keyra-cli 0.1.0 → 0.1.1

package/cli/src/commands/push.ts

@@ -1,118 +0,0 @@
-import { Command } from 'commander';
-import chalk from 'chalk';
-import { requireAuth, requireProjectConfig } from '../lib/config.js';
-import { upsertVaultEntries, getProjects } from '../lib/api.js';
-import { readEnvFile } from '../lib/env-file.js';
-import { encrypt, decrypt } from '../lib/encryption.js';
-import { success, error, warning, spinner, promptSecret } from '../lib/ui.js';
-
-export const pushCommand = new Command('push')
-  .description('Push local .env to vault')
-  .action(async () => {
-    let config;
-    try {
-      config = requireAuth();
-    } catch (err: any) {
-      error(err.message);
-      return;
-    }
-
-    let projectConfig;
-    try {
-      projectConfig = requireProjectConfig();
-    } catch (err: any) {
-      error(err.message);
-      return;
-    }
-
-    const envData = readEnvFile();
-    if (!envData) {
-      warning('No .env file found in current directory.');
-      return;
-    }
-
-    const vars = envData.vars;
-    const varCount = Object.keys(vars).length;
-
-    if (varCount === 0) {
-      warning('No variables found in .env file.');
-      return;
-    }
-
-    // Check if project has a password
-    let projectPassword: string | null = null;
-    try {
-      const projects = await getProjects();
-      const project = projects.find((p) => p.id === projectConfig.projectId);
-      if (project?.has_project_password) {
-        projectPassword = await promptSecret('Project password: ');
-        const blob = JSON.parse(project.project_password_salt as string) as { encrypted: string; iv: string; salt: string; authTag: string };
-        try {
-          const result = decrypt(blob.encrypted, blob.iv, blob.salt, blob.authTag, projectPassword);
-          if (result !== 'keyra-verified') {
-            error('Incorrect project password');
-            return;
-          }
-        } catch {
-          error('Incorrect project password');
-          return;
-        }
-      }
-    } catch (err: any) {
-      error('Failed to fetch project info: ' + err.message);
-      return;
-    }
-
-    const s = spinner('Encrypting and uploading ' + varCount + ' variable' + (varCount !== 1 ? 's' : '') + '...');
-    s.start();
-
-    try {
-      const entries = Object.entries(vars).map(([key, value]) => {
-        let encrypted;
-        if (projectPassword) {
-          // Double encrypt: inner with project password, outer with vault passphrase
-          const inner = encrypt(value, projectPassword);
-          const innerJson = JSON.stringify(inner);
-          encrypted = encrypt(innerJson, config.passphrase);
-        } else {
-          encrypted = encrypt(value, config.passphrase);
-        }
-        return {
-          key_name: key,
-          encrypted_value: encrypted.encrypted,
-          iv: encrypted.iv,
-          salt: encrypted.salt,
-          auth_tag: encrypted.authTag,
-          category: guessCategory(key),
-        };
-      });
-
-      await upsertVaultEntries(projectConfig.projectId, entries);
-      s.stop();
-      success(
-        'Pushed ' + varCount + ' variable' + (varCount !== 1 ? 's' : '') + ' to vault ' + chalk.dim('(' + projectConfig.projectName + ')')
-      );
-    } catch (err: any) {
-      s.stop();
-      error(err.message);
-    }
-  });
-
-function guessCategory(key: string): string {
-  const k = key.toUpperCase();
-  if (k.includes('OPENAI') || k.includes('ANTHROPIC') || k.includes('AI'))
-    return 'ai';
-  if (k.includes('DATABASE') || k.includes('DB_') || k.includes('POSTGRES') || k.includes('MYSQL') || k.includes('MONGO') || k.includes('REDIS') || k.includes('SUPABASE'))
-    return 'database';
-  if (k.includes('AUTH') || k.includes('JWT') || k.includes('SESSION') || k.includes('NEXTAUTH') || k.includes('CLERK'))
-    return 'auth';
-  if (k.includes('STRIPE') || k.includes('PAYMENT') || k.includes('PAYPAL'))
-    return 'payment';
-  if (k.includes('VERCEL') || k.includes('AWS') || k.includes('GCP') || k.includes('AZURE') || k.includes('HEROKU'))
-    return 'hosting';
-  if (k.includes('SMTP') || k.includes('EMAIL') || k.includes('SENDGRID') || k.includes('RESEND') || k.includes('MAILGUN'))
-    return 'email';
-  if (k.includes('ANALYTICS') || k.includes('MIXPANEL') || k.includes('GA_') || k.includes('POSTHOG') || k.includes('SENTRY'))
-    return 'analytics';
-  return 'general';
-}

package/cli/src/commands/scan.ts

@@ -1,145 +0,0 @@
-import { Command } from 'commander';
-import fs from 'fs';
-import path from 'path';
-import crypto from 'crypto';
-import chalk from 'chalk';
-import { success, error, warning, info, spinner, printBox } from '../lib/ui.js';
-import { requireAuth } from '../lib/config.js';
-import { decrypt } from '../lib/encryption.js';
-import { apiGet } from '../lib/api.js';
-
-async function checkHibp(value: string): Promise<number> {
-  const hash = crypto.createHash('sha1').update(value).digest('hex').toUpperCase();
-  const prefix = hash.slice(0, 5);
-  const suffix = hash.slice(5);
-
-  try {
-    const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
-      headers: { 'Add-Padding': 'true' },
-    });
-    if (!res.ok) return 0;
-    const text = await res.text();
-    for (const line of text.split('\n')) {
-      const [lineSuffix, countStr] = line.trim().split(':');
-      if (lineSuffix === suffix) return parseInt(countStr, 10) || 0;
-    }
-    return 0;
-  } catch {
-    return 0;
-  }
-}
-
-async function parseEnvFile(filePath: string): Promise<Record<string, string>> {
-  const content = fs.readFileSync(filePath, 'utf-8');
-  const result: Record<string, string> = {};
-  for (const line of content.split('\n')) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
-    const eqIdx = trimmed.indexOf('=');
-    if (eqIdx === -1) continue;
-    const key = trimmed.slice(0, eqIdx).trim();
-    const value = trimmed.slice(eqIdx + 1).trim().replace(/^['"]|['"]$/g, '');
-    if (key && value) result[key] = value;
-  }
-  return result;
-}
-
-export const scanCommand = new Command('scan')
-  .description('Check secrets for known data breaches using HaveIBeenPwned')
-  .option('-f, --file <path>', 'Path to .env file to scan', '.env')
-  .option('--project <id>', 'Scan a vault project instead of a local file')
-  .action(async (opts) => {
-    const s = spinner('Preparing scan...').start();
-
-    let secrets: Record<string, string> = {};
-
-    if (opts.project) {
-      // Scan from vault
-      const config = requireAuth();
-      try {
-        const entries = await apiGet(`/api/vault?project_id=${opts.project}`);
-        for (const entry of entries) {
-          try {
-            const value = decrypt(
-              entry.encrypted_value,
-              entry.iv,
-              entry.salt,
-              entry.auth_tag,
-              config.passphrase
-            );
-            secrets[entry.key_name] = value;
-          } catch {
-            // skip undecrytable entries
-          }
-        }
-      } catch (err: any) {
-        s.fail('Failed to fetch vault entries.');
-        error(err.message);
-        process.exit(1);
-      }
-    } else {
-      // Scan local .env file
-      const filePath = path.resolve(process.cwd(), opts.file);
-      if (!fs.existsSync(filePath)) {
-        s.fail(`File not found: ${filePath}`);
-        process.exit(1);
-      }
-      try {
-        secrets = await parseEnvFile(filePath);
-      } catch {
-        s.fail(`Failed to read ${opts.file}`);
-        process.exit(1);
-      }
-    }
-
-    const keys = Object.keys(secrets);
-    if (keys.length === 0) {
-      s.stop();
-      info('No secrets found to scan.');
-      return;
-    }
-
-    s.text = `Scanning ${keys.length} secret${keys.length === 1 ? '' : 's'} against breach databases...`;
-
-    const breached: { key: string; count: number }[] = [];
-
-    for (const key of keys) {
-      const value = secrets[key];
-      // Skip empty or very short values (env flags, etc.)
-      if (!value || value.length < 8) continue;
-      const count = await checkHibp(value);
-      if (count > 0) {
-        breached.push({ key, count });
-      }
-    }
-
-    s.stop();
-    console.log('');
-
-    if (breached.length === 0) {
-      printBox(
-        chalk.green.bold('No breaches detected') +
-          '\n\n' +
-          chalk.dim(`Scanned ${keys.length} secret${keys.length === 1 ? '' : 's'} · 0 found in breach databases`),
-        'green'
-      );
-    } else {
-      printBox(
-        chalk.red.bold(`${breached.length} secret${breached.length === 1 ? '' : 's'} found in breach databases`) +
-          '\n\n' +
-          breached
-            .map(
-              ({ key, count }) =>
-                chalk.red('✗') +
-                ' ' +
-                chalk.bold(key) +
-                chalk.dim(` — seen ${count.toLocaleString()} times`)
-            )
-            .join('\n') +
-          '\n\n' +
-          chalk.yellow('Rotate these secrets immediately.'),
-        'red'
-      );
-      process.exit(1);
-    }
-  });

package/cli/src/commands/share.ts

@@ -1,84 +0,0 @@
-import { Command } from 'commander';
-import crypto from 'crypto';
-import chalk from 'chalk';
-import { requireAuth, requireProjectConfig } from '../lib/config.js';
-import { createShareLink } from '../lib/api.js';
-import { readEnvFile, toEnvFileString } from '../lib/env-file.js';
-import { encrypt } from '../lib/encryption.js';
-import { error, warning, spinner, printBox } from '../lib/ui.js';
-
-export const shareCommand = new Command('share')
-  .description('Create an encrypted share link for your .env')
-  .action(async () => {
-    let config;
-    try {
-      config = requireAuth();
-    } catch (err: any) {
-      error(err.message);
-      return;
-    }
-
-    let projectConfig;
-    try {
-      projectConfig = requireProjectConfig();
-    } catch (err: any) {
-      error(err.message);
-      return;
-    }
-
-    const envData = readEnvFile();
-    if (!envData) {
-      warning('No .env file found in current directory.');
-      return;
-    }
-
-    const varCount = Object.keys(envData.vars).length;
-    if (varCount === 0) {
-      warning('No variables found in .env file.');
-      return;
-    }
-
-    const s = spinner('Creating share link...');
-    s.start();
-
-    try {
-      // Generate a one-time passphrase (NOT the user's vault passphrase)
-      const oneTimeKey = crypto.randomBytes(32).toString('hex');
-
-      // Encrypt the entire .env content with the one-time key
-      const envContent = toEnvFileString(envData.vars);
-      const encrypted = encrypt(envContent, oneTimeKey);
-
-      const result = await createShareLink({
-        project_id: projectConfig.projectId,
-        encrypted_data: encrypted.encrypted,
-        iv: encrypted.iv,
-        salt: encrypted.salt,
-        auth_tag: encrypted.authTag,
-      });
-
-      s.stop();
-
-      const shareUrl = result.url || `${config.apiUrl}/share/${result.token}`;
-
-      printBox(
-        chalk.green.bold('Share link created!') +
-          chalk.dim(` (${varCount} variables)`) +
-          '\n\n' +
-          chalk.white.bold('Link ') +
-          chalk.dim('(expires in 24h, viewable once):') +
-          '\n' +
-          chalk.cyan(shareUrl) +
-          '\n\n' +
-          chalk.white.bold('Decryption key ') +
-          chalk.dim('(send separately!):') +
-          '\n' +
-          chalk.yellow(oneTimeKey) +
-          '\n\n' +
-          chalk.yellow('⚠ The link and key should be sent via different channels for security.')
-      );
-    } catch (err: any) {
-      s.stop();
-      error(err.message);
-    }
-  });

package/cli/src/commands/status.ts

@@ -1,91 +0,0 @@
-import { Command } from 'commander';
-import chalk from 'chalk';
-import {
-  isLoggedIn,
-  requireAuth,
-  loadProjectConfig,
-} from '../lib/config.js';
-import { getVaultEntries } from '../lib/api.js';
-import { readEnvFile } from '../lib/env-file.js';
-import { error, info, spinner } from '../lib/ui.js';
-
-export const statusCommand = new Command('status')
-  .description('Show current project status')
-  .action(async () => {
-    const projectConfig = loadProjectConfig();
-
-    if (!projectConfig) {
-      info('Not in a Keyra project. Run `keyra init` first.');
-      return;
-    }
-
-    console.log();
-    console.log(chalk.bold('  Keyra Status'));
-    console.log(chalk.dim(`  ${'─'.repeat(40)}`));
-    console.log(`  ${chalk.dim('Project:')}  ${chalk.green(projectConfig.projectName)}`);
-    console.log(`  ${chalk.dim('ID:')}       ${chalk.dim(projectConfig.projectId)}`);
-
-    if (!isLoggedIn()) {
-      console.log();
-      info('Not logged in. Run `keyra login` to sync.');
-      return;
-    }
-
-    let config;
-    try {
-      config = requireAuth();
-    } catch (err: any) {
-      error(err.message);
-      return;
-    }
-
-    const s = spinner('Checking vault...');
-    s.start();
-
-    try {
-      const entries = await getVaultEntries(projectConfig.projectId);
-      s.stop();
-
-      console.log(`  ${chalk.dim('Vault:')}    ${entries.length} variable${entries.length !== 1 ? 's' : ''}`);
-
-      // Compare with local .env
-      const envData = readEnvFile();
-      if (envData) {
-        const localKeys = new Set(Object.keys(envData.vars));
-        const vaultKeys = new Set(entries.map((e) => e.key_name));
-
-        const onlyLocal = [...localKeys].filter((k) => !vaultKeys.has(k));
-        const onlyVault = [...vaultKeys].filter((k) => !localKeys.has(k));
-        const inBoth = [...localKeys].filter((k) => vaultKeys.has(k));
-
-        console.log(`  ${chalk.dim('Local:')}    ${localKeys.size} variable${localKeys.size !== 1 ? 's' : ''} (${envData.filename})`);
-        console.log();
-
-        if (onlyLocal.length === 0 && onlyVault.length === 0) {
-          console.log(chalk.green('  ✓ Local and vault keys are in sync'));
-        } else {
-          if (onlyLocal.length > 0) {
-            console.log(
-              chalk.yellow(
-                `  ⚠ ${onlyLocal.length} key${onlyLocal.length !== 1 ? 's' : ''} only in local: ${onlyLocal.join(', ')}`
-              )
-            );
-          }
-          if (onlyVault.length > 0) {
-            console.log(
-              chalk.yellow(
-                `  ⚠ ${onlyVault.length} key${onlyVault.length !== 1 ? 's' : ''} only in vault: ${onlyVault.join(', ')}`
-              )
-            );
-          }
-        }
-      } else {
-        console.log(`  ${chalk.dim('Local:')}    ${chalk.yellow('no .env file found')}`);
-      }
-
-      console.log();
-    } catch (err: any) {
-      s.stop();
-      error(err.message);
-    }
-  });

package/cli/src/commands/validate.ts

@@ -1,101 +0,0 @@
-import { Command } from 'commander';
-import chalk from 'chalk';
-import { requireAuth, requireProjectConfig } from '../lib/config.js';
-import { getVaultEntries } from '../lib/api.js';
-import { readEnvFile } from '../lib/env-file.js';
-import { error, warning, spinner, printTable } from '../lib/ui.js';
-
-export const validateCommand = new Command('validate')
-  .description('Check local .env has all required vault variables')
-  .action(async () => {
-    let projectConfig;
-    try {
-      projectConfig = requireProjectConfig();
-    } catch (err: any) {
-      error(err.message);
-      process.exit(1);
-      return;
-    }
-
-    // Need auth to fetch vault key names
-    let config;
-    try {
-      config = requireAuth();
-    } catch (err: any) {
-      error(err.message);
-      process.exit(1);
-      return;
-    }
-
-    const s = spinner('Checking vault...');
-    s.start();
-
-    let entries;
-    try {
-      entries = await getVaultEntries(projectConfig.projectId);
-      s.stop();
-    } catch (err: any) {
-      s.stop();
-      error(err.message);
-      process.exit(1);
-      return;
-    }
-
-    if (entries.length === 0) {
-      warning('No variables in vault to validate against.');
-      return;
-    }
-
-    const envData = readEnvFile();
-    const localVars = envData?.vars ?? {};
-
-    const rows: { key: string; value: string; status: string }[] = [];
-    let passed = 0;
-    let issues = 0;
-
-    for (const entry of entries) {
-      const localValue = localVars[entry.key_name];
-      if (localValue === undefined) {
-        rows.push({
-          key: entry.key_name,
-          value: 'MISSING',
-          status: 'missing',
-        });
-        issues++;
-      } else if (localValue.trim() === '') {
-        rows.push({
-          key: entry.key_name,
-          value: 'EMPTY',
-          status: 'empty',
-        });
-        issues++;
-      } else {
-        rows.push({
-          key: entry.key_name,
-          value: 'present',
-          status: 'present',
-        });
-        passed++;
-      }
-    }
-
-    console.log();
-    printTable(rows);
-    console.log();
-
-    const total = entries.length;
-    if (issues === 0) {
-      console.log(
-        chalk.green.bold(`  ${passed} of ${total} checks passed. All good!`)
-      );
-    } else {
-      console.log(
-        chalk.yellow(
-          `  ${passed} of ${total} checks passed. ${issues} issue${issues !== 1 ? 's' : ''} found.`
-        )
-      );
-    }
-
-    console.log();
-    process.exit(issues > 0 ? 1 : 0);
-  });

package/cli/src/index.ts

@@ -1,38 +0,0 @@
-#!/usr/bin/env node
-import { Command } from 'commander';
-import chalk from 'chalk';
-import { loginCommand } from './commands/login.js';
-import { logoutCommand } from './commands/logout.js';
-import { initCommand } from './commands/init.js';
-import { pushCommand } from './commands/push.js';
-import { pullCommand } from './commands/pull.js';
-import { validateCommand } from './commands/validate.js';
-import { shareCommand } from './commands/share.js';
-import { listCommand } from './commands/list.js';
-import { statusCommand } from './commands/status.js';
-import { guardCommand } from './commands/guard.js';
-import { scanCommand } from './commands/scan.js';
-
-const program = new Command();
-
-program
-  .name('keyra')
-  .description('Encrypted .env vault. Sync, share, never lose an API key.')
-  .version('0.1.0');
-
-program.addCommand(loginCommand);
-program.addCommand(logoutCommand);
-program.addCommand(initCommand);
-program.addCommand(pushCommand);
-program.addCommand(pullCommand);
-program.addCommand(validateCommand);
-program.addCommand(shareCommand);
-program.addCommand(listCommand);
-program.addCommand(statusCommand);
-program.addCommand(guardCommand);
-program.addCommand(scanCommand);
-
-program.parseAsync(process.argv).catch((err) => {
-  console.error(chalk.red('Error:'), err.message);
-  process.exit(1);
-});