@geekmidas/cli 0.18.0 → 0.19.0

package/src/init/versions.ts

@@ -0,0 +1,47 @@
+import { createRequire } from 'node:module';
+
+const require = createRequire(import.meta.url);
+// Path is ../package.json from dist/ (bundled output is flat)
+const pkg = require('../package.json') as { version: string };
+
+/**
+ * CLI version from package.json (used for scaffolded projects)
+ */
+export const CLI_VERSION = `~${pkg.version}`;
+
+/**
+ * Current released versions of @geekmidas packages
+ * Update these when publishing new versions
+ * Note: CLI version is read from package.json via CLI_VERSION
+ */
+export const GEEKMIDAS_VERSIONS = {
+	'@geekmidas/audit': '~0.2.0',
+	'@geekmidas/auth': '~0.2.0',
+	'@geekmidas/cache': '~0.2.0',
+	'@geekmidas/cli': CLI_VERSION,
+	'@geekmidas/client': '~0.5.0',
+	'@geekmidas/cloud': '~0.2.0',
+	'@geekmidas/constructs': '~0.6.0',
+	'@geekmidas/db': '~0.3.0',
+	'@geekmidas/emailkit': '~0.2.0',
+	'@geekmidas/envkit': '~0.4.0',
+	'@geekmidas/errors': '~0.1.0',
+	'@geekmidas/events': '~0.2.0',
+	'@geekmidas/logger': '~0.4.0',
+	'@geekmidas/rate-limit': '~0.3.0',
+	'@geekmidas/schema': '~0.1.0',
+	'@geekmidas/services': '~0.2.0',
+	'@geekmidas/storage': '~0.1.0',
+	'@geekmidas/studio': '~0.4.0',
+	'@geekmidas/telescope': '~0.4.0',
+	'@geekmidas/testkit': '~0.6.0',
+};
+
+export type GeekmidasPackage = keyof typeof GEEKMIDAS_VERSIONS;
+
+/**
+ * Get the version for a @geekmidas package
+ */
+export function getPackageVersion(pkg: GeekmidasPackage): string {
+	return GEEKMIDAS_VERSIONS[pkg]!;
+}

package/src/secrets/keystore.ts

@@ -0,0 +1,144 @@
+import { randomBytes } from 'node:crypto';
+import { existsSync } from 'node:fs';
+import { chmod, mkdir, readFile, rm, writeFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { basename, join } from 'node:path';
+
+/** Key length for AES-256 encryption */
+const KEY_LENGTH = 32; // 256 bits
+
+/**
+ * Get the keystore directory for a project.
+ * Keys are stored at ~/.gkm/{project-name}/
+ *
+ * @param projectName - Name of the project (defaults to current directory name)
+ * @returns Path to the keystore directory
+ */
+export function getKeystoreDir(projectName?: string): string {
+	const name = projectName ?? basename(process.cwd());
+	return join(homedir(), '.gkm', name);
+}
+
+/**
+ * Get the path to a stage's encryption key.
+ *
+ * @param stage - Stage name (e.g., 'development', 'production')
+ * @param projectName - Name of the project (defaults to current directory name)
+ * @returns Path to the key file
+ */
+export function getKeyPath(stage: string, projectName?: string): string {
+	return join(getKeystoreDir(projectName), `${stage}.key`);
+}
+
+/**
+ * Check if a key exists for a stage.
+ */
+export function keyExists(stage: string, projectName?: string): boolean {
+	return existsSync(getKeyPath(stage, projectName));
+}
+
+/**
+ * Generate a new encryption key for a stage.
+ * The key is stored at ~/.gkm/{project-name}/{stage}.key with restricted permissions.
+ *
+ * @param stage - Stage name
+ * @param projectName - Project name (defaults to current directory name)
+ * @returns The generated key as a hex string
+ */
+export async function generateKey(
+	stage: string,
+	projectName?: string,
+): Promise<string> {
+	const keyDir = getKeystoreDir(projectName);
+	const keyPath = getKeyPath(stage, projectName);
+
+	// Ensure keystore directory exists with restricted permissions
+	await mkdir(keyDir, { recursive: true, mode: 0o700 });
+
+	// Generate random key
+	const key = randomBytes(KEY_LENGTH).toString('hex');
+
+	// Write key with restricted permissions (owner read/write only)
+	await writeFile(keyPath, key, { mode: 0o600, encoding: 'utf-8' });
+
+	// Ensure permissions are set correctly (in case file existed)
+	await chmod(keyPath, 0o600);
+
+	return key;
+}
+
+/**
+ * Read an encryption key for a stage.
+ *
+ * @param stage - Stage name
+ * @param projectName - Project name (defaults to current directory name)
+ * @returns The key as a hex string, or null if not found
+ */
+export async function readKey(
+	stage: string,
+	projectName?: string,
+): Promise<string | null> {
+	const keyPath = getKeyPath(stage, projectName);
+
+	if (!existsSync(keyPath)) {
+		return null;
+	}
+
+	const key = await readFile(keyPath, 'utf-8');
+	return key.trim();
+}
+
+/**
+ * Read an encryption key for a stage, throwing if not found.
+ */
+export async function requireKey(
+	stage: string,
+	projectName?: string,
+): Promise<string> {
+	const key = await readKey(stage, projectName);
+
+	if (!key) {
+		const name = projectName ?? basename(process.cwd());
+		throw new Error(
+			`Encryption key not found for stage "${stage}" in project "${name}". ` +
+				`Expected key at: ${getKeyPath(stage, projectName)}`,
+		);
+	}
+
+	return key;
+}
+
+/**
+ * Delete a key for a stage.
+ */
+export async function deleteKey(
+	stage: string,
+	projectName?: string,
+): Promise<void> {
+	const keyPath = getKeyPath(stage, projectName);
+
+	if (existsSync(keyPath)) {
+		await rm(keyPath);
+	}
+}
+
+/**
+ * Get or create a key for a stage.
+ * If the key already exists, it is returned. Otherwise, a new key is generated.
+ *
+ * @param stage - Stage name
+ * @param projectName - Project name (defaults to current directory name)
+ * @returns The key as a hex string
+ */
+export async function getOrCreateKey(
+	stage: string,
+	projectName?: string,
+): Promise<string> {
+	const existingKey = await readKey(stage, projectName);
+
+	if (existingKey) {
+		return existingKey;
+	}
+
+	return generateKey(stage, projectName);
+}

package/src/secrets/storage.ts

@@ -1,11 +1,28 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
 import { existsSync } from 'node:fs';
 import { mkdir, readFile, writeFile } from 'node:fs/promises';
-import { join } from 'node:path';
+import { basename, join } from 'node:path';
+import { getOrCreateKey, readKey } from './keystore';
 import type { EmbeddableSecrets, StageSecrets } from './types';
 
 /** Default secrets directory relative to project root */
 const SECRETS_DIR = '.gkm/secrets';
 
+/** AES-256-GCM configuration */
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12; // 96 bits for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+
+/** Encrypted secrets file structure */
+interface EncryptedSecretsFile {
+	/** Version for future format changes */
+	version: 1;
+	/** Base64 encoded encrypted data (ciphertext + auth tag) */
+	encrypted: string;
+	/** Hex encoded IV */
+	iv: string;
+}
+
 /**
  * Get the secrets directory path.
  */
@@ -43,7 +60,69 @@ export function initStageSecrets(stage: string): StageSecrets {
 }
 
 /**
- * Read secrets for a stage.
+ * Encrypt secrets using a key.
+ */
+function encryptSecretsData(
+	secrets: StageSecrets,
+	keyHex: string,
+): EncryptedSecretsFile {
+	const key = Buffer.from(keyHex, 'hex');
+	const iv = randomBytes(IV_LENGTH);
+
+	// Serialize secrets to JSON
+	const plaintext = JSON.stringify(secrets);
+
+	// Encrypt
+	const cipher = createCipheriv(ALGORITHM, key, iv);
+	const ciphertext = Buffer.concat([
+		cipher.update(plaintext, 'utf-8'),
+		cipher.final(),
+	]);
+
+	// Get auth tag
+	const authTag = cipher.getAuthTag();
+
+	// Combine ciphertext + auth tag
+	const combined = Buffer.concat([ciphertext, authTag]);
+
+	return {
+		version: 1,
+		encrypted: combined.toString('base64'),
+		iv: iv.toString('hex'),
+	};
+}
+
+/**
+ * Decrypt secrets using a key.
+ */
+function decryptSecretsData(
+	data: EncryptedSecretsFile,
+	keyHex: string,
+): StageSecrets {
+	const key = Buffer.from(keyHex, 'hex');
+	const ivBuffer = Buffer.from(data.iv, 'hex');
+	const combined = Buffer.from(data.encrypted, 'base64');
+
+	// Split ciphertext and auth tag
+	const ciphertext = combined.subarray(0, -AUTH_TAG_LENGTH);
+	const authTag = combined.subarray(-AUTH_TAG_LENGTH);
+
+	// Decrypt
+	const decipher = createDecipheriv(ALGORITHM, key, ivBuffer);
+	decipher.setAuthTag(authTag);
+
+	const plaintext = Buffer.concat([
+		decipher.update(ciphertext),
+		decipher.final(),
+	]);
+
+	return JSON.parse(plaintext.toString('utf-8')) as StageSecrets;
+}
+
+/**
+ * Read secrets for a stage (encrypted).
+ * Requires the decryption key to be present at ~/.gkm/{project}/{stage}.key
+ *
  * @returns StageSecrets or null if not found
  */
 export async function readStageSecrets(
@@ -57,11 +136,30 @@ export async function readStageSecrets(
 	}
 
 	const content = await readFile(path, 'utf-8');
-	return JSON.parse(content) as StageSecrets;
+	const data = JSON.parse(content);
+
+	// Check if this is an encrypted file (has version field)
+	if (data.version === 1 && data.encrypted && data.iv) {
+		const projectName = basename(cwd);
+		const key = await readKey(stage, projectName);
+
+		if (!key) {
+			throw new Error(
+				`Decryption key not found for stage "${stage}". ` +
+					`Expected key at: ~/.gkm/${projectName}/${stage}.key`,
+			);
+		}
+
+		return decryptSecretsData(data as EncryptedSecretsFile, key);
+	}
+
+	// Legacy: unencrypted format (for backwards compatibility)
+	return data as StageSecrets;
 }
 
 /**
- * Write secrets for a stage.
+ * Write secrets for a stage (encrypted).
+ * Creates or uses existing encryption key at ~/.gkm/{project}/{stage}.key
  */
 export async function writeStageSecrets(
 	secrets: StageSecrets,
@@ -69,12 +167,17 @@ export async function writeStageSecrets(
 ): Promise<void> {
 	const dir = getSecretsDir(cwd);
 	const path = getSecretsPath(secrets.stage, cwd);
+	const projectName = basename(cwd);
 
 	// Ensure directory exists
 	await mkdir(dir, { recursive: true });
 
-	// Write with pretty formatting
-	await writeFile(path, JSON.stringify(secrets, null, 2), 'utf-8');
+	// Get or create encryption key
+	const key = await getOrCreateKey(secrets.stage, projectName);
+
+	// Encrypt and write
+	const encrypted = encryptSecretsData(secrets, key);
+	await writeFile(path, JSON.stringify(encrypted, null, 2), 'utf-8');
 }
 
 /**

package/src/test/index.ts

@@ -0,0 +1,97 @@
+import { spawn } from 'node:child_process';
+import { readStageSecrets, toEmbeddableSecrets } from '../secrets/storage';
+
+export interface TestOptions {
+	/** Stage to load secrets from (default: development) */
+	stage?: string;
+	/** Run tests once without watch mode */
+	run?: boolean;
+	/** Enable watch mode */
+	watch?: boolean;
+	/** Generate coverage report */
+	coverage?: boolean;
+	/** Open Vitest UI */
+	ui?: boolean;
+	/** Pattern to filter tests */
+	pattern?: string;
+}
+
+/**
+ * Run tests with secrets loaded from the specified stage.
+ * Secrets are decrypted and injected into the environment.
+ */
+export async function testCommand(options: TestOptions = {}): Promise<void> {
+	const stage = options.stage ?? 'development';
+
+	console.log(`\n🧪 Running tests with ${stage} secrets...\n`);
+
+	// Load and decrypt secrets
+	let envVars: Record<string, string> = {};
+	try {
+		const secrets = await readStageSecrets(stage);
+		if (secrets) {
+			envVars = toEmbeddableSecrets(secrets);
+			console.log(
+				`  Loaded ${Object.keys(envVars).length} secrets from ${stage}\n`,
+			);
+		} else {
+			console.log(`  No secrets found for ${stage}, running without secrets\n`);
+		}
+	} catch (error) {
+		if (error instanceof Error && error.message.includes('key not found')) {
+			console.log(
+				`  Decryption key not found for ${stage}, running without secrets\n`,
+			);
+		} else {
+			throw error;
+		}
+	}
+
+	// Build vitest args
+	const args: string[] = [];
+
+	if (options.run) {
+		args.push('run');
+	} else if (options.watch) {
+		args.push('--watch');
+	}
+
+	if (options.coverage) {
+		args.push('--coverage');
+	}
+
+	if (options.ui) {
+		args.push('--ui');
+	}
+
+	if (options.pattern) {
+		args.push(options.pattern);
+	}
+
+	// Run vitest with secrets in environment
+	const vitestProcess = spawn('npx', ['vitest', ...args], {
+		cwd: process.cwd(),
+		stdio: 'inherit',
+		env: {
+			...process.env,
+			...envVars,
+			// Ensure NODE_ENV is set to test
+			NODE_ENV: 'test',
+		},
+	});
+
+	// Wait for vitest to complete
+	return new Promise((resolve, reject) => {
+		vitestProcess.on('close', (code) => {
+			if (code === 0) {
+				resolve();
+			} else {
+				reject(new Error(`Tests failed with exit code ${code}`));
+			}
+		});
+
+		vitestProcess.on('error', (error) => {
+			reject(error);
+		});
+	});
+}