@howlil/ez-agents 3.4.2 → 4.0.0

package/bin/lib/audit-exec.cjs

@@ -0,0 +1,175 @@
+#!/usr/bin/env node
+
+/**
+ * EZ Audit Exec — Command execution with full audit logging
+ * 
+ * Logs all command executions to audit file for security review:
+ * - Timestamp, command, arguments, context
+ * - Duration and result status
+ * - Error details if failed
+ * 
+ * Usage:
+ *   const { auditExec } = require('./audit-exec.cjs');
+ *   const result = await auditExec('git', ['status'], { context: 'my-module' });
+ */
+
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const { appendFileSync, existsSync, mkdirSync, writeFileSync } = require('fs');
+const { join } = require('path');
+const Logger = require('./logger.cjs');
+const logger = new Logger();
+
+const execFileAsync = promisify(execFile);
+
+// Audit log file path - stored in temp directory (not in .planning/logs)
+let _AUDIT_DIR;
+let _AUDIT_FILE;
+
+function getAuditDir() {
+  if (!_AUDIT_DIR) {
+    // Use temp directory instead of .planning/logs
+    _AUDIT_DIR = join(process.env.TEMP || process.env.TMPDIR || '/tmp', 'ez-agents-audit');
+    if (!existsSync(_AUDIT_DIR)) {
+      mkdirSync(_AUDIT_DIR, { recursive: true });
+    }
+  }
+  return _AUDIT_DIR;
+}
+
+function getAuditFile() {
+  if (!_AUDIT_FILE) {
+    _AUDIT_FILE = join(getAuditDir(), `audit-${new Date().toISOString().split('T')[0]}.jsonl`);
+  }
+  return _AUDIT_FILE;
+}
+
+/**
+ * Write audit log entry
+ * @param {Object} entry - Audit entry
+ */
+function writeAudit(entry) {
+  try {
+    const line = JSON.stringify(entry) + '\n';
+    appendFileSync(getAuditFile(), line, 'utf-8');
+  } catch (err) {
+    // Log audit failures to stderr - never silently ignore
+    // This ensures security issues are visible even if file write fails
+    console.error('AUDIT LOG FAILURE:', err.message);
+    console.error('Audit entry:', JSON.stringify(entry));
+    
+    // In strict mode, throw to prevent execution without audit trail
+    if (process.env.AUDIT_STRICT === 'true') {
+      throw err;
+    }
+  }
+}
+
+/**
+ * Execute command with full audit logging
+ * @param {string} cmd - Command to execute
+ * @param {string[]} args - Command arguments
+ * @param {Object} options - Execution options
+ * @param {string} options.context - Calling context (which module/function)
+ * @param {string} options.user - User identifier
+ * @returns {Promise<string>} - Command stdout
+ */
+async function auditExec(cmd, args = [], options = {}) {
+  const { context = 'unknown', user = 'system', timeout = 30000 } = options;
+  
+  const entry = {
+    timestamp: new Date().toISOString(),
+    cmd,
+    args,
+    context,
+    user,
+    status: 'started'
+  };
+  
+  // Log start
+  writeAudit(entry);
+  logger.info('Audit: command started', { cmd, args: args.join(' '), context });
+  
+  const startTime = Date.now();
+  
+  try {
+    const result = await execFileAsync(cmd, args, {
+      timeout,
+      maxBuffer: 1 * 1024 * 1024 // 1MB buffer (reduced from 10MB for security)
+    });
+
+    const duration = Date.now() - startTime;
+
+    // Log success
+    const successEntry = {
+      ...entry,
+      status: 'success',
+      duration,
+      stdout_length: result.stdout?.length || 0
+    };
+    writeAudit(successEntry);
+
+    logger.debug('Audit: command completed', { cmd, duration, context });
+
+    return result.stdout.trim();
+  } catch (err) {
+    const duration = Date.now() - startTime;
+
+    // Log failure
+    const errorEntry = {
+      ...entry,
+      status: 'error',
+      duration,
+      error: err.message,
+      code: err.code,
+      signal: err.signal
+    };
+    writeAudit(errorEntry);
+
+    logger.error('Audit: command failed', { cmd, error: err.message, duration, context });
+
+    throw err;
+  }
+}
+
+/**
+ * Get today's audit log path
+ * @returns {string} - Audit file path
+ */
+function getAuditFilePath() {
+  return AUDIT_FILE;
+}
+
+/**
+ * Read audit log entries for a specific date
+ * @param {string} date - Date string (YYYY-MM-DD)
+ * @returns {Object[]} - Array of audit entries
+ */
+function readAuditLog(date = new Date().toISOString().split('T')[0]) {
+  const filePath = join(AUDIT_DIR, `audit-${date}.jsonl`);
+  
+  if (!existsSync(filePath)) {
+    return [];
+  }
+  
+  const content = require('fs').readFileSync(filePath, 'utf-8');
+  return content.trim().split('\n').map(line => JSON.parse(line));
+}
+
+/**
+ * Search audit log for specific command
+ * @param {string} cmdFilter - Command to filter by
+ * @param {string} date - Date string
+ * @returns {Object[]} - Matching entries
+ */
+function searchAuditLog(cmdFilter, date) {
+  const entries = readAuditLog(date);
+  return entries.filter(e => e.cmd === cmdFilter);
+}
+
+module.exports = {
+  auditExec,
+  getAuditFilePath,
+  readAuditLog,
+  searchAuditLog
+};

package/bin/lib/auth.cjs

@@ -0,0 +1,176 @@
+#!/usr/bin/env node
+
+/**
+ * EZ Auth — Secure credential storage using system keychain
+ * 
+ * Stores API keys securely using:
+ * - keytar for system keychain (Windows Credential Manager, macOS Keychain, libsecret)
+ * - Fallback to encrypted file storage if keytar unavailable
+ * 
+ * Usage:
+ *   const { saveCredential, loadCredential } = require('./auth.cjs');
+ *   await saveCredential('anthropic', 'sk-...');
+ */
+
+const Logger = require('./logger.cjs');
+const logger = new Logger();
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+const SERVICE_NAME = 'ez-agents';
+
+// Provider account names
+const PROVIDERS = {
+  ANTHROPIC: 'anthropic',
+  MOONSHOT: 'moonshot',
+  ALIBABA: 'alibaba',
+  QWEN: 'qwen',
+  OPENAI: 'openai'
+};
+
+// Fallback storage path
+const FALLBACK_FILE = path.join(os.homedir(), '.ez-credentials.json');
+
+// Try to load keytar
+let keytar = null;
+try {
+  keytar = require('keytar');
+  logger.info('keytar loaded — using system keychain');
+} catch (err) {
+  logger.warn('keytar not available — using fallback storage');
+}
+
+/**
+ * Save credential securely
+ * @param {string} provider - Provider name (anthropic, moonshot, etc.)
+ * @param {string} secret - API key or secret
+ * @returns {Promise<boolean>} - Success status
+ */
+async function saveCredential(provider, secret) {
+  try {
+    if (keytar) {
+      await keytar.setPassword(SERVICE_NAME, provider, secret);
+      logger.info('Credential saved to system keychain', { provider });
+      return true;
+    } else {
+      // Fallback: save to file
+      let credentials = {};
+      if (fs.existsSync(FALLBACK_FILE)) {
+        const content = fs.readFileSync(FALLBACK_FILE, 'utf-8');
+        try {
+          credentials = JSON.parse(content);
+        } catch (e) {
+          credentials = {};
+        }
+      }
+      credentials[provider] = secret;
+      fs.writeFileSync(FALLBACK_FILE, JSON.stringify(credentials, null, 2), 'utf-8');
+      logger.warn('Credential saved to fallback file', { provider, path: FALLBACK_FILE });
+      return true;
+    }
+  } catch (err) {
+    logger.error('Failed to save credential', { provider, error: err.message });
+    return false;
+  }
+}
+
+/**
+ * Load credential securely
+ * @param {string} provider - Provider name
+ * @returns {Promise<string|null>} - API key or null if not found
+ */
+async function loadCredential(provider) {
+  try {
+    if (keytar) {
+      const secret = await keytar.getPassword(SERVICE_NAME, provider);
+      if (secret) {
+        logger.debug('Credential loaded from keychain', { provider });
+      }
+      return secret || null;
+    } else {
+      // Fallback: load from file
+      if (fs.existsSync(FALLBACK_FILE)) {
+        const content = fs.readFileSync(FALLBACK_FILE, 'utf-8');
+        const credentials = JSON.parse(content);
+        return credentials[provider] || null;
+      }
+      return null;
+    }
+  } catch (err) {
+    logger.error('Failed to load credential', { provider, error: err.message });
+    return null;
+  }
+}
+
+/**
+ * Delete credential
+ * @param {string} provider - Provider name
+ * @returns {Promise<boolean>} - Success status
+ */
+async function deleteCredential(provider) {
+  try {
+    if (keytar) {
+      await keytar.deletePassword(SERVICE_NAME, provider);
+      logger.info('Credential deleted from keychain', { provider });
+      return true;
+    } else {
+      // Fallback: remove from file
+      if (fs.existsSync(FALLBACK_FILE)) {
+        const content = fs.readFileSync(FALLBACK_FILE, 'utf-8');
+        const credentials = JSON.parse(content);
+        if (credentials[provider]) {
+          delete credentials[provider];
+          fs.writeFileSync(FALLBACK_FILE, JSON.stringify(credentials, null, 2), 'utf-8');
+          logger.info('Credential deleted from fallback file', { provider });
+          return true;
+        }
+      }
+      return false;
+    }
+  } catch (err) {
+    logger.error('Failed to delete credential', { provider, error: err.message });
+    return false;
+  }
+}
+
+/**
+ * List all stored providers
+ * @returns {Promise<string[]>} - Array of provider names
+ */
+async function listProviders() {
+  const stored = [];
+  
+  if (keytar) {
+    for (const [, name] of Object.entries(PROVIDERS)) {
+      const cred = await keytar.getPassword(SERVICE_NAME, name);
+      if (cred) stored.push(name);
+    }
+  } else {
+    if (fs.existsSync(FALLBACK_FILE)) {
+      const content = fs.readFileSync(FALLBACK_FILE, 'utf-8');
+      const credentials = JSON.parse(content);
+      return Object.keys(credentials);
+    }
+  }
+  
+  return stored;
+}
+
+/**
+ * Check if keytar is available
+ * @returns {boolean} - True if using system keychain
+ */
+function isKeychainAvailable() {
+  return keytar !== null;
+}
+
+module.exports = {
+  saveCredential,
+  loadCredential,
+  deleteCredential,
+  listProviders,
+  isKeychainAvailable,
+  PROVIDERS,
+  SERVICE_NAME
+};