@zincapp/znvault-cli 2.16.4 → 2.17.0

package/dist/commands/secret/helpers.js

@@ -0,0 +1,59 @@
+// Path: src/commands/secret/helpers.ts
+/**
+ * Helper functions for secret commands
+ */
+export function formatDate(dateStr) {
+    if (!dateStr)
+        return '-';
+    return new Date(dateStr).toLocaleString();
+}
+export function formatType(type, subType) {
+    if (subType)
+        return `${type}/${subType}`;
+    return type;
+}
+export function formatTags(tags) {
+    if (!tags || tags.length === 0)
+        return '-';
+    if (tags.length <= 3)
+        return tags.join(', ');
+    return `${tags.slice(0, 2).join(', ')} +${tags.length - 2} more`;
+}
+export function truncateAlias(alias, maxLen = 40) {
+    if (alias.length <= maxLen)
+        return alias;
+    return '...' + alias.slice(-(maxLen - 3));
+}
+export function formatBytes(bytes) {
+    if (!bytes)
+        return '-';
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+export function getDaysUntilExpiry(expiresAt) {
+    if (!expiresAt)
+        return null;
+    const expires = new Date(expiresAt);
+    const now = new Date();
+    return Math.ceil((expires.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
+}
+export function formatExpiry(expiresAt) {
+    if (!expiresAt)
+        return '-';
+    const days = getDaysUntilExpiry(expiresAt);
+    if (days === null)
+        return '-';
+    if (days < 0)
+        return `Expired ${Math.abs(days)}d ago`;
+    if (days === 0)
+        return 'Expires today';
+    if (days <= 7)
+        return `${days}d (!)`;
+    if (days <= 30)
+        return `${days}d`;
+    return `${days}d`;
+}
+//# sourceMappingURL=helpers.js.map

package/dist/commands/secret/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/commands/secret/helpers.ts"],"names":[],"mappings":"AAAA,uCAAuC;AAEvC;;GAEG;AAEH,MAAM,UAAU,UAAU,CAAC,OAA2B;IACpD,IAAI,CAAC,OAAO;QAAE,OAAO,GAAG,CAAC;IACzB,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,OAAgB;IACvD,IAAI,OAAO;QAAE,OAAO,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;IACzC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,IAAe;IACxC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAC3C,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,MAAM,GAAG,EAAE;IACtD,IAAI,KAAK,CAAC,MAAM,IAAI,MAAM;QAAE,OAAO,KAAK,CAAC;IACzC,OAAO,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,IAAI,CAAC,KAAK;QAAE,OAAO,GAAG,CAAC;IACvB,IAAI,KAAK,GAAG,IAAI;QAAE,OAAO,GAAG,KAAK,IAAI,CAAC;IACtC,IAAI,KAAK,GAAG,IAAI,GAAG,IAAI;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAClE,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,SAAkB;IACnD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAkB;IAC7C,IAAI,CAAC,SAAS;QAAE,OAAO,GAAG,CAAC;IAC3B,MAAM,IAAI,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAC3C,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IAC9B,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,WAAW,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC;IACtD,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,eAAe,CAAC;IACvC,IAAI,IAAI,IAAI,CAAC;QAAE,OAAO,GAAG,IAAI,OAAO,CAAC;IACrC,IAAI,IAAI,IAAI,EAAE;QAAE,OAAO,GAAG,IAAI,GAAG,CAAC;IAClC,OAAO,GAAG,IAAI,GAAG,CAAC;AACpB,CAAC"}

package/dist/commands/secret/history.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Secret history command
+ */
+import type { Command } from 'commander';
+export declare function registerHistoryCommand(secretCmd: Command): void;
+//# sourceMappingURL=history.d.ts.map

package/dist/commands/secret/history.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"history.d.ts","sourceRoot":"","sources":["../../../src/commands/secret/history.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASzC,wBAAgB,sBAAsB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAkD/D"}

package/dist/commands/secret/history.js

@@ -0,0 +1,52 @@
+// Path: src/commands/secret/history.ts
+import ora from 'ora';
+import Table from 'cli-table3';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+import { formatDate } from './helpers.js';
+import { resolveSecretId } from './resolve.js';
+export function registerHistoryCommand(secretCmd) {
+    secretCmd
+        .command('history <id-or-alias>')
+        .description('Show secret version history (supports UUID or tenant/alias format)')
+        .option('--json', 'Output as JSON')
+        .action(async (idOrAlias, options) => {
+        const spinner = ora('Resolving secret...').start();
+        try {
+            // Resolve alias to UUID if needed
+            const id = await resolveSecretId(idOrAlias);
+            spinner.text = 'Fetching secret history...';
+            const response = await client.get(`/v1/secrets/${id}/history`);
+            spinner.stop();
+            const history = response.history || [];
+            if (options.json) {
+                output.json(history);
+                return;
+            }
+            if (history.length === 0) {
+                output.info('No version history found');
+                return;
+            }
+            const table = new Table({
+                head: ['Version', 'Created At', 'Superseded At', 'Created By'],
+                colWidths: [10, 25, 25, 30],
+            });
+            for (const entry of history) {
+                table.push([
+                    String(entry.version),
+                    formatDate(entry.createdAt),
+                    entry.supersededAt ? formatDate(entry.supersededAt) : '-',
+                    entry.createdBy || '-',
+                ]);
+            }
+            console.log(table.toString());
+            console.log(`Total: ${response.count} version(s)`);
+        }
+        catch (error) {
+            spinner.fail('Failed to fetch history');
+            output.error(error.message);
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=history.js.map

package/dist/commands/secret/history.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"history.js","sourceRoot":"","sources":["../../../src/commands/secret/history.ts"],"names":[],"mappings":"AAAA,uCAAuC;AAOvC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAE/C,MAAM,UAAU,sBAAsB,CAAC,SAAkB;IACvD,SAAS;SACN,OAAO,CAAC,uBAAuB,CAAC;SAChC,WAAW,CAAC,oEAAoE,CAAC;SACjF,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,SAAiB,EAAE,OAAuB,EAAE,EAAE;QAC3D,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,kCAAkC;YAClC,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,SAAS,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,GAAG,4BAA4B,CAAC;YAE5C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAkB,eAAe,EAAE,UAAU,CAAC,CAAC;YAChF,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;YAEvC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACrB,OAAO;YACT,CAAC;YAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;gBACxC,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC;gBACtB,IAAI,EAAE,CAAC,SAAS,EAAE,YAAY,EAAE,eAAe,EAAE,YAAY,CAAC;gBAC9D,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;aAC5B,CAAC,CAAC;YAEH,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,KAAK,CAAC,IAAI,CAAC;oBACT,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC;oBACrB,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC;oBAC3B,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG;oBACzD,KAAK,CAAC,SAAS,IAAI,GAAG;iBACvB,CAAC,CAAC;YACL,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9B,OAAO,CAAC,GAAG,CAAC,UAAU,QAAQ,CAAC,KAAK,aAAa,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;YACxC,MAAM,CAAC,KAAK,CAAE,KAAe,CAAC,OAAO,CAAC,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/secret/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Secret commands - main entry point
+ *
+ * This module provides the command registration function that combines
+ * all secret subcommands into a single command group.
+ */
+import type { Command } from 'commander';
+export declare function registerSecretCommands(program: Command): void;
+export * from './types.js';
+export * from './helpers.js';
+export * from './resolve.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/secret/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/secret/index.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA8BzC,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAgB7D;AAGD,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC"}

package/dist/commands/secret/index.js

@@ -0,0 +1,49 @@
+// Path: src/commands/secret/index.ts
+import { registerListCommand } from './list.js';
+import { registerGetCommand } from './get.js';
+import { registerDecryptCommand } from './decrypt.js';
+import { registerCreateCommand } from './create.js';
+import { registerUpdateCommand } from './update.js';
+import { registerDeleteCommand } from './delete.js';
+import { registerRotateCommand } from './rotate.js';
+import { registerHistoryCommand } from './history.js';
+import { registerCopyCommand } from './copy.js';
+// Help text for secret identifier format
+const SECRET_ID_HELP = `
+Secret Identifier Formats:
+  Commands that accept <id-or-alias> support these formats:
+
+  1. UUID:    abc12345-1234-5678-9abc-def012345678
+  2. Alias:   zn-admin/config, web/api-key, smtp-credentials
+  3. Prefix:  alias:zn-admin/config (optional "alias:" prefix)
+
+  Note: Tenant is derived from your authenticated user (JWT).
+  You can only access secrets within your assigned tenant.
+
+Examples:
+  znvault secret decrypt zn-admin/config
+  znvault secret get web/production/api-key
+  znvault secret history alias:database/credentials
+  znvault secret delete abc12345-1234-5678-9abc-def012345678
+`;
+export function registerSecretCommands(program) {
+    const secretCmd = program
+        .command('secret')
+        .description('Manage secrets')
+        .addHelpText('after', SECRET_ID_HELP);
+    // Register all subcommands
+    registerListCommand(secretCmd);
+    registerGetCommand(secretCmd);
+    registerDecryptCommand(secretCmd);
+    registerCreateCommand(secretCmd);
+    registerUpdateCommand(secretCmd);
+    registerDeleteCommand(secretCmd);
+    registerRotateCommand(secretCmd);
+    registerHistoryCommand(secretCmd);
+    registerCopyCommand(secretCmd);
+}
+// Re-export types for external use
+export * from './types.js';
+export * from './helpers.js';
+export * from './resolve.js';
+//# sourceMappingURL=index.js.map

package/dist/commands/secret/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/secret/index.ts"],"names":[],"mappings":"AAAA,qCAAqC;AAUrC,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAChD,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAEhD,yCAAyC;AACzC,MAAM,cAAc,GAAG;;;;;;;;;;;;;;;;CAgBtB,CAAC;AAEF,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,MAAM,SAAS,GAAG,OAAO;SACtB,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,gBAAgB,CAAC;SAC7B,WAAW,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IAExC,2BAA2B;IAC3B,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAC/B,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAC9B,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAClC,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACjC,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACjC,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACjC,qBAAqB,CAAC,SAAS,CAAC,CAAC;IACjC,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAClC,mBAAmB,CAAC,SAAS,CAAC,CAAC;AACjC,CAAC;AAED,mCAAmC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC"}

package/dist/commands/secret/list.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Secret list command
+ */
+import type { Command } from 'commander';
+export declare function registerListCommand(secretCmd: Command): void;
+//# sourceMappingURL=list.d.ts.map

package/dist/commands/secret/list.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"list.d.ts","sourceRoot":"","sources":["../../../src/commands/secret/list.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAkE5D"}

package/dist/commands/secret/list.js

@@ -0,0 +1,72 @@
+// Path: src/commands/secret/list.ts
+import ora from 'ora';
+import Table from 'cli-table3';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+import { formatDate, formatType, formatTags, truncateAlias, formatExpiry } from './helpers.js';
+export function registerListCommand(secretCmd) {
+    secretCmd
+        .command('list')
+        .description('List secrets (metadata only)')
+        .option('-t, --tenant <id>', 'Filter by tenant')
+        .option('--type <type>', 'Filter by type (opaque, credential, setting)')
+        .option('--sub-type <subType>', 'Filter by sub-type')
+        .option('--alias-prefix <prefix>', 'Filter by alias prefix')
+        .option('--expiring <days>', 'Show secrets expiring within N days')
+        .option('--json', 'Output as JSON')
+        .action(async (options) => {
+        const spinner = ora('Fetching secrets...').start();
+        try {
+            const query = {};
+            if (options.tenant)
+                query.tenant = options.tenant;
+            if (options.type)
+                query.type = options.type;
+            if (options.subType)
+                query.subType = options.subType;
+            if (options.aliasPrefix)
+                query.aliasPrefix = options.aliasPrefix;
+            if (options.expiring) {
+                const days = parseInt(options.expiring, 10);
+                const expiringBefore = new Date(Date.now() + days * 24 * 60 * 60 * 1000).toISOString();
+                query.expiringBefore = expiringBefore;
+            }
+            const response = await client.get('/v1/secrets?' + new URLSearchParams(query).toString());
+            const secrets = response.items;
+            spinner.stop();
+            if (options.json) {
+                output.json(response);
+                return;
+            }
+            if (secrets.length === 0) {
+                output.info('No secrets found');
+                return;
+            }
+            const table = new Table({
+                head: ['ID', 'Alias', 'Tenant', 'Type', 'Ver', 'Expires', 'Tags', 'Updated'],
+                colWidths: [12, 42, 12, 16, 5, 14, 20, 20],
+                wordWrap: true,
+            });
+            for (const secret of secrets) {
+                table.push([
+                    secret.id.slice(0, 10) + '...',
+                    truncateAlias(secret.alias),
+                    secret.tenant.slice(0, 10),
+                    formatType(secret.type, secret.subType),
+                    String(secret.version),
+                    formatExpiry(secret.expiresAt || secret.ttlUntil),
+                    formatTags(secret.tags),
+                    formatDate(secret.updatedAt).split(',')[0], // Just date
+                ]);
+            }
+            console.log(table.toString());
+            output.info(`Total: ${response.pagination.total} secret(s)${response.pagination.hasMore ? ' (more available)' : ''}`);
+        }
+        catch (error) {
+            spinner.fail('Failed to list secrets');
+            output.error(error.message);
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=list.js.map

package/dist/commands/secret/list.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"list.js","sourceRoot":"","sources":["../../../src/commands/secret/list.ts"],"names":[],"mappings":"AAAA,oCAAoC;AAOpC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE/F,MAAM,UAAU,mBAAmB,CAAC,SAAkB;IACpD,SAAS;SACN,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,8BAA8B,CAAC;SAC3C,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,CAAC;SAC/C,MAAM,CAAC,eAAe,EAAE,8CAA8C,CAAC;SACvE,MAAM,CAAC,sBAAsB,EAAE,oBAAoB,CAAC;SACpD,MAAM,CAAC,yBAAyB,EAAE,wBAAwB,CAAC;SAC3D,MAAM,CAAC,mBAAmB,EAAE,qCAAqC,CAAC;SAClE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,OAAoB,EAAE,EAAE;QACrC,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,KAAK,GAAuC,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,MAAM;gBAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAClD,IAAI,OAAO,CAAC,IAAI;gBAAE,KAAK,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;YAC5C,IAAI,OAAO,CAAC,OAAO;gBAAE,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;YACrD,IAAI,OAAO,CAAC,WAAW;gBAAE,KAAK,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;YACjE,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAC5C,MAAM,cAAc,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBACvF,KAAK,CAAC,cAAc,GAAG,cAAc,CAAC;YACxC,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAsB,cAAc,GAAG,IAAI,eAAe,CAAC,KAA+B,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACzI,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC;YAC/B,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACtB,OAAO;YACT,CAAC;YAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;gBAChC,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC;gBACtB,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC;gBAC5E,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;gBAC1C,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;YAEH,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,KAAK,CAAC,IAAI,CAAC;oBACT,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;oBAC9B,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC;oBAC3B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBAC1B,UAAU,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC;oBACvC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC;oBACtB,YAAY,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,QAAQ,CAAC;oBACjD,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC;oBACvB,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,YAAY;iBACzD,CAAC,CAAC;YACL,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,UAAU,QAAQ,CAAC,UAAU,CAAC,KAAK,aAAa,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;YACvC,MAAM,CAAC,KAAK,CAAE,KAAe,CAAC,OAAO,CAAC,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/secret/pem-analysis.d.ts

@@ -0,0 +1,32 @@
+/**
+ * PEM file analysis utilities for AI suggestion feature
+ */
+/**
+ * PEM file analysis result
+ */
+export interface PEMInfo {
+    type: 'certificate' | 'private-key' | 'public-key' | 'csr' | 'bundle' | 'encrypted-key' | 'unknown';
+    algorithm?: 'rsa' | 'ec' | 'ed25519' | 'dsa' | 'unknown';
+    pemHeaders: string[];
+    blockCount: number;
+    certificateCount?: number;
+    detectedPurpose?: string;
+    isAppleP8?: boolean;
+}
+/**
+ * File analysis info for LLM
+ */
+export interface FileAnalysisInfo {
+    filename: string;
+    extension: string;
+    mimeType: string;
+    size: number;
+    pemInfo?: PEMInfo;
+}
+export declare function detectKeyAlgorithm(content: string): PEMInfo['algorithm'] | undefined;
+export declare function detectPurpose(filename: string, type: PEMInfo['type'], algorithm?: PEMInfo['algorithm'], headers?: string[]): string | undefined;
+export declare function analyzePEMContent(content: string, filename: string): PEMInfo | null;
+export declare function detectMimeType(content: Buffer): string;
+export declare function analyzeFileForSuggestion(filePath: string): Promise<FileAnalysisInfo | null>;
+export declare function formatPemType(type: string): string;
+//# sourceMappingURL=pem-analysis.d.ts.map

package/dist/commands/secret/pem-analysis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pem-analysis.d.ts","sourceRoot":"","sources":["../../../src/commands/secret/pem-analysis.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,aAAa,GAAG,aAAa,GAAG,YAAY,GAAG,KAAK,GAAG,QAAQ,GAAG,eAAe,GAAG,SAAS,CAAC;IACpG,SAAS,CAAC,EAAE,KAAK,GAAG,IAAI,GAAG,SAAS,GAAG,KAAK,GAAG,SAAS,CAAC;IACzD,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAiBD,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,SAAS,CAoBpF;AAED,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,EACrB,SAAS,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,EAChC,OAAO,CAAC,EAAE,MAAM,EAAE,GACjB,MAAM,GAAG,SAAS,CA4CpB;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CAwDnF;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAItD;AAED,wBAAsB,wBAAwB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CA6BjG;AAED,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAWlD"}

package/dist/commands/secret/pem-analysis.js

@@ -0,0 +1,190 @@
+// Path: src/commands/secret/pem-analysis.ts
+const PEM_HEADER_MAP = {
+    'PRIVATE KEY': { type: 'private-key' },
+    'RSA PRIVATE KEY': { type: 'private-key', algorithm: 'rsa' },
+    'EC PRIVATE KEY': { type: 'private-key', algorithm: 'ec' },
+    'DSA PRIVATE KEY': { type: 'private-key', algorithm: 'dsa' },
+    'OPENSSH PRIVATE KEY': { type: 'private-key' },
+    'ENCRYPTED PRIVATE KEY': { type: 'encrypted-key' },
+    'PUBLIC KEY': { type: 'public-key' },
+    'RSA PUBLIC KEY': { type: 'public-key', algorithm: 'rsa' },
+    'EC PUBLIC KEY': { type: 'public-key', algorithm: 'ec' },
+    'CERTIFICATE': { type: 'certificate' },
+    'X509 CERTIFICATE': { type: 'certificate' },
+    'CERTIFICATE REQUEST': { type: 'csr' },
+};
+export function detectKeyAlgorithm(content) {
+    if (content.includes('EC PRIVATE KEY') || content.includes('EC PUBLIC KEY'))
+        return 'ec';
+    if (content.includes('RSA PRIVATE KEY') || content.includes('RSA PUBLIC KEY'))
+        return 'rsa';
+    // Check for EC curve OIDs
+    const ecOidPatterns = ['BggqhkjOPQMBBw', 'BgUrgQQAIg', 'BgUrgQQAIw'];
+    for (const pattern of ecOidPatterns) {
+        if (content.includes(pattern))
+            return 'ec';
+    }
+    // Size-based heuristic for generic keys
+    const keyMatch = /-----BEGIN (?:PRIVATE KEY|PUBLIC KEY)-----\s*([\s\S]*?)\s*-----END/;
+    const keyContent = keyMatch.exec(content);
+    if (keyContent) {
+        const keyBase64 = keyContent[1].replace(/\s/g, '');
+        if (keyBase64.length < 400)
+            return 'ec';
+        if (keyBase64.length > 1000)
+            return 'rsa';
+    }
+    return 'unknown';
+}
+export function detectPurpose(filename, type, algorithm, headers) {
+    const lowerFilename = filename.toLowerCase();
+    if (lowerFilename.endsWith('.p8') || lowerFilename.includes('authkey')) {
+        if (type === 'private-key' && algorithm === 'ec') {
+            return 'Apple Push Notification Service (APNS) authentication key';
+        }
+        return 'Apple authentication key (.p8)';
+    }
+    if (lowerFilename.includes('ssl') || lowerFilename.includes('tls')) {
+        if (type === 'certificate')
+            return 'SSL/TLS certificate';
+        if (type === 'private-key')
+            return 'SSL/TLS private key';
+        if (type === 'bundle')
+            return 'SSL/TLS certificate bundle';
+    }
+    if (lowerFilename.includes('ca') || lowerFilename.includes('root') || lowerFilename.includes('intermediate')) {
+        if (type === 'certificate')
+            return 'Certificate Authority (CA) certificate';
+        if (type === 'bundle')
+            return 'CA certificate chain';
+    }
+    // JWT/API signing (check before generic "sign" to avoid false matches)
+    if (lowerFilename.includes('jwt') || lowerFilename.includes('signing')) {
+        if (type === 'private-key')
+            return 'JWT/API signing key';
+        if (type === 'public-key')
+            return 'JWT/API verification key';
+    }
+    // Code signing (codesign specifically, not just "sign")
+    if (lowerFilename.includes('codesign') || (lowerFilename.includes('sign') && !lowerFilename.includes('signing'))) {
+        if (type === 'certificate')
+            return 'Code signing certificate';
+        if (type === 'private-key')
+            return 'Code signing private key';
+    }
+    if (lowerFilename.includes('ssh') || lowerFilename.startsWith('id_') || headers?.some(h => h.includes('OPENSSH'))) {
+        if (type === 'private-key')
+            return 'SSH private key';
+        if (type === 'public-key')
+            return 'SSH public key';
+    }
+    if (type === 'certificate')
+        return 'X.509 certificate';
+    if (type === 'bundle')
+        return 'Certificate bundle/chain';
+    if (type === 'csr')
+        return 'Certificate Signing Request (CSR)';
+    if (type === 'encrypted-key')
+        return 'Encrypted private key (password protected)';
+    return undefined;
+}
+export function analyzePEMContent(content, filename) {
+    const headerRegex = /-----BEGIN ([A-Z0-9 ]+)-----/g;
+    const headers = [];
+    let match;
+    while ((match = headerRegex.exec(content)) !== null) {
+        headers.push(match[1]);
+    }
+    if (headers.length === 0)
+        return null;
+    const certificateCount = headers.filter(h => h.includes('CERTIFICATE')).length;
+    const privateKeyHeaders = headers.filter(h => h.includes('PRIVATE KEY'));
+    const publicKeyHeaders = headers.filter(h => h.includes('PUBLIC KEY'));
+    const csrHeaders = headers.filter(h => h.includes('CERTIFICATE REQUEST'));
+    let type = 'unknown';
+    let algorithm;
+    if (certificateCount > 1 || (certificateCount >= 1 && privateKeyHeaders.length >= 1)) {
+        type = 'bundle';
+    }
+    else if (privateKeyHeaders.length > 0) {
+        const keyHeader = privateKeyHeaders[0];
+        const mapping = PEM_HEADER_MAP[keyHeader];
+        type = mapping?.type ?? 'private-key';
+        algorithm = mapping?.algorithm;
+        if (keyHeader.includes('ENCRYPTED'))
+            type = 'encrypted-key';
+    }
+    else if (publicKeyHeaders.length > 0) {
+        const keyHeader = publicKeyHeaders[0];
+        const mapping = PEM_HEADER_MAP[keyHeader];
+        type = mapping?.type ?? 'public-key';
+        algorithm = mapping?.algorithm;
+    }
+    else if (csrHeaders.length > 0) {
+        type = 'csr';
+    }
+    else if (certificateCount > 0) {
+        type = 'certificate';
+    }
+    if (!algorithm && (type === 'private-key' || type === 'public-key')) {
+        algorithm = detectKeyAlgorithm(content);
+    }
+    const detectedPurpose = detectPurpose(filename, type, algorithm, headers);
+    const lowerFilename = filename.toLowerCase();
+    const isAppleP8 = type === 'private-key' && algorithm === 'ec' &&
+        (lowerFilename.endsWith('.p8') || lowerFilename.includes('authkey'));
+    return {
+        type,
+        algorithm,
+        pemHeaders: headers,
+        blockCount: headers.length,
+        certificateCount: certificateCount > 0 ? certificateCount : undefined,
+        detectedPurpose,
+        isAppleP8: isAppleP8 || undefined,
+    };
+}
+export function detectMimeType(content) {
+    const text = content.toString('utf8', 0, 100);
+    if (text.includes('-----BEGIN'))
+        return 'application/x-pem-file';
+    return 'application/octet-stream';
+}
+export async function analyzeFileForSuggestion(filePath) {
+    const fs = await import('fs');
+    const pathModule = await import('path');
+    if (!fs.existsSync(filePath))
+        return null;
+    const content = fs.readFileSync(filePath);
+    const filename = pathModule.basename(filePath);
+    const extension = pathModule.extname(filePath).toLowerCase();
+    const mimeType = detectMimeType(content);
+    const result = {
+        filename,
+        extension,
+        mimeType,
+        size: content.length,
+    };
+    // Analyze PEM content for relevant file types
+    const pemExtensions = ['.pem', '.crt', '.cer', '.key', '.p8', '.p12', '.pfx', '.pub'];
+    if (mimeType === 'application/x-pem-file' || pemExtensions.includes(extension)) {
+        const textContent = content.toString('utf8');
+        const pemInfo = analyzePEMContent(textContent, filename);
+        if (pemInfo) {
+            result.pemInfo = pemInfo;
+        }
+    }
+    return result;
+}
+export function formatPemType(type) {
+    const typeMap = {
+        'private-key': 'Private Key',
+        'public-key': 'Public Key',
+        'certificate': 'X.509 Certificate',
+        'csr': 'Certificate Signing Request',
+        'bundle': 'Certificate Bundle/Chain',
+        'encrypted-key': 'Encrypted Private Key',
+        'unknown': 'Unknown PEM format',
+    };
+    return typeMap[type] ?? type;
+}
+//# sourceMappingURL=pem-analysis.js.map

package/dist/commands/secret/pem-analysis.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pem-analysis.js","sourceRoot":"","sources":["../../../src/commands/secret/pem-analysis.ts"],"names":[],"mappings":"AAAA,4CAA4C;AA8B5C,MAAM,cAAc,GAAgF;IAClG,aAAa,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE;IACtC,iBAAiB,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE;IAC5D,gBAAgB,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,IAAI,EAAE;IAC1D,iBAAiB,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,SAAS,EAAE,KAAK,EAAE;IAC5D,qBAAqB,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE;IAC9C,uBAAuB,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE;IAClD,YAAY,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE;IACpC,gBAAgB,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE;IAC1D,eAAe,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,EAAE;IACxD,aAAa,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE;IACtC,kBAAkB,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE;IAC3C,qBAAqB,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE;CACvC,CAAC;AAEF,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;QAAE,OAAO,IAAI,CAAC;IACzF,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAE5F,0BAA0B;IAC1B,MAAM,aAAa,GAAG,CAAC,gBAAgB,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;IACrE,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IAED,wCAAwC;IACxC,MAAM,QAAQ,GAAG,oEAAoE,CAAC;IACtF,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACnD,IAAI,SAAS,CAAC,MAAM,GAAG,GAAG;YAAE,OAAO,IAAI,CAAC;QACxC,IAAI,SAAS,CAAC,MAAM,GAAG,IAAI;YAAE,OAAO,KAAK,CAAC;IAC5C,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,IAAqB,EACrB,SAAgC,EAChC,OAAkB;IAElB,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE7C,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACvE,IAAI,IAAI,KAAK,aAAa,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACjD,OAAO,2DAA2D,CAAC;QACrE,CAAC;QACD,OAAO,gCAAgC,CAAC;IAC1C,CAAC;IAED,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACnE,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,qBAAqB,CAAC;QACzD,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,qBAAqB,CAAC;QACzD,IAAI,IAAI,KAAK,QAAQ;YAAE,OAAO,4BAA4B,CAAC;IAC7D,CAAC;IAED,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC7G,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,wCAAwC,CAAC;QAC5E,IAAI,IAAI,KAAK,QAAQ;YAAE,OAAO,sBAAsB,CAAC;IACvD,CAAC;IAED,uEAAuE;IACvE,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACvE,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,qBAAqB,CAAC;QACzD,IAAI,IAAI,KAAK,YAAY;YAAE,OAAO,0BAA0B,CAAC;IAC/D,CAAC;IAED,wDAAwD;IACxD,IAAI,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QACjH,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,0BAA0B,CAAC;QAC9D,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,0BAA0B,CAAC;IAChE,CAAC;IAED,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAClH,IAAI,IAAI,KAAK,aAAa;YAAE,OAAO,iBAAiB,CAAC;QACrD,IAAI,IAAI,KAAK,YAAY;YAAE,OAAO,gBAAgB,CAAC;IACrD,CAAC;IAED,IAAI,IAAI,KAAK,aAAa;QAAE,OAAO,mBAAmB,CAAC;IACvD,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,0BAA0B,CAAC;IACzD,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,mCAAmC,CAAC;IAC/D,IAAI,IAAI,KAAK,eAAe;QAAE,OAAO,4CAA4C,CAAC;IAElF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAe,EAAE,QAAgB;IACjE,MAAM,WAAW,GAAG,+BAA+B,CAAC;IACpD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtC,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC;IAC/E,MAAM,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC;IACzE,MAAM,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;IACvE,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAE1E,IAAI,IAAI,GAAoB,SAAS,CAAC;IACtC,IAAI,SAA2C,CAAC;IAEhD,IAAI,gBAAgB,GAAG,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,iBAAiB,CAAC,MAAM,IAAI,CAAC,CAAC,EAAE,CAAC;QACrF,IAAI,GAAG,QAAQ,CAAC;IAClB,CAAC;SAAM,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,aAAa,CAAC;QACtC,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;QAC/B,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,IAAI,GAAG,eAAe,CAAC;IAC9D,CAAC;SAAM,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,YAAY,CAAC;QACrC,SAAS,GAAG,OAAO,EAAE,SAAS,CAAC;IACjC,CAAC;SAAM,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,IAAI,GAAG,KAAK,CAAC;IACf,CAAC;SAAM,IAAI,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAChC,IAAI,GAAG,aAAa,CAAC;IACvB,CAAC;IAED,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,YAAY,CAAC,EAAE,CAAC;QACpE,SAAS,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,eAAe,GAAG,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1E,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC7C,MAAM,SAAS,GAAG,IAAI,KAAK,aAAa,IAAI,SAAS,KAAK,IAAI;QAC5D,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IAEvE,OAAO;QACL,IAAI;QACJ,SAAS;QACT,UAAU,EAAE,OAAO;QACnB,UAAU,EAAE,OAAO,CAAC,MAAM;QAC1B,gBAAgB,EAAE,gBAAgB,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS;QACrE,eAAe;QACf,SAAS,EAAE,SAAS,IAAI,SAAS;KAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,wBAAwB,CAAC;IACjE,OAAO,0BAA0B,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,QAAgB;IAC7D,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAExC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7D,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAEzC,MAAM,MAAM,GAAqB;QAC/B,QAAQ;QACR,SAAS;QACT,QAAQ;QACR,IAAI,EAAE,OAAO,CAAC,MAAM;KACrB,CAAC;IAEF,8CAA8C;IAC9C,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACtF,IAAI,QAAQ,KAAK,wBAAwB,IAAI,aAAa,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/E,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,iBAAiB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QACzD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,MAAM,OAAO,GAA2B;QACtC,aAAa,EAAE,aAAa;QAC5B,YAAY,EAAE,YAAY;QAC1B,aAAa,EAAE,mBAAmB;QAClC,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,0BAA0B;QACpC,eAAe,EAAE,uBAAuB;QACxC,SAAS,EAAE,oBAAoB;KAChC,CAAC;IACF,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;AAC/B,CAAC"}

package/dist/commands/secret/resolve.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Check if a string looks like a UUID
+ */
+export declare function isUUID(str: string): boolean;
+/**
+ * Resolve a secret identifier to a UUID.
+ * Supports formats:
+ * - UUID: pass through directly
+ * - alias:path: resolve via /v1/secrets/alias/:alias (tenant from JWT)
+ * - path/to/secret: resolve via /v1/secrets/alias/:alias (tenant from JWT)
+ * - simple-name: resolve via /v1/secrets/alias/:alias (tenant from JWT)
+ *
+ * Note: The alias is the full path (e.g., "zn-admin/config"), NOT tenant/alias.
+ * Tenant is always derived from the authenticated user's JWT.
+ */
+export declare function resolveSecretId(idOrAlias: string): Promise<string>;
+//# sourceMappingURL=resolve.d.ts.map

package/dist/commands/secret/resolve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../../src/commands/secret/resolve.ts"],"names":[],"mappings":"AASA;;GAEG;AACH,wBAAgB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAE3C;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAcxE"}

package/dist/commands/secret/resolve.js

@@ -0,0 +1,36 @@
+// Path: src/commands/secret/resolve.ts
+/**
+ * Secret ID/alias resolution utilities
+ */
+import { client } from '../../lib/client.js';
+/**
+ * Check if a string looks like a UUID
+ */
+export function isUUID(str) {
+    return /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i.test(str);
+}
+/**
+ * Resolve a secret identifier to a UUID.
+ * Supports formats:
+ * - UUID: pass through directly
+ * - alias:path: resolve via /v1/secrets/alias/:alias (tenant from JWT)
+ * - path/to/secret: resolve via /v1/secrets/alias/:alias (tenant from JWT)
+ * - simple-name: resolve via /v1/secrets/alias/:alias (tenant from JWT)
+ *
+ * Note: The alias is the full path (e.g., "zn-admin/config"), NOT tenant/alias.
+ * Tenant is always derived from the authenticated user's JWT.
+ */
+export async function resolveSecretId(idOrAlias) {
+    // Already a UUID - pass through
+    if (isUUID(idOrAlias)) {
+        return idOrAlias;
+    }
+    // Strip optional "alias:" prefix
+    const alias = idOrAlias.startsWith('alias:')
+        ? idOrAlias.slice(6)
+        : idOrAlias;
+    // Resolve alias to UUID via API (tenant derived from JWT)
+    const metadata = await client.get(`/v1/secrets/alias/${encodeURIComponent(alias)}`);
+    return metadata.id;
+}
+//# sourceMappingURL=resolve.js.map

package/dist/commands/secret/resolve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.js","sourceRoot":"","sources":["../../../src/commands/secret/resolve.ts"],"names":[],"mappings":"AAAA,uCAAuC;AAEvC;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAG7C;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,GAAW;IAChC,OAAO,iEAAiE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACrF,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,SAAiB;IACrD,gCAAgC;IAChC,IAAI,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QACtB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,iCAAiC;IACjC,MAAM,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,QAAQ,CAAC;QAC1C,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACpB,CAAC,CAAC,SAAS,CAAC;IAEd,0DAA0D;IAC1D,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAiB,qBAAqB,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpG,OAAO,QAAQ,CAAC,EAAE,CAAC;AACrB,CAAC"}

package/dist/commands/secret/rotate.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Secret rotate command
+ */
+import type { Command } from 'commander';
+export declare function registerRotateCommand(secretCmd: Command): void;
+//# sourceMappingURL=rotate.d.ts.map

package/dist/commands/secret/rotate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.d.ts","sourceRoot":"","sources":["../../../src/commands/secret/rotate.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,OAAO,GAAG,IAAI,CAsE9D"}