assistme 0.3.0 → 0.3.2

package/src/credentials/credential-store.test.ts

@@ -0,0 +1,162 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, rmSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import { CredentialStore } from "./credential-store.js";
+import { resetLocalStore } from "./local-store.js";
+
+describe("CredentialStore", () => {
+  let tempDir: string;
+  let store: CredentialStore;
+
+  beforeEach(() => {
+    resetLocalStore();
+    tempDir = mkdtempSync(join(tmpdir(), "cred-test-"));
+    store = new CredentialStore(tempDir);
+  });
+
+  afterEach(() => {
+    resetLocalStore();
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe("save and get", () => {
+    it("saves and retrieves a credential by ID", () => {
+      const meta = store.save("test-key", "api_key", { api_key: "sk-abc123" });
+      expect(meta.name).toBe("test-key");
+      expect(meta.type).toBe("api_key");
+      expect(meta.id).toBeTruthy();
+
+      const cred = store.get(meta.id);
+      expect(cred).not.toBeNull();
+      expect(cred!.data.api_key).toBe("sk-abc123");
+    });
+
+    it("retrieves a credential by name", () => {
+      store.save("my-login", "login", { username: "user", password: "pass" });
+
+      const cred = store.getByName("my-login");
+      expect(cred).not.toBeNull();
+      expect(cred!.data.username).toBe("user");
+      expect(cred!.data.password).toBe("pass");
+    });
+
+    it("updates existing credential if name matches", () => {
+      store.save("my-key", "api_key", { api_key: "old" });
+      store.save("my-key", "api_key", { api_key: "new" });
+
+      const all = store.list();
+      expect(all).toHaveLength(1);
+
+      const cred = store.getByName("my-key");
+      expect(cred!.data.api_key).toBe("new");
+    });
+
+    it("stores with optional skill and tags", () => {
+      const meta = store.save("cred", "secret", { token: "abc" }, {
+        skillName: "my-skill",
+        tags: ["tag1", "tag2"],
+      });
+
+      expect(meta.skillName).toBe("my-skill");
+      expect(meta.tags).toEqual(["tag1", "tag2"]);
+    });
+  });
+
+  describe("update", () => {
+    it("merges data with existing credential", () => {
+      const meta = store.save("test", "custom", { a: "1", b: "2" });
+      store.update(meta.id, { b: "updated", c: "3" });
+
+      const cred = store.get(meta.id);
+      expect(cred!.data).toEqual({ a: "1", b: "updated", c: "3" });
+    });
+
+    it("returns null for non-existent ID", () => {
+      expect(store.update("nonexistent", { key: "val" })).toBeNull();
+    });
+  });
+
+  describe("remove", () => {
+    it("removes a credential by ID", () => {
+      const meta = store.save("to-remove", "secret", { key: "val" });
+      expect(store.remove(meta.id)).toBe(true);
+      expect(store.get(meta.id)).toBeNull();
+      expect(store.list()).toHaveLength(0);
+    });
+
+    it("removes a credential by name", () => {
+      store.save("by-name", "api_key", { key: "val" });
+      expect(store.removeByName("by-name")).toBe(true);
+      expect(store.getByName("by-name")).toBeNull();
+    });
+
+    it("returns false for non-existent credential", () => {
+      expect(store.remove("nonexistent")).toBe(false);
+      expect(store.removeByName("nonexistent")).toBe(false);
+    });
+  });
+
+  describe("query", () => {
+    beforeEach(() => {
+      store.save("amazon-login", "login", { user: "a" }, { skillName: "price-check", tags: ["amazon", "shopping"] });
+      store.save("openai-key", "api_key", { key: "b" }, { skillName: "ai-tools", tags: ["ai"] });
+      store.save("github-token", "oauth_token", { token: "c" }, { skillName: "price-check", tags: ["github"] });
+    });
+
+    it("lists all credentials", () => {
+      expect(store.list()).toHaveLength(3);
+    });
+
+    it("finds by skill", () => {
+      const results = store.findBySkill("price-check");
+      expect(results).toHaveLength(2);
+      expect(results.map((m) => m.name).sort()).toEqual(["amazon-login", "github-token"]);
+    });
+
+    it("finds by tag", () => {
+      const results = store.findByTag("amazon");
+      expect(results).toHaveLength(1);
+      expect(results[0].name).toBe("amazon-login");
+    });
+
+    it("finds by type", () => {
+      const results = store.findByType("login");
+      expect(results).toHaveLength(1);
+      expect(results[0].name).toBe("amazon-login");
+    });
+  });
+
+  describe("bulk operations", () => {
+    it("removes all credentials for a skill", () => {
+      store.save("a", "secret", { x: "1" }, { skillName: "s1" });
+      store.save("b", "secret", { x: "2" }, { skillName: "s1" });
+      store.save("c", "secret", { x: "3" }, { skillName: "s2" });
+
+      const removed = store.removeBySkill("s1");
+      expect(removed).toBe(2);
+      expect(store.list()).toHaveLength(1);
+      expect(store.list()[0].name).toBe("c");
+    });
+
+    it("clears all credentials", () => {
+      store.save("a", "secret", { x: "1" });
+      store.save("b", "secret", { x: "2" });
+
+      store.clear();
+      expect(store.list()).toHaveLength(0);
+    });
+  });
+
+  describe("persistence", () => {
+    it("survives store recreation", () => {
+      store.save("persist-test", "api_key", { key: "persistent-value" });
+
+      // Create new store instance with same DB path (same SQLite file)
+      const store2 = new CredentialStore(tempDir);
+      const cred = store2.getByName("persist-test");
+      expect(cred).not.toBeNull();
+      expect(cred!.data.key).toBe("persistent-value");
+    });
+  });
+});

package/src/credentials/credential-store.ts

@@ -0,0 +1,266 @@
+import { randomUUID } from "crypto";
+import { dirname } from "path";
+import { deriveKey, encrypt, decrypt } from "./encryption.js";
+import { getLocalStore, type LocalStore } from "./local-store.js";
+import { log } from "../utils/logger.js";
+
+// ── Types ───────────────────────────────────────────────────────────
+
+export type CredentialType = "api_key" | "oauth_token" | "login" | "secret" | "custom";
+
+/** Metadata — contains NO secret data. */
+export interface CredentialMeta {
+  id: string;
+  name: string;
+  type: CredentialType;
+  skillName?: string;
+  tags: string[];
+  createdAt: string;
+  updatedAt: string;
+}
+
+/** The actual credential payload (key-value pairs). */
+export type CredentialData = Record<string, string>;
+
+/** Full credential = metadata + secret data. */
+export interface Credential {
+  meta: CredentialMeta;
+  data: CredentialData;
+}
+
+// ── Row shape from SQLite ───────────────────────────────────────────
+
+interface CredentialRow {
+  id: string;
+  name: string;
+  type: string;
+  skill_name: string | null;
+  tags: string;
+  encrypted_data: string;
+  created_at: string;
+  updated_at: string;
+}
+
+// ── Store Implementation ────────────────────────────────────────────
+
+export class CredentialStore {
+  private store: LocalStore;
+  private encryptionKey: Buffer;
+
+  constructor(dbPath?: string) {
+    this.store = getLocalStore(dbPath);
+    this.encryptionKey = deriveKey(dirname(this.store.dbPath));
+  }
+
+  // ── CRUD ────────────────────────────────────────────────────────
+
+  save(
+    name: string,
+    type: CredentialType,
+    data: CredentialData,
+    opts?: { skillName?: string; tags?: string[] },
+  ): CredentialMeta {
+    const db = this.store.getDb();
+    const now = new Date().toISOString();
+    const encryptedData = this.encryptData(data);
+    const tags = JSON.stringify(opts?.tags || []);
+
+    // Upsert: insert or update on name conflict
+    const existing = db.prepare("SELECT id FROM credentials WHERE name = ?").get(name) as { id: string } | undefined;
+
+    if (existing) {
+      db.prepare(`
+        UPDATE credentials
+        SET type = ?, skill_name = ?, tags = ?, encrypted_data = ?, updated_at = ?
+        WHERE id = ?
+      `).run(type, opts?.skillName ?? null, tags, encryptedData, now, existing.id);
+
+      log.debug(`Credential "${name}" updated (${existing.id})`);
+      return this.toMeta({ id: existing.id, name, type, skill_name: opts?.skillName ?? null, tags, encrypted_data: encryptedData, created_at: now, updated_at: now });
+    }
+
+    const id = randomUUID();
+    db.prepare(`
+      INSERT INTO credentials (id, name, type, skill_name, tags, encrypted_data, created_at, updated_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(id, name, type, opts?.skillName ?? null, tags, encryptedData, now, now);
+
+    log.debug(`Credential "${name}" saved (${id})`);
+    return { id, name, type, skillName: opts?.skillName, tags: opts?.tags || [], createdAt: now, updatedAt: now };
+  }
+
+  get(id: string): Credential | null {
+    const row = this.store.getDb()
+      .prepare("SELECT * FROM credentials WHERE id = ?")
+      .get(id) as CredentialRow | undefined;
+
+    return row ? this.toCredential(row) : null;
+  }
+
+  getByName(name: string): Credential | null {
+    const row = this.store.getDb()
+      .prepare("SELECT * FROM credentials WHERE name = ?")
+      .get(name) as CredentialRow | undefined;
+
+    return row ? this.toCredential(row) : null;
+  }
+
+  update(id: string, data: Partial<CredentialData>): CredentialMeta | null {
+    const row = this.store.getDb()
+      .prepare("SELECT * FROM credentials WHERE id = ?")
+      .get(id) as CredentialRow | undefined;
+
+    if (!row) return null;
+
+    // Merge with existing data
+    const existing = this.decryptData(row.encrypted_data);
+    const merged: CredentialData = { ...existing };
+    for (const [key, value] of Object.entries(data)) {
+      if (value !== undefined) {
+        merged[key] = value;
+      }
+    }
+
+    const now = new Date().toISOString();
+    const encryptedData = this.encryptData(merged);
+
+    this.store.getDb()
+      .prepare("UPDATE credentials SET encrypted_data = ?, updated_at = ? WHERE id = ?")
+      .run(encryptedData, now, id);
+
+    log.debug(`Credential "${row.name}" updated`);
+    return this.toMeta({ ...row, encrypted_data: encryptedData, updated_at: now });
+  }
+
+  remove(id: string): boolean {
+    const result = this.store.getDb()
+      .prepare("DELETE FROM credentials WHERE id = ?")
+      .run(id);
+
+    if (result.changes > 0) {
+      log.debug(`Credential ${id} removed`);
+      return true;
+    }
+    return false;
+  }
+
+  removeByName(name: string): boolean {
+    const result = this.store.getDb()
+      .prepare("DELETE FROM credentials WHERE name = ?")
+      .run(name);
+
+    if (result.changes > 0) {
+      log.debug(`Credential "${name}" removed`);
+      return true;
+    }
+    return false;
+  }
+
+  // ── Query ───────────────────────────────────────────────────────
+
+  list(): CredentialMeta[] {
+    const rows = this.store.getDb()
+      .prepare("SELECT * FROM credentials ORDER BY updated_at DESC")
+      .all() as CredentialRow[];
+
+    return rows.map((r) => this.toMeta(r));
+  }
+
+  findBySkill(skillName: string): CredentialMeta[] {
+    const rows = this.store.getDb()
+      .prepare("SELECT * FROM credentials WHERE skill_name = ? ORDER BY name")
+      .all(skillName) as CredentialRow[];
+
+    return rows.map((r) => this.toMeta(r));
+  }
+
+  findByTag(tag: string): CredentialMeta[] {
+    // SQLite JSON: search within the tags JSON array (case-insensitive)
+    const rows = this.store.getDb()
+      .prepare("SELECT * FROM credentials WHERE tags LIKE ? ORDER BY name")
+      .all(`%${tag.toLowerCase()}%`) as CredentialRow[];
+
+    // Filter precisely in JS since LIKE is coarse
+    return rows
+      .filter((r) => {
+        const tags: string[] = JSON.parse(r.tags);
+        return tags.some((t) => t.toLowerCase() === tag.toLowerCase());
+      })
+      .map((r) => this.toMeta(r));
+  }
+
+  findByType(type: CredentialType): CredentialMeta[] {
+    const rows = this.store.getDb()
+      .prepare("SELECT * FROM credentials WHERE type = ? ORDER BY name")
+      .all(type) as CredentialRow[];
+
+    return rows.map((r) => this.toMeta(r));
+  }
+
+  // ── Bulk ────────────────────────────────────────────────────────
+
+  removeBySkill(skillName: string): number {
+    const result = this.store.getDb()
+      .prepare("DELETE FROM credentials WHERE skill_name = ?")
+      .run(skillName);
+
+    return result.changes;
+  }
+
+  clear(): void {
+    this.store.getDb().prepare("DELETE FROM credentials").run();
+  }
+
+  // ── Internal ────────────────────────────────────────────────────
+
+  private encryptData(data: CredentialData): string {
+    const payload = encrypt(JSON.stringify(data), this.encryptionKey);
+    return JSON.stringify(payload);
+  }
+
+  private decryptData(encrypted: string): CredentialData {
+    const payload = JSON.parse(encrypted);
+    const decrypted = decrypt(payload, this.encryptionKey);
+    return JSON.parse(decrypted);
+  }
+
+  private toMeta(row: CredentialRow): CredentialMeta {
+    return {
+      id: row.id,
+      name: row.name,
+      type: row.type as CredentialType,
+      skillName: row.skill_name || undefined,
+      tags: JSON.parse(row.tags),
+      createdAt: row.created_at,
+      updatedAt: row.updated_at,
+    };
+  }
+
+  private toCredential(row: CredentialRow): Credential | null {
+    try {
+      return {
+        meta: this.toMeta(row),
+        data: this.decryptData(row.encrypted_data),
+      };
+    } catch (err) {
+      log.debug(`Failed to decrypt credential ${row.id}: ${err}`);
+      return null;
+    }
+  }
+}
+
+// ── Singleton ────────────────────────────────────────────────────────
+
+let _instance: CredentialStore | null = null;
+
+export function getCredentialStore(): CredentialStore {
+  if (!_instance) {
+    _instance = new CredentialStore();
+  }
+  return _instance;
+}
+
+/** Reset singleton (for tests). */
+export function resetCredentialStore(): void {
+  _instance = null;
+}

package/src/credentials/encryption.test.ts

@@ -0,0 +1,98 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdtempSync, rmSync } from "fs";
+import { join } from "path";
+import { tmpdir } from "os";
+import { deriveKey, encrypt, decrypt } from "./encryption.js";
+
+describe("encryption", () => {
+  let tempDir: string;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), "enc-test-"));
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe("deriveKey", () => {
+    it("returns a 32-byte key", () => {
+      const key = deriveKey(tempDir);
+      expect(key).toBeInstanceOf(Buffer);
+      expect(key.length).toBe(32);
+    });
+
+    it("returns the same key for the same path", () => {
+      const key1 = deriveKey(tempDir);
+      const key2 = deriveKey(tempDir);
+      expect(key1.equals(key2)).toBe(true);
+    });
+
+    it("returns different keys for different paths", () => {
+      const tempDir2 = mkdtempSync(join(tmpdir(), "enc-test2-"));
+      try {
+        const key1 = deriveKey(tempDir);
+        const key2 = deriveKey(tempDir2);
+        expect(key1.equals(key2)).toBe(false);
+      } finally {
+        rmSync(tempDir2, { recursive: true, force: true });
+      }
+    });
+  });
+
+  describe("encrypt / decrypt", () => {
+    it("round-trips plaintext correctly", () => {
+      const key = deriveKey(tempDir);
+      const plaintext = "my secret api key 12345";
+
+      const encrypted = encrypt(plaintext, key);
+      expect(encrypted.iv).toBeTruthy();
+      expect(encrypted.data).toBeTruthy();
+      expect(encrypted.tag).toBeTruthy();
+
+      const decrypted = decrypt(encrypted, key);
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it("handles unicode and JSON content", () => {
+      const key = deriveKey(tempDir);
+      const plaintext = JSON.stringify({ username: "用户", password: "密码123" });
+
+      const encrypted = encrypt(plaintext, key);
+      const decrypted = decrypt(encrypted, key);
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it("produces different ciphertext for same plaintext (random IV)", () => {
+      const key = deriveKey(tempDir);
+      const plaintext = "same text";
+
+      const enc1 = encrypt(plaintext, key);
+      const enc2 = encrypt(plaintext, key);
+      expect(enc1.iv).not.toBe(enc2.iv);
+      expect(enc1.data).not.toBe(enc2.data);
+    });
+
+    it("fails to decrypt with wrong key", () => {
+      const key1 = deriveKey(tempDir);
+      const tempDir2 = mkdtempSync(join(tmpdir(), "enc-test-wrong-"));
+      const key2 = deriveKey(tempDir2);
+
+      try {
+        const encrypted = encrypt("secret", key1);
+        expect(() => decrypt(encrypted, key2)).toThrow();
+      } finally {
+        rmSync(tempDir2, { recursive: true, force: true });
+      }
+    });
+
+    it("fails if ciphertext is tampered", () => {
+      const key = deriveKey(tempDir);
+      const encrypted = encrypt("secret", key);
+
+      // Tamper with the data
+      const tampered = { ...encrypted, data: encrypted.data.slice(0, -2) + "AA" };
+      expect(() => decrypt(tampered, key)).toThrow();
+    });
+  });
+});

package/src/credentials/encryption.ts

@@ -0,0 +1,82 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync, createHash } from "crypto";
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
+import { join } from "path";
+import { homedir, hostname, userInfo } from "os";
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const SALT_FILE = "encryption.salt";
+
+/**
+ * Derive a stable machine-specific encryption key.
+ *
+ * Uses hostname + username + homedir as a machine identifier,
+ * combined with a random salt persisted to disk. This means:
+ * - Same machine = same key (credentials stay readable)
+ * - Different machine = different key (stolen files are useless)
+ * - Reinstalling the app preserves the salt (it's in ~/.config/assistme/)
+ */
+export function deriveKey(basePath: string): Buffer {
+  const saltPath = join(basePath, SALT_FILE);
+
+  let salt: Buffer;
+  if (existsSync(saltPath)) {
+    salt = readFileSync(saltPath);
+  } else {
+    salt = randomBytes(32);
+    if (!existsSync(basePath)) {
+      mkdirSync(basePath, { recursive: true, mode: 0o700 });
+    }
+    writeFileSync(saltPath, salt, { mode: 0o600 });
+  }
+
+  // Build a stable machine identifier
+  const machineId = createHash("sha256")
+    .update(hostname())
+    .update(userInfo().username)
+    .update(homedir())
+    .digest();
+
+  return scryptSync(machineId, salt, KEY_LENGTH);
+}
+
+export interface EncryptedPayload {
+  /** Base64-encoded IV */
+  iv: string;
+  /** Base64-encoded encrypted data */
+  data: string;
+  /** Base64-encoded GCM auth tag */
+  tag: string;
+}
+
+export function encrypt(plaintext: string, key: Buffer): EncryptedPayload {
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf-8"),
+    cipher.final(),
+  ]);
+
+  return {
+    iv: iv.toString("base64"),
+    data: encrypted.toString("base64"),
+    tag: cipher.getAuthTag().toString("base64"),
+  };
+}
+
+export function decrypt(payload: EncryptedPayload, key: Buffer): string {
+  const iv = Buffer.from(payload.iv, "base64");
+  const data = Buffer.from(payload.data, "base64");
+  const tag = Buffer.from(payload.tag, "base64");
+
+  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+  decipher.setAuthTag(tag);
+
+  return Buffer.concat([
+    decipher.update(data),
+    decipher.final(),
+  ]).toString("utf-8");
+}

package/src/credentials/index.ts

@@ -0,0 +1,15 @@
+export {
+  CredentialStore,
+  getCredentialStore,
+  resetCredentialStore,
+  type Credential,
+  type CredentialData,
+  type CredentialMeta,
+  type CredentialType,
+} from "./credential-store.js";
+
+export {
+  LocalStore,
+  getLocalStore,
+  resetLocalStore,
+} from "./local-store.js";