keyra-cli 0.1.0

package/cli/src/commands/scan.ts

@@ -0,0 +1,145 @@
+import { Command } from 'commander';
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+import chalk from 'chalk';
+import { success, error, warning, info, spinner, printBox } from '../lib/ui.js';
+import { requireAuth } from '../lib/config.js';
+import { decrypt } from '../lib/encryption.js';
+import { apiGet } from '../lib/api.js';
+
+async function checkHibp(value: string): Promise<number> {
+  const hash = crypto.createHash('sha1').update(value).digest('hex').toUpperCase();
+  const prefix = hash.slice(0, 5);
+  const suffix = hash.slice(5);
+
+  try {
+    const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
+      headers: { 'Add-Padding': 'true' },
+    });
+    if (!res.ok) return 0;
+    const text = await res.text();
+    for (const line of text.split('\n')) {
+      const [lineSuffix, countStr] = line.trim().split(':');
+      if (lineSuffix === suffix) return parseInt(countStr, 10) || 0;
+    }
+    return 0;
+  } catch {
+    return 0;
+  }
+}
+
+async function parseEnvFile(filePath: string): Promise<Record<string, string>> {
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const result: Record<string, string> = {};
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const value = trimmed.slice(eqIdx + 1).trim().replace(/^['"]|['"]$/g, '');
+    if (key && value) result[key] = value;
+  }
+  return result;
+}
+
+export const scanCommand = new Command('scan')
+  .description('Check secrets for known data breaches using HaveIBeenPwned')
+  .option('-f, --file <path>', 'Path to .env file to scan', '.env')
+  .option('--project <id>', 'Scan a vault project instead of a local file')
+  .action(async (opts) => {
+    const s = spinner('Preparing scan...').start();
+
+    let secrets: Record<string, string> = {};
+
+    if (opts.project) {
+      // Scan from vault
+      const config = requireAuth();
+      try {
+        const entries = await apiGet(`/api/vault?project_id=${opts.project}`);
+        for (const entry of entries) {
+          try {
+            const value = decrypt(
+              entry.encrypted_value,
+              entry.iv,
+              entry.salt,
+              entry.auth_tag,
+              config.passphrase
+            );
+            secrets[entry.key_name] = value;
+          } catch {
+            // skip undecrytable entries
+          }
+        }
+      } catch (err: any) {
+        s.fail('Failed to fetch vault entries.');
+        error(err.message);
+        process.exit(1);
+      }
+    } else {
+      // Scan local .env file
+      const filePath = path.resolve(process.cwd(), opts.file);
+      if (!fs.existsSync(filePath)) {
+        s.fail(`File not found: ${filePath}`);
+        process.exit(1);
+      }
+      try {
+        secrets = await parseEnvFile(filePath);
+      } catch {
+        s.fail(`Failed to read ${opts.file}`);
+        process.exit(1);
+      }
+    }
+
+    const keys = Object.keys(secrets);
+    if (keys.length === 0) {
+      s.stop();
+      info('No secrets found to scan.');
+      return;
+    }
+
+    s.text = `Scanning ${keys.length} secret${keys.length === 1 ? '' : 's'} against breach databases...`;
+
+    const breached: { key: string; count: number }[] = [];
+
+    for (const key of keys) {
+      const value = secrets[key];
+      // Skip empty or very short values (env flags, etc.)
+      if (!value || value.length < 8) continue;
+      const count = await checkHibp(value);
+      if (count > 0) {
+        breached.push({ key, count });
+      }
+    }
+
+    s.stop();
+    console.log('');
+
+    if (breached.length === 0) {
+      printBox(
+        chalk.green.bold('No breaches detected') +
+          '\n\n' +
+          chalk.dim(`Scanned ${keys.length} secret${keys.length === 1 ? '' : 's'} · 0 found in breach databases`),
+        'green'
+      );
+    } else {
+      printBox(
+        chalk.red.bold(`${breached.length} secret${breached.length === 1 ? '' : 's'} found in breach databases`) +
+          '\n\n' +
+          breached
+            .map(
+              ({ key, count }) =>
+                chalk.red('✗') +
+                ' ' +
+                chalk.bold(key) +
+                chalk.dim(` — seen ${count.toLocaleString()} times`)
+            )
+            .join('\n') +
+          '\n\n' +
+          chalk.yellow('Rotate these secrets immediately.'),
+        'red'
+      );
+      process.exit(1);
+    }
+  });

package/cli/src/commands/share.ts

@@ -0,0 +1,84 @@
+import { Command } from 'commander';
+import crypto from 'crypto';
+import chalk from 'chalk';
+import { requireAuth, requireProjectConfig } from '../lib/config.js';
+import { createShareLink } from '../lib/api.js';
+import { readEnvFile, toEnvFileString } from '../lib/env-file.js';
+import { encrypt } from '../lib/encryption.js';
+import { error, warning, spinner, printBox } from '../lib/ui.js';
+
+export const shareCommand = new Command('share')
+  .description('Create an encrypted share link for your .env')
+  .action(async () => {
+    let config;
+    try {
+      config = requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    let projectConfig;
+    try {
+      projectConfig = requireProjectConfig();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    const envData = readEnvFile();
+    if (!envData) {
+      warning('No .env file found in current directory.');
+      return;
+    }
+
+    const varCount = Object.keys(envData.vars).length;
+    if (varCount === 0) {
+      warning('No variables found in .env file.');
+      return;
+    }
+
+    const s = spinner('Creating share link...');
+    s.start();
+
+    try {
+      // Generate a one-time passphrase (NOT the user's vault passphrase)
+      const oneTimeKey = crypto.randomBytes(32).toString('hex');
+
+      // Encrypt the entire .env content with the one-time key
+      const envContent = toEnvFileString(envData.vars);
+      const encrypted = encrypt(envContent, oneTimeKey);
+
+      const result = await createShareLink({
+        project_id: projectConfig.projectId,
+        encrypted_data: encrypted.encrypted,
+        iv: encrypted.iv,
+        salt: encrypted.salt,
+        auth_tag: encrypted.authTag,
+      });
+
+      s.stop();
+
+      const shareUrl = result.url || `${config.apiUrl}/share/${result.token}`;
+
+      printBox(
+        chalk.green.bold('Share link created!') +
+          chalk.dim(` (${varCount} variables)`) +
+          '\n\n' +
+          chalk.white.bold('Link ') +
+          chalk.dim('(expires in 24h, viewable once):') +
+          '\n' +
+          chalk.cyan(shareUrl) +
+          '\n\n' +
+          chalk.white.bold('Decryption key ') +
+          chalk.dim('(send separately!):') +
+          '\n' +
+          chalk.yellow(oneTimeKey) +
+          '\n\n' +
+          chalk.yellow('⚠ The link and key should be sent via different channels for security.')
+      );
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+    }
+  });

package/cli/src/commands/status.ts

@@ -0,0 +1,91 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import {
+  isLoggedIn,
+  requireAuth,
+  loadProjectConfig,
+} from '../lib/config.js';
+import { getVaultEntries } from '../lib/api.js';
+import { readEnvFile } from '../lib/env-file.js';
+import { error, info, spinner } from '../lib/ui.js';
+
+export const statusCommand = new Command('status')
+  .description('Show current project status')
+  .action(async () => {
+    const projectConfig = loadProjectConfig();
+
+    if (!projectConfig) {
+      info('Not in a Keyra project. Run `keyra init` first.');
+      return;
+    }
+
+    console.log();
+    console.log(chalk.bold('  Keyra Status'));
+    console.log(chalk.dim(`  ${'─'.repeat(40)}`));
+    console.log(`  ${chalk.dim('Project:')}  ${chalk.green(projectConfig.projectName)}`);
+    console.log(`  ${chalk.dim('ID:')}       ${chalk.dim(projectConfig.projectId)}`);
+
+    if (!isLoggedIn()) {
+      console.log();
+      info('Not logged in. Run `keyra login` to sync.');
+      return;
+    }
+
+    let config;
+    try {
+      config = requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      return;
+    }
+
+    const s = spinner('Checking vault...');
+    s.start();
+
+    try {
+      const entries = await getVaultEntries(projectConfig.projectId);
+      s.stop();
+
+      console.log(`  ${chalk.dim('Vault:')}    ${entries.length} variable${entries.length !== 1 ? 's' : ''}`);
+
+      // Compare with local .env
+      const envData = readEnvFile();
+      if (envData) {
+        const localKeys = new Set(Object.keys(envData.vars));
+        const vaultKeys = new Set(entries.map((e) => e.key_name));
+
+        const onlyLocal = [...localKeys].filter((k) => !vaultKeys.has(k));
+        const onlyVault = [...vaultKeys].filter((k) => !localKeys.has(k));
+        const inBoth = [...localKeys].filter((k) => vaultKeys.has(k));
+
+        console.log(`  ${chalk.dim('Local:')}    ${localKeys.size} variable${localKeys.size !== 1 ? 's' : ''} (${envData.filename})`);
+        console.log();
+
+        if (onlyLocal.length === 0 && onlyVault.length === 0) {
+          console.log(chalk.green('  ✓ Local and vault keys are in sync'));
+        } else {
+          if (onlyLocal.length > 0) {
+            console.log(
+              chalk.yellow(
+                `  ⚠ ${onlyLocal.length} key${onlyLocal.length !== 1 ? 's' : ''} only in local: ${onlyLocal.join(', ')}`
+              )
+            );
+          }
+          if (onlyVault.length > 0) {
+            console.log(
+              chalk.yellow(
+                `  ⚠ ${onlyVault.length} key${onlyVault.length !== 1 ? 's' : ''} only in vault: ${onlyVault.join(', ')}`
+              )
+            );
+          }
+        }
+      } else {
+        console.log(`  ${chalk.dim('Local:')}    ${chalk.yellow('no .env file found')}`);
+      }
+
+      console.log();
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+    }
+  });

package/cli/src/commands/validate.ts

@@ -0,0 +1,101 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import { requireAuth, requireProjectConfig } from '../lib/config.js';
+import { getVaultEntries } from '../lib/api.js';
+import { readEnvFile } from '../lib/env-file.js';
+import { error, warning, spinner, printTable } from '../lib/ui.js';
+
+export const validateCommand = new Command('validate')
+  .description('Check local .env has all required vault variables')
+  .action(async () => {
+    let projectConfig;
+    try {
+      projectConfig = requireProjectConfig();
+    } catch (err: any) {
+      error(err.message);
+      process.exit(1);
+      return;
+    }
+
+    // Need auth to fetch vault key names
+    let config;
+    try {
+      config = requireAuth();
+    } catch (err: any) {
+      error(err.message);
+      process.exit(1);
+      return;
+    }
+
+    const s = spinner('Checking vault...');
+    s.start();
+
+    let entries;
+    try {
+      entries = await getVaultEntries(projectConfig.projectId);
+      s.stop();
+    } catch (err: any) {
+      s.stop();
+      error(err.message);
+      process.exit(1);
+      return;
+    }
+
+    if (entries.length === 0) {
+      warning('No variables in vault to validate against.');
+      return;
+    }
+
+    const envData = readEnvFile();
+    const localVars = envData?.vars ?? {};
+
+    const rows: { key: string; value: string; status: string }[] = [];
+    let passed = 0;
+    let issues = 0;
+
+    for (const entry of entries) {
+      const localValue = localVars[entry.key_name];
+      if (localValue === undefined) {
+        rows.push({
+          key: entry.key_name,
+          value: 'MISSING',
+          status: 'missing',
+        });
+        issues++;
+      } else if (localValue.trim() === '') {
+        rows.push({
+          key: entry.key_name,
+          value: 'EMPTY',
+          status: 'empty',
+        });
+        issues++;
+      } else {
+        rows.push({
+          key: entry.key_name,
+          value: 'present',
+          status: 'present',
+        });
+        passed++;
+      }
+    }
+
+    console.log();
+    printTable(rows);
+    console.log();
+
+    const total = entries.length;
+    if (issues === 0) {
+      console.log(
+        chalk.green.bold(`  ${passed} of ${total} checks passed. All good!`)
+      );
+    } else {
+      console.log(
+        chalk.yellow(
+          `  ${passed} of ${total} checks passed. ${issues} issue${issues !== 1 ? 's' : ''} found.`
+        )
+      );
+    }
+
+    console.log();
+    process.exit(issues > 0 ? 1 : 0);
+  });

package/cli/src/index.ts

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import chalk from 'chalk';
+import { loginCommand } from './commands/login.js';
+import { logoutCommand } from './commands/logout.js';
+import { initCommand } from './commands/init.js';
+import { pushCommand } from './commands/push.js';
+import { pullCommand } from './commands/pull.js';
+import { validateCommand } from './commands/validate.js';
+import { shareCommand } from './commands/share.js';
+import { listCommand } from './commands/list.js';
+import { statusCommand } from './commands/status.js';
+import { guardCommand } from './commands/guard.js';
+import { scanCommand } from './commands/scan.js';
+
+const program = new Command();
+
+program
+  .name('keyra')
+  .description('Encrypted .env vault. Sync, share, never lose an API key.')
+  .version('0.1.0');
+
+program.addCommand(loginCommand);
+program.addCommand(logoutCommand);
+program.addCommand(initCommand);
+program.addCommand(pushCommand);
+program.addCommand(pullCommand);
+program.addCommand(validateCommand);
+program.addCommand(shareCommand);
+program.addCommand(listCommand);
+program.addCommand(statusCommand);
+program.addCommand(guardCommand);
+program.addCommand(scanCommand);
+
+program.parseAsync(process.argv).catch((err) => {
+  console.error(chalk.red('Error:'), err.message);
+  process.exit(1);
+});

package/cli/src/lib/api.ts

@@ -0,0 +1,136 @@
+import { loadConfig } from './config.js';
+import type { Project, VaultEntry, EncryptedEntry, ShareData } from '../types.js';
+
+function getBaseUrl(): string {
+  const config = loadConfig();
+  return config.apiUrl || 'http://localhost:3000';
+}
+
+function getHeaders(): Record<string, string> {
+  const config = loadConfig();
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+  if (config.accessToken) {
+    headers['Authorization'] = `Bearer ${config.accessToken}`;
+  }
+  return headers;
+}
+
+async function handleResponse(res: Response): Promise<any> {
+  if (res.status === 401) {
+    throw new Error('Session expired. Run `keyra login` to re-authenticate.');
+  }
+  if (res.status === 403) {
+    const data = await res.json().catch(() => ({}));
+    const msg: string = data.error || '';
+    if (msg.toLowerCase().includes('project')) {
+      throw new Error(
+        'Project limit reached for your plan.\n  Upgrade at keyra.dev/dashboard/settings for more projects.'
+      );
+    }
+    if (msg.toLowerCase().includes('variable') || msg.toLowerCase().includes('vars')) {
+      throw new Error(
+        'Variable limit reached for this project.\n  Upgrade at keyra.dev/dashboard/settings for more variables.'
+      );
+    }
+    if (msg.toLowerCase().includes('sharing') || msg.toLowerCase().includes('share')) {
+      throw new Error(
+        'Sharing requires a Pro plan.\n  Upgrade at keyra.dev/dashboard/settings to enable sharing.'
+      );
+    }
+    if (data.upgrade) {
+      throw new Error(
+        `${msg || 'Plan limit reached.'}\n  Upgrade at keyra.dev/dashboard/settings`
+      );
+    }
+    throw new Error(msg || 'Access denied.');
+  }
+  if (!res.ok) {
+    const data = await res.json().catch(() => ({}));
+    throw new Error(data.error || `Request failed with status ${res.status}`);
+  }
+  return res.json();
+}
+
+export async function apiGet(path: string): Promise<any> {
+  const res = await fetch(`${getBaseUrl()}${path}`, {
+    method: 'GET',
+    headers: getHeaders(),
+  }).catch(() => {
+    throw new Error("Can't reach server. Check your connection.");
+  });
+  return handleResponse(res);
+}
+
+export async function apiPost(path: string, body: any): Promise<any> {
+  const res = await fetch(`${getBaseUrl()}${path}`, {
+    method: 'POST',
+    headers: getHeaders(),
+    body: JSON.stringify(body),
+  }).catch(() => {
+    throw new Error("Can't reach server. Check your connection.");
+  });
+  return handleResponse(res);
+}
+
+export async function apiPatch(path: string, body: any): Promise<any> {
+  const res = await fetch(`${getBaseUrl()}${path}`, {
+    method: 'PATCH',
+    headers: getHeaders(),
+    body: JSON.stringify(body),
+  }).catch(() => {
+    throw new Error("Can't reach server. Check your connection.");
+  });
+  return handleResponse(res);
+}
+
+export async function apiDelete(path: string): Promise<any> {
+  const res = await fetch(`${getBaseUrl()}${path}`, {
+    method: 'DELETE',
+    headers: getHeaders(),
+  }).catch(() => {
+    throw new Error("Can't reach server. Check your connection.");
+  });
+  return handleResponse(res);
+}
+
+// Specific endpoints
+
+export async function createDeviceCode(): Promise<{ deviceCode: string }> {
+  return apiPost('/api/cli/auth', {});
+}
+
+export async function pollAuth(
+  deviceCode: string
+): Promise<{ status: string; accessToken?: string }> {
+  return apiGet(`/api/cli/auth?code=${deviceCode}`);
+}
+
+export async function getProjects(): Promise<Project[]> {
+  return apiGet('/api/projects');
+}
+
+export async function createProject(
+  name: string,
+  description?: string
+): Promise<Project> {
+  return apiPost('/api/projects', { name, description });
+}
+
+export async function getVaultEntries(projectId: string): Promise<VaultEntry[]> {
+  return apiGet(`/api/vault?project_id=${projectId}`);
+}
+
+export async function upsertVaultEntries(
+  projectId: string,
+  entries: EncryptedEntry[]
+): Promise<void> {
+  await apiPost('/api/vault/sync', { projectId, entries });
+}
+
+export async function createShareLink(
+  data: ShareData
+): Promise<{ url: string; token: string }> {
+  return apiPost('/api/share', data);
+}

package/cli/src/lib/config.ts

@@ -0,0 +1,94 @@
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+import type { Config, ProjectConfig } from '../types.js';
+
+const CONFIG_DIR = path.join(os.homedir(), '.keyra');
+const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json');
+const PROJECT_CONFIG_FILE = '.keyra.json';
+
+function ensureConfigDir(): void {
+  if (!fs.existsSync(CONFIG_DIR)) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+}
+
+export function loadConfig(): Partial<Config> {
+  ensureConfigDir();
+  if (!fs.existsSync(CONFIG_FILE)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
+  } catch {
+    return {};
+  }
+}
+
+export function saveConfig(partial: Partial<Config>): void {
+  ensureConfigDir();
+  const existing = loadConfig();
+  const merged = { ...existing, ...partial };
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2));
+}
+
+export function clearConfig(): void {
+  ensureConfigDir();
+  if (fs.existsSync(CONFIG_FILE)) {
+    fs.unlinkSync(CONFIG_FILE);
+  }
+}
+
+export function isLoggedIn(): boolean {
+  const config = loadConfig();
+  return !!(config.accessToken && config.passphrase);
+}
+
+export function requireAuth(): Config {
+  const config = loadConfig();
+  if (!config.accessToken || !config.passphrase) {
+    throw new Error('Not logged in. Run `keyra login` first.');
+  }
+  return {
+    apiUrl: config.apiUrl || 'http://localhost:3000',
+    accessToken: config.accessToken,
+    passphrase: config.passphrase,
+  };
+}
+
+export function loadProjectConfig(): ProjectConfig | null {
+  const filePath = path.join(process.cwd(), PROJECT_CONFIG_FILE);
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+export function saveProjectConfig(data: ProjectConfig): void {
+  const filePath = path.join(process.cwd(), PROJECT_CONFIG_FILE);
+  fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+}
+
+export function hasProjectConfig(): boolean {
+  return fs.existsSync(path.join(process.cwd(), PROJECT_CONFIG_FILE));
+}
+
+export function requireProjectConfig(): ProjectConfig {
+  const config = loadProjectConfig();
+  if (!config) {
+    throw new Error('Not in a Keyra project. Run `keyra init` first.');
+  }
+  return config;
+}
+
+export function addToGitignore(entry: string): void {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  if (fs.existsSync(gitignorePath)) {
+    const content = fs.readFileSync(gitignorePath, 'utf-8');
+    if (!content.includes(entry)) {
+      fs.appendFileSync(gitignorePath, `\n${entry}\n`);
+    }
+  } else {
+    fs.writeFileSync(gitignorePath, `${entry}\n`);
+  }
+}