@zincapp/znvault-cli 2.29.1 → 2.29.2

package/dist/commands/ssh/connect.js

@@ -0,0 +1,219 @@
+// Path: src/commands/ssh/connect.ts
+import ora from 'ora';
+import * as output from '../../lib/output.js';
+import { getCurrentProfile } from '../../lib/config.js';
+import { getDefaultKeyPath, getCertificatePath, isCertificateValid, signCertificate, } from './helpers.js';
+import { resolveBookmark } from './bookmark.js';
+export function registerConnectCommand(parent) {
+    parent
+        .command('connect <destination> [command...]')
+        .description('SSH to a host using certificate authentication (auto-signs if needed)')
+        .option('-i, --identity <file>', 'Path to SSH private key (default: ~/.ssh/id_ed25519)')
+        .option('-p, --port <port>', 'SSH port', '22')
+        .option('--principals <principals>', 'Principals for signing (admin override, comma-separated)')
+        .option('--ttl <ttl>', 'Certificate TTL (e.g., 8h, 1d)')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--force-sign', 'Force re-signing even if certificate is valid')
+        .option('--dry-run', 'Show what would be done without executing SSH')
+        .option('-v, --verbose', 'Show verbose output')
+        .option('-t', 'Force pseudo-terminal allocation (for interactive commands)')
+        .option('-T', 'Disable pseudo-terminal allocation')
+        .action(async (destination, remoteCommand, options) => {
+        const fs = await import('fs');
+        const path = await import('path');
+        const { spawn } = await import('child_process');
+        // Get profile config for defaults
+        const profile = getCurrentProfile();
+        // Resolve destination: could be a bookmark, user@host, or just host
+        let user;
+        let host;
+        let port = options.port ?? '22';
+        let identityOverride = options.identity;
+        let principalsOverride = options.principals;
+        // Check if destination is a bookmark
+        const bookmark = resolveBookmark(destination);
+        if (bookmark) {
+            host = bookmark.host;
+            user = bookmark.user;
+            if (bookmark.port) {
+                port = bookmark.port.toString();
+            }
+            if (bookmark.identity) {
+                identityOverride = bookmark.identity;
+            }
+            if (bookmark.principals && !options.principals) {
+                principalsOverride = bookmark.principals.join(',');
+            }
+            if (options.verbose) {
+                output.info(`Using bookmark '${destination}' → ${bookmark.host}`);
+            }
+        }
+        else if (destination.includes('@')) {
+            const parts = destination.split('@');
+            user = parts[0];
+            host = parts.slice(1).join('@'); // Handle IPv6 or multiple @
+        }
+        else {
+            host = destination;
+            // Use default user from config if available
+            if (profile.sshUser) {
+                user = profile.sshUser;
+            }
+        }
+        // Command line options override bookmark settings
+        if (options.port && options.port !== '22') {
+            port = options.port;
+        }
+        const verbose = (msg) => {
+            if (options.verbose) {
+                output.info(msg);
+            }
+        };
+        try {
+            // Step 1: Find SSH key
+            let keyPath;
+            if (identityOverride) {
+                keyPath = path.resolve(identityOverride.replace(/^~/, process.env.HOME ?? ''));
+                if (!fs.existsSync(keyPath)) {
+                    output.error(`SSH key not found: ${keyPath}`);
+                    process.exit(1);
+                }
+                verbose(`Using specified key: ${keyPath}`);
+            }
+            else if (profile.sshIdentity && fs.existsSync(profile.sshIdentity)) {
+                // Use configured identity from profile
+                keyPath = profile.sshIdentity;
+                verbose(`Using configured key: ${keyPath}`);
+            }
+            else {
+                const defaultKey = await getDefaultKeyPath();
+                if (!defaultKey) {
+                    output.error('No SSH key found in ~/.ssh/');
+                    output.info('Generate one with: ssh-keygen -t ed25519');
+                    output.info('Or specify a key with: znvault ssh connect -i /path/to/key user@host');
+                    process.exit(1);
+                }
+                keyPath = defaultKey;
+                verbose(`Using default key: ${keyPath}`);
+            }
+            const pubKeyPath = `${keyPath}.pub`;
+            if (!fs.existsSync(pubKeyPath)) {
+                output.error(`Public key not found: ${pubKeyPath}`);
+                process.exit(1);
+            }
+            // Step 2: Check certificate validity
+            const certPath = await getCertificatePath(keyPath);
+            verbose(`Certificate path: ${certPath}`);
+            const certStatus = await isCertificateValid(certPath);
+            const needsSign = options.forceSign || !certStatus.valid;
+            if (options.verbose && !certStatus.valid) {
+                output.warn(`Certificate needs signing: ${certStatus.reason}`);
+            }
+            else if (options.verbose && certStatus.valid) {
+                output.success('Certificate is valid');
+            }
+            // Step 3: Sign if needed
+            if (needsSign) {
+                const spinner = ora('Signing certificate...').start();
+                try {
+                    await signCertificate(pubKeyPath, certPath, principalsOverride, options.ttl, options.tenant);
+                    spinner.succeed('Certificate signed');
+                    // Show certificate info
+                    if (options.verbose) {
+                        const { execSync } = await import('child_process');
+                        try {
+                            const certInfo = execSync(`ssh-keygen -L -f "${certPath}"`, { encoding: 'utf8' });
+                            const principalsMatch = certInfo.match(/Principals:\s*([\s\S]*?)(?=\s+Critical Options:)/);
+                            const validMatch = certInfo.match(/Valid:\s+from\s+(\S+)\s+to\s+(\S+)/);
+                            if (principalsMatch) {
+                                const principals = principalsMatch[1].trim().split('\n').map(p => p.trim()).filter(Boolean);
+                                output.info(`Principals: ${principals.join(', ')}`);
+                            }
+                            if (validMatch) {
+                                output.info(`Valid until: ${validMatch[2]}`);
+                            }
+                        }
+                        catch {
+                            // Ignore cert inspection errors
+                        }
+                    }
+                }
+                catch (err) {
+                    spinner.fail('Failed to sign certificate');
+                    output.error(err instanceof Error ? err.message : String(err));
+                    process.exit(1);
+                }
+            }
+            else if (!options.verbose) {
+                // In non-verbose mode, just mention we're using existing cert
+                output.info('Using existing valid certificate');
+            }
+            // Step 4: Build SSH command
+            const sshArgs = [];
+            // Add identity file (this tells SSH to use our key + cert)
+            sshArgs.push('-i', keyPath);
+            // Add port if not default
+            if (port && port !== '22') {
+                sshArgs.push('-p', port);
+            }
+            // Add TTY allocation flags
+            if (options.t) {
+                sshArgs.push('-t');
+            }
+            else if (options.T) {
+                sshArgs.push('-T');
+            }
+            // Explicitly tell SSH to use the certificate
+            sshArgs.push('-o', `CertificateFile=${certPath}`);
+            // Add destination
+            if (user) {
+                sshArgs.push(`${user}@${host}`);
+            }
+            else {
+                sshArgs.push(host);
+            }
+            // Add remote command if specified
+            if (remoteCommand && remoteCommand.length > 0) {
+                sshArgs.push(...remoteCommand);
+            }
+            // Step 5: Execute SSH
+            if (options.dryRun) {
+                output.section('Dry Run');
+                output.keyValue({
+                    'Key': keyPath,
+                    'Certificate': certPath,
+                    'Host': host,
+                    'User': user ?? '(default)',
+                    'Port': port,
+                    'Principals': principalsOverride ?? '(from mapping)',
+                    'Command': remoteCommand.length > 0 ? remoteCommand.join(' ') : '(interactive shell)',
+                });
+                console.log();
+                output.info(`Would execute: ssh ${sshArgs.join(' ')}`);
+                return;
+            }
+            verbose(`Executing: ssh ${sshArgs.join(' ')}`);
+            // Only print empty line for interactive sessions
+            if (remoteCommand.length === 0) {
+                console.log();
+            }
+            // Spawn SSH with stdio inherited (interactive session)
+            const sshProcess = spawn('ssh', sshArgs, {
+                stdio: 'inherit',
+                env: process.env,
+            });
+            sshProcess.on('close', (code) => {
+                process.exit(code ?? 0);
+            });
+            sshProcess.on('error', (err) => {
+                output.error(`Failed to start SSH: ${err.message}`);
+                process.exit(1);
+            });
+        }
+        catch (err) {
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=connect.js.map

package/dist/commands/ssh/connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connect.js","sourceRoot":"","sources":["../../../src/commands/ssh/connect.ts"],"names":[],"mappings":"AAAA,oCAAoC;AAOpC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,GAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,MAAM,UAAU,sBAAsB,CAAC,MAAe;IACpD,MAAM;SACH,OAAO,CAAC,oCAAoC,CAAC;SAC7C,WAAW,CAAC,uEAAuE,CAAC;SACpF,MAAM,CAAC,uBAAuB,EAAE,sDAAsD,CAAC;SACvF,MAAM,CAAC,mBAAmB,EAAE,UAAU,EAAE,IAAI,CAAC;SAC7C,MAAM,CAAC,2BAA2B,EAAE,0DAA0D,CAAC;SAC/F,MAAM,CAAC,aAAa,EAAE,gCAAgC,CAAC;SACvD,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,cAAc,EAAE,+CAA+C,CAAC;SACvE,MAAM,CAAC,WAAW,EAAE,+CAA+C,CAAC;SACpE,MAAM,CAAC,eAAe,EAAE,qBAAqB,CAAC;SAC9C,MAAM,CAAC,IAAI,EAAE,6DAA6D,CAAC;SAC3E,MAAM,CAAC,IAAI,EAAE,oCAAoC,CAAC;SAClD,MAAM,CAAC,KAAK,EAAE,WAAmB,EAAE,aAAuB,EAAE,OAAuB,EAAE,EAAE;QACtF,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAEhD,kCAAkC;QAClC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QAEpC,oEAAoE;QACpE,IAAI,IAAwB,CAAC;QAC7B,IAAI,IAAY,CAAC;QACjB,IAAI,IAAI,GAAW,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;QACxC,IAAI,gBAAgB,GAAuB,OAAO,CAAC,QAAQ,CAAC;QAC5D,IAAI,kBAAkB,GAAuB,OAAO,CAAC,UAAU,CAAC;QAEhE,qCAAqC;QACrC,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;QAC9C,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;YACrB,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;YACrB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAClB,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClC,CAAC;YACD,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;gBACtB,gBAAgB,GAAG,QAAQ,CAAC,QAAQ,CAAC;YACvC,CAAC;YACD,IAAI,QAAQ,CAAC,UAAU,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;gBAC/C,kBAAkB,GAAG,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACrD,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,CAAC,IAAI,CAAC,mBAAmB,WAAW,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;aAAM,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAChB,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,4BAA4B;QAC/D,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,WAAW,CAAC;YACnB,4CAA4C;YAC5C,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC;YACzB,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YAC1C,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACtB,CAAC;QAED,MAAM,OAAO,GAAG,CAAC,GAAW,EAAE,EAAE;YAC9B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;QACH,CAAC,CAAC;QAEF,IAAI,CAAC;YACH,uBAAuB;YACvB,IAAI,OAAe,CAAC;YACpB,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;gBAC/E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC5B,MAAM,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;oBAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,OAAO,CAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;YAC7C,CAAC;iBAAM,IAAI,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBACrE,uCAAuC;gBACvC,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC;gBAC9B,OAAO,CAAC,yBAAyB,OAAO,EAAE,CAAC,CAAC;YAC9C,CAAC;iBAAM,CAAC;gBACN,MAAM,UAAU,GAAG,MAAM,iBAAiB,EAAE,CAAC;gBAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;oBAC5C,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;oBACxD,MAAM,CAAC,IAAI,CAAC,sEAAsE,CAAC,CAAC;oBACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBACD,OAAO,GAAG,UAAU,CAAC;gBACrB,OAAO,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;YAC3C,CAAC;YAED,MAAM,UAAU,GAAG,GAAG,OAAO,MAAM,CAAC;YACpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC/B,MAAM,CAAC,KAAK,CAAC,yBAAyB,UAAU,EAAE,CAAC,CAAC;gBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YAED,qCAAqC;YACrC,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACnD,OAAO,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;YAEzC,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACtD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;YAEzD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBACzC,MAAM,CAAC,IAAI,CAAC,8BAA8B,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YACjE,CAAC;iBAAM,IAAI,OAAO,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,EAAE,CAAC;gBAC/C,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;YACzC,CAAC;YAED,yBAAyB;YACzB,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,OAAO,GAAG,GAAG,CAAC,wBAAwB,CAAC,CAAC,KAAK,EAAE,CAAC;gBACtD,IAAI,CAAC;oBACH,MAAM,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,kBAAkB,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;oBAC7F,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;oBAEtC,wBAAwB;oBACxB,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;wBACpB,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;wBACnD,IAAI,CAAC;4BACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,qBAAqB,QAAQ,GAAG,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;4BAClF,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;4BAC3F,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;4BAExE,IAAI,eAAe,EAAE,CAAC;gCACpB,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gCAC5F,MAAM,CAAC,IAAI,CAAC,eAAe,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;4BACtD,CAAC;4BACD,IAAI,UAAU,EAAE,CAAC;gCACf,MAAM,CAAC,IAAI,CAAC,gBAAgB,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;4BAC/C,CAAC;wBACH,CAAC;wBAAC,MAAM,CAAC;4BACP,gCAAgC;wBAClC,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;oBAC3C,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBAC5B,8DAA8D;gBAC9D,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YAClD,CAAC;YAED,4BAA4B;YAC5B,MAAM,OAAO,GAAa,EAAE,CAAC;YAE7B,2DAA2D;YAC3D,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAE5B,0BAA0B;YAC1B,IAAI,IAAI,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAC1B,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC3B,CAAC;YAED,2BAA2B;YAC3B,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACd,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;iBAAM,IAAI,OAAO,CAAC,CAAC,EAAE,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;YAED,6CAA6C;YAC7C,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,mBAAmB,QAAQ,EAAE,CAAC,CAAC;YAElD,kBAAkB;YAClB,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;YAED,kCAAkC;YAClC,IAAI,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9C,OAAO,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;YACjC,CAAC;YAED,sBAAsB;YACtB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;gBAC1B,MAAM,CAAC,QAAQ,CAAC;oBACd,KAAK,EAAE,OAAO;oBACd,aAAa,EAAE,QAAQ;oBACvB,MAAM,EAAE,IAAI;oBACZ,MAAM,EAAE,IAAI,IAAI,WAAW;oBAC3B,MAAM,EAAE,IAAI;oBACZ,YAAY,EAAE,kBAAkB,IAAI,gBAAgB;oBACpD,SAAS,EAAE,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,qBAAqB;iBACtF,CAAC,CAAC;gBACH,OAAO,CAAC,GAAG,EAAE,CAAC;gBACd,MAAM,CAAC,IAAI,CAAC,sBAAsB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACvD,OAAO;YACT,CAAC;YAED,OAAO,CAAC,kBAAkB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAE/C,iDAAiD;YACjD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,CAAC;YAED,uDAAuD;YACvD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE;gBACvC,KAAK,EAAE,SAAS;gBAChB,GAAG,EAAE,OAAO,CAAC,GAAG;aACjB,CAAC,CAAC;YAEH,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBAC9B,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;YAC1B,CAAC,CAAC,CAAC;YAEH,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBAC7B,MAAM,CAAC,KAAK,CAAC,wBAAwB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/ssh/exec.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Multi-host command execution
+ */
+import type { Command } from 'commander';
+export declare function registerExecCommand(parent: Command): void;
+//# sourceMappingURL=exec.d.ts.map

package/dist/commands/ssh/exec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh/exec.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAiIzC,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAsJzD"}

package/dist/commands/ssh/exec.js

@@ -0,0 +1,218 @@
+// Path: src/commands/ssh/exec.ts
+import ora from 'ora';
+import * as output from '../../lib/output.js';
+import { getCurrentProfile } from '../../lib/config.js';
+import { getDefaultKeyPath, getCertificatePath, isCertificateValid, signCertificate, } from './helpers.js';
+import { resolveBookmark } from './bookmark.js';
+/**
+ * Resolve a destination to host connection info
+ */
+function resolveDestination(destination, profile) {
+    // Check if it's a bookmark
+    const bookmark = resolveBookmark(destination);
+    if (bookmark) {
+        return {
+            host: bookmark.host,
+            user: bookmark.user ?? profile.sshUser,
+            port: bookmark.port?.toString() ?? '22',
+            displayName: destination,
+        };
+    }
+    // Parse user@host format
+    if (destination.includes('@')) {
+        const parts = destination.split('@');
+        const user = parts[0];
+        const host = parts.slice(1).join('@');
+        return { host, user, port: '22', displayName: destination };
+    }
+    // Just a host
+    return {
+        host: destination,
+        user: profile.sshUser,
+        port: '22',
+        displayName: destination,
+    };
+}
+/**
+ * Execute command on a single host
+ */
+async function executeOnHost(command, hostInfo, keyPath, certPath, options) {
+    const { execSync } = await import('child_process');
+    const sshArgs = [
+        '-i', keyPath,
+        '-o', 'CertificateFile=' + certPath,
+        '-o', 'BatchMode=yes',
+        '-o', 'StrictHostKeyChecking=accept-new',
+        '-o', 'ConnectTimeout=' + (options.timeout ?? '10'),
+    ];
+    if (hostInfo.port !== '22') {
+        sshArgs.push('-p', hostInfo.port);
+    }
+    const destination = hostInfo.user
+        ? hostInfo.user + '@' + hostInfo.host
+        : hostInfo.host;
+    sshArgs.push(destination, command);
+    try {
+        const stdout = execSync('ssh ' + sshArgs.map(a => a.includes(' ') ? '"' + a + '"' : a).join(' '), {
+            encoding: 'utf8',
+            timeout: parseInt(options.timeout ?? '30') * 1000,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        return {
+            host: hostInfo.host,
+            displayName: hostInfo.displayName,
+            success: true,
+            exitCode: 0,
+            stdout: stdout.trim(),
+            stderr: '',
+        };
+    }
+    catch (err) {
+        const error = err;
+        return {
+            host: hostInfo.host,
+            displayName: hostInfo.displayName,
+            success: false,
+            exitCode: error.status ?? 1,
+            stdout: (error.stdout ?? '').toString().trim(),
+            stderr: (error.stderr ?? '').toString().trim(),
+            error: error.message,
+        };
+    }
+}
+export function registerExecCommand(parent) {
+    parent
+        .command('exec <command> <hosts...>')
+        .description('Execute command on multiple hosts')
+        .option('-i, --identity <file>', 'Path to SSH private key')
+        .option('-p, --port <port>', 'SSH port (can be overridden per-host via bookmarks)')
+        .option('--principals <principals>', 'Principals for signing (admin override)')
+        .option('--ttl <ttl>', 'Certificate TTL (e.g., 8h, 1d)')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--force-sign', 'Force re-signing certificate')
+        .option('--parallel', 'Run on all hosts in parallel (default: sequential)')
+        .option('--fail-fast', 'Stop on first failure (sequential mode only)')
+        .option('--timeout <seconds>', 'Connection timeout per host', '30')
+        .option('-q, --quiet', 'Only show output, no status messages')
+        .action(async (command, hosts, options) => {
+        const fs = await import('fs');
+        const pathModule = await import('path');
+        const profile = getCurrentProfile();
+        // Resolve all hosts first
+        const resolvedHosts = hosts.map(h => resolveDestination(h, profile));
+        if (!options.quiet) {
+            output.section('Multi-Host Execution');
+            output.info('Command: ' + command);
+            output.info('Hosts: ' + resolvedHosts.map(h => h.displayName).join(', '));
+            output.info('Mode: ' + (options.parallel ? 'parallel' : 'sequential'));
+            console.log();
+        }
+        // Find SSH key
+        let keyPath;
+        if (options.identity) {
+            keyPath = pathModule.resolve(options.identity.replace(/^~/, process.env.HOME ?? ''));
+            if (!fs.existsSync(keyPath)) {
+                output.error('SSH key not found: ' + keyPath);
+                process.exit(1);
+            }
+        }
+        else if (profile.sshIdentity && fs.existsSync(profile.sshIdentity)) {
+            keyPath = profile.sshIdentity;
+        }
+        else {
+            const defaultKey = await getDefaultKeyPath();
+            if (!defaultKey) {
+                output.error('No SSH key found');
+                process.exit(1);
+            }
+            keyPath = defaultKey;
+        }
+        const pubKeyPath = keyPath + '.pub';
+        if (!fs.existsSync(pubKeyPath)) {
+            output.error('Public key not found: ' + pubKeyPath);
+            process.exit(1);
+        }
+        // Check/sign certificate
+        const certPath = await getCertificatePath(keyPath);
+        const certStatus = await isCertificateValid(certPath);
+        if (options.forceSign || !certStatus.valid) {
+            const spinner = ora('Signing certificate...').start();
+            try {
+                await signCertificate(pubKeyPath, certPath, options.principals, options.ttl, options.tenant);
+                spinner.succeed('Certificate signed');
+            }
+            catch (err) {
+                spinner.fail('Failed to sign certificate');
+                output.error(err instanceof Error ? err.message : String(err));
+                process.exit(1);
+            }
+        }
+        // Execute on hosts
+        const results = [];
+        let hasFailure = false;
+        if (options.parallel) {
+            // Parallel execution
+            const spinner = ora('Executing on ' + resolvedHosts.length + ' hosts...').start();
+            const promises = resolvedHosts.map(hostInfo => executeOnHost(command, hostInfo, keyPath, certPath, options));
+            const parallelResults = await Promise.all(promises);
+            results.push(...parallelResults);
+            const successCount = results.filter(r => r.success).length;
+            spinner.stop();
+            if (!options.quiet) {
+                output.info('Completed: ' + successCount + '/' + results.length + ' succeeded');
+                console.log();
+            }
+        }
+        else {
+            // Sequential execution
+            for (const hostInfo of resolvedHosts) {
+                if (!options.quiet) {
+                    process.stdout.write('● ' + hostInfo.displayName + '... ');
+                }
+                const result = await executeOnHost(command, hostInfo, keyPath, certPath, options);
+                results.push(result);
+                if (!options.quiet) {
+                    if (result.success) {
+                        console.log('\x1b[32m✓\x1b[0m');
+                    }
+                    else {
+                        console.log('\x1b[31m✗\x1b[0m (exit ' + result.exitCode + ')');
+                    }
+                }
+                if (!result.success) {
+                    hasFailure = true;
+                    if (options.failFast) {
+                        output.warn('Stopping due to --fail-fast');
+                        break;
+                    }
+                }
+            }
+            console.log();
+        }
+        // Display results
+        for (const result of results) {
+            output.section(result.displayName + (result.success ? '' : ' (FAILED)'));
+            if (result.stdout) {
+                console.log(result.stdout);
+            }
+            if (result.stderr) {
+                console.log('\x1b[33m' + result.stderr + '\x1b[0m');
+            }
+            if (!result.stdout && !result.stderr && result.error) {
+                output.error(result.error);
+            }
+            console.log();
+        }
+        // Summary
+        const successCount = results.filter(r => r.success).length;
+        const failCount = results.filter(r => !r.success).length;
+        if (failCount > 0) {
+            output.warn('Summary: ' + successCount + ' succeeded, ' + failCount + ' failed');
+            process.exit(1);
+        }
+        else {
+            output.success('All ' + successCount + ' hosts completed successfully');
+        }
+    });
+}
+//# sourceMappingURL=exec.js.map

package/dist/commands/ssh/exec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exec.js","sourceRoot":"","sources":["../../../src/commands/ssh/exec.ts"],"names":[],"mappings":"AAAA,iCAAiC;AAOjC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,GAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAyBhD;;GAEG;AACH,SAAS,kBAAkB,CACzB,WAAmB,EACnB,OAA6B;IAE7B,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;IAC9C,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,OAAO,CAAC,OAAO;YACtC,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,QAAQ,EAAE,IAAI,IAAI;YACvC,WAAW,EAAE,WAAW;SACzB,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;IAC9D,CAAC;IAED,cAAc;IACd,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,OAAO,CAAC,OAAO;QACrB,IAAI,EAAE,IAAI;QACV,WAAW,EAAE,WAAW;KACzB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,OAAe,EACf,QAA4E,EAC5E,OAAe,EACf,QAAgB,EAChB,OAAoB;IAEpB,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IAEnD,MAAM,OAAO,GAAa;QACxB,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,kBAAkB,GAAG,QAAQ;QACnC,IAAI,EAAE,eAAe;QACrB,IAAI,EAAE,kCAAkC;QACxC,IAAI,EAAE,iBAAiB,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC;KACpD,CAAC;IAEF,IAAI,QAAQ,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;QAC3B,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI;QAC/B,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,GAAG,GAAG,QAAQ,CAAC,IAAI;QACrC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC;IAElB,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;YAChG,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,IAAI;YACjD,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;SAChC,CAAC,CAAC;QAEH,OAAO;YACL,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,CAAC;YACX,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE;YACrB,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,GAA8E,CAAC;QAC7F,OAAO;YACL,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,OAAO,EAAE,KAAK;YACd,QAAQ,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;YAC3B,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE;YAC9C,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE;YAC9C,KAAK,EAAE,KAAK,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAe;IACjD,MAAM;SACH,OAAO,CAAC,2BAA2B,CAAC;SACpC,WAAW,CAAC,mCAAmC,CAAC;SAChD,MAAM,CAAC,uBAAuB,EAAE,yBAAyB,CAAC;SAC1D,MAAM,CAAC,mBAAmB,EAAE,qDAAqD,CAAC;SAClF,MAAM,CAAC,2BAA2B,EAAE,yCAAyC,CAAC;SAC9E,MAAM,CAAC,aAAa,EAAE,gCAAgC,CAAC;SACvD,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,cAAc,EAAE,8BAA8B,CAAC;SACtD,MAAM,CAAC,YAAY,EAAE,oDAAoD,CAAC;SAC1E,MAAM,CAAC,aAAa,EAAE,8CAA8C,CAAC;SACrE,MAAM,CAAC,qBAAqB,EAAE,6BAA6B,EAAE,IAAI,CAAC;SAClE,MAAM,CAAC,aAAa,EAAE,sCAAsC,CAAC;SAC7D,MAAM,CAAC,KAAK,EAAE,OAAe,EAAE,KAAe,EAAE,OAAoB,EAAE,EAAE;QACvE,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAExC,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;QAEpC,0BAA0B;QAC1B,MAAM,aAAa,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAErE,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACnB,MAAM,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;YACvC,MAAM,CAAC,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YAC1E,MAAM,CAAC,IAAI,CAAC,QAAQ,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;YACvE,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,eAAe;QACf,IAAI,OAAe,CAAC;QACpB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;YACrF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5B,MAAM,CAAC,KAAK,CAAC,qBAAqB,GAAG,OAAO,CAAC,CAAC;gBAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;aAAM,IAAI,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YACrE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,MAAM,UAAU,GAAG,MAAM,iBAAiB,EAAE,CAAC;YAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,OAAO,GAAG,UAAU,CAAC;QACvB,CAAC;QAED,MAAM,UAAU,GAAG,OAAO,GAAG,MAAM,CAAC;QACpC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,KAAK,CAAC,wBAAwB,GAAG,UAAU,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,yBAAyB;QACzB,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QACnD,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAEtD,IAAI,OAAO,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG,GAAG,CAAC,wBAAwB,CAAC,CAAC,KAAK,EAAE,CAAC;YACtD,IAAI,CAAC;gBACH,MAAM,eAAe,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC7F,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;YACxC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBAC3C,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,IAAI,UAAU,GAAG,KAAK,CAAC;QAEvB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,qBAAqB;YACrB,MAAM,OAAO,GAAG,GAAG,CAAC,eAAe,GAAG,aAAa,CAAC,MAAM,GAAG,WAAW,CAAC,CAAC,KAAK,EAAE,CAAC;YAElF,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAC5C,aAAa,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAC7D,CAAC;YAEF,MAAM,eAAe,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;YAEjC,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAC3D,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,CAAC,IAAI,CAAC,aAAa,GAAG,YAAY,GAAG,GAAG,GAAG,OAAO,CAAC,MAAM,GAAG,YAAY,CAAC,CAAC;gBAChF,OAAO,CAAC,GAAG,EAAE,CAAC;YAChB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,uBAAuB;YACvB,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACrC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;oBACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,QAAQ,CAAC,WAAW,GAAG,MAAM,CAAC,CAAC;gBAC7D,CAAC;gBAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClF,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBAErB,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;oBACnB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;oBAClC,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,GAAG,CAAC,yBAAyB,GAAG,MAAM,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC;oBACjE,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpB,UAAU,GAAG,IAAI,CAAC;oBAClB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;wBACrB,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;wBAC3C,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,kBAAkB;QAClB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;YAEzE,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;YACtD,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACrD,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC7B,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;QAED,UAAU;QACV,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;QAC3D,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;QAEzD,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,WAAW,GAAG,YAAY,GAAG,cAAc,GAAG,SAAS,GAAG,SAAS,CAAC,CAAC;YACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,YAAY,GAAG,+BAA+B,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/ssh/helpers.d.ts

@@ -0,0 +1,46 @@
+import { formatTtl, parseTtl } from '../../lib/format-helpers.js';
+export { formatTtl, parseTtl };
+/**
+ * Get path to the default SSH key
+ */
+export declare function getDefaultKeyPath(): Promise<string | null>;
+/**
+ * Get the certificate path for a given key path
+ */
+export declare function getCertificatePath(keyPath: string): Promise<string>;
+/**
+ * Check if a certificate is valid (exists and not expired)
+ */
+export declare function isCertificateValid(certPath: string): Promise<{
+    valid: boolean;
+    reason?: string;
+}>;
+/**
+ * Sign a certificate using the vault API
+ */
+export declare function signCertificate(publicKeyPath: string, certPath: string, principals?: string, ttl?: string, tenant?: string): Promise<void>;
+/**
+ * Check if a certificate is expired
+ */
+export declare function isExpired(validBefore: string): boolean;
+/**
+ * Build tenant query string parameter
+ */
+export declare function buildTenantQuery(tenant?: string): string;
+/**
+ * Parse local certificate details using ssh-keygen
+ */
+export declare function parseCertificateInfo(certPath: string): Promise<{
+    valid: boolean;
+    principals: string[];
+    validAfter: Date | null;
+    validBefore: Date | null;
+    fingerprint: string | null;
+    keyId: string | null;
+    serial: string | null;
+}>;
+/**
+ * Format remaining time as human-readable string
+ */
+export declare function formatRemainingTime(validBefore: Date): string;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/commands/ssh/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh/helpers.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAIlE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAE/B;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAgBhE;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAKzE;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BvG;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,EAChB,UAAU,CAAC,EAAE,MAAM,EACnB,GAAG,CAAC,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,IAAI,CAAC,CAsBf;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAExD;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;IACpE,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,CAAC,CAiED;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,IAAI,GAAG,MAAM,CAmB7D"}