@nightlybuildgroup/vault 1.4.0 → 1.5.0

package/README.md

@@ -38,6 +38,7 @@ nbg-pw attach "GitHub" --file ./key.pem   # add an attachment; --list/--get/--de
 nbg-pw delete "GitHub"              # soft-delete to trash (alias: rm; --permanent skips it)
 nbg-pw items --search git           # list item names; also: folders, collections
 nbg-pw generate --length 24 --symbols   # generate a password (no vault needed)
+nbg-pw config set collection "Shared"   # new items share into this org collection
 nbg-pw serve --port 8087            # local bw REST API for fast repeated reads
 nbg-pw status                       # presence + auth state (no secrets)
 nbg-pw doctor                       # diagnose bw / Keychain / connectivity
@@ -110,6 +111,33 @@ for path in $(keepassxc-cli ls -R -f "$DB"); do
 done
 ```
 
+### Sharing new items with an organization (`config`)
+
+By default `add` creates items in the API account's **personal** vault, which
+other org members (and your own interactive login) can't see. To make every new
+item land in a shared **organization collection** instead, set a default — it's
+stored in your Keychain, never in this repo, so nothing org-specific is baked
+into the tool:
+
+```sh
+nbg-pw config set organization "Acme Inc"     # by name or id
+nbg-pw config set collection   "Shared"        # by name or id
+nbg-pw config show                             # current defaults
+nbg-pw config unset collection                 # back to personal-vault default
+```
+
+Once a default collection is set, every `add` shares the new item into it:
+
+```sh
+printf '%s' "$pw" | nbg-pw add "GitHub" --username octocat --password-stdin
+# → Created "GitHub" (…) → shared to "Shared"
+
+nbg-pw add "Personal Note" --personal          # opt a single item out (personal vault)
+```
+
+An explicit `--collection`/`--organization` on `add` overrides the default for
+that call. `status` shows the active default share.
+
 ### Editing items (`edit`)
 
 Fetch-merge-write: only the flags you pass are changed; everything else stays.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nightlybuildgroup/vault",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Store Vaultwarden/Bitwarden credentials in the macOS Keychain and read secrets back for local agents.",
   "type": "module",
   "bin": {

package/src/bw.js

@@ -144,14 +144,29 @@ export async function listOrganizations({ session }, deps = {}) {
   return JSON.parse(stdout);
 }
 
+export async function sync({ session }, deps = {}) {
+  const run = deps.run ?? realRun;
+  await run('bw', ['sync'], { env: { BW_SESSION: session } });
+}
+
 // Share an existing item into an organization's collection(s). This is bw's only
-// path to put an item in a collection; the item must already exist.
+// path to put an item in a collection; the item must already exist. bw's local
+// cache can lag a just-created item ("client copy ... out of date"); a sync +
+// single retry clears that.
 export async function moveItemToCollection({ itemId, organizationId, collectionIds, session }, deps = {}) {
   const run = deps.run ?? realRun;
-  await run('bw', ['move', itemId, organizationId], {
-    env: { BW_SESSION: session },
-    input: encode(collectionIds),
-  });
+  const move = () =>
+    run('bw', ['move', itemId, organizationId], { env: { BW_SESSION: session }, input: encode(collectionIds) });
+  try {
+    await move();
+  } catch (e) {
+    if (/out of date/i.test(e.message || '')) {
+      await run('bw', ['sync'], { env: { BW_SESSION: session } });
+      await move();
+    } else {
+      throw e;
+    }
+  }
 }
 
 export async function editItem({ id, item, session }, deps = {}) {

package/src/cli.js

@@ -14,6 +14,7 @@ Commands:
   folders     List folder names
   collections List collection names
   generate    Generate a password or passphrase (bw generate)
+  config      Show/set defaults, e.g. the org collection new items share into
   serve       Start a local bw API daemon (unlocked) for fast repeated reads
   status      Show config + auth state (no secret values)
   doctor      Diagnose bw / Keychain / server connectivity (--fix resets a wedged bw session)
@@ -54,7 +55,7 @@ export async function runCli(argv, deps = {}) {
 }
 
 async function loadCommands() {
-  const [setup, get, add, edit, del, attach, list, items, folders, collections, generate, status, doctor, serve, reset] =
+  const [setup, get, add, edit, del, attach, list, items, folders, collections, generate, config, status, doctor, serve, reset] =
     await Promise.all([
       import('./commands/setup.js'),
       import('./commands/get.js'),
@@ -67,6 +68,7 @@ async function loadCommands() {
       import('./commands/folders.js'),
       import('./commands/collections.js'),
       import('./commands/generate.js'),
+      import('./commands/config.js'),
       import('./commands/status.js'),
       import('./commands/doctor.js'),
       import('./commands/serve.js'),
@@ -85,6 +87,7 @@ async function loadCommands() {
     folders: folders.default,
     collections: collections.default,
     generate: generate.default,
+    config: config.default,
     status: status.default,
     doctor: doctor.default,
     serve: serve.default,

package/src/commands/add.js

@@ -5,7 +5,7 @@ const USAGE =
   'usage: nbg-pw add <name> [--username <u>] [--url <uri>]... [--notes <n>] ' +
   '[--folder <name>] [--collection <name>] [--organization <name|id>] ' +
   '[--field <name>=<value>]... [--field-hidden <name>=<value>]... [--totp <secret>] ' +
-  '[--password-stdin]\n   or: nbg-pw add --json   (reads one entry as a JSON object on stdin)';
+  '[--password-stdin] [--personal]\n   or: nbg-pw add --json   (reads one entry as a JSON object on stdin)';
 
 // `--field name=value` → { name, value, type }. Splits on the FIRST `=` so the
 // value may itself contain `=`.
@@ -16,7 +16,7 @@ function parseField(raw, type) {
 }
 
 export function parseAddArgs(args) {
-  const opts = { uris: [], fields: [], passwordStdin: false, json: false };
+  const opts = { uris: [], fields: [], passwordStdin: false, json: false, personal: false };
   let name = null;
   for (let i = 0; i < args.length; i++) {
     const a = args[i];
@@ -27,6 +27,7 @@ export function parseAddArgs(args) {
     };
     switch (a) {
       case '--json': opts.json = true; break;
+      case '--personal': opts.personal = true; break;
       case '--password-stdin': opts.passwordStdin = true; break;
       case '--username': opts.username = need(); break;
       case '--url': opts.uris.push(need()); break;
@@ -122,23 +123,36 @@ export async function runAdd(args, deps) {
     if (opts.passwordStdin) entry.password = (await readStdin()).replace(/\r?\n$/, '');
   }
 
+  // Where the item lands: an explicit --collection wins; otherwise the
+  // configured default shares every new item into the org collection, unless
+  // --personal (or a json `personal:true`) opts out into the personal vault.
+  const personal = opts.personal || entry.personal;
+  let collectionName = entry.collection;
+  let organizationName = entry.organization;
+  if (!personal && !collectionName && config.defaultCollection) {
+    collectionName = config.defaultCollection;
+    organizationName = organizationName ?? config.defaultOrganization;
+  }
+
   const session = await bw.ensureSession(config);
 
   if (entry.folder) entry.folderId = await resolveFolderId(bw, session, entry.folder);
 
   const created = await bw.createItem({ item: buildLoginItem(entry), session });
 
-  if (entry.collection) {
-    const col = await resolveCollection(bw, session, entry.collection, entry.organization);
+  let shared = '';
+  if (collectionName) {
+    const col = await resolveCollection(bw, session, collectionName, organizationName);
     await bw.moveItemToCollection({
       itemId: created.id,
       organizationId: col.organizationId,
       collectionIds: [col.id],
       session,
     });
+    shared = ` → shared to "${col.name}"`;
   }
 
-  out(`Created "${created.name}" (${created.id})\n`);
+  out(`Created "${created.name}" (${created.id})${shared}\n`);
   return 0;
 }
 

package/src/commands/config.js

@@ -0,0 +1,60 @@
+import * as keychainModule from '../keychain.js';
+
+// User-facing key → stored config field.
+const KEYS = { organization: 'defaultOrganization', collection: 'defaultCollection' };
+
+const USAGE = 'usage: nbg-pw config [show | set <organization|collection> <value> | unset <organization|collection>]';
+
+export function parseConfigArgs(args) {
+  const [sub, ...rest] = args;
+  if (!sub || sub === 'show') return { action: 'show' };
+  if (sub === 'set') {
+    const [key, value] = rest;
+    if (!key || !(key in KEYS)) throw new Error(USAGE);
+    if (value === undefined) throw new Error('config set requires a value');
+    return { action: 'set', key, value };
+  }
+  if (sub === 'unset') {
+    const [key] = rest;
+    if (!key || !(key in KEYS)) throw new Error(USAGE);
+    return { action: 'unset', key };
+  }
+  throw new Error(`unknown config subcommand "${sub}"\n${USAGE}`);
+}
+
+export async function runConfig(args, deps) {
+  const { keychain, out, err } = deps;
+  const opts = parseConfigArgs(args);
+
+  const config = await keychain.readConfig();
+  if (!config) {
+    err('No stored credentials. Run "nbg-pw setup" first.\n');
+    return 1;
+  }
+
+  if (opts.action === 'show') {
+    out(`default organization: ${config.defaultOrganization ?? '(not set)'}\n`);
+    out(`default collection:   ${config.defaultCollection ?? '(not set)'}\n`);
+    return 0;
+  }
+
+  const field = KEYS[opts.key];
+  if (opts.action === 'set') {
+    config[field] = opts.value;
+    await keychain.writeConfig(config);
+    out(`Set default ${opts.key} = ${opts.value}\n`);
+  } else {
+    delete config[field];
+    await keychain.writeConfig(config);
+    out(`Unset default ${opts.key}\n`);
+  }
+  return 0;
+}
+
+export default async function config(args) {
+  return runConfig(args, {
+    keychain: keychainModule,
+    out: (s) => process.stdout.write(s),
+    err: (s) => process.stderr.write(s),
+  });
+}

package/src/commands/status.js

@@ -12,6 +12,10 @@ export async function runStatus(args, deps) {
     out(`  stored creds:  yes\n`);
     out(`  server URL:    ${config.serverUrl}\n`);
     out(`  email:         ${config.email}\n`);
+    if (config.defaultCollection) {
+      const org = config.defaultOrganization ? `${config.defaultOrganization} / ` : '';
+      out(`  default share: ${org}${config.defaultCollection}\n`);
+    }
   } else {
     out('  stored creds:  No credentials stored (run "nbg-pw setup")\n');
   }

package/src/config.js

@@ -2,6 +2,8 @@ export const SERVICE = 'com.nightlybuild.vault';
 export const ACCOUNT = 'default';
 export const FIELDS = ['serverUrl', 'email', 'clientId', 'clientSecret', 'masterPassword'];
 export const READ_FIELDS = [...FIELDS, 'savedAt'];
+// Optional: when set, `add` shares new items into this org collection by default.
+export const OPTIONAL_FIELDS = ['defaultOrganization', 'defaultCollection'];
 
 export function isValidUrl(s) {
   if (typeof s !== 'string' || s.length === 0) return false;
@@ -26,6 +28,11 @@ export function validateConfig(obj) {
   }
   if (!isValidUrl(obj.serverUrl)) throw new Error('config serverUrl is not a valid URL');
   if (!isValidEmail(obj.email)) throw new Error('config email is not a valid email');
+  for (const f of OPTIONAL_FIELDS) {
+    if (obj[f] !== undefined && (typeof obj[f] !== 'string' || obj[f].length === 0)) {
+      throw new Error(`config field ${f} must be a non-empty string when set`);
+    }
+  }
   return obj;
 }