xtra-cli 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 XtraSecurity
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,87 @@
+# XtraSync CLI
+
+**Secure Runtime Secret Injection**
+
+XtraSync CLI is a powerful command-line tool designed to seamlessly and securely inject environment variables into your application at runtime. Say goodbye to scattered `.env` files and leaked secrets—XtraSync brings central secret management directly to your local development and CI/CD pipelines.
+
+## Installation
+
+Install the CLI globally via npm:
+
+```bash
+npm install -g xtra-cli
+```
+
+## Quick Start
+
+1. **Login and Authenticate:**
+   Authenticate your machine with the XtraSecurity platform. You can log in via Single Sign-On (SSO), email, or an Access Key.
+   ```bash
+   xtra login
+   ```
+
+2. **Initialize a Project:**
+   Bootstrap your project by creating an `.xtrarc` configuration file.
+   ```bash
+   xtra init
+   ```
+
+3. **Run your Application securely:**
+   Inject secrets directly into your running process without ever touching a disk.
+   ```bash
+   xtra run npm start
+   ```
+
+## Core Commands
+
+### `xtra run [command]`
+Run a command with secrets injected at runtime.
+```bash
+# Example: Inject production secrets and run the build script
+xtra run -e production npm run build
+```
+
+### `xtra secrets list`
+List all secrets available for a given project and environment.
+```bash
+xtra secrets list -e staging
+```
+
+### `xtra secrets set [KEY=VALUE...]`
+Set one or more secrets.
+```bash
+xtra secrets set API_KEY=123x DB_PASS=secret
+```
+
+### `xtra env clone`
+Clone secrets from one environment to another.
+```bash
+xtra env clone --from development --to production
+```
+
+### `xtra local sync`
+Pull cloud secrets to a `.env.local` file for offline development.
+```bash
+xtra local sync
+```
+
+## Advanced Usage
+
+- **CI/CD Integration (`xtra ci`)**: Run headless operations in your pipelines.
+- **Auditing (`xtra logs`)**: View your local audit trails and access history.
+- **Profiles (`xtra profile`)**: Manage multiple connection setups and environments.
+- **TUI Dashboard (`xtra ui`)**: Launch an interactive terminal user interface to manage secrets visually.
+
+## Help & Documentation
+
+For a complete list of commands and options, run:
+
+```bash
+xtra --help
+```
+
+To see help for a specific command, use:
+
+```bash
+xtra <command> --help
+```

package/dist/bin/xtra.js

@@ -0,0 +1,124 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const login_1 = require("../commands/login");
+const run_1 = require("../commands/run");
+const secrets_1 = require("../commands/secrets");
+const generate_1 = require("../commands/generate");
+const status_1 = require("../commands/status");
+const diff_1 = require("../commands/diff");
+const rollback_1 = require("../commands/rollback");
+const scan_1 = require("../commands/scan");
+const logs_1 = require("../commands/logs");
+const export_1 = require("../commands/export");
+const import_1 = require("../commands/import");
+const rotate_1 = require("../commands/rotate");
+const audit_1 = require("../commands/audit");
+const access_1 = require("../commands/access");
+const branch_1 = require("../commands/branch");
+const checkout_1 = require("../commands/checkout");
+const project_1 = require("../commands/project");
+const admin_1 = require("../commands/admin");
+const integration_1 = require("../commands/integration");
+const history_1 = require("../commands/history");
+const env_1 = require("../commands/env");
+const ui_1 = require("../commands/ui");
+const completion_1 = require("../commands/completion");
+const profile_1 = require("../commands/profile");
+const profiles_1 = require("../lib/profiles");
+const ci_1 = require("../commands/ci");
+const template_1 = require("../commands/template");
+const doctor_1 = require("../commands/doctor");
+const init_1 = require("../commands/init");
+const watch_1 = require("../commands/watch");
+const simulate_1 = require("../commands/simulate");
+const local_1 = require("../commands/local");
+const program = new commander_1.Command();
+const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf-8"));
+program
+    .name("xtra")
+    .description("XtraSync CLI - Secure Runtime Secret Injection")
+    .version(pkg.version)
+    .option("--profile <name>", "Use a specific named profile for this command");
+// Apply profile before any subcommand runs
+program.hook("preSubcommand", (thisCommand) => {
+    const profileName = thisCommand.opts().profile;
+    if (profileName) {
+        try {
+            (0, profiles_1.useProfile)(profileName);
+        }
+        catch (e) {
+            console.error(`\x1b[31mError: ${e.message}\x1b[0m`);
+            process.exit(1);
+        }
+    }
+});
+program.addCommand(login_1.loginCommand);
+program.addCommand(run_1.runCommand);
+program.addCommand(secrets_1.secretsCommand);
+program.addCommand(generate_1.generateCommand);
+program.addCommand(status_1.statusCommand);
+program.addCommand(diff_1.diffCommand);
+program.addCommand(rollback_1.rollbackCommand);
+program.addCommand(scan_1.scanCommand);
+program.addCommand(logs_1.logsCommand);
+program.addCommand(export_1.exportCommand);
+program.addCommand(import_1.importCommand);
+program.addCommand(rotate_1.rotateCommand);
+program.addCommand(audit_1.auditCommand);
+program.addCommand(access_1.accessCommand);
+program.addCommand(branch_1.branchCommand);
+program.addCommand(checkout_1.checkoutCommand);
+program.addCommand(project_1.projectCommand);
+program.addCommand(admin_1.adminCommand);
+program.addCommand(integration_1.integrationCommand);
+program.addCommand(integration_1.kubernetesCommand);
+program.addCommand(history_1.historyCommand);
+program.addCommand(env_1.envCommand);
+program.addCommand(ui_1.uiCommand);
+program.addCommand(completion_1.completionCommand);
+program.addCommand(profile_1.profileCommand);
+program.addCommand(ci_1.ciCommand);
+program.addCommand(template_1.templateCommand);
+program.addCommand(doctor_1.doctorCommand);
+program.addCommand(init_1.initCommand);
+program.addCommand(watch_1.watchCommand);
+program.addCommand(simulate_1.simulateCommand);
+program.addCommand(local_1.localCommand);
+program.parse(process.argv);

package/dist/commands/access.js

@@ -0,0 +1,107 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.accessCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const table_1 = require("table");
+const config_1 = require("../lib/config");
+const logAuditSafe = (event, projectId, meta) => {
+    try {
+        const { logAudit } = require("../lib/audit");
+        logAudit(event, projectId, null, meta);
+    }
+    catch (e) { }
+};
+const safeError = (error) => error?.response?.data?.error || error?.message || "Unknown error";
+exports.accessCommand = new commander_1.Command("access")
+    .description("Manage Just-in-Time access requests")
+    .addCommand(new commander_1.Command("request")
+    .description("Request access to a secret or project")
+    .option("-p, --project <projectId>", "Project ID")
+    .option("-s, --secret <secretId>", "Specific Secret ID (optional)")
+    .requiredOption("-d, --duration <minutes>", "Duration in minutes")
+    .requiredOption("-r, --reason <text>", "Reason for access")
+    .action(async (options) => {
+    let { project, secret, duration, reason } = options;
+    if (!project) {
+        project = (0, config_1.getConfigValue)("project");
+    }
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID is required. Use -p <id> or run 'xtra project set' first."));
+        process.exit(1);
+    }
+    const spinner = (0, ora_1.default)("Submitting access request...").start();
+    try {
+        const result = await api_1.api.requestAccess(project, reason, parseInt(duration), secret);
+        spinner.succeed(chalk_1.default.green(`Access request submitted! (ID: ${result.requestId})`));
+        console.log(chalk_1.default.yellow(`Status: ${result.status}`));
+        // Audit log
+        logAuditSafe("ACCESS_REQUESTED", project, { requestId: result.requestId, secretId: secret, duration, reason });
+    }
+    catch (error) {
+        spinner.fail("Request failed");
+        console.error(chalk_1.default.red(safeError(error)));
+    }
+}))
+    .addCommand(new commander_1.Command("list")
+    .description("List access requests")
+    .option("--pending", "Show pending approvals (for admins)", false)
+    .action(async (options) => {
+    try {
+        const mode = options.pending ? "pending" : "my";
+        const requests = await api_1.api.listAccessRequests(mode);
+        if (requests.length === 0) {
+            console.log(chalk_1.default.yellow("No requests found."));
+            return;
+        }
+        const data = [
+            [chalk_1.default.bold("ID"), chalk_1.default.bold("User"), chalk_1.default.bold("Target"), chalk_1.default.bold("Duration"), chalk_1.default.bold("Reason"), chalk_1.default.bold("Status")]
+        ];
+        requests.forEach((r) => {
+            const target = r.secret ? `Secret: ${r.secret.key}` : `Project: ${r.projectId}`;
+            data.push([
+                r.id,
+                r.user.email,
+                target,
+                `${r.duration}m`,
+                r.reason,
+                r.status === "pending" ? chalk_1.default.yellow(r.status) : r.status === "approved" ? chalk_1.default.green(r.status) : chalk_1.default.red(r.status)
+            ]);
+        });
+        console.log((0, table_1.table)(data));
+    }
+    catch (error) {
+        console.error(chalk_1.default.red("Failed to list requests: " + safeError(error)));
+    }
+}))
+    .addCommand(new commander_1.Command("approve")
+    .description("Approve or reject a request")
+    .argument("<requestId>", "Request ID")
+    .requiredOption("--decision <decision>", "approved or rejected")
+    .action(async (requestId, options) => {
+    // Validate decision value
+    const validDecisions = ["approved", "rejected"];
+    if (!validDecisions.includes(options.decision.toLowerCase())) {
+        console.error(chalk_1.default.red(`Invalid decision: '${options.decision}'. Must be 'approved' or 'rejected'.`));
+        process.exit(1);
+    }
+    const spinner = (0, ora_1.default)("Processing decision...").start();
+    try {
+        const result = await api_1.api.approveAccess(requestId, options.decision);
+        spinner.succeed(chalk_1.default.green(`Request ${options.decision}!`));
+        if (result.expiresAt) {
+            console.log(chalk_1.default.blue(`Access granted until: ${new Date(result.expiresAt).toLocaleString()}`));
+        }
+        // Audit log — privileged action
+        logAuditSafe(options.decision === "approved" ? "ACCESS_APPROVED" : "ACCESS_REJECTED", null, { requestId, decision: options.decision, expiresAt: result.expiresAt });
+    }
+    catch (error) {
+        spinner.fail("Operation failed");
+        console.error(chalk_1.default.red(safeError(error)));
+    }
+}));

package/dist/commands/admin.js

@@ -0,0 +1,118 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.adminCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const table_1 = require("table");
+exports.adminCommand = new commander_1.Command("admin")
+    .description("Admin commands for user and role management");
+// Role Management
+const roleCommand = new commander_1.Command("role")
+    .description("Manage user roles and permissions");
+const listRoles = async () => {
+    const spinner = (0, ora_1.default)("Fetching roles from server...").start();
+    try {
+        const roles = await api_1.api.getRoles();
+        spinner.stop();
+        console.log(chalk_1.default.bold("\nAvailable Roles:\n"));
+        const tableData = [
+            [chalk_1.default.bold("Role"), chalk_1.default.bold("Description"), chalk_1.default.bold("Permissions")]
+        ];
+        roles.forEach((role) => {
+            tableData.push([
+                chalk_1.default.cyan(role.name),
+                role.description || "-",
+                Array.isArray(role.permissions) ? role.permissions.join(", ") : role.permissions || "-",
+            ]);
+        });
+        console.log((0, table_1.table)(tableData));
+    }
+    catch (error) {
+        spinner.fail("Failed to fetch roles");
+        const safeErr = error.response?.data?.error || error.message || "Unknown error";
+        console.error(chalk_1.default.red(safeErr));
+    }
+};
+roleCommand
+    .command("list")
+    .description("List all available roles")
+    .alias("ls")
+    .action(listRoles);
+exports.adminCommand.addCommand(roleCommand);
+// Legacy/Short support: `xtra admin roles` -> alias to `xtra admin role list`
+exports.adminCommand
+    .command("roles")
+    .description("Alias for 'role list'")
+    .action(listRoles);
+// List all users (admin only)
+exports.adminCommand
+    .command("users")
+    .description("List all users with their roles")
+    .option("-t, --team <teamId>", "Filter by team ID")
+    .action(async (options) => {
+    const spinner = (0, ora_1.default)("Fetching users...").start();
+    try {
+        const users = await api_1.api.getUsers(options.team);
+        spinner.stop();
+        if (!users || users.length === 0) {
+            console.log(chalk_1.default.yellow("No users found."));
+            return;
+        }
+        console.log(chalk_1.default.bold("\nUsers:\n"));
+        const tableData = [
+            [chalk_1.default.bold("Email"), chalk_1.default.bold("Name"), chalk_1.default.bold("Role"), chalk_1.default.bold("Status")]
+        ];
+        users.forEach((user) => {
+            const roleColor = user.role === "owner" || user.role === "admin"
+                ? chalk_1.default.magenta
+                : user.role === "viewer"
+                    ? chalk_1.default.gray
+                    : chalk_1.default.cyan;
+            tableData.push([
+                user.email,
+                user.name || "-",
+                roleColor(user.role),
+                user.status || "active"
+            ]);
+        });
+        console.log((0, table_1.table)(tableData));
+    }
+    catch (error) {
+        spinner.fail("Failed to fetch users");
+        console.error(chalk_1.default.red(error.message));
+    }
+});
+// Set user role
+exports.adminCommand
+    .command("set-role <email> <role>")
+    .description("Change a user's role (owner, admin, developer, viewer, guest)")
+    .option("-t, --team <teamId>", "Team ID (for team-specific role)")
+    .action(async (email, role, options) => {
+    const validRoles = ["owner", "admin", "developer", "viewer", "guest"];
+    if (!validRoles.includes(role.toLowerCase())) {
+        console.error(chalk_1.default.red(`Invalid role: ${role}`));
+        console.log(chalk_1.default.yellow(`Valid roles: ${validRoles.join(", ")}`));
+        process.exit(1);
+    }
+    const spinner = (0, ora_1.default)(`Updating role for ${email}...`).start();
+    try {
+        await api_1.api.setUserRole(email, role.toLowerCase(), options.team);
+        spinner.succeed(chalk_1.default.green(`Role updated: ${email} → ${role}`));
+        // Audit log this privileged action
+        try {
+            const { logAudit } = require("../lib/audit");
+            logAudit("ADMIN_ROLE_CHANGE", null, null, { email, newRole: role, teamId: options.team });
+        }
+        catch (e) { }
+    }
+    catch (error) {
+        spinner.fail("Failed to update role");
+        const safeErr = error.response?.data?.error || error.message || "Unknown error";
+        console.error(chalk_1.default.red(safeErr));
+    }
+});

package/dist/commands/audit.js

@@ -0,0 +1,67 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditCommand = void 0;
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const chalk_1 = __importDefault(require("chalk"));
+const ora_1 = __importDefault(require("ora"));
+const fs_1 = __importDefault(require("fs"));
+exports.auditCommand = new commander_1.Command("audit")
+    .description("Manage and verify audit logs")
+    // Subcommand: Verify
+    .addCommand(new commander_1.Command("verify")
+    .description("Verify the integrity of the audit log chain (Tamper-Evident)")
+    .action(async () => {
+    const spinner = (0, ora_1.default)("Verifying audit chain integrity...").start();
+    try {
+        const result = await api_1.api.verifyAuditLogs();
+        if (result.valid) {
+            spinner.succeed(chalk_1.default.green(result.message));
+        }
+        else {
+            spinner.fail(chalk_1.default.red("Verification Failed!"));
+            console.error(chalk_1.default.red(`Broken at Log ID: ${result.details?.brokenAtId}`));
+            console.error(chalk_1.default.red(`Reason: ${result.details?.reason}`));
+        }
+    }
+    catch (error) {
+        spinner.fail("Verification failed");
+        if (error.response?.data?.details) {
+            console.error(chalk_1.default.red(`Chain Broken: ${error.response.data.message}`));
+            console.error(chalk_1.default.yellow(`Details: ${JSON.stringify(error.response.data.details, null, 2)}`));
+        }
+        else {
+            console.error(chalk_1.default.red(error.message));
+        }
+    }
+}))
+    // Subcommand: Export
+    .addCommand(new commander_1.Command("export")
+    .description("Export audit logs for compliance (SOC2/ISO)")
+    .option("-f, --format <format>", "Output format (json, csv)", "json")
+    .option("--start <date>", "Start date (YYYY-MM-DD)")
+    .option("--end <date>", "End date (YYYY-MM-DD)")
+    .option("-o, --output <file>", "Output file path")
+    .action(async (options) => {
+    const { format, start, end, output } = options;
+    const spinner = (0, ora_1.default)(`Exporting audit logs (${format})...`).start();
+    try {
+        const data = await api_1.api.exportAuditLogs(format, start, end);
+        const content = typeof data === 'object' ? JSON.stringify(data, null, 2) : data;
+        if (output) {
+            fs_1.default.writeFileSync(output, content);
+            spinner.succeed(chalk_1.default.green(`Export saved to ${output}`));
+        }
+        else {
+            spinner.stop();
+            console.log(content);
+        }
+    }
+    catch (error) {
+        spinner.fail("Export failed");
+        console.error(chalk_1.default.red(error.message));
+    }
+}));