Initial upload: api-token-vault Rust CLI tool with encrypted vault storage

2026-01-31 22:54:32 +00:00
parent d5d170a0f0
commit 3cd086c22f
1 changed files with 209 additions and 0 deletions
--- a/app/api-token-vault/README.md
+++ b/app/api-token-vault/README.md
@@ -0,0 +1,209 @@
+# API Token Vault
+
+[![CI](https://img.shields.io/badge/CI-Gitea%20Actions-blue)](https://7000pct.gitea.bloupla.net/7000pctAUTO/api-token-vault/actions)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow)](https://opensource.org/licenses/MIT)
+[![Rust](https://img.shields.io/badge/Rust-1.70+-orange)](https://www.rust-lang.org)
+
+A Rust CLI tool that generates cryptographically secure API tokens, stores them in an encrypted local vault, rotates them on configurable schedules, and injects them into .env files. Provides multi-project isolation with separate vaults per project.
+
+## Features
+
+- **Secure Token Generation**: Generate cryptographically secure API tokens using libsodium
+- **Encrypted Vault Storage**: All tokens stored encrypted using libsodium's secretbox
+- **Auto-Rotation Schedules**: Configure automatic token rotation with configurable intervals
+- **.env File Injection**: Inject tokens directly into .env files with custom prefixes
+- **Multi-Project Isolation**: Separate vaults for different projects with independent passwords
+- **Secure Key Derivation**: Uses Argon2id for deriving encryption keys from master passwords
+
+## Installation
+
+### From Crates.io
+
+```bash
+cargo install api-token-vault
+```
+
+### From Source
+
+```bash
+git clone https://7000pct.gitea.bloupla.net/7000pctAUTO/api-token-vault.git
+cd api-token-vault
+cargo build --release
+```
+
+The binary will be at `target/release/api-token-vault`.
+
+## Quick Start
+
+### Initialize a Vault
+
+```bash
+api-token-vault init --project my-project
+```
+
+You can also set the project via environment variable:
+
+```bash
+export API_VAULT_PROJECT=my-project
+api-token-vault init
+```
+
+### Generate a Token
+
+```bash
+api-token-vault generate --name api_key --length 32
+```
+
+### List All Tokens
+
+```bash
+api-token-vault list
+```
+
+### Get a Token Value
+
+```bash
+api-token-vault get --name api_key
+api-token-vault get --name api_key --raw  # Output only the token value
+```
+
+### Rotate a Token
+
+```bash
+api-token-vault rotate --name api_key
+api-token-vault rotate --name api_key --force  # Force rotation even if not due
+```
+
+### Set Auto-Rotation
+
+```bash
+api-token-vault set-rotation --name api_key --days 30
+```
+
+### Check Expired Tokens
+
+```bash
+api-token-vault check-expired
+```
+
+### Rotate All Expired Tokens
+
+```bash
+api-token-vault rotate-expired
+```
+
+### Inject Tokens into .env File
+
+```bash
+api-token-vault inject --env-file .env
+api-token-vault inject --env-file .env --dry-run  # Preview changes without writing
+api-token-vault inject --env-file .env --token-prefix MY_TOKEN_  # Custom prefix
+```
+
+### Delete a Token
+
+```bash
+api-token-vault delete --name api_key
+```
+
+## Command Reference
+
+| Command | Description |
+|---------|-------------|
+| `init` | Initialize a new vault for a project |
+| `generate` | Generate a new secure API token |
+| `list` | List all tokens in the vault |
+| `get` | Get a specific token value |
+| `delete` | Delete a token from the vault |
+| `rotate` | Rotate (regenerate) a specific token |
+| `set-rotation` | Set auto-rotation schedule for a token |
+| `inject` | Inject tokens into a .env file |
+| `check-expired` | Check for expired tokens |
+| `rotate-expired` | Rotate all expired tokens |
+
+## Configuration
+
+### Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `API_VAULT_PATH` | Custom path for vault storage directory |
+| `API_VAULT_PROJECT` | Default project name (used when not specified via CLI) |
+
+### Vault Location
+
+By default, vaults are stored in:
+- Linux/macOS: `~/.config/api-token-vault/`
+- Windows: `%APPDATA%\api-token-vault\`
+
+Each project has its own vault file: `~/.config/api-token-vault/{project_name}.json`
+
+## Security
+
+- **Encryption**: Uses libsodium's secretbox for authenticated encryption
+- **Key Derivation**: Uses Argon2id (via libsodium's pwhash) for key derivation
+- **Master Password**: Required to access each vault
+- **Salt**: Unique salt per vault for key derivation
+
+## Token Formats
+
+The tool can generate tokens in various formats:
+- **Default**: Base64-encoded secure random bytes
+- **Hex**: Hexadecimal encoded
+- **Alphanumeric**: Letters and numbers only
+- **API Key**: With custom prefix (e.g., `sk_live_xxxxx`)
+
+## Development
+
+### Build
+
+```bash
+cargo build
+cargo build --release
+```
+
+### Run Tests
+
+```bash
+cargo test
+cargo test --all
+```
+
+### Lint
+
+```bash
+cargo clippy
+```
+
+### Benchmarks
+
+```bash
+cargo bench
+```
+
+## Project Structure
+
+```
+api-token-vault/
+├── Cargo.toml
+├── Cargo.lock
+├── README.md
+├── src/
+│   ├── main.rs           # Entry point and command handling
+│   ├── cli.rs            # CLI argument parsing with clap
+│   ├── vault.rs          # Vault storage and management
+│   ├── token.rs          # Token generation and data structures
+│   ├── rotation.rs       # Token rotation scheduling
+│   ├── env_injector.rs   # .env file injection
+│   └── crypto.rs         # Cryptographic operations
+└── tests/
+    └── integration_tests.rs
+```
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.