@fentz26/envcp 1.0.0

package/dist/utils/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/utils/http.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAGjC,MAAM,aAAa,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAEzC,MAAM,UAAU,cAAc,CAAC,GAAwB,EAAE,gBAAwB,WAAW;IAC1F,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,aAAa,CAAC,CAAC;IAC5D,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,iCAAiC,CAAC,CAAC;IACjF,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,6EAA6E,CAAC,CAAC;AAC/H,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,GAAwB,EAAE,MAAc,EAAE,IAAa;IAC9E,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC9D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,GAAyB;IACjD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,IAAI,GAAG,EAAE,CAAC;QACd,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,IAAI,GAAG,aAAa,EAAE,CAAC;gBACzB,GAAG,CAAC,OAAO,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;gBAC5C,OAAO;YACT,CAAC;YACD,IAAI,IAAI,KAAK,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACxC,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,QAA4B,EAAE,QAAgB;IAC3E,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC9E,CAAC"}

package/dist/utils/session.d.ts

@@ -0,0 +1,19 @@
+import { Session } from '../types.js';
+export declare class SessionManager {
+    private sessionPath;
+    private session;
+    private password;
+    private timeoutMinutes;
+    private maxExtensions;
+    constructor(sessionPath: string, timeoutMinutes?: number, maxExtensions?: number);
+    init(): Promise<void>;
+    create(password: string): Promise<Session>;
+    load(password?: string): Promise<Session | null>;
+    isValid(): Promise<boolean>;
+    extend(): Promise<Session | null>;
+    destroy(): Promise<void>;
+    getPassword(): string | null;
+    getSession(): Session | null;
+    getRemainingTime(): number;
+}
+//# sourceMappingURL=session.d.ts.map

package/dist/utils/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/utils/session.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAiB,MAAM,aAAa,CAAC;AAGrD,qBAAa,cAAc;IACzB,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,QAAQ,CAAuB;IACvC,OAAO,CAAC,cAAc,CAAS;IAC/B,OAAO,CAAC,aAAa,CAAS;gBAElB,WAAW,EAAE,MAAM,EAAE,cAAc,GAAE,MAAW,EAAE,aAAa,GAAE,MAAU;IAMjF,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAIrB,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAyB1C,IAAI,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IA6BhD,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;IAQ3B,MAAM,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IA+BjC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAS9B,WAAW,IAAI,MAAM,GAAG,IAAI;IAI5B,UAAU,IAAI,OAAO,GAAG,IAAI;IAI5B,gBAAgB,IAAI,MAAM;CAQ3B"}

package/dist/utils/session.js

@@ -0,0 +1,112 @@
+import * as fs from 'fs-extra';
+import * as path from 'path';
+import { SessionSchema } from '../types.js';
+import { generateId, encrypt, decrypt } from './crypto.js';
+export class SessionManager {
+    sessionPath;
+    session = null;
+    password = null;
+    timeoutMinutes;
+    maxExtensions;
+    constructor(sessionPath, timeoutMinutes = 30, maxExtensions = 5) {
+        this.sessionPath = sessionPath;
+        this.timeoutMinutes = timeoutMinutes;
+        this.maxExtensions = maxExtensions;
+    }
+    async init() {
+        await fs.ensureDir(path.dirname(this.sessionPath));
+    }
+    async create(password) {
+        const now = new Date();
+        const expires = new Date(now.getTime() + this.timeoutMinutes * 60 * 1000);
+        this.session = {
+            id: generateId(),
+            created: now.toISOString(),
+            expires: expires.toISOString(),
+            extensions: 0,
+            last_access: now.toISOString(),
+        };
+        this.password = password;
+        const sessionData = JSON.stringify({
+            session: this.session,
+            password: password,
+        });
+        const encrypted = encrypt(sessionData, password);
+        await fs.writeFile(this.sessionPath, encrypted, 'utf8');
+        return this.session;
+    }
+    async load(password) {
+        if (!await fs.pathExists(this.sessionPath)) {
+            return null;
+        }
+        try {
+            const encrypted = await fs.readFile(this.sessionPath, 'utf8');
+            const pwd = password || this.password;
+            if (!pwd) {
+                return null;
+            }
+            const decrypted = decrypt(encrypted, pwd);
+            const data = JSON.parse(decrypted);
+            this.session = SessionSchema.parse(data.session);
+            this.password = data.password;
+            if (new Date() > new Date(this.session.expires)) {
+                await this.destroy();
+                return null;
+            }
+            return this.session;
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    async isValid() {
+        if (!this.session) {
+            return false;
+        }
+        return new Date() < new Date(this.session.expires);
+    }
+    async extend() {
+        if (!this.session || !this.password) {
+            return null;
+        }
+        if (this.session.extensions >= this.maxExtensions) {
+            return null;
+        }
+        if (!await this.isValid()) {
+            return null;
+        }
+        const now = new Date();
+        const expires = new Date(now.getTime() + this.timeoutMinutes * 60 * 1000);
+        this.session.expires = expires.toISOString();
+        this.session.extensions += 1;
+        this.session.last_access = now.toISOString();
+        const sessionData = JSON.stringify({
+            session: this.session,
+            password: this.password,
+        });
+        const encrypted = encrypt(sessionData, this.password);
+        await fs.writeFile(this.sessionPath, encrypted, 'utf8');
+        return this.session;
+    }
+    async destroy() {
+        this.session = null;
+        this.password = null;
+        if (await fs.pathExists(this.sessionPath)) {
+            await fs.unlink(this.sessionPath);
+        }
+    }
+    getPassword() {
+        return this.password;
+    }
+    getSession() {
+        return this.session;
+    }
+    getRemainingTime() {
+        if (!this.session) {
+            return 0;
+        }
+        const remaining = new Date(this.session.expires).getTime() - Date.now();
+        return Math.max(0, Math.floor(remaining / 1000 / 60));
+    }
+}
+//# sourceMappingURL=session.js.map

package/dist/utils/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/utils/session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,UAAU,CAAC;AAC/B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAW,aAAa,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3D,MAAM,OAAO,cAAc;IACjB,WAAW,CAAS;IACpB,OAAO,GAAmB,IAAI,CAAC;IAC/B,QAAQ,GAAkB,IAAI,CAAC;IAC/B,cAAc,CAAS;IACvB,aAAa,CAAS;IAE9B,YAAY,WAAmB,EAAE,iBAAyB,EAAE,EAAE,gBAAwB,CAAC;QACrF,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,cAAc,GAAG,cAAc,CAAC;QACrC,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;IACrC,CAAC;IAED,KAAK,CAAC,IAAI;QACR,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,QAAgB;QAC3B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1E,IAAI,CAAC,OAAO,GAAG;YACb,EAAE,EAAE,UAAU,EAAE;YAChB,OAAO,EAAE,GAAG,CAAC,WAAW,EAAE;YAC1B,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE;YAC9B,UAAU,EAAE,CAAC;YACb,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;SAC/B,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACjD,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,QAAiB;QAC1B,IAAI,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;YAE9D,MAAM,GAAG,GAAG,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC;YACtC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;YAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YACnC,IAAI,CAAC,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjD,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;YAE9B,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChD,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;gBACrB,OAAO,IAAI,CAAC;YACd,CAAC;YAED,OAAO,IAAI,CAAC,OAAO,CAAC;QACtB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,MAAM;QACV,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,cAAc,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE1E,IAAI,CAAC,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QAExD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACpB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErB,IAAI,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1C,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,WAAW;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAED,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,gBAAgB;QACd,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACxE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;CACF"}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@fentz26/envcp",
+  "version": "1.0.0",
+  "description": "MCP server for secure environment variable management - Keep your secrets safe from AI agents",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "envcp": "dist/cli.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "dev": "ts-node src/index.ts",
+    "test": "jest"
+  },
+  "keywords": [
+    "mcp",
+    "environment-variables",
+    "secrets",
+    "security",
+    "ai",
+    "claude",
+    "model-context-protocol"
+  ],
+  "author": "fentz26",
+  "license": "MIT",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "chalk": "^4.1.2",
+    "commander": "^11.1.0",
+
+    "dotenv": "^16.3.1",
+    "fs-extra": "^11.2.0",
+    "inquirer": "^8.2.6",
+    "js-yaml": "^4.1.0",
+    "zod": "^3.22.4"
+  },
+  "devDependencies": {
+
+    "@types/fs-extra": "^11.0.4",
+    "@types/inquirer": "^9.0.7",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/adapters/base.ts

@@ -0,0 +1,411 @@
+import { StorageManager, LogManager } from '../storage/index.js';
+import { EnvCPConfig, Variable, ToolDefinition } from '../types.js';
+import { maskValue } from '../utils/crypto.js';
+import { canAccess, isBlacklisted, canAIActiveCheck, requiresUserReference } from '../config/manager.js';
+import { SessionManager } from '../utils/session.js';
+import * as fs from 'fs-extra';
+import * as path from 'path';
+import * as dotenv from 'dotenv';
+
+export abstract class BaseAdapter {
+  protected storage: StorageManager;
+  protected logs: LogManager;
+  protected sessionManager: SessionManager;
+  protected config: EnvCPConfig;
+  protected projectPath: string;
+  protected tools: Map<string, ToolDefinition>;
+
+  constructor(config: EnvCPConfig, projectPath: string, password?: string) {
+    this.config = config;
+    this.projectPath = projectPath;
+    this.storage = new StorageManager(
+      path.join(projectPath, config.storage.path),
+      config.storage.encrypted
+    );
+
+    this.sessionManager = new SessionManager(
+      path.join(projectPath, config.session?.path || '.envcp/.session'),
+      config.session?.timeout_minutes || 30,
+      config.session?.max_extensions || 5
+    );
+
+    if (password) {
+      this.storage.setPassword(password);
+    }
+
+    this.logs = new LogManager(path.join(projectPath, '.envcp', 'logs'));
+    this.tools = new Map();
+    this.registerTools();
+  }
+
+  protected abstract registerTools(): void;
+
+  async init(): Promise<void> {
+    await this.logs.init();
+    await this.sessionManager.init();
+  }
+
+  protected async ensurePassword(): Promise<void> {
+    const pwd = this.sessionManager.getPassword();
+    if (pwd && await this.sessionManager.isValid()) {
+      this.storage.setPassword(pwd);
+      return;
+    }
+    throw new Error('Session locked. Please unlock first using: envcp unlock');
+  }
+
+  getToolDefinitions(): ToolDefinition[] {
+    return Array.from(this.tools.values());
+  }
+
+  async callTool(name: string, params: Record<string, unknown>): Promise<unknown> {
+    const tool = this.tools.get(name);
+    if (!tool) {
+      throw new Error(`Unknown tool: ${name}`);
+    }
+    await this.ensurePassword();
+    return tool.handler(params);
+  }
+
+  // Shared tool implementations
+  protected async listVariables(args: { tags?: string[] }): Promise<{ variables: string[]; count: number }> {
+    if (!this.config.access.allow_ai_read) {
+      throw new Error('AI read access is disabled');
+    }
+
+    if (!canAIActiveCheck(this.config)) {
+      throw new Error('AI active check is disabled. User must explicitly mention variable names.');
+    }
+
+    const names = await this.storage.list();
+    let filtered = names.filter(n => canAccess(n, this.config) && !isBlacklisted(n, this.config));
+
+    if (args.tags && args.tags.length > 0) {
+      const variables = await this.storage.load();
+      filtered = filtered.filter(name => {
+        const v = variables[name];
+        return v.tags && args.tags!.some(t => v.tags!.includes(t));
+      });
+    }
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: 'list',
+      source: 'api',
+      success: true,
+      message: `Listed ${filtered.length} variables`,
+    });
+
+    return { variables: filtered, count: filtered.length };
+  }
+
+  protected async getVariable(args: { name: string; show_value?: boolean }): Promise<{
+    name: string;
+    value: string;
+    tags?: string[];
+    description?: string;
+    encrypted: boolean;
+  }> {
+    if (!this.config.access.allow_ai_read) {
+      throw new Error('AI read access is disabled');
+    }
+
+    const variable = await this.storage.get(args.name);
+
+    if (!variable) {
+      throw new Error(`Variable '${args.name}' not found`);
+    }
+
+    if (isBlacklisted(args.name, this.config)) {
+      throw new Error(`Variable '${args.name}' is blacklisted and cannot be accessed`);
+    }
+
+    if (!canAccess(args.name, this.config)) {
+      throw new Error(`Access denied to variable '${args.name}'`);
+    }
+
+    variable.accessed = new Date().toISOString();
+    await this.storage.set(args.name, variable);
+
+    const canReveal = args.show_value && !this.config.access.mask_values && !this.config.access.require_confirmation;
+    const value = canReveal ? variable.value : maskValue(variable.value);
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: 'get',
+      variable: args.name,
+      source: 'api',
+      success: true,
+      message: canReveal ? 'Value revealed' : 'Value masked',
+    });
+
+    return {
+      name: variable.name,
+      value: value,
+      tags: variable.tags,
+      description: variable.description,
+      encrypted: variable.encrypted,
+    };
+  }
+
+  protected async setVariable(args: {
+    name: string;
+    value: string;
+    tags?: string[];
+    description?: string;
+  }): Promise<{ success: boolean; message: string }> {
+    if (!this.config.access.allow_ai_write) {
+      throw new Error('AI write access is disabled');
+    }
+
+    if (isBlacklisted(args.name, this.config)) {
+      throw new Error(`Variable '${args.name}' is blacklisted`);
+    }
+
+    const existing = await this.storage.get(args.name);
+    const now = new Date().toISOString();
+
+    const variable: Variable = {
+      name: args.name,
+      value: args.value,
+      encrypted: this.config.storage.encrypted,
+      tags: args.tags,
+      description: args.description,
+      created: existing?.created || now,
+      updated: now,
+      sync_to_env: true,
+    };
+
+    await this.storage.set(args.name, variable);
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: existing ? 'update' : 'add',
+      variable: args.name,
+      source: 'api',
+      success: true,
+      message: `Variable ${existing ? 'updated' : 'created'}`,
+    });
+
+    return { success: true, message: `Variable '${args.name}' ${existing ? 'updated' : 'created'}` };
+  }
+
+  protected async deleteVariable(args: { name: string }): Promise<{ success: boolean; message: string }> {
+    if (!this.config.access.allow_ai_delete) {
+      throw new Error('AI delete access is disabled');
+    }
+
+    const deleted = await this.storage.delete(args.name);
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: 'delete',
+      variable: args.name,
+      source: 'api',
+      success: deleted,
+      message: deleted ? 'Variable deleted' : 'Variable not found',
+    });
+
+    return {
+      success: deleted,
+      message: deleted ? `Variable '${args.name}' deleted` : `Variable '${args.name}' not found`
+    };
+  }
+
+  protected async syncToEnv(): Promise<{ success: boolean; message: string }> {
+    if (!this.config.access.allow_ai_export) {
+      throw new Error('AI export access is disabled');
+    }
+
+    if (!this.config.sync.enabled) {
+      throw new Error('Sync is disabled in configuration');
+    }
+
+    const variables = await this.storage.load();
+    const lines: string[] = [];
+
+    if (this.config.sync.header) {
+      lines.push(this.config.sync.header);
+    }
+
+    for (const [name, variable] of Object.entries(variables)) {
+      if (isBlacklisted(name, this.config)) {
+        continue;
+      }
+
+      const excluded = this.config.sync.exclude?.some(pattern => {
+        const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+        return regex.test(name);
+      });
+
+      if (excluded || !variable.sync_to_env) {
+        continue;
+      }
+
+      lines.push(`${name}=${variable.value}`);
+    }
+
+    const envPath = path.join(this.projectPath, this.config.sync.target);
+    await fs.writeFile(envPath, lines.join('\n'), 'utf8');
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: 'sync',
+      source: 'api',
+      success: true,
+      message: `Synced ${lines.length} variables to ${this.config.sync.target}`,
+    });
+
+    return { success: true, message: `Synced ${lines.length} variables to ${this.config.sync.target}` };
+  }
+
+  protected async addToEnv(args: { name: string; env_file?: string }): Promise<{ success: boolean; message: string }> {
+    const variable = await this.storage.get(args.name);
+
+    if (!variable) {
+      throw new Error(`Variable '${args.name}' not found`);
+    }
+
+    if (isBlacklisted(args.name, this.config)) {
+      throw new Error(`Variable '${args.name}' is blacklisted`);
+    }
+
+    const envPath = path.join(this.projectPath, args.env_file || '.env');
+    let content = '';
+
+    if (await fs.pathExists(envPath)) {
+      content = await fs.readFile(envPath, 'utf8');
+    }
+
+    const envVars = dotenv.parse(content);
+
+    if (envVars[args.name]) {
+      const lines = content.split('\n');
+      const newLines = lines.map(line => {
+        if (line.startsWith(`${args.name}=`)) {
+          return `${args.name}=${variable.value}`;
+        }
+        return line;
+      });
+      content = newLines.join('\n');
+    } else {
+      content += `\n${args.name}=${variable.value}`;
+    }
+
+    await fs.writeFile(envPath, content, 'utf8');
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: 'add',
+      variable: args.name,
+      source: 'api',
+      success: true,
+      message: `Added to ${args.env_file || '.env'}`,
+    });
+
+    return { success: true, message: `Variable '${args.name}' added to ${args.env_file || '.env'}` };
+  }
+
+  protected async checkAccess(args: { name: string }): Promise<{
+    name: string;
+    exists: boolean;
+    accessible: boolean;
+    blacklisted: boolean;
+    message: string;
+  }> {
+    const variable = await this.storage.get(args.name);
+    const exists = !!variable;
+    const blacklisted = isBlacklisted(args.name, this.config);
+    const accessible = exists && !blacklisted && canAccess(args.name, this.config);
+
+    await this.logs.log({
+      timestamp: new Date().toISOString(),
+      operation: 'check_access',
+      variable: args.name,
+      source: 'api',
+      success: true,
+      message: `Access check: ${accessible ? 'granted' : 'denied'}`,
+    });
+
+    return {
+      name: args.name,
+      exists,
+      accessible,
+      blacklisted,
+      message: accessible ? 'Variable exists and can be accessed' : 'Variable cannot be accessed or does not exist',
+    };
+  }
+
+  private parseCommand(command: string): { program: string; args: string[] } {
+    const tokens: string[] = [];
+    let current = '';
+    let inSingle = false;
+    let inDouble = false;
+
+    for (let i = 0; i < command.length; i++) {
+      const ch = command[i];
+      if (ch === "'" && !inDouble) {
+        inSingle = !inSingle;
+      } else if (ch === '"' && !inSingle) {
+        inDouble = !inDouble;
+      } else if (ch === ' ' && !inSingle && !inDouble) {
+        if (current.length > 0) {
+          tokens.push(current);
+          current = '';
+        }
+      } else {
+        current += ch;
+      }
+    }
+    if (current.length > 0) tokens.push(current);
+
+    if (tokens.length === 0) throw new Error('Empty command');
+    return { program: tokens[0], args: tokens.slice(1) };
+  }
+
+  private validateCommand(command: string): void {
+    const shellMetachars = /[;&|`$(){}!><\n\\]/;
+    if (shellMetachars.test(command)) {
+      throw new Error('Command contains disallowed shell metacharacters: ; & | ` $ ( ) { } ! > < \\');
+    }
+  }
+
+  protected async runCommand(args: { command: string; variables: string[] }): Promise<{
+    exitCode: number | null;
+    stdout: string;
+    stderr: string;
+  }> {
+    this.validateCommand(args.command);
+
+    const { spawn } = await import('child_process');
+    const { program, args: cmdArgs } = this.parseCommand(args.command);
+    const env: Record<string, string> = { ...process.env } as Record<string, string>;
+
+    for (const name of args.variables) {
+      if (isBlacklisted(name, this.config)) {
+        continue;
+      }
+      const variable = await this.storage.get(name);
+      if (variable) {
+        env[name] = variable.value;
+      }
+    }
+
+    return new Promise((resolve) => {
+      const proc = spawn(program, cmdArgs, {
+        env,
+        cwd: this.projectPath,
+      });
+
+      let stdout = '';
+      let stderr = '';
+
+      proc.stdout.on('data', (data) => { stdout += data; });
+      proc.stderr.on('data', (data) => { stderr += data; });
+
+      proc.on('close', (code) => {
+        resolve({ exitCode: code, stdout, stderr });
+      });
+    });
+  }
+}