@keywaysh/cli 0.0.13 → 0.0.14

package/README.md

@@ -162,19 +162,20 @@ keyway logout
 Keyway is designed to be **simple and secure** — a major upgrade from Slack or Notion, without the complexity of Hashicorp Vault or AWS Secrets Manager.
 
 **What we do:**
-- AES-256-GCM encryption server-side
-- TLS everywhere
+- AES-256-GCM encryption server-side and client-side token storage
+- TLS everywhere (HTTPS enforced)
 - GitHub read-only permissions
 - No access to your code
 - Secrets stored encrypted at rest
 - No analytics on secret values (only metadata)
+- Encrypted token storage with file permissions
 
 **What we don't do:**
 - No zero-trust enterprise model
 - No access to your cloud infrastructure
 - No access to your production deployment keys
 
-More details: [keyway.sh/security](https://keyway.sh/security)
+For detailed security information, see [SECURITY.md](./SECURITY.md) and [keyway.sh/security](https://keyway.sh/security)
 
 ## Who is this for?
 
@@ -293,7 +294,7 @@ Your team stays perfectly in sync.
 ## Support
 
 - **Issues**: [github.com/keywaysh/cli/issues](https://github.com/keywaysh/cli/issues)
-- **Email**: unlock@keyway.sh
+- **Email**: hello@keyway.sh
 - **Website**: [keyway.sh](https://keyway.sh)
 
 ## License

package/dist/cli.js

@@ -66,10 +66,10 @@ var INTERNAL_API_URL = "https://api.keyway.sh";
 var INTERNAL_POSTHOG_KEY = "phc_duG0qqI5z8LeHrS9pNxR5KaD4djgD0nmzUxuD3zP0ov";
 var INTERNAL_POSTHOG_HOST = "https://eu.i.posthog.com";
 
-// package.json with { type: 'json' }
+// package.json
 var package_default = {
   name: "@keywaysh/cli",
-  version: "0.0.13",
+  version: "0.0.14",
   description: "One link to all your secrets",
   type: "module",
   bin: {
@@ -132,6 +132,26 @@ var package_default = {
 // src/utils/api.ts
 var API_BASE_URL = process.env.KEYWAY_API_URL || INTERNAL_API_URL;
 var USER_AGENT = `keyway-cli/${package_default.version}`;
+function validateApiUrl(url) {
+  const parsed = new URL(url);
+  if (parsed.protocol !== "https:") {
+    const isLocalhost = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "0.0.0.0";
+    if (!isLocalhost) {
+      throw new Error(
+        `Insecure API URL detected: ${url}
+HTTPS is required for security. If this is a development server, use localhost or configure HTTPS.`
+      );
+    }
+    if (!process.env.KEYWAY_DISABLE_SECURITY_WARNINGS) {
+      console.warn(
+        `\u26A0\uFE0F  WARNING: Using insecure HTTP connection to ${url}
+This should only be used for local development.
+Set KEYWAY_DISABLE_SECURITY_WARNINGS=1 to suppress this warning.`
+      );
+    }
+  }
+}
+validateApiUrl(API_BASE_URL);
 var APIError = class extends Error {
   constructor(statusCode, error, message, upgradeUrl) {
     super(message);
@@ -279,71 +299,6 @@ import crypto from "crypto";
 import path from "path";
 import os from "os";
 import fs from "fs";
-
-// package.json
-var package_default2 = {
-  name: "@keywaysh/cli",
-  version: "0.0.13",
-  description: "One link to all your secrets",
-  type: "module",
-  bin: {
-    keyway: "./dist/cli.js"
-  },
-  main: "./dist/cli.js",
-  files: [
-    "dist"
-  ],
-  scripts: {
-    dev: "pnpm exec tsx src/cli.ts",
-    build: "pnpm exec tsup",
-    "build:watch": "pnpm exec tsup --watch",
-    prepublishOnly: "pnpm run build",
-    test: "pnpm exec vitest run",
-    "test:watch": "pnpm exec vitest",
-    release: "npm version patch && git push && git push --tags",
-    "release:minor": "npm version minor && git push && git push --tags",
-    "release:major": "npm version major && git push && git push --tags"
-  },
-  keywords: [
-    "secrets",
-    "env",
-    "keyway",
-    "cli",
-    "devops"
-  ],
-  author: "Nicolas Ritouet",
-  license: "MIT",
-  homepage: "https://keyway.sh",
-  repository: {
-    type: "git",
-    url: "https://github.com/keywaysh/cli.git"
-  },
-  bugs: {
-    url: "https://github.com/keywaysh/cli/issues"
-  },
-  packageManager: "pnpm@10.6.1",
-  engines: {
-    node: ">=18.0.0"
-  },
-  dependencies: {
-    chalk: "^4.1.2",
-    commander: "^14.0.0",
-    conf: "^15.0.2",
-    open: "^11.0.0",
-    "posthog-node": "^3.5.0",
-    prompts: "^2.4.2"
-  },
-  devDependencies: {
-    "@types/node": "^24.2.0",
-    "@types/prompts": "^2.4.9",
-    tsup: "^8.5.0",
-    tsx: "^4.20.3",
-    typescript: "^5.9.2",
-    vitest: "^3.2.4"
-  }
-};
-
-// src/utils/analytics.ts
 var posthog = null;
 var distinctId = null;
 var CONFIG_DIR = path.join(os.homedir(), ".config", "keyway");
@@ -400,7 +355,7 @@ function trackEvent(event, properties) {
         source: "cli",
         platform: process.platform,
         nodeVersion: process.version,
-        version: package_default2.version,
+        version: package_default.version,
         ci: CI
       }
     });
@@ -444,33 +399,86 @@ import prompts from "prompts";
 
 // src/utils/auth.ts
 import Conf from "conf";
+import { createCipheriv, createDecipheriv, randomBytes, scrypt } from "crypto";
+import { promisify } from "util";
 var store = new Conf({
   projectName: "keyway",
   configName: "config",
   fileMode: 384
 });
+var scryptAsync = promisify(scrypt);
+async function getEncryptionKey() {
+  const machineId = process.env.USER || process.env.USERNAME || "keyway-user";
+  let salt = store.get("salt");
+  if (!salt) {
+    salt = randomBytes(16).toString("hex");
+    store.set("salt", salt);
+  }
+  const key = await scryptAsync(machineId, salt, 32);
+  return key;
+}
+async function encryptToken(token) {
+  const key = await getEncryptionKey();
+  const iv = randomBytes(16);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(token, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
+async function decryptToken(encryptedData) {
+  const key = await getEncryptionKey();
+  const parts = encryptedData.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted token format");
+  }
+  const iv = Buffer.from(parts[0], "hex");
+  const authTag = Buffer.from(parts[1], "hex");
+  const encrypted = Buffer.from(parts[2], "hex");
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final()
+  ]);
+  return decrypted.toString("utf8");
+}
 function isExpired(auth) {
   if (!auth.expiresAt) return false;
   const expires = Date.parse(auth.expiresAt);
   if (Number.isNaN(expires)) return false;
   return expires <= Date.now();
 }
-function getStoredAuth() {
-  const auth = store.get("auth");
-  if (auth && isExpired(auth)) {
+async function getStoredAuth() {
+  const encryptedData = store.get("auth");
+  if (!encryptedData) {
+    return null;
+  }
+  try {
+    const decrypted = await decryptToken(encryptedData);
+    const auth = JSON.parse(decrypted);
+    if (isExpired(auth)) {
+      clearAuth();
+      return null;
+    }
+    return auth;
+  } catch (error) {
+    console.error("Failed to decrypt stored auth, clearing...");
     clearAuth();
     return null;
   }
-  return auth ?? null;
 }
-function saveAuthToken(token, meta) {
+async function saveAuthToken(token, meta) {
   const auth = {
     keywayToken: token,
     githubLogin: meta?.githubLogin,
     expiresAt: meta?.expiresAt,
     createdAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  store.set("auth", auth);
+  const encrypted = await encryptToken(JSON.stringify(auth));
+  store.set("auth", encrypted);
 }
 function clearAuth() {
   store.delete("auth");
@@ -528,7 +536,7 @@ async function runLoginFlow() {
       continue;
     }
     if (result.status === "approved" && result.keywayToken) {
-      saveAuthToken(result.keywayToken, {
+      await saveAuthToken(result.keywayToken, {
         githubLogin: result.githubLogin,
         expiresAt: result.expiresAt
       });
@@ -550,7 +558,7 @@ async function ensureLogin(options = {}) {
   if (envToken) {
     return envToken;
   }
-  const stored = getStoredAuth();
+  const stored = await getStoredAuth();
   if (stored?.keywayToken) {
     return stored.keywayToken;
   }
@@ -603,7 +611,7 @@ async function runTokenLogin() {
     throw new Error("Token must start with github_pat_.");
   }
   const validation = await validateToken(trimmedToken);
-  saveAuthToken(trimmedToken, {
+  await saveAuthToken(trimmedToken, {
     githubLogin: validation.username
   });
   trackEvent(AnalyticsEvents.CLI_LOGIN, {
@@ -1280,7 +1288,7 @@ async function checkSystemClock() {
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 2e3);
-    const response = await fetch("https://api.keyway.sh/v1/health", {
+    const response = await fetch(API_HEALTH_URL, {
       method: "HEAD",
       signal: controller.signal
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keywaysh/cli",
-  "version": "0.0.13",
+  "version": "0.0.14",
   "description": "One link to all your secrets",
   "type": "module",
   "bin": {