@nightlybuildgroup/vault 0.1.0

package/README.md

@@ -0,0 +1,69 @@
+# @nightlybuildgroup/vault (`nbg-pw`)
+
+Store your Vaultwarden/Bitwarden credentials in the **macOS Keychain** with an
+interactive wizard, then let local agents and scripts read secrets back through
+the Bitwarden CLI. macOS only. Nothing is hardcoded — you supply the server URL
+and credentials at setup time.
+
+## Requirements
+
+- macOS
+- Node.js >= 18
+- Bitwarden CLI: `brew install bitwarden-cli`
+
+## Setup
+
+```sh
+npx @nightlybuildgroup/vault setup
+```
+
+You'll be asked for your server URL, email, API-key client id/secret, and master
+password. Credentials are verified against the server before anything is saved.
+
+> Get your API key from your Vaultwarden web vault: **Settings → Security →
+> Keys → API Key** (`client_id` / `client_secret`).
+
+## Usage
+
+```sh
+nbg-pw get "GitHub"                 # prints the password
+nbg-pw get "GitHub" --field username   # a built-in field
+nbg-pw get "GitHub" --custom apiToken  # a custom field, looked up by name
+nbg-pw serve --port 8087            # local bw REST API for fast repeated reads
+nbg-pw status                       # presence + auth state (no secrets)
+nbg-pw doctor                       # diagnose bw / Keychain / connectivity
+nbg-pw logout                       # lock the session
+nbg-pw reset                        # log out and delete stored credentials
+```
+
+### Reading custom fields over `serve`
+
+`serve` is a thin wrapper around Bitwarden's own `bw serve` REST API, which has
+no route for a single custom field. Built-in fields are addressable directly:
+
+```sh
+curl -s localhost:8087/object/username/GitHub | jq -r .data.data
+```
+
+For a **custom** field, fetch the whole item and pluck it from `data.fields[]`:
+
+```sh
+curl -s localhost:8087/object/item/GitHub \
+  | jq -r '.data.fields[] | select(.name=="apiToken").value'
+```
+
+(The CLI `nbg-pw get "GitHub" --custom apiToken` does this lookup for you.)
+
+## Security notes
+
+- Credentials live in one macOS Keychain item (`service: com.nightlybuild.vault`),
+  encrypted at rest by the Keychain.
+- Secrets are passed to `bw` via environment variables, never command-line
+  arguments. `nbg-pw` never prints secret values in `status`, `doctor`, logs, or
+  errors.
+- Vaultwarden does not support Bitwarden Secrets Manager / machine accounts, so
+  this uses the password-manager API-key + master-password flow.
+
+## License
+
+MIT

package/bin/nbg-pw.js

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+import { readFileSync } from 'node:fs';
+import { runCli } from '../src/cli.js';
+
+const pkg = JSON.parse(
+  readFileSync(new URL('../package.json', import.meta.url), 'utf8')
+);
+
+const code = await runCli(process.argv.slice(2), { version: pkg.version });
+process.exit(code);

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@nightlybuildgroup/vault",
+  "version": "0.1.0",
+  "description": "Store Vaultwarden/Bitwarden credentials in the macOS Keychain and read secrets back for local agents.",
+  "type": "module",
+  "bin": { "nbg-pw": "bin/nbg-pw.js" },
+  "files": ["bin", "src", "README.md"],
+  "engines": { "node": ">=18" },
+  "os": ["darwin"],
+  "scripts": {
+    "test": "node --test \"test/**/*.test.js\"",
+    "prepublishOnly": "npm test",
+    "release": "semantic-release"
+  },
+  "publishConfig": { "access": "public" },
+  "dependencies": { "@clack/prompts": "^0.7.0" },
+  "devDependencies": {
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/exec": "^7.1.0",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^11.0.6",
+    "@semantic-release/release-notes-generator": "^14.1.1",
+    "conventional-changelog-conventionalcommits": "^8.0.0",
+    "semantic-release": "^24.2.9"
+  },
+  "license": "MIT"
+}

package/src/bw.js

@@ -0,0 +1,85 @@
+import { run as realRun } from './exec.js';
+
+function isAlreadyLoggedIn(msg) {
+  return /already logged in/i.test(msg);
+}
+function isNotLoggedIn(msg) {
+  return /not logged in/i.test(msg);
+}
+
+export async function bwVersion(deps = {}) {
+  const run = deps.run ?? realRun;
+  try {
+    const { stdout } = await run('bw', ['--version']);
+    return stdout;
+  } catch {
+    return null;
+  }
+}
+
+export async function configServer(url, deps = {}) {
+  const run = deps.run ?? realRun;
+  await run('bw', ['config', 'server', url]);
+}
+
+export async function loginApiKey({ clientId, clientSecret }, deps = {}) {
+  const run = deps.run ?? realRun;
+  try {
+    await run('bw', ['login', '--apikey'], {
+      env: { BW_CLIENTID: clientId, BW_CLIENTSECRET: clientSecret },
+    });
+  } catch (e) {
+    if (isAlreadyLoggedIn(e.message)) return;
+    throw e;
+  }
+}
+
+export async function unlock({ masterPassword }, deps = {}) {
+  const run = deps.run ?? realRun;
+  const { stdout } = await run('bw', ['unlock', '--passwordenv', 'BW_PASSWORD', '--raw'], {
+    env: { BW_PASSWORD: masterPassword },
+  });
+  return stdout;
+}
+
+export async function getItem({ item, field, session }, deps = {}) {
+  const run = deps.run ?? realRun;
+  const { stdout } = await run('bw', ['get', field, item], {
+    env: { BW_SESSION: session },
+    trim: false,
+  });
+  return stdout.replace(/\n$/, '');
+}
+
+export async function getCustomField({ item, name, session }, deps = {}) {
+  const run = deps.run ?? realRun;
+  const { stdout } = await run('bw', ['get', 'item', item], {
+    env: { BW_SESSION: session },
+  });
+  const parsed = JSON.parse(stdout);
+  const match = (parsed.fields ?? []).find((f) => f.name === name);
+  if (!match) throw new Error(`item "${item}" has no custom field "${name}"`);
+  return match.value;
+}
+
+export async function status(deps = {}) {
+  const run = deps.run ?? realRun;
+  const { stdout } = await run('bw', ['status']);
+  return JSON.parse(stdout);
+}
+
+export async function logout(deps = {}) {
+  const run = deps.run ?? realRun;
+  try {
+    await run('bw', ['logout']);
+  } catch (e) {
+    if (isNotLoggedIn(e.message)) return;
+    throw e;
+  }
+}
+
+export async function ensureSession(config, deps = {}) {
+  await configServer(config.serverUrl, deps);
+  await loginApiKey({ clientId: config.clientId, clientSecret: config.clientSecret }, deps);
+  return unlock({ masterPassword: config.masterPassword }, deps);
+}

package/src/cli.js

@@ -0,0 +1,65 @@
+const HELP = `nbg-pw — Vaultwarden credential helper for macOS
+
+Usage: nbg-pw <command> [options]
+
+Commands:
+  setup     Interactive wizard: store your Vaultwarden credentials in the Keychain
+  get       Fetch a secret value (e.g. nbg-pw get "GitHub" --field password)
+  serve     Start a local bw API daemon (unlocked) for fast repeated reads
+  status    Show config + auth state (no secret values)
+  doctor    Diagnose bw / Keychain / server connectivity
+  logout    Lock the session (bw logout)
+  reset     Log out and delete the stored Keychain item
+`;
+
+export async function runCli(argv, deps = {}) {
+  const out = deps.out ?? ((s) => process.stdout.write(s));
+  const err = deps.err ?? ((s) => process.stderr.write(s));
+  const commands = deps.commands ?? (await loadCommands());
+
+  const [name, ...rest] = argv;
+
+  if (!name || name === 'help' || name === '--help' || name === '-h') {
+    out(HELP);
+    return 0;
+  }
+  if (name === '--version' || name === 'version') {
+    out('nbg-pw ' + (deps.version ?? 'dev') + '\n');
+    return 0;
+  }
+
+  const cmd = commands[name];
+  if (!cmd) {
+    err(`Unknown command: ${name}\nRun "nbg-pw help" for usage.\n`);
+    return 1;
+  }
+  try {
+    const code = await cmd(rest);
+    return typeof code === 'number' ? code : 0;
+  } catch (e) {
+    // e.message here is trusted child-process stderr (bw/security), surfaced
+    // verbatim by design. Do not interpolate secret-bearing context into it.
+    err(`Error: ${e.message}\n`);
+    return e.exitCode ?? 2;
+  }
+}
+
+async function loadCommands() {
+  const [setup, get, status, doctor, serve, reset] = await Promise.all([
+    import('./commands/setup.js'),
+    import('./commands/get.js'),
+    import('./commands/status.js'),
+    import('./commands/doctor.js'),
+    import('./commands/serve.js'),
+    import('./commands/reset.js'),
+  ]);
+  return {
+    setup: setup.default,
+    get: get.default,
+    status: status.default,
+    doctor: doctor.default,
+    serve: serve.default,
+    logout: reset.default,
+    reset: reset.reset,
+  };
+}

package/src/commands/doctor.js

@@ -0,0 +1,47 @@
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+
+async function defaultFetchUrl(url) {
+  try {
+    const res = await globalThis.fetch(url, { method: 'HEAD' });
+    return { ok: true, status: res.status };
+  } catch {
+    return { ok: false };
+  }
+}
+
+export async function runDoctor(args, deps) {
+  const { keychain, bw, out } = deps;
+  const fetchUrl = deps.fetchUrl ?? defaultFetchUrl;
+  let failed = false;
+  const line = (label, ok, hint) => {
+    out(`  ${label} [${ok ? 'OK' : 'FAIL'}]${ok ? '' : `  -> ${hint}`}\n`);
+    if (!ok) failed = true;
+  };
+
+  out('nbg-pw doctor\n');
+
+  const version = await bw.bwVersion();
+  line('bw installed', !!version, 'brew install bitwarden-cli');
+
+  const config = await keychain.readConfig();
+  line('Keychain credentials present & readable', !!config, 'run "nbg-pw setup"');
+
+  if (config) {
+    const r = await fetchUrl(config.serverUrl);
+    line(`server reachable (${config.serverUrl})`, r.ok, 'check the URL / your network / VPN');
+  } else {
+    line('server reachable', false, 'no stored server URL — run "nbg-pw setup"');
+  }
+
+  out(failed ? '\nSome checks failed.\n' : '\nAll checks passed.\n');
+  return failed ? 1 : 0;
+}
+
+export default async function doctor(args) {
+  return runDoctor(args, {
+    keychain: keychainModule,
+    bw: bwModule,
+    out: (s) => process.stdout.write(s),
+  });
+}

package/src/commands/get.js

@@ -0,0 +1,55 @@
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+
+export function parseGetArgs(args) {
+  let item = null;
+  let field = 'password';
+  let custom = null;
+  let fieldGiven = false;
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--field') {
+      const v = args[++i];
+      if (v === undefined) throw new Error('--field requires a value');
+      field = v;
+      fieldGiven = true;
+    }
+    else if (args[i] === '--custom') {
+      const v = args[++i];
+      if (v === undefined) throw new Error('--custom requires a value');
+      custom = v;
+    }
+    else if (!item) { item = args[i]; }
+  }
+  if (!item) throw new Error('usage: nbg-pw get <item> [--field password|username|uri|notes] [--custom <name>]');
+  if (fieldGiven && custom !== null) throw new Error('--field and --custom are mutually exclusive');
+  const result = { item, field };
+  if (custom !== null) result.custom = custom;
+  return result;
+}
+
+export async function runGet(args, deps) {
+  const { keychain, bw, out, err } = deps;
+  const { item, field, custom } = parseGetArgs(args);
+
+  const config = await keychain.readConfig();
+  if (!config) {
+    err('No stored credentials. Run "nbg-pw setup" first.\n');
+    return 1;
+  }
+
+  const session = await bw.ensureSession(config);
+  const value = custom !== undefined
+    ? await bw.getCustomField({ item, name: custom, session })
+    : await bw.getItem({ item, field, session });
+  out(value + '\n');
+  return 0;
+}
+
+export default async function get(args) {
+  return runGet(args, {
+    keychain: keychainModule,
+    bw: bwModule,
+    out: (s) => process.stdout.write(s),
+    err: (s) => process.stderr.write(s),
+  });
+}

package/src/commands/reset.js

@@ -0,0 +1,25 @@
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+
+export async function runLogout(args, deps) {
+  const { bw, out } = deps;
+  await bw.logout();
+  out('Logged out (session locked).\n');
+  return 0;
+}
+
+export async function runReset(args, deps) {
+  const { bw, keychain, out } = deps;
+  await bw.logout();
+  const removed = await keychain.deleteConfig();
+  out(removed ? 'Removed stored credentials from the Keychain.\n' : 'Nothing to remove (no stored credentials).\n');
+  return 0;
+}
+
+export default async function logout(args) {
+  return runLogout(args, { bw: bwModule, out: (s) => process.stdout.write(s) });
+}
+
+export async function reset(args) {
+  return runReset(args, { bw: bwModule, keychain: keychainModule, out: (s) => process.stdout.write(s) });
+}

package/src/commands/serve.js

@@ -0,0 +1,56 @@
+import { spawn } from 'node:child_process';
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+
+export function parseServeArgs(args) {
+  let port = 8087;
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === '--port') {
+      const v = args[++i];
+      const n = Number(v);
+      if (v === undefined || !Number.isInteger(n) || n < 1 || n > 65535) {
+        throw new Error('--port requires a valid port (1-65535)');
+      }
+      port = n;
+    }
+  }
+  return { port };
+}
+
+function defaultSpawnServe({ port, session }) {
+  return spawn('bw', ['serve', '--port', String(port)], {
+    env: { ...process.env, BW_SESSION: session },
+    stdio: 'inherit',
+  });
+}
+
+export async function runServe(args, deps) {
+  const { keychain, bw, out, err } = deps;
+  const spawnServe = deps.spawnServe ?? defaultSpawnServe;
+  const { port } = parseServeArgs(args);
+
+  const config = await keychain.readConfig();
+  if (!config) {
+    err('No stored credentials. Run "nbg-pw setup" first.\n');
+    return 1;
+  }
+
+  const session = await bw.ensureSession(config);
+  const child = spawnServe({ port, session });
+  out(`Starting bw serve on http://localhost:${port}  (Ctrl-C to stop)\n`);
+  // Keep the event loop alive until the child exits when run for real.
+  let exitCode = 0;
+  if (child && typeof child.once === 'function') {
+    exitCode = await new Promise((resolve) => child.once('close', (code) => resolve(code ?? 0)));
+  }
+  return exitCode;
+}
+
+export default async function serve(args) {
+  return runServe(args, {
+    keychain: keychainModule,
+    bw: bwModule,
+    out: (s) => process.stdout.write(s),
+    err: (s) => process.stderr.write(s),
+  });
+}

package/src/commands/setup.js

@@ -0,0 +1,93 @@
+import * as clack from '@clack/prompts';
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+import { buildConfig as realBuildConfig, isValidUrl, isValidEmail } from '../config.js';
+
+export async function validateCredentials(input, deps) {
+  const { bw } = deps;
+  await bw.configServer(input.serverUrl);
+  await bw.loginApiKey({ clientId: input.clientId, clientSecret: input.clientSecret });
+  try {
+    const session = await bw.unlock({ masterPassword: input.masterPassword });
+    if (!session) throw new Error('credential check did not return a session');
+  } finally {
+    await bw.logout();
+  }
+}
+
+export async function runSetup(deps) {
+  const { prompts, bw, keychain, buildConfig, nowIso, out } = deps;
+
+  prompts.intro('nbg-pw setup');
+
+  const version = await bw.bwVersion();
+  if (!version) {
+    out('The Bitwarden CLI (bw) is not installed.\n');
+    out('Install it with:  brew install bitwarden-cli\n');
+    prompts.outro('Setup aborted.');
+    return 1;
+  }
+
+  const serverUrl = await prompts.text({
+    message: 'Vaultwarden server URL',
+    placeholder: 'https://vault.example.com/',
+    validate: (v) => (isValidUrl(v) ? undefined : 'Enter a valid http(s) URL'),
+  });
+  if (prompts.isCancel(serverUrl)) { prompts.cancel('Cancelled.'); return 1; }
+
+  const email = await prompts.text({
+    message: 'Account email',
+    validate: (v) => (isValidEmail(v) ? undefined : 'Enter a valid email'),
+  });
+  if (prompts.isCancel(email)) { prompts.cancel('Cancelled.'); return 1; }
+
+  const clientId = await prompts.text({
+    message: 'API key client id',
+    placeholder: 'user.xxxxxxxx-...',
+    validate: (v) => (v && v.length > 0 ? undefined : 'Required'),
+  });
+  if (prompts.isCancel(clientId)) { prompts.cancel('Cancelled.'); return 1; }
+
+  const clientSecret = await prompts.password({
+    message: 'API key client secret',
+    validate: (v) => (v && v.length > 0 ? undefined : 'Required'),
+  });
+  if (prompts.isCancel(clientSecret)) { prompts.cancel('Cancelled.'); return 1; }
+
+  const masterPassword = await prompts.password({
+    message: 'Master password',
+    validate: (v) => (v && v.length > 0 ? undefined : 'Required'),
+  });
+  if (prompts.isCancel(masterPassword)) { prompts.cancel('Cancelled.'); return 1; }
+
+  const input = { serverUrl, email, clientId, clientSecret, masterPassword };
+
+  const spin = prompts.spinner();
+  spin.start('Verifying credentials against the server');
+  try {
+    await validateCredentials(input, { bw });
+  } catch (e) {
+    spin.stop('Credential check failed.');
+    out(`Could not verify credentials: ${e.message}\n`);
+    prompts.outro('Nothing was saved.');
+    return 1;
+  }
+  spin.stop('Credentials verified.');
+
+  const config = buildConfig(input, nowIso);
+  await keychain.writeConfig(config);
+
+  prompts.outro('Saved to your macOS Keychain. Try:  nbg-pw status');
+  return 0;
+}
+
+export default async function setup() {
+  return runSetup({
+    prompts: clack,
+    bw: bwModule,
+    keychain: keychainModule,
+    buildConfig: realBuildConfig,
+    nowIso: new Date().toISOString(),
+    out: (s) => process.stdout.write(s),
+  });
+}

package/src/commands/status.js

@@ -0,0 +1,33 @@
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+
+export async function runStatus(args, deps) {
+  const { keychain, bw, out } = deps;
+  const config = await keychain.readConfig();
+  const version = await bw.bwVersion();
+
+  out('nbg-pw status\n');
+  out(`  bw CLI:        ${version ?? 'NOT INSTALLED (brew install bitwarden-cli)'}\n`);
+  if (config) {
+    out(`  stored creds:  yes\n`);
+    out(`  server URL:    ${config.serverUrl}\n`);
+    out(`  email:         ${config.email}\n`);
+  } else {
+    out('  stored creds:  No credentials stored (run "nbg-pw setup")\n');
+  }
+  try {
+    const s = await bw.status();
+    out(`  bw session:    ${s.status}\n`);
+  } catch {
+    out('  bw session:    unknown\n');
+  }
+  return 0;
+}
+
+export default async function status(args) {
+  return runStatus(args, {
+    keychain: keychainModule,
+    bw: bwModule,
+    out: (s) => process.stdout.write(s),
+  });
+}

package/src/config.js

@@ -0,0 +1,42 @@
+export const SERVICE = 'com.nightlybuild.vault';
+export const ACCOUNT = 'default';
+export const FIELDS = ['serverUrl', 'email', 'clientId', 'clientSecret', 'masterPassword'];
+export const READ_FIELDS = [...FIELDS, 'savedAt'];
+
+export function isValidUrl(s) {
+  if (typeof s !== 'string' || s.length === 0) return false;
+  try {
+    const u = new URL(s);
+    return u.protocol === 'http:' || u.protocol === 'https:';
+  } catch {
+    return false;
+  }
+}
+
+export function isValidEmail(s) {
+  return typeof s === 'string' && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(s);
+}
+
+export function validateConfig(obj) {
+  if (!obj || typeof obj !== 'object') throw new Error('config is not an object');
+  for (const f of READ_FIELDS) {
+    if (typeof obj[f] !== 'string' || obj[f].length === 0) {
+      throw new Error(`config missing or empty field: ${f}`);
+    }
+  }
+  if (!isValidUrl(obj.serverUrl)) throw new Error('config serverUrl is not a valid URL');
+  if (!isValidEmail(obj.email)) throw new Error('config email is not a valid email');
+  return obj;
+}
+
+export function buildConfig(input, nowIso) {
+  const c = {
+    serverUrl: input.serverUrl,
+    email: input.email,
+    clientId: input.clientId,
+    clientSecret: input.clientSecret,
+    masterPassword: input.masterPassword,
+    savedAt: nowIso,
+  };
+  return c;
+}

package/src/exec.js

@@ -0,0 +1,37 @@
+import { spawn } from 'node:child_process';
+
+export function run(cmd, args, opts = {}) {
+  const env = { ...process.env, ...(opts.env ?? {}) };
+  const doTrim = opts.trim !== false;
+  return new Promise((resolve, reject) => {
+    const child = spawn(cmd, args, { env });
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (d) => { stdout += d; });
+    child.stderr.on('data', (d) => { stderr += d; });
+    child.on('error', (e) => {
+      const err = new Error(`failed to run ${cmd}: ${e.message}`);
+      err.exitCode = 1;
+      err.stderr = '';
+      reject(err);
+    });
+    child.on('close', (code, signal) => {
+      // A signal-kill (code === null, signal set) is a failure, not success.
+      const failed = code !== 0 || signal != null;
+      const result = { code: failed ? (code ?? 1) : 0, stdout: doTrim ? stdout.trim() : stdout, stderr: stderr.trim() };
+      if (failed && !opts.allowFail) {
+        const msg = result.stderr || `${cmd} ${signal ? `killed by signal ${signal}` : `exited with code ${code}`}`;
+        const err = new Error(msg);
+        // Contract: failures throw with .exitCode === 1. The raw OS exit code
+        // is also forwarded as .code so callers can distinguish specific failures
+        // (e.g. macOS `security` exits 44 for item-not-found vs other errors).
+        err.exitCode = 1;
+        err.code = code;
+        err.stderr = result.stderr;
+        reject(err);
+      } else {
+        resolve(result);
+      }
+    });
+  });
+}

package/src/keychain.js

@@ -0,0 +1,54 @@
+import { run as realRun } from './exec.js';
+import { SERVICE, ACCOUNT, validateConfig } from './config.js';
+
+// NOTE: `security add-generic-password -w <value>` places the JSON (which
+// contains the master password) in argv for the duration of one local exec.
+// This is an accepted, local-only exposure: `security` provides no stdin path
+// for the value. All *repeated* secret use (bw) goes through env vars instead.
+
+const LABEL = 'nbg-pw';
+const DESC = 'Vaultwarden credentials';
+
+function isItemNotFound(e) {
+  // macOS `security` exits 44 when the item is not in the keychain.
+  return e.code === 44 || /could not be found/i.test(e.stderr || e.message || '');
+}
+
+export async function writeConfig(config, deps = {}) {
+  const run = deps.run ?? realRun;
+  validateConfig(config);
+  const json = JSON.stringify(config);
+  await run('security', [
+    'add-generic-password',
+    '-U',
+    '-s', SERVICE,
+    '-a', ACCOUNT,
+    '-D', LABEL,
+    '-j', DESC,
+    '-w', json,
+  ]);
+}
+
+export async function readConfig(deps = {}) {
+  const run = deps.run ?? realRun;
+  try {
+    const { stdout } = await run('security', [
+      'find-generic-password', '-s', SERVICE, '-a', ACCOUNT, '-w',
+    ]);
+    return validateConfig(JSON.parse(stdout));
+  } catch (e) {
+    if (isItemNotFound(e)) return null;
+    throw e;
+  }
+}
+
+export async function deleteConfig(deps = {}) {
+  const run = deps.run ?? realRun;
+  try {
+    await run('security', ['delete-generic-password', '-s', SERVICE, '-a', ACCOUNT]);
+    return true;
+  } catch (e) {
+    if (isItemNotFound(e)) return false;
+    throw e;
+  }
+}