sec-ry 1.1.5

package/dist/lib/crypto.js

@@ -0,0 +1,312 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VERSION = exports.TOKEN_PREFIX = void 0;
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+exports.verify = verify;
+exports.hmacFingerprint = hmacFingerprint;
+exports.inspectToken = inspectToken;
+exports.generatePassword = generatePassword;
+exports.parseExpiry = parseExpiry;
+exports.seal = seal;
+exports.sealVerify = sealVerify;
+exports.sealS2 = sealS2;
+exports.sealVerifyS2 = sealVerifyS2;
+const crypto_1 = require("crypto");
+const _PFX_V1 = "secry:v1:";
+const _PFX_V2 = "secry:v2:";
+const _PFX_V3 = "secry:v3:";
+const _CPX_V1 = "sec:v1:";
+const _CPX_V2 = "sec:v2:";
+const _CPX_V3 = "sec:v3:";
+const _ALG_V1 = "aes-256-gcm";
+const _ALG_V2 = "chacha20-poly1305";
+const _ALG_V3 = "aes-256-cbc";
+const _SL = 16;
+const _NL = 12;
+const _NL_V3 = 16;
+const _TL = 16;
+const _KL = 32;
+const _SL_C = 8;
+const _SCRYPT = { N: 16384, r: 8, p: 1 };
+const _IS_TERMUX = (process.env.PREFIX ?? "").includes("com.termux");
+const _SCRYPT_S2 = _IS_TERMUX
+    ? { N: 16384, r: 4, p: 2 }
+    : { N: 65536, r: 8, p: 1 };
+exports.TOKEN_PREFIX = _PFX_V2;
+exports.VERSION = "v2";
+function _kdf(pass, salt) {
+    const buf = Buffer.from(pass, "utf8");
+    const key = (0, crypto_1.scryptSync)(buf, salt, _KL, _SCRYPT);
+    buf.fill(0);
+    return key;
+}
+function _encExp(ms) {
+    const b = Buffer.allocUnsafe(8);
+    b.writeUInt32BE(Math.floor(ms / 0x100000000), 0);
+    b.writeUInt32BE(ms >>> 0, 4);
+    return b;
+}
+function _decExp(b) {
+    return b.readUInt32BE(0) * 0x100000000 + b.readUInt32BE(4);
+}
+function encrypt(plaintext, password, opts = {}, version = 2, compact = false) {
+    const pfx = compact ? (version === 3 ? _CPX_V3 : version === 1 ? _CPX_V1 : _CPX_V2) : (version === 3 ? _PFX_V3 : version === 1 ? _PFX_V1 : _PFX_V2);
+    const sl = compact ? _SL_C : _SL;
+    const alg = version === 2 ? _ALG_V2 : version === 3 ? _ALG_V3 : _ALG_V1;
+    const nl = version === 3 ? _NL_V3 : _NL;
+    const salt = (0, crypto_1.randomBytes)(sl);
+    const nonce = (0, crypto_1.randomBytes)(nl);
+    const key = _kdf(password, salt);
+    const hasx = opts.expiresMs !== undefined;
+    const meta = Buffer.alloc(1);
+    meta[0] = hasx ? 1 : 0;
+    const inner = Buffer.concat([meta, hasx ? _encExp(opts.expiresMs) : Buffer.alloc(0), Buffer.from(plaintext, "utf8")]);
+    if (version === 3) {
+        const ciph = (0, crypto_1.createCipheriv)(alg, key, nonce);
+        const body = Buffer.concat([ciph.update(inner), ciph.final()]);
+        return pfx + Buffer.concat([salt, nonce, body]).toString("base64url");
+    }
+    const ciph = (0, crypto_1.createCipheriv)(alg, key, nonce, { authTagLength: _TL });
+    const body = Buffer.concat([ciph.update(inner), ciph.final()]);
+    const tag = ciph.getAuthTag();
+    return pfx + Buffer.concat([salt, nonce, tag, body]).toString("base64url");
+}
+function decrypt(token, password) {
+    let pfx;
+    let alg;
+    let ver;
+    let nl;
+    let compact = false;
+    if (token.startsWith(_PFX_V3)) {
+        pfx = _PFX_V3;
+        alg = _ALG_V3;
+        ver = 3;
+        nl = _NL_V3;
+    }
+    else if (token.startsWith(_PFX_V2)) {
+        pfx = _PFX_V2;
+        alg = _ALG_V2;
+        ver = 2;
+        nl = _NL;
+    }
+    else if (token.startsWith(_PFX_V1)) {
+        pfx = _PFX_V1;
+        alg = _ALG_V1;
+        ver = 1;
+        nl = _NL;
+    }
+    else if (token.startsWith(_CPX_V3)) {
+        pfx = _CPX_V3;
+        alg = _ALG_V3;
+        ver = 3;
+        nl = _NL_V3;
+        compact = true;
+    }
+    else if (token.startsWith(_CPX_V2)) {
+        pfx = _CPX_V2;
+        alg = _ALG_V2;
+        ver = 2;
+        nl = _NL;
+        compact = true;
+    }
+    else if (token.startsWith(_CPX_V1)) {
+        pfx = _CPX_V1;
+        alg = _ALG_V1;
+        ver = 1;
+        nl = _NL;
+        compact = true;
+    }
+    else
+        throw Object.assign(new Error("invalid token format"), { code: "ERR_FORMAT" });
+    const payload = Buffer.from(token.slice(pfx.length), "base64url");
+    const sl = compact ? _SL_C : _SL;
+    const salt = payload.subarray(0, sl);
+    const nonce = payload.subarray(sl, sl + nl);
+    const key = _kdf(password, salt);
+    let inner;
+    try {
+        if (ver === 3) {
+            const dc = (0, crypto_1.createDecipheriv)(alg, key, nonce);
+            inner = Buffer.concat([dc.update(payload.subarray(sl + nl)), dc.final()]);
+        }
+        else {
+            const tag = payload.subarray(sl + nl, sl + nl + _TL);
+            const body = payload.subarray(sl + nl + _TL);
+            const dc = (0, crypto_1.createDecipheriv)(alg, key, nonce, ver >= 2 ? { authTagLength: _TL } : undefined);
+            dc.setAuthTag(tag);
+            inner = Buffer.concat([dc.update(body), dc.final()]);
+        }
+    }
+    catch {
+        throw Object.assign(new Error("wrong password or corrupted token"), { code: "ERR_AUTH" });
+    }
+    const hasx = inner[0] === 1;
+    if (hasx) {
+        const expMs = _decExp(inner.subarray(1, 9));
+        const expDate = new Date(expMs);
+        if (Date.now() > expMs)
+            throw Object.assign(new Error(`token expired at ${expDate.toISOString()}`), { code: "ERR_EXPIRED", expiredAt: expDate });
+        return { plaintext: inner.subarray(9).toString("utf8"), expiresAt: expDate, tokenVersion: ver };
+    }
+    return { plaintext: inner.subarray(1).toString("utf8"), tokenVersion: ver };
+}
+function verify(token, password) {
+    try {
+        decrypt(token, password);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function hmacFingerprint(input, secret) {
+    return (0, crypto_1.createHmac)("sha256", secret).update(input).digest("hex").slice(0, 16);
+}
+function inspectToken(token) {
+    let pfx;
+    let algo;
+    let ver;
+    let nl;
+    let compact2 = false;
+    if (token.startsWith(_PFX_V3)) {
+        pfx = _PFX_V3;
+        algo = "AES-256-CBC";
+        ver = 3;
+        nl = _NL_V3;
+    }
+    else if (token.startsWith(_PFX_V2)) {
+        pfx = _PFX_V2;
+        algo = "ChaCha20-Poly1305";
+        ver = 2;
+        nl = _NL;
+    }
+    else if (token.startsWith(_PFX_V1)) {
+        pfx = _PFX_V1;
+        algo = "AES-256-GCM";
+        ver = 1;
+        nl = _NL;
+    }
+    else if (token.startsWith(_CPX_V3)) {
+        pfx = _CPX_V3;
+        algo = "AES-256-CBC";
+        ver = 3;
+        nl = _NL_V3;
+        compact2 = true;
+    }
+    else if (token.startsWith(_CPX_V2)) {
+        pfx = _CPX_V2;
+        algo = "ChaCha20-Poly1305";
+        ver = 2;
+        nl = _NL;
+        compact2 = true;
+    }
+    else if (token.startsWith(_CPX_V1)) {
+        pfx = _CPX_V1;
+        algo = "AES-256-GCM";
+        ver = 1;
+        nl = _NL;
+        compact2 = true;
+    }
+    else
+        throw Object.assign(new Error("invalid token format"), { code: "ERR_FORMAT" });
+    const payload = Buffer.from(token.slice(pfx.length), "base64url");
+    const sl2 = compact2 ? _SL_C : _SL;
+    if (payload.length < sl2 + nl + 2)
+        throw Object.assign(new Error("token is too short or malformed"), { code: "ERR_MALFORMED" });
+    return { version: `v${ver}`, prefix: pfx, algo, compact: compact2, saltHex: payload.subarray(0, sl2).toString("hex"), nonceHex: payload.subarray(sl2, sl2 + nl).toString("hex"), payloadBytes: payload.length };
+}
+function generatePassword(bytes = 24) { return (0, crypto_1.randomBytes)(bytes).toString("base64url"); }
+function parseExpiry(raw) {
+    const m = raw.match(/^(\d+)(s|m|h|d)$/);
+    if (!m)
+        throw new Error(`invalid expiry format: "${raw}" — use 30s, 5m, 2h, 7d`);
+    const u = { s: 1000, m: 60000, h: 3600000, d: 86400000 };
+    return Date.now() + parseInt(m[1], 10) * u[m[2]];
+}
+const _PFX_S1 = "secry:s1:";
+const _PFX_S2 = "secry:s2:";
+const _PEPPER_S2 = "enclove.secry.s2.pepper.v1";
+function seal(input, secret) {
+    const salt = (0, crypto_1.randomBytes)(16);
+    const key = (0, crypto_1.scryptSync)(Buffer.from(secret, "utf8"), salt, 32, _SCRYPT);
+    const mac = (0, crypto_1.createHmac)("sha256", key).update(input, "utf8").digest();
+    return _PFX_S1 + Buffer.concat([salt, mac]).toString("base64url");
+}
+function sealVerify(input, secret, token) {
+    if (!token.startsWith(_PFX_S1))
+        return false;
+    try {
+        const raw = Buffer.from(token.slice(_PFX_S1.length), "base64url");
+        if (raw.length < 48)
+            return false;
+        const salt = raw.subarray(0, 16);
+        const mac = raw.subarray(16);
+        const key = (0, crypto_1.scryptSync)(Buffer.from(secret, "utf8"), salt, 32, _SCRYPT);
+        const exp = (0, crypto_1.createHmac)("sha256", key).update(input, "utf8").digest();
+        return exp.length === mac.length && require("crypto").timingSafeEqual(exp, mac);
+    }
+    catch {
+        return false;
+    }
+}
+async function sealS2(input, secret) {
+    const salt = (0, crypto_1.randomBytes)(32);
+    const peppered = Buffer.from(_PEPPER_S2 + secret, "utf8");
+    const key = (0, crypto_1.scryptSync)(peppered, salt, 32, _SCRYPT_S2);
+    const { blake3 } = await Promise.resolve().then(() => __importStar(require("@noble/hashes/blake3.js")));
+    const out = blake3(new TextEncoder().encode(input), { key, dkLen: 64 });
+    return _PFX_S2 + Buffer.concat([salt, Buffer.from(out)]).toString("base64url");
+}
+async function sealVerifyS2(input, secret, token) {
+    if (!token.startsWith(_PFX_S2))
+        return false;
+    try {
+        const raw = Buffer.from(token.slice(_PFX_S2.length), "base64url");
+        if (raw.length < 96)
+            return false;
+        const salt = raw.subarray(0, 32);
+        const mac = raw.subarray(32);
+        const peppered = Buffer.from(_PEPPER_S2 + secret, "utf8");
+        const key = (0, crypto_1.scryptSync)(peppered, salt, 32, _SCRYPT_S2);
+        const { blake3 } = await Promise.resolve().then(() => __importStar(require("@noble/hashes/blake3.js")));
+        const exp = Buffer.from(blake3(new TextEncoder().encode(input), { key, dkLen: 64 }));
+        return exp.length === mac.length && require("crypto").timingSafeEqual(exp, mac);
+    }
+    catch {
+        return false;
+    }
+}

package/dist/lib/env.d.ts

@@ -0,0 +1,13 @@
+export type Env = "termux" | "linux" | "macos" | "unknown";
+export interface EnvInfo {
+    type: Env;
+    isTermux: boolean;
+    isLinux: boolean;
+    isMacOS: boolean;
+    hasTTY: boolean;
+    hasRawMode: boolean;
+    hasColor: boolean;
+    cols: number;
+    rows: number;
+}
+export declare const env: EnvInfo;

package/dist/lib/env.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.env = void 0;
+function _detect() {
+    if (process.env.TERMUX_VERSION !== undefined ||
+        (process.env.PREFIX ?? "").includes("com.termux") ||
+        (process.env.HOME ?? "").includes("com.termux"))
+        return "termux";
+    if (process.platform === "darwin")
+        return "macos";
+    if (process.platform === "linux")
+        return "linux";
+    return "unknown";
+}
+function _cols() {
+    try {
+        return process.stdout.columns || 80;
+    }
+    catch {
+        return 80;
+    }
+}
+function _rows() {
+    try {
+        return process.stdout.rows || 24;
+    }
+    catch {
+        return 24;
+    }
+}
+const _type = _detect();
+exports.env = {
+    type: _type,
+    isTermux: _type === "termux",
+    isLinux: _type === "linux",
+    isMacOS: _type === "macos",
+    hasTTY: !!process.stdin.isTTY,
+    hasRawMode: typeof process.stdin.setRawMode === "function",
+    hasColor: process.env.NO_COLOR === undefined && !!process.stderr.isTTY,
+    cols: _cols(),
+    rows: _rows(),
+};

package/dist/lib/errors.d.ts

@@ -0,0 +1 @@
+export declare function installErrorHandler(): void;

package/dist/lib/errors.js

@@ -0,0 +1,61 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.installErrorHandler = installErrorHandler;
+const _nc = !process.stderr.isTTY || process.env.NO_COLOR !== undefined;
+const _e = _nc ? "" : "\x1b[31m";
+const _c = _nc ? "" : "\x1b[36m";
+const _d = _nc ? "" : "\x1b[2m";
+const _r = _nc ? "" : "\x1b[0m";
+const _DEFS = [
+    { match: (m) => m.includes("secry:") && (m.includes("$") || m.includes("expanded")),
+        message: "token contains unescaped shell characters",
+        fix: "use single quotes:  secry denc 'secry:v2:...' -sw password", exit: 2 },
+    { match: (m, c) => c === "EACCES" || m.includes("permission denied"),
+        message: "permission denied",
+        fix: "check file permissions", exit: 2 },
+    { match: (m, c) => c === "ENOMEM" || m.includes("out of memory") || m.includes("heap"),
+        message: "out of memory",
+        fix: "input may be too large. try: NODE_OPTIONS=--max-old-space-size=512 secry ...", exit: 2 },
+    { match: (m) => m.includes("scrypt") || m.includes("memory limit exceeded"),
+        message: "scrypt memory limit exceeded",
+        fix: "device may have limited memory. try a shorter input or restart Termux", exit: 2 },
+    { match: (m, c) => c === "MODULE_NOT_FOUND" || m.includes("cannot find module"),
+        message: "internal module not found",
+        fix: "reinstall secry:  npm install -g secry", exit: 1 },
+    { match: (m, c) => c === "ERR_INVALID_ARG_TYPE" || c === "ERR_INVALID_ARG_VALUE" || m.includes("invalid argument"),
+        message: "invalid argument",
+        fix: "run  secry -h  to see correct usage", exit: 1 },
+    { match: (m, c) => c === "ENOENT" || m.includes("no such file"),
+        message: "file not found",
+        fix: "check that the file path is correct", exit: 2 },
+];
+function _fmt(msg, fix) {
+    return `\n${_e}error${_r}  ${msg}\n${_d}fix${_r}    ${_c}${fix}${_r}\n`;
+}
+function _handle(err) {
+    const msg = (err.message ?? "").toLowerCase();
+    const code = err.code ?? "";
+    for (const d of _DEFS) {
+        if (d.match(msg, code)) {
+            process.stderr.write(_fmt(d.message, d.fix));
+            process.exit(d.exit);
+        }
+    }
+    return false;
+}
+function _unknown(msg) {
+    process.stderr.write(`\n${_e}error${_r}  unexpected error\n${_d}fix${_r}    ${_c}run  secry -h  for usage${_r}\n${_d}      ${msg}${_r}\n`);
+    process.exit(1);
+}
+function installErrorHandler() {
+    process.on("uncaughtException", (err) => { if (!_handle(err))
+        _unknown(err.message ?? String(err)); });
+    process.on("unhandledRejection", (reason) => {
+        const err = reason instanceof Error ? reason : new Error(String(reason));
+        if (!_handle(err))
+            _unknown(err.message);
+    });
+    process.on("warning", () => { });
+    const _orig = process.emit.bind(process);
+    process.emit = (ev, ...a) => ev === "warning" ? false : _orig(ev, ...a);
+}

package/dist/lib/history.d.ts

@@ -0,0 +1,9 @@
+interface _Entry {
+    ts: number;
+    cmd: string;
+    fp: string;
+}
+export declare function recordHistory(cmd: string, token: string): void;
+export declare function getHistory(): _Entry[];
+export declare function clearHistory(): void;
+export {};

package/dist/lib/history.js

@@ -0,0 +1,35 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.recordHistory = recordHistory;
+exports.getHistory = getHistory;
+exports.clearHistory = clearHistory;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const crypto_1 = require("crypto");
+const _FILE = (0, path_1.join)((0, os_1.tmpdir)(), ".secry_history");
+function _load() {
+    if (!(0, fs_1.existsSync)(_FILE))
+        return [];
+    try {
+        return JSON.parse((0, fs_1.readFileSync)(_FILE, "utf8"));
+    }
+    catch {
+        return [];
+    }
+}
+function _save(e) {
+    try {
+        (0, fs_1.writeFileSync)(_FILE, JSON.stringify(e), "utf8");
+    }
+    catch { }
+}
+function recordHistory(cmd, token) {
+    const e = _load();
+    e.push({ ts: Date.now(), cmd, fp: (0, crypto_1.createHash)("sha256").update(token).digest("hex").slice(0, 8) });
+    if (e.length > 50)
+        e.splice(0, e.length - 50);
+    _save(e);
+}
+function getHistory() { return _load(); }
+function clearHistory() { _save([]); }

package/dist/lib/password.d.ts

@@ -0,0 +1,2 @@
+export declare function resolvePassword(raw: string): string;
+export declare function describePasswordSource(raw: string): string;

package/dist/lib/password.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolvePassword = resolvePassword;
+exports.describePasswordSource = describePasswordSource;
+const fs_1 = require("fs");
+function resolvePassword(raw) {
+    if (raw.startsWith("@")) {
+        const path = raw.slice(1).trim();
+        try {
+            return (0, fs_1.readFileSync)(path, "utf8").trim();
+        }
+        catch {
+            throw Object.assign(new Error(`cannot read password file: ${path}`), { code: "ERR_PWFILE" });
+        }
+    }
+    if (raw.startsWith("env:")) {
+        const name = raw.slice(4).trim();
+        const val = process.env[name];
+        if (!val)
+            throw Object.assign(new Error(`env variable not set: ${name}`), { code: "ERR_PWENV" });
+        return val;
+    }
+    return raw;
+}
+function describePasswordSource(raw) {
+    if (raw.startsWith("@"))
+        return `file(${raw.slice(1)})`;
+    if (raw.startsWith("env:"))
+        return `env(${raw.slice(4)})`;
+    return "inline";
+}

package/dist/lib/rc.d.ts

@@ -0,0 +1,7 @@
+export interface XH32RC {
+    password?: string;
+    bytes?: number;
+    maxSize?: number;
+    clip?: boolean;
+}
+export declare function loadRC(): XH32RC;

package/dist/lib/rc.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadRC = loadRC;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const _DEFAULTS = { bytes: 24, maxSize: 20, clip: false };
+const _RC_FILE = ".secryrc";
+function _parse(raw) {
+    const out = {};
+    for (const line of raw.split("\n")) {
+        const t = line.trim();
+        if (!t || t.startsWith("#"))
+            continue;
+        const eq = t.indexOf("=");
+        if (eq === -1)
+            continue;
+        const k = t.slice(0, eq).trim();
+        const v = t.slice(eq + 1).trim();
+        if (k === "password")
+            out.password = v;
+        if (k === "bytes")
+            out.bytes = parseInt(v, 10);
+        if (k === "maxSize")
+            out.maxSize = parseInt(v, 10);
+        if (k === "clip")
+            out.clip = v === "true";
+    }
+    return out;
+}
+function _load(path) {
+    if (!(0, fs_1.existsSync)(path))
+        return null;
+    try {
+        return _parse((0, fs_1.readFileSync)(path, "utf8"));
+    }
+    catch {
+        return null;
+    }
+}
+function loadRC() {
+    const local = _load((0, path_1.resolve)(process.cwd(), _RC_FILE));
+    const global = _load((0, path_1.join)((0, os_1.homedir)(), _RC_FILE));
+    return { ..._DEFAULTS, ...global, ...local };
+}

package/dist/lib/ui.d.ts

@@ -0,0 +1,21 @@
+export declare const VERSION: string;
+export declare const PKG = "secry";
+export declare const BIN = "secry";
+export declare let QUIET: boolean;
+export declare function setQuiet(v: boolean): void;
+export declare function data(s: string): void;
+export declare function err(msg: string, code?: number): never;
+export declare function warn(msg: string): void;
+export declare function info(msg: string): void;
+export declare function ok(msg: string): void;
+export interface BoxRow {
+    label: string;
+    value: string;
+    valueColor?: string;
+}
+export declare function box(rows: BoxRow[]): void;
+export declare function section(title: string): void;
+export declare function token(t: string): void;
+export declare function ms(elapsed: number): void;
+export declare function row(label: string, value: string, color?: string): void;
+export declare function usage(): void;