sec-ry 1.1.5

package/dist/cmd/root.js

@@ -0,0 +1,191 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cmdRoot = cmdRoot;
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const fs = __importStar(require("fs"));
+const crypto = __importStar(require("crypto"));
+const cp = __importStar(require("child_process"));
+const _D = path.join(os.homedir(), ".secry");
+const _PF = path.join(_D, ".adm");
+const _FF = path.join(_D, ".fgp");
+const _LF = path.join(_D, "changelog.audit.log");
+const $ = {
+    r: "\x1b[0m", d: "\x1b[2m", b: "\x1b[1m",
+    w: "\x1b[97m", c: "\x1b[96m", g: "\x1b[92m",
+    e: "\x1b[91m", y: "\x1b[93m",
+};
+const _w = (s) => process.stderr.write(s);
+function _box(title) {
+    const l = "─".repeat(48);
+    _w(`\n  ${$.d}${l}${$.r}\n  ${$.b}${$.w}  ${title}${$.r}\n  ${$.d}${l}${$.r}\n\n`);
+}
+function _audit(action, detail) {
+    try {
+        if (!fs.existsSync(_D))
+            fs.mkdirSync(_D, { recursive: true });
+        fs.appendFileSync(_LF, `${new Date().toISOString()}  ${action.padEnd(12)}  ${detail}\n`, "utf8");
+    }
+    catch { }
+}
+function _exec(cmd) {
+    try {
+        return cp.execSync(cmd, { encoding: "utf8", timeout: 2000, stdio: ["ignore", "pipe", "ignore"] }).trim();
+    }
+    catch {
+        return "";
+    }
+}
+function _gatherFp() {
+    const home = os.homedir();
+    const hardware = _exec("grep 'Hardware' /proc/cpuinfo | head -1");
+    const prefix = process.env.PREFIX ?? "";
+    const uid = _exec("id -u");
+    return [home, hardware, prefix, uid].join("|");
+}
+function _hashFp(data, salt) {
+    return crypto.scryptSync(Buffer.from(data, "utf8"), salt, 32, { N: 4096, r: 8, p: 1 }).toString("hex");
+}
+function _registerFp() {
+    const salt = crypto.randomBytes(16);
+    const hashed = _hashFp(_gatherFp(), salt);
+    const store = { salt: salt.toString("hex"), stable: hashed };
+    if (!fs.existsSync(_D))
+        fs.mkdirSync(_D, { recursive: true });
+    fs.writeFileSync(_FF, Buffer.from(JSON.stringify(store)).toString("base64"), "utf8");
+    try {
+        fs.chmodSync(_FF, 0o600);
+    }
+    catch { }
+    _audit("fp-register", "device fingerprint registered");
+}
+function _verifyFp() {
+    try {
+        if (!fs.existsSync(_FF))
+            return false;
+        const store = JSON.parse(Buffer.from(fs.readFileSync(_FF, "utf8").trim(), "base64").toString("utf8"));
+        const salt = Buffer.from(store.salt, "hex");
+        const hashed = _hashFp(_gatherFp(), salt);
+        const expected = Buffer.from(store.stable, "hex");
+        const got = Buffer.from(hashed, "hex");
+        if (expected.length !== got.length)
+            return false;
+        return crypto.timingSafeEqual(expected, got);
+    }
+    catch {
+        return false;
+    }
+}
+let _mr = false;
+function _menu(items) {
+    return new Promise(resolve => {
+        let idx = 0;
+        while (items[idx]?.dim)
+            idx = (idx + 1) % items.length;
+        function render() {
+            if (_mr)
+                process.stderr.write(`\x1b[${items.length}A`);
+            _mr = true;
+            for (let i = 0; i < items.length; i++) {
+                const item = items[i];
+                if (item.dim) {
+                    _w(`  ${$.d}  ${item.label}${$.r}\n`);
+                    continue;
+                }
+                const sel = i === idx;
+                _w(`  ${sel ? `${$.b}${$.c}›${$.r} ` : `${$.d}  `}${sel ? $.b : ""}${item.label}${$.r}\n`);
+            }
+        }
+        process.stdin.setRawMode?.(true);
+        process.stdin.resume();
+        process.stdin.setEncoding("utf8");
+        render();
+        process.stdin.on("data", function h(ch) {
+            if (ch === "\u0003")
+                process.exit(0);
+            if (ch === "\u001b[A") {
+                do {
+                    idx = (idx - 1 + items.length) % items.length;
+                } while (items[idx]?.dim);
+                render();
+            }
+            else if (ch === "\u001b[B") {
+                do {
+                    idx = (idx + 1) % items.length;
+                } while (items[idx]?.dim);
+                render();
+            }
+            else if (ch === "\r" || ch === "\n") {
+                process.stdin.setRawMode?.(false);
+                process.stdin.pause();
+                process.stdin.removeListener("data", h);
+                _mr = false;
+                _w("\n");
+                resolve(items[idx].key);
+            }
+        });
+    });
+}
+async function cmdRoot() {
+    const { adminPanel } = await Promise.resolve().then(() => __importStar(require("./changelog")));
+    if (!fs.existsSync(_FF)) {
+        _registerFp();
+    }
+    if (!_verifyFp()) {
+        _audit("fp-deny", "fingerprint mismatch");
+        _w(`\n  unknown command\n\n`);
+        process.exit(1);
+    }
+    if (!fs.existsSync(_PF)) {
+        _w(`\n  ${$.y}no admin password set yet.${$.r}\n`);
+        _w(`  ${$.d}run: secry changelog --admin${$.r}\n\n`);
+        process.exit(1);
+    }
+    _audit("fp-ok", "fingerprint verified");
+    while (true) {
+        _box("secry — root");
+        const choice = await _menu([
+            { label: "changelog", key: "changelog" },
+            { label: "───────────────", key: "_", dim: true },
+            { label: "exit", key: "0" },
+        ]);
+        if (choice === "changelog")
+            await adminPanel();
+        else
+            break;
+    }
+    _w(`\n  ${$.d}exiting root.${$.r}\n\n`);
+}

package/dist/cmd/seal.d.ts

@@ -0,0 +1,3 @@
+import type { ParsedArgs } from "../lib/args";
+export declare function cmdSeal(parsed: ParsedArgs): Promise<void>;
+export declare function cmdSealVerify(parsed: ParsedArgs): Promise<void>;

package/dist/cmd/seal.js

@@ -0,0 +1,81 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cmdSeal = cmdSeal;
+exports.cmdSealVerify = cmdSealVerify;
+const crypto_1 = require("../lib/crypto");
+const password_1 = require("../lib/password");
+const ui_1 = require("../lib/ui");
+const clip_1 = require("../lib/clip");
+const rc_1 = require("../lib/rc");
+const args_1 = require("../lib/args");
+async function cmdSeal(parsed) {
+    const rc = (0, rc_1.loadRC)();
+    const text = parsed.positional[0];
+    if (!text)
+        (0, ui_1.err)("missing <value> argument");
+    const rawPw = (0, args_1.getFlag)(parsed.flags, "sw") ?? rc.password;
+    const secret = (0, password_1.resolvePassword)(rawPw ?? "");
+    const useClip = (0, args_1.hasFlag)(parsed.flags, "clip") || !!rc.clip;
+    const quiet = (0, args_1.hasFlag)(parsed.flags, "quiet") || (0, args_1.hasFlag)(parsed.flags, "q");
+    const useS2 = (0, args_1.hasFlag)(parsed.flags, "s2");
+    const t0 = Date.now();
+    const token = useS2
+        ? await (0, crypto_1.sealS2)(text, secret)
+        : (0, crypto_1.seal)(text, secret);
+    const elapsed = Date.now() - t0;
+    if (!quiet) {
+        (0, ui_1.section)("seal");
+        (0, ui_1.box)([
+            { label: "input", value: text.length > 52 ? text.slice(0, 52) + "…" : text },
+            { label: "algo", value: useS2 ? "BLAKE3 / scrypt N=2^16" : "HMAC-SHA256 / scrypt" },
+            { label: "version", value: useS2 ? "s2" : "s1" },
+            { label: "note", value: "one-way — cannot be reversed" },
+            { label: "token", value: token },
+        ]);
+        (0, ui_1.ms)(elapsed);
+        if (!useS2)
+            (0, ui_1.warn)("s1 is less secure — consider using --s2 for stronger protection");
+    }
+    if (useClip) {
+        const copied = (0, clip_1.copyToClipboard)(token);
+        if (copied) {
+            const { info } = require("../lib/ui");
+            if (!quiet)
+                info("copied to clipboard");
+        }
+        else if (!quiet)
+            (0, ui_1.warn)("--clip: no clipboard tool found");
+    }
+    (0, ui_1.data)(token);
+}
+async function cmdSealVerify(parsed) {
+    const rc = (0, rc_1.loadRC)();
+    const text = parsed.positional[0];
+    const token = (0, args_1.getFlag)(parsed.flags, "token");
+    if (!text)
+        (0, ui_1.err)("missing <value> argument");
+    if (!token)
+        (0, ui_1.err)("--token <token> is required");
+    const rawPw = (0, args_1.getFlag)(parsed.flags, "sw") ?? rc.password;
+    if (!rawPw)
+        (0, ui_1.err)("-sw <secret> is required");
+    const secret = (0, password_1.resolvePassword)(rawPw);
+    const quiet = (0, args_1.hasFlag)(parsed.flags, "quiet") || (0, args_1.hasFlag)(parsed.flags, "q");
+    const isS2 = token.startsWith("secry:s2:");
+    const t0 = Date.now();
+    const ok = isS2
+        ? await (0, crypto_1.sealVerifyS2)(text, secret, token)
+        : (0, crypto_1.sealVerify)(text, secret, token);
+    const elapsed = Date.now() - t0;
+    if (!quiet) {
+        (0, ui_1.section)("seal verify");
+        (0, ui_1.box)([
+            { label: "input", value: text.length > 52 ? text.slice(0, 52) + "…" : text },
+            { label: "version", value: isS2 ? "s2" : "s1" },
+            { label: "result", value: ok ? "match" : "no match" },
+        ]);
+        (0, ui_1.ms)(elapsed);
+    }
+    if (!ok)
+        process.exit(1);
+}

package/dist/cmd/upgrade.d.ts

@@ -0,0 +1 @@
+export declare function cmdUpgrade(): void;

package/dist/cmd/upgrade.js

@@ -0,0 +1,44 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cmdUpgrade = cmdUpgrade;
+const child_process_1 = require("child_process");
+const ui_1 = require("../lib/ui");
+function _latest() {
+    try {
+        return (0, child_process_1.execSync)("npm info secry version", { encoding: "utf8", timeout: 8000 }).trim();
+    }
+    catch {
+        return null;
+    }
+}
+function _cmp(a, b) {
+    const pa = a.split(".").map(Number);
+    const pb = b.split(".").map(Number);
+    for (let i = 0; i < 3; i++) {
+        const d = (pa[i] ?? 0) - (pb[i] ?? 0);
+        if (d)
+            return d;
+    }
+    return 0;
+}
+function cmdUpgrade() {
+    (0, ui_1.section)("upgrade");
+    (0, ui_1.row)("current", ui_1.VERSION);
+    process.stderr.write("\n");
+    (0, ui_1.info)("checking npm registry...");
+    process.stderr.write("\n");
+    const latest = _latest();
+    if (!latest)
+        (0, ui_1.err)("could not reach npm registry. check your connection.", 1);
+    (0, ui_1.row)("latest", latest);
+    process.stderr.write("\n");
+    if (_cmp(latest, ui_1.VERSION) <= 0) {
+        (0, ui_1.ok)("already up to date");
+        process.stderr.write("\n");
+        return;
+    }
+    (0, ui_1.info)(`update available  ${ui_1.VERSION} → ${latest}`);
+    process.stderr.write("\n");
+    process.stdout.write("npm install -g secry\n");
+    process.stderr.write("\n");
+}

package/dist/cmd/verify.d.ts

@@ -0,0 +1,2 @@
+import type { ParsedArgs } from "../lib/args";
+export declare function cmdVerify(parsed: ParsedArgs): void;

package/dist/cmd/verify.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cmdVerify = cmdVerify;
+const crypto_1 = require("../lib/crypto");
+const password_1 = require("../lib/password");
+const ui_1 = require("../lib/ui");
+const rc_1 = require("../lib/rc");
+const args_1 = require("../lib/args");
+function cmdVerify(parsed) {
+    const rc = (0, rc_1.loadRC)();
+    const token = parsed.positional[0];
+    if (!token)
+        (0, ui_1.err)("missing <token> argument");
+    const rawPw = (0, args_1.getFlag)(parsed.flags, "sw") ?? rc.password;
+    if (!rawPw)
+        (0, ui_1.err)("-sw <password> is required");
+    const password = (0, password_1.resolvePassword)(rawPw);
+    const t0 = Date.now();
+    const isOk = (0, crypto_1.verify)(token, password);
+    const elapsed = Date.now() - t0;
+    (0, ui_1.section)("verify");
+    (0, ui_1.box)([
+        { label: "token", value: token.length > 40 ? token.slice(0, 40) + "…" : token },
+        { label: "status", value: isOk ? "valid" : "invalid", valueColor: isOk ? "\x1b[32m" : "\x1b[31m" },
+    ]);
+    (0, ui_1.ms)(elapsed);
+    process.stdout.write((isOk ? "valid" : "invalid") + "\n");
+    if (!isOk)
+        process.exit(2);
+}

package/dist/index.d.ts

@@ -0,0 +1,28 @@
+interface DecryptChain {
+    key(password: string): string;
+    k(password: string): string;
+}
+interface InspectResult {
+    version: string;
+    prefix: string;
+    saltHex: string;
+    nonceHex: string;
+    payloadBytes: number;
+    algo: string;
+}
+interface XH32 {
+    readonly version: string;
+    readonly TOKEN_PREFIX: string;
+    encrypt(text: string, password: string, opts?: {
+        expiresMs?: number;
+    }): string;
+    decrypt(token: string): DecryptChain;
+    verify(token: string, password: string): boolean;
+    fingerprint(text: string, secret: string): string;
+    generate(bytes?: number): string;
+    inspect(token: string): InspectResult;
+}
+declare const secry: XH32;
+export default secry;
+export { secry };
+export type { XH32, DecryptChain, InspectResult };

package/dist/index.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secry = void 0;
+const crypto_1 = require("./lib/crypto");
+const secry = {
+    version: crypto_1.VERSION, TOKEN_PREFIX: crypto_1.TOKEN_PREFIX,
+    encrypt(text, password, opts = {}) {
+        if (!text)
+            throw new TypeError("text must be a non-empty string");
+        if (!password)
+            throw new TypeError("password must be a non-empty string");
+        return (0, crypto_1.encrypt)(text, password, opts);
+    },
+    decrypt(token) {
+        if (!token)
+            throw new TypeError("token must be a non-empty string");
+        const _r = (pw) => { if (!pw)
+            throw new TypeError("password required"); return (0, crypto_1.decrypt)(token, pw).plaintext; };
+        return { key: _r, k: _r };
+    },
+    verify: (t, p) => (0, crypto_1.verify)(t, p),
+    fingerprint: (t, s) => (0, crypto_1.hmacFingerprint)(t, s),
+    generate: (b = 24) => (0, crypto_1.generatePassword)(b),
+    inspect: (t) => (0, crypto_1.inspectToken)(t),
+};
+exports.secry = secry;
+exports.default = secry;

package/dist/lib/args.d.ts

@@ -0,0 +1,8 @@
+export interface ParsedArgs {
+    cmd: string;
+    positional: string[];
+    flags: Record<string, string | true>;
+}
+export declare function parseArgs(argv: string[]): ParsedArgs;
+export declare function getFlag(flags: Record<string, string | true>, ...keys: string[]): string | undefined;
+export declare function hasFlag(flags: Record<string, string | true>, ...keys: string[]): boolean;

package/dist/lib/args.js

@@ -0,0 +1,43 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseArgs = parseArgs;
+exports.getFlag = getFlag;
+exports.hasFlag = hasFlag;
+function parseArgs(argv) {
+    const flags = {};
+    const positional = [];
+    let i = 0;
+    const cmd = argv[0] ?? "";
+    i = 1;
+    while (i < argv.length) {
+        const a = argv[i];
+        if (a.startsWith("-")) {
+            const key = a.replace(/^-+/, "");
+            const next = argv[i + 1];
+            if (next && !next.startsWith("-")) {
+                flags[key] = next;
+                i += 2;
+            }
+            else {
+                flags[key] = true;
+                i++;
+            }
+        }
+        else {
+            positional.push(a);
+            i++;
+        }
+    }
+    return { cmd, positional, flags };
+}
+function getFlag(flags, ...keys) {
+    for (const k of keys) {
+        const v = flags[k];
+        if (typeof v === "string")
+            return v;
+    }
+    return undefined;
+}
+function hasFlag(flags, ...keys) {
+    return keys.some((k) => k in flags);
+}

package/dist/lib/clip.d.ts

@@ -0,0 +1,2 @@
+export declare function copyToClipboard(text: string): boolean;
+export declare function clipAvailable(): boolean;

package/dist/lib/clip.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.copyToClipboard = copyToClipboard;
+exports.clipAvailable = clipAvailable;
+const child_process_1 = require("child_process");
+const env_1 = require("./env");
+function _cmd() {
+    if (env_1.env.isMacOS)
+        return "pbcopy";
+    if (env_1.env.isTermux) {
+        try {
+            (0, child_process_1.execSync)("which termux-clipboard-set", { stdio: "ignore" });
+            return "termux-clipboard-set";
+        }
+        catch { }
+        return null;
+    }
+    for (const [bin, cmd] of [["xclip", "xclip -selection clipboard"], ["xsel", "xsel --clipboard --input"], ["wl-copy", "wl-copy"]]) {
+        try {
+            (0, child_process_1.execSync)(`which ${bin}`, { stdio: "ignore" });
+            return cmd;
+        }
+        catch { }
+    }
+    return null;
+}
+function copyToClipboard(text) {
+    const cmd = _cmd();
+    if (!cmd)
+        return false;
+    try {
+        (0, child_process_1.execSync)(cmd, { input: text, stdio: ["pipe", "ignore", "ignore"] });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function clipAvailable() { return _cmd() !== null; }

package/dist/lib/crypto.d.ts

@@ -0,0 +1,29 @@
+export declare const TOKEN_PREFIX = "secry:v2:";
+export declare const VERSION = "v2";
+export interface EncryptOptions {
+    expiresMs?: number;
+}
+export declare function encrypt(plaintext: string, password: string, opts?: EncryptOptions, version?: 1 | 2 | 3, compact?: boolean): string;
+export interface DecryptResult {
+    plaintext: string;
+    expiresAt?: Date;
+    tokenVersion: number;
+}
+export declare function decrypt(token: string, password: string): DecryptResult;
+export declare function verify(token: string, password: string): boolean;
+export declare function hmacFingerprint(input: string, secret: string): string;
+export declare function inspectToken(token: string): {
+    version: string;
+    saltHex: string;
+    nonceHex: string;
+    payloadBytes: number;
+    prefix: string;
+    algo: string;
+    compact: boolean;
+};
+export declare function generatePassword(bytes?: number): string;
+export declare function parseExpiry(raw: string): number;
+export declare function seal(input: string, secret: string): string;
+export declare function sealVerify(input: string, secret: string, token: string): boolean;
+export declare function sealS2(input: string, secret: string): Promise<string>;
+export declare function sealVerifyS2(input: string, secret: string, token: string): Promise<boolean>;