Add programs

Author: astrovm

.gitignore

@@ -202,4 +202,3 @@ dist
 # .pnp.*
 
 # End of https://www.toptal.com/developers/gitignore/api/hugo,node,go,yarn
-utils/src/

static/terminal-window/encrypted-commands.js.enc

@@ -1,9 +1,8 @@
-// This script encrypts/decrypts your secret commands with multiple passwords
-// Each password will decrypt to different content
-// Run it with Node.js:
-// To encrypt: node encrypt-commands.js encrypt [master_password]
-// To decrypt: node encrypt-commands.js decrypt password output.js
-//            or node encrypt-commands.js decrypt master_password src/  (recreates all files)
+// Encrypt/decrypt multi-part commands; binary-safe; auto-injects __SECRETS__
+// Usage:
+//   node encrypt-commands.js encrypt [master_password]
+//   node encrypt-commands.js decrypt password output.js        // single
+//   node encrypt-commands.js decrypt master_password src/      // restore all
 
 const crypto = require("crypto");
 const path = require("path");
@@ -14,191 +13,174 @@ const ENCRYPTED_FILE = path.resolve(
   "../static/terminal-window/encrypted-commands.js.enc"
 );
 
-// Simplified encryption configuration
-const CONFIG = {
-  iterations: 1000000,
-  keyLength: 32,
-  ivLength: 16,
-  saltLength: 32,
-  tagLength: 16,
-};
+const CONFIG = { iterations: 1_000_000, keyLength: 32, ivLength: 16, saltLength: 32, tagLength: 16 };
+const BINARY_EXT = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".webm"]);
 
 function deriveKey(password, salt) {
-  return crypto.pbkdf2Sync(
-    password,
-    salt,
-    CONFIG.iterations,
-    CONFIG.keyLength,
-    "sha512"
-  );
+  return crypto.pbkdf2Sync(password, salt, CONFIG.iterations, CONFIG.keyLength, "sha512");
 }
 
-function encryptContent(content, password, salt, iv) {
+function encryptBuffer(buffer, password, salt, iv) {
   const key = deriveKey(password, salt);
   const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
-  const encrypted = Buffer.concat([
-    cipher.update(content, "utf8"),
-    cipher.final(),
-  ]);
+  const encrypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
   return { encrypted, authTag: cipher.getAuthTag() };
 }
 
+function walk(dir, basedir, out = []) {
+  for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
+    const abs = path.join(dir, ent.name);
+    if (ent.isDirectory()) walk(abs, basedir, out);
+    else if (ent.isFile()) {
+      const rel = path.posix.normalize(path.relative(basedir, abs).split(path.sep).join("/"));
+      out.push(rel);
+    }
+  }
+  return out;
+}
+
+function isBinaryByExt(rel) {
+  return BINARY_EXT.has(path.extname(rel).toLowerCase());
+}
+
+function makeUint8Literal(buf) {
+  const nums = Array.from(buf);
+  return `new Uint8Array([${nums.join(",")}])`;
+}
+
+function buildSecretsBlock(assets) {
+  const lines = [];
+  lines.push("(function(){");
+  lines.push("  try { if (!window.__SECRETS__) window.__SECRETS__ = Object.create(null);");
+  for (const a of assets) {
+    lines.push(`    window.__SECRETS__[${JSON.stringify(a.rel)}] = ${makeUint8Literal(a.buffer)};`);
+  }
+  lines.push("  } catch(e){ console.error('SECRETS inject failed', e); }");
+  lines.push("})();");
+  return lines.join("\n");
+}
+
 async function encryptCommands(masterPassword) {
   const srcDir = path.resolve(__dirname, "src");
-  const files = fs.readdirSync(srcDir);
-
-  // Each file in src becomes a password:content pair
-  const entries = files.map((filename) => {
-    const password = path.parse(filename).name; // Use filename without extension as password
-    const file = path.resolve(srcDir, filename);
-    const content = fs.readFileSync(file, "utf8");
-    return { password, content, filename };
+  if (!fs.existsSync(srcDir)) throw new Error("Missing src/ directory");
+
+  const relPaths = walk(srcDir, srcDir);
+  if (!relPaths.length) throw new Error("No files found in src/");
+
+  const files = relPaths.map((rel) => {
+    const abs = path.join(srcDir, rel);
+    return { rel, buffer: fs.readFileSync(abs), isBinary: isBinaryByExt(rel) };
   });
 
-  if (entries.length === 0) {
-    throw new Error("No files found in src directory");
-  }
+  // All custom cat assets to embed
+  const onekoAssets = files.filter((f) => f.rel.startsWith("oneko_custom/"));
+
+  // Build encrypted parts (password = filename without extension, as before)
+  const entries = files.map((f) => {
+    const parsed = path.parse(f.rel);
+    const password = parsed.name;
+
+    // For su:* login payloads, **prepend** the secrets so they exist before file runs
+    if (/^su:[^:]+:.+$/i.test(password) && parsed.ext === ".js") {
+      const jsText = f.buffer.toString("utf8");
+      const secretsCode = buildSecretsBlock(onekoAssets);
+      const merged = Buffer.from(
+        "// --- AUTO-INJECTED (oneko_custom assets) ---\n" +
+          secretsCode +
+          "\n// --- END AUTO-INJECTED ---\n\n" +
+          jsText,
+        "utf8"
+      );
+      return { password, buffer: merged, rel: f.rel };
+    }
+    return { password, buffer: f.buffer, rel: f.rel };
+  });
 
-  // Use the same salt and IV for all encryptions
+  // Single salt+IV for whole bundle (keeps legacy layout)
   const salt = crypto.randomBytes(CONFIG.saltLength);
   const iv = crypto.randomBytes(CONFIG.ivLength);
 
-  // If master password provided, add master entry with all files info
-  if (masterPassword) {
-    const masterContent = JSON.stringify(
-      entries.map((e) => ({
-        filename: e.filename,
-        content: e.content,
-      }))
-    );
-    entries.push({ password: masterPassword, content: masterContent });
-  }
-
-  // Encrypt each content with its password
-  const encryptedParts = entries.map(({ password, content }) => {
-    const { encrypted, authTag } = encryptContent(content, password, salt, iv);
+  const encryptedParts = entries.map(({ password, buffer }) => {
+    const { encrypted, authTag } = encryptBuffer(buffer, password, salt, iv);
     return { encrypted, authTag };
   });
 
-  // Combine all encrypted parts
-  // Format: [salt][iv][size1][enc1][tag1][size2][enc2][tag2]...
-  const parts = [salt, iv];
-  encryptedParts.forEach(({ encrypted, authTag }) => {
-    // Add 4-byte size header for each part
-    const sizeBuffer = Buffer.alloc(4);
-    sizeBuffer.writeUInt32BE(encrypted.length);
-    parts.push(sizeBuffer, encrypted, authTag);
-  });
+  // Optional master archive (JSON manifest, binary-safe)
+  if (masterPassword) {
+    const masterPayload = files.map((f) => ({
+      filename: f.rel,
+      isBinary: f.isBinary,
+      content: f.isBinary ? f.buffer.toString("base64") : f.buffer.toString("utf8"),
+    }));
+    const masterBuf = Buffer.from(JSON.stringify(masterPayload), "utf8");
+    const { encrypted, authTag } = encryptBuffer(masterBuf, masterPassword, salt, iv);
+    encryptedParts.push({ encrypted, authTag });
+  }
 
-  const result = Buffer.concat(parts);
-  fs.writeFileSync(ENCRYPTED_FILE, result);
-
-  console.log(`Encrypted commands saved to ${ENCRYPTED_FILE}`);
-  console.log(`\nSecurity parameters:`);
-  console.log(`- Key derivation: SHA-512`);
-  console.log(`- Iterations: ${CONFIG.iterations.toLocaleString()}`);
-  console.log(
-    `- Salt/Key/IV lengths: ${CONFIG.saltLength * 8}/${CONFIG.keyLength * 8}/${
-      CONFIG.ivLength * 8
-    } bits`
-  );
-  console.log(`- Number of encrypted parts: ${entries.length}`);
+  // Write bundle: [salt][iv][sizeN][encN][tagN]...
+  const parts = [salt, iv];
+  for (const { encrypted, authTag } of encryptedParts) {
+    const size = Buffer.alloc(4);
+    size.writeUInt32BE(encrypted.length);
+    parts.push(size, encrypted, authTag);
+  }
+  fs.writeFileSync(ENCRYPTED_FILE, Buffer.concat(parts));
+  console.log(`Encrypted → ${ENCRYPTED_FILE}  (parts=${encryptedParts.length})`);
 }
 
 async function decryptCommands(password, outputPath) {
-  const encryptedData = fs.readFileSync(ENCRYPTED_FILE);
-
-  // Extract common components
-  let offset = 0;
-  const salt = encryptedData.slice(offset, (offset += CONFIG.saltLength));
-  const iv = encryptedData.slice(offset, (offset += CONFIG.ivLength));
-
+  const buf = fs.readFileSync(ENCRYPTED_FILE);
+  let off = 0;
+  const salt = buf.slice(off, (off += CONFIG.saltLength));
+  const iv = buf.slice(off, (off += CONFIG.ivLength));
   const key = deriveKey(password, salt);
-  const decryptedParts = [];
 
-  // Try to decrypt each part
-  while (offset < encryptedData.length) {
+  const outs = [];
+  while (off < buf.length) {
     try {
-      // Read size of next encrypted part
-      const size = encryptedData.readUInt32BE(offset);
-      offset += 4;
-
-      // Extract encrypted content and tag
-      const encrypted = encryptedData.slice(offset, offset + size);
-      offset += size;
-      const authTag = encryptedData.slice(offset, offset + CONFIG.tagLength);
-      offset += CONFIG.tagLength;
-
-      // Try to decrypt this part
-      const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
-      decipher.setAuthTag(authTag);
-      const decrypted = Buffer.concat([
-        decipher.update(encrypted),
-        decipher.final(),
-      ]);
-
-      decryptedParts.push(decrypted);
-    } catch (error) {
-      // Try next part
-      continue;
-    }
+      const size = buf.readUInt32BE(off); off += 4;
+      const enc = buf.slice(off, off + size); off += size;
+      const tag = buf.slice(off, off + CONFIG.tagLength); off += CONFIG.tagLength;
+      const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
+      d.setAuthTag(tag);
+      outs.push(Buffer.concat([d.update(enc), d.final()]));
+    } catch { /* skip wrong key part */ }
   }
-
-  if (decryptedParts.length === 0) {
-    console.error("Decryption failed. Invalid password or corrupted file.");
+  if (!outs.length) {
+    console.error("Decryption failed (bad password or file).");
     process.exit(1);
   }
 
-  // If output is a directory, try to parse as master password result
   if (outputPath.endsWith("/")) {
-    try {
-      // Try to parse as JSON (master password result)
-      const files = JSON.parse(decryptedParts[0]);
-
-      // Ensure directory exists
-      if (!fs.existsSync(outputPath)) {
-        fs.mkdirSync(outputPath, { recursive: true });
-      }
-
-      // Write each file
-      files.forEach(({ filename, content }) => {
-        const outputFile = path.join(outputPath, filename);
-        fs.writeFileSync(outputFile, content);
-        console.log(`Decrypted ${filename} saved to ${outputFile}`);
-      });
-      return;
-    } catch (e) {
-      // Not master password result, fall through to single file
+    // Master payload restore
+    const list = JSON.parse(outs[0].toString("utf8"));
+    if (!fs.existsSync(outputPath)) fs.mkdirSync(outputPath, { recursive: true });
+    for (const f of list) {
+      const outFile = path.join(outputPath, f.filename);
+      fs.mkdirSync(path.dirname(outFile), { recursive: true });
+      const data = f.isBinary ? Buffer.from(f.content, "base64") : Buffer.from(f.content, "utf8");
+      fs.writeFileSync(outFile, data);
+      console.log("Decrypted", f.filename);
     }
+    return;
   }
 
-  // Normal single-file decryption
-  fs.writeFileSync(outputPath, decryptedParts[0]);
-  console.log(`Decrypted commands saved to ${outputPath}`);
+  fs.writeFileSync(outputPath, outs[0]);
+  console.log(`Decrypted → ${outputPath}`);
 }
 
 const action = process.argv[2];
 const args = process.argv.slice(3);
-
-if (!action || !["encrypt", "decrypt"].includes(action)) {
-  console.error(
-    "Usage:\n" +
-      "  Encrypt: node encrypt-commands.js encrypt [master_password]\n" +
-      "  Decrypt: node encrypt-commands.js decrypt password output.js"
-  );
+if (!["encrypt", "decrypt"].includes(action)) {
+  console.error("Usage:\n  node encrypt-commands.js encrypt [master_password]\n  node encrypt-commands.js decrypt password output.js\n  node encrypt-commands.js decrypt master_password src/");
   process.exit(1);
 }
-
 if (action === "encrypt") {
-  const masterPassword = args[0]; // Optional master password
-  encryptCommands(masterPassword);
+  encryptCommands(args[0]);
 } else {
   const [password, outputPath] = args;
   if (!password || !outputPath) {
-    console.error("Decrypt requires password and output path");
-    console.error(
-      "Use directory path ending with / for master password to recreate all files"
-    );
+    console.error("decrypt requires: password outputPath  (use a dir ending with / for master)");
     process.exit(1);
   }
   decryptCommands(password, outputPath);