@elding/cli 0.1.0 → 0.3.0

package/dist/commands/doctor.d.ts

@@ -0,0 +1 @@
+export declare function doctor(): Promise<void>;

package/dist/commands/doctor.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.doctor = doctor;
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+async function doctor() {
+    const { default: chalk } = await import("chalk");
+    const ok = (m) => console.log(`${chalk.green("✓")} ${m}`);
+    const warn = (m) => console.log(`${chalk.yellow("!")} ${m}`);
+    const fail = (m) => console.log(`${chalk.red("✗")} ${m}`);
+    console.log(chalk.dim(`API : ${api_js_1.BASE_URL}\n`));
+    // 1. Token local
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        fail("Non connecté — lancez `elding login`");
+        return;
+    }
+    ok("Token local présent (~/.elding/config.json)");
+    // 2. Token valide + utilisateur
+    let accessToken;
+    try {
+        accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
+        const me = await (0, api_js_1.getMe)(accessToken);
+        ok(`Authentifié : ${me.email}`);
+    }
+    catch {
+        fail("Token expiré ou révoqué — relancez `elding login`");
+        return;
+    }
+    // 3. Set du projet
+    const project = (0, config_js_1.readProject)();
+    if (!project) {
+        warn("Aucun set configuré — lancez `elding init` ou `elding use <set>`");
+        return;
+    }
+    ok(`Set actif : ${project.setName}`);
+    // 4. Clés + verrouillage host
+    try {
+        const keys = await (0, api_js_1.listKeys)(accessToken, project.setId);
+        if (keys.length === 0)
+            warn("Le set ne contient aucune clé");
+        else {
+            const locked = keys.filter((k) => k.allowedHost).length;
+            ok(`${keys.length} clé(s) — ${locked} verrouillée(s) sur un domaine`);
+            if (locked < keys.length)
+                warn(`${keys.length - locked} clé(s) sans domaine : exfiltrables via le proxy`);
+        }
+    }
+    catch {
+        fail("Impossible de lire les clés du set");
+    }
+    // 5. Proxy
+    if (process.env.ELDING_PROXY_URL)
+        ok(`Proxy actif : ${process.env.ELDING_PROXY_URL}`);
+    else
+        console.log(chalk.dim("○ Proxy inactif (normal hors `elding proxy`)"));
+}

package/dist/commands/keys.d.ts

@@ -0,0 +1 @@
+export declare function keys(): Promise<void>;

package/dist/commands/keys.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.keys = keys;
+const api_js_1 = require("../lib/api.js");
+const config_js_1 = require("../lib/config.js");
+const session_js_1 = require("../lib/session.js");
+async function keys() {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const project = (0, config_js_1.readProject)();
+    if (!project) {
+        console.error(chalk.red("Projet non initialisé. Lancez `elding init` ou `elding use <set>`."));
+        process.exit(1);
+    }
+    const spinner = ora("Récupération des clés...").start();
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const list = await (0, api_js_1.listKeys)(accessToken, project.setId);
+    spinner.stop();
+    console.log(chalk.dim(`Set : ${project.setName}`));
+    if (list.length === 0) {
+        console.log(chalk.yellow("Aucune clé dans ce set."));
+        return;
+    }
+    for (const k of list) {
+        const host = k.allowedHost
+            ? chalk.dim(` → ${k.allowedHost}`)
+            : chalk.yellow(" → aucun domaine (non verrouillé)");
+        console.log(`  ${k.name}${host}`);
+    }
+}

package/dist/commands/logout.d.ts

@@ -0,0 +1 @@
+export declare function logout(): Promise<void>;

package/dist/commands/logout.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logout = logout;
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+async function logout() {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        console.log(chalk.dim("Déjà déconnecté."));
+        return;
+    }
+    const spinner = ora("Déconnexion...").start();
+    // Révoque côté serveur (best-effort) puis efface le token local
+    await (0, api_js_1.revokeToken)(config.refreshToken);
+    (0, config_js_1.clearConfig)();
+    spinner.succeed(chalk.green("Déconnecté. Token révoqué et supprimé localement."));
+}

package/dist/commands/open.d.ts

@@ -0,0 +1 @@
+export declare function open(): Promise<void>;

package/dist/commands/open.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.open = open;
+const api_js_1 = require("../lib/api.js");
+async function open() {
+    const { default: chalk } = await import("chalk");
+    const { default: openUrl } = await import("open");
+    const url = `${api_js_1.BASE_URL}/vault`;
+    await openUrl(url).catch(() => {
+        console.log(chalk.cyan(`Ouvrez manuellement : ${url}`));
+    });
+    console.log(chalk.dim(`Vault ouvert : ${url}`));
+}

package/dist/commands/proxy.d.ts

@@ -0,0 +1 @@
+export declare function proxy(cmd: string, args: string[], verbose?: boolean): Promise<void>;

package/dist/commands/proxy.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.proxy = proxy;
+const child_process_1 = require("child_process");
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+const proxyServer_js_1 = require("../lib/proxyServer.js");
+async function proxy(cmd, args, verbose = false) {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        console.error(chalk.red("Non connecté. Lancez `elding login` d'abord."));
+        process.exit(1);
+    }
+    const project = (0, config_js_1.readProject)();
+    if (!project) {
+        console.error(chalk.red("Projet non initialisé. Lancez `elding init` d'abord."));
+        process.exit(1);
+    }
+    const spinner = ora("Démarrage du proxy...").start();
+    let secrets;
+    let hosts;
+    try {
+        const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
+        ({ secrets, hosts } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId));
+    }
+    catch (err) {
+        spinner.fail(chalk.red(err instanceof Error ? err.message : "Erreur inconnue"));
+        process.exit(1);
+    }
+    const server = await (0, proxyServer_js_1.startProxy)(secrets, hosts, verbose);
+    spinner.succeed(chalk.green(`Proxy actif sur ${server.url} — ${Object.keys(secrets).length} secret(s)`));
+    console.log(chalk.dim("Les clés restent dans le proxy, jamais dans la mémoire de l'app."));
+    const child = (0, child_process_1.spawn)(cmd, args, {
+        env: {
+            ...process.env,
+            ELDING_PROXY_URL: server.url,
+            ELDING_PROXY_TOKEN: server.token,
+        },
+        stdio: "inherit",
+        shell: true,
+    });
+    const shutdown = () => server.close();
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+    child.on("exit", (code) => {
+        server.close();
+        process.exit(code ?? 0);
+    });
+}

package/dist/commands/run.js

@@ -21,7 +21,7 @@ async function run(cmd, args) {
     let secrets;
     try {
         const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
-        secrets = await (0, api_js_1.fetchSecrets)(accessToken, project.setId);
+        ({ secrets } = await (0, api_js_1.fetchSecrets)(accessToken, project.setId, "run"));
         spinner.succeed(chalk.green(`${Object.keys(secrets).length} secret(s) chargé(s).`));
     }
     catch (err) {

package/dist/commands/sets.d.ts

@@ -0,0 +1 @@
+export declare function sets(): Promise<void>;

package/dist/commands/sets.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sets = sets;
+const api_js_1 = require("../lib/api.js");
+const config_js_1 = require("../lib/config.js");
+const session_js_1 = require("../lib/session.js");
+async function sets() {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const spinner = ora("Récupération des sets...").start();
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const list = await (0, api_js_1.listSets)(accessToken);
+    spinner.stop();
+    if (list.length === 0) {
+        console.log(chalk.yellow("Aucun set. Créez-en un sur le vault."));
+        return;
+    }
+    const activeId = (0, config_js_1.readProject)()?.setId;
+    for (const s of list) {
+        const marker = s.id === activeId ? chalk.green("●") : chalk.dim("○");
+        const name = s.id === activeId ? chalk.green(s.name) : s.name;
+        console.log(`${marker} ${name} ${chalk.dim(`(${s.id})`)}`);
+    }
+}

package/dist/commands/status.d.ts

@@ -0,0 +1 @@
+export declare function status(): Promise<void>;

package/dist/commands/status.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.status = status;
+const config_js_1 = require("../lib/config.js");
+const api_js_1 = require("../lib/api.js");
+async function status() {
+    const { default: chalk } = await import("chalk");
+    const config = (0, config_js_1.readConfig)();
+    if (!config) {
+        console.log(chalk.yellow("Non connecté.") + chalk.dim("  Lancez `elding login`."));
+        return;
+    }
+    // Vérifie la validité du token + récupère l'utilisateur
+    let user = null;
+    try {
+        const accessToken = await (0, api_js_1.exchangeToken)(config.refreshToken);
+        user = await (0, api_js_1.getMe)(accessToken);
+    }
+    catch {
+        console.log(chalk.red("Token expiré ou révoqué.") + chalk.dim("  Relancez `elding login`."));
+        return;
+    }
+    const project = (0, config_js_1.readProject)();
+    const proxyActive = !!process.env.ELDING_PROXY_URL;
+    console.log(chalk.green("● Connecté"));
+    console.log(`  ${chalk.dim("Utilisateur")}  ${user.email}${user.name ? chalk.dim(` (${user.name})`) : ""}`);
+    console.log(`  ${chalk.dim("Set actif")}    ${project ? `${project.setName} ${chalk.dim(`(${project.setId})`)}` : chalk.yellow("aucun — `elding init`")}`);
+    console.log(`  ${chalk.dim("Proxy")}        ${proxyActive ? chalk.green("actif") : chalk.dim("inactif")}`);
+}

package/dist/commands/use.d.ts

@@ -0,0 +1 @@
+export declare function use(nameArg: string): Promise<void>;

package/dist/commands/use.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.use = use;
+const api_js_1 = require("../lib/api.js");
+const config_js_1 = require("../lib/config.js");
+const session_js_1 = require("../lib/session.js");
+async function use(nameArg) {
+    const { default: chalk } = await import("chalk");
+    const { default: ora } = await import("ora");
+    const spinner = ora("Récupération des sets...").start();
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const list = await (0, api_js_1.listSets)(accessToken);
+    spinner.stop();
+    const query = nameArg.trim().toLowerCase();
+    const matches = list.filter((s) => s.name.toLowerCase() === query);
+    const candidates = matches.length ? matches : list.filter((s) => s.name.toLowerCase().includes(query));
+    if (candidates.length === 0) {
+        console.error(chalk.red(`Aucun set nommé "${nameArg}".`) + chalk.dim("  Voir `elding sets`."));
+        process.exit(1);
+    }
+    if (candidates.length > 1) {
+        console.error(chalk.red(`Plusieurs sets correspondent à "${nameArg}" :`));
+        candidates.forEach((s) => console.error(chalk.dim(`  - ${s.name}`)));
+        process.exit(1);
+    }
+    const set = candidates[0];
+    (0, config_js_1.writeProject)({ setId: set.id, setName: set.name });
+    console.log(chalk.green(`✓ Set actif : "${set.name}"`));
+}

package/dist/commands/whoami.d.ts

@@ -0,0 +1 @@
+export declare function whoami(): Promise<void>;

package/dist/commands/whoami.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.whoami = whoami;
+const api_js_1 = require("../lib/api.js");
+const session_js_1 = require("../lib/session.js");
+async function whoami() {
+    const { default: chalk } = await import("chalk");
+    const accessToken = await (0, session_js_1.requireAccessToken)();
+    const me = await (0, api_js_1.getMe)(accessToken);
+    console.log(`${me.email}${me.name ? chalk.dim(` (${me.name})`) : ""}`);
+}

package/dist/index.js

@@ -5,6 +5,15 @@ const commander_1 = require("commander");
 const login_js_1 = require("./commands/login.js");
 const init_js_1 = require("./commands/init.js");
 const run_js_1 = require("./commands/run.js");
+const proxy_js_1 = require("./commands/proxy.js");
+const logout_js_1 = require("./commands/logout.js");
+const status_js_1 = require("./commands/status.js");
+const sets_js_1 = require("./commands/sets.js");
+const use_js_1 = require("./commands/use.js");
+const keys_js_1 = require("./commands/keys.js");
+const doctor_js_1 = require("./commands/doctor.js");
+const open_js_1 = require("./commands/open.js");
+const whoami_js_1 = require("./commands/whoami.js");
 const program = new commander_1.Command();
 program
     .name("elding")
@@ -39,4 +48,88 @@ program
         process.exit(1);
     });
 });
+program
+    .command("proxy <cmd>")
+    .description("Lancer une commande derrière un proxy local qui injecte les clés — jamais en mémoire de l'app")
+    .option("-v, --verbose", "Logger chaque requête (méthode/host/status/latence)")
+    .allowUnknownOption()
+    .action(async (cmd, options, command) => {
+    const args = command.args.slice(1);
+    await (0, proxy_js_1.proxy)(cmd, args, !!options.verbose).catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("logout")
+    .description("Révoquer le token et le supprimer localement")
+    .action(async () => {
+    await (0, logout_js_1.logout)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("status")
+    .description("Afficher l'état de connexion, le set actif et le proxy")
+    .action(async () => {
+    await (0, status_js_1.status)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("sets")
+    .description("Lister les sets accessibles")
+    .action(async () => {
+    await (0, sets_js_1.sets)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("use <name>")
+    .description("Changer le set actif du projet")
+    .action(async (name) => {
+    await (0, use_js_1.use)(name).catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("keys")
+    .description("Lister les noms de clés du set actif (jamais les valeurs)")
+    .action(async () => {
+    await (0, keys_js_1.keys)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("doctor")
+    .description("Diagnostiquer la configuration (connexion, set, clés, proxy)")
+    .action(async () => {
+    await (0, doctor_js_1.doctor)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("open")
+    .description("Ouvrir le vault dans le navigateur")
+    .action(async () => {
+    await (0, open_js_1.open)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
+program
+    .command("whoami")
+    .description("Afficher l'utilisateur connecté")
+    .action(async () => {
+    await (0, whoami_js_1.whoami)().catch((err) => {
+        console.error(err.message);
+        process.exit(1);
+    });
+});
 program.parse();

package/dist/lib/api.d.ts

@@ -1,7 +1,22 @@
+export declare const BASE_URL: string;
 export type ApiKeySetItem = {
     id: string;
     name: string;
 };
+export type KeyItem = {
+    name: string;
+    allowedHost: string | null;
+};
+export declare function listKeys(accessToken: string, setId: string): Promise<KeyItem[]>;
 export declare function exchangeToken(refreshToken: string): Promise<string>;
+export declare function revokeToken(refreshToken: string): Promise<void>;
+export declare function getMe(accessToken: string): Promise<{
+    email: string;
+    name: string | null;
+}>;
 export declare function listSets(accessToken: string): Promise<ApiKeySetItem[]>;
-export declare function fetchSecrets(accessToken: string, setId: string): Promise<Record<string, string>>;
+export type SecretsResult = {
+    secrets: Record<string, string>;
+    hosts: Record<string, string>;
+};
+export declare function fetchSecrets(accessToken: string, setId: string, mode?: "run" | "proxy"): Promise<SecretsResult>;

package/dist/lib/api.js

@@ -1,11 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.BASE_URL = void 0;
+exports.listKeys = listKeys;
 exports.exchangeToken = exchangeToken;
+exports.revokeToken = revokeToken;
+exports.getMe = getMe;
 exports.listSets = listSets;
 exports.fetchSecrets = fetchSecrets;
-const BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
+exports.BASE_URL = process.env.ELDING_API_URL ?? "https://app.elding.io";
+async function listKeys(accessToken, setId) {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/keys?setId=${encodeURIComponent(setId)}`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!res.ok)
+        throw new Error("Impossible de récupérer les clés");
+    const body = (await res.json());
+    return Array.isArray(body.keys) ? body.keys : [];
+}
 async function exchangeToken(refreshToken) {
-    const res = await fetch(`${BASE_URL}/api/cli/auth/token`, {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/auth/token`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ refreshToken }),
@@ -15,8 +28,26 @@ async function exchangeToken(refreshToken) {
         throw new Error(body.error ?? "Impossible d'obtenir un access token");
     return body.accessToken;
 }
+async function revokeToken(refreshToken) {
+    await fetch(`${exports.BASE_URL}/api/cli/auth/logout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ refreshToken }),
+    }).catch(() => { });
+}
+async function getMe(accessToken) {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/me`, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+    });
+    if (!res.ok)
+        throw new Error("Impossible de récupérer l'utilisateur");
+    const body = (await res.json());
+    if (!body.success || !body.user)
+        throw new Error("Réponse invalide");
+    return body.user;
+}
 async function listSets(accessToken) {
-    const res = await fetch(`${BASE_URL}/api/cli/sets`, {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/sets`, {
         headers: { Authorization: `Bearer ${accessToken}` },
     });
     if (!res.ok)
@@ -24,10 +55,8 @@ async function listSets(accessToken) {
     const body = (await res.json());
     return Array.isArray(body.sets) ? body.sets : [];
 }
-async function fetchSecrets(accessToken, setId) {
-    const res = await fetch(`${BASE_URL}/api/cli/secrets?setId=${encodeURIComponent(setId)}`, {
-        headers: { Authorization: `Bearer ${accessToken}` },
-    });
+async function fetchSecrets(accessToken, setId, mode = "proxy") {
+    const res = await fetch(`${exports.BASE_URL}/api/cli/secrets?setId=${encodeURIComponent(setId)}&mode=${mode}`, { headers: { Authorization: `Bearer ${accessToken}` } });
     if (!res.ok) {
         const body = (await res.json().catch(() => ({})));
         throw new Error(body.error ?? `Erreur ${res.status}`);
@@ -35,7 +64,10 @@ async function fetchSecrets(accessToken, setId) {
     const body = (await res.json());
     if (!body.success || !body.secrets || typeof body.secrets !== "object")
         throw new Error("Réponse invalide");
-    return sanitizeSecrets(body.secrets);
+    return {
+        secrets: sanitizeSecrets(body.secrets),
+        hosts: body.hosts && typeof body.hosts === "object" ? sanitizeSecrets(body.hosts) : {},
+    };
 }
 const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 // Garde seulement les paires clé/valeur string sûres — évite injection d'objets ou pollution de prototype dans process.env

package/dist/lib/proxyServer.d.ts

@@ -0,0 +1,6 @@
+export type ProxyServer = {
+    url: string;
+    token: string;
+    close: () => void;
+};
+export declare function startProxy(secrets: Record<string, string>, hosts?: Record<string, string>, verbose?: boolean): Promise<ProxyServer>;

package/dist/lib/proxyServer.js

@@ -0,0 +1,154 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startProxy = startProxy;
+const http_1 = __importDefault(require("http"));
+const crypto_1 = require("crypto");
+const PLACEHOLDER = /\{\{([A-Z0-9_]+)\}\}/g;
+// Bloque loopback + plages privées + métadata cloud — empêche le proxy de servir de pivot SSRF
+function isBlockedHost(hostname) {
+    const h = hostname.replace(/^\[|\]$/g, "");
+    if (h === "localhost" || h === "::1")
+        return true;
+    if (/^127\./.test(h))
+        return true;
+    if (/^10\./.test(h))
+        return true;
+    if (/^192\.168\./.test(h))
+        return true;
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
+        return true;
+    if (/^169\.254\./.test(h))
+        return true; // link-local + metadata (169.254.169.254)
+    if (/^fe80:/i.test(h) || /^fc00:/i.test(h) || /^fd/i.test(h))
+        return true;
+    return false;
+}
+// hosts: map nom_secret -> domaine autorisé. Si défini, le secret ne peut être envoyé qu'à ce host.
+function startProxy(secrets, hosts = {}, verbose = false) {
+    const token = (0, crypto_1.randomBytes)(24).toString("hex");
+    // Log une ligne par requête — jamais les valeurs, seulement les placeholders référencés
+    const log = (method, host, path, status, ms, note = "") => {
+        if (!verbose)
+            return;
+        const code = status === "BLOCKED" ? "BLOCKED" : String(status);
+        console.error(`[elding] ${method} ${host}${path}  → ${code}  ${ms}ms${note ? "  " + note : ""}`);
+    };
+    const placeholdersIn = (headers) => {
+        const names = new Set();
+        for (const v of Object.values(headers))
+            for (const m of v.matchAll(PLACEHOLDER))
+                names.add(m[1]);
+        return names.size ? `{{${[...names].join(",")}}}` : "";
+    };
+    // Vérifie que chaque placeholder utilisé est autorisé pour ce host. Retourne le nom fautif, ou null.
+    const findHostViolation = (val, targetHost) => {
+        for (const m of val.matchAll(PLACEHOLDER)) {
+            const name = m[1];
+            const allowed = hosts[name];
+            if (allowed && allowed !== targetHost)
+                return name;
+        }
+        return null;
+    };
+    const substitute = (val) => val.replace(PLACEHOLDER, (_, name) => secrets[name] ?? "");
+    const server = http_1.default.createServer(async (req, res) => {
+        const started = Date.now();
+        try {
+            if (req.headers["x-elding-token"] !== token) {
+                res.writeHead(401);
+                res.end("unauthorized");
+                return;
+            }
+            const target = req.headers["x-elding-target"];
+            if (typeof target !== "string") {
+                res.writeHead(400);
+                res.end("missing x-elding-target");
+                return;
+            }
+            let targetUrl;
+            try {
+                targetUrl = new URL(target);
+            }
+            catch {
+                res.writeHead(400);
+                res.end("bad target");
+                return;
+            }
+            if (targetUrl.protocol !== "https:") {
+                res.writeHead(400);
+                res.end("https only");
+                return;
+            }
+            if (isBlockedHost(targetUrl.hostname)) {
+                log(req.method ?? "?", targetUrl.hostname, req.url ?? "/", "BLOCKED", Date.now() - started, "host bloqué");
+                res.writeHead(403);
+                res.end("blocked host");
+                return;
+            }
+            const upstream = new URL(req.url ?? "/", targetUrl);
+            upstream.protocol = "https:";
+            upstream.host = targetUrl.host;
+            // Enforce host binding : un secret lié à un domaine ne peut partir que vers celui-ci
+            for (const v of Object.values(req.headers)) {
+                if (typeof v !== "string")
+                    continue;
+                const bad = findHostViolation(v, targetUrl.hostname);
+                if (bad) {
+                    log(req.method ?? "?", targetUrl.hostname, upstream.pathname, "BLOCKED", Date.now() - started, `${bad} non autorisé`);
+                    res.writeHead(403);
+                    res.end(`secret "${bad}" non autorisé pour ${targetUrl.hostname}`);
+                    return;
+                }
+            }
+            const headers = {};
+            const rawHeaders = {};
+            for (const [k, v] of Object.entries(req.headers)) {
+                const lk = k.toLowerCase();
+                if (lk.startsWith("x-elding-"))
+                    continue;
+                if (lk === "host" || lk === "connection" || lk === "content-length")
+                    continue;
+                if (typeof v === "string") {
+                    rawHeaders[k] = v;
+                    headers[k] = substitute(v);
+                }
+            }
+            const chunks = [];
+            for await (const c of req)
+                chunks.push(c);
+            const hasBody = chunks.length > 0 && req.method !== "GET" && req.method !== "HEAD";
+            const upstreamRes = await fetch(upstream.toString(), {
+                method: req.method,
+                headers,
+                body: hasBody ? Buffer.concat(chunks) : undefined,
+            });
+            log(req.method ?? "?", targetUrl.hostname, upstream.pathname, upstreamRes.status, Date.now() - started, placeholdersIn(rawHeaders));
+            res.writeHead(upstreamRes.status, Object.fromEntries(upstreamRes.headers));
+            if (upstreamRes.body) {
+                const reader = upstreamRes.body.getReader();
+                for (;;) {
+                    const { done, value } = await reader.read();
+                    if (done)
+                        break;
+                    res.write(value);
+                }
+            }
+            res.end();
+        }
+        catch {
+            if (!res.headersSent)
+                res.writeHead(502);
+            res.end("proxy error");
+        }
+    });
+    return new Promise((resolve) => {
+        server.listen(0, "127.0.0.1", () => {
+            const addr = server.address();
+            const port = typeof addr === "object" && addr ? addr.port : 0;
+            resolve({ url: `http://127.0.0.1:${port}`, token, close: () => server.close() });
+        });
+    });
+}

package/dist/lib/session.d.ts

@@ -0,0 +1 @@
+export declare function requireAccessToken(): Promise<string>;

package/dist/lib/session.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireAccessToken = requireAccessToken;
+const config_js_1 = require("./config.js");
+const api_js_1 = require("./api.js");
+// Lit le token local, l'échange contre un access token. Lève une erreur claire sinon.
+async function requireAccessToken() {
+    const config = (0, config_js_1.readConfig)();
+    if (!config)
+        throw new Error("Non connecté. Lancez `elding login` d'abord.");
+    try {
+        return await (0, api_js_1.exchangeToken)(config.refreshToken);
+    }
+    catch {
+        throw new Error("Token expiré ou révoqué. Relancez `elding login`.");
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elding/cli",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Elding CLI — zero .env, secrets from vault",
   "bin": {
     "elding": "./dist/index.js"