@zincapp/znvault-cli 2.29.1 → 2.29.3

package/dist/commands/ssh/helpers.js

@@ -0,0 +1,175 @@
+// Path: src/commands/ssh/helpers.ts
+/**
+ * SSH CA command helper functions
+ */
+import { client } from '../../lib/client.js';
+import { formatTtl, parseTtl } from '../../lib/format-helpers.js';
+// Re-export common formatters from centralized location
+export { formatTtl, parseTtl };
+/**
+ * Get path to the default SSH key
+ */
+export async function getDefaultKeyPath() {
+    const fs = await import('fs');
+    const path = await import('path');
+    const os = await import('os');
+    const sshDir = path.join(os.homedir(), '.ssh');
+    const keyTypes = ['id_ed25519', 'id_ecdsa', 'id_rsa'];
+    for (const keyType of keyTypes) {
+        const keyPath = path.join(sshDir, keyType);
+        const pubPath = path.join(sshDir, `${keyType}.pub`);
+        if (fs.existsSync(keyPath) && fs.existsSync(pubPath)) {
+            return keyPath;
+        }
+    }
+    return null;
+}
+/**
+ * Get the certificate path for a given key path
+ */
+export async function getCertificatePath(keyPath) {
+    const path = await import('path');
+    const dir = path.dirname(keyPath);
+    const base = path.basename(keyPath);
+    return path.join(dir, `${base}-cert.pub`);
+}
+/**
+ * Check if a certificate is valid (exists and not expired)
+ */
+export async function isCertificateValid(certPath) {
+    const fs = await import('fs');
+    const { execSync } = await import('child_process');
+    if (!fs.existsSync(certPath)) {
+        return { valid: false, reason: 'Certificate does not exist' };
+    }
+    try {
+        // Use ssh-keygen -L to inspect the certificate
+        const output = execSync(`ssh-keygen -L -f "${certPath}"`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+        // Parse "Valid: from YYYY-MM-DDTHH:MM:SS to YYYY-MM-DDTHH:MM:SS"
+        const validMatch = output.match(/Valid:\s+from\s+(\S+)\s+to\s+(\S+)/);
+        if (!validMatch) {
+            return { valid: false, reason: 'Could not parse certificate validity' };
+        }
+        const validBefore = new Date(validMatch[2]);
+        const now = new Date();
+        // Check if expired (with 5 minute buffer)
+        if (validBefore.getTime() - now.getTime() < 5 * 60 * 1000) {
+            return { valid: false, reason: 'Certificate expired or expiring soon' };
+        }
+        return { valid: true };
+    }
+    catch {
+        return { valid: false, reason: 'Failed to inspect certificate' };
+    }
+}
+/**
+ * Sign a certificate using the vault API
+ */
+export async function signCertificate(publicKeyPath, certPath, principals, ttl, tenant) {
+    const fs = await import('fs');
+    const publicKey = fs.readFileSync(publicKeyPath, 'utf8').trim();
+    const query = tenant ? `?tenantId=${encodeURIComponent(tenant)}` : '';
+    const body = { publicKey };
+    if (ttl) {
+        body.ttlSeconds = parseTtl(ttl);
+    }
+    if (principals) {
+        body.principals = principals.split(',').map(p => p.trim());
+    }
+    const result = await client.post(`/v1/ssh/sign${query}`, body);
+    fs.writeFileSync(certPath, result.certificate + '\n');
+}
+/**
+ * Check if a certificate is expired
+ */
+export function isExpired(validBefore) {
+    return new Date(validBefore) < new Date();
+}
+/**
+ * Build tenant query string parameter
+ */
+export function buildTenantQuery(tenant) {
+    return tenant ? `?tenantId=${encodeURIComponent(tenant)}` : '';
+}
+/**
+ * Parse local certificate details using ssh-keygen
+ */
+export async function parseCertificateInfo(certPath) {
+    const fs = await import('fs');
+    const { execSync } = await import('child_process');
+    if (!fs.existsSync(certPath)) {
+        return {
+            valid: false,
+            principals: [],
+            validAfter: null,
+            validBefore: null,
+            fingerprint: null,
+            keyId: null,
+            serial: null,
+        };
+    }
+    try {
+        const output = execSync(`ssh-keygen -L -f "${certPath}"`, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+        // Parse principals
+        const principals = [];
+        const principalsMatch = output.match(/Principals:\s*([\s\S]*?)(?=\s+Critical Options:)/);
+        if (principalsMatch) {
+            const lines = principalsMatch[1].trim().split('\n');
+            for (const line of lines) {
+                const principal = line.trim();
+                if (principal) {
+                    principals.push(principal);
+                }
+            }
+        }
+        // Parse validity
+        const validMatch = output.match(/Valid:\s+from\s+(\S+)\s+to\s+(\S+)/);
+        const validAfter = validMatch ? new Date(validMatch[1]) : null;
+        const validBefore = validMatch ? new Date(validMatch[2]) : null;
+        // Parse fingerprint
+        const fpMatch = output.match(/Public key:.*?(\S+:\S+)/);
+        const fingerprint = fpMatch ? fpMatch[1] : null;
+        // Parse key ID
+        const keyIdMatch = output.match(/Key ID:\s*"([^"]+)"/);
+        const keyId = keyIdMatch ? keyIdMatch[1] : null;
+        // Parse serial
+        const serialMatch = output.match(/Serial:\s*(\d+)/);
+        const serial = serialMatch ? serialMatch[1] : null;
+        // Check validity
+        const now = new Date();
+        const valid = validBefore ? validBefore.getTime() > now.getTime() : false;
+        return { valid, principals, validAfter, validBefore, fingerprint, keyId, serial };
+    }
+    catch {
+        return {
+            valid: false,
+            principals: [],
+            validAfter: null,
+            validBefore: null,
+            fingerprint: null,
+            keyId: null,
+            serial: null,
+        };
+    }
+}
+/**
+ * Format remaining time as human-readable string
+ */
+export function formatRemainingTime(validBefore) {
+    const now = new Date();
+    const diff = validBefore.getTime() - now.getTime();
+    if (diff <= 0) {
+        return 'expired';
+    }
+    const hours = Math.floor(diff / (1000 * 60 * 60));
+    const minutes = Math.floor((diff % (1000 * 60 * 60)) / (1000 * 60));
+    if (hours > 24) {
+        const days = Math.floor(hours / 24);
+        return `${days}d ${hours % 24}h`;
+    }
+    if (hours > 0) {
+        return `${hours}h ${minutes}m`;
+    }
+    return `${minutes}m`;
+}
+//# sourceMappingURL=helpers.js.map

package/dist/commands/ssh/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/commands/ssh/helpers.ts"],"names":[],"mappings":"AAAA,oCAAoC;AAEpC;;GAEG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,6BAA6B,CAAC;AAGlE,wDAAwD;AACxD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AAE/B;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,CAAC,YAAY,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAEtD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,OAAO,MAAM,CAAC,CAAC;QACpD,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAe;IACtD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,WAAW,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,QAAgB;IACvD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IAEnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IAChE,CAAC;IAED,IAAI,CAAC;QACH,+CAA+C;QAC/C,MAAM,MAAM,GAAG,QAAQ,CAAC,qBAAqB,QAAQ,GAAG,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAEjH,iEAAiE;QACjE,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACtE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAC;QAC1E,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,0CAA0C;QAC1C,IAAI,WAAW,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;YAC1D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;IACnE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAAqB,EACrB,QAAgB,EAChB,UAAmB,EACnB,GAAY,EACZ,MAAe;IAEf,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAChE,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,aAAa,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAQtE,MAAM,IAAI,GAAa,EAAE,SAAS,EAAE,CAAC;IACrC,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,CAAC,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAa,eAAe,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;IAC3E,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,WAAmB;IAC3C,OAAO,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAe;IAC9C,OAAO,MAAM,CAAC,CAAC,CAAC,aAAa,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,QAAgB;IASzD,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;IAEnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,WAAW,EAAE,IAAI;YACjB,WAAW,EAAE,IAAI;YACjB,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,qBAAqB,QAAQ,GAAG,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QAEjH,mBAAmB;QACnB,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACzF,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,KAAK,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACpD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC9B,IAAI,SAAS,EAAE,CAAC;oBACd,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAC7B,CAAC;YACH,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACtE,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC/D,MAAM,WAAW,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAEhE,oBAAoB;QACpB,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QACxD,MAAM,WAAW,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAEhD,eAAe;QACf,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACvD,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAEhD,eAAe;QACf,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAEnD,iBAAiB;QACjB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QAE1E,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,IAAI;YAChB,WAAW,EAAE,IAAI;YACjB,WAAW,EAAE,IAAI;YACjB,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,IAAI;SACb,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAAiB;IACnD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;IAEnD,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC;QACd,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC;IAEpE,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;QACf,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;QACpC,OAAO,GAAG,IAAI,KAAK,KAAK,GAAG,EAAE,GAAG,CAAC;IACnC,CAAC;IACD,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;QACd,OAAO,GAAG,KAAK,KAAK,OAAO,GAAG,CAAC;IACjC,CAAC;IACD,OAAO,GAAG,OAAO,GAAG,CAAC;AACvB,CAAC"}

package/dist/commands/ssh/hosts.d.ts

@@ -0,0 +1,6 @@
+/**
+ * SSH host discovery from registered agents
+ */
+import type { Command } from 'commander';
+export declare function registerHostsCommand(parent: Command): void;
+//# sourceMappingURL=hosts.d.ts.map

package/dist/commands/ssh/hosts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hosts.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh/hosts.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA4BzC,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAsF1D"}

package/dist/commands/ssh/hosts.js

@@ -0,0 +1,101 @@
+// Path: src/commands/ssh/hosts.ts
+import ora from 'ora';
+import { client } from '../../lib/client.js';
+import * as output from '../../lib/output.js';
+export function registerHostsCommand(parent) {
+    parent
+        .command('hosts')
+        .description('List available hosts from registered agents')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--online-only', 'Show only online agents')
+        .option('--json', 'Output as JSON')
+        .action(async (options) => {
+        const spinner = ora('Fetching hosts...').start();
+        try {
+            const params = new URLSearchParams();
+            if (options.tenant)
+                params.set('tenantId', options.tenant);
+            params.set('limit', '100');
+            const queryString = params.toString();
+            const url = queryString ? '/v1/agents?' + queryString : '/v1/agents';
+            const response = await client.get(url);
+            spinner.stop();
+            // Handle both array and paginated response formats
+            let agents;
+            if (Array.isArray(response)) {
+                agents = response;
+            }
+            else if (response && 'items' in response) {
+                agents = response.items ?? [];
+            }
+            else {
+                agents = [];
+            }
+            // Filter online only if requested
+            if (options.onlineOnly) {
+                agents = agents.filter(a => a.status === 'online');
+            }
+            if (options.json) {
+                output.json(agents.map(a => ({
+                    id: a.id,
+                    name: a.name,
+                    hostname: a.hostname,
+                    ip: a.ip,
+                    status: a.status,
+                    lastSeen: a.lastSeen,
+                    hostConfig: a.hostConfigName,
+                })));
+                return;
+            }
+            if (agents.length === 0) {
+                output.info('No hosts found');
+                if (options.onlineOnly) {
+                    output.info('Try without --online-only to see all hosts');
+                }
+                return;
+            }
+            output.section('Available Hosts');
+            output.table(['Name', 'Hostname', 'IP', 'Status', 'Last Seen', 'Config'], agents.map(a => [
+                a.name,
+                a.hostname ?? '-',
+                a.ip ?? '-',
+                a.status === 'online' ? '● Online' : a.status === 'offline' ? '○ Offline' : '? Unknown',
+                a.lastSeen ? formatLastSeen(a.lastSeen) : '-',
+                a.hostConfigName ?? '-',
+            ]));
+            output.info('Total: ' + agents.length + ' host(s)');
+            // Show connection hint
+            if (agents.some(a => a.ip)) {
+                console.log();
+                const firstWithIp = agents.find(a => a.ip);
+                if (firstWithIp) {
+                    output.info('Connect: znvault ssh connect ' + firstWithIp.ip);
+                    output.info('Or add a bookmark: znvault ssh bookmark add ' + firstWithIp.name + ' ' + firstWithIp.ip);
+                }
+            }
+        }
+        catch (err) {
+            spinner.fail('Failed to fetch hosts');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+function formatLastSeen(lastSeen) {
+    const date = new Date(lastSeen);
+    const now = new Date();
+    const diff = now.getTime() - date.getTime();
+    const minutes = Math.floor(diff / (1000 * 60));
+    const hours = Math.floor(diff / (1000 * 60 * 60));
+    const days = Math.floor(diff / (1000 * 60 * 60 * 24));
+    if (minutes < 1)
+        return 'just now';
+    if (minutes < 60)
+        return minutes + 'm ago';
+    if (hours < 24)
+        return hours + 'h ago';
+    if (days < 7)
+        return days + 'd ago';
+    return date.toLocaleDateString();
+}
+//# sourceMappingURL=hosts.js.map

package/dist/commands/ssh/hosts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hosts.js","sourceRoot":"","sources":["../../../src/commands/ssh/hosts.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAOlC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAyB9C,MAAM,UAAU,oBAAoB,CAAC,MAAe;IAClD,MAAM;SACH,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,6CAA6C,CAAC;SAC1D,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,eAAe,EAAE,yBAAyB,CAAC;SAClD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,OAAkE,EAAE,EAAE;QACnF,MAAM,OAAO,GAAG,GAAG,CAAC,mBAAmB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEjD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,MAAM;gBAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAC3D,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAE3B,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAC,aAAa,GAAG,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC;YACrE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAA8B,GAAG,CAAC,CAAC;YACpE,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,mDAAmD;YACnD,IAAI,MAAe,CAAC;YACpB,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,MAAM,GAAG,QAAQ,CAAC;YACpB,CAAC;iBAAM,IAAI,QAAQ,IAAI,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC3C,MAAM,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;YAChC,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,EAAE,CAAC;YACd,CAAC;YAED,kCAAkC;YAClC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC;YACrD,CAAC;YAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC3B,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,EAAE,EAAE,CAAC,CAAC,EAAE;oBACR,MAAM,EAAE,CAAC,CAAC,MAAM;oBAChB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,UAAU,EAAE,CAAC,CAAC,cAAc;iBAC7B,CAAC,CAAC,CAAC,CAAC;gBACL,OAAO;YACT,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;gBAC9B,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;oBACvB,MAAM,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;gBAC5D,CAAC;gBACD,OAAO;YACT,CAAC;YAED,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAClC,MAAM,CAAC,KAAK,CACV,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,EAC3D,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACd,CAAC,CAAC,IAAI;gBACN,CAAC,CAAC,QAAQ,IAAI,GAAG;gBACjB,CAAC,CAAC,EAAE,IAAI,GAAG;gBACX,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,WAAW;gBACvF,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG;gBAC7C,CAAC,CAAC,cAAc,IAAI,GAAG;aACxB,CAAC,CACH,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,CAAC;YAEpD,uBAAuB;YACvB,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,EAAE,CAAC;gBACd,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC3C,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,CAAC,IAAI,CAAC,+BAA+B,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;oBAC9D,MAAM,CAAC,IAAI,CAAC,8CAA8C,GAAG,WAAW,CAAC,IAAI,GAAG,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;gBACxG,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACtC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;IAE5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAEtD,IAAI,OAAO,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,OAAO,GAAG,EAAE;QAAE,OAAO,OAAO,GAAG,OAAO,CAAC;IAC3C,IAAI,KAAK,GAAG,EAAE;QAAE,OAAO,KAAK,GAAG,OAAO,CAAC;IACvC,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,GAAG,OAAO,CAAC;IACpC,OAAO,IAAI,CAAC,kBAAkB,EAAE,CAAC;AACnC,CAAC"}

package/dist/commands/ssh/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * SSH Certificate Authority commands
+ *
+ * This module provides comprehensive SSH CA management including:
+ * - CA lifecycle (init, status, delete, public-key)
+ * - Certificate signing and management
+ * - Principal mappings (SSO groups → SSH principals)
+ * - Server groups with access rules
+ * - Local SSH configuration and defaults
+ * - Host bookmarks for quick access
+ * - Host discovery from registered agents
+ * - SCP file transfer with certificate auth
+ * - Convenience connect command with auto-signing
+ *
+ * Quick connect shortcut:
+ *   znvault ssh user@host          # Direct connection
+ *   znvault ssh my-bookmark        # Connect via bookmark
+ */
+import type { Command } from 'commander';
+export declare function registerSSHCommands(program: Command): void;
+export * from './types.js';
+export { getDefaultKeyPath, getCertificatePath, isCertificateValid, signCertificate, formatTtl, parseTtl, isExpired, buildTenantQuery, parseCertificateInfo, formatRemainingTime, } from './helpers.js';
+export { resolveBookmark } from './bookmark.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/ssh/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh/index.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA6DzC,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAmD1D;AAGD,cAAc,YAAY,CAAC;AAG3B,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EACf,SAAS,EACT,QAAQ,EACR,SAAS,EACT,gBAAgB,EAChB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC"}

package/dist/commands/ssh/index.js

@@ -0,0 +1,109 @@
+// Path: src/commands/ssh/index.ts
+import { registerCACommands } from './ca.js';
+import { registerCertCommands } from './cert.js';
+import { registerMappingCommands } from './mapping.js';
+import { registerServerGroupCommands } from './server-group.js';
+import { registerConfigCommands } from './config.js';
+import { registerConnectCommand, executeConnect } from './connect.js';
+import { registerBookmarkCommands, resolveBookmark } from './bookmark.js';
+import { registerSCPCommand } from './scp.js';
+import { registerHostsCommand } from './hosts.js';
+import { registerExecCommand } from './exec.js';
+// Known subcommands that should NOT be treated as destinations
+const SSH_SUBCOMMANDS = new Set([
+    'ca', 'cert', 'mapping', 'server-group', 'config',
+    'bookmark', 'bm', 'hosts', 'scp', 'connect', 'exec',
+    'help', '--help', '-h',
+]);
+/**
+ * Check if a string looks like an SSH destination rather than a subcommand
+ */
+function looksLikeDestination(arg) {
+    // Known subcommand - definitely not a destination
+    if (SSH_SUBCOMMANDS.has(arg)) {
+        return false;
+    }
+    // Contains @ - it's user@host format
+    if (arg.includes('@')) {
+        return true;
+    }
+    // Is a bookmark
+    if (resolveBookmark(arg)) {
+        return true;
+    }
+    // Looks like an IP address (v4 or v6)
+    if (/^[\d.:]+$/.test(arg) || arg.startsWith('[')) {
+        return true;
+    }
+    // Contains dots - likely a hostname
+    if (arg.includes('.')) {
+        return true;
+    }
+    // Short hostname without dots - could be a bookmark or local host
+    // Only treat as destination if it doesn't look like a flag
+    if (!arg.startsWith('-') && /^[a-zA-Z0-9][\w-]*$/.test(arg)) {
+        // Could be an unknown subcommand or a simple hostname
+        // Be conservative: only treat as destination if it resolves to a bookmark
+        // This prevents `znvault ssh typo` from trying to connect
+        return false;
+    }
+    return false;
+}
+export function registerSSHCommands(program) {
+    const ssh = program
+        .command('ssh')
+        .description('SSH CA management and quick connect (znvault ssh user@host)')
+        .argument('[destination]', 'Host to connect to (user@host or bookmark name)')
+        .argument('[command...]', 'Remote command to execute')
+        .option('-i, --identity <file>', 'Path to SSH private key')
+        .option('-p, --port <port>', 'SSH port', '22')
+        .option('--principals <principals>', 'Principals for signing (comma-separated)')
+        .option('--ttl <ttl>', 'Certificate TTL (e.g., 8h, 1d)')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--force-sign', 'Force re-signing even if certificate is valid')
+        .option('--dry-run', 'Show what would be done without executing SSH')
+        .option('-v, --verbose', 'Show verbose output')
+        .option('-t', 'Force pseudo-terminal allocation')
+        .option('-T', 'Disable pseudo-terminal allocation')
+        .allowUnknownOption(false)
+        .action(async (destination, remoteCommand, options) => {
+        // If no destination provided, show help
+        if (!destination) {
+            ssh.outputHelp();
+            return;
+        }
+        // Check if it looks like a destination
+        if (looksLikeDestination(destination)) {
+            await executeConnect(destination, remoteCommand, options);
+        }
+        else {
+            // Not a destination - might be a typo or unknown subcommand
+            // Show help with a hint
+            console.error(`Unknown subcommand or destination: ${destination}`);
+            console.error('');
+            console.error('For quick connect, use: znvault ssh user@host');
+            console.error('For subcommands, use:  znvault ssh <command> --help');
+            console.error('');
+            ssh.outputHelp();
+            process.exit(1);
+        }
+    });
+    // Register all sub-command groups
+    registerCACommands(ssh);
+    registerCertCommands(ssh);
+    registerMappingCommands(ssh);
+    registerServerGroupCommands(ssh);
+    registerConfigCommands(ssh);
+    registerBookmarkCommands(ssh);
+    registerHostsCommand(ssh);
+    registerSCPCommand(ssh);
+    registerConnectCommand(ssh);
+    registerExecCommand(ssh);
+}
+// Re-export types for external use
+export * from './types.js';
+// Re-export helpers for potential reuse
+export { getDefaultKeyPath, getCertificatePath, isCertificateValid, signCertificate, formatTtl, parseTtl, isExpired, buildTenantQuery, parseCertificateInfo, formatRemainingTime, } from './helpers.js';
+// Re-export bookmark resolver
+export { resolveBookmark } from './bookmark.js';
+//# sourceMappingURL=index.js.map

package/dist/commands/ssh/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/ssh/index.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAsBlC,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,EAAE,2BAA2B,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,sBAAsB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AACtE,OAAO,EAAE,wBAAwB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAGhD,+DAA+D;AAC/D,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,QAAQ;IACjD,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM;IACnD,MAAM,EAAE,QAAQ,EAAE,IAAI;CACvB,CAAC,CAAC;AAEH;;GAEG;AACH,SAAS,oBAAoB,CAAC,GAAW;IACvC,kDAAkD;IAClD,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gBAAgB;IAChB,IAAI,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sCAAsC;IACtC,IAAI,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,oCAAoC;IACpC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,kEAAkE;IAClE,2DAA2D;IAC3D,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5D,sDAAsD;QACtD,0EAA0E;QAC1E,0DAA0D;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAgB;IAClD,MAAM,GAAG,GAAG,OAAO;SAChB,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,6DAA6D,CAAC;SAC1E,QAAQ,CAAC,eAAe,EAAE,iDAAiD,CAAC;SAC5E,QAAQ,CAAC,cAAc,EAAE,2BAA2B,CAAC;SACrD,MAAM,CAAC,uBAAuB,EAAE,yBAAyB,CAAC;SAC1D,MAAM,CAAC,mBAAmB,EAAE,UAAU,EAAE,IAAI,CAAC;SAC7C,MAAM,CAAC,2BAA2B,EAAE,0CAA0C,CAAC;SAC/E,MAAM,CAAC,aAAa,EAAE,gCAAgC,CAAC;SACvD,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,cAAc,EAAE,+CAA+C,CAAC;SACvE,MAAM,CAAC,WAAW,EAAE,+CAA+C,CAAC;SACpE,MAAM,CAAC,eAAe,EAAE,qBAAqB,CAAC;SAC9C,MAAM,CAAC,IAAI,EAAE,kCAAkC,CAAC;SAChD,MAAM,CAAC,IAAI,EAAE,oCAAoC,CAAC;SAClD,kBAAkB,CAAC,KAAK,CAAC;SACzB,MAAM,CAAC,KAAK,EAAE,WAA+B,EAAE,aAAuB,EAAE,OAAuB,EAAE,EAAE;QAClG,wCAAwC;QACxC,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,GAAG,CAAC,UAAU,EAAE,CAAC;YACjB,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,IAAI,oBAAoB,CAAC,WAAW,CAAC,EAAE,CAAC;YACtC,MAAM,cAAc,CAAC,WAAW,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,4DAA4D;YAC5D,wBAAwB;YACxB,OAAO,CAAC,KAAK,CAAC,sCAAsC,WAAW,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YAC/D,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;YACrE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;YAClB,GAAG,CAAC,UAAU,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,kCAAkC;IAClC,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACxB,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAC1B,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC7B,2BAA2B,CAAC,GAAG,CAAC,CAAC;IACjC,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5B,wBAAwB,CAAC,GAAG,CAAC,CAAC;IAC9B,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAC1B,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACxB,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5B,mBAAmB,CAAC,GAAG,CAAC,CAAC;AAC3B,CAAC;AAED,mCAAmC;AACnC,cAAc,YAAY,CAAC;AAE3B,wCAAwC;AACxC,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EACf,SAAS,EACT,QAAQ,EACR,SAAS,EACT,gBAAgB,EAChB,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,8BAA8B;AAC9B,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC"}

package/dist/commands/ssh/mapping.d.ts

@@ -0,0 +1,6 @@
+/**
+ * SSH principal mapping commands
+ */
+import type { Command } from 'commander';
+export declare function registerMappingCommands(parent: Command): void;
+//# sourceMappingURL=mapping.d.ts.map

package/dist/commands/ssh/mapping.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mapping.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh/mapping.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAQzC,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAwI7D"}

package/dist/commands/ssh/mapping.js

@@ -0,0 +1,130 @@
+// Path: src/commands/ssh/mapping.ts
+import ora from 'ora';
+import { client } from '../../lib/client.js';
+import { promptConfirm } from '../../lib/prompts.js';
+import * as output from '../../lib/output.js';
+import { buildTenantQuery } from './helpers.js';
+export function registerMappingCommands(parent) {
+    const mapping = parent
+        .command('mapping')
+        .description('SSH principal mapping management (SSO groups → SSH principals)');
+    // List Mappings
+    mapping
+        .command('list')
+        .description('List principal mappings')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--json', 'Output as JSON')
+        .action(async (options) => {
+        const spinner = ora('Fetching mappings...').start();
+        try {
+            const query = buildTenantQuery(options.tenant);
+            const response = await client.get(`/v1/ssh/principal-mappings${query}`);
+            spinner.stop();
+            if (options.json) {
+                output.json(response.items);
+                return;
+            }
+            if (response.items.length === 0) {
+                output.info('No principal mappings found');
+                output.info('Use "znvault ssh mapping create" to create a mapping');
+                return;
+            }
+            output.table(['ID', 'Group', 'Principals', 'Created'], response.items.map(m => [
+                m.id.substring(0, 8) + '...',
+                m.groupDisplayName ?? m.groupName ?? m.groupId.substring(0, 8),
+                m.principals.join(', '),
+                output.formatDate(m.createdAt),
+            ]));
+            output.info(`Total: ${response.items.length} mapping(s)`);
+        }
+        catch (err) {
+            spinner.fail('Failed to list mappings');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+    // Create Mapping
+    mapping
+        .command('create <groupId> <principals...>')
+        .description('Create principal mapping (SSO group → SSH principals)')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('--json', 'Output as JSON')
+        .action(async (groupId, principals, options) => {
+        const spinner = ora('Creating mapping...').start();
+        try {
+            const query = buildTenantQuery(options.tenant);
+            const mappingResult = await client.post(`/v1/ssh/principal-mappings${query}`, {
+                groupId,
+                principals,
+            });
+            spinner.succeed('Mapping created successfully');
+            if (options.json) {
+                output.json(mappingResult);
+                return;
+            }
+            output.keyValue({
+                'ID': mappingResult.id,
+                'Group ID': mappingResult.groupId,
+                'Principals': mappingResult.principals.join(', '),
+                'Created': output.formatDate(mappingResult.createdAt),
+            });
+        }
+        catch (err) {
+            spinner.fail('Failed to create mapping');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+    // Update Mapping
+    mapping
+        .command('update <mappingId> <principals...>')
+        .description('Update principal mapping')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .action(async (mappingId, principals, options) => {
+        const spinner = ora('Updating mapping...').start();
+        try {
+            const query = buildTenantQuery(options.tenant);
+            await client.put(`/v1/ssh/principal-mappings/${encodeURIComponent(mappingId)}${query}`, {
+                principals,
+            });
+            spinner.succeed('Mapping updated successfully');
+        }
+        catch (err) {
+            spinner.fail('Failed to update mapping');
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+    // Delete Mapping
+    mapping
+        .command('delete <mappingId>')
+        .description('Delete principal mapping')
+        .option('--tenant <id>', 'Tenant ID (superadmin only)')
+        .option('-y, --yes', 'Skip confirmation')
+        .action(async (mappingId, options) => {
+        try {
+            const query = buildTenantQuery(options.tenant);
+            if (!options.yes) {
+                const confirmed = await promptConfirm('Delete this mapping?');
+                if (!confirmed) {
+                    output.info('Delete cancelled');
+                    return;
+                }
+            }
+            const spinner = ora('Deleting mapping...').start();
+            try {
+                await client.delete(`/v1/ssh/principal-mappings/${encodeURIComponent(mappingId)}${query}`);
+                spinner.succeed('Mapping deleted successfully');
+            }
+            catch (err) {
+                spinner.fail('Failed to delete mapping');
+                throw err;
+            }
+        }
+        catch (err) {
+            output.error(err instanceof Error ? err.message : String(err));
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=mapping.js.map

package/dist/commands/ssh/mapping.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mapping.js","sourceRoot":"","sources":["../../../src/commands/ssh/mapping.ts"],"names":[],"mappings":"AAAA,oCAAoC;AAOpC,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAE9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,UAAU,uBAAuB,CAAC,MAAe;IACrD,MAAM,OAAO,GAAG,MAAM;SACnB,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,gEAAgE,CAAC,CAAC;IAEjF,gBAAgB;IAChB,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,yBAAyB,CAAC;SACtC,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,OAAoB,EAAE,EAAE;QACrC,MAAM,OAAO,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEpD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAgC,6BAA6B,KAAK,EAAE,CAAC,CAAC;YACvG,OAAO,CAAC,IAAI,EAAE,CAAC;YAEf,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAC5B,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;gBAC3C,MAAM,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;gBACpE,OAAO;YACT,CAAC;YAED,MAAM,CAAC,KAAK,CACV,CAAC,IAAI,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,CAAC,EACxC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtB,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK;gBAC5B,CAAC,CAAC,gBAAgB,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC9D,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBACvB,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;aAC/B,CAAC,CACH,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC,UAAU,QAAQ,CAAC,KAAK,CAAC,MAAM,aAAa,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,iBAAiB;IACjB,OAAO;SACJ,OAAO,CAAC,kCAAkC,CAAC;SAC3C,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;SAClC,MAAM,CAAC,KAAK,EAAE,OAAe,EAAE,UAAoB,EAAE,OAA6B,EAAE,EAAE;QACrF,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,IAAI,CAAmB,6BAA6B,KAAK,EAAE,EAAE;gBAC9F,OAAO;gBACP,UAAU;aACX,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;YAEhD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAC3B,OAAO;YACT,CAAC;YAED,MAAM,CAAC,QAAQ,CAAC;gBACd,IAAI,EAAE,aAAa,CAAC,EAAE;gBACtB,UAAU,EAAE,aAAa,CAAC,OAAO;gBACjC,YAAY,EAAE,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBACjD,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,SAAS,CAAC;aACtD,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,iBAAiB;IACjB,OAAO;SACJ,OAAO,CAAC,oCAAoC,CAAC;SAC7C,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,SAAiB,EAAE,UAAoB,EAAE,OAA4B,EAAE,EAAE;QACtF,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEnD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,MAAM,CAAC,GAAG,CAAC,8BAA8B,kBAAkB,CAAC,SAAS,CAAC,GAAG,KAAK,EAAE,EAAE;gBACtF,UAAU;aACX,CAAC,CAAC;YACH,OAAO,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,iBAAiB;IACjB,OAAO;SACJ,OAAO,CAAC,oBAAoB,CAAC;SAC7B,WAAW,CAAC,0BAA0B,CAAC;SACvC,MAAM,CAAC,eAAe,EAAE,6BAA6B,CAAC;SACtD,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC;SACxC,MAAM,CAAC,KAAK,EAAE,SAAiB,EAAE,OAAsB,EAAE,EAAE;QAC1D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YAE/C,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACjB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,sBAAsB,CAAC,CAAC;gBAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;oBAChC,OAAO;gBACT,CAAC;YACH,CAAC;YAED,MAAM,OAAO,GAAG,GAAG,CAAC,qBAAqB,CAAC,CAAC,KAAK,EAAE,CAAC;YAEnD,IAAI,CAAC;gBACH,MAAM,MAAM,CAAC,MAAM,CAAC,8BAA8B,kBAAkB,CAAC,SAAS,CAAC,GAAG,KAAK,EAAE,CAAC,CAAC;gBAC3F,OAAO,CAAC,OAAO,CAAC,8BAA8B,CAAC,CAAC;YAClD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;gBACzC,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/ssh/scp.d.ts

@@ -0,0 +1,6 @@
+/**
+ * SCP file transfer with certificate authentication
+ */
+import type { Command } from 'commander';
+export declare function registerSCPCommand(parent: Command): void;
+//# sourceMappingURL=scp.d.ts.map

package/dist/commands/ssh/scp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scp.d.ts","sourceRoot":"","sources":["../../../src/commands/ssh/scp.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmEzC,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CA+LxD"}