feat: security hardening, tests, doctor command, CI update, CHANGELOG

- Add AES-256-GCM encryption for API keys (internal/secret)
- Add dangerous command detection in terminal
- Add muyue doctor command for system health checks
- Add scanner TTL cache, orchestrator history mutex, shared HTTP client
- Deduplicate MCP config generation, refactor skills YAML parser
- Add XDG-compliant config dir with legacy migration
- Add cleanup on all TUI quit paths
- Add 8 test files (config, workflow, skills, orchestrator, version,
  platform, scanner, secret)
- Update CI to actions/setup-go@v5
- Add CHANGELOG.md, update README and Makefile

🤖 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>

internal/secret/secret.go

@@ -0,0 +1,125 @@
+package secret
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+)
+
+const keyFileName = ".muyue_key"
+
+var (
+	masterKey []byte
+	once      sync.Once
+	keyErr    error
+)
+
+func getKey() ([]byte, error) {
+	once.Do(func() {
+		keyPath := keyPath()
+		data, err := os.ReadFile(keyPath)
+		if err == nil && len(data) == 32 {
+			masterKey = data
+			return
+		}
+		masterKey = make([]byte, 32)
+		if _, err := rand.Read(masterKey); err != nil {
+			keyErr = fmt.Errorf("generate key: %w", err)
+			return
+		}
+		keyDir := filepath.Dir(keyPath)
+		os.MkdirAll(keyDir, 0700)
+		if err := os.WriteFile(keyPath, masterKey, 0600); err != nil {
+			keyErr = fmt.Errorf("write key: %w", err)
+			return
+		}
+	})
+	return masterKey, keyErr
+}
+
+func keyPath() string {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return ".muyue_key"
+	}
+	return filepath.Join(home, keyFileName)
+}
+
+func Encrypt(plaintext string) (string, error) {
+	if plaintext == "" {
+		return "", nil
+	}
+	key, err := getKey()
+	if err != nil {
+		return "", err
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+	nonce := make([]byte, aesgcm.NonceSize())
+	if _, err := rand.Read(nonce); err != nil {
+		return "", err
+	}
+	ciphertext := aesgcm.Seal(nonce, nonce, []byte(plaintext), nil)
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+func Decrypt(encoded string) (string, error) {
+	if encoded == "" {
+		return "", nil
+	}
+	data, err := base64.StdEncoding.DecodeString(encoded)
+	if err != nil {
+		return "", fmt.Errorf("decode: %w", err)
+	}
+	key, err := getKey()
+	if err != nil {
+		return "", err
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+	aesgcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+	nonceSize := aesgcm.NonceSize()
+	if len(data) < nonceSize {
+		return "", fmt.Errorf("ciphertext too short")
+	}
+	nonce, ciphertext := data[:nonceSize], data[nonceSize:]
+	plaintext, err := aesgcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return "", fmt.Errorf("decrypt: %w", err)
+	}
+	return string(plaintext), nil
+}
+
+func IsEncrypted(s string) bool {
+	if s == "" {
+		return false
+	}
+	_, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return false
+	}
+	decrypted, err := Decrypt(s)
+	return err == nil && decrypted != ""
+}
+
+func resetForTesting() {
+	masterKey = nil
+	keyErr = nil
+	once = sync.Once{}
+}

internal/secret/secret_test.go

@@ -0,0 +1,119 @@
+package secret
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func setupTestEnv(t *testing.T) {
+	t.Helper()
+	tmpDir := t.TempDir()
+	origHome := os.Getenv("HOME")
+	os.Setenv("HOME", tmpDir)
+	t.Cleanup(func() { os.Setenv("HOME", origHome) })
+	resetForTesting()
+}
+
+func TestEncryptDecryptRoundtrip(t *testing.T) {
+	setupTestEnv(t)
+
+	plaintext := "my-super-secret-api-key-12345"
+	encrypted, err := Encrypt(plaintext)
+	if err != nil {
+		t.Fatalf("Encrypt failed: %v", err)
+	}
+	if encrypted == "" {
+		t.Error("Encrypted should not be empty")
+	}
+	if encrypted == plaintext {
+		t.Error("Encrypted should differ from plaintext")
+	}
+
+	decrypted, err := Decrypt(encrypted)
+	if err != nil {
+		t.Fatalf("Decrypt failed: %v", err)
+	}
+	if decrypted != plaintext {
+		t.Errorf("Expected %s, got %s", plaintext, decrypted)
+	}
+}
+
+func TestEncryptEmpty(t *testing.T) {
+	enc, err := Encrypt("")
+	if err != nil {
+		t.Fatalf("Encrypt empty failed: %v", err)
+	}
+	if enc != "" {
+		t.Error("Empty input should return empty output")
+	}
+}
+
+func TestDecryptEmpty(t *testing.T) {
+	dec, err := Decrypt("")
+	if err != nil {
+		t.Fatalf("Decrypt empty failed: %v", err)
+	}
+	if dec != "" {
+		t.Error("Empty input should return empty output")
+	}
+}
+
+func TestIsEncrypted(t *testing.T) {
+	setupTestEnv(t)
+
+	if IsEncrypted("") {
+		t.Error("Empty string should not be encrypted")
+	}
+	if IsEncrypted("not-encrypted") {
+		t.Error("Random string should not be encrypted")
+	}
+
+	enc, _ := Encrypt("test")
+	if !IsEncrypted(enc) {
+		t.Error("Encrypted string should be detected as encrypted")
+	}
+}
+
+func TestKeyFileCreation(t *testing.T) {
+	setupTestEnv(t)
+
+	_, err := Encrypt("test")
+	if err != nil {
+		t.Fatalf("Encrypt failed: %v", err)
+	}
+
+	home, _ := os.UserHomeDir()
+	keyPath := filepath.Join(home, ".muyue_key")
+	if _, err := os.Stat(keyPath); os.IsNotExist(err) {
+		t.Error("Key file should be created")
+	}
+
+	info, _ := os.Stat(keyPath)
+	if info.Mode().Perm()&0077 != 0 {
+		t.Error("Key file should have restrictive permissions")
+	}
+}
+
+func TestDecryptInvalidBase64(t *testing.T) {
+	setupTestEnv(t)
+
+	_, _ = Encrypt("init")
+
+	_, err := Decrypt("not-valid-base64!!!")
+	if err == nil {
+		t.Error("Should fail with invalid base64")
+	}
+}
+
+func TestDifferentKeysProduceDifferentCiphertext(t *testing.T) {
+	setupTestEnv(t)
+
+	enc1, _ := Encrypt("same-input")
+	resetForTesting()
+	enc2, _ := Encrypt("same-input")
+
+	if enc1 == enc2 {
+		t.Error("Different keys should produce different ciphertext (different nonce)")
+	}
+}