@skillrecordings/cli 0.1.0

package/src/check-apps.ts

@@ -0,0 +1,16 @@
+import '../preload'
+import { database, AppsTable } from '@skillrecordings/database'
+
+async function main() {
+  const apps = await database.select().from(AppsTable)
+  console.log('\n📦 Registered Apps:\n')
+  for (const app of apps) {
+    console.log(`  ${app.slug} (${app.name})`)
+    console.log(`    Instructor: ${app.instructor_teammate_id || '❌ NOT SET'}`)
+    console.log(`    Front Inbox: ${app.front_inbox_id}`)
+    console.log(`    Capabilities: ${JSON.stringify(app.capabilities)}`)
+    console.log()
+  }
+  process.exit(0)
+}
+main()

package/src/commands/auth/decrypt.ts

@@ -0,0 +1,123 @@
+import path from 'path'
+import fs from 'fs/promises'
+import { decrypt } from '../../lib/crypto'
+import { isServiceAccountConfigured, readSecret } from '../../lib/onepassword'
+
+interface DecryptOptions {
+  output?: string
+  identity?: string
+  json?: boolean
+}
+
+/**
+ * Decrypt a file with an age private key
+ * @param input - Path to encrypted file (.age)
+ * @param options - Command options
+ */
+export async function decryptAction(
+  input: string,
+  options: DecryptOptions
+): Promise<void> {
+  try {
+    // Resolve identity key using priority: --identity flag > AGE_SECRET_KEY env > 1Password
+    let privateKey: string | undefined
+
+    if (options.identity) {
+      // If starts with AGE-SECRET-KEY, use directly
+      if (options.identity.startsWith('AGE-SECRET-KEY-')) {
+        privateKey = options.identity
+      }
+      // If starts with op://, use 1Password
+      else if (options.identity.startsWith('op://')) {
+        if (isServiceAccountConfigured()) {
+          privateKey = await readSecret(options.identity)
+        } else {
+          const error =
+            '1Password reference provided but OP_SERVICE_ACCOUNT_TOKEN not set'
+          if (options.json) {
+            console.log(JSON.stringify({ success: false, error }))
+          } else {
+            console.error(`Error: ${error}`)
+          }
+          process.exit(1)
+        }
+      }
+      // Otherwise treat as file path
+      else {
+        privateKey = (await fs.readFile(options.identity, 'utf-8')).trim()
+      }
+    }
+
+    // Fall back to AGE_SECRET_KEY env var
+    if (!privateKey) {
+      privateKey = process.env.AGE_SECRET_KEY
+    }
+
+    if (!privateKey) {
+      const error =
+        'No private key specified. Use --identity <key|file|op://ref> or set AGE_SECRET_KEY environment variable.'
+      if (options.json) {
+        console.log(JSON.stringify({ success: false, error }))
+      } else {
+        console.error(`Error: ${error}`)
+      }
+      process.exit(1)
+    }
+
+    // Validate private key format
+    if (!privateKey.startsWith('AGE-SECRET-KEY-')) {
+      const error = `Invalid private key format. Expected AGE-SECRET-KEY-1..., got: ${privateKey.slice(0, 15)}...`
+      if (options.json) {
+        console.log(JSON.stringify({ success: false, error }))
+      } else {
+        console.error(`Error: ${error}`)
+      }
+      process.exit(1)
+    }
+
+    // Read encrypted file
+    const encryptedData = await fs.readFile(input)
+
+    // Decrypt
+    const decrypted = await decrypt(encryptedData, privateKey)
+
+    // Determine output
+    if (options.output) {
+      // Write to file
+      await fs.writeFile(options.output, decrypted, 'utf-8')
+
+      if (options.json) {
+        console.log(
+          JSON.stringify({
+            success: true,
+            input: path.resolve(input),
+            output: path.resolve(options.output),
+          })
+        )
+      } else {
+        console.log(`✓ Decrypted ${input} → ${options.output}`)
+      }
+    } else {
+      // Write to stdout
+      if (options.json) {
+        console.log(
+          JSON.stringify({
+            success: true,
+            input: path.resolve(input),
+            content: decrypted,
+          })
+        )
+      } else {
+        console.log(decrypted)
+      }
+    }
+  } catch (err) {
+    const error = err instanceof Error ? err.message : String(err)
+    if (options.json) {
+      console.log(JSON.stringify({ success: false, error }))
+    } else {
+      console.error(`Error: ${error}`)
+    }
+    process.exit(1)
+  }
+}

package/src/commands/auth/encrypt.ts

@@ -0,0 +1,81 @@
+import path from 'path'
+import fs from 'fs/promises'
+import { encrypt } from '../../lib/crypto'
+
+interface EncryptOptions {
+  output?: string
+  recipient?: string
+  json?: boolean
+}
+
+/**
+ * Encrypt a file with an age public key
+ * @param input - Path to input file
+ * @param options - Command options
+ */
+export async function encryptAction(
+  input: string,
+  options: EncryptOptions
+): Promise<void> {
+  try {
+    // Get recipient key from --recipient or AGE_PUBLIC_KEY env
+    const recipientKey = options.recipient || process.env.AGE_PUBLIC_KEY
+
+    if (!recipientKey) {
+      const error =
+        'No recipient key specified. Use --recipient or set AGE_PUBLIC_KEY environment variable.'
+      if (options.json) {
+        console.log(JSON.stringify({ success: false, error }))
+      } else {
+        console.error(`Error: ${error}`)
+      }
+      process.exit(1)
+    }
+
+    // Validate recipient key format (age1...)
+    if (!recipientKey.startsWith('age1')) {
+      const error = `Invalid recipient key format. Expected age1..., got: ${recipientKey.slice(0, 10)}...`
+      if (options.json) {
+        console.log(JSON.stringify({ success: false, error }))
+      } else {
+        console.error(`Error: ${error}`)
+      }
+      process.exit(1)
+    }
+
+    // Read input file
+    const data = await fs.readFile(input, 'utf-8')
+
+    // Encrypt
+    const encrypted = await encrypt(data, recipientKey)
+
+    // Determine output path
+    const outputPath = options.output || `${input}.age`
+
+    // Write encrypted data
+    await fs.writeFile(outputPath, encrypted)
+
+    // Output success
+    if (options.json) {
+      console.log(
+        JSON.stringify({
+          success: true,
+          input: path.resolve(input),
+          output: path.resolve(outputPath),
+          recipientKey: recipientKey.slice(0, 10) + '...',
+        })
+      )
+    } else {
+      console.log(`✓ Encrypted ${input} → ${outputPath}`)
+      console.log(`  Recipient: ${recipientKey.slice(0, 10)}...`)
+    }
+  } catch (err) {
+    const error = err instanceof Error ? err.message : String(err)
+    if (options.json) {
+      console.log(JSON.stringify({ success: false, error }))
+    } else {
+      console.error(`Error: ${error}`)
+    }
+    process.exit(1)
+  }
+}

package/src/commands/auth/index.ts

@@ -0,0 +1,50 @@
+import type { Command } from 'commander'
+import { decryptAction } from './decrypt'
+import { encryptAction } from './encrypt'
+import { keygen } from './keygen'
+import { statusAction } from './status'
+
+/**
+ * Register auth commands with Commander
+ */
+export function registerAuthCommands(program: Command): void {
+  const auth = program
+    .command('auth')
+    .description('Manage encrypted secrets for CLI distribution')
+
+  auth
+    .command('keygen')
+    .description('Generate age keypair for encryption')
+    .option('--output <path>', 'Write keypair to file')
+    .option('--json', 'Output as JSON')
+    .action(async (options) => {
+      await keygen(options)
+    })
+
+  auth
+    .command('encrypt')
+    .description('Encrypt a file with age public key')
+    .argument('<input>', 'Input file path')
+    .option('--output <path>', 'Output file path (default: <input>.age)')
+    .option('--recipient <key>', 'Age public key (or read from AGE_PUBLIC_KEY)')
+    .option('--json', 'Output as JSON')
+    .action(encryptAction)
+
+  auth
+    .command('decrypt')
+    .description('Decrypt a file with age private key')
+    .argument('<input>', 'Input file path (.age)')
+    .option('--output <path>', 'Output file path (default: stdout)')
+    .option(
+      '--identity <key>',
+      'Age private key, file path, or 1Password ref (op://...)'
+    )
+    .option('--json', 'Output as JSON')
+    .action(decryptAction)
+
+  auth
+    .command('status')
+    .description('Check encryption setup status')
+    .option('--json', 'Output as JSON')
+    .action(statusAction)
+}

package/src/commands/auth/keygen.ts

@@ -0,0 +1,41 @@
+import { writeFileSync } from 'fs'
+import { generateKeypair } from '../../lib/crypto'
+
+interface KeygenOptions {
+  json?: boolean
+  output?: string
+}
+
+/**
+ * Generate age keypair for encryption
+ */
+export async function keygen(options: KeygenOptions = {}) {
+  const { publicKey, privateKey } = await generateKeypair()
+
+  if (options.json) {
+    // JSON output mode
+    console.log(JSON.stringify({ publicKey, privateKey }, null, 2))
+  } else if (options.output) {
+    // Write to file
+    const content = `# Age keypair generated by skill CLI
+# Public key (share this):
+${publicKey}
+
+# Private key (KEEP SECRET):
+${privateKey}
+`
+    writeFileSync(options.output, content, 'utf-8')
+    console.log(`Keypair written to ${options.output}`)
+    console.error(
+      `\n⚠️  WARNING: Private key written to disk. Keep ${options.output} secure!`
+    )
+  } else {
+    // Normal mode: public to stdout, private to stderr with warning
+    console.log(publicKey)
+    console.error('\n⚠️  Private key (KEEP SECRET):')
+    console.error(privateKey)
+    console.error(
+      '\n⚠️  Store this private key securely. Anyone with it can decrypt your data.'
+    )
+  }
+}

package/src/commands/auth/status.ts

@@ -0,0 +1,164 @@
+import fs from 'node:fs/promises'
+import path from 'node:path'
+import { isServiceAccountConfigured } from '../../lib/onepassword.js'
+
+interface StatusOptions {
+  json?: boolean
+}
+
+interface AuthStatus {
+  envLocal: {
+    exists: boolean
+    path: string
+  }
+  envEncrypted: {
+    exists: boolean
+    path: string
+  }
+  ageSecretKey: {
+    configured: boolean
+    masked?: string
+  }
+  opServiceAccountToken: {
+    configured: boolean
+  }
+  envSource: 'local' | 'encrypted' | 'none'
+}
+
+/**
+ * Check if a file exists
+ */
+async function fileExists(filePath: string): Promise<boolean> {
+  try {
+    await fs.access(filePath)
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * Mask AGE secret key for display
+ * Shows AGE-SECRET-KEY-1XXX...XXX format
+ */
+function maskAgeKey(key: string): string {
+  if (!key.startsWith('AGE-SECRET-KEY-1')) {
+    return 'INVALID_FORMAT'
+  }
+  const prefix = key.slice(0, 19) // AGE-SECRET-KEY-1XXX
+  const suffix = key.slice(-3) // XXX
+  return `${prefix}...${suffix}`
+}
+
+/**
+ * Determine which env source would be used based on priority
+ */
+function determineEnvSource(
+  localExists: boolean,
+  encryptedExists: boolean,
+  ageKeyConfigured: boolean
+): 'local' | 'encrypted' | 'none' {
+  // Priority from env-loader.ts:
+  // 1. Local .env files
+  // 2. Encrypted .env.encrypted (if AGE_SECRET_KEY is set)
+  // 3. None
+
+  if (localExists) {
+    return 'local'
+  }
+
+  if (encryptedExists && ageKeyConfigured) {
+    return 'encrypted'
+  }
+
+  return 'none'
+}
+
+/**
+ * Check auth configuration status
+ */
+export async function statusAction(options: StatusOptions): Promise<void> {
+  const cliDir = path.resolve(import.meta.dirname, '../../..')
+
+  // Check .env.local
+  const envLocalPath = path.join(cliDir, '.env.local')
+  const envLocalExists = await fileExists(envLocalPath)
+
+  // Check .env.encrypted
+  const envEncryptedPath = path.join(cliDir, '.env.encrypted')
+  const envEncryptedExists = await fileExists(envEncryptedPath)
+
+  // Check AGE_SECRET_KEY
+  const ageSecretKey = process.env.AGE_SECRET_KEY
+  const ageKeyConfigured = Boolean(ageSecretKey)
+
+  // Check OP_SERVICE_ACCOUNT_TOKEN
+  const opConfigured = isServiceAccountConfigured()
+
+  // Determine env source
+  const envSource = determineEnvSource(
+    envLocalExists,
+    envEncryptedExists,
+    ageKeyConfigured
+  )
+
+  const status: AuthStatus = {
+    envLocal: {
+      exists: envLocalExists,
+      path: envLocalPath,
+    },
+    envEncrypted: {
+      exists: envEncryptedExists,
+      path: envEncryptedPath,
+    },
+    ageSecretKey: {
+      configured: ageKeyConfigured,
+      masked:
+        ageKeyConfigured && ageSecretKey ? maskAgeKey(ageSecretKey) : undefined,
+    },
+    opServiceAccountToken: {
+      configured: opConfigured,
+    },
+    envSource,
+  }
+
+  if (options.json) {
+    console.log(JSON.stringify(status, null, 2))
+    return
+  }
+
+  // Human-readable output
+  console.log('Auth Configuration Status\n')
+
+  console.log('Environment Files:')
+  console.log(
+    `  .env.local:     ${envLocalExists ? '✓' : '✗'} ${envLocalExists ? '(exists)' : '(not found)'}`
+  )
+  console.log(`    Path: ${envLocalPath}`)
+  console.log(
+    `  .env.encrypted: ${envEncryptedExists ? '✓' : '✗'} ${envEncryptedExists ? '(exists)' : '(not found)'}`
+  )
+  console.log(`    Path: ${envEncryptedPath}`)
+
+  console.log('\nEnvironment Variables:')
+  console.log(
+    `  AGE_SECRET_KEY:           ${ageKeyConfigured ? '✓' : '✗'} ${ageKeyConfigured ? `(${status.ageSecretKey.masked})` : '(not set)'}`
+  )
+  console.log(
+    `  OP_SERVICE_ACCOUNT_TOKEN: ${opConfigured ? '✓' : '✗'} ${opConfigured ? '(configured)' : '(not set)'}`
+  )
+
+  console.log('\nEnv Source Priority:')
+  if (envSource === 'local') {
+    console.log('  → Using local .env.local file')
+  } else if (envSource === 'encrypted') {
+    console.log('  → Using encrypted .env.encrypted file')
+  } else {
+    console.log('  → No env source available')
+    console.log('\n⚠ No environment configuration found.')
+    console.log('\nOptions:')
+    console.log('  1. Create .env.local with your secrets')
+    console.log('  2. Use encrypted .env.encrypted (requires AGE_SECRET_KEY)')
+    console.log('\nSee docs/ENV.md for setup instructions.')
+  }
+}