@skillrecordings/cli 0.1.0 → 0.2.1

package/src/commands/auth/decrypt.ts

@@ -1,123 +0,0 @@
-import path from 'path'
-import fs from 'fs/promises'
-import { decrypt } from '../../lib/crypto'
-import { isServiceAccountConfigured, readSecret } from '../../lib/onepassword'
-
-interface DecryptOptions {
-  output?: string
-  identity?: string
-  json?: boolean
-}
-
-/**
- * Decrypt a file with an age private key
- * @param input - Path to encrypted file (.age)
- * @param options - Command options
- */
-export async function decryptAction(
-  input: string,
-  options: DecryptOptions
-): Promise<void> {
-  try {
-    // Resolve identity key using priority: --identity flag > AGE_SECRET_KEY env > 1Password
-    let privateKey: string | undefined
-
-    if (options.identity) {
-      // If starts with AGE-SECRET-KEY, use directly
-      if (options.identity.startsWith('AGE-SECRET-KEY-')) {
-        privateKey = options.identity
-      }
-      // If starts with op://, use 1Password
-      else if (options.identity.startsWith('op://')) {
-        if (isServiceAccountConfigured()) {
-          privateKey = await readSecret(options.identity)
-        } else {
-          const error =
-            '1Password reference provided but OP_SERVICE_ACCOUNT_TOKEN not set'
-          if (options.json) {
-            console.log(JSON.stringify({ success: false, error }))
-          } else {
-            console.error(`Error: ${error}`)
-          }
-          process.exit(1)
-        }
-      }
-      // Otherwise treat as file path
-      else {
-        privateKey = (await fs.readFile(options.identity, 'utf-8')).trim()
-      }
-    }
-
-    // Fall back to AGE_SECRET_KEY env var
-    if (!privateKey) {
-      privateKey = process.env.AGE_SECRET_KEY
-    }
-
-    if (!privateKey) {
-      const error =
-        'No private key specified. Use --identity <key|file|op://ref> or set AGE_SECRET_KEY environment variable.'
-      if (options.json) {
-        console.log(JSON.stringify({ success: false, error }))
-      } else {
-        console.error(`Error: ${error}`)
-      }
-      process.exit(1)
-    }
-
-    // Validate private key format
-    if (!privateKey.startsWith('AGE-SECRET-KEY-')) {
-      const error = `Invalid private key format. Expected AGE-SECRET-KEY-1..., got: ${privateKey.slice(0, 15)}...`
-      if (options.json) {
-        console.log(JSON.stringify({ success: false, error }))
-      } else {
-        console.error(`Error: ${error}`)
-      }
-      process.exit(1)
-    }
-
-    // Read encrypted file
-    const encryptedData = await fs.readFile(input)
-
-    // Decrypt
-    const decrypted = await decrypt(encryptedData, privateKey)
-
-    // Determine output
-    if (options.output) {
-      // Write to file
-      await fs.writeFile(options.output, decrypted, 'utf-8')
-
-      if (options.json) {
-        console.log(
-          JSON.stringify({
-            success: true,
-            input: path.resolve(input),
-            output: path.resolve(options.output),
-          })
-        )
-      } else {
-        console.log(`✓ Decrypted ${input} → ${options.output}`)
-      }
-    } else {
-      // Write to stdout
-      if (options.json) {
-        console.log(
-          JSON.stringify({
-            success: true,
-            input: path.resolve(input),
-            content: decrypted,
-          })
-        )
-      } else {
-        console.log(decrypted)
-      }
-    }
-  } catch (err) {
-    const error = err instanceof Error ? err.message : String(err)
-    if (options.json) {
-      console.log(JSON.stringify({ success: false, error }))
-    } else {
-      console.error(`Error: ${error}`)
-    }
-    process.exit(1)
-  }
-}

package/src/commands/auth/encrypt.ts

@@ -1,81 +0,0 @@
-import path from 'path'
-import fs from 'fs/promises'
-import { encrypt } from '../../lib/crypto'
-
-interface EncryptOptions {
-  output?: string
-  recipient?: string
-  json?: boolean
-}
-
-/**
- * Encrypt a file with an age public key
- * @param input - Path to input file
- * @param options - Command options
- */
-export async function encryptAction(
-  input: string,
-  options: EncryptOptions
-): Promise<void> {
-  try {
-    // Get recipient key from --recipient or AGE_PUBLIC_KEY env
-    const recipientKey = options.recipient || process.env.AGE_PUBLIC_KEY
-
-    if (!recipientKey) {
-      const error =
-        'No recipient key specified. Use --recipient or set AGE_PUBLIC_KEY environment variable.'
-      if (options.json) {
-        console.log(JSON.stringify({ success: false, error }))
-      } else {
-        console.error(`Error: ${error}`)
-      }
-      process.exit(1)
-    }
-
-    // Validate recipient key format (age1...)
-    if (!recipientKey.startsWith('age1')) {
-      const error = `Invalid recipient key format. Expected age1..., got: ${recipientKey.slice(0, 10)}...`
-      if (options.json) {
-        console.log(JSON.stringify({ success: false, error }))
-      } else {
-        console.error(`Error: ${error}`)
-      }
-      process.exit(1)
-    }
-
-    // Read input file
-    const data = await fs.readFile(input, 'utf-8')
-
-    // Encrypt
-    const encrypted = await encrypt(data, recipientKey)
-
-    // Determine output path
-    const outputPath = options.output || `${input}.age`
-
-    // Write encrypted data
-    await fs.writeFile(outputPath, encrypted)
-
-    // Output success
-    if (options.json) {
-      console.log(
-        JSON.stringify({
-          success: true,
-          input: path.resolve(input),
-          output: path.resolve(outputPath),
-          recipientKey: recipientKey.slice(0, 10) + '...',
-        })
-      )
-    } else {
-      console.log(`✓ Encrypted ${input} → ${outputPath}`)
-      console.log(`  Recipient: ${recipientKey.slice(0, 10)}...`)
-    }
-  } catch (err) {
-    const error = err instanceof Error ? err.message : String(err)
-    if (options.json) {
-      console.log(JSON.stringify({ success: false, error }))
-    } else {
-      console.error(`Error: ${error}`)
-    }
-    process.exit(1)
-  }
-}

package/src/commands/auth/index.ts

@@ -1,50 +0,0 @@
-import type { Command } from 'commander'
-import { decryptAction } from './decrypt'
-import { encryptAction } from './encrypt'
-import { keygen } from './keygen'
-import { statusAction } from './status'
-
-/**
- * Register auth commands with Commander
- */
-export function registerAuthCommands(program: Command): void {
-  const auth = program
-    .command('auth')
-    .description('Manage encrypted secrets for CLI distribution')
-
-  auth
-    .command('keygen')
-    .description('Generate age keypair for encryption')
-    .option('--output <path>', 'Write keypair to file')
-    .option('--json', 'Output as JSON')
-    .action(async (options) => {
-      await keygen(options)
-    })
-
-  auth
-    .command('encrypt')
-    .description('Encrypt a file with age public key')
-    .argument('<input>', 'Input file path')
-    .option('--output <path>', 'Output file path (default: <input>.age)')
-    .option('--recipient <key>', 'Age public key (or read from AGE_PUBLIC_KEY)')
-    .option('--json', 'Output as JSON')
-    .action(encryptAction)
-
-  auth
-    .command('decrypt')
-    .description('Decrypt a file with age private key')
-    .argument('<input>', 'Input file path (.age)')
-    .option('--output <path>', 'Output file path (default: stdout)')
-    .option(
-      '--identity <key>',
-      'Age private key, file path, or 1Password ref (op://...)'
-    )
-    .option('--json', 'Output as JSON')
-    .action(decryptAction)
-
-  auth
-    .command('status')
-    .description('Check encryption setup status')
-    .option('--json', 'Output as JSON')
-    .action(statusAction)
-}

package/src/commands/auth/keygen.ts

@@ -1,41 +0,0 @@
-import { writeFileSync } from 'fs'
-import { generateKeypair } from '../../lib/crypto'
-
-interface KeygenOptions {
-  json?: boolean
-  output?: string
-}
-
-/**
- * Generate age keypair for encryption
- */
-export async function keygen(options: KeygenOptions = {}) {
-  const { publicKey, privateKey } = await generateKeypair()
-
-  if (options.json) {
-    // JSON output mode
-    console.log(JSON.stringify({ publicKey, privateKey }, null, 2))
-  } else if (options.output) {
-    // Write to file
-    const content = `# Age keypair generated by skill CLI
-# Public key (share this):
-${publicKey}
-
-# Private key (KEEP SECRET):
-${privateKey}
-`
-    writeFileSync(options.output, content, 'utf-8')
-    console.log(`Keypair written to ${options.output}`)
-    console.error(
-      `\n⚠️  WARNING: Private key written to disk. Keep ${options.output} secure!`
-    )
-  } else {
-    // Normal mode: public to stdout, private to stderr with warning
-    console.log(publicKey)
-    console.error('\n⚠️  Private key (KEEP SECRET):')
-    console.error(privateKey)
-    console.error(
-      '\n⚠️  Store this private key securely. Anyone with it can decrypt your data.'
-    )
-  }
-}

package/src/commands/auth/status.ts

@@ -1,164 +0,0 @@
-import fs from 'node:fs/promises'
-import path from 'node:path'
-import { isServiceAccountConfigured } from '../../lib/onepassword.js'
-
-interface StatusOptions {
-  json?: boolean
-}
-
-interface AuthStatus {
-  envLocal: {
-    exists: boolean
-    path: string
-  }
-  envEncrypted: {
-    exists: boolean
-    path: string
-  }
-  ageSecretKey: {
-    configured: boolean
-    masked?: string
-  }
-  opServiceAccountToken: {
-    configured: boolean
-  }
-  envSource: 'local' | 'encrypted' | 'none'
-}
-
-/**
- * Check if a file exists
- */
-async function fileExists(filePath: string): Promise<boolean> {
-  try {
-    await fs.access(filePath)
-    return true
-  } catch {
-    return false
-  }
-}
-
-/**
- * Mask AGE secret key for display
- * Shows AGE-SECRET-KEY-1XXX...XXX format
- */
-function maskAgeKey(key: string): string {
-  if (!key.startsWith('AGE-SECRET-KEY-1')) {
-    return 'INVALID_FORMAT'
-  }
-  const prefix = key.slice(0, 19) // AGE-SECRET-KEY-1XXX
-  const suffix = key.slice(-3) // XXX
-  return `${prefix}...${suffix}`
-}
-
-/**
- * Determine which env source would be used based on priority
- */
-function determineEnvSource(
-  localExists: boolean,
-  encryptedExists: boolean,
-  ageKeyConfigured: boolean
-): 'local' | 'encrypted' | 'none' {
-  // Priority from env-loader.ts:
-  // 1. Local .env files
-  // 2. Encrypted .env.encrypted (if AGE_SECRET_KEY is set)
-  // 3. None
-
-  if (localExists) {
-    return 'local'
-  }
-
-  if (encryptedExists && ageKeyConfigured) {
-    return 'encrypted'
-  }
-
-  return 'none'
-}
-
-/**
- * Check auth configuration status
- */
-export async function statusAction(options: StatusOptions): Promise<void> {
-  const cliDir = path.resolve(import.meta.dirname, '../../..')
-
-  // Check .env.local
-  const envLocalPath = path.join(cliDir, '.env.local')
-  const envLocalExists = await fileExists(envLocalPath)
-
-  // Check .env.encrypted
-  const envEncryptedPath = path.join(cliDir, '.env.encrypted')
-  const envEncryptedExists = await fileExists(envEncryptedPath)
-
-  // Check AGE_SECRET_KEY
-  const ageSecretKey = process.env.AGE_SECRET_KEY
-  const ageKeyConfigured = Boolean(ageSecretKey)
-
-  // Check OP_SERVICE_ACCOUNT_TOKEN
-  const opConfigured = isServiceAccountConfigured()
-
-  // Determine env source
-  const envSource = determineEnvSource(
-    envLocalExists,
-    envEncryptedExists,
-    ageKeyConfigured
-  )
-
-  const status: AuthStatus = {
-    envLocal: {
-      exists: envLocalExists,
-      path: envLocalPath,
-    },
-    envEncrypted: {
-      exists: envEncryptedExists,
-      path: envEncryptedPath,
-    },
-    ageSecretKey: {
-      configured: ageKeyConfigured,
-      masked:
-        ageKeyConfigured && ageSecretKey ? maskAgeKey(ageSecretKey) : undefined,
-    },
-    opServiceAccountToken: {
-      configured: opConfigured,
-    },
-    envSource,
-  }
-
-  if (options.json) {
-    console.log(JSON.stringify(status, null, 2))
-    return
-  }
-
-  // Human-readable output
-  console.log('Auth Configuration Status\n')
-
-  console.log('Environment Files:')
-  console.log(
-    `  .env.local:     ${envLocalExists ? '✓' : '✗'} ${envLocalExists ? '(exists)' : '(not found)'}`
-  )
-  console.log(`    Path: ${envLocalPath}`)
-  console.log(
-    `  .env.encrypted: ${envEncryptedExists ? '✓' : '✗'} ${envEncryptedExists ? '(exists)' : '(not found)'}`
-  )
-  console.log(`    Path: ${envEncryptedPath}`)
-
-  console.log('\nEnvironment Variables:')
-  console.log(
-    `  AGE_SECRET_KEY:           ${ageKeyConfigured ? '✓' : '✗'} ${ageKeyConfigured ? `(${status.ageSecretKey.masked})` : '(not set)'}`
-  )
-  console.log(
-    `  OP_SERVICE_ACCOUNT_TOKEN: ${opConfigured ? '✓' : '✗'} ${opConfigured ? '(configured)' : '(not set)'}`
-  )
-
-  console.log('\nEnv Source Priority:')
-  if (envSource === 'local') {
-    console.log('  → Using local .env.local file')
-  } else if (envSource === 'encrypted') {
-    console.log('  → Using encrypted .env.encrypted file')
-  } else {
-    console.log('  → No env source available')
-    console.log('\n⚠ No environment configuration found.')
-    console.log('\nOptions:')
-    console.log('  1. Create .env.local with your secrets')
-    console.log('  2. Use encrypted .env.encrypted (requires AGE_SECRET_KEY)')
-    console.log('\nSee docs/ENV.md for setup instructions.')
-  }
-}