '\u007F':
+                case '\b':
+                    if (value.length > 0) {
+                        value = value.slice(0, -1);
+                        process.stdout.write('\b \b');
+                    }
+                    break;
+                default:
+                    value += char;
+                    process.stdout.write('\u2022');
+            }
+        };
+        stdin.on('data', onData);
+    });
+}
+async function promptForValue(key, forceGui) {
+    if (forceGui && platform() === 'darwin') {
+        console.log(pc.dim('Opening dialog for secret input...'));
+        const value = promptViaMacOSDialog(key);
+        if (value !== null) {
+            return value;
+        }
+        throw new Error('Dialog cancelled or failed');
+    }
+    if (process.stdin.isTTY) {
+        return promptViaTTY(key);
+    }
+    if (platform() === 'darwin') {
+        console.log(pc.dim('Opening dialog for secret input...'));
+        const value = promptViaMacOSDialog(key);
+        if (value !== null) {
+            return value;
+        }
+        throw new Error('Dialog cancelled or failed');
+    }
+    throw new Error('Interactive input requires a terminal (TTY) or macOS');
+}
+export async function setCommand(options) {
+    const { root, file, key, gui } = options;
+    const config = loadConfig(root);
+    const fileKey = file ?? 'shared';
+    const sourcePath = config.sources[fileKey];
+    const encryptedPath = join(root, sourcePath + '.encrypted');
+    if (!key) {
+        console.error(pc.red('Usage: hush set <KEY> [-e environment]'));
+        console.error(pc.dim('Example: hush set DATABASE_URL'));
+        console.error(pc.dim('         hush set API_KEY -e production'));
+        console.error(pc.dim('\nTo edit all secrets in an editor, use: hush edit'));
+        process.exit(1);
+    }
+    if (!existsSync(encryptedPath) && !existsSync(join(root, '.sops.yaml'))) {
+        console.error(pc.red('Hush is not initialized in this directory'));
+        console.error(pc.dim('Run "hush init" first, then "hush encrypt"'));
+        process.exit(1);
+    }
+    try {
+        const value = await promptForValue(key, gui ?? false);
+        if (!value) {
+            console.error(pc.yellow('No value entered, aborting'));
+            process.exit(1);
+        }
+        setKey(encryptedPath, key, value);
+        const envLabel = fileKey === 'shared' ? '' : ` in ${fileKey}`;
+        console.log(pc.green(`\n${key} set${envLabel} (${value.length} chars, encrypted)`));
+    }
+    catch (error) {
+        const err = error;
+        if (err.message === 'Cancelled') {
+            console.log(pc.yellow('Cancelled'));
+            process.exit(1);
+        }
+        throw err;
+    }
+}

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAg9BhD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwhChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}