@reegaviljoen/eldlock 0.1.0

package/eldlock-cli/src/cli.ts

@@ -0,0 +1,490 @@
+import { spawn, spawnSync } from "node:child_process";
+import fs from "node:fs";
+import path from "node:path";
+import process from "node:process";
+import { fileURLToPath } from "node:url";
+import {
+  checkServerHealth,
+  cleanupPidFile,
+  defaultLogPath,
+  defaultPidPath,
+  defaultSocketPath,
+  defaultStateDir,
+  isNodeError,
+  isPidAlive,
+  printResponse,
+  readPid,
+  requestWithPINPrompt,
+  waitForHealth,
+  waitForStop,
+  type OutputMode,
+} from "./api.js";
+import { openTUI } from "./tui.js";
+
+export async function runCli(argv: string[]): Promise<void> {
+  const [command, ...args] = argv;
+
+  switch (command ?? "tui") {
+    case "version":
+      console.log("eldlock-cli dev");
+      return;
+    case "start":
+      await startServer();
+      return;
+    case "stop":
+      await stopServer();
+      return;
+    case "status":
+      await statusServer();
+      return;
+    case "init":
+      await initVault(args);
+      return;
+    case "tui":
+      await openTUI();
+      return;
+    case "secret":
+      await handleSecret(args);
+      return;
+    case "import":
+      await importEnvFile(args);
+      return;
+    case "exec":
+      await execProcess(args);
+      return;
+    case "shell":
+      await openShell(args);
+      return;
+    case "help":
+    default:
+      printHelp();
+  }
+}
+
+async function startServer(): Promise<void> {
+  const health = await checkServerHealth();
+  if (health.ok) {
+    console.log(`eldlock-server is already running at ${defaultSocketPath()}`);
+    return;
+  }
+
+  const serverPath = resolveServerPath();
+
+  fs.mkdirSync(defaultStateDir(), { recursive: true });
+  const logFd = fs.openSync(defaultLogPath(), "a");
+  const child = spawn(serverPath, ["serve"], {
+    cwd: process.cwd(),
+    detached: true,
+    env: {
+      ...process.env,
+      ELDLOCK_STATE_DIR: defaultStateDir(),
+      ELDLOCK_SOCKET: defaultSocketPath(),
+    },
+    stdio: ["ignore", logFd, logFd],
+  });
+
+  child.unref();
+  fs.closeSync(logFd);
+  fs.writeFileSync(defaultPidPath(), `${child.pid}\n`, { mode: 0o600 });
+
+  const started = await waitForHealth(5000);
+  if (!started.ok) {
+    throw new Error(`eldlock-server did not become ready; see ${defaultLogPath()}`);
+  }
+
+  console.log(`started eldlock-server pid ${child.pid}`);
+  console.log(`socket ${defaultSocketPath()}`);
+  console.log(`log ${defaultLogPath()}`);
+}
+
+async function initVault(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  if (values.length > 1) {
+    throw new Error("usage: eldlock init [name]");
+  }
+  const response = await requestWithPINPrompt({ action: "init", vault: values[0] ?? vault });
+  printResponse(response);
+}
+
+async function stopServer(): Promise<void> {
+  const pid = readPid();
+  const health = await checkServerHealth();
+
+  if (!pid) {
+    if (health.ok) {
+      throw new Error(`eldlock-server is running at ${defaultSocketPath()}, but no pid file exists at ${defaultPidPath()}`);
+    }
+    console.log("eldlock-server is not running");
+    return;
+  }
+
+  if (!isPidAlive(pid)) {
+    cleanupPidFile();
+    console.log(`removed stale pid file for pid ${pid}`);
+    return;
+  }
+
+  process.kill(-pid, "SIGTERM");
+  await waitForStop(pid, 5000);
+  cleanupPidFile();
+  console.log(`stopped eldlock-server pid ${pid}`);
+}
+
+async function statusServer(): Promise<void> {
+  const pid = readPid();
+  const health = await checkServerHealth();
+
+  if (health.ok) {
+    console.log("eldlock-server is running");
+  } else {
+    console.log("eldlock-server is not responding");
+  }
+  console.log(`state ${defaultStateDir()}`);
+  console.log(`socket ${defaultSocketPath()}`);
+  console.log(`pid ${pid ?? "none"}`);
+  console.log(`log ${defaultLogPath()}`);
+
+  if (pid && !isPidAlive(pid)) {
+    console.log("pid file is stale");
+  }
+}
+
+async function handleSecret(args: string[]): Promise<void> {
+  const [subcommand, ...rest] = args;
+  switch (subcommand) {
+    case "add":
+      await addSecret(rest);
+      return;
+    case "read":
+      await readSecret(rest);
+      return;
+    case "remove":
+      await removeSecret(rest);
+      return;
+    case "list":
+      await listSecrets(rest);
+      return;
+    default:
+      throw new Error("usage: eldlock secret add|read|remove|list");
+  }
+}
+
+async function addSecret(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  const [assignment, ...flags] = values;
+  if (!assignment) {
+    throw new Error("usage: eldlock secret add <key>=<value> [--vault <name>]");
+  }
+
+  if (flags.length > 0) {
+    throw new Error(`unknown flag: ${flags[0]}`);
+  }
+
+  const { key, value } = parseAssignment(assignment);
+
+  const response = await requestWithPINPrompt({
+    action: "secret.add",
+    vault,
+    type: "env",
+    name: key,
+    value,
+  });
+  printResponse(response);
+}
+
+async function readSecret(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  const [name, ...flags] = values;
+  if (!name) {
+    throw new Error("usage: eldlock secret read <key> [--plain] [--vault <name>]");
+  }
+
+  let output: OutputMode = "clipboard";
+  for (const flag of flags) {
+    if (flag === "--plain") {
+      output = "plain";
+    } else {
+      throw new Error(`unknown flag: ${flag}`);
+    }
+  }
+
+  const response = await requestWithPINPrompt({ action: "secret.read", vault, name, output });
+  printResponse(response);
+}
+
+async function removeSecret(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  const [name, ...flags] = values;
+  if (!name) {
+    throw new Error("usage: eldlock secret remove <key> [--vault <name>]");
+  }
+  if (flags.length > 0) {
+    throw new Error(`unknown flag: ${flags[0]}`);
+  }
+
+  const response = await requestWithPINPrompt({ action: "secret.remove", vault, name });
+  printResponse(response);
+}
+
+async function listSecrets(args: string[] = []): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  if (values.length > 0) {
+    throw new Error(`unknown argument: ${values[0]}`);
+  }
+  const response = await requestWithPINPrompt({ action: "secret.list", vault });
+  if (!response.ok) {
+    throw new Error(response.error ?? "request failed");
+  }
+  for (const secret of response.secrets ?? []) {
+    console.log(`${secret.type}\t${secret.name}`);
+  }
+}
+
+async function execProcess(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  const separator = values.indexOf("--");
+  const command = separator >= 0 ? values.slice(separator + 1) : values;
+  if (command.length === 0) {
+    throw new Error("usage: eldlock exec [--vault <name>] -- <command>");
+  }
+
+  const response = await requestWithPINPrompt({
+    action: "exec",
+    vault,
+    command,
+    shell: process.env.SHELL,
+    shell_command: command.join(" "),
+    cwd: process.cwd(),
+    env: currentEnv(),
+  });
+  if (!response.ok) {
+    throw new Error(response.error ?? "request failed");
+  }
+  if (response.stdout) {
+    process.stdout.write(response.stdout);
+  }
+  if (response.stderr) {
+    process.stderr.write(response.stderr);
+  }
+  process.exitCode = response.exit_code ?? 0;
+}
+
+async function openShell(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  if (values.length > 0) {
+    throw new Error(`unknown argument: ${values[0]}`);
+  }
+
+  const shell = process.env.SHELL || "/bin/sh";
+  const env = shellEnv(currentEnv(), vault);
+  console.error("eldlock: unlocking vault; use your YubiKey/fingerprint if prompted.");
+  const response = await requestWithPINPrompt({
+    action: "exec",
+    vault,
+    interactive: true,
+  });
+  if (!response.ok) {
+    throw new Error(response.error ?? "request failed");
+  }
+
+  const vaultName = vault && vault.trim() ? vault.trim() : "default";
+  console.error(`eldlock: unlocked vault "${vaultName}"; starting shell. Type exit to leave.`);
+  const shellCommand = interactiveShellCommand(shell);
+  const result = spawnSync(shellCommand[0], shellCommand.slice(1), {
+    cwd: process.cwd(),
+    env: {
+      ...env,
+      ...(response.env ?? {}),
+    },
+    stdio: "inherit",
+  });
+  if (typeof result.status === "number") {
+    process.exitCode = result.status;
+    return;
+  }
+  if (result.error) {
+    throw result.error;
+  }
+  process.exitCode = 1;
+}
+
+async function importEnvFile(args: string[]): Promise<void> {
+  const { values, vault } = parseVaultFlag(args);
+  const [sourcePath = ".env", ...flags] = values;
+  if (flags.length > 0) {
+    throw new Error(`unknown argument: ${flags[0]}`);
+  }
+
+  const response = await requestWithPINPrompt({
+    action: "secret.import_env",
+    vault,
+    source_path: sourcePath,
+    cwd: process.cwd(),
+  });
+  printResponse(response);
+}
+
+function parseAssignment(assignment: string): { key: string; value: string } {
+  const equalsIndex = assignment.indexOf("=");
+  if (equalsIndex <= 0) {
+    throw new Error("usage: eldlock secret add <key>=<value>");
+  }
+  const key = assignment.slice(0, equalsIndex).trim();
+  const value = assignment.slice(equalsIndex + 1);
+  if (!key) {
+    throw new Error("secret key is required");
+  }
+  if (!value) {
+    throw new Error("secret value is required");
+  }
+  return { key, value };
+}
+
+function parseVaultFlag(args: string[]): { values: string[]; vault?: string } {
+  const values: string[] = [];
+  let vault: string | undefined;
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "--vault") {
+      const next = args[index + 1];
+      if (next === undefined || next.startsWith("--")) {
+        vault = "";
+        continue;
+      }
+      vault = next;
+      index += 1;
+      continue;
+    }
+    if (arg.startsWith("--vault=")) {
+      vault = arg.slice("--vault=".length);
+      continue;
+    }
+    values.push(arg);
+  }
+
+  return { values, vault };
+}
+
+function currentEnv(): Record<string, string> {
+  const env: Record<string, string> = {};
+  for (const [key, value] of Object.entries(process.env)) {
+    if (value !== undefined) {
+      env[key] = value;
+    }
+  }
+  return env;
+}
+
+function shellEnv(env: Record<string, string>, vault?: string): Record<string, string> {
+  const vaultName = vault && vault.trim() ? vault.trim() : "default";
+  const marker = `(eldlock:${vaultName}) `;
+  return {
+    ...env,
+    ELDLOCK_SHELL: "1",
+    ELDLOCK_VAULT: vaultName,
+    PS1: `${marker}${env.PS1 ?? "\\$ "}`,
+    PROMPT: `${marker}${env.PROMPT ?? "%# "}`,
+  };
+}
+
+function interactiveShellCommand(shell: string): string[] {
+  const name = path.basename(shell);
+  switch (name) {
+    case "bash":
+      return [shell, "--noprofile", "--norc", "-i"];
+    case "zsh":
+      return [shell, "-f", "-i"];
+    case "fish":
+      return [shell, "--no-config", "--interactive"];
+    default:
+      return [shell, "-i"];
+  }
+}
+
+function resolveServerPath(): string {
+  const configured = process.env.ELDLOCK_SERVER_PATH;
+  if (configured) {
+    if (!isExecutableFile(configured)) {
+      throw new Error(`ELDLOCK_SERVER_PATH points to a missing or non-executable file: ${configured}`);
+    }
+    return configured;
+  }
+
+  const pathMatch = findExecutableOnPath("eldlock-server");
+  if (pathMatch) {
+    return pathMatch;
+  }
+
+  const localMatch = localServerCandidates().find(isExecutableFile);
+  if (localMatch) {
+    return localMatch;
+  }
+
+  throw new Error("could not find eldlock-server; set ELDLOCK_SERVER_PATH to the eldlock-server binary");
+}
+
+function localServerCandidates(): string[] {
+  const thisFile = fileURLToPath(import.meta.url);
+  const thisDir = path.dirname(thisFile);
+  return [
+    path.join(process.cwd(), "eldlock-server", "bin", "eldlock-server-dev"),
+    path.join(process.cwd(), "../eldlock-server", "bin", "eldlock-server-dev"),
+    path.join(thisDir, "../../eldlock-server", "bin", "eldlock-server-dev"),
+    path.join(thisDir, "../eldlock-server"),
+  ];
+}
+
+function findExecutableOnPath(name: string): string | undefined {
+  const pathEnv = process.env.PATH ?? "";
+  for (const dir of pathEnv.split(path.delimiter)) {
+    if (!dir) {
+      continue;
+    }
+    const candidate = path.join(dir, name);
+    if (isExecutableFile(candidate)) {
+      return candidate;
+    }
+  }
+  return undefined;
+}
+
+function isExecutableFile(candidate: string): boolean {
+  try {
+    fs.accessSync(candidate, fs.constants.X_OK);
+    return fs.statSync(candidate).isFile();
+  } catch (error) {
+    if (isNodeError(error)) {
+      return false;
+    }
+    return false;
+  }
+}
+
+function printHelp(): void {
+  console.log(`Eldlock CLI
+
+Usage:
+  eldlock
+  eldlock version
+  eldlock start
+  eldlock stop
+  eldlock status
+  eldlock init [name]
+  eldlock secret add <key>=<value> [--vault <name>]
+  eldlock secret read <key> [--vault <name>]
+  eldlock secret read <key> --plain [--vault <name>]
+  eldlock secret remove <key> [--vault <name>]
+  eldlock secret list [--vault <name>]
+  eldlock import [path-to-.env] [--vault <name>]
+  eldlock exec [--vault <name>] -- <command>
+  eldlock shell [--vault <name>]
+
+Running eldlock without a command opens the TUI.
+start runs the local daemon in the background. Set ELDLOCK_SERVER_PATH to choose the server binary.
+init without a name uses the default vault.
+exec launches the command from eldlock-server through your current shell with env secrets injected.
+shell unlocks the vault through eldlock-server, then opens your current shell locally with env secrets injected.
+By default, read copies to the clipboard. --plain writes the value to stdout.
+This CLI is a frontend only. Vault initialization, secret storage, release behavior, and clipboard writes happen in eldlock-server.`);
+}

package/eldlock-cli/src/main.ts

@@ -0,0 +1,10 @@
+#!/usr/bin/env node
+
+import process from "node:process";
+import { runCli } from "./cli.js";
+
+runCli(process.argv.slice(2)).catch((error: unknown) => {
+  const message = error instanceof Error ? error.message : String(error);
+  console.error(`eldlock: ${message}`);
+  process.exit(1);
+});