@ouro.bot/cli 0.1.0-alpha.35 → 0.1.0-alpha.351

package/dist/repertoire/credential-access.js

@@ -0,0 +1,527 @@
+"use strict";
+/**
+ * Credential access layer — store-agnostic credential management.
+ *
+ * Two backends, one interface:
+ *   - BuiltInCredentialStore: AES-256-GCM encrypted files, zero npm deps
+ *   - AacCredentialStore: delegates to the `aac` CLI (Bitwarden Agent Access)
+ *
+ * Raw secrets are NEVER returned to callers except via getRawSecret(),
+ * which is reserved for internal use by the credential gateway (apiRequest).
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AacCredentialStore = exports.BuiltInCredentialStore = void 0;
+exports.domainToSlug = domainToSlug;
+exports.ensureVaultDefaults = ensureVaultDefaults;
+exports.getCredentialStore = getCredentialStore;
+exports.resetCredentialStore = resetCredentialStore;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs"));
+const path = __importStar(require("node:path"));
+const os = __importStar(require("node:os"));
+const node_child_process_1 = require("node:child_process");
+const runtime_1 = require("../nerves/runtime");
+const identity = __importStar(require("../heart/identity"));
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Convert a domain string to a filesystem-safe slug. */
+function domainToSlug(domain) {
+    return domain
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+}
+class BuiltInCredentialStore {
+    vaultDir;
+    keyPath;
+    masterKey = null;
+    constructor(agentName, vaultDir, keyDir) {
+        const homeBase = process.env.WEBSITE_SITE_NAME ? "/home" : os.homedir();
+        this.vaultDir = vaultDir ?? path.join(homeBase, "AgentBundles", `${agentName}.ouro`, "vault");
+        const effectiveKeyDir = keyDir ?? path.join(homeBase, ".agentsecrets", agentName);
+        this.keyPath = path.join(effectiveKeyDir, "vault.key");
+    }
+    isReady() {
+        return true;
+    }
+    async get(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_get_start",
+            component: "repertoire",
+            message: `getting credential for ${domain}`,
+            meta: { domain },
+        });
+        const stored = this.readEncrypted(domain);
+        if (!stored) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_get_end",
+                component: "repertoire",
+                message: `no credential found for ${domain}`,
+                meta: { domain, found: false },
+            });
+            return null;
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_get_end",
+            component: "repertoire",
+            message: `credential found for ${domain}`,
+            meta: { domain, found: true },
+        });
+        return {
+            domain: stored.domain,
+            username: stored.username,
+            notes: stored.notes,
+            createdAt: stored.createdAt,
+        };
+    }
+    async getRawSecret(domain, field) {
+        const stored = this.readEncrypted(domain);
+        if (!stored) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "repertoire.credential_get_error",
+                component: "repertoire",
+                message: `no credential found for domain "${domain}"`,
+                meta: { domain, field, reason: `no credential found for domain "${domain}"` },
+            });
+            throw new Error(`no credential found for domain "${domain}"`);
+        }
+        const value = stored[field];
+        if (value === undefined || value === null) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                event: "repertoire.credential_get_error",
+                component: "repertoire",
+                message: `field "${field}" not found for domain "${domain}"`,
+                meta: { domain, field, reason: `field "${field}" not found for domain "${domain}"` },
+            });
+            throw new Error(`field "${field}" not found for domain "${domain}"`);
+        }
+        return String(value);
+    }
+    async store(domain, data) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_store_start",
+            component: "repertoire",
+            message: `storing credential for ${domain}`,
+            meta: { domain },
+        });
+        this.ensureDirs();
+        const key = this.getOrCreateKey();
+        const credential = {
+            domain,
+            username: data.username,
+            password: data.password,
+            notes: data.notes,
+            createdAt: new Date().toISOString(),
+        };
+        const plaintext = JSON.stringify(credential);
+        const iv = crypto.randomBytes(12);
+        const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
+        const encrypted = Buffer.concat([cipher.update(plaintext, "utf-8"), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        const payload = {
+            iv: iv.toString("hex"),
+            tag: tag.toString("hex"),
+            data: encrypted.toString("hex"),
+        };
+        const slug = domainToSlug(domain);
+        const encPath = path.join(this.vaultDir, `${slug}.enc`);
+        fs.writeFileSync(encPath, JSON.stringify(payload), "utf-8");
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_store_end",
+            component: "repertoire",
+            message: `credential stored for ${domain}`,
+            meta: { domain },
+        });
+    }
+    async list() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_list_start",
+            component: "repertoire",
+            message: "listing credentials",
+            meta: {},
+        });
+        if (!fs.existsSync(this.vaultDir)) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_list_end",
+                component: "repertoire",
+                message: "credential list complete (no vault dir)",
+                meta: { count: 0 },
+            });
+            return [];
+        }
+        const files = fs.readdirSync(this.vaultDir).filter((f) => f.endsWith(".enc"));
+        const results = [];
+        for (const file of files) {
+            const slug = file.replace(/\.enc$/, "");
+            let stored = null;
+            try {
+                stored = this.readEncryptedBySlug(slug);
+            }
+            catch {
+                // Skip corrupt/unreadable files
+            }
+            if (stored) {
+                results.push({
+                    domain: stored.domain,
+                    username: stored.username,
+                    notes: stored.notes,
+                    createdAt: stored.createdAt,
+                });
+            }
+        }
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_list_end",
+            component: "repertoire",
+            message: "credential list complete",
+            meta: { count: results.length },
+        });
+        return results;
+    }
+    async delete(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_delete_start",
+            component: "repertoire",
+            message: `deleting credential for ${domain}`,
+            meta: { domain },
+        });
+        const slug = domainToSlug(domain);
+        const encPath = path.join(this.vaultDir, `${slug}.enc`);
+        if (!fs.existsSync(encPath)) {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_delete_end",
+                component: "repertoire",
+                message: `no credential to delete for ${domain}`,
+                meta: { domain, deleted: false },
+            });
+            return false;
+        }
+        fs.unlinkSync(encPath);
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_delete_end",
+            component: "repertoire",
+            message: `credential deleted for ${domain}`,
+            meta: { domain, deleted: true },
+        });
+        return true;
+    }
+    // --- Private ---
+    ensureDirs() {
+        if (!fs.existsSync(this.vaultDir)) {
+            fs.mkdirSync(this.vaultDir, { recursive: true });
+        }
+        const keyDir = path.dirname(this.keyPath);
+        if (!fs.existsSync(keyDir)) {
+            fs.mkdirSync(keyDir, { recursive: true, mode: 0o700 });
+        }
+    }
+    getOrCreateKey() {
+        if (this.masterKey)
+            return this.masterKey;
+        if (fs.existsSync(this.keyPath)) {
+            this.masterKey = fs.readFileSync(this.keyPath);
+            return this.masterKey;
+        }
+        // Generate new 256-bit key
+        const key = crypto.randomBytes(32);
+        fs.writeFileSync(this.keyPath, key, { mode: 0o600 });
+        this.masterKey = key;
+        return key;
+    }
+    readEncrypted(domain) {
+        return this.readEncryptedBySlug(domainToSlug(domain));
+    }
+    readEncryptedBySlug(slug) {
+        const encPath = path.join(this.vaultDir, `${slug}.enc`);
+        if (!fs.existsSync(encPath))
+            return null;
+        const key = this.getOrCreateKey();
+        const raw = fs.readFileSync(encPath, "utf-8");
+        const payload = JSON.parse(raw);
+        const iv = Buffer.from(payload.iv, "hex");
+        const tag = Buffer.from(payload.tag, "hex");
+        const encrypted = Buffer.from(payload.data, "hex");
+        const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
+        decipher.setAuthTag(tag);
+        const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+        return JSON.parse(decrypted.toString("utf-8"));
+    }
+}
+exports.BuiltInCredentialStore = BuiltInCredentialStore;
+// ---------------------------------------------------------------------------
+// AacCredentialStore — delegates to `aac` CLI
+// ---------------------------------------------------------------------------
+function execAac(args) {
+    return new Promise((resolve, reject) => {
+        (0, node_child_process_1.execFile)("aac", args, { timeout: 10_000 }, (err, stdout) => {
+            if (err) {
+                reject(new Error(`aac CLI error: ${err.message}`));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+class AacCredentialStore {
+    aacAvailable = null;
+    isReady() {
+        // Synchronous check — returns last-known state or false if unchecked
+        return this.aacAvailable === true;
+    }
+    async checkReady() {
+        try {
+            const stdout = await execAac(["connections", "list"]);
+            const parsed = JSON.parse(stdout);
+            this.aacAvailable = Array.isArray(parsed) && parsed.length > 0;
+        }
+        catch {
+            this.aacAvailable = false;
+        }
+        return this.aacAvailable;
+    }
+    async get(domain) {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_get_start",
+            component: "repertoire",
+            message: `getting credential via aac for ${domain}`,
+            meta: { domain, backend: "aac" },
+        });
+        try {
+            const stdout = await execAac(["--domain", domain, "--output", "json"]);
+            const parsed = JSON.parse(stdout);
+            if (!parsed.success) {
+                (0, runtime_1.emitNervesEvent)({
+                    event: "repertoire.credential_get_end",
+                    component: "repertoire",
+                    message: `no aac credential for ${domain}`,
+                    meta: { domain, found: false, backend: "aac" },
+                });
+                return null;
+            }
+            const cred = parsed.credential;
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_get_end",
+                component: "repertoire",
+                message: `aac credential found for ${domain}`,
+                meta: { domain, found: true, backend: "aac" },
+            });
+            return {
+                domain,
+                username: cred.username,
+                notes: cred.notes,
+                createdAt: cred.createdAt ?? new Date().toISOString(),
+            };
+        }
+        catch {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_get_end",
+                component: "repertoire",
+                message: `aac credential lookup failed for ${domain}`,
+                meta: { domain, found: false, backend: "aac" },
+            });
+            return null;
+        }
+    }
+    async getRawSecret(domain, field) {
+        const stdout = await execAac(["--domain", domain, "--output", "json"]);
+        const parsed = JSON.parse(stdout);
+        if (!parsed.success) {
+            throw new Error(`aac lookup failed for domain "${domain}": ${parsed.error ?? "unknown error"}`);
+        }
+        const value = parsed.credential[field];
+        if (value === undefined || value === null) {
+            throw new Error(`field "${field}" not found for domain "${domain}"`);
+        }
+        return String(value);
+    }
+    async store(_domain, _data) {
+        throw new Error("store() is not supported in aac mode — aac is read-from-vault only. " +
+            "Use BuiltInCredentialStore for agent-owned credentials, or manage vault items " +
+            "directly in Bitwarden.");
+    }
+    async list() {
+        (0, runtime_1.emitNervesEvent)({
+            event: "repertoire.credential_list_start",
+            component: "repertoire",
+            message: "listing aac connections",
+            meta: { backend: "aac" },
+        });
+        try {
+            const stdout = await execAac(["connections", "list"]);
+            const parsed = JSON.parse(stdout);
+            const results = (Array.isArray(parsed) ? parsed : []).map((item) => ({
+                domain: String(item.domain ?? ""),
+                username: item.username ? String(item.username) : undefined,
+                notes: item.notes ? String(item.notes) : undefined,
+                createdAt: item.createdAt ? String(item.createdAt) : new Date().toISOString(),
+            }));
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_list_end",
+                component: "repertoire",
+                message: "aac connections listed",
+                meta: { backend: "aac", count: results.length },
+            });
+            return results;
+        }
+        catch {
+            (0, runtime_1.emitNervesEvent)({
+                event: "repertoire.credential_list_end",
+                component: "repertoire",
+                message: "aac connections list failed",
+                meta: { backend: "aac", count: 0 },
+            });
+            return [];
+        }
+    }
+    async delete(_domain) {
+        throw new Error("delete() is not supported in aac mode — manage vault items directly in Bitwarden.");
+    }
+}
+exports.AacCredentialStore = AacCredentialStore;
+// ---------------------------------------------------------------------------
+// Singleton + auto-detection
+// ---------------------------------------------------------------------------
+let _store = null;
+/**
+ * Auto-add vault defaults to agent.json when no vault section exists.
+ * Returns the vault config (either existing or freshly written defaults).
+ */
+function ensureVaultDefaults(agentName, agentRoot, existingVault) {
+    if (existingVault) {
+        return existingVault;
+    }
+    const configPath = path.join(agentRoot, "agent.json");
+    let raw;
+    try {
+        raw = JSON.parse(fs.readFileSync(configPath, "utf-8"));
+    }
+    catch {
+        // agent.json unreadable — cannot auto-configure
+        return undefined;
+    }
+    const defaults = {
+        email: `${agentName}@ouro.bot`,
+        serverUrl: "https://vault.ouro.bot",
+    };
+    raw.vault = defaults;
+    fs.writeFileSync(configPath, JSON.stringify(raw, null, 2) + "\n", "utf-8");
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.vault_defaults_auto_configured",
+        component: "repertoire",
+        message: "auto-configured vault defaults in agent.json",
+        meta: { agentName, email: defaults.email, serverUrl: defaults.serverUrl },
+    });
+    return defaults;
+}
+/**
+ * Get the credential store singleton.
+ *
+ * Priority:
+ *   1. BitwardenCredentialStore — if vault config exists in agent.json + secrets.json
+ *   2. BuiltInCredentialStore — fallback for agents without a vault (local-only, encrypted files)
+ *
+ * Future auth providers (1Password, etc.) would be added here as additional backends.
+ */
+function getCredentialStore() {
+    if (_store)
+        return _store;
+    // Resolve identity up front. The previous implementation wrapped this call
+    // in a try/catch that silently fell back to `agentName = "default"`, which
+    // meant any test that hit getCredentialStore() without mocking identity
+    // silently constructed a BuiltInCredentialStore("default") routing writes
+    // to `~/AgentBundles/default.ouro/vault/` and `~/.agentsecrets/default/`.
+    // Same silent-leak class we just fixed in coding/manager.ts. No fallback:
+    // getAgentName() throws loudly if argv lacks --agent, which is correct for
+    // the only caller (production agents with a real identity). Uses the
+    // static ESM import above instead of `require("../heart/identity")` so
+    // `vi.mock("../heart/identity", ...)` in tests actually intercepts the
+    // call — require() bypasses vitest's module registry.
+    const agentName = identity.getAgentName();
+    const agentRoot = identity.getAgentRoot(agentName);
+    // Try to load vault config from agent.json + secrets.json. Only this block
+    // is defended with try/catch — bitwarden wiring can legitimately fail
+    // (missing vault config, no bw CLI, unreachable server) and the fallback
+    // to BuiltInCredentialStore is the intended behavior.
+    let backend = "built-in";
+    try {
+        const config = identity.loadAgentConfig?.();
+        // Auto-configure vault defaults if missing
+        const vaultSection = ensureVaultDefaults(agentName, agentRoot, config?.vault);
+        const vaultConfig = identity.resolveVaultConfig?.(agentName, vaultSection);
+        const secretsPath = identity.getAgentSecretsPath?.(agentName);
+        let vaultSecrets;
+        /* v8 ignore start -- requires real agent secrets.json + vault config + bw CLI @preserve */
+        if (secretsPath) {
+            try {
+                const fsSync = require("fs");
+                const secrets = JSON.parse(fsSync.readFileSync(secretsPath, "utf-8"));
+                vaultSecrets = secrets.vault;
+            }
+            catch {
+                // No secrets file or no vault section — fall through to built-in
+            }
+        }
+        const serverUrl = vaultConfig?.serverUrl;
+        const email = vaultConfig?.email;
+        const masterPassword = vaultSecrets?.masterPassword;
+        if (serverUrl && email && masterPassword) {
+            const { BitwardenCredentialStore } = require("./bitwarden-store");
+            _store = new BitwardenCredentialStore(serverUrl, email, masterPassword);
+            backend = "bitwarden";
+        }
+        /* v8 ignore stop */
+    }
+    catch {
+        // Bitwarden wiring failed — fall through to built-in store below.
+    }
+    /* v8 ignore next -- false branch only reachable when BitwardenCredentialStore was created above @preserve */
+    if (!_store) {
+        _store = new BuiltInCredentialStore(agentName);
+    }
+    (0, runtime_1.emitNervesEvent)({
+        event: "repertoire.credential_store_init",
+        component: "repertoire",
+        message: "credential store initialized",
+        meta: { backend, agentName },
+    });
+    return _store;
+}
+/** Reset the singleton — for tests only. */
+function resetCredentialStore() {
+    _store = null;
+}