@lamalibre/portlama-agent 1.0.5 → 1.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamalibre/portlama-agent",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "Mac agent for Portlama — installs Chisel tunnel client and manages launchd agent",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",

package/src/commands/deploy.js

@@ -71,7 +71,7 @@ export async function runDeploy(args) {
 
   let data;
   try {
-    data = await fetchSites(config.panelUrl, config.p12Path, config.p12Password);
+    data = await fetchSites(config);
   } catch (err) {
     console.error(`\n  ${chalk.red(`Failed to connect to panel: ${err.message}`)}\n`);
     process.exit(1);
@@ -161,22 +161,10 @@ export async function runDeploy(args) {
       {
         title: 'Clearing remote files',
         task: async (_ctx, task) => {
-          const { files: remoteFiles } = await fetchSiteFiles(
-            config.panelUrl,
-            config.p12Path,
-            config.p12Password,
-            siteId,
-            '.',
-          );
+          const { files: remoteFiles } = await fetchSiteFiles(config, siteId, '.');
           for (const f of remoteFiles) {
             task.output = `Removing ${f.name}`;
-            await deleteSiteFile(
-              config.panelUrl,
-              config.p12Path,
-              config.p12Password,
-              siteId,
-              f.name,
-            );
+            await deleteSiteFile(config, siteId, f.name);
           }
         },
         rendererOptions: { persistentOutput: false },
@@ -200,9 +188,7 @@ export async function runDeploy(args) {
               const batch = groupFiles.slice(i, i + 10);
               const uploadDir = dir === '.' ? '.' : dir;
               await uploadSiteFiles(
-                config.panelUrl,
-                config.p12Path,
-                config.p12Password,
+                config,
                 siteId,
                 uploadDir,
                 batch.map((f) => f.absolutePath),
@@ -220,13 +206,7 @@ export async function runDeploy(args) {
           // Count remote files recursively to match local recursive scan
           let remoteCount = 0;
           const countRemote = async (dirPath) => {
-            const { files: entries } = await fetchSiteFiles(
-              config.panelUrl,
-              config.p12Path,
-              config.p12Password,
-              siteId,
-              dirPath,
-            );
+            const { files: entries } = await fetchSiteFiles(config, siteId, dirPath);
             for (const entry of entries) {
               if (entry.type === 'directory') {
                 const subPath = dirPath === '.' ? entry.name : `${dirPath}/${entry.name}`;

package/src/commands/setup.js

@@ -1,16 +1,18 @@
 import { createInterface } from 'node:readline';
 import { existsSync } from 'node:fs';
-import { mkdir } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { resolve } from 'node:path';
+import path from 'node:path';
 import { Listr } from 'listr2';
 import chalk from 'chalk';
-import { assertMacOS, CHISEL_BIN_DIR, LOGS_DIR } from '../lib/platform.js';
+import { assertMacOS, CHISEL_BIN_DIR, LOGS_DIR, AGENT_DIR } from '../lib/platform.js';
 import { loadAgentConfig, saveAgentConfig } from '../lib/config.js';
-import { fetchHealth, fetchPlist, fetchTunnels } from '../lib/panel-api.js';
+import { fetchHealth, fetchPlist, fetchTunnels, curlPostUnauthenticated } from '../lib/panel-api.js';
 import { extractPemFromP12, cleanupPemFiles } from '../lib/ws-helpers.js';
 import { installChisel } from '../lib/chisel.js';
 import { rewritePlist, writePlistFile } from '../lib/plist.js';
 import { isAgentLoaded, unloadAgent, loadAgent, getAgentPid } from '../lib/launchctl.js';
+import { generateKeypairAndCSR, importIdentityToKeychain, secureDelete } from '../lib/keychain.js';
 
 /**
  * Prompt for user input via readline.
@@ -34,10 +36,283 @@ function prompt(question, defaultValue) {
   });
 }
 
+/**
+ * Parse --token and --panel-url flags from argv.
+ * @returns {{ token?: string, panelUrl?: string }}
+ */
+function parseSetupFlags() {
+  const args = process.argv.slice(2);
+  const flags = {};
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--token' && args[i + 1]) {
+      flags.token = args[++i];
+    } else if (args[i] === '--panel-url' && args[i + 1]) {
+      flags.panelUrl = args[++i];
+    }
+  }
+  return flags;
+}
+
 /**
  * Run the interactive setup flow.
+ * If --token is provided, uses the hardware-bound enrollment flow.
  */
 export async function runSetup() {
+  const flags = parseSetupFlags();
+
+  if (flags.token) {
+    return runTokenSetup(flags);
+  }
+
+  return runP12Setup();
+}
+
+/**
+ * Hardware-bound enrollment flow using a one-time token.
+ * Generates a keypair locally, sends CSR to the panel, imports the signed
+ * certificate into macOS Keychain as a non-extractable identity.
+ *
+ * @param {{ token: string, panelUrl?: string }} flags
+ */
+async function runTokenSetup(flags) {
+  // Step 1: Verify macOS
+  assertMacOS();
+
+  // Check for existing config
+  const existingConfig = await loadAgentConfig();
+  if (existingConfig) {
+    console.log('');
+    console.log(chalk.yellow('  An existing agent configuration was found.'));
+    console.log(chalk.yellow('  Running setup again will overwrite it.'));
+    console.log('');
+  }
+
+  console.log('');
+  console.log(chalk.bold('  Portlama Agent Setup (Hardware-Bound Certificate)'));
+  console.log(chalk.dim('  Connect this Mac to your Portlama server using a Keychain-bound certificate.'));
+  console.log('');
+
+  let panelUrl = flags.panelUrl;
+  if (!panelUrl) {
+    panelUrl = await prompt('Panel URL (e.g. https://1.2.3.4:9292)', existingConfig?.panelUrl);
+  }
+  if (!panelUrl) {
+    throw new Error('Panel URL is required. Pass --panel-url <url> or enter interactively.');
+  }
+
+  const normalizedUrl = panelUrl.replace(/\/+$/, '');
+
+  console.log('');
+
+  // Context shared across tasks
+  const ctx = {
+    panelUrl: normalizedUrl,
+    token: flags.token,
+    agentLabel: null,
+    keychainIdentity: null,
+    chiselVersion: null,
+    plistXml: null,
+    domain: null,
+    tunnels: [],
+  };
+
+  const tasks = new Listr(
+    [
+      {
+        title: 'Creating directories',
+        task: async () => {
+          await mkdir(AGENT_DIR, { recursive: true, mode: 0o700 });
+          await mkdir(CHISEL_BIN_DIR, { recursive: true });
+          await mkdir(LOGS_DIR, { recursive: true });
+        },
+      },
+      {
+        title: 'Generating keypair and CSR',
+        task: async (_ctx, task) => {
+          // We use a temporary label placeholder — the actual label comes from the token
+          // We'll pass 'pending' and fix after enrollment
+          ctx._keyData = await generateKeypairAndCSR('pending');
+          task.output = 'Keypair generated (4096-bit RSA)';
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Enrolling with panel',
+        task: async (_ctx, task) => {
+          const enrollUrl = `${ctx.panelUrl}/api/enroll`;
+          const result = await curlPostUnauthenticated(enrollUrl, {
+            token: ctx.token,
+            csr: ctx._keyData.csrPem,
+          });
+
+          if (!result.ok) {
+            throw new Error(result.error || 'Enrollment failed');
+          }
+
+          ctx.agentLabel = result.label;
+          ctx._certPem = result.cert;
+          ctx._caCertPem = result.caCert;
+          task.output = `Enrolled as "${result.label}" (serial: ${result.serial})`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Importing certificate into Keychain',
+        task: async (_ctx, task) => {
+          // The server overrides the CSR subject with the correct CN=agent:<label>
+          // during signing, so the CSR placeholder subject doesn't matter.
+          const { identity } = await importIdentityToKeychain(
+            ctx._keyData.keyPath,
+            ctx._certPem,
+            ctx._caCertPem,
+            ctx.agentLabel,
+            console,
+          );
+          ctx.keychainIdentity = identity;
+          task.output = `Identity "${identity}" imported (non-extractable)`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Saving CA certificate',
+        task: async () => {
+          const caPath = path.join(AGENT_DIR, 'ca.crt');
+          await writeFile(caPath, ctx._caCertPem, { mode: 0o644 });
+        },
+      },
+      {
+        title: 'Verifying panel connectivity',
+        task: async (_ctx, task) => {
+          const config = {
+            panelUrl: ctx.panelUrl,
+            authMethod: 'keychain',
+            keychainIdentity: ctx.keychainIdentity,
+          };
+          const health = await fetchHealth(config);
+          task.output = `Panel is reachable (status: ${health.status || 'ok'})`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Installing Chisel',
+        task: async (_ctx, task) => {
+          const result = await installChisel();
+          ctx.chiselVersion = result.version;
+          if (result.skipped) {
+            task.output = `Already installed (${result.version})`;
+          } else {
+            task.output = `Installed ${result.version}`;
+          }
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Fetching tunnel configuration',
+        task: async (_ctx, task) => {
+          const config = {
+            panelUrl: ctx.panelUrl,
+            authMethod: 'keychain',
+            keychainIdentity: ctx.keychainIdentity,
+          };
+          const data = await fetchPlist(config);
+          ctx.plistXml = data.plist;
+
+          const tunnelData = await fetchTunnels(config);
+          ctx.tunnels = tunnelData.tunnels || [];
+          task.output = `${ctx.tunnels.length} tunnel(s) configured`;
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Rewriting plist paths',
+        task: async () => {
+          ctx.plistXml = rewritePlist(ctx.plistXml);
+        },
+      },
+      {
+        title: 'Writing plist file',
+        task: async () => {
+          await writePlistFile(ctx.plistXml);
+        },
+      },
+      {
+        title: 'Unloading previous agent',
+        skip: async () => {
+          const loaded = await isAgentLoaded();
+          return !loaded && 'No previous agent loaded';
+        },
+        task: async () => {
+          await unloadAgent();
+        },
+      },
+      {
+        title: 'Loading agent',
+        task: async () => {
+          await loadAgent();
+        },
+      },
+      {
+        title: 'Verifying agent is running',
+        task: async (_ctx, task) => {
+          await new Promise((r) => setTimeout(r, 2000));
+          const pid = await getAgentPid();
+          if (pid) {
+            task.output = `Agent running (PID ${pid})`;
+          } else {
+            const loaded = await isAgentLoaded();
+            if (loaded) {
+              task.output = 'Agent loaded (process starting...)';
+            } else {
+              throw new Error('Agent failed to load. Check logs with: portlama-agent logs');
+            }
+          }
+        },
+        rendererOptions: { persistentOutput: true },
+      },
+      {
+        title: 'Saving configuration',
+        task: async () => {
+          const domainMatch = ctx.plistXml.match(/wss:\/\/tunnel\.([^:]+):/);
+          ctx.domain = domainMatch ? domainMatch[1] : null;
+
+          await saveAgentConfig({
+            panelUrl: ctx.panelUrl,
+            authMethod: 'keychain',
+            keychainIdentity: ctx.keychainIdentity,
+            agentLabel: ctx.agentLabel,
+            domain: ctx.domain,
+            chiselVersion: ctx.chiselVersion,
+            setupAt: new Date().toISOString(),
+          });
+        },
+      },
+    ],
+    {
+      renderer: 'default',
+      rendererOptions: { collapseSubtasks: false },
+      exitOnError: true,
+    },
+  );
+
+  try {
+    await tasks.run();
+  } catch (err) {
+    // Securely delete the temporary private key if it was generated but not
+    // yet imported into Keychain (importIdentityToKeychain handles its own cleanup).
+    if (ctx._keyData?.keyPath) {
+      await secureDelete(ctx._keyData.keyPath).catch(() => {});
+    }
+    throw err;
+  }
+
+  // Print summary
+  printSetupSummary(ctx);
+}
+
+/**
+ * Traditional P12-based setup flow.
+ */
+async function runP12Setup() {
   // Step 1: Verify macOS
   assertMacOS();
 
@@ -206,6 +481,7 @@ export async function runSetup() {
 
           await saveAgentConfig({
             panelUrl: ctx.panelUrl,
+            authMethod: 'p12',
             p12Path: ctx.p12Path,
             p12Password: ctx.p12Password,
             domain: ctx.domain,

package/src/commands/sites.js

@@ -87,7 +87,7 @@ async function runList(config) {
 
   let sites;
   try {
-    const data = await fetchSites(config.panelUrl, config.p12Path, config.p12Password);
+    const data = await fetchSites(config);
     sites = data.sites || [];
   } catch {
     console.log(`  ${y('Could not reach panel to fetch site list.')}`);
@@ -163,7 +163,7 @@ async function runCreate(config, args) {
 
   let result;
   try {
-    result = await createSite(config.panelUrl, config.p12Path, config.p12Password, body);
+    result = await createSite(config, body);
   } catch (err) {
     const detail = err.message || 'Unknown error';
     console.error(`\n  ${chalk.red(`Failed to create site: ${detail}`)}\n`);
@@ -207,7 +207,7 @@ async function runDelete(config, args) {
   } else {
     let data;
     try {
-      data = await fetchSites(config.panelUrl, config.p12Path, config.p12Password);
+      data = await fetchSites(config);
     } catch (err) {
       console.error(`\n  ${chalk.red(`Failed to connect to panel: ${err.message}`)}\n`);
       process.exit(1);
@@ -229,7 +229,7 @@ async function runDelete(config, args) {
   }
 
   try {
-    await deleteSite(config.panelUrl, config.p12Path, config.p12Password, siteId);
+    await deleteSite(config, siteId);
   } catch (err) {
     const detail = err.message || 'Unknown error';
     console.error(`\n  ${chalk.red(`Failed to delete site: ${detail}`)}\n`);

package/src/commands/status.js

@@ -69,7 +69,7 @@ export async function runStatus() {
   console.log(d('  ─'.repeat(28)));
 
   try {
-    const data = await fetchTunnels(config.panelUrl, config.p12Path, config.p12Password);
+    const data = await fetchTunnels(config);
     const tunnels = data.tunnels || [];
 
     if (tunnels.length === 0) {

package/src/commands/update.js

@@ -25,14 +25,10 @@ export async function runUpdate() {
       {
         title: 'Fetching updated tunnel configuration',
         task: async (_ctx, task) => {
-          const data = await fetchPlist(config.panelUrl, config.p12Path, config.p12Password);
+          const data = await fetchPlist(config);
           ctx.plistXml = data.plist;
 
-          const tunnelData = await fetchTunnels(
-            config.panelUrl,
-            config.p12Path,
-            config.p12Password,
-          );
+          const tunnelData = await fetchTunnels(config);
           ctx.tunnels = tunnelData.tunnels || [];
           task.output = `${ctx.tunnels.length} tunnel(s) configured`;
         },

package/src/index.js

@@ -24,10 +24,6 @@ ${b('COMMANDS')}
   ${c('logs')}            Stream Chisel log output (tail -f)
   ${c('sites')}           List, create, or delete static sites
   ${c('deploy')}          Deploy a local directory to a static site
-  ${c('shell-server')}    Run the shell gateway (background service)
-  ${c('shell')}           Connect to a remote agent shell
-  ${c('cp')}              Copy files to/from a remote agent
-  ${c('shell-log')}       List or download shell session recordings
   ${c('plugin')}          Manage agent plugins (install, uninstall, update, status)
 
 ${b('EXAMPLES')}
@@ -50,18 +46,6 @@ ${b('EXAMPLES')}
   ${d('# Deploy local build to a site')}
   ${c('portlama-agent deploy blog ./dist')}
 
-  ${d('# Start the shell gateway (runs as background service)')}
-  ${c('portlama-agent shell-server')}
-
-  ${d('# Connect to a remote agent shell')}
-  ${c('portlama-agent shell myagent')}
-
-  ${d('# Copy a file from a remote agent')}
-  ${c('portlama-agent cp myagent:/var/log/app.log ./app.log')}
-
-  ${d('# List shell session recordings')}
-  ${c('portlama-agent shell-log myagent')}
-
   ${d('# Manage plugins')}
   ${c('portlama-agent plugin status')}
   ${c('portlama-agent plugin install @lamalibre/shell-agent')}
@@ -123,26 +107,6 @@ export async function main() {
       await runDeploy(args.slice(1));
       break;
     }
-    case 'shell-server': {
-      const { runShellServer } = await import('./commands/shell-server.js');
-      await runShellServer();
-      break;
-    }
-    case 'shell': {
-      const { runShell } = await import('./commands/shell.js');
-      await runShell(args.slice(1));
-      break;
-    }
-    case 'cp': {
-      const { runCp } = await import('./commands/cp.js');
-      await runCp(args.slice(1));
-      break;
-    }
-    case 'shell-log': {
-      const { runShellLog } = await import('./commands/shell-log.js');
-      await runShellLog(args.slice(1));
-      break;
-    }
     case 'plugin': {
       const { runPlugin } = await import('./commands/plugin.js');
       await runPlugin(args.slice(1));

package/src/lib/config.js

@@ -4,12 +4,29 @@ import { CONFIG_PATH, AGENT_DIR } from './platform.js';
 /**
  * Load the agent config from ~/.portlama/agent.json.
  * Returns null if the file does not exist.
+ *
+ * Config fields:
+ * - panelUrl: string — Panel URL
+ * - authMethod: 'p12' | 'keychain' — Authentication method (defaults to 'p12' if missing)
+ * - p12Path: string — Path to P12 file (when authMethod is 'p12')
+ * - p12Password: string — P12 password (when authMethod is 'p12')
+ * - keychainIdentity: string — Keychain identity name (when authMethod is 'keychain')
+ * - agentLabel: string — Agent label (when authMethod is 'keychain')
+ * - domain?: string
+ * - chiselVersion?: string
+ * - setupAt?: string
+ *
  * @returns {Promise<object | null>}
  */
 export async function loadAgentConfig() {
   try {
     const raw = await readFile(CONFIG_PATH, 'utf8');
-    return JSON.parse(raw);
+    const config = JSON.parse(raw);
+    // Default authMethod to 'p12' for backwards compatibility
+    if (config && !config.authMethod) {
+      config.authMethod = 'p12';
+    }
+    return config;
   } catch {
     return null;
   }