@geekmidas/cli 0.10.0 → 0.13.0

package/src/secrets/storage.ts

@@ -0,0 +1,192 @@
+import { existsSync } from 'node:fs';
+import { mkdir, readFile, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import type { EmbeddableSecrets, StageSecrets } from './types';
+
+/** Default secrets directory relative to project root */
+const SECRETS_DIR = '.gkm/secrets';
+
+/**
+ * Get the secrets directory path.
+ */
+export function getSecretsDir(cwd = process.cwd()): string {
+	return join(cwd, SECRETS_DIR);
+}
+
+/**
+ * Get the secrets file path for a stage.
+ */
+export function getSecretsPath(stage: string, cwd = process.cwd()): string {
+	return join(getSecretsDir(cwd), `${stage}.json`);
+}
+
+/**
+ * Check if secrets exist for a stage.
+ */
+export function secretsExist(stage: string, cwd = process.cwd()): boolean {
+	return existsSync(getSecretsPath(stage, cwd));
+}
+
+/**
+ * Read secrets for a stage.
+ * @returns StageSecrets or null if not found
+ */
+export async function readStageSecrets(
+	stage: string,
+	cwd = process.cwd(),
+): Promise<StageSecrets | null> {
+	const path = getSecretsPath(stage, cwd);
+
+	if (!existsSync(path)) {
+		return null;
+	}
+
+	const content = await readFile(path, 'utf-8');
+	return JSON.parse(content) as StageSecrets;
+}
+
+/**
+ * Write secrets for a stage.
+ */
+export async function writeStageSecrets(
+	secrets: StageSecrets,
+	cwd = process.cwd(),
+): Promise<void> {
+	const dir = getSecretsDir(cwd);
+	const path = getSecretsPath(secrets.stage, cwd);
+
+	// Ensure directory exists
+	await mkdir(dir, { recursive: true });
+
+	// Write with pretty formatting
+	await writeFile(path, JSON.stringify(secrets, null, 2), 'utf-8');
+}
+
+/**
+ * Convert StageSecrets to embeddable format (flat key-value pairs).
+ * This is what gets encrypted and embedded in the bundle.
+ */
+export function toEmbeddableSecrets(secrets: StageSecrets): EmbeddableSecrets {
+	return {
+		...secrets.urls,
+		...secrets.custom,
+		// Also include individual service credentials if needed
+		...(secrets.services.postgres && {
+			POSTGRES_USER: secrets.services.postgres.username,
+			POSTGRES_PASSWORD: secrets.services.postgres.password,
+			POSTGRES_DB: secrets.services.postgres.database ?? 'app',
+			POSTGRES_HOST: secrets.services.postgres.host,
+			POSTGRES_PORT: String(secrets.services.postgres.port),
+		}),
+		...(secrets.services.redis && {
+			REDIS_PASSWORD: secrets.services.redis.password,
+			REDIS_HOST: secrets.services.redis.host,
+			REDIS_PORT: String(secrets.services.redis.port),
+		}),
+		...(secrets.services.rabbitmq && {
+			RABBITMQ_USER: secrets.services.rabbitmq.username,
+			RABBITMQ_PASSWORD: secrets.services.rabbitmq.password,
+			RABBITMQ_HOST: secrets.services.rabbitmq.host,
+			RABBITMQ_PORT: String(secrets.services.rabbitmq.port),
+			RABBITMQ_VHOST: secrets.services.rabbitmq.vhost ?? '/',
+		}),
+	};
+}
+
+/**
+ * Update a custom secret in the secrets file.
+ */
+export async function setCustomSecret(
+	stage: string,
+	key: string,
+	value: string,
+	cwd = process.cwd(),
+): Promise<StageSecrets> {
+	const secrets = await readStageSecrets(stage, cwd);
+
+	if (!secrets) {
+		throw new Error(
+			`Secrets not found for stage "${stage}". Run "gkm secrets:init --stage ${stage}" first.`,
+		);
+	}
+
+	const updated: StageSecrets = {
+		...secrets,
+		updatedAt: new Date().toISOString(),
+		custom: {
+			...secrets.custom,
+			[key]: value,
+		},
+	};
+
+	await writeStageSecrets(updated, cwd);
+	return updated;
+}
+
+/**
+ * Mask a password for display (show first 4 and last 2 chars).
+ */
+export function maskPassword(password: string): string {
+	if (password.length <= 8) {
+		return '********';
+	}
+	return `${password.slice(0, 4)}${'*'.repeat(password.length - 6)}${password.slice(-2)}`;
+}
+
+/**
+ * Result of environment variable validation.
+ */
+export interface EnvValidationResult {
+	/** Whether all required environment variables are present */
+	valid: boolean;
+	/** List of missing environment variable names */
+	missing: string[];
+	/** List of environment variables that are provided */
+	provided: string[];
+	/** List of environment variables that were required */
+	required: string[];
+}
+
+/**
+ * Validate that all required environment variables are present in secrets.
+ *
+ * @param requiredVars - Array of environment variable names required by the application
+ * @param secrets - Stage secrets to validate against
+ * @returns Validation result with missing and provided variables
+ *
+ * @example
+ * ```typescript
+ * const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];
+ * const secrets = await readStageSecrets('production');
+ * const result = validateEnvironmentVariables(required, secrets);
+ *
+ * if (!result.valid) {
+ *   console.error(`Missing environment variables: ${result.missing.join(', ')}`);
+ * }
+ * ```
+ */
+export function validateEnvironmentVariables(
+	requiredVars: string[],
+	secrets: StageSecrets,
+): EnvValidationResult {
+	const embeddable = toEmbeddableSecrets(secrets);
+	const availableVars = new Set(Object.keys(embeddable));
+
+	const missing: string[] = [];
+	const provided: string[] = [];
+
+	for (const varName of requiredVars) {
+		if (availableVars.has(varName)) {
+			provided.push(varName);
+		} else {
+			missing.push(varName);
+		}
+	}
+
+	return {
+		valid: missing.length === 0,
+		missing: missing.sort(),
+		provided: provided.sort(),
+		required: [...requiredVars].sort(),
+	};
+}

package/src/secrets/types.ts

@@ -0,0 +1,53 @@
+import type { ComposeServiceName } from '../types';
+
+/** Credentials for a specific service */
+export interface ServiceCredentials {
+	host: string;
+	port: number;
+	username: string;
+	password: string;
+	/** Database name (for postgres) */
+	database?: string;
+	/** Virtual host (for rabbitmq) */
+	vhost?: string;
+}
+
+/** Stage secrets configuration */
+export interface StageSecrets {
+	/** Stage name (e.g., 'production', 'staging') */
+	stage: string;
+	/** ISO timestamp when secrets were created */
+	createdAt: string;
+	/** ISO timestamp when secrets were last updated */
+	updatedAt: string;
+	/** Service-specific credentials */
+	services: {
+		postgres?: ServiceCredentials;
+		redis?: ServiceCredentials;
+		rabbitmq?: ServiceCredentials;
+	};
+	/** Generated connection URLs */
+	urls: {
+		DATABASE_URL?: string;
+		REDIS_URL?: string;
+		RABBITMQ_URL?: string;
+	};
+	/** Custom user-defined secrets */
+	custom: Record<string, string>;
+}
+
+/** Encrypted payload for build-time injection */
+export interface EncryptedPayload {
+	/** Base64 encoded encrypted data (ciphertext + auth tag) */
+	encrypted: string;
+	/** Hex encoded IV */
+	iv: string;
+	/** Hex encoded ephemeral master key (for deployment) */
+	masterKey: string;
+}
+
+/** Secrets that get encrypted and embedded in the bundle */
+export type EmbeddableSecrets = Record<string, string>;
+
+/** Services that support automatic credential generation */
+export type SecretServiceName = ComposeServiceName;