agent-vault-cli 0.1.0

package/dist/core/secure-memory.js

@@ -0,0 +1,68 @@
+/**
+ * Secure memory utilities for handling sensitive data.
+ * Uses Buffer to allow explicit zeroing of memory.
+ */
+/**
+ * A secure string container that can be explicitly cleared from memory.
+ * Uses Buffer internally for memory that can be overwritten.
+ */
+export class SecureString {
+    buffer;
+    cleared = false;
+    constructor(value) {
+        this.buffer = Buffer.from(value, 'utf-8');
+    }
+    /**
+     * Get the string value. Throws if already cleared.
+     */
+    getValue() {
+        if (this.cleared) {
+            throw new Error('SecureString has been cleared');
+        }
+        return this.buffer.toString('utf-8');
+    }
+    /**
+     * Securely clear the buffer by overwriting with zeros.
+     */
+    clear() {
+        if (!this.cleared) {
+            this.buffer.fill(0);
+            this.cleared = true;
+        }
+    }
+    /**
+     * Check if the string has been cleared.
+     */
+    isCleared() {
+        return this.cleared;
+    }
+    /**
+     * Get the length of the stored string.
+     */
+    get length() {
+        return this.cleared ? 0 : this.buffer.length;
+    }
+}
+/**
+ * Execute a function with secure strings, ensuring cleanup on completion.
+ * @param values - Object with string values to protect
+ * @param fn - Function to execute with SecureString versions
+ * @returns Result of the function
+ */
+export async function withSecureStrings(values, fn) {
+    const secureValues = {};
+    // Create secure versions
+    for (const key of Object.keys(values)) {
+        secureValues[key] = new SecureString(values[key]);
+    }
+    try {
+        return await fn(secureValues);
+    }
+    finally {
+        // Always clear secure strings
+        for (const key of Object.keys(secureValues)) {
+            secureValues[key].clear();
+        }
+    }
+}
+//# sourceMappingURL=secure-memory.js.map

package/dist/core/secure-memory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-memory.js","sourceRoot":"","sources":["../../src/core/secure-memory.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;GAGG;AACH,MAAM,OAAO,YAAY;IACf,MAAM,CAAS;IACf,OAAO,GAAG,KAAK,CAAC;IAExB,YAAY,KAAa;QACvB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACpB,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACtB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC/C,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAS,EACT,EAA4D;IAE5D,MAAM,YAAY,GAAG,EAAsC,CAAC;IAE5D,yBAAyB;IACzB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAgB,EAAE,CAAC;QACrD,YAAY,CAAC,GAAG,CAAC,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,YAAY,CAAC,CAAC;IAChC,CAAC;YAAS,CAAC;QACT,8BAA8B;QAC9B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAgB,EAAE,CAAC;YAC3D,YAAY,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,129 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { register } from './commands/register.js';
+import { login } from './commands/login.js';
+import { deleteCommand } from './commands/delete.js';
+import { config } from './commands/config.js';
+const program = new Command();
+program
+    .name('vault')
+    .description('Secure credential vault CLI for AI agents')
+    .version('0.1.0');
+program
+    .command('register')
+    .description('Register credentials for a new site')
+    .requiredOption('--cdp <endpoint>', 'CDP WebSocket endpoint (e.g., ws://localhost:9222)')
+    .requiredOption('--username-selector <selector>', 'CSS selector for username/email field')
+    .requiredOption('--password-selector <selector>', 'CSS selector for password field')
+    .option('--submit-selector <selector>', 'CSS selector for submit button')
+    .option('--username <username>', 'Username/email (non-interactive)')
+    .option('--password <password>', 'Password (non-interactive)')
+    .option('--generate-password', 'Generate a secure password (non-interactive)')
+    .option('-f, --force', 'Skip confirmation prompts')
+    .option('--allow-http', 'Allow HTTP origins (insecure - not recommended)')
+    .action(async (options) => {
+    try {
+        await register({
+            cdp: options.cdp,
+            usernameSelector: options.usernameSelector,
+            passwordSelector: options.passwordSelector,
+            submitSelector: options.submitSelector,
+            username: options.username,
+            password: options.password,
+            generatePassword: options.generatePassword,
+            force: options.force,
+            allowHttp: options.allowHttp,
+        });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+program
+    .command('login')
+    .description('Fill credentials for a known site')
+    .requiredOption('--cdp <endpoint>', 'CDP WebSocket endpoint (e.g., ws://localhost:9222)')
+    .option('--submit', 'Click submit button after filling credentials')
+    .action(async (options) => {
+    try {
+        await login({
+            cdp: options.cdp,
+            submit: options.submit,
+        });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+program
+    .command('delete')
+    .description('Delete credentials for a site')
+    .requiredOption('--origin <url>', 'Origin to delete (e.g., https://github.com)')
+    .option('-f, --force', 'Skip confirmation prompt')
+    .action(async (options) => {
+    try {
+        await deleteCommand({
+            origin: options.origin,
+            force: options.force,
+        });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+const configCmd = program
+    .command('config')
+    .description('Manage vault configuration');
+configCmd
+    .command('list')
+    .description('List all configuration values')
+    .action(async () => {
+    try {
+        await config({ action: 'list' });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+configCmd
+    .command('get <key>')
+    .description('Get a configuration value')
+    .action(async (key) => {
+    try {
+        await config({ action: 'get', key });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+configCmd
+    .command('set <key> <value>')
+    .description('Set a configuration value')
+    .action(async (key, value) => {
+    try {
+        await config({ action: 'set', key, value });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+configCmd
+    .command('unset <key>')
+    .description('Remove a configuration value')
+    .action(async (key) => {
+    try {
+        await config({ action: 'unset', key });
+    }
+    catch (error) {
+        console.error('Error:', error instanceof Error ? error.message : error);
+        process.exit(1);
+    }
+});
+program.parse();
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAE9C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,2CAA2C,CAAC;KACxD,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,UAAU,CAAC;KACnB,WAAW,CAAC,qCAAqC,CAAC;KAClD,cAAc,CAAC,kBAAkB,EAAE,oDAAoD,CAAC;KACxF,cAAc,CAAC,gCAAgC,EAAE,uCAAuC,CAAC;KACzF,cAAc,CAAC,gCAAgC,EAAE,iCAAiC,CAAC;KACnF,MAAM,CAAC,8BAA8B,EAAE,gCAAgC,CAAC;KACxE,MAAM,CAAC,uBAAuB,EAAE,kCAAkC,CAAC;KACnE,MAAM,CAAC,uBAAuB,EAAE,4BAA4B,CAAC;KAC7D,MAAM,CAAC,qBAAqB,EAAE,8CAA8C,CAAC;KAC7E,MAAM,CAAC,aAAa,EAAE,2BAA2B,CAAC;KAClD,MAAM,CAAC,cAAc,EAAE,iDAAiD,CAAC;KACzE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,IAAI,CAAC;QACH,MAAM,QAAQ,CAAC;YACb,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;YAC1C,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,mCAAmC,CAAC;KAChD,cAAc,CAAC,kBAAkB,EAAE,oDAAoD,CAAC;KACxF,MAAM,CAAC,UAAU,EAAE,+CAA+C,CAAC;KACnE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,IAAI,CAAC;QACH,MAAM,KAAK,CAAC;YACV,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,+BAA+B,CAAC;KAC5C,cAAc,CAAC,gBAAgB,EAAE,6CAA6C,CAAC;KAC/E,MAAM,CAAC,aAAa,EAAE,0BAA0B,CAAC;KACjD,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,IAAI,CAAC;QACH,MAAM,aAAa,CAAC;YAClB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,MAAM,SAAS,GAAG,OAAO;KACtB,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,4BAA4B,CAAC,CAAC;AAE7C,SAAS;KACN,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,+BAA+B,CAAC;KAC5C,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,SAAS;KACN,OAAO,CAAC,WAAW,CAAC;KACpB,WAAW,CAAC,2BAA2B,CAAC;KACxC,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IACpB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IACvC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,SAAS;KACN,OAAO,CAAC,mBAAmB,CAAC;KAC5B,WAAW,CAAC,2BAA2B,CAAC;KACxC,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE;IAC3B,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,SAAS;KACN,OAAO,CAAC,aAAa,CAAC;KACtB,WAAW,CAAC,8BAA8B,CAAC;KAC3C,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IACpB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/types/index.d.ts

@@ -0,0 +1,27 @@
+export interface Selectors {
+    username: string;
+    password: string;
+    submit?: string;
+}
+export interface Credentials {
+    username: string;
+    password: string;
+}
+export interface RPConfig {
+    origin: string;
+    selectors: Selectors;
+    credentials: Credentials;
+}
+export interface BrowserConnection {
+    browser: import('playwright').Browser;
+    page: import('playwright').Page;
+}
+export interface VaultConfig {
+    defaultUsername?: string;
+    /** Allow HTTP origins (insecure - not recommended) */
+    allowHttp?: string;
+    /** Comma-separated list of allowed CDP hostnames */
+    cdpAllowlist?: string;
+}
+export type ConfigKey = keyof VaultConfig;
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,SAAS,CAAC;IACrB,WAAW,EAAE,WAAW,CAAC;CAC1B;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,OAAO,YAAY,EAAE,OAAO,CAAC;IACtC,IAAI,EAAE,OAAO,YAAY,EAAE,IAAI,CAAC;CACjC;AAED,MAAM,WAAW,WAAW;IAC1B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC"}

package/dist/types/index.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "agent-vault-cli",
+  "version": "0.1.0",
+  "description": "Secure credential vault CLI for AI agents - fills login forms via CDP without exposing credentials",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "vault": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "start": "node dist/index.js",
+    "test": "vitest",
+    "test:headful": "HEADFUL=1 vitest --run",
+    "lint": "eslint src/",
+    "prepublishOnly": "npm run build",
+    "demo:auto": "tsx demo/automated-demo.ts",
+    "demo:interactive": "tsx demo/interactive-demo.ts",
+    "demo:manual": "chmod +x demo/manual-demo.sh && ./demo/manual-demo.sh",
+    "demo:video": "cd demo/remotion && npm install && npm run render",
+    "demo:preview": "cd demo/remotion && npm install && npm start",
+    "demo:verify": "tsx demo/verify-setup.ts"
+  },
+  "keywords": [
+    "cli",
+    "vault",
+    "credentials",
+    "agent",
+    "ai",
+    "keychain",
+    "security",
+    "cdp",
+    "playwright"
+  ],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "commander": "^12.1.0",
+    "inquirer": "^9.2.23",
+    "keytar": "^7.9.0",
+    "nanoid": "^5.0.7",
+    "playwright": "^1.48.0",
+    "proper-lockfile": "^4.1.2",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/inquirer": "^9.0.7",
+    "@types/node": "^22.0.0",
+    "@types/proper-lockfile": "^4.1.4",
+    "tsx": "^4.21.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/commands/config.ts

@@ -0,0 +1,84 @@
+import {
+  loadConfig,
+  getConfigValue,
+  setConfigValue,
+  unsetConfigValue,
+  isValidConfigKey,
+  getValidConfigKeys,
+} from '../core/config.js';
+import type { ConfigKey } from '../types/index.js';
+
+export type ConfigAction = 'get' | 'set' | 'unset' | 'list';
+
+export interface ConfigOptions {
+  action: ConfigAction;
+  key?: string;
+  value?: string;
+}
+
+export async function config(options: ConfigOptions): Promise<void> {
+  const { action, key, value } = options;
+
+  switch (action) {
+    case 'list': {
+      const cfg = await loadConfig();
+      const entries = Object.entries(cfg);
+      if (entries.length === 0) {
+        console.log('No configuration values set.');
+        console.log(`Available keys: ${getValidConfigKeys().join(', ')}`);
+      } else {
+        for (const [k, v] of entries) {
+          console.log(`${k}=${v}`);
+        }
+      }
+      break;
+    }
+
+    case 'get': {
+      if (!key) {
+        throw new Error('Key is required for get operation');
+      }
+      if (!isValidConfigKey(key)) {
+        throw new Error(`Invalid config key: ${key}. Valid keys: ${getValidConfigKeys().join(', ')}`);
+      }
+      const val = await getConfigValue(key as ConfigKey);
+      if (val !== undefined) {
+        console.log(val);
+      } else {
+        console.log(`(not set)`);
+      }
+      break;
+    }
+
+    case 'set': {
+      if (!key) {
+        throw new Error('Key is required for set operation');
+      }
+      if (!isValidConfigKey(key)) {
+        throw new Error(`Invalid config key: ${key}. Valid keys: ${getValidConfigKeys().join(', ')}`);
+      }
+      if (!value) {
+        throw new Error('Value is required for set operation');
+      }
+      await setConfigValue(key as ConfigKey, value);
+      console.log(`✓ Set ${key}=${value}`);
+      break;
+    }
+
+    case 'unset': {
+      if (!key) {
+        throw new Error('Key is required for unset operation');
+      }
+      if (!isValidConfigKey(key)) {
+        throw new Error(`Invalid config key: ${key}. Valid keys: ${getValidConfigKeys().join(', ')}`);
+      }
+      const deleted = await unsetConfigValue(key as ConfigKey);
+      if (deleted) {
+        console.log(`✓ Unset ${key}`);
+      } else {
+        console.log(`${key} was not set`);
+      }
+      break;
+    }
+  }
+}

package/src/commands/delete.ts

@@ -0,0 +1,39 @@
+import inquirer from 'inquirer';
+import { deleteRP, getRP } from '../core/keychain.js';
+
+interface DeleteOptions {
+  origin: string;
+  force?: boolean;
+}
+
+export async function deleteCommand(options: DeleteOptions): Promise<void> {
+  const config = await getRP(options.origin);
+
+  if (!config) {
+    throw new Error(`No credentials found for ${options.origin}`);
+  }
+
+  if (!options.force) {
+    const { confirm } = await inquirer.prompt<{ confirm: boolean }>([
+      {
+        type: 'confirm',
+        name: 'confirm',
+        message: `Delete credentials for ${options.origin}?`,
+        default: false,
+      },
+    ]);
+
+    if (!confirm) {
+      console.log('Deletion cancelled.');
+      return;
+    }
+  }
+
+  const deleted = await deleteRP(options.origin);
+
+  if (deleted) {
+    console.log(`✓ Deleted credentials for ${options.origin}`);
+  } else {
+    throw new Error(`Failed to delete credentials for ${options.origin}`);
+  }
+}

package/src/commands/login.ts

@@ -0,0 +1,49 @@
+import { connectToBrowser, fillField, clickElement } from '../core/browser.js';
+import { extractOrigin, extractAndValidateOrigin } from '../core/origin.js';
+import { getRP } from '../core/keychain.js';
+
+interface LoginOptions {
+  cdp: string;
+  submit?: boolean;
+}
+
+export async function login(options: LoginOptions): Promise<void> {
+  const { browser, page } = await connectToBrowser(options.cdp);
+
+  try {
+    const currentUrl = page.url();
+    const origin = extractAndValidateOrigin(currentUrl);
+
+    // Lookup stored config for this origin
+    const config = await getRP(origin);
+
+    if (!config) {
+      throw new Error('No credentials found for this site');
+    }
+
+    // Verify origin hasn't changed before filling
+    const verifyOrigin = extractOrigin(page.url());
+    if (verifyOrigin !== origin) {
+      throw new Error('Page navigation detected - aborting for security');
+    }
+
+    // Fill username and password using STORED selectors
+    await fillField(page, config.selectors.username, config.credentials.username);
+    await fillField(page, config.selectors.password, config.credentials.password);
+
+    // Verify again after filling
+    const postFillOrigin = extractOrigin(page.url());
+    if (postFillOrigin !== origin) {
+      throw new Error('Page changed during credential fill - possible attack');
+    }
+
+    // Optionally click submit
+    if (options.submit && config.selectors.submit) {
+      await clickElement(page, config.selectors.submit);
+    }
+
+    console.log('Login filled successfully');
+  } finally {
+    await browser.close();
+  }
+}

package/src/commands/register.ts

@@ -0,0 +1,188 @@
+import inquirer from 'inquirer';
+import { connectToBrowser, fillField, validateSelector } from '../core/browser.js';
+import {
+  extractAndValidateOrigin,
+  extractAndValidateOriginSecure,
+  type OriginValidationOptions,
+} from '../core/origin.js';
+import { storeRP, getRP } from '../core/keychain.js';
+import { generatePassword } from '../core/crypto.js';
+import { getConfigValue } from '../core/config.js';
+import { SecureString } from '../core/secure-memory.js';
+import type { Selectors } from '../types/index.js';
+
+export interface RegisterOptions {
+  cdp: string;
+  usernameSelector: string;
+  passwordSelector: string;
+  submitSelector?: string;
+  // Non-interactive options
+  username?: string;
+  password?: string;
+  generatePassword?: boolean;
+  force?: boolean;
+  allowHttp?: boolean;
+}
+
+export async function register(options: RegisterOptions): Promise<void> {
+  const { browser, page } = await connectToBrowser(options.cdp);
+
+  // Use SecureString for sensitive credential handling
+  let secureUsername: SecureString | null = null;
+  let securePassword: SecureString | null = null;
+
+  try {
+    const currentUrl = page.url();
+
+    // Use secure origin validation with HTTP blocking
+    const originOptions: OriginValidationOptions = {
+      allowHttp: options.allowHttp,
+    };
+    const origin = await extractAndValidateOriginSecure(currentUrl, originOptions);
+
+    // Validate selectors exist on page (don't expose selector in error)
+    const usernameValid = await validateSelector(page, options.usernameSelector);
+    const passwordValid = await validateSelector(page, options.passwordSelector);
+
+    if (!usernameValid) {
+      throw new Error('Username field selector not found on page');
+    }
+
+    if (!passwordValid) {
+      throw new Error('Password field selector not found on page');
+    }
+
+    if (options.submitSelector) {
+      const submitValid = await validateSelector(page, options.submitSelector);
+      if (!submitValid) {
+        console.warn('Warning: Submit button selector not found on page');
+      }
+    }
+
+    // Check if already registered
+    const existing = await getRP(origin);
+    if (existing) {
+      if (options.force) {
+        // Non-interactive: overwrite without prompting
+      } else {
+        const { overwrite } = await inquirer.prompt<{ overwrite: boolean }>([
+          {
+            type: 'confirm',
+            name: 'overwrite',
+            message: `Credentials already exist for this site. Overwrite?`,
+            default: false,
+          },
+        ]);
+
+        if (!overwrite) {
+          console.log('Registration cancelled.');
+          return;
+        }
+      }
+    }
+
+    // Confirm registration (skip if force or username provided non-interactively)
+    if (!options.force && !options.username) {
+      const { confirm } = await inquirer.prompt<{ confirm: boolean }>([
+        {
+          type: 'confirm',
+          name: 'confirm',
+          message: `Register credentials for this site?`,
+          default: true,
+        },
+      ]);
+
+      if (!confirm) {
+        console.log('Registration cancelled.');
+        return;
+      }
+    }
+
+    // Get username
+    let usernameValue: string;
+    if (options.username) {
+      usernameValue = options.username;
+    } else {
+      const defaultUsername = await getConfigValue('defaultUsername');
+      const response = await inquirer.prompt<{ username: string }>([
+        {
+          type: 'input',
+          name: 'username',
+          message: 'Enter username/email:',
+          default: defaultUsername,
+          validate: (input) => input.length > 0 || 'Username is required',
+        },
+      ]);
+      usernameValue = response.username;
+    }
+    secureUsername = new SecureString(usernameValue);
+
+    // Get password
+    let passwordValue: string;
+    if (options.password) {
+      passwordValue = options.password;
+    } else if (options.generatePassword) {
+      passwordValue = generatePassword();
+      // Security: Don't preview any part of the password
+      console.log('Secure password generated (stored in keychain)');
+    } else {
+      const { passwordOption } = await inquirer.prompt<{ passwordOption: string }>([
+        {
+          type: 'list',
+          name: 'passwordOption',
+          message: 'Password:',
+          choices: [
+            { name: 'Generate secure password', value: 'generate' },
+            { name: 'Enter existing password', value: 'enter' },
+          ],
+        },
+      ]);
+
+      if (passwordOption === 'generate') {
+        passwordValue = generatePassword();
+        // Security: Don't preview any part of the password
+        console.log('Secure password generated (stored in keychain)');
+      } else {
+        const { enteredPassword } = await inquirer.prompt<{ enteredPassword: string }>([
+          {
+            type: 'password',
+            name: 'enteredPassword',
+            message: 'Enter password:',
+            mask: '*',
+            validate: (input) => input.length > 0 || 'Password is required',
+          },
+        ]);
+        passwordValue = enteredPassword;
+      }
+    }
+    securePassword = new SecureString(passwordValue);
+
+    const selectors: Selectors = {
+      username: options.usernameSelector,
+      password: options.passwordSelector,
+      submit: options.submitSelector,
+    };
+
+    // Fill form fields using secure values
+    await fillField(page, options.usernameSelector, secureUsername.getValue());
+    await fillField(page, options.passwordSelector, securePassword.getValue());
+
+    // Store in keychain
+    await storeRP({
+      origin,
+      selectors,
+      credentials: {
+        username: secureUsername.getValue(),
+        password: securePassword.getValue(),
+      },
+    });
+
+    console.log('Credentials registered successfully');
+    console.log('Complete signup/login in browser.');
+  } finally {
+    // Securely clear sensitive data from memory
+    if (secureUsername) secureUsername.clear();
+    if (securePassword) securePassword.clear();
+    await browser.close();
+  }
+}