sharenv 1.0.0

package/.env.example

@@ -0,0 +1,5 @@
+# envcrypt configuration (optional)
+# Copy this to .env in your shell profile or set as system environment variable
+
+# Your backend API URL (default: https://shareenv-backend.onrender.com/api)
+ENVCRYPT_API=https://your-backend-url.com/api

package/README.md

@@ -0,0 +1,116 @@
+# envcrypt CLI
+
+A zero-dependency Node.js CLI that **encrypts your `.env` file locally** and shares it securely via the [EnvShare](https://github.com) backend.
+
+> 🔒 Your passkey **never leaves your machine**. Only the AES-256-GCM ciphertext is stored on the server.
+
+---
+
+## Install (global)
+
+```bash
+cd cli
+npm link
+```
+
+After linking, `envcrypt` is available everywhere in your terminal.
+
+---
+
+## Usage
+
+### `envcrypt set [path]`
+
+Encrypts a `.env` file and uploads it. Prints a **Share ID** for the recipient.
+
+```bash
+# Encrypt .env in the current folder
+envcrypt set
+
+# Encrypt .env from a specific project
+envcrypt set C:/projects/myapp
+envcrypt set /home/user/backend
+```
+
+You'll be prompted for:
+- **Passkey** (confirmed twice) — stay at 8+ chars
+- **TTL** in minutes (default 1440 = 24 h, max 10080 = 7 days)
+- **Max reads** (default 10, max 100) — link auto-deletes after this many reads
+
+Output example:
+```
+  ✓ Encrypted locally
+  ✓ Uploaded to backend
+
+  Share ID
+    a1b2c3d4e5f6...
+
+  Recipient command
+    envcrypt get a1b2c3d4e5f6...
+```
+
+---
+
+### `envcrypt get <share-id> [output-path]`
+
+Fetches and decrypts a `.env`. Writes it to the specified folder (or current directory).
+
+```bash
+# Write .env to current folder
+envcrypt get a1b2c3d4e5f6
+
+# Write .env to a specific project folder
+envcrypt get a1b2c3d4e5f6 C:/projects/myapp
+envcrypt get a1b2c3d4e5f6 ./backend
+```
+
+You'll be prompted for the passkey. If wrong, decryption fails with an error — nothing is written.
+
+---
+
+### `envcrypt info <share-id>`
+
+Peek at a share's metadata without consuming a read.
+
+```bash
+envcrypt info a1b2c3d4e5f6
+```
+
+---
+
+## Backend URL
+
+By default the CLI uses `http://localhost:3001/api`.
+
+To point it at your deployed backend:
+
+```bash
+# Windows PowerShell
+$env:ENVCRYPT_API="https://your-backend.onrender.com/api"
+envcrypt set
+
+# Linux / macOS
+ENVCRYPT_API=https://your-backend.onrender.com/api envcrypt set
+```
+
+Or set it permanently in your system environment variables.
+
+---
+
+## Security
+
+| Property | Value |
+|---|---|
+| Encryption | AES-256-GCM |
+| Key derivation | PBKDF2-SHA256, 310 000 iterations |
+| Salt / IV | Random per upload (16 / 12 bytes) |
+| Compatibility | Works with the EnvShare web UI |
+| Dependencies | **Zero** — uses Node.js built-ins only |
+
+Blobs created in the browser can be retrieved from the CLI and vice versa.
+
+---
+
+## Requirements
+
+- Node.js ≥ 18

package/bin/sharenv.js

@@ -0,0 +1,385 @@
+#!/usr/bin/env node
+/**
+ * envcrypt — Encrypt & share .env files via your EnvShare backend.
+ *
+ * Crypto is 100% compatible with the EnvShare web frontend:
+ *   - PBKDF2 (310,000 iterations, SHA-256) for key derivation
+ *   - AES-256-GCM for encryption
+ *   - Base64 for iv / salt / ciphertext encoding
+ *
+ * Your passkey NEVER leaves this machine — only the ciphertext is uploaded.
+ */
+
+import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "crypto";
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
+import { join, resolve } from "path";
+import { createInterface } from "readline";
+
+// ─── CONFIG ────────────────────────────────────────────────────────────────────
+const API_BASE = process.env.ENVCRYPT_API || "http://localhost:3001/api";
+
+// ─── ANSI COLOURS ─────────────────────────────────────────────────────────────
+const bold   = (s) => `\x1b[1m${s}\x1b[0m`;
+const dim    = (s) => `\x1b[2m${s}\x1b[0m`;
+const green  = (s) => `\x1b[32m${s}\x1b[0m`;
+const cyan   = (s) => `\x1b[36m${s}\x1b[0m`;
+const yellow = (s) => `\x1b[33m${s}\x1b[0m`;
+const red    = (s) => `\x1b[31m${s}\x1b[0m`;
+
+// ─── PROMPT HELPERS ────────────────────────────────────────────────────────────
+
+/** Normal visible prompt via readline. */
+function ask(question) {
+  return new Promise((res) => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (answer) => {
+      rl.close();
+      res(answer.trim());
+    });
+  });
+}
+
+/**
+ * Hidden password prompt using raw mode stdin.
+ * Reads char by char, prints * for each character, handles backspace.
+ * Does NOT use readline at all — avoids the Windows readline conflicts.
+ */
+function askPassword(prompt) {
+  return new Promise((res) => {
+    process.stdout.write(prompt);
+    let password = "";
+
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+
+    const onData = (key) => {
+      // Ctrl+C
+      if (key === "\u0003") {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener("data", onData);
+        process.stdout.write("\n");
+        process.exit(0);
+      }
+      // Enter
+      if (key === "\r" || key === "\n") {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener("data", onData);
+        process.stdout.write("\n");
+        res(password);
+        return;
+      }
+      // Backspace
+      if (key === "\b" || key === "\x7f") {
+        if (password.length > 0) {
+          password = password.slice(0, -1);
+          process.stdout.write("\b \b"); // erase last *
+        }
+        return;
+      }
+      // Normal character
+      password += key;
+      process.stdout.write("*");
+    };
+
+    process.stdin.on("data", onData);
+  });
+}
+
+// ─── CRYPTO (matches frontend WebCrypto exactly) ──────────────────────────────
+
+function deriveKey(password, saltBuf) {
+  return pbkdf2Sync(password, saltBuf, 310_000, 32, "sha256");
+}
+
+function encryptEnv(plaintext, password) {
+  const saltBuf = randomBytes(16);
+  const ivBuf   = randomBytes(12);
+  const key     = deriveKey(password, saltBuf);
+
+  const cipher  = createCipheriv("aes-256-gcm", key, ivBuf);
+  const enc     = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+
+  return {
+    encryptedData: Buffer.concat([enc, authTag]).toString("base64"),
+    iv:   ivBuf.toString("base64"),
+    salt: saltBuf.toString("base64"),
+  };
+}
+
+function decryptEnv(encryptedDataB64, ivB64, saltB64, password) {
+  const saltBuf  = Buffer.from(saltB64, "base64");
+  const ivBuf    = Buffer.from(ivB64,   "base64");
+  const combined = Buffer.from(encryptedDataB64, "base64");
+  const key      = deriveKey(password, saltBuf);
+
+  const authTag = combined.slice(combined.length - 16);
+  const encBuf  = combined.slice(0, combined.length - 16);
+
+  const decipher = createDecipheriv("aes-256-gcm", key, ivBuf);
+  decipher.setAuthTag(authTag);
+  return Buffer.concat([decipher.update(encBuf), decipher.final()]).toString("utf8");
+}
+
+// ─── API ───────────────────────────────────────────────────────────────────────
+
+async function apiPost(path, body) {
+  const res  = await fetch(`${API_BASE}${path}`, {
+    method:  "POST",
+    headers: { "Content-Type": "application/json" },
+    body:    JSON.stringify(body),
+  });
+  const json = await res.json();
+  if (!res.ok) throw new Error(json.error || `HTTP ${res.status}`);
+  return json;
+}
+
+async function apiGet(path) {
+  const res  = await fetch(`${API_BASE}${path}`);
+  const json = await res.json();
+  if (!res.ok) throw new Error(json.error || `HTTP ${res.status}`);
+  return json;
+}
+
+// ─── RESOLVE .env PATH ────────────────────────────────────────────────────────
+
+function resolveEnvPath(arg) {
+  if (!arg) {
+    const p = join(process.cwd(), ".env");
+    if (!existsSync(p)) {
+      console.error(red(`\n  ✗ No .env found in current directory.`));
+      console.error(dim(`    Run inside a project folder or give a path:`));
+      console.error(dim(`       envcrypt set C:/projects/myapp\n`));
+      process.exit(1);
+    }
+    return p;
+  }
+  const given = resolve(arg);
+  if (given.endsWith(".env") && existsSync(given)) return given;
+  const candidate = join(given, ".env");
+  if (!existsSync(candidate)) {
+    console.error(red(`\n  ✗ No .env found at: ${candidate}\n`));
+    process.exit(1);
+  }
+  return candidate;
+}
+
+// ─── COMMAND: set ─────────────────────────────────────────────────────────────
+
+async function cmdSet(args) {
+  console.log(`\n  ${bold(cyan("🔐  envcrypt set"))}\n`);
+
+  const envPath = resolveEnvPath(args[0]);
+  console.log(dim(`  Source: ${envPath}\n`));
+
+  const envContent = readFileSync(envPath, "utf8");
+  if (!envContent.trim()) {
+    console.error(yellow("  ⚠  .env file is empty — nothing to upload.\n"));
+    process.exit(1);
+  }
+
+  // ── Step 1: Passkey (hidden with ***) ──
+  const passkey = await askPassword(bold("  Enter passkey: "));
+  if (!passkey || passkey.length < 4) {
+    console.error(red("\n  ✗ Passkey must be at least 4 characters.\n"));
+    process.exit(1);
+  }
+
+  const passkey2 = await askPassword(bold("  Confirm passkey: "));
+  if (passkey !== passkey2) {
+    console.error(red("\n  ✗ Passkeys do not match.\n"));
+    process.exit(1);
+  }
+
+  // ── Step 2: TTL & max reads ──
+  const ttlInput   = await ask(dim("  TTL in minutes [default 1440 = 24h]: "));
+  const readsInput = await ask(dim("  Max reads [default 10]: "));
+
+  const ttlMinutes = (ttlInput && !isNaN(ttlInput))   ? parseInt(ttlInput)   : 1440;
+  const maxReads   = (readsInput && !isNaN(readsInput)) ? parseInt(readsInput) : 10;
+
+  // ── Step 3: Encrypt locally ──
+  console.log(dim("\n  Encrypting locally..."));
+  let encResult;
+  try {
+    encResult = encryptEnv(envContent, passkey);
+    console.log(green("  ✓ Encrypted (passkey stays on your machine)"));
+  } catch (e) {
+    console.error(red(`  ✗ Encryption error: ${e.message}`));
+    process.exit(1);
+  }
+
+  // ── Step 4: Upload ──
+  console.log(dim("  Uploading encrypted blob..."));
+  let result;
+  try {
+    result = await apiPost("/store", { ...encResult, maxReads, ttlMinutes });
+    console.log(green("  ✓ Uploaded to backend"));
+  } catch (e) {
+    console.error(red(`\n  ✗ Upload failed: ${e.message}`));
+    console.error(dim(`  Is the backend running? API: ${API_BASE}\n`));
+    process.exit(1);
+  }
+
+  // ── Result ──
+  console.log(`
+  ${bold(green("✓ Done!"))}
+
+  ${bold("Share ID:")}
+    ${cyan(result.id)}
+
+  ${bold("Recipient runs:")}
+    ${yellow("envcrypt get " + result.id)}
+
+  ${dim(`TTL: ${result.ttlMinutes} min  ·  Max reads: ${result.maxReads}`)}
+  ${dim("Share your passkey separately — NOT in the same message as the ID.")}
+`);
+}
+
+// ─── COMMAND: get ─────────────────────────────────────────────────────────────
+
+async function cmdGet(args) {
+  console.log(`\n  ${bold(cyan("📥  envcrypt get"))}\n`);
+
+  const shareId = args[0];
+  if (!shareId) {
+    console.error(red("  ✗ Usage: envcrypt get <share-id> [output-path]\n"));
+    process.exit(1);
+  }
+
+  const outDir  = args[1] ? resolve(args[1]) : process.cwd();
+  const outFile = join(outDir, ".env");
+
+  if (existsSync(outFile)) {
+    const ans = await ask(yellow(`  ⚠  .env already exists at ${outFile}\n  Overwrite? (y/N): `));
+    if (!ans.toLowerCase().startsWith("y")) {
+      console.log(dim("\n  Aborted.\n"));
+      process.exit(0);
+    }
+  }
+
+  // ── Passkey (hidden with ***) ──
+  const passkey = await askPassword(bold("  Enter passkey: "));
+  if (!passkey) {
+    console.error(red("  ✗ Passkey cannot be empty.\n"));
+    process.exit(1);
+  }
+
+  // ── Fetch ──
+  console.log(dim("\n  Fetching encrypted blob..."));
+  let data;
+  try {
+    data = await apiGet(`/retrieve/${shareId}`);
+    console.log(green("  ✓ Fetched"));
+  } catch (e) {
+    console.error(red(`  ✗ Fetch failed: ${e.message}`));
+    process.exit(1);
+  }
+
+  // ── Decrypt ──
+  console.log(dim("  Decrypting locally..."));
+  let envContent;
+  try {
+    envContent = decryptEnv(data.encryptedData, data.iv, data.salt, passkey);
+    console.log(green("  ✓ Decrypted"));
+  } catch {
+    console.error(red("  ✗ Decryption failed — wrong passkey or corrupted data."));
+    process.exit(1);
+  }
+
+  // ── Write ──
+  if (!existsSync(outDir)) mkdirSync(outDir, { recursive: true });
+  writeFileSync(outFile, envContent, "utf8");
+
+  const varCount = envContent
+    .split("\n")
+    .filter((l) => l.trim() && !l.startsWith("#") && l.includes("="))
+    .length;
+
+  console.log(`
+  ${bold(green("✓ .env created!"))}
+
+  ${dim("Location : ")} ${outFile}
+  ${dim("Variables: ")} ${varCount}
+  ${dim("Reads    : ")} ${data.readsUsed} / ${data.maxReads}
+`);
+}
+
+// ─── COMMAND: info ────────────────────────────────────────────────────────────
+
+async function cmdInfo(args) {
+  const shareId = args[0];
+  if (!shareId) {
+    console.error(red("  ✗ Usage: envcrypt info <share-id>\n"));
+    process.exit(1);
+  }
+  let data;
+  try {
+    data = await apiGet(`/info/${shareId}`);
+  } catch (e) {
+    console.error(red(`\n  ✗ ${e.message}\n`));
+    process.exit(1);
+  }
+  console.log(`
+  ${bold(cyan("📊  Share Info"))}
+
+  ${dim("ID:          ")} ${cyan(shareId)}
+  ${dim("Reads left:  ")} ${bold(String(data.readsLeft))}
+  ${dim("Max reads:   ")} ${data.maxReads}
+  ${dim("TTL left:    ")} ${Math.ceil(data.ttlSeconds / 60)} min
+`);
+}
+
+// ─── HELP ─────────────────────────────────────────────────────────────────────
+
+function printHelp() {
+  console.log(`
+  ${bold(cyan("sharenv"))} — Encrypt & share .env files securely
+
+  ${bold("Usage:")}
+    ${yellow("sharenv set")}  ${dim("[path]")}          Encrypt .env and upload
+    ${yellow("sharenv get")}  ${dim("<id> [path]")}     Download & decrypt a .env
+    ${yellow("sharenv info")} ${dim("<id>")}            Check share status
+
+  ${bold("Examples:")}
+    ${green("sharenv set")}                    # encrypts .env in current folder
+    ${green("sharenv set C:/projects/myapp")}  # encrypts .env from that project
+    ${green("sharenv get abc123def456")}       # write .env to current folder
+    ${green("sharenv get abc123 ./myapp")}     # write .env to ./myapp folder
+
+
+  ${bold("Security:")}
+    • AES-256-GCM + PBKDF2-SHA256 (310k iterations)
+    • Compatible with senvsecure web frontend
+    • Your passkey ${bold("never")} leaves this machine
+`);
+}
+
+// ─── MAIN ─────────────────────────────────────────────────────────────────────
+
+const [,, cmd, ...rest] = process.argv;
+
+switch (cmd) {
+  case "set":
+    cmdSet(rest).catch((e) => { console.error(red(`\n  ✗ ${e.message}\n`)); process.exit(1); });
+    break;
+  case "get":
+    cmdGet(rest).catch((e) => { console.error(red(`\n  ✗ ${e.message}\n`)); process.exit(1); });
+    break;
+  case "info":
+    cmdInfo(rest).catch((e) => { console.error(red(`\n  ✗ ${e.message}\n`)); process.exit(1); });
+    break;
+  case "--help":
+  case "-h":
+  case "help":
+  case undefined:
+    printHelp();
+    break;
+  default:
+    console.error(red(`\n  ✗ Unknown command: ${cmd}`));
+    printHelp();
+    process.exit(1);
+}

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "sharenv",
+  "version": "1.0.0",
+  "description": "Encrypt & share .env files securely via the EnvShare backend",
+  "type": "module",
+  "bin": {
+    "sharenv": "./bin/sharenv.js"
+  },
+  "scripts": {
+    "start": "node bin/sharenv.js"
+  },
+  "keywords": [
+    "env",
+    "sharenv",
+    "cli",
+    "dotenv",
+    "share",
+    "aes",
+    "pbkdf2"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}