@attest-it/cli 0.6.1 → 0.8.0

package/dist/index.cjs

@@ -363,7 +363,7 @@ async function runStatus(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = core.readSealsSync(projectRoot);
+    const sealsFile = core.readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToCheck = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
     for (const gateId of gatesToCheck) {
       if (!attestItConfig.gates[gateId]) {
@@ -1015,12 +1015,24 @@ async function getAllSuiteStatuses(config) {
   const attestations = attestationsFile?.attestations ?? [];
   const results = [];
   for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
-    if (!suiteConfig.packages) {
+    let packages;
+    let ignore;
+    if (suiteConfig.gate && config.gates) {
+      const gateConfig = config.gates[suiteConfig.gate];
+      if (gateConfig) {
+        packages = gateConfig.fingerprint.paths;
+        ignore = gateConfig.fingerprint.exclude;
+      }
+    } else if (suiteConfig.packages) {
+      packages = suiteConfig.packages;
+      ignore = suiteConfig.ignore;
+    }
+    if (!packages || packages.length === 0) {
       continue;
     }
     const fingerprintResult = await core.computeFingerprint({
-      packages: suiteConfig.packages,
-      ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+      packages,
+      ...ignore && { ignore }
     });
     const attestation = core.findAttestation(
       { schemaVersion: "1", attestations, signature: "" },
@@ -1585,18 +1597,19 @@ async function promptForSeal(suiteName, gateId, config) {
     const fs4 = await import('fs/promises');
     const privateKeyPem = await fs4.readFile(keyResult.keyPath, "utf8");
     await keyResult.cleanup();
+    const identitySlug = localConfig.activeIdentity;
     const seal = core.createSeal({
       gateId,
       fingerprint: gateFingerprint.fingerprint,
-      sealedBy: identity.name,
+      sealedBy: identitySlug,
       privateKey: privateKeyPem
     });
     const projectRoot = process.cwd();
-    const sealsFile = core.readSealsSync(projectRoot);
+    const sealsFile = core.readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     sealsFile.seals[gateId] = seal;
-    core.writeSealsSync(projectRoot, sealsFile);
+    core.writeSealsSync(projectRoot, sealsFile, attestItConfig.settings.sealsPath);
     success(`Seal created for gate '${gateId}'`);
-    log(`  Sealed by: ${identity.name}`);
+    log(`  Sealed by: ${identitySlug} (${identity.name})`);
     log(`  Timestamp: ${seal.timestamp}`);
   } catch (err) {
     if (err instanceof Error) {
@@ -1664,18 +1677,31 @@ function getKeyRefFromIdentity(identity) {
     }
   }
 }
+var MIN_PASSPHRASE_LENGTH = 8;
 function KeygenInteractive(props) {
-  const { onComplete, onError } = props;
+  const { onComplete, onCancel, onError } = props;
   const [step, setStep] = React7.useState("checking-providers");
   const [opAvailable, setOpAvailable] = React7.useState(false);
   const [keychainAvailable, setKeychainAvailable] = React7.useState(false);
+  const [yubiKeyAvailable, setYubiKeyAvailable] = React7.useState(false);
   const [accounts, setAccounts] = React7.useState([]);
   const [vaults, setVaults] = React7.useState([]);
+  const [yubiKeyDevices, setYubiKeyDevices] = React7.useState([]);
   const [_selectedProvider, setSelectedProvider] = React7.useState();
   const [selectedAccount, setSelectedAccount] = React7.useState();
   const [selectedVault, setSelectedVault] = React7.useState();
   const [itemName, setItemName] = React7.useState("attest-it-private-key");
   const [keychainItemName, setKeychainItemName] = React7.useState("attest-it-private-key");
+  const [selectedYubiKeySerial, setSelectedYubiKeySerial] = React7.useState();
+  const [selectedYubiKeySlot, setSelectedYubiKeySlot] = React7.useState(2);
+  const [slot1Configured, setSlot1Configured] = React7.useState(false);
+  const [slot2Configured, setSlot2Configured] = React7.useState(false);
+  const [encryptionPassphrase, setEncryptionPassphrase] = React7.useState();
+  ink.useInput((_input, key) => {
+    if (key.escape) {
+      onCancel();
+    }
+  });
   React7.useEffect(() => {
     const checkProviders = async () => {
       try {
@@ -1690,6 +1716,19 @@ function KeygenInteractive(props) {
       }
       const isKeychainAvailable = core.MacOSKeychainKeyProvider.isAvailable();
       setKeychainAvailable(isKeychainAvailable);
+      try {
+        const isInstalled = await core.YubiKeyProvider.isInstalled();
+        if (isInstalled) {
+          const isConnected = await core.YubiKeyProvider.isConnected();
+          if (isConnected) {
+            const devices = await core.YubiKeyProvider.listDevices();
+            setYubiKeyDevices(devices);
+            setYubiKeyAvailable(devices.length > 0);
+          }
+        }
+      } catch {
+        setYubiKeyAvailable(false);
+      }
       setStep("select-provider");
     };
     void checkProviders();
@@ -1707,10 +1746,31 @@ function KeygenInteractive(props) {
       void fetchVaults();
     }
   }, [step, selectedAccount, onError]);
+  const checkYubiKeySlots = async (serial) => {
+    try {
+      const slot1 = await core.YubiKeyProvider.isChallengeResponseConfigured(1, serial);
+      const slot2 = await core.YubiKeyProvider.isChallengeResponseConfigured(2, serial);
+      setSlot1Configured(slot1);
+      setSlot2Configured(slot2);
+      if (slot1 && slot2) {
+        setStep("select-yubikey-slot");
+      } else if (slot2) {
+        setSelectedYubiKeySlot(2);
+        void generateKeys("yubikey");
+      } else if (slot1) {
+        setSelectedYubiKeySlot(1);
+        void generateKeys("yubikey");
+      } else {
+        setStep("yubikey-offer-setup");
+      }
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Failed to check YubiKey slots"));
+    }
+  };
   const handleProviderSelect = (value) => {
     if (value === "filesystem") {
       setSelectedProvider("filesystem");
-      void generateKeys("filesystem");
+      setStep("select-filesystem-encryption");
     } else if (value === "1password") {
       setSelectedProvider("1password");
       if (accounts.length === 1 && accounts[0]) {
@@ -1722,6 +1782,14 @@ function KeygenInteractive(props) {
     } else if (value === "macos-keychain") {
       setSelectedProvider("macos-keychain");
       setStep("enter-keychain-item-name");
+    } else if (value === "yubikey") {
+      setSelectedProvider("yubikey");
+      if (yubiKeyDevices.length > 1) {
+        setStep("select-yubikey-device");
+      } else if (yubiKeyDevices.length === 1 && yubiKeyDevices[0]) {
+        setSelectedYubiKeySerial(yubiKeyDevices[0].serial);
+        void checkYubiKeySlots(yubiKeyDevices[0].serial);
+      }
     }
   };
   const handleAccountSelect = (value) => {
@@ -1740,23 +1808,98 @@ function KeygenInteractive(props) {
     setKeychainItemName(value);
     void generateKeys("macos-keychain");
   };
+  const handleYubiKeyDeviceSelect = (value) => {
+    setSelectedYubiKeySerial(value);
+    void checkYubiKeySlots(value);
+  };
+  const handleYubiKeySlotSelect = (value) => {
+    const slot = value === "1" ? 1 : 2;
+    setSelectedYubiKeySlot(slot);
+    void generateKeys("yubikey");
+  };
+  const handleYubiKeySetupConfirm = (value) => {
+    if (value === "yes") {
+      void setupYubiKeySlot();
+    } else {
+      onError(new Error("YubiKey setup cancelled"));
+    }
+  };
+  const handleEncryptionMethodSelect = (value) => {
+    if (value === "passphrase") {
+      setStep("enter-encryption-passphrase");
+    } else {
+      setEncryptionPassphrase(void 0);
+      void generateKeys("filesystem");
+    }
+  };
+  const handleEncryptionPassphrase = (value) => {
+    if (value.length < MIN_PASSPHRASE_LENGTH) {
+      onError(new Error(`Passphrase must be at least ${String(MIN_PASSPHRASE_LENGTH)} characters`));
+      return;
+    }
+    setEncryptionPassphrase(value);
+    setStep("confirm-encryption-passphrase");
+  };
+  const handleConfirmPassphrase = (value) => {
+    if (value !== encryptionPassphrase) {
+      onError(new Error("Passphrases do not match. Please try again."));
+      setEncryptionPassphrase(void 0);
+      setStep("enter-encryption-passphrase");
+      return;
+    }
+    void generateKeys("filesystem");
+  };
+  const setupYubiKeySlot = async () => {
+    setStep("yubikey-configuring");
+    try {
+      const { spawn: spawn3 } = await import('child_process');
+      const args = ["otp", "chalresp", "--touch", "--generate", "2"];
+      if (selectedYubiKeySerial) {
+        args.unshift("--device", selectedYubiKeySerial);
+      }
+      await new Promise((resolve2, reject) => {
+        const proc = spawn3("ykman", args, { stdio: "inherit" });
+        proc.on("close", (code) => {
+          if (code === 0) {
+            resolve2();
+          } else {
+            reject(new Error(`ykman exited with code ${String(code)}`));
+          }
+        });
+        proc.on("error", reject);
+      });
+      setSelectedYubiKeySlot(2);
+      void generateKeys("yubikey");
+    } catch (err) {
+      onError(err instanceof Error ? err : new Error("Failed to configure YubiKey"));
+    }
+  };
   const generateKeys = async (provider) => {
     setStep("generating");
     try {
       const publicKeyPath = props.publicKeyPath ?? core.getDefaultPublicKeyPath();
       if (provider === "filesystem") {
         const fsProvider = new core.FilesystemKeyProvider();
-        const genOptions = { publicKeyPath };
+        const genOptions = {
+          publicKeyPath
+        };
         if (props.force !== void 0) {
           genOptions.force = props.force;
         }
+        if (encryptionPassphrase !== void 0) {
+          genOptions.passphrase = encryptionPassphrase;
+        }
         const result = await fsProvider.generateKeyPair(genOptions);
-        onComplete({
+        const completionResult = {
           provider: "filesystem",
           publicKeyPath: result.publicKeyPath,
           privateKeyRef: result.privateKeyRef,
           storageDescription: result.storageDescription
-        });
+        };
+        if (result.encrypted) {
+          completionResult.encrypted = result.encrypted;
+        }
+        onComplete(completionResult);
       } else if (provider === "1password") {
         if (!selectedVault || !itemName) {
           throw new Error("Vault and item name are required for 1Password");
@@ -1790,7 +1933,7 @@ function KeygenInteractive(props) {
           completionResult.account = selectedAccount;
         }
         onComplete(completionResult);
-      } else {
+      } else if (provider === "macos-keychain") {
         if (!keychainItemName) {
           throw new Error("Item name is required for macOS Keychain");
         }
@@ -1809,10 +1952,39 @@ function KeygenInteractive(props) {
           storageDescription: result.storageDescription,
           itemName: keychainItemName
         });
+      } else {
+        const encryptedKeyPath = core.getDefaultYubiKeyEncryptedKeyPath();
+        const providerOptions = {
+          encryptedKeyPath,
+          slot: selectedYubiKeySlot
+        };
+        if (selectedYubiKeySerial !== void 0) {
+          providerOptions.serial = selectedYubiKeySerial;
+        }
+        const ykProvider = new core.YubiKeyProvider(providerOptions);
+        const genOptions = { publicKeyPath };
+        if (props.force !== void 0) {
+          genOptions.force = props.force;
+        }
+        const result = await ykProvider.generateKeyPair(genOptions);
+        const completionResult = {
+          provider: "yubikey",
+          publicKeyPath: result.publicKeyPath,
+          privateKeyRef: result.privateKeyRef,
+          storageDescription: result.storageDescription,
+          slot: selectedYubiKeySlot,
+          encryptedKeyPath
+        };
+        if (selectedYubiKeySerial !== void 0) {
+          completionResult.serial = selectedYubiKeySerial;
+        }
+        onComplete(completionResult);
       }
       setStep("done");
     } catch (err) {
       onError(err instanceof Error ? err : new Error("Key generation failed"));
+    } finally {
+      setEncryptionPassphrase(void 0);
     }
   };
   if (step === "checking-providers") {
@@ -1834,6 +2006,12 @@ function KeygenInteractive(props) {
         value: "macos-keychain"
       });
     }
+    if (yubiKeyAvailable) {
+      options.push({
+        label: "YubiKey (hardware security key)",
+        value: "yubikey"
+      });
+    }
     if (opAvailable) {
       options.push({
         label: "1Password (requires op CLI)",
@@ -1846,9 +2024,42 @@ function KeygenInteractive(props) {
       /* @__PURE__ */ jsxRuntime.jsx(ui.Select, { options, onChange: handleProviderSelect })
     ] });
   }
+  if (step === "select-filesystem-encryption") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Would you like to encrypt your private key with a passphrase?" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "A passphrase adds extra security but must be entered each time you sign." }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(
+        ui.Select,
+        {
+          options: [
+            { label: "No encryption (key protected by file permissions only)", value: "none" },
+            { label: "Passphrase protection (AES-256 encryption)", value: "passphrase" }
+          ],
+          onChange: handleEncryptionMethodSelect
+        }
+      )
+    ] });
+  }
+  if (step === "enter-encryption-passphrase") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Enter a passphrase to encrypt your private key:" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: `(Minimum ${String(MIN_PASSPHRASE_LENGTH)} characters. You will need this passphrase each time you sign.)` }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ui.PasswordInput, { onSubmit: handleEncryptionPassphrase })
+    ] });
+  }
+  if (step === "confirm-encryption-passphrase") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Confirm your passphrase:" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "(Enter the same passphrase again to confirm.)" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ui.PasswordInput, { onSubmit: handleConfirmPassphrase })
+    ] });
+  }
   if (step === "select-account") {
     const options = accounts.map((account) => ({
-      label: account.email,
+      label: account.name ? `${account.name} (${account.email})` : account.email,
       value: account.user_uuid
     }));
     return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
@@ -1890,6 +2101,65 @@ function KeygenInteractive(props) {
       /* @__PURE__ */ jsxRuntime.jsx(ui.TextInput, { defaultValue: keychainItemName, onSubmit: handleKeychainItemNameSubmit })
     ] });
   }
+  if (step === "select-yubikey-device") {
+    const options = yubiKeyDevices.map((device) => ({
+      label: `${device.type} (Serial: ${device.serial})`,
+      value: device.serial
+    }));
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Select YubiKey device:" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ui.Select, { options, onChange: handleYubiKeyDeviceSelect })
+    ] });
+  }
+  if (step === "select-yubikey-slot") {
+    const options = [];
+    if (slot2Configured) {
+      options.push({
+        label: "Slot 2 (recommended)",
+        value: "2"
+      });
+    }
+    if (slot1Configured) {
+      options.push({
+        label: "Slot 1",
+        value: "1"
+      });
+    }
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Select YubiKey slot for challenge-response:" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ui.Select, { options, onChange: handleYubiKeySlotSelect })
+    ] });
+  }
+  if (step === "yubikey-offer-setup") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { bold: true, children: "Your YubiKey is not configured for challenge-response." }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { children: "Would you like to configure slot 2 for challenge-response now?" }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "This will enable touch-to-sign functionality." }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsxRuntime.jsx(
+        ui.Select,
+        {
+          options: [
+            { label: "Yes, configure my YubiKey", value: "yes" },
+            { label: "No, cancel", value: "no" }
+          ],
+          onChange: handleYubiKeySetupConfirm
+        }
+      )
+    ] });
+  }
+  if (step === "yubikey-configuring") {
+    return /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "row", gap: 1, children: [
+        /* @__PURE__ */ jsxRuntime.jsx(ui.Spinner, {}),
+        /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { children: "Configuring YubiKey slot 2 for challenge-response..." })
+      ] }),
+      /* @__PURE__ */ jsxRuntime.jsx(ink.Text, { dimColor: true, children: "Touch your YubiKey when it flashes." })
+    ] });
+  }
   if (step === "generating") {
     return /* @__PURE__ */ jsxRuntime.jsx(ink.Box, { flexDirection: "column", children: /* @__PURE__ */ jsxRuntime.jsxs(ink.Box, { flexDirection: "row", gap: 1, children: [
       /* @__PURE__ */ jsxRuntime.jsx(ui.Spinner, {}),
@@ -2202,7 +2472,7 @@ async function runVerify(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = core.readSealsSync(projectRoot);
+    const sealsFile = core.readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToVerify = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
     for (const gateId of gatesToVerify) {
       if (!attestItConfig.gates[gateId]) {
@@ -2358,7 +2628,7 @@ async function runSeal(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = core.readSealsSync(projectRoot);
+    const sealsFile = core.readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToSeal = gates.length > 0 ? gates : getAllGateIds(attestItConfig);
     for (const gateId of gatesToSeal) {
       if (!attestItConfig.gates[gateId]) {
@@ -2371,9 +2641,17 @@ async function runSeal(gates, options) {
       skipped: [],
       failed: []
     };
+    const identitySlug = localConfig.activeIdentity;
     for (const gateId of gatesToSeal) {
       try {
-        const result = await processSingleGate(gateId, attestItConfig, identity, sealsFile, options);
+        const result = await processSingleGate(
+          gateId,
+          attestItConfig,
+          identity,
+          identitySlug,
+          sealsFile,
+          options
+        );
         if (result.sealed) {
           summary.sealed.push(gateId);
         } else if (result.skipped) {
@@ -2385,7 +2663,7 @@ async function runSeal(gates, options) {
       }
     }
     if (!options.dryRun && summary.sealed.length > 0) {
-      core.writeSealsSync(projectRoot, sealsFile);
+      core.writeSealsSync(projectRoot, sealsFile, attestItConfig.settings.sealsPath);
     }
     displaySummary(summary, options.dryRun);
     if (summary.failed.length > 0) {
@@ -2404,7 +2682,7 @@ async function runSeal(gates, options) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-async function processSingleGate(gateId, config, identity, sealsFile, options) {
+async function processSingleGate(gateId, config, identity, identitySlug, sealsFile, options) {
   verbose(`Processing gate: ${gateId}`);
   const gate = core.getGate(config, gateId);
   if (!gate) {
@@ -2444,12 +2722,12 @@ async function processSingleGate(gateId, config, identity, sealsFile, options) {
   const seal = core.createSeal({
     gateId,
     fingerprint: fingerprintResult.fingerprint,
-    sealedBy: identity.name,
+    sealedBy: identitySlug,
     privateKey: privateKeyPem
   });
   sealsFile.seals[gateId] = seal;
   log(`  Sealed gate: ${gateId}`);
-  verbose(`    Sealed by: ${identity.name}`);
+  verbose(`    Sealed by: ${identitySlug} (${identity.name})`);
   verbose(`    Timestamp: ${seal.timestamp}`);
   return { sealed: true, skipped: false };
 }
@@ -2974,6 +3252,7 @@ async function runCreate() {
       };
     }
     await core.saveLocalConfig(newConfig);
+    const publicKeyResult = await core.savePublicKey(slug, keyPair.publicKey);
     log("");
     success("Identity created successfully");
     log("");
@@ -2988,6 +3267,12 @@ async function runCreate() {
     log(`  Public Key:  ${keyPair.publicKey.slice(0, 32)}...`);
     log(`  Private Key: ${keyStorageDescription}`);
     log("");
+    log(theme3.blue.bold()("Public key saved to:"));
+    log(`  ${publicKeyResult.homePath}`);
+    if (publicKeyResult.projectPath) {
+      log(`  ${publicKeyResult.projectPath}`);
+    }
+    log("");
     if (!existingConfig) {
       success(`Set as active identity`);
       log("");
@@ -3879,7 +4164,7 @@ async function runRemove2(slug, options) {
     const projectRoot = process.cwd();
     let sealsFile;
     try {
-      sealsFile = core.readSealsSync(projectRoot);
+      sealsFile = core.readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     } catch {
       sealsFile = { version: 1, seals: {} };
     }