@attest-it/cli 0.6.0 → 0.7.0

package/dist/index.cjs

@@ -1665,17 +1665,28 @@ function getKeyRefFromIdentity(identity) {
   }
 }
 function KeygenInteractive(props) {
-  const { onComplete, onError } = props;
+  const { onComplete, onCancel, onError } = props;
   const [step, setStep] = React7.useState("checking-providers");
   const [opAvailable, setOpAvailable] = React7.useState(false);
   const [keychainAvailable, setKeychainAvailable] = React7.useState(false);
+  const [yubiKeyAvailable, setYubiKeyAvailable] = React7.useState(false);
   const [accounts, setAccounts] = React7.useState([]);
   const [vaults, setVaults] = React7.useState([]);
+  const [yubiKeyDevices, setYubiKeyDevices] = React7.useState([]);
   const [_selectedProvider, setSelectedProvider] = React7.useState();
   const [selectedAccount, setSelectedAccount] = React7.useState();
   const [selectedVault, setSelectedVault] = React7.useState();
   const [itemName, setItemName] = React7.useState("attest-it-private-key");
   const [keychainItemName, setKeychainItemName] = React7.useState("attest-it-private-key");
+  const [selectedYubiKeySerial, setSelectedYubiKeySerial] = React7.useState();
+  const [selectedYubiKeySlot, setSelectedYubiKeySlot] = React7.useState(2);
+  const [slot1Configured, setSlot1Configured] = React7.useState(false);
+  const [slot2Configured, setSlot2Configured] = React7.useState(false);
+  ink.useInput((_input, key) => {
+    if (key.escape) {
+      onCancel();
+    }
+  });
   React7.useEffect(() => {
     const checkProviders = async () => {
       try {
@@ -1690,6 +1701,19 @@ function KeygenInteractive(props) {
       }
       const isKeychainAvailable = core.MacOSKeychainKeyProvider.isAvailable();
       setKeychainAvailable(isKeychainAvailable);
+      try {
+        const isInstalled = await core.YubiKeyProvider.isInstalled();
+        if (isInstalled) {
+          const isConnected = await core.YubiKeyProvider.isConnected();
+          if (isConnected) {
+            const devices = await core.YubiKeyProvider.listDevices();
+            setYubiKeyDevices(devices);
+            setYubiKeyAvailable(devices.length > 0);
+          }
+        }
+      } catch {
+        setYubiKeyAvailable(false);
+      }
       setStep("select-provider");
     };
     void checkProviders();
@@ -1707,6 +1731,27 @@ function KeygenInteractive(props) {
       void fetchVaults();
     }
   }, [step, selectedAccount, onError]);
+  const checkYubiKeySlots = async (serial) => {
+    try {
+      const slot1 = await core.YubiKeyProvider.isChallengeResponseConfigured(1, serial);
+      const slot2 = await core.YubiKeyProvider.isChallengeResponseConfigured(2, serial);
+      setSlot1Configured(slot1);
+      setSlot2Configured(slot2);
+      if (slot1 && slot2) {
+        setStep("select-yubikey-slot");
+      } else if (slot2) {
+        setSelectedYubiKeySlot(2);
+        void generateKeys("yubikey");
+      } else if (slot1) {
+        setSelectedYubiKeySlot(1);
+        void generateKeys("yubikey");
+      } else {
+        setStep("yubikey-offer-setup");
+      }
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Failed to check YubiKey slots"));
+    }
+  };
   const handleProviderSelect = (value) => {
     if (value === "filesystem") {
       setSelectedProvider("filesystem");
@@ -1714,7 +1759,7 @@ function KeygenInteractive(props) {
     } else if (value === "1password") {
       setSelectedProvider("1password");
       if (accounts.length === 1 && accounts[0]) {
-        setSelectedAccount(accounts[0].email);
+        setSelectedAccount(accounts[0].user_uuid);
         setStep("select-vault");
       } else {
         setStep("select-account");
@@ -1722,6 +1767,14 @@ function KeygenInteractive(props) {
     } else if (value === "macos-keychain") {
       setSelectedProvider("macos-keychain");
       setStep("enter-keychain-item-name");
+    } else if (value === "yubikey") {
+      setSelectedProvider("yubikey");
+      if (yubiKeyDevices.length > 1) {
+        setStep("select-yubikey-device");
+      } else if (yubiKeyDevices.length === 1 && yubiKeyDevices[0]) {
+        setSelectedYubiKeySerial(yubiKeyDevices[0].serial);
+        void checkYubiKeySlots(yubiKeyDevices[0].serial);
+      }
     }
   };
   const handleAccountSelect = (value) => {
@@ -1740,6 +1793,47 @@ function KeygenInteractive(props) {
     setKeychainItemName(value);
     void generateKeys("macos-keychain");
   };
+  const handleYubiKeyDeviceSelect = (value) => {
+    setSelectedYubiKeySerial(value);
+    void checkYubiKeySlots(value);
+  };
+  const handleYubiKeySlotSelect = (value) => {
+    const slot = value === "1" ? 1 : 2;
+    setSelectedYubiKeySlot(slot);
+    void generateKeys("yubikey");
+  };
+  const handleYubiKeySetupConfirm = (value) => {
+    if (value === "yes") {
+      void setupYubiKeySlot();
+    } else {
+      onError(new Error("YubiKey setup cancelled"));
+    }
+  };
+  const setupYubiKeySlot = async () => {
+    setStep("yubikey-configuring");
+    try {
+      const { spawn: spawn3 } = await import('child_process');
+      const args = ["otp", "chalresp", "--touch", "--generate", "2"];
+      if (selectedYubiKeySerial) {
+        args.unshift("--device", selectedYubiKeySerial);
+      }
+      await new Promise((resolve2, reject) => {
+        const proc = spawn3("ykman", args, { stdio: "inherit" });
+        proc.on("close", (code) => {
+          if (code === 0) {
+            resolve2();
+          } else {
+            reject(new Error(`ykman exited with code ${String(code)}`));
+          }
+        });
+        proc.on("error", reject);
+      });
+      setSelectedYubiKeySlot(2);
+      void generateKeys("yubikey");
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Failed to configure YubiKey"));
+    }
+  };
   const generateKeys = async (provider) => {
     setStep("generating");
     try {
@@ -1761,8 +1855,12 @@ function KeygenInteractive(props) {
         if (!selectedVault || !itemName) {
           throw new Error("Vault and item name are required for 1Password");
         }
+        const vault = vaults.find((v) => v.id === selectedVault);
+        if (!vault) {
+          throw new Error("Selected vault not found");
+        }
         const providerOptions = {
-          vault: selectedVault,
+          vault: vault.name,
           itemName
         };
         if (selectedAccount !== void 0) {
@@ -1779,14 +1877,14 @@ function KeygenInteractive(props) {
           publicKeyPath: result.publicKeyPath,
           privateKeyRef: result.privateKeyRef,
           storageDescription: result.storageDescription,
-          vault: selectedVault,
+          vault: vault.name,
           itemName
         };
         if (selectedAccount !== void 0) {
           completionResult.account = selectedAccount;
         }
         onComplete(completionResult);
-      } else {
+      } else if (provider === "macos-keychain") {
         if (!keychainItemName) {
           throw new Error("Item name is required for macOS Keychain");
         }
@@ -1805,6 +1903,33 @@ function KeygenInteractive(props) {
           storageDescription: result.storageDescription,
           itemName: keychainItemName
         });
+      } else {
+        const encryptedKeyPath = core.getDefaultYubiKeyEncryptedKeyPath();
+        const providerOptions = {
+          encryptedKeyPath,
+          slot: selectedYubiKeySlot
+        };
+        if (selectedYubiKeySerial !== void 0) {
+          providerOptions.serial = selectedYubiKeySerial;
+        }
+        const ykProvider = new core.YubiKeyProvider(providerOptions);
+        const genOptions = { publicKeyPath };
+        if (props.force !== void 0) {
+          genOptions.force = props.force;
+        }
+        const result = await ykProvider.generateKeyPair(genOptions);
+        const completionResult = {
+          provider: "yubikey",
+          publicKeyPath: result.publicKeyPath,
+          privateKeyRef: result.privateKeyRef,
+          storageDescription: result.storageDescription,
+          slot: selectedYubiKeySlot,
+          encryptedKeyPath
+        };
+        if (selectedYubiKeySerial !== void 0) {
+          completionResult.serial = selectedYubiKeySerial;
+        }
+        onComplete(completionResult);
       }
       setStep("done");
     } catch (err) {
@@ -1830,6 +1955,12 @@ function KeygenInteractive(props) {
         value: "macos-keychain"
       });
     }
+    if (yubiKeyAvailable) {
+      options.push({
+        label: "YubiKey (hardware security key)",
+        value: "yubikey"
+      });
+    }
     if (opAvailable) {
       options.push({
         label: "1Password (requires op CLI)",
@@ -1844,8 +1975,8 @@ function KeygenInteractive(props) {
   }
   if (step === "select-account") {
     const options = accounts.map((account) => ({
-      label: account.email,
-      value: account.email
+      label: account.name ? `${account.name} (${account.email})` : account.email,
+      value: account.user_uuid
     }));
     return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
       /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Select 1Password account:" }),
@@ -1862,7 +1993,7 @@ function KeygenInteractive(props) {
     }
     const options = vaults.map((vault) => ({
       label: vault.name,
-      value: vault.name
+      value: vault.id
     }));
     return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
       /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Select vault for private key storage:" }),
@@ -1886,6 +2017,65 @@ function KeygenInteractive(props) {
       /* @__PURE__ */ jsxRuntime.jsx(ui.TextInput, { defaultValue: keychainItemName, onSubmit: handleKeychainItemNameSubmit })
     ] });
   }
+  if (step === "select-yubikey-device") {
+    const options = yubiKeyDevices.map((device) => ({
+      label: `${device.type} (Serial: ${device.serial})`,
+      value: device.serial
+    }));
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Select YubiKey device:" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ui.Select, { options, onChange: handleYubiKeyDeviceSelect })
+    ] });
+  }
+  if (step === "select-yubikey-slot") {
+    const options = [];
+    if (slot2Configured) {
+      options.push({
+        label: "Slot 2 (recommended)",
+        value: "2"
+      });
+    }
+    if (slot1Configured) {
+      options.push({
+        label: "Slot 1",
+        value: "1"
+      });
+    }
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Select YubiKey slot for challenge-response:" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ui.Select, { options, onChange: handleYubiKeySlotSelect })
+    ] });
+  }
+  if (step === "yubikey-offer-setup") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Your YubiKey is not configured for challenge-response." }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { children: "Would you like to configure slot 2 for challenge-response now?" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "This will enable touch-to-sign functionality." }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(
+        ui.Select,
+        {
+          options: [
+            { label: "Yes, configure my YubiKey", value: "yes" },
+            { label: "No, cancel", value: "no" }
+          ],
+          onChange: handleYubiKeySetupConfirm
+        }
+      )
+    ] });
+  }
+  if (step === "yubikey-configuring") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "row", gap: 1, children: [
+        /* @__PURE__ */ jsxRuntime.jsx(ui.Spinner, {}),
+        /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { children: "Configuring YubiKey slot 2 for challenge-response..." })
+      ] }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "Touch your YubiKey when it flashes." })
+    ] });
+  }
   if (step === "generating") {
     return /* @__PURE__ */ jsxRuntime.jsx(ink.Box, { flexDirection: "column", children: /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "row", gap: 1, children: [
       /* @__PURE__ */ jsxRuntime.jsx(ui.Spinner, {}),
@@ -2970,6 +3160,7 @@ async function runCreate() {
       };
     }
     await core.saveLocalConfig(newConfig);
+    const publicKeyResult = await core.savePublicKey(slug, keyPair.publicKey);
     log("");
     success("Identity created successfully");
     log("");
@@ -2984,6 +3175,12 @@ async function runCreate() {
     log(`  Public Key:  ${keyPair.publicKey.slice(0, 32)}...`);
     log(`  Private Key: ${keyStorageDescription}`);
     log("");
+    log(theme3.blue.bold()("Public key saved to:"));
+    log(`  ${publicKeyResult.homePath}`);
+    if (publicKeyResult.projectPath) {
+      log(`  ${publicKeyResult.projectPath}`);
+    }
+    log("");
     if (!existingConfig) {
       success(`Set as active identity`);
       log("");