@meshxdata/fops 0.0.5 → 0.0.6

package/src/plugins/bundled/fops-plugin-1password/index.js

@@ -0,0 +1,239 @@
+import fs from "node:fs";
+import path from "node:path";
+import chalk from "chalk";
+import { opVersion, opWhoami, opSignin } from "./lib/op.js";
+import { discoverTemplates } from "./lib/env.js";
+import { syncSecrets } from "./lib/sync.js";
+import { runSetupWizard } from "./lib/setup.js";
+
+/**
+ * Find the Foundation project root by walking up from cwd,
+ * looking for docker-compose.yaml + Makefile.
+ */
+function findRoot() {
+  let dir = process.cwd();
+  while (dir) {
+    const hasCompose =
+      fs.existsSync(path.join(dir, "docker-compose.yaml")) ||
+      fs.existsSync(path.join(dir, "docker-compose.yml"));
+    if (hasCompose && fs.existsSync(path.join(dir, "Makefile"))) return dir;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+export function register(api) {
+  const config = api.config;
+
+  // ── Command: fops 1password ────────────────────────
+  api.registerCommand((program) => {
+    const cmd = program
+      .command("1password")
+      .alias("1p")
+      .description("Manage secrets with 1Password");
+
+    // fops 1password setup
+    cmd
+      .command("setup")
+      .description("Interactive setup wizard for 1Password integration")
+      .action(async () => {
+        const root = findRoot();
+        if (!root) {
+          console.log(chalk.red("Not a Foundation project. Run from foundation-compose directory."));
+          process.exit(1);
+        }
+        await runSetupWizard(root);
+      });
+
+    // fops 1password sync
+    cmd
+      .command("sync")
+      .description("Pull secrets from 1Password into .env files")
+      .action(async () => {
+        const root = findRoot();
+        if (!root) {
+          console.log(chalk.red("Not a Foundation project. Run from foundation-compose directory."));
+          process.exit(1);
+        }
+        console.log(chalk.bold.cyan("\n  1Password Sync\n"));
+
+        const whoami = await opWhoami();
+        if (!whoami.authenticated) {
+          console.log(chalk.red("  Not signed in to 1Password. Run: fops 1password setup"));
+          process.exit(1);
+        }
+
+        const { synced, errors } = await syncSecrets(root);
+        console.log("");
+        if (errors.length > 0) {
+          console.log(chalk.yellow(`  ${synced} synced, ${errors.length} error(s)`));
+          process.exit(1);
+        } else if (synced > 0) {
+          console.log(chalk.green(`  Done — ${synced} file(s) synced.`));
+        } else {
+          console.log(chalk.dim("  Nothing to sync."));
+        }
+        console.log("");
+      });
+
+    // fops 1password status
+    cmd
+      .command("status")
+      .description("Show 1Password integration status")
+      .action(async () => {
+        console.log(chalk.bold.cyan("\n  1Password Status\n"));
+
+        // op CLI version
+        const version = await opVersion();
+        if (version) {
+          console.log(chalk.green(`  ✓ op CLI v${version}`));
+        } else {
+          console.log(chalk.red("  ✗ op CLI not installed"));
+        }
+
+        // Auth status
+        const whoami = await opWhoami();
+        if (whoami.authenticated) {
+          console.log(chalk.green(`  ✓ Signed in as ${whoami.email}`));
+        } else {
+          console.log(chalk.yellow("  ⚠ Not signed in"));
+        }
+
+        // Config
+        if (config.defaultVault) {
+          console.log(chalk.green(`  ✓ Default vault: ${config.defaultVault}`));
+        } else {
+          console.log(chalk.dim("  · No default vault configured"));
+        }
+        console.log(chalk.dim(`  · Auto-sync: ${config.autoSync ? "enabled" : "disabled"}`));
+
+        // Templates
+        const root = findRoot();
+        if (root) {
+          const templates = discoverTemplates(root);
+          if (templates.length > 0) {
+            console.log(chalk.green(`  ✓ ${templates.length} template(s) found:`));
+            for (const t of templates) {
+              const rel = t.dir === root ? "." : t.dir.replace(root + "/", "");
+              console.log(chalk.dim(`    · ${rel}/.env.1password`));
+            }
+          } else {
+            console.log(chalk.yellow("  ⚠ No .env.1password templates found"));
+          }
+        }
+        console.log("");
+      });
+  });
+
+  // ── Doctor check ───────────────────────────────────
+  api.registerDoctorCheck({
+    name: "1Password CLI",
+    fn: async (ok, warn, fail) => {
+      const version = await opVersion();
+      if (!version) {
+        warn("1Password CLI (op) not installed", "optional — run: brew install --cask 1password-cli");
+        return;
+      }
+      ok(`1Password CLI v${version}`);
+
+      const whoami = await opWhoami();
+      if (whoami.authenticated) {
+        ok(`1Password signed in`, whoami.email);
+      } else if (whoami.hasAccount) {
+        ok(`1Password configured`, `${whoami.email} — session will unlock on next use`);
+      } else {
+        warn("1Password not signed in", "enable CLI integration in 1Password app", async () => {
+          await opSignin();
+        });
+      }
+    },
+  });
+
+  // ── Hook: before:up — auto-sync secrets ────────────
+  api.registerHook("before:up", async () => {
+    if (!config.autoSync) return;
+
+    const root = findRoot();
+    if (!root) return;
+
+    const templates = discoverTemplates(root);
+    if (templates.length === 0) return;
+
+    const whoami = await opWhoami();
+    if (!whoami.authenticated) {
+      console.log(chalk.yellow("  ⚠ 1Password: not signed in — skipping secret sync"));
+      return;
+    }
+
+    console.log(chalk.blue("  1Password: syncing secrets..."));
+    const { errors } = await syncSecrets(root);
+    if (errors.length > 0) {
+      console.log(chalk.yellow(`  ⚠ 1Password: ${errors.length} sync error(s) — check with: fops 1password status`));
+    }
+  });
+
+  // ── Hook: after:setup — remind about 1password ─────
+  api.registerHook("after:setup", async () => {
+    const root = findRoot();
+    if (!root) return;
+
+    const templates = discoverTemplates(root);
+    if (templates.length > 0) {
+      const whoami = await opWhoami();
+      if (whoami.authenticated) {
+        console.log(chalk.blue("\n  1Password templates detected — syncing secrets..."));
+        await syncSecrets(root);
+      } else {
+        console.log(chalk.yellow("\n  1Password templates found. Run: fops 1password setup"));
+      }
+    }
+  });
+
+  // ── Knowledge source ───────────────────────────────
+  api.registerKnowledgeSource({
+    name: "1Password Secrets",
+    description: "1Password integration for .env secret injection",
+    search(query) {
+      const keywords = ["1password", "op://", "secret", "vault", ".env.1password", "op inject"];
+      const q = query.toLowerCase();
+      const match = keywords.some((kw) => q.includes(kw));
+      if (!match) return [];
+
+      return [
+        {
+          title: "1Password Plugin",
+          content: [
+            "## 1Password Secret Sync",
+            "",
+            "The 1Password plugin resolves `op://` secret references from `.env.1password` templates into `.env` files.",
+            "",
+            "### Commands",
+            "- `fops 1password setup` — Interactive wizard: install op CLI, sign in, pick vault, scaffold templates",
+            "- `fops 1password sync` — Pull secrets from 1Password and merge into .env files",
+            "- `fops 1password status` — Show op version, auth status, vault, discovered templates",
+            "- `fops 1p ...` — Shorthand alias",
+            "",
+            "### Template Format (.env.1password)",
+            "```",
+            "BEARER_TOKEN=op://Foundation/auth0-dev/bearer-token",
+            "DB_PASSWORD=op://Foundation/postgres-dev/password",
+            "```",
+            "",
+            "### Config (~/.fops.json)",
+            "```json",
+            '{ "plugins": { "entries": { "fops-plugin-1password": { "config": { "defaultVault": "Foundation", "autoSync": true } } } } }',
+            "```",
+            "",
+            "### Troubleshooting",
+            "- `op signin` — Sign in to 1Password",
+            "- `op whoami` — Check auth status",
+            "- Ensure the op:// vault/item/field path matches your 1Password items",
+          ].join("\n"),
+          score: 0.9,
+        },
+      ];
+    },
+  });
+}

package/src/plugins/bundled/fops-plugin-1password/lib/env.js

@@ -0,0 +1,100 @@
+import fs from "node:fs";
+import path from "node:path";
+
+/**
+ * Parse a .env file content string into a Map of key→value pairs.
+ * Skips blank lines and comments.
+ */
+export function parseEnv(content) {
+  const env = new Map();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const idx = trimmed.indexOf("=");
+    if (idx === -1) continue;
+    const key = trimmed.slice(0, idx).trim();
+    const value = trimmed.slice(idx + 1).trim();
+    env.set(key, value);
+  }
+  return env;
+}
+
+/**
+ * Merge resolved secrets into an existing .env file content string.
+ * - Overwrites matching keys in-place
+ * - Appends new keys at the end under a 1Password section header
+ * - Preserves comments, blank lines, and ordering
+ */
+export function mergeEnv(existingContent, secrets) {
+  if (!secrets || secrets.size === 0) return existingContent;
+
+  const remaining = new Map(secrets);
+  const lines = existingContent.split("\n");
+  const result = [];
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      result.push(line);
+      continue;
+    }
+    const idx = trimmed.indexOf("=");
+    if (idx === -1) {
+      result.push(line);
+      continue;
+    }
+    const key = trimmed.slice(0, idx).trim();
+    if (remaining.has(key)) {
+      result.push(`${key}=${remaining.get(key)}`);
+      remaining.delete(key);
+    } else {
+      result.push(line);
+    }
+  }
+
+  // Append any new keys not already in the file
+  if (remaining.size > 0) {
+    result.push("");
+    result.push("# 1Password secrets (auto-synced)");
+    for (const [key, value] of remaining) {
+      result.push(`${key}=${value}`);
+    }
+  }
+
+  return result.join("\n");
+}
+
+/**
+ * Discover .env.1password template files in a project root.
+ * Scans root and immediate subdirectories.
+ * Returns array of { templatePath, envPath, dir }.
+ */
+export function discoverTemplates(root) {
+  const templates = [];
+
+  function checkDir(dir) {
+    const templatePath = path.join(dir, ".env.1password");
+    if (fs.existsSync(templatePath)) {
+      templates.push({
+        templatePath,
+        envPath: path.join(dir, ".env"),
+        dir,
+      });
+    }
+  }
+
+  checkDir(root);
+
+  try {
+    const entries = fs.readdirSync(root, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      if (entry.name.startsWith(".") || entry.name === "node_modules") continue;
+      checkDir(path.join(root, entry.name));
+    }
+  } catch {
+    // ignore read errors
+  }
+
+  return templates;
+}

package/src/plugins/bundled/fops-plugin-1password/lib/op.js

@@ -0,0 +1,111 @@
+import { execa } from "execa";
+
+/**
+ * Get the installed op CLI version.
+ * Returns version string or null if not installed.
+ */
+export async function opVersion() {
+  try {
+    const { stdout } = await execa("op", ["--version"], { timeout: 5000 });
+    return stdout.trim() || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check current 1Password auth status.
+ * Returns { authenticated: true, email, account }
+ *      or { authenticated: false, hasAccount: true/false }.
+ *
+ * `hasAccount: true` means an account is configured but the session needs
+ * a biometric/unlock prompt — this is normal and not a real error.
+ */
+export async function opWhoami() {
+  try {
+    const { stdout } = await execa("op", ["whoami", "--format", "json"], { timeout: 10000 });
+    const info = JSON.parse(stdout);
+    return {
+      authenticated: true,
+      email: info.email || info.user_email || "",
+      account: info.url || info.account || "",
+    };
+  } catch {
+    // whoami failed — check if an account is at least configured
+    try {
+      const { stdout } = await execa("op", ["account", "list", "--format", "json"], { timeout: 5000 });
+      const accounts = JSON.parse(stdout);
+      if (accounts.length > 0) {
+        return {
+          authenticated: false,
+          hasAccount: true,
+          email: accounts[0].email || "",
+          account: accounts[0].url || "",
+        };
+      }
+    } catch {}
+    return { authenticated: false, hasAccount: false, email: "", account: "" };
+  }
+}
+
+/**
+ * Run `op inject` with a template string as stdin.
+ * Resolves op:// references and returns the output with real values.
+ */
+export async function opInject(template) {
+  const { stdout } = await execa("op", ["inject"], {
+    input: template,
+    timeout: 30000,
+  });
+  return stdout;
+}
+
+/**
+ * List available 1Password vaults.
+ * Returns array of { id, name }.
+ */
+export async function opListVaults() {
+  const { stdout } = await execa("op", ["vault", "list", "--format", "json"], { timeout: 10000 });
+  const vaults = JSON.parse(stdout);
+  return vaults.map((v) => ({ id: v.id, name: v.name }));
+}
+
+/**
+ * Trigger 1Password sign-in.
+ * First tries biometric unlock via desktop app integration.
+ * If that fails, opens 1Password developer settings and waits for user to enable CLI integration.
+ */
+export async function opSignin() {
+  // Try biometric/app integration first
+  try {
+    await execa("op", ["signin", "-f"], {
+      env: { ...process.env, OP_BIOMETRIC_UNLOCK_ENABLED: "true" },
+      timeout: 10000,
+    });
+    // Check if it actually worked
+    const check = await execa("op", ["whoami", "--format", "json"], {
+      env: { ...process.env, OP_BIOMETRIC_UNLOCK_ENABLED: "true" },
+      reject: false, timeout: 5000,
+    });
+    if (check.exitCode === 0) return;
+  } catch {}
+
+  // Desktop app integration not enabled — open settings and wait
+  if (process.platform === "darwin") {
+    console.log("  Opening 1Password Developer settings...");
+    console.log("  Enable \"Integrate with 1Password CLI\", then come back.\n");
+    await execa("open", ["onepassword://settings/developer"], { reject: false, timeout: 5000 });
+
+    // Poll until the user enables it (up to 60s)
+    const deadline = Date.now() + 60_000;
+    while (Date.now() < deadline) {
+      await new Promise((r) => setTimeout(r, 2000));
+      try {
+        const { exitCode } = await execa("op", ["whoami"], { reject: false, timeout: 5000 });
+        if (exitCode === 0) return;
+      } catch {}
+    }
+  }
+
+  throw new Error("1Password CLI integration not enabled");
+}

package/src/plugins/bundled/fops-plugin-1password/lib/setup.js

@@ -0,0 +1,235 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import chalk from "chalk";
+import inquirer from "inquirer";
+import { opVersion, opWhoami, opSignin, opListVaults } from "./op.js";
+import { discoverTemplates } from "./env.js";
+
+// Patterns that indicate a key is likely a secret
+const SECRET_PATTERNS = [
+  /password/i, /secret/i, /token/i, /key/i, /bearer/i,
+  /credential/i, /auth/i, /api_key/i, /apikey/i,
+];
+
+function isSecretKey(key) {
+  return SECRET_PATTERNS.some((p) => p.test(key));
+}
+
+/**
+ * Read ~/.fops.json config (full file).
+ */
+function readFopsConfig() {
+  const configPath = path.join(os.homedir(), ".fops.json");
+  try {
+    if (fs.existsSync(configPath)) {
+      return JSON.parse(fs.readFileSync(configPath, "utf8"));
+    }
+  } catch {
+    // ignore
+  }
+  return {};
+}
+
+/**
+ * Save ~/.fops.json config (merge into existing).
+ */
+function saveFopsConfig(updates) {
+  const configPath = path.join(os.homedir(), ".fops.json");
+  const existing = readFopsConfig();
+  const merged = { ...existing, ...updates };
+  // Deep merge plugins.entries
+  if (updates.plugins) {
+    merged.plugins = { ...existing.plugins, ...updates.plugins };
+    merged.plugins.entries = {
+      ...existing?.plugins?.entries,
+      ...updates.plugins.entries,
+    };
+  }
+  fs.writeFileSync(configPath, JSON.stringify(merged, null, 2) + "\n");
+}
+
+async function ask(message, defaultValue = true) {
+  const { answer } = await inquirer.prompt([{
+    type: "confirm", name: "answer", message, default: defaultValue,
+  }]);
+  return answer;
+}
+
+async function choose(message, choices) {
+  const { answer } = await inquirer.prompt([{
+    type: "list", name: "answer", message, choices,
+  }]);
+  return answer;
+}
+
+/**
+ * Interactive setup wizard for the 1Password plugin.
+ */
+export async function runSetupWizard(root) {
+  console.log(chalk.bold.cyan("\n  1Password Plugin Setup\n"));
+
+  // Step 1: Check op CLI
+  console.log(chalk.dim("  Checking 1Password CLI..."));
+  let version = await opVersion();
+  if (!version) {
+    console.log(chalk.red("  ✗ 1Password CLI (op) not found."));
+    const install = await ask("Install via Homebrew?", true);
+    if (install) {
+      console.log(chalk.cyan("  ▶ brew install --cask 1password-cli"));
+      const { execa: execaFn } = await import("execa");
+      try {
+        await execaFn("brew", ["install", "--cask", "1password-cli"], { stdio: "inherit", timeout: 120000 });
+        version = await opVersion();
+      } catch (err) {
+        console.log(chalk.red(`  Install failed: ${err.message}`));
+        console.log(chalk.dim("  Install manually: https://developer.1password.com/docs/cli/get-started/"));
+        return;
+      }
+    } else {
+      console.log(chalk.dim("  Install manually: https://developer.1password.com/docs/cli/get-started/"));
+      return;
+    }
+  }
+  console.log(chalk.green(`  ✓ op CLI v${version}`));
+
+  // Step 2: Sign in automatically
+  console.log(chalk.dim("\n  Checking authentication..."));
+  let whoami = await opWhoami();
+  if (!whoami.authenticated) {
+    console.log(chalk.yellow("  Not signed in to 1Password. Signing in..."));
+    try {
+      await opSignin();
+      whoami = await opWhoami();
+    } catch {
+      console.log(chalk.red("  Sign-in failed. Enable CLI integration in 1Password > Settings > Developer"));
+      return;
+    }
+  }
+  if (whoami.authenticated) {
+    console.log(chalk.green(`  ✓ Signed in as ${whoami.email}`));
+  }
+
+  // Step 3: Pick vault
+  console.log(chalk.dim("\n  Loading vaults..."));
+  let vaults;
+  try {
+    vaults = await opListVaults();
+  } catch (err) {
+    console.log(chalk.red(`  Could not list vaults: ${err.message}`));
+    return;
+  }
+
+  if (vaults.length === 0) {
+    console.log(chalk.yellow("  No vaults found."));
+    return;
+  }
+
+  let defaultVault;
+  if (vaults.length === 1) {
+    defaultVault = vaults[0].name;
+    console.log(chalk.green(`  ✓ Using vault: ${defaultVault}`));
+  } else {
+    const choices = vaults.map((v) => ({ name: v.name, value: v.name }));
+    defaultVault = await choose("Select default vault for secrets:", choices);
+    console.log(chalk.green(`  ✓ Vault: ${defaultVault}`));
+  }
+
+  // Step 4: Auto-sync preference
+  const autoSync = await ask("Auto-sync secrets before `fops up`?", true);
+
+  // Step 5: Scaffold .env.1password templates
+  console.log(chalk.dim("\n  Scanning for .env.example files..."));
+  const existingTemplates = discoverTemplates(root);
+  const existingTemplateDirs = new Set(existingTemplates.map((t) => t.dir));
+
+  let scaffolded = 0;
+  const exampleFiles = findEnvExamples(root);
+  for (const { examplePath, dir } of exampleFiles) {
+    if (existingTemplateDirs.has(dir)) continue; // already has template
+
+    const content = fs.readFileSync(examplePath, "utf8");
+    const secretLines = [];
+    for (const line of content.split("\n")) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith("#")) continue;
+      const idx = trimmed.indexOf("=");
+      if (idx === -1) continue;
+      const key = trimmed.slice(0, idx).trim();
+      const value = trimmed.slice(idx + 1).trim();
+      // Only include keys that look like secrets and have empty/placeholder values
+      if (isSecretKey(key) && (!value || value === '""' || value === "''")) {
+        secretLines.push(`${key}=op://${defaultVault}/ITEM_NAME/${key.toLowerCase()}`);
+      }
+    }
+
+    if (secretLines.length > 0) {
+      const relDir = dir === root ? "." : dir.replace(root + "/", "");
+      const scaffold = await ask(`Scaffold ${relDir}/.env.1password (${secretLines.length} secrets)?`, true);
+      if (scaffold) {
+        const templateContent = [
+          "# 1Password secret references — edit op:// paths to match your vault items",
+          `# Format: KEY=op://<vault>/<item>/<field>`,
+          "",
+          ...secretLines,
+          "",
+        ].join("\n");
+        fs.writeFileSync(path.join(dir, ".env.1password"), templateContent);
+        console.log(chalk.green(`  ✓ Created ${relDir}/.env.1password`));
+        scaffolded++;
+      }
+    }
+  }
+
+  if (scaffolded === 0 && existingTemplates.length === 0) {
+    console.log(chalk.dim("  No secret-looking keys found in .env.example files."));
+  }
+
+  // Step 6: Save config
+  saveFopsConfig({
+    plugins: {
+      entries: {
+        "fops-plugin-1password": {
+          enabled: true,
+          config: {
+            defaultVault,
+            autoSync,
+          },
+        },
+      },
+    },
+  });
+  console.log(chalk.green("\n  ✓ Config saved to ~/.fops.json"));
+  console.log(chalk.dim(`    defaultVault: ${defaultVault}`));
+  console.log(chalk.dim(`    autoSync: ${autoSync}`));
+  console.log(chalk.bold.green("\n  Setup complete! Run: fops 1password sync\n"));
+}
+
+/**
+ * Find .env.example files in root + immediate subdirectories.
+ */
+function findEnvExamples(root) {
+  const results = [];
+
+  function checkDir(dir) {
+    const examplePath = path.join(dir, ".env.example");
+    if (fs.existsSync(examplePath)) {
+      results.push({ examplePath, dir });
+    }
+  }
+
+  checkDir(root);
+
+  try {
+    const entries = fs.readdirSync(root, { withFileTypes: true });
+    for (const entry of entries) {
+      if (!entry.isDirectory()) continue;
+      if (entry.name.startsWith(".") || entry.name === "node_modules") continue;
+      checkDir(path.join(root, entry.name));
+    }
+  } catch {
+    // ignore
+  }
+
+  return results;
+}