npm - bgit-cli - Versions diffs - 2.0.0 - Mend

bgit-cli 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/.claude/settings.local.json +19 -0
package/.env.local +2 -0
package/CLAUDE_PLAN.md +621 -0
package/IMPLEMENTATION_REPORT.md +1690 -0
package/README.md +277 -0
package/UNIVERSAL_PLAN.md +31 -0
package/handcash.js +36 -0
package/index.js +158 -0
package/index.js.backup +69 -0
package/lib/auth.js +273 -0
package/lib/banner.js +17 -0
package/lib/command-router.js +191 -0
package/lib/commands.js +157 -0
package/lib/config.js +438 -0
package/lib/constants.js +57 -0
package/lib/crypto.js +164 -0
package/lib/oauth-server.js +300 -0
package/lib/payment.js +287 -0
package/lib/token-manager.js +179 -0
package/package.json +45 -0

package/lib/config.js ADDED Viewed

@@ -0,0 +1,438 @@
+/**
+ * bgit Configuration Management
+ *
+ * Manages encrypted token storage in ~/.bgit/config.json
+ * Uses machine-specific encryption key derived from hostname + username
+ *
+ * Security features:
+ * - Machine-specific encryption (token only works on same machine)
+ * - File permissions: 700 for directory, 600 for files
+ * - Random salt per machine
+ * - Automatic config validation and repair
+ */
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+const { generateSalt, deriveKey, encrypt, decrypt } = require('./crypto');
+const {
+  CONFIG_DIR_NAME,
+  CONFIG_FILE_NAME,
+  SALT_FILE_NAME,
+  DIR_PERMISSIONS,
+  FILE_PERMISSIONS
+} = require('./constants');
+/**
+ * Get the config directory path (~/.bgit)
+ * @returns {string} Absolute path to config directory
+ */
+function getConfigDir() {
+  return path.join(os.homedir(), CONFIG_DIR_NAME);
+}
+/**
+ * Get the config file path (~/.bgit/config.json)
+ * @returns {string} Absolute path to config file
+ */
+function getConfigPath() {
+  return path.join(getConfigDir(), CONFIG_FILE_NAME);
+}
+/**
+ * Get the salt file path (~/.bgit/.salt)
+ * @returns {string} Absolute path to salt file
+ */
+function getSaltPath() {
+  return path.join(getConfigDir(), SALT_FILE_NAME);
+}
+/**
+ * Ensure config directory exists with correct permissions
+ * Creates directory if it doesn't exist
+ * @throws {Error} If directory creation fails
+ */
+function ensureConfigDir() {
+  const configDir = getConfigDir();
+  try {
+    if (!fs.existsSync(configDir)) {
+      fs.mkdirSync(configDir, { mode: DIR_PERMISSIONS, recursive: true });
+      console.log(`Created config directory: ${configDir}`);
+    }
+    // Verify and fix permissions if needed
+    const stats = fs.statSync(configDir);
+    const currentMode = stats.mode & 0o777;
+    if (currentMode !== DIR_PERMISSIONS) {
+      fs.chmodSync(configDir, DIR_PERMISSIONS);
+      console.warn(`Fixed config directory permissions: ${configDir}`);
+    }
+  } catch (error) {
+    throw new Error(`Failed to create config directory: ${error.message}`);
+  }
+}
+/**
+ * Generate machine-specific identifier
+ * Combines hostname and username for uniqueness
+ * @returns {string} SHA-256 hash of machine identifiers
+ */
+function getMachineId() {
+  try {
+    const hostname = os.hostname();
+    const username = os.userInfo().username;
+    return crypto.createHash('sha256')
+      .update(hostname)
+      .update(username)
+      .digest('hex');
+  } catch (error) {
+    throw new Error(`Failed to generate machine ID: ${error.message}`);
+  }
+}
+/**
+ * Get or create encryption key for this machine
+ * Key is derived from machine ID + salt using PBKDF2
+ * @returns {Buffer} 32-byte encryption key
+ * @throws {Error} If key generation fails
+ */
+function getMachineKey() {
+  ensureConfigDir();
+  const saltPath = getSaltPath();
+  let salt;
+  try {
+    if (fs.existsSync(saltPath)) {
+      // Load existing salt
+      salt = fs.readFileSync(saltPath);
+      if (salt.length !== 32) {
+        throw new Error('Invalid salt file (corrupted)');
+      }
+    } else {
+      // Generate new salt
+      salt = generateSalt();
+      fs.writeFileSync(saltPath, salt, { mode: FILE_PERMISSIONS });
+      console.log(`Generated encryption salt: ${saltPath}`);
+    }
+    // Verify salt file permissions
+    const stats = fs.statSync(saltPath);
+    const currentMode = stats.mode & 0o777;
+    if (currentMode !== FILE_PERMISSIONS) {
+      fs.chmodSync(saltPath, FILE_PERMISSIONS);
+      console.warn(`Fixed salt file permissions: ${saltPath}`);
+    }
+    // Derive key from machine ID + salt
+    const machineId = getMachineId();
+    return deriveKey(machineId, salt);
+  } catch (error) {
+    throw new Error(`Failed to get machine key: ${error.message}`);
+  }
+}
+/**
+ * Save auth token to encrypted config file
+ * @param {string} authToken - HandCash auth token to save
+ * @throws {Error} If save fails
+ */
+function saveToken(authToken) {
+  if (!authToken || typeof authToken !== 'string') {
+    throw new Error('Auth token must be a non-empty string');
+  }
+  ensureConfigDir();
+  try {
+    const key = getMachineKey();
+    const encrypted = encrypt(authToken, key);
+    const config = {
+      version: '2.0',
+      encrypted: encrypted,
+      createdAt: new Date().toISOString(),
+      machineId: getMachineId() // Store for validation
+    };
+    const configPath = getConfigPath();
+    fs.writeFileSync(
+      configPath,
+      JSON.stringify(config, null, 2),
+      { mode: FILE_PERMISSIONS }
+    );
+    console.log(`✓ Token saved securely to: ${configPath}`);
+  } catch (error) {
+    throw new Error(`Failed to save token: ${error.message}`);
+  }
+}
+/**
+ * Load and decrypt auth token from config file
+ * @returns {string|null} Decrypted auth token, or null if no config exists
+ * @throws {Error} If config is corrupted or decryption fails
+ */
+function loadToken() {
+  const configPath = getConfigPath();
+  if (!fs.existsSync(configPath)) {
+    return null; // No token saved yet
+  }
+  try {
+    // Read config file
+    const configData = fs.readFileSync(configPath, 'utf8');
+    const config = JSON.parse(configData);
+    // Validate config structure
+    if (!config.encrypted || !config.machineId) {
+      throw new Error('Config file is corrupted (missing required fields)');
+    }
+    // Verify machine ID matches
+    const currentMachineId = getMachineId();
+    if (config.machineId !== currentMachineId) {
+      console.warn('Warning: Config was created on a different machine');
+      console.warn('This may cause decryption to fail');
+    }
+    // Decrypt token
+    const key = getMachineKey();
+    const authToken = decrypt(config.encrypted, key);
+    return authToken;
+  } catch (error) {
+    if (error.message.includes('tampered')) {
+      throw new Error('Config file has been tampered with. Please re-authenticate.');
+    }
+    if (error.message.includes('JSON')) {
+      throw new Error('Config file is corrupted. Please re-authenticate.');
+    }
+    throw new Error(`Failed to load token: ${error.message}`);
+  }
+}
+/**
+ * Delete config file (logout)
+ * @returns {boolean} true if config was deleted, false if it didn't exist
+ */
+function deleteToken() {
+  const configPath = getConfigPath();
+  if (fs.existsSync(configPath)) {
+    try {
+      fs.unlinkSync(configPath);
+      console.log(`✓ Token deleted: ${configPath}`);
+      return true;
+    } catch (error) {
+      throw new Error(`Failed to delete token: ${error.message}`);
+    }
+  }
+  return false;
+}
+/**
+ * Check if auth token exists
+ * @returns {boolean} true if config file exists
+ */
+function hasToken() {
+  return fs.existsSync(getConfigPath());
+}
+/**
+ * Validate config file integrity
+ * Checks file permissions and structure
+ * @returns {Object} Validation result with issues array
+ */
+function validateConfig() {
+  const configPath = getConfigPath();
+  const issues = [];
+  if (!fs.existsSync(configPath)) {
+    return { valid: true, issues: [] }; // No config is valid
+  }
+  try {
+    // Check file permissions
+    const stats = fs.statSync(configPath);
+    const currentMode = stats.mode & 0o777;
+    if (currentMode !== FILE_PERMISSIONS) {
+      issues.push(`Insecure file permissions: ${currentMode.toString(8)} (should be 600)`);
+    }
+    // Check file structure
+    const configData = fs.readFileSync(configPath, 'utf8');
+    const config = JSON.parse(configData);
+    if (!config.version) {
+      issues.push('Missing version field');
+    }
+    if (!config.encrypted || !config.encrypted.ciphertext || !config.encrypted.iv || !config.encrypted.authTag) {
+      issues.push('Missing or incomplete encrypted data');
+    }
+    if (!config.machineId) {
+      issues.push('Missing machine ID');
+    }
+    return {
+      valid: issues.length === 0,
+      issues
+    };
+  } catch (error) {
+    return {
+      valid: false,
+      issues: [`Config validation failed: ${error.message}`]
+    };
+  }
+}
+/**
+ * Repair config file issues
+ * Fixes file permissions and recreates config if corrupted
+ * @returns {boolean} true if repairs were made
+ */
+function repairConfig() {
+  const configPath = getConfigPath();
+  let repaired = false;
+  if (!fs.existsSync(configPath)) {
+    return false; // Nothing to repair
+  }
+  try {
+    // Fix file permissions
+    const stats = fs.statSync(configPath);
+    const currentMode = stats.mode & 0o777;
+    if (currentMode !== FILE_PERMISSIONS) {
+      fs.chmodSync(configPath, FILE_PERMISSIONS);
+      console.log(`✓ Fixed config file permissions`);
+      repaired = true;
+    }
+    // Validate structure
+    const validation = validateConfig();
+    if (!validation.valid && validation.issues.some(issue => issue.includes('corrupted') || issue.includes('Missing'))) {
+      console.warn('Config file is corrupted and cannot be repaired.');
+      console.warn('Please run: bgit auth login');
+      return false;
+    }
+    return repaired;
+  } catch (error) {
+    console.error(`Config repair failed: ${error.message}`);
+    return false;
+  }
+}
+/**
+ * Payment mode configuration
+ * Determines which git commands require payment
+ */
+const PAYMENT_MODES = {
+  minimal: ['commit', 'push'],                    // Default: only publishing operations
+  universal: require('./commands')                 // All 155 git commands
+};
+/**
+ * Get current payment mode
+ * @returns {string} Payment mode ('minimal' or 'universal')
+ */
+function getPaymentMode() {
+  const configPath = getConfigPath();
+  if (!fs.existsSync(configPath)) {
+    return 'minimal'; // Default mode
+  }
+  try {
+    const configData = fs.readFileSync(configPath, 'utf8');
+    const config = JSON.parse(configData);
+    return config.paymentMode || 'minimal';
+  } catch (error) {
+    return 'minimal';
+  }
+}
+/**
+ * Set payment mode
+ * @param {string} mode - 'minimal' or 'universal'
+ * @throws {Error} If invalid mode
+ */
+function setPaymentMode(mode) {
+  if (!PAYMENT_MODES[mode]) {
+    throw new Error(`Invalid payment mode: ${mode}. Use 'minimal' or 'universal'`);
+  }
+  ensureConfigDir();
+  const configPath = getConfigPath();
+  let config = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      const configData = fs.readFileSync(configPath, 'utf8');
+      config = JSON.parse(configData);
+    } catch (error) {
+      // If config is corrupted, start fresh
+      config = {};
+    }
+  }
+  config.paymentMode = mode;
+  fs.writeFileSync(
+    configPath,
+    JSON.stringify(config, null, 2),
+    { mode: FILE_PERMISSIONS }
+  );
+  console.log(`✓ Payment mode set to: ${mode}`);
+  // Show helpful info
+  if (mode === 'universal') {
+    console.log('\n⚠️  Universal mode enabled - ALL git commands now require payment (0.001 BSV each)');
+    console.log('This includes: status, log, diff, and all other commands.');
+  } else {
+    console.log('\n✓ Minimal mode - Only commit and push require payment');
+    console.log('All read operations (status, log, diff, etc.) are FREE');
+  }
+}
+/**
+ * Get list of payment-gated commands for current mode
+ * @returns {string[]} Array of command names
+ */
+function getPaymentGatedCommands() {
+  const mode = getPaymentMode();
+  return PAYMENT_MODES[mode];
+}
+module.exports = {
+  getConfigDir,
+  getConfigPath,
+  getSaltPath,
+  ensureConfigDir,
+  getMachineId,
+  getMachineKey,
+  saveToken,
+  loadToken,
+  deleteToken,
+  hasToken,
+  validateConfig,
+  repairConfig,
+  // Payment mode functions
+  getPaymentMode,
+  setPaymentMode,
+  getPaymentGatedCommands,
+  PAYMENT_MODES
+};

package/lib/constants.js ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * bgit Constants - Hardcoded application credentials and configuration
+ *
+ * IMPORTANT: Before deploying to production, you must:
+ * 1. Register your app at https://dashboard.handcash.io/
+ * 2. Obtain production APP_ID and APP_SECRET
+ * 3. Replace the placeholder values below
+ * 4. Configure OAuth redirect URLs in HandCash dashboard:
+ *    Success: http://localhost:3333/callback
+ *    Decline: http://localhost:3333/error
+ */
+module.exports = {
+  // HandCash Application Credentials
+  HANDCASH_APP_ID: process.env.HANDCASH_APP_ID || '6959a82a9b2206d9465b3fe4',
+  HANDCASH_APP_SECRET: process.env.HANDCASH_APP_SECRET || '964f849219ff0feb2c03a2322fc1441d9c0ec1b0d6c3a98e60b393a94a2cac2c',
+  // Treasury wallet handle (where developer premiums are sent)
+  TREASURY_HANDLE: '$b0ase',
+  // OAuth server configuration
+  OAUTH_PORT_START: 3333,
+  OAUTH_PORT_END: 3333, // Fixed port to avoid conflicts with typical dev servers
+  OAUTH_TIMEOUT_MS: 300000, // 5 minutes
+  OAUTH_HOST: 'localhost',
+  // Payment amounts in BSV
+  PAYMENT_AMOUNTS: {
+    commit: 0.001,  // 0.001 BSV per commit timestamp
+    push: 0.001     // 0.001 BSV per push
+  },
+  // Config file paths (relative to user home directory)
+  CONFIG_DIR_NAME: '.bgit',
+  CONFIG_FILE_NAME: 'config.json',
+  SALT_FILE_NAME: '.salt',
+  // Encryption settings
+  CRYPTO_ALGORITHM: 'aes-256-gcm',
+  CRYPTO_KEY_LENGTH: 32,        // 256 bits
+  CRYPTO_IV_LENGTH: 12,          // 96 bits for GCM
+  CRYPTO_SALT_LENGTH: 32,        // 256 bits
+  CRYPTO_TAG_LENGTH: 16,         // 128 bits
+  CRYPTO_PBKDF2_ITERATIONS: 100000,  // 100k iterations for key derivation
+  // Token validation cache TTL (1 hour)
+  TOKEN_VALIDATION_CACHE_TTL_MS: 3600000,
+  // Payment retry configuration
+  PAYMENT_RETRY_MAX_ATTEMPTS: 3,
+  PAYMENT_RETRY_BASE_DELAY_MS: 1000,
+  PAYMENT_RETRY_MAX_DELAY_MS: 10000,
+  // File permissions (Unix)
+  DIR_PERMISSIONS: 0o700,   // rwx------
+  FILE_PERMISSIONS: 0o600,  // rw-------
+};

package/lib/crypto.js ADDED Viewed

@@ -0,0 +1,164 @@
+/**
+ * bgit Cryptography Module
+ *
+ * Provides AES-256-GCM authenticated encryption for secure token storage.
+ * Uses PBKDF2 for key derivation with 100,000 iterations.
+ *
+ * Security features:
+ * - AES-256-GCM (authenticated encryption prevents tampering)
+ * - Random IV per encryption (prevents pattern analysis)
+ * - PBKDF2 key derivation (prevents brute force attacks)
+ * - Authentication tag (detects any modifications)
+ */
+const crypto = require('crypto');
+const {
+  CRYPTO_ALGORITHM,
+  CRYPTO_KEY_LENGTH,
+  CRYPTO_IV_LENGTH,
+  CRYPTO_SALT_LENGTH,
+  CRYPTO_TAG_LENGTH,
+  CRYPTO_PBKDF2_ITERATIONS
+} = require('./constants');
+/**
+ * Generate a cryptographically random salt
+ * @returns {Buffer} 32-byte random salt
+ */
+function generateSalt() {
+  return crypto.randomBytes(CRYPTO_SALT_LENGTH);
+}
+/**
+ * Derive encryption key from password and salt using PBKDF2
+ * @param {string|Buffer} password - Password or machine ID
+ * @param {Buffer} salt - Salt for key derivation
+ * @returns {Buffer} 32-byte encryption key
+ */
+function deriveKey(password, salt) {
+  try {
+    const passwordBuffer = Buffer.isBuffer(password)
+      ? password
+      : Buffer.from(password, 'utf8');
+    return crypto.pbkdf2Sync(
+      passwordBuffer,
+      salt,
+      CRYPTO_PBKDF2_ITERATIONS,
+      CRYPTO_KEY_LENGTH,
+      'sha256'
+    );
+  } catch (error) {
+    throw new Error(`Key derivation failed: ${error.message}`);
+  }
+}
+/**
+ * Encrypt plaintext using AES-256-GCM
+ * @param {string} plaintext - Text to encrypt
+ * @param {Buffer} key - 32-byte encryption key
+ * @returns {Object} Object containing ciphertext, iv, and authTag (all hex strings)
+ * @throws {Error} If encryption fails
+ */
+function encrypt(plaintext, key) {
+  if (!plaintext || typeof plaintext !== 'string') {
+    throw new Error('Plaintext must be a non-empty string');
+  }
+  if (!Buffer.isBuffer(key) || key.length !== CRYPTO_KEY_LENGTH) {
+    throw new Error(`Key must be a ${CRYPTO_KEY_LENGTH}-byte Buffer`);
+  }
+  try {
+    // Generate random IV (Initialization Vector)
+    const iv = crypto.randomBytes(CRYPTO_IV_LENGTH);
+    // Create cipher
+    const cipher = crypto.createCipheriv(CRYPTO_ALGORITHM, key, iv);
+    // Encrypt
+    let ciphertext = cipher.update(plaintext, 'utf8', 'hex');
+    ciphertext += cipher.final('hex');
+    // Get authentication tag (prevents tampering)
+    const authTag = cipher.getAuthTag();
+    return {
+      ciphertext,
+      iv: iv.toString('hex'),
+      authTag: authTag.toString('hex')
+    };
+  } catch (error) {
+    throw new Error(`Encryption failed: ${error.message}`);
+  }
+}
+/**
+ * Decrypt ciphertext using AES-256-GCM
+ * @param {Object} encrypted - Object with ciphertext, iv, and authTag (hex strings)
+ * @param {Buffer} key - 32-byte encryption key
+ * @returns {string} Decrypted plaintext
+ * @throws {Error} If decryption fails or authentication tag is invalid
+ */
+function decrypt(encrypted, key) {
+  if (!encrypted || typeof encrypted !== 'object') {
+    throw new Error('Encrypted data must be an object');
+  }
+  if (!encrypted.ciphertext || !encrypted.iv || !encrypted.authTag) {
+    throw new Error('Encrypted data must contain ciphertext, iv, and authTag');
+  }
+  if (!Buffer.isBuffer(key) || key.length !== CRYPTO_KEY_LENGTH) {
+    throw new Error(`Key must be a ${CRYPTO_KEY_LENGTH}-byte Buffer`);
+  }
+  try {
+    // Create decipher
+    const decipher = crypto.createDecipheriv(
+      CRYPTO_ALGORITHM,
+      key,
+      Buffer.from(encrypted.iv, 'hex')
+    );
+    // Set authentication tag (will throw if data was tampered with)
+    decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));
+    // Decrypt
+    let plaintext = decipher.update(encrypted.ciphertext, 'hex', 'utf8');
+    plaintext += decipher.final('utf8');
+    return plaintext;
+  } catch (error) {
+    // This error indicates either tampering or wrong key
+    if (error.message.includes('Unsupported state or unable to authenticate data')) {
+      throw new Error('Decryption failed: Data has been tampered with or wrong encryption key');
+    }
+    throw new Error(`Decryption failed: ${error.message}`);
+  }
+}
+/**
+ * Test encrypt/decrypt roundtrip
+ * Used for internal testing and validation
+ * @param {string} plaintext - Test plaintext
+ * @param {Buffer} key - Encryption key
+ * @returns {boolean} true if roundtrip succeeds
+ */
+function testRoundtrip(plaintext, key) {
+  try {
+    const encrypted = encrypt(plaintext, key);
+    const decrypted = decrypt(encrypted, key);
+    return decrypted === plaintext;
+  } catch (error) {
+    return false;
+  }
+}
+module.exports = {
+  generateSalt,
+  deriveKey,
+  encrypt,
+  decrypt,
+  testRoundtrip
+};