@lifestreamdynamics/vault-cli 1.0.0

package/dist/lib/credential-manager.js

@@ -0,0 +1,101 @@
+import { createKeychainBackend } from './keychain.js';
+import { createEncryptedConfigBackend } from './encrypted-config.js';
+// Default passphrase for encrypted config when no interactive prompt is available.
+// This provides basic obfuscation — the real security benefit is file permissions (0600)
+// and the fact that credentials aren't in a JSON file that's easy to grep for API keys.
+const DEFAULT_PASSPHRASE = 'lsvault-cli-local-encryption-key';
+export function createCredentialManager(options = {}) {
+    const keychain = options.keychain ?? createKeychainBackend();
+    const encryptedConfig = options.encryptedConfig ?? createEncryptedConfigBackend();
+    const passphrase = options.passphrase ?? DEFAULT_PASSPHRASE;
+    return {
+        async getCredentials() {
+            const result = {};
+            // 1. Environment variables (highest priority)
+            if (process.env.LSVAULT_API_KEY) {
+                result.apiKey = process.env.LSVAULT_API_KEY;
+            }
+            if (process.env.LSVAULT_API_URL) {
+                result.apiUrl = process.env.LSVAULT_API_URL;
+            }
+            // If env fully satisfies, return early
+            if (result.apiKey)
+                return result;
+            // 2. OS Keychain
+            if (await keychain.isAvailable()) {
+                const keychainCreds = await keychain.getCredentials();
+                if (keychainCreds.apiKey && !result.apiKey)
+                    result.apiKey = keychainCreds.apiKey;
+                if (keychainCreds.apiUrl && !result.apiUrl)
+                    result.apiUrl = keychainCreds.apiUrl;
+            }
+            if (result.apiKey)
+                return result;
+            // 3. Encrypted config
+            const encCreds = encryptedConfig.getCredentials(passphrase);
+            if (encCreds) {
+                if (encCreds.apiKey && !result.apiKey)
+                    result.apiKey = encCreds.apiKey;
+                if (encCreds.apiUrl && !result.apiUrl)
+                    result.apiUrl = encCreds.apiUrl;
+            }
+            return result;
+        },
+        async saveCredentials(config) {
+            // Prefer keychain if available
+            if (await keychain.isAvailable()) {
+                await keychain.saveCredentials(config);
+                return;
+            }
+            // Fall back to encrypted config
+            encryptedConfig.saveCredentials(config, passphrase);
+        },
+        async clearCredentials() {
+            // Clear from all backends
+            await keychain.clearCredentials();
+            encryptedConfig.clearCredentials();
+        },
+        async getStorageMethod() {
+            if (process.env.LSVAULT_API_KEY)
+                return 'env';
+            if (await keychain.isAvailable()) {
+                const creds = await keychain.getCredentials();
+                if (creds.apiKey)
+                    return 'keychain';
+            }
+            if (encryptedConfig.hasCredentials()) {
+                const creds = encryptedConfig.getCredentials(passphrase);
+                if (creds?.apiKey)
+                    return 'encrypted-config';
+            }
+            return 'none';
+        },
+        async getVaultKey(vaultId) {
+            // 1. Environment variable: LSVAULT_VAULT_KEY_<vaultId> (hyphens to underscores, uppercase)
+            const envKey = `LSVAULT_VAULT_KEY_${vaultId.replace(/-/g, '_').toUpperCase()}`;
+            if (process.env[envKey]) {
+                return process.env[envKey];
+            }
+            // 2. Encrypted config: vaultKeys map
+            const creds = encryptedConfig.getCredentials(passphrase);
+            const vaultKeys = creds?.vaultKeys;
+            if (vaultKeys?.[vaultId]) {
+                return vaultKeys[vaultId];
+            }
+            return null;
+        },
+        async saveVaultKey(vaultId, keyHex) {
+            // Read existing config, merge vault key, save
+            const existing = encryptedConfig.getCredentials(passphrase) ?? {};
+            const vaultKeys = existing.vaultKeys ?? {};
+            vaultKeys[vaultId] = keyHex;
+            encryptedConfig.saveCredentials({ ...existing, vaultKeys }, passphrase);
+        },
+        async deleteVaultKey(vaultId) {
+            const existing = encryptedConfig.getCredentials(passphrase) ?? {};
+            const vaultKeys = existing.vaultKeys ?? {};
+            delete vaultKeys[vaultId];
+            encryptedConfig.saveCredentials({ ...existing, vaultKeys }, passphrase);
+        },
+    };
+}

package/dist/lib/encrypted-config.d.ts

@@ -0,0 +1,20 @@
+import type { CliConfig } from '../config.js';
+declare const CONFIG_DIR: string;
+declare const ENCRYPTED_FILE: string;
+declare const PBKDF2_ITERATIONS = 600000;
+export interface EncryptedCredentials {
+    version: 1;
+    salt: string;
+    iv: string;
+    authTag: string;
+    ciphertext: string;
+}
+export interface EncryptedConfigBackend {
+    isAvailable(): boolean;
+    getCredentials(passphrase: string): Partial<CliConfig> | null;
+    saveCredentials(config: Partial<CliConfig>, passphrase: string): void;
+    clearCredentials(): void;
+    hasCredentials(): boolean;
+}
+export declare function createEncryptedConfigBackend(): EncryptedConfigBackend;
+export { ENCRYPTED_FILE, CONFIG_DIR, PBKDF2_ITERATIONS };

package/dist/lib/encrypted-config.js

@@ -0,0 +1,102 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import crypto from 'node:crypto';
+const CONFIG_DIR = path.join(os.homedir(), '.lsvault');
+const ENCRYPTED_FILE = path.join(CONFIG_DIR, 'credentials.enc');
+const PBKDF2_ITERATIONS = 600_000;
+const SALT_LENGTH = 16;
+const IV_LENGTH = 12;
+const KEY_LENGTH = 32; // AES-256
+const AUTH_TAG_LENGTH = 16;
+function deriveKey(passphrase, salt) {
+    return crypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha256');
+}
+function encrypt(plaintext, passphrase) {
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const key = deriveKey(passphrase, salt);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    return {
+        version: 1,
+        salt: salt.toString('hex'),
+        iv: iv.toString('hex'),
+        authTag: authTag.toString('hex'),
+        ciphertext: encrypted.toString('hex'),
+    };
+}
+function decrypt(data, passphrase) {
+    const salt = Buffer.from(data.salt, 'hex');
+    const iv = Buffer.from(data.iv, 'hex');
+    const authTag = Buffer.from(data.authTag, 'hex');
+    const ciphertext = Buffer.from(data.ciphertext, 'hex');
+    const key = deriveKey(passphrase, salt);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+        decipher.update(ciphertext),
+        decipher.final(),
+    ]);
+    return decrypted.toString('utf8');
+}
+export function createEncryptedConfigBackend() {
+    return {
+        isAvailable() {
+            return true; // Node.js crypto is always available
+        },
+        getCredentials(passphrase) {
+            if (!fs.existsSync(ENCRYPTED_FILE))
+                return null;
+            try {
+                const raw = fs.readFileSync(ENCRYPTED_FILE, 'utf-8');
+                const data = JSON.parse(raw);
+                if (data.version !== 1)
+                    return null;
+                const plaintext = decrypt(data, passphrase);
+                return JSON.parse(plaintext);
+            }
+            catch {
+                // Wrong passphrase or corrupt file
+                return null;
+            }
+        },
+        saveCredentials(config, passphrase) {
+            if (!fs.existsSync(CONFIG_DIR)) {
+                fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+            }
+            // Merge with existing credentials if possible
+            let existing = {};
+            if (fs.existsSync(ENCRYPTED_FILE)) {
+                try {
+                    const raw = fs.readFileSync(ENCRYPTED_FILE, 'utf-8');
+                    const data = JSON.parse(raw);
+                    const plaintext = decrypt(data, passphrase);
+                    existing = JSON.parse(plaintext);
+                }
+                catch {
+                    // Can't decrypt existing — overwrite
+                }
+            }
+            const merged = { ...existing, ...config };
+            const encrypted = encrypt(JSON.stringify(merged), passphrase);
+            const tmpFile = ENCRYPTED_FILE + '.tmp.' + crypto.randomBytes(4).toString('hex');
+            fs.writeFileSync(tmpFile, JSON.stringify(encrypted, null, 2) + '\n', { mode: 0o600 });
+            fs.renameSync(tmpFile, ENCRYPTED_FILE);
+        },
+        clearCredentials() {
+            if (fs.existsSync(ENCRYPTED_FILE)) {
+                fs.unlinkSync(ENCRYPTED_FILE);
+            }
+        },
+        hasCredentials() {
+            return fs.existsSync(ENCRYPTED_FILE);
+        },
+    };
+}
+// Export for testing
+export { ENCRYPTED_FILE, CONFIG_DIR, PBKDF2_ITERATIONS };

package/dist/lib/keychain.d.ts

@@ -0,0 +1,8 @@
+import type { CliConfig } from '../config.js';
+export interface KeychainBackend {
+    isAvailable(): Promise<boolean>;
+    getCredentials(): Promise<Partial<CliConfig>>;
+    saveCredentials(config: Partial<CliConfig>): Promise<void>;
+    clearCredentials(): Promise<void>;
+}
+export declare function createKeychainBackend(): KeychainBackend;

package/dist/lib/keychain.js

@@ -0,0 +1,82 @@
+const SERVICE_NAME = 'lifestream-vault-cli';
+const ACCOUNT_API_KEY = 'api-key';
+const ACCOUNT_API_URL = 'api-url';
+/**
+ * Dynamically loads keytar. Returns null if unavailable (not installed or
+ * native module fails to load, e.g. missing libsecret on Linux).
+ */
+async function loadKeytar() {
+    try {
+        return await import('keytar');
+    }
+    catch {
+        return null;
+    }
+}
+export function createKeychainBackend() {
+    let keytarModule;
+    async function getKeytar() {
+        if (keytarModule === undefined) {
+            keytarModule = await loadKeytar();
+        }
+        return keytarModule;
+    }
+    return {
+        async isAvailable() {
+            const kt = await getKeytar();
+            if (!kt)
+                return false;
+            // Verify we can actually use the keychain (libsecret may be missing)
+            try {
+                await kt.getPassword(SERVICE_NAME, '__probe__');
+                return true;
+            }
+            catch {
+                keytarModule = null;
+                return false;
+            }
+        },
+        async getCredentials() {
+            const kt = await getKeytar();
+            if (!kt)
+                return {};
+            const result = {};
+            try {
+                const apiKey = await kt.getPassword(SERVICE_NAME, ACCOUNT_API_KEY);
+                if (apiKey)
+                    result.apiKey = apiKey;
+                const apiUrl = await kt.getPassword(SERVICE_NAME, ACCOUNT_API_URL);
+                if (apiUrl)
+                    result.apiUrl = apiUrl;
+            }
+            catch {
+                // Keychain access failed silently
+            }
+            return result;
+        },
+        async saveCredentials(config) {
+            const kt = await getKeytar();
+            if (!kt)
+                throw new Error('Keychain is not available');
+            if (config.apiKey) {
+                await kt.setPassword(SERVICE_NAME, ACCOUNT_API_KEY, config.apiKey);
+            }
+            if (config.apiUrl) {
+                await kt.setPassword(SERVICE_NAME, ACCOUNT_API_URL, config.apiUrl);
+            }
+        },
+        async clearCredentials() {
+            const kt = await getKeytar();
+            if (!kt)
+                return;
+            try {
+                await kt.deletePassword(SERVICE_NAME, ACCOUNT_API_KEY);
+            }
+            catch { /* ignore */ }
+            try {
+                await kt.deletePassword(SERVICE_NAME, ACCOUNT_API_URL);
+            }
+            catch { /* ignore */ }
+        },
+    };
+}

package/dist/lib/migration.d.ts

@@ -0,0 +1,31 @@
+import type { CliConfig } from '../config.js';
+import type { CredentialManager } from './credential-manager.js';
+declare const CONFIG_DIR: string;
+declare const CONFIG_FILE: string;
+export interface MigrationResult {
+    migrated: boolean;
+    method: string;
+    error?: string;
+}
+/**
+ * Checks if plaintext config contains an API key that should be migrated.
+ */
+export declare function hasPlaintextCredentials(): boolean;
+/**
+ * Reads the plaintext config file.
+ */
+export declare function readPlaintextConfig(): Partial<CliConfig>;
+/**
+ * Removes the apiKey from the plaintext config, keeping other fields (apiUrl).
+ */
+export declare function removePlaintextApiKey(): void;
+/**
+ * Migrates credentials from plaintext config to secure storage.
+ */
+export declare function migrateCredentials(credentialManager: CredentialManager, promptFn?: () => Promise<boolean>): Promise<MigrationResult>;
+/**
+ * Prints migration warnings if plaintext credentials are detected.
+ * Returns true if migration was performed.
+ */
+export declare function checkAndPromptMigration(credentialManager: CredentialManager): Promise<boolean>;
+export { CONFIG_FILE, CONFIG_DIR };

package/dist/lib/migration.js

@@ -0,0 +1,92 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import chalk from 'chalk';
+const CONFIG_DIR = path.join(os.homedir(), '.lsvault');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+/**
+ * Checks if plaintext config contains an API key that should be migrated.
+ */
+export function hasPlaintextCredentials() {
+    if (!fs.existsSync(CONFIG_FILE))
+        return false;
+    try {
+        const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
+        const config = JSON.parse(raw);
+        return typeof config.apiKey === 'string' && config.apiKey.length > 0;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Reads the plaintext config file.
+ */
+export function readPlaintextConfig() {
+    if (!fs.existsSync(CONFIG_FILE))
+        return {};
+    try {
+        const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Removes the apiKey from the plaintext config, keeping other fields (apiUrl).
+ */
+export function removePlaintextApiKey() {
+    if (!fs.existsSync(CONFIG_FILE))
+        return;
+    try {
+        const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
+        const config = JSON.parse(raw);
+        delete config.apiKey;
+        fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n');
+    }
+    catch {
+        // ignore errors
+    }
+}
+/**
+ * Migrates credentials from plaintext config to secure storage.
+ */
+export async function migrateCredentials(credentialManager, promptFn) {
+    if (!hasPlaintextCredentials()) {
+        return { migrated: false, method: 'none', error: 'No plaintext credentials found' };
+    }
+    // Ask user for confirmation if prompt function provided
+    if (promptFn) {
+        const confirmed = await promptFn();
+        if (!confirmed) {
+            return { migrated: false, method: 'skipped' };
+        }
+    }
+    const plaintextConfig = readPlaintextConfig();
+    try {
+        await credentialManager.saveCredentials({
+            apiKey: plaintextConfig.apiKey,
+        });
+        // Remove apiKey from plaintext config
+        removePlaintextApiKey();
+        const method = await credentialManager.getStorageMethod();
+        return { migrated: true, method };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { migrated: false, method: 'error', error: message };
+    }
+}
+/**
+ * Prints migration warnings if plaintext credentials are detected.
+ * Returns true if migration was performed.
+ */
+export async function checkAndPromptMigration(credentialManager) {
+    if (!hasPlaintextCredentials())
+        return false;
+    console.log(chalk.yellow('\nWarning: API key found in plaintext config (~/.lsvault/config.json)'));
+    console.log(chalk.yellow('Run `lsvault auth migrate` to migrate to secure storage.\n'));
+    return false;
+}
+export { CONFIG_FILE, CONFIG_DIR };

package/dist/lib/profiles.d.ts

@@ -0,0 +1,43 @@
+export interface ProfileConfig {
+    apiUrl?: string;
+    apiKey?: string;
+    [key: string]: string | undefined;
+}
+/**
+ * Returns the path to a named profile's config file.
+ */
+export declare function getProfilePath(name: string): string;
+/**
+ * Returns the name of the currently active profile, or 'default' if none set.
+ */
+export declare function getActiveProfile(): string;
+/**
+ * Sets the active profile name.
+ */
+export declare function setActiveProfile(name: string): void;
+/**
+ * Loads a profile's configuration. Returns an empty object if the profile
+ * does not exist.
+ */
+export declare function loadProfile(name: string): ProfileConfig;
+/**
+ * Saves a value to a profile. Creates the profile directory and file if needed.
+ */
+export declare function setProfileValue(name: string, key: string, value: string): void;
+/**
+ * Gets a single value from a profile.
+ */
+export declare function getProfileValue(name: string, key: string): string | undefined;
+/**
+ * Lists all available profile names (derived from filenames in the profiles dir).
+ */
+export declare function listProfiles(): string[];
+/**
+ * Deletes a profile.
+ */
+export declare function deleteProfile(name: string): boolean;
+/**
+ * Resolves the effective profile name: explicit --profile flag takes precedence,
+ * otherwise the active profile is used.
+ */
+export declare function resolveProfileName(explicitProfile?: string): string;

package/dist/lib/profiles.js

@@ -0,0 +1,104 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+const CONFIG_DIR = path.join(os.homedir(), '.lsvault');
+const PROFILES_DIR = path.join(CONFIG_DIR, 'profiles');
+const ACTIVE_PROFILE_FILE = path.join(CONFIG_DIR, 'active-profile');
+/**
+ * Returns the path to a named profile's config file.
+ */
+export function getProfilePath(name) {
+    return path.join(PROFILES_DIR, `${name}.json`);
+}
+/**
+ * Returns the name of the currently active profile, or 'default' if none set.
+ */
+export function getActiveProfile() {
+    try {
+        if (fs.existsSync(ACTIVE_PROFILE_FILE)) {
+            return fs.readFileSync(ACTIVE_PROFILE_FILE, 'utf-8').trim() || 'default';
+        }
+    }
+    catch {
+        // Fall through
+    }
+    return 'default';
+}
+/**
+ * Sets the active profile name.
+ */
+export function setActiveProfile(name) {
+    if (!fs.existsSync(CONFIG_DIR)) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    }
+    fs.writeFileSync(ACTIVE_PROFILE_FILE, name + '\n');
+}
+/**
+ * Loads a profile's configuration. Returns an empty object if the profile
+ * does not exist.
+ */
+export function loadProfile(name) {
+    const filePath = getProfilePath(name);
+    try {
+        if (fs.existsSync(filePath)) {
+            return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+        }
+    }
+    catch {
+        // Fall through — treat as empty
+    }
+    return {};
+}
+/**
+ * Saves a value to a profile. Creates the profile directory and file if needed.
+ */
+export function setProfileValue(name, key, value) {
+    if (!fs.existsSync(PROFILES_DIR)) {
+        fs.mkdirSync(PROFILES_DIR, { recursive: true });
+    }
+    const config = loadProfile(name);
+    config[key] = value;
+    fs.writeFileSync(getProfilePath(name), JSON.stringify(config, null, 2) + '\n');
+}
+/**
+ * Gets a single value from a profile.
+ */
+export function getProfileValue(name, key) {
+    const config = loadProfile(name);
+    return config[key];
+}
+/**
+ * Lists all available profile names (derived from filenames in the profiles dir).
+ */
+export function listProfiles() {
+    try {
+        if (!fs.existsSync(PROFILES_DIR)) {
+            return [];
+        }
+        return fs.readdirSync(PROFILES_DIR)
+            .filter(f => f.endsWith('.json'))
+            .map(f => f.replace(/\.json$/, ''))
+            .sort();
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Deletes a profile.
+ */
+export function deleteProfile(name) {
+    const filePath = getProfilePath(name);
+    if (fs.existsSync(filePath)) {
+        fs.unlinkSync(filePath);
+        return true;
+    }
+    return false;
+}
+/**
+ * Resolves the effective profile name: explicit --profile flag takes precedence,
+ * otherwise the active profile is used.
+ */
+export function resolveProfileName(explicitProfile) {
+    return explicitProfile || getActiveProfile();
+}

package/dist/sync/config.d.ts

@@ -0,0 +1,32 @@
+import type { SyncConfig, CreateSyncOptions } from './types.js';
+/**
+ * Read all sync configurations from disk.
+ */
+export declare function loadSyncConfigs(): SyncConfig[];
+/**
+ * Write all sync configurations to disk.
+ */
+export declare function saveSyncConfigs(configs: SyncConfig[]): void;
+/**
+ * Find a sync config by its ID.
+ */
+export declare function getSyncConfig(id: string): SyncConfig | undefined;
+/**
+ * Find a sync config by vault ID.
+ * Returns the first match (a vault should typically only have one sync config).
+ */
+export declare function getSyncConfigByVaultId(vaultId: string): SyncConfig | undefined;
+/**
+ * Create a new sync configuration.
+ * Returns the created config with a generated ID.
+ */
+export declare function createSyncConfig(opts: CreateSyncOptions): SyncConfig;
+/**
+ * Delete a sync configuration by ID.
+ * Returns true if the config was found and deleted.
+ */
+export declare function deleteSyncConfig(id: string): boolean;
+/**
+ * Update the lastSyncAt timestamp for a sync config.
+ */
+export declare function updateLastSync(id: string, timestamp?: string): void;