npm - beakcrypt - Versions diffs - 0.0.1 - Mend

beakcrypt 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1370 @@
+#!/usr/bin/env node
+// src/index.ts
+import { Command } from "commander";
+// src/lib/errors.ts
+import pc from "picocolors";
+var CliError = class extends Error {
+  constructor(message, hint) {
+    super(message);
+    this.hint = hint;
+    this.name = "CliError";
+  }
+};
+function handleResultError(result) {
+  throw new CliError(result.error, `Error code: ${result.code}`);
+}
+function unwrapResult(result) {
+  if (!result.ok) {
+    handleResultError(result);
+  }
+  return result.data;
+}
+function handleError(error) {
+  if (error instanceof CliError) {
+    console.error(`
+${pc.red("Error:")} ${error.message}`);
+    if (error.hint) {
+      console.error(`${pc.dim(error.hint)}`);
+    }
+  } else if (error instanceof Error) {
+    console.error(`
+${pc.red("Error:")} ${error.message}`);
+  } else {
+    console.error(`
+${pc.red("Error:")} An unexpected error occurred.`);
+  }
+  process.exit(1);
+}
+// src/commands/login.ts
+import { api } from "@beakcrypt/convex";
+// src/lib/global-config.ts
+import { mkdir, readFile, writeFile, rm } from "fs/promises";
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+var CONFIG_DIR = join(homedir(), ".beakcrypt");
+var AUTH_FILE = join(CONFIG_DIR, "auth.json");
+function getConfigDir() {
+  return CONFIG_DIR;
+}
+async function ensureConfigDir() {
+  await mkdir(CONFIG_DIR, { recursive: true });
+}
+async function getAuthConfig() {
+  if (!existsSync(AUTH_FILE)) return null;
+  try {
+    const data = await readFile(AUTH_FILE, "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+async function saveAuthConfig(config) {
+  await ensureConfigDir();
+  await writeFile(AUTH_FILE, JSON.stringify(config, null, 2), { mode: 384 });
+}
+async function clearAllConfig() {
+  if (existsSync(CONFIG_DIR)) {
+    await rm(CONFIG_DIR, { recursive: true });
+  }
+}
+function isLoggedIn() {
+  return existsSync(AUTH_FILE);
+}
+// src/lib/auth.ts
+import {
+  createServer
+} from "http";
+import { URL } from "url";
+import open from "open";
+import ora from "ora";
+import pc3 from "picocolors";
+// src/lib/output.ts
+import pc2 from "picocolors";
+function success(message) {
+  console.log(`${pc2.green("\u2713")} ${message}`);
+}
+function info(message) {
+  console.log(`${pc2.blue("\u2139")} ${message}`);
+}
+function warn(message) {
+  console.log(`${pc2.yellow("\u26A0")} ${message}`);
+}
+function dim(message) {
+  return pc2.dim(message);
+}
+function bold(message) {
+  return pc2.bold(message);
+}
+function link(url) {
+  return pc2.cyan(pc2.underline(url));
+}
+function table(rows, headers) {
+  const allRows = headers ? [headers, ...rows] : rows;
+  const colWidths = [];
+  for (const row of allRows) {
+    for (let i = 0; i < row.length; i++) {
+      colWidths[i] = Math.max(colWidths[i] ?? 0, (row[i] ?? "").length);
+    }
+  }
+  for (let i = 0; i < allRows.length; i++) {
+    const row = allRows[i];
+    const line = row.map((cell, j) => (cell ?? "").padEnd(colWidths[j] ?? 0)).join("  ");
+    if (i === 0 && headers) {
+      console.log(pc2.bold(line));
+      console.log(colWidths.map((w) => "\u2500".repeat(w)).join("\u2500\u2500"));
+    } else {
+      console.log(line);
+    }
+  }
+}
+// src/lib/auth.ts
+function startCallbackServer() {
+  return new Promise((resolve3, reject) => {
+    let resolveToken;
+    const tokenPromise = new Promise((res) => {
+      resolveToken = res;
+    });
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost`);
+      if (url.pathname === "/callback") {
+        const sessionToken = url.searchParams.get("session_token");
+        if (sessionToken) {
+          res.writeHead(200, { "Content-Type": "text/html" });
+          res.end(`
+						<html>
+							<body style="display:flex;justify-content:center;align-items:center;height:100vh;font-family:system-ui;background:#0a0a0a;color:#fafafa">
+								<div style="text-align:center">
+									<h1>Authenticated!</h1>
+									<p>You can close this tab and return to the terminal.</p>
+								</div>
+							</body>
+						</html>
+					`);
+          resolveToken({ sessionToken });
+          setTimeout(() => server.close(), 500);
+        } else {
+          res.writeHead(400, { "Content-Type": "text/plain" });
+          res.end("Missing session_token parameter");
+        }
+      } else {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not found");
+      }
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("Failed to start callback server"));
+        return;
+      }
+      resolve3({
+        port: addr.port,
+        waitForToken: () => tokenPromise
+      });
+    });
+    server.on("error", reject);
+  });
+}
+async function loginFlow(siteUrl, convexUrl, convexSiteUrl) {
+  const { port, waitForToken } = await startCallbackServer();
+  const callbackUrl = `http://localhost:${port}/callback`;
+  const loginUrl = `${siteUrl}/auth/cli?callback=${encodeURIComponent(callbackUrl)}`;
+  const isTTY = process.stdin.isTTY;
+  if (isTTY) {
+    info(`Opening browser to log in...`);
+    console.log(`${pc3.dim("If the browser doesn't open, visit:")}`);
+    console.log(`${link(loginUrl)}
+`);
+    try {
+      await open(loginUrl);
+    } catch {
+    }
+  } else {
+    console.log(`Visit this URL to log in:
+${link(loginUrl)}
+`);
+  }
+  const spinner = ora("Waiting for authentication...").start();
+  const result = await waitForToken();
+  spinner.stop();
+  const config = {
+    sessionToken: result.sessionToken,
+    convexUrl,
+    convexSiteUrl,
+    siteUrl
+  };
+  await saveAuthConfig(config);
+  return config;
+}
+function getDefaultUrls() {
+  return {
+    siteUrl: process.env.BEAKCRYPT_SITE_URL ?? "https://app.beakcrypt.com",
+    convexUrl: process.env.BEAKCRYPT_CONVEX_URL ?? "",
+    convexSiteUrl: process.env.BEAKCRYPT_CONVEX_SITE_URL ?? ""
+  };
+}
+function validateUrls(urls) {
+  if (!urls.convexUrl) {
+    throw new CliError(
+      "BEAKCRYPT_CONVEX_URL is not configured.",
+      "Set the BEAKCRYPT_CONVEX_URL environment variable or configure it in ~/.beakcrypt/auth.json"
+    );
+  }
+  if (!urls.convexSiteUrl) {
+    throw new CliError(
+      "BEAKCRYPT_CONVEX_SITE_URL is not configured.",
+      "Set the BEAKCRYPT_CONVEX_SITE_URL environment variable or configure it in ~/.beakcrypt/auth.json"
+    );
+  }
+}
+// src/lib/convex-client.ts
+import { ConvexHttpClient } from "convex/browser";
+var clientInstance = null;
+var cachedAuth = null;
+async function getConvexToken(auth) {
+  const url = `${auth.convexSiteUrl}/api/auth/convex/token`;
+  const res = await fetch(url, {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${auth.sessionToken}`
+    }
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    console.error(`Token exchange failed: ${res.status} ${res.statusText}`);
+    console.error(`URL: ${url}`);
+    if (body) console.error(`Body: ${body}`);
+    throw new CliError("Session expired. Please run `beakcrypt login` again.");
+  }
+  const data = await res.json();
+  return data.token;
+}
+async function getClient() {
+  const auth = await getAuthConfig();
+  if (!auth) {
+    throw new CliError("Not logged in. Run `beakcrypt login` first.");
+  }
+  cachedAuth = auth;
+  if (!clientInstance) {
+    clientInstance = new ConvexHttpClient(auth.convexUrl);
+  }
+  const token = await getConvexToken(auth);
+  clientInstance.setAuth(token);
+  return clientInstance;
+}
+async function query(fn, args) {
+  const client = await getClient();
+  return client.query(fn, args);
+}
+async function mutation(fn, args) {
+  const client = await getClient();
+  return client.mutation(fn, args);
+}
+function getSessionToken() {
+  return cachedAuth?.sessionToken ?? null;
+}
+function getSiteUrl() {
+  if (!cachedAuth) throw new CliError("Not logged in.");
+  return cachedAuth.siteUrl;
+}
+// src/commands/login.ts
+async function loginCommand() {
+  const existing = await getAuthConfig();
+  if (existing) {
+    info("Already logged in. Refreshing session...");
+  }
+  const urls = existing ? {
+    siteUrl: existing.siteUrl,
+    convexUrl: existing.convexUrl,
+    convexSiteUrl: existing.convexSiteUrl
+  } : getDefaultUrls();
+  validateUrls(urls);
+  await loginFlow(urls.siteUrl, urls.convexUrl, urls.convexSiteUrl);
+  try {
+    const user = await query(api.auth.getCurrentUser, {});
+    if (user) {
+      success(`Logged in as ${bold(user.email)}`);
+    } else {
+      success("Logged in successfully.");
+    }
+  } catch {
+    success("Logged in successfully.");
+  }
+}
+// src/lib/interactive.ts
+import prompts from "prompts";
+function isInteractive() {
+  return Boolean(process.stdin.isTTY);
+}
+function requireInteractive(command) {
+  if (!isInteractive()) {
+    throw new CliError(
+      `Cannot run interactive prompts in non-interactive mode.`,
+      `Run \`beakcrypt ${command}\` in an interactive terminal, or provide required flags.`
+    );
+  }
+}
+async function select(opts) {
+  const { value } = await prompts(
+    {
+      type: "select",
+      name: "value",
+      message: opts.message,
+      choices: opts.choices
+    },
+    { onCancel: () => process.exit(0) }
+  );
+  return value;
+}
+async function confirm(message, initial = false) {
+  const { value } = await prompts(
+    {
+      type: "confirm",
+      name: "value",
+      message,
+      initial
+    },
+    { onCancel: () => process.exit(0) }
+  );
+  return value;
+}
+async function text(opts) {
+  const { value } = await prompts(
+    {
+      type: "text",
+      name: "value",
+      message: opts.message,
+      ...opts.placeholder ? { initial: opts.placeholder } : {},
+      validate: opts.validate ? (v) => {
+        const result = opts.validate(v);
+        return result === true ? true : result;
+      } : void 0
+    },
+    { onCancel: () => process.exit(0) }
+  );
+  return value;
+}
+// src/commands/logout.ts
+async function logoutCommand(opts) {
+  if (!isLoggedIn()) {
+    info("Not currently logged in.");
+    return;
+  }
+  if (!opts.yes) {
+    const confirmed = await confirm(
+      "This will remove all credentials and device keys. Continue?"
+    );
+    if (!confirmed) return;
+  }
+  await clearAllConfig();
+  success("Logged out. All credentials and keys removed.");
+}
+// src/commands/whoami.ts
+import { api as api3 } from "@beakcrypt/convex";
+// src/lib/context.ts
+import { api as api2 } from "@beakcrypt/convex";
+// src/lib/project-config.ts
+import { mkdir as mkdir2, readFile as readFile2, writeFile as writeFile2, appendFile } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import { join as join2, dirname } from "path";
+var CONFIG_DIR_NAME = ".beakcrypt";
+var CONFIG_FILE_NAME = "project.json";
+function findProjectConfigDir(startDir) {
+  let dir = startDir ?? process.cwd();
+  const root = dirname(dir) === dir ? dir : "/";
+  while (true) {
+    const configPath = join2(dir, CONFIG_DIR_NAME, CONFIG_FILE_NAME);
+    if (existsSync2(configPath)) {
+      return join2(dir, CONFIG_DIR_NAME);
+    }
+    const parent = dirname(dir);
+    if (parent === dir || dir === root) break;
+    dir = parent;
+  }
+  return null;
+}
+async function getProjectConfig(startDir) {
+  const configDir = findProjectConfigDir(startDir);
+  if (!configDir) return null;
+  try {
+    const data = await readFile2(join2(configDir, CONFIG_FILE_NAME), "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+async function saveProjectConfig(config, dir) {
+  const baseDir = dir ?? process.cwd();
+  const configDir = join2(baseDir, CONFIG_DIR_NAME);
+  await mkdir2(configDir, { recursive: true });
+  await writeFile2(
+    join2(configDir, CONFIG_FILE_NAME),
+    JSON.stringify(config, null, 2)
+  );
+  await ensureGitignore(baseDir);
+  return configDir;
+}
+async function ensureGitignore(baseDir) {
+  const gitignorePath = join2(baseDir, ".gitignore");
+  if (existsSync2(gitignorePath)) {
+    const content = await readFile2(gitignorePath, "utf-8");
+    if (content.includes(CONFIG_DIR_NAME)) return;
+    const suffix = content.endsWith("\n") ? "" : "\n";
+    await appendFile(
+      gitignorePath,
+      `${suffix}
+# Beakcrypt CLI
+${CONFIG_DIR_NAME}
+`
+    );
+  } else {
+    await writeFile2(gitignorePath, `# Beakcrypt CLI
+${CONFIG_DIR_NAME}
+`);
+  }
+}
+// src/lib/context.ts
+async function ensureAuth() {
+  const auth = await getAuthConfig();
+  if (auth) return;
+  if (!isInteractive()) {
+    throw new CliError("Not logged in. Run `beakcrypt login` first.");
+  }
+  const shouldLogin = await confirm(
+    "You're not logged in. Log in now?",
+    true
+  );
+  if (!shouldLogin) process.exit(0);
+  await loginCommand();
+}
+async function resolveContext(flags) {
+  await ensureAuth();
+  const projectConfig = await getProjectConfig();
+  const orgId = flags.org ? await resolveOrgBySlug(flags.org) : projectConfig?.orgId;
+  const orgSlug = flags.org ?? projectConfig?.orgSlug;
+  const projectId = flags.project ? await resolveProjectByName(orgId, flags.project) : projectConfig?.projectId;
+  const projectName = flags.project ?? projectConfig?.projectName;
+  const envName = flags.env ?? projectConfig?.defaultEnv;
+  if (!orgId || !projectId || !envName || !orgSlug || !projectName) {
+    if (!isInteractive()) {
+      throw new CliError(
+        "No project linked in this directory.",
+        "Run `beakcrypt link` to connect this directory to a project."
+      );
+    }
+    const config = await interactiveLink();
+    const envId2 = await resolveEnvId(
+      config.projectId,
+      flags.env ?? config.defaultEnv
+    );
+    return {
+      orgId: config.orgId,
+      orgSlug: config.orgSlug,
+      projectId: config.projectId,
+      projectName: config.projectName,
+      envName: flags.env ?? config.defaultEnv,
+      environmentId: envId2
+    };
+  }
+  const envId = await resolveEnvId(projectId, envName);
+  return {
+    orgId,
+    orgSlug,
+    projectId,
+    projectName,
+    envName,
+    environmentId: envId
+  };
+}
+async function resolveOrgBySlug(slug) {
+  const result = await query(api2.organizations.getBySlug, { slug });
+  const org2 = unwrapResult(result);
+  return org2._id;
+}
+async function resolveProjectByName(orgId, name) {
+  const result = await query(api2.projects.getByName, {
+    orgId,
+    name
+  });
+  const project = unwrapResult(result);
+  return project._id;
+}
+async function resolveEnvId(projectId, envName) {
+  if (envName === "local") {
+    await mutation(api2.environments.ensurePersonalLocal, {
+      projectId,
+      syncFromDev: false
+    });
+  }
+  const result = await query(api2.environments.list, {
+    projectId
+  });
+  const envs = unwrapResult(result);
+  const env2 = envs.find((e) => e.name === envName);
+  if (!env2) {
+    throw new CliError(`Environment "${envName}" not found.`);
+  }
+  return env2._id;
+}
+async function interactiveLink() {
+  requireInteractive("link");
+  const orgsResult = await query(api2.organizations.list, {});
+  const orgs = unwrapResult(orgsResult);
+  if (orgs.length === 0) {
+    throw new CliError("You don't belong to any organizations.");
+  }
+  const orgId = await select({
+    message: "Select an organization:",
+    choices: orgs.map((o) => ({
+      title: `${o.name} (${o.slug})`,
+      value: o._id
+    }))
+  });
+  const selectedOrg = orgs.find((o) => o._id === orgId);
+  const action = await select({
+    message: "What would you like to do?",
+    choices: [
+      { title: "Link to an existing project", value: "link" },
+      { title: "Create a new project", value: "create" }
+    ]
+  });
+  let projectId;
+  let projectName;
+  if (action === "create") {
+    const name = await text({
+      message: "Enter project name:",
+      validate: (v) => v.trim().length > 0 ? true : "Project name is required"
+    });
+    const createResult = await mutation(api2.projects.create, {
+      name: name.trim(),
+      orgId
+    });
+    const project = unwrapResult(createResult);
+    projectId = project._id;
+    projectName = project.name;
+    success(`Created project "${projectName}" in ${selectedOrg.name}`);
+  } else {
+    const projectsResult = await query(api2.projects.list, {
+      orgId
+    });
+    const projects = unwrapResult(projectsResult);
+    if (projects.length === 0) {
+      throw new CliError("No projects in this organization. Create one first.");
+    }
+    projectId = await select({
+      message: "Select a project:",
+      choices: projects.map((p) => ({
+        title: p.name,
+        value: p._id
+      }))
+    });
+    const selectedProject = projects.find(
+      (p) => p._id === projectId
+    );
+    projectName = selectedProject.name;
+  }
+  await mutation(api2.environments.ensurePersonalLocal, {
+    projectId,
+    syncFromDev: false
+  });
+  const envsResult = await query(api2.environments.list, {
+    projectId
+  });
+  const envs = unwrapResult(envsResult);
+  const defaultEnv = await select({
+    message: "Select a default environment:",
+    choices: envs.map(
+      (e) => ({
+        title: e.isPersonal ? `${e.name} (personal)` : e.name,
+        value: e.name
+      })
+    )
+  });
+  const config = {
+    orgId,
+    orgSlug: selectedOrg.slug,
+    projectId,
+    projectName,
+    defaultEnv
+  };
+  const configDir = await saveProjectConfig(config);
+  success(
+    `Linked to ${selectedOrg.slug}/${projectName} (${defaultEnv})`
+  );
+  info(`Created ${configDir}/project.json`);
+  info(`Added .beakcrypt to .gitignore`);
+  return config;
+}
+// src/commands/whoami.ts
+async function whoamiCommand() {
+  await ensureAuth();
+  const user = await query(api3.auth.getCurrentUser, {});
+  if (!user) {
+    throw new CliError(
+      "Could not retrieve user info. Try `beakcrypt login` again."
+    );
+  }
+  console.log();
+  console.log(`  ${bold("Email:")}  ${user.email}`);
+  console.log(`  ${bold("Name:")}   ${user.name}`);
+  console.log();
+}
+// src/lib/key-manager.ts
+import ora2 from "ora";
+import open2 from "open";
+// ../crypto/src/core.ts
+var RSA_ALGORITHM = {
+  name: "RSA-OAEP",
+  modulusLength: 4096,
+  publicExponent: new Uint8Array([1, 0, 1]),
+  hash: "SHA-256"
+};
+var AES_ALGORITHM = "AES-GCM";
+var AES_KEY_LENGTH = 256;
+var IV_BYTE_LENGTH = 12;
+async function generateKeyPair() {
+  const keyPair = await crypto.subtle.generateKey(RSA_ALGORITHM, true, [
+    "wrapKey",
+    "unwrapKey"
+  ]);
+  const [publicKey, privateKey] = await Promise.all([
+    crypto.subtle.exportKey("jwk", keyPair.publicKey),
+    crypto.subtle.exportKey("jwk", keyPair.privateKey)
+  ]);
+  return { publicKey, privateKey };
+}
+async function unwrapOrgKey(wrappedKeyBase64, privateKeyJwk) {
+  const privateKey = await crypto.subtle.importKey(
+    "jwk",
+    privateKeyJwk,
+    RSA_ALGORITHM,
+    false,
+    ["unwrapKey"]
+  );
+  const orgKey = await crypto.subtle.unwrapKey(
+    "raw",
+    base64ToBuffer(wrappedKeyBase64),
+    privateKey,
+    { name: "RSA-OAEP" },
+    { name: AES_ALGORITHM, length: AES_KEY_LENGTH },
+    true,
+    ["encrypt", "decrypt"]
+  );
+  const raw = await crypto.subtle.exportKey("raw", orgKey);
+  return bufferToBase64(raw);
+}
+async function encryptSecret(plaintext, orgKeyBase64) {
+  const key = await crypto.subtle.importKey(
+    "raw",
+    base64ToBuffer(orgKeyBase64),
+    { name: AES_ALGORITHM },
+    false,
+    ["encrypt"]
+  );
+  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTE_LENGTH));
+  const encoded = new TextEncoder().encode(plaintext);
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: AES_ALGORITHM, iv },
+    key,
+    encoded
+  );
+  return `${bufferToBase64(iv.buffer)}:${bufferToBase64(ciphertext)}`;
+}
+async function decryptSecret(encryptedValue, orgKeyBase64) {
+  const [ivBase64, ciphertextBase64] = encryptedValue.split(":");
+  if (!ivBase64 || !ciphertextBase64) {
+    throw new Error(
+      "Invalid encrypted value format \u2014 expected 'iv:ciphertext'"
+    );
+  }
+  const key = await crypto.subtle.importKey(
+    "raw",
+    base64ToBuffer(orgKeyBase64),
+    { name: AES_ALGORITHM },
+    false,
+    ["decrypt"]
+  );
+  const decrypted = await crypto.subtle.decrypt(
+    { name: AES_ALGORITHM, iv: base64ToBuffer(ivBase64) },
+    key,
+    base64ToBuffer(ciphertextBase64)
+  );
+  return new TextDecoder().decode(decrypted);
+}
+function bufferToBase64(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.byteLength; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary);
+}
+function base64ToBuffer(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes.buffer;
+}
+// src/lib/key-manager.ts
+import { api as api4 } from "@beakcrypt/convex";
+// src/lib/key-store.ts
+import { mkdir as mkdir3, readFile as readFile3, writeFile as writeFile3, rm as rm2 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import { join as join3 } from "path";
+function getKeysDir() {
+  return join3(getConfigDir(), "keys");
+}
+function getKeyFile(orgId) {
+  return join3(getKeysDir(), `${orgId}.json`);
+}
+async function getStoredKey(orgId) {
+  const file = getKeyFile(orgId);
+  if (!existsSync3(file)) return null;
+  try {
+    const data = await readFile3(file, "utf-8");
+    return JSON.parse(data);
+  } catch {
+    return null;
+  }
+}
+async function saveKey(orgId, data) {
+  const dir = getKeysDir();
+  await mkdir3(dir, { recursive: true });
+  await writeFile3(getKeyFile(orgId), JSON.stringify(data, null, 2), {
+    mode: 384
+  });
+}
+async function updateWrappedOrgKey(orgId, wrappedOrgKey) {
+  const existing = await getStoredKey(orgId);
+  if (!existing) throw new Error(`No key stored for org ${orgId}`);
+  existing.wrappedOrgKey = wrappedOrgKey;
+  await saveKey(orgId, existing);
+}
+// src/lib/key-manager.ts
+async function ensureOrgKey(orgId) {
+  const stored = await getStoredKey(orgId);
+  if (stored?.wrappedOrgKey) {
+    return await unwrapOrgKey(stored.wrappedOrgKey, stored.privateKey);
+  }
+  if (stored?.keyId) {
+    const keyResult = await query(api4.keys.getMyKey, {
+      orgId,
+      publicKey: JSON.stringify(stored.publicKey)
+    });
+    const keyRecord = unwrapResult(keyResult);
+    if (keyRecord?.status === "active" && keyRecord.wrappedOrgKey) {
+      await updateWrappedOrgKey(orgId, keyRecord.wrappedOrgKey);
+      return await unwrapOrgKey(
+        keyRecord.wrappedOrgKey,
+        stored.privateKey
+      );
+    }
+    if (keyRecord?.status === "pending") {
+      return await waitForApproval(orgId, stored);
+    }
+    throw new Error(
+      "Device key is not active. An admin may need to approve this device."
+    );
+  }
+  return await registerNewDevice(orgId);
+}
+async function registerNewDevice(orgId) {
+  const sessionToken = getSessionToken();
+  if (!sessionToken) throw new Error("Not logged in");
+  const spinner = ora2("Generating device keys...").start();
+  let keyPair;
+  let keyRecord;
+  try {
+    keyPair = await generateKeyPair();
+    spinner.text = "Registering device with organization...";
+    const result = await mutation(api4.keys.registerKey, {
+      orgId,
+      publicKey: JSON.stringify(keyPair.publicKey),
+      sessionToken
+    });
+    keyRecord = unwrapResult(result);
+    spinner.stop();
+  } catch (err) {
+    spinner.fail("Device registration failed.");
+    throw err;
+  }
+  const stored = {
+    publicKey: keyPair.publicKey,
+    privateKey: keyPair.privateKey,
+    keyId: keyRecord._id,
+    wrappedOrgKey: keyRecord.wrappedOrgKey
+  };
+  await saveKey(orgId, stored);
+  if (keyRecord.status === "active" && keyRecord.wrappedOrgKey) {
+    success("Device registered and activated.");
+    return await unwrapOrgKey(
+      keyRecord.wrappedOrgKey,
+      keyPair.privateKey
+    );
+  }
+  return await waitForApproval(orgId, stored);
+}
+async function waitForApproval(orgId, stored) {
+  try {
+    const projectConfig = await getProjectConfig();
+    if (projectConfig?.orgSlug && stored.keyId) {
+      const siteUrl = getSiteUrl();
+      const approveUrl = `${siteUrl}/${projectConfig.orgSlug}/sessions?approveSession=${stored.keyId}`;
+      info("Opening browser to approve this device...");
+      console.log(`${dim("If the browser doesn't open, visit:")}`);
+      console.log(`${link(approveUrl)}
+`);
+      try {
+        await open2(approveUrl);
+      } catch {
+      }
+    }
+  } catch {
+  }
+  const spinner = ora2("Waiting for device to be approved...").start();
+  spinner.indent = 2;
+  while (true) {
+    await new Promise((r) => setTimeout(r, 5e3));
+    const result = await query(api4.keys.getMyKey, {
+      orgId,
+      publicKey: JSON.stringify(stored.publicKey)
+    });
+    const keyRecord = unwrapResult(result);
+    if (keyRecord?.status === "active" && keyRecord.wrappedOrgKey) {
+      spinner.stop();
+      await updateWrappedOrgKey(orgId, keyRecord.wrappedOrgKey);
+      success("Device approved!");
+      return await unwrapOrgKey(
+        keyRecord.wrappedOrgKey,
+        stored.privateKey
+      );
+    }
+    if (keyRecord?.status === "revoked") {
+      spinner.stop();
+      throw new Error("Device key was revoked. Re-run `beakcrypt login`.");
+    }
+  }
+}
+// src/commands/link.ts
+async function linkCommand() {
+  await ensureAuth();
+  const config = await interactiveLink();
+  await ensureOrgKey(config.orgId);
+}
+// src/commands/pull.ts
+import { resolve } from "path";
+import ora3 from "ora";
+import { api as api5 } from "@beakcrypt/convex";
+// src/lib/env-file.ts
+import { readFile as readFile4, writeFile as writeFile4 } from "fs/promises";
+import { existsSync as existsSync4 } from "fs";
+function parseEnvFile(content) {
+  const env2 = {};
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) continue;
+    const key = trimmed.slice(0, eqIndex).trim();
+    let value = trimmed.slice(eqIndex + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    if (key) {
+      env2[key] = value;
+    }
+  }
+  return env2;
+}
+function serializeEnvFile(env2) {
+  const lines = [
+    "# Generated by Beakcrypt CLI",
+    `# ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    ""
+  ];
+  const sorted = Object.entries(env2).sort(([a], [b]) => a.localeCompare(b));
+  for (const [key, value] of sorted) {
+    if (/[\s#]/.test(value)) {
+      lines.push(`${key}="${value}"`);
+    } else {
+      lines.push(`${key}=${value}`);
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+async function readEnvFile(filePath) {
+  if (!existsSync4(filePath)) {
+    return {};
+  }
+  const content = await readFile4(filePath, "utf-8");
+  return parseEnvFile(content);
+}
+async function writeEnvFile(filePath, env2) {
+  await writeFile4(filePath, serializeEnvFile(env2));
+}
+// src/commands/pull.ts
+async function pullCommand(file, opts) {
+  const filePath = resolve(file ?? ".env.local");
+  const ctx = await resolveContext(opts);
+  const spinner = ora3("Pulling secrets...").start();
+  const orgKey = await ensureOrgKey(ctx.orgId);
+  const secretsResult = await query(api5.secrets.list, {
+    environmentId: ctx.environmentId
+  });
+  const secrets2 = unwrapResult(secretsResult);
+  const decrypted = {};
+  for (const secret of secrets2) {
+    decrypted[secret.key] = await decryptSecret(secret.encryptedValue, orgKey);
+  }
+  await writeEnvFile(filePath, decrypted);
+  spinner.stop();
+  success(
+    `Pulled ${secrets2.length} secret${secrets2.length === 1 ? "" : "s"} to ${file ?? ".env.local"}`
+  );
+}
+// src/commands/push.ts
+import { resolve as resolve2 } from "path";
+import { existsSync as existsSync5 } from "fs";
+import ora4 from "ora";
+import { api as api6 } from "@beakcrypt/convex";
+async function pushCommand(file, opts) {
+  const filePath = resolve2(file ?? ".env.local");
+  if (!existsSync5(filePath)) {
+    throw new CliError(`File not found: ${filePath}`);
+  }
+  const ctx = await resolveContext(opts);
+  const env2 = await readEnvFile(filePath);
+  const keys = Object.keys(env2);
+  if (keys.length === 0) {
+    info("No secrets found in file.");
+    return;
+  }
+  if (!opts.yes) {
+    info(
+      `Pushing ${keys.length} secret${keys.length === 1 ? "" : "s"} to ${ctx.orgSlug}/${ctx.projectName} (${ctx.envName})`
+    );
+    const confirmed = await confirm("Continue?", true);
+    if (!confirmed) return;
+  }
+  const spinner = ora4("Encrypting and pushing secrets...").start();
+  const orgKey = await ensureOrgKey(ctx.orgId);
+  const encryptedSecrets = [];
+  for (const [key, value] of Object.entries(env2)) {
+    const encrypted = await encryptSecret(value, orgKey);
+    encryptedSecrets.push({ key, encryptedValue: encrypted });
+  }
+  const result = await mutation(api6.secrets.bulkCreate, {
+    environmentId: ctx.environmentId,
+    secrets: encryptedSecrets,
+    overwrite: true
+  });
+  const summary = unwrapResult(result);
+  spinner.stop();
+  success(
+    `Pushed ${summary.created} created, ${summary.updated} updated, ${summary.skipped} skipped`
+  );
+}
+// src/commands/run.ts
+import { spawn } from "child_process";
+import ora5 from "ora";
+import { api as api7 } from "@beakcrypt/convex";
+async function runCommand(args, opts) {
+  if (args.length === 0) {
+    throw new CliError(
+      "No command provided. Usage: beakcrypt run -- <command>"
+    );
+  }
+  const ctx = await resolveContext(opts);
+  const spinner = ora5("Loading secrets...").start();
+  const orgKey = await ensureOrgKey(ctx.orgId);
+  const secretsResult = await query(api7.secrets.list, {
+    environmentId: ctx.environmentId
+  });
+  const secrets2 = unwrapResult(secretsResult);
+  const decrypted = {};
+  for (const secret of secrets2) {
+    decrypted[secret.key] = await decryptSecret(secret.encryptedValue, orgKey);
+  }
+  spinner.stop();
+  const [command, ...commandArgs] = args;
+  const child = spawn(command, commandArgs, {
+    stdio: "inherit",
+    env: { ...process.env, ...decrypted }
+  });
+  child.on("close", (code) => {
+    process.exit(code ?? 0);
+  });
+  child.on("error", (err) => {
+    throw new CliError(`Failed to run command: ${err.message}`);
+  });
+}
+// src/commands/secrets/list.ts
+import { api as api8 } from "@beakcrypt/convex";
+async function secretsListCommand(opts) {
+  const ctx = await resolveContext(opts);
+  const result = await query(api8.secrets.list, {
+    environmentId: ctx.environmentId
+  });
+  const secrets2 = unwrapResult(result);
+  if (secrets2.length === 0) {
+    info(
+      `No secrets in ${ctx.orgSlug}/${ctx.projectName} (${ctx.envName})`
+    );
+    return;
+  }
+  console.log(
+    `
+${bold(`${ctx.orgSlug}/${ctx.projectName}`)} ${dim(`(${ctx.envName})`)}
+`
+  );
+  table(
+    secrets2.map((s) => [s.key, "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"]),
+    ["Key", "Value"]
+  );
+  console.log(
+    `
+${dim(`${secrets2.length} secret${secrets2.length === 1 ? "" : "s"}`)}
+`
+  );
+}
+// src/commands/secrets/set.ts
+import ora6 from "ora";
+import { api as api9 } from "@beakcrypt/convex";
+async function secretsSetCommand(pairs, opts) {
+  if (pairs.length === 0) {
+    throw new CliError(
+      "No key=value pairs provided. Usage: beakcrypt secrets set KEY=VALUE"
+    );
+  }
+  const parsed = [];
+  for (const pair of pairs) {
+    const eqIndex = pair.indexOf("=");
+    if (eqIndex === -1) {
+      throw new CliError(`Invalid format: "${pair}". Use KEY=VALUE.`);
+    }
+    parsed.push({
+      key: pair.slice(0, eqIndex),
+      value: pair.slice(eqIndex + 1)
+    });
+  }
+  const ctx = await resolveContext(opts);
+  const spinner = ora6("Setting secrets...").start();
+  const orgKey = await ensureOrgKey(ctx.orgId);
+  const encryptedSecrets = [];
+  for (const { key, value } of parsed) {
+    const encrypted = await encryptSecret(value, orgKey);
+    encryptedSecrets.push({ key, encryptedValue: encrypted });
+  }
+  const result = await mutation(api9.secrets.bulkCreate, {
+    environmentId: ctx.environmentId,
+    secrets: encryptedSecrets,
+    overwrite: true
+  });
+  unwrapResult(result);
+  spinner.stop();
+  success(
+    `Set ${parsed.length} secret${parsed.length === 1 ? "" : "s"} in ${ctx.envName}`
+  );
+}
+// src/commands/secrets/remove.ts
+import ora7 from "ora";
+import { api as api10 } from "@beakcrypt/convex";
+async function secretsRemoveCommand(keys, opts) {
+  if (keys.length === 0) {
+    throw new CliError(
+      "No keys provided. Usage: beakcrypt secrets remove KEY [KEY2...]"
+    );
+  }
+  const ctx = await resolveContext(opts);
+  const spinner = ora7("Removing secrets...").start();
+  const secretsResult = await query(api10.secrets.list, {
+    environmentId: ctx.environmentId
+  });
+  const secrets2 = unwrapResult(secretsResult);
+  let removed = 0;
+  const notFound = [];
+  for (const key of keys) {
+    const secret = secrets2.find((s) => s.key === key);
+    if (secret) {
+      const result = await mutation(api10.secrets.remove, {
+        id: secret._id
+      });
+      unwrapResult(result);
+      removed++;
+    } else {
+      notFound.push(key);
+    }
+  }
+  spinner.stop();
+  if (removed > 0) {
+    success(
+      `Removed ${removed} secret${removed === 1 ? "" : "s"} from ${ctx.envName}`
+    );
+  }
+  if (notFound.length > 0) {
+    warn(`Not found: ${notFound.join(", ")}`);
+  }
+}
+// src/commands/secrets/clear.ts
+import ora8 from "ora";
+import { api as api11 } from "@beakcrypt/convex";
+async function secretsClearCommand(opts) {
+  const ctx = await resolveContext(opts);
+  if (!opts.yes) {
+    const confirmed = await confirm(
+      `Delete ALL secrets in ${ctx.orgSlug}/${ctx.projectName} (${ctx.envName})?`
+    );
+    if (!confirmed) return;
+  }
+  const spinner = ora8("Clearing secrets...").start();
+  const result = await mutation(api11.secrets.removeAll, {
+    environmentId: ctx.environmentId
+  });
+  const summary = unwrapResult(result);
+  spinner.stop();
+  success(
+    `Deleted ${summary.deleted} secret${summary.deleted === 1 ? "" : "s"}`
+  );
+}
+// src/commands/org/list.ts
+import { api as api12 } from "@beakcrypt/convex";
+async function orgListCommand() {
+  await ensureAuth();
+  const result = await query(api12.organizations.list, {});
+  const orgs = unwrapResult(result);
+  if (orgs.length === 0) {
+    info("You don't belong to any organizations.");
+    return;
+  }
+  console.log();
+  table(
+    orgs.map((o) => [o.name, o.slug]),
+    ["Name", "Slug"]
+  );
+  console.log();
+}
+// src/commands/env/list.ts
+import { api as api13 } from "@beakcrypt/convex";
+async function envListCommand(opts) {
+  const ctx = await resolveContext({ ...opts, env: "development" });
+  const result = await query(api13.environments.list, {
+    projectId: ctx.projectId
+  });
+  const envs = unwrapResult(result);
+  if (envs.length === 0) {
+    info("No environments found.");
+    return;
+  }
+  console.log(
+    `
+${bold(`${ctx.orgSlug}/${ctx.projectName}`)} environments:
+`
+  );
+  table(
+    envs.map((e) => [
+      e.name,
+      e.isPersonal ? "personal" : "shared"
+    ]),
+    ["Name", "Type"]
+  );
+  console.log();
+}
+// src/interactive-mode.ts
+import pc4 from "picocolors";
+async function interactiveMode() {
+  requireInteractive("(no args)");
+  console.log(`
+${pc4.bold("Beakcrypt")} ${pc4.dim("v0.1.0")}
+`);
+  const auth = await getAuthConfig();
+  if (!auth) {
+    const shouldLogin = await confirm(
+      "You're not logged in. Log in now?",
+      true
+    );
+    if (!shouldLogin) process.exit(0);
+    await loginCommand();
+  }
+  const config = await getProjectConfig();
+  if (!config) {
+    info("No project linked in this directory.");
+    const shouldLink = await confirm(
+      "Link to a project now?",
+      true
+    );
+    if (!shouldLink) process.exit(0);
+    await linkCommand();
+    return;
+  }
+  console.log(
+    `Linked to ${bold(`${config.orgSlug}/${config.projectName}`)} ${dim(`(${config.defaultEnv}`)})`
+  );
+  console.log();
+  const action = await select({
+    message: "What would you like to do?",
+    choices: [
+      { title: "Pull secrets (.env.local)", value: "pull" },
+      { title: "Push secrets (.env.local)", value: "push" },
+      { title: "List secrets", value: "list" },
+      { title: "Change project link", value: "link" }
+    ]
+  });
+  switch (action) {
+    case "pull":
+      await pullCommand(void 0, {});
+      break;
+    case "push":
+      await pushCommand(void 0, {});
+      break;
+    case "list":
+      await secretsListCommand({});
+      break;
+    case "link":
+      await linkCommand();
+      break;
+  }
+}
+// src/index.ts
+var program = new Command();
+program.name("beakcrypt").description("Secure environment variable management with E2E encryption").version("0.1.0").action(async () => {
+  try {
+    await interactiveMode();
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("login").description("Log in to Beakcrypt via GitHub OAuth").action(async () => {
+  try {
+    await loginCommand();
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("logout").description("Log out and remove all credentials").option("-y, --yes", "Skip confirmation prompt").action(async (opts) => {
+  try {
+    await logoutCommand(opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("whoami").description("Show current user info").action(async () => {
+  try {
+    await whoamiCommand();
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("link").description("Link this directory to a Beakcrypt project").action(async () => {
+  try {
+    await linkCommand();
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("pull [file]").description("Pull secrets to a local .env file").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").action(async (file, opts) => {
+  try {
+    await pullCommand(file, opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("push [file]").description("Push secrets from a local .env file").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").option("-y, --yes", "Skip confirmation prompt").action(async (file, opts) => {
+  try {
+    await pushCommand(file, opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.command("run").description("Run a command with injected secrets").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").allowUnknownOption().action(async (opts, cmd) => {
+  try {
+    await runCommand(cmd.args, opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+var secrets = program.command("secrets").description("Manage secrets");
+secrets.command("list").description("List secrets (values masked)").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").action(async (opts) => {
+  try {
+    await secretsListCommand(opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+secrets.command("set <pairs...>").description("Set secrets (KEY=VALUE)").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").action(async (pairs, opts) => {
+  try {
+    await secretsSetCommand(pairs, opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+secrets.command("remove <keys...>").description("Remove secrets by key").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").action(async (keys, opts) => {
+  try {
+    await secretsRemoveCommand(keys, opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+secrets.command("clear").description("Delete all secrets in an environment").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").option("-e, --env <name>", "Environment name").option("-y, --yes", "Skip confirmation prompt").action(async (opts) => {
+  try {
+    await secretsClearCommand(opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+var org = program.command("org").description("Manage organizations");
+org.command("list").description("List your organizations").action(async () => {
+  try {
+    await orgListCommand();
+  } catch (err) {
+    handleError(err);
+  }
+});
+var env = program.command("env").description("Manage environments");
+env.command("list").description("List environments for the linked project").option("-o, --org <slug>", "Organization slug").option("-p, --project <name>", "Project name").action(async (opts) => {
+  try {
+    await envListCommand(opts);
+  } catch (err) {
+    handleError(err);
+  }
+});
+program.parse();
+//# sourceMappingURL=index.js.map