@hasna/configs 0.1.0 → 0.1.2

package/dist/cli/index.js

@@ -2073,7 +2073,7 @@ var {
 import chalk from "chalk";
 import { existsSync as existsSync6, readFileSync as readFileSync4 } from "fs";
 import { homedir as homedir3 } from "os";
-import { join as join5, resolve as resolve6 } from "path";
+import { join as join5, resolve as resolve5 } from "path";
 
 // src/types/index.ts
 class ConfigNotFoundError extends Error {
@@ -2503,138 +2503,303 @@ async function applyConfigs(configs, opts = {}) {
 }
 
 // src/lib/sync.ts
-import { existsSync as existsSync3, readdirSync, readFileSync as readFileSync2, statSync } from "fs";
-import { extname, join as join2, relative } from "path";
+import { existsSync as existsSync3, readdirSync, readFileSync as readFileSync2 } from "fs";
+import { extname, join as join2 } from "path";
 import { homedir as homedir2 } from "os";
-function detectCategory(filePath) {
-  const p = filePath.toLowerCase().replace(homedir2(), "~");
-  if (p.includes("/.claude/rules/") || p.endsWith("claude.md") || p.endsWith("agents.md") || p.endsWith("gemini.md"))
-    return "rules";
-  if (p.includes("/.claude/") || p.includes("/.codex/") || p.includes("/.gemini/") || p.includes("/.cursor/"))
-    return "agent";
-  if (p.includes(".mcp.json") || p.includes("mcp"))
-    return "mcp";
-  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc") || p.includes(".bash_profile"))
-    return "shell";
-  if (p.includes(".gitconfig") || p.includes(".gitignore"))
-    return "git";
-  if (p.includes(".npmrc") || p.includes("tsconfig") || p.includes("bunfig"))
-    return "tools";
-  if (p.includes(".secrets"))
-    return "secrets_schema";
-  return "tools";
-}
-function detectAgent(filePath) {
-  const p = filePath.toLowerCase().replace(homedir2(), "~");
-  if (p.includes("/.claude/") || p.endsWith("claude.md"))
-    return "claude";
-  if (p.includes("/.codex/") || p.endsWith("agents.md"))
-    return "codex";
-  if (p.includes("/.gemini/") || p.endsWith("gemini.md"))
-    return "gemini";
-  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc"))
-    return "zsh";
-  if (p.includes(".gitconfig") || p.includes(".gitignore"))
-    return "git";
-  if (p.includes(".npmrc"))
-    return "npm";
-  return "global";
+
+// src/lib/redact.ts
+var SECRET_KEY_PATTERN = /^(.*_?API_?KEY|.*_?TOKEN|.*_?SECRET|.*_?PASSWORD|.*_?PASSWD|.*_?CREDENTIAL|.*_?AUTH(?:_TOKEN|_KEY|ORIZATION)?|.*_?PRIVATE_?KEY|.*_?ACCESS_?KEY|.*_?CLIENT_?SECRET|.*_?SIGNING_?KEY|.*_?ENCRYPTION_?KEY|.*_AUTH_TOKEN)$/i;
+var VALUE_PATTERNS = [
+  { re: /npm_[A-Za-z0-9]{36,}/, reason: "npm token" },
+  { re: /gh[pousr]_[A-Za-z0-9_]{36,}/, reason: "GitHub token" },
+  { re: /sk-ant-[A-Za-z0-9\-_]{40,}/, reason: "Anthropic API key" },
+  { re: /sk-[A-Za-z0-9]{48,}/, reason: "OpenAI API key" },
+  { re: /xoxb-[0-9]+-[A-Za-z0-9\-]+/, reason: "Slack bot token" },
+  { re: /AIza[0-9A-Za-z\-_]{35}/, reason: "Google API key" },
+  { re: /ey[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\./, reason: "JWT token" },
+  { re: /AKIA[0-9A-Z]{16}/, reason: "AWS access key" }
+];
+var MIN_SECRET_VALUE_LEN = 8;
+function redactShell(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const m = line.match(/^(\s*(?:export\s+)?)([A-Z][A-Z0-9_]*)(\s*=\s*)(['"]?)(.+?)\4\s*$/);
+    if (m) {
+      const [, prefix, key, eq, quote, value] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const reason = reasonFor(key, value);
+        redacted.push({ varName: key, line: i + 1, reason });
+        out.push(`${prefix}${key}${eq}${quote}{{${key}}}${quote}`);
+        continue;
+      }
+    }
+    out.push(line);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-function detectFormat(filePath) {
-  const ext = extname(filePath).toLowerCase();
-  if (ext === ".json")
-    return "json";
-  if (ext === ".toml")
-    return "toml";
-  if (ext === ".yaml" || ext === ".yml")
-    return "yaml";
-  if (ext === ".md" || ext === ".markdown")
-    return "markdown";
-  if (ext === ".ini" || ext === ".cfg")
-    return "ini";
-  return "text";
+function redactJson(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const m = line.match(/^(\s*"([^"]+)"\s*:\s*)"([^"]+)"(,?)(\s*)$/);
+    if (m) {
+      const [, prefix, key, value, comma, trail] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const varName = key.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason: reasonFor(key, value) });
+        out.push(`${prefix}"{{${varName}}}"${comma}${trail}`);
+        continue;
+      }
+    }
+    let newLine = line;
+    for (const { re, reason } of VALUE_PATTERNS) {
+      newLine = newLine.replace(re, (match) => {
+        const varName = `REDACTED_${reason.toUpperCase().replace(/[^A-Z0-9]/g, "_")}`;
+        redacted.push({ varName, line: i + 1, reason });
+        return `{{${varName}}}`;
+      });
+    }
+    out.push(newLine);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-var SKIP_PATTERNS = [".db", ".db-shm", ".db-wal", ".log", ".lock", ".DS_Store", "node_modules", ".git"];
-function shouldSkip(p) {
-  return SKIP_PATTERNS.some((pat) => p.includes(pat));
+function redactToml(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const m = line.match(/^(\s*)([a-zA-Z][a-zA-Z0-9_\-]*)(\s*=\s*)(['"]?)(.+?)\4\s*$/);
+    if (m) {
+      const [, indent, key, eq, quote, value] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const varName = key.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason: reasonFor(key, value) });
+        out.push(`${indent}${key}${eq}${quote}{{${varName}}}${quote}`);
+        continue;
+      }
+    }
+    out.push(line);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-function walkDir(dir, files = []) {
-  const entries = readdirSync(dir, { withFileTypes: true });
-  for (const entry of entries) {
-    const full = join2(dir, entry.name);
-    if (shouldSkip(full))
+function redactIni(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const authM = line.match(/^(\/\/[^:]+:_authToken=)(.+)$/);
+    if (authM) {
+      redacted.push({ varName: "NPM_AUTH_TOKEN", line: i + 1, reason: "npm auth token" });
+      out.push(`${authM[1]}{{NPM_AUTH_TOKEN}}`);
       continue;
-    if (entry.isDirectory()) {
-      walkDir(full, files);
-    } else if (entry.isFile()) {
-      files.push(full);
     }
+    const m = line.match(/^(\s*)([a-zA-Z][a-zA-Z0-9_\-]*)(\s*=\s*)(.+?)\s*$/);
+    if (m) {
+      const [, indent, key, eq, value] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const varName = key.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason: reasonFor(key, value) });
+        out.push(`${indent}${key}${eq}{{${varName}}}`);
+        continue;
+      }
+    }
+    out.push(line);
   }
-  return files;
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-async function syncFromDir(dir, opts = {}) {
-  const d = opts.db || getDatabase();
-  const absDir = expandPath(dir);
-  if (!existsSync3(absDir)) {
-    return { added: 0, updated: 0, unchanged: 0, skipped: [`Directory not found: ${absDir}`] };
+function redactGeneric(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    let line = lines[i];
+    for (const { re, reason } of VALUE_PATTERNS) {
+      line = line.replace(re, (match) => {
+        const varName = reason.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason });
+        return `{{${varName}}}`;
+      });
+    }
+    out.push(line);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
+}
+function shouldRedactKeyValue(key, value) {
+  if (!value || value.startsWith("{{"))
+    return false;
+  if (value.length < MIN_SECRET_VALUE_LEN)
+    return false;
+  if (/^(true|false|yes|no|on|off|null|undefined|\d+)$/i.test(value))
+    return false;
+  if (SECRET_KEY_PATTERN.test(key))
+    return true;
+  for (const { re } of VALUE_PATTERNS) {
+    if (re.test(value))
+      return true;
   }
-  const files = opts.recursive !== false ? walkDir(absDir) : readdirSync(absDir).map((f) => join2(absDir, f)).filter((f) => statSync(f).isFile());
+  return false;
+}
+function reasonFor(key, value) {
+  if (SECRET_KEY_PATTERN.test(key))
+    return `secret key name: ${key}`;
+  for (const { re, reason } of VALUE_PATTERNS) {
+    if (re.test(value))
+      return reason;
+  }
+  return "secret value pattern";
+}
+function redactContent(content, format) {
+  switch (format) {
+    case "shell":
+      return redactShell(content);
+    case "json":
+      return redactJson(content);
+    case "toml":
+      return redactToml(content);
+    case "ini":
+      return redactIni(content);
+    default:
+      return redactGeneric(content);
+  }
+}
+function scanSecrets(content, format) {
+  const r = redactContent(content, format);
+  return r.redacted;
+}
+
+// src/lib/sync.ts
+var KNOWN_CONFIGS = [
+  { path: "~/.claude/CLAUDE.md", name: "claude-claude-md", category: "rules", agent: "claude", format: "markdown" },
+  { path: "~/.claude/settings.json", name: "claude-settings", category: "agent", agent: "claude", format: "json" },
+  { path: "~/.claude/settings.local.json", name: "claude-settings-local", category: "agent", agent: "claude", format: "json" },
+  { path: "~/.claude/keybindings.json", name: "claude-keybindings", category: "agent", agent: "claude", format: "json" },
+  { path: "~/.claude/rules", name: "claude-rules", category: "rules", agent: "claude", rulesDir: "~/.claude/rules" },
+  { path: "~/.codex/config.toml", name: "codex-config", category: "agent", agent: "codex", format: "toml" },
+  { path: "~/.codex/AGENTS.md", name: "codex-agents-md", category: "rules", agent: "codex", format: "markdown" },
+  { path: "~/.gemini/settings.json", name: "gemini-settings", category: "agent", agent: "gemini", format: "json" },
+  { path: "~/.gemini/GEMINI.md", name: "gemini-gemini-md", category: "rules", agent: "gemini", format: "markdown" },
+  { path: "~/.claude.json", name: "claude-json", category: "mcp", agent: "claude", format: "json", description: "Claude Code global config (includes MCP server entries)" },
+  { path: "~/.zshrc", name: "zshrc", category: "shell", agent: "zsh" },
+  { path: "~/.zprofile", name: "zprofile", category: "shell", agent: "zsh" },
+  { path: "~/.bashrc", name: "bashrc", category: "shell", agent: "zsh" },
+  { path: "~/.bash_profile", name: "bash-profile", category: "shell", agent: "zsh" },
+  { path: "~/.gitconfig", name: "gitconfig", category: "git", agent: "git", format: "ini" },
+  { path: "~/.gitignore_global", name: "gitignore-global", category: "git", agent: "git" },
+  { path: "~/.npmrc", name: "npmrc", category: "tools", agent: "npm", format: "ini" },
+  { path: "~/.bunfig.toml", name: "bunfig", category: "tools", agent: "global", format: "toml" }
+];
+async function syncKnown(opts = {}) {
+  const d = opts.db || getDatabase();
   const result = { added: 0, updated: 0, unchanged: 0, skipped: [] };
+  const home = homedir2();
+  let targets = KNOWN_CONFIGS;
+  if (opts.agent)
+    targets = targets.filter((k) => k.agent === opts.agent);
+  if (opts.category)
+    targets = targets.filter((k) => k.category === opts.category);
   const allConfigs = listConfigs(undefined, d);
-  for (const file of files) {
-    if (shouldSkip(file)) {
-      result.skipped.push(file);
+  for (const known of targets) {
+    if (known.rulesDir) {
+      const absDir = expandPath(known.rulesDir);
+      if (!existsSync3(absDir)) {
+        result.skipped.push(known.rulesDir);
+        continue;
+      }
+      const mdFiles = readdirSync(absDir).filter((f) => f.endsWith(".md"));
+      for (const f of mdFiles) {
+        const abs2 = join2(absDir, f);
+        const targetPath = abs2.replace(home, "~");
+        const raw = readFileSync2(abs2, "utf-8");
+        const { content, isTemplate } = redactContent(raw, "markdown");
+        const name = `claude-rules-${f}`;
+        const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+        const existing = allConfigs.find((c) => c.target_path === targetPath || c.slug === slug);
+        if (!existing) {
+          if (!opts.dryRun)
+            createConfig({ name, category: "rules", agent: "claude", format: "markdown", content, target_path: targetPath, is_template: isTemplate }, d);
+          result.added++;
+        } else if (existing.content !== content) {
+          if (!opts.dryRun)
+            updateConfig(existing.id, { content, is_template: isTemplate }, d);
+          result.updated++;
+        } else {
+          result.unchanged++;
+        }
+      }
+      continue;
+    }
+    const abs = expandPath(known.path);
+    if (!existsSync3(abs)) {
+      result.skipped.push(known.path);
       continue;
     }
     try {
-      const content = readFileSync2(file, "utf-8");
-      const targetPath = file.startsWith(homedir2()) ? file.replace(homedir2(), "~") : file;
-      const existing = allConfigs.find((c) => c.target_path === targetPath);
+      const rawContent = readFileSync2(abs, "utf-8");
+      if (rawContent.length > 500000) {
+        result.skipped.push(known.path + " (too large)");
+        continue;
+      }
+      const fmt = known.format ?? detectFormat(abs);
+      const { content, isTemplate } = redactContent(rawContent, fmt);
+      const targetPath = abs.replace(home, "~");
+      const existing = allConfigs.find((c) => c.target_path === targetPath || c.slug === known.name);
       if (!existing) {
         if (!opts.dryRun) {
-          const name = relative(absDir, file);
           createConfig({
-            name,
-            category: detectCategory(file),
-            agent: detectAgent(file),
-            target_path: targetPath,
-            format: detectFormat(file),
-            content
+            name: known.name,
+            category: known.category,
+            agent: known.agent,
+            format: fmt,
+            content,
+            target_path: known.kind === "reference" ? null : targetPath,
+            kind: known.kind ?? "file",
+            description: known.description,
+            is_template: isTemplate
           }, d);
         }
         result.added++;
       } else if (existing.content !== content) {
-        if (!opts.dryRun) {
-          updateConfig(existing.id, { content }, d);
-        }
+        if (!opts.dryRun)
+          updateConfig(existing.id, { content, is_template: isTemplate }, d);
         result.updated++;
       } else {
         result.unchanged++;
       }
     } catch {
-      result.skipped.push(file);
+      result.skipped.push(known.path);
     }
   }
   return result;
 }
-async function syncToDir(dir, opts = {}) {
+async function syncToDisk(opts = {}) {
   const d = opts.db || getDatabase();
-  const absDir = expandPath(dir);
-  const normalizedDir = dir.startsWith("~/") ? dir : absDir.replace(homedir2(), "~");
-  const configs = listConfigs(undefined, d).filter((c) => c.target_path && (c.target_path.startsWith(normalizedDir) || c.target_path.startsWith(absDir)));
   const result = { added: 0, updated: 0, unchanged: 0, skipped: [] };
+  let configs = listConfigs({ kind: "file", ...opts.agent ? { agent: opts.agent } : {}, ...opts.category ? { category: opts.category } : {} }, d);
   for (const config of configs) {
-    if (config.kind === "reference")
+    if (!config.target_path)
       continue;
     try {
       const r = await applyConfig(config, { dryRun: opts.dryRun, db: d });
-      if (r.changed) {
-        existsSync3(expandPath(config.target_path)) ? result.updated++ : result.added++;
-      } else {
-        result.unchanged++;
-      }
+      r.changed ? result.updated++ : result.unchanged++;
     } catch {
-      result.skipped.push(config.target_path || config.id);
+      result.skipped.push(config.target_path);
     }
   }
   return result;
@@ -2656,29 +2821,77 @@ function diffConfig(config) {
   const maxLen = Math.max(stored.length, disk.length);
   for (let i = 0;i < maxLen; i++) {
     const s = stored[i];
-    const d = disk[i];
-    if (s === d) {
+    const dk = disk[i];
+    if (s === dk) {
       if (s !== undefined)
         lines.push(` ${s}`);
     } else {
       if (s !== undefined)
         lines.push(`-${s}`);
-      if (d !== undefined)
-        lines.push(`+${d}`);
+      if (dk !== undefined)
+        lines.push(`+${dk}`);
     }
   }
   return lines.join(`
 `);
 }
+function detectCategory(filePath) {
+  const p = filePath.toLowerCase().replace(homedir2(), "~");
+  if (p.includes("/.claude/rules/") || p.endsWith("claude.md") || p.endsWith("agents.md") || p.endsWith("gemini.md"))
+    return "rules";
+  if (p.includes("/.claude/") || p.includes("/.codex/") || p.includes("/.gemini/") || p.includes("/.cursor/"))
+    return "agent";
+  if (p.includes(".mcp.json") || p.includes("mcp"))
+    return "mcp";
+  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc") || p.includes(".bash_profile"))
+    return "shell";
+  if (p.includes(".gitconfig") || p.includes(".gitignore"))
+    return "git";
+  if (p.includes(".npmrc") || p.includes("tsconfig") || p.includes("bunfig"))
+    return "tools";
+  if (p.includes(".secrets"))
+    return "secrets_schema";
+  return "tools";
+}
+function detectAgent(filePath) {
+  const p = filePath.toLowerCase().replace(homedir2(), "~");
+  if (p.includes("/.claude/") || p.endsWith("claude.md"))
+    return "claude";
+  if (p.includes("/.codex/") || p.endsWith("agents.md"))
+    return "codex";
+  if (p.includes("/.gemini/") || p.endsWith("gemini.md"))
+    return "gemini";
+  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc"))
+    return "zsh";
+  if (p.includes(".gitconfig") || p.includes(".gitignore"))
+    return "git";
+  if (p.includes(".npmrc"))
+    return "npm";
+  return "global";
+}
+function detectFormat(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  if (ext === ".json")
+    return "json";
+  if (ext === ".toml")
+    return "toml";
+  if (ext === ".yaml" || ext === ".yml")
+    return "yaml";
+  if (ext === ".md" || ext === ".markdown")
+    return "markdown";
+  if (ext === ".ini" || ext === ".cfg")
+    return "ini";
+  return "text";
+}
 
 // src/lib/export.ts
 import { existsSync as existsSync4, mkdirSync as mkdirSync3, rmSync, writeFileSync as writeFileSync2 } from "fs";
-import { join as join3, resolve as resolve4 } from "path";
+import { join as join3, resolve as resolve3 } from "path";
 import { tmpdir } from "os";
 async function exportConfigs(outputPath, opts = {}) {
   const d = opts.db || getDatabase();
   const configs = listConfigs(opts.filter, d);
-  const absOutput = resolve4(outputPath);
+  const absOutput = resolve3(outputPath);
   const tmpDir = join3(tmpdir(), `configs-export-${Date.now()}`);
   const contentsDir = join3(tmpDir, "contents");
   try {
@@ -2712,12 +2925,12 @@ async function exportConfigs(outputPath, opts = {}) {
 
 // src/lib/import.ts
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync3, rmSync as rmSync2 } from "fs";
-import { join as join4, resolve as resolve5 } from "path";
+import { join as join4, resolve as resolve4 } from "path";
 import { tmpdir as tmpdir2 } from "os";
 async function importConfigs(bundlePath, opts = {}) {
   const d = opts.db || getDatabase();
   const conflict = opts.conflict ?? "skip";
-  const absPath = resolve5(bundlePath);
+  const absPath = resolve4(bundlePath);
   const tmpDir = join4(tmpdir2(), `configs-import-${Date.now()}`);
   const result = { created: 0, updated: 0, skipped: 0, errors: [] };
   try {
@@ -2855,12 +3068,14 @@ program.command("show <id>").description("Show a config's content and metadata")
   }
 });
 program.command("add <path>").description("Ingest a file into the config DB").option("-n, --name <name>", "config name (defaults to filename)").option("-c, --category <cat>", "category override").option("-a, --agent <agent>", "agent override").option("-k, --kind <kind>", "kind: file|reference", "file").option("--template", "mark as template (has {{VAR}} placeholders)").action(async (filePath, opts) => {
-  const abs = resolve6(filePath);
+  const abs = resolve5(filePath);
   if (!existsSync6(abs)) {
     console.error(chalk.red(`File not found: ${abs}`));
     process.exit(1);
   }
-  const content = readFileSync4(abs, "utf-8");
+  const rawContent = readFileSync4(abs, "utf-8");
+  const fmt = detectFormat(abs);
+  const { content, redacted, isTemplate } = redactContent(rawContent, fmt);
   const targetPath = abs.startsWith(homedir3()) ? abs.replace(homedir3(), "~") : abs;
   const name = opts.name || filePath.split("/").pop();
   const config = createConfig({
@@ -2869,11 +3084,17 @@ program.command("add <path>").description("Ingest a file into the config DB").op
     category: opts.category ?? detectCategory(abs),
     agent: opts.agent ?? detectAgent(abs),
     target_path: opts.kind === "reference" ? null : targetPath,
-    format: detectFormat(abs),
+    format: fmt,
     content,
-    is_template: opts.template ?? false
+    is_template: (opts.template ?? false) || isTemplate
   });
   console.log(chalk.green("\u2713") + ` Added: ${chalk.bold(config.name)} ${chalk.dim(`(${config.slug})`)}`);
+  if (redacted.length > 0) {
+    console.log(chalk.yellow(`  \u26A0 Redacted ${redacted.length} secret(s):`));
+    for (const r of redacted)
+      console.log(chalk.yellow(`    line ${r.line}: {{${r.varName}}} \u2014 ${r.reason}`));
+    console.log(chalk.dim("  Config stored as a template. Use `configs template vars` to see placeholders."));
+  }
 });
 program.command("apply <id>").description("Apply a config to its target_path on disk").option("--dry-run", "preview without writing").option("--force", "overwrite even if unchanged").action(async (id, opts) => {
   try {
@@ -2897,14 +3118,30 @@ program.command("diff <id>").description("Show diff between stored config and di
     process.exit(1);
   }
 });
-program.command("sync").description("Bulk sync a directory with the DB").option("-d, --dir <dir>", "directory to sync (default: ~/.claude)", "~/.claude").option("--from-disk", "read files from disk into DB (default)").option("--to-disk", "apply DB configs back to disk").option("--dry-run", "preview without writing").action(async (opts) => {
-  const toDisk = opts.toDisk;
-  if (toDisk) {
-    const result = await syncToDir(opts.dir, { dryRun: opts.dryRun });
-    console.log(chalk.green(`\u2713`) + ` Synced to disk: +${result.added} updated:${result.updated} unchanged:${result.unchanged} skipped:${result.skipped.length}`);
+program.command("sync").description("Sync known AI coding configs from disk into DB (claude, codex, gemini, zsh, git, npm)").option("-a, --agent <agent>", "only sync configs for this agent (claude|codex|gemini|zsh|git|npm)").option("-c, --category <cat>", "only sync configs in this category").option("--to-disk", "apply DB configs back to disk instead").option("--dry-run", "preview without writing").option("--list", "show which files would be synced without doing anything").action(async (opts) => {
+  if (opts.list) {
+    const targets = KNOWN_CONFIGS.filter((k) => {
+      if (opts.agent && k.agent !== opts.agent)
+        return false;
+      if (opts.category && k.category !== opts.category)
+        return false;
+      return true;
+    });
+    console.log(chalk.bold(`Known configs (${targets.length}):`));
+    for (const k of targets) {
+      console.log(`  ${chalk.cyan(k.rulesDir ? k.rulesDir + "/*.md" : k.path)} ${chalk.dim(`[${k.category}/${k.agent}]`)}`);
+    }
+    return;
+  }
+  if (opts.toDisk) {
+    const result = await syncToDisk({ dryRun: opts.dryRun, agent: opts.agent, category: opts.category });
+    console.log(chalk.green("\u2713") + ` Written to disk: updated:${result.updated} unchanged:${result.unchanged} skipped:${result.skipped.length}`);
   } else {
-    const result = await syncFromDir(opts.dir, { dryRun: opts.dryRun });
-    console.log(chalk.green(`\u2713`) + ` Synced from disk: +${result.added} updated:${result.updated} unchanged:${result.unchanged} skipped:${result.skipped.length}`);
+    const result = await syncKnown({ dryRun: opts.dryRun, agent: opts.agent, category: opts.category });
+    console.log(chalk.green("\u2713") + ` Synced: +${result.added} updated:${result.updated} unchanged:${result.unchanged} skipped:${result.skipped.length}`);
+    if (result.skipped.length > 0) {
+      console.log(chalk.dim("  skipped (not found): " + result.skipped.join(", ")));
+    }
   }
 });
 program.command("export").description("Export configs as a tar.gz bundle").option("-o, --output <path>", "output file", "./configs-export.tar.gz").option("-c, --category <cat>", "filter by category").action(async (opts) => {
@@ -3083,5 +3320,29 @@ templateCmd.command("vars <id>").description("Show template variables").action(a
     process.exit(1);
   }
 });
+program.command("scan [id]").description("Scan configs for secrets. Omit id to scan all.").option("--fix", "redact found secrets in-place").action(async (id, opts) => {
+  const configs = id ? [getConfig(id)] : listConfigs({ kind: "file" });
+  let total = 0;
+  for (const c of configs) {
+    const secrets = scanSecrets(c.content, c.format);
+    if (secrets.length === 0)
+      continue;
+    total += secrets.length;
+    console.log(chalk.yellow(`\u26A0 ${c.slug}`) + chalk.dim(` \u2014 ${secrets.length} secret(s):`));
+    for (const s of secrets)
+      console.log(`  line ${s.line}: ${chalk.red(s.varName)} \u2014 ${s.reason}`);
+    if (opts.fix) {
+      const { content, isTemplate } = redactContent(c.content, c.format);
+      updateConfig(c.id, { content, is_template: isTemplate });
+      console.log(chalk.green("  \u2713 Redacted and updated."));
+    }
+  }
+  if (total === 0) {
+    console.log(chalk.green("\u2713") + " No secrets detected.");
+  } else if (!opts.fix) {
+    console.log(chalk.yellow(`
+Run with --fix to redact in-place.`));
+  }
+});
 program.version(pkg.version).name("configs");
 program.parse(process.argv);

package/dist/index.d.ts

@@ -6,8 +6,10 @@ export { registerMachine, updateMachineApplied, listMachines, currentHostname, c
 export { getDatabase, resetDatabase, uuid, now, slugify } from "./db/database.js";
 export { applyConfig, applyConfigs, expandPath } from "./lib/apply.js";
 export type { ApplyOptions } from "./lib/apply.js";
-export { syncFromDir, syncToDir, diffConfig, detectCategory, detectAgent, detectFormat } from "./lib/sync.js";
-export type { SyncFromDirOptions, SyncToDirOptions } from "./lib/sync.js";
+export { syncKnown, syncToDisk, diffConfig, detectCategory, detectAgent, detectFormat, KNOWN_CONFIGS } from "./lib/sync.js";
+export { syncFromDir, syncToDir } from "./lib/sync-dir.js";
+export type { SyncKnownOptions, SyncToDiskOptions } from "./lib/sync.js";
+export type { SyncFromDirOptions } from "./lib/sync-dir.js";
 export { exportConfigs } from "./lib/export.js";
 export { importConfigs } from "./lib/import.js";
 export type { ExportOptions } from "./lib/export.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGlI,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGrH,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGzK,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAGnH,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAGlF,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACvE,YAAY,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGnD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC9G,YAAY,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAG1E,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGnE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACvG,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAGlI,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGrH,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGzK,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAGnH,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAGlF,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACvE,YAAY,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGnD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC5H,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC3D,YAAY,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACzE,YAAY,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAG5D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AACrD,YAAY,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGnE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACvG,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC"}