cryptoserve 0.1.0

package/lib/credentials.mjs

@@ -0,0 +1,67 @@
+/**
+ * Credential storage for CryptoServe platform integration.
+ *
+ * Stores/reads tokens at ~/.cryptoserve/credentials.json with 0o600 permissions.
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+const CONFIG_DIR = join(homedir(), '.cryptoserve');
+const CREDENTIALS_PATH = join(CONFIG_DIR, 'credentials.json');
+
+function ensureDir() {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+export function saveToken(token, server = 'https://localhost:8003') {
+  ensureDir();
+  const data = {
+    token,
+    server,
+    savedAt: new Date().toISOString(),
+  };
+  writeFileSync(CREDENTIALS_PATH, JSON.stringify(data, null, 2), { mode: 0o600 });
+}
+
+export function loadToken() {
+  if (!existsSync(CREDENTIALS_PATH)) return null;
+  try {
+    return JSON.parse(readFileSync(CREDENTIALS_PATH, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+export function clearToken() {
+  if (existsSync(CREDENTIALS_PATH)) {
+    unlinkSync(CREDENTIALS_PATH);
+  }
+}
+
+export function maskToken(token) {
+  if (!token || token.length < 12) return '***';
+  return token.slice(0, 8) + '...' + token.slice(-4);
+}
+
+export function parseJwtExpiry(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    if (!payload.exp) return null;
+    const expiresAt = new Date(payload.exp * 1000);
+    const remaining = expiresAt - Date.now();
+    return {
+      expiresAt,
+      remainingMs: remaining,
+      expired: remaining <= 0,
+      subject: payload.sub || null,
+    };
+  } catch {
+    return null;
+  }
+}

package/lib/init.mjs

@@ -0,0 +1,241 @@
+/**
+ * Project initialization for CryptoServe.
+ *
+ * `cryptoserve init` sets up:
+ * 1. Master key generation + OS keychain storage
+ * 2. AI tool protection (block .env from AI context — secretless-ai pattern)
+ * 3. Project configuration file
+ *
+ * Idempotent — safe to run multiple times.
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import {
+  generateMasterKey,
+  storeMasterKey,
+  loadMasterKey,
+  isKeychainAvailable,
+  promptPassword,
+} from './keychain.mjs';
+
+const MARKER = '<!-- cryptoserve:managed -->';
+const CONFIG_DIR = join(homedir(), '.cryptoserve');
+
+// ---------------------------------------------------------------------------
+// AI tool detection (borrowed from secretless-ai)
+// ---------------------------------------------------------------------------
+
+const AI_TOOLS = [
+  { name: 'Claude Code',  markers: ['.claude', 'CLAUDE.md'],           hasHooks: true },
+  { name: 'Cursor',       markers: ['.cursor', '.cursorrules'],        hasHooks: false },
+  { name: 'Copilot',      markers: ['.github/copilot-instructions.md'], hasHooks: false },
+  { name: 'Windsurf',     markers: ['.windsurf', '.windsurfrules'],    hasHooks: false },
+  { name: 'Cline',        markers: ['.cline', '.clinerules'],          hasHooks: false },
+  { name: 'Aider',        markers: ['.aider', '.aiderignore'],         hasHooks: false },
+];
+
+const SECRET_FILE_PATTERNS = [
+  '.env', '.env.local', '.env.*',
+  '*.key', '*.pem', '*.p12', '*.pfx', '*.crt',
+  '.aws/credentials', '.ssh/*', '.docker/config.json',
+  '.git-credentials', '.npmrc', '.pypirc',
+  '*.tfstate', '*.tfvars',
+  'secrets/', 'credentials/',
+];
+
+function detectAiTools(projectDir) {
+  const detected = [];
+  for (const tool of AI_TOOLS) {
+    for (const marker of tool.markers) {
+      if (existsSync(join(projectDir, marker))) {
+        detected.push(tool);
+        break;
+      }
+    }
+  }
+  return detected;
+}
+
+// ---------------------------------------------------------------------------
+// AI tool protection setup
+// ---------------------------------------------------------------------------
+
+function buildSecretlessInstructions() {
+  const patterns = SECRET_FILE_PATTERNS.map(p => `- \`${p}\``).join('\n');
+  return `
+
+${MARKER}
+## CryptoServe Security
+
+**Blocked file patterns** (never read or reference):
+${patterns}
+
+**If you need a credential:**
+1. Reference via \`$VAR_NAME\` in shell commands
+2. Never hardcode credentials in source files
+3. Use \`cryptoserve vault run -- <command>\` to inject secrets at runtime
+`;
+}
+
+function protectClaudeCode(projectDir, result) {
+  // 1. Add deny rules to .claude/settings.json
+  const claudeDir = join(projectDir, '.claude');
+  if (!existsSync(claudeDir)) mkdirSync(claudeDir, { recursive: true });
+
+  const settingsPath = join(claudeDir, 'settings.json');
+  let settings = {};
+  if (existsSync(settingsPath)) {
+    try { settings = JSON.parse(readFileSync(settingsPath, 'utf-8')); }
+    catch { settings = {}; }
+  }
+
+  if (!settings.permissions) settings.permissions = {};
+  if (!Array.isArray(settings.permissions.deny)) settings.permissions.deny = [];
+
+  const denyRules = [
+    'Read(.env*)', 'Read(*.key)', 'Read(*.pem)', 'Read(*.p12)',
+    'Grep(.env*)', 'Glob(.env*)',
+    'Bash(cat .env*)', 'Bash(head .env*)', 'Bash(tail .env*)',
+  ];
+  for (const rule of denyRules) {
+    if (!settings.permissions.deny.includes(rule)) {
+      settings.permissions.deny.push(rule);
+    }
+  }
+
+  writeFileSync(settingsPath, JSON.stringify(settings, null, 2));
+  result.filesModified.push('.claude/settings.json');
+
+  // 2. Add instructions to CLAUDE.md
+  addInstructions(join(projectDir, 'CLAUDE.md'), result);
+}
+
+function protectCursor(projectDir, result) {
+  addInstructions(join(projectDir, '.cursorrules'), result);
+}
+
+function protectCopilot(projectDir, result) {
+  const dir = join(projectDir, '.github');
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  addInstructions(join(dir, 'copilot-instructions.md'), result);
+}
+
+function protectWindsurf(projectDir, result) {
+  addInstructions(join(projectDir, '.windsurfrules'), result);
+}
+
+function protectCline(projectDir, result) {
+  addInstructions(join(projectDir, '.clinerules'), result);
+}
+
+function protectAider(projectDir, result) {
+  const aiderIgnore = join(projectDir, '.aiderignore');
+  let content = existsSync(aiderIgnore) ? readFileSync(aiderIgnore, 'utf-8') : '';
+  if (content.includes(MARKER)) return;
+
+  const patterns = SECRET_FILE_PATTERNS.join('\n');
+  content += `\n# ${MARKER}\n${patterns}\n`;
+  writeFileSync(aiderIgnore, content);
+  result.filesModified.push('.aiderignore');
+}
+
+function addInstructions(filePath, result) {
+  let content = existsSync(filePath) ? readFileSync(filePath, 'utf-8') : '';
+  if (content.includes(MARKER)) return;
+
+  content += buildSecretlessInstructions();
+  writeFileSync(filePath, content);
+
+  const existed = existsSync(filePath);
+  if (existed) {
+    result.filesModified.push(filePath);
+  } else {
+    result.filesCreated.push(filePath);
+  }
+}
+
+const PROTECTORS = {
+  'Claude Code': protectClaudeCode,
+  'Cursor': protectCursor,
+  'Copilot': protectCopilot,
+  'Windsurf': protectWindsurf,
+  'Cline': protectCline,
+  'Aider': protectAider,
+};
+
+// ---------------------------------------------------------------------------
+// Main init function
+// ---------------------------------------------------------------------------
+
+export async function initProject(projectDir, options = {}) {
+  const result = {
+    toolsDetected: [],
+    toolsConfigured: [],
+    filesCreated: [],
+    filesModified: [],
+    keyStorage: null,
+    secretsWarning: 0,
+  };
+
+  // 1. Ensure config directory
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+
+  // 2. Generate or load master key
+  let existingKey = null;
+  try { existingKey = await loadMasterKey(); } catch { /* not found */ }
+
+  if (!existingKey) {
+    const keyBase64 = await generateMasterKey();
+    const keychainOk = await isKeychainAvailable();
+
+    if (keychainOk && !options.insecureStorage) {
+      result.keyStorage = await storeMasterKey(keyBase64, { useKeychain: true });
+    } else if (options.insecureStorage) {
+      // Plaintext fallback (requires explicit opt-in)
+      writeFileSync(
+        join(CONFIG_DIR, 'master.key'),
+        keyBase64,
+        { mode: 0o600 }
+      );
+      result.keyStorage = { storage: 'plaintext-file', path: join(CONFIG_DIR, 'master.key') };
+    } else {
+      // Encrypted file with password
+      const pw = await promptPassword('Set vault password (for encrypted key storage): ');
+      result.keyStorage = await storeMasterKey(keyBase64, {
+        useKeychain: false,
+        fallbackPassword: pw,
+      });
+    }
+  } else {
+    result.keyStorage = { storage: 'existing' };
+  }
+
+  // 3. Detect and protect AI tools
+  const detected = detectAiTools(projectDir);
+  result.toolsDetected = detected.map(t => t.name);
+
+  for (const tool of detected) {
+    const protector = PROTECTORS[tool.name];
+    if (protector) {
+      protector(projectDir, result);
+      result.toolsConfigured.push(tool.name);
+    }
+  }
+
+  // 4. Create project config
+  const configPath = join(projectDir, '.cryptoserve.json');
+  if (!existsSync(configPath)) {
+    writeFileSync(configPath, JSON.stringify({
+      version: 1,
+      project: projectDir.split('/').pop(),
+      createdAt: new Date().toISOString(),
+    }, null, 2));
+    result.filesCreated.push('.cryptoserve.json');
+  }
+
+  return result;
+}

package/lib/keychain.mjs

@@ -0,0 +1,303 @@
+/**
+ * OS keychain integration for secure local key storage.
+ *
+ * Uses native OS keychain via child_process (zero dependencies):
+ * - macOS: /usr/bin/security (Keychain.app)
+ * - Linux: secret-tool (freedesktop.org Secret Service / GNOME Keyring)
+ * - Windows: cmdkey.exe + PowerShell (Credential Manager)
+ *
+ * Fallback: encrypted JSON file at ~/.cryptoserve/keystore.enc
+ */
+
+import { execFile, spawn } from 'node:child_process';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir, platform } from 'node:os';
+import { randomBytes, scryptSync, createCipheriv, createDecipheriv, hkdfSync } from 'node:crypto';
+import { createInterface } from 'node:readline';
+
+const SERVICE_NAME = 'cryptoserve';
+const ACCOUNT_NAME = 'master-key';
+const CONFIG_DIR = join(homedir(), '.cryptoserve');
+const KEYSTORE_PATH = join(CONFIG_DIR, 'keystore.enc');
+
+// ---------------------------------------------------------------------------
+// Platform-specific keychain backends
+// ---------------------------------------------------------------------------
+
+function execPromise(cmd, args) {
+  return new Promise((resolve, reject) => {
+    execFile(cmd, args, { timeout: 10000 }, (err, stdout, stderr) => {
+      if (err) return reject(Object.assign(err, { stderr }));
+      resolve({ stdout, stderr });
+    });
+  });
+}
+
+function spawnWrite(cmd, args, stdin) {
+  return new Promise((resolve, reject) => {
+    const proc = spawn(cmd, args, { timeout: 10000 });
+    let stderr = '';
+    proc.stderr.on('data', d => { stderr += d; });
+    proc.stdin.write(stdin);
+    proc.stdin.end();
+    proc.on('close', code => {
+      if (code !== 0) return reject(new Error(`${cmd} exited ${code}: ${stderr}`));
+      resolve();
+    });
+    proc.on('error', reject);
+  });
+}
+
+const backends = {
+  darwin: {
+    async set(value) {
+      // Delete existing (ignore error if not found)
+      try {
+        await execPromise('/usr/bin/security', [
+          'delete-generic-password', '-a', ACCOUNT_NAME, '-s', SERVICE_NAME,
+        ]);
+      } catch { /* not found — OK */ }
+      await execPromise('/usr/bin/security', [
+        'add-generic-password', '-a', ACCOUNT_NAME, '-s', SERVICE_NAME,
+        '-w', value, '-U',
+      ]);
+    },
+    async get() {
+      const { stderr } = await execPromise('/usr/bin/security', [
+        'find-generic-password', '-a', ACCOUNT_NAME, '-s', SERVICE_NAME, '-g',
+      ]);
+      const match = stderr.match(/password:\s*"(.+)"/);
+      if (match) return match[1];
+      const hexMatch = stderr.match(/password:\s*0x([0-9A-Fa-f]+)/);
+      if (hexMatch) return Buffer.from(hexMatch[1], 'hex').toString();
+      throw new Error('Could not parse keychain response');
+    },
+    async delete() {
+      await execPromise('/usr/bin/security', [
+        'delete-generic-password', '-a', ACCOUNT_NAME, '-s', SERVICE_NAME,
+      ]);
+    },
+  },
+
+  linux: {
+    async set(value) {
+      await spawnWrite('secret-tool', [
+        'store', '--label', 'CryptoServe Master Key',
+        'service', SERVICE_NAME, 'account', ACCOUNT_NAME,
+      ], value);
+    },
+    async get() {
+      const { stdout } = await execPromise('secret-tool', [
+        'lookup', 'service', SERVICE_NAME, 'account', ACCOUNT_NAME,
+      ]);
+      return stdout.trim();
+    },
+    async delete() {
+      await execPromise('secret-tool', [
+        'clear', 'service', SERVICE_NAME, 'account', ACCOUNT_NAME,
+      ]);
+    },
+  },
+
+  win32: {
+    async set(value) {
+      await execPromise('cmdkey.exe', [
+        `/generic:${SERVICE_NAME}`, `/user:${ACCOUNT_NAME}`, `/pass:${value}`,
+      ]);
+    },
+    async get() {
+      const { stdout } = await execPromise('powershell', [
+        '-Command',
+        `(New-Object System.Net.NetworkCredential("","$(cmdkey /list:${SERVICE_NAME} | Out-Null; [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR((Get-StoredCredential -Target '${SERVICE_NAME}').Password)))")).Password`,
+      ]);
+      return stdout.trim();
+    },
+    async delete() {
+      await execPromise('cmdkey.exe', [`/delete:${SERVICE_NAME}`]);
+    },
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Encrypted file fallback
+// ---------------------------------------------------------------------------
+
+const FALLBACK_SALT_SIZE = 32;
+const FALLBACK_IV_SIZE = 12;
+const FALLBACK_TAG_SIZE = 16;
+
+function ensureConfigDir() {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+  }
+}
+
+function encryptForStorage(data, password) {
+  const salt = randomBytes(FALLBACK_SALT_SIZE);
+  const key = scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
+  const iv = randomBytes(FALLBACK_IV_SIZE);
+  const cipher = createCipheriv('aes-256-gcm', key, iv);
+  const encrypted = Buffer.concat([cipher.update(data, 'utf-8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([salt, iv, tag, encrypted]);
+}
+
+function decryptFromStorage(packed, password) {
+  const salt = packed.subarray(0, FALLBACK_SALT_SIZE);
+  const iv = packed.subarray(FALLBACK_SALT_SIZE, FALLBACK_SALT_SIZE + FALLBACK_IV_SIZE);
+  const tag = packed.subarray(FALLBACK_SALT_SIZE + FALLBACK_IV_SIZE, FALLBACK_SALT_SIZE + FALLBACK_IV_SIZE + FALLBACK_TAG_SIZE);
+  const encrypted = packed.subarray(FALLBACK_SALT_SIZE + FALLBACK_IV_SIZE + FALLBACK_TAG_SIZE);
+  const key = scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
+  const decipher = createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString('utf-8');
+}
+
+// ---------------------------------------------------------------------------
+// Password prompting
+// ---------------------------------------------------------------------------
+
+export function promptPassword(prompt = 'Password: ') {
+  return new Promise((resolve) => {
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    // Hide input
+    process.stderr.write(prompt);
+    const originalWrite = process.stdout.write;
+    process.stdout.write = () => true;
+
+    let password = '';
+    process.stdin.setRawMode?.(true);
+    process.stdin.resume();
+    process.stdin.on('data', function handler(ch) {
+      const c = ch.toString();
+      if (c === '\n' || c === '\r') {
+        process.stdin.setRawMode?.(false);
+        process.stdin.removeListener('data', handler);
+        process.stdout.write = originalWrite;
+        process.stderr.write('\n');
+        rl.close();
+        resolve(password);
+      } else if (c === '\x7f' || c === '\b') {
+        password = password.slice(0, -1);
+      } else if (c === '\x03') {
+        // Ctrl+C
+        process.stdout.write = originalWrite;
+        rl.close();
+        process.exit(1);
+      } else {
+        password += c;
+      }
+    });
+  });
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+export async function isKeychainAvailable() {
+  const os = platform();
+  const backend = backends[os];
+  if (!backend) return false;
+
+  try {
+    if (os === 'darwin') {
+      await execPromise('/usr/bin/security', ['list-keychains']);
+      return true;
+    }
+    if (os === 'linux') {
+      await execPromise('which', ['secret-tool']);
+      return true;
+    }
+    if (os === 'win32') {
+      await execPromise('where', ['cmdkey.exe']);
+      return true;
+    }
+  } catch {
+    return false;
+  }
+  return false;
+}
+
+export async function generateMasterKey() {
+  return randomBytes(32).toString('base64');
+}
+
+export async function storeMasterKey(keyBase64, { useKeychain = true, fallbackPassword = null } = {}) {
+  ensureConfigDir();
+
+  if (useKeychain) {
+    const backend = backends[platform()];
+    if (backend) {
+      try {
+        await backend.set(keyBase64);
+        return { storage: 'keychain', platform: platform() };
+      } catch {
+        // Keychain failed, fall through to file fallback
+      }
+    }
+  }
+
+  // Encrypted file fallback
+  if (!fallbackPassword) {
+    throw new Error(
+      'No keychain available. Use --insecure-storage or provide a password for encrypted file storage.'
+    );
+  }
+
+  const encrypted = encryptForStorage(keyBase64, fallbackPassword);
+  writeFileSync(KEYSTORE_PATH, encrypted, { mode: 0o600 });
+  return { storage: 'encrypted-file', path: KEYSTORE_PATH };
+}
+
+export async function loadMasterKey({ fallbackPassword = null } = {}) {
+  // Try OS keychain first
+  const backend = backends[platform()];
+  if (backend) {
+    try {
+      return await backend.get();
+    } catch {
+      // Not in keychain, try file fallback
+    }
+  }
+
+  // Try encrypted file
+  if (existsSync(KEYSTORE_PATH)) {
+    if (!fallbackPassword) {
+      throw new Error(
+        'Master key is stored in encrypted file. Provide password or use OS keychain.'
+      );
+    }
+    return decryptFromStorage(readFileSync(KEYSTORE_PATH), fallbackPassword);
+  }
+
+  return null;
+}
+
+export async function deleteMasterKey() {
+  const backend = backends[platform()];
+  if (backend) {
+    try { await backend.delete(); } catch { /* OK */ }
+  }
+  // Also remove file fallback if exists
+  if (existsSync(KEYSTORE_PATH)) {
+    const { unlinkSync } = await import('node:fs');
+    unlinkSync(KEYSTORE_PATH);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Key derivation (HKDF) for per-context/per-project keys
+// ---------------------------------------------------------------------------
+
+export function deriveKey(masterKeyBase64, context, keySize = 32) {
+  const masterKey = Buffer.from(masterKeyBase64, 'base64');
+  return Buffer.from(
+    hkdfSync('sha256', masterKey, 'cryptoserve-v1', context, keySize)
+  );
+}
+
+export function deriveProjectKey(masterKeyBase64, projectName, environment = 'development') {
+  return deriveKey(masterKeyBase64, `project:${projectName}:${environment}`);
+}