security-migrate 1.0.0

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,170 @@
+#!/usr/bin/env node
+import { existsSync } from "node:fs";
+import { resolve, join } from "node:path";
+import { execSync } from "node:child_process";
+import { discoverSecurityFiles } from "./discover.js";
+import { migrateFiles } from "./migrate.js";
+import { banner, bold, dim, error, yellow, green } from "./log.js";
+const VERSION = "1.0.0";
+const HELP = `
+${bold("security-migrate")} — Migrate gitignored security files to git worktrees
+
+${bold("Usage:")}
+  security-migrate <target-worktree> [options]
+
+${bold("Options:")}
+  --copy         Copy files instead of symlinking (default: symlink)
+  --dry-run      Show what would be done without doing it
+  --force        Overwrite existing files in target
+  --source <dir> Source worktree (default: current git root)
+  --help         Show this help
+  --version      Show version
+
+${bold("Examples:")}
+  security-migrate ../worktrees/feature-x
+  security-migrate ../worktrees/feature-x --dry-run
+  security-migrate ../worktrees/feature-x --copy --force
+  security-migrate ../worktrees/feature-x --source /path/to/main
+
+${bold("Manifest:")}
+  Add a ${dim(".security-migrate")} file to your project root with extra
+  glob patterns (one per line, # for comments).
+`.trim();
+function parseArgs(argv) {
+    const args = argv.slice(2);
+    let target = "";
+    let source = null;
+    let copy = false;
+    let dryRun = false;
+    let force = false;
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === "--help" || arg === "-h") {
+            console.log(HELP);
+            process.exit(0);
+        }
+        if (arg === "--version" || arg === "-v") {
+            console.log(VERSION);
+            process.exit(0);
+        }
+        if (arg === "--copy") {
+            copy = true;
+            continue;
+        }
+        if (arg === "--dry-run") {
+            dryRun = true;
+            continue;
+        }
+        if (arg === "--force") {
+            force = true;
+            continue;
+        }
+        if (arg === "--source") {
+            source = args[++i];
+            if (!source) {
+                error("--source requires a path argument");
+                process.exit(1);
+            }
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            error(`Unknown option: ${arg}`);
+            console.log(`Run ${dim("security-migrate --help")} for usage.`);
+            process.exit(1);
+        }
+        if (!target) {
+            target = arg;
+        }
+        else {
+            error(`Unexpected argument: ${arg}`);
+            process.exit(1);
+        }
+    }
+    if (!target) {
+        return null;
+    }
+    return { target, source, copy, dryRun, force };
+}
+function getGitRoot() {
+    try {
+        return execSync("git rev-parse --show-toplevel", { encoding: "utf-8" }).trim();
+    }
+    catch {
+        error("Not inside a git repository.");
+        process.exit(1);
+    }
+}
+function isGitWorktreeOrRepo(path) {
+    // .git can be a file (worktree) or directory (main repo)
+    return existsSync(join(path, ".git"));
+}
+function main() {
+    const parsed = parseArgs(process.argv);
+    if (!parsed) {
+        console.log(HELP);
+        process.exit(1);
+    }
+    banner(VERSION);
+    const sourceRoot = resolve(parsed.source ?? getGitRoot());
+    const targetRoot = resolve(parsed.target);
+    // Validate source
+    if (!existsSync(sourceRoot)) {
+        error(`Source directory does not exist: ${sourceRoot}`);
+        process.exit(1);
+    }
+    if (!isGitWorktreeOrRepo(sourceRoot)) {
+        error(`Source is not a git repository or worktree: ${sourceRoot}`);
+        process.exit(1);
+    }
+    // Validate target
+    if (!existsSync(targetRoot)) {
+        error(`Target directory does not exist: ${targetRoot}`);
+        process.exit(1);
+    }
+    if (!isGitWorktreeOrRepo(targetRoot)) {
+        error(`Target is not a git repository or worktree: ${targetRoot}`);
+        process.exit(1);
+    }
+    console.log(`Source: ${dim(sourceRoot)}`);
+    console.log(`Target: ${dim(targetRoot)}`);
+    console.log();
+    if (parsed.dryRun) {
+        console.log(yellow("(dry run — no changes will be made)"));
+        console.log();
+    }
+    // Discover
+    console.log("Discovering security files...");
+    const files = discoverSecurityFiles({ sourceRoot });
+    if (files.length === 0) {
+        console.log("No gitignored security files found.");
+        process.exit(0);
+    }
+    console.log(`Found ${bold(String(files.length))} gitignored security file${files.length === 1 ? "" : "s"}`);
+    console.log();
+    // Migrate
+    const result = migrateFiles({
+        sourceRoot,
+        targetRoot,
+        files,
+        copy: parsed.copy,
+        force: parsed.force,
+        dryRun: parsed.dryRun,
+    });
+    // Summary
+    console.log();
+    const parts = [];
+    if (result.linked > 0)
+        parts.push(green(`${result.linked} symlinked`));
+    if (result.copied > 0)
+        parts.push(green(`${result.copied} copied`));
+    if (result.skipped > 0)
+        parts.push(yellow(`${result.skipped} skipped`));
+    if (parsed.dryRun) {
+        const total = result.linked + result.copied;
+        console.log(`Dry run complete. ${bold(String(total))} file${total === 1 ? "" : "s"} would be ${parsed.copy ? "copied" : "symlinked"}, ${result.skipped} skipped.`);
+    }
+    else {
+        console.log(`Done! ${parts.join(", ")}`);
+    }
+}
+main();

package/dist/discover.d.ts

@@ -0,0 +1,8 @@
+export interface DiscoverOptions {
+    sourceRoot: string;
+}
+/**
+ * Discover gitignored security files in the source tree.
+ * Returns relative paths from sourceRoot.
+ */
+export declare function discoverSecurityFiles(opts: DiscoverOptions): string[];

package/dist/discover.js

@@ -0,0 +1,115 @@
+import { readdirSync } from "node:fs";
+import { join, relative, basename } from "node:path";
+import { execSync } from "node:child_process";
+import { DEFAULT_PATTERNS, loadManifestPatterns, getSkipDirs } from "./patterns.js";
+/**
+ * Minimal glob matcher supporting:
+ *   *  — matches anything except /
+ *   ** — matches any number of path segments (including zero)
+ *   ?  — matches a single char except /
+ */
+function matchGlob(pattern, filePath) {
+    // Normalize separators
+    const p = pattern.replace(/\\/g, "/");
+    const f = filePath.replace(/\\/g, "/");
+    // Convert glob to regex
+    let regex = "";
+    let i = 0;
+    while (i < p.length) {
+        if (p[i] === "*" && p[i + 1] === "*") {
+            // ** matches any number of path segments
+            if (p[i + 2] === "/") {
+                regex += "(?:.+/)?";
+                i += 3;
+            }
+            else {
+                regex += ".*";
+                i += 2;
+            }
+        }
+        else if (p[i] === "*") {
+            regex += "[^/]*";
+            i++;
+        }
+        else if (p[i] === "?") {
+            regex += "[^/]";
+            i++;
+        }
+        else if (p[i] === ".") {
+            regex += "\\.";
+            i++;
+        }
+        else {
+            regex += p[i];
+            i++;
+        }
+    }
+    return new RegExp(`^${regex}$`).test(f);
+}
+/**
+ * Walk the source tree recursively, collecting all file paths
+ * relative to sourceRoot. Skips known non-content directories.
+ */
+function walkDir(dir, sourceRoot, skipDirs) {
+    const results = [];
+    let entries;
+    try {
+        entries = readdirSync(dir, { withFileTypes: true });
+    }
+    catch {
+        return results;
+    }
+    for (const entry of entries) {
+        if (skipDirs.has(entry.name))
+            continue;
+        const fullPath = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            results.push(...walkDir(fullPath, sourceRoot, skipDirs));
+        }
+        else if (entry.isFile() || entry.isSymbolicLink()) {
+            results.push(relative(sourceRoot, fullPath));
+        }
+    }
+    return results;
+}
+/**
+ * Check if a file is gitignored by running `git check-ignore`.
+ */
+function isGitIgnored(filePath, cwd) {
+    try {
+        execSync(`git check-ignore -q ${JSON.stringify(filePath)}`, {
+            cwd,
+            stdio: "ignore",
+        });
+        return true; // exit code 0 = ignored
+    }
+    catch {
+        return false; // exit code 1 = not ignored
+    }
+}
+/**
+ * Discover gitignored security files in the source tree.
+ * Returns relative paths from sourceRoot.
+ */
+export function discoverSecurityFiles(opts) {
+    const { sourceRoot } = opts;
+    const skipDirs = getSkipDirs();
+    // Combine default + manifest patterns
+    const patterns = [...DEFAULT_PATTERNS, ...loadManifestPatterns(sourceRoot)];
+    // Walk the tree
+    const allFiles = walkDir(sourceRoot, sourceRoot, skipDirs);
+    // Filter by pattern match
+    const matched = allFiles.filter((filePath) => patterns.some((pattern) => {
+        // Match against the full relative path
+        if (matchGlob(pattern, filePath))
+            return true;
+        // Also match against just the filename for non-** patterns
+        if (!pattern.includes("/") && !pattern.startsWith("**/")) {
+            return matchGlob(pattern, basename(filePath));
+        }
+        return false;
+    }));
+    // Filter to only gitignored files
+    const gitignored = matched.filter((filePath) => isGitIgnored(filePath, sourceRoot));
+    return gitignored.sort();
+}

package/dist/log.d.ts

@@ -0,0 +1,11 @@
+export declare const green: (s: string) => string;
+export declare const yellow: (s: string) => string;
+export declare const red: (s: string) => string;
+export declare const dim: (s: string) => string;
+export declare const bold: (s: string) => string;
+export declare const cyan: (s: string) => string;
+export declare function banner(version: string): void;
+export declare function info(label: string, msg: string): void;
+export declare function skip(msg: string): void;
+export declare function warn(msg: string): void;
+export declare function error(msg: string): void;

package/dist/log.js

@@ -0,0 +1,24 @@
+const isColorSupported = process.stdout.isTTY && !process.env.NO_COLOR;
+const wrap = (code) => isColorSupported ? (s) => `\x1b[${code}m${s}\x1b[0m` : (s) => s;
+export const green = wrap("32");
+export const yellow = wrap("33");
+export const red = wrap("31");
+export const dim = wrap("2");
+export const bold = wrap("1");
+export const cyan = wrap("36");
+export function banner(version) {
+    console.log(bold(`security-migrate v${version}`));
+    console.log();
+}
+export function info(label, msg) {
+    console.log(`  ${green(label.padEnd(6))} ${msg}`);
+}
+export function skip(msg) {
+    console.log(`  ${yellow("SKIP".padEnd(6))} ${msg}`);
+}
+export function warn(msg) {
+    console.log(`  ${yellow("WARN".padEnd(6))} ${msg}`);
+}
+export function error(msg) {
+    console.error(`${red("Error:")} ${msg}`);
+}

package/dist/migrate.d.ts

@@ -0,0 +1,17 @@
+export interface MigrateOptions {
+    sourceRoot: string;
+    targetRoot: string;
+    files: string[];
+    copy: boolean;
+    force: boolean;
+    dryRun: boolean;
+}
+export interface MigrateResult {
+    linked: number;
+    copied: number;
+    skipped: number;
+}
+/**
+ * Migrate discovered security files from source to target worktree.
+ */
+export declare function migrateFiles(opts: MigrateOptions): MigrateResult;

package/dist/migrate.js

@@ -0,0 +1,62 @@
+import { existsSync, mkdirSync, symlinkSync, copyFileSync, lstatSync, unlinkSync } from "node:fs";
+import { join, dirname, resolve } from "node:path";
+import { info, skip } from "./log.js";
+/**
+ * Migrate discovered security files from source to target worktree.
+ */
+export function migrateFiles(opts) {
+    const { sourceRoot, targetRoot, files, copy, force, dryRun } = opts;
+    const result = { linked: 0, copied: 0, skipped: 0 };
+    const mode = copy ? "COPY" : "LINK";
+    for (const relPath of files) {
+        const sourcePath = resolve(sourceRoot, relPath);
+        const targetPath = join(targetRoot, relPath);
+        const targetDir = dirname(targetPath);
+        // Check if target already exists
+        if (existsSync(targetPath) || isSymlink(targetPath)) {
+            if (!force) {
+                if (!dryRun) {
+                    skip(`${relPath} (already exists, use --force)`);
+                }
+                result.skipped++;
+                continue;
+            }
+            // Force mode: remove existing
+            if (!dryRun) {
+                unlinkSync(targetPath);
+            }
+        }
+        if (dryRun) {
+            const arrow = copy ? "←" : "→";
+            info(mode, `${relPath} ${arrow} ${sourcePath}`);
+        }
+        else {
+            // Ensure parent directory exists
+            mkdirSync(targetDir, { recursive: true });
+            if (copy) {
+                copyFileSync(sourcePath, targetPath);
+                info("COPY", relPath);
+            }
+            else {
+                symlinkSync(sourcePath, targetPath);
+                info("LINK", `${relPath} → ${sourcePath}`);
+            }
+        }
+        if (copy) {
+            result.copied++;
+        }
+        else {
+            result.linked++;
+        }
+    }
+    return result;
+}
+function isSymlink(path) {
+    try {
+        lstatSync(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/patterns.d.ts

@@ -0,0 +1,7 @@
+export declare const DEFAULT_PATTERNS: string[];
+export declare function getSkipDirs(): Set<string>;
+/**
+ * Load additional patterns from a `.security-migrate` manifest file
+ * in the source root, if it exists. One glob per line, # for comments.
+ */
+export declare function loadManifestPatterns(sourceRoot: string): string[];

package/dist/patterns.js

@@ -0,0 +1,51 @@
+import { readFileSync, existsSync } from "node:fs";
+import { join } from "node:path";
+export const DEFAULT_PATTERNS = [
+    // Environment files
+    ".env",
+    ".env.*",
+    "**/.env",
+    "**/.env.*",
+    // Firebase
+    "**/serviceAccountKey*.json",
+    "**/service-account*.json",
+    "**/GoogleService-Info.plist",
+    "**/google-services.json",
+    "**/.firebaserc",
+    // Certificates & keys
+    "**/*.p8",
+    "**/*.p12",
+    "**/*.pem",
+    "**/*.key",
+    // Common secrets
+    "**/*.secret",
+    "**/secrets.json",
+    "**/secrets.yaml",
+];
+const SKIP_DIRS = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    ".build",
+    ".next",
+    "Pods",
+    "DerivedData",
+]);
+export function getSkipDirs() {
+    return SKIP_DIRS;
+}
+/**
+ * Load additional patterns from a `.security-migrate` manifest file
+ * in the source root, if it exists. One glob per line, # for comments.
+ */
+export function loadManifestPatterns(sourceRoot) {
+    const manifestPath = join(sourceRoot, ".security-migrate");
+    if (!existsSync(manifestPath))
+        return [];
+    const content = readFileSync(manifestPath, "utf-8");
+    return content
+        .split("\n")
+        .map((line) => line.trim())
+        .filter((line) => line.length > 0 && !line.startsWith("#"));
+}

package/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "security-migrate",
+  "version": "1.0.0",
+  "description": "Migrate gitignored security files (env, credentials, keys) to new git worktrees",
+  "type": "module",
+  "bin": {
+    "security-migrate": "./dist/cli.js"
+  },
+  "files": ["dist"],
+  "scripts": {
+    "build": "tsc",
+    "dev": "bun run src/cli.ts"
+  },
+  "devDependencies": {
+    "typescript": "^5.0.0",
+    "@types/node": "^20.0.0"
+  }
+}