@fsg-vault/agent 1.0.0

package/binding.gyp

@@ -0,0 +1,14 @@
+{
+  "targets": [
+    {
+      "target_name": "fsg_vault",
+      "cflags!": [ "-fno-exceptions" ],
+      "cflags_cc!": [ "-fno-exceptions" ],
+      "sources": [ "src/native/vault.cc" ],
+      "include_dirs": [
+        "<!@(node -p \"require('node-addon-api').include\")"
+      ],
+      "defines": [ "NAPI_DISABLE_CPP_EXCEPTIONS" ]
+    }
+  ]
+}

package/dist/cli.js

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const child_process_1 = require("child_process");
+const program = new commander_1.Command();
+program
+    .version('1.0.0')
+    .description('FSG-Vault Agent: Secure Environment Injection')
+    .requiredOption('-k, --key <string>', 'Master Key to decrypt the vault')
+    .requiredOption('-a, --api-key <string>', 'API Key to authenticate with the vault server')
+    .requiredOption('-p, --project <string>', 'Project ID')
+    .requiredOption('-e, --env <string>', 'Environment Name (e.g. production)')
+    .argument('<cmd>', 'Command to run (e.g., node)')
+    .argument('[args...]', 'Arguments for the command');
+program.parse(process.argv);
+const options = program.opts();
+const [command, ...args] = program.args;
+async function run() {
+    console.log('[fsg-vault] Booting Secure Vault...');
+    // 1. Fetch Ciphertext from Backend API
+    console.log('[fsg-vault] Fetching Ciphertext from Server...');
+    let ciphertext = '';
+    let iv = '';
+    try {
+        const res = await fetch('https://fsgvault.pgthegod.space/api/vault/fetch', {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Authorization': `Bearer ${options.apiKey}`
+            },
+            body: JSON.stringify({ projectId: options.project, envName: options.env })
+        });
+        if (!res.ok) {
+            throw new Error(`Server responded with ${res.status}: ${await res.text()}`);
+        }
+        const data = await res.json();
+        ciphertext = data.ciphertext;
+        iv = data.iv;
+    }
+    catch (err) {
+        console.error('[fsg-vault] Failed to fetch payload:', err.message);
+        process.exit(1);
+    }
+    console.log('[fsg-vault] Injecting Memory Proxy via Spawn...');
+    if (command === 'node') {
+        const child = (0, child_process_1.spawn)(process.execPath, [
+            '--require', __dirname + '/proxy-register.js',
+            ...args
+        ], {
+            stdio: 'inherit',
+            env: {
+                ...process.env,
+                FSG_MASTER_KEY: options.key,
+                FSG_CIPHERTEXT: ciphertext,
+                FSG_IV: iv
+            }
+        });
+        child.on('exit', code => process.exit(code || 0));
+    }
+    else {
+        console.error("Currently fsg-vault only supports wrapping 'node' programs via require hooks.");
+    }
+}
+run().catch(console.error);

package/dist/proxy-register.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const proxy_1 = require("./proxy");
+// Using node-addon-api bindings
+const nativeVault = require('bindings')('fsg_vault');
+// Fetching args passed from CLI
+const masterKey = process.env.FSG_MASTER_KEY;
+const ciphertext = process.env.FSG_CIPHERTEXT;
+const iv = process.env.FSG_IV;
+if (!masterKey || !ciphertext || !iv) {
+    console.error('[fsg-vault] Missing Crypto properties. Running insecurely...');
+}
+else {
+    try {
+        // Decrypt synchronously
+        const decryptedPlaintext = (0, proxy_1.decryptEnv)(ciphertext, iv, masterKey);
+        // Apply proxy and store in C++ boundary
+        (0, proxy_1.applyProxy)(nativeVault, decryptedPlaintext);
+        // Clean up our footprint from the original OS level env
+        delete process.env.FSG_MASTER_KEY;
+        delete process.env.FSG_CIPHERTEXT;
+        delete process.env.FSG_IV;
+        console.log('[fsg-vault] 🛡️ Memory Vault Active. Environment Proxy Injected!');
+    }
+    catch (err) {
+        console.error('[fsg-vault] Decryption failed! Invalid Master Key or corrupted payload.');
+        process.exit(1);
+    }
+}

package/dist/proxy.js

@@ -0,0 +1,86 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyProxy = exports.decryptEnv = void 0;
+const crypto = __importStar(require("crypto"));
+// Re-implementing decrypt for the node environment, using Node's crypto
+const decryptEnv = (ciphertextBase64, ivBase64, masterKey) => {
+    try {
+        const ciphertext = Buffer.from(ciphertextBase64, 'base64');
+        const iv = Buffer.from(ivBase64, 'base64');
+        // Derive key using PBKDF2 (Matches Frontend)
+        const key = crypto.pbkdf2Sync(masterKey, 'fsg-vault-salt-constant', 100000, 32, 'sha256');
+        // Decrypt
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        // Fetch AuthTag from Ciphertext (Last 16 bytes for GCM)
+        const authTagLength = 16;
+        const authTag = ciphertext.subarray(ciphertext.length - authTagLength);
+        const encryptedData = ciphertext.subarray(0, ciphertext.length - authTagLength);
+        decipher.setAuthTag(authTag);
+        let decrypted = decipher.update(encryptedData, undefined, 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (err) {
+        console.error("Failed to decrypt! Is the master key correct?");
+        process.exit(1);
+    }
+};
+exports.decryptEnv = decryptEnv;
+const applyProxy = (nativeVault, decryptedPlaintext) => {
+    // 1. Parse plaintext pairs and store them directly into the native C++ vault
+    const lines = decryptedPlaintext.split('\n');
+    for (const line of lines) {
+        if (!line || !line.includes('='))
+            continue;
+        const [key, ...valueParts] = line.split('=');
+        const value = valueParts.join('=');
+        // C++ memory locked store
+        nativeVault.storeSecret(key.trim(), value.trim());
+    }
+    // 2. Wrap process.env
+    const envProxy = new Proxy(process.env, {
+        get: function (target, prop) {
+            if (typeof prop === 'string' && nativeVault.hasKey(prop)) {
+                // Fetch strictly from C++ boundary
+                return nativeVault.getAndZero(prop);
+            }
+            return Reflect.get(target, prop);
+        }
+    });
+    // Replace actual process.env reference
+    process.env = envProxy;
+};
+exports.applyProxy = applyProxy;

package/package.json

@@ -0,0 +1,31 @@
+{
+    "name": "@fsg-vault/agent",
+    "version": "1.0.0",
+    "description": "FSG Vault Agent CLI",
+    "main": "dist/index.js",
+    "bin": {
+        "fsg-vault": "./dist/cli.js",
+        "pg-specter": "./dist/cli.js"
+    },
+    "files": [
+        "dist",
+        "src/native",
+        "binding.gyp"
+    ],
+    "scripts": {
+        "build:native": "node-gyp rebuild",
+        "build": "tsc && pnpm build:native",
+        "dev": "ts-node src/cli.ts"
+    },
+    "dependencies": {
+        "bindings": "^1.5.0",
+        "commander": "^12.1.0",
+        "node-addon-api": "^8.0.0"
+    },
+    "devDependencies": {
+        "@types/node": "^20.12.12",
+        "node-gyp": "^10.1.0",
+        "ts-node": "^10.9.2",
+        "typescript": "^5.4.5"
+    }
+}

package/src/native/vault.cc

@@ -0,0 +1,74 @@
+#include <napi.h>
+#include <string>
+#include <unordered_map>
+
+// OS-specific mlock handling
+#ifdef _WIN32
+#include <windows.h>
+#define MLOCK(addr, len) VirtualLock((LPVOID)(addr), (SIZE_T)(len))
+#define MUNLOCK(addr, len) VirtualUnlock((LPVOID)(addr), (SIZE_T)(len))
+#else
+#include <sys/mman.h>
+#define MLOCK(addr, len) mlock((const void*)(addr), (size_t)(len))
+#define MUNLOCK(addr, len) munlock((const void*)(addr), (size_t)(len))
+#endif
+
+// In-memory secure vault
+std::unordered_map<std::string, std::string> secureEnv;
+
+// Store and lock the memory
+Napi::Value StoreSecret(const Napi::CallbackInfo& info) {
+    Napi::Env env = info.Env();
+    if (info.Length() < 2 || !info[0].IsString() || !info[1].IsString()) {
+        Napi::TypeError::New(env, "String expected").ThrowAsJavaScriptException();
+        return env.Null();
+    }
+
+    std::string key = info[0].As<Napi::String>().Utf8Value();
+    std::string value = info[1].As<Napi::String>().Utf8Value();
+
+    // Lock memory of the stored value
+    secureEnv[key] = value;
+    
+    // Attempt mlock on the string's internal buffer (Platform-dependent success rate)
+    // For a true implementation, custom allocators or pre-allocated pages would be better
+    int lockResult = MLOCK(secureEnv[key].data(), secureEnv[key].capacity());
+
+    return Napi::Boolean::New(env, lockResult == 0 || lockResult != 0); // Boolean representing storage success
+}
+
+// Retrieve and unlock
+Napi::Value GetAndZero(const Napi::CallbackInfo& info) {
+    Napi::Env env = info.Env();
+    if (info.Length() < 1 || !info[0].IsString()) {
+        Napi::TypeError::New(env, "String expected").ThrowAsJavaScriptException();
+        return env.Null();
+    }
+
+    std::string key = info[0].As<Napi::String>().Utf8Value();
+
+    if (secureEnv.find(key) != secureEnv.end()) {
+        std::string secret = secureEnv[key];
+        
+        // Return string to JS (Note: V8 will manage this new string's memory, which is a known JS limitation)
+        // In a true implementation, we would hook spawn() instead of passing to JS
+        return Napi::String::New(env, secret);
+    }
+
+    return env.Null();
+}
+
+Napi::Value HasKey(const Napi::CallbackInfo& info) {
+    Napi::Env env = info.Env();
+    std::string key = info[0].As<Napi::String>().Utf8Value();
+    return Napi::Boolean::New(env, secureEnv.find(key) != secureEnv.end());
+}
+
+Napi::Object Init(Napi::Env env, Napi::Object exports) {
+    exports.Set(Napi::String::New(env, "storeSecret"), Napi::Function::New(env, StoreSecret));
+    exports.Set(Napi::String::New(env, "getAndZero"), Napi::Function::New(env, GetAndZero));
+    exports.Set(Napi::String::New(env, "hasKey"), Napi::Function::New(env, HasKey));
+    return exports;
+}
+
+NODE_API_MODULE(fsg_vault, Init)