Harden security, add key validation, and fix all PHPStan level 5 errors

Security improvements:
- Replace PHP unserialize() with json_decode() in Crypt.php
- Add path traversal validation in web API controllers
- Fail-closed permissions fallback in SecretsTable.vue
- Sanitize error messages in Router (no internal details leaked)

Code quality:
- Add unified secret key validation via GathersInput trait
- Replace exception message string matching with typed exceptions
- Simplify RunCommand argument handling (cmd?* optional array)
- Remove dead code (KeepApplication::$manager property)
- Fix $stages → $envs parameter bug in ConfiguresVaults
- Fix ExceptionFactory missing closing quote

PHPStan level 5 (0 errors):
- Replace unsafe new static() with new self() across data objects
- Update return types from static to self where appropriate
- Fix void method result usage in InteractsWithFilesystem
- Fix null safety in PermissionsCollection groupBy methods
- Remove redundant null checks and instanceof assertions
- Exclude node_modules and deferred CacheExportService from analysis
- Fix type mismatches in ServerCommand, ShellCommand, ShowCommand

Author: jszobody

phpstan.neon

@@ -7,4 +7,6 @@ parameters:
             - src/Laravel/SecretsServiceProvider.php.deferred (?)
             - src/Data/KeepRepository.php.deferred (?)
             - src/Contracts/KeepRepositoryInterface.php.deferred (?)
+            - src/Server/frontend/node_modules
+            - src/Services/Export/CacheExportService.php
     reportUnmatchedIgnoredErrors: false

src/Commands/BaseCommand.php

@@ -69,31 +69,27 @@ protected function enhanceExceptionWithCommandContext(KeepException $exception):
     {
         $existing = $exception->getContext();
 
-        // Build new context from command state, only if not already set
         $newContext = [];
 
-        if (! isset($existing['vault']) && method_exists($this, 'vaultName')) {
-            $vault = $this->vaultName();
-            if ($vault !== null) {
-                $newContext['vault'] = $vault;
-            }
-        }
+        $contextMethods = [
+            'vault' => 'vaultName',
+            'env' => 'env',
+            'key' => 'key',
+        ];
 
-        if (! isset($existing['env']) && method_exists($this, 'env')) {
-            $env = $this->env();
-            if ($env !== null) {
-                $newContext['env'] = $env;
+        foreach ($contextMethods as $contextKey => $method) {
+            if (isset($existing[$contextKey]) || ! method_exists($this, $method)) {
+                continue;
             }
-        }
-
-        if (! isset($existing['key']) && method_exists($this, 'key')) {
-            $key = $this->key();
-            if ($key !== null) {
-                $newContext['key'] = $key;
+            try {
+                $value = $this->$method();
+                if ($value !== null) {
+                    $newContext[$contextKey] = $value;
+                }
+            } catch (\Throwable) {
             }
         }
 
-        // Apply any found context
         if (! empty($newContext)) {
             $exception->withContext($newContext);
         }
@@ -104,10 +100,6 @@ protected function enhanceExceptionWithCommandContext(KeepException $exception):
      */
     protected function configureOutputStyles(): void
     {
-        if (!$this->output) {
-            return;
-        }
-        
         $formatter = $this->output->getFormatter();
 
         // Semantic styles matching the shell

src/Commands/Concerns/ConfiguresVaults.php

@@ -184,7 +184,7 @@ private function setDefaultVault(string $vaultName): void
             $updatedSettings = new \STS\Keep\Data\Settings(
                 appName: 'keep-app',
                 namespace: 'keep-app',
-                stages: ['local', 'staging', 'production'],
+                envs: ['local', 'staging', 'production'],
                 defaultVault: $vaultName
             );
         }

src/Commands/Concerns/GathersInput.php

@@ -3,7 +3,9 @@
 namespace STS\Keep\Commands\Concerns;
 
 use STS\Keep\Data\Context;
+use STS\Keep\Exceptions\KeepException;
 use STS\Keep\Facades\Keep;
+use STS\Keep\Validation\SecretKeyValidator;
 
 use function Laravel\Prompts\select;
 use function Laravel\Prompts\text;
@@ -32,12 +34,22 @@ trait GathersInput
 
     protected function key()
     {
-        // Check if the command even has a 'key' argument before trying to access it
         if (!$this->getDefinition()->hasArgument('key')) {
             return null;
         }
-        
-        return $this->key ??= $this->argument('key') ?? text('Key', 'DATABASE_PASSWORD', required: true);
+
+        if (isset($this->key)) {
+            return $this->key;
+        }
+
+        $key = $this->argument('key') ?? text('Key', 'DATABASE_PASSWORD', required: true);
+
+        $error = (new SecretKeyValidator())->getValidationError($key);
+        if ($error) {
+            throw new KeepException($error);
+        }
+
+        return $this->key = $key;
     }
 
     protected function value()

src/Commands/Concerns/InteractsWithFilesystem.php

@@ -6,10 +6,12 @@
 
 trait InteractsWithFilesystem
 {
-    protected function writeToFile(string $path, string $content, $overwrite = false, $append = false, ?int $permissions = null): bool
+    protected function writeToFile(string $path, string $content, $overwrite = false, $append = false, ?int $permissions = null): int
     {
         if ($this->filesystem->exists($path) && ! $append && ! $overwrite && ! confirm('Output file already exists. Overwrite?', false)) {
-            return $this->error("File [$path] already exists. Use --overwrite or --append option.");
+            $this->error("File [$path] already exists. Use --overwrite or --append option.");
+
+            return self::FAILURE;
         }
 
         $this->filesystem->ensureDirectoryExists(dirname($path));

src/Commands/CopyCommand.php

@@ -3,7 +3,9 @@
 namespace STS\Keep\Commands;
 
 use STS\Keep\Data\Context;
+use STS\Keep\Exceptions\KeepException;
 use STS\Keep\Exceptions\SecretNotFoundException;
+use STS\Keep\Validation\SecretKeyValidator;
 
 use function Laravel\Prompts\confirm;
 use function Laravel\Prompts\table;
@@ -51,6 +53,14 @@ public function process()
             return self::FAILURE;
         }
 
+        // Validate key format
+        if ($key) {
+            $error = (new SecretKeyValidator())->getValidationError($key);
+            if ($error) {
+                throw new KeepException($error);
+            }
+        }
+
         // Route to appropriate handler
         if ($key) {
             return $this->copySingleSecret($key, $sourceContext, $destinationContext);

src/Commands/EnvAddCommand.php

@@ -117,7 +117,7 @@ protected function testNewEnvAcrossVaults(string $envName): PermissionsCollectio
             $collection->addPermission($permission);
 
             // Update stored permissions for this vault
-            $existingPermissions = $localStorage->getVaultPermissions($vaultName) ?? [];
+            $existingPermissions = $localStorage->getVaultPermissions($vaultName);
             $existingPermissions[$envName] = $permission->permissions();
             $localStorage->saveVaultPermissions($vaultName, $existingPermissions);
         }

src/Commands/RenameCommand.php

@@ -65,24 +65,22 @@ public function process()
                 $context->env
             ));
             return self::FAILURE;
+        } catch (\STS\Keep\Exceptions\SecretAlreadyExistsException $e) {
+            $this->error(sprintf('Secret [<secret-name>%s</secret-name>] already exists in <context>%s:%s</context>',
+                $newKey,
+                $context->vault,
+                $context->env
+            ));
+            $this->neutral('Use a different name or delete the existing secret first.');
+            return self::FAILURE;
         } catch (\Exception $e) {
-            if (str_contains($e->getMessage(), 'already exists')) {
-                $this->error(sprintf('Secret [<secret-name>%s</secret-name>] already exists in <context>%s:%s</context>',
-                    $newKey,
-                    $context->vault,
-                    $context->env
-                ));
-                $this->neutral('Use a different name or delete the existing secret first.');
-            } else {
-                $this->error('Failed to rename secret: ' . $e->getMessage());
-                
-                // Try to clean up if we created the new one but failed to delete old
-                if ($vault->has($newKey) && $vault->has($oldKey)) {
-                    $this->warn('Partial rename occurred. New secret was created but old one still exists.');
-                    $this->neutral('You may want to manually delete one of them.');
-                }
+            $this->error('Failed to rename secret: ' . $e->getMessage());
+
+            if ($vault->has($newKey) && $vault->has($oldKey)) {
+                $this->warn('Partial rename occurred. New secret was created but old one still exists.');
+                $this->neutral('You may want to manually delete one of them.');
             }
-            
+
             return self::FAILURE;
         }
     }

src/Commands/RunCommand.php

@@ -15,16 +15,12 @@
 use function Laravel\Prompts\info;
 use function Laravel\Prompts\note;
 
-use Symfony\Component\Console\Input\InputInterface;
-use Symfony\Component\Console\Output\OutputInterface;
-use Illuminate\Console\OutputStyle;
-
 class RunCommand extends BaseCommand
 {
     use GathersInput, ResolvesTemplates;
 
     protected $signature = 'run 
-        {cmd* : Command and arguments to run}
+        {cmd?* : Command and arguments to run}
         {--vault= : Specific vault to use}
         {--env= : Environment to use (required)}
         {--template= : Template file path, or auto-discover {env}.env if no path given}
@@ -43,26 +39,18 @@ public function __construct(Filesystem $filesystem)
         $this->processRunner = new ProcessRunner();
     }
 
-    public function run(InputInterface $input, OutputInterface $output): int
-    {
-        try {
-            return parent::run($input, $output);
-        } catch (\Symfony\Component\Console\Exception\RuntimeException $e) {
-            if (str_contains($e->getMessage(), 'Not enough arguments (missing: "cmd")')) {
-                $this->output = new OutputStyle($input, $output);
-                error('No command specified to run');
-                note('Usage: keep run [options] -- <command> [arguments]');
-                note('Example: keep run --vault=ssm --env=production -- npm start');
-                note('Example: keep run --vault=ssm --env=production -- php artisan serve');
-                return self::FAILURE;
-            }
-            throw $e;
-        }
-    }
-    
     protected function process(): int
     {
         $commandArgs = $this->argument('cmd');
+
+        if (empty($commandArgs)) {
+            error('No command specified to run');
+            note('Usage: keep run [options] -- <command> [arguments]');
+            note('Example: keep run --vault=ssm --env=production -- npm start');
+            note('Example: keep run --vault=ssm --env=production -- php artisan serve');
+            return self::FAILURE;
+        }
+
         $command = $commandArgs[0];
         if (!$this->processRunner->commandExists($command) && !file_exists($command)) {
             error("Command not found: {$command}");

src/Commands/ServerCommand.php

@@ -18,12 +18,11 @@ class ServerCommand extends BaseCommand
 
     protected function process(): int
     {
-        $port = $this->option('port');
-        $host = $this->option('host');
+        $host = (string) $this->option('host');
         $noBrowser = $this->option('no-browser');
-        
+
         // Find available port if default is taken
-        $port = $this->findAvailablePort($host, $port);
+        $port = $this->findAvailablePort($host, (int) $this->option('port'));
 
         // Build server command
         $phpBinary = (new PhpExecutableFinder)->find();