@attest-it/cli 0.4.0 → 0.5.0

package/dist/index.cjs

@@ -15,9 +15,12 @@ var jsxRuntime = require('react/jsx-runtime');
 var promises = require('fs/promises');
 var ui = require('@inkjs/ui');
 var yaml = require('yaml');
+var tabtab = require('@pnpm/tabtab');
 var url = require('url');
 
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
 function _interopNamespace(e) {
   if (e && e.__esModule) return e;
   var n = Object.create(null);
@@ -40,6 +43,7 @@ var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
 var path__namespace = /*#__PURE__*/_interopNamespace(path);
 var os__namespace = /*#__PURE__*/_interopNamespace(os);
 var React7__namespace = /*#__PURE__*/_interopNamespace(React7);
+var tabtab__default = /*#__PURE__*/_interopDefault(tabtab);
 
 // src/index.ts
 var globalOptions = {};
@@ -2486,31 +2490,46 @@ async function runList() {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
+
+// src/commands/identity/validation.ts
+function validateSlug(value, existingIdentities) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return "Slug cannot be empty";
+  }
+  if (!/^[a-z0-9-]+$/.test(trimmed)) {
+    return "Slug must contain only lowercase letters, numbers, and hyphens";
+  }
+  if (existingIdentities?.[trimmed]) {
+    return `Identity "${trimmed}" already exists`;
+  }
+  return true;
+}
+var EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+function validateEmail(value, required = false) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return required ? "Email cannot be empty" : true;
+  }
+  if (!EMAIL_REGEX.test(trimmed)) {
+    return "Please enter a valid email address";
+  }
+  return true;
+}
 var createCommand = new commander.Command("create").description("Create a new identity with Ed25519 keypair").action(async () => {
   await runCreate();
 });
 async function runCreate() {
   try {
-    const theme3 = getTheme2();
+    const theme3 = getTheme();
     log("");
     log(theme3.blue.bold()("Create New Identity"));
     log("");
     const existingConfig = await core.loadLocalConfig();
-    const slug = await prompts.input({
+    const slug = (await prompts.input({
       message: "Identity slug (unique identifier):",
-      validate: (value) => {
-        if (!value || value.trim().length === 0) {
-          return "Slug cannot be empty";
-        }
-        if (!/^[a-z0-9-]+$/.test(value)) {
-          return "Slug must contain only lowercase letters, numbers, and hyphens";
-        }
-        if (existingConfig?.identities[value]) {
-          return `Identity "${value}" already exists`;
-        }
-        return true;
-      }
-    });
+      validate: (value) => validateSlug(value, existingConfig?.identities)
+    })).trim();
     const name = await prompts.input({
       message: "Display name:",
       validate: (value) => {
@@ -2520,21 +2539,31 @@ async function runCreate() {
         return true;
       }
     });
-    const email = await prompts.input({
+    const email = (await prompts.input({
       message: "Email (optional):",
-      default: ""
-    });
+      default: "",
+      validate: validateEmail
+    })).trim();
     const github = await prompts.input({
       message: "GitHub username (optional):",
       default: ""
     });
+    info("Checking available key storage providers...");
+    const opAvailable = await core.OnePasswordKeyProvider.isInstalled();
+    const keychainAvailable = core.MacOSKeychainKeyProvider.isAvailable();
+    const configDir = core.getAttestItConfigDir();
+    const storageChoices = [
+      { name: `File system (${path.join(configDir, "keys")})`, value: "file" }
+    ];
+    if (keychainAvailable) {
+      storageChoices.push({ name: "macOS Keychain", value: "keychain" });
+    }
+    if (opAvailable) {
+      storageChoices.push({ name: "1Password", value: "1password" });
+    }
     const keyStorageType = await prompts.select({
       message: "Where should the private key be stored?",
-      choices: [
-        { name: "File system (~/.config/attest-it/keys/)", value: "file" },
-        { name: "macOS Keychain", value: "keychain" },
-        { name: "1Password", value: "1password" }
-      ]
+      choices: storageChoices
     });
     log("");
     log("Generating Ed25519 keypair...");
@@ -2543,7 +2572,7 @@ async function runCreate() {
     let keyStorageDescription;
     switch (keyStorageType) {
       case "file": {
-        const keysDir = path.join(os.homedir(), ".config", "attest-it", "keys");
+        const keysDir = path.join(core.getAttestItConfigDir(), "keys");
         await promises.mkdir(keysDir, { recursive: true });
         const keyPath = path.join(keysDir, `${slug}.pem`);
         await promises.writeFile(keyPath, keyPair.privateKey, { mode: 384 });
@@ -2552,44 +2581,138 @@ async function runCreate() {
         break;
       }
       case "keychain": {
-        const { MacOSKeychainKeyProvider: MacOSKeychainKeyProvider3 } = await import('@attest-it/core');
-        if (!MacOSKeychainKeyProvider3.isAvailable()) {
+        if (!core.MacOSKeychainKeyProvider.isAvailable()) {
           error("macOS Keychain is not available on this system");
           process.exit(ExitCode.CONFIG_ERROR);
         }
+        const keychains = await core.MacOSKeychainKeyProvider.listKeychains();
+        if (keychains.length === 0) {
+          throw new Error("No keychains found on this system");
+        }
+        const formatKeychainChoice = (kc) => {
+          return `${theme3.blue.bold()(kc.name)} ${theme3.muted(`(${kc.path})`)}`;
+        };
+        let selectedKeychain;
+        if (keychains.length === 1 && keychains[0]) {
+          selectedKeychain = keychains[0];
+          info(`Using keychain: ${formatKeychainChoice(selectedKeychain)}`);
+        } else {
+          const selectedPath = await prompts.select({
+            message: "Select keychain:",
+            choices: keychains.map((kc) => ({
+              name: formatKeychainChoice(kc),
+              value: kc.path
+            }))
+          });
+          const foundKeychain = keychains.find((kc) => kc.path === selectedPath);
+          if (!foundKeychain) {
+            throw new Error("Selected keychain not found");
+          }
+          selectedKeychain = foundKeychain;
+        }
+        const keychainItemName = await prompts.input({
+          message: "Keychain item name:",
+          default: `attest-it-${slug}`,
+          validate: (value) => {
+            if (!value || value.trim().length === 0) {
+              return "Item name cannot be empty";
+            }
+            return true;
+          }
+        });
         const { execFile } = await import('child_process');
         const { promisify } = await import('util');
         const execFileAsync = promisify(execFile);
         const encodedKey = Buffer.from(keyPair.privateKey).toString("base64");
         try {
-          await execFileAsync("security", [
+          const addArgs = [
             "add-generic-password",
             "-a",
             "attest-it",
             "-s",
-            slug,
+            keychainItemName,
             "-w",
             encodedKey,
-            "-U"
-          ]);
+            "-U",
+            selectedKeychain.path
+          ];
+          await execFileAsync("security", addArgs);
         } catch (err) {
           throw new Error(
             `Failed to store key in macOS Keychain: ${err instanceof Error ? err.message : String(err)}`
           );
         }
-        privateKeyRef = { type: "keychain", service: slug, account: "attest-it" };
-        keyStorageDescription = "macOS Keychain (" + slug + "/attest-it)";
+        privateKeyRef = {
+          type: "keychain",
+          service: keychainItemName,
+          account: "attest-it",
+          keychain: selectedKeychain.path
+        };
+        keyStorageDescription = `macOS Keychain: ${selectedKeychain.name}/${keychainItemName}`;
         break;
       }
       case "1password": {
-        const vault = await prompts.input({
-          message: "1Password vault name:",
-          validate: (value) => {
-            if (!value || value.trim().length === 0) {
-              return "Vault name cannot be empty";
+        const accounts = await core.OnePasswordKeyProvider.listAccounts();
+        if (accounts.length === 0) {
+          throw new Error(
+            '1Password CLI is installed but no accounts are signed in. Run "op signin" first.'
+          );
+        }
+        const { execFile } = await import('child_process');
+        const { promisify } = await import('util');
+        const execFileAsync = promisify(execFile);
+        const accountDetails = await Promise.all(
+          accounts.map(async (acc) => {
+            try {
+              const { stdout } = await execFileAsync("op", [
+                "account",
+                "get",
+                "--account",
+                acc.user_uuid,
+                "--format=json"
+              ]);
+              const details = JSON.parse(stdout);
+              const name2 = details !== null && typeof details === "object" && "name" in details && typeof details.name === "string" ? details.name : acc.url;
+              return {
+                url: acc.url,
+                email: acc.email,
+                name: name2
+              };
+            } catch {
+              return {
+                url: acc.url,
+                email: acc.email,
+                name: acc.url
+              };
             }
-            return true;
-          }
+          })
+        );
+        const formatAccountChoice = (acc) => {
+          return `${theme3.blue.bold()(acc.name)} ${theme3.muted(`(${acc.url})`)}`;
+        };
+        let selectedAccount;
+        if (accountDetails.length === 1 && accountDetails[0]) {
+          selectedAccount = accountDetails[0].url;
+          info(`Using 1Password account: ${formatAccountChoice(accountDetails[0])}`);
+        } else {
+          selectedAccount = await prompts.select({
+            message: "Select 1Password account:",
+            choices: accountDetails.map((acc) => ({
+              name: formatAccountChoice(acc),
+              value: acc.url
+            }))
+          });
+        }
+        const vaults = await core.OnePasswordKeyProvider.listVaults(selectedAccount);
+        if (vaults.length === 0) {
+          throw new Error(`No vaults found in 1Password account: ${selectedAccount}`);
+        }
+        const selectedVault = await prompts.select({
+          message: "Select vault for private key storage:",
+          choices: vaults.map((v) => ({
+            name: v.name,
+            value: v.name
+          }))
         });
         const item = await prompts.input({
           message: "1Password item name:",
@@ -2601,26 +2724,40 @@ async function runCreate() {
             return true;
           }
         });
-        const { execFile } = await import('child_process');
-        const { promisify } = await import('util');
-        const execFileAsync = promisify(execFile);
+        const { tmpdir } = await import('os');
+        const tempDir = path.join(tmpdir(), `attest-it-${String(Date.now())}`);
+        await promises.mkdir(tempDir, { recursive: true });
+        const tempPrivatePath = path.join(tempDir, "private.pem");
         try {
-          await execFileAsync("op", [
-            "item",
+          await promises.writeFile(tempPrivatePath, keyPair.privateKey, { mode: 384 });
+          const { execFile: execFile2 } = await import('child_process');
+          const { promisify: promisify2 } = await import('util');
+          const execFileAsync2 = promisify2(execFile2);
+          const opArgs = [
+            "document",
             "create",
-            "--category=SecureNote",
+            tempPrivatePath,
+            "--title",
+            item,
             "--vault",
-            vault,
-            `--title=${item}`,
-            `privateKey[password]=${keyPair.privateKey}`
-          ]);
-        } catch (err) {
-          throw new Error(
-            `Failed to store key in 1Password: ${err instanceof Error ? err.message : String(err)}`
-          );
+            selectedVault
+          ];
+          if (selectedAccount) {
+            opArgs.push("--account", selectedAccount);
+          }
+          await execFileAsync2("op", opArgs);
+        } finally {
+          const { rm } = await import('fs/promises');
+          await rm(tempDir, { recursive: true, force: true }).catch(() => {
+          });
         }
-        privateKeyRef = { type: "1password", vault, item, field: "privateKey" };
-        keyStorageDescription = `1Password (${vault}/${item})`;
+        privateKeyRef = {
+          type: "1password",
+          vault: selectedVault,
+          item,
+          ...selectedAccount && { account: selectedAccount }
+        };
+        keyStorageDescription = `1Password (${selectedVault}/${item})`;
         break;
       }
       default:
@@ -2932,6 +3069,32 @@ async function runEdit(slug) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
+
+// src/utils/format-key-location.ts
+function formatKeyLocation(privateKey) {
+  const theme3 = getTheme();
+  switch (privateKey.type) {
+    case "file":
+      return `${theme3.blue.bold()("File")}: ${theme3.muted(privateKey.path)}`;
+    case "keychain": {
+      let keychainName = "default";
+      if (privateKey.keychain) {
+        const filename = privateKey.keychain.split("/").pop() ?? privateKey.keychain;
+        keychainName = filename.replace(/\.keychain(-db)?$/, "");
+      }
+      return `${theme3.blue.bold()("macOS Keychain")}: ${theme3.muted(`${keychainName}/${privateKey.service}`)}`;
+    }
+    case "1password": {
+      const parts = [privateKey.vault, privateKey.item];
+      if (privateKey.account) {
+        parts.unshift(privateKey.account);
+      }
+      return `${theme3.blue.bold()("1Password")}: ${theme3.muted(parts.join("/"))}`;
+    }
+    default:
+      return "Unknown storage";
+  }
+}
 var removeCommand = new commander.Command("remove").description("Delete identity and optionally delete private key").argument("<slug>", "Identity slug to remove").action(async (slug) => {
   await runRemove(slug);
 });
@@ -2947,7 +3110,7 @@ async function runRemove(slug) {
       error(`Identity "${slug}" not found`);
       process.exit(ExitCode.CONFIG_ERROR);
     }
-    const theme3 = getTheme2();
+    const theme3 = getTheme();
     log("");
     log(theme3.blue.bold()(`Remove Identity: ${slug}`));
     log("");
@@ -2964,6 +3127,9 @@ async function runRemove(slug) {
       log("Cancelled");
       process.exit(ExitCode.CANCELLED);
     }
+    const keyLocation = formatKeyLocation(identity.privateKey);
+    log(`  Private key: ${keyLocation}`);
+    log("");
     const deletePrivateKey = await prompts.confirm({
       message: "Also delete the private key from storage?",
       default: false
@@ -2986,13 +3152,17 @@ async function runRemove(slug) {
           const { promisify } = await import('util');
           const execFileAsync = promisify(execFile);
           try {
-            await execFileAsync("security", [
+            const deleteArgs = [
               "delete-generic-password",
               "-s",
               identity.privateKey.service,
               "-a",
               identity.privateKey.account
-            ]);
+            ];
+            if (identity.privateKey.keychain) {
+              deleteArgs.push(identity.privateKey.keychain);
+            }
+            await execFileAsync("security", deleteArgs);
             log(`  Deleted private key from macOS Keychain`);
           } catch (err) {
             if (err instanceof Error && !err.message.includes("could not be found") && !err.message.includes("does not exist")) {
@@ -3130,17 +3300,20 @@ async function runWhoami() {
       error("Active identity not found");
       process.exit(ExitCode.CONFIG_ERROR);
     }
-    const theme3 = getTheme2();
+    const theme3 = getTheme();
     log("");
-    log(theme3.green.bold()(identity.name));
+    log(theme3.blue.bold()("Active Identity"));
+    log("");
+    log(`  Slug:       ${theme3.green.bold()(config.activeIdentity)}`);
+    log(`  Name:       ${identity.name}`);
     if (identity.email) {
-      log(theme3.muted(identity.email));
+      log(`  Email:      ${theme3.muted(identity.email)}`);
     }
     if (identity.github) {
-      log(theme3.muted("@" + identity.github));
+      log(`  GitHub:     ${theme3.muted("@" + identity.github)}`);
     }
-    log("");
-    log(`Identity: ${theme3.blue(config.activeIdentity)}`);
+    log(`  Public Key: ${theme3.muted(identity.publicKey.slice(0, 24) + "...")}`);
+    log(`  Key Store:  ${formatKeyLocation(identity.privateKey)}`);
     log("");
   } catch (err) {
     if (err instanceof Error) {
@@ -3591,6 +3764,207 @@ async function runRemove2(slug, options) {
 
 // src/commands/team/index.ts
 var teamCommand = new commander.Command("team").description("Manage team members and authorizations").addCommand(listCommand2).addCommand(addCommand).addCommand(editCommand2).addCommand(removeCommand2);
+var PROGRAM_NAME = "attest-it";
+async function getCompletions(env) {
+  let shell;
+  try {
+    const detectedShell = tabtab__default.default.getShellFromEnv(process.env);
+    shell = detectedShell === "pwsh" ? "bash" : detectedShell;
+  } catch {
+    shell = "bash";
+  }
+  const commands = [
+    { name: "init", description: "Initialize a new config file" },
+    { name: "status", description: "Show status of all gates" },
+    { name: "run", description: "Run test suites interactively" },
+    { name: "verify", description: "Verify all seals are valid" },
+    { name: "seal", description: "Create a seal for a gate" },
+    { name: "keygen", description: "Generate a new keypair" },
+    { name: "prune", description: "Remove stale attestations" },
+    { name: "identity", description: "Manage identities" },
+    { name: "team", description: "Manage team members" },
+    { name: "whoami", description: "Show active identity" },
+    { name: "completion", description: "Shell completion commands" }
+  ];
+  const globalOptions2 = [
+    { name: "--help", description: "Show help" },
+    { name: "--version", description: "Show version" },
+    { name: "--verbose", description: "Verbose output" },
+    { name: "--quiet", description: "Minimal output" },
+    { name: "--config", description: "Path to config file" }
+  ];
+  const identitySubcommands = [
+    { name: "create", description: "Create a new identity" },
+    { name: "list", description: "List all identities" },
+    { name: "use", description: "Switch active identity" },
+    { name: "remove", description: "Remove an identity" }
+  ];
+  const teamSubcommands = [
+    { name: "add", description: "Add yourself to the team" },
+    { name: "list", description: "List team members" },
+    { name: "remove", description: "Remove a team member" }
+  ];
+  const completionSubcommands = [
+    { name: "install", description: "Install shell completion" },
+    { name: "uninstall", description: "Uninstall shell completion" }
+  ];
+  const words = env.line.split(/\s+/).filter(Boolean);
+  const lastWord = env.last;
+  const prevWord = env.prev;
+  if (prevWord === "--config" || prevWord === "-c") {
+    tabtab__default.default.logFiles();
+    return;
+  }
+  if (lastWord.startsWith("-")) {
+    tabtab__default.default.log(globalOptions2, shell, console.log);
+    return;
+  }
+  const commandIndex = words.findIndex(
+    (w) => !w.startsWith("-") && w !== PROGRAM_NAME && w !== "npx"
+  );
+  const currentCommand = commandIndex >= 0 ? words[commandIndex] ?? null : null;
+  if (currentCommand === "identity") {
+    const subcommandIndex = words.findIndex(
+      (w, i) => i > commandIndex && !w.startsWith("-")
+    );
+    const subcommand = subcommandIndex >= 0 ? words[subcommandIndex] ?? null : null;
+    if (subcommand === "use" || subcommand === "remove") {
+      const identities = await getIdentitySlugs();
+      if (identities.length > 0) {
+        tabtab__default.default.log(identities, shell, console.log);
+        return;
+      }
+    }
+    if (!subcommand || subcommandIndex < 0) {
+      tabtab__default.default.log(identitySubcommands, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "team") {
+    const subcommandIndex = words.findIndex(
+      (w, i) => i > commandIndex && !w.startsWith("-")
+    );
+    const subcommand = subcommandIndex >= 0 ? words[subcommandIndex] ?? null : null;
+    if (!subcommand || subcommandIndex < 0) {
+      tabtab__default.default.log(teamSubcommands, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "completion") {
+    const subcommandIndex = words.findIndex(
+      (w, i) => i > commandIndex && !w.startsWith("-")
+    );
+    const subcommand = subcommandIndex >= 0 ? words[subcommandIndex] ?? null : null;
+    if (subcommand === "install") {
+      tabtab__default.default.log(["bash", "zsh", "fish"], shell, console.log);
+      return;
+    }
+    if (!subcommand || subcommandIndex < 0) {
+      tabtab__default.default.log(completionSubcommands, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "status" || currentCommand === "verify" || currentCommand === "seal") {
+    const gates = await getGateNames();
+    if (gates.length > 0) {
+      tabtab__default.default.log(gates, shell, console.log);
+      return;
+    }
+  }
+  if (currentCommand === "run") {
+    const suites = await getSuiteNames();
+    if (suites.length > 0) {
+      tabtab__default.default.log(suites, shell, console.log);
+      return;
+    }
+  }
+  if (!currentCommand) {
+    tabtab__default.default.log([...commands, ...globalOptions2], shell, console.log);
+  }
+}
+async function getIdentitySlugs() {
+  try {
+    const config = await core.loadLocalConfig();
+    if (config?.identities) {
+      return Object.keys(config.identities);
+    }
+  } catch {
+  }
+  return [];
+}
+async function getGateNames() {
+  try {
+    const config = await core.loadConfig();
+    if (config.gates) {
+      return Object.keys(config.gates);
+    }
+  } catch {
+  }
+  return [];
+}
+async function getSuiteNames() {
+  try {
+    const config = await core.loadConfig();
+    return Object.keys(config.suites);
+  } catch {
+  }
+  return [];
+}
+var completionCommand = new commander.Command("completion").description("Shell completion commands");
+completionCommand.command("install [shell]").description("Install shell completion (bash, zsh, or fish)").action(async (shellArg) => {
+  try {
+    let shell;
+    if (shellArg !== void 0) {
+      if (tabtab__default.default.isShellSupported(shellArg)) {
+        shell = shellArg;
+      } else {
+        error(`Shell "${shellArg}" is not supported. Use bash, zsh, or fish.`);
+        process.exit(ExitCode.CONFIG_ERROR);
+      }
+    }
+    await tabtab__default.default.install({
+      name: PROGRAM_NAME,
+      completer: PROGRAM_NAME,
+      shell
+    });
+    log("");
+    success("Shell completion installed!");
+    log("");
+    info("Restart your shell or run:");
+    if (shell === "bash" || !shell) {
+      log("  source ~/.bashrc");
+    }
+    if (shell === "zsh" || !shell) {
+      log("  source ~/.zshrc");
+    }
+    if (shell === "fish" || !shell) {
+      log("  source ~/.config/fish/config.fish");
+    }
+    log("");
+  } catch (err) {
+    error(`Failed to install completion: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+});
+completionCommand.command("uninstall").description("Uninstall shell completion").action(async () => {
+  try {
+    await tabtab__default.default.uninstall({
+      name: PROGRAM_NAME
+    });
+    log("");
+    success("Shell completion uninstalled!");
+    log("");
+  } catch (err) {
+    error(`Failed to uninstall completion: ${err instanceof Error ? err.message : String(err)}`);
+    process.exit(ExitCode.CONFIG_ERROR);
+  }
+});
+completionCommand.command("server", { hidden: true }).description("Completion server (internal)").action(async () => {
+  const env = tabtab__default.default.parseEnv(process.env);
+  if (env.complete) {
+    await getCompletions(env);
+  }
+});
 function hasVersion(data) {
   return typeof data === "object" && data !== null && "version" in data && // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
   typeof data.version === "string";
@@ -3634,7 +4008,19 @@ program.addCommand(sealCommand);
 program.addCommand(identityCommand);
 program.addCommand(teamCommand);
 program.addCommand(whoamiCommand);
+program.addCommand(completionCommand);
+function processHomeDirOption() {
+  const homeDirIndex = process.argv.indexOf("--home-dir");
+  if (homeDirIndex !== -1 && homeDirIndex + 1 < process.argv.length) {
+    const homeDir = process.argv[homeDirIndex + 1];
+    if (homeDir && !homeDir.startsWith("-")) {
+      core.setAttestItHomeDir(homeDir);
+      process.argv.splice(homeDirIndex, 2);
+    }
+  }
+}
 async function run() {
+  processHomeDirOption();
   if (process.argv.includes("--version") || process.argv.includes("-V")) {
     console.log(getPackageVersion());
     process.exit(0);