mossring 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 anonymoustest
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,52 @@
+# anonymoustest
+
+用密钥文件对本地文件进行 **AES-256-GCM** 加密 / 解密的命令行工具。零第三方依赖，仅使用 Node.js 内置 `crypto`。
+
+隐私保护靠的是**真正的加密**，而不是改后缀或伪装——没有密钥，文件内容就是无法读取的密文。
+
+## 安装
+
+```bash
+npm install -g mossring
+# 或免安装直接用：
+npx mossring --help
+```
+
+## 使用
+
+```bash
+# 1. 生成一把密钥（请离线备份）
+mossring keygen -o my.key
+
+# 2. 加密文件 → 生成 secret.pdf.enc
+mossring encrypt secret.pdf -k my.key
+
+# 3. 解密 → 还原 secret.pdf
+mossring decrypt secret.pdf.enc -k my.key
+```
+
+### 选项
+
+| 选项 | 说明 |
+| --- | --- |
+| `-k, --key` | 密钥文件路径 |
+| `-o, --out` | 输出文件路径 |
+| `-f, --force` | 覆盖已存在的输出文件 |
+| `-h, --help` | 显示帮助 |
+
+## 加密细节
+
+- **算法**：AES-256-GCM（带完整性校验，文件被篡改会在解密时报错）
+- **密钥派生**：每个文件用随机 16 字节 salt 经 HKDF-SHA256 派生独立子密钥，避免 IV 重用风险
+- **文件格式**：`MAGIC(5) | VERSION(1) | SALT(16) | IV(12) | TAG(16) | 密文`
+- **密钥**：256-bit 随机密钥，base64 存储于密钥文件（权限 `0600`）
+
+## 重要提示
+
+- **密钥丢失 = 数据永久无法恢复**，请离线备份密钥文件。
+- 密钥文件不要和加密文件放在一起，也不要提交到代码仓库。
+- 当前实现会将整个文件读入内存，超大文件请注意内存占用。
+
+## License
+
+MIT

package/bin/cli.js

@@ -0,0 +1,111 @@
+#!/usr/bin/env node
+import { readFileSync, writeFileSync, existsSync, chmodSync } from "node:fs";
+import { argv, exit } from "node:process";
+import { generateKey, encodeKey, decodeKey, encrypt, decrypt } from "../src/crypto.js";
+
+const HELP = `mossring — 用密钥文件加密/解密本地文件 (AES-256-GCM)
+
+用法:
+  mossring keygen [-o <密钥文件>] [-f]
+  mossring encrypt <文件> -k <密钥文件> [-o <输出>] [-f]
+  mossring decrypt <文件> -k <密钥文件> [-o <输出>] [-f]
+
+选项:
+  -k, --key    密钥文件路径
+  -o, --out    输出文件路径
+  -f, --force  覆盖已存在的输出文件
+  -h, --help   显示帮助
+
+示例:
+  mossring keygen -o my.key
+  mossring encrypt secret.pdf -k my.key        # 生成 secret.pdf.enc
+  mossring decrypt secret.pdf.enc -k my.key    # 还原 secret.pdf
+
+注意: 密钥文件丢失后，加密文件无法恢复，请务必离线备份。`;
+
+function fail(msg) {
+  console.error("错误：" + msg);
+  exit(1);
+}
+
+function parseArgs(args) {
+  const positional = [];
+  const opts = {};
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "-k" || a === "--key") opts.key = args[++i];
+    else if (a === "-o" || a === "--out") opts.out = args[++i];
+    else if (a === "-f" || a === "--force") opts.force = true;
+    else if (a === "-h" || a === "--help") opts.help = true;
+    else positional.push(a);
+  }
+  return { positional, opts };
+}
+
+function ensureWritable(path, force) {
+  if (existsSync(path) && !force) {
+    fail(`目标文件已存在：${path}（加 -f 覆盖）`);
+  }
+}
+
+function loadKey(keyPath) {
+  if (!keyPath) fail("缺少密钥文件，请用 -k <密钥文件> 指定");
+  if (!existsSync(keyPath)) fail(`密钥文件不存在：${keyPath}`);
+  try {
+    return decodeKey(readFileSync(keyPath, "utf8"));
+  } catch (e) {
+    return fail(e.message);
+  }
+}
+
+const [, , cmd, ...rest] = argv;
+const { positional, opts } = parseArgs(rest);
+
+if (!cmd || cmd === "help" || opts.help) {
+  console.log(HELP);
+  exit(0);
+}
+
+if (cmd === "keygen") {
+  const out = opts.out || "mossring.key";
+  ensureWritable(out, opts.force);
+  writeFileSync(out, encodeKey(generateKey()) + "\n", { mode: 0o600 });
+  try {
+    chmodSync(out, 0o600);
+  } catch {
+    /* Windows 等平台忽略权限设置 */
+  }
+  console.log(`已生成密钥：${out}`);
+  console.log("⚠️  请离线备份此密钥。密钥丢失 = 加密文件永久无法恢复。");
+  exit(0);
+}
+
+if (cmd === "encrypt" || cmd === "decrypt") {
+  const input = positional[0];
+  if (!input) fail("缺少输入文件");
+  if (!existsSync(input)) fail(`输入文件不存在：${input}`);
+  const masterKey = loadKey(opts.key);
+  const data = readFileSync(input);
+
+  if (cmd === "encrypt") {
+    const out = opts.out || input + ".enc";
+    ensureWritable(out, opts.force);
+    writeFileSync(out, encrypt(data, masterKey));
+    console.log(`已加密：${input} → ${out}`);
+  } else {
+    const out =
+      opts.out || (input.endsWith(".enc") ? input.slice(0, -4) : input + ".dec");
+    ensureWritable(out, opts.force);
+    let plain;
+    try {
+      plain = decrypt(data, masterKey);
+    } catch (e) {
+      fail(e.message);
+    }
+    writeFileSync(out, plain);
+    console.log(`已解密：${input} → ${out}`);
+  }
+  exit(0);
+}
+
+fail(`未知命令：${cmd}（运行 mossring --help 查看用法）`);

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "mossring",
+  "version": "1.0.0",
+  "description": "用密钥文件对本地文件进行 AES-256-GCM 加密/解密的命令行工具",
+  "type": "module",
+  "bin": {
+    "mossring": "bin/cli.js"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "encryption",
+    "aes-256-gcm",
+    "cli",
+    "privacy",
+    "file-encryption",
+    "crypto"
+  ],
+  "license": "MIT"
+}

package/src/crypto.js

@@ -0,0 +1,67 @@
+import { createCipheriv, createDecipheriv, randomBytes, hkdfSync } from "node:crypto";
+
+// 文件格式：MAGIC(5) | VERSION(1) | SALT(16) | IV(12) | TAG(16) | CIPHERTEXT
+const MAGIC = Buffer.from("ANON1", "utf8");
+const VERSION = 1;
+const KEY_LEN = 32; // AES-256
+const SALT_LEN = 16;
+const IV_LEN = 12; // GCM 推荐 96-bit
+const TAG_LEN = 16;
+const HKDF_INFO = Buffer.from("anonymoustest/file-encryption/v1", "utf8");
+
+// 生成一把全新的 256-bit 主密钥
+export function generateKey() {
+  return randomBytes(KEY_LEN);
+}
+
+export function encodeKey(keyBuf) {
+  return keyBuf.toString("base64");
+}
+
+export function decodeKey(text) {
+  const buf = Buffer.from(String(text).trim(), "base64");
+  if (buf.length !== KEY_LEN) {
+    throw new Error(`无效的密钥文件：期望 ${KEY_LEN} 字节，实际 ${buf.length} 字节`);
+  }
+  return buf;
+}
+
+// 每个文件用随机 salt 派生独立子密钥，避免在同一主密钥下重用 IV 的风险
+function deriveKey(masterKey, salt) {
+  return Buffer.from(hkdfSync("sha256", masterKey, salt, HKDF_INFO, KEY_LEN));
+}
+
+export function encrypt(plaintext, masterKey) {
+  const salt = randomBytes(SALT_LEN);
+  const iv = randomBytes(IV_LEN);
+  const key = deriveKey(masterKey, salt);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([MAGIC, Buffer.from([VERSION]), salt, iv, tag, ciphertext]);
+}
+
+export function decrypt(blob, masterKey) {
+  let offset = 0;
+  const magic = blob.subarray(offset, (offset += MAGIC.length));
+  if (!magic.equals(MAGIC)) {
+    throw new Error("文件格式无法识别：这不是本工具加密的文件");
+  }
+  const version = blob.readUInt8(offset);
+  offset += 1;
+  if (version !== VERSION) {
+    throw new Error(`不支持的文件版本：${version}`);
+  }
+  const salt = blob.subarray(offset, (offset += SALT_LEN));
+  const iv = blob.subarray(offset, (offset += IV_LEN));
+  const tag = blob.subarray(offset, (offset += TAG_LEN));
+  const ciphertext = blob.subarray(offset);
+  const key = deriveKey(masterKey, salt);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  try {
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  } catch {
+    throw new Error("解密失败：密钥不正确，或文件已损坏/被篡改");
+  }
+}