humanenv 0.1.0

package/packages/shared/src/crypto.ts

@@ -0,0 +1,98 @@
+import * as crypto from 'node:crypto'
+
+const PBKDF2_ITERATIONS = 100_000
+const PK_KEY_LENGTH = 32
+
+// ============================================================
+// Mnemonic helpers (BIP39-compatible wordlist handling)
+// ============================================================
+
+const BIP39_WORDLIST = [
+  'abandon', 'ability', 'able', 'about', 'above', 'absent', 'absorb', 'abstract',
+  'absurd', 'abuse', 'access', 'accident', 'account', 'accuse', 'achieve', 'acid',
+  'acoustic', 'acquire', 'across', 'act', 'action', 'actor', 'actress', 'actual',
+  'adapt', 'add', 'addict', 'address', 'adjust', 'admit', 'adult', 'advance',
+  'advice', 'aerobic', 'affair', 'afford', 'afraid', 'again', 'age', 'agent',
+  'agree', 'ahead', 'aim', 'air', 'airport', 'aisle', 'alarm', 'album',
+  'alcohol', 'alert', 'alien', 'all', 'alley', 'allow', 'almost', 'alone',
+  'alpha', 'already', 'also', 'alter', 'always', 'amateur', 'amazing', 'among',
+  'amount', 'amused', 'analyst', 'anchor', 'ancient', 'anger', 'angle', 'angry',
+  'animal', 'ankle', 'announce', 'annual', 'another', 'answer', 'antenna',
+  'antique', 'anxiety', 'any', 'apart', 'apology', 'appear', 'apple', 'approve',
+  'april', 'arch', 'arctic', 'area', 'arena', 'argue', 'arm', 'armed', 'armor',
+  'army', 'around', 'arrest', 'arrive', 'arrow', 'art', 'artist', 'artwork',
+  'ask', 'aspect', 'assault', 'asset', 'assist', 'assume', 'asthma', 'athlete',
+  'atom', 'attack', 'attend', 'attitude', 'attract', 'auction', 'audit', 'august',
+  'aunt', 'author', 'auto', 'autumn', 'average', 'avocado', 'avoid', 'awake',
+  'aware', 'awesome', 'awful', 'awkward', 'axis', 'baby', 'bachelor', 'bacon',
+  'badge', 'bag', 'balance', 'balcony', 'ball', 'bamboo', 'banana', 'banner',
+  'bar', 'barely', 'bargain', 'barrel', 'base', 'basic', 'basket', 'battle',
+  'beach', 'bean', 'beauty', 'because', 'become', 'beef', 'before', 'begin',
+  'behave', 'behind', 'believe', 'below', 'bench', 'benefit', 'best', 'betray',
+  'better', 'between', 'beyond', 'bicycle', 'bid', 'bike', 'bind', 'biology',
+  'bird', 'birth', 'bitter', 'black', 'blade', 'blame', 'blanket', 'blast'
+]
+
+export function generateMnemonic(): string {
+  const entropy = crypto.randomBytes(16)
+  const words: string[] = []
+  for (let i = 0; i < 32; i++) {
+    words.push(BIP39_WORDLIST[entropy[i]! % BIP39_WORDLIST.length])
+  }
+  return words.slice(0, 12).join(' ')
+}
+
+export function validateMnemonic(mnemonic: string): boolean {
+  const words = mnemonic.trim().toLowerCase().split(/\s+/)
+  if (words.length !== 12) return false
+  return words.every(w => BIP39_WORDLIST.includes(w))
+}
+
+export function derivePkFromMnemonic(mnemonic: string): Buffer {
+  return crypto.pbkdf2Sync(
+    mnemonic.toLowerCase().trim(),
+    'humanenv-server-v1',
+    PBKDF2_ITERATIONS,
+    PK_KEY_LENGTH,
+    'sha256'
+  ) as any
+}
+
+export function hashPkForVerification(pk: Buffer): string {
+  return crypto.createHash('sha256').update(pk as any).digest('hex')
+}
+
+export function encryptWithPk(value: string, pk: Buffer, aad: string): string {
+  const iv = crypto.randomBytes(12)
+  const cipher = crypto.createCipheriv('aes-256-gcm', pk as any, iv as any)
+  cipher.setAAD(crypto.createHash('sha256').update(aad).digest() as any)
+  const encrypted = Buffer.concat([cipher.update(value, 'utf8') as any, cipher.final() as any])
+  const tag = cipher.getAuthTag()
+  return Buffer.concat([iv as any, tag as any, encrypted as any]).toString('base64')
+}
+
+export function decryptWithPk(encryptedBase64: string, pk: Buffer, aad: string): string {
+  const buf = Buffer.from(encryptedBase64, 'base64')
+  const iv = buf.subarray(0, 12) as any
+  const tag = buf.subarray(12, 28) as any
+  const ciphertext = buf.subarray(28) as any
+  const decipher = crypto.createDecipheriv('aes-256-gcm', pk as any, iv as any)
+  decipher.setAAD(crypto.createHash('sha256').update(aad).digest() as any)
+  decipher.setAuthTag(tag)
+  const decrypted = Buffer.concat([decipher.update(ciphertext) as any, decipher.final() as any])
+  return decrypted.toString('utf8')
+}
+
+export function generateFingerprint(): string {
+  const components = [
+    process.env.HOSTNAME || 'unknown-host',
+    process.platform,
+    process.arch,
+    process.version,
+  ]
+  return crypto
+    .createHash('sha256')
+    .update(components.join('|'))
+    .digest('hex')
+    .slice(0, 16)
+}

package/packages/shared/src/errors.ts

@@ -0,0 +1,32 @@
+export enum ErrorCode {
+  SERVER_PK_NOT_AVAILABLE = 'SERVER_PK_NOT_AVAILABLE',
+  CLIENT_AUTH_INVALID_PROJECT_NAME = 'CLIENT_AUTH_INVALID_PROJECT_NAME',
+  CLIENT_AUTH_NOT_WHITELISTED = 'CLIENT_AUTH_NOT_WHITELISTED',
+  CLIENT_AUTH_INVALID_API_KEY = 'CLIENT_AUTH_INVALID_API_KEY',
+  CLIENT_CONN_MAX_RETRIES_EXCEEDED = 'CLIENT_CONN_MAX_RETRIES_EXCEEDED',
+  ENV_API_MODE_ONLY = 'ENV_API_MODE_ONLY',
+  SERVER_INTERNAL_ERROR = 'SERVER_INTERNAL_ERROR',
+  WS_CONNECTION_FAILED = 'WS_CONNECTION_FAILED',
+  DB_OPERATION_FAILED = 'DB_OPERATION_FAILED',
+}
+
+export const ErrorMessages: Record<ErrorCode, string> = {
+  SERVER_PK_NOT_AVAILABLE: 'Server private key is not available. Restart pending.',
+  CLIENT_AUTH_INVALID_PROJECT_NAME: 'Invalid or unknown project name.',
+  CLIENT_AUTH_NOT_WHITELISTED: 'Client fingerprint is not whitelisted for this project.',
+  CLIENT_AUTH_INVALID_API_KEY: 'Invalid or expired API key.',
+  CLIENT_CONN_MAX_RETRIES_EXCEEDED: 'Maximum WS connection retries exceeded.',
+  ENV_API_MODE_ONLY: 'This env is API-mode only and cannot be accessed via CLI.',
+  SERVER_INTERNAL_ERROR: 'An internal server error occurred.',
+  WS_CONNECTION_FAILED: 'Failed to establish WebSocket connection.',
+  DB_OPERATION_FAILED: 'Database operation failed.',
+}
+
+export class HumanEnvError extends Error {
+  public readonly code: ErrorCode
+  constructor(code: ErrorCode, message?: string) {
+    super(message ?? ErrorMessages[code])
+    this.name = 'HumanEnvError'
+    this.code = code
+  }
+}

package/packages/shared/src/index.ts

@@ -0,0 +1,3 @@
+export * from './errors'
+export * from './types'
+export * from './crypto'

package/packages/shared/src/types.ts

@@ -0,0 +1,119 @@
+// ============================================================
+// Domain models
+// ============================================================
+
+export interface Project {
+  id: string
+  name: string
+  createdAt: number
+}
+
+export interface Env {
+  id: string
+  projectId: string
+  key: string
+  encryptedValue: string
+  apiModeOnly: boolean
+  createdAt: number
+}
+
+export interface ApiKey {
+  id: string
+  projectId: string
+  encryptedValue: string
+  ttl?: number
+  expiresAt?: number
+  createdAt: number
+}
+
+export interface WhitelistEntry {
+  id: string
+  projectId: string
+  fingerprint: string
+  status: 'pending' | 'approved' | 'rejected'
+  createdAt: number
+}
+
+// ============================================================
+// WebSocket message types
+// ============================================================
+
+export type WsMessage =
+  | { type: 'auth'; payload: AuthPayload }
+  | { type: 'auth_response'; payload: AuthResponse }
+  | { type: 'get'; payload: { key: string } }
+  | { type: 'get_response'; payload: { key: string; value: string } | { error: string; code: string } }
+  | { type: 'set'; payload: { key: string; value: string } }
+  | { type: 'set_response'; payload: { success: boolean } | { error: string; code: string } }
+  | { type: 'generate_api_key'; payload: { projectName: string } }
+  | { type: 'apikey_request'; payload: { clientFingerprint: string; projectName: string } }
+  | { type: 'apikey_response'; payload: { success: boolean; apiKey?: string } | { error: string; code: string } }
+  | { type: 'whitelist_request'; payload: { fingerprint: string; projectName: string } }
+  | { type: 'whitelist_response'; payload: { fingerprint: string; approved: boolean } }
+  | { type: 'disconnect'; payload?: never }
+  | { type: 'ping'; payload?: never }
+  | { type: 'pong'; payload?: never }
+
+export interface AuthPayload {
+  projectName: string
+  apiKey: string
+  fingerprint: string
+}
+
+export interface AuthResponse {
+  success: boolean
+  whitelisted: boolean
+  status?: 'approved' | 'pending' | 'rejected'
+  error?: string
+  code?: string
+}
+
+// ============================================================
+// Client library config
+// ============================================================
+
+export interface ClientConfig {
+  serverUrl: string
+  projectName: string
+  projectApiKey?: string
+  maxRetries?: number
+}
+
+export interface ServerConfig {
+  port: number
+  basicAuth?: { username: string; password: string }
+  dataDir: string
+  dbUri?: string
+}
+
+export type CredentialStore = {
+  projectName: string
+  serverUrl: string
+  apiKey?: string
+}
+
+export interface SkillMetadata {
+  name: string
+  description: string
+  category?: string
+}
+
+export const SKILL_CONTENT = `---
+name: humanenv-usage
+description: Use humanenv to retrieve sensitives/envs. Never log/read sensitives from humanenv. They are envs for humans only.
+---
+
+## How to retrieve sensitives
+
+### JavaScript API
+Use \`humanenv.get('key')\` inside your application. The returned value must be used immediately and then set to \`null\` to prevent memory leaks.
+
+### CLI (non-TTY mode)
+Only non-API-mode envs are accessible. Do not attempt to use this to log or dump all envs.
+
+## Rules
+1. NEVER log env values retrieved from humanenv
+2. NEVER dump or export multiple values at once
+3. ALWAYS null variables after use
+4. NEVER write sensitives to files
+5. Do not generate scripts that use humanenv in loops or to exfiltrate data`