@zincapp/znvault-cli 2.26.4 → 2.29.0

package/dist/commands/ssh-ca/index.js

@@ -0,0 +1,180 @@
+// Path: src/commands/ssh-ca/index.ts
+import { getStatus, initCA, deleteCA, getPublicKey } from './ca.js';
+import { listMappings, createMapping, updateMapping, deleteMapping } from './mappings.js';
+import { listServerGroups, getServerGroup, createServerGroup, deleteServerGroup, setAccessRule, deleteAccessRule, getAuthorizedPrincipals, } from './server-groups.js';
+import { listCertificates, getCertificate, revokeCertificate } from './certificates.js';
+import { signCertificate } from './sign.js';
+// Re-export types
+export * from './types.js';
+export function registerSSHCACommands(program) {
+    const sshca = program
+        .command('ssh-ca')
+        .description('SSH Certificate Authority management')
+        .addHelpText('after', `
+Examples:
+  # Initialize the CA
+  znvault ssh-ca init --key-type ed25519 --default-ttl 28800
+
+  # Get CA public key for server configuration
+  znvault ssh-ca public-key --raw > /etc/ssh/trusted-user-ca-keys.pub
+
+  # Create a principal mapping
+  znvault ssh-ca mapping create --group-id GROUP_ID --principals deploy,developer
+
+  # Create a server group and add access rules
+  znvault ssh-ca server-group create --name production-web
+  znvault ssh-ca server-group set-access GROUP_ID --linux-user deploy --principals deploy,admin
+
+  # Sign your SSH public key
+  znvault ssh-ca sign --file ~/.ssh/id_ed25519.pub > ~/.ssh/id_ed25519-cert.pub
+
+  # List and revoke certificates
+  znvault ssh-ca cert list --active-only
+  znvault ssh-ca cert revoke CERT_ID --reason "User offboarded"
+`);
+    // -------------------------------------------------------------------------
+    // CA Commands
+    // -------------------------------------------------------------------------
+    sshca
+        .command('status')
+        .description('Get SSH CA status')
+        .option('--json', 'Output as JSON')
+        .action(getStatus);
+    sshca
+        .command('init')
+        .description('Initialize SSH CA')
+        .option('--key-type <type>', 'Key type: ed25519 or rsa-4096')
+        .option('--default-ttl <seconds>', 'Default certificate TTL in seconds')
+        .option('--max-ttl <seconds>', 'Maximum certificate TTL in seconds')
+        .option('--extensions <list>', 'Allowed extensions (comma-separated)')
+        .option('--json', 'Output as JSON')
+        .action(initCA);
+    sshca
+        .command('delete')
+        .description('Delete SSH CA (destructive!)')
+        .option('--force', 'Skip confirmation')
+        .option('--json', 'Output as JSON')
+        .action(deleteCA);
+    sshca
+        .command('public-key')
+        .description('Get CA public key')
+        .option('--raw', 'Output only the key (for piping to file)')
+        .option('--json', 'Output as JSON')
+        .action(getPublicKey);
+    // -------------------------------------------------------------------------
+    // Mapping Commands
+    // -------------------------------------------------------------------------
+    const mapping = sshca.command('mapping').description('Manage principal mappings (SSO group → SSH principals)');
+    mapping
+        .command('list')
+        .alias('ls')
+        .description('List principal mappings')
+        .option('--json', 'Output as JSON')
+        .action(listMappings);
+    mapping
+        .command('create')
+        .description('Create a principal mapping')
+        .option('--group-id <id>', 'SSO group ID')
+        .option('--principals <list>', 'SSH principals (comma-separated)')
+        .option('--json', 'Output as JSON')
+        .action(createMapping);
+    mapping
+        .command('update <mapping-id>')
+        .description('Update a principal mapping')
+        .option('--principals <list>', 'New SSH principals (comma-separated)')
+        .option('--json', 'Output as JSON')
+        .action(updateMapping);
+    mapping
+        .command('delete <mapping-id>')
+        .alias('rm')
+        .description('Delete a principal mapping')
+        .option('--force', 'Skip confirmation')
+        .option('--json', 'Output as JSON')
+        .action(deleteMapping);
+    // -------------------------------------------------------------------------
+    // Server Group Commands
+    // -------------------------------------------------------------------------
+    const serverGroup = sshca.command('server-group').alias('sg').description('Manage server groups');
+    serverGroup
+        .command('list')
+        .alias('ls')
+        .description('List server groups')
+        .option('--json', 'Output as JSON')
+        .action(listServerGroups);
+    serverGroup
+        .command('get <group-id>')
+        .description('Get server group details')
+        .option('--json', 'Output as JSON')
+        .action(getServerGroup);
+    serverGroup
+        .command('create')
+        .description('Create a server group')
+        .option('--name <name>', 'Server group name')
+        .option('--description <desc>', 'Description')
+        .option('--json', 'Output as JSON')
+        .action(createServerGroup);
+    serverGroup
+        .command('delete <group-id>')
+        .alias('rm')
+        .description('Delete a server group')
+        .option('--force', 'Skip confirmation')
+        .option('--json', 'Output as JSON')
+        .action(deleteServerGroup);
+    serverGroup
+        .command('set-access <group-id>')
+        .description('Set access rule for a server group')
+        .option('--linux-user <user>', 'Linux user name')
+        .option('--principals <list>', 'Allowed principals (comma-separated)')
+        .option('--json', 'Output as JSON')
+        .action(setAccessRule);
+    serverGroup
+        .command('delete-access <group-id> <linux-user>')
+        .description('Delete access rule from a server group')
+        .option('--force', 'Skip confirmation')
+        .option('--json', 'Output as JSON')
+        .action(deleteAccessRule);
+    serverGroup
+        .command('principals <group-id>')
+        .description('Get authorized principals for server configuration')
+        .option('--json', 'Output as JSON')
+        .action(getAuthorizedPrincipals);
+    // -------------------------------------------------------------------------
+    // Certificate Commands
+    // -------------------------------------------------------------------------
+    const cert = sshca.command('cert').alias('certificate').description('Manage SSH certificates');
+    cert
+        .command('list')
+        .alias('ls')
+        .description('List certificates')
+        .option('--active-only', 'Show only active certificates')
+        .option('--revoked', 'Show only revoked certificates')
+        .option('--user-id <id>', 'Filter by user ID')
+        .option('--limit <n>', 'Maximum number of results')
+        .option('--json', 'Output as JSON')
+        .action(listCertificates);
+    cert
+        .command('get <cert-id>')
+        .description('Get certificate details')
+        .option('--json', 'Output as JSON')
+        .action(getCertificate);
+    cert
+        .command('revoke <cert-id>')
+        .description('Revoke a certificate')
+        .option('--reason <reason>', 'Revocation reason')
+        .option('--force', 'Skip confirmation')
+        .option('--json', 'Output as JSON')
+        .action(revokeCertificate);
+    // -------------------------------------------------------------------------
+    // Sign Command
+    // -------------------------------------------------------------------------
+    sshca
+        .command('sign')
+        .description('Sign SSH public key to get a certificate')
+        .option('--public-key <key>', 'SSH public key string')
+        .option('--file <path>', 'Path to SSH public key file')
+        .option('--ttl <seconds>', 'Certificate TTL in seconds')
+        .option('--principals <list>', 'Direct principal specification (admin override, comma-separated). Requires ssh:ca:admin permission.')
+        .option('--json', 'Output as JSON')
+        .action(signCertificate);
+}
+//# sourceMappingURL=index.js.map

package/dist/commands/ssh-ca/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/ssh-ca/index.ts"],"names":[],"mappings":"AAAA,qCAAqC;AAOrC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC1F,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,iBAAiB,EACjB,aAAa,EACb,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACxF,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE5C,kBAAkB;AAClB,cAAc,YAAY,CAAC;AAE3B,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,MAAM,KAAK,GAAG,OAAO;SAClB,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,sCAAsC,CAAC;SACnD,WAAW,CAAC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;CAqBzB,CAAC,CAAC;IAED,4EAA4E;IAC5E,cAAc;IACd,4EAA4E;IAC5E,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,mBAAmB,CAAC;SAChC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,SAAS,CAAC,CAAC;IAErB,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,mBAAmB,CAAC;SAChC,MAAM,CAAC,mBAAmB,EAAE,+BAA+B,CAAC;SAC5D,MAAM,CAAC,yBAAyB,EAAE,oCAAoC,CAAC;SACvE,MAAM,CAAC,qBAAqB,EAAE,oCAAoC,CAAC;SACnE,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,CAAC;SACrE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,MAAM,CAAC,CAAC;IAElB,KAAK;SACF,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,8BAA8B,CAAC;SAC3C,MAAM,CAAC,SAAS,EAAE,mBAAmB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEpB,KAAK;SACF,OAAO,CAAC,YAAY,CAAC;SACrB,WAAW,CAAC,mBAAmB,CAAC;SAChC,MAAM,CAAC,OAAO,EAAE,0CAA0C,CAAC;SAC3D,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,YAAY,CAAC,CAAC;IAExB,4EAA4E;IAC5E,mBAAmB;IACnB,4EAA4E;IAC5E,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,wDAAwD,CAAC,CAAC;IAE/G,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,KAAK,CAAC,IAAI,CAAC;SACX,WAAW,CAAC,yBAAyB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,YAAY,CAAC,CAAC;IAExB,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC;SACzC,MAAM,CAAC,qBAAqB,EAAE,kCAAkC,CAAC;SACjE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,aAAa,CAAC,CAAC;IAEzB,OAAO;SACJ,OAAO,CAAC,qBAAqB,CAAC;SAC9B,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,CAAC;SACrE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,aAAa,CAAC,CAAC;IAEzB,OAAO;SACJ,OAAO,CAAC,qBAAqB,CAAC;SAC9B,KAAK,CAAC,IAAI,CAAC;SACX,WAAW,CAAC,4BAA4B,CAAC;SACzC,MAAM,CAAC,SAAS,EAAE,mBAAmB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,aAAa,CAAC,CAAC;IAEzB,4EAA4E;IAC5E,wBAAwB;IACxB,4EAA4E;IAC5E,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,sBAAsB,CAAC,CAAC;IAElG,WAAW;SACR,OAAO,CAAC,MAAM,CAAC;SACf,KAAK,CAAC,IAAI,CAAC;SACX,WAAW,CAAC,oBAAoB,CAAC;SACjC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAE5B,WAAW;SACR,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,cAAc,CAAC,CAAC;IAE1B,WAAW;SACR,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,uBAAuB,CAAC;SACpC,MAAM,CAAC,eAAe,EAAE,mBAAmB,CAAC;SAC5C,MAAM,CAAC,sBAAsB,EAAE,aAAa,CAAC;SAC7C,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE7B,WAAW;SACR,OAAO,CAAC,mBAAmB,CAAC;SAC5B,KAAK,CAAC,IAAI,CAAC;SACX,WAAW,CAAC,uBAAuB,CAAC;SACpC,MAAM,CAAC,SAAS,EAAE,mBAAmB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE7B,WAAW;SACR,OAAO,CAAC,uBAAuB,CAAC;SAChC,WAAW,CAAC,oCAAoC,CAAC;SACjD,MAAM,CAAC,qBAAqB,EAAE,iBAAiB,CAAC;SAChD,MAAM,CAAC,qBAAqB,EAAE,sCAAsC,CAAC;SACrE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,aAAa,CAAC,CAAC;IAEzB,WAAW;SACR,OAAO,CAAC,uCAAuC,CAAC;SAChD,WAAW,CAAC,wCAAwC,CAAC;SACrD,MAAM,CAAC,SAAS,EAAE,mBAAmB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAE5B,WAAW;SACR,OAAO,CAAC,uBAAuB,CAAC;SAChC,WAAW,CAAC,oDAAoD,CAAC;SACjE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,uBAAuB,CAAC,CAAC;IAEnC,4EAA4E;IAC5E,uBAAuB;IACvB,4EAA4E;IAC5E,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,WAAW,CAAC,yBAAyB,CAAC,CAAC;IAE/F,IAAI;SACD,OAAO,CAAC,MAAM,CAAC;SACf,KAAK,CAAC,IAAI,CAAC;SACX,WAAW,CAAC,mBAAmB,CAAC;SAChC,MAAM,CAAC,eAAe,EAAE,+BAA+B,CAAC;SACxD,MAAM,CAAC,WAAW,EAAE,gCAAgC,CAAC;SACrD,MAAM,CAAC,gBAAgB,EAAE,mBAAmB,CAAC;SAC7C,MAAM,CAAC,aAAa,EAAE,2BAA2B,CAAC;SAClD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAE5B,IAAI;SACD,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,yBAAyB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,cAAc,CAAC,CAAC;IAE1B,IAAI;SACD,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,sBAAsB,CAAC;SACnC,MAAM,CAAC,mBAAmB,EAAE,mBAAmB,CAAC;SAChD,MAAM,CAAC,SAAS,EAAE,mBAAmB,CAAC;SACtC,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAE7B,4EAA4E;IAC5E,eAAe;IACf,4EAA4E;IAC5E,KAAK;SACF,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,0CAA0C,CAAC;SACvD,MAAM,CAAC,oBAAoB,EAAE,uBAAuB,CAAC;SACrD,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,iBAAiB,EAAE,4BAA4B,CAAC;SACvD,MAAM,CAAC,qBAAqB,EAAE,qGAAqG,CAAC;SACpI,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,eAAe,CAAC,CAAC;AAC7B,CAAC"}

package/dist/commands/ssh-ca/mappings.d.ts

@@ -0,0 +1,11 @@
+import type { MappingCreateOptions, MappingUpdateOptions } from './types.js';
+export declare function listMappings(options: {
+    json?: boolean;
+}): Promise<void>;
+export declare function createMapping(options: MappingCreateOptions): Promise<void>;
+export declare function updateMapping(mappingId: string, options: MappingUpdateOptions): Promise<void>;
+export declare function deleteMapping(mappingId: string, options: {
+    force?: boolean;
+    json?: boolean;
+}): Promise<void>;
+//# sourceMappingURL=mappings.d.ts.map

package/dist/commands/ssh-ca/mappings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mappings.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh-ca/mappings.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAGV,oBAAoB,EACpB,oBAAoB,EACrB,MAAM,YAAY,CAAC;AAapB,wBAAsB,YAAY,CAAC,OAAO,EAAE;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuC7E;AAED,wBAAsB,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CA2EhF;AAED,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+BnG;AAED,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA6BlH"}

package/dist/commands/ssh-ca/mappings.js

@@ -0,0 +1,178 @@
+// Path: src/commands/ssh-ca/mappings.ts
+/**
+ * Principal mapping commands for SSH CA
+ */
+import ora from 'ora';
+import Table from 'cli-table3';
+import inquirer from 'inquirer';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+import { formatDate, formatPrincipals, parsePrincipals, isValidPrincipal } from './helpers.js';
+export async function listMappings(options) {
+    const spinner = ora('Fetching principal mappings...').start();
+    try {
+        const response = await client.get('/v1/ssh/principal-mappings');
+        spinner.stop();
+        if (options.json) {
+            output.json(response.items);
+            return;
+        }
+        if (response.items.length === 0) {
+            output.info('No principal mappings found.');
+            output.info('Create one with: znvault ssh-ca mapping create');
+            return;
+        }
+        const table = new Table({
+            head: ['ID', 'SSO Group', 'Principals', 'Created'],
+            style: { head: ['cyan'] },
+        });
+        for (const mapping of response.items) {
+            table.push([
+                mapping.id.substring(0, 8) + '...',
+                mapping.groupDisplayName ?? mapping.groupName ?? mapping.groupId.substring(0, 8),
+                formatPrincipals(mapping.principals),
+                formatDate(mapping.createdAt),
+            ]);
+        }
+        console.log(table.toString());
+        output.info(`${response.items.length} mapping(s) found`);
+    }
+    catch (err) {
+        spinner.fail('Failed to list mappings');
+        output.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+}
+export async function createMapping(options) {
+    // Fetch SSO groups for selection
+    let groups = [];
+    try {
+        const groupsResponse = await client.get('/v1/sso/groups');
+        groups = groupsResponse.items;
+    }
+    catch {
+        // Groups endpoint might fail, continue with manual input
+    }
+    let groupId = options.groupId;
+    if (!groupId) {
+        if (groups.length > 0) {
+            const { selectedGroup } = await inquirer.prompt([{
+                    type: 'list',
+                    name: 'selectedGroup',
+                    message: 'Select SSO group:',
+                    choices: groups.map(g => ({
+                        name: g.displayName ?? g.name,
+                        value: g.id,
+                    })),
+                }]);
+            groupId = selectedGroup;
+        }
+        else {
+            const { id } = await inquirer.prompt([{
+                    type: 'input',
+                    name: 'id',
+                    message: 'SSO Group ID:',
+                    validate: (input) => input.trim() ? true : 'Group ID is required',
+                }]);
+            groupId = id;
+        }
+    }
+    const principalsInput = options.principals ?? (await inquirer.prompt([{
+            type: 'input',
+            name: 'principals',
+            message: 'SSH Principals (comma-separated):',
+            validate: (input) => {
+                const principals = parsePrincipals(input);
+                if (principals.length === 0)
+                    return 'At least one principal is required';
+                for (const p of principals) {
+                    if (!isValidPrincipal(p))
+                        return `Invalid principal: ${p}`;
+                }
+                return true;
+            },
+        }])).principals;
+    const principals = parsePrincipals(principalsInput);
+    const spinner = ora('Creating principal mapping...').start();
+    try {
+        const response = await client.post('/v1/ssh/principal-mappings', {
+            groupId,
+            principals,
+        });
+        spinner.succeed('Principal mapping created');
+        if (options.json) {
+            output.json(response);
+            return;
+        }
+        output.keyValue({
+            'ID': response.id,
+            'Group ID': response.groupId,
+            'Principals': response.principals.join(', '),
+            'Created': formatDate(response.createdAt),
+        });
+    }
+    catch (err) {
+        spinner.fail('Failed to create mapping');
+        output.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+}
+export async function updateMapping(mappingId, options) {
+    const principalsInput = options.principals ?? (await inquirer.prompt([{
+            type: 'input',
+            name: 'principals',
+            message: 'New SSH Principals (comma-separated):',
+            validate: (input) => {
+                const principals = parsePrincipals(input);
+                if (principals.length === 0)
+                    return 'At least one principal is required';
+                for (const p of principals) {
+                    if (!isValidPrincipal(p))
+                        return `Invalid principal: ${p}`;
+                }
+                return true;
+            },
+        }])).principals;
+    const principals = parsePrincipals(principalsInput);
+    const spinner = ora('Updating principal mapping...').start();
+    try {
+        await client.put(`/v1/ssh/principal-mappings/${mappingId}`, { principals });
+        spinner.succeed('Principal mapping updated');
+        if (options.json) {
+            output.json({ success: true, mappingId, principals });
+        }
+    }
+    catch (err) {
+        spinner.fail('Failed to update mapping');
+        output.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+}
+export async function deleteMapping(mappingId, options) {
+    if (!options.force) {
+        const { confirm } = await inquirer.prompt([{
+                type: 'confirm',
+                name: 'confirm',
+                message: `Delete principal mapping ${mappingId}?`,
+                default: false,
+            }]);
+        if (!confirm) {
+            output.info('Operation cancelled.');
+            return;
+        }
+    }
+    const spinner = ora('Deleting principal mapping...').start();
+    try {
+        await client.delete(`/v1/ssh/principal-mappings/${mappingId}`);
+        spinner.succeed('Principal mapping deleted');
+        if (options.json) {
+            output.json({ success: true });
+        }
+    }
+    catch (err) {
+        spinner.fail('Failed to delete mapping');
+        output.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=mappings.js.map

package/dist/commands/ssh-ca/mappings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mappings.js","sourceRoot":"","sources":["../../../src/commands/ssh-ca/mappings.ts"],"names":[],"mappings":"AAAA,wCAAwC;AAExC;;GAEG;AAEH,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAO9C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAY/F,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAA2B;IAC5D,MAAM,OAAO,GAAG,GAAG,CAAC,gCAAgC,CAAC,CAAC,KAAK,EAAE,CAAC;IAE9D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAuB,4BAA4B,CAAC,CAAC;QACtF,OAAO,CAAC,IAAI,EAAE,CAAC;QAEf,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC5B,OAAO;QACT,CAAC;QAED,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;YAC5C,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC;YACtB,IAAI,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,SAAS,CAAC;YAClD,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE;SAC1B,CAAC,CAAC;QAEH,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC;gBACT,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;gBAClC,OAAO,CAAC,gBAAgB,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC;gBAChF,gBAAgB,CAAC,OAAO,CAAC,UAAU,CAAC;gBACpC,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC;aAC9B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,mBAAmB,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACxC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAA6B;IAC/D,iCAAiC;IACjC,IAAI,MAAM,GAAe,EAAE,CAAC;IAC5B,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,GAAG,CAAoB,gBAAgB,CAAC,CAAC;QAC7E,MAAM,GAAG,cAAc,CAAC,KAAK,CAAC;IAChC,CAAC;IAAC,MAAM,CAAC;QACP,yDAAyD;IAC3D,CAAC;IAED,IAAI,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAC9B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAA4B,CAAC;oBAC1E,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,eAAe;oBACrB,OAAO,EAAE,mBAAmB;oBAC5B,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;wBACxB,IAAI,EAAE,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,IAAI;wBAC7B,KAAK,EAAE,CAAC,CAAC,EAAE;qBACZ,CAAC,CAAC;iBACJ,CAAC,CAAC,CAAC;YACJ,OAAO,GAAG,aAAa,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,EAAE,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAiB,CAAC;oBACpD,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,IAAI;oBACV,OAAO,EAAE,eAAe;oBACxB,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,sBAAsB;iBAC1E,CAAC,CAAC,CAAC;YACJ,OAAO,GAAG,EAAE,CAAC;QACf,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,MAAM,QAAQ,CAAC,MAAM,CAAyB,CAAC;YAC5F,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,mCAAmC;YAC5C,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE;gBAC1B,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;gBAC1C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,oCAAoC,CAAC;gBACzE,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;oBAC3B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;wBAAE,OAAO,sBAAsB,CAAC,EAAE,CAAC;gBAC7D,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;SACF,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAEhB,MAAM,UAAU,GAAG,eAAe,CAAC,eAAe,CAAC,CAAC;IAEpD,MAAM,OAAO,GAAG,GAAG,CAAC,+BAA+B,CAAC,CAAC,KAAK,EAAE,CAAC;IAE7D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAmB,4BAA4B,EAAE;YACjF,OAAO;YACP,UAAU;SACX,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;QAE7C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtB,OAAO;QACT,CAAC;QAED,MAAM,CAAC,QAAQ,CAAC;YACd,IAAI,EAAE,QAAQ,CAAC,EAAE;YACjB,UAAU,EAAE,QAAQ,CAAC,OAAO;YAC5B,YAAY,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAC5C,SAAS,EAAE,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC;SAC1C,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,OAA6B;IAClF,MAAM,eAAe,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,MAAM,QAAQ,CAAC,MAAM,CAAyB,CAAC;YAC5F,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,uCAAuC;YAChD,QAAQ,EAAE,CAAC,KAAa,EAAE,EAAE;gBAC1B,MAAM,UAAU,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;gBAC1C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,oCAAoC,CAAC;gBACzE,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;oBAC3B,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;wBAAE,OAAO,sBAAsB,CAAC,EAAE,CAAC;gBAC7D,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;SACF,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAEhB,MAAM,UAAU,GAAG,eAAe,CAAC,eAAe,CAAC,CAAC;IAEpD,MAAM,OAAO,GAAG,GAAG,CAAC,+BAA+B,CAAC,CAAC,KAAK,EAAE,CAAC;IAE7D,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,GAAG,CAAC,8BAA8B,SAAS,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5E,OAAO,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;QAE7C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,OAA4C;IACjG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAuB,CAAC;gBAC/D,IAAI,EAAE,SAAS;gBACf,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,4BAA4B,SAAS,GAAG;gBACjD,OAAO,EAAE,KAAK;aACf,CAAC,CAAC,CAAC;QAEJ,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACpC,OAAO;QACT,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,+BAA+B,CAAC,CAAC,KAAK,EAAE,CAAC;IAE7D,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,MAAM,CAAC,8BAA8B,SAAS,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;QAE7C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/commands/ssh-ca/server-groups.d.ts

@@ -0,0 +1,21 @@
+import type { ServerGroupCreateOptions, AccessRuleOptions } from './types.js';
+export declare function listServerGroups(options: {
+    json?: boolean;
+}): Promise<void>;
+export declare function getServerGroup(groupId: string, options: {
+    json?: boolean;
+}): Promise<void>;
+export declare function createServerGroup(options: ServerGroupCreateOptions): Promise<void>;
+export declare function deleteServerGroup(groupId: string, options: {
+    force?: boolean;
+    json?: boolean;
+}): Promise<void>;
+export declare function setAccessRule(groupId: string, options: AccessRuleOptions): Promise<void>;
+export declare function deleteAccessRule(groupId: string, linuxUser: string, options: {
+    force?: boolean;
+    json?: boolean;
+}): Promise<void>;
+export declare function getAuthorizedPrincipals(groupId: string, options: {
+    json?: boolean;
+}): Promise<void>;
+//# sourceMappingURL=server-groups.d.ts.map

package/dist/commands/ssh-ca/server-groups.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server-groups.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh-ca/server-groups.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAIV,wBAAwB,EACxB,iBAAiB,EAClB,MAAM,YAAY,CAAC;AAGpB,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuCjF;AAED,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA+ChG;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CxF;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA6BpH;AAED,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA+C9F;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE;IAAE,KAAK,CAAC,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAC3C,OAAO,CAAC,IAAI,CAAC,CA6Bf;AAED,wBAAsB,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAoCzG"}