@passwd/passwd-agent-cli 1.4.2 → 1.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/exec.js +3 -12
- package/dist/commands/exec.js.map +1 -1
- package/dist/index.js +1 -6
- package/dist/index.js.map +1 -1
- package/dist/util/parse-injection.d.ts +15 -0
- package/dist/util/parse-injection.js +67 -0
- package/dist/util/parse-injection.js.map +1 -0
- package/package.json +2 -2
- package/dist/commands/resolve.d.ts +0 -10
- package/dist/commands/resolve.js +0 -81
- package/dist/commands/resolve.js.map +0 -1
package/dist/commands/exec.js
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { spawn } from "node:child_process";
|
|
2
2
|
import { getSecret } from "@passwd/passwd-lib";
|
|
3
|
+
import { parseInjection } from "../util/parse-injection.js";
|
|
3
4
|
export async function execCommand(args, opts) {
|
|
4
5
|
if (!args.length) {
|
|
5
6
|
console.error("Usage: passwd-agent exec --inject VAR=SECRET_ID:FIELD -- command [args...]");
|
|
@@ -9,22 +10,12 @@ export async function execCommand(args, opts) {
|
|
|
9
10
|
const injections = opts.inject ?? [];
|
|
10
11
|
const env = { ...process.env };
|
|
11
12
|
// Scrub passwd config so the child only gets the specific fields requested
|
|
13
|
+
delete env.PASSWD_ORIGIN;
|
|
12
14
|
delete env.PASSWD_API_URL;
|
|
13
15
|
delete env.PASSWD_CLIENT_ID;
|
|
14
16
|
// Parse and fetch all injections in parallel
|
|
15
17
|
const tasks = injections.map(async (spec) => {
|
|
16
|
-
const
|
|
17
|
-
if (eqIdx === -1) {
|
|
18
|
-
throw new Error(`Invalid --inject format: '${spec}'. Expected VAR=SECRET_ID:FIELD`);
|
|
19
|
-
}
|
|
20
|
-
const varName = spec.slice(0, eqIdx);
|
|
21
|
-
const rest = spec.slice(eqIdx + 1);
|
|
22
|
-
const colonIdx = rest.indexOf(":");
|
|
23
|
-
if (colonIdx === -1) {
|
|
24
|
-
throw new Error(`Invalid --inject format: '${spec}'. Expected VAR=SECRET_ID:FIELD`);
|
|
25
|
-
}
|
|
26
|
-
const secretId = rest.slice(0, colonIdx);
|
|
27
|
-
const field = rest.slice(colonIdx + 1);
|
|
18
|
+
const { varName, secretId, field } = parseInjection(spec);
|
|
28
19
|
const secret = await getSecret(secretId);
|
|
29
20
|
const value = secret[field];
|
|
30
21
|
if (value === undefined) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exec.js","sourceRoot":"","sources":["../../src/commands/exec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"exec.js","sourceRoot":"","sources":["../../src/commands/exec.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAE5D,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAc,EACd,IAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAC5F,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC;IACrC,MAAM,GAAG,GAA2B,EAAE,GAAG,OAAO,CAAC,GAAG,EAA4B,CAAC;IAEjF,2EAA2E;IAC3E,OAAO,GAAG,CAAC,aAAa,CAAC;IACzB,OAAO,GAAG,CAAC,cAAc,CAAC;IAC1B,OAAO,GAAG,CAAC,gBAAgB,CAAC;IAE5B,6CAA6C;IAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QAC1C,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QAE1D,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,KAAK,GAAI,MAA6C,CAAC,KAAK,CAAC,CAAC;QACpE,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,UAAU,KAAK,0BAA0B,QAAQ,GAAG,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC1C,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;QAC1C,GAAG,CAAC,OAAO,CAAC,GAAG,KAAK,CAAC;IACvB,CAAC;IAED,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAE9E,MAAM,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC;IAC/B,6DAA6D;IAC7D,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE;QAChC,GAAG;QACH,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,CAAC,KAAa,EAAU,EAAE;QACrC,IAAI,GAAG,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC3B,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;YAC7B,GAAG,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,EAAE,uBAAuB,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC,CAAC;IAEF,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/E,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE/E,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;QACzB,OAAO,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -7,14 +7,13 @@ import { getCommand } from "./commands/get.js";
|
|
|
7
7
|
import { totpCommand } from "./commands/totp.js";
|
|
8
8
|
import { execCommand } from "./commands/exec.js";
|
|
9
9
|
import { envsCommand } from "./commands/envs.js";
|
|
10
|
-
import { resolveCommand } from "./commands/resolve.js";
|
|
11
10
|
import { formatError } from "./util/format.js";
|
|
12
11
|
import { resetDiscoveryCache, getTokenDir, resolveEnv } from "@passwd/passwd-lib";
|
|
13
12
|
const program = new Command();
|
|
14
13
|
program
|
|
15
14
|
.name("passwd-agent")
|
|
16
15
|
.description("Agent-safe CLI for passwd.team — no command exposes raw credential values")
|
|
17
|
-
.version("1.4.
|
|
16
|
+
.version("1.4.4")
|
|
18
17
|
.enablePositionalOptions()
|
|
19
18
|
.option("--env <name>", "Target a specific environment (substring match against known origins)");
|
|
20
19
|
program.hook("preAction", async (thisCommand) => {
|
|
@@ -67,10 +66,6 @@ program
|
|
|
67
66
|
.description("List known environments")
|
|
68
67
|
.option("--json", "Output as JSON")
|
|
69
68
|
.action((opts) => envsCommand(opts).catch(die));
|
|
70
|
-
program
|
|
71
|
-
.command("resolve", { hidden: true })
|
|
72
|
-
.description("Resolve secrets for exec secrets provider (reads JSON from stdin)")
|
|
73
|
-
.action(() => resolveCommand().catch(die));
|
|
74
69
|
function die(err) {
|
|
75
70
|
console.error(`Error: ${formatError(err)}`);
|
|
76
71
|
process.exitCode = 1;
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAElF,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,cAAc,CAAC;KACpB,WAAW,CAAC,2EAA2E,CAAC;KACxF,OAAO,CAAC,OAAO,CAAC;KAChB,uBAAuB,EAAE;KACzB,MAAM,CAAC,cAAc,EAAE,uEAAuE,CAAC,CAAC;AAEnG,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;IAC9C,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,GAAyB,CAAC;IAC7D,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,MAAM,CAAC;QACnC,mBAAmB,EAAE,CAAC;IACxB,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,gCAAgC,CAAC;KAC7C,MAAM,CAAC,GAAG,EAAE,CAAC,YAAY,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAE3C,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,mBAAmB,CAAC;KAChC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAEpD,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,cAAc,CAAC;KAC3B,MAAM,CAAC,oBAAoB,EAAE,kCAAkC,CAAC;KAChE,MAAM,CAAC,mBAAmB,EAAE,uBAAuB,CAAC;KACpD,MAAM,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;KAC5C,MAAM,CAAC,kBAAkB,EAAE,sBAAsB,CAAC;KAClD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAElD,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAEzD,OAAO;KACJ,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,uBAAuB,CAAC;KACpC,MAAM,CAAC,QAAQ,EAAE,6CAA6C,CAAC;KAC/D,MAAM,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAE1D,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,8DAA8D,CAAC;KAC3E,MAAM,CAAC,uBAAuB,EAAE,kCAAkC,CAAC;KACnE,QAAQ,CAAC,WAAW,EAAE,+BAA+B,CAAC;KACtD,kBAAkB,EAAE;KACpB,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE;IACrB,WAAW,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACrC,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,yBAAyB,CAAC;KACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;AAElD,SAAS,GAAG,CAAC,GAAY;IACvB,OAAO,CAAC,KAAK,CAAC,UAAU,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,OAAO,CAAC,KAAK,EAAE,CAAC"}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Parsed injection spec from --inject VAR=SECRET_ID:FIELD.
|
|
3
|
+
*/
|
|
4
|
+
export interface InjectionSpec {
|
|
5
|
+
varName: string;
|
|
6
|
+
secretId: string;
|
|
7
|
+
field: string;
|
|
8
|
+
}
|
|
9
|
+
/**
|
|
10
|
+
* Parse a single --inject spec string into its components.
|
|
11
|
+
* Format: VAR=SECRET_ID:FIELD
|
|
12
|
+
*
|
|
13
|
+
* Throws on malformed input or blocked variable names.
|
|
14
|
+
*/
|
|
15
|
+
export declare function parseInjection(spec: string): InjectionSpec;
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Environment variables that must never be set via --inject.
|
|
3
|
+
* These can hijack process execution, load arbitrary code, or redirect
|
|
4
|
+
* network traffic before the child process runs user-visible commands.
|
|
5
|
+
*/
|
|
6
|
+
const BLOCKED_ENV_VARS = new Set([
|
|
7
|
+
// Dynamic linker — load arbitrary shared objects
|
|
8
|
+
"LD_PRELOAD",
|
|
9
|
+
"LD_LIBRARY_PATH",
|
|
10
|
+
"DYLD_INSERT_LIBRARIES",
|
|
11
|
+
"DYLD_LIBRARY_PATH",
|
|
12
|
+
"DYLD_FRAMEWORK_PATH",
|
|
13
|
+
// Runtime code injection
|
|
14
|
+
"NODE_OPTIONS",
|
|
15
|
+
"NODE_EXTRA_CA_CERTS",
|
|
16
|
+
"PYTHONPATH",
|
|
17
|
+
"PYTHONSTARTUP",
|
|
18
|
+
"RUBYLIB",
|
|
19
|
+
"RUBYOPT",
|
|
20
|
+
"PERL5LIB",
|
|
21
|
+
"PERL5OPT",
|
|
22
|
+
// Process execution redirection
|
|
23
|
+
"PATH",
|
|
24
|
+
"HOME",
|
|
25
|
+
"SHELL",
|
|
26
|
+
"BASH_ENV",
|
|
27
|
+
"ENV",
|
|
28
|
+
"CDPATH",
|
|
29
|
+
// TLS / proxy interception
|
|
30
|
+
"SSL_CERT_FILE",
|
|
31
|
+
"SSL_CERT_DIR",
|
|
32
|
+
"HTTP_PROXY",
|
|
33
|
+
"HTTPS_PROXY",
|
|
34
|
+
"http_proxy",
|
|
35
|
+
"https_proxy",
|
|
36
|
+
"ALL_PROXY",
|
|
37
|
+
"NO_PROXY",
|
|
38
|
+
// passwd-internal (already scrubbed, but block explicit override too)
|
|
39
|
+
"PASSWD_ORIGIN",
|
|
40
|
+
"PASSWD_API_URL",
|
|
41
|
+
"PASSWD_CLIENT_ID",
|
|
42
|
+
]);
|
|
43
|
+
/**
|
|
44
|
+
* Parse a single --inject spec string into its components.
|
|
45
|
+
* Format: VAR=SECRET_ID:FIELD
|
|
46
|
+
*
|
|
47
|
+
* Throws on malformed input or blocked variable names.
|
|
48
|
+
*/
|
|
49
|
+
export function parseInjection(spec) {
|
|
50
|
+
const eqIdx = spec.indexOf("=");
|
|
51
|
+
if (eqIdx === -1) {
|
|
52
|
+
throw new Error(`Invalid --inject format: '${spec}'. Expected VAR=SECRET_ID:FIELD`);
|
|
53
|
+
}
|
|
54
|
+
const varName = spec.slice(0, eqIdx);
|
|
55
|
+
const rest = spec.slice(eqIdx + 1);
|
|
56
|
+
const colonIdx = rest.indexOf(":");
|
|
57
|
+
if (colonIdx === -1) {
|
|
58
|
+
throw new Error(`Invalid --inject format: '${spec}'. Expected VAR=SECRET_ID:FIELD`);
|
|
59
|
+
}
|
|
60
|
+
if (BLOCKED_ENV_VARS.has(varName)) {
|
|
61
|
+
throw new Error(`Blocked environment variable: '${varName}'. Cannot override security-sensitive variables via --inject.`);
|
|
62
|
+
}
|
|
63
|
+
const secretId = rest.slice(0, colonIdx);
|
|
64
|
+
const field = rest.slice(colonIdx + 1);
|
|
65
|
+
return { varName, secretId, field };
|
|
66
|
+
}
|
|
67
|
+
//# sourceMappingURL=parse-injection.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"parse-injection.js","sourceRoot":"","sources":["../../src/util/parse-injection.ts"],"names":[],"mappings":"AASA;;;;GAIG;AACH,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,iDAAiD;IACjD,YAAY;IACZ,iBAAiB;IACjB,uBAAuB;IACvB,mBAAmB;IACnB,qBAAqB;IAErB,yBAAyB;IACzB,cAAc;IACd,qBAAqB;IACrB,YAAY;IACZ,eAAe;IACf,SAAS;IACT,SAAS;IACT,UAAU;IACV,UAAU;IAEV,gCAAgC;IAChC,MAAM;IACN,MAAM;IACN,OAAO;IACP,UAAU;IACV,KAAK;IACL,QAAQ;IAER,2BAA2B;IAC3B,eAAe;IACf,cAAc;IACd,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,aAAa;IACb,WAAW;IACX,UAAU;IAEV,sEAAsE;IACtE,eAAe;IACf,gBAAgB;IAChB,kBAAkB;CACnB,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,KAAK,CAAC,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,iCAAiC,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,iCAAiC,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,kCAAkC,OAAO,+DAA+D,CAAC,CAAC;IAC5H,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;IACvC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AACtC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@passwd/passwd-agent-cli",
|
|
3
|
-
"version": "1.4.
|
|
3
|
+
"version": "1.4.4",
|
|
4
4
|
"description": "Agent-safe CLI for passwd.team — no command exposes raw credential values",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "dist/index.js",
|
|
@@ -23,7 +23,7 @@
|
|
|
23
23
|
],
|
|
24
24
|
"license": "MIT",
|
|
25
25
|
"dependencies": {
|
|
26
|
-
"@passwd/passwd-lib": "1.4.
|
|
26
|
+
"@passwd/passwd-lib": "1.4.4",
|
|
27
27
|
"commander": "^13.1.0"
|
|
28
28
|
},
|
|
29
29
|
"repository": {
|
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* OpenClaw exec secrets provider protocol.
|
|
3
|
-
*
|
|
4
|
-
* Reads a JSON request from stdin:
|
|
5
|
-
* { "protocolVersion": 1, "provider": "passwd", "ids": ["secretId:field", ...] }
|
|
6
|
-
*
|
|
7
|
-
* Writes a JSON response to stdout:
|
|
8
|
-
* { "protocolVersion": 1, "values": { "secretId:field": "value", ... }, "errors": { "id": "msg", ... } }
|
|
9
|
-
*/
|
|
10
|
-
export declare function resolveCommand(): Promise<void>;
|
package/dist/commands/resolve.js
DELETED
|
@@ -1,81 +0,0 @@
|
|
|
1
|
-
import { getSecret } from "@passwd/passwd-lib";
|
|
2
|
-
/**
|
|
3
|
-
* OpenClaw exec secrets provider protocol.
|
|
4
|
-
*
|
|
5
|
-
* Reads a JSON request from stdin:
|
|
6
|
-
* { "protocolVersion": 1, "provider": "passwd", "ids": ["secretId:field", ...] }
|
|
7
|
-
*
|
|
8
|
-
* Writes a JSON response to stdout:
|
|
9
|
-
* { "protocolVersion": 1, "values": { "secretId:field": "value", ... }, "errors": { "id": "msg", ... } }
|
|
10
|
-
*/
|
|
11
|
-
export async function resolveCommand() {
|
|
12
|
-
const input = await readStdin();
|
|
13
|
-
let request;
|
|
14
|
-
try {
|
|
15
|
-
request = JSON.parse(input);
|
|
16
|
-
}
|
|
17
|
-
catch {
|
|
18
|
-
writeResponse({}, { _parse: "Invalid JSON on stdin" });
|
|
19
|
-
return;
|
|
20
|
-
}
|
|
21
|
-
const ids = request.ids ?? [];
|
|
22
|
-
if (!Array.isArray(ids) || ids.length === 0) {
|
|
23
|
-
writeResponse({}, {});
|
|
24
|
-
return;
|
|
25
|
-
}
|
|
26
|
-
// Deduplicate secret IDs to minimize API calls
|
|
27
|
-
const secretIds = [...new Set(ids.map((id) => id.split(":")[0]))];
|
|
28
|
-
const secrets = new Map();
|
|
29
|
-
const fetchErrors = new Map();
|
|
30
|
-
const results = await Promise.allSettled(secretIds.map(async (sid) => {
|
|
31
|
-
const secret = await getSecret(sid);
|
|
32
|
-
return { sid, secret };
|
|
33
|
-
}));
|
|
34
|
-
for (const result of results) {
|
|
35
|
-
if (result.status === "fulfilled") {
|
|
36
|
-
secrets.set(result.value.sid, result.value.secret);
|
|
37
|
-
}
|
|
38
|
-
else {
|
|
39
|
-
const sid = secretIds[results.indexOf(result)];
|
|
40
|
-
fetchErrors.set(sid, String(result.reason));
|
|
41
|
-
}
|
|
42
|
-
}
|
|
43
|
-
const values = {};
|
|
44
|
-
const errors = {};
|
|
45
|
-
for (const id of ids) {
|
|
46
|
-
const [secretId, field = "password"] = id.split(":");
|
|
47
|
-
const fetchError = fetchErrors.get(secretId);
|
|
48
|
-
if (fetchError) {
|
|
49
|
-
errors[id] = fetchError;
|
|
50
|
-
continue;
|
|
51
|
-
}
|
|
52
|
-
const secret = secrets.get(secretId);
|
|
53
|
-
if (!secret) {
|
|
54
|
-
errors[id] = "Secret not found";
|
|
55
|
-
continue;
|
|
56
|
-
}
|
|
57
|
-
const value = secret[field];
|
|
58
|
-
if (value === undefined || value === null) {
|
|
59
|
-
errors[id] = `Field '${field}' not found`;
|
|
60
|
-
continue;
|
|
61
|
-
}
|
|
62
|
-
values[id] = String(value);
|
|
63
|
-
}
|
|
64
|
-
writeResponse(values, errors);
|
|
65
|
-
}
|
|
66
|
-
function writeResponse(values, errors) {
|
|
67
|
-
const response = { protocolVersion: 1, values };
|
|
68
|
-
if (Object.keys(errors).length > 0) {
|
|
69
|
-
response.errors = errors;
|
|
70
|
-
}
|
|
71
|
-
process.stdout.write(JSON.stringify(response) + "\n");
|
|
72
|
-
}
|
|
73
|
-
function readStdin() {
|
|
74
|
-
return new Promise((resolve, reject) => {
|
|
75
|
-
const chunks = [];
|
|
76
|
-
process.stdin.on("data", (chunk) => chunks.push(chunk));
|
|
77
|
-
process.stdin.on("end", () => resolve(Buffer.concat(chunks).toString("utf-8")));
|
|
78
|
-
process.stdin.on("error", reject);
|
|
79
|
-
});
|
|
80
|
-
}
|
|
81
|
-
//# sourceMappingURL=resolve.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"resolve.js","sourceRoot":"","sources":["../../src/commands/resolve.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,KAAK,GAAG,MAAM,SAAS,EAAE,CAAC;IAEhC,IAAI,OAAqD,CAAC;IAC1D,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACvD,OAAO;IACT,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;IAC9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,aAAa,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QACtB,OAAO;IACT,CAAC;IAED,+CAA+C;IAC/C,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmC,CAAC;IAC3D,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE9C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAC1B,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;QACpC,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;IACzB,CAAC,CAAC,CACH,CAAC;IAEF,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,MAA4C,CAAC,CAAC;QAC3F,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YAC/C,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,CAAC,QAAQ,EAAE,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC7C,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC;YACxB,SAAS;QACX,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,EAAE,CAAC,GAAG,kBAAkB,CAAC;YAChC,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5B,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAC1C,MAAM,CAAC,EAAE,CAAC,GAAG,UAAU,KAAK,aAAa,CAAC;YAC1C,SAAS;QACX,CAAC;QACD,MAAM,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,aAAa,CAAC,MAA8B,EAAE,MAA8B;IACnF,MAAM,QAAQ,GAA4B,EAAE,eAAe,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC;IACzE,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;IAC3B,CAAC;IACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACxD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAChF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC"}
|