@elding/cli 0.1.0 → 0.2.0

package/dist/commands/logout.d.ts

@@ -0,0 +1 @@
+export declare function logout(): Promise<void>;

package/dist/commands/logout.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logout = logout;
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+async function logout() {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        console.log(chalk.dim("Déjà déconnecté."));
+        return;
+    }
+    const spinner = ora("Déconnexion...").start();
+    // Révoque côté serveur (best-effort) puis efface le token local
+    await (0, api_js_1.revokeToken)(config.refreshToken);
+    (0, config_js_1.clearConfig)();
+    spinner.succeed(chalk.green("Déconnecté. Token révoqué et supprimé localement."));
+}

package/dist/commands/proxy.d.ts

@@ -0,0 +1 @@
+export declare function proxy(cmd: string, args: string[]): Promise<void>;

package/dist/commands/proxy.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.proxy = proxy;
+const child_process_1 = require("child_process");
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+const proxyServer_js_1 = require("../lib/proxyServer.js");
+async function proxy(cmd, args) {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        console.error(chalk.red("Non connecté. Lancez `elding login` d'abord."));
+        process.exit(1);
+    }
+    const project = (0, config_js_1.readProject)();
+    if (!project) {
+        console.error(chalk.red("Projet non initialisé. Lancez `elding init` d'abord."));
+        process.exit(1);
+    }
+    const spinner = ora("Démarrage du proxy...").start();
+    let secrets;
+    let hosts;
+    try {
+        const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
+        ({ secrets, hosts } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId));
+    }
+    catch (err) {
+        spinner.fail(chalk.red(err instanceof Error ? err.message : "Erreur inconnue"));
+        process.exit(1);
+    }
+    const server = await (0, proxyServer_js_1.startProxy)(secrets, hosts);
+    spinner.succeed(chalk.green(`Proxy actif sur ${server.url} — ${Object.keys(secrets).length} secret(s)`));
+    console.log(chalk.dim("Les clés restent dans le proxy, jamais dans la mémoire de l'app."));
+    const child = (0, child_process_1.spawn)(cmd, args, {
+        env: {
+            ...process.env,
+            ELDING_PROXY_URL: server.url,
+            ELDING_PROXY_TOKEN: server.token,
+        },
+        stdio: "inherit",
+        shell: true,
+    });
+    const shutdown = () => server.close();
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+    child.on("exit", (code) => {
+        server.close();
+        process.exit(code ?? 0);
+    });
+}

package/dist/commands/run.js

@@ -21,7 +21,7 @@ async function run(cmd, args) {
     let secrets;
     try {
         const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
-        secrets = await (0, api_js_1.fetchSecrets)(accessToken, project.setId);
+        ({ secrets } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId));
         spinner.succeed(chalk.green(`${Object.keys(secrets).length} secret(s) chargé(s).`));
     }
     catch (err) {

package/dist/commands/status.d.ts

@@ -0,0 +1 @@
+export declare function status(): Promise<void>;

package/dist/commands/status.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.status = status;
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+async function status() {
+    const { default: chalk } = await import("chalk");
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        console.log(chalk.yellow("Non connecté.") + chalk.dim("  Lancez `elding login`."));
+        return;
+    }
+    // Vérifie la validité du token + récupère l'utilisateur
+    let user = null;
+    try {
+        const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
+        user = await (0, api_js_1.getMe)(accessToken);
+    }
+    catch {
+        console.log(chalk.red("Token expiré ou révoqué.") + chalk.dim("  Relancez `elding login`."));
+        return;
+    }
+    const project = (0, config_js_1.readProject)();
+    const proxyActive = !!process.env.ELDING_PROXY_URL;
+    console.log(chalk.green("● Connecté"));
+    console.log(`  ${chalk.dim("Utilisateur")}  ${user.email}${user.name ? chalk.dim(` (${user.name})`) : ""}`);
+    console.log(`  ${chalk.dim("Set actif")}    ${project ? `${project.setName} ${chalk.dim(`(${project.setId})`)}` : chalk.yellow("aucun — `elding init`")}`);
+    console.log(`  ${chalk.dim("Proxy")}        ${proxyActive ? chalk.green("actif") : chalk.dim("inactif")}`);
+}

package/dist/index.js

@@ -5,6 +5,9 @@ const commander_1 = require("commander");
 const login_js_1 = require("./commands/login.js");
 const init_js_1 = require("./commands/init.js");
 const run_js_1 = require("./commands/run.js");
+const proxy_js_1 = require("./commands/proxy.js");
+const logout_js_1 = require("./commands/logout.js");
+const status_js_1 = require("./commands/status.js");
 const program = new commander_1.Command();
 program
     .name("elding")
@@ -39,4 +42,33 @@ program
         process.exit(1);
     });
 });
+program
+    .command("proxy <cmd>")
+    .description("Lancer une commande derrière un proxy local qui injecte les clés — jamais en mémoire de l'app")
+    .allowUnknownOption()
+    .action(async (cmd, options, command) => {
+    const args = command.args.slice(1);
+    await (0, proxy_js_1.proxy)(cmd, args).catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("logout")
+    .description("Révoquer le token et le supprimer localement")
+    .action(async () => {
+    await (0, logout_js_1.logout)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("status")
+    .description("Afficher l'état de connexion, le set actif et le proxy")
+    .action(async () => {
+    await (0, status_js_1.status)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
 program.parse();

package/dist/lib/api.d.ts

@@ -3,5 +3,14 @@ export type ApiKeySetItem = {
     name: string;
 };
 export declare function exchangeToken(refreshToken: string): Promise<string>;
+export declare function revokeToken(refreshToken: string): Promise<void>;
+export declare function getMe(accessToken: string): Promise<{
+    email: string;
+    name: string | null;
+}>;
 export declare function listSets(accessToken: string): Promise<ApiKeySetItem[]>;
-export declare function fetchSecrets(accessToken: string, setId: string): Promise<Record<string, string>>;
+export type SecretsResult = {
+    secrets: Record<string, string>;
+    hosts: Record<string, string>;
+};
+export declare function fetchSecrets(accessToken: string, setId: string): Promise<SecretsResult>;

package/dist/lib/api.js

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.exchangeToken = exchangeToken;
+exports.revokeToken = revokeToken;
+exports.getMe = getMe;
 exports.listSets = listSets;
 exports.fetchSecrets = fetchSecrets;
 const BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
@@ -15,6 +17,24 @@ async function exchangeToken(refreshToken) {
         throw new Error(body.error ?? "Impossible d'obtenir un access token");
     return body.accessToken;
 }
+async function revokeToken(refreshToken) {
+    await fetch(`${BASE_URL}/api/cli/auth/logout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ refreshToken }),
+    }).catch(() => { });
+}
+async function getMe(accessToken) {
+    const res = await fetch(`${BASE_URL}/api/cli/me`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!res.ok)
+        throw new Error("Impossible de récupérer l'utilisateur");
+    const body = (await res.json());
+    if (!body.success || !body.user)
+        throw new Error("Réponse invalide");
+    return body.user;
+}
 async function listSets(accessToken) {
     const res = await fetch(`${BASE_URL}/api/cli/sets`, {
         headers: { Authorization: `Bearer ${accessToken}` },
@@ -35,7 +55,10 @@ async function fetchSecrets(accessToken, setId) {
     const body = (await res.json());
     if (!body.success || !body.secrets || typeof body.secrets !== "object")
         throw new Error("Réponse invalide");
-    return sanitizeSecrets(body.secrets);
+    return {
+        secrets: sanitizeSecrets(body.secrets),
+        hosts: body.hosts && typeof body.hosts === "object" ? sanitizeSecrets(body.hosts) : {},
+    };
 }
 const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 // Garde seulement les paires clé/valeur string sûres — évite injection d'objets ou pollution de prototype dans process.env

package/dist/lib/proxyServer.d.ts

@@ -0,0 +1,6 @@
+export type ProxyServer = {
+    url: string;
+    token: string;
+    close: () => void;
+};
+export declare function startProxy(secrets: Record<string, string>, hosts?: Record<string, string>): Promise<ProxyServer>;

package/dist/lib/proxyServer.js

@@ -0,0 +1,133 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startProxy = startProxy;
+const http_1 = __importDefault(require("http"));
+const crypto_1 = require("crypto");
+const PLACEHOLDER = /\{\{([A-Z0-9_]+)\}\}/g;
+// Bloque loopback + plages privées + métadata cloud — empêche le proxy de servir de pivot SSRF
+function isBlockedHost(hostname) {
+    const h = hostname.replace(/^\[|\]$/g, "");
+    if (h === "localhost" || h === "::1")
+        return true;
+    if (/^127\./.test(h))
+        return true;
+    if (/^10\./.test(h))
+        return true;
+    if (/^192\.168\./.test(h))
+        return true;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
+        return true;
+    if (/^169\.254\./.test(h))
+        return true; // link-local + metadata (169.254.169.254)
+    if (/^fe80:/i.test(h) || /^fc00:/i.test(h) || /^fd/i.test(h))
+        return true;
+    return false;
+}
+// hosts: map nom_secret -> domaine autorisé. Si défini, le secret ne peut être envoyé qu'à ce host.
+function startProxy(secrets, hosts = {}) {
+    const token = (0, crypto_1.randomBytes)(24).toString("hex");
+    // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne le nom fautif, ou null.
+    const findHostViolation = (val, targetHost) => {
+        for (const m of val.matchAll(PLACEHOLDER)) {
+            const name = m[1];
+            const allowed = hosts[name];
+            if (allowed && allowed !== targetHost)
+                return name;
+        }
+        return null;
+    };
+    const substitute = (val) => val.replace(PLACEHOLDER, (_, name) => secrets[name] ?? "");
+    const server = http_1.default.createServer(async (req, res) => {
+        try {
+            if (req.headers["x-elding-token"] !== token) {
+                res.writeHead(401);
+                res.end("unauthorized");
+                return;
+            }
+            const target = req.headers["x-elding-target"];
+            if (typeof target !== "string") {
+                res.writeHead(400);
+                res.end("missing x-elding-target");
+                return;
+            }
+            let targetUrl;
+            try {
+                targetUrl = new URL(target);
+            }
+            catch {
+                res.writeHead(400);
+                res.end("bad target");
+                return;
+            }
+            if (targetUrl.protocol !== "https:") {
+                res.writeHead(400);
+                res.end("https only");
+                return;
+            }
+            if (isBlockedHost(targetUrl.hostname)) {
+                res.writeHead(403);
+                res.end("blocked host");
+                return;
+            }
+            const upstream = new URL(req.url ?? "/", targetUrl);
+            upstream.protocol = "https:";
+            upstream.host = targetUrl.host;
+            // Enforce host binding : un secret lié à un domaine ne peut partir que vers celui-ci
+            for (const v of Object.values(req.headers)) {
+                if (typeof v !== "string")
+                    continue;
+                const bad = findHostViolation(v, targetUrl.hostname);
+                if (bad) {
+                    res.writeHead(403);
+                    res.end(`secret "${bad}" non autorisé pour ${targetUrl.hostname}`);
+                    return;
+                }
+            }
+            const headers = {};
+            for (const [k, v] of Object.entries(req.headers)) {
+                const lk = k.toLowerCase();
+                if (lk.startsWith("x-elding-"))
+                    continue;
+                if (lk === "host" || lk === "connection" || lk === "content-length")
+                    continue;
+                if (typeof v === "string")
+                    headers[k] = substitute(v);
+            }
+            const chunks = [];
+            for await (const c of req)
+                chunks.push(c);
+            const hasBody = chunks.length > 0 && req.method !== "GET" && req.method !== "HEAD";
+            const upstreamRes = await fetch(upstream.toString(), {
+                method: req.method,
+                headers,
+                body: hasBody ? Buffer.concat(chunks) : undefined,
+            });
+            res.writeHead(upstreamRes.status, Object.fromEntries(upstreamRes.headers));
+            if (upstreamRes.body) {
+                const reader = upstreamRes.body.getReader();
+                for (;;) {
+                    const { done, value } = await reader.read();
+                    if (done)
+                        break;
+                    res.write(value);
+                }
+            }
+            res.end();
+        }
+        catch {
+            if (!res.headersSent)
+                res.writeHead(502);
+            res.end("proxy error");
+        }
+    });
+    return new Promise((resolve) => {
+        server.listen(0, "127.0.0.1", () => {
+            const addr = server.address();
+            const port = typeof addr === "object" && addr ? addr.port : 0;
+            resolve({ url: `http://127.0.0.1:${port}`, token, close: () => server.close() });
+        });
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elding/cli",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Elding CLI — zero .env, secrets from vault",
   "bin": {
     "elding": "./dist/index.js"