@geekmidas/cli 0.10.0 → 0.12.0

package/src/secrets/__tests__/storage.spec.ts

@@ -0,0 +1,403 @@
+import { existsSync } from 'node:fs';
+import { mkdir, rm } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import {
+	getSecretsDir,
+	getSecretsPath,
+	maskPassword,
+	readStageSecrets,
+	secretsExist,
+	setCustomSecret,
+	toEmbeddableSecrets,
+	writeStageSecrets,
+} from '../storage';
+import type { StageSecrets } from '../types';
+
+describe('path utilities', () => {
+	describe('getSecretsDir', () => {
+		it('should return .gkm/secrets relative to cwd', () => {
+			const dir = getSecretsDir('/project');
+			expect(dir).toBe('/project/.gkm/secrets');
+		});
+	});
+
+	describe('getSecretsPath', () => {
+		it('should return path for stage file', () => {
+			const path = getSecretsPath('production', '/project');
+			expect(path).toBe('/project/.gkm/secrets/production.json');
+		});
+
+		it('should handle stage names with special characters', () => {
+			const path = getSecretsPath('dev-local', '/project');
+			expect(path).toBe('/project/.gkm/secrets/dev-local.json');
+		});
+	});
+
+	describe('secretsExist', () => {
+		it('should return false for non-existent secrets', () => {
+			const exists = secretsExist('nonexistent', '/nonexistent-path');
+			expect(exists).toBe(false);
+		});
+	});
+});
+
+describe('file operations', () => {
+	let tempDir: string;
+
+	beforeEach(async () => {
+		tempDir = join(tmpdir(), `gkm-test-${Date.now()}`);
+		await mkdir(tempDir, { recursive: true });
+	});
+
+	afterEach(async () => {
+		if (existsSync(tempDir)) {
+			await rm(tempDir, { recursive: true });
+		}
+	});
+
+	describe('writeStageSecrets / readStageSecrets', () => {
+		it('should write and read secrets', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: '2024-01-01T00:00:00.000Z',
+				updatedAt: '2024-01-01T00:00:00.000Z',
+				services: {
+					postgres: {
+						host: 'postgres',
+						port: 5432,
+						username: 'app',
+						password: 'secret123',
+						database: 'app',
+					},
+				},
+				urls: {
+					DATABASE_URL: 'postgresql://app:secret123@postgres:5432/app',
+				},
+				custom: {},
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+			const read = await readStageSecrets('production', tempDir);
+
+			expect(read).toEqual(secrets);
+		});
+
+		it('should create directory if it does not exist', async () => {
+			const secrets: StageSecrets = {
+				stage: 'staging',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+
+			expect(existsSync(join(tempDir, '.gkm/secrets'))).toBe(true);
+			expect(existsSync(join(tempDir, '.gkm/secrets/staging.json'))).toBe(true);
+		});
+
+		it('should return null for non-existent stage', async () => {
+			const read = await readStageSecrets('nonexistent', tempDir);
+			expect(read).toBeNull();
+		});
+	});
+
+	describe('secretsExist', () => {
+		it('should return true when secrets file exists', async () => {
+			const secrets: StageSecrets = {
+				stage: 'test',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+			expect(secretsExist('test', tempDir)).toBe(true);
+		});
+
+		it('should return false when secrets file does not exist', () => {
+			expect(secretsExist('nonexistent', tempDir)).toBe(false);
+		});
+	});
+
+	describe('setCustomSecret', () => {
+		it('should add custom secret to existing secrets', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'API_KEY',
+				'sk_test_123',
+				tempDir,
+			);
+
+			expect(updated.custom.API_KEY).toBe('sk_test_123');
+		});
+
+		it('should update existing custom secret', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: { API_KEY: 'old-value' },
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'API_KEY',
+				'new-value',
+				tempDir,
+			);
+
+			expect(updated.custom.API_KEY).toBe('new-value');
+		});
+
+		it('should update updatedAt timestamp', async () => {
+			const originalTime = '2024-01-01T00:00:00.000Z';
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: originalTime,
+				updatedAt: originalTime,
+				services: {},
+				urls: {},
+				custom: {},
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'KEY',
+				'value',
+				tempDir,
+			);
+
+			expect(updated.updatedAt).not.toBe(originalTime);
+		});
+
+		it('should throw if secrets do not exist for stage', async () => {
+			await expect(
+				setCustomSecret('nonexistent', 'KEY', 'value', tempDir),
+			).rejects.toThrow('Secrets not found for stage "nonexistent"');
+		});
+
+		it('should persist changes to disk', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+
+			await writeStageSecrets(secrets, tempDir);
+			await setCustomSecret('production', 'NEW_KEY', 'new-value', tempDir);
+
+			const read = await readStageSecrets('production', tempDir);
+			expect(read!.custom.NEW_KEY).toBe('new-value');
+		});
+	});
+});
+
+describe('toEmbeddableSecrets', () => {
+	it('should include URLs', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+			},
+			custom: {},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		expect(embeddable.DATABASE_URL).toBe('postgresql://...');
+		expect(embeddable.REDIS_URL).toBe('redis://...');
+	});
+
+	it('should include custom secrets', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {},
+			custom: {
+				API_KEY: 'sk_test_123',
+				WEBHOOK_SECRET: 'whsec_abc',
+			},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		expect(embeddable.API_KEY).toBe('sk_test_123');
+		expect(embeddable.WEBHOOK_SECRET).toBe('whsec_abc');
+	});
+
+	it('should include postgres service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'secret123',
+					database: 'mydb',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		expect(embeddable.POSTGRES_USER).toBe('app');
+		expect(embeddable.POSTGRES_PASSWORD).toBe('secret123');
+		expect(embeddable.POSTGRES_DB).toBe('mydb');
+		expect(embeddable.POSTGRES_HOST).toBe('postgres');
+		expect(embeddable.POSTGRES_PORT).toBe('5432');
+	});
+
+	it('should include redis service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		expect(embeddable.REDIS_PASSWORD).toBe('redis-pass');
+		expect(embeddable.REDIS_HOST).toBe('redis');
+		expect(embeddable.REDIS_PORT).toBe('6379');
+	});
+
+	it('should include rabbitmq service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				rabbitmq: {
+					host: 'rabbitmq',
+					port: 5672,
+					username: 'app',
+					password: 'rmq-pass',
+					vhost: '/myapp',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		expect(embeddable.RABBITMQ_USER).toBe('app');
+		expect(embeddable.RABBITMQ_PASSWORD).toBe('rmq-pass');
+		expect(embeddable.RABBITMQ_HOST).toBe('rabbitmq');
+		expect(embeddable.RABBITMQ_PORT).toBe('5672');
+		expect(embeddable.RABBITMQ_VHOST).toBe('/myapp');
+	});
+
+	it('should handle all services and custom secrets together', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'pg-pass',
+					database: 'app',
+				},
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+			},
+			custom: {
+				API_KEY: 'key123',
+			},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		// URLs
+		expect(embeddable.DATABASE_URL).toBe('postgresql://...');
+		expect(embeddable.REDIS_URL).toBe('redis://...');
+
+		// Custom
+		expect(embeddable.API_KEY).toBe('key123');
+
+		// Postgres
+		expect(embeddable.POSTGRES_PASSWORD).toBe('pg-pass');
+
+		// Redis
+		expect(embeddable.REDIS_PASSWORD).toBe('redis-pass');
+	});
+});
+
+describe('maskPassword', () => {
+	it('should mask middle characters', () => {
+		const masked = maskPassword('abcdefghijklmnop');
+		expect(masked).toBe('abcd**********op');
+	});
+
+	it('should show first 4 and last 2 characters', () => {
+		const masked = maskPassword('1234567890');
+		expect(masked.slice(0, 4)).toBe('1234');
+		expect(masked.slice(-2)).toBe('90');
+	});
+
+	it('should return all asterisks for short passwords', () => {
+		expect(maskPassword('short')).toBe('********');
+		expect(maskPassword('12345678')).toBe('********');
+	});
+
+	it('should handle exactly 9 character password', () => {
+		const masked = maskPassword('123456789');
+		expect(masked).toBe('1234***89');
+	});
+});

package/src/secrets/encryption.ts

@@ -0,0 +1,91 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import type { EmbeddableSecrets, EncryptedPayload } from './types';
+
+/** AES-256-GCM configuration */
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+
+/**
+ * Encrypt secrets for embedding in a bundle.
+ * Uses AES-256-GCM with a randomly generated ephemeral key.
+ *
+ * @param secrets - Key-value pairs to encrypt
+ * @returns Encrypted payload with ephemeral master key
+ */
+export function encryptSecrets(secrets: EmbeddableSecrets): EncryptedPayload {
+	// Generate ephemeral key and IV
+	const masterKey = randomBytes(KEY_LENGTH);
+	const iv = randomBytes(IV_LENGTH);
+
+	// Serialize secrets to JSON
+	const plaintext = JSON.stringify(secrets);
+
+	// Encrypt
+	const cipher = createCipheriv(ALGORITHM, masterKey, iv);
+	const ciphertext = Buffer.concat([
+		cipher.update(plaintext, 'utf-8'),
+		cipher.final(),
+	]);
+
+	// Get auth tag
+	const authTag = cipher.getAuthTag();
+
+	// Combine ciphertext + auth tag
+	const combined = Buffer.concat([ciphertext, authTag]);
+
+	return {
+		encrypted: combined.toString('base64'),
+		iv: iv.toString('hex'),
+		masterKey: masterKey.toString('hex'),
+	};
+}
+
+/**
+ * Decrypt secrets from an encrypted payload.
+ * Used at runtime to decrypt embedded credentials.
+ *
+ * @param encrypted - Base64 encoded ciphertext + auth tag
+ * @param iv - Hex encoded IV
+ * @param masterKey - Hex encoded master key
+ * @returns Decrypted secrets
+ */
+export function decryptSecrets(
+	encrypted: string,
+	iv: string,
+	masterKey: string,
+): EmbeddableSecrets {
+	// Decode inputs
+	const key = Buffer.from(masterKey, 'hex');
+	const ivBuffer = Buffer.from(iv, 'hex');
+	const combined = Buffer.from(encrypted, 'base64');
+
+	// Split ciphertext and auth tag
+	const ciphertext = combined.subarray(0, -AUTH_TAG_LENGTH);
+	const authTag = combined.subarray(-AUTH_TAG_LENGTH);
+
+	// Decrypt
+	const decipher = createDecipheriv(ALGORITHM, key, ivBuffer);
+	decipher.setAuthTag(authTag);
+
+	const plaintext = Buffer.concat([
+		decipher.update(ciphertext),
+		decipher.final(),
+	]);
+
+	return JSON.parse(plaintext.toString('utf-8')) as EmbeddableSecrets;
+}
+
+/**
+ * Generate the define options for tsdown/esbuild.
+ * These will be injected at build time.
+ */
+export function generateDefineOptions(
+	payload: EncryptedPayload,
+): Record<string, string> {
+	return {
+		__GKM_ENCRYPTED_CREDENTIALS__: JSON.stringify(payload.encrypted),
+		__GKM_CREDENTIALS_IV__: JSON.stringify(payload.iv),
+	};
+}

package/src/secrets/generator.ts

@@ -0,0 +1,164 @@
+import { randomBytes } from 'node:crypto';
+import type { ComposeServiceName } from '../types';
+import type { ServiceCredentials, StageSecrets } from './types';
+
+/**
+ * Generate a secure random password using URL-safe base64 characters.
+ * @param length Password length (default: 32)
+ */
+export function generateSecurePassword(length = 32): string {
+	return randomBytes(Math.ceil((length * 3) / 4))
+		.toString('base64url')
+		.slice(0, length);
+}
+
+/** Default service configurations */
+const SERVICE_DEFAULTS: Record<
+	ComposeServiceName,
+	Omit<ServiceCredentials, 'password'>
+> = {
+	postgres: {
+		host: 'postgres',
+		port: 5432,
+		username: 'app',
+		database: 'app',
+	},
+	redis: {
+		host: 'redis',
+		port: 6379,
+		username: 'default',
+	},
+	rabbitmq: {
+		host: 'rabbitmq',
+		port: 5672,
+		username: 'app',
+		vhost: '/',
+	},
+};
+
+/**
+ * Generate credentials for a specific service.
+ */
+export function generateServiceCredentials(
+	service: ComposeServiceName,
+): ServiceCredentials {
+	const defaults = SERVICE_DEFAULTS[service];
+	return {
+		...defaults,
+		password: generateSecurePassword(),
+	};
+}
+
+/**
+ * Generate credentials for multiple services.
+ */
+export function generateServicesCredentials(
+	services: ComposeServiceName[],
+): StageSecrets['services'] {
+	const result: StageSecrets['services'] = {};
+
+	for (const service of services) {
+		result[service] = generateServiceCredentials(service);
+	}
+
+	return result;
+}
+
+/**
+ * Generate connection URL for PostgreSQL.
+ */
+export function generatePostgresUrl(creds: ServiceCredentials): string {
+	const { username, password, host, port, database } = creds;
+	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
+}
+
+/**
+ * Generate connection URL for Redis.
+ */
+export function generateRedisUrl(creds: ServiceCredentials): string {
+	const { password, host, port } = creds;
+	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
+}
+
+/**
+ * Generate connection URL for RabbitMQ.
+ */
+export function generateRabbitmqUrl(creds: ServiceCredentials): string {
+	const { username, password, host, port, vhost } = creds;
+	const encodedVhost = encodeURIComponent(vhost ?? '/');
+	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
+}
+
+/**
+ * Generate connection URLs from service credentials.
+ */
+export function generateConnectionUrls(
+	services: StageSecrets['services'],
+): StageSecrets['urls'] {
+	const urls: StageSecrets['urls'] = {};
+
+	if (services.postgres) {
+		urls.DATABASE_URL = generatePostgresUrl(services.postgres);
+	}
+
+	if (services.redis) {
+		urls.REDIS_URL = generateRedisUrl(services.redis);
+	}
+
+	if (services.rabbitmq) {
+		urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
+	}
+
+	return urls;
+}
+
+/**
+ * Create a new StageSecrets object with generated credentials.
+ */
+export function createStageSecrets(
+	stage: string,
+	services: ComposeServiceName[],
+): StageSecrets {
+	const now = new Date().toISOString();
+	const serviceCredentials = generateServicesCredentials(services);
+	const urls = generateConnectionUrls(serviceCredentials);
+
+	return {
+		stage,
+		createdAt: now,
+		updatedAt: now,
+		services: serviceCredentials,
+		urls,
+		custom: {},
+	};
+}
+
+/**
+ * Rotate password for a specific service.
+ */
+export function rotateServicePassword(
+	secrets: StageSecrets,
+	service: ComposeServiceName,
+): StageSecrets {
+	const currentCreds = secrets.services[service];
+	if (!currentCreds) {
+		throw new Error(`Service "${service}" not configured in secrets`);
+	}
+
+	const newCreds: ServiceCredentials = {
+		...currentCreds,
+		password: generateSecurePassword(),
+	};
+
+	const newServices = {
+		...secrets.services,
+		[service]: newCreds,
+	};
+
+	return {
+		...secrets,
+		updatedAt: new Date().toISOString(),
+		services: newServices,
+		urls: generateConnectionUrls(newServices),
+	};
+}