vibe-safe-push 1.0.0

package/README.md

@@ -0,0 +1,125 @@
+# VibeSafePush 🛡️✨
+
+**Your friendly neighborhood CLI for keeping secrets out of your code.**
+
+SafePush is an educational tool designed for "vibe coders," beginners, and anyone who wants a simple, friendly way to learn about the dangers of accidental sensitive data exposure. It scans your local files for common secrets and credentials, teaching you *why* they're dangerous and how to handle them.
+
+![SafePush Demo](https://i.imgur.com/your-demo-image.gif) <!-- Placeholder for a cool demo GIF -->
+
+---
+
+## Features
+
+### 💖 Free Features (Always)
+
+- **.env File Check:** Warns you if a `.env` file is present, reminding you to add it to `.gitignore`.
+- **node_modules Check:** Reminds you that this hefty folder should never be in version control.
+- **Basic Secret Scanning:** Scans your files for common, easy-to-spot API key patterns.
+- **Educational Output:** Explains *why* each finding is a risk in simple, encouraging language.
+
+### 💎 Premium Features (Unlockable via Donation)
+
+- **Advanced Secret Scanning:** Hunts for more complex and specific patterns, including:
+  - AWS Keys (Access Key ID & Secret)
+  - Firebase Configs
+  - JWTs (JSON Web Tokens)
+  - Private Key blocks (`-----BEGIN RSA PRIVATE KEY-----`)
+- **Verbose Output:** Provides more detail on potential vulnerabilities.
+- **Pre-commit Hook Template:** Gives you a ready-to-use Git hook to automate scans before every commit.
+- **Support the Project:** Your donation helps keep this tool alive and growing!
+
+---
+
+## Installation & Usage
+
+No installation needed! Just run it directly in your project folder using `npx`.
+
+```bash
+npx vibe-safe-push
+```
+
+Or, if you've cloned the repository:
+
+```bash
+node index.js
+```
+
+### Example Output (Free Scan)
+
+```
+--- Welcome to SafePush! 🛡️ ---
+💡 A friendly tool to help you avoid committing secrets to your code.
+💡 Running in free mode. For advanced scanning, unlock premium features.
+👉 Run `npx vibe-safe-push --unlock` to begin.
+
+--- Running Free Scan ✨ ---
+
+⚠️  Found a .env file.
+💡 While .env files are common for local development, they should NOT be committed to version control. Make sure it is listed in your .gitignore file!
+
+🔥 Found a Generic API Key in: src/config.js
+💡 Found a potential API key. These keys grant access to services and should never be stored directly in code.
+
+--- Scan Complete ---
+💡 Remember to always keep your secrets safe!
+```
+
+---
+
+## How to Unlock Premium Features 💎
+
+We use a simple, crypto-based unlock system. No sign-ups, no credit cards, no fuss.
+
+### Step 1: Donate
+
+Send a small donation (around **$2 USD** worth of SOL) to our Solana wallet. This proves you're a real human and helps us maintain the project!
+
+**Recipient Wallet Address:**
+```
+YOUR_SOLANA_WALLET_ADDRESS_HERE 
+```
+*(Please replace this with the actual address from `constants.js` if you are forking this project).*
+
+### Step 2: Get Your Transaction Details
+
+After your transaction is confirmed on the Solana network, you'll need two pieces of information:
+1.  **Your Wallet Address:** The address you sent the SOL *from*.
+2.  **Transaction Signature (TXID):** The unique ID for your transaction. You can find this in your wallet's transaction history or on a Solana explorer like [Solscan](https://solscan.io/) or [Explorer by Solana Labs](https://explorer.solana.com/).
+
+### Step 3: Run the Unlock Command
+
+Run the following command in your terminal:
+
+```bash
+npx vibe-safe-push --unlock
+```
+
+The CLI will prompt you to enter the two pieces of information from Step 2.
+
+```
+--- Premium Unlock via Solana Donation 💎 ---
+💡 To unlock premium features, please send a small donation (e.g., ~$2 in SOL) to this address:
+   YOUR_SOLANA_WALLET_ADDRESS_HERE
+💡 Once sent, please provide the transaction details below.
+
+? What is the wallet address you sent the donation FROM? › ...
+? What is the transaction hash (signature)? › ...
+
+💡 Verifying transaction... This may take a moment.
+✅ Donation confirmed!
+✅ Premium features unlocked! Thank you for your support! 🙏
+```
+
+Once unlocked, SafePush creates a `.safepush_premium` file in your project's root directory. As long as that file is there, you'll have access to premium features!
+
+---
+
+## For Vibe Coders ✌️
+
+Coding should be fun and creative. But seeing your app on the front page of Hacker News because you accidentally leaked your AWS keys? Not a vibe.
+
+- **Think of secrets like your house key.** You wouldn't post a picture of it on Instagram. Don't post your API keys on GitHub.
+- **Use `.env` files for your secrets.** These files let you use your keys in your local project without ever writing them in your main code.
+- **Always add `.env` to your `.gitignore` file.** This is the magic spell that tells Git, "Hey, ignore this file, it's just for me."
+
+Happy coding, and stay safe!

package/constants.js

@@ -0,0 +1,12 @@
+// ⚠️ IMPORTANT: Replace with your actual Solana wallet address.
+// This is the address where users will send their donation.
+const RECIPIENT_WALLET_ADDRESS = 'GgANeKwJecCMPhna9HvZCtELUCg3c6snJZsqi8vx2JqW';
+
+// A free, public Solana RPC endpoint.
+// You can find more at https://solana.com/rpc
+const SOLANA_RPC_ENDPOINT = 'https://api.mainnet-beta.solana.com';
+
+module.exports = {
+  RECIPIENT_WALLET_ADDRESS,
+  SOLANA_RPC_ENDPOINT,
+};

package/index.js

@@ -0,0 +1,120 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const axios = require('axios');
+const prompts = require('prompts');
+const minimist = require('minimist');
+const chalk = require('chalk');
+const logger = require('./utils/logger');
+const basicScanner = require('./scanners/basicScanner');
+const advancedScanner = require('./scanners/advancedScanner');
+const { RECIPIENT_WALLET_ADDRESS, SOLANA_RPC_ENDPOINT } = require('./constants');
+
+const PREMIUM_LOCK_FILE = '.safepush_premium';
+
+function isPremiumUnlocked() {
+  return fs.existsSync(PREMIUM_LOCK_FILE);
+}
+
+function unlockPremium() {
+  fs.writeFileSync(PREMIUM_LOCK_FILE, 'unlocked');
+  logger.success('Premium features unlocked! Thank you for your support! 🙏');
+}
+
+async function verifyDonation() {
+  logger.header('Premium Unlock via Solana Donation 💎');
+  logger.info(`To unlock premium features, please send a small donation (e.g., ~$2 in SOL) to this address:`);
+  logger.log(chalk.bold.cyan(RECIPIENT_WALLET_ADDRESS));
+  logger.info('Once sent, please provide the transaction details below.');
+
+  const response = await prompts([
+    {
+      type: 'text',
+      name: 'fromAddress',
+      message: 'What is the wallet address you sent the donation FROM?',
+    },
+    {
+      type: 'text',
+      name: 'txid',
+      message: 'What is the transaction hash (signature)?',
+    },
+  ]);
+
+  if (!response.fromAddress || !response.txid) {
+    logger.danger('Unlock process cancelled.');
+    return;
+  }
+
+  logger.info('Verifying transaction... This may take a moment.');
+
+  try {
+    const rpcResponse = await axios.post(SOLANA_RPC_ENDPOINT, {
+      jsonrpc: '2.0',
+      id: 1,
+      method: 'getTransaction',
+      params: [response.txid, 'json'],
+    });
+
+    const transaction = rpcResponse.data.result;
+
+    if (!transaction) {
+      throw new Error('Transaction not found. Make sure the transaction has been confirmed on the network.');
+    }
+
+    const { postBalances, preBalances } = transaction.meta;
+    const accountKeys = transaction.transaction.message.accountKeys;
+    const fromIndex = accountKeys.findIndex(acc => acc === response.fromAddress);
+    const toIndex = accountKeys.findIndex(acc => acc === RECIPIENT_WALLET_ADDRESS);
+
+    if (fromIndex === -1 || toIndex === -1) {
+      throw new Error('The "from" or "to" address does not match the transaction details.');
+    }
+    
+    const fromBalanceChange = postBalances[fromIndex] - preBalances[fromIndex];
+    const toBalanceChange = postBalances[toIndex] - preBalances[toIndex];
+
+    if (fromBalanceChange < 0 && toBalanceChange > 0) {
+      logger.success('Donation confirmed!');
+      unlockPremium();
+    } else {
+      throw new Error('Transaction details are incorrect. Could not verify the transfer.');
+    }
+
+  } catch (error) {
+    logger.danger('Verification failed!');
+    logger.info(error.message || 'Please double-check your transaction hash and wallet address. It can also take a few minutes for a transaction to be confirmed.');
+  }
+}
+
+
+async function main() {
+  const args = minimist(process.argv.slice(2));
+
+  logger.log(chalk.bold.magenta('--- Welcome to SafePush! 🛡️ ---'));
+  logger.info('A friendly tool to help you avoid committing secrets to your code.');
+
+  if (args.unlock) {
+    await verifyDonation();
+    return;
+  }
+
+  const premium = isPremiumUnlocked();
+
+  if (premium) {
+    logger.success('Premium features are enabled. Running full scan.');
+  } else {
+    logger.info('Running in free mode. For advanced scanning, unlock premium features.');
+    logger.link('Run `npx safe-push --unlock` to begin.');
+  }
+
+  await basicScanner();
+
+  if (premium) {
+    await advancedScanner();
+  }
+
+  logger.header('Scan Complete');
+  logger.info('Remember to always keep your secrets safe!');
+}
+
+main();

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "vibe-safe-push",
+  "version": "1.0.0",
+  "description": "A beginner-friendly CLI to learn about accidental sensitive data exposure.",
+  "main": "index.js",
+  "bin": {
+    "safe-push": "index.js"
+  },
+  "scripts": {
+    "start": "node index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/a-zmuth/vibe-safe-push.git"
+  },
+  "keywords": [
+    "security",
+    "education",
+    "cli",
+    "secrets",
+    "solana"
+  ],
+  "author": "Azmoth (Chris Alih)",
+  "license": "MIT",
+  "dependencies": {
+    "axios": "^1.6.8",
+    "chalk": "^4.1.2",
+    "glob": "^10.3.10",
+    "minimist": "^1.2.8",
+    "prompts": "^2.4.2"
+  }
+}

package/patterns-premium.js

@@ -0,0 +1,37 @@
+// Advanced patterns for the premium scan.
+// These are more specific and cover a wider range of sensitive data.
+
+const premiumPatterns = [
+  {
+    name: 'AWS Access Key ID',
+    regex: /AKIA[0-9A-Z]{16}/,
+    explanation: 'Found an AWS Access Key ID. When paired with a Secret Access Key, this grants full programmatic access to your AWS account.',
+  },
+  {
+    name: 'AWS Secret Access Key',
+    regex: /[0-9a-zA-Z\/+=]{40}/,
+    explanation: 'Found a string that looks like an AWS Secret Access Key. This is highly sensitive and provides administrator-level access to your AWS resources.',
+  },
+  {
+    name: 'Firebase Config',
+    regex: /"firebase":\s*\{/,
+    explanation: 'Found a Firebase configuration block. This can expose your database URL, API keys, and other sensitive project details.',
+  },
+  {
+    name: 'JSON Web Token (JWT)',
+    regex: /ey[a-zA-Z0-9_-]+\.ey[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/,
+    explanation: 'Found a JSON Web Token (JWT). If this token is not expired, it can be used to impersonate a user and access protected routes in an application.',
+  },
+  {
+    name: 'Private Key',
+    regex: /-----BEGIN ((RSA|OPENSSH|EC|PGP) )?PRIVATE KEY-----/,
+    explanation: 'Found a private key block. Private keys are the ultimate secret and are used for encryption and signing. They should never be hardcoded.',
+  },
+  {
+    name: 'OAuth 2.0 Client Secret',
+    regex: /client_secret\s*=\s*['"]?[a-zA-Z0-9_.-]+['"]?/,
+    explanation: 'Found an OAuth 2.0 Client Secret. This secret is used to authenticate your application with an OAuth provider.',
+  },
+];
+
+module.exports = premiumPatterns;

package/patterns.js

@@ -0,0 +1,22 @@
+// Basic patterns for the free scan.
+// These are simple, common patterns that are easy for beginners to understand.
+
+const basicPatterns = [
+  {
+    name: 'Generic API Key',
+    regex: /api[_-]?key\s*=\s*['"]?[a-zA-Z0-9_.-]+['"]?/i,
+    explanation: 'Found a potential API key. These keys grant access to services and should never be stored directly in code.',
+  },
+  {
+    name: 'Google API Key',
+    regex: /AIza[0-9A-Za-z\-_]{35}/,
+    explanation: 'Found a Google API Key. Exposing this can lead to misuse of your Google Cloud services and unexpected charges.',
+  },
+  {
+    name: 'Stripe API Key',
+    regex: /(?:r|s)k_live_[0-9a-zA-Z]{24}/,
+    explanation: 'Found a Stripe API Key. This key can be used to make payments and access your Stripe account data. Keep it secret!',
+  },
+];
+
+module.exports = basicPatterns;

package/scanners/advancedScanner.js

@@ -0,0 +1,56 @@
+const fs = require('fs');
+const { glob } = require('glob');
+const logger = require('../utils/logger');
+const premiumPatterns = require('../patterns-premium');
+
+const IGNORE_PATTERNS = ['node_modules/**', 'package-lock.json', 'yarn.lock'];
+
+async function advancedScanner() {
+  logger.header('Running Premium Scan 💎');
+  let findings = 0;
+
+  const files = await glob('**/*', { nodir: true, ignore: IGNORE_PATTERNS });
+
+  for (const file of files) {
+    const content = fs.readFileSync(file, 'utf8');
+    for (const pattern of premiumPatterns) {
+      if (pattern.regex.test(content)) {
+        logger.danger(`Found a ${pattern.name} in: ${file}`);
+        logger.info(pattern.explanation);
+        findings++;
+      }
+    }
+  }
+
+  // Offer pre-commit hook template
+  logger.info('As a premium user, you can use a pre-commit hook to automate these checks.');
+  logger.log('To set it up, create a file at .git/hooks/pre-commit and add this content:');
+  const hookScript = `
+#!/bin/sh
+#
+# A basic pre-commit hook to run safe-push before committing.
+#
+
+echo "Running safe-push scan before commit..."
+npx safe-push
+
+# If the scan fails (exits with a non-zero code), prevent the commit
+if [ $? -ne 0 ]; then
+  echo "Commit aborted by safe-push scan. Please fix the issues."
+  exit 1
+fi
+
+echo "Scan passed. Proceeding with commit."
+exit 0
+`;
+  logger.log(chalk.gray(hookScript));
+
+
+  if (findings === 0) {
+    logger.success('No advanced vulnerabilities found. Your code looks very secure! 🚀');
+  } else {
+    logger.warning(`Found ${findings} potential issues in the premium scan.`);
+  }
+}
+
+module.exports = advancedScanner;

package/scanners/basicScanner.js

@@ -0,0 +1,48 @@
+const fs = require('fs');
+const path = require('path');
+const { glob } = require('glob');
+const logger = require('../utils/logger');
+const basicPatterns = require('../patterns');
+
+const IGNORE_PATTERNS = ['node_modules/**', 'package-lock.json', 'yarn.lock'];
+
+async function basicScanner() {
+  logger.header('Running Free Scan ✨');
+  let findings = 0;
+
+  // 1. Check for .env file
+  if (fs.existsSync('.env')) {
+    logger.warning('Found a .env file.');
+    logger.info('While .env files are common for local development, they should NOT be committed to version control. Make sure it is listed in your .gitignore file!');
+    findings++;
+  }
+
+  // 2. Check for node_modules directory
+  if (fs.existsSync('node_modules')) {
+    logger.warning('Found a node_modules directory.');
+    logger.info('This directory can contain thousands of files and should never be committed to version control. Ensure it is in your .gitignore file.');
+    findings++;
+  }
+
+  // 3. Scan files for basic patterns
+  const files = await glob('**/*', { nodir: true, ignore: IGNORE_PATTERNS });
+
+  for (const file of files) {
+    const content = fs.readFileSync(file, 'utf8');
+    for (const pattern of basicPatterns) {
+      if (pattern.regex.test(content)) {
+        logger.danger(`Found a ${pattern.name} in: ${file}`);
+        logger.info(pattern.explanation);
+        findings++;
+      }
+    }
+  }
+
+  if (findings === 0) {
+    logger.success('No basic vulnerabilities found. Good job! 🎉');
+  } else {
+    logger.warning(`Found ${findings} potential issues in the free scan.`);
+  }
+}
+
+module.exports = basicScanner;

package/utils/logger.js

@@ -0,0 +1,23 @@
+
+const chalk = require('chalk');
+
+const log = (message) => console.log(message);
+
+const info = (message) => log(chalk.blue(`💡 ${message}`));
+const success = (message) => log(chalk.green(`✅ ${message}`));
+const warning = (message) => log(chalk.yellow(`⚠️  ${message}`));
+const danger = (message) => log(chalk.red(`🔥 ${message}`));
+const header = (message) => log(chalk.bold.magenta(`
+--- ${message} ---
+`));
+const link = (message) => log(chalk.cyan.underline(message));
+
+module.exports = {
+  log,
+  info,
+  success,
+  warning,
+  danger,
+  header,
+  link,
+};