nsauditor-ai 0.1.4 → 0.1.6

package/README.md

@@ -7,7 +7,7 @@ A modular, AI-assisted network security audit platform that scans, understands,
 [![npm](https://img.shields.io/npm/v/nsauditor-ai.svg)](https://www.npmjs.com/package/nsauditor-ai)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 [![Node.js 20+](https://img.shields.io/badge/node-20%2B-green.svg)](https://nodejs.org)
-[![Tests](https://img.shields.io/badge/tests-487%20passing-brightgreen.svg)](#tests)
+[![Tests](https://img.shields.io/badge/tests-493%20passing-brightgreen.svg)](#tests)
 
 ---
 
@@ -303,6 +303,38 @@ claude mcp add nsauditor-ai -- npx nsauditor-ai-mcp
 
 ---
 
+## Secure Credential Storage
+
+Store API keys in the macOS Keychain instead of plaintext `.env` files:
+
+```bash
+# Store keys
+nsauditor-ai security set ANTHROPIC_API_KEY
+nsauditor-ai security set OPENAI_API_KEY
+
+# List stored keys (masked)
+nsauditor-ai security list
+
+# Delete a key
+nsauditor-ai security delete OPENAI_API_KEY
+```
+
+Then reference them with the `keychain:` prefix in `.env` or Claude Desktop config:
+
+```env
+ANTHROPIC_API_KEY=keychain:ANTHROPIC_API_KEY
+```
+
+```json
+"env": {
+  "ANTHROPIC_API_KEY": "keychain:ANTHROPIC_API_KEY"
+}
+```
+
+The `keychain:` prefix works anywhere an API key is read — CLI, MCP server, or programmatic API.
+
+---
+
 ## CLI Reference
 
 ```

package/cli.mjs

@@ -3,6 +3,10 @@ import 'dotenv/config';
 import PluginManager from './plugin_manager.mjs';
 import { buildHtmlReport } from './utils/report_html.mjs';
 import fsp from 'node:fs/promises';
+import { dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
 import path from 'node:path';
 import { openaiSimplePrompt, openaiPrompt as openaiProPrompt, openaiPromptOptimized } from './utils/prompts.mjs';
 import { parseHostArg, parseHostFile } from './utils/host_iterator.mjs';
@@ -92,11 +96,12 @@ async function maybeSendToOpenAI({ host, results, conclusion, promptMode = 'basi
     : aiProvider === 'ollama'
     ? toCleanPath(process.env.OLLAMA_MODEL || 'llama3')
     : toCleanPath(process.env.OPENAI_MODEL || 'gpt-4o-mini');
+  const { resolveSecret } = await import('./utils/keychain.mjs');
   const keyRaw        = aiProvider === 'claude'
-    ? process.env.ANTHROPIC_API_KEY
+    ? await resolveSecret(process.env.ANTHROPIC_API_KEY)
     : aiProvider === 'ollama'
     ? 'ollama'   // Ollama needs no real key; OpenAI SDK requires a non-empty string
-    : process.env.OPENAI_API_KEY;
+    : await resolveSecret(process.env.OPENAI_API_KEY);
   const key           = keyRaw ? String(keyRaw).trim() : null;
 
   // Base output folder (directory ONLY; if a file path is given, take its dir)
@@ -650,6 +655,27 @@ const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
  * @param {object} conclusion
  * @returns {number} highest severity rank found (0-4)
  */
+async function readSecretFromStdin(keyName) {
+  if (!process.stdin.isTTY) {
+    // Piped input
+    return new Promise((resolve) => {
+      let data = '';
+      process.stdin.setEncoding('utf8');
+      process.stdin.on('data', (chunk) => { data += chunk; });
+      process.stdin.on('end', () => resolve(data.trim() || null));
+    });
+  }
+  // Interactive prompt
+  const { createInterface } = await import('node:readline');
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(`Enter value for ${keyName}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim() || null);
+    });
+  });
+}
+
 function maxSeverityInConclusion(conclusion) {
   const services = conclusion?.result?.services || [];
   let max = 0;
@@ -709,6 +735,42 @@ async function main() {
     process.exit(0);
   }
 
+  if (cmd === 'security') {
+    const { keychainSet, keychainDelete, keychainList, keychainGet } = await import('./utils/keychain.mjs');
+    const rawArgs = process.argv.slice(2);
+    const subCmd = rawArgs[1]; // set | delete | list | get
+    const keyName = rawArgs[2];
+
+    if (subCmd === 'set' && keyName) {
+      // Read secret from stdin (piped) or prompt
+      const secret = await readSecretFromStdin(keyName);
+      if (!secret) { console.error('No secret provided.'); process.exit(1); }
+      await keychainSet(keyName, secret);
+      console.log(`Stored "${keyName}" in macOS Keychain (service: nsauditor-ai)`);
+    } else if (subCmd === 'delete' && keyName) {
+      const ok = await keychainDelete(keyName);
+      console.log(ok ? `Deleted "${keyName}" from Keychain` : `"${keyName}" not found in Keychain`);
+    } else if (subCmd === 'list') {
+      const entries = await keychainList();
+      if (entries.length === 0) {
+        console.log('No nsauditor-ai keys stored in Keychain.');
+      } else {
+        console.log('Stored keys (service: nsauditor-ai):\n');
+        for (const name of entries) {
+          const val = await keychainGet(name);
+          const masked = val ? `${val.slice(0, 8)}...(${val.length} chars)` : '(empty)';
+          console.log(`  ${name} = ${masked}`);
+        }
+      }
+    } else {
+      console.log(`Usage:
+  nsauditor-ai security set <KEY_NAME>     Store a secret in macOS Keychain
+  nsauditor-ai security delete <KEY_NAME>  Remove a secret from Keychain
+  nsauditor-ai security list               List stored secrets (masked)`);
+    }
+    process.exit(0);
+  }
+
   if (cmd !== 'scan') {
     console.error(`Unknown command: ${cmd}`);
     process.exit(2);
@@ -732,7 +794,7 @@ async function main() {
 
   const opts = { insecureHttps };
   if (ports) opts.ports = ports;
-  const pm = await PluginManager.create('./plugins');
+  const pm = await PluginManager.create(`${__dirname}/plugins`);
   const promptMode = String(process.env.OPENAI_PROMPT_MODE || 'basic').toLowerCase().trim();
 
   // --- CTEM: continuous watch mode ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nsauditor-ai",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Modular AI-assisted network security audit platform — Community Edition",
   "type": "module",
   "private": false,

package/utils/keychain.mjs

@@ -0,0 +1,120 @@
+// utils/keychain.mjs
+// macOS Keychain integration for secure credential storage.
+// Falls back gracefully on non-macOS platforms.
+
+import { execFile } from 'node:child_process';
+import { platform } from 'node:os';
+
+const SERVICE = 'nsauditor-ai';
+const isMac = platform() === 'darwin';
+
+function exec(cmd, args) {
+  return new Promise((resolve, reject) => {
+    execFile(cmd, args, { timeout: 5000 }, (err, stdout, stderr) => {
+      if (err) return reject(new Error(stderr?.trim() || err.message));
+      resolve(stdout.trim());
+    });
+  });
+}
+
+/**
+ * Read a secret from the macOS Keychain.
+ * @param {string} account - Key name (e.g., 'ANTHROPIC_API_KEY')
+ * @returns {Promise<string|null>} The secret value, or null if not found
+ */
+export async function keychainGet(account) {
+  if (!isMac) return null;
+  try {
+    return await exec('security', [
+      'find-generic-password', '-s', SERVICE, '-a', account, '-w'
+    ]);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Store a secret in the macOS Keychain.
+ * Updates existing entry if present.
+ * @param {string} account - Key name
+ * @param {string} secret - The secret value
+ */
+export async function keychainSet(account, secret) {
+  if (!isMac) throw new Error('Keychain storage is only supported on macOS');
+  // Delete existing entry first (ignore errors if not found)
+  try {
+    await exec('security', ['delete-generic-password', '-s', SERVICE, '-a', account]);
+  } catch { /* not found — fine */ }
+  await exec('security', [
+    'add-generic-password', '-s', SERVICE, '-a', account, '-w', secret
+  ]);
+}
+
+/**
+ * Delete a secret from the macOS Keychain.
+ * @param {string} account - Key name
+ * @returns {Promise<boolean>} true if deleted, false if not found
+ */
+export async function keychainDelete(account) {
+  if (!isMac) throw new Error('Keychain storage is only supported on macOS');
+  try {
+    await exec('security', ['delete-generic-password', '-s', SERVICE, '-a', account]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * List all nsauditor-ai entries in the Keychain.
+ * @returns {Promise<string[]>} Array of account names
+ */
+export async function keychainList() {
+  if (!isMac) return [];
+  try {
+    const raw = await exec('security', ['dump-keychain']);
+    const entries = [];
+    const lines = raw.split('\n');
+    let inOurService = false;
+    for (const line of lines) {
+      const trimmed = line.trim();
+      // Match both formats: 0x00000007 <blob>="nsauditor-ai" and "svce"<blob>="nsauditor-ai"
+      if (trimmed.includes(`="${SERVICE}"`)) {
+        inOurService = true;
+      } else if (inOurService && trimmed.includes('"acct"<blob>="')) {
+        const m = trimmed.match(/"acct"<blob>="([^"]+)"/);
+        if (m) entries.push(m[1]);
+        inOurService = false;
+      } else if (trimmed.startsWith('keychain:') || trimmed.startsWith('class:')) {
+        inOurService = false;
+      }
+    }
+    return [...new Set(entries)];
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Resolve a value that may be a keychain reference.
+ * If the value starts with 'keychain:', read from Keychain.
+ * Otherwise return the value as-is.
+ * @param {string|undefined} value - Raw env var value
+ * @returns {Promise<string|null>} Resolved secret
+ */
+export async function resolveSecret(value) {
+  if (!value) return null;
+  const str = String(value).trim();
+  if (!str) return null;
+  if (str.startsWith('keychain:')) {
+    const label = str.slice('keychain:'.length).trim();
+    if (!label) return null;
+    const secret = await keychainGet(label);
+    if (!secret) {
+      console.error(`[keychain] No entry found for "${label}" in Keychain (service: ${SERVICE})`);
+      console.error(`[keychain] Store it with: nsauditor-ai security set ${label}`);
+    }
+    return secret;
+  }
+  return str;
+}