npm - lsh-framework - Versions diffs - 2.2.4 → 2.3.0 - Mend

lsh-framework 2.2.4 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/lib/lsh-config.js +139 -0
package/dist/lib/secrets-manager.js +77 -15
package/package.json +1 -1

package/dist/lib/lsh-config.js ADDED Viewed

@@ -0,0 +1,139 @@
+/**
+ * LSH Configuration Manager
+ *
+ * Manages encryption keys and configuration for different repositories.
+ * Keys are stored in ~/.lsh/config.json separate from the .env files being synced.
+ *
+ * This prevents sync conflicts where different hosts overwrite each other's keys.
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { logger } from './logger.js';
+export class LshConfigManager {
+    configPath;
+    config;
+    constructor(configPath) {
+        this.configPath = configPath || path.join(os.homedir(), '.lsh', 'config.json');
+        this.config = this.loadConfig();
+    }
+    /**
+     * Load config from disk, or create default if it doesn't exist
+     */
+    loadConfig() {
+        try {
+            if (fs.existsSync(this.configPath)) {
+                const data = fs.readFileSync(this.configPath, 'utf-8');
+                return JSON.parse(data);
+            }
+        }
+        catch (error) {
+            const err = error;
+            logger.warn(`Failed to load config: ${err.message}`);
+        }
+        // Return default config
+        return {
+            version: '1.0.0',
+            keys: {},
+        };
+    }
+    /**
+     * Save config to disk
+     */
+    saveConfig() {
+        try {
+            const dir = path.dirname(this.configPath);
+            if (!fs.existsSync(dir)) {
+                fs.mkdirSync(dir, { recursive: true });
+            }
+            fs.writeFileSync(this.configPath, JSON.stringify(this.config, null, 2), 'utf-8');
+        }
+        catch (error) {
+            const err = error;
+            logger.error(`Failed to save config: ${err.message}`);
+            throw error;
+        }
+    }
+    /**
+     * Get encryption key for a specific repository
+     */
+    getKey(repoName) {
+        // Check config file first
+        if (this.config.keys[repoName]) {
+            // Update last used timestamp
+            this.config.keys[repoName].lastUsed = new Date().toISOString();
+            this.saveConfig();
+            return this.config.keys[repoName].key;
+        }
+        // Fall back to environment variables
+        const envKey = process.env.LSH_SECRETS_KEY || process.env.LSH_MASTER_KEY;
+        if (envKey) {
+            logger.debug(`Using encryption key from environment for ${repoName}`);
+            return envKey;
+        }
+        return null;
+    }
+    /**
+     * Set encryption key for a specific repository
+     */
+    setKey(repoName, key) {
+        this.config.keys[repoName] = {
+            key,
+            createdAt: this.config.keys[repoName]?.createdAt || new Date().toISOString(),
+            lastUsed: new Date().toISOString(),
+        };
+        this.saveConfig();
+        logger.debug(`Saved encryption key for ${repoName}`);
+    }
+    /**
+     * Check if a key exists for a repository
+     */
+    hasKey(repoName) {
+        return !!this.config.keys[repoName];
+    }
+    /**
+     * Remove encryption key for a repository
+     */
+    removeKey(repoName) {
+        delete this.config.keys[repoName];
+        this.saveConfig();
+        logger.debug(`Removed encryption key for ${repoName}`);
+    }
+    /**
+     * List all repositories with stored keys
+     */
+    listKeys() {
+        return Object.entries(this.config.keys).map(([repoName, data]) => ({
+            repoName,
+            createdAt: data.createdAt,
+            lastUsed: data.lastUsed,
+        }));
+    }
+    /**
+     * Export key for sharing with other hosts
+     */
+    exportKey(repoName) {
+        const key = this.getKey(repoName);
+        if (!key) {
+            return null;
+        }
+        return `export LSH_SECRETS_KEY='${key}'`;
+    }
+    /**
+     * Get config file path (for debugging/migration)
+     */
+    getConfigPath() {
+        return this.configPath;
+    }
+}
+// Singleton instance
+let _configManager = null;
+/**
+ * Get the global LSH config manager instance
+ */
+export function getLshConfig() {
+    if (!_configManager) {
+        _configManager = new LshConfigManager();
+    }
+    return _configManager;
+}

package/dist/lib/secrets-manager.js CHANGED Viewed

@@ -112,6 +112,32 @@ export class SecretsManager {
         }
         return env;
     }
+    /**
+     * Filter out LSH-internal keys that should not be synced
+     * These keys are host-specific and syncing them would cause conflicts
+     */
+    filterLshInternalKeys(env) {
+        const filtered = {};
+        const excludedKeys = new Set([
+            'LSH_SECRETS_KEY', // Encryption key - host-specific, managed separately
+            'LSH_MASTER_KEY', // Alternative encryption key name
+            'LSH_INTERNAL_', // Any other LSH internal keys
+        ]);
+        for (const [key, value] of Object.entries(env)) {
+            // Skip exact matches
+            if (excludedKeys.has(key)) {
+                logger.debug(`Filtering out LSH-internal key: ${key}`);
+                continue;
+            }
+            // Skip keys starting with LSH_INTERNAL_
+            if (key.startsWith('LSH_INTERNAL_')) {
+                logger.debug(`Filtering out LSH-internal key: ${key}`);
+                continue;
+            }
+            filtered[key] = value;
+        }
+        return filtered;
+    }
     /**
      * Format env vars as .env file content
      */
@@ -186,13 +212,20 @@ export class SecretsManager {
         }
         logger.info(`Pushing ${envFilePath} to IPFS (${effectiveEnv})...`);
         const content = fs.readFileSync(envFilePath, 'utf8');
-        const env = this.parseEnvFile(content);
+        const envParsed = this.parseEnvFile(content);
+        // Filter out LSH-internal keys (encryption keys, etc.) that should not be synced
+        const env = this.filterLshInternalKeys(envParsed);
+        const filteredCount = Object.keys(envParsed).length - Object.keys(env).length;
+        if (filteredCount > 0) {
+            logger.debug(`Filtered out ${filteredCount} LSH-internal key(s) from sync`);
+        }
         // Check for destructive changes unless force is true
         if (!force) {
             try {
                 // Check if secrets already exist for this environment
-                if (this.storage.exists(effectiveEnv, this.gitInfo?.repoName)) {
-                    const existingSecrets = await this.storage.pull(effectiveEnv, this.encryptionKey, this.gitInfo?.repoName);
+                // Use raw environment to match storage.push() behavior
+                if (this.storage.exists(environment, this.gitInfo?.repoName)) {
+                    const existingSecrets = await this.storage.pull(environment, this.encryptionKey, this.gitInfo?.repoName);
                     const cloudEnv = {};
                     existingSecrets.forEach(s => {
                         cloudEnv[s.key] = s.value;
@@ -221,7 +254,8 @@ export class SecretsManager {
             updatedAt: new Date(),
         }));
         // Store on IPFS
-        const cid = await this.storage.push(secrets, effectiveEnv, this.encryptionKey, this.gitInfo?.repoName, this.gitInfo?.currentBranch);
+        const cid = await this.storage.push(secrets, environment, // Use raw environment, storage will apply repo-aware naming
+        this.encryptionKey, this.gitInfo?.repoName, this.gitInfo?.currentBranch);
         logger.info(`✅ Pushed ${secrets.length} secrets from ${filename} to IPFS`);
         console.log(`📦 IPFS CID: ${cid}`);
         // Log to IPFS for immutable audit record
@@ -239,22 +273,50 @@ export class SecretsManager {
         const effectiveEnv = this.getRepoAwareEnvironment(environment);
         logger.info(`Pulling ${filename} (${effectiveEnv}) from IPFS...`);
         // Get secrets from IPFS storage
-        const secrets = await this.storage.pull(effectiveEnv, this.encryptionKey, this.gitInfo?.repoName);
+        // Use raw environment parameter to match how push() stores them
+        const secrets = await this.storage.pull(environment, // Use raw environment, not effectiveEnv
+        this.encryptionKey, this.gitInfo?.repoName);
         if (secrets.length === 0) {
             throw new Error(`No secrets found for environment: ${effectiveEnv}\n\n` +
                 `💡 Tip: Check available environments with: lsh env\n` +
                 `   Or push secrets first with: lsh push --env ${environment}`);
         }
-        // Backup existing .env if it exists (unless force is true)
-        if (fs.existsSync(envFilePath) && !force) {
-            const backup = `${envFilePath}.backup.${Date.now()}`;
-            fs.copyFileSync(envFilePath, backup);
-            logger.info(`Backed up existing .env to ${backup}`);
-        }
-        // Convert secrets back to .env format
-        const envContent = secrets
-            .map(s => `${s.key}=${s.value}`)
-            .join('\n') + '\n';
+        // Preserve local LSH-internal keys before overwriting
+        let localLshKeys = {};
+        if (fs.existsSync(envFilePath)) {
+            const existingContent = fs.readFileSync(envFilePath, 'utf8');
+            const existingEnv = this.parseEnvFile(existingContent);
+            // Extract LSH-internal keys to preserve
+            const lshKeyNames = ['LSH_SECRETS_KEY', 'LSH_MASTER_KEY'];
+            for (const keyName of lshKeyNames) {
+                if (existingEnv[keyName]) {
+                    localLshKeys[keyName] = existingEnv[keyName];
+                    logger.debug(`Preserving local ${keyName}`);
+                }
+            }
+            // Also preserve any LSH_INTERNAL_* keys
+            for (const [key, value] of Object.entries(existingEnv)) {
+                if (key.startsWith('LSH_INTERNAL_')) {
+                    localLshKeys[key] = value;
+                    logger.debug(`Preserving local ${key}`);
+                }
+            }
+            // Backup existing .env (unless force is true)
+            if (!force) {
+                const backup = `${envFilePath}.backup.${Date.now()}`;
+                fs.copyFileSync(envFilePath, backup);
+                logger.info(`Backed up existing ${filename} to ${backup}`);
+            }
+        }
+        // Convert secrets back to env object
+        const pulledEnv = {};
+        secrets.forEach(s => {
+            pulledEnv[s.key] = s.value;
+        });
+        // Merge pulled secrets with preserved local LSH keys
+        const finalEnv = { ...pulledEnv, ...localLshKeys };
+        // Convert to .env format
+        const envContent = this.formatEnvFile(finalEnv);
         // Write new .env
         fs.writeFileSync(envFilePath, envContent, 'utf8');
         logger.info(`✅ Pulled ${secrets.length} secrets from IPFS`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "2.2.4",
+  "version": "2.3.0",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync, IPFS audit logs, and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {