xtra-cli 0.1.0

package/dist/commands/watch.js

@@ -0,0 +1,121 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.watchCommand = void 0;
+/**
+ * watch.ts — Live reload secrets in dev mode
+ *
+ * Polls XtraSecurity Cloud for secret changes at a configurable interval.
+ * When a change is detected, restarts the child process with fresh secrets.
+ *
+ * Usage:
+ *   xtra watch -p proj123 -e dev node app.js
+ *   xtra watch -p proj123 -e dev --interval 10 npm run dev --shell
+ */
+const commander_1 = require("commander");
+const api_1 = require("../lib/api");
+const config_1 = require("../lib/config");
+const chalk_1 = __importDefault(require("chalk"));
+const child_process_1 = require("child_process");
+let child = null;
+let lastHash = "";
+function hashSecrets(secrets) {
+    return JSON.stringify(Object.keys(secrets).sort().map(k => `${k}=${secrets[k]}`));
+}
+async function startProcess(command, args, secrets, useShell) {
+    if (child) {
+        process.stdout.write(chalk_1.default.yellow("\n  [watch] Secret change detected — restarting...\n"));
+        child.kill("SIGTERM");
+        // Give it 500ms to terminate gracefully
+        await new Promise(r => setTimeout(r, 500));
+    }
+    const envVars = { ...process.env, ...secrets };
+    process.stdout.write(chalk_1.default.green(`  [watch] Starting: ${command} ${args.join(" ")}\n`));
+    child = (0, child_process_1.spawn)(command, args, {
+        env: envVars,
+        stdio: "inherit",
+        shell: useShell,
+    });
+    child.on("exit", (code) => {
+        if (code !== null && code !== 0) {
+            process.stdout.write(chalk_1.default.red(`  [watch] Process exited with code ${code}\n`));
+        }
+        child = null;
+    });
+    child.on("error", (err) => {
+        process.stdout.write(chalk_1.default.red(`  [watch] Failed to start: ${err.message}\n`));
+        child = null;
+    });
+}
+exports.watchCommand = new commander_1.Command("watch")
+    .description("Live reload — auto-restart process when secrets change in cloud")
+    .option("-p, --project <id>", "Project ID")
+    .option("-e, --env <environment>", "Environment", "development")
+    .option("-b, --branch <branch>", "Branch", "main")
+    .option("--interval <seconds>", "Poll interval in seconds", "5")
+    .option("--shell", "Use shell mode for the child process (for npm run etc.)", false)
+    .argument("<command>", "Command to run")
+    .argument("[args...]", "Command arguments")
+    .addHelpText("after", `
+Examples:
+  $ xtra watch -p proj123 -e dev node app.js
+  $ xtra watch -p proj123 -e dev --interval 10 --shell npm run dev
+  $ xtra watch -p proj123 -e dev -- node -r dotenv/config server.js
+`)
+    .action(async (command, args, options) => {
+    let { project, env, branch, interval, shell: useShell } = options;
+    const envMap = { dev: "development", stg: "staging", prod: "production" };
+    env = envMap[env] || env;
+    if (!project)
+        project = (0, config_1.getConfigValue)("project");
+    if (!project) {
+        console.error(chalk_1.default.red("Error: Project ID required. Use -p <id> or run 'xtra project set'."));
+        process.exit(1);
+    }
+    // Block production watch — too dangerous
+    if (env === "production") {
+        console.error(chalk_1.default.red("⚠  xtra watch is not allowed in PRODUCTION for safety reasons."));
+        console.error(chalk_1.default.gray("   Use xtra run for one-shot production injection."));
+        process.exit(1);
+    }
+    const pollMs = Math.max(3, parseInt(interval)) * 1000;
+    console.log(chalk_1.default.bold(`\n👁  xtra watch — watching ${env}/${branch} (every ${interval}s)\n`));
+    console.log(chalk_1.default.gray(`   Press Ctrl+C to stop.\n`));
+    // Graceful shutdown
+    process.on("SIGINT", () => {
+        if (child)
+            child.kill("SIGTERM");
+        console.log(chalk_1.default.gray("\n  [watch] Stopped."));
+        process.exit(0);
+    });
+    // Initial fetch & start
+    try {
+        const secrets = await api_1.api.getSecrets(project, env, branch);
+        lastHash = hashSecrets(secrets);
+        await startProcess(command, args, secrets, useShell);
+    }
+    catch (e) {
+        console.error(chalk_1.default.red("Failed to fetch secrets: " + (e?.response?.data?.error || e.message)));
+        process.exit(1);
+    }
+    // Poll loop
+    setInterval(async () => {
+        try {
+            const secrets = await api_1.api.getSecrets(project, env, branch);
+            const hash = hashSecrets(secrets);
+            if (hash !== lastHash) {
+                lastHash = hash;
+                await startProcess(command, args, secrets, useShell);
+            }
+            else {
+                process.stdout.write(chalk_1.default.gray(`  [watch] ${new Date().toLocaleTimeString()} — no changes\r`));
+            }
+        }
+        catch (e) {
+            process.stdout.write(chalk_1.default.yellow(`\n  [watch] Poll failed: ${e.message}\n`));
+            // Don't exit — keep trying
+        }
+    }, pollMs);
+});

package/dist/lib/api.js

@@ -0,0 +1,172 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.api = void 0;
+const axios_1 = __importDefault(require("axios"));
+const config_1 = require("./config");
+const getClient = () => {
+    const { apiUrl } = (0, config_1.getConfig)();
+    const token = (0, config_1.getAuthToken)();
+    const client = axios_1.default.create({
+        baseURL: apiUrl,
+        headers: {
+            "Content-Type": "application/json",
+            ...(token ? { Authorization: `Bearer ${token}` } : {}),
+        },
+    });
+    return client;
+};
+exports.api = {
+    login: async (email, password, apiKey) => {
+        const response = await getClient().post("/auth/cli-login", {
+            email,
+            password,
+            apiKey,
+        });
+        return response.data;
+    },
+    // Placeholders for future methods
+    getSecrets: async (projectId, env, branch = "main") => {
+        // Fixed path to match Next.js dynamic route folder structure
+        const response = await getClient().get(`/projects/${projectId}/envs/${env}/secrets?branch=${branch}`);
+        return response.data;
+    },
+    getSecretVersions: async (projectId, env, branch = "main") => {
+        const response = await getClient().get(`/projects/${projectId}/envs/${env}/secrets?includeVersions=true&branch=${branch}`);
+        return response.data;
+    },
+    setSecrets: async (projectId, env, secrets, expectedVersions, branch = "main") => {
+        const response = await getClient().post(`/projects/${projectId}/envs/${env}/secrets`, { secrets, expectedVersions, branch });
+        return response.data;
+    },
+    getSecretDetails: async (projectId, env, key, branch = "main") => {
+        const response = await getClient().get(`/projects/${projectId}/envs/${env}/secrets/${key}?branch=${branch}`);
+        return response.data;
+    },
+    syncLogs: async (logs) => {
+        const response = await getClient().post("/audit/cli-logs", { logs });
+        return response.data;
+    },
+    linkSecret: async (projectId, env, key, sourceProjectId, sourceEnv, sourceKey) => {
+        const response = await getClient().post(`/projects/${projectId}/envs/${env}/secrets/link`, {
+            key,
+            sourceProjectId,
+            sourceEnv,
+            sourceKey
+        });
+        return response.data;
+    },
+    rotateSecret: async (projectId, env, key, strategy, parsedNewValue) => {
+        const response = await getClient().post(`/projects/${projectId}/envs/${env}/secrets/${key}/rotate`, {
+            strategy,
+            parsedNewValue
+        });
+        return response.data;
+    },
+    promoteSecret: async (projectId, env, key) => {
+        const response = await getClient().post(`/projects/${projectId}/envs/${env}/secrets/${key}/promote`, {});
+        return response.data;
+    },
+    verifyAuditLogs: async () => {
+        const response = await getClient().get("/audit/verify");
+        return response.data;
+    },
+    exportAuditLogs: async (format, start, end, projectId) => {
+        const body = { format };
+        if (start)
+            body.startDate = start;
+        if (end)
+            body.endDate = end;
+        if (projectId)
+            body.projectId = projectId;
+        const response = await getClient().post("/audit/export", body, { responseType: format === "csv" ? "text" : "json" });
+        return response.data;
+    },
+    // JIT Access
+    requestAccess: async (projectId, reason, duration, secretId) => {
+        const response = await getClient().post("/access/request", { projectId, secretId, reason, duration });
+        return response.data;
+    },
+    approveAccess: async (requestId, decision) => {
+        const response = await getClient().post("/access/approve", { requestId, decision });
+        return response.data;
+    },
+    listAccessRequests: async (mode) => {
+        const response = await getClient().get(`/access/list?mode=${mode}`);
+        return response.data;
+    },
+    // Project Management
+    getProjects: async () => {
+        const response = await getClient().get("/project");
+        return response.data;
+    },
+    // Branch Management
+    getBranches: async (projectId) => {
+        const response = await getClient().get(`/branch?projectId=${projectId}`);
+        return response.data;
+    },
+    createBranch: async (projectId, name, description) => {
+        const response = await getClient().post("/branch", { projectId, name, description });
+        return response.data;
+    },
+    deleteBranch: async (branchId) => {
+        const response = await getClient().delete(`/branch/${branchId}`);
+        return response.data;
+    },
+    updateBranch: async (branchId, updates) => {
+        const response = await getClient().put("/branch", { id: branchId, ...updates });
+        return response.data;
+    },
+    // Admin - Role Management
+    getRoles: async () => {
+        const response = await getClient().get("/admin/roles");
+        return response.data;
+    },
+    getUsers: async (teamId) => {
+        const params = teamId ? `?teamId=${teamId}` : "";
+        const response = await getClient().get(`/admin/users${params}`);
+        return response.data;
+    },
+    setUserRole: async (email, role, teamId) => {
+        const response = await getClient().put("/admin/users/role", { email, role, teamId });
+        return response.data;
+    },
+    // Integrations
+    getIntegrationStatus: async (provider) => {
+        const response = await getClient().get(`/integrations/${provider}`);
+        return response.data;
+    },
+    getIntegrationRepos: async (provider) => {
+        const response = await getClient().get(`/integrations/${provider}/sync`);
+        return response.data.repos;
+    },
+    syncSecretsToGithub: async (data) => {
+        const response = await getClient().post("/api/integrations/github/sync", data);
+        return response.data;
+    },
+    exportKubernetesSecret: async (projectId, params) => {
+        const query = new URLSearchParams(params).toString();
+        const response = await getClient().get(`/projects/${projectId}/kubernetes?${query}`);
+        return response.data; // This returns the YAML string directly
+    },
+    // Advanced Features
+    getSecretHistory: async (projectId, env, key) => {
+        const response = await getClient().get(`/projects/${projectId}/envs/${env}/secrets/${key}/history`);
+        return response.data;
+    },
+    rollbackSecret: async (projectId, env, key, version) => {
+        const response = await getClient().post(`/projects/${projectId}/envs/${env}/secrets/${key}/history`, { version });
+        return response.data;
+    },
+    cloneEnvironment: async (projectId, fromEnv, toEnv, overwrite, branch) => {
+        const response = await getClient().post(`/projects/${projectId}/envs/clone`, { fromEnv, toEnv, overwrite, branch });
+        return response.data;
+    },
+    // Generic POST method for audit logging and other uses
+    post: async (endpoint, data) => {
+        const response = await getClient().post(endpoint, data);
+        return response.data;
+    }
+};

package/dist/lib/api.test.js

@@ -0,0 +1,89 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const api_1 = require("./api");
+const axios_1 = __importDefault(require("axios"));
+const config_1 = require("./config");
+// Mock axios and config
+jest.mock('axios');
+jest.mock('./config');
+const mockAxios = axios_1.default;
+describe('API Client', () => {
+    const mockCreate = jest.fn();
+    const mockGet = jest.fn();
+    const mockPost = jest.fn();
+    beforeAll(() => {
+        mockAxios.create = mockCreate;
+        config_1.getConfig.mockReturnValue({ apiUrl: 'http://localhost:3000/api' });
+        config_1.getAuthToken.mockReturnValue('test-token-123');
+        mockCreate.mockReturnValue({
+            get: mockGet,
+            post: mockPost,
+        });
+    });
+    beforeEach(() => {
+        jest.clearAllMocks();
+    });
+    describe('login', () => {
+        it('should send login request with email and password', async () => {
+            mockPost.mockResolvedValue({ data: { token: 'new-token' } });
+            const result = await api_1.api.login('user@example.com', 'password123');
+            expect(mockPost).toHaveBeenCalledWith('/auth/cli-login', {
+                email: 'user@example.com',
+                password: 'password123',
+                apiKey: undefined
+            });
+            expect(result).toEqual({ token: 'new-token' });
+        });
+        it('should send login request with API key', async () => {
+            mockPost.mockResolvedValue({ data: { token: 'api-key-token' } });
+            const result = await api_1.api.login(undefined, undefined, 'xtra_key_abc123');
+            expect(mockPost).toHaveBeenCalledWith('/auth/cli-login', {
+                email: undefined,
+                password: undefined,
+                apiKey: 'xtra_key_abc123'
+            });
+            expect(result).toEqual({ token: 'api-key-token' });
+        });
+    });
+    describe('getSecrets', () => {
+        it('should fetch secrets for project and environment', async () => {
+            const mockSecrets = { secrets: [{ key: 'DB_URL', value: 'postgres://...' }] };
+            mockGet.mockResolvedValue({ data: mockSecrets });
+            const result = await api_1.api.getSecrets('proj-123', 'production', 'main');
+            expect(mockGet).toHaveBeenCalledWith('/projects/proj-123/envs/production/secrets?branch=main');
+            expect(result).toEqual(mockSecrets);
+        });
+        it('should use default branch if not specified', async () => {
+            mockGet.mockResolvedValue({ data: { secrets: [] } });
+            await api_1.api.getSecrets('proj-123', 'dev');
+            expect(mockGet).toHaveBeenCalledWith('/projects/proj-123/envs/dev/secrets?branch=main');
+        });
+    });
+    describe('setSecrets', () => {
+        it('should post secrets to API', async () => {
+            const secrets = { DB_URL: 'postgres://new', API_KEY: 'key123' };
+            mockPost.mockResolvedValue({ data: { success: true } });
+            const result = await api_1.api.setSecrets('proj-123', 'staging', secrets);
+            expect(mockPost).toHaveBeenCalledWith('/projects/proj-123/envs/staging/secrets', {
+                secrets,
+                expectedVersions: undefined,
+                branch: 'main'
+            });
+            expect(result).toEqual({ success: true });
+        });
+    });
+    describe('rotateSecret', () => {
+        it('should rotate secret with strategy', async () => {
+            mockPost.mockResolvedValue({ data: { newValue: 'rotated-value' } });
+            const result = await api_1.api.rotateSecret('proj-123', 'prod', 'API_KEY', 'regenerate');
+            expect(mockPost).toHaveBeenCalledWith('/projects/proj-123/envs/prod/secrets/API_KEY/rotate', {
+                strategy: 'regenerate',
+                parsedNewValue: undefined
+            });
+            expect(result).toEqual({ newValue: 'rotated-value' });
+        });
+    });
+});

package/dist/lib/audit.js

@@ -0,0 +1,136 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logAudit = logAudit;
+exports.loadAuditLogs = loadAuditLogs;
+exports.saveAuditLogs = saveAuditLogs;
+exports.syncAuditLogs = syncAuditLogs;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const uuid_1 = require("uuid");
+const crypto_1 = require("./crypto");
+const config_1 = require("./config");
+const api_1 = require("./api");
+const MANIFEST_DIR = path_1.default.join(process.cwd(), ".xtra");
+const AUDIT_FILE = path_1.default.join(MANIFEST_DIR, "audit.enc");
+/**
+ * Sanitize sensitive data from details
+ */
+function sanitizeDetails(details) {
+    if (!details || typeof details !== 'object')
+        return details;
+    const sanitized = { ...details };
+    const sensitiveKeys = ['password', 'token', 'secret', 'value', 'apiKey', 'secretValue'];
+    for (const key of Object.keys(sanitized)) {
+        if (sensitiveKeys.some(sk => key.toLowerCase().includes(sk))) {
+            sanitized[key] = '[REDACTED]';
+        }
+    }
+    return sanitized;
+}
+/**
+ * Send audit log to backend API
+ */
+async function sendToBackend(entry) {
+    try {
+        const config = (0, config_1.getConfig)();
+        // Skip if not authenticated
+        if (!config.token) {
+            return false;
+        }
+        const payload = {
+            action: entry.action,
+            entity: 'cli-project',
+            entityId: entry.projectId || 'global',
+            details: sanitizeDetails(entry.details),
+            timestamp: entry.timestamp,
+            projectId: entry.projectId,
+        };
+        await api_1.api.post('/audit/cli-logs', { logs: [payload] });
+        return true;
+    }
+    catch (error) {
+        // Silently fail - don't disrupt CLI operations
+        if (process.env.DEBUG) {
+            console.error('Failed to send audit log to backend:', error);
+        }
+        return false;
+    }
+}
+function logAudit(action, projectId, environment, details) {
+    const entry = {
+        id: (0, uuid_1.v4)(),
+        timestamp: new Date().toISOString(),
+        action,
+        projectId,
+        environment,
+        details,
+        synced: false
+    };
+    // Save locally
+    const logs = loadAuditLogs();
+    logs.push(entry);
+    saveAuditLogs(logs);
+    // Send to backend (non-blocking)
+    sendToBackend(entry).then((synced) => {
+        if (synced) {
+            // Mark as synced in local logs
+            entry.synced = true;
+            const updatedLogs = loadAuditLogs();
+            const index = updatedLogs.findIndex(l => l.id === entry.id);
+            if (index !== -1) {
+                updatedLogs[index].synced = true;
+                saveAuditLogs(updatedLogs);
+            }
+        }
+    }).catch(() => {
+        // Ignore errors
+    });
+}
+function loadAuditLogs() {
+    if (!fs_1.default.existsSync(AUDIT_FILE)) {
+        return [];
+    }
+    try {
+        const encryptedStr = fs_1.default.readFileSync(AUDIT_FILE, "utf-8");
+        const encryptedObj = JSON.parse(encryptedStr);
+        const decrypted = (0, crypto_1.decrypt)(encryptedObj);
+        return JSON.parse(decrypted);
+    }
+    catch (error) {
+        // console.error("Failed to load audit logs", error);
+        return [];
+    }
+}
+function saveAuditLogs(logs) {
+    if (!fs_1.default.existsSync(MANIFEST_DIR)) {
+        fs_1.default.mkdirSync(MANIFEST_DIR, { recursive: true });
+    }
+    const serialized = JSON.stringify(logs);
+    const encryptedObj = (0, crypto_1.encrypt)(serialized);
+    fs_1.default.writeFileSync(AUDIT_FILE, JSON.stringify(encryptedObj), "utf-8");
+}
+/**
+ * Sync unsynced audit logs to backend
+ */
+async function syncAuditLogs() {
+    const logs = loadAuditLogs();
+    const unsynced = logs.filter(l => !l.synced);
+    if (unsynced.length === 0) {
+        return 0;
+    }
+    let syncedCount = 0;
+    for (const entry of unsynced) {
+        const success = await sendToBackend(entry);
+        if (success) {
+            entry.synced = true;
+            syncedCount++;
+        }
+    }
+    if (syncedCount > 0) {
+        saveAuditLogs(logs);
+    }
+    return syncedCount;
+}

package/dist/lib/config.js

@@ -0,0 +1,42 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getProjectConfig = exports.getAuthToken = exports.clearConfig = exports.setConfig = exports.getConfigValue = exports.getConfig = void 0;
+const conf_1 = __importDefault(require("conf"));
+const config = new conf_1.default({
+    projectName: "xtra-cli",
+    defaults: {
+        apiUrl: "http://localhost:3000/api", // Default for dev
+    },
+});
+const getConfig = () => ({
+    ...config.store,
+    apiUrl: process.env.XTRA_API_URL || config.get("apiUrl") || "http://localhost:3000/api"
+});
+exports.getConfig = getConfig;
+const getConfigValue = (key) => config.get(key);
+exports.getConfigValue = getConfigValue;
+const setConfig = (key, value) => config.set(key, value);
+exports.setConfig = setConfig;
+const clearConfig = () => config.clear();
+exports.clearConfig = clearConfig;
+const getAuthToken = () => config.get("token");
+exports.getAuthToken = getAuthToken;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const getProjectConfig = async () => {
+    try {
+        const configPath = path_1.default.join(process.cwd(), "xtra.json");
+        if (fs_1.default.existsSync(configPath)) {
+            const content = fs_1.default.readFileSync(configPath, "utf-8");
+            return JSON.parse(content);
+        }
+        return null;
+    }
+    catch (error) {
+        return null;
+    }
+};
+exports.getProjectConfig = getProjectConfig;

package/dist/lib/config.test.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_1 = require("./config");
+const fs_1 = __importDefault(require("fs"));
+// Mock Conf module
+jest.mock('conf');
+describe('Config Management', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+    });
+    describe('getConfig', () => {
+        it('should return config with API URL from env if set', () => {
+            process.env.XTRA_API_URL = 'https://api.production.com';
+            const config = (0, config_1.getConfig)();
+            expect(config.apiUrl).toBe('https://api.production.com');
+            delete process.env.XTRA_API_URL;
+        });
+        it('should fallback to default API URL', () => {
+            delete process.env.XTRA_API_URL;
+            const config = (0, config_1.getConfig)();
+            expect(config.apiUrl).toBeDefined();
+        });
+    });
+    describe('getProjectConfig', () => {
+        it('should return null if xtra.json does not exist', async () => {
+            jest.spyOn(fs_1.default, 'existsSync').mockReturnValue(false);
+            const projectConfig = await (0, config_1.getProjectConfig)();
+            expect(projectConfig).toBeNull();
+        });
+        it('should parse and return xtra.json if it exists', async () => {
+            const mockConfig = { projectId: 'test-project', env: 'production' };
+            jest.spyOn(fs_1.default, 'existsSync').mockReturnValue(true);
+            jest.spyOn(fs_1.default, 'readFileSync').mockReturnValue(JSON.stringify(mockConfig));
+            const projectConfig = await (0, config_1.getProjectConfig)();
+            expect(projectConfig).toEqual(mockConfig);
+        });
+        it('should return null if JSON parsing fails', async () => {
+            jest.spyOn(fs_1.default, 'existsSync').mockReturnValue(true);
+            jest.spyOn(fs_1.default, 'readFileSync').mockReturnValue('invalid json{');
+            const projectConfig = await (0, config_1.getProjectConfig)();
+            expect(projectConfig).toBeNull();
+        });
+    });
+});

package/dist/lib/crypto.js

@@ -0,0 +1,50 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hash = exports.decrypt = exports.encrypt = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const conf_1 = __importDefault(require("conf"));
+// We'll use the machine-id or a generated master key stored in the system keychain 
+// (or simple config for MVP) to encrypt the local cache.
+// For now, we will generate a random key and store it in the config (simulate keychain).
+const algorithm = "aes-256-gcm";
+const config = new conf_1.default({ projectName: "xtra-cli-crypto" });
+function getMasterKey() {
+    let keyHex = config.get("masterKey");
+    if (!keyHex) {
+        keyHex = crypto_1.default.randomBytes(32).toString("hex");
+        config.set("masterKey", keyHex);
+    }
+    return Buffer.from(keyHex, "hex");
+}
+const encrypt = (text) => {
+    const iv = crypto_1.default.randomBytes(16);
+    const key = getMasterKey();
+    const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(text, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const tag = cipher.getAuthTag();
+    return {
+        iv: iv.toString("hex"),
+        content: encrypted,
+        tag: tag.toString("hex"),
+    };
+};
+exports.encrypt = encrypt;
+const decrypt = (encrypted) => {
+    const key = getMasterKey();
+    const iv = Buffer.from(encrypted.iv, "hex");
+    const tag = Buffer.from(encrypted.tag, "hex");
+    const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
+    decipher.setAuthTag(tag);
+    let decrypted = decipher.update(encrypted.content, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+};
+exports.decrypt = decrypt;
+const hash = (text) => {
+    return crypto_1.default.createHash("sha256").update(text).digest("hex");
+};
+exports.hash = hash;