@gokiteam/goki-dev 0.2.0

package/bin/secrets-cli.js

@@ -0,0 +1,302 @@
+#!/usr/bin/env node
+import { Command } from 'commander'
+import chalk from 'chalk'
+import { createRequire } from 'module'
+import { SecretsManager } from '../cli/secrets/SecretsManager.js'
+import { SecretInjector } from '../cli/secrets/SecretInjector.js'
+import { SecretsConfig } from '../cli/secrets/SecretsConfig.js'
+import { SecretsDoctor } from '../cli/secrets/SecretsDoctor.js'
+import { BiometricAuth } from '../cli/secrets/BiometricAuth.js'
+
+const require = createRequire(import.meta.url)
+const pkg = require('../package.json')
+
+async function createManager (options = {}) {
+  const manager = await SecretsManager.create({ projectDir: process.cwd() })
+  if (manager.projectName && !options.silent) {
+    console.log(chalk.blue('  \u2139'), `project detected: ${manager.projectName}`)
+  }
+  return manager
+}
+
+const program = new Command()
+
+program
+  .name('goki-secrets')
+  .description('Goki secrets manager \u2014 macOS Keychain-backed credentials')
+  .version(pkg.version)
+  .enablePositionalOptions()
+
+// --- CRUD ---
+
+program
+  .command('set <key> [value]')
+  .description('Set a secret (value prompted if omitted)')
+  .option('--global', 'Force global scope')
+  .option('--description <desc>', 'Optional metadata description')
+  .action(async (key, value, options) => {
+    try {
+      if (!value) {
+        const inquirer = (await import('inquirer')).default
+        const answers = await inquirer.prompt([{
+          type: 'password',
+          name: 'value',
+          message: `Enter value for ${key}:`,
+          mask: '\u25CF'
+        }])
+        value = answers.value
+      }
+      const manager = await createManager()
+      await manager.unlock()
+      const scope = options.global ? 'global' : undefined
+      await manager.set(key, value, { scope, description: options.description })
+      const resolvedScope = options.global ? 'global' : (manager.projectName ? `project: ${manager.projectName}` : 'global')
+      console.log(chalk.green(`  \u2713 set ${key} (${resolvedScope})`))
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+program
+  .command('get <key>')
+  .description('Print secret value to stdout')
+  .option('--global', 'Force global scope')
+  .action(async (key, options) => {
+    try {
+      const manager = await createManager({ silent: true })
+      await manager.unlock()
+      let value
+      if (options.global) {
+        const globalSecrets = manager.getGlobalSecrets()
+        value = globalSecrets[key]
+      } else {
+        value = manager.get(key)
+      }
+      if (value === undefined) {
+        console.error(chalk.red(`  \u2717 secret not found: ${key}`))
+        process.exit(1)
+      }
+      process.stdout.write(value)
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+program
+  .command('delete <key>')
+  .description('Remove secret from keychain and index')
+  .option('--global', 'Force global scope')
+  .action(async (key, options) => {
+    try {
+      const manager = await createManager()
+      await manager.unlock()
+      const scope = options.global ? 'global' : undefined
+      await manager.delete(key, { scope })
+      console.log(chalk.green(`  \u2713 deleted ${key}`))
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+program
+  .command('list')
+  .description('List keys and metadata (never values)')
+  .option('--format <format>', 'Output format: table or json', 'table')
+  .action(async (options) => {
+    try {
+      const manager = await createManager()
+      const entries = manager.list()
+      if (options.format === 'json') {
+        console.log(JSON.stringify(entries, null, 2))
+        return
+      }
+      if (entries.length === 0) {
+        console.log(chalk.dim('  No secrets found'))
+        return
+      }
+      const globalEntries = entries.filter(e => e.scope === 'global')
+      const projectEntries = entries.filter(e => e.scope === 'project')
+      if (globalEntries.length > 0) {
+        console.log()
+        console.log(chalk.bold('  Global'))
+        console.log(chalk.dim('  ' + '-'.repeat(60)))
+        printTable(globalEntries)
+      }
+      if (projectEntries.length > 0) {
+        const projectName = projectEntries[0].project || manager.projectName
+        console.log()
+        console.log(chalk.bold(`  Project: ${projectName}`))
+        console.log(chalk.dim('  ' + '-'.repeat(60)))
+        printTable(projectEntries)
+      }
+      console.log()
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+function printTable (entries) {
+  const keyWidth = Math.max(12, ...entries.map(e => e.key.length)) + 2
+  const descWidth = Math.max(14, ...entries.map(e => (e.description || '').length)) + 2
+  console.log(
+    '  ' +
+    'KEY'.padEnd(keyWidth) +
+    'DESCRIPTION'.padEnd(descWidth) +
+    'UPDATED'
+  )
+  for (const entry of entries) {
+    const updated = entry.updatedAt
+      ? new Date(entry.updatedAt).toLocaleDateString()
+      : '-'
+    console.log(
+      '  ' +
+      entry.key.padEnd(keyWidth) +
+      (entry.description || '-').padEnd(descWidth) +
+      updated
+    )
+  }
+}
+
+// --- Injection ---
+
+program
+  .command('run')
+  .description('Run command with secrets injected as env vars')
+  .option('--verbose', 'Show injected key names')
+  .passThroughOptions()
+  .allowUnknownOption(true)
+  .argument('<command...>', 'Command and arguments to run')
+  .action(async (commandArgs, options) => {
+    try {
+      const manager = await createManager()
+      await manager.unlock()
+      const injector = new SecretInjector(manager)
+      const [cmd, ...args] = commandArgs
+      await injector.run(cmd, args, { verbose: options.verbose })
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+program
+  .command('env')
+  .description('Print secrets as export statements')
+  .option('--format <format>', 'Output format: shell or json', 'shell')
+  .option('--keys <keys>', 'Filter to specific keys (comma-separated)')
+  .action(async (options) => {
+    try {
+      const manager = await createManager({ silent: true })
+      await manager.unlock()
+      const injector = new SecretInjector(manager)
+      const output = injector.formatEnv({
+        format: options.format,
+        keys: options.keys
+      })
+      console.log(output)
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+// --- Project onboarding ---
+
+program
+  .command('setup')
+  .description('Interactive: prompt for missing secrets')
+  .action(async () => {
+    try {
+      const manager = await createManager()
+      await manager.unlock()
+      const config = new SecretsConfig(manager)
+      await config.setup()
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+program
+  .command('check')
+  .description('Non-interactive: verify required secrets exist')
+  .action(async () => {
+    try {
+      const manager = await createManager()
+      await manager.unlock()
+      const config = new SecretsConfig(manager)
+      const ok = await config.check()
+      if (!ok) process.exit(1)
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+// --- Audit ---
+
+program
+  .command('doctor')
+  .description('Scan for plaintext credentials')
+  .option('--fix', 'Interactively migrate plaintext credentials to keychain')
+  .action(async (options) => {
+    try {
+      const doctor = new SecretsDoctor(process.cwd())
+      const findings = await doctor.scan()
+      if (!options.fix) {
+        doctor.report(findings)
+        if (findings.length > 0) process.exit(1)
+        return
+      }
+      doctor.report(findings)
+      if (findings.length === 0) return
+      const manager = await createManager()
+      await manager.unlock()
+      await doctor.interactiveFix(findings, manager)
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+// --- Config ---
+
+program
+  .command('config [setting] [value]')
+  .description('Show or update preferences')
+  .action(async (setting, value) => {
+    try {
+      if (!setting) {
+        const prefs = BiometricAuth.loadPreferences()
+        console.log()
+        console.log(chalk.bold('  Preferences'))
+        console.log(chalk.dim('  ' + '-'.repeat(40)))
+        console.log(`  biometric:  ${prefs.biometric !== false ? chalk.green('on') : chalk.red('off')}`)
+        console.log(`  passphrase: ${prefs.passphraseHash ? chalk.green('set') : chalk.dim('not set')}`)
+        console.log()
+        return
+      }
+      if (setting === 'biometric') {
+        if (value !== 'on' && value !== 'off') {
+          console.error(chalk.red('  \u2717 usage: goki-secrets config biometric on|off'))
+          process.exit(1)
+        }
+        const prefs = BiometricAuth.loadPreferences()
+        prefs.biometric = value === 'on'
+        BiometricAuth.savePreferences(prefs)
+        console.log(chalk.green(`  \u2713 biometric ${value}`))
+        return
+      }
+      console.error(chalk.red(`  \u2717 unknown setting: ${setting}`))
+      process.exit(1)
+    } catch (error) {
+      console.error(chalk.red(`  \u2717 ${error.message}`))
+      process.exit(1)
+    }
+  })
+
+program.parse()

package/cli/ComposeOverrideGenerator.js

@@ -0,0 +1,226 @@
+import fs from 'fs'
+import path from 'path'
+import os from 'os'
+import { parseComposeFile } from './ComposeParser.js'
+import { ensureDir, getPath } from './DevToolsDir.js'
+
+const OVERRIDE_FILE = 'docker-compose.override.yml'
+
+/**
+ * Fixed environment variable overrides per service type
+ * Applied automatically when a service is enabled in config.services
+ */
+const SERVICE_ENV_OVERRIDES = {
+  redis: {
+    REDIS_HOST: 'goki-redis',
+    REDIS_PORT: '6379',
+    RED_LOCK_HOST: 'goki-redis',
+    RED_LOCK_PORT: '6379'
+  },
+  pubsub: {
+    PUBSUB_EMULATOR_HOST: 'goki-pubsub-emulator:8085',
+    PUB_SUB_KEY_FILE_NAME: '',
+    PUB_SUB_PROJECT_ID: 'tipi-development'
+  },
+  firestore: {
+    FIRESTORE_EMULATOR_HOST: 'goki-firestore-emulator:8080',
+    FIRESTORE_KEY_FILE_NAME: '',
+    FIRESTORE_PROJECT_ID: 'tipi-development'
+  },
+  postgres: {
+    POSTGRES_HOST: 'goki-postgres'
+  },
+  elasticsearch: {
+    ELASTIC_CLOUD_ID: '',
+    ELASTIC_NODE: 'http://goki-elasticsearch:9200'
+  },
+  _always: {
+    DEV_TOOLS_URL: 'http://goki-dev-tools-backend:9000'
+  }
+}
+
+/**
+ * Get the path to the override file
+ */
+export function getOverridePath (projectDir) {
+  return getPath(projectDir, OVERRIDE_FILE)
+}
+
+/**
+ * Build environment overrides based on enabled services
+ */
+function buildServiceEnvOverrides (services) {
+  const envOverrides = { ...SERVICE_ENV_OVERRIDES._always }
+  if (!services) return envOverrides
+  for (const [service, enabled] of Object.entries(services)) {
+    if (enabled && SERVICE_ENV_OVERRIDES[service]) {
+      Object.assign(envOverrides, SERVICE_ENV_OVERRIDES[service])
+    }
+  }
+  return envOverrides
+}
+
+/**
+ * Auto-detect Dockerfile.dev in project directory
+ */
+function detectDockerfileDev (projectDir) {
+  const devDockerfile = path.join(projectDir, 'Dockerfile.dev')
+  if (fs.existsSync(devDockerfile)) return 'Dockerfile.dev'
+  return null
+}
+
+/**
+ * Resolve NPM_REGISTRY value for build args
+ * Checks: env var > secretsManager > .npmrc auth token > NPM_TOKEN env var
+ */
+function resolveNpmRegistry (projectDir, secretsManager) {
+  if (process.env.NPM_REGISTRY) return process.env.NPM_REGISTRY
+  // Check keychain via secretsManager (if available)
+  if (secretsManager) {
+    const npmToken = secretsManager.get('NPM_TOKEN')
+    if (npmToken) {
+      return `//registry.npmjs.org/:_authToken=${npmToken}`
+    }
+  }
+  const npmrcPaths = [
+    path.join(projectDir, '.npmrc'),
+    path.join(os.homedir(), '.npmrc')
+  ]
+  for (const npmrcPath of npmrcPaths) {
+    if (!fs.existsSync(npmrcPath)) continue
+    const content = fs.readFileSync(npmrcPath, 'utf-8')
+    for (const line of content.split('\n')) {
+      const trimmed = line.trim()
+      if (!trimmed || trimmed.startsWith('#')) continue
+      const match = trimmed.match(/^(\/\/[^:]+\/:_authToken)=(.+)$/)
+      if (match) {
+        const token = match[2].startsWith('${') ? null : match[2]
+        if (token) return `${match[1]}=${token}`
+      }
+    }
+  }
+  if (process.env.NPM_TOKEN) {
+    return `//registry.npmjs.org/:_authToken=${process.env.NPM_TOKEN}`
+  }
+  return null
+}
+
+/**
+ * Check if a Dockerfile has ARG NPM_REGISTRY
+ */
+function dockerfileNeedsNpmRegistry (projectDir, dockerfile) {
+  const dockerfilePath = path.resolve(projectDir, dockerfile)
+  if (!fs.existsSync(dockerfilePath)) return false
+  const content = fs.readFileSync(dockerfilePath, 'utf-8')
+  return content.split('\n').some(l => /^ARG\s+NPM_REGISTRY\s*$/.test(l))
+}
+
+/**
+ * Generate the combined docker-compose override file
+ *
+ * @param {object} config - The .dev-tools/config.js config object
+ * @param {string} projectDir - Absolute path to the project root
+ * @param {object} options - Additional override data
+ * @param {Array} options.proxyRewrites - HTTP proxy URL rewrites [{key, proxied}]
+ * @param {Array} options.webhookRewrites - Webhook URL rewrites [{key, substituted}]
+ * @param {Array} options.secretKeys - Secret key names to include as key-only entries (values from process env)
+ * @returns {{ overridePath, serviceName, envOverrides, secretKeys }} or null on failure
+ */
+export function generateComposeOverride (config, projectDir, options = {}) {
+  const docker = config.docker || {}
+  const composeFile = docker.composeFile || 'docker-compose.yaml'
+  const composePath = path.join(projectDir, composeFile)
+  // Parse base compose to get service name
+  const { serviceName } = parseComposeFile(composePath)
+  if (!serviceName) {
+    return null
+  }
+  // Determine dockerfile
+  const dockerfile = docker.dockerfile || detectDockerfileDev(projectDir)
+  // Build environment overrides (layered)
+  const envOverrides = {}
+  // 1. Fixed service overrides
+  Object.assign(envOverrides, buildServiceEnvOverrides(config.services))
+  // 2. HTTP proxy rewrites
+  if (options.proxyRewrites?.length) {
+    for (const r of options.proxyRewrites) {
+      envOverrides[r.key] = r.proxied
+    }
+  }
+  // 3. Webhook URL rewrites
+  if (options.webhookRewrites?.length) {
+    for (const r of options.webhookRewrites) {
+      envOverrides[r.key] = r.substituted
+    }
+  }
+  // 4. Project-specific env overrides from config (highest priority)
+  if (docker.environment) {
+    Object.assign(envOverrides, docker.environment)
+  }
+  // Build YAML sections
+  const sections = []
+  // Build section (dockerfile + build args)
+  const buildLines = []
+  if (dockerfile) {
+    buildLines.push('    build:')
+    buildLines.push('      context: .')
+    buildLines.push(`      dockerfile: ${dockerfile}`)
+    // Check if we need NPM_REGISTRY build arg
+    const npmRegistry = resolveNpmRegistry(projectDir, options.secretsManager)
+    const needsNpmRegistry = dockerfile && dockerfileNeedsNpmRegistry(projectDir, dockerfile)
+    if (npmRegistry && needsNpmRegistry) {
+      buildLines.push('      args:')
+      buildLines.push(`        - NPM_REGISTRY=${npmRegistry}`)
+    }
+  }
+  if (buildLines.length) sections.push(buildLines.join('\n'))
+  // Container name
+  if (docker.containerName) {
+    sections.push(`    container_name: ${docker.containerName}`)
+  }
+  // Ports
+  if (docker.ports?.http) {
+    sections.push('    ports:\n      - "${port}:3000"'.replace('${port}', docker.ports.http))
+  }
+  // Volumes
+  if (docker.volumes?.length) {
+    const volumeLines = docker.volumes.map(v => `      - ${v}`)
+    sections.push('    volumes:\n' + volumeLines.join('\n'))
+  }
+  // Network
+  sections.push('    networks:\n      - goki-network')
+  // Environment
+  const envLines = Object.entries(envOverrides).map(([k, v]) => `      - ${k}=${v}`)
+  // Secret keys — key-only entries (values injected via process env at runtime)
+  const secretKeys = options.secretKeys || []
+  const secretLines = secretKeys
+    .filter(k => !(k in envOverrides))
+    .map(k => `      - ${k}`)
+  const allEnvLines = [...envLines, ...secretLines]
+  if (allEnvLines.length) {
+    sections.push('    environment:\n' + allEnvLines.join('\n'))
+  }
+  // Restart policy
+  sections.push('    restart: unless-stopped')
+  // Compose the full override file
+  const overrideContent = `# Auto-generated by goki-dev CLI — DO NOT EDIT
+# Overrides ${composeFile} for local development with dev-tools
+# Regenerated on every start
+
+services:
+  ${serviceName}:
+${sections.join('\n')}
+
+networks:
+  goki-network:
+    name: goki-network
+    external: true
+`
+  // Ensure .dev-tools/ dir exists and write
+  ensureDir(projectDir)
+  const overridePath = getOverridePath(projectDir)
+  fs.writeFileSync(overridePath, overrideContent)
+  return { overridePath, serviceName, envOverrides, secretKeys }
+}
+
+export { SERVICE_ENV_OVERRIDES }

package/cli/ComposeParser.js

@@ -0,0 +1,73 @@
+import fs from 'fs'
+
+/**
+ * Parse a dotenv-style file into key-value pairs
+ * Handles comments, empty lines, and quoted values
+ */
+export function parseEnvFile (filePath) {
+  const vars = {}
+  if (!fs.existsSync(filePath)) return vars
+  const content = fs.readFileSync(filePath, 'utf-8')
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim()
+    if (!trimmed || trimmed.startsWith('#')) continue
+    const eqIndex = trimmed.indexOf('=')
+    if (eqIndex === -1) continue
+    const key = trimmed.substring(0, eqIndex).trim()
+    const value = trimmed.substring(eqIndex + 1).trim()
+    vars[key] = value
+  }
+  return vars
+}
+
+/**
+ * Parse a docker-compose YAML file to extract the first service name
+ * and its environment variables (from environment: section)
+ */
+export function parseComposeFile (composeFilePath) {
+  const result = { serviceName: null, envVars: {} }
+  if (!fs.existsSync(composeFilePath)) return result
+  const content = fs.readFileSync(composeFilePath, 'utf-8')
+  const lines = content.split('\n')
+  let inEnvironment = false
+  let inServices = false
+  for (const line of lines) {
+    const trimmed = line.trim()
+    if (trimmed === 'services:') {
+      inServices = true
+      continue
+    }
+    if (inServices && !result.serviceName && trimmed.endsWith(':') && !trimmed.startsWith('#') && !trimmed.startsWith('-')) {
+      result.serviceName = trimmed.replace(':', '').trim()
+    }
+    if (trimmed === 'environment:') {
+      inEnvironment = true
+      continue
+    }
+    if (inEnvironment) {
+      if (trimmed.startsWith('- ') && trimmed.includes('=')) {
+        const envLine = trimmed.substring(2).trim()
+        const eqIndex = envLine.indexOf('=')
+        const key = envLine.substring(0, eqIndex)
+        const value = envLine.substring(eqIndex + 1)
+        result.envVars[key] = value
+      } else if (!trimmed.startsWith('-') && !trimmed.startsWith('#') && trimmed.length > 0) {
+        inEnvironment = false
+      }
+    }
+  }
+  return result
+}
+
+/**
+ * Collect all environment variables from both env_file and docker-compose environment section
+ * Compose environment overrides env_file values
+ */
+export function collectAllEnvVars (envFilePath, composeFilePath) {
+  const allVars = {}
+  const envFileVars = parseEnvFile(envFilePath)
+  Object.assign(allVars, envFileVars)
+  const { serviceName, envVars: composeVars } = parseComposeFile(composeFilePath)
+  Object.assign(allVars, composeVars)
+  return { allVars, serviceName }
+}