lsh-framework 0.8.1 → 0.8.3

package/dist/lib/git-utils.js

@@ -0,0 +1,186 @@
+/**
+ * Git Utilities
+ * Helper functions for git repository detection and information extraction
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import { createLogger } from './logger.js';
+const logger = createLogger('GitUtils');
+/**
+ * Check if a directory is inside a git repository
+ */
+export function isInGitRepo(dir = process.cwd()) {
+    try {
+        execSync('git rev-parse --is-inside-work-tree', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get git repository root path
+ */
+export function getGitRootPath(dir = process.cwd()) {
+    try {
+        const output = execSync('git rev-parse --show-toplevel', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return output.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Get git remote URL
+ */
+export function getGitRemoteUrl(dir = process.cwd()) {
+    try {
+        const output = execSync('git remote get-url origin', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return output.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Extract repository name from git remote URL or directory name
+ */
+export function extractRepoName(remoteUrl, rootPath) {
+    if (remoteUrl) {
+        // Extract from URL patterns:
+        // git@github.com:user/repo.git -> repo
+        // https://github.com/user/repo.git -> repo
+        const match = remoteUrl.match(/[/:]([\w-]+?)(\.git)?$/);
+        if (match) {
+            return match[1];
+        }
+    }
+    if (rootPath) {
+        // Use directory name as fallback
+        return path.basename(rootPath);
+    }
+    return undefined;
+}
+/**
+ * Get current git branch
+ */
+export function getCurrentBranch(dir = process.cwd()) {
+    try {
+        const output = execSync('git rev-parse --abbrev-ref HEAD', {
+            cwd: dir,
+            stdio: 'pipe',
+            encoding: 'utf8',
+        });
+        return output.trim();
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Get comprehensive git repository information
+ */
+export function getGitRepoInfo(dir = process.cwd()) {
+    const isGitRepo = isInGitRepo(dir);
+    if (!isGitRepo) {
+        return { isGitRepo: false };
+    }
+    const rootPath = getGitRootPath(dir);
+    const remoteUrl = getGitRemoteUrl(dir);
+    const repoName = extractRepoName(remoteUrl, rootPath);
+    const currentBranch = getCurrentBranch(dir);
+    return {
+        isGitRepo: true,
+        rootPath,
+        repoName,
+        remoteUrl,
+        currentBranch,
+    };
+}
+/**
+ * Check if .env.example exists in the repo
+ */
+export function hasEnvExample(dir = process.cwd()) {
+    const patterns = ['.env.example', '.env.sample', '.env.template'];
+    for (const pattern of patterns) {
+        const filePath = path.join(dir, pattern);
+        if (fs.existsSync(filePath)) {
+            return filePath;
+        }
+    }
+    return undefined;
+}
+/**
+ * Check if .gitignore exists and contains .env
+ */
+export function isEnvIgnored(dir = process.cwd()) {
+    const gitignorePath = path.join(dir, '.gitignore');
+    if (!fs.existsSync(gitignorePath)) {
+        return false;
+    }
+    try {
+        const content = fs.readFileSync(gitignorePath, 'utf8');
+        const lines = content.split('\n');
+        for (const line of lines) {
+            const trimmed = line.trim();
+            // Check for .env or *.env patterns
+            if (trimmed === '.env' || trimmed === '*.env' || trimmed.includes('.env')) {
+                return true;
+            }
+        }
+        return false;
+    }
+    catch (error) {
+        logger.warn(`Failed to read .gitignore: ${error.message}`);
+        return false;
+    }
+}
+/**
+ * Add .env to .gitignore if not already present
+ */
+export function ensureEnvInGitignore(dir = process.cwd()) {
+    const gitignorePath = path.join(dir, '.gitignore');
+    if (isEnvIgnored(dir)) {
+        return; // Already ignored
+    }
+    try {
+        let content = '';
+        if (fs.existsSync(gitignorePath)) {
+            content = fs.readFileSync(gitignorePath, 'utf8');
+            // Ensure newline at end
+            if (!content.endsWith('\n')) {
+                content += '\n';
+            }
+        }
+        content += '\n# Environment variables (managed by LSH)\n.env\n.env.local\n.env.*.local\n';
+        fs.writeFileSync(gitignorePath, content, 'utf8');
+        logger.info('✅ Added .env to .gitignore');
+    }
+    catch (error) {
+        logger.warn(`Failed to update .gitignore: ${error.message}`);
+    }
+}
+export default {
+    isInGitRepo,
+    getGitRootPath,
+    getGitRemoteUrl,
+    extractRepoName,
+    getCurrentBranch,
+    getGitRepoInfo,
+    hasEnvExample,
+    isEnvIgnored,
+    ensureEnvInGitignore,
+};

package/dist/lib/secrets-manager.js

@@ -6,15 +6,21 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as crypto from 'crypto';
 import DatabasePersistence from './database-persistence.js';
-import { createLogger } from './logger.js';
+import { createLogger, LogLevel } from './logger.js';
+import { getGitRepoInfo, hasEnvExample, ensureEnvInGitignore } from './git-utils.js';
 const logger = createLogger('SecretsManager');
 export class SecretsManager {
     persistence;
     encryptionKey;
-    constructor(userId, encryptionKey) {
+    gitInfo;
+    constructor(userId, encryptionKey, detectGit = true) {
         this.persistence = new DatabasePersistence(userId);
         // Use provided key or generate from machine ID + user
         this.encryptionKey = encryptionKey || this.getDefaultEncryptionKey();
+        // Auto-detect git repo context
+        if (detectGit) {
+            this.gitInfo = getGitRepoInfo();
+        }
     }
     /**
      * Get default encryption key from environment or machine
@@ -328,7 +334,343 @@ export class SecretsManager {
         return status;
     }
     /**
-     * Sync command - check status and suggest actions
+     * Get repo-aware environment namespace
+     * Returns environment name with repo context if in a git repo
+     */
+    getRepoAwareEnvironment(environment) {
+        if (this.gitInfo?.repoName) {
+            return `${this.gitInfo.repoName}_${environment}`;
+        }
+        return environment;
+    }
+    /**
+     * Generate encryption key if not set
+     */
+    async ensureEncryptionKey() {
+        if (process.env.LSH_SECRETS_KEY) {
+            return true; // Key already set
+        }
+        logger.warn('⚠️  No encryption key found. Generating a new key...');
+        const key = crypto.randomBytes(32).toString('hex');
+        // Try to add to .env file
+        const envPath = path.join(process.cwd(), '.env');
+        try {
+            let content = '';
+            if (fs.existsSync(envPath)) {
+                content = fs.readFileSync(envPath, 'utf8');
+                if (!content.endsWith('\n')) {
+                    content += '\n';
+                }
+            }
+            // Check if LSH_SECRETS_KEY already exists (but empty)
+            if (content.includes('LSH_SECRETS_KEY=')) {
+                content = content.replace(/LSH_SECRETS_KEY=.*$/m, `LSH_SECRETS_KEY=${key}`);
+            }
+            else {
+                content += `\n# LSH Secrets Encryption Key (do not commit!)\nLSH_SECRETS_KEY=${key}\n`;
+            }
+            fs.writeFileSync(envPath, content, 'utf8');
+            // Set in current process
+            process.env.LSH_SECRETS_KEY = key;
+            this.encryptionKey = key;
+            logger.info('✅ Generated and saved encryption key to .env');
+            logger.info('💡 Load it now: export LSH_SECRETS_KEY=' + key.substring(0, 8) + '...');
+            return true;
+        }
+        catch (error) {
+            logger.error(`Failed to save encryption key: ${error.message}`);
+            logger.info('Please set it manually:');
+            logger.info(`export LSH_SECRETS_KEY=${key}`);
+            return false;
+        }
+    }
+    /**
+     * Create .env from .env.example if available
+     */
+    async createEnvFromExample(envFilePath) {
+        const examplePath = hasEnvExample(process.cwd());
+        if (!examplePath) {
+            // Create minimal template
+            const template = `# Environment Configuration
+# Generated by LSH Secrets Manager
+
+# Application
+NODE_ENV=development
+
+# Database
+DATABASE_URL=
+
+# API Keys
+API_KEY=
+
+# LSH Secrets Encryption Key (auto-generated)
+LSH_SECRETS_KEY=${this.encryptionKey}
+
+# Add your environment variables below
+`;
+            try {
+                fs.writeFileSync(envFilePath, template, 'utf8');
+                logger.info(`✅ Created ${envFilePath} from template`);
+                return true;
+            }
+            catch (error) {
+                logger.error(`Failed to create ${envFilePath}: ${error.message}`);
+                return false;
+            }
+        }
+        // Copy from example
+        try {
+            const content = fs.readFileSync(examplePath, 'utf8');
+            let newContent = content;
+            // Add encryption key if not present
+            if (!content.includes('LSH_SECRETS_KEY')) {
+                newContent += `\n# LSH Secrets Encryption Key (auto-generated)\nLSH_SECRETS_KEY=${this.encryptionKey}\n`;
+            }
+            fs.writeFileSync(envFilePath, newContent, 'utf8');
+            logger.info(`✅ Created ${envFilePath} from ${path.basename(examplePath)}`);
+            return true;
+        }
+        catch (error) {
+            logger.error(`Failed to create ${envFilePath}: ${error.message}`);
+            return false;
+        }
+    }
+    /**
+     * Generate shell export commands for loading .env file
+     */
+    generateExportCommands(envFilePath) {
+        if (!fs.existsSync(envFilePath)) {
+            return '# No .env file found\n';
+        }
+        const content = fs.readFileSync(envFilePath, 'utf8');
+        const lines = content.split('\n');
+        const exports = [];
+        for (const line of lines) {
+            // Skip comments and empty lines
+            if (line.trim().startsWith('#') || !line.trim()) {
+                continue;
+            }
+            // Parse KEY=VALUE
+            const match = line.match(/^([^=]+)=(.*)$/);
+            if (match) {
+                const key = match[1].trim();
+                let value = match[2].trim();
+                // Remove quotes if present (we'll add them back for the export)
+                if ((value.startsWith('"') && value.endsWith('"')) ||
+                    (value.startsWith("'") && value.endsWith("'"))) {
+                    value = value.slice(1, -1);
+                }
+                // Escape special characters for shell
+                const escapedValue = value
+                    .replace(/\\/g, '\\\\')
+                    .replace(/"/g, '\\"')
+                    .replace(/\$/g, '\\$')
+                    .replace(/`/g, '\\`');
+                exports.push(`export ${key}="${escapedValue}"`);
+            }
+        }
+        return exports.join('\n') + '\n';
+    }
+    /**
+     * Smart sync command - automatically set up and synchronize secrets
+     * This is the new enhanced sync that does everything automatically
+     */
+    async smartSync(envFilePath = '.env', environment = 'dev', autoExecute = true, loadMode = false) {
+        // In load mode, suppress all logger output to prevent zsh glob interpretation
+        // Save original level and restore at the end
+        const originalLogLevel = loadMode ? logger['config'].level : undefined;
+        if (loadMode) {
+            logger.setLevel(LogLevel.NONE);
+        }
+        try {
+            // Use repo-aware environment if in git repo
+            const effectiveEnv = this.getRepoAwareEnvironment(environment);
+            const displayEnv = this.gitInfo?.repoName ? `${this.gitInfo.repoName}/${environment}` : environment;
+            // In load mode, suppress all output except the final export commands
+            const out = loadMode ? () => { } : console.log;
+            out(`\n🔍 Smart sync for: ${displayEnv}\n`);
+            // Show git repo context if detected
+            if (this.gitInfo?.isGitRepo) {
+                out('📁 Git Repository:');
+                out(`   Repo: ${this.gitInfo.repoName || 'unknown'}`);
+                if (this.gitInfo.currentBranch) {
+                    out(`   Branch: ${this.gitInfo.currentBranch}`);
+                }
+                out();
+            }
+            // Step 1: Ensure encryption key exists
+            if (!process.env.LSH_SECRETS_KEY) {
+                logger.info('🔑 No encryption key found...');
+                await this.ensureEncryptionKey();
+                out();
+            }
+            // Step 2: Ensure .gitignore includes .env
+            if (this.gitInfo?.isGitRepo) {
+                ensureEnvInGitignore(process.cwd());
+            }
+            // Step 3: Check current status
+            const status = await this.status(envFilePath, effectiveEnv);
+            out('📊 Current Status:');
+            out(`   Encryption key: ${status.keySet ? '✅' : '❌'}`);
+            out(`   Local ${envFilePath}: ${status.localExists ? `✅ (${status.localKeys} keys)` : '❌'}`);
+            out(`   Cloud storage: ${status.cloudExists ? `✅ (${status.cloudKeys} keys)` : '❌'}`);
+            if (status.cloudExists && status.keyMatches !== undefined) {
+                out(`   Key matches: ${status.keyMatches ? '✅' : '❌'}`);
+            }
+            out();
+            // Step 4: Determine action and execute if auto mode
+            let action = 'in-sync';
+            if (status.cloudExists && status.keyMatches === false) {
+                action = 'key-mismatch';
+                out('⚠️  Encryption key mismatch!');
+                out('   The local key does not match the cloud storage.');
+                out('   Please use the original key or push new secrets with:');
+                out(`   lsh lib secrets push -f ${envFilePath} -e ${environment}`);
+                out();
+                return;
+            }
+            if (!status.localExists && !status.cloudExists) {
+                action = 'create-and-push';
+                out('🆕 No secrets found locally or in cloud');
+                out('   Creating new .env file...');
+                if (autoExecute) {
+                    await this.createEnvFromExample(envFilePath);
+                    out('   Pushing to cloud...');
+                    await this.push(envFilePath, effectiveEnv);
+                    out();
+                    out('✅ Setup complete! Edit your .env and run sync again to update.');
+                }
+                else {
+                    out('💡 Run: lsh lib secrets create && lsh lib secrets push');
+                }
+                out();
+                // Output export commands in load mode
+                if (loadMode && fs.existsSync(envFilePath)) {
+                    console.log(this.generateExportCommands(envFilePath));
+                }
+                return;
+            }
+            if (status.localExists && !status.cloudExists) {
+                action = 'push';
+                out('⬆️  Local .env exists but not in cloud');
+                if (autoExecute) {
+                    out('   Pushing to cloud...');
+                    await this.push(envFilePath, effectiveEnv);
+                    out('✅ Secrets pushed to cloud!');
+                }
+                else {
+                    out(`💡 Run: lsh lib secrets push -f ${envFilePath} -e ${environment}`);
+                }
+                out();
+                // Output export commands in load mode
+                if (loadMode && fs.existsSync(envFilePath)) {
+                    console.log(this.generateExportCommands(envFilePath));
+                }
+                return;
+            }
+            if (!status.localExists && status.cloudExists && status.keyMatches) {
+                action = 'pull';
+                out('⬇️  Cloud secrets available but no local file');
+                if (autoExecute) {
+                    out('   Pulling from cloud...');
+                    await this.pull(envFilePath, effectiveEnv, false);
+                    out('✅ Secrets pulled from cloud!');
+                }
+                else {
+                    out(`💡 Run: lsh lib secrets pull -f ${envFilePath} -e ${environment}`);
+                }
+                out();
+                // Output export commands in load mode
+                if (loadMode && fs.existsSync(envFilePath)) {
+                    console.log(this.generateExportCommands(envFilePath));
+                }
+                return;
+            }
+            if (status.localExists && status.cloudExists && status.keyMatches) {
+                if (status.localModified && status.cloudModified) {
+                    const localNewer = status.localModified > status.cloudModified;
+                    const timeDiff = Math.abs(status.localModified.getTime() - status.cloudModified.getTime());
+                    const minutesDiff = Math.floor(timeDiff / (1000 * 60));
+                    // If difference is less than 1 minute, consider in sync
+                    if (minutesDiff < 1) {
+                        out('✅ Local and cloud are in sync!');
+                        out();
+                        if (!loadMode) {
+                            this.showLoadInstructions(envFilePath);
+                        }
+                        else if (fs.existsSync(envFilePath)) {
+                            console.log(this.generateExportCommands(envFilePath));
+                        }
+                        return;
+                    }
+                    if (localNewer) {
+                        action = 'push';
+                        out('⬆️  Local file is newer than cloud');
+                        out(`   Local: ${status.localModified.toLocaleString()}`);
+                        out(`   Cloud: ${status.cloudModified.toLocaleString()}`);
+                        if (autoExecute) {
+                            out('   Pushing to cloud...');
+                            await this.push(envFilePath, effectiveEnv);
+                            out('✅ Secrets synced to cloud!');
+                        }
+                        else {
+                            out(`💡 Run: lsh lib secrets push -f ${envFilePath} -e ${environment}`);
+                        }
+                    }
+                    else {
+                        action = 'pull';
+                        out('⬇️  Cloud is newer than local file');
+                        out(`   Local: ${status.localModified.toLocaleString()}`);
+                        out(`   Cloud: ${status.cloudModified.toLocaleString()}`);
+                        if (autoExecute) {
+                            out('   Pulling from cloud (backup created)...');
+                            await this.pull(envFilePath, effectiveEnv, false);
+                            out('✅ Secrets synced from cloud!');
+                        }
+                        else {
+                            out(`💡 Run: lsh lib secrets pull -f ${envFilePath} -e ${environment}`);
+                        }
+                    }
+                    out();
+                    if (!loadMode) {
+                        this.showLoadInstructions(envFilePath);
+                    }
+                    else if (fs.existsSync(envFilePath)) {
+                        console.log(this.generateExportCommands(envFilePath));
+                    }
+                    return;
+                }
+            }
+            // Default: everything is in sync
+            out('✅ Secrets are synchronized!');
+            out();
+            if (!loadMode) {
+                this.showLoadInstructions(envFilePath);
+            }
+            else if (fs.existsSync(envFilePath)) {
+                console.log(this.generateExportCommands(envFilePath));
+            }
+        }
+        finally {
+            // Restore original logger level if it was changed
+            if (loadMode && originalLogLevel !== undefined) {
+                logger.setLevel(originalLogLevel);
+            }
+        }
+    }
+    /**
+     * Show instructions for loading secrets
+     */
+    showLoadInstructions(envFilePath) {
+        console.log('📝 To load secrets in your current shell:');
+        console.log(`   export $(cat ${envFilePath} | grep -v '^#' | xargs)`);
+        console.log();
+        console.log('   Or for safer loading (preserves quotes):');
+        console.log(`   set -a; source ${envFilePath}; set +a`);
+        console.log();
+    }
+    /**
+     * Sync command - check status and suggest actions (legacy, kept for compatibility)
      */
     async sync(envFilePath = '.env', environment = 'dev') {
         console.log(`\n🔍 Checking secrets status for environment: ${environment}\n`);

package/dist/services/api/api.js

@@ -0,0 +1,58 @@
+import AsyncLock from 'async-lock';
+import request from 'request';
+import { CONFIG } from './config.js';
+import { FILE } from './file.js';
+const semaphore = new AsyncLock();
+let pkgId;
+export const makePOSTRequest = async (typeName, method, data, onSuccess) => {
+    console.log("makePostRequest");
+    const url = CONFIG.URL + '/api/8' + '/' + typeName + '/' + method;
+    console.log(url);
+    // Prevent parallel writes/deletions
+    return semaphore.acquire('request', (done) => {
+        return request.post(url, {
+            method: 'POST',
+            body: data,
+            json: true,
+            headers: {
+                Authorization: CONFIG.AUTH_TOKEN,
+            },
+        }, (err, response, body) => {
+            console.log(body);
+            onSuccess?.(response);
+            done();
+        });
+    });
+};
+const getMetadataPath = (path) => {
+    console.log("getMetadataPath");
+    return path.substring(path.indexOf(CONFIG.PATH_TO_PACKAGE_REPO) + CONFIG.PATH_TO_PACKAGE_REPO.length);
+};
+const getPkgId = async () => {
+    console.log("getPkgId");
+    if (pkgId) {
+        return pkgId;
+    }
+    await makePOSTRequest('Pkg', 'inst', ['Pkg'], (body) => {
+        pkgId = body;
+    });
+    return pkgId;
+};
+const _writeContent = async (path) => {
+    console.log("writeContent");
+    const pkgId = await getPkgId();
+    const metadataPath = getMetadataPath(path);
+    const content = FILE.encodeContent(path);
+    if (await content === FILE.NO_CHANGE_TO_FILE) {
+        return;
+    }
+    return makePOSTRequest('Pkg', 'writeContent', [pkgId, metadataPath, {
+            type: 'ContentValue',
+            content,
+        }], () => console.log("Success"));
+};
+const _deleteContent = async (path) => {
+    const pkgId = await getPkgId();
+    const metadataPath = getMetadataPath(path);
+    return makePOSTRequest('Pkg', 'deleteContent', [pkgId, metadataPath, true], () => console.log("deleted!"));
+};

package/dist/services/secrets/secrets.js

@@ -169,19 +169,29 @@ API_KEY=
             process.exit(1);
         }
     });
-    // Sync command - check status and suggest actions
+    // Sync command - automatically set up and synchronize secrets
     secretsCmd
         .command('sync')
-        .description('Check secrets sync status and show recommended actions')
+        .description('Automatically set up and synchronize secrets (smart mode)')
         .option('-f, --file <path>', 'Path to .env file', '.env')
         .option('-e, --env <name>', 'Environment name', 'dev')
+        .option('--dry-run', 'Show what would be done without executing')
+        .option('--legacy', 'Use legacy sync mode (suggestions only)')
+        .option('--load', 'Output eval-able export commands for loading secrets')
         .action(async (options) => {
         try {
             const manager = new SecretsManager();
-            await manager.sync(options.file, options.env);
+            if (options.legacy) {
+                // Use legacy sync (suggestions only)
+                await manager.sync(options.file, options.env);
+            }
+            else {
+                // Use new smart sync (auto-execute)
+                await manager.smartSync(options.file, options.env, !options.dryRun, options.load);
+            }
         }
         catch (error) {
-            console.error('❌ Failed to check sync status:', error.message);
+            console.error('❌ Failed to sync:', error.message);
             process.exit(1);
         }
     });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "0.8.1",
+  "version": "0.8.3",
   "description": "Encrypted secrets manager with automatic rotation, team sync, and multi-environment support. Built on a powerful shell with daemon scheduling and CI/CD integration.",
   "main": "dist/app.js",
   "bin": {
@@ -106,6 +106,7 @@
     "ioredis": "^5.8.0",
     "jsonwebtoken": "^9.0.2",
     "lodash": "^4.17.21",
+    "lsh-framework": "^0.8.2",
     "node-cron": "^3.0.3",
     "node-fetch": "^3.3.2",
     "ora": "^8.0.1",