@nightlybuildgroup/vault 1.4.0 → 1.6.0

package/README.md

@@ -38,6 +38,7 @@ nbg-pw attach "GitHub" --file ./key.pem   # add an attachment; --list/--get/--de
 nbg-pw delete "GitHub"              # soft-delete to trash (alias: rm; --permanent skips it)
 nbg-pw items --search git           # list item names; also: folders, collections
 nbg-pw generate --length 24 --symbols   # generate a password (no vault needed)
+nbg-pw config set collection "Shared"   # new items share into this org collection
 nbg-pw serve --port 8087            # local bw REST API for fast repeated reads
 nbg-pw status                       # presence + auth state (no secrets)
 nbg-pw doctor                       # diagnose bw / Keychain / connectivity
@@ -110,6 +111,33 @@ for path in $(keepassxc-cli ls -R -f "$DB"); do
 done
 ```
 
+### Sharing new items with an organization (`config`)
+
+By default `add` creates items in the API account's **personal** vault, which
+other org members (and your own interactive login) can't see. To make every new
+item land in a shared **organization collection** instead, set a default — it's
+stored in your Keychain, never in this repo, so nothing org-specific is baked
+into the tool:
+
+```sh
+nbg-pw config set organization "Acme Inc"     # by name or id
+nbg-pw config set collection   "Shared"        # by name or id
+nbg-pw config show                             # current defaults
+nbg-pw config unset collection                 # back to personal-vault default
+```
+
+Once a default collection is set, every `add` shares the new item into it:
+
+```sh
+printf '%s' "$pw" | nbg-pw add "GitHub" --username octocat --password-stdin
+# → Created "GitHub" (…) → shared to "Shared"
+
+nbg-pw add "Personal Note" --personal          # opt a single item out (personal vault)
+```
+
+An explicit `--collection`/`--organization` on `add` overrides the default for
+that call. `status` shows the active default share.
+
 ### Editing items (`edit`)
 
 Fetch-merge-write: only the flags you pass are changed; everything else stays.
@@ -153,8 +181,22 @@ nbg-pw items --search git         # filtered by search
 nbg-pw items --folder "Agents"    # filtered by folder
 nbg-pw folders                    # folder names
 nbg-pw collections                # collection names
+nbg-pw organizations              # organization names
+```
+
+Add `--ids` to any of them to print ids alongside names — useful for `config set`
+or scripting. `collections --ids` also shows each collection's org id:
+
+```sh
+$ nbg-pw organizations --ids
+dfff…  Acme Inc
+$ nbg-pw collections --ids
+bf2b…  Shared  (org dfff…)
 ```
 
+(You can pass either a **name or an id** to `config set` / `add --collection`, so
+ids are optional — handy mainly when names are ambiguous.)
+
 ### Generating secrets (`generate`)
 
 Pure generator — needs no vault session.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nightlybuildgroup/vault",
-  "version": "1.4.0",
+  "version": "1.6.0",
   "description": "Store Vaultwarden/Bitwarden credentials in the macOS Keychain and read secrets back for local agents.",
   "type": "module",
   "bin": {

package/src/bw.js

@@ -144,14 +144,29 @@ export async function listOrganizations({ session }, deps = {}) {
   return JSON.parse(stdout);
 }
 
+export async function sync({ session }, deps = {}) {
+  const run = deps.run ?? realRun;
+  await run('bw', ['sync'], { env: { BW_SESSION: session } });
+}
+
 // Share an existing item into an organization's collection(s). This is bw's only
-// path to put an item in a collection; the item must already exist.
+// path to put an item in a collection; the item must already exist. bw's local
+// cache can lag a just-created item ("client copy ... out of date"); a sync +
+// single retry clears that.
 export async function moveItemToCollection({ itemId, organizationId, collectionIds, session }, deps = {}) {
   const run = deps.run ?? realRun;
-  await run('bw', ['move', itemId, organizationId], {
-    env: { BW_SESSION: session },
-    input: encode(collectionIds),
-  });
+  const move = () =>
+    run('bw', ['move', itemId, organizationId], { env: { BW_SESSION: session }, input: encode(collectionIds) });
+  try {
+    await move();
+  } catch (e) {
+    if (/out of date/i.test(e.message || '')) {
+      await run('bw', ['sync'], { env: { BW_SESSION: session } });
+      await move();
+    } else {
+      throw e;
+    }
+  }
 }
 
 export async function editItem({ id, item, session }, deps = {}) {

package/src/cli.js

@@ -10,10 +10,12 @@ Commands:
   delete      Delete an item or folder (alias: rm; --permanent skips trash)
   attach      Manage an item's attachments (--file/--list/--get/--delete)
   list        Show an item's field names + types, no values (nbg-pw list "My Visa")
-  items       List item names (--search, --folder, --collection)
-  folders     List folder names
-  collections List collection names
+  items       List item names (--search, --folder, --collection; --ids)
+  folders     List folder names (--ids)
+  collections List collection names (--ids shows collection + org ids)
+  organizations List organization names (--ids)
   generate    Generate a password or passphrase (bw generate)
+  config      Show/set defaults, e.g. the org collection new items share into
   serve       Start a local bw API daemon (unlocked) for fast repeated reads
   status      Show config + auth state (no secret values)
   doctor      Diagnose bw / Keychain / server connectivity (--fix resets a wedged bw session)
@@ -54,7 +56,7 @@ export async function runCli(argv, deps = {}) {
 }
 
 async function loadCommands() {
-  const [setup, get, add, edit, del, attach, list, items, folders, collections, generate, status, doctor, serve, reset] =
+  const [setup, get, add, edit, del, attach, list, items, folders, collections, organizations, generate, config, status, doctor, serve, reset] =
     await Promise.all([
       import('./commands/setup.js'),
       import('./commands/get.js'),
@@ -66,7 +68,9 @@ async function loadCommands() {
       import('./commands/items.js'),
       import('./commands/folders.js'),
       import('./commands/collections.js'),
+      import('./commands/organizations.js'),
       import('./commands/generate.js'),
+      import('./commands/config.js'),
       import('./commands/status.js'),
       import('./commands/doctor.js'),
       import('./commands/serve.js'),
@@ -84,7 +88,9 @@ async function loadCommands() {
     items: items.default,
     folders: folders.default,
     collections: collections.default,
+    organizations: organizations.default,
     generate: generate.default,
+    config: config.default,
     status: status.default,
     doctor: doctor.default,
     serve: serve.default,

package/src/commands/add.js

@@ -5,7 +5,7 @@ const USAGE =
   'usage: nbg-pw add <name> [--username <u>] [--url <uri>]... [--notes <n>] ' +
   '[--folder <name>] [--collection <name>] [--organization <name|id>] ' +
   '[--field <name>=<value>]... [--field-hidden <name>=<value>]... [--totp <secret>] ' +
-  '[--password-stdin]\n   or: nbg-pw add --json   (reads one entry as a JSON object on stdin)';
+  '[--password-stdin] [--personal]\n   or: nbg-pw add --json   (reads one entry as a JSON object on stdin)';
 
 // `--field name=value` → { name, value, type }. Splits on the FIRST `=` so the
 // value may itself contain `=`.
@@ -16,7 +16,7 @@ function parseField(raw, type) {
 }
 
 export function parseAddArgs(args) {
-  const opts = { uris: [], fields: [], passwordStdin: false, json: false };
+  const opts = { uris: [], fields: [], passwordStdin: false, json: false, personal: false };
   let name = null;
   for (let i = 0; i < args.length; i++) {
     const a = args[i];
@@ -27,6 +27,7 @@ export function parseAddArgs(args) {
     };
     switch (a) {
       case '--json': opts.json = true; break;
+      case '--personal': opts.personal = true; break;
       case '--password-stdin': opts.passwordStdin = true; break;
       case '--username': opts.username = need(); break;
       case '--url': opts.uris.push(need()); break;
@@ -122,23 +123,36 @@ export async function runAdd(args, deps) {
     if (opts.passwordStdin) entry.password = (await readStdin()).replace(/\r?\n$/, '');
   }
 
+  // Where the item lands: an explicit --collection wins; otherwise the
+  // configured default shares every new item into the org collection, unless
+  // --personal (or a json `personal:true`) opts out into the personal vault.
+  const personal = opts.personal || entry.personal;
+  let collectionName = entry.collection;
+  let organizationName = entry.organization;
+  if (!personal && !collectionName && config.defaultCollection) {
+    collectionName = config.defaultCollection;
+    organizationName = organizationName ?? config.defaultOrganization;
+  }
+
   const session = await bw.ensureSession(config);
 
   if (entry.folder) entry.folderId = await resolveFolderId(bw, session, entry.folder);
 
   const created = await bw.createItem({ item: buildLoginItem(entry), session });
 
-  if (entry.collection) {
-    const col = await resolveCollection(bw, session, entry.collection, entry.organization);
+  let shared = '';
+  if (collectionName) {
+    const col = await resolveCollection(bw, session, collectionName, organizationName);
     await bw.moveItemToCollection({
       itemId: created.id,
       organizationId: col.organizationId,
       collectionIds: [col.id],
       session,
     });
+    shared = ` → shared to "${col.name}"`;
   }
 
-  out(`Created "${created.name}" (${created.id})\n`);
+  out(`Created "${created.name}" (${created.id})${shared}\n`);
   return 0;
 }
 

package/src/commands/collections.js

@@ -2,13 +2,17 @@ import * as bwModule from '../bw.js';
 import * as keychainModule from '../keychain.js';
 
 export function parseCollectionsArgs(args) {
-  if (args.length > 0) throw new Error(`unexpected argument: ${args[0]}`);
-  return {};
+  let ids = false;
+  for (const a of args) {
+    if (a === '--ids') ids = true;
+    else throw new Error(`unexpected argument: ${a}`);
+  }
+  return { ids };
 }
 
 export async function runCollections(args, deps) {
   const { keychain, bw, out, err } = deps;
-  parseCollectionsArgs(args);
+  const { ids } = parseCollectionsArgs(args);
 
   const config = await keychain.readConfig();
   if (!config) {
@@ -17,11 +21,11 @@ export async function runCollections(args, deps) {
   }
 
   const session = await bw.ensureSession(config);
-  const collections = await bw.listCollections({ session });
-  const names = collections
-    .map((c) => c.name)
-    .sort((a, b) => a.toLowerCase().localeCompare(b.toLowerCase()));
-  for (const name of names) out(name + '\n');
+  const collections = (await bw.listCollections({ session }))
+    .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+  for (const c of collections) {
+    out(ids ? `${c.id}  ${c.name}  (org ${c.organizationId})\n` : c.name + '\n');
+  }
   return 0;
 }
 

package/src/commands/config.js

@@ -0,0 +1,60 @@
+import * as keychainModule from '../keychain.js';
+
+// User-facing key → stored config field.
+const KEYS = { organization: 'defaultOrganization', collection: 'defaultCollection' };
+
+const USAGE = 'usage: nbg-pw config [show | set <organization|collection> <value> | unset <organization|collection>]';
+
+export function parseConfigArgs(args) {
+  const [sub, ...rest] = args;
+  if (!sub || sub === 'show') return { action: 'show' };
+  if (sub === 'set') {
+    const [key, value] = rest;
+    if (!key || !(key in KEYS)) throw new Error(USAGE);
+    if (value === undefined) throw new Error('config set requires a value');
+    return { action: 'set', key, value };
+  }
+  if (sub === 'unset') {
+    const [key] = rest;
+    if (!key || !(key in KEYS)) throw new Error(USAGE);
+    return { action: 'unset', key };
+  }
+  throw new Error(`unknown config subcommand "${sub}"\n${USAGE}`);
+}
+
+export async function runConfig(args, deps) {
+  const { keychain, out, err } = deps;
+  const opts = parseConfigArgs(args);
+
+  const config = await keychain.readConfig();
+  if (!config) {
+    err('No stored credentials. Run "nbg-pw setup" first.\n');
+    return 1;
+  }
+
+  if (opts.action === 'show') {
+    out(`default organization: ${config.defaultOrganization ?? '(not set)'}\n`);
+    out(`default collection:   ${config.defaultCollection ?? '(not set)'}\n`);
+    return 0;
+  }
+
+  const field = KEYS[opts.key];
+  if (opts.action === 'set') {
+    config[field] = opts.value;
+    await keychain.writeConfig(config);
+    out(`Set default ${opts.key} = ${opts.value}\n`);
+  } else {
+    delete config[field];
+    await keychain.writeConfig(config);
+    out(`Unset default ${opts.key}\n`);
+  }
+  return 0;
+}
+
+export default async function config(args) {
+  return runConfig(args, {
+    keychain: keychainModule,
+    out: (s) => process.stdout.write(s),
+    err: (s) => process.stderr.write(s),
+  });
+}

package/src/commands/folders.js

@@ -2,13 +2,17 @@ import * as bwModule from '../bw.js';
 import * as keychainModule from '../keychain.js';
 
 export function parseFoldersArgs(args) {
-  if (args.length > 0) throw new Error(`unexpected argument: ${args[0]}`);
-  return {};
+  let ids = false;
+  for (const a of args) {
+    if (a === '--ids') ids = true;
+    else throw new Error(`unexpected argument: ${a}`);
+  }
+  return { ids };
 }
 
 export async function runFolders(args, deps) {
   const { keychain, bw, out, err } = deps;
-  parseFoldersArgs(args);
+  const { ids } = parseFoldersArgs(args);
 
   const config = await keychain.readConfig();
   if (!config) {
@@ -17,11 +21,11 @@ export async function runFolders(args, deps) {
   }
 
   const session = await bw.ensureSession(config);
-  const folders = await bw.listFolders({ session });
-  const names = folders
-    .map((f) => f.name)
-    .sort((a, b) => a.toLowerCase().localeCompare(b.toLowerCase()));
-  for (const name of names) out(name + '\n');
+  const folders = (await bw.listFolders({ session }))
+    .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+  for (const f of folders) {
+    out(ids ? `${f.id ?? '-'}  ${f.name}\n` : f.name + '\n');
+  }
   return 0;
 }
 

package/src/commands/items.js

@@ -5,6 +5,7 @@ export function parseItemsArgs(args) {
   let search = null;
   let folder = null;
   let collection = null;
+  let ids = false;
   for (let i = 0; i < args.length; i++) {
     if (args[i] === '--search') {
       const v = args[++i];
@@ -18,16 +19,18 @@ export function parseItemsArgs(args) {
       const v = args[++i];
       if (v === undefined) throw new Error('--collection requires a value');
       collection = v;
+    } else if (args[i] === '--ids') {
+      ids = true;
     } else {
       throw new Error(`unknown option: ${args[i]}`);
     }
   }
-  return { search, folder, collection };
+  return { search, folder, collection, ids };
 }
 
 export async function runItems(args, deps) {
   const { keychain, bw, out, err } = deps;
-  const { search, folder, collection } = parseItemsArgs(args);
+  const { search, folder, collection, ids } = parseItemsArgs(args);
 
   const config = await keychain.readConfig();
   if (!config) {
@@ -58,11 +61,11 @@ export async function runItems(args, deps) {
   if (folderId !== undefined) filters.folderId = folderId;
   if (collectionId !== undefined) filters.collectionId = collectionId;
 
-  const items = await bw.listItems(filters);
-  const names = items
-    .map((i) => i.name)
-    .sort((a, b) => a.toLowerCase().localeCompare(b.toLowerCase()));
-  for (const name of names) out(name + '\n');
+  const items = (await bw.listItems(filters))
+    .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+  for (const i of items) {
+    out(ids ? `${i.id}  ${i.name}\n` : i.name + '\n');
+  }
   return 0;
 }
 

package/src/commands/organizations.js

@@ -0,0 +1,39 @@
+import * as bwModule from '../bw.js';
+import * as keychainModule from '../keychain.js';
+
+export function parseOrganizationsArgs(args) {
+  let ids = false;
+  for (const a of args) {
+    if (a === '--ids') ids = true;
+    else throw new Error(`unexpected argument: ${a}`);
+  }
+  return { ids };
+}
+
+export async function runOrganizations(args, deps) {
+  const { keychain, bw, out, err } = deps;
+  const { ids } = parseOrganizationsArgs(args);
+
+  const config = await keychain.readConfig();
+  if (!config) {
+    err('No stored credentials. Run "nbg-pw setup" first.\n');
+    return 1;
+  }
+
+  const session = await bw.ensureSession(config);
+  const orgs = (await bw.listOrganizations({ session }))
+    .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+  for (const o of orgs) {
+    out(ids ? `${o.id}  ${o.name}\n` : o.name + '\n');
+  }
+  return 0;
+}
+
+export default async function organizations(args) {
+  return runOrganizations(args, {
+    keychain: keychainModule,
+    bw: bwModule,
+    out: (s) => process.stdout.write(s),
+    err: (s) => process.stderr.write(s),
+  });
+}

package/src/commands/status.js

@@ -12,6 +12,10 @@ export async function runStatus(args, deps) {
     out(`  stored creds:  yes\n`);
     out(`  server URL:    ${config.serverUrl}\n`);
     out(`  email:         ${config.email}\n`);
+    if (config.defaultCollection) {
+      const org = config.defaultOrganization ? `${config.defaultOrganization} / ` : '';
+      out(`  default share: ${org}${config.defaultCollection}\n`);
+    }
   } else {
     out('  stored creds:  No credentials stored (run "nbg-pw setup")\n');
   }

package/src/config.js

@@ -2,6 +2,8 @@ export const SERVICE = 'com.nightlybuild.vault';
 export const ACCOUNT = 'default';
 export const FIELDS = ['serverUrl', 'email', 'clientId', 'clientSecret', 'masterPassword'];
 export const READ_FIELDS = [...FIELDS, 'savedAt'];
+// Optional: when set, `add` shares new items into this org collection by default.
+export const OPTIONAL_FIELDS = ['defaultOrganization', 'defaultCollection'];
 
 export function isValidUrl(s) {
   if (typeof s !== 'string' || s.length === 0) return false;
@@ -26,6 +28,11 @@ export function validateConfig(obj) {
   }
   if (!isValidUrl(obj.serverUrl)) throw new Error('config serverUrl is not a valid URL');
   if (!isValidEmail(obj.email)) throw new Error('config email is not a valid email');
+  for (const f of OPTIONAL_FIELDS) {
+    if (obj[f] !== undefined && (typeof obj[f] !== 'string' || obj[f].length === 0)) {
+      throw new Error(`config field ${f} must be a non-empty string when set`);
+    }
+  }
   return obj;
 }