lsh-framework 1.7.3 → 1.7.4

package/dist/commands/init.js

@@ -257,8 +257,9 @@ async function saveConfiguration(config) {
             // File doesn't exist, start fresh
         }
         // Update or add configuration
-        // SECURITY: DO NOT save LSH_SECRETS_KEY to .env (circular encryption vulnerability)
-        const updates = {};
+        const updates = {
+            LSH_SECRETS_KEY: config.encryptionKey,
+        };
         if (config.storageType === 'supabase' && config.supabaseUrl && config.supabaseKey) {
             updates.SUPABASE_URL = config.supabaseUrl;
             updates.SUPABASE_ANON_KEY = config.supabaseKey;
@@ -326,23 +327,12 @@ function showSuccessMessage(config) {
     console.log(chalk.bold.green('✨ Setup complete!'));
     console.log(chalk.gray('━'.repeat(50)));
     console.log('');
-    // Show encryption key with shell profile instructions
-    console.log(chalk.yellow('🔑 Your encryption key (save this securely):'));
+    // Show encryption key
+    console.log(chalk.yellow('📝 Your encryption key (save this securely):'));
     console.log(chalk.cyan(`   ${config.encryptionKey}`));
     console.log('');
-    console.log(chalk.bold('⚠️  IMPORTANT: Add this to your shell profile, NOT to .env'));
-    console.log('');
-    console.log(chalk.gray('   Add to your shell profile:'));
-    console.log(chalk.cyan(`   echo 'export LSH_SECRETS_KEY="${config.encryptionKey}"' >> ~/.zshrc`));
-    console.log(chalk.cyan('   source ~/.zshrc'));
-    console.log('');
-    console.log(chalk.gray('   Then verify it\'s set:'));
-    console.log(chalk.cyan('   echo $LSH_SECRETS_KEY'));
-    console.log('');
-    console.log(chalk.gray('   Share this key securely with your team:'));
-    console.log(chalk.gray('   - Use 1Password, LastPass, or Bitwarden'));
-    console.log(chalk.gray('   - Send via encrypted email or Signal'));
-    console.log(chalk.gray('   - Never commit to git or post in public channels'));
+    console.log(chalk.gray('   This key is saved in your .env file.'));
+    console.log(chalk.gray('   Share it with your team to sync secrets.'));
     console.log('');
     // Storage info
     if (config.storageType === 'supabase') {

package/dist/lib/secrets-manager.js

@@ -371,84 +371,45 @@ export class SecretsManager {
         return environment;
     }
     /**
-     * Ensure encryption key is set in environment
-     * SECURITY: Key must be in shell profile, NEVER in project .env
+     * Generate encryption key if not set
      */
     async ensureEncryptionKey() {
-        if (process.env.LSH_SECRETS_KEY || this.encryptionKey) {
-            return true; // Key already set (env or constructor)
-        }
-        // DO NOT AUTO-GENERATE - This is a security violation
-        console.log('');
-        logger.error('❌ LSH_SECRETS_KEY environment variable not set');
-        console.log('');
-        logger.error('🔒 For security, this key must be stored in your shell profile,');
-        logger.error('   NOT in your project\'s .env file.');
-        console.log('');
-        logger.error('📝 Quick setup:');
-        console.log('');
-        logger.error('   1. Generate a key:');
-        logger.error('      lsh key');
-        console.log('');
-        logger.error('   2. Add to your shell profile:');
-        logger.error('      echo "export LSH_SECRETS_KEY=\'your-key-here\'" >> ~/.zshrc');
-        logger.error('      source ~/.zshrc');
-        console.log('');
-        logger.error('   3. Verify it\'s set:');
-        logger.error('      echo $LSH_SECRETS_KEY');
-        console.log('');
-        logger.error('📖 See SECURITY.md for complete details and team sharing.');
-        console.log('');
-        throw new Error('LSH_SECRETS_KEY not set in environment');
-    }
-    /**
-     * Check if LSH_SECRETS_KEY is in .env file (security violation)
-     * SECURITY: Keys in .env files create circular encryption and expose secrets
-     */
-    checkForKeyInEnvFile() {
-        // Skip check in test environment
-        if (process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID) {
-            return;
+        if (process.env.LSH_SECRETS_KEY) {
+            return true; // Key already set
         }
+        logger.warn('⚠️  No encryption key found. Generating a new key...');
+        const key = crypto.randomBytes(32).toString('hex');
+        // Try to add to .env file
         const envPath = path.join(process.cwd(), '.env');
-        if (!fs.existsSync(envPath)) {
-            return; // No .env file, nothing to check
-        }
         try {
-            const content = fs.readFileSync(envPath, 'utf8');
+            let content = '';
+            if (fs.existsSync(envPath)) {
+                content = fs.readFileSync(envPath, 'utf8');
+                if (!content.endsWith('\n')) {
+                    content += '\n';
+                }
+            }
+            // Check if LSH_SECRETS_KEY already exists (but empty)
             if (content.includes('LSH_SECRETS_KEY=')) {
-                console.log('');
-                logger.error('🚨 SECURITY ISSUE: LSH_SECRETS_KEY found in .env file!');
-                console.log('');
-                logger.error('⚠️  This is a critical security vulnerability:');
-                logger.error('   - Creates circular encryption (key encrypts itself)');
-                logger.error('   - Exposes key if .env is accidentally committed');
-                logger.error('   - Makes IPFS storage completely insecure');
-                console.log('');
-                logger.error('🔧 Fix this immediately:');
-                console.log('');
-                logger.error('   1. Copy the key value from .env');
-                logger.error('   2. Add to your shell profile:');
-                logger.error('      echo "export LSH_SECRETS_KEY=\'your-key\'" >> ~/.zshrc');
-                logger.error('      source ~/.zshrc');
-                console.log('');
-                logger.error('   3. Remove LSH_SECRETS_KEY line from .env:');
-                logger.error('      # Edit .env and DELETE the LSH_SECRETS_KEY= line');
-                console.log('');
-                logger.error('   4. Verify it\'s set correctly:');
-                logger.error('      echo $LSH_SECRETS_KEY');
-                console.log('');
-                logger.error('📖 See SECURITY.md for complete details.');
-                console.log('');
-                throw new Error('LSH_SECRETS_KEY must not be in .env file');
+                content = content.replace(/LSH_SECRETS_KEY=.*$/m, `LSH_SECRETS_KEY=${key}`);
+            }
+            else {
+                content += `\n# LSH Secrets Encryption Key (do not commit!)\nLSH_SECRETS_KEY=${key}\n`;
             }
+            fs.writeFileSync(envPath, content, 'utf8');
+            // Set in current process
+            process.env.LSH_SECRETS_KEY = key;
+            this.encryptionKey = key;
+            logger.info('✅ Generated and saved encryption key to .env');
+            logger.info('💡 Load it now: export LSH_SECRETS_KEY=' + key.substring(0, 8) + '...');
+            return true;
         }
         catch (error) {
-            // If we already threw our error, re-throw it
-            if (error.message === 'LSH_SECRETS_KEY must not be in .env file') {
-                throw error;
-            }
-            // Otherwise, ignore read errors
+            const _err = error;
+            logger.error(`Failed to save encryption key: ${_err.message}`);
+            logger.info('Please set it manually:');
+            logger.info(`export LSH_SECRETS_KEY=${key}`);
+            return false;
         }
     }
     /**
@@ -567,19 +528,17 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 }
                 out();
             }
-            // Step 1: Check for security violations
-            this.checkForKeyInEnvFile(); // Must be BEFORE ensureEncryptionKey
-            // Step 2: Ensure encryption key exists
+            // Step 1: Ensure encryption key exists
             if (!process.env.LSH_SECRETS_KEY) {
                 logger.info('🔑 No encryption key found...');
                 await this.ensureEncryptionKey();
                 out();
             }
-            // Step 3: Ensure .gitignore includes .env
+            // Step 2: Ensure .gitignore includes .env
             if (this.gitInfo?.isGitRepo) {
                 ensureEnvInGitignore(process.cwd());
             }
-            // Step 4: Check current status
+            // Step 3: Check current status
             const status = await this.status(envFilePath, effectiveEnv);
             out('📊 Current Status:');
             out(`   Encryption key: ${status.keySet ? '✅' : '❌'}`);
@@ -589,7 +548,7 @@ LSH_SECRETS_KEY=${this.encryptionKey}
                 out(`   Key matches: ${status.keyMatches ? '✅' : '❌'}`);
             }
             out();
-            // Step 5: Determine action and execute if auto mode
+            // Step 4: Determine action and execute if auto mode
             let _action = 'in-sync';
             if (status.cloudExists && status.keyMatches === false) {
                 _action = 'key-mismatch';

package/dist/services/secrets/secrets.js

@@ -7,7 +7,6 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as readline from 'readline';
 import { getGitRepoInfo } from '../../lib/git-utils.js';
-import chalk from 'chalk';
 export async function init_secrets(program) {
     // Push secrets to cloud
     program
@@ -198,27 +197,11 @@ export async function init_secrets(program) {
         }
         else {
             // Interactive output with tips
-            console.log('');
-            console.log('🔑 New encryption key generated!\n');
-            console.log(chalk.cyan(`   ${key}`));
-            console.log('');
-            console.log(chalk.bold('⚠️  IMPORTANT: Add to your shell profile, NOT to .env'));
-            console.log('');
-            console.log(chalk.gray('   1. Add to your shell profile:'));
-            console.log(chalk.cyan(`      echo 'export LSH_SECRETS_KEY="${key}"' >> ~/.zshrc`));
-            console.log(chalk.cyan('      source ~/.zshrc'));
-            console.log('');
-            console.log(chalk.gray('   2. Verify it\'s set:'));
-            console.log(chalk.cyan('      echo $LSH_SECRETS_KEY'));
-            console.log('');
-            console.log(chalk.gray('   3. Share securely with your team:'));
-            console.log(chalk.gray('      - Use 1Password, LastPass, or Bitwarden'));
-            console.log(chalk.gray('      - Send via encrypted email or Signal'));
-            console.log(chalk.gray('      - NEVER commit to git or .env file'));
-            console.log('');
-            console.log(chalk.gray('💡 Quick load: eval "$(lsh key --export)"'));
-            console.log(chalk.gray('📖 Details: See SECURITY.md'));
-            console.log('');
+            console.log('\n🔑 New encryption key (add to your .env):\n');
+            console.log(`export LSH_SECRETS_KEY='${key}'\n`);
+            console.log('💡 Tip: Share this key securely with your team to sync secrets.');
+            console.log('    Never commit it to git!\n');
+            console.log('💡 To load immediately: eval "$(lsh key --export)"\n');
         }
     });
     // Create .env file

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {