@uagents/syncenv-cli 0.1.1

package/dist/chunk-JBMZAAVP.js

@@ -0,0 +1,176 @@
+import {
+  deleteConfig,
+  getConfig,
+  setConfig
+} from "./chunk-OVEYHV4C.js";
+
+// src/secure-storage.ts
+var SERVICE_NAME = "syncenv-cli";
+var ACCOUNT_KEK_PASSWORD = "kek-password";
+var keytarModule = null;
+async function getKeytar() {
+  if (keytarModule) return keytarModule;
+  try {
+    keytarModule = await import("keytar");
+    return keytarModule;
+  } catch {
+    return null;
+  }
+}
+async function saveKEKPassword(password) {
+  const keytar = await getKeytar();
+  if (!keytar) {
+    console.warn("Warning: Secure storage not available, using config file");
+    setConfig("kekPassword", password);
+    return;
+  }
+  try {
+    await keytar.setPassword(SERVICE_NAME, ACCOUNT_KEK_PASSWORD, password);
+  } catch {
+    setConfig("kekPassword", password);
+  }
+}
+async function getKEKPassword() {
+  const keytar = await getKeytar();
+  if (!keytar) {
+    return getConfig("kekPassword") || null;
+  }
+  try {
+    return await keytar.getPassword(SERVICE_NAME, ACCOUNT_KEK_PASSWORD);
+  } catch {
+    return getConfig("kekPassword") || null;
+  }
+}
+async function deleteKEKPassword() {
+  const keytar = await getKeytar();
+  if (!keytar) return;
+  try {
+    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_KEK_PASSWORD);
+  } catch {
+  }
+  deleteConfig("kekPassword");
+}
+function saveEncryptedKEK(keys) {
+  setConfig("encryptedUserKek", keys.encryptedUserKek);
+  setConfig("kekIv", keys.kekIv);
+  setConfig("kekSalt", keys.kekSalt);
+  if (keys.version) {
+    setConfig("kekVersion", keys.version);
+  }
+}
+function getEncryptedKEK() {
+  const encryptedUserKek = getConfig("encryptedUserKek");
+  const kekIv = getConfig("kekIv");
+  const kekSalt = getConfig("kekSalt");
+  if (!encryptedUserKek || !kekIv || !kekSalt) {
+    return null;
+  }
+  return {
+    encryptedUserKek,
+    kekIv,
+    kekSalt,
+    version: getConfig("kekVersion") || 1
+  };
+}
+function deleteEncryptedKEK() {
+  deleteConfig("encryptedUserKek");
+  deleteConfig("kekIv");
+  deleteConfig("kekSalt");
+  deleteConfig("kekVersion");
+}
+var memoryKEK = null;
+var kekExpiry = 0;
+var KEK_TTL = 30 * 60 * 1e3;
+function cacheKEKInMemory(kek) {
+  memoryKEK = kek;
+  kekExpiry = Date.now() + KEK_TTL;
+}
+function getCachedKEK() {
+  if (memoryKEK && Date.now() < kekExpiry) {
+    return memoryKEK;
+  }
+  memoryKEK = null;
+  return null;
+}
+function clearCachedKEK() {
+  memoryKEK = null;
+  kekExpiry = 0;
+}
+function isKEKCached() {
+  return !!memoryKEK && Date.now() < kekExpiry;
+}
+function getKEKTimeRemaining() {
+  if (!memoryKEK) return 0;
+  return Math.max(0, kekExpiry - Date.now());
+}
+async function getUserKEK() {
+  const cached = getCachedKEK();
+  if (cached) return cached;
+  const password = await getKEKPassword();
+  const encryptedKeys = getEncryptedKEK();
+  if (password && encryptedKeys) {
+    try {
+      const { unlockUserKEK } = await import("./crypto-X7MZU7DV.js");
+      const kek = await unlockUserKEK(
+        password,
+        encryptedKeys.encryptedUserKek,
+        encryptedKeys.kekIv,
+        encryptedKeys.kekSalt
+      );
+      if (kek) {
+        cacheKEKInMemory(kek);
+        return kek;
+      }
+    } catch {
+      await deleteKEKPassword();
+    }
+  }
+  return null;
+}
+async function unlockAndStoreKEK(password, userKeys, remember = false) {
+  const { unlockUserKEK } = await import("./crypto-X7MZU7DV.js");
+  const kek = await unlockUserKEK(
+    password,
+    userKeys.encryptedUserKek,
+    userKeys.kekIv,
+    userKeys.kekSalt
+  );
+  if (!kek) {
+    throw new Error("Invalid password");
+  }
+  cacheKEKInMemory(kek);
+  saveEncryptedKEK(userKeys);
+  if (remember) {
+    await saveKEKPassword(password);
+  }
+  return kek;
+}
+async function lockKEK(removePassword = false) {
+  clearCachedKEK();
+  if (removePassword) {
+    await deleteKEKPassword();
+  }
+}
+async function canAutoUnlock() {
+  const password = await getKEKPassword();
+  const encryptedKeys = getEncryptedKEK();
+  return !!password && !!encryptedKeys;
+}
+
+export {
+  saveKEKPassword,
+  getKEKPassword,
+  deleteKEKPassword,
+  saveEncryptedKEK,
+  getEncryptedKEK,
+  deleteEncryptedKEK,
+  cacheKEKInMemory,
+  getCachedKEK,
+  clearCachedKEK,
+  isKEKCached,
+  getKEKTimeRemaining,
+  getUserKEK,
+  unlockAndStoreKEK,
+  lockKEK,
+  canAutoUnlock
+};

package/dist/chunk-NV6H5OGL.js

@@ -0,0 +1,218 @@
+// src/crypto/index.ts
+import crypto from "crypto";
+import { promisify } from "util";
+var scrypt = promisify(crypto.scrypt);
+var KEY_LENGTH = 32;
+var SALT_LENGTH = 16;
+var IV_LENGTH = 12;
+var ALGORITHM = "aes-256-gcm";
+var PBKDF2_ITERATIONS = 1e5;
+function base64ToBuffer(base64) {
+  return Buffer.from(base64, "base64");
+}
+function bufferToBase64(buffer) {
+  return buffer.toString("base64");
+}
+async function deriveKEK(password, salt) {
+  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LENGTH, "sha256");
+}
+function generateUserKEK() {
+  return crypto.randomBytes(KEY_LENGTH);
+}
+function exportKEK(key) {
+  return bufferToBase64(key);
+}
+function importKEK(data) {
+  return base64ToBuffer(data);
+}
+function encryptUserKEK(userKek, passwordKek) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, passwordKek, iv);
+  const encrypted = Buffer.concat([cipher.update(userKek), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, tag]);
+  return {
+    encrypted: bufferToBase64(combined),
+    iv: bufferToBase64(iv)
+  };
+}
+function decryptUserKEK(encryptedBase64, ivBase64, passwordKek) {
+  const combined = base64ToBuffer(encryptedBase64);
+  const iv = base64ToBuffer(ivBase64);
+  const tag = combined.slice(-16);
+  const encrypted = combined.slice(0, -16);
+  const decipher = crypto.createDecipheriv(ALGORITHM, passwordKek, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+}
+function generateDEK() {
+  return crypto.randomBytes(KEY_LENGTH);
+}
+function exportDEK(key) {
+  return bufferToBase64(key);
+}
+function importDEK(data) {
+  return base64ToBuffer(data);
+}
+function encryptDEK(dek, userKek) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, userKek, iv);
+  const encrypted = Buffer.concat([cipher.update(dek), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, tag]);
+  return {
+    encrypted: bufferToBase64(combined),
+    iv: bufferToBase64(iv)
+  };
+}
+function decryptDEK(encryptedBase64, ivBase64, userKek) {
+  const combined = base64ToBuffer(encryptedBase64);
+  const iv = base64ToBuffer(ivBase64);
+  const tag = combined.slice(-16);
+  const encrypted = combined.slice(0, -16);
+  const decipher = crypto.createDecipheriv(ALGORITHM, userKek, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+}
+function encryptContent(content, dek) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, dek, iv);
+  const encrypted = Buffer.concat([cipher.update(content, "utf-8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, tag]);
+  return {
+    encrypted: bufferToBase64(combined),
+    iv: bufferToBase64(iv)
+  };
+}
+function decryptContent(encryptedBase64, ivBase64, dek) {
+  const combined = base64ToBuffer(encryptedBase64);
+  const iv = base64ToBuffer(ivBase64);
+  const tag = combined.slice(-16);
+  const encrypted = combined.slice(0, -16);
+  const decipher = crypto.createDecipheriv(ALGORITHM, dek, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf-8");
+}
+function generateContentHash(content) {
+  return crypto.createHash("sha256").update(content, "utf-8").digest("hex");
+}
+async function setupUserKEK(password) {
+  const salt = crypto.randomBytes(SALT_LENGTH);
+  const kekSalt = bufferToBase64(salt);
+  const passwordKek = await deriveKEK(password, salt);
+  const userKek = generateUserKEK();
+  const { encrypted, iv } = encryptUserKEK(userKek, passwordKek);
+  return {
+    userKek,
+    encryptedUserKek: encrypted,
+    kekIv: iv,
+    kekSalt
+  };
+}
+async function unlockUserKEK(password, encryptedUserKek, kekIv, kekSalt) {
+  try {
+    const salt = base64ToBuffer(kekSalt);
+    const passwordKek = await deriveKEK(password, salt);
+    const userKek = decryptUserKEK(encryptedUserKek, kekIv, passwordKek);
+    return userKek;
+  } catch (err) {
+    console.error("Failed to unlock User KEK:", err);
+    return null;
+  }
+}
+async function reencryptUserKEK(userKek, newPassword) {
+  const salt = crypto.randomBytes(SALT_LENGTH);
+  const kekSalt = bufferToBase64(salt);
+  const newPasswordKek = await deriveKEK(newPassword, salt);
+  const { encrypted, iv } = encryptUserKEK(userKek, newPasswordKek);
+  return {
+    encryptedUserKek: encrypted,
+    kekIv: iv,
+    kekSalt
+  };
+}
+function generateSalt() {
+  return crypto.randomBytes(SALT_LENGTH);
+}
+async function deriveKeys(masterPassword, salt) {
+  const fullKey = await scrypt(masterPassword, salt, 64);
+  return {
+    kek: fullKey.slice(0, 32),
+    authKey: fullKey.slice(32, 64)
+  };
+}
+function generateDek() {
+  return generateDEK();
+}
+function encryptDek(dek, kek) {
+  const result = encryptDEK(dek, kek);
+  const combined = base64ToBuffer(result.encrypted);
+  const tag = combined.slice(-16);
+  const ciphertext = combined.slice(0, -16);
+  return {
+    ciphertext: bufferToBase64(ciphertext),
+    iv: result.iv,
+    tag: bufferToBase64(tag)
+  };
+}
+function decryptDek(encryptedDek, kek) {
+  const ciphertext = base64ToBuffer(encryptedDek.ciphertext);
+  const tag = base64ToBuffer(encryptedDek.tag);
+  const combined = bufferToBase64(Buffer.concat([ciphertext, tag]));
+  return decryptDEK(combined, encryptedDek.iv, kek);
+}
+function encryptEnvFile(content, dek) {
+  const data = typeof content === "string" ? content : content.toString("utf-8");
+  const contentHash = generateContentHash(data);
+  const encrypted = encryptContent(data, dek);
+  const combined = base64ToBuffer(encrypted.encrypted);
+  const tag = combined.slice(-16);
+  const ciphertext = combined.slice(0, -16);
+  return {
+    ciphertext: bufferToBase64(ciphertext),
+    iv: encrypted.iv,
+    tag: bufferToBase64(tag),
+    contentHash
+  };
+}
+function decryptEnvFile(encryptedData, dek) {
+  const ciphertext = base64ToBuffer(encryptedData.ciphertext);
+  const tag = base64ToBuffer(encryptedData.tag);
+  const combined = bufferToBase64(Buffer.concat([ciphertext, tag]));
+  return decryptContent(combined, encryptedData.iv, dek);
+}
+function hashContent(content) {
+  const data = typeof content === "string" ? content : content.toString("utf-8");
+  return generateContentHash(data);
+}
+
+export {
+  base64ToBuffer,
+  bufferToBase64,
+  deriveKEK,
+  generateUserKEK,
+  exportKEK,
+  importKEK,
+  encryptUserKEK,
+  decryptUserKEK,
+  generateDEK,
+  exportDEK,
+  importDEK,
+  encryptDEK,
+  decryptDEK,
+  encryptContent,
+  decryptContent,
+  generateContentHash,
+  setupUserKEK,
+  unlockUserKEK,
+  reencryptUserKEK,
+  generateSalt,
+  deriveKeys,
+  generateDek,
+  encryptDek,
+  decryptDek,
+  encryptEnvFile,
+  decryptEnvFile,
+  hashContent
+};