@zincapp/zn-vault-agent 1.3.0

package/deploy/systemd/zn-vault-agent.service

@@ -0,0 +1,75 @@
+[Unit]
+Description=ZN-Vault Certificate Agent
+Documentation=https://github.com/zincapp/zn-vault
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=zn-vault-agent
+Group=zn-vault-agent
+
+# Working directory
+WorkingDirectory=/var/lib/zn-vault-agent
+
+# Main executable
+ExecStart=/usr/local/bin/zn-vault-agent start --health-port 9100
+
+# Restart policy
+Restart=always
+RestartSec=5
+StartLimitInterval=60
+StartLimitBurst=5
+
+# Environment
+EnvironmentFile=/etc/zn-vault-agent/agent.env
+EnvironmentFile=-/etc/zn-vault-agent/secrets.env
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=zn-vault-agent
+
+# Shutdown
+TimeoutStopSec=30
+KillMode=mixed
+KillSignal=SIGTERM
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+
+# Allow writing certificates and logs
+ReadWritePaths=/etc/ssl/znvault
+ReadWritePaths=/var/lib/zn-vault-agent
+ReadWritePaths=/var/log/zn-vault-agent
+
+# Network access
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# System call filter
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+# Capabilities
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Resource limits
+MemoryHigh=256M
+MemoryMax=512M
+LimitNOFILE=4096
+
+[Install]
+WantedBy=multi-user.target

package/dist/commands/certs.d.ts

@@ -0,0 +1,3 @@
+import { Command } from 'commander';
+export declare function registerCertsCommands(program: Command): void;
+//# sourceMappingURL=certs.d.ts.map

package/dist/commands/certs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certs.d.ts","sourceRoot":"","sources":["../../src/commands/certs.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAcpC,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAsY5D"}

package/dist/commands/certs.js

@@ -0,0 +1,369 @@
+import inquirer from 'inquirer';
+import ora from 'ora';
+import chalk from 'chalk';
+import { addTarget, removeTarget, getTargets, isConfigured, } from '../lib/config.js';
+import { listCertificates, getCertificate } from '../lib/api.js';
+export function registerCertsCommands(program) {
+    // List available certificates in vault
+    program
+        .command('available')
+        .description('List certificates available in vault')
+        .option('--json', 'Output as JSON')
+        .addHelpText('after', `
+Examples:
+  zn-vault-agent available         # Human-readable list with status
+  zn-vault-agent available --json  # JSON output for scripting
+`)
+        .action(async (options) => {
+        if (!isConfigured()) {
+            console.error(chalk.red('Not configured. Run: zn-vault-agent login'));
+            process.exit(1);
+        }
+        const spinner = ora('Fetching certificates...').start();
+        try {
+            const result = await listCertificates();
+            spinner.stop();
+            if (options.json) {
+                console.log(JSON.stringify(result.items, null, 2));
+                return;
+            }
+            if (result.items.length === 0) {
+                console.log('No certificates found in vault');
+                return;
+            }
+            console.log();
+            console.log(chalk.bold('Available Certificates'));
+            console.log();
+            const targets = getTargets();
+            const configuredIds = new Set(targets.map(t => t.certId));
+            for (const cert of result.items) {
+                const configured = configuredIds.has(cert.id);
+                const status = configured ? chalk.green('✓ configured') : chalk.gray('not configured');
+                const expiry = cert.daysUntilExpiry < 30
+                    ? chalk.yellow(`${cert.daysUntilExpiry}d`)
+                    : `${cert.daysUntilExpiry}d`;
+                console.log(`  ${cert.id.substring(0, 8)}  ${cert.alias.padEnd(25)} ${status}`);
+                console.log(`            ${chalk.gray(cert.subjectCn)} (expires: ${expiry})`);
+                console.log();
+            }
+            console.log(`Total: ${result.total} certificate(s)`);
+        }
+        catch (err) {
+            spinner.fail('Failed to fetch certificates');
+            console.error(chalk.red('Error:'), err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+    // Add a certificate target
+    program
+        .command('add')
+        .description('Add a certificate to sync')
+        .option('-c, --cert <id>', 'Certificate ID')
+        .option('-n, --name <name>', 'Local name for this certificate')
+        .option('--combined <path>', 'Path for combined cert+key file (HAProxy)')
+        .option('--cert-file <path>', 'Path for certificate file')
+        .option('--key-file <path>', 'Path for private key file')
+        .option('--chain-file <path>', 'Path for CA chain file')
+        .option('--fullchain-file <path>', 'Path for fullchain file')
+        .option('--owner <user:group>', 'File ownership (e.g., haproxy:haproxy)')
+        .option('--mode <mode>', 'File permissions (e.g., 0640)')
+        .option('--reload-cmd <cmd>', 'Command to reload service')
+        .option('--health-cmd <cmd>', 'Health check command after reload')
+        .addHelpText('after', `
+Examples:
+  # Interactive mode (prompts for all options)
+  zn-vault-agent add
+
+  # HAProxy: combined cert+key file
+  zn-vault-agent add --cert $CERT_ID \\
+    --name haproxy-frontend \\
+    --combined /etc/haproxy/certs/frontend.pem \\
+    --owner haproxy:haproxy --mode 0640 \\
+    --reload-cmd "systemctl reload haproxy"
+
+  # Nginx: separate fullchain and key files
+  zn-vault-agent add --cert $CERT_ID \\
+    --name nginx-api \\
+    --fullchain-file /etc/nginx/ssl/api-fullchain.pem \\
+    --key-file /etc/nginx/ssl/api.key \\
+    --reload-cmd "nginx -t && systemctl reload nginx"
+
+  # With health check
+  zn-vault-agent add --cert $CERT_ID \\
+    --name app-server \\
+    --combined /etc/ssl/app.pem \\
+    --reload-cmd "systemctl restart app" \\
+    --health-cmd "curl -sf http://localhost:8080/health"
+`)
+        .action(async (options) => {
+        if (!isConfigured()) {
+            console.error(chalk.red('Not configured. Run: zn-vault-agent login'));
+            process.exit(1);
+        }
+        // If cert ID not provided, show selection
+        let certId = options.cert;
+        let certAlias = '';
+        if (!certId) {
+            const spinner = ora('Fetching certificates...').start();
+            const result = await listCertificates();
+            spinner.stop();
+            if (result.items.length === 0) {
+                console.log('No certificates found in vault');
+                process.exit(1);
+            }
+            const { selectedCert } = await inquirer.prompt([
+                {
+                    type: 'list',
+                    name: 'selectedCert',
+                    message: 'Select certificate to add:',
+                    choices: result.items.map(c => ({
+                        name: `${c.alias} (${c.subjectCn}) - expires in ${c.daysUntilExpiry}d`,
+                        value: c.id,
+                    })),
+                },
+            ]);
+            certId = selectedCert;
+            certAlias = result.items.find(c => c.id === certId)?.alias || '';
+        }
+        // Get certificate details
+        const spinner = ora('Fetching certificate details...').start();
+        const cert = await getCertificate(certId);
+        spinner.stop();
+        console.log();
+        console.log(chalk.bold('Certificate:'), cert.alias);
+        console.log(chalk.gray(`Subject: ${cert.subjectCn}`));
+        console.log(chalk.gray(`Expires: ${cert.daysUntilExpiry} days`));
+        console.log();
+        // Gather output configuration
+        const answers = await inquirer.prompt([
+            {
+                type: 'input',
+                name: 'name',
+                message: 'Local name for this target:',
+                default: options.name || cert.alias.replace(/[^a-zA-Z0-9-_]/g, '-'),
+            },
+            {
+                type: 'list',
+                name: 'outputFormat',
+                message: 'Output format:',
+                choices: [
+                    { name: 'Combined (cert+key in one file) - for HAProxy', value: 'combined' },
+                    { name: 'Separate files (cert, key, chain)', value: 'separate' },
+                    { name: 'Custom', value: 'custom' },
+                ],
+            },
+            {
+                type: 'input',
+                name: 'combined',
+                message: 'Combined file path:',
+                when: (ans) => ans.outputFormat === 'combined',
+                default: options.combined || `/etc/ssl/${cert.alias}.pem`,
+            },
+            {
+                type: 'input',
+                name: 'certFile',
+                message: 'Certificate file path:',
+                when: (ans) => ans.outputFormat === 'separate',
+                default: options.certFile || `/etc/ssl/certs/${cert.alias}.crt`,
+            },
+            {
+                type: 'input',
+                name: 'keyFile',
+                message: 'Private key file path:',
+                when: (ans) => ans.outputFormat === 'separate',
+                default: options.keyFile || `/etc/ssl/private/${cert.alias}.key`,
+            },
+            {
+                type: 'input',
+                name: 'chainFile',
+                message: 'CA chain file path (optional):',
+                when: (ans) => ans.outputFormat === 'separate',
+                default: options.chainFile || '',
+            },
+            {
+                type: 'input',
+                name: 'owner',
+                message: 'File ownership (user:group):',
+                default: options.owner || 'root:root',
+            },
+            {
+                type: 'input',
+                name: 'mode',
+                message: 'File permissions:',
+                default: options.mode || '0640',
+            },
+            {
+                type: 'input',
+                name: 'reloadCmd',
+                message: 'Reload command (run after cert update):',
+                default: options.reloadCmd || 'systemctl reload haproxy',
+            },
+            {
+                type: 'input',
+                name: 'healthCmd',
+                message: 'Health check command (optional):',
+                default: options.healthCmd || '',
+            },
+        ]);
+        // Build target configuration
+        const target = {
+            certId,
+            name: answers.name,
+            outputs: {},
+            owner: answers.owner,
+            mode: answers.mode,
+            reloadCmd: answers.reloadCmd || undefined,
+            healthCheckCmd: answers.healthCmd || undefined,
+        };
+        if (answers.outputFormat === 'combined' || options.combined) {
+            target.outputs.combined = answers.combined || options.combined;
+        }
+        if (answers.certFile || options.certFile) {
+            target.outputs.cert = answers.certFile || options.certFile;
+        }
+        if (answers.keyFile || options.keyFile) {
+            target.outputs.key = answers.keyFile || options.keyFile;
+        }
+        if (answers.chainFile || options.chainFile) {
+            target.outputs.chain = answers.chainFile || options.chainFile;
+        }
+        if (options.fullchainFile) {
+            target.outputs.fullchain = options.fullchainFile;
+        }
+        // Handle custom output
+        if (answers.outputFormat === 'custom') {
+            const customAnswers = await inquirer.prompt([
+                {
+                    type: 'input',
+                    name: 'combined',
+                    message: 'Combined file path (leave empty to skip):',
+                    default: options.combined || '',
+                },
+                {
+                    type: 'input',
+                    name: 'cert',
+                    message: 'Certificate file path (leave empty to skip):',
+                    default: options.certFile || '',
+                },
+                {
+                    type: 'input',
+                    name: 'key',
+                    message: 'Private key file path (leave empty to skip):',
+                    default: options.keyFile || '',
+                },
+                {
+                    type: 'input',
+                    name: 'chain',
+                    message: 'CA chain file path (leave empty to skip):',
+                    default: options.chainFile || '',
+                },
+                {
+                    type: 'input',
+                    name: 'fullchain',
+                    message: 'Fullchain file path (leave empty to skip):',
+                    default: options.fullchainFile || '',
+                },
+            ]);
+            if (customAnswers.combined)
+                target.outputs.combined = customAnswers.combined;
+            if (customAnswers.cert)
+                target.outputs.cert = customAnswers.cert;
+            if (customAnswers.key)
+                target.outputs.key = customAnswers.key;
+            if (customAnswers.chain)
+                target.outputs.chain = customAnswers.chain;
+            if (customAnswers.fullchain)
+                target.outputs.fullchain = customAnswers.fullchain;
+        }
+        // Save target
+        addTarget(target);
+        console.log();
+        console.log(chalk.green('✓') + ` Certificate target "${answers.name}" added`);
+        console.log();
+        console.log('Output files:');
+        for (const [type, path] of Object.entries(target.outputs)) {
+            if (path)
+                console.log(`  ${type}: ${path}`);
+        }
+        console.log();
+        console.log('Run ' + chalk.cyan('zn-vault-agent sync') + ' to deploy now');
+    });
+    // List configured targets
+    program
+        .command('list')
+        .description('List configured certificate targets')
+        .option('--json', 'Output as JSON')
+        .addHelpText('after', `
+Examples:
+  zn-vault-agent list         # Human-readable list
+  zn-vault-agent list --json  # JSON output for scripting
+`)
+        .action(async (options) => {
+        const targets = getTargets();
+        if (options.json) {
+            console.log(JSON.stringify(targets, null, 2));
+            return;
+        }
+        if (targets.length === 0) {
+            console.log('No certificate targets configured.');
+            console.log('Run ' + chalk.cyan('zn-vault-agent add') + ' to add one.');
+            return;
+        }
+        console.log();
+        console.log(chalk.bold('Configured Certificate Targets'));
+        console.log();
+        for (const target of targets) {
+            const syncStatus = target.lastSync
+                ? chalk.green(`synced ${new Date(target.lastSync).toLocaleString()}`)
+                : chalk.yellow('not synced');
+            console.log(`  ${chalk.bold(target.name)}`);
+            console.log(`    Certificate: ${target.certId.substring(0, 8)}...`);
+            console.log(`    Status: ${syncStatus}`);
+            console.log(`    Outputs:`);
+            for (const [type, path] of Object.entries(target.outputs)) {
+                if (path)
+                    console.log(`      ${type}: ${path}`);
+            }
+            if (target.reloadCmd) {
+                console.log(`    Reload: ${target.reloadCmd}`);
+            }
+            console.log();
+        }
+        console.log(`Total: ${targets.length} target(s)`);
+    });
+    // Remove a target
+    program
+        .command('remove <name>')
+        .description('Remove a certificate target')
+        .option('-f, --force', 'Skip confirmation')
+        .addHelpText('after', `
+Examples:
+  zn-vault-agent remove haproxy-frontend          # Interactive confirmation
+  zn-vault-agent remove haproxy-frontend --force  # Skip confirmation
+`)
+        .action(async (name, options) => {
+        const targets = getTargets();
+        const target = targets.find(t => t.name === name || t.certId === name);
+        if (!target) {
+            console.error(chalk.red(`Target "${name}" not found`));
+            process.exit(1);
+        }
+        if (!options.force) {
+            const { confirm } = await inquirer.prompt([
+                {
+                    type: 'confirm',
+                    name: 'confirm',
+                    message: `Remove target "${target.name}"?`,
+                    default: false,
+                },
+            ]);
+            if (!confirm) {
+                console.log('Cancelled');
+                return;
+            }
+        }
+        removeTarget(name);
+        console.log(chalk.green('✓') + ` Target "${target.name}" removed`);
+    });
+}
+//# sourceMappingURL=certs.js.map

package/dist/commands/certs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certs.js","sourceRoot":"","sources":["../../src/commands/certs.ts"],"names":[],"mappings":"AACA,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAEL,SAAS,EACT,YAAY,EACZ,UAAU,EACV,YAAY,GAEb,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEjE,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,uCAAuC;IACvC,OAAO;SACJ,OAAO,CAAC,WAAW,CAAC;SACpB,WAAW,CAAC,sCAAsC,CAAC;SACnD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,WAAW,CAAC,OAAO,EAAE;;;;CAIzB,CAAC;SACG,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,0BAA0B,CAAC,CAAC,KAAK,EAAE,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBACnD,OAAO;YACT,CAAC;YAED,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;gBAC9C,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,EAAE,CAAC;YAEd,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;YAE1D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC9C,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;gBACvF,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,GAAG,EAAE;oBACtC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,eAAe,GAAG,CAAC;oBAC1C,CAAC,CAAC,GAAG,IAAI,CAAC,eAAe,GAAG,CAAC;gBAE/B,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,EAAE,CAAC,CAAC;gBAChF,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,MAAM,GAAG,CAAC,CAAC;gBAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,KAAK,iBAAiB,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YAC7C,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YACrF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,2BAA2B;IAC3B,OAAO;SACJ,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,2BAA2B,CAAC;SACxC,MAAM,CAAC,iBAAiB,EAAE,gBAAgB,CAAC;SAC3C,MAAM,CAAC,mBAAmB,EAAE,iCAAiC,CAAC;SAC9D,MAAM,CAAC,mBAAmB,EAAE,2CAA2C,CAAC;SACxE,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,CAAC;SACzD,MAAM,CAAC,mBAAmB,EAAE,2BAA2B,CAAC;SACxD,MAAM,CAAC,qBAAqB,EAAE,wBAAwB,CAAC;SACvD,MAAM,CAAC,yBAAyB,EAAE,yBAAyB,CAAC;SAC5D,MAAM,CAAC,sBAAsB,EAAE,wCAAwC,CAAC;SACxE,MAAM,CAAC,eAAe,EAAE,+BAA+B,CAAC;SACxD,MAAM,CAAC,oBAAoB,EAAE,2BAA2B,CAAC;SACzD,MAAM,CAAC,oBAAoB,EAAE,mCAAmC,CAAC;SACjE,WAAW,CAAC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;CAyBzB,CAAC;SACG,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,IAAI,CAAC,YAAY,EAAE,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,0CAA0C;QAC1C,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1B,IAAI,SAAS,GAAG,EAAE,CAAC;QAEnB,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,GAAG,CAAC,0BAA0B,CAAC,CAAC,KAAK,EAAE,CAAC;YACxD,MAAM,MAAM,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;gBAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;gBAC7C;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,4BAA4B;oBACrC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;wBAC9B,IAAI,EAAE,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,SAAS,kBAAkB,CAAC,CAAC,eAAe,GAAG;wBACtE,KAAK,EAAE,CAAC,CAAC,EAAE;qBACZ,CAAC,CAAC;iBACJ;aACF,CAAC,CAAC;YAEH,MAAM,GAAG,YAAY,CAAC;YACtB,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QACnE,CAAC;QAED,0BAA0B;QAC1B,MAAM,OAAO,GAAG,GAAG,CAAC,iCAAiC,CAAC,CAAC,KAAK,EAAE,CAAC;QAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;QAC1C,OAAO,CAAC,IAAI,EAAE,CAAC;QAEf,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QACtD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,eAAe,OAAO,CAAC,CAAC,CAAC;QACjE,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,8BAA8B;QAC9B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;YACpC;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,6BAA6B;gBACtC,OAAO,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,iBAAiB,EAAE,GAAG,CAAC;aACpE;YACD;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,cAAc;gBACpB,OAAO,EAAE,gBAAgB;gBACzB,OAAO,EAAE;oBACP,EAAE,IAAI,EAAE,+CAA+C,EAAE,KAAK,EAAE,UAAU,EAAE;oBAC5E,EAAE,IAAI,EAAE,mCAAmC,EAAE,KAAK,EAAE,UAAU,EAAE;oBAChE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE;iBACpC;aACF;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,qBAAqB;gBAC9B,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,KAAK,UAAU;gBAC9C,OAAO,EAAE,OAAO,CAAC,QAAQ,IAAI,YAAY,IAAI,CAAC,KAAK,MAAM;aAC1D;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,wBAAwB;gBACjC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,KAAK,UAAU;gBAC9C,OAAO,EAAE,OAAO,CAAC,QAAQ,IAAI,kBAAkB,IAAI,CAAC,KAAK,MAAM;aAChE;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,wBAAwB;gBACjC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,KAAK,UAAU;gBAC9C,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,oBAAoB,IAAI,CAAC,KAAK,MAAM;aACjE;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,gCAAgC;gBACzC,IAAI,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,YAAY,KAAK,UAAU;gBAC9C,OAAO,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;aACjC;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE,8BAA8B;gBACvC,OAAO,EAAE,OAAO,CAAC,KAAK,IAAI,WAAW;aACtC;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,MAAM;gBACZ,OAAO,EAAE,mBAAmB;gBAC5B,OAAO,EAAE,OAAO,CAAC,IAAI,IAAI,MAAM;aAChC;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,yCAAyC;gBAClD,OAAO,EAAE,OAAO,CAAC,SAAS,IAAI,0BAA0B;aACzD;YACD;gBACE,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,kCAAkC;gBAC3C,OAAO,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;aACjC;SACF,CAAC,CAAC;QAEH,6BAA6B;QAC7B,MAAM,MAAM,GAAe;YACzB,MAAM;YACN,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,EAAE;YACX,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,SAAS;YACzC,cAAc,EAAE,OAAO,CAAC,SAAS,IAAI,SAAS;SAC/C,CAAC;QAEF,IAAI,OAAO,CAAC,YAAY,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC5D,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QACjE,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACzC,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QAC7D,CAAC;QACD,IAAI,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACvC,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC;QAC1D,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YAC3C,MAAM,CAAC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC;QAChE,CAAC;QACD,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC;QACnD,CAAC;QAED,uBAAuB;QACvB,IAAI,OAAO,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;gBAC1C;oBACE,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,UAAU;oBAChB,OAAO,EAAE,2CAA2C;oBACpD,OAAO,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;iBAChC;gBACD;oBACE,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,MAAM;oBACZ,OAAO,EAAE,8CAA8C;oBACvD,OAAO,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;iBAChC;gBACD;oBACE,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,KAAK;oBACX,OAAO,EAAE,8CAA8C;oBACvD,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE;iBAC/B;gBACD;oBACE,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,OAAO;oBACb,OAAO,EAAE,2CAA2C;oBACpD,OAAO,EAAE,OAAO,CAAC,SAAS,IAAI,EAAE;iBACjC;gBACD;oBACE,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,4CAA4C;oBACrD,OAAO,EAAE,OAAO,CAAC,aAAa,IAAI,EAAE;iBACrC;aACF,CAAC,CAAC;YAEH,IAAI,aAAa,CAAC,QAAQ;gBAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC;YAC7E,IAAI,aAAa,CAAC,IAAI;gBAAE,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC;YACjE,IAAI,aAAa,CAAC,GAAG;gBAAE,MAAM,CAAC,OAAO,CAAC,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC;YAC9D,IAAI,aAAa,CAAC,KAAK;gBAAE,MAAM,CAAC,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC;YACpE,IAAI,aAAa,CAAC,SAAS;gBAAE,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC;QAClF,CAAC;QAED,cAAc;QACd,SAAS,CAAC,MAAM,CAAC,CAAC;QAElB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,wBAAwB,OAAO,CAAC,IAAI,SAAS,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1D,IAAI,IAAI;gBAAE,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,KAAK,IAAI,EAAE,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,GAAG,gBAAgB,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEL,0BAA0B;IAC1B,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,qCAAqC,CAAC;SAClD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,WAAW,CAAC,OAAO,EAAE;;;;CAIzB,CAAC;SACG,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACxB,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;QAE7B,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,GAAG,cAAc,CAAC,CAAC;YACxE,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ;gBAChC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,cAAc,EAAE,EAAE,CAAC;gBACrE,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;YAE/B,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACpE,OAAO,CAAC,GAAG,CAAC,eAAe,UAAU,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1D,IAAI,IAAI;oBAAE,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,KAAK,IAAI,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,UAAU,OAAO,CAAC,MAAM,YAAY,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEL,kBAAkB;IAClB,OAAO;SACJ,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,6BAA6B,CAAC;SAC1C,MAAM,CAAC,aAAa,EAAE,mBAAmB,CAAC;SAC1C,WAAW,CAAC,OAAO,EAAE;;;;CAIzB,CAAC;SACG,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;QAEvE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,IAAI,aAAa,CAAC,CAAC,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACnB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;gBACxC;oBACE,IAAI,EAAE,SAAS;oBACf,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,kBAAkB,MAAM,CAAC,IAAI,IAAI;oBAC1C,OAAO,EAAE,KAAK;iBACf;aACF,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBACzB,OAAO;YACT,CAAC;QACH,CAAC;QAED,YAAY,CAAC,IAAI,CAAC,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,YAAY,MAAM,CAAC,IAAI,WAAW,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/exec.d.ts

@@ -0,0 +1,3 @@
+import { Command } from 'commander';
+export declare function registerExecCommand(program: Command): void;
+//# sourceMappingURL=exec.d.ts.map

package/dist/commands/exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../src/commands/exec.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAoGpC,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAoH1D"}

package/dist/commands/exec.js

@@ -0,0 +1,193 @@
+// Path: src/commands/exec.ts
+// Exec mode - run a command with secrets as environment variables
+import chalk from 'chalk';
+import { spawn } from 'node:child_process';
+import { isConfigured } from '../lib/config.js';
+import { getSecret } from '../lib/api.js';
+/**
+ * Parse secret mapping from CLI argument
+ * Formats:
+ *   ENV_VAR=alias:secret/path           -> entire secret as JSON
+ *   ENV_VAR=alias:secret/path.key       -> specific key from secret
+ *   ENV_VAR=uuid                        -> entire secret as JSON
+ *   ENV_VAR=uuid.key                    -> specific key from secret
+ */
+function parseSecretMapping(mapping) {
+    const eqIndex = mapping.indexOf('=');
+    if (eqIndex === -1) {
+        throw new Error(`Invalid mapping format: ${mapping}. Expected: ENV_VAR=secret-id[.key]`);
+    }
+    const envVar = mapping.substring(0, eqIndex);
+    let secretPath = mapping.substring(eqIndex + 1);
+    if (!envVar || !secretPath) {
+        throw new Error(`Invalid mapping format: ${mapping}. Expected: ENV_VAR=secret-id[.key]`);
+    }
+    // Check if there's a key after the secret ID
+    // For alias format: alias:path/to/secret.key
+    // For UUID format: uuid.key
+    let key;
+    if (secretPath.startsWith('alias:')) {
+        // Handle alias:path/to/secret.key
+        const lastDotIndex = secretPath.lastIndexOf('.');
+        if (lastDotIndex > secretPath.indexOf(':') + 1) {
+            // There's a dot after the alias prefix
+            const potentialKey = secretPath.substring(lastDotIndex + 1);
+            // Check if this looks like a key (not a file extension or path segment)
+            if (potentialKey && !potentialKey.includes('/')) {
+                key = potentialKey;
+                secretPath = secretPath.substring(0, lastDotIndex);
+            }
+        }
+    }
+    else {
+        // Handle uuid.key or uuid
+        const dotIndex = secretPath.indexOf('.');
+        if (dotIndex !== -1) {
+            key = secretPath.substring(dotIndex + 1);
+            secretPath = secretPath.substring(0, dotIndex);
+        }
+    }
+    return {
+        envVar,
+        secretId: secretPath,
+        key,
+    };
+}
+/**
+ * Fetch secrets and build environment variables
+ */
+async function buildSecretEnv(mappings) {
+    const env = {};
+    // Group by secretId to minimize API calls
+    const secretCache = new Map();
+    for (const mapping of mappings) {
+        let data = secretCache.get(mapping.secretId);
+        if (!data) {
+            const secret = await getSecret(mapping.secretId);
+            data = secret.data;
+            secretCache.set(mapping.secretId, data);
+        }
+        if (mapping.key) {
+            // Get specific key
+            const value = data[mapping.key];
+            if (value === undefined) {
+                throw new Error(`Key "${mapping.key}" not found in secret "${mapping.secretId}"`);
+            }
+            env[mapping.envVar] = typeof value === 'string' ? value : JSON.stringify(value);
+        }
+        else {
+            // Get entire secret as JSON
+            env[mapping.envVar] = JSON.stringify(data);
+        }
+    }
+    return env;
+}
+export function registerExecCommand(program) {
+    program
+        .command('exec')
+        .description('Run a command with secrets as environment variables')
+        .option('-s, --secret <mapping>', 'Secret mapping (ENV_VAR=secret-id[.key])', (val, acc) => {
+        acc.push(val);
+        return acc;
+    }, [])
+        .option('-o, --output <path>', 'Write secrets to env file instead of running command')
+        .option('--inherit', 'Inherit current environment variables (default: true)', true)
+        .option('--no-inherit', 'Do not inherit current environment variables')
+        .argument('[command...]', 'Command to execute')
+        .addHelpText('after', `
+Examples:
+  # Run node with database password
+  zn-vault-agent exec -s DB_PASSWORD=alias:db/prod.password -- node server.js
+
+  # Multiple secrets
+  zn-vault-agent exec \\
+    -s DB_HOST=alias:db/prod.host \\
+    -s DB_PASSWORD=alias:db/prod.password \\
+    -s API_KEY=alias:api/key.value \\
+    -- ./start.sh
+
+  # Export to env file
+  zn-vault-agent exec \\
+    -s DB_PASSWORD=alias:db/prod.password \\
+    --output /tmp/secrets.env
+
+  # Get entire secret as JSON
+  zn-vault-agent exec -s CONFIG=alias:app/config -- node app.js
+`)
+        .action(async (command, options) => {
+        if (!isConfigured()) {
+            console.error(chalk.red('Not configured. Run: zn-vault-agent login'));
+            process.exit(1);
+        }
+        if (options.secret.length === 0) {
+            console.error(chalk.red('At least one --secret mapping is required'));
+            process.exit(1);
+        }
+        // Parse mappings
+        let mappings;
+        try {
+            mappings = options.secret.map(parseSecretMapping);
+        }
+        catch (err) {
+            console.error(chalk.red('Error:'), err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+        // Fetch secrets
+        let secretEnv;
+        try {
+            secretEnv = await buildSecretEnv(mappings);
+        }
+        catch (err) {
+            console.error(chalk.red('Failed to fetch secrets:'), err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+        // If --output specified, write to file and exit
+        if (options.output) {
+            const fs = await import('node:fs');
+            const content = Object.entries(secretEnv)
+                .map(([k, v]) => `${k}="${v.replace(/"/g, '\\"')}"`)
+                .join('\n') + '\n';
+            fs.writeFileSync(options.output, content, { mode: 0o600 });
+            console.log(chalk.green('✓') + ` Secrets written to ${options.output}`);
+            return;
+        }
+        // Must have a command to run
+        if (command.length === 0) {
+            console.error(chalk.red('No command specified. Provide a command after --'));
+            console.error('Example: zn-vault-agent exec -s VAR=secret -- ./my-command');
+            process.exit(1);
+        }
+        // Build environment
+        const env = options.inherit
+            ? { ...process.env, ...secretEnv }
+            : secretEnv;
+        // Run the command
+        const [cmd, ...args] = command;
+        const child = spawn(cmd, args, {
+            env,
+            stdio: 'inherit',
+            shell: process.platform === 'win32',
+        });
+        // Forward signals to child
+        const signals = ['SIGINT', 'SIGTERM', 'SIGHUP'];
+        for (const signal of signals) {
+            process.on(signal, () => {
+                child.kill(signal);
+            });
+        }
+        // Exit with child's exit code
+        child.on('exit', (code, signal) => {
+            if (signal) {
+                process.kill(process.pid, signal);
+            }
+            else {
+                process.exit(code ?? 0);
+            }
+        });
+        child.on('error', (err) => {
+            console.error(chalk.red('Failed to start command:'), err.message);
+            process.exit(1);
+        });
+    });
+}
+//# sourceMappingURL=exec.js.map