@lamalibre/portlama-agent 1.0.5 → 1.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/portlama-agent",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "description": "Mac agent for Portlama — installs Chisel tunnel client and manages launchd agent",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",

package/src/commands/cp.js

@@ -96,9 +96,7 @@ async function runDownload(config, source, dest) {
 
   try {
     await downloadRemoteFile(
-      config.panelUrl,
-      config.p12Path,
-      config.p12Password,
+      config,
       agentLabel,
       remotePath,
       localPath,
@@ -152,9 +150,7 @@ async function runUpload(config, source, dest) {
 
   try {
     await uploadRemoteFile(
-      config.panelUrl,
-      config.p12Path,
-      config.p12Password,
+      config,
       agentLabel,
       remotePath,
       localPath,

package/src/commands/deploy.js

@@ -71,7 +71,7 @@ export async function runDeploy(args) {
 
   let data;
   try {
-    data = await fetchSites(config.panelUrl, config.p12Path, config.p12Password);
+    data = await fetchSites(config);
   } catch (err) {
     console.error(`\n  ${chalk.red(`Failed to connect to panel: ${err.message}`)}\n`);
     process.exit(1);
@@ -161,22 +161,10 @@ export async function runDeploy(args) {
       {
         title: 'Clearing remote files',
         task: async (_ctx, task) => {
-          const { files: remoteFiles } = await fetchSiteFiles(
-            config.panelUrl,
-            config.p12Path,
-            config.p12Password,
-            siteId,
-            '.',
-          );
+          const { files: remoteFiles } = await fetchSiteFiles(config, siteId, '.');
           for (const f of remoteFiles) {
             task.output = `Removing ${f.name}`;
-            await deleteSiteFile(
-              config.panelUrl,
-              config.p12Path,
-              config.p12Password,
-              siteId,
-              f.name,
-            );
+            await deleteSiteFile(config, siteId, f.name);
           }
         },
         rendererOptions: { persistentOutput: false },
@@ -200,9 +188,7 @@ export async function runDeploy(args) {
               const batch = groupFiles.slice(i, i + 10);
               const uploadDir = dir === '.' ? '.' : dir;
               await uploadSiteFiles(
-                config.panelUrl,
-                config.p12Path,
-                config.p12Password,
+                config,
                 siteId,
                 uploadDir,
                 batch.map((f) => f.absolutePath),
@@ -220,13 +206,7 @@ export async function runDeploy(args) {
           // Count remote files recursively to match local recursive scan
           let remoteCount = 0;
           const countRemote = async (dirPath) => {
-            const { files: entries } = await fetchSiteFiles(
-              config.panelUrl,
-              config.p12Path,
-              config.p12Password,
-              siteId,
-              dirPath,
-            );
+            const { files: entries } = await fetchSiteFiles(config, siteId, dirPath);
             for (const entry of entries) {
               if (entry.type === 'directory') {
                 const subPath = dirPath === '.' ? entry.name : `${dirPath}/${entry.name}`;

package/src/commands/setup.js

@@ -1,16 +1,18 @@
 import { createInterface } from 'node:readline';
 import { existsSync } from 'node:fs';
-import { mkdir } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
+import path from 'node:path';
 import { Listr } from 'listr2';
 import chalk from 'chalk';
-import { assertMacOS, CHISEL_BIN_DIR, LOGS_DIR } from '../lib/platform.js';
+import { assertMacOS, CHISEL_BIN_DIR, LOGS_DIR, AGENT_DIR } from '../lib/platform.js';
 import { loadAgentConfig, saveAgentConfig } from '../lib/config.js';
-import { fetchHealth, fetchPlist, fetchTunnels } from '../lib/panel-api.js';
+import { fetchHealth, fetchPlist, fetchTunnels, curlPostUnauthenticated } from '../lib/panel-api.js';
 import { extractPemFromP12, cleanupPemFiles } from '../lib/ws-helpers.js';
 import { installChisel } from '../lib/chisel.js';
 import { rewritePlist, writePlistFile } from '../lib/plist.js';
 import { isAgentLoaded, unloadAgent, loadAgent, getAgentPid } from '../lib/launchctl.js';
+import { generateKeypairAndCSR, importIdentityToKeychain, secureDelete } from '../lib/keychain.js';
 
 /**
  * Prompt for user input via readline.
@@ -34,10 +36,283 @@ function prompt(question, defaultValue) {
   });
 }
 
+/**
+ * Parse --token and --panel-url flags from argv.
+ * @returns {{ token?: string, panelUrl?: string }}
+ */
+function parseSetupFlags() {
+  const args = process.argv.slice(2);
+  const flags = {};
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--token' && args[i + 1]) {
+      flags.token = args[++i];
+    } else if (args[i] === '--panel-url' && args[i + 1]) {
+      flags.panelUrl = args[++i];
+    }
+  }
+  return flags;
+}
+
 /**
  * Run the interactive setup flow.
+ * If --token is provided, uses the hardware-bound enrollment flow.
  */
 export async function runSetup() {
+  const flags = parseSetupFlags();
+
+  if (flags.token) {
+    return runTokenSetup(flags);
+  }
+
+  return runP12Setup();
+}
+
+/**
+ * Hardware-bound enrollment flow using a one-time token.
+ * Generates a keypair locally, sends CSR to the panel, imports the signed
+ * certificate into macOS Keychain as a non-extractable identity.
+ *
+ * @param {{ token: string, panelUrl?: string }} flags
+ */
+async function runTokenSetup(flags) {
+  // Step 1: Verify macOS
+  assertMacOS();
+
+  // Check for existing config
+  const existingConfig = await loadAgentConfig();
+  if (existingConfig) {
+    console.log('');
+    console.log(chalk.yellow('  An existing agent configuration was found.'));
+    console.log(chalk.yellow('  Running setup again will overwrite it.'));
+    console.log('');
+  }
+
+  console.log('');
+  console.log(chalk.bold('  Portlama Agent Setup (Hardware-Bound Certificate)'));
+  console.log(chalk.dim('  Connect this Mac to your Portlama server using a Keychain-bound certificate.'));
+  console.log('');
+
+  let panelUrl = flags.panelUrl;
+  if (!panelUrl) {
+    panelUrl = await prompt('Panel URL (e.g. https://1.2.3.4:9292)', existingConfig?.panelUrl);
+  }
+  if (!panelUrl) {
+    throw new Error('Panel URL is required. Pass --panel-url <url> or enter interactively.');
+  }
+
+  const normalizedUrl = panelUrl.replace(/\/+$/, '');
+
+  console.log('');
+
+  // Context shared across tasks
+  const ctx = {
+    panelUrl: normalizedUrl,
+    token: flags.token,
+    agentLabel: null,
+    keychainIdentity: null,
+    chiselVersion: null,
+    plistXml: null,
+    domain: null,
+    tunnels: [],
+  };
+
+  const tasks = new Listr(
+    [
+      {
+        title: 'Creating directories',
+        task: async () => {
+          await mkdir(AGENT_DIR, { recursive: true, mode: 0o700 });
+          await mkdir(CHISEL_BIN_DIR, { recursive: true });
+          await mkdir(LOGS_DIR, { recursive: true });
+        },
+      },
+      {
+        title: 'Generating keypair and CSR',
+        task: async (_ctx, task) => {
+          // We use a temporary label placeholder — the actual label comes from the token
+          // We'll pass 'pending' and fix after enrollment
+          ctx._keyData = await generateKeypairAndCSR('pending');
+          task.output = 'Keypair generated (4096-bit RSA)';
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Enrolling with panel',
+        task: async (_ctx, task) => {
+          const enrollUrl = `${ctx.panelUrl}/api/enroll`;
+          const result = await curlPostUnauthenticated(enrollUrl, {
+            token: ctx.token,
+            csr: ctx._keyData.csrPem,
+          });
+
+          if (!result.ok) {
+            throw new Error(result.error || 'Enrollment failed');
+          }
+
+          ctx.agentLabel = result.label;
+          ctx._certPem = result.cert;
+          ctx._caCertPem = result.caCert;
+          task.output = `Enrolled as "${result.label}" (serial: ${result.serial})`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Importing certificate into Keychain',
+        task: async (_ctx, task) => {
+          // The server overrides the CSR subject with the correct CN=agent:<label>
+          // during signing, so the CSR placeholder subject doesn't matter.
+          const { identity } = await importIdentityToKeychain(
+            ctx._keyData.keyPath,
+            ctx._certPem,
+            ctx._caCertPem,
+            ctx.agentLabel,
+            console,
+          );
+          ctx.keychainIdentity = identity;
+          task.output = `Identity "${identity}" imported (non-extractable)`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Saving CA certificate',
+        task: async () => {
+          const caPath = path.join(AGENT_DIR, 'ca.crt');
+          await writeFile(caPath, ctx._caCertPem, { mode: 0o644 });
+        },
+      },
+      {
+        title: 'Verifying panel connectivity',
+        task: async (_ctx, task) => {
+          const config = {
+            panelUrl: ctx.panelUrl,
+            authMethod: 'keychain',
+            keychainIdentity: ctx.keychainIdentity,
+          };
+          const health = await fetchHealth(config);
+          task.output = `Panel is reachable (status: ${health.status || 'ok'})`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Installing Chisel',
+        task: async (_ctx, task) => {
+          const result = await installChisel();
+          ctx.chiselVersion = result.version;
+          if (result.skipped) {
+            task.output = `Already installed (${result.version})`;
+          } else {
+            task.output = `Installed ${result.version}`;
+          }
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Fetching tunnel configuration',
+        task: async (_ctx, task) => {
+          const config = {
+            panelUrl: ctx.panelUrl,
+            authMethod: 'keychain',
+            keychainIdentity: ctx.keychainIdentity,
+          };
+          const data = await fetchPlist(config);
+          ctx.plistXml = data.plist;
+
+          const tunnelData = await fetchTunnels(config);
+          ctx.tunnels = tunnelData.tunnels || [];
+          task.output = `${ctx.tunnels.length} tunnel(s) configured`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Rewriting plist paths',
+        task: async () => {
+          ctx.plistXml = rewritePlist(ctx.plistXml);
+        },
+      },
+      {
+        title: 'Writing plist file',
+        task: async () => {
+          await writePlistFile(ctx.plistXml);
+        },
+      },
+      {
+        title: 'Unloading previous agent',
+        skip: async () => {
+          const loaded = await isAgentLoaded();
+          return !loaded && 'No previous agent loaded';
+        },
+        task: async () => {
+          await unloadAgent();
+        },
+      },
+      {
+        title: 'Loading agent',
+        task: async () => {
+          await loadAgent();
+        },
+      },
+      {
+        title: 'Verifying agent is running',
+        task: async (_ctx, task) => {
+          await new Promise((r) => setTimeout(r, 2000));
+          const pid = await getAgentPid();
+          if (pid) {
+            task.output = `Agent running (PID ${pid})`;
+          } else {
+            const loaded = await isAgentLoaded();
+            if (loaded) {
+              task.output = 'Agent loaded (process starting...)';
+            } else {
+              throw new Error('Agent failed to load. Check logs with: portlama-agent logs');
+            }
+          }
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Saving configuration',
+        task: async () => {
+          const domainMatch = ctx.plistXml.match(/wss:\/\/tunnel\.([^:]+):/);
+          ctx.domain = domainMatch ? domainMatch[1] : null;
+
+          await saveAgentConfig({
+            panelUrl: ctx.panelUrl,
+            authMethod: 'keychain',
+            keychainIdentity: ctx.keychainIdentity,
+            agentLabel: ctx.agentLabel,
+            domain: ctx.domain,
+            chiselVersion: ctx.chiselVersion,
+            setupAt: new Date().toISOString(),
+          });
+        },
+      },
+    ],
+    {
+      renderer: 'default',
+      rendererOptions: { collapseSubtasks: false },
+      exitOnError: true,
+    },
+  );
+
+  try {
+    await tasks.run();
+  } catch (err) {
+    // Securely delete the temporary private key if it was generated but not
+    // yet imported into Keychain (importIdentityToKeychain handles its own cleanup).
+    if (ctx._keyData?.keyPath) {
+      await secureDelete(ctx._keyData.keyPath).catch(() => {});
+    }
+    throw err;
+  }
+
+  // Print summary
+  printSetupSummary(ctx);
+}
+
+/**
+ * Traditional P12-based setup flow.
+ */
+async function runP12Setup() {
   // Step 1: Verify macOS
   assertMacOS();
 
@@ -206,6 +481,7 @@ export async function runSetup() {
 
           await saveAgentConfig({
             panelUrl: ctx.panelUrl,
+            authMethod: 'p12',
             p12Path: ctx.p12Path,
             p12Password: ctx.p12Password,
             domain: ctx.domain,

package/src/commands/shell-log.js

@@ -76,7 +76,7 @@ async function runList(config, agentLabel) {
 
   let sessions;
   try {
-    const data = await fetchShellSessions(config.panelUrl, config.p12Path, config.p12Password);
+    const data = await fetchShellSessions(config);
     sessions = data.sessions || [];
   } catch (err) {
     console.log(`  ${y(`Could not fetch sessions: ${err.message}`)}`);
@@ -142,9 +142,7 @@ async function runDownload(config, agentLabel, sessionId) {
 
   try {
     await downloadShellRecording(
-      config.panelUrl,
-      config.p12Path,
-      config.p12Password,
+      config,
       agentLabel,
       sessionId,
       outputPath,

package/src/commands/shell-server.js

@@ -399,6 +399,13 @@ export async function runShellServer() {
     process.exit(1);
   }
 
+  // WebSocket requires PEM cert/key — not available with Keychain-bound keys
+  if (config.authMethod === 'keychain') {
+    console.error(chalk.red('  Shell server is not yet supported with hardware-bound (Keychain) certificates.'));
+    console.error(chalk.dim('  Use a P12-enrolled agent for shell access.'));
+    process.exit(1);
+  }
+
   // Extract PEM certificates from p12
   let pem;
   try {
@@ -438,7 +445,7 @@ export async function runShellServer() {
   while (running) {
     let agentStatus;
     try {
-      agentStatus = await fetchAgentStatus(config.panelUrl, config.p12Path, config.p12Password);
+      agentStatus = await fetchAgentStatus(config);
     } catch (err) {
       console.error(chalk.yellow(`  Could not reach panel: ${err.message}`));
       await sleep(POLL_INTERVAL_MS);

package/src/commands/shell.js

@@ -20,6 +20,13 @@ export async function runShell(args) {
   console.log('');
   console.log(chalk.dim(`  Connecting to agent ${chalk.bold(agentLabel)}...`));
 
+  // WebSocket requires PEM cert/key — not available with Keychain-bound keys
+  if (config.authMethod === 'keychain') {
+    console.error(chalk.red('\n  Shell access is not yet supported with hardware-bound (Keychain) certificates.'));
+    console.error(chalk.dim('  Use a P12-enrolled agent for shell access.\n'));
+    process.exit(1);
+  }
+
   // Extract PEM certificates from p12
   let pem;
   try {

package/src/commands/sites.js

@@ -87,7 +87,7 @@ async function runList(config) {
 
   let sites;
   try {
-    const data = await fetchSites(config.panelUrl, config.p12Path, config.p12Password);
+    const data = await fetchSites(config);
     sites = data.sites || [];
   } catch {
     console.log(`  ${y('Could not reach panel to fetch site list.')}`);
@@ -163,7 +163,7 @@ async function runCreate(config, args) {
 
   let result;
   try {
-    result = await createSite(config.panelUrl, config.p12Path, config.p12Password, body);
+    result = await createSite(config, body);
   } catch (err) {
     const detail = err.message || 'Unknown error';
     console.error(`\n  ${chalk.red(`Failed to create site: ${detail}`)}\n`);
@@ -207,7 +207,7 @@ async function runDelete(config, args) {
   } else {
     let data;
     try {
-      data = await fetchSites(config.panelUrl, config.p12Path, config.p12Password);
+      data = await fetchSites(config);
     } catch (err) {
       console.error(`\n  ${chalk.red(`Failed to connect to panel: ${err.message}`)}\n`);
       process.exit(1);
@@ -229,7 +229,7 @@ async function runDelete(config, args) {
   }
 
   try {
-    await deleteSite(config.panelUrl, config.p12Path, config.p12Password, siteId);
+    await deleteSite(config, siteId);
   } catch (err) {
     const detail = err.message || 'Unknown error';
     console.error(`\n  ${chalk.red(`Failed to delete site: ${detail}`)}\n`);

package/src/commands/status.js

@@ -69,7 +69,7 @@ export async function runStatus() {
   console.log(d('  ─'.repeat(28)));
 
   try {
-    const data = await fetchTunnels(config.panelUrl, config.p12Path, config.p12Password);
+    const data = await fetchTunnels(config);
     const tunnels = data.tunnels || [];
 
     if (tunnels.length === 0) {

package/src/commands/update.js

@@ -25,14 +25,10 @@ export async function runUpdate() {
       {
         title: 'Fetching updated tunnel configuration',
         task: async (_ctx, task) => {
-          const data = await fetchPlist(config.panelUrl, config.p12Path, config.p12Password);
+          const data = await fetchPlist(config);
           ctx.plistXml = data.plist;
 
-          const tunnelData = await fetchTunnels(
-            config.panelUrl,
-            config.p12Path,
-            config.p12Password,
-          );
+          const tunnelData = await fetchTunnels(config);
           ctx.tunnels = tunnelData.tunnels || [];
           task.output = `${ctx.tunnels.length} tunnel(s) configured`;
         },

package/src/lib/config.js

@@ -4,12 +4,29 @@ import { CONFIG_PATH, AGENT_DIR } from './platform.js';
 /**
  * Load the agent config from ~/.portlama/agent.json.
  * Returns null if the file does not exist.
+ *
+ * Config fields:
+ * - panelUrl: string — Panel URL
+ * - authMethod: 'p12' | 'keychain' — Authentication method (defaults to 'p12' if missing)
+ * - p12Path: string — Path to P12 file (when authMethod is 'p12')
+ * - p12Password: string — P12 password (when authMethod is 'p12')
+ * - keychainIdentity: string — Keychain identity name (when authMethod is 'keychain')
+ * - agentLabel: string — Agent label (when authMethod is 'keychain')
+ * - domain?: string
+ * - chiselVersion?: string
+ * - setupAt?: string
+ *
  * @returns {Promise<object | null>}
  */
 export async function loadAgentConfig() {
   try {
     const raw = await readFile(CONFIG_PATH, 'utf8');
-    return JSON.parse(raw);
+    const config = JSON.parse(raw);
+    // Default authMethod to 'p12' for backwards compatibility
+    if (config && !config.authMethod) {
+      config.authMethod = 'p12';
+    }
+    return config;
   } catch {
     return null;
   }