agent-vault-cli 0.1.0

package/src/core/ratelimit.ts

@@ -0,0 +1,89 @@
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import { logAuditEvent } from './audit.js';
+
+const RATE_LIMIT_DIR = join(homedir(), '.agent-vault');
+const RATE_LIMIT_FILE = join(RATE_LIMIT_DIR, '.ratelimit');
+
+// Rate limit configuration
+const MAX_ATTEMPTS = 5;
+const WINDOW_MS = 60 * 1000; // 1 minute window
+const LOCKOUT_MS = 5 * 60 * 1000; // 5 minute lockout after exceeding
+
+interface RateLimitState {
+  attempts: number[];
+  lockedUntil?: number;
+}
+
+async function ensureRateLimitDir(): Promise<void> {
+  await mkdir(RATE_LIMIT_DIR, { recursive: true, mode: 0o700 });
+}
+
+async function loadRateLimitState(): Promise<RateLimitState> {
+  try {
+    const data = await readFile(RATE_LIMIT_FILE, 'utf-8');
+    return JSON.parse(data);
+  } catch {
+    return { attempts: [] };
+  }
+}
+
+async function saveRateLimitState(state: RateLimitState): Promise<void> {
+  await ensureRateLimitDir();
+  await writeFile(RATE_LIMIT_FILE, JSON.stringify(state), { mode: 0o600 });
+}
+
+/**
+ * Check if an operation is rate limited.
+ * Returns true if allowed, throws if rate limited.
+ */
+export async function checkRateLimit(operation: string): Promise<void> {
+  const now = Date.now();
+  const state = await loadRateLimitState();
+
+  // Check if currently locked out
+  if (state.lockedUntil && now < state.lockedUntil) {
+    const remainingSeconds = Math.ceil((state.lockedUntil - now) / 1000);
+    await logAuditEvent('rate_limit_exceeded', {
+      details: `Operation: ${operation}, locked for ${remainingSeconds}s`,
+      success: false,
+    });
+    throw new Error(
+      `Rate limit exceeded. Please wait ${remainingSeconds} seconds before trying again.`
+    );
+  }
+
+  // Clear lockout if expired
+  if (state.lockedUntil && now >= state.lockedUntil) {
+    state.lockedUntil = undefined;
+    state.attempts = [];
+  }
+
+  // Filter attempts within the window
+  state.attempts = state.attempts.filter((ts) => now - ts < WINDOW_MS);
+
+  // Check if exceeding limit
+  if (state.attempts.length >= MAX_ATTEMPTS) {
+    state.lockedUntil = now + LOCKOUT_MS;
+    await saveRateLimitState(state);
+    await logAuditEvent('rate_limit_exceeded', {
+      details: `Operation: ${operation}, lockout initiated`,
+      success: false,
+    });
+    throw new Error(
+      `Too many attempts. Please wait ${Math.ceil(LOCKOUT_MS / 1000)} seconds before trying again.`
+    );
+  }
+
+  // Record this attempt
+  state.attempts.push(now);
+  await saveRateLimitState(state);
+}
+
+/**
+ * Reset rate limit state (for testing or admin purposes)
+ */
+export async function resetRateLimit(): Promise<void> {
+  await saveRateLimitState({ attempts: [] });
+}

package/src/core/secure-memory.ts

@@ -0,0 +1,78 @@
+/**
+ * Secure memory utilities for handling sensitive data.
+ * Uses Buffer to allow explicit zeroing of memory.
+ */
+
+/**
+ * A secure string container that can be explicitly cleared from memory.
+ * Uses Buffer internally for memory that can be overwritten.
+ */
+export class SecureString {
+  private buffer: Buffer;
+  private cleared = false;
+
+  constructor(value: string) {
+    this.buffer = Buffer.from(value, 'utf-8');
+  }
+
+  /**
+   * Get the string value. Throws if already cleared.
+   */
+  getValue(): string {
+    if (this.cleared) {
+      throw new Error('SecureString has been cleared');
+    }
+    return this.buffer.toString('utf-8');
+  }
+
+  /**
+   * Securely clear the buffer by overwriting with zeros.
+   */
+  clear(): void {
+    if (!this.cleared) {
+      this.buffer.fill(0);
+      this.cleared = true;
+    }
+  }
+
+  /**
+   * Check if the string has been cleared.
+   */
+  isCleared(): boolean {
+    return this.cleared;
+  }
+
+  /**
+   * Get the length of the stored string.
+   */
+  get length(): number {
+    return this.cleared ? 0 : this.buffer.length;
+  }
+}
+
+/**
+ * Execute a function with secure strings, ensuring cleanup on completion.
+ * @param values - Object with string values to protect
+ * @param fn - Function to execute with SecureString versions
+ * @returns Result of the function
+ */
+export async function withSecureStrings<T extends Record<string, string>, R>(
+  values: T,
+  fn: (secure: { [K in keyof T]: SecureString }) => Promise<R>
+): Promise<R> {
+  const secureValues = {} as { [K in keyof T]: SecureString };
+
+  // Create secure versions
+  for (const key of Object.keys(values) as (keyof T)[]) {
+    secureValues[key] = new SecureString(values[key]);
+  }
+
+  try {
+    return await fn(secureValues);
+  } finally {
+    // Always clear secure strings
+    for (const key of Object.keys(secureValues) as (keyof T)[]) {
+      secureValues[key].clear();
+    }
+  }
+}

package/src/index.ts

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+
+import { Command } from 'commander';
+import { register } from './commands/register.js';
+import { login } from './commands/login.js';
+import { deleteCommand } from './commands/delete.js';
+import { config } from './commands/config.js';
+
+const program = new Command();
+
+program
+  .name('vault')
+  .description('Secure credential vault CLI for AI agents')
+  .version('0.1.0');
+
+program
+  .command('register')
+  .description('Register credentials for a new site')
+  .requiredOption('--cdp <endpoint>', 'CDP WebSocket endpoint (e.g., ws://localhost:9222)')
+  .requiredOption('--username-selector <selector>', 'CSS selector for username/email field')
+  .requiredOption('--password-selector <selector>', 'CSS selector for password field')
+  .option('--submit-selector <selector>', 'CSS selector for submit button')
+  .option('--username <username>', 'Username/email (non-interactive)')
+  .option('--password <password>', 'Password (non-interactive)')
+  .option('--generate-password', 'Generate a secure password (non-interactive)')
+  .option('-f, --force', 'Skip confirmation prompts')
+  .option('--allow-http', 'Allow HTTP origins (insecure - not recommended)')
+  .action(async (options) => {
+    try {
+      await register({
+        cdp: options.cdp,
+        usernameSelector: options.usernameSelector,
+        passwordSelector: options.passwordSelector,
+        submitSelector: options.submitSelector,
+        username: options.username,
+        password: options.password,
+        generatePassword: options.generatePassword,
+        force: options.force,
+        allowHttp: options.allowHttp,
+      });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+program
+  .command('login')
+  .description('Fill credentials for a known site')
+  .requiredOption('--cdp <endpoint>', 'CDP WebSocket endpoint (e.g., ws://localhost:9222)')
+  .option('--submit', 'Click submit button after filling credentials')
+  .action(async (options) => {
+    try {
+      await login({
+        cdp: options.cdp,
+        submit: options.submit,
+      });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+program
+  .command('delete')
+  .description('Delete credentials for a site')
+  .requiredOption('--origin <url>', 'Origin to delete (e.g., https://github.com)')
+  .option('-f, --force', 'Skip confirmation prompt')
+  .action(async (options) => {
+    try {
+      await deleteCommand({
+        origin: options.origin,
+        force: options.force,
+      });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+const configCmd = program
+  .command('config')
+  .description('Manage vault configuration');
+
+configCmd
+  .command('list')
+  .description('List all configuration values')
+  .action(async () => {
+    try {
+      await config({ action: 'list' });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+configCmd
+  .command('get <key>')
+  .description('Get a configuration value')
+  .action(async (key) => {
+    try {
+      await config({ action: 'get', key });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+configCmd
+  .command('set <key> <value>')
+  .description('Set a configuration value')
+  .action(async (key, value) => {
+    try {
+      await config({ action: 'set', key, value });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+configCmd
+  .command('unset <key>')
+  .description('Remove a configuration value')
+  .action(async (key) => {
+    try {
+      await config({ action: 'unset', key });
+    } catch (error) {
+      console.error('Error:', error instanceof Error ? error.message : error);
+      process.exit(1);
+    }
+  });
+
+program.parse();

package/src/types/index.ts

@@ -0,0 +1,31 @@
+export interface Selectors {
+  username: string;
+  password: string;
+  submit?: string;
+}
+
+export interface Credentials {
+  username: string;
+  password: string;
+}
+
+export interface RPConfig {
+  origin: string;
+  selectors: Selectors;
+  credentials: Credentials;
+}
+
+export interface BrowserConnection {
+  browser: import('playwright').Browser;
+  page: import('playwright').Page;
+}
+
+export interface VaultConfig {
+  defaultUsername?: string;
+  /** Allow HTTP origins (insecure - not recommended) */
+  allowHttp?: string;
+  /** Comma-separated list of allowed CDP hostnames */
+  cdpAllowlist?: string;
+}
+
+export type ConfigKey = keyof VaultConfig;