lsh-framework 1.2.0 → 1.2.1

package/dist/commands/init.js

@@ -0,0 +1,371 @@
+/**
+ * LSH Init Command
+ * Interactive setup wizard for first-time configuration
+ */
+import inquirer from 'inquirer';
+import chalk from 'chalk';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as crypto from 'crypto';
+import { createClient } from '@supabase/supabase-js';
+import ora from 'ora';
+import { getPlatformPaths } from '../lib/platform-utils.js';
+/**
+ * Register init commands
+ */
+export function registerInitCommands(program) {
+    program
+        .command('init')
+        .description('Interactive setup wizard (first-time configuration)')
+        .option('--local', 'Use local-only encryption (no cloud sync)')
+        .option('--supabase', 'Use Supabase cloud storage')
+        .option('--postgres', 'Use self-hosted PostgreSQL')
+        .option('--skip-test', 'Skip connection testing')
+        .action(async (options) => {
+        try {
+            await runSetupWizard(options);
+        }
+        catch (error) {
+            const err = error;
+            console.error(chalk.red('\n❌ Setup failed:'), err.message);
+            process.exit(1);
+        }
+    });
+}
+/**
+ * Run the interactive setup wizard
+ */
+async function runSetupWizard(options) {
+    console.log(chalk.bold.cyan('\n🔐 LSH Secrets Manager - Setup Wizard'));
+    console.log(chalk.gray('━'.repeat(50)));
+    console.log('');
+    // Check if already configured
+    const existingConfig = await checkExistingConfig();
+    if (existingConfig) {
+        const { overwrite } = await inquirer.prompt([
+            {
+                type: 'confirm',
+                name: 'overwrite',
+                message: 'Configuration already exists. Overwrite?',
+                default: false,
+            },
+        ]);
+        if (!overwrite) {
+            console.log(chalk.yellow('\n⚠️  Setup cancelled. Existing configuration preserved.'));
+            console.log(chalk.gray('\nRun'), chalk.cyan('lsh doctor'), chalk.gray('to check your current setup.'));
+            return;
+        }
+    }
+    // Determine storage type
+    let storageType;
+    if (options.local) {
+        storageType = 'local';
+    }
+    else if (options.postgres) {
+        storageType = 'postgres';
+    }
+    else if (options.supabase) {
+        storageType = 'supabase';
+    }
+    else {
+        // Ask user
+        const { storage } = await inquirer.prompt([
+            {
+                type: 'list',
+                name: 'storage',
+                message: 'Choose storage backend:',
+                choices: [
+                    {
+                        name: 'Supabase (free, cloud-hosted, recommended)',
+                        value: 'supabase',
+                    },
+                    {
+                        name: 'Local encryption (file-based, no cloud sync)',
+                        value: 'local',
+                    },
+                    {
+                        name: 'Self-hosted PostgreSQL',
+                        value: 'postgres',
+                    },
+                ],
+                default: 'supabase',
+            },
+        ]);
+        storageType = storage;
+    }
+    const config = {
+        storageType,
+        encryptionKey: generateEncryptionKey(),
+    };
+    // Configure based on storage type
+    if (storageType === 'supabase') {
+        await configureSupabase(config, options.skipTest);
+    }
+    else if (storageType === 'postgres') {
+        await configurePostgres(config, options.skipTest);
+    }
+    else {
+        await configureLocal(config);
+    }
+    // Save configuration
+    await saveConfiguration(config);
+    // Show success message
+    showSuccessMessage(config);
+}
+/**
+ * Check if LSH is already configured
+ */
+async function checkExistingConfig() {
+    try {
+        const envPath = path.join(process.cwd(), '.env');
+        // Read file directly without access check to avoid TOCTOU race condition
+        const content = await fs.readFile(envPath, 'utf-8');
+        return content.includes('LSH_SECRETS_KEY') ||
+            content.includes('SUPABASE_URL') ||
+            content.includes('DATABASE_URL');
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Configure Supabase
+ */
+async function configureSupabase(config, skipTest) {
+    console.log(chalk.cyan('\n📦 Supabase Configuration'));
+    console.log(chalk.gray('Need credentials? Visit: https://supabase.com/dashboard'));
+    console.log('');
+    const answers = await inquirer.prompt([
+        {
+            type: 'input',
+            name: 'url',
+            message: 'Enter your Supabase URL:',
+            validate: (input) => {
+                if (!input.trim())
+                    return 'URL is required';
+                if (!input.startsWith('https://'))
+                    return 'URL must start with https://';
+                if (!input.includes('.supabase.co'))
+                    return 'Must be a valid Supabase URL';
+                return true;
+            },
+        },
+        {
+            type: 'password',
+            name: 'key',
+            message: 'Enter your Supabase anon key:',
+            mask: '*',
+            validate: (input) => {
+                if (!input.trim())
+                    return 'Anon key is required';
+                if (input.length < 100)
+                    return 'Anon key seems too short';
+                return true;
+            },
+        },
+    ]);
+    config.supabaseUrl = answers.url.trim();
+    config.supabaseKey = answers.key.trim();
+    // Test connection
+    if (!skipTest && config.supabaseUrl && config.supabaseKey) {
+        await testSupabaseConnection(config.supabaseUrl, config.supabaseKey);
+    }
+}
+/**
+ * Test Supabase connection
+ */
+async function testSupabaseConnection(url, key) {
+    const spinner = ora('Testing Supabase connection...').start();
+    try {
+        const supabase = createClient(url, key);
+        // Try to query the database (even if table doesn't exist, connection will work)
+        const { error } = await supabase.from('lsh_secrets').select('count').limit(0);
+        // Connection successful (404 table not found is fine - means connection works)
+        if (!error || error.code === 'PGRST116' || error.message.includes('relation')) {
+            spinner.succeed(chalk.green('✅ Connection successful!'));
+        }
+        else {
+            spinner.fail(chalk.red('❌ Connection failed'));
+            throw new Error(`Supabase error: ${error.message}`);
+        }
+    }
+    catch (error) {
+        spinner.fail(chalk.red('❌ Connection failed'));
+        const err = error;
+        throw new Error(`Could not connect to Supabase: ${err.message}`);
+    }
+}
+/**
+ * Configure self-hosted PostgreSQL
+ */
+async function configurePostgres(config, skipTest) {
+    console.log(chalk.cyan('\n🐘 PostgreSQL Configuration'));
+    console.log('');
+    const { url } = await inquirer.prompt([
+        {
+            type: 'input',
+            name: 'url',
+            message: 'Enter PostgreSQL connection URL:',
+            default: 'postgresql://user:password@localhost:5432/lsh',
+            validate: (input) => {
+                if (!input.trim())
+                    return 'Connection URL is required';
+                if (!input.startsWith('postgres'))
+                    return 'Must be a valid PostgreSQL URL';
+                return true;
+            },
+        },
+    ]);
+    config.postgresUrl = url.trim();
+    if (!skipTest) {
+        const spinner = ora('Testing PostgreSQL connection...').start();
+        // Note: We'll skip actual testing for now as we don't have pg client imported
+        spinner.info(chalk.yellow('⚠️  Connection test skipped. Run "lsh doctor" after setup to verify.'));
+    }
+}
+/**
+ * Configure local-only mode
+ */
+async function configureLocal(config) {
+    console.log(chalk.cyan('\n💾 Local Encryption Mode'));
+    console.log(chalk.gray('Secrets will be encrypted locally. No cloud sync available.'));
+    console.log('');
+    const paths = getPlatformPaths();
+    console.log(chalk.gray('Encrypted secrets will be stored in:'));
+    console.log(chalk.cyan(`  ${path.join(paths.dataDir, 'encrypted')}`));
+    console.log('');
+}
+/**
+ * Generate a secure encryption key
+ */
+function generateEncryptionKey() {
+    return crypto.randomBytes(32).toString('hex');
+}
+/**
+ * Save configuration to .env file
+ */
+async function saveConfiguration(config) {
+    const spinner = ora('Saving configuration...').start();
+    try {
+        const envPath = path.join(process.cwd(), '.env');
+        let envContent = '';
+        // Try to read existing .env
+        try {
+            envContent = await fs.readFile(envPath, 'utf-8');
+        }
+        catch {
+            // File doesn't exist, start fresh
+        }
+        // Update or add configuration
+        const updates = {
+            LSH_SECRETS_KEY: config.encryptionKey,
+        };
+        if (config.storageType === 'supabase' && config.supabaseUrl && config.supabaseKey) {
+            updates.SUPABASE_URL = config.supabaseUrl;
+            updates.SUPABASE_ANON_KEY = config.supabaseKey;
+        }
+        if (config.storageType === 'postgres' && config.postgresUrl) {
+            updates.DATABASE_URL = config.postgresUrl;
+        }
+        if (config.storageType === 'local') {
+            updates.LSH_STORAGE_MODE = 'local';
+        }
+        // Update .env content
+        for (const [key, value] of Object.entries(updates)) {
+            const regex = new RegExp(`^${key}=.*$`, 'm');
+            if (regex.test(envContent)) {
+                envContent = envContent.replace(regex, `${key}=${value}`);
+            }
+            else {
+                if (envContent && !envContent.endsWith('\n')) {
+                    envContent += '\n';
+                }
+                envContent += `${key}=${value}\n`;
+            }
+        }
+        // Write .env file
+        await fs.writeFile(envPath, envContent, 'utf-8');
+        // Update .gitignore
+        await updateGitignore();
+        spinner.succeed(chalk.green('✅ Configuration saved'));
+    }
+    catch (error) {
+        spinner.fail(chalk.red('❌ Failed to save configuration'));
+        throw error;
+    }
+}
+/**
+ * Update .gitignore to include .env
+ */
+async function updateGitignore() {
+    try {
+        const gitignorePath = path.join(process.cwd(), '.gitignore');
+        let gitignoreContent = '';
+        try {
+            gitignoreContent = await fs.readFile(gitignorePath, 'utf-8');
+        }
+        catch {
+            // File doesn't exist
+        }
+        if (!gitignoreContent.includes('.env')) {
+            if (gitignoreContent && !gitignoreContent.endsWith('\n')) {
+                gitignoreContent += '\n';
+            }
+            gitignoreContent += '\n# LSH secrets\n.env\n';
+            await fs.writeFile(gitignorePath, gitignoreContent, 'utf-8');
+        }
+    }
+    catch {
+        // Ignore errors with .gitignore
+    }
+}
+/**
+ * Show success message with next steps
+ */
+function showSuccessMessage(config) {
+    console.log('');
+    console.log(chalk.bold.green('✨ Setup complete!'));
+    console.log(chalk.gray('━'.repeat(50)));
+    console.log('');
+    // Show encryption key
+    console.log(chalk.yellow('📝 Your encryption key (save this securely):'));
+    console.log(chalk.cyan(`   ${config.encryptionKey}`));
+    console.log('');
+    console.log(chalk.gray('   This key is saved in your .env file.'));
+    console.log(chalk.gray('   Share it with your team to sync secrets.'));
+    console.log('');
+    // Storage info
+    if (config.storageType === 'supabase') {
+        console.log(chalk.cyan('☁️  Using Supabase cloud storage'));
+    }
+    else if (config.storageType === 'postgres') {
+        console.log(chalk.cyan('🐘 Using PostgreSQL storage'));
+    }
+    else {
+        console.log(chalk.cyan('💾 Using local encryption'));
+    }
+    console.log('');
+    // Next steps
+    console.log(chalk.bold('🚀 Next steps:'));
+    console.log('');
+    console.log(chalk.gray('   1. Verify your setup:'));
+    console.log(chalk.cyan('      lsh doctor'));
+    console.log('');
+    if (config.storageType !== 'local') {
+        console.log(chalk.gray('   2. Push your secrets:'));
+        console.log(chalk.cyan('      lsh push --env dev'));
+        console.log('');
+        console.log(chalk.gray('   3. On another machine:'));
+        console.log(chalk.cyan('      lsh init          ') + chalk.gray('# Use the same credentials'));
+        console.log(chalk.cyan('      lsh pull --env dev'));
+    }
+    else {
+        console.log(chalk.gray('   2. Start managing secrets:'));
+        console.log(chalk.cyan('      lsh set API_KEY myvalue'));
+        console.log(chalk.cyan('      lsh list'));
+    }
+    console.log('');
+    console.log(chalk.gray('📖 Documentation: https://github.com/gwicho38/lsh'));
+    console.log('');
+}
+export default registerInitCommands;

package/dist/constants/api.js

@@ -0,0 +1,94 @@
+/**
+ * HTTP/API strings
+ *
+ * All API endpoints, HTTP headers, content types, and API-related constants.
+ */
+export const ENDPOINTS = {
+    // Health and status
+    HEALTH: '/health',
+    ROOT: '/',
+    // Authentication
+    AUTH: '/api/auth',
+    AUTH_REGISTER: '/auth/register',
+    AUTH_LOGIN: '/auth/login',
+    AUTH_API_KEY: '/auth/api-key',
+    // Jobs API
+    API_STATUS: '/api/status',
+    API_JOBS: '/api/jobs',
+    API_JOB_BY_ID: '/api/jobs/:id',
+    API_JOB_START: '/api/jobs/:id/start',
+    API_JOB_STOP: '/api/jobs/:id/stop',
+    API_JOB_TRIGGER: '/api/jobs/:id/trigger',
+    API_JOB_DELETE: '/api/jobs/:id',
+    API_JOBS_BULK: '/api/jobs/bulk',
+    // Events and webhooks
+    API_EVENTS: '/api/events',
+    API_WEBHOOKS: '/api/webhooks',
+    // Export
+    API_EXPORT_JOBS: '/api/export/jobs',
+    // Supabase sync
+    API_SUPABASE_SYNC: '/api/supabase/sync',
+    // CI/CD Webhooks
+    WEBHOOK_GITHUB: '/webhook/github',
+    WEBHOOK_GITLAB: '/webhook/gitlab',
+    WEBHOOK_JENKINS: '/webhook/jenkins',
+    // Dashboard
+    DASHBOARD_ROOT: '/dashboard/',
+    DASHBOARD: '/dashboard/',
+    DASHBOARD_ANALYTICS: '/dashboard/analytics',
+    DASHBOARD_ADMIN: '/dashboard/admin',
+    // Pipeline and metrics API
+    API_PIPELINES: '/api/pipelines',
+    API_METRICS: '/api/metrics',
+    // Analytics endpoints
+    API_ANALYTICS_REPORT: '/api/analytics/report',
+    API_ANALYTICS_TRENDS: '/api/analytics/trends',
+    API_ANALYTICS_ANOMALIES: '/api/analytics/anomalies',
+    API_ANALYTICS_INSIGHTS: '/api/analytics/insights',
+    API_ANALYTICS_PREDICTIONS: '/api/analytics/predictions',
+    API_ANALYTICS_COSTS: '/api/analytics/costs',
+    API_ANALYTICS_BOTTLENECKS: '/api/analytics/bottlenecks',
+};
+export const HTTP_HEADERS = {
+    // Standard headers
+    CONTENT_TYPE: 'Content-Type',
+    CACHE_CONTROL: 'Cache-Control',
+    CONNECTION: 'Connection',
+    AUTHORIZATION: 'authorization',
+    // Custom headers
+    X_API_KEY: 'x-api-key',
+    X_ACCEL_BUFFERING: 'X-Accel-Buffering',
+    // Webhook headers
+    GITHUB_SIGNATURE: 'x-hub-signature-256',
+    GITLAB_TOKEN: 'x-gitlab-token',
+    JENKINS_TOKEN: 'x-jenkins-token',
+};
+export const CONTENT_TYPES = {
+    EVENT_STREAM: 'text/event-stream',
+    JSON: 'application/json',
+    TEXT_PLAIN: 'text/plain',
+};
+export const CACHE_CONTROL_VALUES = {
+    NO_CACHE: 'no-cache',
+};
+export const CONNECTION_VALUES = {
+    KEEP_ALIVE: 'keep-alive',
+};
+export const X_ACCEL_BUFFERING_VALUES = {
+    NO: 'no',
+};
+export const AUTH = {
+    BEARER_PREFIX: 'Bearer ',
+};
+export const SOCKET_EVENTS = {
+    PIPELINE_UPDATE: 'pipeline_event',
+    METRICS_UPDATE: 'metrics_update',
+};
+export const METRICS = {
+    TOTAL_BUILDS: 'total_builds',
+    SUCCESSFUL_BUILDS: 'successful_builds',
+    FAILED_BUILDS: 'failed_builds',
+};
+export const REDIS_KEY_TEMPLATES = {
+    PIPELINE: 'pipeline:${eventId}',
+};

package/dist/constants/commands.js

@@ -0,0 +1,64 @@
+/**
+ * Command names and CLI strings
+ *
+ * All command names, subcommands, and CLI-related strings.
+ */
+export const CLI = {
+    NAME: 'lsh',
+    DESCRIPTION: 'LSH - Encrypted secrets manager with automatic rotation and team sync',
+    BANNER: 'LSH - Encrypted Secrets Manager with Automatic Rotation',
+};
+export const COMMANDS = {
+    // Core commands
+    SCRIPT: 'script <file>',
+    CONFIG: 'config',
+    ZSH: 'zsh',
+    HELP: 'help',
+    // Secrets commands
+    PUSH: 'push',
+    PULL: 'pull',
+    LIST: 'list',
+    ENV: 'env [environment]',
+    KEY: 'key',
+    CREATE: 'create',
+    SYNC: 'sync',
+    STATUS: 'status',
+    INFO: 'info',
+    GET: 'get [key]',
+    SET: 'set [key] [value]',
+    DELETE: 'delete',
+};
+export const JOB_COMMANDS = {
+    SECRETS_SYNC: 'secrets_sync',
+};
+export const JOB_STATUSES = {
+    CREATED: 'created',
+    RUNNING: 'running',
+    STOPPED: 'stopped',
+    COMPLETED: 'completed',
+    FAILED: 'failed',
+    KILLED: 'killed',
+};
+export const JOB_TYPES = {
+    SHELL: 'shell',
+    SYSTEM: 'system',
+    SCHEDULED: 'scheduled',
+    SERVICE: 'service',
+};
+export const IPC_COMMANDS = {
+    STATUS: 'status',
+    ADD_JOB: 'addJob',
+    START_JOB: 'startJob',
+    TRIGGER_JOB: 'triggerJob',
+    STOP_JOB: 'stopJob',
+    LIST_JOBS: 'listJobs',
+    GET_JOB: 'getJob',
+    REMOVE_JOB: 'removeJob',
+    RESTART: 'restart',
+    STOP: 'stop',
+};
+export const PLATFORMS = {
+    GITHUB: 'github',
+    GITLAB: 'gitlab',
+    JENKINS: 'jenkins',
+};

package/dist/constants/config.js

@@ -0,0 +1,56 @@
+/**
+ * Configuration keys and environment variables
+ *
+ * All environment variable names, configuration keys, and default values.
+ */
+export const ENV_VARS = {
+    // Core environment
+    NODE_ENV: 'NODE_ENV',
+    USER: 'USER',
+    HOSTNAME: 'HOSTNAME',
+    // LSH API configuration
+    LSH_API_ENABLED: 'LSH_API_ENABLED',
+    LSH_API_PORT: 'LSH_API_PORT',
+    LSH_API_KEY: 'LSH_API_KEY',
+    LSH_JWT_SECRET: 'LSH_JWT_SECRET',
+    LSH_ALLOW_DANGEROUS_COMMANDS: 'LSH_ALLOW_DANGEROUS_COMMANDS',
+    // Secrets management
+    LSH_SECRETS_KEY: 'LSH_SECRETS_KEY',
+    // Webhooks
+    LSH_ENABLE_WEBHOOKS: 'LSH_ENABLE_WEBHOOKS',
+    WEBHOOK_PORT: 'WEBHOOK_PORT',
+    GITHUB_WEBHOOK_SECRET: 'GITHUB_WEBHOOK_SECRET',
+    GITLAB_WEBHOOK_SECRET: 'GITLAB_WEBHOOK_SECRET',
+    JENKINS_WEBHOOK_SECRET: 'JENKINS_WEBHOOK_SECRET',
+    // Database and persistence
+    DATABASE_URL: 'DATABASE_URL',
+    SUPABASE_URL: 'SUPABASE_URL',
+    SUPABASE_ANON_KEY: 'SUPABASE_ANON_KEY',
+    REDIS_URL: 'REDIS_URL',
+    // Monitoring
+    MONITORING_API_PORT: 'MONITORING_API_PORT',
+};
+export const DEFAULTS = {
+    // Version
+    VERSION: '0.5.1',
+    // Ports
+    API_PORT: 3030,
+    WEBHOOK_PORT: 3033,
+    MONITORING_API_PORT: 3031,
+    // URLs
+    REDIS_URL: 'redis://localhost:6379',
+    DATABASE_URL: 'postgresql://localhost:5432/cicd',
+    // Timeouts and intervals
+    CHECK_INTERVAL_MS: 2000,
+    REQUEST_TIMEOUT_MS: 10000,
+    // Sizes
+    MAX_BUFFER_SIZE_BYTES: 1024 * 1024, // 1MB
+    MAX_LOG_SIZE_BYTES: 10 * 1024 * 1024, // 10MB
+    MAX_COMMAND_LENGTH: 10000,
+    // Limits
+    MAX_COMMAND_CHAINS: 5,
+    MAX_PIPE_USAGE: 3,
+    // Cache and retention
+    REDIS_CACHE_EXPIRY_SECONDS: 3600, // 1 hour
+    METRICS_RETENTION_SECONDS: 30 * 24 * 60 * 60, // 30 days
+};

package/dist/constants/database.js

@@ -0,0 +1,21 @@
+/**
+ * Database tables and schema constants
+ *
+ * All database table names, column names, and database-related constants.
+ */
+export const TABLES = {
+    // Shell-related tables
+    SHELL_HISTORY: 'shell_history',
+    SHELL_JOBS: 'shell_jobs',
+    SHELL_CONFIGURATION: 'shell_configuration',
+    SHELL_ALIASES: 'shell_aliases',
+    SHELL_FUNCTIONS: 'shell_functions',
+    SHELL_SESSIONS: 'shell_sessions',
+    SHELL_COMPLETIONS: 'shell_completions',
+    // CI/CD tables
+    PIPELINE_EVENTS: 'pipeline_events',
+    // Trading/ML tables (legacy)
+    TRADING_DISCLOSURES: 'trading_disclosures',
+    POLITICIANS: 'politicians',
+    DATA_PULL_JOBS: 'data_pull_jobs',
+};

package/dist/constants/errors.js

@@ -0,0 +1,79 @@
+/**
+ * Error messages
+ *
+ * All error messages, error prefixes, and error templates used throughout LSH.
+ * Use template strings with ${variable} for dynamic content.
+ */
+export const ERRORS = {
+    // General errors
+    ERROR_PREFIX: 'Error: ${message}',
+    ERROR_UNKNOWN: 'Unknown error',
+    ERROR_UNKNOWN_COMMAND: 'error: unknown command',
+    ERROR_UNKNOWN_COMMAND_PREFIX: 'error: unknown command',
+    // Daemon errors
+    DAEMON_ALREADY_RUNNING: 'Daemon is already running',
+    ERROR_DAEMON_ALREADY_RUNNING: 'Another daemon instance is already running',
+    SOCKET_NOT_FOUND: 'Daemon socket not found at ${socketPath}. Is the daemon running?',
+    SOCKET_PERMISSION_DENIED: 'Permission denied to access socket at ${socketPath}. Check file permissions.',
+    NOT_CONNECTED: 'Not connected to daemon',
+    RESPONSE_TOO_LARGE: 'Daemon response too large, truncating buffer',
+    REQUEST_TIMEOUT: 'Request timeout after 10 seconds for command: ${command}',
+    // Job errors
+    JOB_NOT_FOUND: 'Job ${jobId} not found',
+    // Script and config errors
+    ERROR_SCRIPT_PREFIX: 'Script error: ${message}',
+    ERROR_CONFIG_PREFIX: 'Config error: ${message}',
+    ERROR_SCRIPT_NOT_FOUND: 'Script file not found: ${scriptPath}',
+    ERROR_CONFIG_NOT_FOUND: 'Configuration file not found: ${rcFile}',
+    // File errors
+    FILE_NOT_FOUND: 'File not found: ${filePath}',
+    INVALID_FILENAME: 'Invalid filename: ${filename}. Filenames must not contain path separators or special characters.',
+    // ZSH compatibility errors
+    ERROR_ZSH_COMPAT_PREFIX: 'ZSH compatibility error: ${message}',
+    // Environment validation errors
+    INVALID_ENV_CONFIG: 'Invalid environment configuration. Check logs for details.',
+    // Command validation errors
+    COMMAND_EMPTY_STRING: 'Command must be a non-empty string',
+    COMMAND_WHITESPACE_ONLY: 'Command cannot be empty or whitespace only',
+    COMMAND_TOO_LONG: 'Command exceeds maximum length of ${maxLength} characters',
+    COMMAND_NOT_WHITELISTED: 'Command \'${commandName}\' is not in whitelist',
+    COMMAND_VALIDATION_FAILED: 'Command validation failed: ${errors}',
+    // Secrets errors
+    INVALID_ENCRYPTED_FORMAT: 'Invalid encrypted format',
+    DECRYPTION_FAILED_MESSAGE: `Failed to decrypt secrets.
+
+This could happen if:
+1. The LSH_SECRETS_KEY is incorrect or has changed
+2. The encrypted data is corrupted
+3. The data was encrypted with a different key
+
+To fix this:
+- Verify LSH_SECRETS_KEY matches the key used to encrypt
+- Or re-push your secrets with the current key: lsh push --env <environment>`,
+    DESTRUCTIVE_CHANGE: 'Destructive change detected',
+    NO_SECRETS_FOUND: 'No secrets found for file: ${filename} in environment: ${environment}',
+    NO_ENCRYPTED_DATA: 'No encrypted data found for environment: ${environment}',
+    // Security errors
+    DELETE_ROOT: 'Attempting to delete root filesystem',
+    MKFS_DETECTED: 'Filesystem formatting command detected',
+    DD_DETECTED: 'Direct disk write detected',
+    PRIV_ESCALATION: 'Privilege escalation attempt',
+    PASSWORD_MOD: 'Password modification attempt',
+    REMOTE_EXEC_CURL: 'Remote code execution via curl',
+    REMOTE_EXEC_WGET: 'Remote code execution via wget',
+    REVERSE_SHELL: 'Reverse shell attempt with netcat',
+    READ_SHADOW: 'Attempting to read shadow password file',
+    READ_PASSWD: 'Attempting to read user account file',
+    ACCESS_SSH_KEY: 'Attempting to access SSH private keys',
+    KILL_INIT: 'Attempting to kill init process',
+    KILL_SSHD: 'Attempting to kill SSH daemon',
+    BASE64_COMMAND: 'Base64 encoded command detected',
+    DYNAMIC_EVAL: 'Dynamic command evaluation detected',
+    NULL_BYTE: 'Null byte injection detected',
+};
+export const RISK_LEVELS = {
+    CRITICAL: 'critical',
+    HIGH: 'high',
+    MEDIUM: 'medium',
+    LOW: 'low',
+};