@fentz26/envcp 1.0.7 → 1.0.9

package/dist/cli/index.js

@@ -2,11 +2,13 @@ import { Command } from 'commander';
 import inquirer from 'inquirer';
 import chalk from 'chalk';
 import * as path from 'path';
+import * as os from 'os';
 import fs from 'fs-extra';
-import { loadConfig, initConfig, saveConfig, parseEnvFile, registerMcpConfig } from '../config/manager.js';
+import { loadConfig, initConfig, saveConfig, parseEnvFile, registerMcpConfig, isBlacklisted, canAccess } from '../config/manager.js';
 import { StorageManager } from '../storage/index.js';
 import { SessionManager } from '../utils/session.js';
 import { maskValue, validatePassword, encrypt, decrypt, generateRecoveryKey, createRecoveryData, recoverPassword } from '../utils/crypto.js';
+import { KeychainManager } from '../utils/keychain.js';
 async function withSession(fn) {
     const projectPath = process.cwd();
     const config = await loadConfig(projectPath);
@@ -21,14 +23,28 @@ async function withSession(fn) {
     let session = await sessionManager.load();
     let password = '';
     if (!session) {
-        const answer = await inquirer.prompt([
-            { type: 'password', name: 'password', message: 'Enter password:', mask: '*' }
-        ]);
-        password = answer.password;
-        const validation = validatePassword(password, config.password || {});
-        if (!validation.valid) {
-            console.log(chalk.red(validation.error));
-            return;
+        // Try OS keychain first if enabled
+        if (config.keychain?.enabled) {
+            const keychain = new KeychainManager(config.keychain.service || 'envcp');
+            const stored = await keychain.retrievePassword(projectPath);
+            if (stored) {
+                password = stored;
+                console.log(chalk.gray('Password retrieved from OS keychain'));
+            }
+        }
+        if (!password) {
+            const answer = await inquirer.prompt([
+                { type: 'password', name: 'password', message: 'Enter password:', mask: '*' }
+            ]);
+            password = answer.password;
+            const validation = validatePassword(password, config.password || {});
+            if (!validation.valid) {
+                console.log(chalk.red(validation.error));
+                return;
+            }
+            if (validation.warning) {
+                console.log(chalk.yellow(`⚠ ${validation.warning}`));
+            }
         }
         session = await sessionManager.create(password);
     }
@@ -145,7 +161,7 @@ program
     // Generate recovery key for encrypted recoverable mode
     if (securityChoice === 'recoverable' && pwd) {
         const recoveryKey = generateRecoveryKey();
-        const recoveryData = createRecoveryData(pwd, recoveryKey);
+        const recoveryData = await createRecoveryData(pwd, recoveryKey);
         const recoveryPath = path.join(projectPath, config.security.recovery_file);
         await fs.writeFile(recoveryPath, recoveryData, 'utf8');
         console.log('');
@@ -185,6 +201,7 @@ program
     .command('unlock')
     .description('Unlock EnvCP session with password')
     .option('-p, --password <password>', 'Password (will prompt if not provided)')
+    .option('--save-to-keychain', 'Save password to OS keychain for auto-unlock')
     .action(async (options) => {
     const projectPath = process.cwd();
     const config = await loadConfig(projectPath);
@@ -205,6 +222,9 @@ program
         console.log(chalk.red(validation.error));
         return;
     }
+    if (validation.warning) {
+        console.log(chalk.yellow(`⚠ ${validation.warning}`));
+    }
     const sessionManager = new SessionManager(path.join(projectPath, config.session?.path || '.envcp/.session'), config.session?.timeout_minutes || 30, config.session?.max_extensions || 5);
     await sessionManager.init();
     const storage = new StorageManager(path.join(projectPath, config.storage.path), config.storage.encrypted);
@@ -223,7 +243,7 @@ program
             const recoveryPath = path.join(projectPath, config.security.recovery_file || '.envcp/.recovery');
             if (!await fs.pathExists(recoveryPath)) {
                 const recoveryKey = generateRecoveryKey();
-                const recoveryData = createRecoveryData(password, recoveryKey);
+                const recoveryData = await createRecoveryData(password, recoveryKey);
                 await fs.ensureDir(path.dirname(recoveryPath));
                 await fs.writeFile(recoveryPath, recoveryData, 'utf8');
                 console.log('');
@@ -247,6 +267,26 @@ program
     console.log(chalk.gray(`  Expires in: ${config.session?.timeout_minutes || 30} minutes`));
     const maxExt = config.session?.max_extensions || 5;
     console.log(chalk.gray(`  Extensions remaining: ${maxExt - session.extensions}/${maxExt}`));
+    // Save to keychain if requested
+    if (options.saveToKeychain) {
+        const keychain = new KeychainManager(config.keychain?.service || 'envcp');
+        if (await keychain.isAvailable()) {
+            const result = await keychain.storePassword(password, projectPath);
+            if (result.success) {
+                // Enable keychain in config
+                config.keychain = { ...config.keychain, enabled: true };
+                await saveConfig(config, projectPath);
+                console.log(chalk.green(`Password saved to ${keychain.backendName}`));
+                console.log(chalk.gray('  Future sessions will auto-unlock from keychain'));
+            }
+            else {
+                console.log(chalk.red(`Failed to save to keychain: ${result.error}`));
+            }
+        }
+        else {
+            console.log(chalk.red(`OS keychain not available (${keychain.backendName})`));
+        }
+    }
 });
 program
     .command('lock')
@@ -331,7 +371,7 @@ program
     const recoveryData = await fs.readFile(recoveryPath, 'utf8');
     let oldPassword;
     try {
-        oldPassword = recoverPassword(recoveryData, recoveryKey);
+        oldPassword = await recoverPassword(recoveryData, recoveryKey);
     }
     catch {
         console.log(chalk.red('Invalid recovery key.'));
@@ -366,7 +406,7 @@ program
     await storage.save(variables);
     // Update recovery file with new password
     const newRecoveryKey = generateRecoveryKey();
-    const newRecoveryData = createRecoveryData(newPassword, newRecoveryKey);
+    const newRecoveryData = await createRecoveryData(newPassword, newRecoveryKey);
     await fs.writeFile(recoveryPath, newRecoveryData, 'utf8');
     console.log(chalk.green('Password reset successfully!'));
     console.log('');
@@ -452,7 +492,7 @@ program
     .description('List all variables (names only, values hidden)')
     .option('-v, --show-values', 'Show actual values')
     .action(async (options) => {
-    await withSession(async (storage) => {
+    await withSession(async (storage, _password, config) => {
         const variables = await storage.load();
         const names = Object.keys(variables);
         if (names.length === 0) {
@@ -462,7 +502,9 @@ program
         console.log(chalk.blue(`\nVariables (${names.length}):\n`));
         for (const name of names) {
             const v = variables[name];
-            const value = options.showValues ? v.value : maskValue(v.value);
+            const value = config.access?.mask_values && !options.showValues
+                ? maskValue(v.value)
+                : v.value;
             const tags = v.tags ? chalk.gray(` [${v.tags.join(', ')}]`) : '';
             console.log(`  ${chalk.cyan(name)} = ${value}${tags}`);
         }
@@ -472,15 +514,27 @@ program
 program
     .command('get <name>')
     .description('Get a variable value')
-    .action(async (name) => {
-    await withSession(async (storage) => {
+    .option('--show-value', 'Reveal the unmasked value')
+    .action(async (name, options) => {
+    await withSession(async (storage, _password, config) => {
+        if (isBlacklisted(name, config)) {
+            console.log(chalk.red(`Variable '${name}' is blacklisted and cannot be accessed`));
+            return;
+        }
+        if (!canAccess(name, config)) {
+            console.log(chalk.red(`Access denied to variable '${name}'`));
+            return;
+        }
         const variable = await storage.get(name);
         if (!variable) {
             console.log(chalk.red(`Variable '${name}' not found`));
             return;
         }
+        const value = config.access?.mask_values && !options.showValue
+            ? maskValue(variable.value)
+            : variable.value;
         console.log(chalk.cyan(name));
-        console.log(`  Value: ${variable.value}`);
+        console.log(`  Value: ${value}`);
         if (variable.tags)
             console.log(`  Tags: ${variable.tags.join(', ')}`);
         if (variable.description)
@@ -517,6 +571,16 @@ program
             lines.push(config.sync.header);
         }
         for (const [name, variable] of Object.entries(variables)) {
+            if (isBlacklisted(name, config) || !canAccess(name, config))
+                continue;
+            if (!variable.sync_to_env)
+                continue;
+            const excluded = config.sync.exclude?.some((pattern) => {
+                const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+                return regex.test(name);
+            });
+            if (excluded)
+                continue;
             const needsQuoting = /[\s#"'\\]/.test(variable.value);
             const val = needsQuoting ? `"${variable.value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"` : variable.value;
             lines.push(`${name}=${val}`);
@@ -532,6 +596,16 @@ program
             const updated = [];
             const removed = [];
             for (const [name, variable] of Object.entries(variables)) {
+                if (isBlacklisted(name, config) || !canAccess(name, config))
+                    continue;
+                if (!variable.sync_to_env)
+                    continue;
+                const excluded = config.sync.exclude?.some((pattern) => {
+                    const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+                    return regex.test(name);
+                });
+                if (excluded)
+                    continue;
                 if (name in existing) {
                     if (existing[name] !== variable.value)
                         updated.push(name);
@@ -613,6 +687,9 @@ program
                 console.log(chalk.red(validation.error));
                 return;
             }
+            if (validation.warning) {
+                console.log(chalk.yellow(`⚠ ${validation.warning}`));
+            }
             session = await sessionManager.create(password);
         }
         password = sessionManager.getPassword() || password;
@@ -640,7 +717,7 @@ program
     console.log(chalk.gray(`  Host: ${host}`));
     console.log(chalk.gray(`  Port: ${port}`));
     if (apiKey)
-        console.log(chalk.gray(`  API Key: ${apiKey.substring(0, 4)}...`));
+        console.log(chalk.gray(`  API Key: ${'*'.repeat(apiKey.length)}`));
     console.log('');
     await server.start();
     console.log(chalk.green(`EnvCP server running at http://${host}:${port}`));
@@ -708,7 +785,7 @@ program
                 meta: { project: config.project, timestamp: new Date().toISOString(), count: Object.keys(variables).length, version: '1.0' },
                 variables,
             }, null, 2);
-            const encrypted = encrypt(exportData, exportPassword);
+            const encrypted = await encrypt(exportData, exportPassword);
             await fs.writeFile(outputPath, encrypted, 'utf8');
             console.log(chalk.green(`Encrypted export saved to: ${outputPath}`));
             console.log(chalk.gray(`  Variables: ${Object.keys(variables).length}`));
@@ -753,7 +830,7 @@ program
         const fileContent = await fs.readFile(file, 'utf8');
         let importData;
         try {
-            const decrypted = decrypt(fileContent, importPassword);
+            const decrypted = await decrypt(fileContent, importPassword);
             importData = JSON.parse(decrypted);
         }
         catch {
@@ -852,7 +929,7 @@ program
             },
             variables,
         }, null, 2);
-        const encrypted = encrypt(backupData, password);
+        const encrypted = await encrypt(backupData, password);
         await fs.ensureDir(path.dirname(outputPath));
         await fs.writeFile(outputPath, encrypted, 'utf8');
         console.log(chalk.green(`Backup created: ${outputPath}`));
@@ -873,7 +950,7 @@ program
         const encrypted = await fs.readFile(file, 'utf8');
         let backupData;
         try {
-            const decrypted = decrypt(encrypted, password);
+            const decrypted = await decrypt(encrypted, password);
             backupData = JSON.parse(decrypted);
         }
         catch {
@@ -925,7 +1002,7 @@ program
         checks.push({ name: 'Config', status: 'pass', detail: `Loaded (project: ${config.project || 'unnamed'})` });
         // 2. Encryption mode
         const encrypted = config.encryption?.enabled !== false;
-        checks.push({ name: 'Encryption', status: 'pass', detail: encrypted ? `Enabled (${config.storage.algorithm})` : 'Disabled (passwordless)' });
+        checks.push({ name: 'Encryption', status: 'pass', detail: encrypted ? 'Enabled (AES-256-GCM)' : 'Disabled (passwordless)' });
         // 3. Security mode
         checks.push({ name: 'Security mode', status: 'pass', detail: config.security?.mode || 'recoverable' });
         // 4. Store file
@@ -1020,5 +1097,145 @@ program
         console.log(chalk.green('All checks passed.'));
     }
 });
+program
+    .command('vault')
+    .description('Manage vault settings')
+    .addCommand(new Command('rename')
+    .description('Rename the current vault (updates project name in config)')
+    .argument('<name>', 'New vault name')
+    .action(async (name) => {
+    const projectPath = process.cwd();
+    try {
+        const config = await loadConfig(projectPath);
+        const old = config.project || path.basename(projectPath);
+        config.project = name;
+        await saveConfig(config, projectPath);
+        console.log(`Vault renamed: ${old} -> ${name}`);
+    }
+    catch (error) {
+        console.error(`Failed to rename vault: ${error.message}`);
+        process.exit(1);
+    }
+}));
+program
+    .command('keychain')
+    .description('Manage OS keychain integration')
+    .addCommand(new Command('status')
+    .description('Check keychain availability and stored credentials')
+    .action(async () => {
+    const projectPath = process.cwd();
+    const config = await loadConfig(projectPath);
+    const keychain = new KeychainManager(config.keychain?.service || 'envcp');
+    const status = await keychain.getStatus(projectPath);
+    console.log(chalk.bold('Keychain Status'));
+    console.log(chalk.gray(`  Backend:    ${status.backend}`));
+    console.log(chalk.gray(`  Available:  ${status.available ? chalk.green('yes') : chalk.red('no')}`));
+    console.log(chalk.gray(`  Stored:     ${status.hasPassword ? chalk.green('yes') : chalk.yellow('no')}`));
+    console.log(chalk.gray(`  Enabled:    ${config.keychain?.enabled ? chalk.green('yes') : chalk.yellow('no')}`));
+    if (!status.available) {
+        console.log('');
+        if (process.platform === 'linux') {
+            console.log(chalk.yellow('Install libsecret: sudo apt install libsecret-tools'));
+        }
+        else if (process.platform === 'darwin') {
+            console.log(chalk.yellow('macOS Keychain should be available by default'));
+        }
+    }
+    else if (!status.hasPassword) {
+        console.log('');
+        console.log(chalk.gray('Run: envcp unlock --save-to-keychain'));
+    }
+}))
+    .addCommand(new Command('save')
+    .description('Save current password to OS keychain')
+    .action(async () => {
+    await withSession(async (storage, password, config, projectPath) => {
+        if (!password) {
+            console.log(chalk.red('No password available (encryption disabled?)'));
+            return;
+        }
+        const keychain = new KeychainManager(config.keychain?.service || 'envcp');
+        if (!await keychain.isAvailable()) {
+            console.log(chalk.red(`OS keychain not available (${keychain.backendName})`));
+            return;
+        }
+        const result = await keychain.storePassword(password, projectPath);
+        if (result.success) {
+            config.keychain = { ...config.keychain, enabled: true };
+            await saveConfig(config, projectPath);
+            console.log(chalk.green(`Password saved to ${keychain.backendName}`));
+            console.log(chalk.gray('  Future sessions will auto-unlock from keychain'));
+        }
+        else {
+            console.log(chalk.red(`Failed: ${result.error}`));
+        }
+    });
+}))
+    .addCommand(new Command('remove')
+    .description('Remove stored password from OS keychain')
+    .action(async () => {
+    const projectPath = process.cwd();
+    const config = await loadConfig(projectPath);
+    const keychain = new KeychainManager(config.keychain?.service || 'envcp');
+    const result = await keychain.removePassword(projectPath);
+    if (result.success) {
+        config.keychain = { ...config.keychain, enabled: false };
+        await saveConfig(config, projectPath);
+        console.log(chalk.green('Password removed from keychain'));
+    }
+    else {
+        console.log(chalk.yellow(`Nothing to remove or error: ${result.error}`));
+    }
+}))
+    .addCommand(new Command('disable')
+    .description('Disable keychain auto-unlock (keeps stored credential)')
+    .action(async () => {
+    const projectPath = process.cwd();
+    const config = await loadConfig(projectPath);
+    config.keychain = { ...config.keychain, enabled: false };
+    await saveConfig(config, projectPath);
+    console.log(chalk.green('Keychain auto-unlock disabled'));
+}));
+// Show welcome screen on first ever run
+const firstRunMarker = path.join(os.homedir(), '.envcp', '.welcomed');
+if (!await fs.pathExists(firstRunMarker)) {
+    await fs.ensureDir(path.dirname(firstRunMarker));
+    await fs.writeFile(firstRunMarker, new Date().toISOString());
+    console.log(`
+   ███████╗███╗   ██╗██╗   ██╗ ██████╗██████╗
+   ██╔════╝████╗  ██║██║   ██║██╔════╝██╔══██╗
+   █████╗  ██╔██╗ ██║██║   ██║██║     ██████╔╝
+   ██╔══╝  ██║╚██╗██║╚██╗ ██╔╝██║     ██╔═══╝
+   ███████╗██║ ╚████║ ╚████╔╝ ╚██████╗██║
+   ╚══════╝╚═╝  ╚═══╝  ╚═══╝   ╚═════╝╚═╝
+
+   Thanks for installing EnvCP!
+   Keep your secrets safe from AI agents.
+
+   ─────────────────────────────────────────────
+
+   Vault location:
+
+     ~/  or  /        ->  Global vault  (shared across all projects)
+     any folder       ->  Project vault (named after the folder)
+                          Rename anytime: envcp vault rename <name>
+
+   ─────────────────────────────────────────────
+
+   Get started:
+
+     Simple (one-time setup):
+       $ envcp init                        # Interactive guided setup
+
+     Advanced (manual config):
+       $ envcp init --advanced             # Full config options
+       $ envcp add [NAME] [VALUE]          # Add a secret manually
+
+     Explore:
+       $ envcp --help                      # See all commands
+
+   Docs: https://github.com/fentz26/EnvCP
+`);
+}
 program.parse();
 //# sourceMappingURL=index.js.map