npm - bitwarden-cli-bio - Versions diffs - 0.0.1 → 1.1.0 - Mend

bitwarden-cli-bio 0.0.1 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Jean Regisser
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,110 @@
+# bitwarden-cli-bio
+Unlock your Bitwarden CLI vault with biometrics (Touch ID, Windows Hello, Linux Polkit) instead of typing your master password. Again. And again.
+```bash
+# before: ugh
+bw get password github
+? Master password: [type your 30-character password]
+# after: nice
+bwbio get password github
+# [Touch ID prompt] → done
+```
+## How?
+`bwbio` talks to the Bitwarden Desktop app over IPC — the same protocol the browser extension uses — to unlock your vault with biometrics. Then it hands off to the official `bw` CLI with the session key. You still need `bw` installed; `bwbio` just handles the unlock part.
+```
+┌─────────────────┐         ┌─────────────────┐         ┌─────────────────┐
+│                 │         │    Bitwarden    │         │   Touch ID /    │
+│      bwbio      │   IPC   │    Desktop      │  System │  Windows Hello  │
+│                 │ ◄─────► │    App          │ ◄─────► │  Linux Polkit   │
+└─────────────────┘         └─────────────────┘         └─────────────────┘
+        │
+        │ delegates (with BW_SESSION)
+        ▼
+┌─────────────────┐
+│   Official bw   │
+│      CLI        │
+└─────────────────┘
+```
+If biometrics fail for any reason (Desktop app closed, prompt cancelled, etc.), it falls back to the regular password prompt. It never blocks you.
+## Setup
+**You'll need:**
+- Bitwarden Desktop app with biometrics enabled + "Allow browser integration" on
+- Node.js >= 22
+- Official `bw` CLI in your PATH
+**Install:**
+```bash
+npm install -g bitwarden-cli-bio
+```
+## Usage
+```bash
+# The magic: alias it and forget about it
+alias bw=bwbio
+bw get password github        # Touch ID, done
+bw list items --search email  # still Touch ID, still done
+# Or use it directly
+bwbio get password github
+# For scripts — get a session key
+eval $(bwbio unlock)
+```
+If `BW_SESSION` is already set, `bwbio` stays out of the way and passes everything straight to `bw`.
+### Commands that skip biometrics
+Some commands don't need an unlocked vault and go directly to `bw`:
+```
+login, logout, lock, config, update, completion, status, serve
+--help / -h, --version / -v
+```
+Everything else triggers biometric unlock if the vault is locked.
+## Environment variables
+| Variable | Description |
+|----------|-------------|
+| `BW_SESSION` | Already set? `bwbio` passes through to `bw` directly |
+| `BW_QUIET` | Set to `true` to suppress all biometric-related messages |
+| `BW_NOINTERACTION` | Set to `true` to skip biometric unlock (requires user interaction) |
+| `BWBIO_VERBOSE` | Set to `true` for verbose logging |
+| `BWBIO_DEBUG` | Set to `true` for raw IPC message dumps |
+| `BWBIO_IPC_SOCKET_PATH` | Override the IPC socket path (advanced) |
+## Platforms
+- **macOS** — Touch ID (including App Store builds) — tested
+- **Windows** — Windows Hello — should work, not yet tested
+- **Linux** — Polkit — should work, not yet tested
+The IPC protocol is the same across platforms. If you try Windows or Linux, please [open an issue](https://github.com/jeanregisser/bitwarden-cli-bio/issues) and let us know how it goes!
+## Supply chain trust
+Every npm release is automatically built and published from CI via [semantic-release](https://github.com/semantic-release/semantic-release), with [npm provenance](https://docs.npmjs.com/generating-provenance-statements) enabled. This means:
+- No human runs `npm publish` — releases come directly from GitHub Actions
+- Each package on npm links back to the exact source commit and CI run that produced it
+- You can verify this on the [npm package page](https://www.npmjs.com/package/bitwarden-cli-bio) (look for the "Provenance" badge)
+## Background
+This should really be a feature of the official CLI. A [PR was proposed](https://github.com/bitwarden/clients/pull/18273) but was closed — the Bitwarden team wants to wait until they have a proper IPC framework. This wrapper fills the gap in the meantime using the same IPC code from that PR.
+## License
+[MIT](LICENSE)

package/dist/index.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ #!/usr/bin/env node

package/dist/index.js ADDED Viewed

@@ -0,0 +1,928 @@
+#!/usr/bin/env node
+// src/main.ts
+import { spawn } from "child_process";
+// src/biometrics.ts
+import * as crypto4 from "crypto";
+// src/ipc/ipc-socket.service.ts
+import * as crypto from "crypto";
+import * as fs from "fs";
+import * as net from "net";
+import * as os from "os";
+import * as path from "path";
+var DEBUG = process.env.BWBIO_DEBUG === "true";
+var IpcSocketService = class {
+  socket = null;
+  messageBuffer = Buffer.alloc(0);
+  messageHandler = null;
+  disconnectHandler = null;
+  /**
+   * Get the IPC socket path for the current platform.
+   * This mirrors the logic in desktop_native/core/src/ipc/mod.rs
+   */
+  getSocketPath() {
+    if (process.env.BWBIO_IPC_SOCKET_PATH) {
+      return process.env.BWBIO_IPC_SOCKET_PATH;
+    }
+    const platform3 = os.platform();
+    if (platform3 === "win32") {
+      return this.getWindowsSocketPath();
+    }
+    if (platform3 === "darwin") {
+      return this.getMacSocketPath();
+    }
+    return this.getLinuxSocketPath();
+  }
+  /**
+   * Windows named pipe path - uses hash of home directory.
+   */
+  getWindowsSocketPath() {
+    const homeDir = os.homedir();
+    const hash = crypto.createHash("sha256").update(homeDir).digest();
+    const hashB64 = hash.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+    return `\\\\.\\pipe\\${hashB64}.s.bw`;
+  }
+  /**
+   * Get the socket path on macOS.
+   * The Desktop app can be sandboxed (Mac App Store) or non-sandboxed.
+   * We check both paths and return the one that exists.
+   */
+  getMacSocketPath() {
+    const homeDir = os.homedir();
+    const sandboxedPath = path.join(
+      homeDir,
+      "Library",
+      "Group Containers",
+      "LTZ2PFU5D6.com.bitwarden.desktop",
+      "s.bw"
+    );
+    const nonSandboxedPath = path.join(
+      homeDir,
+      "Library",
+      "Caches",
+      "com.bitwarden.desktop",
+      "s.bw"
+    );
+    try {
+      fs.accessSync(sandboxedPath);
+      return sandboxedPath;
+    } catch {
+    }
+    try {
+      fs.accessSync(nonSandboxedPath);
+      return nonSandboxedPath;
+    } catch {
+    }
+    return sandboxedPath;
+  }
+  /**
+   * Linux socket path - uses XDG_CACHE_HOME or ~/.cache.
+   */
+  getLinuxSocketPath() {
+    const cacheDir = process.env.XDG_CACHE_HOME != null ? process.env.XDG_CACHE_HOME : path.join(os.homedir(), ".cache");
+    return path.join(cacheDir, "com.bitwarden.desktop", "s.bw");
+  }
+  /**
+   * Check if the desktop app socket exists (quick availability check).
+   */
+  async isSocketAvailable() {
+    const socketPath = this.getSocketPath();
+    try {
+      await fs.promises.access(socketPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Connect to the desktop app's IPC socket.
+   */
+  async connect() {
+    if (this.socket != null) {
+      return;
+    }
+    const socketPath = this.getSocketPath();
+    if (DEBUG) {
+      console.error(`[DEBUG] Connecting to socket: ${socketPath}`);
+    }
+    return new Promise((resolve2, reject) => {
+      const socket = net.createConnection(socketPath);
+      socket.on("connect", () => {
+        if (DEBUG) {
+          console.error(`[DEBUG] Socket connected`);
+        }
+        this.socket = socket;
+        resolve2();
+      });
+      socket.on("data", (data) => {
+        if (DEBUG) {
+          console.error(`[DEBUG] Received raw data: ${data.length} bytes`);
+        }
+        this.processIncomingData(data);
+      });
+      socket.on("error", (err) => {
+        if (this.socket == null) {
+          reject(new Error(`Failed to connect to desktop app: ${err.message}`));
+        }
+      });
+      socket.on("close", () => {
+        this.socket = null;
+        this.messageBuffer = Buffer.alloc(0);
+        if (this.disconnectHandler) {
+          this.disconnectHandler();
+        }
+      });
+      socket.setTimeout(5e3, () => {
+        if (this.socket == null) {
+          socket.destroy();
+          reject(new Error("Connection to desktop app timed out"));
+        }
+      });
+    });
+  }
+  /**
+   * Disconnect from the socket.
+   */
+  disconnect() {
+    if (this.socket != null) {
+      this.socket.destroy();
+      this.socket = null;
+    }
+    this.messageBuffer = Buffer.alloc(0);
+  }
+  /**
+   * Check if currently connected.
+   */
+  isConnected() {
+    return this.socket != null && !this.socket.destroyed;
+  }
+  /**
+   * Set the handler for incoming messages.
+   */
+  onMessage(handler) {
+    this.messageHandler = handler;
+  }
+  /**
+   * Set the handler for disconnect events.
+   */
+  onDisconnect(handler) {
+    this.disconnectHandler = handler;
+  }
+  /**
+   * Send a message to the desktop app.
+   * Uses length-delimited protocol: 4-byte little-endian length prefix + JSON payload.
+   */
+  sendMessage(message) {
+    if (this.socket == null || this.socket.destroyed) {
+      throw new Error("Not connected to desktop app");
+    }
+    const messageStr = JSON.stringify(message);
+    const messageBytes = Buffer.from(messageStr, "utf8");
+    const buffer = Buffer.alloc(4 + messageBytes.length);
+    buffer.writeUInt32LE(messageBytes.length, 0);
+    messageBytes.copy(buffer, 4);
+    if (DEBUG) {
+      console.error(
+        `[DEBUG] Sending ${buffer.length} bytes (message: ${messageBytes.length} bytes)`
+      );
+    }
+    this.socket.write(buffer);
+  }
+  /**
+   * Process incoming data from the socket.
+   * Messages are length-delimited: 4-byte LE length + JSON payload.
+   */
+  processIncomingData(data) {
+    this.messageBuffer = Buffer.concat([this.messageBuffer, data]);
+    while (this.messageBuffer.length >= 4) {
+      const messageLength = this.messageBuffer.readUInt32LE(0);
+      if (this.messageBuffer.length < 4 + messageLength) {
+        break;
+      }
+      const messageBytes = this.messageBuffer.subarray(4, 4 + messageLength);
+      const messageStr = messageBytes.toString("utf8");
+      this.messageBuffer = this.messageBuffer.subarray(4 + messageLength);
+      try {
+        const message = JSON.parse(messageStr);
+        if (this.messageHandler) {
+          this.messageHandler(message);
+        }
+      } catch {
+      }
+    }
+  }
+};
+// src/ipc/native-messaging-client.ts
+import * as crypto2 from "crypto";
+var MESSAGE_VALID_TIMEOUT = 10 * 1e3;
+var DEFAULT_TIMEOUT = 10 * 1e3;
+var USER_INTERACTION_TIMEOUT = 60 * 1e3;
+var DEBUG2 = process.env.BWBIO_DEBUG === "true";
+var BiometricsCommands = {
+  AuthenticateWithBiometrics: "authenticateWithBiometrics",
+  GetBiometricsStatus: "getBiometricsStatus",
+  UnlockWithBiometricsForUser: "unlockWithBiometricsForUser",
+  GetBiometricsStatusForUser: "getBiometricsStatusForUser",
+  CanEnableBiometricUnlock: "canEnableBiometricUnlock"
+};
+var BiometricsStatus = /* @__PURE__ */ ((BiometricsStatus2) => {
+  BiometricsStatus2[BiometricsStatus2["Available"] = 0] = "Available";
+  BiometricsStatus2[BiometricsStatus2["UnlockNeeded"] = 1] = "UnlockNeeded";
+  BiometricsStatus2[BiometricsStatus2["HardwareUnavailable"] = 2] = "HardwareUnavailable";
+  BiometricsStatus2[BiometricsStatus2["AutoSetupNeeded"] = 3] = "AutoSetupNeeded";
+  BiometricsStatus2[BiometricsStatus2["ManualSetupNeeded"] = 4] = "ManualSetupNeeded";
+  BiometricsStatus2[BiometricsStatus2["PlatformUnsupported"] = 5] = "PlatformUnsupported";
+  BiometricsStatus2[BiometricsStatus2["DesktopDisconnected"] = 6] = "DesktopDisconnected";
+  BiometricsStatus2[BiometricsStatus2["NotEnabledLocally"] = 7] = "NotEnabledLocally";
+  BiometricsStatus2[BiometricsStatus2["NotEnabledInConnectedDesktopApp"] = 8] = "NotEnabledInConnectedDesktopApp";
+  BiometricsStatus2[BiometricsStatus2["NativeMessagingPermissionMissing"] = 9] = "NativeMessagingPermissionMissing";
+  return BiometricsStatus2;
+})(BiometricsStatus || {});
+var NativeMessagingClient = class {
+  connected = false;
+  connecting = false;
+  appId;
+  secureChannel = null;
+  messageId = 0;
+  callbacks = /* @__PURE__ */ new Map();
+  ipcSocket;
+  userId = null;
+  constructor(appId, userId) {
+    this.appId = appId;
+    this.userId = userId ?? null;
+    this.ipcSocket = new IpcSocketService();
+  }
+  /**
+   * Check if the desktop app is available (socket exists).
+   */
+  async isDesktopAppAvailable() {
+    return this.ipcSocket.isSocketAvailable();
+  }
+  /**
+   * Connect to the desktop app.
+   */
+  async connect() {
+    if (this.connected || this.connecting) {
+      return;
+    }
+    this.connecting = true;
+    try {
+      await this.ipcSocket.connect();
+      this.ipcSocket.onMessage((message) => {
+        this.handleMessage(message);
+      });
+      this.ipcSocket.onDisconnect(() => {
+        this.connected = false;
+        this.secureChannel = null;
+        for (const callback of this.callbacks.values()) {
+          clearTimeout(callback.timeout);
+          callback.rejecter(new Error("Disconnected from Desktop app"));
+        }
+        this.callbacks.clear();
+      });
+      this.connected = true;
+      this.connecting = false;
+    } catch (e) {
+      this.connecting = false;
+      throw e;
+    }
+  }
+  /**
+   * Disconnect from the desktop app.
+   */
+  disconnect() {
+    this.ipcSocket.disconnect();
+    this.connected = false;
+    this.secureChannel = null;
+  }
+  /**
+   * Send a command to the desktop app and wait for a response.
+   */
+  async callCommand(message, timeoutMs = DEFAULT_TIMEOUT) {
+    const messageId = this.messageId++;
+    const callback = new Promise((resolver, rejecter) => {
+      const timeout = setTimeout(() => {
+        if (this.callbacks.has(messageId)) {
+          this.callbacks.delete(messageId);
+          rejecter(
+            new Error("Message timed out waiting for Desktop app response")
+          );
+        }
+      }, timeoutMs);
+      this.callbacks.set(messageId, { resolver, rejecter, timeout });
+    });
+    message.messageId = messageId;
+    try {
+      await this.send(message);
+    } catch (e) {
+      const cb = this.callbacks.get(messageId);
+      if (cb) {
+        clearTimeout(cb.timeout);
+        this.callbacks.delete(messageId);
+        cb.rejecter(e instanceof Error ? e : new Error(String(e)));
+      }
+    }
+    return callback;
+  }
+  /**
+   * Get biometrics status from the desktop app.
+   */
+  async getBiometricsStatus() {
+    const response = await this.callCommand({
+      command: BiometricsCommands.GetBiometricsStatus
+    });
+    return response.response;
+  }
+  /**
+   * Get biometrics status for a specific user.
+   */
+  async getBiometricsStatusForUser(userId) {
+    const response = await this.callCommand({
+      command: BiometricsCommands.GetBiometricsStatusForUser,
+      userId
+    });
+    return response.response;
+  }
+  /**
+   * Unlock with biometrics for a specific user.
+   * Returns the user key if successful.
+   */
+  async unlockWithBiometricsForUser(userId) {
+    const response = await this.callCommand(
+      {
+        command: BiometricsCommands.UnlockWithBiometricsForUser,
+        userId
+      },
+      USER_INTERACTION_TIMEOUT
+    );
+    if (response.response) {
+      return response.userKeyB64 ?? null;
+    }
+    return null;
+  }
+  /**
+   * Send a message to the desktop app (encrypted if secure channel is established).
+   */
+  async send(message) {
+    if (!this.connected) {
+      await this.connect();
+    }
+    message.userId = this.userId ?? void 0;
+    message.timestamp = Date.now();
+    this.postMessage({
+      appId: this.appId,
+      message: await this.encryptMessage(message)
+    });
+  }
+  /**
+   * Encrypt a message using the secure channel's shared secret.
+   */
+  async encryptMessage(message) {
+    if (this.secureChannel?.sharedSecret == null) {
+      await this.secureCommunication();
+    }
+    const sharedSecret = this.secureChannel.sharedSecret;
+    const messageJson = JSON.stringify(message);
+    const iv = crypto2.randomBytes(16);
+    const cipher = crypto2.createCipheriv(
+      "aes-256-cbc",
+      sharedSecret.subarray(0, 32),
+      iv
+    );
+    const encrypted = Buffer.concat([
+      cipher.update(messageJson, "utf8"),
+      cipher.final()
+    ]);
+    const macKey = sharedSecret.subarray(32, 64);
+    const hmac = crypto2.createHmac("sha256", macKey);
+    hmac.update(iv);
+    hmac.update(encrypted);
+    const mac = hmac.digest();
+    return {
+      encryptionType: 2,
+      // AesCbc256_HmacSha256_B64
+      encryptedString: `2.${iv.toString("base64")}|${encrypted.toString("base64")}|${mac.toString("base64")}`,
+      iv: iv.toString("base64"),
+      data: encrypted.toString("base64"),
+      mac: mac.toString("base64")
+    };
+  }
+  /**
+   * Post a message to the IPC socket.
+   */
+  postMessage(message) {
+    try {
+      this.ipcSocket.sendMessage(message);
+    } catch (e) {
+      this.secureChannel = null;
+      this.connected = false;
+      throw e;
+    }
+  }
+  /**
+   * Handle incoming messages from the desktop app.
+   */
+  async handleMessage(message) {
+    if (DEBUG2) {
+      console.error(
+        `[DEBUG] Received message:`,
+        JSON.stringify(message, null, 2)
+      );
+    }
+    switch (message.command) {
+      case "setupEncryption":
+        if (message.appId !== this.appId) {
+          return;
+        }
+        await this.handleSetupEncryption(message);
+        break;
+      case "invalidateEncryption": {
+        if (message.appId !== this.appId) {
+          return;
+        }
+        const invalidError = new Error(
+          "Encryption channel invalidated by Desktop app"
+        );
+        if (this.secureChannel?.setupReject) {
+          this.secureChannel.setupReject(invalidError);
+        }
+        this.secureChannel = null;
+        for (const callback of this.callbacks.values()) {
+          clearTimeout(callback.timeout);
+          callback.rejecter(invalidError);
+        }
+        this.callbacks.clear();
+        this.connected = false;
+        this.ipcSocket.disconnect();
+        break;
+      }
+      case "wrongUserId": {
+        const wrongUserError = new Error(
+          "Account mismatch: CLI and Desktop app are logged into different accounts"
+        );
+        if (this.secureChannel?.setupReject) {
+          this.secureChannel.setupReject(wrongUserError);
+        }
+        this.secureChannel = null;
+        for (const callback of this.callbacks.values()) {
+          clearTimeout(callback.timeout);
+          callback.rejecter(wrongUserError);
+        }
+        this.callbacks.clear();
+        this.connected = false;
+        this.ipcSocket.disconnect();
+        break;
+      }
+      case "verifyDesktopIPCFingerprint":
+        await this.showFingerprint();
+        break;
+      default:
+        if (message.appId !== this.appId) {
+          return;
+        }
+        if (message.message != null) {
+          await this.handleEncryptedMessage(message.message);
+        }
+    }
+  }
+  /**
+   * Handle the setupEncryption response from the desktop app.
+   */
+  async handleSetupEncryption(message) {
+    if (DEBUG2) {
+      console.error(
+        `[DEBUG] handleSetupEncryption called, sharedSecret present: ${message.sharedSecret != null}`
+      );
+    }
+    if (message.sharedSecret == null) {
+      if (DEBUG2) {
+        console.error(`[DEBUG] No sharedSecret in message`);
+      }
+      return;
+    }
+    if (this.secureChannel == null) {
+      if (DEBUG2) {
+        console.error(`[DEBUG] No secureChannel setup`);
+      }
+      return;
+    }
+    const encrypted = Buffer.from(message.sharedSecret, "base64");
+    if (DEBUG2) {
+      console.error(
+        `[DEBUG] Encrypted sharedSecret length: ${encrypted.length}`
+      );
+    }
+    const decrypted = crypto2.privateDecrypt(
+      {
+        key: this.secureChannel.privateKey,
+        oaepHash: "sha1",
+        padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING
+      },
+      encrypted
+    );
+    this.secureChannel.sharedSecret = decrypted;
+    if (DEBUG2) {
+      console.error(
+        `[DEBUG] Decrypted sharedSecret length: ${this.secureChannel.sharedSecret.length}`
+      );
+    }
+    if (this.secureChannel.setupResolve) {
+      this.secureChannel.setupResolve();
+    }
+  }
+  /**
+   * Handle an encrypted message from the desktop app.
+   */
+  async handleEncryptedMessage(rawMessage) {
+    if (this.secureChannel?.sharedSecret == null) {
+      return;
+    }
+    let message;
+    if ("encryptionType" in rawMessage || "encryptedString" in rawMessage) {
+      const encMsg = rawMessage;
+      const iv = Buffer.from(encMsg.iv, "base64");
+      const data = Buffer.from(encMsg.data, "base64");
+      const mac = Buffer.from(encMsg.mac, "base64");
+      const sharedSecret = this.secureChannel.sharedSecret;
+      const encKey = sharedSecret.subarray(0, 32);
+      const macKey = sharedSecret.subarray(32, 64);
+      const hmac = crypto2.createHmac("sha256", macKey);
+      hmac.update(iv);
+      hmac.update(data);
+      const expectedMac = hmac.digest();
+      if (!crypto2.timingSafeEqual(mac, expectedMac)) {
+        throw new Error("Message integrity check failed");
+      }
+      const decipher = crypto2.createDecipheriv("aes-256-cbc", encKey, iv);
+      const decrypted = Buffer.concat([
+        decipher.update(data),
+        decipher.final()
+      ]);
+      message = JSON.parse(decrypted.toString("utf8"));
+    } else {
+      message = rawMessage;
+    }
+    this.processDecryptedMessage(message);
+  }
+  /**
+   * Process a decrypted message and resolve any pending callbacks.
+   */
+  processDecryptedMessage(message) {
+    if (DEBUG2) {
+      console.error(
+        `[DEBUG] Decrypted message:`,
+        JSON.stringify(message, null, 2)
+      );
+    }
+    if (Math.abs(message.timestamp - Date.now()) > MESSAGE_VALID_TIMEOUT) {
+      if (DEBUG2) {
+        console.error(
+          `[DEBUG] Message too old, ignoring. Timestamp: ${message.timestamp}, now: ${Date.now()}`
+        );
+      }
+      return;
+    }
+    const messageId = message.messageId;
+    if (this.callbacks.has(messageId)) {
+      const callback = this.callbacks.get(messageId);
+      clearTimeout(callback.timeout);
+      this.callbacks.delete(messageId);
+      callback.resolver(message);
+    } else if (DEBUG2) {
+      console.error(`[DEBUG] No callback found for messageId: ${messageId}`);
+    }
+  }
+  /**
+   * Set up secure communication with RSA key exchange.
+   */
+  async secureCommunication() {
+    const { publicKey, privateKey } = crypto2.generateKeyPairSync("rsa", {
+      modulusLength: 2048
+    });
+    const publicKeyDer = publicKey.export({ type: "spki", format: "der" });
+    const publicKeyB64 = publicKeyDer.toString("base64");
+    const setupMessage = {
+      appId: this.appId,
+      message: {
+        command: "setupEncryption",
+        publicKey: publicKeyB64,
+        userId: this.userId ?? void 0,
+        messageId: this.messageId++,
+        timestamp: Date.now()
+      }
+    };
+    if (DEBUG2) {
+      console.error(
+        `[DEBUG] Sending setupEncryption:`,
+        JSON.stringify(
+          {
+            ...setupMessage,
+            message: {
+              ...setupMessage.message,
+              publicKey: `${publicKeyB64.slice(0, 50)}...`
+            }
+          },
+          null,
+          2
+        )
+      );
+    }
+    this.postMessage(setupMessage);
+    return new Promise((resolve2, reject) => {
+      this.secureChannel = {
+        publicKey,
+        privateKey,
+        setupResolve: resolve2,
+        setupReject: reject
+      };
+      setTimeout(() => {
+        if (this.secureChannel && !this.secureChannel.sharedSecret) {
+          reject(new Error("Secure channel setup timed out"));
+        }
+      }, DEFAULT_TIMEOUT);
+    });
+  }
+  /**
+   * Display the fingerprint for verification.
+   */
+  async showFingerprint() {
+    if (this.secureChannel?.publicKey == null) {
+      return;
+    }
+    const publicKeyDer = this.secureChannel.publicKey.export({
+      type: "spki",
+      format: "der"
+    });
+    const hash = crypto2.createHash("sha256").update(publicKeyDer).digest();
+    const fingerprint = hash.toString("hex").slice(0, 25).toUpperCase();
+    const formatted = fingerprint.match(/.{1,5}/g)?.join("-") || fingerprint;
+    const dim = "\x1B[2m";
+    const cyan = "\x1B[36m";
+    const bold = "\x1B[1m";
+    const reset = "\x1B[0m";
+    console.error("");
+    console.error(`${bold}Bitwarden Desktop App Verification${reset}`);
+    console.error(
+      "Verify this fingerprint matches the one shown in the Desktop app:"
+    );
+    console.error("");
+    console.error(`${dim}  ${cyan}${formatted}${reset}`);
+    console.error("");
+    console.error("Accept the connection in the Desktop app to continue.");
+    console.error("");
+  }
+};
+// src/log.ts
+function log(message) {
+  if (process.env.BW_QUIET !== "true") {
+    console.error(message);
+  }
+}
+function logVerbose(message) {
+  if (process.env.BWBIO_VERBOSE === "true" && process.env.BW_QUIET !== "true") {
+    console.error(message);
+  }
+}
+// src/session-storage.ts
+import * as crypto3 from "crypto";
+import * as fs2 from "fs";
+import * as os2 from "os";
+import * as path2 from "path";
+var ENCRYPTION_TYPE = 2;
+function getCliDataDir() {
+  if (process.env.BITWARDENCLI_APPDATA_DIR) {
+    return path2.resolve(process.env.BITWARDENCLI_APPDATA_DIR);
+  }
+  const platform3 = os2.platform();
+  const homeDir = os2.homedir();
+  if (platform3 === "darwin") {
+    return path2.join(homeDir, "Library/Application Support/Bitwarden CLI");
+  } else if (platform3 === "win32") {
+    return path2.join(process.env.APPDATA ?? homeDir, "Bitwarden CLI");
+  } else {
+    const configDir = process.env.XDG_CONFIG_HOME ?? path2.join(homeDir, ".config");
+    return path2.join(configDir, "Bitwarden CLI");
+  }
+}
+function generateSessionKey() {
+  const keyBytes = crypto3.randomBytes(64);
+  return keyBytes.toString("base64");
+}
+function encryptWithSessionKey(data, sessionKey) {
+  const keyBytes = Buffer.from(sessionKey, "base64");
+  if (keyBytes.length !== 64) {
+    throw new Error("Session key must be 64 bytes");
+  }
+  const encKey = keyBytes.subarray(0, 32);
+  const macKey = keyBytes.subarray(32, 64);
+  const iv = crypto3.randomBytes(16);
+  const cipher = crypto3.createCipheriv("aes-256-cbc", encKey, iv);
+  const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+  const hmac = crypto3.createHmac("sha256", macKey);
+  hmac.update(iv);
+  hmac.update(encrypted);
+  const mac = hmac.digest();
+  const result = Buffer.alloc(1 + 16 + 32 + encrypted.length);
+  result.writeUInt8(ENCRYPTION_TYPE, 0);
+  iv.copy(result, 1);
+  mac.copy(result, 17);
+  encrypted.copy(result, 49);
+  return result.toString("base64");
+}
+function readCliData() {
+  const dataPath = path2.join(getCliDataDir(), "data.json");
+  try {
+    const content = fs2.readFileSync(dataPath, "utf-8");
+    return content ? JSON.parse(content) : {};
+  } catch {
+    return {};
+  }
+}
+function getActiveUserId() {
+  const data = readCliData();
+  const userId = data.global_account_activeAccountId;
+  return typeof userId === "string" ? userId : null;
+}
+function writeCliData(data) {
+  const dataDir = getCliDataDir();
+  const dataPath = path2.join(dataDir, "data.json");
+  if (!fs2.existsSync(dataDir)) {
+    fs2.mkdirSync(dataDir, { recursive: true, mode: 448 });
+  }
+  fs2.writeFileSync(dataPath, JSON.stringify(data, null, 2), { mode: 384 });
+}
+function storeUserKeyForSession(userKeyB64, userId, sessionKey) {
+  const userKeyBytes = Buffer.from(userKeyB64, "base64");
+  const encryptedUserKey = encryptWithSessionKey(userKeyBytes, sessionKey);
+  const storageKey = `__PROTECTED__${userId}_user_auto`;
+  const data = readCliData();
+  data[storageKey] = encryptedUserKey;
+  writeCliData(data);
+}
+// src/biometrics.ts
+function getBiometricMethodName() {
+  switch (process.platform) {
+    case "darwin":
+      return "Touch ID";
+    case "win32":
+      return "Windows Hello";
+    default:
+      return "Polkit";
+  }
+}
+function generateAppId() {
+  return `bwbio-${crypto4.randomUUID()}`;
+}
+async function attemptBiometricUnlock(options = {}) {
+  const userId = options.userId || getActiveUserId();
+  if (!userId) {
+    logVerbose(
+      "Biometric unlock unavailable: No user ID available - please log in first"
+    );
+    return { success: false };
+  }
+  const appId = generateAppId();
+  const client = new NativeMessagingClient(appId, userId);
+  try {
+    const available = await client.isDesktopAppAvailable();
+    if (!available) {
+      logVerbose(
+        "Biometric unlock unavailable: Bitwarden Desktop app is not running"
+      );
+      return { success: false };
+    }
+    logVerbose("Connecting to Bitwarden Desktop...");
+    await client.connect();
+    logVerbose("Checking biometrics status...");
+    const userStatus = await client.getBiometricsStatusForUser(userId);
+    if (userStatus !== 0 /* Available */) {
+      const statusName = BiometricsStatus[userStatus] || `Unknown(${userStatus})`;
+      logVerbose(`Biometric unlock unavailable: ${statusName}`);
+      return { success: false };
+    }
+    log(
+      `Authenticate with ${getBiometricMethodName()} on Desktop app to continue...`
+    );
+    const userKey = await client.unlockWithBiometricsForUser(userId);
+    if (!userKey) {
+      log("Biometric unlock was denied or failed");
+      return { success: false };
+    }
+    return {
+      success: true,
+      userKeyB64: userKey,
+      userId
+    };
+  } catch (err) {
+    const error = err instanceof Error ? err.message : String(err);
+    log(`Biometric unlock failed: ${error}`);
+    return { success: false };
+  } finally {
+    client.disconnect();
+  }
+}
+// src/passthrough.ts
+var PASSTHROUGH_COMMANDS = /* @__PURE__ */ new Set([
+  "login",
+  "logout",
+  "lock",
+  "config",
+  "update",
+  "completion",
+  "status",
+  "serve"
+]);
+var PASSTHROUGH_FLAGS = /* @__PURE__ */ new Set(["--help", "-h", "--version", "-v"]);
+function isPassthroughCommand(args2) {
+  if (args2.length === 0) {
+    return true;
+  }
+  const firstArg = args2[0];
+  if (args2.some((arg) => PASSTHROUGH_FLAGS.has(arg))) {
+    return true;
+  }
+  if (PASSTHROUGH_COMMANDS.has(firstArg)) {
+    return true;
+  }
+  return false;
+}
+// src/main.ts
+function writeLn(s) {
+  if (process.env.BW_QUIET !== "true") {
+    process.stdout.write(`${s}
+`);
+  }
+}
+function getBwPath() {
+  return "bw";
+}
+async function executeBw(args2, sessionKey) {
+  return new Promise((resolve2) => {
+    const env = { ...process.env };
+    if (sessionKey) {
+      env.BW_SESSION = sessionKey;
+    }
+    const child = spawn(getBwPath(), args2, {
+      stdio: "inherit",
+      env,
+      // On Windows, spawn needs shell to resolve .cmd wrappers (e.g. bw.cmd)
+      shell: process.platform === "win32"
+    });
+    child.on("error", (err) => {
+      console.error(`Failed to execute bw: ${err.message}`);
+      resolve2(1);
+    });
+    child.on("close", (code) => {
+      resolve2(code ?? 0);
+    });
+  });
+}
+async function handleUnlock(args2, sessionKey) {
+  const isRaw = args2.includes("--raw");
+  if (isRaw) {
+    writeLn(sessionKey);
+  } else {
+    writeLn(`export BW_SESSION="${sessionKey}"`);
+    writeLn(`# Run this command to set the session: eval $(bwbio unlock)`);
+  }
+  return 0;
+}
+async function main(args2) {
+  if (args2.includes("--quiet")) {
+    process.env.BW_QUIET = "true";
+  }
+  if (args2.includes("--nointeraction")) {
+    process.env.BW_NOINTERACTION = "true";
+  }
+  if (process.env.BW_SESSION || process.env.BW_NOINTERACTION === "true" || isPassthroughCommand(args2)) {
+    return executeBw(args2);
+  }
+  const result = await attemptBiometricUnlock();
+  if (result.success) {
+    const sessionKey = generateSessionKey();
+    storeUserKeyForSession(result.userKeyB64, result.userId, sessionKey);
+    if (args2[0] === "unlock") {
+      return handleUnlock(args2, sessionKey);
+    }
+    return executeBw(args2, sessionKey);
+  }
+  return executeBw(args2);
+}
+// src/index.ts
+var args = process.argv.slice(2);
+main(args).then((code) => {
+  process.exit(code);
+}).catch((err) => {
+  console.error("Unexpected error:", err);
+  process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/main.ts","../src/biometrics.ts","../src/ipc/ipc-socket.service.ts","../src/ipc/native-messaging-client.ts","../src/log.ts","../src/session-storage.ts","../src/passthrough.ts","../src/index.ts"],"sourcesContent":["import { spawn } from \"node:child_process\";\nimport { attemptBiometricUnlock } from \"./biometrics\";\nimport { isPassthroughCommand } from \"./passthrough\";\nimport { generateSessionKey, storeUserKeyForSession } from \"./session-storage\";\n\nfunction writeLn(s: string): void {\n if (process.env.BW_QUIET !== \"true\") {\n process.stdout.write(`${s}\\n`);\n }\n}\n\n/**\n * Get the path to the official bw CLI.\n *\n * Shell aliases don't apply when spawning via child_process,\n * so aliasing bwbio as bw won't cause a conflict here.\n */\nfunction getBwPath(): string {\n return \"bw\";\n}\n\n/**\n * Execute the official bw CLI with the given arguments.\n *\n * @param args - Command line arguments to pass to bw\n * @param sessionKey - Optional BW_SESSION value to set\n * @returns Exit code from bw\n */\nasync function executeBw(args: string[], sessionKey?: string): Promise<number> {\n return new Promise((resolve) => {\n const env = { ...process.env };\n\n if (sessionKey) {\n env.BW_SESSION = sessionKey;\n }\n\n const child = spawn(getBwPath(), args, {\n stdio: \"inherit\",\n env,\n // On Windows, spawn needs shell to resolve .cmd wrappers (e.g. bw.cmd)\n shell: process.platform === \"win32\",\n });\n\n child.on(\"error\", (err) => {\n console.error(`Failed to execute bw: ${err.message}`);\n resolve(1);\n });\n\n child.on(\"close\", (code) => {\n resolve(code ?? 0);\n });\n });\n}\n\n/**\n * Handle the 'unlock' command specially to output BW_SESSION export.\n */\nasync function handleUnlock(\n args: string[],\n sessionKey: string,\n): Promise<number> {\n // Check if --raw flag is present\n const isRaw = args.includes(\"--raw\");\n\n if (isRaw) {\n writeLn(sessionKey);\n } else {\n writeLn(`export BW_SESSION=\"${sessionKey}\"`);\n writeLn(`# Run this command to set the session: eval $(bwbio unlock)`);\n }\n\n return 0;\n}\n\n/**\n * Main entry point for the CLI wrapper.\n *\n * Attempts biometric unlock via the Desktop app, then delegates to bw.\n * Skips biometrics when BW_SESSION is set, in non-interactive mode, or for passthrough commands.\n */\nexport async function main(args: string[]): Promise<number> {\n // Mirror --quiet and --nointeraction flags to env vars (same as bw CLI)\n if (args.includes(\"--quiet\")) {\n process.env.BW_QUIET = \"true\";\n }\n if (args.includes(\"--nointeraction\")) {\n process.env.BW_NOINTERACTION = \"true\";\n }\n\n // Skip biometric unlock when not needed or not possible\n if (\n process.env.BW_SESSION ||\n process.env.BW_NOINTERACTION === \"true\" ||\n isPassthroughCommand(args)\n ) {\n return executeBw(args);\n }\n\n // Attempt biometric unlock\n const result = await attemptBiometricUnlock();\n\n if (result.success) {\n // Generate a new session key and store the user key\n const sessionKey = generateSessionKey();\n storeUserKeyForSession(result.userKeyB64, result.userId, sessionKey);\n\n // Check if this is an explicit 'unlock' command\n if (args[0] === \"unlock\") {\n return handleUnlock(args, sessionKey);\n }\n\n // Execute the requested command with the session\n return executeBw(args, sessionKey);\n }\n\n // Biometric unlock failed or unavailable - fall back to regular bw CLI\n return executeBw(args);\n}\n","import * as crypto from \"node:crypto\";\nimport { BiometricsStatus, NativeMessagingClient } from \"./ipc\";\nimport { log, logVerbose } from \"./log\";\nimport { getActiveUserId } from \"./session-storage\";\n\n/**\n * Get the platform-specific biometric method name.\n */\nfunction getBiometricMethodName(): string {\n switch (process.platform) {\n case \"darwin\":\n return \"Touch ID\";\n case \"win32\":\n return \"Windows Hello\";\n default:\n return \"Polkit\";\n }\n}\n\n/**\n * Result of a biometric unlock attempt.\n */\nexport type BiometricUnlockResult =\n | {\n success: true;\n /** The user's encryption key (base64 encoded) - NOT the session key */\n userKeyB64: string;\n userId: string;\n }\n | {\n success: false;\n };\n\n/**\n * Options for biometric unlock.\n */\nexport interface BiometricUnlockOptions {\n userId?: string;\n}\n\n/**\n * Generate a unique app ID for this CLI instance.\n */\nfunction generateAppId(): string {\n return `bwbio-${crypto.randomUUID()}`;\n}\n\n/**\n * Attempt to unlock the vault using biometrics via the Desktop app.\n */\nexport async function attemptBiometricUnlock(\n options: BiometricUnlockOptions = {},\n): Promise<BiometricUnlockResult> {\n // Get the user ID from CLI data - this is required for the desktop app\n const userId = options.userId || getActiveUserId();\n if (!userId) {\n logVerbose(\n \"Biometric unlock unavailable: No user ID available - please log in first\",\n );\n return { success: false };\n }\n\n const appId = generateAppId();\n const client = new NativeMessagingClient(appId, userId);\n\n try {\n // Check if desktop app is available\n const available = await client.isDesktopAppAvailable();\n if (!available) {\n logVerbose(\n \"Biometric unlock unavailable: Bitwarden Desktop app is not running\",\n );\n return { success: false };\n }\n\n logVerbose(\"Connecting to Bitwarden Desktop...\");\n\n await client.connect();\n\n // Get user-specific biometrics status\n logVerbose(\"Checking biometrics status...\");\n\n const userStatus = await client.getBiometricsStatusForUser(userId);\n\n // BiometricsStatus is an enum - Available (0) means biometrics can be used\n if (userStatus !== BiometricsStatus.Available) {\n const statusName =\n BiometricsStatus[userStatus] || `Unknown(${userStatus})`;\n logVerbose(`Biometric unlock unavailable: ${statusName}`);\n return { success: false };\n }\n\n // Request biometric unlock\n log(\n `Authenticate with ${getBiometricMethodName()} on Desktop app to continue...`,\n );\n\n const userKey = await client.unlockWithBiometricsForUser(userId);\n\n if (!userKey) {\n log(\"Biometric unlock was denied or failed\");\n return { success: false };\n }\n\n return {\n success: true,\n userKeyB64: userKey,\n userId,\n };\n } catch (err) {\n const error = err instanceof Error ? err.message : String(err);\n log(`Biometric unlock failed: ${error}`);\n return { success: false };\n } finally {\n client.disconnect();\n }\n}\n\n/**\n * Check biometrics availability without attempting unlock.\n */\nexport async function checkBiometricsAvailable(): Promise<boolean> {\n const userId = getActiveUserId();\n if (!userId) {\n return false;\n }\n\n const appId = generateAppId();\n const client = new NativeMessagingClient(appId, userId);\n\n try {\n const available = await client.isDesktopAppAvailable();\n if (!available) {\n return false;\n }\n\n await client.connect();\n const status = await client.getBiometricsStatusForUser(userId);\n return status === BiometricsStatus.Available;\n } catch {\n return false;\n } finally {\n client.disconnect();\n }\n}\n","import * as crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport * as net from \"node:net\";\nimport * as os from \"node:os\";\nimport * as path from \"node:path\";\n\nconst DEBUG = process.env.BWBIO_DEBUG === \"true\";\n\n/**\n * Platform-specific IPC socket service for connecting to the Bitwarden desktop app.\n *\n * The desktop app listens on a Unix domain socket (macOS/Linux) or named pipe (Windows).\n * This service provides a platform-agnostic way to connect and communicate with it.\n */\nexport class IpcSocketService {\n private socket: net.Socket | null = null;\n private messageBuffer: Buffer = Buffer.alloc(0);\n private messageHandler: ((message: unknown) => void) | null = null;\n private disconnectHandler: (() => void) | null = null;\n\n /**\n * Get the IPC socket path for the current platform.\n * This mirrors the logic in desktop_native/core/src/ipc/mod.rs\n */\n getSocketPath(): string {\n if (process.env.BWBIO_IPC_SOCKET_PATH) {\n return process.env.BWBIO_IPC_SOCKET_PATH;\n }\n\n const platform = os.platform();\n\n if (platform === \"win32\") {\n return this.getWindowsSocketPath();\n }\n\n if (platform === \"darwin\") {\n return this.getMacSocketPath();\n }\n\n // Linux: use XDG cache directory or fallback\n return this.getLinuxSocketPath();\n }\n\n /**\n * Windows named pipe path - uses hash of home directory.\n */\n private getWindowsSocketPath(): string {\n const homeDir = os.homedir();\n const hash = crypto.createHash(\"sha256\").update(homeDir).digest();\n // Use URL-safe base64 without padding (like Rust's URL_SAFE_NO_PAD)\n const hashB64 = hash\n .toString(\"base64\")\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n return `\\\\\\\\.\\\\pipe\\\\${hashB64}.s.bw`;\n }\n\n /**\n * Get the socket path on macOS.\n * The Desktop app can be sandboxed (Mac App Store) or non-sandboxed.\n * We check both paths and return the one that exists.\n */\n private getMacSocketPath(): string {\n const homeDir = os.homedir();\n\n // Path for sandboxed Desktop app (Mac App Store version)\n const sandboxedPath = path.join(\n homeDir,\n \"Library\",\n \"Group Containers\",\n \"LTZ2PFU5D6.com.bitwarden.desktop\",\n \"s.bw\",\n );\n\n // Path for non-sandboxed Desktop app\n const nonSandboxedPath = path.join(\n homeDir,\n \"Library\",\n \"Caches\",\n \"com.bitwarden.desktop\",\n \"s.bw\",\n );\n\n // Check sandboxed path first (most common for Mac App Store users)\n try {\n fs.accessSync(sandboxedPath);\n return sandboxedPath;\n } catch {\n // Socket not found at sandboxed path\n }\n\n // Check non-sandboxed path\n try {\n fs.accessSync(nonSandboxedPath);\n return nonSandboxedPath;\n } catch {\n // Socket not found at non-sandboxed path either\n }\n\n // Default to sandboxed path\n return sandboxedPath;\n }\n\n /**\n * Linux socket path - uses XDG_CACHE_HOME or ~/.cache.\n */\n private getLinuxSocketPath(): string {\n const cacheDir =\n process.env.XDG_CACHE_HOME != null\n ? process.env.XDG_CACHE_HOME\n : path.join(os.homedir(), \".cache\");\n return path.join(cacheDir, \"com.bitwarden.desktop\", \"s.bw\");\n }\n\n /**\n * Check if the desktop app socket exists (quick availability check).\n */\n async isSocketAvailable(): Promise<boolean> {\n const socketPath = this.getSocketPath();\n try {\n await fs.promises.access(socketPath);\n return true;\n } catch {\n return false;\n }\n }\n\n /**\n * Connect to the desktop app's IPC socket.\n */\n async connect(): Promise<void> {\n if (this.socket != null) {\n return;\n }\n\n const socketPath = this.getSocketPath();\n\n if (DEBUG) {\n console.error(`[DEBUG] Connecting to socket: ${socketPath}`);\n }\n\n return new Promise((resolve, reject) => {\n const socket = net.createConnection(socketPath);\n\n socket.on(\"connect\", () => {\n if (DEBUG) {\n console.error(`[DEBUG] Socket connected`);\n }\n this.socket = socket;\n resolve();\n });\n\n socket.on(\"data\", (data: Buffer) => {\n if (DEBUG) {\n console.error(`[DEBUG] Received raw data: ${data.length} bytes`);\n }\n this.processIncomingData(data);\n });\n\n socket.on(\"error\", (err) => {\n if (this.socket == null) {\n reject(new Error(`Failed to connect to desktop app: ${err.message}`));\n }\n });\n\n socket.on(\"close\", () => {\n this.socket = null;\n this.messageBuffer = Buffer.alloc(0);\n if (this.disconnectHandler) {\n this.disconnectHandler();\n }\n });\n\n // Timeout for initial connection\n socket.setTimeout(5000, () => {\n if (this.socket == null) {\n socket.destroy();\n reject(new Error(\"Connection to desktop app timed out\"));\n }\n });\n });\n }\n\n /**\n * Disconnect from the socket.\n */\n disconnect(): void {\n if (this.socket != null) {\n this.socket.destroy();\n this.socket = null;\n }\n this.messageBuffer = Buffer.alloc(0);\n }\n\n /**\n * Check if currently connected.\n */\n isConnected(): boolean {\n return this.socket != null && !this.socket.destroyed;\n }\n\n /**\n * Set the handler for incoming messages.\n */\n onMessage(handler: (message: unknown) => void): void {\n this.messageHandler = handler;\n }\n\n /**\n * Set the handler for disconnect events.\n */\n onDisconnect(handler: () => void): void {\n this.disconnectHandler = handler;\n }\n\n /**\n * Send a message to the desktop app.\n * Uses length-delimited protocol: 4-byte little-endian length prefix + JSON payload.\n */\n sendMessage(message: unknown): void {\n if (this.socket == null || this.socket.destroyed) {\n throw new Error(\"Not connected to desktop app\");\n }\n\n const messageStr = JSON.stringify(message);\n const messageBytes = Buffer.from(messageStr, \"utf8\");\n\n // Create buffer with 4-byte length prefix (little-endian)\n const buffer = Buffer.alloc(4 + messageBytes.length);\n buffer.writeUInt32LE(messageBytes.length, 0);\n messageBytes.copy(buffer, 4);\n\n if (DEBUG) {\n console.error(\n `[DEBUG] Sending ${buffer.length} bytes (message: ${messageBytes.length} bytes)`,\n );\n }\n\n this.socket.write(buffer);\n }\n\n /**\n * Process incoming data from the socket.\n * Messages are length-delimited: 4-byte LE length + JSON payload.\n */\n private processIncomingData(data: Buffer): void {\n this.messageBuffer = Buffer.concat([this.messageBuffer, data]);\n\n // Process all complete messages in the buffer\n while (this.messageBuffer.length >= 4) {\n const messageLength = this.messageBuffer.readUInt32LE(0);\n\n // Check if we have the full message\n if (this.messageBuffer.length < 4 + messageLength) {\n break;\n }\n\n // Extract and parse the message\n const messageBytes = this.messageBuffer.subarray(4, 4 + messageLength);\n const messageStr = messageBytes.toString(\"utf8\");\n\n // Update buffer to remove processed message\n this.messageBuffer = this.messageBuffer.subarray(4 + messageLength);\n\n try {\n const message = JSON.parse(messageStr);\n if (this.messageHandler) {\n this.messageHandler(message);\n }\n } catch {\n // Failed to parse message\n }\n }\n }\n}\n","import * as crypto from \"node:crypto\";\nimport { IpcSocketService } from \"./ipc-socket.service\";\n\nconst MESSAGE_VALID_TIMEOUT = 10 * 1000; // 10 seconds\nconst DEFAULT_TIMEOUT = 10 * 1000; // 10 seconds for protocol messages\nconst USER_INTERACTION_TIMEOUT = 60 * 1000; // 60 seconds for biometric prompts\n\nconst DEBUG = process.env.BWBIO_DEBUG === \"true\";\n\n/**\n * Biometrics commands matching the desktop app's expected commands.\n */\nexport const BiometricsCommands = {\n AuthenticateWithBiometrics: \"authenticateWithBiometrics\",\n GetBiometricsStatus: \"getBiometricsStatus\",\n UnlockWithBiometricsForUser: \"unlockWithBiometricsForUser\",\n GetBiometricsStatusForUser: \"getBiometricsStatusForUser\",\n CanEnableBiometricUnlock: \"canEnableBiometricUnlock\",\n} as const;\n\n/**\n * Biometrics status enum matching the desktop app's BiometricsStatus.\n */\nexport enum BiometricsStatus {\n Available = 0,\n UnlockNeeded = 1,\n HardwareUnavailable = 2,\n AutoSetupNeeded = 3,\n ManualSetupNeeded = 4,\n PlatformUnsupported = 5,\n DesktopDisconnected = 6,\n NotEnabledLocally = 7,\n NotEnabledInConnectedDesktopApp = 8,\n NativeMessagingPermissionMissing = 9,\n}\n\ntype Message = {\n command: string;\n messageId?: number;\n userId?: string;\n timestamp?: number;\n publicKey?: string;\n};\n\ntype OuterMessage = {\n message: Message | EncryptedMessage;\n appId: string;\n};\n\ntype EncryptedMessage = {\n encryptedString: string;\n encryptionType: number;\n data: string;\n iv: string;\n mac: string;\n};\n\ntype ReceivedMessage = {\n timestamp: number;\n command: string;\n messageId: number;\n response?: unknown;\n userKeyB64?: string;\n};\n\ntype ReceivedMessageOuter = {\n command: string;\n appId: string;\n messageId?: number;\n message?: ReceivedMessage | EncryptedMessage;\n sharedSecret?: string;\n};\n\ntype Callback = {\n resolver: (value: ReceivedMessage) => void;\n rejecter: (reason?: unknown) => void;\n timeout: ReturnType<typeof setTimeout>;\n};\n\ntype SecureChannel = {\n privateKey: crypto.KeyObject;\n publicKey: crypto.KeyObject;\n sharedSecret?: Buffer;\n setupResolve?: () => void;\n setupReject?: (reason?: unknown) => void;\n};\n\n/**\n * Native messaging client for communicating with the Bitwarden desktop app.\n *\n * This implements the same IPC protocol used by the browser extension:\n * 1. Connect to the desktop app via Unix socket / named pipe\n * 2. Set up encrypted communication using RSA key exchange\n * 3. Send/receive encrypted commands (biometric unlock, status checks, etc.)\n */\nexport class NativeMessagingClient {\n private connected = false;\n private connecting = false;\n private appId: string;\n\n private secureChannel: SecureChannel | null = null;\n private messageId = 0;\n private callbacks = new Map<number, Callback>();\n\n private ipcSocket: IpcSocketService;\n private userId: string | null = null;\n\n constructor(appId: string, userId?: string) {\n this.appId = appId;\n this.userId = userId ?? null;\n this.ipcSocket = new IpcSocketService();\n }\n\n /**\n * Check if the desktop app is available (socket exists).\n */\n async isDesktopAppAvailable(): Promise<boolean> {\n return this.ipcSocket.isSocketAvailable();\n }\n\n /**\n * Connect to the desktop app.\n */\n async connect(): Promise<void> {\n if (this.connected || this.connecting) {\n return;\n }\n\n this.connecting = true;\n\n try {\n await this.ipcSocket.connect();\n\n // Set up message handler\n this.ipcSocket.onMessage((message) => {\n this.handleMessage(message as ReceivedMessageOuter);\n });\n\n this.ipcSocket.onDisconnect(() => {\n this.connected = false;\n this.secureChannel = null;\n\n // Clear timeouts and reject all pending callbacks\n for (const callback of this.callbacks.values()) {\n clearTimeout(callback.timeout);\n callback.rejecter(new Error(\"Disconnected from Desktop app\"));\n }\n this.callbacks.clear();\n });\n\n this.connected = true;\n this.connecting = false;\n } catch (e) {\n this.connecting = false;\n throw e;\n }\n }\n\n /**\n * Disconnect from the desktop app.\n */\n disconnect(): void {\n this.ipcSocket.disconnect();\n this.connected = false;\n this.secureChannel = null;\n }\n\n /**\n * Send a command to the desktop app and wait for a response.\n */\n async callCommand(\n message: Message,\n timeoutMs: number = DEFAULT_TIMEOUT,\n ): Promise<ReceivedMessage> {\n const messageId = this.messageId++;\n\n const callback = new Promise<ReceivedMessage>((resolver, rejecter) => {\n const timeout = setTimeout(() => {\n if (this.callbacks.has(messageId)) {\n this.callbacks.delete(messageId);\n rejecter(\n new Error(\"Message timed out waiting for Desktop app response\"),\n );\n }\n }, timeoutMs);\n\n this.callbacks.set(messageId, { resolver, rejecter, timeout });\n });\n\n message.messageId = messageId;\n\n try {\n await this.send(message);\n } catch (e) {\n const cb = this.callbacks.get(messageId);\n if (cb) {\n clearTimeout(cb.timeout);\n this.callbacks.delete(messageId);\n cb.rejecter(e instanceof Error ? e : new Error(String(e)));\n }\n }\n\n return callback;\n }\n\n /**\n * Get biometrics status from the desktop app.\n */\n async getBiometricsStatus(): Promise<BiometricsStatus> {\n const response = await this.callCommand({\n command: BiometricsCommands.GetBiometricsStatus,\n });\n return response.response as BiometricsStatus;\n }\n\n /**\n * Get biometrics status for a specific user.\n */\n async getBiometricsStatusForUser(userId: string): Promise<BiometricsStatus> {\n const response = await this.callCommand({\n command: BiometricsCommands.GetBiometricsStatusForUser,\n userId: userId,\n });\n return response.response as BiometricsStatus;\n }\n\n /**\n * Unlock with biometrics for a specific user.\n * Returns the user key if successful.\n */\n async unlockWithBiometricsForUser(userId: string): Promise<string | null> {\n const response = await this.callCommand(\n {\n command: BiometricsCommands.UnlockWithBiometricsForUser,\n userId: userId,\n },\n USER_INTERACTION_TIMEOUT,\n );\n\n if (response.response) {\n return response.userKeyB64 ?? null;\n }\n\n return null;\n }\n\n /**\n * Send a message to the desktop app (encrypted if secure channel is established).\n */\n private async send(message: Message): Promise<void> {\n if (!this.connected) {\n await this.connect();\n }\n\n message.userId = this.userId ?? undefined;\n message.timestamp = Date.now();\n\n this.postMessage({\n appId: this.appId,\n message: await this.encryptMessage(message),\n });\n }\n\n /**\n * Encrypt a message using the secure channel's shared secret.\n */\n private async encryptMessage(\n message: Message,\n ): Promise<EncryptedMessage | Message> {\n if (this.secureChannel?.sharedSecret == null) {\n await this.secureCommunication();\n }\n\n // biome-ignore lint/style/noNonNullAssertion: guaranteed by secureCommunication() above\n const sharedSecret = this.secureChannel!.sharedSecret!;\n const messageJson = JSON.stringify(message);\n\n // Use AES-256-CBC encryption (matching Bitwarden's EncryptionType.AesCbc256_HmacSha256_B64 = 2)\n const iv = crypto.randomBytes(16);\n const cipher = crypto.createCipheriv(\n \"aes-256-cbc\",\n sharedSecret.subarray(0, 32),\n iv,\n );\n const encrypted = Buffer.concat([\n cipher.update(messageJson, \"utf8\"),\n cipher.final(),\n ]);\n\n // Create HMAC using the second half of the key\n const macKey = sharedSecret.subarray(32, 64);\n const hmac = crypto.createHmac(\"sha256\", macKey);\n hmac.update(iv);\n hmac.update(encrypted);\n const mac = hmac.digest();\n\n return {\n encryptionType: 2, // AesCbc256_HmacSha256_B64\n encryptedString: `2.${iv.toString(\"base64\")}|${encrypted.toString(\"base64\")}|${mac.toString(\"base64\")}`,\n iv: iv.toString(\"base64\"),\n data: encrypted.toString(\"base64\"),\n mac: mac.toString(\"base64\"),\n };\n }\n\n /**\n * Post a message to the IPC socket.\n */\n private postMessage(message: OuterMessage): void {\n try {\n this.ipcSocket.sendMessage(message);\n } catch (e) {\n this.secureChannel = null;\n this.connected = false;\n throw e;\n }\n }\n\n /**\n * Handle incoming messages from the desktop app.\n */\n private async handleMessage(message: ReceivedMessageOuter): Promise<void> {\n if (DEBUG) {\n console.error(\n `[DEBUG] Received message:`,\n JSON.stringify(message, null, 2),\n );\n }\n\n switch (message.command) {\n case \"setupEncryption\":\n if (message.appId !== this.appId) {\n return;\n }\n await this.handleSetupEncryption(message);\n break;\n\n case \"invalidateEncryption\": {\n if (message.appId !== this.appId) {\n return;\n }\n const invalidError = new Error(\n \"Encryption channel invalidated by Desktop app\",\n );\n if (this.secureChannel?.setupReject) {\n this.secureChannel.setupReject(invalidError);\n }\n this.secureChannel = null;\n for (const callback of this.callbacks.values()) {\n clearTimeout(callback.timeout);\n callback.rejecter(invalidError);\n }\n this.callbacks.clear();\n this.connected = false;\n this.ipcSocket.disconnect();\n break;\n }\n\n case \"wrongUserId\": {\n const wrongUserError = new Error(\n \"Account mismatch: CLI and Desktop app are logged into different accounts\",\n );\n if (this.secureChannel?.setupReject) {\n this.secureChannel.setupReject(wrongUserError);\n }\n this.secureChannel = null;\n for (const callback of this.callbacks.values()) {\n clearTimeout(callback.timeout);\n callback.rejecter(wrongUserError);\n }\n this.callbacks.clear();\n this.connected = false;\n this.ipcSocket.disconnect();\n break;\n }\n\n case \"verifyDesktopIPCFingerprint\":\n await this.showFingerprint();\n break;\n\n default:\n // Ignore messages for other apps\n if (message.appId !== this.appId) {\n return;\n }\n\n if (message.message != null) {\n await this.handleEncryptedMessage(message.message);\n }\n }\n }\n\n /**\n * Handle the setupEncryption response from the desktop app.\n */\n private async handleSetupEncryption(\n message: ReceivedMessageOuter,\n ): Promise<void> {\n if (DEBUG) {\n console.error(\n `[DEBUG] handleSetupEncryption called, sharedSecret present: ${message.sharedSecret != null}`,\n );\n }\n\n if (message.sharedSecret == null) {\n if (DEBUG) {\n console.error(`[DEBUG] No sharedSecret in message`);\n }\n return;\n }\n\n if (this.secureChannel == null) {\n if (DEBUG) {\n console.error(`[DEBUG] No secureChannel setup`);\n }\n return;\n }\n\n // Decrypt the shared secret using our private key (RSA-OAEP with SHA-1)\n const encrypted = Buffer.from(message.sharedSecret, \"base64\");\n if (DEBUG) {\n console.error(\n `[DEBUG] Encrypted sharedSecret length: ${encrypted.length}`,\n );\n }\n\n const decrypted = crypto.privateDecrypt(\n {\n key: this.secureChannel.privateKey,\n oaepHash: \"sha1\",\n padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,\n },\n encrypted,\n );\n\n this.secureChannel.sharedSecret = decrypted;\n\n if (DEBUG) {\n console.error(\n `[DEBUG] Decrypted sharedSecret length: ${this.secureChannel.sharedSecret.length}`,\n );\n }\n\n if (this.secureChannel.setupResolve) {\n this.secureChannel.setupResolve();\n }\n }\n\n /**\n * Handle an encrypted message from the desktop app.\n */\n private async handleEncryptedMessage(\n rawMessage: ReceivedMessage | EncryptedMessage,\n ): Promise<void> {\n if (this.secureChannel?.sharedSecret == null) {\n return;\n }\n\n let message: ReceivedMessage;\n\n if (\"encryptionType\" in rawMessage || \"encryptedString\" in rawMessage) {\n // Decrypt the message\n const encMsg = rawMessage as EncryptedMessage;\n const iv = Buffer.from(encMsg.iv, \"base64\");\n const data = Buffer.from(encMsg.data, \"base64\");\n const mac = Buffer.from(encMsg.mac, \"base64\");\n\n const sharedSecret = this.secureChannel.sharedSecret;\n const encKey = sharedSecret.subarray(0, 32);\n const macKey = sharedSecret.subarray(32, 64);\n\n // Verify HMAC\n const hmac = crypto.createHmac(\"sha256\", macKey);\n hmac.update(iv);\n hmac.update(data);\n const expectedMac = hmac.digest();\n\n if (!crypto.timingSafeEqual(mac, expectedMac)) {\n throw new Error(\"Message integrity check failed\");\n }\n\n // Decrypt\n const decipher = crypto.createDecipheriv(\"aes-256-cbc\", encKey, iv);\n const decrypted = Buffer.concat([\n decipher.update(data),\n decipher.final(),\n ]);\n message = JSON.parse(decrypted.toString(\"utf8\"));\n } else {\n message = rawMessage as ReceivedMessage;\n }\n\n this.processDecryptedMessage(message);\n }\n\n /**\n * Process a decrypted message and resolve any pending callbacks.\n */\n private processDecryptedMessage(message: ReceivedMessage): void {\n if (DEBUG) {\n console.error(\n `[DEBUG] Decrypted message:`,\n JSON.stringify(message, null, 2),\n );\n }\n\n if (Math.abs(message.timestamp - Date.now()) > MESSAGE_VALID_TIMEOUT) {\n if (DEBUG) {\n console.error(\n `[DEBUG] Message too old, ignoring. Timestamp: ${message.timestamp}, now: ${Date.now()}`,\n );\n }\n return;\n }\n\n const messageId = message.messageId;\n\n if (this.callbacks.has(messageId)) {\n // biome-ignore lint/style/noNonNullAssertion: guaranteed by .has() check above\n const callback = this.callbacks.get(messageId)!;\n clearTimeout(callback.timeout);\n this.callbacks.delete(messageId);\n callback.resolver(message);\n } else if (DEBUG) {\n console.error(`[DEBUG] No callback found for messageId: ${messageId}`);\n }\n }\n\n /**\n * Set up secure communication with RSA key exchange.\n */\n private async secureCommunication(): Promise<void> {\n // Generate RSA key pair\n const { publicKey, privateKey } = crypto.generateKeyPairSync(\"rsa\", {\n modulusLength: 2048,\n });\n\n // Export public key in SPKI/DER format (base64 encoded)\n const publicKeyDer = publicKey.export({ type: \"spki\", format: \"der\" });\n const publicKeyB64 = publicKeyDer.toString(\"base64\");\n\n const setupMessage = {\n appId: this.appId,\n message: {\n command: \"setupEncryption\",\n publicKey: publicKeyB64,\n userId: this.userId ?? undefined,\n messageId: this.messageId++,\n timestamp: Date.now(),\n },\n };\n\n if (DEBUG) {\n console.error(\n `[DEBUG] Sending setupEncryption:`,\n JSON.stringify(\n {\n ...setupMessage,\n message: {\n ...setupMessage.message,\n publicKey: `${publicKeyB64.slice(0, 50)}...`,\n },\n },\n null,\n 2,\n ),\n );\n }\n\n this.postMessage(setupMessage);\n\n return new Promise((resolve, reject) => {\n this.secureChannel = {\n publicKey,\n privateKey,\n setupResolve: resolve,\n setupReject: reject,\n };\n\n // Timeout for key exchange\n setTimeout(() => {\n if (this.secureChannel && !this.secureChannel.sharedSecret) {\n reject(new Error(\"Secure channel setup timed out\"));\n }\n }, DEFAULT_TIMEOUT);\n });\n }\n\n /**\n * Display the fingerprint for verification.\n */\n private async showFingerprint(): Promise<void> {\n if (this.secureChannel?.publicKey == null) {\n return;\n }\n\n // Generate fingerprint from public key\n const publicKeyDer = this.secureChannel.publicKey.export({\n type: \"spki\",\n format: \"der\",\n });\n const hash = crypto.createHash(\"sha256\").update(publicKeyDer).digest();\n\n // Format as 5 groups of alphanumeric characters (like Bitwarden)\n const fingerprint = hash.toString(\"hex\").slice(0, 25).toUpperCase();\n const formatted = fingerprint.match(/.{1,5}/g)?.join(\"-\") || fingerprint;\n\n // Write to stderr so it doesn't interfere with command output\n const dim = \"\\x1b[2m\";\n const cyan = \"\\x1b[36m\";\n const bold = \"\\x1b[1m\";\n const reset = \"\\x1b[0m\";\n\n console.error(\"\");\n console.error(`${bold}Bitwarden Desktop App Verification${reset}`);\n console.error(\n \"Verify this fingerprint matches the one shown in the Desktop app:\",\n );\n console.error(\"\");\n console.error(`${dim} ${cyan}${formatted}${reset}`);\n console.error(\"\");\n console.error(\"Accept the connection in the Desktop app to continue.\");\n console.error(\"\");\n }\n}\n","/**\n * Log a message to stderr unless BW_QUIET is set.\n */\nexport function log(message: string): void {\n if (process.env.BW_QUIET !== \"true\") {\n console.error(message);\n }\n}\n\n/**\n * Log a message to stderr only when BWBIO_VERBOSE is set (and not quiet).\n */\nexport function logVerbose(message: string): void {\n if (process.env.BWBIO_VERBOSE === \"true\" && process.env.BW_QUIET !== \"true\") {\n console.error(message);\n }\n}\n","import * as crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport * as os from \"node:os\";\nimport * as path from \"node:path\";\n\n/**\n * AesCbc256_HmacSha256_B64 encryption type (matches Bitwarden's format)\n */\nconst ENCRYPTION_TYPE = 2;\n\n/**\n * Get the CLI data directory path for the current platform.\n */\nfunction getCliDataDir(): string {\n if (process.env.BITWARDENCLI_APPDATA_DIR) {\n return path.resolve(process.env.BITWARDENCLI_APPDATA_DIR);\n }\n\n const platform = os.platform();\n const homeDir = os.homedir();\n\n if (platform === \"darwin\") {\n return path.join(homeDir, \"Library/Application Support/Bitwarden CLI\");\n } else if (platform === \"win32\") {\n return path.join(process.env.APPDATA ?? homeDir, \"Bitwarden CLI\");\n } else {\n // Linux\n const configDir =\n process.env.XDG_CONFIG_HOME ?? path.join(homeDir, \".config\");\n return path.join(configDir, \"Bitwarden CLI\");\n }\n}\n\n/**\n * Generate a new session key (64 random bytes, base64 encoded).\n */\nexport function generateSessionKey(): string {\n const keyBytes = crypto.randomBytes(64);\n return keyBytes.toString(\"base64\");\n}\n\n/**\n * Encrypt data using AES-256-CBC with HMAC-SHA256 (Bitwarden's type 2 format).\n *\n * @param data - The data to encrypt (as Uint8Array)\n * @param sessionKey - The session key (base64 encoded, 64 bytes when decoded)\n * @returns Encrypted data as base64 string\n */\nfunction encryptWithSessionKey(data: Uint8Array, sessionKey: string): string {\n // Decode session key - first 32 bytes for AES, last 32 for HMAC\n const keyBytes = Buffer.from(sessionKey, \"base64\");\n if (keyBytes.length !== 64) {\n throw new Error(\"Session key must be 64 bytes\");\n }\n\n const encKey = keyBytes.subarray(0, 32);\n const macKey = keyBytes.subarray(32, 64);\n\n // Generate random IV\n const iv = crypto.randomBytes(16);\n\n // Encrypt with AES-256-CBC\n const cipher = crypto.createCipheriv(\"aes-256-cbc\", encKey, iv);\n const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);\n\n // Calculate HMAC-SHA256 over IV + ciphertext\n const hmac = crypto.createHmac(\"sha256\", macKey);\n hmac.update(iv);\n hmac.update(encrypted);\n const mac = hmac.digest();\n\n // Assemble: [encType, iv, mac, ciphertext]\n const result = Buffer.alloc(1 + 16 + 32 + encrypted.length);\n result.writeUInt8(ENCRYPTION_TYPE, 0);\n iv.copy(result, 1);\n mac.copy(result, 17);\n encrypted.copy(result, 49);\n\n return result.toString(\"base64\");\n}\n\n/**\n * Read the CLI's data.json file.\n */\nfunction readCliData(): Record<string, unknown> {\n const dataPath = path.join(getCliDataDir(), \"data.json\");\n\n try {\n const content = fs.readFileSync(dataPath, \"utf-8\");\n return content ? JSON.parse(content) : {};\n } catch {\n return {};\n }\n}\n\n/**\n * Get the active user ID from CLI's data storage.\n */\nexport function getActiveUserId(): string | null {\n const data = readCliData();\n const userId = data.global_account_activeAccountId;\n return typeof userId === \"string\" ? userId : null;\n}\n\n/**\n * Write to the CLI's data.json file.\n */\nfunction writeCliData(data: Record<string, unknown>): void {\n const dataDir = getCliDataDir();\n const dataPath = path.join(dataDir, \"data.json\");\n\n // Ensure directory exists\n if (!fs.existsSync(dataDir)) {\n fs.mkdirSync(dataDir, { recursive: true, mode: 0o700 });\n }\n\n // Write with restrictive permissions\n fs.writeFileSync(dataPath, JSON.stringify(data, null, 2), { mode: 0o600 });\n}\n\n/**\n * Store the user key in CLI's data storage, encrypted with the session key.\n *\n * This mimics what the CLI does internally:\n * - Encrypts the user key with BW_SESSION\n * - Stores it in data.json with key \"__PROTECTED__{userId}_user_auto\"\n *\n * @param userKeyB64 - The user key from biometric unlock (base64 encoded)\n * @param userId - The user ID\n * @param sessionKey - The BW_SESSION key (base64 encoded, 64 bytes)\n */\nexport function storeUserKeyForSession(\n userKeyB64: string,\n userId: string,\n sessionKey: string,\n): void {\n // The user key is already base64 - convert to bytes for encryption\n const userKeyBytes = Buffer.from(userKeyB64, \"base64\");\n\n // Encrypt the user key with the session key\n const encryptedUserKey = encryptWithSessionKey(userKeyBytes, sessionKey);\n\n // Store in CLI's data.json\n const storageKey = `__PROTECTED__${userId}_user_auto`;\n\n const data = readCliData();\n data[storageKey] = encryptedUserKey;\n writeCliData(data);\n}\n\n/**\n * Clean up the stored user key.\n *\n * @param userId - The user ID\n */\nexport function clearStoredUserKey(userId: string): void {\n const storageKey = `__PROTECTED__${userId}_user_auto`;\n\n const data = readCliData();\n delete data[storageKey];\n writeCliData(data);\n}\n","/**\n * Passthrough command detection\n *\n * These commands are passed directly to `bw` without attempting biometric unlock.\n */\n\nconst PASSTHROUGH_COMMANDS = new Set([\n \"login\",\n \"logout\",\n \"lock\",\n \"config\",\n \"update\",\n \"completion\",\n \"status\",\n \"serve\",\n]);\n\nconst PASSTHROUGH_FLAGS = new Set([\"--help\", \"-h\", \"--version\", \"-v\"]);\n\n/**\n * Determines if the given arguments represent a passthrough command.\n *\n * Passthrough commands are executed directly without biometric unlock:\n * - Commands that don't need an unlocked vault (login, logout, status, etc.)\n * - Help and version flags\n *\n * @param args - Command line arguments (without node and script path)\n * @returns true if this is a passthrough command\n */\nexport function isPassthroughCommand(args: string[]): boolean {\n if (args.length === 0) {\n // No args = show help, which is passthrough\n return true;\n }\n\n const firstArg = args[0];\n\n // Check for passthrough flags anywhere in args\n if (args.some((arg) => PASSTHROUGH_FLAGS.has(arg))) {\n return true;\n }\n\n // Check if first arg is a passthrough command\n if (PASSTHROUGH_COMMANDS.has(firstArg)) {\n return true;\n }\n\n return false;\n}\n","#!/usr/bin/env node\n\nimport { main } from \"./main\";\n\n// Get command line arguments (skip node and script path)\nconst args = process.argv.slice(2);\n\nmain(args)\n .then((code) => {\n process.exit(code);\n })\n .catch((err) => {\n console.error(\"Unexpected error:\", err);\n process.exit(1);\n });\n"],"mappings":";;;AAAA,SAAS,aAAa;;;ACAtB,YAAYA,aAAY;;;ACAxB,YAAY,YAAY;AACxB,YAAY,QAAQ;AACpB,YAAY,SAAS;AACrB,YAAY,QAAQ;AACpB,YAAY,UAAU;AAEtB,IAAM,QAAQ,QAAQ,IAAI,gBAAgB;AAQnC,IAAM,mBAAN,MAAuB;AAAA,EACpB,SAA4B;AAAA,EAC5B,gBAAwB,OAAO,MAAM,CAAC;AAAA,EACtC,iBAAsD;AAAA,EACtD,oBAAyC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMjD,gBAAwB;AACtB,QAAI,QAAQ,IAAI,uBAAuB;AACrC,aAAO,QAAQ,IAAI;AAAA,IACrB;AAEA,UAAMC,YAAc,YAAS;AAE7B,QAAIA,cAAa,SAAS;AACxB,aAAO,KAAK,qBAAqB;AAAA,IACnC;AAEA,QAAIA,cAAa,UAAU;AACzB,aAAO,KAAK,iBAAiB;AAAA,IAC/B;AAGA,WAAO,KAAK,mBAAmB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAA+B;AACrC,UAAM,UAAa,WAAQ;AAC3B,UAAM,OAAc,kBAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO;AAEhE,UAAM,UAAU,KACb,SAAS,QAAQ,EACjB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AACpB,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,mBAA2B;AACjC,UAAM,UAAa,WAAQ;AAG3B,UAAM,gBAAqB;AAAA,MACzB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAGA,UAAM,mBAAwB;AAAA,MAC5B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAGA,QAAI;AACF,MAAG,cAAW,aAAa;AAC3B,aAAO;AAAA,IACT,QAAQ;AAAA,IAER;AAGA,QAAI;AACF,MAAG,cAAW,gBAAgB;AAC9B,aAAO;AAAA,IACT,QAAQ;AAAA,IAER;AAGA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAA6B;AACnC,UAAM,WACJ,QAAQ,IAAI,kBAAkB,OAC1B,QAAQ,IAAI,iBACP,UAAQ,WAAQ,GAAG,QAAQ;AACtC,WAAY,UAAK,UAAU,yBAAyB,MAAM;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAsC;AAC1C,UAAM,aAAa,KAAK,cAAc;AACtC,QAAI;AACF,YAAS,YAAS,OAAO,UAAU;AACnC,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,QAAI,KAAK,UAAU,MAAM;AACvB;AAAA,IACF;AAEA,UAAM,aAAa,KAAK,cAAc;AAEtC,QAAI,OAAO;AACT,cAAQ,MAAM,iCAAiC,UAAU,EAAE;AAAA,IAC7D;AAEA,WAAO,IAAI,QAAQ,CAACC,UAAS,WAAW;AACtC,YAAM,SAAa,qBAAiB,UAAU;AAE9C,aAAO,GAAG,WAAW,MAAM;AACzB,YAAI,OAAO;AACT,kBAAQ,MAAM,0BAA0B;AAAA,QAC1C;AACA,aAAK,SAAS;AACd,QAAAA,SAAQ;AAAA,MACV,CAAC;AAED,aAAO,GAAG,QAAQ,CAAC,SAAiB;AAClC,YAAI,OAAO;AACT,kBAAQ,MAAM,8BAA8B,KAAK,MAAM,QAAQ;AAAA,QACjE;AACA,aAAK,oBAAoB,IAAI;AAAA,MAC/B,CAAC;AAED,aAAO,GAAG,SAAS,CAAC,QAAQ;AAC1B,YAAI,KAAK,UAAU,MAAM;AACvB,iBAAO,IAAI,MAAM,qCAAqC,IAAI,OAAO,EAAE,CAAC;AAAA,QACtE;AAAA,MACF,CAAC;AAED,aAAO,GAAG,SAAS,MAAM;AACvB,aAAK,SAAS;AACd,aAAK,gBAAgB,OAAO,MAAM,CAAC;AACnC,YAAI,KAAK,mBAAmB;AAC1B,eAAK,kBAAkB;AAAA,QACzB;AAAA,MACF,CAAC;AAGD,aAAO,WAAW,KAAM,MAAM;AAC5B,YAAI,KAAK,UAAU,MAAM;AACvB,iBAAO,QAAQ;AACf,iBAAO,IAAI,MAAM,qCAAqC,CAAC;AAAA,QACzD;AAAA,MACF,CAAC;AAAA,IACH,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,QAAI,KAAK,UAAU,MAAM;AACvB,WAAK,OAAO,QAAQ;AACpB,WAAK,SAAS;AAAA,IAChB;AACA,SAAK,gBAAgB,OAAO,MAAM,CAAC;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,cAAuB;AACrB,WAAO,KAAK,UAAU,QAAQ,CAAC,KAAK,OAAO;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,SAA2C;AACnD,SAAK,iBAAiB;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,SAA2B;AACtC,SAAK,oBAAoB;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,SAAwB;AAClC,QAAI,KAAK,UAAU,QAAQ,KAAK,OAAO,WAAW;AAChD,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AAEA,UAAM,aAAa,KAAK,UAAU,OAAO;AACzC,UAAM,eAAe,OAAO,KAAK,YAAY,MAAM;AAGnD,UAAM,SAAS,OAAO,MAAM,IAAI,aAAa,MAAM;AACnD,WAAO,cAAc,aAAa,QAAQ,CAAC;AAC3C,iBAAa,KAAK,QAAQ,CAAC;AAE3B,QAAI,OAAO;AACT,cAAQ;AAAA,QACN,mBAAmB,OAAO,MAAM,oBAAoB,aAAa,MAAM;AAAA,MACzE;AAAA,IACF;AAEA,SAAK,OAAO,MAAM,MAAM;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,oBAAoB,MAAoB;AAC9C,SAAK,gBAAgB,OAAO,OAAO,CAAC,KAAK,eAAe,IAAI,CAAC;AAG7D,WAAO,KAAK,cAAc,UAAU,GAAG;AACrC,YAAM,gBAAgB,KAAK,cAAc,aAAa,CAAC;AAGvD,UAAI,KAAK,cAAc,SAAS,IAAI,eAAe;AACjD;AAAA,MACF;AAGA,YAAM,eAAe,KAAK,cAAc,SAAS,GAAG,IAAI,aAAa;AACrE,YAAM,aAAa,aAAa,SAAS,MAAM;AAG/C,WAAK,gBAAgB,KAAK,cAAc,SAAS,IAAI,aAAa;AAElE,UAAI;AACF,cAAM,UAAU,KAAK,MAAM,UAAU;AACrC,YAAI,KAAK,gBAAgB;AACvB,eAAK,eAAe,OAAO;AAAA,QAC7B;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AACF;;;ACnRA,YAAYC,aAAY;AAGxB,IAAM,wBAAwB,KAAK;AACnC,IAAM,kBAAkB,KAAK;AAC7B,IAAM,2BAA2B,KAAK;AAEtC,IAAMC,SAAQ,QAAQ,IAAI,gBAAgB;AAKnC,IAAM,qBAAqB;AAAA,EAChC,4BAA4B;AAAA,EAC5B,qBAAqB;AAAA,EACrB,6BAA6B;AAAA,EAC7B,4BAA4B;AAAA,EAC5B,0BAA0B;AAC5B;AAKO,IAAK,mBAAL,kBAAKC,sBAAL;AACL,EAAAA,oCAAA,eAAY,KAAZ;AACA,EAAAA,oCAAA,kBAAe,KAAf;AACA,EAAAA,oCAAA,yBAAsB,KAAtB;AACA,EAAAA,oCAAA,qBAAkB,KAAlB;AACA,EAAAA,oCAAA,uBAAoB,KAApB;AACA,EAAAA,oCAAA,yBAAsB,KAAtB;AACA,EAAAA,oCAAA,yBAAsB,KAAtB;AACA,EAAAA,oCAAA,uBAAoB,KAApB;AACA,EAAAA,oCAAA,qCAAkC,KAAlC;AACA,EAAAA,oCAAA,sCAAmC,KAAnC;AAVU,SAAAA;AAAA,GAAA;AAwEL,IAAM,wBAAN,MAA4B;AAAA,EACzB,YAAY;AAAA,EACZ,aAAa;AAAA,EACb;AAAA,EAEA,gBAAsC;AAAA,EACtC,YAAY;AAAA,EACZ,YAAY,oBAAI,IAAsB;AAAA,EAEtC;AAAA,EACA,SAAwB;AAAA,EAEhC,YAAY,OAAe,QAAiB;AAC1C,SAAK,QAAQ;AACb,SAAK,SAAS,UAAU;AACxB,SAAK,YAAY,IAAI,iBAAiB;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,wBAA0C;AAC9C,WAAO,KAAK,UAAU,kBAAkB;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,QAAI,KAAK,aAAa,KAAK,YAAY;AACrC;AAAA,IACF;AAEA,SAAK,aAAa;AAElB,QAAI;AACF,YAAM,KAAK,UAAU,QAAQ;AAG7B,WAAK,UAAU,UAAU,CAAC,YAAY;AACpC,aAAK,cAAc,OAA+B;AAAA,MACpD,CAAC;AAED,WAAK,UAAU,aAAa,MAAM;AAChC,aAAK,YAAY;AACjB,aAAK,gBAAgB;AAGrB,mBAAW,YAAY,KAAK,UAAU,OAAO,GAAG;AAC9C,uBAAa,SAAS,OAAO;AAC7B,mBAAS,SAAS,IAAI,MAAM,+BAA+B,CAAC;AAAA,QAC9D;AACA,aAAK,UAAU,MAAM;AAAA,MACvB,CAAC;AAED,WAAK,YAAY;AACjB,WAAK,aAAa;AAAA,IACpB,SAAS,GAAG;AACV,WAAK,aAAa;AAClB,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAmB;AACjB,SAAK,UAAU,WAAW;AAC1B,SAAK,YAAY;AACjB,SAAK,gBAAgB;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YACJ,SACA,YAAoB,iBACM;AAC1B,UAAM,YAAY,KAAK;AAEvB,UAAM,WAAW,IAAI,QAAyB,CAAC,UAAU,aAAa;AACpE,YAAM,UAAU,WAAW,MAAM;AAC/B,YAAI,KAAK,UAAU,IAAI,SAAS,GAAG;AACjC,eAAK,UAAU,OAAO,SAAS;AAC/B;AAAA,YACE,IAAI,MAAM,oDAAoD;AAAA,UAChE;AAAA,QACF;AAAA,MACF,GAAG,SAAS;AAEZ,WAAK,UAAU,IAAI,WAAW,EAAE,UAAU,UAAU,QAAQ,CAAC;AAAA,IAC/D,CAAC;AAED,YAAQ,YAAY;AAEpB,QAAI;AACF,YAAM,KAAK,KAAK,OAAO;AAAA,IACzB,SAAS,GAAG;AACV,YAAM,KAAK,KAAK,UAAU,IAAI,SAAS;AACvC,UAAI,IAAI;AACN,qBAAa,GAAG,OAAO;AACvB,aAAK,UAAU,OAAO,SAAS;AAC/B,WAAG,SAAS,aAAa,QAAQ,IAAI,IAAI,MAAM,OAAO,CAAC,CAAC,CAAC;AAAA,MAC3D;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAiD;AACrD,UAAM,WAAW,MAAM,KAAK,YAAY;AAAA,MACtC,SAAS,mBAAmB;AAAA,IAC9B,CAAC;AACD,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,2BAA2B,QAA2C;AAC1E,UAAM,WAAW,MAAM,KAAK,YAAY;AAAA,MACtC,SAAS,mBAAmB;AAAA,MAC5B;AAAA,IACF,CAAC;AACD,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,4BAA4B,QAAwC;AACxE,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B;AAAA,QACE,SAAS,mBAAmB;AAAA,QAC5B;AAAA,MACF;AAAA,MACA;AAAA,IACF;AAEA,QAAI,SAAS,UAAU;AACrB,aAAO,SAAS,cAAc;AAAA,IAChC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,KAAK,SAAiC;AAClD,QAAI,CAAC,KAAK,WAAW;AACnB,YAAM,KAAK,QAAQ;AAAA,IACrB;AAEA,YAAQ,SAAS,KAAK,UAAU;AAChC,YAAQ,YAAY,KAAK,IAAI;AAE7B,SAAK,YAAY;AAAA,MACf,OAAO,KAAK;AAAA,MACZ,SAAS,MAAM,KAAK,eAAe,OAAO;AAAA,IAC5C,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,eACZ,SACqC;AACrC,QAAI,KAAK,eAAe,gBAAgB,MAAM;AAC5C,YAAM,KAAK,oBAAoB;AAAA,IACjC;AAGA,UAAM,eAAe,KAAK,cAAe;AACzC,UAAM,cAAc,KAAK,UAAU,OAAO;AAG1C,UAAM,KAAY,oBAAY,EAAE;AAChC,UAAM,SAAgB;AAAA,MACpB;AAAA,MACA,aAAa,SAAS,GAAG,EAAE;AAAA,MAC3B;AAAA,IACF;AACA,UAAM,YAAY,OAAO,OAAO;AAAA,MAC9B,OAAO,OAAO,aAAa,MAAM;AAAA,MACjC,OAAO,MAAM;AAAA,IACf,CAAC;AAGD,UAAM,SAAS,aAAa,SAAS,IAAI,EAAE;AAC3C,UAAM,OAAc,mBAAW,UAAU,MAAM;AAC/C,SAAK,OAAO,EAAE;AACd,SAAK,OAAO,SAAS;AACrB,UAAM,MAAM,KAAK,OAAO;AAExB,WAAO;AAAA,MACL,gBAAgB;AAAA;AAAA,MAChB,iBAAiB,KAAK,GAAG,SAAS,QAAQ,CAAC,IAAI,UAAU,SAAS,QAAQ,CAAC,IAAI,IAAI,SAAS,QAAQ,CAAC;AAAA,MACrG,IAAI,GAAG,SAAS,QAAQ;AAAA,MACxB,MAAM,UAAU,SAAS,QAAQ;AAAA,MACjC,KAAK,IAAI,SAAS,QAAQ;AAAA,IAC5B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,SAA6B;AAC/C,QAAI;AACF,WAAK,UAAU,YAAY,OAAO;AAAA,IACpC,SAAS,GAAG;AACV,WAAK,gBAAgB;AACrB,WAAK,YAAY;AACjB,YAAM;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,cAAc,SAA8C;AACxE,QAAID,QAAO;AACT,cAAQ;AAAA,QACN;AAAA,QACA,KAAK,UAAU,SAAS,MAAM,CAAC;AAAA,MACjC;AAAA,IACF;AAEA,YAAQ,QAAQ,SAAS;AAAA,MACvB,KAAK;AACH,YAAI,QAAQ,UAAU,KAAK,OAAO;AAChC;AAAA,QACF;AACA,cAAM,KAAK,sBAAsB,OAAO;AACxC;AAAA,MAEF,KAAK,wBAAwB;AAC3B,YAAI,QAAQ,UAAU,KAAK,OAAO;AAChC;AAAA,QACF;AACA,cAAM,eAAe,IAAI;AAAA,UACvB;AAAA,QACF;AACA,YAAI,KAAK,eAAe,aAAa;AACnC,eAAK,cAAc,YAAY,YAAY;AAAA,QAC7C;AACA,aAAK,gBAAgB;AACrB,mBAAW,YAAY,KAAK,UAAU,OAAO,GAAG;AAC9C,uBAAa,SAAS,OAAO;AAC7B,mBAAS,SAAS,YAAY;AAAA,QAChC;AACA,aAAK,UAAU,MAAM;AACrB,aAAK,YAAY;AACjB,aAAK,UAAU,WAAW;AAC1B;AAAA,MACF;AAAA,MAEA,KAAK,eAAe;AAClB,cAAM,iBAAiB,IAAI;AAAA,UACzB;AAAA,QACF;AACA,YAAI,KAAK,eAAe,aAAa;AACnC,eAAK,cAAc,YAAY,cAAc;AAAA,QAC/C;AACA,aAAK,gBAAgB;AACrB,mBAAW,YAAY,KAAK,UAAU,OAAO,GAAG;AAC9C,uBAAa,SAAS,OAAO;AAC7B,mBAAS,SAAS,cAAc;AAAA,QAClC;AACA,aAAK,UAAU,MAAM;AACrB,aAAK,YAAY;AACjB,aAAK,UAAU,WAAW;AAC1B;AAAA,MACF;AAAA,MAEA,KAAK;AACH,cAAM,KAAK,gBAAgB;AAC3B;AAAA,MAEF;AAEE,YAAI,QAAQ,UAAU,KAAK,OAAO;AAChC;AAAA,QACF;AAEA,YAAI,QAAQ,WAAW,MAAM;AAC3B,gBAAM,KAAK,uBAAuB,QAAQ,OAAO;AAAA,QACnD;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBACZ,SACe;AACf,QAAIA,QAAO;AACT,cAAQ;AAAA,QACN,+DAA+D,QAAQ,gBAAgB,IAAI;AAAA,MAC7F;AAAA,IACF;AAEA,QAAI,QAAQ,gBAAgB,MAAM;AAChC,UAAIA,QAAO;AACT,gBAAQ,MAAM,oCAAoC;AAAA,MACpD;AACA;AAAA,IACF;AAEA,QAAI,KAAK,iBAAiB,MAAM;AAC9B,UAAIA,QAAO;AACT,gBAAQ,MAAM,gCAAgC;AAAA,MAChD;AACA;AAAA,IACF;AAGA,UAAM,YAAY,OAAO,KAAK,QAAQ,cAAc,QAAQ;AAC5D,QAAIA,QAAO;AACT,cAAQ;AAAA,QACN,0CAA0C,UAAU,MAAM;AAAA,MAC5D;AAAA,IACF;AAEA,UAAM,YAAmB;AAAA,MACvB;AAAA,QACE,KAAK,KAAK,cAAc;AAAA,QACxB,UAAU;AAAA,QACV,SAAgB,kBAAU;AAAA,MAC5B;AAAA,MACA;AAAA,IACF;AAEA,SAAK,cAAc,eAAe;AAElC,QAAIA,QAAO;AACT,cAAQ;AAAA,QACN,0CAA0C,KAAK,cAAc,aAAa,MAAM;AAAA,MAClF;AAAA,IACF;AAEA,QAAI,KAAK,cAAc,cAAc;AACnC,WAAK,cAAc,aAAa;AAAA,IAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,uBACZ,YACe;AACf,QAAI,KAAK,eAAe,gBAAgB,MAAM;AAC5C;AAAA,IACF;AAEA,QAAI;AAEJ,QAAI,oBAAoB,cAAc,qBAAqB,YAAY;AAErE,YAAM,SAAS;AACf,YAAM,KAAK,OAAO,KAAK,OAAO,IAAI,QAAQ;AAC1C,YAAM,OAAO,OAAO,KAAK,OAAO,MAAM,QAAQ;AAC9C,YAAM,MAAM,OAAO,KAAK,OAAO,KAAK,QAAQ;AAE5C,YAAM,eAAe,KAAK,cAAc;AACxC,YAAM,SAAS,aAAa,SAAS,GAAG,EAAE;AAC1C,YAAM,SAAS,aAAa,SAAS,IAAI,EAAE;AAG3C,YAAM,OAAc,mBAAW,UAAU,MAAM;AAC/C,WAAK,OAAO,EAAE;AACd,WAAK,OAAO,IAAI;AAChB,YAAM,cAAc,KAAK,OAAO;AAEhC,UAAI,CAAQ,wBAAgB,KAAK,WAAW,GAAG;AAC7C,cAAM,IAAI,MAAM,gCAAgC;AAAA,MAClD;AAGA,YAAM,WAAkB,yBAAiB,eAAe,QAAQ,EAAE;AAClE,YAAM,YAAY,OAAO,OAAO;AAAA,QAC9B,SAAS,OAAO,IAAI;AAAA,QACpB,SAAS,MAAM;AAAA,MACjB,CAAC;AACD,gBAAU,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,IACjD,OAAO;AACL,gBAAU;AAAA,IACZ;AAEA,SAAK,wBAAwB,OAAO;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAAwB,SAAgC;AAC9D,QAAIA,QAAO;AACT,cAAQ;AAAA,QACN;AAAA,QACA,KAAK,UAAU,SAAS,MAAM,CAAC;AAAA,MACjC;AAAA,IACF;AAEA,QAAI,KAAK,IAAI,QAAQ,YAAY,KAAK,IAAI,CAAC,IAAI,uBAAuB;AACpE,UAAIA,QAAO;AACT,gBAAQ;AAAA,UACN,iDAAiD,QAAQ,SAAS,UAAU,KAAK,IAAI,CAAC;AAAA,QACxF;AAAA,MACF;AACA;AAAA,IACF;AAEA,UAAM,YAAY,QAAQ;AAE1B,QAAI,KAAK,UAAU,IAAI,SAAS,GAAG;AAEjC,YAAM,WAAW,KAAK,UAAU,IAAI,SAAS;AAC7C,mBAAa,SAAS,OAAO;AAC7B,WAAK,UAAU,OAAO,SAAS;AAC/B,eAAS,SAAS,OAAO;AAAA,IAC3B,WAAWA,QAAO;AAChB,cAAQ,MAAM,4CAA4C,SAAS,EAAE;AAAA,IACvE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAqC;AAEjD,UAAM,EAAE,WAAW,WAAW,IAAW,4BAAoB,OAAO;AAAA,MAClE,eAAe;AAAA,IACjB,CAAC;AAGD,UAAM,eAAe,UAAU,OAAO,EAAE,MAAM,QAAQ,QAAQ,MAAM,CAAC;AACrE,UAAM,eAAe,aAAa,SAAS,QAAQ;AAEnD,UAAM,eAAe;AAAA,MACnB,OAAO,KAAK;AAAA,MACZ,SAAS;AAAA,QACP,SAAS;AAAA,QACT,WAAW;AAAA,QACX,QAAQ,KAAK,UAAU;AAAA,QACvB,WAAW,KAAK;AAAA,QAChB,WAAW,KAAK,IAAI;AAAA,MACtB;AAAA,IACF;AAEA,QAAIA,QAAO;AACT,cAAQ;AAAA,QACN;AAAA,QACA,KAAK;AAAA,UACH;AAAA,YACE,GAAG;AAAA,YACH,SAAS;AAAA,cACP,GAAG,aAAa;AAAA,cAChB,WAAW,GAAG,aAAa,MAAM,GAAG,EAAE,CAAC;AAAA,YACzC;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,SAAK,YAAY,YAAY;AAE7B,WAAO,IAAI,QAAQ,CAACE,UAAS,WAAW;AACtC,WAAK,gBAAgB;AAAA,QACnB;AAAA,QACA;AAAA,QACA,cAAcA;AAAA,QACd,aAAa;AAAA,MACf;AAGA,iBAAW,MAAM;AACf,YAAI,KAAK,iBAAiB,CAAC,KAAK,cAAc,cAAc;AAC1D,iBAAO,IAAI,MAAM,gCAAgC,CAAC;AAAA,QACpD;AAAA,MACF,GAAG,eAAe;AAAA,IACpB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,kBAAiC;AAC7C,QAAI,KAAK,eAAe,aAAa,MAAM;AACzC;AAAA,IACF;AAGA,UAAM,eAAe,KAAK,cAAc,UAAU,OAAO;AAAA,MACvD,MAAM;AAAA,MACN,QAAQ;AAAA,IACV,CAAC;AACD,UAAM,OAAc,mBAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO;AAGrE,UAAM,cAAc,KAAK,SAAS,KAAK,EAAE,MAAM,GAAG,EAAE,EAAE,YAAY;AAClE,UAAM,YAAY,YAAY,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK;AAG7D,UAAM,MAAM;AACZ,UAAM,OAAO;AACb,UAAM,OAAO;AACb,UAAM,QAAQ;AAEd,YAAQ,MAAM,EAAE;AAChB,YAAQ,MAAM,GAAG,IAAI,qCAAqC,KAAK,EAAE;AACjE,YAAQ;AAAA,MACN;AAAA,IACF;AACA,YAAQ,MAAM,EAAE;AAChB,YAAQ,MAAM,GAAG,GAAG,KAAK,IAAI,GAAG,SAAS,GAAG,KAAK,EAAE;AACnD,YAAQ,MAAM,EAAE;AAChB,YAAQ,MAAM,uDAAuD;AACrE,YAAQ,MAAM,EAAE;AAAA,EAClB;AACF;;;AC7mBO,SAAS,IAAI,SAAuB;AACzC,MAAI,QAAQ,IAAI,aAAa,QAAQ;AACnC,YAAQ,MAAM,OAAO;AAAA,EACvB;AACF;AAKO,SAAS,WAAW,SAAuB;AAChD,MAAI,QAAQ,IAAI,kBAAkB,UAAU,QAAQ,IAAI,aAAa,QAAQ;AAC3E,YAAQ,MAAM,OAAO;AAAA,EACvB;AACF;;;AChBA,YAAYC,aAAY;AACxB,YAAYC,SAAQ;AACpB,YAAYC,SAAQ;AACpB,YAAYC,WAAU;AAKtB,IAAM,kBAAkB;AAKxB,SAAS,gBAAwB;AAC/B,MAAI,QAAQ,IAAI,0BAA0B;AACxC,WAAY,cAAQ,QAAQ,IAAI,wBAAwB;AAAA,EAC1D;AAEA,QAAMC,YAAc,aAAS;AAC7B,QAAM,UAAa,YAAQ;AAE3B,MAAIA,cAAa,UAAU;AACzB,WAAY,WAAK,SAAS,2CAA2C;AAAA,EACvE,WAAWA,cAAa,SAAS;AAC/B,WAAY,WAAK,QAAQ,IAAI,WAAW,SAAS,eAAe;AAAA,EAClE,OAAO;AAEL,UAAM,YACJ,QAAQ,IAAI,mBAAwB,WAAK,SAAS,SAAS;AAC7D,WAAY,WAAK,WAAW,eAAe;AAAA,EAC7C;AACF;AAKO,SAAS,qBAA6B;AAC3C,QAAM,WAAkB,oBAAY,EAAE;AACtC,SAAO,SAAS,SAAS,QAAQ;AACnC;AASA,SAAS,sBAAsB,MAAkB,YAA4B;AAE3E,QAAM,WAAW,OAAO,KAAK,YAAY,QAAQ;AACjD,MAAI,SAAS,WAAW,IAAI;AAC1B,UAAM,IAAI,MAAM,8BAA8B;AAAA,EAChD;AAEA,QAAM,SAAS,SAAS,SAAS,GAAG,EAAE;AACtC,QAAM,SAAS,SAAS,SAAS,IAAI,EAAE;AAGvC,QAAM,KAAY,oBAAY,EAAE;AAGhC,QAAM,SAAgB,uBAAe,eAAe,QAAQ,EAAE;AAC9D,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,IAAI,GAAG,OAAO,MAAM,CAAC,CAAC;AAGrE,QAAM,OAAc,mBAAW,UAAU,MAAM;AAC/C,OAAK,OAAO,EAAE;AACd,OAAK,OAAO,SAAS;AACrB,QAAM,MAAM,KAAK,OAAO;AAGxB,QAAM,SAAS,OAAO,MAAM,IAAI,KAAK,KAAK,UAAU,MAAM;AAC1D,SAAO,WAAW,iBAAiB,CAAC;AACpC,KAAG,KAAK,QAAQ,CAAC;AACjB,MAAI,KAAK,QAAQ,EAAE;AACnB,YAAU,KAAK,QAAQ,EAAE;AAEzB,SAAO,OAAO,SAAS,QAAQ;AACjC;AAKA,SAAS,cAAuC;AAC9C,QAAM,WAAgB,WAAK,cAAc,GAAG,WAAW;AAEvD,MAAI;AACF,UAAM,UAAa,iBAAa,UAAU,OAAO;AACjD,WAAO,UAAU,KAAK,MAAM,OAAO,IAAI,CAAC;AAAA,EAC1C,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAKO,SAAS,kBAAiC;AAC/C,QAAM,OAAO,YAAY;AACzB,QAAM,SAAS,KAAK;AACpB,SAAO,OAAO,WAAW,WAAW,SAAS;AAC/C;AAKA,SAAS,aAAa,MAAqC;AACzD,QAAM,UAAU,cAAc;AAC9B,QAAM,WAAgB,WAAK,SAAS,WAAW;AAG/C,MAAI,CAAI,eAAW,OAAO,GAAG;AAC3B,IAAG,cAAU,SAAS,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AAAA,EACxD;AAGA,EAAG,kBAAc,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AAC3E;AAaO,SAAS,uBACd,YACA,QACA,YACM;AAEN,QAAM,eAAe,OAAO,KAAK,YAAY,QAAQ;AAGrD,QAAM,mBAAmB,sBAAsB,cAAc,UAAU;AAGvE,QAAM,aAAa,gBAAgB,MAAM;AAEzC,QAAM,OAAO,YAAY;AACzB,OAAK,UAAU,IAAI;AACnB,eAAa,IAAI;AACnB;;;AJ5IA,SAAS,yBAAiC;AACxC,UAAQ,QAAQ,UAAU;AAAA,IACxB,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT;AACE,aAAO;AAAA,EACX;AACF;AA0BA,SAAS,gBAAwB;AAC/B,SAAO,SAAgB,mBAAW,CAAC;AACrC;AAKA,eAAsB,uBACpB,UAAkC,CAAC,GACH;AAEhC,QAAM,SAAS,QAAQ,UAAU,gBAAgB;AACjD,MAAI,CAAC,QAAQ;AACX;AAAA,MACE;AAAA,IACF;AACA,WAAO,EAAE,SAAS,MAAM;AAAA,EAC1B;AAEA,QAAM,QAAQ,cAAc;AAC5B,QAAM,SAAS,IAAI,sBAAsB,OAAO,MAAM;AAEtD,MAAI;AAEF,UAAM,YAAY,MAAM,OAAO,sBAAsB;AACrD,QAAI,CAAC,WAAW;AACd;AAAA,QACE;AAAA,MACF;AACA,aAAO,EAAE,SAAS,MAAM;AAAA,IAC1B;AAEA,eAAW,oCAAoC;AAE/C,UAAM,OAAO,QAAQ;AAGrB,eAAW,+BAA+B;AAE1C,UAAM,aAAa,MAAM,OAAO,2BAA2B,MAAM;AAGjE,QAAI,kCAA2C;AAC7C,YAAM,aACJ,iBAAiB,UAAU,KAAK,WAAW,UAAU;AACvD,iBAAW,iCAAiC,UAAU,EAAE;AACxD,aAAO,EAAE,SAAS,MAAM;AAAA,IAC1B;AAGA;AAAA,MACE,qBAAqB,uBAAuB,CAAC;AAAA,IAC/C;AAEA,UAAM,UAAU,MAAM,OAAO,4BAA4B,MAAM;AAE/D,QAAI,CAAC,SAAS;AACZ,UAAI,uCAAuC;AAC3C,aAAO,EAAE,SAAS,MAAM;AAAA,IAC1B;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,YAAY;AAAA,MACZ;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,UAAM,QAAQ,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC7D,QAAI,4BAA4B,KAAK,EAAE;AACvC,WAAO,EAAE,SAAS,MAAM;AAAA,EAC1B,UAAE;AACA,WAAO,WAAW;AAAA,EACpB;AACF;;;AK9GA,IAAM,uBAAuB,oBAAI,IAAI;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,oBAAoB,oBAAI,IAAI,CAAC,UAAU,MAAM,aAAa,IAAI,CAAC;AAY9D,SAAS,qBAAqBC,OAAyB;AAC5D,MAAIA,MAAK,WAAW,GAAG;AAErB,WAAO;AAAA,EACT;AAEA,QAAM,WAAWA,MAAK,CAAC;AAGvB,MAAIA,MAAK,KAAK,CAAC,QAAQ,kBAAkB,IAAI,GAAG,CAAC,GAAG;AAClD,WAAO;AAAA,EACT;AAGA,MAAI,qBAAqB,IAAI,QAAQ,GAAG;AACtC,WAAO;AAAA,EACT;AAEA,SAAO;AACT;;;AN3CA,SAAS,QAAQ,GAAiB;AAChC,MAAI,QAAQ,IAAI,aAAa,QAAQ;AACnC,YAAQ,OAAO,MAAM,GAAG,CAAC;AAAA,CAAI;AAAA,EAC/B;AACF;AAQA,SAAS,YAAoB;AAC3B,SAAO;AACT;AASA,eAAe,UAAUC,OAAgB,YAAsC;AAC7E,SAAO,IAAI,QAAQ,CAACC,aAAY;AAC9B,UAAM,MAAM,EAAE,GAAG,QAAQ,IAAI;AAE7B,QAAI,YAAY;AACd,UAAI,aAAa;AAAA,IACnB;AAEA,UAAM,QAAQ,MAAM,UAAU,GAAGD,OAAM;AAAA,MACrC,OAAO;AAAA,MACP;AAAA;AAAA,MAEA,OAAO,QAAQ,aAAa;AAAA,IAC9B,CAAC;AAED,UAAM,GAAG,SAAS,CAAC,QAAQ;AACzB,cAAQ,MAAM,yBAAyB,IAAI,OAAO,EAAE;AACpD,MAAAC,SAAQ,CAAC;AAAA,IACX,CAAC;AAED,UAAM,GAAG,SAAS,CAAC,SAAS;AAC1B,MAAAA,SAAQ,QAAQ,CAAC;AAAA,IACnB,CAAC;AAAA,EACH,CAAC;AACH;AAKA,eAAe,aACbD,OACA,YACiB;AAEjB,QAAM,QAAQA,MAAK,SAAS,OAAO;AAEnC,MAAI,OAAO;AACT,YAAQ,UAAU;AAAA,EACpB,OAAO;AACL,YAAQ,sBAAsB,UAAU,GAAG;AAC3C,YAAQ,6DAA6D;AAAA,EACvE;AAEA,SAAO;AACT;AAQA,eAAsB,KAAKA,OAAiC;AAE1D,MAAIA,MAAK,SAAS,SAAS,GAAG;AAC5B,YAAQ,IAAI,WAAW;AAAA,EACzB;AACA,MAAIA,MAAK,SAAS,iBAAiB,GAAG;AACpC,YAAQ,IAAI,mBAAmB;AAAA,EACjC;AAGA,MACE,QAAQ,IAAI,cACZ,QAAQ,IAAI,qBAAqB,UACjC,qBAAqBA,KAAI,GACzB;AACA,WAAO,UAAUA,KAAI;AAAA,EACvB;AAGA,QAAM,SAAS,MAAM,uBAAuB;AAE5C,MAAI,OAAO,SAAS;AAElB,UAAM,aAAa,mBAAmB;AACtC,2BAAuB,OAAO,YAAY,OAAO,QAAQ,UAAU;AAGnE,QAAIA,MAAK,CAAC,MAAM,UAAU;AACxB,aAAO,aAAaA,OAAM,UAAU;AAAA,IACtC;AAGA,WAAO,UAAUA,OAAM,UAAU;AAAA,EACnC;AAGA,SAAO,UAAUA,KAAI;AACvB;;;AOhHA,IAAM,OAAO,QAAQ,KAAK,MAAM,CAAC;AAEjC,KAAK,IAAI,EACN,KAAK,CAAC,SAAS;AACd,UAAQ,KAAK,IAAI;AACnB,CAAC,EACA,MAAM,CAAC,QAAQ;AACd,UAAQ,MAAM,qBAAqB,GAAG;AACtC,UAAQ,KAAK,CAAC;AAChB,CAAC;","names":["crypto","platform","resolve","crypto","DEBUG","BiometricsStatus","resolve","crypto","fs","os","path","platform","args","args","resolve"]}

package/package.json CHANGED Viewed

@@ -1,8 +1,24 @@
 {
   "name": "bitwarden-cli-bio",
-  "version": "0.0.1",
+  "version": "1.1.0",
   "description": "A CLI wrapper for Bitwarden that adds biometric unlock support via the Desktop app",
-  "main": "index.js",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "bwbio": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --dts --clean",
+    "dev": "tsup src/index.ts --format esm --watch",
+    "test": "vitest run --project unit",
+    "test:e2e": "vitest run --project e2e",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "lint": "biome check .",
+    "lint:fix": "biome check --write .",
+    "prepublishOnly": "npm run build",
+    "release": "semantic-release"
+  },
   "keywords": [
     "bitwarden",
     "cli",
@@ -11,5 +27,38 @@
     "windows-hello"
   ],
   "author": "Jean Regisser",
-  "license": "MIT"
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/jeanregisser/bitwarden-cli-bio.git"
+  },
+  "homepage": "https://github.com/jeanregisser/bitwarden-cli-bio",
+  "bugs": {
+    "url": "https://github.com/jeanregisser/bitwarden-cli-bio/issues"
+  },
+  "files": [
+    "dist"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=22"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "release": {
+    "branches": [
+      "main"
+    ],
+    "preset": "conventionalcommits"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "2.3.13",
+    "@types/node": "^22.19.7",
+    "conventional-changelog-conventionalcommits": "^9.1.0",
+    "semantic-release": "^25.0.2",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  }
 }