@awcp/transport-sshfs 0.0.0-dev-202601300724 → 0.0.0-dev-202601301521

package/dist/cli/setup.d.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * AWCP SSHFS Transport Setup CLI
+ *
+ * Configures SSH certificate authentication for AWCP.
+ *
+ * Usage:
+ *   npx @awcp/transport-sshfs setup          # Check and guide
+ *   npx @awcp/transport-sshfs setup --auto   # Auto-configure (needs sudo)
+ *   npx @awcp/transport-sshfs setup --check  # Check only
+ */
+export {};
+//# sourceMappingURL=setup.d.ts.map

package/dist/cli/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/cli/setup.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG"}

package/dist/cli/setup.js

@@ -0,0 +1,286 @@
+#!/usr/bin/env node
+/**
+ * AWCP SSHFS Transport Setup CLI
+ *
+ * Configures SSH certificate authentication for AWCP.
+ *
+ * Usage:
+ *   npx @awcp/transport-sshfs setup          # Check and guide
+ *   npx @awcp/transport-sshfs setup --auto   # Auto-configure (needs sudo)
+ *   npx @awcp/transport-sshfs setup --check  # Check only
+ */
+import { spawn, execSync } from 'node:child_process';
+import { access, mkdir, readFile, constants } from 'node:fs/promises';
+import { join } from 'node:path';
+import { homedir, platform } from 'node:os';
+import * as net from 'node:net';
+const CA_KEY_PATH = join(homedir(), '.awcp', 'ca');
+const SSHD_CONFIG_PATH = '/etc/ssh/sshd_config';
+/**
+ * Print colored output
+ */
+function print(message) {
+    console.log(message);
+}
+function printStatus(name, status, message) {
+    const icon = status === 'ok' ? '✓' : status === 'missing' ? '✗' : '!';
+    const color = status === 'ok' ? '\x1b[32m' : status === 'missing' ? '\x1b[31m' : '\x1b[33m';
+    console.log(`  ${color}[${icon}]\x1b[0m ${name.padEnd(20)} ${message}`);
+}
+/**
+ * Check if a command exists
+ */
+async function commandExists(cmd) {
+    try {
+        execSync(`which ${cmd}`, { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if sshd is running
+ */
+/**
+ * Check if sshd is running by trying to connect to port 22
+ */
+async function isSshdRunning() {
+    return new Promise((resolve) => {
+        const socket = new net.Socket();
+        socket.setTimeout(2000);
+        socket.on('connect', () => {
+            socket.destroy();
+            resolve(true);
+        });
+        socket.on('timeout', () => {
+            socket.destroy();
+            resolve(false);
+        });
+        socket.on('error', () => {
+            resolve(false);
+        });
+        socket.connect(22, 'localhost');
+    });
+}
+/**
+ * Check if sshd_config has TrustedUserCAKeys configured
+ */
+async function isSshdConfigured() {
+    try {
+        const content = await readFile(SSHD_CONFIG_PATH, 'utf-8');
+        const caKeyPub = `${CA_KEY_PATH}.pub`;
+        return content.includes(`TrustedUserCAKeys`) && content.includes(caKeyPub);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if CA key exists
+ */
+async function caKeyExists() {
+    try {
+        await access(CA_KEY_PATH, constants.R_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Generate CA key pair
+ */
+async function generateCaKey() {
+    const caDir = join(CA_KEY_PATH, '..');
+    await mkdir(caDir, { recursive: true, mode: 0o700 });
+    return new Promise((resolve, reject) => {
+        const proc = spawn('ssh-keygen', [
+            '-t', 'ed25519',
+            '-f', CA_KEY_PATH,
+            '-N', '',
+            '-C', 'awcp-ca',
+        ], { stdio: 'inherit' });
+        proc.on('close', (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(new Error(`ssh-keygen failed with code ${code}`));
+        });
+        proc.on('error', reject);
+    });
+}
+/**
+ * Configure sshd (requires sudo)
+ */
+async function configureSshd() {
+    const caKeyPub = `${CA_KEY_PATH}.pub`;
+    print('\n  Configuring sshd (requires sudo)...');
+    // Add TrustedUserCAKeys to sshd_config
+    execSync(`echo "TrustedUserCAKeys ${caKeyPub}" | sudo tee -a ${SSHD_CONFIG_PATH}`, {
+        stdio: 'inherit',
+    });
+    // Restart sshd
+    if (platform() === 'darwin') {
+        execSync('sudo launchctl stop com.openssh.sshd', { stdio: 'inherit' });
+    }
+    else {
+        execSync('sudo systemctl restart sshd || sudo systemctl restart ssh', { stdio: 'inherit' });
+    }
+}
+/**
+ * Run all checks
+ */
+async function runChecks() {
+    const results = [];
+    // Check ssh-keygen
+    const hasSshKeygen = await commandExists('ssh-keygen');
+    results.push({
+        name: 'ssh-keygen',
+        status: hasSshKeygen ? 'ok' : 'missing',
+        message: hasSshKeygen ? 'found' : 'not found',
+        hint: 'Install OpenSSH client',
+    });
+    // Check sshfs
+    const hasSshfs = await commandExists('sshfs');
+    results.push({
+        name: 'sshfs',
+        status: hasSshfs ? 'ok' : 'missing',
+        message: hasSshfs ? 'found' : 'not found',
+        hint: platform() === 'darwin'
+            ? 'Install: brew install macfuse && brew install sshfs'
+            : 'Install: sudo apt install sshfs',
+    });
+    // Check sshd
+    const sshdRunning = await isSshdRunning();
+    results.push({
+        name: 'sshd',
+        status: sshdRunning ? 'ok' : 'missing',
+        message: sshdRunning ? 'running' : 'not running',
+        hint: platform() === 'darwin'
+            ? 'Enable: System Settings → General → Sharing → Remote Login'
+            : 'Install & start: sudo apt install openssh-server && sudo systemctl start sshd',
+    });
+    // Check CA key
+    const hasCaKey = await caKeyExists();
+    results.push({
+        name: 'CA key',
+        status: hasCaKey ? 'ok' : 'missing',
+        message: hasCaKey ? `exists at ${CA_KEY_PATH}` : 'not found',
+        hint: 'Will be auto-generated',
+    });
+    // Check sshd config (only if CA key exists)
+    if (hasCaKey) {
+        const sshdConfigured = await isSshdConfigured();
+        results.push({
+            name: 'sshd TrustedUserCAKeys',
+            status: sshdConfigured ? 'ok' : 'missing',
+            message: sshdConfigured ? 'configured' : 'not configured',
+            hint: `Add to ${SSHD_CONFIG_PATH}: TrustedUserCAKeys ${CA_KEY_PATH}.pub`,
+        });
+    }
+    return results;
+}
+/**
+ * Print setup instructions
+ */
+function printInstructions(results) {
+    const missing = results.filter(r => r.status === 'missing');
+    if (missing.length === 0) {
+        print('\n  \x1b[32m✓ All checks passed! AWCP is ready to use.\x1b[0m\n');
+        return;
+    }
+    print('\n  \x1b[33mSetup required:\x1b[0m\n');
+    for (const result of missing) {
+        if (result.hint) {
+            print(`  • ${result.name}: ${result.hint}`);
+        }
+    }
+    // Print auto command hint
+    const needsSshdConfig = missing.some(r => r.name === 'sshd TrustedUserCAKeys');
+    const needsCaKey = missing.some(r => r.name === 'CA key');
+    if (needsCaKey || needsSshdConfig) {
+        print('\n  Or run with --auto to configure automatically:');
+        print('    npx @awcp/transport-sshfs setup --auto\n');
+    }
+}
+/**
+ * Main setup function
+ */
+async function setup(options) {
+    print('');
+    print('╔════════════════════════════════════════════════════════════╗');
+    print('║         AWCP SSHFS Transport Setup                         ║');
+    print('╚════════════════════════════════════════════════════════════╝');
+    print('');
+    print('  Checking dependencies...');
+    print('');
+    const results = await runChecks();
+    for (const result of results) {
+        printStatus(result.name, result.status, result.message);
+    }
+    if (options.check) {
+        const allOk = results.every(r => r.status === 'ok');
+        process.exit(allOk ? 0 : 1);
+    }
+    if (options.auto) {
+        // Auto-configure
+        const needsCaKey = results.some(r => r.name === 'CA key' && r.status === 'missing');
+        const needsSshdConfig = results.some(r => r.name === 'sshd TrustedUserCAKeys' && r.status === 'missing');
+        if (needsCaKey) {
+            print('\n  Generating CA key pair...');
+            await generateCaKey();
+            printStatus('CA key', 'ok', `generated at ${CA_KEY_PATH}`);
+        }
+        if (needsSshdConfig || needsCaKey) {
+            // Re-check if sshd config is needed after CA key generation
+            const sshdConfigured = await isSshdConfigured();
+            if (!sshdConfigured) {
+                await configureSshd();
+                printStatus('sshd TrustedUserCAKeys', 'ok', 'configured');
+            }
+        }
+        print('\n  \x1b[32m✓ Setup complete! AWCP is ready to use.\x1b[0m\n');
+    }
+    else {
+        printInstructions(results);
+    }
+}
+/**
+ * Parse CLI arguments and run
+ */
+async function main() {
+    const args = process.argv.slice(2);
+    // Handle help
+    if (args.includes('--help') || args.includes('-h')) {
+        print(`
+AWCP SSHFS Transport Setup
+
+Usage:
+  npx @awcp/transport-sshfs setup [options]
+
+Options:
+  --auto    Auto-configure everything (requires sudo for sshd config)
+  --check   Check only, don't print setup instructions
+  --help    Show this help message
+
+Examples:
+  npx @awcp/transport-sshfs setup          # Check and show instructions
+  npx @awcp/transport-sshfs setup --auto   # Auto-configure
+`);
+        process.exit(0);
+    }
+    const options = {
+        auto: args.includes('--auto'),
+        check: args.includes('--check'),
+    };
+    try {
+        await setup(options);
+    }
+    catch (error) {
+        console.error('\n  \x1b[31mError:\x1b[0m', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+}
+main();
+//# sourceMappingURL=setup.js.map

package/dist/cli/setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../src/cli/setup.ts"],"names":[],"mappings":";AACA;;;;;;;;;GASG;AAEH,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC5C,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAEhC,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;AACnD,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAShD;;GAEG;AACH,SAAS,KAAK,CAAC,OAAe;IAC5B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,MAAkC,EAAE,OAAe;IACpF,MAAM,IAAI,GAAG,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACtE,MAAM,KAAK,GAAG,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;IAC5F,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,IAAI,IAAI,YAAY,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,OAAO,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,GAAW;IACtC,IAAI,CAAC;QACH,QAAQ,CAAC,SAAS,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH;;GAEG;AACH,KAAK,UAAU,aAAa;IAC1B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAChC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QACxB,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACxB,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACxB,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;YACtB,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB;IAC7B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,GAAG,WAAW,MAAM,CAAC;QACtC,OAAO,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa;IAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;IACtC,MAAM,KAAK,CAAC,KAAK,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAErD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,YAAY,EAAE;YAC/B,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,WAAW;YACjB,IAAI,EAAE,EAAE;YACR,IAAI,EAAE,SAAS;SAChB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;QAEzB,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACxB,IAAI,IAAI,KAAK,CAAC;gBAAE,OAAO,EAAE,CAAC;;gBACrB,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,IAAI,EAAE,CAAC,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa;IAC1B,MAAM,QAAQ,GAAG,GAAG,WAAW,MAAM,CAAC;IAEtC,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAEjD,uCAAuC;IACvC,QAAQ,CAAC,2BAA2B,QAAQ,mBAAmB,gBAAgB,EAAE,EAAE;QACjF,KAAK,EAAE,SAAS;KACjB,CAAC,CAAC;IAEH,eAAe;IACf,IAAI,QAAQ,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC5B,QAAQ,CAAC,sCAAsC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IACzE,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,2DAA2D,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAC9F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,SAAS;IACtB,MAAM,OAAO,GAAkB,EAAE,CAAC;IAElC,mBAAmB;IACnB,MAAM,YAAY,GAAG,MAAM,aAAa,CAAC,YAAY,CAAC,CAAC;IACvD,OAAO,CAAC,IAAI,CAAC;QACX,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACvC,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW;QAC7C,IAAI,EAAE,wBAAwB;KAC/B,CAAC,CAAC;IAEH,cAAc;IACd,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,OAAO,CAAC,IAAI,CAAC;QACX,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACnC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW;QACzC,IAAI,EAAE,QAAQ,EAAE,KAAK,QAAQ;YAC3B,CAAC,CAAC,qDAAqD;YACvD,CAAC,CAAC,iCAAiC;KACtC,CAAC,CAAC;IAEH,aAAa;IACb,MAAM,WAAW,GAAG,MAAM,aAAa,EAAE,CAAC;IAC1C,OAAO,CAAC,IAAI,CAAC;QACX,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACtC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,aAAa;QAChD,IAAI,EAAE,QAAQ,EAAE,KAAK,QAAQ;YAC3B,CAAC,CAAC,4DAA4D;YAC9D,CAAC,CAAC,+EAA+E;KACpF,CAAC,CAAC;IAEH,eAAe;IACf,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC;QACX,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACnC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,aAAa,WAAW,EAAE,CAAC,CAAC,CAAC,WAAW;QAC5D,IAAI,EAAE,wBAAwB;KAC/B,CAAC,CAAC;IAEH,4CAA4C;IAC5C,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,cAAc,GAAG,MAAM,gBAAgB,EAAE,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC;YACX,IAAI,EAAE,wBAAwB;YAC9B,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;YACzC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,gBAAgB;YACzD,IAAI,EAAE,UAAU,gBAAgB,uBAAuB,WAAW,MAAM;SACzE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAsB;IAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAE5D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACzE,OAAO;IACT,CAAC;IAED,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAE9C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;YAChB,KAAK,CAAC,OAAO,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,wBAAwB,CAAC,CAAC;IAC/E,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAE1D,IAAI,UAAU,IAAI,eAAe,EAAE,CAAC;QAClC,KAAK,CAAC,oDAAoD,CAAC,CAAC;QAC5D,KAAK,CAAC,8CAA8C,CAAC,CAAC;IACxD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,KAAK,CAAC,OAA4C;IAC/D,KAAK,CAAC,EAAE,CAAC,CAAC;IACV,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACxE,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACxE,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACxE,KAAK,CAAC,EAAE,CAAC,CAAC;IACV,KAAK,CAAC,4BAA4B,CAAC,CAAC;IACpC,KAAK,CAAC,EAAE,CAAC,CAAC;IAEV,MAAM,OAAO,GAAG,MAAM,SAAS,EAAE,CAAC;IAElC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,iBAAiB;QACjB,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;QACpF,MAAM,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,wBAAwB,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;QAEzG,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACvC,MAAM,aAAa,EAAE,CAAC;YACtB,WAAW,CAAC,QAAQ,EAAE,IAAI,EAAE,gBAAgB,WAAW,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,eAAe,IAAI,UAAU,EAAE,CAAC;YAClC,4DAA4D;YAC5D,MAAM,cAAc,GAAG,MAAM,gBAAgB,EAAE,CAAC;YAChD,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,MAAM,aAAa,EAAE,CAAC;gBACtB,WAAW,CAAC,wBAAwB,EAAE,IAAI,EAAE,YAAY,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,KAAK,CAAC,8DAA8D,CAAC,CAAC;IACxE,CAAC;SAAM,CAAC;QACN,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAEnC,cAAc;IACd,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,KAAK,CAAC;;;;;;;;;;;;;;CAcT,CAAC,CAAC;QACC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG;QACd,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC7B,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;KAChC,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAC3F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC"}

package/dist/delegator/credential-manager.d.ts

@@ -1,53 +1,20 @@
-/**
- * SSH Credential Manager configuration
- */
-export interface CredentialManagerConfig {
-    /** Directory to store temporary keys (default: ~/.awcp/keys) */
-    keyDir?: string;
-    /** SSH server port (default: 22) */
-    sshPort?: number;
-    /** SSH server host (default: localhost) */
-    sshHost?: string;
-    /** SSH user for connections */
-    sshUser?: string;
-    /** Path to authorized_keys file (default: ~/.ssh/authorized_keys) */
-    authorizedKeysPath?: string;
-}
-/**
- * Generated credential
- */
-export interface GeneratedCredential {
-    /** The private key content */
-    privateKey: string;
-    /** The public key content */
-    publicKey: string;
-    /** Path to the private key file */
-    privateKeyPath: string;
-    /** Path to the public key file */
-    publicKeyPath: string;
-    /** Delegation ID for tracking */
-    delegationId: string;
-}
+import type { SshCredential } from '@awcp/core';
+import type { CredentialManagerConfig, GeneratedCredential } from '../types.js';
 /**
  * SSH Credential Manager
  *
- * Manages temporary SSH keys for AWCP delegations.
- *
- * TODO [Security]: Consider SSH certificates with built-in expiry for production.
+ * Manages temporary SSH certificates for AWCP delegations.
+ * Uses SSH certificates with built-in expiry for automatic TTL enforcement.
  */
 export declare class CredentialManager {
     private config;
     private activeCredentials;
-    constructor(config?: CredentialManagerConfig);
+    constructor(config: CredentialManagerConfig);
     /**
-     * Get the path to authorized_keys file
+     * Generate a temporary SSH key pair and sign certificate with TTL
      */
-    private getAuthorizedKeysPath;
-    /**
-     * Generate a temporary SSH key pair for a delegation
-     */
-    generateCredential(delegationId: string, _ttlSeconds: number): Promise<{
-        credential: string;
+    generateCredential(delegationId: string, ttlSeconds: number): Promise<{
+        credential: SshCredential;
         endpoint: {
             host: string;
             port: number;
@@ -55,7 +22,11 @@ export declare class CredentialManager {
         };
     }>;
     /**
-     * Revoke a credential
+     * Ensure CA key exists, auto-generate if not present
+     */
+    private ensureCaKey;
+    /**
+     * Revoke a credential (delete key files, certificate expires automatically)
      */
     revokeCredential(delegationId: string): Promise<void>;
     /**
@@ -66,22 +37,14 @@ export declare class CredentialManager {
      * Revoke all credentials
      */
     revokeAll(): Promise<void>;
-    /**
-     * Clean up stale AWCP keys from authorized_keys (call on startup)
-     */
-    cleanupStaleKeys(): Promise<number>;
     /**
      * Clean up stale key files from key directory (call on startup)
      */
     cleanupStaleKeyFiles(): Promise<number>;
     /**
-     * Add a public key to authorized_keys
-     */
-    private addToAuthorizedKeys;
-    /**
-     * Remove a public key from authorized_keys by delegation ID
+     * Sign public key with CA to create certificate with TTL
      */
-    private removeFromAuthorizedKeys;
+    private signCertificate;
     /**
      * Execute ssh-keygen to generate a key pair
      */

package/dist/delegator/credential-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credential-manager.d.ts","sourceRoot":"","sources":["../../src/delegator/credential-manager.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,8BAA8B;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,cAAc,EAAE,MAAM,CAAC;IACvB,kCAAkC;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,iCAAiC;IACjC,YAAY,EAAE,MAAM,CAAC;CACtB;AASD;;;;;;GAMG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,iBAAiB,CAA0C;gBAEvD,MAAM,CAAC,EAAE,uBAAuB;IAI5C;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAI7B;;OAEG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC;QACT,UAAU,EAAE,MAAM,CAAC;QACnB,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;KACxD,CAAC;IAsCF;;OAEG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAwB3D;;OAEG;IACH,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIpE;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAMhC;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IA0BzC;;OAEG;IACG,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC;IAkC7C;;OAEG;YACW,mBAAmB;IAcjC;;OAEG;YACW,wBAAwB;IAkBtC;;OAEG;IACH,OAAO,CAAC,aAAa;CAyBtB"}
+{"version":3,"file":"credential-manager.d.ts","sourceRoot":"","sources":["../../src/delegator/credential-manager.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAChD,OAAO,KAAK,EAAE,uBAAuB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAIhF;;;;;GAKG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,iBAAiB,CAA0C;gBAEvD,MAAM,EAAE,uBAAuB;IAI3C;;OAEG;IACG,kBAAkB,CACtB,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;QACT,UAAU,EAAE,aAAa,CAAC;QAC1B,QAAQ,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC;KACxD,CAAC;IA4CF;;OAEG;YACW,WAAW;IA0BzB;;OAEG;IACG,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAc3D;;OAEG;IACH,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,mBAAmB,GAAG,SAAS;IAIpE;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAMhC;;OAEG;IACG,oBAAoB,IAAI,OAAO,CAAC,MAAM,CAAC;IA8B7C;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;OAEG;IACH,OAAO,CAAC,aAAa;CAyBtB"}