@attest-it/cli 0.7.0 → 0.8.0

package/dist/bin/attest-it.js

@@ -16,7 +16,7 @@ import { useState, useEffect } from 'react';
 import { render, useApp, Box, Text, useInput } from 'ink';
 import { jsx, jsxs, Fragment } from 'react/jsx-runtime';
 import { mkdir, writeFile, unlink, readFile } from 'fs/promises';
-import { Spinner, Select, TextInput } from '@inkjs/ui';
+import { Spinner, Select, PasswordInput, TextInput } from '@inkjs/ui';
 import { stringify } from 'yaml';
 import { fileURLToPath } from 'url';
 
@@ -337,7 +337,7 @@ async function runStatus(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToCheck = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
     for (const gateId of gatesToCheck) {
       if (!attestItConfig.gates[gateId]) {
@@ -989,12 +989,24 @@ async function getAllSuiteStatuses(config) {
   const attestations = attestationsFile?.attestations ?? [];
   const results = [];
   for (const [suiteName, suiteConfig] of Object.entries(config.suites)) {
-    if (!suiteConfig.packages) {
+    let packages;
+    let ignore;
+    if (suiteConfig.gate && config.gates) {
+      const gateConfig = config.gates[suiteConfig.gate];
+      if (gateConfig) {
+        packages = gateConfig.fingerprint.paths;
+        ignore = gateConfig.fingerprint.exclude;
+      }
+    } else if (suiteConfig.packages) {
+      packages = suiteConfig.packages;
+      ignore = suiteConfig.ignore;
+    }
+    if (!packages || packages.length === 0) {
       continue;
     }
     const fingerprintResult = await computeFingerprint({
-      packages: suiteConfig.packages,
-      ...suiteConfig.ignore && { ignore: suiteConfig.ignore }
+      packages,
+      ...ignore && { ignore }
     });
     const attestation = findAttestation(
       { schemaVersion: "1", attestations, signature: "" },
@@ -1559,18 +1571,19 @@ async function promptForSeal(suiteName, gateId, config) {
     const fs4 = await import('fs/promises');
     const privateKeyPem = await fs4.readFile(keyResult.keyPath, "utf8");
     await keyResult.cleanup();
+    const identitySlug = localConfig.activeIdentity;
     const seal = createSeal({
       gateId,
       fingerprint: gateFingerprint.fingerprint,
-      sealedBy: identity.name,
+      sealedBy: identitySlug,
       privateKey: privateKeyPem
     });
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     sealsFile.seals[gateId] = seal;
-    writeSealsSync(projectRoot, sealsFile);
+    writeSealsSync(projectRoot, sealsFile, attestItConfig.settings.sealsPath);
     success(`Seal created for gate '${gateId}'`);
-    log(`  Sealed by: ${identity.name}`);
+    log(`  Sealed by: ${identitySlug} (${identity.name})`);
     log(`  Timestamp: ${seal.timestamp}`);
   } catch (err) {
     if (err instanceof Error) {
@@ -1638,6 +1651,7 @@ function getKeyRefFromIdentity(identity) {
     }
   }
 }
+var MIN_PASSPHRASE_LENGTH = 8;
 function KeygenInteractive(props) {
   const { onComplete, onCancel, onError } = props;
   const [step, setStep] = useState("checking-providers");
@@ -1656,6 +1670,7 @@ function KeygenInteractive(props) {
   const [selectedYubiKeySlot, setSelectedYubiKeySlot] = useState(2);
   const [slot1Configured, setSlot1Configured] = useState(false);
   const [slot2Configured, setSlot2Configured] = useState(false);
+  const [encryptionPassphrase, setEncryptionPassphrase] = useState();
   useInput((_input, key) => {
     if (key.escape) {
       onCancel();
@@ -1729,7 +1744,7 @@ function KeygenInteractive(props) {
   const handleProviderSelect = (value) => {
     if (value === "filesystem") {
       setSelectedProvider("filesystem");
-      void generateKeys("filesystem");
+      setStep("select-filesystem-encryption");
     } else if (value === "1password") {
       setSelectedProvider("1password");
       if (accounts.length === 1 && accounts[0]) {
@@ -1783,6 +1798,31 @@ function KeygenInteractive(props) {
       onError(new Error("YubiKey setup cancelled"));
     }
   };
+  const handleEncryptionMethodSelect = (value) => {
+    if (value === "passphrase") {
+      setStep("enter-encryption-passphrase");
+    } else {
+      setEncryptionPassphrase(void 0);
+      void generateKeys("filesystem");
+    }
+  };
+  const handleEncryptionPassphrase = (value) => {
+    if (value.length < MIN_PASSPHRASE_LENGTH) {
+      onError(new Error(`Passphrase must be at least ${String(MIN_PASSPHRASE_LENGTH)} characters`));
+      return;
+    }
+    setEncryptionPassphrase(value);
+    setStep("confirm-encryption-passphrase");
+  };
+  const handleConfirmPassphrase = (value) => {
+    if (value !== encryptionPassphrase) {
+      onError(new Error("Passphrases do not match. Please try again."));
+      setEncryptionPassphrase(void 0);
+      setStep("enter-encryption-passphrase");
+      return;
+    }
+    void generateKeys("filesystem");
+  };
   const setupYubiKeySlot = async () => {
     setStep("yubikey-configuring");
     try {
@@ -1814,17 +1854,26 @@ function KeygenInteractive(props) {
       const publicKeyPath = props.publicKeyPath ?? getDefaultPublicKeyPath();
       if (provider === "filesystem") {
         const fsProvider = new FilesystemKeyProvider();
-        const genOptions = { publicKeyPath };
+        const genOptions = {
+          publicKeyPath
+        };
         if (props.force !== void 0) {
           genOptions.force = props.force;
         }
+        if (encryptionPassphrase !== void 0) {
+          genOptions.passphrase = encryptionPassphrase;
+        }
         const result = await fsProvider.generateKeyPair(genOptions);
-        onComplete({
+        const completionResult = {
           provider: "filesystem",
           publicKeyPath: result.publicKeyPath,
           privateKeyRef: result.privateKeyRef,
           storageDescription: result.storageDescription
-        });
+        };
+        if (result.encrypted) {
+          completionResult.encrypted = result.encrypted;
+        }
+        onComplete(completionResult);
       } else if (provider === "1password") {
         if (!selectedVault || !itemName) {
           throw new Error("Vault and item name are required for 1Password");
@@ -1908,6 +1957,8 @@ function KeygenInteractive(props) {
       setStep("done");
     } catch (err) {
       onError(err instanceof Error ? err : new Error("Key generation failed"));
+    } finally {
+      setEncryptionPassphrase(void 0);
     }
   };
   if (step === "checking-providers") {
@@ -1947,6 +1998,39 @@ function KeygenInteractive(props) {
       /* @__PURE__ */ jsx(Select, { options, onChange: handleProviderSelect })
     ] });
   }
+  if (step === "select-filesystem-encryption") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Would you like to encrypt your private key with a passphrase?" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "A passphrase adds extra security but must be entered each time you sign." }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(
+        Select,
+        {
+          options: [
+            { label: "No encryption (key protected by file permissions only)", value: "none" },
+            { label: "Passphrase protection (AES-256 encryption)", value: "passphrase" }
+          ],
+          onChange: handleEncryptionMethodSelect
+        }
+      )
+    ] });
+  }
+  if (step === "enter-encryption-passphrase") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Enter a passphrase to encrypt your private key:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: `(Minimum ${String(MIN_PASSPHRASE_LENGTH)} characters. You will need this passphrase each time you sign.)` }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(PasswordInput, { onSubmit: handleEncryptionPassphrase })
+    ] });
+  }
+  if (step === "confirm-encryption-passphrase") {
+    return /* @__PURE__ */ jsxs(Box, { flexDirection: "column", children: [
+      /* @__PURE__ */ jsx(Text, { bold: true, children: "Confirm your passphrase:" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "(Enter the same passphrase again to confirm.)" }),
+      /* @__PURE__ */ jsx(Text, { dimColor: true, children: "" }),
+      /* @__PURE__ */ jsx(PasswordInput, { onSubmit: handleConfirmPassphrase })
+    ] });
+  }
   if (step === "select-account") {
     const options = accounts.map((account) => ({
       label: account.name ? `${account.name} (${account.email})` : account.email,
@@ -2362,7 +2446,7 @@ async function runVerify(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToVerify = gates.length > 0 ? gates : Object.keys(attestItConfig.gates);
     for (const gateId of gatesToVerify) {
       if (!attestItConfig.gates[gateId]) {
@@ -2518,7 +2602,7 @@ async function runSeal(gates, options) {
       process.exit(ExitCode.CONFIG_ERROR);
     }
     const projectRoot = process.cwd();
-    const sealsFile = readSealsSync(projectRoot);
+    const sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     const gatesToSeal = gates.length > 0 ? gates : getAllGateIds(attestItConfig);
     for (const gateId of gatesToSeal) {
       if (!attestItConfig.gates[gateId]) {
@@ -2531,9 +2615,17 @@ async function runSeal(gates, options) {
       skipped: [],
       failed: []
     };
+    const identitySlug = localConfig.activeIdentity;
     for (const gateId of gatesToSeal) {
       try {
-        const result = await processSingleGate(gateId, attestItConfig, identity, sealsFile, options);
+        const result = await processSingleGate(
+          gateId,
+          attestItConfig,
+          identity,
+          identitySlug,
+          sealsFile,
+          options
+        );
         if (result.sealed) {
           summary.sealed.push(gateId);
         } else if (result.skipped) {
@@ -2545,7 +2637,7 @@ async function runSeal(gates, options) {
       }
     }
     if (!options.dryRun && summary.sealed.length > 0) {
-      writeSealsSync(projectRoot, sealsFile);
+      writeSealsSync(projectRoot, sealsFile, attestItConfig.settings.sealsPath);
     }
     displaySummary(summary, options.dryRun);
     if (summary.failed.length > 0) {
@@ -2564,7 +2656,7 @@ async function runSeal(gates, options) {
     process.exit(ExitCode.CONFIG_ERROR);
   }
 }
-async function processSingleGate(gateId, config, identity, sealsFile, options) {
+async function processSingleGate(gateId, config, identity, identitySlug, sealsFile, options) {
   verbose(`Processing gate: ${gateId}`);
   const gate = getGate(config, gateId);
   if (!gate) {
@@ -2604,12 +2696,12 @@ async function processSingleGate(gateId, config, identity, sealsFile, options) {
   const seal = createSeal({
     gateId,
     fingerprint: fingerprintResult.fingerprint,
-    sealedBy: identity.name,
+    sealedBy: identitySlug,
     privateKey: privateKeyPem
   });
   sealsFile.seals[gateId] = seal;
   log(`  Sealed gate: ${gateId}`);
-  verbose(`    Sealed by: ${identity.name}`);
+  verbose(`    Sealed by: ${identitySlug} (${identity.name})`);
   verbose(`    Timestamp: ${seal.timestamp}`);
   return { sealed: true, skipped: false };
 }
@@ -4046,7 +4138,7 @@ async function runRemove2(slug, options) {
     const projectRoot = process.cwd();
     let sealsFile;
     try {
-      sealsFile = readSealsSync(projectRoot);
+      sealsFile = readSealsSync(projectRoot, attestItConfig.settings.sealsPath);
     } catch {
       sealsFile = { version: 1, seals: {} };
     }