hop-claude 1.0.0

package/SECURITY.md

@@ -0,0 +1,280 @@
+# Security Policy
+
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in hop-claude, please report it responsibly:
+
+- **Email:** Create an issue on GitHub with the tag `security` (or email the maintainer privately for sensitive issues)
+- **Response Time:** We aim to respond within 48 hours and provide a fix within 7 days for critical vulnerabilities
+
+**Please do not** publicly disclose the vulnerability until a fix has been released.
+
+---
+
+## Security Model
+
+hop-claude manages sensitive API keys for Claude Code CLI. Understanding our security model helps you use the tool safely.
+
+### Encryption Modes
+
+hop-claude supports three encryption modes with different security trade-offs:
+
+#### 1. Keychain Mode (Recommended) ⭐
+
+**Security Level:** HIGH
+
+- API keys stored in OS-managed keychain:
+  - macOS: Keychain Access
+  - Windows: Credential Manager
+  - Linux: libsecret
+- Keys never written to disk in plain text
+- Encrypted by OS using hardware-backed secrets (when available)
+- No password required for daily use
+
+**Limitations:**
+- Not portable across machines
+- Requires functional OS keychain
+
+**Best for:** Single-machine usage, maximum security
+
+#### 2. Passphrase Mode
+
+**Security Level:** MEDIUM to HIGH (depends on passphrase strength)
+
+- API keys encrypted with AES-256-GCM using user-provided passphrase
+- PBKDF2 key derivation with 100,000 iterations
+- Fully portable across machines
+- Password required for each operation
+
+**Limitations:**
+- Security depends on passphrase strength (minimum 8 characters enforced)
+- Password must be remembered or stored securely
+- Vulnerable to brute-force if weak password used
+
+**Best for:** Multi-machine usage, team sharing (with secure password management)
+
+#### 3. Legacy Mode (Deprecated)
+
+**Security Level:** LOW
+
+- Machine-bound encryption using hostname + username as key material
+- Provides obfuscation, not true security
+- Backwards compatible with v0.0.x
+
+**Limitations:**
+- Not portable across machines
+- Weak against local attackers with filesystem access
+- Keys can be decrypted if attacker knows hostname and username
+
+**Status:** Deprecated. Migrate to Keychain or Passphrase mode.
+
+---
+
+## What We Protect Against
+
+hop-claude is designed to protect against:
+
+✅ **Accidental Exposure**
+- Prevents API keys from appearing in git commits
+- Keys not visible in process listings
+- Redacted in terminal output (masked as `sk-ant-***xyz`)
+
+✅ **Casual Filesystem Access**
+- Config directory permissions: `0700` (Unix) or restricted ACL (Windows)
+- Config file permissions: `0600` (Unix)
+- Encrypted storage prevents casual browsing
+
+✅ **Command Injection Attacks**
+- No shell interpretation of user input (fixed in v0.1.0)
+- Safe subprocess spawning without `shell: true`
+
+✅ **Concurrent Write Corruption**
+- File locking prevents data corruption from simultaneous access
+- Safe for multiple terminal sessions
+
+---
+
+## What We Do NOT Protect Against
+
+hop-claude is a local development tool with inherent limitations:
+
+❌ **Root/Admin Access Attacks**
+- Local root users can access any file, including encrypted configs
+- OS keychain can be accessed by users with physical machine access
+
+❌ **Memory Inspection**
+- API keys exist in plain text in memory during use
+- Process memory can be dumped by privileged users
+
+❌ **Physical Access**
+- Unattended, unlocked machines are vulnerable
+- Screen capture or keyloggers can steal passwords
+
+❌ **Malware**
+- If your machine is compromised, all local data is at risk
+- Use antivirus and keep your system updated
+
+❌ **Network Interception**
+- hop-claude only manages local storage
+- API requests from Claude Code CLI are subject to network security
+
+---
+
+## Security Best Practices
+
+### For Keychain Mode Users
+
+1. ✅ Enable full disk encryption (FileVault, BitLocker, LUKS)
+2. ✅ Use strong machine login password
+3. ✅ Lock your screen when away (auto-lock recommended)
+4. ✅ Keep OS up to date for keychain security patches
+
+### For Passphrase Mode Users
+
+1. ✅ Use strong, unique passphrase (≥12 characters, mixed case, symbols)
+2. ✅ Consider using a password manager
+3. ✅ Never commit encrypted config to public repositories
+4. ✅ Rotate API keys if passphrase is compromised
+
+### For All Users
+
+1. ✅ Run `hop-claude --encryption-info` to verify your current mode
+2. ✅ Migrate from Legacy mode: `hop-claude --migrate-encryption`
+3. ✅ Review file permissions: Config directory should be owner-only
+4. ✅ Monitor API usage on Anthropic dashboard for suspicious activity
+5. ✅ Rotate API keys periodically (every 90 days recommended)
+
+---
+
+## Known Security Issues
+
+### v0.0.x (Legacy)
+
+- **CRITICAL:** Command injection vulnerability via `shell: true` ➜ Fixed in v0.1.0
+- **HIGH:** Machine-bound encryption is weak ➜ Migrate to Keychain/Passphrase mode
+
+### v0.1.0+
+
+- No known critical vulnerabilities
+- Legacy mode still available for compatibility but deprecated
+
+---
+
+## Threat Model
+
+### Attacker Profiles
+
+| Attacker Type | Can They Access Keys? | Mitigation |
+|---------------|----------------------|------------|
+| Remote attacker (no local access) | ❌ No | N/A - keys only stored locally |
+| Casual user on shared machine | ❌ No | File permissions + encryption |
+| Determined user with physical access | ⚠️ Maybe | Use keychain mode + strong login password |
+| Malware on your machine | ✅ Yes | Antivirus, system updates, vigilance |
+| Root/Admin with physical access | ✅ Yes | No defense - rotate keys if compromised |
+
+### Attack Scenarios
+
+**Scenario 1: Laptop Theft**
+- **Keychain Mode:** Safe if disk encrypted and powered off
+- **Passphrase Mode:** Safe if strong passphrase used
+- **Legacy Mode:** Vulnerable if attacker can boot system
+
+**Scenario 2: Shared Development Server**
+- **Keychain Mode:** Safe from other users (OS isolation)
+- **Passphrase Mode:** Safe from other users (file permissions)
+- **Legacy Mode:** Vulnerable to other users
+
+**Scenario 3: Git Commit Accident**
+- **All Modes:** Keys are encrypted, not plain text
+- **Keychain Mode:** Config file only has placeholders
+- **Passphrase/Legacy:** Encrypted keys in config, but remove from git immediately
+
+---
+
+## Migration Guide
+
+### From v0.0.x to v0.1.0+
+
+```bash
+# 1. Backup your config
+hop-claude -e backup-before-migration.json
+
+# 2. Run migration
+hop-claude --migrate-encryption
+
+# 3. Choose Keychain (most secure) or Passphrase (portable)
+
+# 4. Verify migration
+hop-claude --encryption-info
+```
+
+### Emergency Recovery
+
+If migration fails:
+
+```bash
+# Restore from backup
+hop-claude -i backup-before-migration.json
+
+# Or manually restore
+# macOS/Linux:
+cp ~/.hop-claude-config/config.json.backup-TIMESTAMP ~/.hop-claude-config/config.json
+
+# Windows:
+copy %APPDATA%\hop-claude-config\config.json.backup-TIMESTAMP %APPDATA%\hop-claude-config\config.json
+```
+
+---
+
+## Security Changelog
+
+### v0.1.0 (2025-01-03)
+- ✅ Fixed command injection vulnerability (CRITICAL)
+- ✅ Added Keychain and Passphrase encryption modes
+- ✅ Implemented file locking for concurrent access
+- ✅ Improved Windows binary detection
+- ✅ Enhanced error handling with type safety
+- ✅ Deprecated Legacy mode
+
+### v0.0.x
+- ⚠️ Legacy encryption only (machine-bound)
+- ⚠️ Command injection vulnerability present
+- ⚠️ No concurrent write protection
+
+---
+
+## Security Audits
+
+- **Internal:** Code reviewed by gemini-3-pro-preview and openai/o3 models (2025-01-03)
+- **Community:** Awaiting external security audit
+- **Automated:** 31 security and functionality tests pass
+
+---
+
+## Compliance & Certifications
+
+hop-claude is a development tool intended for:
+- Local development environments
+- Individual developer use
+- Small team collaboration
+
+It is **NOT** certified for:
+- HIPAA, PCI-DSS, SOC 2, or other compliance frameworks
+- Production secrets management
+- Enterprise deployment without additional security controls
+
+For enterprise use, consider:
+- HashiCorp Vault
+- AWS Secrets Manager
+- Azure Key Vault
+- 1Password Secrets Automation
+
+---
+
+## Contact
+
+For security concerns:
+- GitHub Issues: https://github.com/0bipinnata0/hop-claude/issues
+- Email: [your-email@example.com]
+
+Last updated: 2025-01-03

package/bin/cli.js

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+
+import('../dist/index.js').catch((err) => {
+  console.error('Failed to load CLI:', err);
+  process.exit(1);
+});

package/dist/cli.d.ts

@@ -0,0 +1,6 @@
+import { Command } from 'commander';
+/**
+ * 创建 CLI 程序
+ */
+export declare function createCLI(): Promise<Command>;
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASpC;;GAEG;AACH,wBAAsB,SAAS,qBAiH9B"}

package/dist/cli.js

@@ -0,0 +1,147 @@
+import { Command } from 'commander';
+import { ConfigManager } from './config/config-manager.js';
+import { InteractiveUI } from './ui/prompts.js';
+import { launchClaude } from './utils/claude-launcher.js';
+import { displayError, displaySuccess } from './ui/display.js';
+import { backupConfig, restoreConfig } from './utils/backup.js';
+import { EncryptionMigration } from './utils/migration.js';
+import pkg from '../package.json' with { type: 'json' };
+/**
+ * 创建 CLI 程序
+ */
+export async function createCLI() {
+    const program = new Command();
+    const configManager = new ConfigManager();
+    const ui = new InteractiveUI(configManager);
+    program
+        .name('hop-claude')
+        .version(pkg.version)
+        .description('Claude Code configuration manager and launcher')
+        .option('-c, --config', 'Enter configuration management mode')
+        .option('-l, --list', 'List all configurations')
+        .option('-s, --switch <profile>', 'Switch to a specific profile')
+        .option('-e, --export <file>', 'Export configuration to file')
+        .option('-i, --import <file>', 'Import configuration from file')
+        .option('--migrate-encryption', 'Migrate to a different encryption mode')
+        .option('--encryption-info', 'Show current encryption mode information')
+        .allowUnknownOption(true) // 允许未知选项（用于透传给 claude）
+        .action(async (options) => {
+        try {
+            // 加密模式迁移
+            if (options.migrateEncryption) {
+                const migration = new EncryptionMigration(configManager);
+                await migration.migrate();
+                return;
+            }
+            // 显示加密模式信息
+            if (options.encryptionInfo) {
+                const migration = new EncryptionMigration(configManager);
+                await migration.showEncryptionInfo();
+                return;
+            }
+            // 列出配置
+            if (options.list) {
+                await ui.listConfigurations();
+                return;
+            }
+            // 快速切换 profile
+            if (options.switch) {
+                const profile = await configManager.getProfile(options.switch);
+                if (!profile) {
+                    displayError(`Profile "${options.switch}" not found`);
+                    process.exit(1);
+                }
+                await configManager.setCurrentProfile(options.switch);
+                displaySuccess(`Switched to: ${options.switch}`);
+                // 如果有透传参数，继续启动 claude
+                const claudeArgs = getClaudeArgs(process.argv);
+                if (claudeArgs.length > 0) {
+                    await launchClaude(profile, claudeArgs);
+                }
+                return;
+            }
+            // 导出配置
+            if (options.export) {
+                await backupConfig(configManager, options.export);
+                displaySuccess(`Configuration exported to: ${options.export}`);
+                return;
+            }
+            // 导入配置
+            if (options.import) {
+                await restoreConfig(configManager, options.import);
+                displaySuccess('Configuration imported successfully');
+                return;
+            }
+            // 强制进入配置模式
+            if (options.config) {
+                await ui.manageConfiguration();
+                return;
+            }
+            // 正常流程：显示当前配置 + 询问是否修改
+            const shouldContinue = await ui.showCurrentAndAsk();
+            if (!shouldContinue) {
+                // 用户选择退出
+                return;
+            }
+            // 获取当前配置并启动 claude
+            const currentProfile = await configManager.getCurrentProfile();
+            if (!currentProfile) {
+                displayError('No configuration selected');
+                process.exit(1);
+            }
+            // 获取透传参数
+            const claudeArgs = getClaudeArgs(process.argv);
+            // 启动 claude
+            await launchClaude(currentProfile, claudeArgs);
+        }
+        catch (error) {
+            const err = error instanceof Error ? error : new Error(String(error));
+            displayError(err.message);
+            // 在 DEBUG 模式下显示完整的堆栈跟踪
+            if (process.env.DEBUG) {
+                console.error('\nStack trace:');
+                console.error(err.stack);
+            }
+            process.exit(1);
+        }
+    });
+    return program;
+}
+/**
+ * 获取需要透传给 claude 的参数
+ * 过滤掉 cproxy 自己的参数
+ */
+function getClaudeArgs(argv) {
+    const cproxyFlags = [
+        '-c', '--config',
+        '-l', '--list',
+        '-s', '--switch',
+        '-e', '--export',
+        '-i', '--import',
+        '-v', '--version',
+        '-h', '--help',
+        '--migrate-encryption',
+        '--encryption-info'
+    ];
+    const result = [];
+    let skip = false;
+    for (let i = 2; i < argv.length; i++) {
+        const arg = argv[i];
+        if (skip) {
+            skip = false;
+            continue;
+        }
+        // 跳过 cproxy 的选项
+        if (cproxyFlags.includes(arg)) {
+            // 如果是需要值的选项，跳过下一个参数
+            if (['-s', '--switch', '-e', '--export', '-i', '--import'].includes(arg)) {
+                skip = true;
+            }
+            continue;
+        }
+        // 其他所有参数都透传
+        result.push(arg);
+    }
+    return result;
+}
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,GAAG,MAAM,iBAAiB,CAAC,OAAO,IAAI,EAAE,MAAM,EAAE,CAAC;AAExD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,MAAM,aAAa,GAAG,IAAI,aAAa,EAAE,CAAC;IAC1C,MAAM,EAAE,GAAG,IAAI,aAAa,CAAC,aAAa,CAAC,CAAC;IAE5C,OAAO;SACJ,IAAI,CAAC,YAAY,CAAC;SAClB,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;SACpB,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,cAAc,EAAE,qCAAqC,CAAC;SAC7D,MAAM,CAAC,YAAY,EAAE,yBAAyB,CAAC;SAC/C,MAAM,CAAC,wBAAwB,EAAE,8BAA8B,CAAC;SAChE,MAAM,CAAC,qBAAqB,EAAE,8BAA8B,CAAC;SAC7D,MAAM,CAAC,qBAAqB,EAAE,gCAAgC,CAAC;SAC/D,MAAM,CAAC,sBAAsB,EAAE,wCAAwC,CAAC;SACxE,MAAM,CAAC,mBAAmB,EAAE,0CAA0C,CAAC;SACvE,kBAAkB,CAAC,IAAI,CAAC,CAAC,uBAAuB;SAChD,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,IAAI,CAAC;YACH,SAAS;YACT,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;gBAC9B,MAAM,SAAS,GAAG,IAAI,mBAAmB,CAAC,aAAa,CAAC,CAAC;gBACzD,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;gBAC1B,OAAO;YACT,CAAC;YAED,WAAW;YACX,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,IAAI,mBAAmB,CAAC,aAAa,CAAC,CAAC;gBACzD,MAAM,SAAS,CAAC,kBAAkB,EAAE,CAAC;gBACrC,OAAO;YACT,CAAC;YACD,OAAO;YACP,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,EAAE,CAAC,kBAAkB,EAAE,CAAC;gBAC9B,OAAO;YACT,CAAC;YAED,eAAe;YACf,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,YAAY,CAAC,YAAY,OAAO,CAAC,MAAM,aAAa,CAAC,CAAC;oBACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,MAAM,aAAa,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBACtD,cAAc,CAAC,gBAAgB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;gBAEjD,sBAAsB;gBACtB,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC/C,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC1B,MAAM,YAAY,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;gBAC1C,CAAC;gBACD,OAAO;YACT,CAAC;YAED,OAAO;YACP,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;gBAClD,cAAc,CAAC,8BAA8B,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC/D,OAAO;YACT,CAAC;YAED,OAAO;YACP,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,aAAa,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;gBACnD,cAAc,CAAC,qCAAqC,CAAC,CAAC;gBACtD,OAAO;YACT,CAAC;YAED,WAAW;YACX,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,EAAE,CAAC,mBAAmB,EAAE,CAAC;gBAC/B,OAAO;YACT,CAAC;YAED,uBAAuB;YACvB,MAAM,cAAc,GAAG,MAAM,EAAE,CAAC,iBAAiB,EAAE,CAAC;YAEpD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,SAAS;gBACT,OAAO;YACT,CAAC;YAED,mBAAmB;YACnB,MAAM,cAAc,GAAG,MAAM,aAAa,CAAC,iBAAiB,EAAE,CAAC;YAE/D,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,YAAY,CAAC,2BAA2B,CAAC,CAAC;gBAC1C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,SAAS;YACT,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAE/C,YAAY;YACZ,MAAM,YAAY,CAAC,cAAc,EAAE,UAAU,CAAC,CAAC;QAEjD,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACtE,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAE1B,uBAAuB;YACvB,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;gBAChC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC3B,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,IAAc;IACnC,MAAM,WAAW,GAAG;QAClB,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,QAAQ;QACd,sBAAsB;QACtB,mBAAmB;KACpB,CAAC;IACF,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,IAAI,GAAG,KAAK,CAAC;IAEjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEpB,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,GAAG,KAAK,CAAC;YACb,SAAS;QACX,CAAC;QAED,gBAAgB;QAChB,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,oBAAoB;YACpB,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACzE,IAAI,GAAG,IAAI,CAAC;YACd,CAAC;YACD,SAAS;QACX,CAAC;QAED,YAAY;QACZ,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/config/config-manager.d.ts

@@ -0,0 +1,88 @@
+import type { ConfigStore, ProfileConfig, DecryptedProfile, EncryptionMode } from '../types/index.js';
+/**
+ * 配置管理核心类
+ * 支持三种加密模式：
+ * - legacy: 机器绑定加密（向后兼容）
+ * - keychain: OS 密钥链存储（推荐）
+ * - passphrase: 用户密码加密（可移植）
+ */
+export declare class ConfigManager {
+    private storage;
+    private legacyEncryption;
+    private passphraseEncryption;
+    private keychainManager;
+    private sessionPassphrase?;
+    constructor();
+    /**
+     * 设置会话密码（用于 passphrase 模式）
+     */
+    setSessionPassphrase(passphrase: string): void;
+    /**
+     * 清除会话密码
+     */
+    clearSessionPassphrase(): void;
+    /**
+     * 获取当前加密模式
+     */
+    getEncryptionMode(): Promise<EncryptionMode>;
+    /**
+     * 初始化配置文件
+     */
+    initialize(): Promise<ConfigStore>;
+    /**
+     * 获取所有配置
+     */
+    getConfig(): Promise<ConfigStore>;
+    /**
+     * 添加或更新 profile
+     * @param profile 解密后的 profile
+     * @param passphrase 密码（仅 passphrase 模式需要）
+     */
+    saveProfile(profile: DecryptedProfile, passphrase?: string): Promise<void>;
+    /**
+     * 获取解密后的 profile
+     * @param domain profile 名称
+     * @param passphrase 密码（仅 passphrase 模式需要）
+     */
+    getProfile(domain: string, passphrase?: string): Promise<DecryptedProfile | null>;
+    /**
+     * 设置当前激活的 profile
+     */
+    setCurrentProfile(domain: string): Promise<void>;
+    /**
+     * 获取当前激活的 profile
+     * @param passphrase 密码（仅 passphrase 模式需要）
+     */
+    getCurrentProfile(passphrase?: string): Promise<DecryptedProfile | null>;
+    /**
+     * 列出所有 profiles（API Key 部分隐藏）
+     * @param passphrase 密码（仅 passphrase 模式需要）
+     */
+    listProfiles(passphrase?: string): Promise<Array<ProfileConfig & {
+        maskedApiKey: string;
+    }>>;
+    /**
+     * 删除 profile
+     */
+    deleteProfile(domain: string): Promise<void>;
+    /**
+     * 导出配置（包含加密的数据）
+     * 注意：keychain 模式无法导出实际密钥
+     */
+    exportConfig(): Promise<string>;
+    /**
+     * 导入配置
+     */
+    importConfig(data: string): Promise<void>;
+    /**
+     * 切换加密模式（需要提供所有必要的凭据）
+     * @param newMode 新的加密模式
+     * @param passphrase 密码（切换到 passphrase 模式时需要）
+     */
+    switchEncryptionMode(newMode: EncryptionMode, passphrase?: string): Promise<void>;
+    /**
+     * 获取配置文件路径
+     */
+    getConfigPath(): string;
+}
+//# sourceMappingURL=config-manager.d.ts.map

package/dist/config/config-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-manager.d.ts","sourceRoot":"","sources":["../../src/config/config-manager.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAEtG;;;;;;GAMG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,OAAO,CAAgB;IAC/B,OAAO,CAAC,gBAAgB,CAAa;IACrC,OAAO,CAAC,oBAAoB,CAAuB;IACnD,OAAO,CAAC,eAAe,CAAkB;IAGzC,OAAO,CAAC,iBAAiB,CAAC,CAAS;;IASnC;;OAEG;IACH,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI;IAI9C;;OAEG;IACH,sBAAsB,IAAI,IAAI;IAI9B;;OAEG;IACG,iBAAiB,IAAI,OAAO,CAAC,cAAc,CAAC;IAKlD;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,WAAW,CAAC;IAsBxC;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,WAAW,CAAC;IAYvC;;;;OAIG;IACG,WAAW,CAAC,OAAO,EAAE,gBAAgB,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAiEhF;;;;OAIG;IACG,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAuDvF;;OAEG;IACG,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAMtD;;;OAGG;IACG,iBAAiB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAM9E;;;OAGG;IACG,YAAY,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,GAAG;QAAE,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IA0DjG;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBlD;;;OAGG;IACG,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAWrC;;OAEG;IACG,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB/C;;;;OAIG;IACG,oBAAoB,CACxB,OAAO,EAAE,cAAc,EACvB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAyChB;;OAEG;IACH,aAAa,IAAI,MAAM;CAGxB"}