certops 0.0.1

package/dist/api.js

@@ -0,0 +1,27 @@
+export function createApiClient(options) {
+    const base = (options.apiUrl ?? 'https://ssl-manager.dcom.at').replace(/\/$/, '');
+    async function request(path) {
+        const res = await fetch(`${base}/api/cli${path}`, {
+            headers: {
+                'Authorization': `Bearer ${options.apiKey}`,
+                'Content-Type': 'application/json',
+            },
+        });
+        const body = (await res.json());
+        if (!res.ok || 'errors' in body) {
+            const errBody = body;
+            const msg = errBody.errors?.[0]?.message ?? `HTTP ${res.status}`;
+            throw new Error(msg);
+        }
+        return body.data;
+    }
+    return {
+        async listCerts() {
+            const data = await request('/certs');
+            return data.certs;
+        },
+        async downloadCert(id) {
+            return request(`/certs/${id}/download`);
+        },
+    };
+}

package/dist/client.js

@@ -0,0 +1,21 @@
+import input from '@inquirer/input';
+import { readConfig } from './config.js';
+import { createApiClient } from './api.js';
+export async function getConfiguredClient() {
+    let apiKey = process.env['SSL_PILOT_API_KEY'];
+    if (!apiKey) {
+        if (!process.stdin.isTTY) {
+            process.stderr.write('Error: SSL_PILOT_API_KEY is not set and no TTY is available for prompt.\n');
+            process.stderr.write('  export SSL_PILOT_API_KEY=\'sslpilot_...\'\n\n');
+            process.exit(1);
+        }
+        apiKey = await input({
+            message: 'API key (sslpilot_...):',
+            validate: (v) => v.startsWith('sslpilot_') && v.length > 10
+                ? true
+                : 'Key must start with sslpilot_',
+        });
+    }
+    const config = await readConfig();
+    return createApiClient({ apiKey, apiUrl: config.apiUrl });
+}

package/dist/commands/download.js

@@ -0,0 +1,87 @@
+import { Command } from 'commander';
+import select from '@inquirer/select';
+import {} from '../api.js';
+import { getConfiguredClient } from '../client.js';
+import { saveCert } from '../files.js';
+async function performDownload(cert, client) {
+    process.stdout.write(`\nDownloading ${cert.certName}…\n`);
+    const files = await client.downloadCert(cert._id);
+    const { certPath, keyPath } = await saveCert(files.certName, files.certPem, files.keyPem);
+    process.stdout.write(`  ✓ Certificate : ${certPath}\n`);
+    process.stdout.write(`  ✓ Private key : ${keyPath}\n`);
+    if (files.expiryDate) {
+        process.stdout.write(`  ✓ Expires     : ${new Date(files.expiryDate).toLocaleDateString()}\n`);
+    }
+    process.stdout.write('\n');
+}
+export const downloadCommand = new Command('download')
+    .description('Download a certificate to /etc/certops/certs/<domain>/ — requires sudo')
+    .argument('[certName]', 'Certificate name, e.g. *.example.com (omit to pick interactively)')
+    .option('-i, --id <id>', 'Download by certificate ID')
+    .addHelpText('after', `
+Examples:
+  sudo certops download                         Interactive picker
+  sudo certops download '*.example.com'         By domain name
+  sudo certops download --id 6643abc...         By certificate ID
+`)
+    .action(async (certName, opts) => {
+    const DOWNLOADABLE = new Set(['active', 'renewing']);
+    try {
+        const client = await getConfiguredClient();
+        if (opts.id) {
+            const certs = await client.listCerts();
+            const cert = certs.find(c => c._id === opts.id);
+            if (!cert) {
+                process.stderr.write(`\nError: no certificate found with ID "${opts.id}"\n\n`);
+                process.exit(1);
+            }
+            await performDownload(cert, client);
+            return;
+        }
+        const certs = await client.listCerts();
+        if (certs.length === 0) {
+            process.stdout.write('\nNo certificates found in your account.\n\n');
+            return;
+        }
+        if (certName) {
+            const match = certs.find(c => c.certName === certName);
+            if (!match) {
+                process.stderr.write(`\nError: no certificate found for "${certName}"\n`);
+                process.stderr.write('Run "sp list" to see available certificates.\n\n');
+                process.exit(1);
+            }
+            if (!DOWNLOADABLE.has(match.status)) {
+                process.stderr.write(`\nError: "${certName}" is not available for download (status: ${match.status})\n\n`);
+                process.exit(1);
+            }
+            await performDownload(match, client);
+            return;
+        }
+        const active = certs.filter(c => DOWNLOADABLE.has(c.status));
+        if (active.length === 0) {
+            process.stdout.write('\nNo active certificates available.\n\n');
+            return;
+        }
+        const chosen = await select({
+            message: 'Select a certificate to download:',
+            choices: active.map(c => {
+                const expiry = c.expiryDate
+                    ? `expires ${new Date(c.expiryDate).toLocaleDateString()}`
+                    : 'no expiry';
+                const renewingTag = c.status === 'renewing' ? ' [renewing]' : '';
+                const tag = c.certType === 'wildcard' ? ' [wildcard]' : c.certType === 'apex' ? ' [apex]' : '';
+                return {
+                    name: `${c.certName}${tag}${renewingTag}  —  ${expiry}`,
+                    value: c,
+                };
+            }),
+        });
+        await performDownload(chosen, client);
+    }
+    catch (err) {
+        if (err.name === 'ExitPromptError')
+            process.exit(0);
+        process.stderr.write(`\nError: ${err.message}\n\n`);
+        process.exit(1);
+    }
+});

package/dist/commands/list.js

@@ -0,0 +1,40 @@
+import { Command } from 'commander';
+import { getConfiguredClient } from '../client.js';
+export const listCommand = new Command('list')
+    .description('List all certificates in your organisation')
+    .action(async () => {
+    try {
+        const client = await getConfiguredClient();
+        const certs = await client.listCerts();
+        if (certs.length === 0) {
+            process.stdout.write('\nNo certificates found in your account.\n\n');
+            return;
+        }
+        const active = certs.filter(c => c.status === 'active');
+        const inactive = certs.filter(c => c.status !== 'active');
+        const maxLen = Math.max(...certs.map(c => c.certName.length), 10);
+        const pad = (s, n) => s.padEnd(n);
+        const typeTag = (type) => type === 'wildcard' ? '[wildcard]' : type === 'apex' ? '[apex]    ' : '[single]  ';
+        process.stdout.write(`\nFound ${certs.length} certificate(s)\n`);
+        if (active.length > 0) {
+            process.stdout.write(`\nACTIVE (${active.length})\n`);
+            for (const c of active) {
+                const expiry = c.expiryDate
+                    ? `expires ${new Date(c.expiryDate).toLocaleDateString()}`
+                    : 'no expiry info';
+                process.stdout.write(`  ${pad(c.certName, maxLen)}  ${typeTag(c.certType)}  ${expiry}\n`);
+            }
+        }
+        if (inactive.length > 0) {
+            process.stdout.write(`\nOTHER (${inactive.length})\n`);
+            for (const c of inactive) {
+                process.stdout.write(`  ${pad(c.certName, maxLen)}  ${typeTag(c.certType)}  ${c.status}\n`);
+            }
+        }
+        process.stdout.write('\n');
+    }
+    catch (err) {
+        process.stderr.write(`\nError: ${err.message}\n\n`);
+        process.exit(1);
+    }
+});

package/dist/commands/service/configure.js

@@ -0,0 +1,67 @@
+import { Command } from 'commander';
+import input from '@inquirer/input';
+import { spawnSync } from 'child_process';
+import { readConfig, writeConfig } from '../../config.js';
+export const configureCommand = new Command('configure')
+    .description('Update service config (watch domains, check interval) and restart')
+    .action(async () => {
+    try {
+        if (process.getuid?.() !== 0) {
+            console.error('Error: certops service configure must run as root.');
+            console.error('\n  sudo sp service configure\n');
+            process.exit(1);
+        }
+        const existing = await readConfig();
+        console.log('\nSSL Pilot — Update Service Config\n');
+        console.log('  (API key is stored in the systemd unit, not changed here)\n');
+        const intervalStr = await input({
+            message: 'Check interval (hours):',
+            default: String(existing.checkIntervalHours),
+            validate: (v) => Number.isInteger(Number(v)) && Number(v) > 0 ? true : 'Must be a positive integer',
+        });
+        const thresholdStr = await input({
+            message: 'Download cert when expiry within (days):',
+            default: String(existing.renewalThresholdDays),
+            validate: (v) => Number.isInteger(Number(v)) && Number(v) > 0 ? true : 'Must be a positive integer',
+        });
+        const retriesStr = await input({
+            message: 'Max download retries per cert:',
+            default: String(existing.maxDownloadRetries),
+            validate: (v) => Number.isInteger(Number(v)) && Number(v) >= 0 ? true : 'Must be a non-negative integer',
+        });
+        const domainsRaw = await input({
+            message: 'Watch specific domains (comma-separated, blank = all active):',
+            default: existing.watchDomains.join(', '),
+        });
+        const watchDomains = domainsRaw
+            .split(',')
+            .map(d => d.trim())
+            .filter(Boolean);
+        await writeConfig({
+            ...existing,
+            checkIntervalHours: Number(intervalStr),
+            renewalThresholdDays: Number(thresholdStr),
+            maxDownloadRetries: Number(retriesStr),
+            watchDomains,
+        });
+        console.log('\n✓ Config updated at /etc/certops/config.json');
+        const result = spawnSync('systemctl', ['restart', 'certops'], {
+            stdio: ['inherit', 'inherit', 'pipe'],
+            encoding: 'utf8',
+        });
+        if (result.status !== 0) {
+            if (result.stderr?.trim())
+                process.stderr.write(result.stderr + '\n');
+            process.stderr.write('\nWarning: config saved but service restart failed.\n');
+            process.stderr.write('  Run: sudo sp service start\n\n');
+            process.exit(1);
+        }
+        console.log('✓ Service restarted with new config.\n');
+    }
+    catch (err) {
+        if (err.name === 'ExitPromptError')
+            process.exit(0);
+        console.error(`\nError: ${err.message}`);
+        process.exit(1);
+    }
+});

package/dist/commands/service/control.js

@@ -0,0 +1,86 @@
+import { Command } from 'commander';
+import { spawnSync } from 'child_process';
+import { unlink } from 'fs/promises';
+import { resolveApiKey, runRenewalCycle } from './renew.js';
+const UNIT = 'certops';
+const UNIT_PATH = '/etc/systemd/system/certops.service';
+/**
+ * Runs systemctl with stdout inherited (visible) and stderr captured.
+ * Stderr is only printed if the command fails, so noisy shim warnings
+ * from Python-based systemctl stubs don't pollute normal output.
+ */
+function systemctl(args, exitOnFail = true) {
+    const result = spawnSync('systemctl', args, {
+        stdio: ['inherit', 'inherit', 'pipe'],
+        encoding: 'utf8',
+    });
+    if (result.status !== 0) {
+        if (result.stderr?.trim())
+            process.stderr.write(result.stderr + '\n');
+        if (exitOnFail)
+            process.exit(1);
+        return false;
+    }
+    return true;
+}
+function requireRoot() {
+    if (process.getuid?.() !== 0) {
+        process.stderr.write('\nError: this command requires root. Use sudo.\n\n');
+        process.exit(1);
+    }
+}
+export const startCommand = new Command('start')
+    .description('Start the SSL Pilot service')
+    .action(() => { requireRoot(); systemctl(['start', UNIT]); });
+export const stopCommand = new Command('stop')
+    .description('Stop the SSL Pilot service')
+    .action(() => { requireRoot(); systemctl(['stop', UNIT]); });
+export const restartCommand = new Command('restart')
+    .description('Restart the service — picks up config.json changes immediately')
+    .action(() => { requireRoot(); systemctl(['restart', UNIT]); });
+export const statusCommand = new Command('status')
+    .description('Show SSL Pilot service status')
+    .action(() => { systemctl(['status', UNIT]); });
+export const checkCommand = new Command('check')
+    .description('Run one renewal check cycle immediately (for testing)')
+    .action(async () => {
+    requireRoot();
+    const apiKey = await resolveApiKey();
+    if (!apiKey) {
+        process.stderr.write('\nError: SSL_PILOT_API_KEY not found in environment or service unit.\n');
+        process.stderr.write('  Set the env var or run: sudo sp service install\n\n');
+        process.exit(1);
+    }
+    const log = (msg) => process.stdout.write(`  ${msg}\n`);
+    process.stdout.write('\nRunning renewal check…\n\n');
+    try {
+        const result = await runRenewalCycle(apiKey, log);
+        process.stdout.write(`\n  Done — checked: ${result.checked}, downloaded: ${result.downloaded}, errors: ${result.errors}\n\n`);
+        if (result.errors > 0)
+            process.exit(1);
+    }
+    catch (err) {
+        process.stderr.write(`\nError: ${err.message}\n\n`);
+        process.exit(1);
+    }
+});
+export const uninstallServiceCommand = new Command('uninstall')
+    .description('Stop, disable, and remove the SSL Pilot service unit')
+    .action(async () => {
+    requireRoot();
+    process.stdout.write('\nRemoving SSL Pilot service…\n\n');
+    systemctl(['stop', UNIT], false);
+    systemctl(['disable', UNIT], false);
+    try {
+        await unlink(UNIT_PATH);
+        process.stdout.write(`  ✓ Removed ${UNIT_PATH}\n`);
+    }
+    catch (err) {
+        if (err.code !== 'ENOENT')
+            throw err;
+    }
+    systemctl(['daemon-reload'], false);
+    process.stdout.write('\n  ✓ Service uninstalled.\n');
+    process.stdout.write('    /etc/certops/ (config, state, certs, hooks) was NOT removed.\n');
+    process.stdout.write('    Run "sudo sp service install" to reinstall.\n\n');
+});

package/dist/commands/service/daemon.js

@@ -0,0 +1,35 @@
+import { Command } from 'commander';
+import { readConfig } from '../../config.js';
+import { resolveApiKey, runRenewalCycle } from './renew.js';
+function log(msg) {
+    process.stdout.write(`[${new Date().toISOString()}] ${msg}\n`);
+}
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+async function tick() {
+    const apiKey = await resolveApiKey();
+    if (!apiKey) {
+        log('SSL_PILOT_API_KEY not available — skipping cycle.');
+        return;
+    }
+    try {
+        const result = await runRenewalCycle(apiKey, log);
+        log(`Cycle complete — checked: ${result.checked}, downloaded: ${result.downloaded}, errors: ${result.errors}`);
+    }
+    catch (err) {
+        log(`Cycle failed: ${err.message}`);
+    }
+}
+export const daemonCommand = new Command('run')
+    .description('Run the monitoring daemon (managed by systemd)')
+    .action(async () => {
+    log('SSL Pilot daemon starting.');
+    process.on('SIGTERM', () => { log('SIGTERM — shutting down.'); process.exit(0); });
+    process.on('SIGINT', () => { log('SIGINT — shutting down.'); process.exit(0); });
+    while (true) {
+        await tick();
+        const config = await readConfig();
+        await sleep(config.checkIntervalHours * 60 * 60 * 1000);
+    }
+});

package/dist/commands/service/index.js

@@ -0,0 +1,34 @@
+import { Command } from 'commander';
+import { installCommand } from './install.js';
+import { configureCommand } from './configure.js';
+import { daemonCommand } from './daemon.js';
+import { startCommand, stopCommand, restartCommand, statusCommand, checkCommand, uninstallServiceCommand } from './control.js';
+export const serviceCommand = new Command('service')
+    .description('Manage the SSL Pilot auto-renewal background service')
+    .addHelpText('after', `
+Commands:
+  install      Interactive setup — writes config, hooks, and installs systemd unit
+  configure    Update watch domains, interval, thresholds — restarts service
+  start        Start the service        (requires sudo)
+  stop         Stop the service         (requires sudo)
+  restart      Restart — picks up /etc/certops/config.json changes (requires sudo)
+  status       Show service status
+  check        Run one renewal cycle immediately (requires sudo)
+  uninstall    Remove the systemd unit (config and certs are kept) (requires sudo)
+
+Examples:
+  sudo certops service install
+  sudo certops service configure
+  sudo certops service restart
+  certops service status
+  journalctl -u certops -f
+`);
+serviceCommand.addCommand(installCommand);
+serviceCommand.addCommand(configureCommand);
+serviceCommand.addCommand(startCommand);
+serviceCommand.addCommand(stopCommand);
+serviceCommand.addCommand(restartCommand);
+serviceCommand.addCommand(statusCommand);
+serviceCommand.addCommand(checkCommand);
+serviceCommand.addCommand(uninstallServiceCommand);
+serviceCommand.addCommand(daemonCommand, { hidden: true });

package/dist/commands/service/install.js

@@ -0,0 +1,132 @@
+import { Command } from 'commander';
+import input from '@inquirer/input';
+import { writeFile, mkdir } from 'fs/promises';
+import { spawnSync } from 'child_process';
+import { readConfig, writeConfig, CERTS_DIR, HOOKS_DIR } from '../../config.js';
+import { domainHookPath, GLOBAL_HOOK } from '../../hooks.js';
+const UNIT_PATH = '/etc/systemd/system/certops.service';
+function buildUnitContent(apiKey) {
+    return `\
+[Unit]
+Description=SSL Pilot Certificate Monitor
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+Environment=SSL_PILOT_API_KEY=${apiKey}
+ExecStart=/usr/local/bin/certops service run
+Restart=on-failure
+RestartSec=30
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=certops
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+const HOOK_TEMPLATE = `#!/usr/bin/env bash
+# Available env vars:
+#   SSL_PILOT_CERT_NAME  — certificate name (e.g. *.example.com)
+#   SSL_PILOT_DOMAIN     — domain without wildcard (e.g. example.com)
+#   SSL_PILOT_CERT_PATH  — path to certificate.crt
+#   SSL_PILOT_KEY_PATH   — path to private.key
+
+# Example: reload nginx after cert update
+# systemctl reload nginx
+`;
+export const installCommand = new Command('install')
+    .description('Install and configure the SSL Pilot background service')
+    .action(async () => {
+    try {
+        if (process.getuid?.() !== 0) {
+            console.error('Error: certops service install must run as root.');
+            console.error('\n  sudo -E sp service install\n');
+            process.exit(1);
+        }
+        console.log('\nSSL Pilot Service Setup\n');
+        const existing = await readConfig();
+        // API key — env takes precedence, otherwise prompt
+        const apiKey = process.env['SSL_PILOT_API_KEY'] ?? await input({
+            message: 'SSL Pilot API key (sslpilot_...):',
+            validate: (v) => v.startsWith('sslpilot_') && v.length > 10
+                ? true
+                : 'Key must start with sslpilot_',
+        });
+        const apiUrl = await input({
+            message: 'API URL (leave blank for default https://ssl-manager.dcom.at):',
+            default: existing.apiUrl ?? '',
+        });
+        const intervalStr = await input({
+            message: 'Check interval (hours):',
+            default: String(existing.checkIntervalHours),
+            validate: (v) => Number.isInteger(Number(v)) && Number(v) > 0 ? true : 'Must be a positive integer',
+        });
+        const domainsRaw = await input({
+            message: 'Watch specific domains (comma-separated, blank = all active):',
+            default: existing.watchDomains.join(', '),
+        });
+        const watchDomains = domainsRaw
+            .split(',')
+            .map(d => d.trim())
+            .filter(Boolean);
+        const config = {
+            apiUrl: apiUrl.trim() || undefined,
+            renewalThresholdDays: existing.renewalThresholdDays,
+            checkIntervalHours: Number(intervalStr),
+            watchDomains,
+            maxDownloadRetries: existing.maxDownloadRetries,
+        };
+        // Write config + create directories
+        await writeConfig(config);
+        await mkdir(CERTS_DIR, { recursive: true });
+        await mkdir(HOOKS_DIR, { recursive: true });
+        console.log('\n✓ Config written to /etc/certops/config.json');
+        // Create hook stubs only if they don't exist yet
+        for (const domain of watchDomains) {
+            const hookFile = domainHookPath(domain);
+            try {
+                await writeFile(hookFile, HOOK_TEMPLATE, { flag: 'wx', mode: 0o755 });
+                console.log(`✓ Hook stub created: ${hookFile}`);
+            }
+            catch (err) {
+                if (err.code !== 'EEXIST')
+                    throw err;
+            }
+        }
+        try {
+            await writeFile(GLOBAL_HOOK, HOOK_TEMPLATE, { flag: 'wx', mode: 0o755 });
+            console.log(`✓ Global hook stub created: ${GLOBAL_HOOK}`);
+        }
+        catch (err) {
+            if (err.code !== 'EEXIST')
+                throw err;
+        }
+        // Write systemd unit
+        await writeFile(UNIT_PATH, buildUnitContent(apiKey), { encoding: 'utf8', mode: 0o600 });
+        console.log(`✓ Systemd unit written to ${UNIT_PATH}`);
+        for (const args of [
+            ['daemon-reload'],
+            ['enable', 'certops'],
+            ['restart', 'certops'],
+        ]) {
+            const r = spawnSync('systemctl', args, { stdio: ['inherit', 'inherit', 'pipe'], encoding: 'utf8' });
+            if (r.status !== 0) {
+                if (r.stderr?.trim())
+                    process.stderr.write(r.stderr + '\n');
+                process.exit(1);
+            }
+        }
+        console.log('\n✓ Service enabled and started.\n');
+        console.log('  Edit hooks in  : /etc/certops/hooks/');
+        console.log('  Check status   : certops service status');
+        console.log('  Follow logs    : journalctl -u certops -f\n');
+    }
+    catch (err) {
+        if (err.name === 'ExitPromptError')
+            process.exit(0);
+        console.error(`\nError: ${err.message}`);
+        process.exit(1);
+    }
+});

package/dist/commands/service/renew.js

@@ -0,0 +1,89 @@
+import { createApiClient } from '../../api.js';
+import { saveCert } from '../../files.js';
+import { readConfig } from '../../config.js';
+import { readState, updateCertState } from '../../state.js';
+import { runHooks } from '../../hooks.js';
+const BASE_RETRY_DELAY_MS = 2_000; // 2 s → 4 s → 8 s …
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+export async function resolveApiKey() {
+    if (process.env['SSL_PILOT_API_KEY'])
+        return process.env['SSL_PILOT_API_KEY'];
+    try {
+        const { execSync } = await import('child_process');
+        const out = execSync('systemctl show certops -p Environment --value', { encoding: 'utf8' });
+        const match = out.match(/SSL_PILOT_API_KEY=(\S+)/);
+        return match?.[1] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+export async function runRenewalCycle(apiKey, log) {
+    const config = await readConfig();
+    const client = createApiClient({ apiKey, apiUrl: config.apiUrl });
+    const allCerts = await client.listCerts();
+    const DOWNLOADABLE = new Set(['active', 'renewing']);
+    const certs = config.watchDomains.length > 0
+        ? allCerts.filter(c => config.watchDomains.includes(c.certName))
+        : allCerts.filter(c => DOWNLOADABLE.has(c.status));
+    const state = await readState();
+    const thresholdMs = config.renewalThresholdDays * 24 * 60 * 60 * 1000;
+    const maxRetries = Math.max(0, config.maxDownloadRetries);
+    const now = Date.now();
+    let downloaded = 0;
+    let errors = 0;
+    for (const cert of certs) {
+        if (!DOWNLOADABLE.has(cert.status)) {
+            log(`Skip ${cert.certName} — ${cert.status}`);
+            continue;
+        }
+        const local = state[cert.certName];
+        const parsed = cert.expiryDate ? new Date(cert.expiryDate).getTime() : 0;
+        const certExpiry = Number.isFinite(parsed) ? parsed : 0;
+        const neverDownloaded = !local;
+        const expiryChanged = !neverDownloaded && local.expiryDate !== cert.expiryDate;
+        const expiringInTime = certExpiry > 0 && certExpiry - now <= thresholdMs;
+        if (!neverDownloaded && !expiryChanged && !expiringInTime) {
+            const daysLeft = certExpiry ? Math.ceil((certExpiry - now) / 86_400_000) : 0;
+            log(`OK ${cert.certName} — ${daysLeft}d until expiry`);
+            continue;
+        }
+        const reason = neverDownloaded ? 'first download' : expiryChanged ? 'cert renewed' : 'expiring soon';
+        log(`Downloading ${cert.certName} (${reason})…`);
+        let lastError;
+        let attempt = 0;
+        while (attempt <= maxRetries) {
+            if (attempt > 0) {
+                const delay = BASE_RETRY_DELAY_MS * Math.pow(2, attempt - 1);
+                log(`  retry ${attempt}/${maxRetries} in ${delay / 1000}s…`);
+                await sleep(delay);
+            }
+            try {
+                const files = await client.downloadCert(cert._id);
+                const { certPath, keyPath } = await saveCert(files.certName, files.certPem, files.keyPem);
+                log(`  cert : ${certPath}`);
+                log(`  key  : ${keyPath}`);
+                await updateCertState(cert.certName, files.expiryDate ?? cert.expiryDate ?? '');
+                await runHooks(cert.certName, {
+                    SSL_PILOT_DOMAIN: cert.certName.replace(/^\*\./, ''),
+                    SSL_PILOT_CERT_PATH: certPath,
+                    SSL_PILOT_KEY_PATH: keyPath,
+                }, log);
+                downloaded++;
+                lastError = undefined;
+                break;
+            }
+            catch (err) {
+                lastError = err instanceof Error ? err : new Error(String(err));
+                attempt++;
+            }
+        }
+        if (lastError) {
+            log(`  error (gave up after ${maxRetries + 1} attempt${maxRetries !== 0 ? 's' : ''}): ${lastError.message}`);
+            errors++;
+        }
+    }
+    return { checked: certs.length, downloaded, errors };
+}

package/dist/config.js

@@ -0,0 +1,30 @@
+import { readFile, writeFile, mkdir } from 'fs/promises';
+import { join } from 'path';
+export const SSL_PILOT_DIR = '/etc/certops';
+export const CERTS_DIR = join(SSL_PILOT_DIR, 'certs');
+export const HOOKS_DIR = join(SSL_PILOT_DIR, 'hooks');
+const CONFIG_PATH = join(SSL_PILOT_DIR, 'config.json');
+const DEFAULTS = {
+    renewalThresholdDays: 5,
+    checkIntervalHours: 12,
+    watchDomains: [],
+    maxDownloadRetries: 3,
+};
+export async function readConfig() {
+    try {
+        const raw = await readFile(CONFIG_PATH, 'utf8');
+        return { ...DEFAULTS, ...JSON.parse(raw) };
+    }
+    catch (err) {
+        if (err instanceof Error && err.code === 'ENOENT')
+            return { ...DEFAULTS };
+        throw err;
+    }
+}
+export async function writeConfig(config) {
+    await mkdir(SSL_PILOT_DIR, { recursive: true });
+    await writeFile(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n', {
+        encoding: 'utf8',
+        mode: 0o600,
+    });
+}

package/dist/files.js

@@ -0,0 +1,43 @@
+import { mkdir, writeFile, chmod } from 'fs/promises';
+import { join } from 'path';
+import { CERTS_DIR } from './config.js';
+function domainDir(certName) {
+    return join(CERTS_DIR, certName.replace(/^\*\./, ''));
+}
+export async function saveCert(certName, certPem, keyPem) {
+    const dir = domainDir(certName);
+    const certPath = join(dir, 'certificate.crt');
+    const keyPath = join(dir, 'private.key');
+    try {
+        await mkdir(dir, { recursive: true });
+    }
+    catch (err) {
+        fsError(err, certName, dir);
+    }
+    try {
+        await writeFile(certPath, certPem, 'utf8');
+        await chmod(certPath, 0o644);
+    }
+    catch (err) {
+        fsError(err, certName, certPath);
+    }
+    try {
+        await writeFile(keyPath, keyPem, 'utf8');
+        await chmod(keyPath, 0o600);
+    }
+    catch (err) {
+        fsError(err, certName, keyPath);
+    }
+    return { certPath, keyPath };
+}
+function fsError(err, certName, path) {
+    const e = err instanceof Error ? err : null;
+    if (e?.code === 'EACCES' || e?.code === 'EPERM') {
+        const name = certName.startsWith('*.') ? `'${certName}'` : certName;
+        process.stderr.write(`\nPermission denied: ${path}\n`);
+        process.stderr.write(`/etc/certops/certs requires root. Re-run:\n\n`);
+        process.stderr.write(`  sudo sp download ${name}\n\n`);
+        process.exit(1);
+    }
+    throw err;
+}

package/dist/hooks.js

@@ -0,0 +1,58 @@
+import { spawn } from 'child_process';
+import { access } from 'fs/promises';
+import { join } from 'path';
+import { HOOKS_DIR } from './config.js';
+const GLOBAL_HOOK = join(HOOKS_DIR, 'global.sh');
+function domainHookPath(certName) {
+    const safe = certName.replace(/^\*\./, 'wildcard.');
+    return join(HOOKS_DIR, `${safe}.sh`);
+}
+async function fileExists(path) {
+    try {
+        await access(path);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+async function execHook(scriptPath, vars) {
+    return new Promise((resolve, reject) => {
+        const child = spawn('bash', [scriptPath], {
+            env: { ...process.env, ...vars },
+            stdio: 'inherit',
+        });
+        child.on('close', (code) => {
+            if (code === 0)
+                resolve();
+            else
+                reject(new Error(`Hook exited with code ${code}`));
+        });
+        child.on('error', reject);
+    });
+}
+export async function runHooks(certName, vars, log) {
+    const domainHook = domainHookPath(certName);
+    const hookVars = { ...vars, SSL_PILOT_CERT_NAME: certName };
+    if (await fileExists(domainHook)) {
+        log(`  Running domain hook: ${domainHook}`);
+        try {
+            await execHook(domainHook, hookVars);
+            log('  Domain hook OK');
+        }
+        catch (err) {
+            log(`  Domain hook failed: ${err.message}`);
+        }
+    }
+    if (await fileExists(GLOBAL_HOOK)) {
+        log(`  Running global hook: ${GLOBAL_HOOK}`);
+        try {
+            await execHook(GLOBAL_HOOK, hookVars);
+            log('  Global hook OK');
+        }
+        catch (err) {
+            log(`  Global hook failed: ${err.message}`);
+        }
+    }
+}
+export { domainHookPath, GLOBAL_HOOK };

package/dist/index.js

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { listCommand } from './commands/list.js';
+import { downloadCommand } from './commands/download.js';
+import { serviceCommand } from './commands/service/index.js';
+const program = new Command()
+    .name('certops')
+    .description('CertOps CLI — manage and auto-renew your SSL certificates')
+    .version('1.0.0')
+    .addHelpText('after', `
+Examples:
+  certops list                          List all certificates
+  sudo certops download                 Pick and download interactively
+  sudo certops download '*.example.com' Download a specific domain
+  sudo certops service install          Set up the auto-renewal service
+  certops service status                Check service status
+
+Documentation:
+  https://github.com/Vimosoftdev/ssl-checker-web/blob/main/SETUP.md
+`);
+program.addCommand(listCommand);
+program.addCommand(downloadCommand);
+program.addCommand(serviceCommand);
+program.action(() => program.outputHelp());
+program.parse();

package/dist/state.js

@@ -0,0 +1,25 @@
+import { readFile, writeFile, rename, mkdir } from 'fs/promises';
+import { join } from 'path';
+import { randomBytes } from 'crypto';
+import { SSL_PILOT_DIR } from './config.js';
+const STATE_PATH = join(SSL_PILOT_DIR, 'state.json');
+export async function readState() {
+    try {
+        const raw = await readFile(STATE_PATH, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err instanceof Error && err.code === 'ENOENT')
+            return {};
+        throw err;
+    }
+}
+export async function updateCertState(certName, expiryDate) {
+    await mkdir(SSL_PILOT_DIR, { recursive: true });
+    const state = await readState();
+    state[certName] = { expiryDate, downloadedAt: new Date().toISOString() };
+    const content = JSON.stringify(state, null, 2) + '\n';
+    const tmp = join(SSL_PILOT_DIR, `.state-${randomBytes(4).toString('hex')}.tmp`);
+    await writeFile(tmp, content, { encoding: 'utf8', mode: 0o600 });
+    await rename(tmp, STATE_PATH);
+}

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "certops",
+  "version": "0.0.1",
+  "description": "SSL Pilot CLI — download and manage your SSL certificates",
+  "type": "module",
+  "files": [
+    "dist"
+  ],
+  "bin": {
+    "certops": "./dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@inquirer/input": "^4.0.0",
+    "@inquirer/select": "^4.0.0",
+    "commander": "^12.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "tsx": "^4.7.1",
+    "typescript": "^5.8.3"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}