lsh-framework 1.7.2 → 1.7.3

package/README.md

@@ -512,6 +512,11 @@ lsh -s script.sh
 
 ## Security
 
+> **⚠️ CRITICAL: Read [SECURITY.md](SECURITY.md) for complete security guidelines**
+>
+> The security of your secrets depends entirely on how you store your `LSH_SECRETS_KEY`.
+> **Never store it in your project's `.env` file** - use your shell profile instead.
+
 ### Encryption
 
 - **Algorithm**: AES-256-CBC
@@ -522,16 +527,18 @@ lsh -s script.sh
 ### Best Practices
 
 **✅ DO:**
-- Generate unique keys per project
-- Share keys via 1Password/LastPass
-- Use different keys for personal vs team projects
+- Store `LSH_SECRETS_KEY` in your shell profile (`~/.zshrc`, `~/.bashrc`)
+- Generate unique keys per project/team
+- Share keys securely via 1Password/LastPass/Bitwarden
+- Use different keys for dev/staging/production environments
 - Rotate keys periodically
-- Keep backups of your .env files
+- Keep encrypted backups of your encryption key
 
 **❌ DON'T:**
+- Store `LSH_SECRETS_KEY` in your project's `.env` file
 - Commit `LSH_SECRETS_KEY` to git
 - Share keys in plain text (Slack, email, etc.)
-- Reuse keys across projects
+- Reuse keys across different teams/projects
 - Store production secrets in dev environment
 
 ### Command Validation

package/dist/commands/init.js

@@ -257,9 +257,8 @@ async function saveConfiguration(config) {
             // File doesn't exist, start fresh
         }
         // Update or add configuration
-        const updates = {
-            LSH_SECRETS_KEY: config.encryptionKey,
-        };
+        // SECURITY: DO NOT save LSH_SECRETS_KEY to .env (circular encryption vulnerability)
+        const updates = {};
         if (config.storageType === 'supabase' && config.supabaseUrl && config.supabaseKey) {
             updates.SUPABASE_URL = config.supabaseUrl;
             updates.SUPABASE_ANON_KEY = config.supabaseKey;
@@ -327,12 +326,23 @@ function showSuccessMessage(config) {
     console.log(chalk.bold.green('✨ Setup complete!'));
     console.log(chalk.gray('━'.repeat(50)));
     console.log('');
-    // Show encryption key
-    console.log(chalk.yellow('📝 Your encryption key (save this securely):'));
+    // Show encryption key with shell profile instructions
+    console.log(chalk.yellow('🔑 Your encryption key (save this securely):'));
     console.log(chalk.cyan(`   ${config.encryptionKey}`));
     console.log('');
-    console.log(chalk.gray('   This key is saved in your .env file.'));
-    console.log(chalk.gray('   Share it with your team to sync secrets.'));
+    console.log(chalk.bold('⚠️  IMPORTANT: Add this to your shell profile, NOT to .env'));
+    console.log('');
+    console.log(chalk.gray('   Add to your shell profile:'));
+    console.log(chalk.cyan(`   echo 'export LSH_SECRETS_KEY="${config.encryptionKey}"' >> ~/.zshrc`));
+    console.log(chalk.cyan('   source ~/.zshrc'));
+    console.log('');
+    console.log(chalk.gray('   Then verify it\'s set:'));
+    console.log(chalk.cyan('   echo $LSH_SECRETS_KEY'));
+    console.log('');
+    console.log(chalk.gray('   Share this key securely with your team:'));
+    console.log(chalk.gray('   - Use 1Password, LastPass, or Bitwarden'));
+    console.log(chalk.gray('   - Send via encrypted email or Signal'));
+    console.log(chalk.gray('   - Never commit to git or post in public channels'));
     console.log('');
     // Storage info
     if (config.storageType === 'supabase') {

package/dist/lib/secrets-manager.js

@@ -371,45 +371,84 @@ export class SecretsManager {
         return environment;
     }
     /**
-     * Generate encryption key if not set
+     * Ensure encryption key is set in environment
+     * SECURITY: Key must be in shell profile, NEVER in project .env
      */
     async ensureEncryptionKey() {
-        if (process.env.LSH_SECRETS_KEY) {
-            return true; // Key already set
+        if (process.env.LSH_SECRETS_KEY || this.encryptionKey) {
+            return true; // Key already set (env or constructor)
+        }
+        // DO NOT AUTO-GENERATE - This is a security violation
+        console.log('');
+        logger.error('❌ LSH_SECRETS_KEY environment variable not set');
+        console.log('');
+        logger.error('🔒 For security, this key must be stored in your shell profile,');
+        logger.error('   NOT in your project\'s .env file.');
+        console.log('');
+        logger.error('📝 Quick setup:');
+        console.log('');
+        logger.error('   1. Generate a key:');
+        logger.error('      lsh key');
+        console.log('');
+        logger.error('   2. Add to your shell profile:');
+        logger.error('      echo "export LSH_SECRETS_KEY=\'your-key-here\'" >> ~/.zshrc');
+        logger.error('      source ~/.zshrc');
+        console.log('');
+        logger.error('   3. Verify it\'s set:');
+        logger.error('      echo $LSH_SECRETS_KEY');
+        console.log('');
+        logger.error('📖 See SECURITY.md for complete details and team sharing.');
+        console.log('');
+        throw new Error('LSH_SECRETS_KEY not set in environment');
+    }
+    /**
+     * Check if LSH_SECRETS_KEY is in .env file (security violation)
+     * SECURITY: Keys in .env files create circular encryption and expose secrets
+     */
+    checkForKeyInEnvFile() {
+        // Skip check in test environment
+        if (process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID) {
+            return;
         }
-        logger.warn('⚠️  No encryption key found. Generating a new key...');
-        const key = crypto.randomBytes(32).toString('hex');
-        // Try to add to .env file
         const envPath = path.join(process.cwd(), '.env');
+        if (!fs.existsSync(envPath)) {
+            return; // No .env file, nothing to check
+        }
         try {
-            let content = '';
-            if (fs.existsSync(envPath)) {
-                content = fs.readFileSync(envPath, 'utf8');
-                if (!content.endsWith('\n')) {
-                    content += '\n';
-                }
-            }
-            // Check if LSH_SECRETS_KEY already exists (but empty)
+            const content = fs.readFileSync(envPath, 'utf8');
             if (content.includes('LSH_SECRETS_KEY=')) {
-                content = content.replace(/LSH_SECRETS_KEY=.*$/m, `LSH_SECRETS_KEY=${key}`);
-            }
-            else {
-                content += `\n# LSH Secrets Encryption Key (do not commit!)\nLSH_SECRETS_KEY=${key}\n`;
+                console.log('');
+                logger.error('🚨 SECURITY ISSUE: LSH_SECRETS_KEY found in .env file!');
+                console.log('');
+                logger.error('⚠️  This is a critical security vulnerability:');
+                logger.error('   - Creates circular encryption (key encrypts itself)');
+                logger.error('   - Exposes key if .env is accidentally committed');
+                logger.error('   - Makes IPFS storage completely insecure');
+                console.log('');
+                logger.error('🔧 Fix this immediately:');
+                console.log('');
+                logger.error('   1. Copy the key value from .env');
+                logger.error('   2. Add to your shell profile:');
+                logger.error('      echo "export LSH_SECRETS_KEY=\'your-key\'" >> ~/.zshrc');
+                logger.error('      source ~/.zshrc');
+                console.log('');
+                logger.error('   3. Remove LSH_SECRETS_KEY line from .env:');
+                logger.error('      # Edit .env and DELETE the LSH_SECRETS_KEY= line');
+                console.log('');
+                logger.error('   4. Verify it\'s set correctly:');
+                logger.error('      echo $LSH_SECRETS_KEY');
+                console.log('');
+                logger.error('📖 See SECURITY.md for complete details.');
+                console.log('');
+                throw new Error('LSH_SECRETS_KEY must not be in .env file');
             }
-            fs.writeFileSync(envPath, content, 'utf8');
-            // Set in current process
-            process.env.LSH_SECRETS_KEY = key;
-            this.encryptionKey = key;
-            logger.info('✅ Generated and saved encryption key to .env');
-            logger.info('💡 Load it now: export LSH_SECRETS_KEY=' + key.substring(0, 8) + '...');
-            return true;
         }
         catch (error) {
-            const _err = error;
-            logger.error(`Failed to save encryption key: ${_err.message}`);
-            logger.info('Please set it manually:');
-            logger.info(`export LSH_SECRETS_KEY=${key}`);
-            return false;
+            // If we already threw our error, re-throw it
+            if (error.message === 'LSH_SECRETS_KEY must not be in .env file') {
+                throw error;
+            }
+            // Otherwise, ignore read errors
         }
     }
     /**
@@ -528,17 +567,19 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 }
                 out();
             }
-            // Step 1: Ensure encryption key exists
+            // Step 1: Check for security violations
+            this.checkForKeyInEnvFile(); // Must be BEFORE ensureEncryptionKey
+            // Step 2: Ensure encryption key exists
             if (!process.env.LSH_SECRETS_KEY) {
                 logger.info('🔑 No encryption key found...');
                 await this.ensureEncryptionKey();
                 out();
             }
-            // Step 2: Ensure .gitignore includes .env
+            // Step 3: Ensure .gitignore includes .env
             if (this.gitInfo?.isGitRepo) {
                 ensureEnvInGitignore(process.cwd());
             }
-            // Step 3: Check current status
+            // Step 4: Check current status
             const status = await this.status(envFilePath, effectiveEnv);
             out('📊 Current Status:');
             out(`   Encryption key: ${status.keySet ? '✅' : '❌'}`);
@@ -548,7 +589,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 out(`   Key matches: ${status.keyMatches ? '✅' : '❌'}`);
             }
             out();
-            // Step 4: Determine action and execute if auto mode
+            // Step 5: Determine action and execute if auto mode
             let _action = 'in-sync';
             if (status.cloudExists && status.keyMatches === false) {
                 _action = 'key-mismatch';

package/dist/services/secrets/secrets.js

@@ -7,6 +7,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as readline from 'readline';
 import { getGitRepoInfo } from '../../lib/git-utils.js';
+import chalk from 'chalk';
 export async function init_secrets(program) {
     // Push secrets to cloud
     program
@@ -197,11 +198,27 @@ export async function init_secrets(program) {
         }
         else {
             // Interactive output with tips
-            console.log('\n🔑 New encryption key (add to your .env):\n');
-            console.log(`export LSH_SECRETS_KEY='${key}'\n`);
-            console.log('💡 Tip: Share this key securely with your team to sync secrets.');
-            console.log('    Never commit it to git!\n');
-            console.log('💡 To load immediately: eval "$(lsh key --export)"\n');
+            console.log('');
+            console.log('🔑 New encryption key generated!\n');
+            console.log(chalk.cyan(`   ${key}`));
+            console.log('');
+            console.log(chalk.bold('⚠️  IMPORTANT: Add to your shell profile, NOT to .env'));
+            console.log('');
+            console.log(chalk.gray('   1. Add to your shell profile:'));
+            console.log(chalk.cyan(`      echo 'export LSH_SECRETS_KEY="${key}"' >> ~/.zshrc`));
+            console.log(chalk.cyan('      source ~/.zshrc'));
+            console.log('');
+            console.log(chalk.gray('   2. Verify it\'s set:'));
+            console.log(chalk.cyan('      echo $LSH_SECRETS_KEY'));
+            console.log('');
+            console.log(chalk.gray('   3. Share securely with your team:'));
+            console.log(chalk.gray('      - Use 1Password, LastPass, or Bitwarden'));
+            console.log(chalk.gray('      - Send via encrypted email or Signal'));
+            console.log(chalk.gray('      - NEVER commit to git or .env file'));
+            console.log('');
+            console.log(chalk.gray('💡 Quick load: eval "$(lsh key --export)"'));
+            console.log(chalk.gray('📖 Details: See SECURITY.md'));
+            console.log('');
         }
     });
     // Create .env file

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "1.7.2",
+  "version": "1.7.3",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {