keystone-cli 0.1.0

package/src/utils/redactor.test.ts

@@ -0,0 +1,66 @@
+import { describe, expect, it } from 'bun:test';
+import { Redactor } from './redactor';
+
+describe('Redactor', () => {
+  const secrets = {
+    API_KEY: 'sk-123456789',
+    PASSWORD: 'p4ssw0rd-unique',
+    TOKEN: 'tkn-abc-123',
+  };
+
+  const redactor = new Redactor(secrets);
+
+  it('should redact secrets from a string', () => {
+    const text = 'Your API key is sk-123456789 and your password is p4ssw0rd-unique.';
+    const redacted = redactor.redact(text);
+    expect(redacted).toBe('Your API key is ***REDACTED*** and your password is ***REDACTED***.');
+  });
+
+  it('should handle special regex characters in secrets', () => {
+    const specialRedactor = new Redactor({ S1: 'secret.with*special+chars' });
+    const text = 'My secret is secret.with*special+chars';
+    expect(specialRedactor.redact(text)).toBe('My secret is ***REDACTED***');
+  });
+
+  it('should redact longer secrets first', () => {
+    // If we have 'abc' and 'abc-longer' as secrets
+    const redactor2 = new Redactor({ S1: 'abc', S2: 'abc-longer' });
+    const text = 'Value: abc-longer';
+    expect(redactor2.redact(text)).toBe('Value: ***REDACTED***');
+  });
+
+  it('should redact complex values recursively', () => {
+    const value = {
+      nested: {
+        key: 'sk-123456789',
+        list: ['p4ssw0rd-unique', 'safe'],
+      },
+      array: ['tkn-abc-123', 'def'],
+    };
+    const redacted = redactor.redactValue(value);
+    expect(redacted).toEqual({
+      nested: {
+        key: '***REDACTED***',
+        list: ['***REDACTED***', 'safe'],
+      },
+      array: ['***REDACTED***', 'def'],
+    });
+  });
+
+  it('should handle non-string values gracefully', () => {
+    expect(redactor.redactValue(123)).toBe(123);
+    expect(redactor.redactValue(true)).toBe(true);
+    expect(redactor.redactValue(null)).toBe(null);
+  });
+
+  it('should return input as is if not a string for redact', () => {
+    // @ts-ignore
+    expect(redactor.redact(123)).toBe(123);
+  });
+
+  it('should ignore secrets shorter than 3 characters', () => {
+    const shortRedactor = new Redactor({ S1: 'a', S2: '12', S3: 'abc' });
+    const text = 'a and 12 are safe, but abc is a secret';
+    expect(shortRedactor.redact(text)).toBe('a and 12 are safe, but ***REDACTED*** is a secret');
+  });
+});

package/src/utils/redactor.ts

@@ -0,0 +1,60 @@
+/**
+ * Redactor for masking secrets in output strings
+ *
+ * This utility helps prevent secret leakage by replacing secret values
+ * with masked strings before they are logged or stored in the database.
+ */
+
+export class Redactor {
+  private secrets: string[];
+
+  constructor(secrets: Record<string, string>) {
+    // Extract all secret values (not keys) and sort by length descending
+    // to ensure longer secrets are matched first.
+    // Filter out very short secrets (length < 3) to avoid redacting common words/numbers.
+    this.secrets = Object.values(secrets)
+      .filter((value) => value && value.length >= 3)
+      .sort((a, b) => b.length - a.length);
+  }
+
+  /**
+   * Redact all secrets from a string
+   */
+  redact(text: string): string {
+    if (!text || typeof text !== 'string') {
+      return text;
+    }
+
+    let redacted = text;
+    for (const secret of this.secrets) {
+      // Use a global replace to handle multiple occurrences
+      // Escape special regex characters in the secret
+      const escaped = secret.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+      redacted = redacted.replace(new RegExp(escaped, 'g'), '***REDACTED***');
+    }
+    return redacted;
+  }
+
+  /**
+   * Redact secrets from any value (string, object, array)
+   */
+  redactValue(value: unknown): unknown {
+    if (typeof value === 'string') {
+      return this.redact(value);
+    }
+
+    if (Array.isArray(value)) {
+      return value.map((item) => this.redactValue(item));
+    }
+
+    if (value !== null && typeof value === 'object') {
+      const redacted: Record<string, unknown> = {};
+      for (const [key, val] of Object.entries(value)) {
+        redacted[key] = this.redactValue(val);
+      }
+      return redacted;
+    }
+
+    return value;
+  }
+}

package/src/utils/workflow-registry.test.ts

@@ -0,0 +1,108 @@
+import { afterAll, beforeAll, describe, expect, it, spyOn } from 'bun:test';
+import { mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import * as os from 'node:os';
+import { join } from 'node:path';
+import { ConfigSchema } from '../parser/config-schema.ts';
+import { ConfigLoader } from './config-loader.ts';
+import { WorkflowRegistry } from './workflow-registry.ts';
+
+describe('WorkflowRegistry', () => {
+  const tempWorkflowsDir = join(
+    process.cwd(),
+    `temp-workflows-${Math.random().toString(36).substring(7)}`
+  );
+
+  beforeAll(() => {
+    try {
+      mkdirSync(tempWorkflowsDir, { recursive: true });
+    } catch (e) {}
+  });
+
+  afterAll(() => {
+    try {
+      rmSync(tempWorkflowsDir, { recursive: true, force: true });
+    } catch (e) {}
+  });
+
+  it('should list workflows in the workflows directory', () => {
+    const keystoneWorkflowsDir = join(tempWorkflowsDir, '.keystone', 'workflows');
+    mkdirSync(keystoneWorkflowsDir, { recursive: true });
+
+    const workflowContent = `
+name: registry-test
+steps:
+  - id: s1
+    type: shell
+    run: echo 1
+`;
+    const filePath = join(keystoneWorkflowsDir, 'registry-test.yaml');
+    writeFileSync(filePath, workflowContent);
+
+    // Mock homedir and cwd to use our temp dir
+    const homedirSpy = spyOn(os, 'homedir').mockReturnValue(tempWorkflowsDir);
+    const cwdSpy = spyOn(process, 'cwd').mockReturnValue(tempWorkflowsDir);
+
+    try {
+      const workflows = WorkflowRegistry.listWorkflows();
+      const testWorkflow = workflows.find((w) => w.name === 'registry-test');
+      expect(testWorkflow).toBeDefined();
+      expect(testWorkflow?.name).toBe('registry-test');
+    } finally {
+      homedirSpy.mockRestore();
+      cwdSpy.mockRestore();
+    }
+  });
+
+  it('should resolve a workflow name to a path', () => {
+    const keystoneWorkflowsDir = join(tempWorkflowsDir, '.keystone', 'workflows');
+    mkdirSync(keystoneWorkflowsDir, { recursive: true });
+
+    const fileName = 'resolve-test.yaml';
+    const filePath = join(keystoneWorkflowsDir, fileName);
+    writeFileSync(filePath, 'name: resolve-test\nsteps: []');
+
+    const cwdSpy = spyOn(process, 'cwd').mockReturnValue(tempWorkflowsDir);
+
+    try {
+      const resolved = WorkflowRegistry.resolvePath('resolve-test');
+      expect(resolved.endsWith(fileName)).toBe(true);
+    } finally {
+      cwdSpy.mockRestore();
+    }
+  });
+
+  it('should resolve an absolute or relative path directly', () => {
+    const filePath = join(tempWorkflowsDir, 'direct-path.yaml');
+    writeFileSync(filePath, 'name: direct\nsteps: []');
+
+    expect(WorkflowRegistry.resolvePath(filePath)).toBe(filePath);
+    rmSync(filePath);
+  });
+
+  it('should look in the home directory .keystone folder', () => {
+    const mockHome = join(tempWorkflowsDir, 'mock-home');
+    const keystoneDir = join(mockHome, '.keystone', 'workflows');
+    mkdirSync(keystoneDir, { recursive: true });
+
+    const workflowPath = join(keystoneDir, 'home-test.yaml');
+    writeFileSync(workflowPath, 'name: home-test\nsteps: []');
+
+    const homedirSpy = spyOn(os, 'homedir').mockReturnValue(mockHome);
+
+    try {
+      const resolved = WorkflowRegistry.resolvePath('home-test');
+      expect(resolved).toBe(workflowPath);
+
+      const workflows = WorkflowRegistry.listWorkflows();
+      expect(workflows.some((w) => w.name === 'home-test')).toBe(true);
+    } finally {
+      homedirSpy.mockRestore();
+    }
+  });
+
+  it('should throw if workflow not found', () => {
+    expect(() => WorkflowRegistry.resolvePath('non-existent')).toThrow(
+      /Workflow "non-existent" not found/
+    );
+  });
+});

package/src/utils/workflow-registry.ts

@@ -0,0 +1,121 @@
+import { existsSync, readdirSync, statSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { basename, extname, join } from 'node:path';
+import type { Workflow } from '../parser/schema.ts';
+import { WorkflowParser } from '../parser/workflow-parser.ts';
+import { ConfigLoader } from './config-loader.ts';
+
+export class WorkflowRegistry {
+  private static getSearchPaths(): string[] {
+    const paths = new Set<string>();
+
+    paths.add(join(process.cwd(), '.keystone', 'workflows'));
+    paths.add(join(homedir(), '.keystone', 'workflows'));
+
+    return Array.from(paths);
+  }
+
+  /**
+   * List all available workflows with their metadata
+   */
+  static listWorkflows(): Array<{
+    name: string;
+    description?: string;
+    inputs?: Record<string, unknown>;
+  }> {
+    const workflows: Array<{
+      name: string;
+      description?: string;
+      inputs?: Record<string, unknown>;
+    }> = [];
+    const seen = new Set<string>();
+
+    for (const dir of WorkflowRegistry.getSearchPaths()) {
+      if (!existsSync(dir)) continue;
+
+      try {
+        const files = readdirSync(dir);
+        for (const file of files) {
+          if (!file.endsWith('.yaml') && !file.endsWith('.yml')) continue;
+
+          const fullPath = join(dir, file);
+          if (statSync(fullPath).isDirectory()) continue;
+
+          try {
+            // Parse strictly to get metadata
+            const workflow = WorkflowParser.loadWorkflow(fullPath);
+
+            // Deduplicate by name
+            if (seen.has(workflow.name)) continue;
+            seen.add(workflow.name);
+
+            workflows.push({
+              name: workflow.name,
+              description: workflow.description,
+              inputs: workflow.inputs,
+            });
+          } catch (e) {
+            // Skip invalid workflows during listing
+          }
+        }
+      } catch (e) {
+        console.warn(`Failed to scan directory ${dir}:`, e);
+      }
+    }
+
+    return workflows;
+  }
+
+  /**
+   * Resolve a workflow name to a file path
+   */
+  static resolvePath(name: string): string {
+    // 1. Check if it's already a path
+    if (existsSync(name) && (name.endsWith('.yaml') || name.endsWith('.yml'))) {
+      return name;
+    }
+
+    const searchPaths = WorkflowRegistry.getSearchPaths();
+
+    // 2. Search by filename in standard dirs
+    for (const dir of searchPaths) {
+      if (!existsSync(dir)) continue;
+
+      // Check exact filename match (name.yaml)
+      const pathYaml = join(dir, `${name}.yaml`);
+      if (existsSync(pathYaml)) return pathYaml;
+
+      const pathYml = join(dir, `${name}.yml`);
+      if (existsSync(pathYml)) return pathYml;
+    }
+
+    // 3. Search by internal workflow name
+    for (const dir of searchPaths) {
+      if (!existsSync(dir)) continue;
+
+      try {
+        const files = readdirSync(dir);
+        for (const file of files) {
+          if (!file.endsWith('.yaml') && !file.endsWith('.yml')) continue;
+
+          const fullPath = join(dir, file);
+          const stats = statSync(fullPath);
+          if (stats.isDirectory()) continue;
+
+          try {
+            const workflow = WorkflowParser.loadWorkflow(fullPath);
+            if (workflow.name === name) {
+              return fullPath;
+            }
+          } catch (e) {
+            // Skip invalid workflows
+          }
+        }
+      } catch (e) {
+        // Skip errors scanning directories
+      }
+    }
+
+    throw new Error(`Workflow "${name}" not found in: ${searchPaths.join(', ')}`);
+  }
+}