@icoretech/warden-mcp 0.1.0

package/dist/bw/bwSession.js

@@ -0,0 +1,230 @@
+// src/bw/bwSession.ts
+import { rm } from 'node:fs/promises';
+import { join } from 'node:path';
+import { runBw } from './bwCli.js';
+import { Mutex } from './mutex.js';
+function requiredEnv(name) {
+    const v = process.env[name];
+    if (!v)
+        throw new Error(`Missing required env var: ${name}`);
+    return v;
+}
+export function readBwEnv() {
+    const unlockIntervalSecondsRaw = process.env.BW_UNLOCK_INTERVAL ?? '300';
+    const unlockIntervalSeconds = Number.parseInt(unlockIntervalSecondsRaw, 10);
+    const host = requiredEnv('BW_HOST');
+    const password = requiredEnv('BW_PASSWORD');
+    const clientId = process.env.BW_CLIENTID;
+    const clientSecret = process.env.BW_CLIENTSECRET;
+    const user = process.env.BW_USER ?? process.env.BW_USERNAME;
+    const login = clientId && clientSecret
+        ? { method: 'apikey', clientId, clientSecret }
+        : user
+            ? { method: 'userpass', user }
+            : (() => {
+                throw new Error('Missing login env: set BW_CLIENTID+BW_CLIENTSECRET or BW_USER/BW_USERNAME');
+            })();
+    return {
+        host,
+        password,
+        unlockIntervalSeconds: Number.isFinite(unlockIntervalSeconds)
+            ? unlockIntervalSeconds
+            : 300,
+        login,
+    };
+}
+export class BwSessionManager {
+    env;
+    lock = new Mutex();
+    session = null;
+    templateItem = null;
+    keepaliveTimer = null;
+    configuredHost = null;
+    homeDir;
+    constructor(env) {
+        this.env = env;
+        this.homeDir = env.homeDir ?? process.env.HOME ?? '/data';
+    }
+    baseEnv(extra) {
+        return { HOME: this.homeDir, ...(extra ?? {}) };
+    }
+    // Must be called while holding `this.lock` (i.e. from within `withSession`).
+    async getTemplateItemLocked(session) {
+        if (this.templateItem)
+            return this.templateItem;
+        const { stdout } = await runBw(['--session', session, 'get', 'template', 'item'], {
+            env: this.baseEnv(),
+            timeoutMs: 60_000,
+        });
+        const parsed = JSON.parse(stdout);
+        this.templateItem = parsed;
+        return parsed;
+    }
+    startKeepUnlocked() {
+        if (this.keepaliveTimer)
+            return;
+        const intervalMs = Math.max(10, this.env.unlockIntervalSeconds) * 1000;
+        this.keepaliveTimer = setInterval(() => {
+            void this.lock.runExclusive(async () => {
+                try {
+                    await this.ensureUnlockedInternal();
+                }
+                catch {
+                    // Keepalive is best-effort; tools will surface failures.
+                }
+            });
+        }, intervalMs);
+        this.keepaliveTimer.unref?.();
+    }
+    async withSession(fn) {
+        return this.lock.runExclusive(async () => {
+            const session = await this.ensureUnlockedInternal();
+            return fn(session);
+        });
+    }
+    async getTemplateItem() {
+        return this.lock.runExclusive(async () => {
+            const session = await this.ensureUnlockedInternal();
+            return this.getTemplateItemLocked(session);
+        });
+    }
+    // Use this inside a `withSession` callback to avoid deadlocking by re-taking the same mutex.
+    async getTemplateItemForSession(session) {
+        return this.getTemplateItemLocked(session);
+    }
+    async status() {
+        return this.withSession(async (session) => {
+            const { stdout } = await runBw(['--session', session, 'status'], {
+                env: this.baseEnv(),
+                timeoutMs: 60_000,
+            });
+            const parsed = JSON.parse(stdout);
+            const serverUrl = typeof parsed.serverUrl === 'string' ? parsed.serverUrl : this.env.host;
+            const userEmail = typeof parsed.userEmail === 'string'
+                ? parsed.userEmail
+                : this.env.login.method === 'userpass'
+                    ? this.env.login.user
+                    : null;
+            const summaryParts = ['Vault access ready'];
+            if (userEmail)
+                summaryParts.push(`for ${userEmail}`);
+            if (serverUrl)
+                summaryParts.push(`on ${serverUrl}`);
+            return {
+                ...parsed,
+                summary: `${summaryParts.join(' ')}.`,
+                operational: {
+                    ready: true,
+                    sessionValid: true,
+                    source: 'session_manager',
+                },
+            };
+        });
+    }
+    // Run a bw command within an existing session, using this manager's HOME/profile.
+    // Intended to be used from inside `withSession` to avoid relocking.
+    async runForSession(session, args, opts = {}) {
+        return runBw(['--session', session, ...args], {
+            ...opts,
+            env: this.baseEnv(opts.env),
+        });
+    }
+    async ensureUnlockedInternal() {
+        // Ensure server config points to BW_HOST.
+        await this.ensureServerConfigured();
+        // If we already have a session, check if it still works.
+        if (this.session) {
+            try {
+                const { stdout } = await runBw(['--session', this.session, 'unlock', '--check'], {
+                    env: this.baseEnv(),
+                    timeoutMs: 30_000,
+                });
+                // unlock --check prints "Vault is unlocked!" or similar; exit code 0 means ok.
+                void stdout;
+                return this.session;
+            }
+            catch {
+                this.session = null;
+            }
+        }
+        const unlockEnv = this.baseEnv({
+            BW_PASSWORD: this.env.password,
+            BW_HOST: this.env.host,
+        });
+        const tryUnlock = async () => {
+            try {
+                const { stdout } = await runBw(['unlock', '--passwordenv', 'BW_PASSWORD', '--raw'], { env: unlockEnv, timeoutMs: 60_000 });
+                return stdout.trim();
+            }
+            catch {
+                return '';
+            }
+        };
+        const tryLoginRaw = async () => {
+            try {
+                if (this.env.login.method === 'apikey') {
+                    const { stdout } = await runBw(['login', '--apikey', '--raw'], {
+                        env: this.baseEnv({
+                            BW_CLIENTID: this.env.login.clientId,
+                            BW_CLIENTSECRET: this.env.login.clientSecret,
+                            BW_HOST: this.env.host,
+                        }),
+                        timeoutMs: 60_000,
+                    });
+                    return stdout.trim();
+                }
+                const { stdout } = await runBw([
+                    'login',
+                    this.env.login.user,
+                    '--passwordenv',
+                    'BW_PASSWORD',
+                    '--raw',
+                ], { env: unlockEnv, timeoutMs: 60_000 });
+                return stdout.trim();
+            }
+            catch {
+                return '';
+            }
+        };
+        // Prefer unlocking first (works when already logged in). If it yields an empty
+        // stdout on exit=0 (observed in some bw builds), fall back to login --raw.
+        let session = await tryUnlock();
+        if (!session)
+            session = await tryLoginRaw();
+        if (!session)
+            session = await tryUnlock();
+        if (!session)
+            throw new Error('bw login/unlock returned an empty session');
+        this.session = session;
+        return session;
+    }
+    async ensureServerConfigured() {
+        if (this.configuredHost === this.env.host)
+            return;
+        // bw requires logout before config server update.
+        await runBw(['logout'], { env: this.baseEnv(), timeoutMs: 30_000 }).catch(() => { });
+        try {
+            await runBw(['config', 'server', this.env.host], {
+                env: this.baseEnv(),
+                timeoutMs: 30_000,
+            });
+            this.configuredHost = this.env.host;
+            return;
+        }
+        catch {
+            // If the CLI data is corrupt/out-of-sync, wiping config is the fastest recovery.
+        }
+        const home = this.homeDir;
+        await rm(join(home, '.config', 'Bitwarden CLI', 'data.json'), {
+            force: true,
+        }).catch(() => { });
+        await rm(join(home, '.config', 'Bitwarden CLI', 'config.json'), {
+            force: true,
+        }).catch(() => { });
+        await runBw(['config', 'server', this.env.host], {
+            env: this.baseEnv(),
+            timeoutMs: 30_000,
+        });
+        this.configuredHost = this.env.host;
+    }
+}

package/dist/bw/mutex.js

@@ -0,0 +1,19 @@
+// src/bw/mutex.ts
+export class Mutex {
+    current = Promise.resolve();
+    async runExclusive(fn) {
+        let release;
+        const next = new Promise((resolve) => {
+            release = resolve;
+        });
+        const prev = this.current;
+        this.current = this.current.then(() => next);
+        await prev;
+        try {
+            return await fn();
+        }
+        finally {
+            release?.();
+        }
+    }
+}

package/dist/sdk/generateArgs.js

@@ -0,0 +1,64 @@
+function hasOwn(o, k) {
+    return Object.hasOwn(o, k);
+}
+/**
+ * Build args for `bw --raw generate ...`.
+ *
+ * Defaults:
+ * - If the caller does not specify any of {uppercase, lowercase, number, special},
+ *   we do NOT pass charset flags and let `bw` use its defaults (`-uln --length 14`).
+ * - If the caller specifies any charset flag, we treat unspecified flags as
+ *   "UI defaults": uppercase/lowercase/number default to true; special defaults
+ *   to false. This makes `{ special: true }` behave like "toggle special on".
+ *
+ * Note: `bw` doesn’t support explicit "disable numbers"; to exclude a charset you
+ * omit that flag. We avoid accidentally triggering `bw` defaults by including
+ * at least one charset flag when the user is in "explicit charset" mode.
+ */
+export function buildBwGenerateArgs(input) {
+    const args = ['--raw', 'generate'];
+    if (input.passphrase) {
+        args.push('--passphrase');
+        if (typeof input.words === 'number')
+            args.push('--words', String(input.words));
+        if (typeof input.separator === 'string')
+            args.push('--separator', input.separator);
+        if (input.capitalize)
+            args.push('--capitalize');
+        if (input.includeNumber)
+            args.push('--includeNumber');
+    }
+    else {
+        const hasUpper = hasOwn(input, 'uppercase');
+        const hasLower = hasOwn(input, 'lowercase');
+        const hasNumber = hasOwn(input, 'number');
+        const hasSpecial = hasOwn(input, 'special');
+        const explicitCharset = hasUpper || hasLower || hasNumber || hasSpecial;
+        if (explicitCharset) {
+            const uppercase = hasUpper ? input.uppercase === true : true;
+            const lowercase = hasLower ? input.lowercase === true : true;
+            const number = hasNumber ? input.number === true : true;
+            const special = hasSpecial ? input.special === true : false;
+            if (!uppercase && !lowercase && !number && !special) {
+                throw new Error('At least one of uppercase/lowercase/number/special must be true');
+            }
+            if (uppercase)
+                args.push('--uppercase');
+            if (lowercase)
+                args.push('--lowercase');
+            if (number)
+                args.push('--number');
+            if (special)
+                args.push('--special');
+        }
+    }
+    if (typeof input.length === 'number')
+        args.push('--length', String(input.length));
+    if (typeof input.minNumber === 'number')
+        args.push('--minNumber', String(input.minNumber));
+    if (typeof input.minSpecial === 'number')
+        args.push('--minSpecial', String(input.minSpecial));
+    if (input.ambiguous)
+        args.push('--ambiguous');
+    return args;
+}