xtra-cli 1.0.0

package/dist/lib/api.test.js

@@ -0,0 +1,89 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const api_1 = require("./api");
+const axios_1 = __importDefault(require("axios"));
+const config_1 = require("./config");
+// Mock axios and config
+jest.mock('axios');
+jest.mock('./config');
+const mockAxios = axios_1.default;
+describe('API Client', () => {
+    const mockCreate = jest.fn();
+    const mockGet = jest.fn();
+    const mockPost = jest.fn();
+    beforeAll(() => {
+        mockAxios.create = mockCreate;
+        config_1.getConfig.mockReturnValue({ apiUrl: 'http://localhost:3000/api' });
+        config_1.getAuthToken.mockReturnValue('test-token-123');
+        mockCreate.mockReturnValue({
+            get: mockGet,
+            post: mockPost,
+        });
+    });
+    beforeEach(() => {
+        jest.clearAllMocks();
+    });
+    describe('login', () => {
+        it('should send login request with email and password', async () => {
+            mockPost.mockResolvedValue({ data: { token: 'new-token' } });
+            const result = await api_1.api.login('user@example.com', 'password123');
+            expect(mockPost).toHaveBeenCalledWith('/auth/cli-login', {
+                email: 'user@example.com',
+                password: 'password123',
+                apiKey: undefined
+            });
+            expect(result).toEqual({ token: 'new-token' });
+        });
+        it('should send login request with API key', async () => {
+            mockPost.mockResolvedValue({ data: { token: 'api-key-token' } });
+            const result = await api_1.api.login(undefined, undefined, 'xtra_key_abc123');
+            expect(mockPost).toHaveBeenCalledWith('/auth/cli-login', {
+                email: undefined,
+                password: undefined,
+                apiKey: 'xtra_key_abc123'
+            });
+            expect(result).toEqual({ token: 'api-key-token' });
+        });
+    });
+    describe('getSecrets', () => {
+        it('should fetch secrets for project and environment', async () => {
+            const mockSecrets = { secrets: [{ key: 'DB_URL', value: 'postgres://...' }] };
+            mockGet.mockResolvedValue({ data: mockSecrets });
+            const result = await api_1.api.getSecrets('proj-123', 'production', 'main');
+            expect(mockGet).toHaveBeenCalledWith('/projects/proj-123/envs/production/secrets?branch=main');
+            expect(result).toEqual(mockSecrets);
+        });
+        it('should use default branch if not specified', async () => {
+            mockGet.mockResolvedValue({ data: { secrets: [] } });
+            await api_1.api.getSecrets('proj-123', 'dev');
+            expect(mockGet).toHaveBeenCalledWith('/projects/proj-123/envs/dev/secrets?branch=main');
+        });
+    });
+    describe('setSecrets', () => {
+        it('should post secrets to API', async () => {
+            const secrets = { DB_URL: 'postgres://new', API_KEY: 'key123' };
+            mockPost.mockResolvedValue({ data: { success: true } });
+            const result = await api_1.api.setSecrets('proj-123', 'staging', secrets);
+            expect(mockPost).toHaveBeenCalledWith('/projects/proj-123/envs/staging/secrets', {
+                secrets,
+                expectedVersions: undefined,
+                branch: 'main'
+            });
+            expect(result).toEqual({ success: true });
+        });
+    });
+    describe('rotateSecret', () => {
+        it('should rotate secret with strategy', async () => {
+            mockPost.mockResolvedValue({ data: { newValue: 'rotated-value' } });
+            const result = await api_1.api.rotateSecret('proj-123', 'prod', 'API_KEY', 'regenerate');
+            expect(mockPost).toHaveBeenCalledWith('/projects/proj-123/envs/prod/secrets/API_KEY/rotate', {
+                strategy: 'regenerate',
+                parsedNewValue: undefined
+            });
+            expect(result).toEqual({ newValue: 'rotated-value' });
+        });
+    });
+});

package/dist/lib/audit.js

@@ -0,0 +1,136 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logAudit = logAudit;
+exports.loadAuditLogs = loadAuditLogs;
+exports.saveAuditLogs = saveAuditLogs;
+exports.syncAuditLogs = syncAuditLogs;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const uuid_1 = require("uuid");
+const crypto_1 = require("./crypto");
+const config_1 = require("./config");
+const api_1 = require("./api");
+const MANIFEST_DIR = path_1.default.join(process.cwd(), ".xtra");
+const AUDIT_FILE = path_1.default.join(MANIFEST_DIR, "audit.enc");
+/**
+ * Sanitize sensitive data from details
+ */
+function sanitizeDetails(details) {
+    if (!details || typeof details !== 'object')
+        return details;
+    const sanitized = { ...details };
+    const sensitiveKeys = ['password', 'token', 'secret', 'value', 'apiKey', 'secretValue'];
+    for (const key of Object.keys(sanitized)) {
+        if (sensitiveKeys.some(sk => key.toLowerCase().includes(sk))) {
+            sanitized[key] = '[REDACTED]';
+        }
+    }
+    return sanitized;
+}
+/**
+ * Send audit log to backend API
+ */
+async function sendToBackend(entry) {
+    try {
+        const config = (0, config_1.getConfig)();
+        // Skip if not authenticated
+        if (!config.token) {
+            return false;
+        }
+        const payload = {
+            action: entry.action,
+            entity: 'cli-project',
+            entityId: entry.projectId || 'global',
+            details: sanitizeDetails(entry.details),
+            timestamp: entry.timestamp,
+            projectId: entry.projectId,
+        };
+        await api_1.api.post('/audit/cli-logs', { logs: [payload] });
+        return true;
+    }
+    catch (error) {
+        // Silently fail - don't disrupt CLI operations
+        if (process.env.DEBUG) {
+            console.error('Failed to send audit log to backend:', error);
+        }
+        return false;
+    }
+}
+function logAudit(action, projectId, environment, details) {
+    const entry = {
+        id: (0, uuid_1.v4)(),
+        timestamp: new Date().toISOString(),
+        action,
+        projectId,
+        environment,
+        details,
+        synced: false
+    };
+    // Save locally
+    const logs = loadAuditLogs();
+    logs.push(entry);
+    saveAuditLogs(logs);
+    // Send to backend (non-blocking)
+    sendToBackend(entry).then((synced) => {
+        if (synced) {
+            // Mark as synced in local logs
+            entry.synced = true;
+            const updatedLogs = loadAuditLogs();
+            const index = updatedLogs.findIndex(l => l.id === entry.id);
+            if (index !== -1) {
+                updatedLogs[index].synced = true;
+                saveAuditLogs(updatedLogs);
+            }
+        }
+    }).catch(() => {
+        // Ignore errors
+    });
+}
+function loadAuditLogs() {
+    if (!fs_1.default.existsSync(AUDIT_FILE)) {
+        return [];
+    }
+    try {
+        const encryptedStr = fs_1.default.readFileSync(AUDIT_FILE, "utf-8");
+        const encryptedObj = JSON.parse(encryptedStr);
+        const decrypted = (0, crypto_1.decrypt)(encryptedObj);
+        return JSON.parse(decrypted);
+    }
+    catch (error) {
+        // console.error("Failed to load audit logs", error);
+        return [];
+    }
+}
+function saveAuditLogs(logs) {
+    if (!fs_1.default.existsSync(MANIFEST_DIR)) {
+        fs_1.default.mkdirSync(MANIFEST_DIR, { recursive: true });
+    }
+    const serialized = JSON.stringify(logs);
+    const encryptedObj = (0, crypto_1.encrypt)(serialized);
+    fs_1.default.writeFileSync(AUDIT_FILE, JSON.stringify(encryptedObj), "utf-8");
+}
+/**
+ * Sync unsynced audit logs to backend
+ */
+async function syncAuditLogs() {
+    const logs = loadAuditLogs();
+    const unsynced = logs.filter(l => !l.synced);
+    if (unsynced.length === 0) {
+        return 0;
+    }
+    let syncedCount = 0;
+    for (const entry of unsynced) {
+        const success = await sendToBackend(entry);
+        if (success) {
+            entry.synced = true;
+            syncedCount++;
+        }
+    }
+    if (syncedCount > 0) {
+        saveAuditLogs(logs);
+    }
+    return syncedCount;
+}

package/dist/lib/config.js

@@ -0,0 +1,70 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getRcConfig = exports.getProjectConfig = exports.getAuthToken = exports.clearConfig = exports.setConfig = exports.getConfigValue = exports.getConfig = void 0;
+const conf_1 = __importDefault(require("conf"));
+const PRODUCTION_API_URL = "https://xtra-security.vercel.app/api";
+const config = new conf_1.default({
+    projectName: "xtra-cli",
+    defaults: {
+        apiUrl: PRODUCTION_API_URL,
+    },
+});
+// Auto-heal: if an old localhost value was persisted, clear it so we use production.
+// Users who intentionally want localhost should set XTRA_API_URL env var instead.
+const _storedApiUrl = config.get("apiUrl");
+if (_storedApiUrl && _storedApiUrl.includes("localhost") && !process.env.XTRA_API_URL) {
+    config.set("apiUrl", PRODUCTION_API_URL);
+}
+const getConfig = () => ({
+    ...config.store,
+    apiUrl: process.env.XTRA_API_URL || config.get("apiUrl") || PRODUCTION_API_URL
+});
+exports.getConfig = getConfig;
+const getConfigValue = (key) => config.get(key);
+exports.getConfigValue = getConfigValue;
+const setConfig = (key, value) => config.set(key, value);
+exports.setConfig = setConfig;
+const clearConfig = () => config.clear();
+exports.clearConfig = clearConfig;
+const getAuthToken = () => config.get("token");
+exports.getAuthToken = getAuthToken;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const getProjectConfig = async () => {
+    try {
+        const configPath = path_1.default.join(process.cwd(), "xtra.json");
+        if (fs_1.default.existsSync(configPath)) {
+            const content = fs_1.default.readFileSync(configPath, "utf-8");
+            return JSON.parse(content);
+        }
+        return null;
+    }
+    catch (error) {
+        return null;
+    }
+};
+exports.getProjectConfig = getProjectConfig;
+/**
+ * Reads .xtrarc from the current working directory.
+ * Returns project/env/branch with fallback to the global conf store.
+ * All commands should use this instead of calling getConfigValue() directly.
+ */
+const getRcConfig = () => {
+    let rc = {};
+    try {
+        const rcPath = path_1.default.join(process.cwd(), ".xtrarc");
+        if (fs_1.default.existsSync(rcPath)) {
+            rc = JSON.parse(fs_1.default.readFileSync(rcPath, "utf-8"));
+        }
+    }
+    catch (_) { }
+    return {
+        project: rc.project || config.get("project") || "",
+        env: rc.env || config.get("env") || "development",
+        branch: rc.branch || config.get("branch") || "main",
+    };
+};
+exports.getRcConfig = getRcConfig;

package/dist/lib/config.test.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_1 = require("./config");
+const fs_1 = __importDefault(require("fs"));
+// Mock Conf module
+jest.mock('conf');
+describe('Config Management', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+    });
+    describe('getConfig', () => {
+        it('should return config with API URL from env if set', () => {
+            process.env.XTRA_API_URL = 'https://api.production.com';
+            const config = (0, config_1.getConfig)();
+            expect(config.apiUrl).toBe('https://api.production.com');
+            delete process.env.XTRA_API_URL;
+        });
+        it('should fallback to default API URL', () => {
+            delete process.env.XTRA_API_URL;
+            const config = (0, config_1.getConfig)();
+            expect(config.apiUrl).toBeDefined();
+        });
+    });
+    describe('getProjectConfig', () => {
+        it('should return null if xtra.json does not exist', async () => {
+            jest.spyOn(fs_1.default, 'existsSync').mockReturnValue(false);
+            const projectConfig = await (0, config_1.getProjectConfig)();
+            expect(projectConfig).toBeNull();
+        });
+        it('should parse and return xtra.json if it exists', async () => {
+            const mockConfig = { projectId: 'test-project', env: 'production' };
+            jest.spyOn(fs_1.default, 'existsSync').mockReturnValue(true);
+            jest.spyOn(fs_1.default, 'readFileSync').mockReturnValue(JSON.stringify(mockConfig));
+            const projectConfig = await (0, config_1.getProjectConfig)();
+            expect(projectConfig).toEqual(mockConfig);
+        });
+        it('should return null if JSON parsing fails', async () => {
+            jest.spyOn(fs_1.default, 'existsSync').mockReturnValue(true);
+            jest.spyOn(fs_1.default, 'readFileSync').mockReturnValue('invalid json{');
+            const projectConfig = await (0, config_1.getProjectConfig)();
+            expect(projectConfig).toBeNull();
+        });
+    });
+});

package/dist/lib/crypto.js

@@ -0,0 +1,50 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hash = exports.decrypt = exports.encrypt = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const conf_1 = __importDefault(require("conf"));
+// We'll use the machine-id or a generated master key stored in the system keychain 
+// (or simple config for MVP) to encrypt the local cache.
+// For now, we will generate a random key and store it in the config (simulate keychain).
+const algorithm = "aes-256-gcm";
+const config = new conf_1.default({ projectName: "xtra-cli-crypto" });
+function getMasterKey() {
+    let keyHex = config.get("masterKey");
+    if (!keyHex) {
+        keyHex = crypto_1.default.randomBytes(32).toString("hex");
+        config.set("masterKey", keyHex);
+    }
+    return Buffer.from(keyHex, "hex");
+}
+const encrypt = (text) => {
+    const iv = crypto_1.default.randomBytes(16);
+    const key = getMasterKey();
+    const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
+    let encrypted = cipher.update(text, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const tag = cipher.getAuthTag();
+    return {
+        iv: iv.toString("hex"),
+        content: encrypted,
+        tag: tag.toString("hex"),
+    };
+};
+exports.encrypt = encrypt;
+const decrypt = (encrypted) => {
+    const key = getMasterKey();
+    const iv = Buffer.from(encrypted.iv, "hex");
+    const tag = Buffer.from(encrypted.tag, "hex");
+    const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
+    decipher.setAuthTag(tag);
+    let decrypted = decipher.update(encrypted.content, "hex", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+};
+exports.decrypt = decrypt;
+const hash = (text) => {
+    return crypto_1.default.createHash("sha256").update(text).digest("hex");
+};
+exports.hash = hash;

package/dist/lib/manifest.js

@@ -0,0 +1,52 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MANIFEST_FILE = exports.MANIFEST_DIR = void 0;
+exports.loadManifest = loadManifest;
+exports.saveManifest = saveManifest;
+exports.updateManifest = updateManifest;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+exports.MANIFEST_DIR = path_1.default.join(process.cwd(), ".xtra");
+exports.MANIFEST_FILE = path_1.default.join(exports.MANIFEST_DIR, "manifest.json");
+function loadManifest() {
+    if (!fs_1.default.existsSync(exports.MANIFEST_FILE)) {
+        return null;
+    }
+    try {
+        const data = fs_1.default.readFileSync(exports.MANIFEST_FILE, "utf-8");
+        return JSON.parse(data);
+    }
+    catch (error) {
+        return null;
+    }
+}
+function saveManifest(manifest) {
+    if (!fs_1.default.existsSync(exports.MANIFEST_DIR)) {
+        fs_1.default.mkdirSync(exports.MANIFEST_DIR, { recursive: true });
+    }
+    fs_1.default.writeFileSync(exports.MANIFEST_FILE, JSON.stringify(manifest, null, 2), "utf-8");
+}
+function updateManifest(projectId, env, secrets, hasher) {
+    const manifest = loadManifest() || {
+        projectId,
+        environment: env,
+        lastSyncedAt: new Date().toISOString(),
+        secrets: {}
+    };
+    // Update sync metadata
+    manifest.projectId = projectId;
+    manifest.environment = env;
+    manifest.lastSyncedAt = new Date().toISOString();
+    // Update secrets
+    Object.entries(secrets).forEach(([key, value]) => {
+        const hash = hasher(value);
+        manifest.secrets[key] = {
+            hash,
+            updatedAt: new Date().toISOString()
+        };
+    });
+    saveManifest(manifest);
+}

package/dist/lib/profiles.js

@@ -0,0 +1,103 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listProfiles = listProfiles;
+exports.getActiveProfileName = getActiveProfileName;
+exports.getActiveProfile = getActiveProfile;
+exports.setActiveProfile = setActiveProfile;
+exports.createProfile = createProfile;
+exports.deleteProfile = deleteProfile;
+exports.setProfileValue = setProfileValue;
+exports.getProfileValue = getProfileValue;
+exports.useProfile = useProfile;
+/**
+ * profiles.ts - Multi-Profile config management for xtra-cli
+ *
+ * Profiles are stored in the existing Conf store under the key "profiles"
+ * as a nested object: { profileName: { token, apiUrl, project, ... } }
+ *
+ * The active profile is tracked under "activeProfile".
+ */
+const conf_1 = __importDefault(require("conf"));
+const store = new conf_1.default({
+    projectName: "xtra-cli",
+    defaults: {
+        activeProfile: "default",
+        profiles: {
+            default: {
+                apiUrl: process.env.XTRA_API_URL || "https://xtra-security.vercel.app/api",
+            },
+        },
+    },
+});
+// ── Profile CRUD ───────────────────────────────────────────────────────────────
+function listProfiles() {
+    return store.get("profiles") || {};
+}
+function getActiveProfileName() {
+    // Environment variable always wins
+    return process.env.XTRA_PROFILE || store.get("activeProfile") || "default";
+}
+function getActiveProfile() {
+    const name = getActiveProfileName();
+    const profiles = listProfiles();
+    return profiles[name] || {};
+}
+function setActiveProfile(name) {
+    const profiles = listProfiles();
+    if (!profiles[name]) {
+        throw new Error(`Profile '${name}' does not exist. Create it first with 'xtra profile create ${name}'.`);
+    }
+    store.set("activeProfile", name);
+}
+function createProfile(name, data = {}) {
+    const profiles = listProfiles();
+    if (profiles[name]) {
+        throw new Error(`Profile '${name}' already exists. Use 'xtra profile set' to edit it.`);
+    }
+    profiles[name] = {
+        apiUrl: process.env.XTRA_API_URL || "https://xtra-security.vercel.app/api",
+        ...data,
+    };
+    store.set("profiles", profiles);
+}
+function deleteProfile(name) {
+    if (name === "default") {
+        throw new Error("Cannot delete the 'default' profile.");
+    }
+    const profiles = listProfiles();
+    if (!profiles[name]) {
+        throw new Error(`Profile '${name}' not found.`);
+    }
+    delete profiles[name];
+    store.set("profiles", profiles);
+    // If the deleted profile was active, fall back to default
+    if (getActiveProfileName() === name) {
+        store.set("activeProfile", "default");
+    }
+}
+function setProfileValue(name, key, value) {
+    const profiles = listProfiles();
+    if (!profiles[name]) {
+        throw new Error(`Profile '${name}' not found.`);
+    }
+    profiles[name][key] = value;
+    store.set("profiles", profiles);
+}
+function getProfileValue(key) {
+    return getActiveProfile()[key];
+}
+/**
+ * Called at startup when --profile flag is passed.
+ * Temporarily overrides the active profile for this CLI run.
+ */
+function useProfile(name) {
+    const profiles = listProfiles();
+    if (!profiles[name]) {
+        throw new Error(`Profile '${name}' does not exist. Run 'xtra profile create ${name}' first.`);
+    }
+    // Override in environment so all subsequent getActiveProfileName() calls pick it up
+    process.env.XTRA_PROFILE = name;
+}

package/package.json

@@ -0,0 +1,67 @@
+{
+    "name": "xtra-cli",
+    "version": "1.0.0",
+    "description": "CLI for XtraSecurity Platform",
+    "main": "dist/index.js",
+    "bin": {
+        "xtra": "dist/bin/xtra.js"
+    },
+    "scripts": {
+        "build": "tsc",
+        "start": "node dist/bin/xtra.js",
+        "dev": "ts-node src/bin/xtra.ts",
+        "test": "jest",
+        "test:watch": "jest --watch",
+        "prepublishOnly": "npm run build"
+    },
+    "engines": {
+        "node": ">=16.0.0"
+    },
+    "files": [
+        "dist",
+        "README.md"
+    ],
+    "dependencies": {
+        "@types/diff": "^7.0.2",
+        "@types/dotenv": "^6.1.1",
+        "@types/table": "^6.0.0",
+        "@types/uuid": "^10.0.0",
+        "axios": "^1.6.0",
+        "chalk": "^4.1.2",
+        "commander": "^11.0.0",
+        "conf": "^10.2.0",
+        "csv-parse": "^6.1.0",
+        "csv-stringify": "^6.6.0",
+        "diff": "^8.0.3",
+        "dotenv": "^17.2.3",
+        "ink": "^6.8.0",
+        "ink-select-input": "^6.2.0",
+        "ink-text-input": "^6.0.0",
+        "inquirer": "^8.2.5",
+        "open": "^11.0.0",
+        "ora": "^5.4.1",
+        "react": "^19.2.4",
+        "table": "^6.9.0",
+        "uuid": "^13.0.0",
+        "yaml": "^2.8.2"
+    },
+    "devDependencies": {
+        "@types/babel__core": "^7.20.5",
+        "@types/inquirer": "^9.0.7",
+        "@types/jest": "^29.5.14",
+        "@types/node": "^20.0.0",
+        "@types/prettier": "^2.7.3",
+        "@types/react": "^19.2.14",
+        "jest": "^29.7.0",
+        "ts-jest": "^29.4.6",
+        "ts-node": "^10.9.1",
+        "typescript": "^5.0.0"
+    },
+    "keywords": [
+        "secrets",
+        "cli",
+        "security"
+    ],
+    "author": "XtraSecurity",
+    "license": "ISC"
+}