ctx-sync 1.0.0

package/dist/commands/audit.d.ts

@@ -0,0 +1,76 @@
+/**
+ * `ctx-sync audit` command.
+ *
+ * Runs a comprehensive security audit:
+ *   - Key file permissions (0o600).
+ *   - Config directory permissions (0o700).
+ *   - Remote transport security (SSH/HTTPS only).
+ *   - All state files are .age (no plaintext .json state).
+ *   - Git history scan for plaintext secret patterns.
+ *   - Repo size report.
+ *
+ * Reports issues with severity levels: critical, warning, info.
+ *
+ * @module commands/audit
+ */
+import type { Command } from 'commander';
+/** Severity level for audit findings */
+export type AuditSeverity = 'critical' | 'warning' | 'info';
+/** A single audit finding */
+export interface AuditFinding {
+    severity: AuditSeverity;
+    check: string;
+    message: string;
+}
+/** Result of the full audit */
+export interface AuditResult {
+    findings: AuditFinding[];
+    passed: boolean;
+    repoSizeBytes: number | null;
+    repoSizeHuman: string | null;
+    stateFileCount: number;
+    hasRemote: boolean;
+}
+/**
+ * Check key file and config directory permissions.
+ */
+export declare function checkPermissions(configDir: string): AuditFinding[];
+/**
+ * Validate remote transport security.
+ */
+export declare function checkRemoteTransport(syncDir: string): {
+    findings: AuditFinding[];
+    hasRemote: boolean;
+};
+/**
+ * Verify all state files are .age (not .json).
+ */
+export declare function checkStateFiles(syncDir: string): {
+    findings: AuditFinding[];
+    stateFileCount: number;
+};
+/**
+ * Scan Git history for plaintext secret patterns.
+ */
+export declare function checkGitHistory(syncDir: string): AuditFinding[];
+/**
+ * Report repository size.
+ */
+export declare function checkRepoSize(syncDir: string): {
+    findings: AuditFinding[];
+    sizeBytes: number | null;
+    sizeHuman: string | null;
+};
+/**
+ * Format bytes into human-readable string.
+ */
+export declare function formatBytes(bytes: number): string;
+/**
+ * Execute the full audit.
+ */
+export declare function executeAudit(): AuditResult;
+/**
+ * Register the `ctx-sync audit` command on the given program.
+ */
+export declare function registerAuditCommand(program: Command): void;
+//# sourceMappingURL=audit.d.ts.map

package/dist/commands/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/commands/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASzC,wCAAwC;AACxC,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,SAAS,GAAG,MAAM,CAAC;AAE5D,6BAA6B;AAC7B,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,aAAa,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,+BAA+B;AAC/B,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,OAAO,CAAC;CACpB;AAiBD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,YAAY,EAAE,CAqBlE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG;IACrD,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;CACpB,CAmEA;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG;IAChD,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,cAAc,EAAE,MAAM,CAAC;CACxB,CAuEA;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,EAAE,CA6C/D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG;IAC9C,QAAQ,EAAE,YAAY,EAAE,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B,CAsBA;AAqBD;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CASjD;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,WAAW,CAkC1C;AAID;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA0D3D"}

package/dist/commands/audit.js

@@ -0,0 +1,367 @@
+/**
+ * `ctx-sync audit` command.
+ *
+ * Runs a comprehensive security audit:
+ *   - Key file permissions (0o600).
+ *   - Config directory permissions (0o700).
+ *   - Remote transport security (SSH/HTTPS only).
+ *   - All state files are .age (no plaintext .json state).
+ *   - Git history scan for plaintext secret patterns.
+ *   - Repo size report.
+ *
+ * Reports issues with severity levels: critical, warning, info.
+ *
+ * @module commands/audit
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execSync } from 'node:child_process';
+import { withErrorHandler } from '../utils/errors.js';
+import { STATE_FILES } from '@ctx-sync/shared';
+import { verifyPermissions } from '../core/key-store.js';
+import { validateRemoteUrl } from '../core/transport.js';
+import { getConfigDir, getSyncDir } from './init.js';
+// ─── Audit Checks ─────────────────────────────────────────────────────────
+/** Secret patterns to scan for in Git history */
+const SECRET_PATTERNS = [
+    { pattern: /sk_live_[a-zA-Z0-9]+/, label: 'Stripe live key' },
+    { pattern: /sk_test_[a-zA-Z0-9]+/, label: 'Stripe test key' },
+    { pattern: /ghp_[a-zA-Z0-9]+/, label: 'GitHub PAT' },
+    { pattern: /gho_[a-zA-Z0-9]+/, label: 'GitHub OAuth token' },
+    { pattern: /github_pat_[a-zA-Z0-9]+/, label: 'GitHub fine-grained PAT' },
+    { pattern: /xoxb-[0-9]+-[0-9]+-[a-zA-Z0-9]+/, label: 'Slack bot token' },
+    { pattern: /xoxp-[0-9]+-[0-9]+-[a-zA-Z0-9]+/, label: 'Slack user token' },
+    { pattern: /AKIA[A-Z0-9]{16}/, label: 'AWS access key' },
+    { pattern: /AGE-SECRET-KEY-[A-Z0-9]+/, label: 'Age private key' },
+];
+/**
+ * Check key file and config directory permissions.
+ */
+export function checkPermissions(configDir) {
+    const findings = [];
+    const result = verifyPermissions(configDir);
+    if (result.valid) {
+        findings.push({
+            severity: 'info',
+            check: 'permissions',
+            message: 'Key file (600) and config directory (700) permissions are correct.',
+        });
+    }
+    else {
+        for (const issue of result.issues) {
+            findings.push({
+                severity: 'critical',
+                check: 'permissions',
+                message: issue,
+            });
+        }
+    }
+    return findings;
+}
+/**
+ * Validate remote transport security.
+ */
+export function checkRemoteTransport(syncDir) {
+    const findings = [];
+    let hasRemote = false;
+    const gitDir = path.join(syncDir, '.git');
+    if (!fs.existsSync(gitDir)) {
+        findings.push({
+            severity: 'warning',
+            check: 'transport',
+            message: 'No Git repository found in sync directory.',
+        });
+        return { findings, hasRemote };
+    }
+    try {
+        const remoteOutput = execSync('git remote -v', {
+            cwd: syncDir,
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        if (!remoteOutput) {
+            findings.push({
+                severity: 'info',
+                check: 'transport',
+                message: 'No remote configured (local-only mode).',
+            });
+            return { findings, hasRemote };
+        }
+        hasRemote = true;
+        // Parse remote URLs
+        const lines = remoteOutput.split('\n');
+        const urls = new Set();
+        for (const line of lines) {
+            const parts = line.split(/\s+/);
+            if (parts[1]) {
+                urls.add(parts[1]);
+            }
+        }
+        for (const url of urls) {
+            try {
+                validateRemoteUrl(url);
+                findings.push({
+                    severity: 'info',
+                    check: 'transport',
+                    message: `Remote URL is secure: ${url}`,
+                });
+            }
+            catch (err) {
+                findings.push({
+                    severity: 'critical',
+                    check: 'transport',
+                    message: `Insecure remote: ${err instanceof Error ? err.message : String(err)}`,
+                });
+            }
+        }
+    }
+    catch {
+        findings.push({
+            severity: 'warning',
+            check: 'transport',
+            message: 'Could not check remote URLs (git command failed).',
+        });
+    }
+    return { findings, hasRemote };
+}
+/**
+ * Verify all state files are .age (not .json).
+ */
+export function checkStateFiles(syncDir) {
+    const findings = [];
+    if (!fs.existsSync(syncDir)) {
+        findings.push({
+            severity: 'warning',
+            check: 'state-files',
+            message: 'Sync directory does not exist.',
+        });
+        return { findings, stateFileCount: 0 };
+    }
+    const entries = fs.readdirSync(syncDir).filter((e) => !e.startsWith('.') && e !== 'sessions');
+    const ageFiles = entries.filter((e) => e.endsWith('.age'));
+    const jsonFiles = entries.filter((e) => e.endsWith('.json') && e !== STATE_FILES.MANIFEST);
+    if (jsonFiles.length > 0) {
+        for (const file of jsonFiles) {
+            findings.push({
+                severity: 'critical',
+                check: 'state-files',
+                message: `Plaintext state file found: ${file}. State files must be encrypted as .age files.`,
+            });
+        }
+    }
+    if (ageFiles.length > 0) {
+        findings.push({
+            severity: 'info',
+            check: 'state-files',
+            message: `${String(ageFiles.length)} encrypted state file(s) found.`,
+        });
+    }
+    // Check manifest is present and minimal
+    const manifestPath = path.join(syncDir, STATE_FILES.MANIFEST);
+    if (fs.existsSync(manifestPath)) {
+        try {
+            const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+            const allowedKeys = ['version', 'lastSync', 'files'];
+            const extraKeys = Object.keys(manifest).filter((k) => !allowedKeys.includes(k));
+            if (extraKeys.length > 0) {
+                findings.push({
+                    severity: 'warning',
+                    check: 'state-files',
+                    message: `Manifest contains unexpected keys: ${extraKeys.join(', ')}`,
+                });
+            }
+            else {
+                findings.push({
+                    severity: 'info',
+                    check: 'state-files',
+                    message: 'Manifest contains only version and timestamps (correct).',
+                });
+            }
+        }
+        catch {
+            findings.push({
+                severity: 'warning',
+                check: 'state-files',
+                message: 'Could not parse manifest.json.',
+            });
+        }
+    }
+    return { findings, stateFileCount: ageFiles.length };
+}
+/**
+ * Scan Git history for plaintext secret patterns.
+ */
+export function checkGitHistory(syncDir) {
+    const findings = [];
+    const gitDir = path.join(syncDir, '.git');
+    if (!fs.existsSync(gitDir)) {
+        return findings; // No git repo, nothing to scan
+    }
+    try {
+        const history = execSync('git log -p --all --full-history', {
+            cwd: syncDir,
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            maxBuffer: 50 * 1024 * 1024, // 50MB
+        });
+        let foundSecrets = false;
+        for (const { pattern, label } of SECRET_PATTERNS) {
+            if (pattern.test(history)) {
+                foundSecrets = true;
+                findings.push({
+                    severity: 'critical',
+                    check: 'git-history',
+                    message: `Potential ${label} found in Git history. Run \`key rotate\` to re-encrypt and rewrite history.`,
+                });
+            }
+        }
+        if (!foundSecrets) {
+            findings.push({
+                severity: 'info',
+                check: 'git-history',
+                message: 'No plaintext secret patterns found in Git history.',
+            });
+        }
+    }
+    catch {
+        // May fail if there's no commit history yet
+        findings.push({
+            severity: 'info',
+            check: 'git-history',
+            message: 'No Git history to scan (no commits yet).',
+        });
+    }
+    return findings;
+}
+/**
+ * Report repository size.
+ */
+export function checkRepoSize(syncDir) {
+    const findings = [];
+    if (!fs.existsSync(syncDir)) {
+        return { findings, sizeBytes: null, sizeHuman: null };
+    }
+    try {
+        // Calculate total size recursively
+        const sizeBytes = getDirectorySize(syncDir);
+        const sizeHuman = formatBytes(sizeBytes);
+        findings.push({
+            severity: sizeBytes > 100 * 1024 * 1024 ? 'warning' : 'info',
+            check: 'repo-size',
+            message: `Repository size: ${sizeHuman}${sizeBytes > 100 * 1024 * 1024 ? ' (consider cleanup)' : ''}`,
+        });
+        return { findings, sizeBytes, sizeHuman };
+    }
+    catch {
+        return { findings, sizeBytes: null, sizeHuman: null };
+    }
+}
+/**
+ * Calculate directory size recursively.
+ */
+function getDirectorySize(dirPath) {
+    let totalSize = 0;
+    const entries = fs.readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = path.join(dirPath, entry.name);
+        if (entry.isDirectory()) {
+            totalSize += getDirectorySize(fullPath);
+        }
+        else if (entry.isFile()) {
+            totalSize += fs.statSync(fullPath).size;
+        }
+    }
+    return totalSize;
+}
+/**
+ * Format bytes into human-readable string.
+ */
+export function formatBytes(bytes) {
+    if (bytes === 0)
+        return '0 B';
+    const units = ['B', 'KB', 'MB', 'GB'];
+    const k = 1024;
+    const i = Math.floor(Math.log(bytes) / Math.log(k));
+    const value = bytes / Math.pow(k, i);
+    return `${value.toFixed(i === 0 ? 0 : 1)} ${units[i] ?? 'TB'}`;
+}
+/**
+ * Execute the full audit.
+ */
+export function executeAudit() {
+    const configDir = getConfigDir();
+    const syncDir = getSyncDir();
+    const allFindings = [];
+    // 1. Permissions check
+    allFindings.push(...checkPermissions(configDir));
+    // 2. Remote transport check
+    const transport = checkRemoteTransport(syncDir);
+    allFindings.push(...transport.findings);
+    // 3. State files check
+    const stateFiles = checkStateFiles(syncDir);
+    allFindings.push(...stateFiles.findings);
+    // 4. Git history scan
+    allFindings.push(...checkGitHistory(syncDir));
+    // 5. Repo size
+    const repoSize = checkRepoSize(syncDir);
+    allFindings.push(...repoSize.findings);
+    const hasCritical = allFindings.some((f) => f.severity === 'critical');
+    return {
+        findings: allFindings,
+        passed: !hasCritical,
+        repoSizeBytes: repoSize.sizeBytes,
+        repoSizeHuman: repoSize.sizeHuman,
+        stateFileCount: stateFiles.stateFileCount,
+        hasRemote: transport.hasRemote,
+    };
+}
+// ─── Commander Registration ───────────────────────────────────────────────
+/**
+ * Register the `ctx-sync audit` command on the given program.
+ */
+export function registerAuditCommand(program) {
+    program
+        .command('audit')
+        .description('Run a comprehensive security audit')
+        .action(withErrorHandler(async () => {
+        const result = executeAudit();
+        const critical = result.findings.filter((f) => f.severity === 'critical');
+        const warnings = result.findings.filter((f) => f.severity === 'warning');
+        const info = result.findings.filter((f) => f.severity === 'info');
+        console.log('\n🔒 ctx-sync Security Audit\n');
+        if (critical.length > 0) {
+            console.log('❌ Critical Issues:');
+            for (const f of critical) {
+                console.log(`  [${f.check}] ${f.message}`);
+            }
+            console.log('');
+        }
+        if (warnings.length > 0) {
+            console.log('⚠ Warnings:');
+            for (const f of warnings) {
+                console.log(`  [${f.check}] ${f.message}`);
+            }
+            console.log('');
+        }
+        if (info.length > 0) {
+            console.log('ℹ Info:');
+            for (const f of info) {
+                console.log(`  [${f.check}] ${f.message}`);
+            }
+            console.log('');
+        }
+        if (result.repoSizeHuman) {
+            console.log(`📦 Repository size: ${result.repoSizeHuman}`);
+        }
+        console.log(`📄 Encrypted state files: ${String(result.stateFileCount)}`);
+        console.log('');
+        if (result.passed) {
+            console.log('✅ Audit passed — no critical issues found.');
+        }
+        else {
+            console.log('❌ Audit failed — critical issues require attention.');
+            process.exit(1);
+        }
+    }));
+}
+//# sourceMappingURL=audit.js.map

package/dist/commands/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/commands/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAwBrD,6EAA6E;AAE7E,iDAAiD;AACjD,MAAM,eAAe,GAA8C;IACjE,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,iBAAiB,EAAE;IAC7D,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,iBAAiB,EAAE;IAC7D,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,YAAY,EAAE;IACpD,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC5D,EAAE,OAAO,EAAE,yBAAyB,EAAE,KAAK,EAAE,yBAAyB,EAAE;IACxE,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACxE,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,kBAAkB,EAAE;IACzE,EAAE,OAAO,EAAE,kBAAkB,EAAE,KAAK,EAAE,gBAAgB,EAAE;IACxD,EAAE,OAAO,EAAE,0BAA0B,EAAE,KAAK,EAAE,iBAAiB,EAAE;CAClE,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAChD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;IAE5C,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,aAAa;YACpB,OAAO,EAAE,oEAAoE;SAC9E,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,aAAa;gBACpB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAIlD,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,4CAA4C;SACtD,CAAC,CAAC;QACH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACjC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,QAAQ,CAAC,eAAe,EAAE;YAC7C,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEV,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,yCAAyC;aACnD,CAAC,CAAC;YACH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;QACjC,CAAC;QAED,SAAS,GAAG,IAAI,CAAC;QAEjB,oBAAoB;QACpB,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAChC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBACb,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC;gBACH,iBAAiB,CAAC,GAAG,CAAC,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,yBAAyB,GAAG,EAAE;iBACxC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,oBAAoB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;iBAChF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,mDAAmD;SAC7D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAI7C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,aAAa;YACpB,OAAO,EAAE,gCAAgC;SAC1C,CAAC,CAAC;QACH,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,UAAU,CAC9C,CAAC;IAEF,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,WAAW,CAAC,QAAQ,CACzD,CAAC;IAEF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,aAAa;gBACpB,OAAO,EAAE,+BAA+B,IAAI,gDAAgD;aAC7F,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,aAAa;YACpB,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,iCAAiC;SACrE,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC9D,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAA4B,CAAC;YAC/F,MAAM,WAAW,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAChC,CAAC;YACF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACzB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,aAAa;oBACpB,OAAO,EAAE,sCAAsC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBACtE,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,aAAa;oBACpB,OAAO,EAAE,0DAA0D;iBACpE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,aAAa;gBACpB,OAAO,EAAE,gCAAgC;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE1C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO,QAAQ,CAAC,CAAC,+BAA+B;IAClD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,iCAAiC,EAAE;YAC1D,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;SACrC,CAAC,CAAC;QAEH,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,eAAe,EAAE,CAAC;YACjD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,YAAY,GAAG,IAAI,CAAC;gBACpB,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,aAAa;oBACpB,OAAO,EAAE,aAAa,KAAK,8EAA8E;iBAC1G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,aAAa;gBACpB,OAAO,EAAE,oDAAoD;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;QAC5C,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,aAAa;YACpB,OAAO,EAAE,0CAA0C;SACpD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAK3C,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,CAAC;QACH,mCAAmC;QACnC,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;QAEzC,QAAQ,CAAC,IAAI,CAAC;YACZ,QAAQ,EAAE,SAAS,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM;YAC5D,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,oBAAoB,SAAS,GAAG,SAAS,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,EAAE;SACtG,CAAC,CAAC;QAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IACxD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACjE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,SAAS,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC1C,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,SAAS,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,KAAK,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,CAAC,GAAG,IAAI,CAAC;IACf,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,MAAM,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAErC,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY;IAC1B,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;IAE7B,MAAM,WAAW,GAAmB,EAAE,CAAC;IAEvC,uBAAuB;IACvB,WAAW,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC,CAAC;IAEjD,4BAA4B;IAC5B,MAAM,SAAS,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAChD,WAAW,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IAExC,uBAAuB;IACvB,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC5C,WAAW,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAEzC,sBAAsB;IACtB,WAAW,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;IAE9C,eAAe;IACf,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACxC,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEvC,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC;IAEvE,OAAO;QACL,QAAQ,EAAE,WAAW;QACrB,MAAM,EAAE,CAAC,WAAW;QACpB,aAAa,EAAE,QAAQ,CAAC,SAAS;QACjC,aAAa,EAAE,QAAQ,CAAC,SAAS;QACjC,cAAc,EAAE,UAAU,CAAC,cAAc;QACzC,SAAS,EAAE,SAAS,CAAC,SAAS;KAC/B,CAAC;AACJ,CAAC;AAED,6EAA6E;AAE7E;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,gBAAgB,CAAC,KAAK,IAAI,EAAE;QAClC,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;QAE9B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CACjC,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAChC,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;QAElE,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAE9C,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;YAClC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC3B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACvB,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,uBAAuB,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,GAAG,CACT,6BAA6B,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAC7D,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CACT,qDAAqD,CACtD,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC,CAAC;AACR,CAAC"}

package/dist/commands/config.d.ts

@@ -0,0 +1,58 @@
+/**
+ * `ctx-sync config` command group.
+ *
+ * Subcommands:
+ *   - `config safe-list` — View the current safe-list (default + custom).
+ *   - `config safe-list add <key>` — Add a key to the user's custom safe-list.
+ *   - `config safe-list remove <key>` — Remove a key from the custom safe-list.
+ *
+ * The safe-list determines which env var keys MAY be stored as plaintext
+ * when `--allow-plain` is used during `env import`. Everything else is
+ * encrypted by default.
+ *
+ * Config is stored in `~/.config/ctx-sync/config.json` (local, never synced).
+ *
+ * @module commands/config
+ */
+import type { Command } from 'commander';
+/**
+ * Result of listing the safe-list.
+ */
+export interface SafeListViewResult {
+    defaults: readonly string[];
+    custom: string[];
+    effective: string[];
+}
+/**
+ * Execute safe-list view.
+ *
+ * @returns The safe-list broken down by defaults, custom, and effective.
+ */
+export declare function executeSafeListView(): SafeListViewResult;
+/**
+ * Execute safe-list add.
+ *
+ * @param key - The env var key to add to the safe-list.
+ * @returns Object with `added` flag and descriptive message.
+ */
+export declare function executeSafeListAdd(key: string): {
+    added: boolean;
+    message: string;
+};
+/**
+ * Execute safe-list remove.
+ *
+ * @param key - The env var key to remove from the safe-list.
+ * @returns Object with `removed` flag and descriptive message.
+ */
+export declare function executeSafeListRemove(key: string): {
+    removed: boolean;
+    message: string;
+};
+/**
+ * Register the `config` command group on the given Commander program.
+ *
+ * @param program - The Commander program instance.
+ */
+export declare function registerConfigCommand(program: Command): void;
+//# sourceMappingURL=config.d.ts.map

package/dist/commands/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/commands/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASzC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5B,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,kBAAkB,CAGxD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAC/C,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB,CAGA;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;CACjB,CAGA;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAiF5D"}

package/dist/commands/config.js

@@ -0,0 +1,114 @@
+/**
+ * `ctx-sync config` command group.
+ *
+ * Subcommands:
+ *   - `config safe-list` — View the current safe-list (default + custom).
+ *   - `config safe-list add <key>` — Add a key to the user's custom safe-list.
+ *   - `config safe-list remove <key>` — Remove a key from the custom safe-list.
+ *
+ * The safe-list determines which env var keys MAY be stored as plaintext
+ * when `--allow-plain` is used during `env import`. Everything else is
+ * encrypted by default.
+ *
+ * Config is stored in `~/.config/ctx-sync/config.json` (local, never synced).
+ *
+ * @module commands/config
+ */
+import { withErrorHandler } from '../utils/errors.js';
+import { getConfigDir } from './init.js';
+import { listSafeList, addToSafeList, removeFromSafeList, } from '../core/config-store.js';
+/**
+ * Execute safe-list view.
+ *
+ * @returns The safe-list broken down by defaults, custom, and effective.
+ */
+export function executeSafeListView() {
+    const configDir = getConfigDir();
+    return listSafeList(configDir);
+}
+/**
+ * Execute safe-list add.
+ *
+ * @param key - The env var key to add to the safe-list.
+ * @returns Object with `added` flag and descriptive message.
+ */
+export function executeSafeListAdd(key) {
+    const configDir = getConfigDir();
+    return addToSafeList(configDir, key);
+}
+/**
+ * Execute safe-list remove.
+ *
+ * @param key - The env var key to remove from the safe-list.
+ * @returns Object with `removed` flag and descriptive message.
+ */
+export function executeSafeListRemove(key) {
+    const configDir = getConfigDir();
+    return removeFromSafeList(configDir, key);
+}
+/**
+ * Register the `config` command group on the given Commander program.
+ *
+ * @param program - The Commander program instance.
+ */
+export function registerConfigCommand(program) {
+    const configCmd = program
+        .command('config')
+        .description('Manage local configuration and preferences');
+    // ── config safe-list ──────────────────────────────────────────────
+    const safeListCmd = configCmd
+        .command('safe-list')
+        .description('View or manage the env var safe-list');
+    // Default action: view the safe-list
+    safeListCmd.action(withErrorHandler(async () => {
+        const result = executeSafeListView();
+        const chalk = (await import('chalk')).default;
+        console.log(chalk.bold('\nEnvironment Variable Safe-List\n'));
+        console.log(chalk.dim('Keys on the safe-list MAY be stored as plaintext when --allow-plain is used.\n' +
+            'Everything else is always encrypted (encrypt-by-default).\n'));
+        console.log(chalk.cyan('Built-in defaults:'));
+        for (const key of result.defaults) {
+            console.log(`  ${key}`);
+        }
+        if (result.custom.length > 0) {
+            console.log(chalk.cyan('\nCustom additions:'));
+            for (const key of result.custom) {
+                console.log(`  ${key}`);
+            }
+        }
+        else {
+            console.log(chalk.dim('\nNo custom additions.'));
+        }
+        console.log(chalk.dim(`\nTotal effective safe-list: ${result.effective.length} keys`));
+    }));
+    // ── config safe-list add <key> ────────────────────────────────────
+    safeListCmd
+        .command('add <key>')
+        .description('Add a key to your custom safe-list')
+        .action(withErrorHandler(async (key) => {
+        const result = executeSafeListAdd(key);
+        const chalk = (await import('chalk')).default;
+        if (result.added) {
+            console.log(chalk.green(`✅ ${result.message}`));
+            console.log(chalk.dim('   This key will be treated as plaintext-safe when --allow-plain is used.'));
+        }
+        else {
+            console.log(chalk.yellow(`⚠️  ${result.message}`));
+        }
+    }));
+    // ── config safe-list remove <key> ─────────────────────────────────
+    safeListCmd
+        .command('remove <key>')
+        .description('Remove a key from your custom safe-list')
+        .action(withErrorHandler(async (key) => {
+        const result = executeSafeListRemove(key);
+        const chalk = (await import('chalk')).default;
+        if (result.removed) {
+            console.log(chalk.green(`✅ ${result.message}`));
+        }
+        else {
+            console.log(chalk.yellow(`⚠️  ${result.message}`));
+        }
+    }));
+}
+//# sourceMappingURL=config.js.map

package/dist/commands/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/commands/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EACL,YAAY,EACZ,aAAa,EACb,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AAWjC;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,OAAO,YAAY,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAI5C,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,OAAO,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,GAAW;IAI/C,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,OAAO,kBAAkB,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,MAAM,SAAS,GAAG,OAAO;SACtB,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4CAA4C,CAAC,CAAC;IAE7D,qEAAqE;IACrE,MAAM,WAAW,GAAG,SAAS;SAC1B,OAAO,CAAC,WAAW,CAAC;SACpB,WAAW,CAAC,sCAAsC,CAAC,CAAC;IAEvD,qCAAqC;IACrC,WAAW,CAAC,MAAM,CAAC,gBAAgB,CAAC,KAAK,IAAI,EAAE;QAC7C,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;QAErC,MAAM,KAAK,GAAG,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAE9C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,gFAAgF;YAC9E,6DAA6D,CAChE,CACF,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;QAC1B,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;YAC/C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;YAC1B,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,gCAAgC,MAAM,CAAC,SAAS,CAAC,MAAM,OAAO,CAC/D,CACF,CAAC;IACJ,CAAC,CAAC,CAAC,CAAC;IAEJ,qEAAqE;IACrE,WAAW;SACR,OAAO,CAAC,WAAW,CAAC;SACpB,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC7C,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QAEvC,MAAM,KAAK,GAAG,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAE9C,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,2EAA2E,CAC5E,CACF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC,CAAC;IAEN,qEAAqE;IACrE,WAAW;SACR,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,yCAAyC,CAAC;SACtD,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QAC7C,MAAM,MAAM,GAAG,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAE1C,MAAM,KAAK,GAAG,CAAC,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAE9C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC,CAAC,CAAC,CAAC;AACR,CAAC"}