opc-agent 4.1.0 → 4.1.2

package/src/security/keys.ts

@@ -1,87 +1,87 @@
-import * as fs from 'fs';
-import * as path from 'path';
-import * as crypto from 'crypto';
-import * as os from 'os';
-
-export class KeyManager {
-  private keys: Map<string, string> = new Map();
-  private keyFile: string;
-  private secret: Buffer;
-
-  constructor(keyFile: string = '.opc/keys.json') {
-    this.keyFile = path.resolve(keyFile);
-    this.secret = this.deriveSecret();
-    this.load();
-  }
-
-  private deriveSecret(): Buffer {
-    // Derive a key from machine-specific info (hostname + homedir)
-    const machineId = `${os.hostname()}:${os.homedir()}:opc-agent-keys`;
-    return crypto.createHash('sha256').update(machineId).digest();
-  }
-
-  set(name: string, value: string): void {
-    this.keys.set(name, value);
-    this.save();
-  }
-
-  get(name: string): string | undefined {
-    return this.keys.get(name);
-  }
-
-  delete(name: string): boolean {
-    const result = this.keys.delete(name);
-    if (result) this.save();
-    return result;
-  }
-
-  list(): string[] {
-    return Array.from(this.keys.keys());
-  }
-
-  private load(): void {
-    try {
-      if (fs.existsSync(this.keyFile)) {
-        const data = JSON.parse(fs.readFileSync(this.keyFile, 'utf-8'));
-        for (const [name, encoded] of Object.entries(data)) {
-          try {
-            this.keys.set(name, this.decode(encoded as string));
-          } catch {
-            // Skip corrupted entries
-          }
-        }
-      }
-    } catch {
-      // File doesn't exist or is corrupted — start fresh
-    }
-  }
-
-  private save(): void {
-    const dir = path.dirname(this.keyFile);
-    if (!fs.existsSync(dir)) {
-      fs.mkdirSync(dir, { recursive: true });
-    }
-    const data: Record<string, string> = {};
-    for (const [name, value] of this.keys) {
-      data[name] = this.encode(value);
-    }
-    fs.writeFileSync(this.keyFile, JSON.stringify(data, null, 2), 'utf-8');
-  }
-
-  private encode(value: string): string {
-    const iv = crypto.randomBytes(16);
-    const cipher = crypto.createCipheriv('aes-256-cbc', this.secret, iv);
-    let encrypted = cipher.update(value, 'utf-8', 'hex');
-    encrypted += cipher.final('hex');
-    return iv.toString('hex') + ':' + encrypted;
-  }
-
-  private decode(encoded: string): string {
-    const [ivHex, encrypted] = encoded.split(':');
-    const iv = Buffer.from(ivHex, 'hex');
-    const decipher = crypto.createDecipheriv('aes-256-cbc', this.secret, iv);
-    let decrypted = decipher.update(encrypted, 'hex', 'utf-8');
-    decrypted += decipher.final('utf-8');
-    return decrypted;
-  }
-}
+import * as fs from 'fs';
+import * as path from 'path';
+import * as crypto from 'crypto';
+import * as os from 'os';
+
+export class KeyManager {
+  private keys: Map<string, string> = new Map();
+  private keyFile: string;
+  private secret: Buffer;
+
+  constructor(keyFile: string = '.opc/keys.json') {
+    this.keyFile = path.resolve(keyFile);
+    this.secret = this.deriveSecret();
+    this.load();
+  }
+
+  private deriveSecret(): Buffer {
+    // Derive a key from machine-specific info (hostname + homedir)
+    const machineId = `${os.hostname()}:${os.homedir()}:opc-agent-keys`;
+    return crypto.createHash('sha256').update(machineId).digest();
+  }
+
+  set(name: string, value: string): void {
+    this.keys.set(name, value);
+    this.save();
+  }
+
+  get(name: string): string | undefined {
+    return this.keys.get(name);
+  }
+
+  delete(name: string): boolean {
+    const result = this.keys.delete(name);
+    if (result) this.save();
+    return result;
+  }
+
+  list(): string[] {
+    return Array.from(this.keys.keys());
+  }
+
+  private load(): void {
+    try {
+      if (fs.existsSync(this.keyFile)) {
+        const data = JSON.parse(fs.readFileSync(this.keyFile, 'utf-8'));
+        for (const [name, encoded] of Object.entries(data)) {
+          try {
+            this.keys.set(name, this.decode(encoded as string));
+          } catch {
+            // Skip corrupted entries
+          }
+        }
+      }
+    } catch {
+      // File doesn't exist or is corrupted — start fresh
+    }
+  }
+
+  private save(): void {
+    const dir = path.dirname(this.keyFile);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    const data: Record<string, string> = {};
+    for (const [name, value] of this.keys) {
+      data[name] = this.encode(value);
+    }
+    fs.writeFileSync(this.keyFile, JSON.stringify(data, null, 2), 'utf-8');
+  }
+
+  private encode(value: string): string {
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv('aes-256-cbc', this.secret, iv);
+    let encrypted = cipher.update(value, 'utf-8', 'hex');
+    encrypted += cipher.final('hex');
+    return iv.toString('hex') + ':' + encrypted;
+  }
+
+  private decode(encoded: string): string {
+    const [ivHex, encrypted] = encoded.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const decipher = crypto.createDecipheriv('aes-256-cbc', this.secret, iv);
+    let decrypted = decipher.update(encrypted, 'hex', 'utf-8');
+    decrypted += decipher.final('utf-8');
+    return decrypted;
+  }
+}

package/src/security/secrets.ts

@@ -1,129 +1,129 @@
-/**
- * Secrets Manager - v1.0.0
- * AES-256-GCM encrypted secrets storage with rotation, export/import.
- */
-
-import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from 'crypto';
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
-import { dirname, join } from 'path';
-import { homedir } from 'os';
-
-const ALGORITHM = 'aes-256-gcm';
-const KEY_LEN = 32;
-const IV_LEN = 12;
-const SALT_LEN = 16;
-const TAG_LEN = 16;
-
-export interface SecretsStore {
-  version: number;
-  secrets: Record<string, string>;
-}
-
-export class SecretsManager {
-  private masterKey: Buffer;
-  private filePath: string;
-  private store: SecretsStore;
-
-  constructor(options: { password: string; filePath?: string }) {
-    this.filePath = options.filePath ?? join(homedir(), '.opc', 'secrets.enc');
-    // Derive a stable key from password (we store salt in the file)
-    this.masterKey = Buffer.alloc(KEY_LEN); // placeholder, set on load/init
-    this.store = { version: 1, secrets: {} };
-    this.init(options.password);
-  }
-
-  private init(password: string): void {
-    if (existsSync(this.filePath)) {
-      this.load(password);
-    } else {
-      const salt = randomBytes(SALT_LEN);
-      this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
-      this.store = { version: 1, secrets: {} };
-      this.save(salt);
-    }
-  }
-
-  private load(password: string): void {
-    const data = readFileSync(this.filePath);
-    const salt = data.subarray(0, SALT_LEN);
-    const iv = data.subarray(SALT_LEN, SALT_LEN + IV_LEN);
-    const tag = data.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
-    const encrypted = data.subarray(SALT_LEN + IV_LEN + TAG_LEN);
-
-    this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
-    const decipher = createDecipheriv(ALGORITHM, this.masterKey, iv);
-    decipher.setAuthTag(tag);
-    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
-    this.store = JSON.parse(decrypted.toString('utf8'));
-  }
-
-  private save(salt?: Buffer): void {
-    const dir = dirname(this.filePath);
-    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-
-    if (!salt && existsSync(this.filePath)) {
-      salt = readFileSync(this.filePath).subarray(0, SALT_LEN);
-    }
-    if (!salt) salt = randomBytes(SALT_LEN);
-
-    const iv = randomBytes(IV_LEN);
-    const cipher = createCipheriv(ALGORITHM, this.masterKey, iv);
-    const encrypted = Buffer.concat([cipher.update(JSON.stringify(this.store), 'utf8'), cipher.final()]);
-    const tag = cipher.getAuthTag();
-
-    writeFileSync(this.filePath, Buffer.concat([salt, iv, tag, encrypted]));
-  }
-
-  set(key: string, value: string): void {
-    this.store.secrets[key] = value;
-    this.save();
-  }
-
-  get(key: string): string | undefined {
-    return this.store.secrets[key];
-  }
-
-  delete(key: string): boolean {
-    if (!(key in this.store.secrets)) return false;
-    delete this.store.secrets[key];
-    this.save();
-    return true;
-  }
-
-  list(): string[] {
-    return Object.keys(this.store.secrets);
-  }
-
-  has(key: string): boolean {
-    return key in this.store.secrets;
-  }
-
-  /** Inject secrets into env-like object */
-  inject(env: Record<string, string | undefined>, keys?: string[]): Record<string, string | undefined> {
-    const toInject = keys ?? this.list();
-    for (const k of toInject) {
-      if (this.has(k)) env[k] = this.store.secrets[k];
-    }
-    return env;
-  }
-
-  /** Rotate: re-encrypt with new password */
-  rotate(newPassword: string): void {
-    const salt = randomBytes(SALT_LEN);
-    this.masterKey = scryptSync(newPassword, salt, KEY_LEN) as Buffer;
-    this.save(salt);
-  }
-
-  /** Export as encrypted buffer */
-  exportEncrypted(): Buffer {
-    return readFileSync(this.filePath);
-  }
-
-  /** Import from encrypted buffer (must know password) */
-  static importEncrypted(data: Buffer, password: string, filePath: string): SecretsManager {
-    const dir = dirname(filePath);
-    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
-    writeFileSync(filePath, data);
-    return new SecretsManager({ password, filePath });
-  }
-}
+/**
+ * Secrets Manager - v1.0.0
+ * AES-256-GCM encrypted secrets storage with rotation, export/import.
+ */
+
+import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from 'crypto';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { dirname, join } from 'path';
+import { homedir } from 'os';
+
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LEN = 32;
+const IV_LEN = 12;
+const SALT_LEN = 16;
+const TAG_LEN = 16;
+
+export interface SecretsStore {
+  version: number;
+  secrets: Record<string, string>;
+}
+
+export class SecretsManager {
+  private masterKey: Buffer;
+  private filePath: string;
+  private store: SecretsStore;
+
+  constructor(options: { password: string; filePath?: string }) {
+    this.filePath = options.filePath ?? join(homedir(), '.opc', 'secrets.enc');
+    // Derive a stable key from password (we store salt in the file)
+    this.masterKey = Buffer.alloc(KEY_LEN); // placeholder, set on load/init
+    this.store = { version: 1, secrets: {} };
+    this.init(options.password);
+  }
+
+  private init(password: string): void {
+    if (existsSync(this.filePath)) {
+      this.load(password);
+    } else {
+      const salt = randomBytes(SALT_LEN);
+      this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
+      this.store = { version: 1, secrets: {} };
+      this.save(salt);
+    }
+  }
+
+  private load(password: string): void {
+    const data = readFileSync(this.filePath);
+    const salt = data.subarray(0, SALT_LEN);
+    const iv = data.subarray(SALT_LEN, SALT_LEN + IV_LEN);
+    const tag = data.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
+    const encrypted = data.subarray(SALT_LEN + IV_LEN + TAG_LEN);
+
+    this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
+    const decipher = createDecipheriv(ALGORITHM, this.masterKey, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    this.store = JSON.parse(decrypted.toString('utf8'));
+  }
+
+  private save(salt?: Buffer): void {
+    const dir = dirname(this.filePath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+    if (!salt && existsSync(this.filePath)) {
+      salt = readFileSync(this.filePath).subarray(0, SALT_LEN);
+    }
+    if (!salt) salt = randomBytes(SALT_LEN);
+
+    const iv = randomBytes(IV_LEN);
+    const cipher = createCipheriv(ALGORITHM, this.masterKey, iv);
+    const encrypted = Buffer.concat([cipher.update(JSON.stringify(this.store), 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+
+    writeFileSync(this.filePath, Buffer.concat([salt, iv, tag, encrypted]));
+  }
+
+  set(key: string, value: string): void {
+    this.store.secrets[key] = value;
+    this.save();
+  }
+
+  get(key: string): string | undefined {
+    return this.store.secrets[key];
+  }
+
+  delete(key: string): boolean {
+    if (!(key in this.store.secrets)) return false;
+    delete this.store.secrets[key];
+    this.save();
+    return true;
+  }
+
+  list(): string[] {
+    return Object.keys(this.store.secrets);
+  }
+
+  has(key: string): boolean {
+    return key in this.store.secrets;
+  }
+
+  /** Inject secrets into env-like object */
+  inject(env: Record<string, string | undefined>, keys?: string[]): Record<string, string | undefined> {
+    const toInject = keys ?? this.list();
+    for (const k of toInject) {
+      if (this.has(k)) env[k] = this.store.secrets[k];
+    }
+    return env;
+  }
+
+  /** Rotate: re-encrypt with new password */
+  rotate(newPassword: string): void {
+    const salt = randomBytes(SALT_LEN);
+    this.masterKey = scryptSync(newPassword, salt, KEY_LEN) as Buffer;
+    this.save(salt);
+  }
+
+  /** Export as encrypted buffer */
+  exportEncrypted(): Buffer {
+    return readFileSync(this.filePath);
+  }
+
+  /** Import from encrypted buffer (must know password) */
+  static importEncrypted(data: Buffer, password: string, filePath: string): SecretsManager {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    writeFileSync(filePath, data);
+    return new SecretsManager({ password, filePath });
+  }
+}