@vellumai/assistant 0.4.35 → 0.4.37

package/src/security/keychain-to-encrypted-migration.ts

@@ -1,66 +0,0 @@
-/**
- * One-time migration: copies existing macOS keychain items into the
- * encrypted file store so the daemon can stop using the keychain CLI.
- * Runs once on first startup after the change, then skips via a marker key.
- */
-
-import { API_KEY_PROVIDERS } from "../config/loader.js";
-import { getLogger } from "../util/logger.js";
-import { isMacOS } from "../util/platform.js";
-import * as encryptedStore from "./encrypted-store.js";
-import * as keychain from "./keychain.js";
-
-const log = getLogger("keychain-migration");
-const MIGRATION_MARKER = "keychain-to-encrypted-migrated";
-
-/** Known credential keys that the daemon may have stored in the keychain. */
-const CREDENTIAL_KEYS = [
-  "credential:twilio:account_sid",
-  "credential:twilio:auth_token",
-  "credential:twilio:phone_number",
-  "credential:twilio:user_phone_number",
-  "credential:telegram:bot_token",
-  "credential:telegram:webhook_secret",
-  "credential:elevenlabs:api_key",
-  "credential:integration:gmail:access_token",
-  "credential:integration:gmail:refresh_token",
-  "credential:integration:twitter:access_token",
-  "credential:integration:twitter:refresh_token",
-  "credential:integration:slack:access_token",
-  "credential:integration:slack:refresh_token",
-];
-
-export function migrateKeychainToEncrypted(): void {
-  if (!isMacOS()) return;
-  if (encryptedStore.getKey(MIGRATION_MARKER) === "true") return;
-
-  let migrated = 0;
-  let hadErrors = false;
-  const allKeys = [...API_KEY_PROVIDERS, ...CREDENTIAL_KEYS];
-
-  for (const account of allKeys) {
-    try {
-      const value = keychain.getKey(account);
-      if (value != null && !encryptedStore.getKey(account)) {
-        encryptedStore.setKey(account, value);
-        migrated++;
-      }
-    } catch {
-      hadErrors = true;
-      log.warn({ account }, "Keychain read failed during migration");
-    }
-  }
-
-  if (hadErrors) {
-    log.warn("Skipping migration marker — will retry on next startup");
-    return;
-  }
-
-  encryptedStore.setKey(MIGRATION_MARKER, "true");
-  if (migrated > 0) {
-    log.info(
-      { count: migrated },
-      "Migrated keys from keychain to encrypted store",
-    );
-  }
-}

package/src/security/keychain.ts

@@ -1,490 +0,0 @@
-/**
- * OS keychain abstraction — platform-agnostic secure credential storage.
- *
- * - macOS: uses the `security` CLI to interact with Keychain
- * - Linux: uses `secret-tool` (libsecret) for GNOME/KDE keyrings
- *
- * Sync variants (getKey, setKey, deleteKey) match the config loader's sync API.
- * Async variants (getKeyAsync, setKeyAsync, deleteKeyAsync) avoid blocking
- * the event loop and should be preferred for non-startup code paths.
- *
- * Callers should check `isKeychainAvailable()` before use and fall back
- * to encrypted-at-rest storage when the keychain is not accessible.
- */
-
-import { execFile, execFileSync } from "node:child_process";
-import { promisify } from "node:util";
-
-import { getLogger } from "../util/logger.js";
-import { isLinux, isMacOS } from "../util/platform.js";
-
-const log = getLogger("keychain");
-const execFileAsync = promisify(execFile);
-
-const SERVICE_NAME = "vellum-assistant";
-
-// ---------------------------------------------------------------------------
-// Injectable deps — avoids process-global mock.module for testing
-// ---------------------------------------------------------------------------
-
-const deps = {
-  execFileSync: execFileSync as typeof execFileSync,
-  isMacOS,
-  isLinux,
-};
-
-/** @internal test-only — override deps to avoid mock.module conflicts */
-export function _overrideDeps(overrides: Partial<typeof deps>): void {
-  Object.assign(deps, overrides);
-}
-
-/** @internal test-only — restore original deps */
-export function _resetDeps(): void {
-  deps.execFileSync = execFileSync;
-  deps.isMacOS = isMacOS;
-  deps.isLinux = isLinux;
-}
-
-/** Check if the OS keychain is available on this system. */
-export function isKeychainAvailable(): boolean {
-  try {
-    if (deps.isMacOS()) {
-      // Verify `security` CLI exists and can list keychains
-      deps.execFileSync("security", ["list-keychains"], {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 5000,
-      });
-      return true;
-    }
-
-    if (deps.isLinux()) {
-      // Verify `secret-tool` exists
-      deps.execFileSync("which", ["secret-tool"], {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 5000,
-      });
-      return true;
-    }
-
-    return false;
-  } catch {
-    return false;
-  }
-}
-
-/** Async version of `isKeychainAvailable` — probes without blocking the event loop. */
-export async function isKeychainAvailableAsync(): Promise<boolean> {
-  try {
-    if (deps.isMacOS()) {
-      await execFileAsync("security", ["list-keychains"], {
-        timeout: 5000,
-      });
-      return true;
-    }
-
-    if (deps.isLinux()) {
-      await execFileAsync("which", ["secret-tool"], {
-        timeout: 5000,
-      });
-      return true;
-    }
-
-    return false;
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Retrieve a secret from the OS keychain.
- * Returns `null` if the key doesn't exist.
- * Throws on runtime errors (keychain unavailable, locked, etc.).
- */
-export function getKey(account: string): string | null {
-  if (deps.isMacOS()) {
-    return macosGetKey(account);
-  }
-  if (deps.isLinux()) {
-    return linuxGetKey(account);
-  }
-  return null;
-}
-
-/**
- * Store a secret in the OS keychain.
- * Returns true on success, false on failure.
- */
-export function setKey(account: string, value: string): boolean {
-  try {
-    if (deps.isMacOS()) {
-      return macosSetKey(account, value);
-    }
-    if (deps.isLinux()) {
-      return linuxSetKey(account, value);
-    }
-    return false;
-  } catch (err) {
-    log.warn({ err, account }, "Failed to write to keychain");
-    return false;
-  }
-}
-
-/**
- * Delete a secret from the OS keychain.
- * Returns true on success, false if not found or on failure.
- */
-export function deleteKey(account: string): boolean {
-  try {
-    if (deps.isMacOS()) {
-      return macosDeleteKey(account);
-    }
-    if (deps.isLinux()) {
-      return linuxDeleteKey(account);
-    }
-    return false;
-  } catch (err) {
-    log.debug({ err, account }, "Failed to delete from keychain");
-    return false;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// macOS Keychain via `security` CLI
-// ---------------------------------------------------------------------------
-
-function macosGetKey(account: string): string | null {
-  try {
-    const result = deps.execFileSync(
-      "security",
-      [
-        "find-generic-password",
-        "-s",
-        SERVICE_NAME,
-        "-a",
-        account,
-        "-w", // output password only
-      ],
-      {
-        stdio: ["ignore", "pipe", "ignore"],
-        timeout: 5000,
-        encoding: "utf-8",
-      },
-    );
-    // Strip only the trailing newline added by the security CLI
-    return result.replace(/\n$/, "") || null;
-  } catch (err: unknown) {
-    // Exit code 44 = item not found — return null.
-    // All other errors are runtime failures — re-throw.
-    if (
-      err &&
-      typeof err === "object" &&
-      "status" in err &&
-      (err as { status: number }).status === 44
-    ) {
-      return null;
-    }
-    throw err;
-  }
-}
-
-function macosSetKey(account: string, value: string): boolean {
-  // -U flag handles update-if-exists, no need to delete first.
-  // macOS `security` requires the password as the argument to -w;
-  // it does NOT read from stdin. Using `-w` without a value causes
-  // the next flag to be consumed as the password.
-  try {
-    deps.execFileSync(
-      "security",
-      [
-        "add-generic-password",
-        "-s",
-        SERVICE_NAME,
-        "-a",
-        account,
-        "-w",
-        value,
-        "-U", // update if exists
-      ],
-      {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 5000,
-      },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function macosDeleteKey(account: string): boolean {
-  try {
-    deps.execFileSync(
-      "security",
-      ["delete-generic-password", "-s", SERVICE_NAME, "-a", account],
-      {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 5000,
-      },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Linux via `secret-tool` (libsecret)
-// ---------------------------------------------------------------------------
-
-function linuxGetKey(account: string): string | null {
-  try {
-    const result = deps.execFileSync(
-      "secret-tool",
-      ["lookup", "service", SERVICE_NAME, "account", account],
-      {
-        stdio: ["ignore", "pipe", "pipe"],
-        timeout: 5000,
-        encoding: "utf-8",
-      },
-    );
-    // Strip only the trailing newline added by secret-tool
-    return result.replace(/\n$/, "") || null;
-  } catch (err: unknown) {
-    // secret-tool exits with code 1 for BOTH "not found" and runtime errors
-    // (D-Bus failures, keyring locked, etc.). Distinguish by checking stderr:
-    // empty stderr → key not found; non-empty stderr → runtime error.
-    if (
-      err &&
-      typeof err === "object" &&
-      "status" in err &&
-      (err as { status: number }).status === 1
-    ) {
-      const stderr = String((err as { stderr?: unknown }).stderr ?? "").trim();
-      if (stderr.length > 0) {
-        throw err;
-      }
-      return null;
-    }
-    throw err;
-  }
-}
-
-function linuxSetKey(account: string, value: string): boolean {
-  try {
-    deps.execFileSync(
-      "secret-tool",
-      [
-        "store",
-        "--label",
-        `${SERVICE_NAME}: ${account}`,
-        "service",
-        SERVICE_NAME,
-        "account",
-        account,
-      ],
-      {
-        input: value,
-        stdio: ["pipe", "ignore", "ignore"],
-        timeout: 5000,
-      },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function linuxDeleteKey(account: string): boolean {
-  try {
-    deps.execFileSync(
-      "secret-tool",
-      ["clear", "service", SERVICE_NAME, "account", account],
-      {
-        stdio: ["ignore", "ignore", "ignore"],
-        timeout: 5000,
-      },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Async variants — non-blocking alternatives to the sync functions above.
-// Preferred for non-startup code paths to avoid blocking the event loop.
-// ---------------------------------------------------------------------------
-
-/**
- * Async version of `getKey` — retrieve a secret without blocking the event loop.
- * Returns `null` if the key doesn't exist.
- * Throws on runtime errors (keychain unavailable, locked, etc.).
- */
-export async function getKeyAsync(account: string): Promise<string | null> {
-  if (deps.isMacOS()) return macosGetKeyAsync(account);
-  if (deps.isLinux()) return linuxGetKeyAsync(account);
-  return null;
-}
-
-/**
- * Async version of `setKey` — store a secret without blocking the event loop.
- * Returns true on success, false on failure.
- */
-export async function setKeyAsync(
-  account: string,
-  value: string,
-): Promise<boolean> {
-  try {
-    if (deps.isMacOS()) return await macosSetKeyAsync(account, value);
-    if (deps.isLinux()) return await linuxSetKeyAsync(account, value);
-    return false;
-  } catch (err) {
-    log.warn({ err, account }, "Failed to write to keychain");
-    return false;
-  }
-}
-
-/**
- * Async version of `deleteKey` — delete a secret without blocking the event loop.
- * Returns true on success, false if not found or on failure.
- */
-export async function deleteKeyAsync(account: string): Promise<boolean> {
-  try {
-    if (deps.isMacOS()) return await macosDeleteKeyAsync(account);
-    if (deps.isLinux()) return await linuxDeleteKeyAsync(account);
-    return false;
-  } catch (err) {
-    log.debug({ err, account }, "Failed to delete from keychain");
-    return false;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Async macOS Keychain
-// ---------------------------------------------------------------------------
-
-async function macosGetKeyAsync(account: string): Promise<string | null> {
-  try {
-    const { stdout } = await execFileAsync(
-      "security",
-      ["find-generic-password", "-s", SERVICE_NAME, "-a", account, "-w"],
-      { timeout: 5000 },
-    );
-    return stdout.replace(/\n$/, "") || null;
-  } catch (err: unknown) {
-    // Exit code 44 = item not found — return null.
-    if (
-      err &&
-      typeof err === "object" &&
-      "code" in err &&
-      (err as { code: number }).code === 44
-    ) {
-      return null;
-    }
-    throw err;
-  }
-}
-
-async function macosSetKeyAsync(
-  account: string,
-  value: string,
-): Promise<boolean> {
-  try {
-    await execFileAsync(
-      "security",
-      [
-        "add-generic-password",
-        "-s",
-        SERVICE_NAME,
-        "-a",
-        account,
-        "-w",
-        value,
-        "-U",
-      ],
-      { timeout: 5000 },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-async function macosDeleteKeyAsync(account: string): Promise<boolean> {
-  try {
-    await execFileAsync(
-      "security",
-      ["delete-generic-password", "-s", SERVICE_NAME, "-a", account],
-      { timeout: 5000 },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-// ---------------------------------------------------------------------------
-// Async Linux via `secret-tool`
-// ---------------------------------------------------------------------------
-
-async function linuxGetKeyAsync(account: string): Promise<string | null> {
-  try {
-    const { stdout } = await execFileAsync(
-      "secret-tool",
-      ["lookup", "service", SERVICE_NAME, "account", account],
-      { timeout: 5000 },
-    );
-    return stdout.replace(/\n$/, "") || null;
-  } catch (err: unknown) {
-    if (
-      err &&
-      typeof err === "object" &&
-      "code" in err &&
-      (err as { code: number }).code === 1
-    ) {
-      const stderr = String((err as { stderr?: unknown }).stderr ?? "").trim();
-      if (stderr.length > 0) throw err;
-      return null;
-    }
-    throw err;
-  }
-}
-
-async function linuxSetKeyAsync(
-  account: string,
-  value: string,
-): Promise<boolean> {
-  // secret-tool reads the secret from stdin
-  return new Promise<boolean>((resolve) => {
-    const child = execFile(
-      "secret-tool",
-      [
-        "store",
-        "--label",
-        `${SERVICE_NAME}: ${account}`,
-        "service",
-        SERVICE_NAME,
-        "account",
-        account,
-      ],
-      { timeout: 5000 },
-      (err) => {
-        resolve(!err);
-      },
-    );
-    child.stdin?.end(value);
-  });
-}
-
-async function linuxDeleteKeyAsync(account: string): Promise<boolean> {
-  try {
-    await execFileAsync(
-      "secret-tool",
-      ["clear", "service", SERVICE_NAME, "account", account],
-      { timeout: 5000 },
-    );
-    return true;
-  } catch {
-    return false;
-  }
-}