repo-cloak-cli 1.3.2 → 1.3.4

package/src/core/anonymizer.js

@@ -69,18 +69,28 @@ function escapeRegex(string) {
  * Match the case pattern of the original to the replacement
  */
 function matchCase(original, replacement) {
-    // If original is all uppercase, make replacement uppercase
+    // Helper to check if string contains any letters
+    const hasLetters = /[a-zA-Z]/.test(original);
+    
+    if (!hasLetters) {
+        return replacement;
+    }
+
+    // Check if original is entirely uppercase
     if (original === original.toUpperCase()) {
         return replacement.toUpperCase();
     }
 
-    // If original is all lowercase, make replacement lowercase
+    // Check if original is entirely lowercase
     if (original === original.toLowerCase()) {
         return replacement.toLowerCase();
     }
 
-    // If original is Title Case, make replacement Title Case
-    if (original[0] === original[0].toUpperCase()) {
+    // Check if original is Title Case (first letter uppercase, rest lowercase)
+    const firstLetter = original.charAt(0);
+    const restOfStr = original.slice(1);
+    
+    if (firstLetter === firstLetter.toUpperCase() && restOfStr === restOfStr.toLowerCase()) {
         return replacement.charAt(0).toUpperCase() + replacement.slice(1).toLowerCase();
     }
 

package/src/core/git.js

@@ -59,3 +59,71 @@ export async function getChangedFiles(dirPath) {
         return [];
     }
 }
+
+/**
+ * Get recent commits
+ * @param {string} dirPath - Repository root
+ * @param {number} count - Number of commits to retrieve
+ * @returns {Promise<Array<{hash: string, message: string}>>} List of commit objects
+ */
+export async function getRecentCommits(dirPath, count = 10) {
+    try {
+        const { stdout } = await execAsync(`git log -n ${count} --pretty=format:"%h - %s"`, { cwd: dirPath });
+        if (!stdout) return [];
+
+        return stdout
+            .split(/\r?\n/)
+            .filter(line => line.trim() !== '')
+            .map(line => {
+                const sepIndex = line.indexOf(' - ');
+                if (sepIndex === -1) return { hash: line.trim(), message: '' };
+                const hash = line.substring(0, sepIndex).trim();
+                const message = line.substring(sepIndex + 3).trim();
+                return { hash, message };
+            });
+    } catch (error) {
+        return [];
+    }
+}
+
+/**
+ * Get list of files changed in specific commits
+ * @param {string} dirPath - Repository root
+ * @param {string[]} commits - List of commit hashes
+ * @returns {Promise<string[]>} List of relative file paths
+ */
+export async function getFilesChangedInCommits(dirPath, commits) {
+    if (!commits || commits.length === 0) return [];
+
+    try {
+        const filesSet = new Set();
+
+        for (const commit of commits) {
+            // --name-status outputs lines like "status\tfilePath" (e.g., "M\tfile.txt")
+            const { stdout } = await execAsync(`git show --name-status --pretty="" ${commit}`, { cwd: dirPath });
+            if (stdout) {
+                const lines = stdout.split(/\r?\n/).filter(line => line.trim() !== '');
+                for (const line of lines) {
+                    const parts = line.split('\t');
+                    if (parts.length < 2) continue;
+
+                    const status = parts[0];
+                    // Skip deleted files since we cannot pull them
+                    if (!status.startsWith('D')) {
+                        // For renamed files (Rxxx or Cxxx), parts[2] might be the new file name
+                        let file = parts.length > 2 ? parts[2] : parts[1];
+
+                        // Remove quotes if present (git status/show quotes files with spaces)
+                        const cleanFile = file.replace(/^"|"$/g, '');
+
+                        filesSet.add(cleanFile);
+                    }
+                }
+            }
+        }
+
+        return Array.from(filesSet);
+    } catch (error) {
+        return [];
+    }
+}

package/src/core/path-cache.js

@@ -0,0 +1,131 @@
+/**
+ * Path Cache Module
+ * Stores recently used source and destination paths, encrypted with the user's secret key.
+ * Persisted to ~/.repo-cloak/path-cache.json
+ */
+
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { encrypt, decrypt, getOrCreateSecret, hasSecret } from './crypto.js';
+
+const CONFIG_DIR = join(homedir(), '.repo-cloak');
+const CACHE_FILE = join(CONFIG_DIR, 'path-cache.json');
+const MAX_PATHS = 10;
+
+/**
+ * Load the raw cache file (entries are stored encrypted)
+ * @returns {{ sources: string[], destinations: string[] }}
+ */
+function loadRawCache() {
+    try {
+        if (!existsSync(CACHE_FILE)) {
+            return { sources: [], destinations: [] };
+        }
+        const raw = readFileSync(CACHE_FILE, 'utf-8');
+        const parsed = JSON.parse(raw);
+        return {
+            sources: Array.isArray(parsed.sources) ? parsed.sources : [],
+            destinations: Array.isArray(parsed.destinations) ? parsed.destinations : []
+        };
+    } catch {
+        return { sources: [], destinations: [] };
+    }
+}
+
+/**
+ * Save entries back to the cache file
+ * @param {{ sources: string[], destinations: string[] }} cache
+ */
+function saveRawCache(cache) {
+    try {
+        if (!existsSync(CONFIG_DIR)) {
+            mkdirSync(CONFIG_DIR, { recursive: true });
+        }
+        writeFileSync(CACHE_FILE, JSON.stringify(cache, null, 2), { mode: 0o600 });
+    } catch {
+        // Silently ignore write errors – caching is best-effort
+    }
+}
+
+/**
+ * Decrypt a list of encrypted path strings. Returns only successfully decrypted values.
+ * @param {string[]} encrypted
+ * @param {string} secret
+ * @returns {string[]}
+ */
+function decryptPaths(encrypted, secret) {
+    return encrypted
+        .map(e => {
+            try {
+                return decrypt(e, secret);
+            } catch {
+                return null;
+            }
+        })
+        .filter(Boolean);
+}
+
+// ─── Public API ──────────────────────────────────────────────────────────────
+
+/**
+ * Get recently used source paths (decrypted). Returns empty array if no secret exists yet.
+ * @returns {string[]}
+ */
+export function getSourcePaths() {
+    if (!hasSecret()) return [];
+    const secret = getOrCreateSecret();
+    const cache = loadRawCache();
+    return decryptPaths(cache.sources, secret);
+}
+
+/**
+ * Get recently used destination paths (decrypted). Returns empty array if no secret exists yet.
+ * @returns {string[]}
+ */
+export function getDestPaths() {
+    if (!hasSecret()) return [];
+    const secret = getOrCreateSecret();
+    const cache = loadRawCache();
+    return decryptPaths(cache.destinations, secret);
+}
+
+/**
+ * Persist a source path to the cache (encrypted). Moves it to the front and deduplicates.
+ * @param {string} path - Absolute path
+ */
+export function addSourcePath(path) {
+    try {
+        const secret = getOrCreateSecret();
+        const cache = loadRawCache();
+
+        // Decrypt existing to deduplicate
+        const existing = decryptPaths(cache.sources, secret);
+        const deduped = [path, ...existing.filter(p => p !== path)].slice(0, MAX_PATHS);
+
+        cache.sources = deduped.map(p => encrypt(p, secret));
+        saveRawCache(cache);
+    } catch {
+        // Silently ignore
+    }
+}
+
+/**
+ * Persist a destination path to the cache (encrypted). Moves it to the front and deduplicates.
+ * @param {string} path - Absolute path
+ */
+export function addDestPath(path) {
+    try {
+        const secret = getOrCreateSecret();
+        const cache = loadRawCache();
+
+        // Decrypt existing to deduplicate
+        const existing = decryptPaths(cache.destinations, secret);
+        const deduped = [path, ...existing.filter(p => p !== path)].slice(0, MAX_PATHS);
+
+        cache.destinations = deduped.map(p => encrypt(p, secret));
+        saveRawCache(cache);
+    } catch {
+        // Silently ignore
+    }
+}

package/src/core/secrets.js

@@ -0,0 +1,169 @@
+/**
+ * Secret Data Scanner
+ * Scans files for common sensitive data patterns (e.g. AWS keys, private keys, generic tokens)
+ */
+
+import { readFileSync, statSync } from 'fs';
+import { isBinaryFile } from './scanner.js';
+
+// Max file size to scan (2MB). Prevents blocking on massive files like minified bundles.
+const MAX_SCAN_SIZE = 2 * 1024 * 1024;
+
+// Common regular expressions for sensitive data detection
+export const SECRET_PATTERNS = [
+    {
+        name: 'AWS Access Key ID',
+        regex: /(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}/g
+    },
+    {
+        name: 'AWS Secret Access Key',
+        regex: /aws_(?:secret_)?(?:access_)?key(?:\s*=?\s*["']?)(?!<)[a-zA-Z0-9/+=]{40}(?!>)/gi
+    },
+    {
+        name: 'RSA Private Key',
+        regex: /-----BEGIN RSA PRIVATE KEY-----/g
+    },
+    {
+        name: 'Generic Private Key',
+        regex: /-----BEGIN PRIVATE KEY-----/g
+    },
+    {
+        name: 'DSA Private Key',
+        regex: /-----BEGIN DSA PRIVATE KEY-----/g
+    },
+    {
+        name: 'OpenSSH Private Key',
+        regex: /-----BEGIN OPENSSH PRIVATE KEY-----/g
+    },
+    {
+        name: 'Generic API Key / Token',
+        regex: /(?:api_?key|auth_?token|access_?token|secret_?key|bearer_?token)(?:\s*[:=]\s*["']?)(?!<)[a-zA-Z0-9\-_]{20,}(?!>)/gi
+    },
+    {
+        name: 'Generic Password / Secret',
+        regex: /(?:password|passwd|pwd|secret|pass)(?:\s*[:=]\s*["']?)(?!<)[a-zA-Z0-9\-_@!#$%^&*]{8,}(?!>)/gi
+    },
+    {
+        name: 'JSON Web Token (JWT)',
+        regex: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g
+    },
+    {
+        name: 'GitHub Token',
+        regex: /(?:ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{36}/g
+    },
+    {
+        name: 'GitHub OAuth App Token',
+        regex: /gho_[a-zA-Z0-9]{36}/g
+    },
+    {
+        name: 'Slack Token',
+        regex: /(xox[pboar]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})/g
+    },
+    {
+        name: 'Slack Webhook',
+        regex: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]{8,}\/B[a-zA-Z0-9_]{8,}\/[a-zA-Z0-9_]{24}/g
+    },
+    {
+        name: 'Stripe API Key',
+        regex: /(?:sk_live|rk_live|sk_test|rk_test)_[0-9a-zA-Z]{24}/g
+    },
+    {
+        name: 'Google API Key',
+        regex: /AIza[0-9A-Za-z\-_]{35}/g
+    },
+    {
+        name: 'Google OAuth Access Token',
+        regex: /ya29\.[0-9A-Za-z\-_]+/g
+    },
+    {
+        name: 'Discord Bot Token',
+        regex: /[M|N][a-zA-Z0-9_-]{23,}\.[a-zA-Z0-9_-]{6,}\.[a-zA-Z0-9_-]{27,}/g
+    },
+    {
+        name: 'Discord Webhook',
+        regex: /https:\/\/discord\.com\/api\/webhooks\/[0-9]{18,19}\/[a-zA-Z0-9_-]{68}/g
+    },
+    {
+        name: 'Database Connection String',
+        regex: /(?:mysql|postgresql|mongodb|mssql|sqlite|redis|amqp):\/\/[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+@[a-zA-Z0-9_.-]+:[0-9]{1,5}\/[a-zA-Z0-9_-]+/gi
+    },
+    {
+        name: 'Heroku API Key',
+        regex: /[h|H]eroku[0-9a-zA-Z_-]{8}-[0-9a-zA-Z_-]{4}-[0-9a-zA-Z_-]{4}-[0-9a-zA-Z_-]{4}-[0-9a-zA-Z_-]{12}/g
+    },
+    {
+        name: 'Mailgun API Key',
+        regex: /key-[0-9a-zA-Z]{32}/g
+    }
+];
+
+/**
+ * Scan a single file for secrets
+ * @param {string} filePath - Absolute path to the file
+ * @returns {Array<{type: string, file: string, line: number}>} Array of found secrets
+ */
+export function scanFileForSecrets(filePath) {
+    const findings = [];
+
+    try {
+        if (isBinaryFile(filePath)) {
+            return findings;
+        }
+
+        const stats = statSync(filePath);
+        if (stats.size > MAX_SCAN_SIZE) {
+            return findings; // Skip huge files
+        }
+
+        const content = readFileSync(filePath, 'utf-8');
+        const lines = content.split(/\r?\n/);
+
+        // Keep track of which patterns found what to avoid duplicate reports per line
+        const seenOnLine = new Set();
+
+        for (let i = 0; i < lines.length; i++) {
+            const lineContent = lines[i];
+
+            for (const pattern of SECRET_PATTERNS) {
+                // Reset regex state since it has the 'g' flag
+                pattern.regex.lastIndex = 0;
+                
+                if (pattern.regex.test(lineContent)) {
+                    const uniqueKey = `${i}-${pattern.name}`;
+                    if (!seenOnLine.has(uniqueKey)) {
+                        findings.push({
+                            type: pattern.name,
+                            file: filePath,
+                            line: i + 1
+                        });
+                        seenOnLine.add(uniqueKey);
+                    }
+                }
+            }
+        }
+    } catch (error) {
+        // Ignore read errors or permission issues for scanning
+    }
+
+    return findings;
+}
+
+/**
+ * Scan multiple files for secrets
+ * @param {string[]} filePaths - Array of absolute file paths
+ * @returns {Array<{type: string, file: string, line: number}>} Flattened array of all findings
+ */
+export async function scanFilesForSecrets(filePaths) {
+    if (!filePaths || filePaths.length === 0) return [];
+
+    let allFindings = [];
+
+    for (const filePath of filePaths) {
+        const fileFindings = scanFileForSecrets(filePath);
+        if (fileFindings.length > 0) {
+            allFindings = allFindings.concat(fileFindings);
+        }
+    }
+
+    return allFindings;
+}

package/src/ui/banner.js

@@ -1,51 +1,50 @@
 /**
- * Fancy ASCII Banner
- * Shows a colorful intro when the CLI starts
+ * Banner
+ * Clean, elegant CLI header
  */
 
 import chalk from 'chalk';
 import figlet from 'figlet';
+import { readFileSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+function getVersion() {
+    try {
+        const __dirname = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf-8'));
+        return pkg.version || '1.0.0';
+    } catch {
+        return '1.0.0';
+    }
+}
 
 export async function showBanner() {
     return new Promise((resolve) => {
         figlet.text('repo-cloak', {
-            font: 'Standard',
+            font: 'Slant',
             horizontalLayout: 'default',
             verticalLayout: 'default'
         }, (err, data) => {
-            if (err) {
-                console.log(chalk.magentaBright.bold('\n🎭 repo-cloak\n'));
+            const version = getVersion();
+
+            if (err || !data) {
+                console.log('\n' + chalk.bold.white('  repo-cloak') + chalk.dim(`  v${version}\n`));
                 resolve();
                 return;
             }
 
-            // Create gradient effect
-            const lines = data.split('\n');
-            const colors = [
-                chalk.hex('#FF6B6B'),  // Coral
-                chalk.hex('#FF8E53'),  // Orange
-                chalk.hex('#FEC89A'),  // Peach
-                chalk.hex('#A8E6CF'),  // Mint
-                chalk.hex('#88D8B0'),  // Seafoam
-                chalk.hex('#7B68EE'),  // Medium Slate Blue
-                chalk.hex('#9D4EDD'),  // Purple
-            ];
-
-            console.log('\n');
-            lines.forEach((line, index) => {
-                const color = colors[index % colors.length];
-                console.log(color(line));
+            console.log('');
+            // Render the ASCII art in a single elegant dim-white color
+            data.split('\n').forEach(line => {
+                console.log(chalk.white.dim('  ' + line));
             });
 
-            // Tagline box
-            const tagline = '🎭 Selectively extract & anonymize repository files';
-            const version = 'v1.0.0';
-
             console.log('');
-            console.log(chalk.dim('─'.repeat(55)));
-            console.log(chalk.white.bold(`  ${tagline}`));
-            console.log(chalk.dim(`  Compatible with Windows, macOS, and Linux | ${version}`));
-            console.log(chalk.dim('─'.repeat(55)));
+            console.log(
+                chalk.dim('  Selectively extract & anonymize repository files') +
+                chalk.dim(`   v${version}`)
+            );
             console.log('');
 
             resolve();
@@ -54,17 +53,17 @@ export async function showBanner() {
 }
 
 export function showSuccess(message) {
-    console.log(chalk.green.bold(`\n✅ ${message}\n`));
+    console.log(chalk.green(`\n  ✓ ${message}\n`));
 }
 
 export function showError(message) {
-    console.log(chalk.red.bold(`\n❌ ${message}\n`));
+    console.log(chalk.red(`\n  ✗ ${message}\n`));
 }
 
 export function showWarning(message) {
-    console.log(chalk.yellow.bold(`\n⚠️  ${message}\n`));
+    console.log(chalk.yellow(`\n  ! ${message}\n`));
 }
 
 export function showInfo(message) {
-    console.log(chalk.cyan(`\nℹ️  ${message}\n`));
+    console.log(chalk.dim(`\n  ${message}\n`));
 }