latchkey 0.1.0

package/.nvmrc

@@ -0,0 +1 @@
+24.13.0

package/.pre-commit-config.yaml

@@ -0,0 +1,22 @@
+default_install_hook_types: [pre-commit]
+
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-added-large-files
+        exclude: 'uv.lock'
+    -   id: check-yaml
+-   repo: https://github.com/astral-sh/uv-pre-commit
+    rev: 0.7.22
+    hooks:
+    -   id: uv-lock
+-   repo: local
+    hooks:
+    -   id: ruff
+        name: "Python formatter + import sorter (ruff)"
+        entry: bash -c 'uv run ruff check --select UP006,UP007,I,F401 --fix --force-exclude --config pyproject.toml "$@" && uv run ruff format --force-exclude --config pyproject.toml "$@"' --
+        language: system
+        types: [python]

package/.prettierignore

@@ -0,0 +1,4 @@
+dist
+node_modules
+coverage
+*.md

package/.prettierrc

@@ -0,0 +1,7 @@
+{
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "es5",
+  "tabWidth": 2,
+  "printWidth": 100
+}

package/CLAUDE.md

@@ -0,0 +1,13 @@
+For information about the high-level goal and motivations, see README.md.
+
+You are a highly intelligent and experienced software creator that codes in a straightforward way, prefers simplicity and avoids overengineering.
+
+Typescript style guide:
+
+- Use modern Typescript code.
+- Prefer functional, stateless logic as much as possible.
+- Use immutable data structures as much as possible.
+- Do not use abbreviations in variable (class, function, ...) names. It's fine for names to be somewhat verbose.
+- Omit docstrings if they don't add any value beyond what can be obviously inferred from the function signature / class name.
+- Do not throw builtin errors; always replace them with dedicated error subclasses.
+- When done, validate your changes by running `npm lint` and `npm test`.

package/LICENSE

@@ -0,0 +1,7 @@
+Copyright 2026 Imbue (Generally Intelligent, Inc.)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,167 @@
+# Latchkey
+
+Turn browser logins into usable credentials for local agents.
+
+## Quick example
+
+```
+latchkey curl -X POST 'https://slack.com/api/conversations.create' \
+  -H 'Content-Type: application/json' \
+  -d '{"name":"something-urgent"}'
+```
+
+## Overview
+
+Latchkey is a command-line tool that injects credentials to curl requests to known public APIs.
+
+- `latchkey services`
+	- Get a list of known and supported third-party services (Slack, Discord, Linear, GitHub, etc.).
+- `latchkey curl <arguments>`
+	- Automatically inject credentials to your otherwise standard curl calls to public APIs.
+	- (The first time you access a service, a browser pop-up with a login screen appears.)
+
+Latchkey is primarily designed for AI agents. By invoking Latchkey, agents can
+prompt the user to authenticate when needed, then continue interacting with
+third-party APIs using standard curl syntax - no custom integrations or embedded
+credentials required.
+
+Unlike OAuth-based flows or typical MCP-style integrations, Latchkey does not
+introduce an intermediary between the agent and the service. Requests are made
+directly on the user’s behalf, which enables greater flexibility at the cost of
+formal delegation: agents authenticate as the user.
+
+If a service you need isn’t supported yet, contributions are welcome. Adding
+support typically involves writing a small browser automation class that
+extracts API credentials after login. See the [development docs](docs/development.md)
+for details.
+
+## Installation
+
+### Prerequisites
+
+- `curl`, `node` and `npm` need to be present on your system in reasonably recent versions.
+- The browser requires a graphical environment.
+
+### Steps
+
+```
+npm install -g latchkey
+```
+
+**nvm users**: Global packages are per node version. If you switch versions, reinstall with `npm install -g latchkey`
+
+## Integrations
+
+Warning: giving AI agents access to your API credentials is potentially
+dangerous. They will be able to perform most of the actions you can. Only do this if
+you're willing to accept the risks.
+
+
+### OpenCode
+```
+mkdir -p ~/.opencode/skills/latchkey
+cp integrations/SKILL.md ~/.opencode/skills/latchkey/SKILL.md
+```
+
+### Claude Code
+```
+mkdir -p ~/.claude/skills/latchkey
+cp integrations/SKILL.md ~/.claude/skills/latchkey/SKILL.md
+```
+
+### Codex
+```
+mkdir -p ~/.codex/skills/latchkey
+cp integrations/SKILL.md ~/.codex/skills/latchkey/SKILL.md
+```
+
+
+## Direct usage
+
+Let's revisit the initial example:
+
+```
+latchkey curl -X POST 'https://slack.com/api/conversations.create' \
+  -H 'Content-Type: application/json' \
+  -d '{"name":"something-urgent"}'
+```
+
+Notice that `-H 'Authorization: Bearer ...'` is absent. This is because Latchkey:
+
+- Opens the browser with a login screen.
+- After the user logs in, Latchkey extracts the necessary API credentials from the browser session.
+- The browser is closed, the credentials are injected into the arguments, and `curl` is invoked.
+- The credentials are stored so that they can be reused the next time.
+
+Otherwise, `latchkey curl` passes your arguments straight
+through to `curl` so you can use the same interface you are used
+to. The return code, stdin and stdout are passed back from curl
+to the caller of `latchkey`.
+
+### Remembering API credentials
+
+Your API credentials and browser state are stored by default
+under `~/.latchkey`. When a functioning keyring is detected
+(which is the case on most systems), the data is properly
+encrypted.
+
+
+### Inspecting the status of stored credentials
+
+Calling `latchkey status <service_name>` will give you
+information about the status of remembered credentials for the
+given service. Possible results are:
+
+- `missing`
+- `invalid`
+- `valid`
+
+### Clearing credentials
+
+Remembered API credentials can expire. The caller of `latchkey
+curl` will typically notice this because the calls will start returning
+HTTP 401 or 403. To verify that, first call `latchkey status`, e.g.:
+
+```
+latchkey status discord
+```
+
+If the result is `invalid` , meaning the Unauthorized/Forbidden responses are
+caused by invalid or expired credentials rather than insufficient permissions,
+force a new login in the next `latchkey curl` call by clearing the remembered
+API credentials for the service in question, e.g.:
+
+```
+latchkey clear discord
+```
+
+The next `latchkey curl` call will then trigger a new login flow.
+
+To clear all stored data (both the credentials store and browser
+state file), run:
+
+```
+latchkey clear
+```
+
+### Advanced configuration
+
+You can set these environment variables to override certain
+defaults:
+
+- `LATCHKEY_STORE`: path to the (typically encrypted) file
+containing stored API credentials
+- `LATCHKEY_BROWSER_STATE`: path to the (typically encrypted) file
+containing the state (cookies, local storage, etc.) of
+the browser used for the login popup
+- `LATCHKEY_CURL_PATH`: path to the curl binary
+- `LATCHKEY_KEYRING_SERVICE_NAME`, `LATCHKEY_KEYRING_ACCOUNT_NAME`: identifiers that are used to store the encryption password in your keyring
+
+
+## Disclaimers
+
+- Invoking `latchkey curl ...` can sometimes have side effects in the form of
+  new API keys being created on your accounts (through browser automation).
+- Using agents for automated access may be prohibited by some services' ToS.
+- We reserve the right to change the license of future releases of Latchkey.
+- Latchkey was not tested on Windows.

package/dist/scripts/cryptFile.d.ts

@@ -0,0 +1,21 @@
+#!/usr/bin/env npx tsx
+/**
+ * CLI tool for encrypting and decrypting latchkey files.
+ *
+ * This is a developer utility for inspecting and modifying encrypted
+ * credential and browser state files.
+ *
+ * Usage:
+ *   npx tsx scripts/cryptFile.ts decrypt <file>     # Decrypt file in place
+ *   npx tsx scripts/cryptFile.ts encrypt <file>     # Encrypt file in place
+ *
+ * The encryption key is sourced from:
+ *   1. LATCHKEY_ENCRYPTION_KEY environment variable
+ *   2. System keychain
+ *
+ * Examples:
+ *   npx tsx scripts/cryptFile.ts decrypt ~/.latchkey/credentials.json
+ *   npx tsx scripts/cryptFile.ts encrypt ~/.latchkey/credentials.json
+ */
+export {};
+//# sourceMappingURL=cryptFile.d.ts.map

package/dist/scripts/cryptFile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cryptFile.d.ts","sourceRoot":"","sources":["../../scripts/cryptFile.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;GAiBG"}

package/dist/scripts/cryptFile.js

@@ -0,0 +1,106 @@
+#!/usr/bin/env npx tsx
+/**
+ * CLI tool for encrypting and decrypting latchkey files.
+ *
+ * This is a developer utility for inspecting and modifying encrypted
+ * credential and browser state files.
+ *
+ * Usage:
+ *   npx tsx scripts/cryptFile.ts decrypt <file>     # Decrypt file in place
+ *   npx tsx scripts/cryptFile.ts encrypt <file>     # Encrypt file in place
+ *
+ * The encryption key is sourced from:
+ *   1. LATCHKEY_ENCRYPTION_KEY environment variable
+ *   2. System keychain
+ *
+ * Examples:
+ *   npx tsx scripts/cryptFile.ts decrypt ~/.latchkey/credentials.json
+ *   npx tsx scripts/cryptFile.ts encrypt ~/.latchkey/credentials.json
+ */
+import { program } from 'commander';
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { CONFIG } from '../src/config.js';
+import { EncryptedStorage } from '../src/encryptedStorage.js';
+import { encrypt, generateKey } from '../src/encryption.js';
+import { isKeychainAvailable, retrieveFromKeychain } from '../src/keychain.js';
+const ENCRYPTED_FILE_PREFIX = 'LATCHKEY_ENCRYPTED:';
+function getEncryptionKey() {
+    // 1. Check environment variable via Config
+    if (CONFIG.encryptionKeyOverride) {
+        return CONFIG.encryptionKeyOverride;
+    }
+    // 2. Check keychain
+    if (isKeychainAvailable(CONFIG.serviceName, CONFIG.accountName)) {
+        const keychainKey = retrieveFromKeychain(CONFIG.serviceName, CONFIG.accountName);
+        if (keychainKey) {
+            return keychainKey;
+        }
+    }
+    console.error(`\
+Error: No encryption key available.
+Set LATCHKEY_ENCRYPTION_KEY or ensure the system keychain has a stored key.
+
+To generate a new key:
+  export LATCHKEY_ENCRYPTION_KEY="${generateKey()}"`);
+    process.exit(1);
+}
+function decryptCommand(filePath) {
+    if (!existsSync(filePath)) {
+        console.error(`Error: File not found: ${filePath}`);
+        process.exit(1);
+    }
+    const rawContent = readFileSync(filePath, 'utf-8');
+    if (!rawContent.startsWith(ENCRYPTED_FILE_PREFIX)) {
+        console.error(`Error: File is not encrypted: ${filePath}`);
+        process.exit(1);
+    }
+    const storage = new EncryptedStorage({
+        serviceName: CONFIG.serviceName,
+        accountName: CONFIG.accountName,
+    });
+    const content = storage.readFile(filePath);
+    if (content === null) {
+        console.error(`Error: Could not read file: ${filePath}`);
+        process.exit(1);
+    }
+    writeFileSync(filePath, content, { encoding: 'utf-8', mode: 0o600 });
+    console.error(`Decrypted: ${filePath}`);
+}
+function encryptCommand(filePath) {
+    if (!existsSync(filePath)) {
+        console.error(`Error: File not found: ${filePath}`);
+        process.exit(1);
+    }
+    const content = readFileSync(filePath, 'utf-8');
+    if (content.startsWith(ENCRYPTED_FILE_PREFIX)) {
+        console.error(`Error: File is already encrypted: ${filePath}`);
+        process.exit(1);
+    }
+    const key = getEncryptionKey();
+    const encryptedData = encrypt(content, key);
+    const dataToWrite = ENCRYPTED_FILE_PREFIX + encryptedData;
+    writeFileSync(filePath, dataToWrite, { encoding: 'utf-8', mode: 0o600 });
+    console.error(`Encrypted: ${filePath}`);
+}
+program.name('cryptFile').description(`\
+CLI tool for encrypting and decrypting latchkey files.
+
+The encryption key is sourced from:
+  1. LATCHKEY_ENCRYPTION_KEY environment variable
+  2. System keychain`);
+program
+    .command('decrypt')
+    .description('Decrypt file in place')
+    .argument('<file>', 'Path to the encrypted file')
+    .action((filePath) => {
+    decryptCommand(filePath);
+});
+program
+    .command('encrypt')
+    .description('Encrypt an unencrypted file in place')
+    .argument('<file>', 'Path to the file to encrypt')
+    .action((filePath) => {
+    encryptCommand(filePath);
+});
+program.parse();
+//# sourceMappingURL=cryptFile.js.map

package/dist/scripts/cryptFile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cryptFile.js","sourceRoot":"","sources":["../../scripts/cryptFile.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/E,MAAM,qBAAqB,GAAG,qBAAqB,CAAC;AAEpD,SAAS,gBAAgB;IACvB,2CAA2C;IAC3C,IAAI,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,qBAAqB,CAAC;IACtC,CAAC;IAED,oBAAoB;IACpB,IAAI,mBAAmB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QACjF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAK,CAAC;;;;;oCAKoB,WAAW,EAAE,GAAG,CAAC,CAAC;IACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,0BAA0B,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,UAAU,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAClD,OAAO,CAAC,KAAK,CAAC,iCAAiC,QAAQ,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC;QACnC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE3C,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACrE,OAAO,CAAC,KAAK,CAAC,cAAc,QAAQ,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,0BAA0B,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAC9C,OAAO,CAAC,KAAK,CAAC,qCAAqC,QAAQ,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC5C,MAAM,WAAW,GAAG,qBAAqB,GAAG,aAAa,CAAC;IAE1D,aAAa,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,KAAK,CAAC,cAAc,QAAQ,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,WAAW,CAAC;;;;;qBAKjB,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,uBAAuB,CAAC;KACpC,QAAQ,CAAC,QAAQ,EAAE,4BAA4B,CAAC;KAChD,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;IAC3B,cAAc,CAAC,QAAQ,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sCAAsC,CAAC;KACnD,QAAQ,CAAC,QAAQ,EAAE,6BAA6B,CAAC;KACjD,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;IAC3B,cAAc,CAAC,QAAQ,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/scripts/encryptFile.d.ts

@@ -0,0 +1,21 @@
+#!/usr/bin/env npx tsx
+/**
+ * CLI tool for encrypting and decrypting latchkey files.
+ *
+ * This is a developer utility for inspecting and modifying encrypted
+ * credential and browser state files.
+ *
+ * Usage:
+ *   npx tsx scripts/encryptFile.ts decrypt <file>     # Decrypt file to stdout
+ *   npx tsx scripts/encryptFile.ts encrypt <file>     # Encrypt file in place
+ *
+ * The encryption key is sourced from:
+ *   1. LATCHKEY_ENCRYPTION_KEY environment variable
+ *   2. System keychain
+ *
+ * Examples:
+ *   npx tsx scripts/encryptFile.ts decrypt ~/.latchkey/credentials.json
+ *   npx tsx scripts/encryptFile.ts encrypt ~/.latchkey/credentials.json
+ */
+export {};
+//# sourceMappingURL=encryptFile.d.ts.map

package/dist/scripts/encryptFile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryptFile.d.ts","sourceRoot":"","sources":["../../scripts/encryptFile.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;GAiBG"}

package/dist/scripts/encryptFile.js

@@ -0,0 +1,101 @@
+#!/usr/bin/env npx tsx
+/**
+ * CLI tool for encrypting and decrypting latchkey files.
+ *
+ * This is a developer utility for inspecting and modifying encrypted
+ * credential and browser state files.
+ *
+ * Usage:
+ *   npx tsx scripts/encryptFile.ts decrypt <file>     # Decrypt file to stdout
+ *   npx tsx scripts/encryptFile.ts encrypt <file>     # Encrypt file in place
+ *
+ * The encryption key is sourced from:
+ *   1. LATCHKEY_ENCRYPTION_KEY environment variable
+ *   2. System keychain
+ *
+ * Examples:
+ *   npx tsx scripts/encryptFile.ts decrypt ~/.latchkey/credentials.json
+ *   npx tsx scripts/encryptFile.ts encrypt ~/.latchkey/credentials.json
+ */
+import { program } from 'commander';
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { CONFIG } from '../src/config.js';
+import { EncryptedStorage } from '../src/encryptedStorage.js';
+import { encrypt, generateKey } from '../src/encryption.js';
+import { isKeychainAvailable, retrieveFromKeychain } from '../src/keychain.js';
+const ENCRYPTED_FILE_PREFIX = 'LATCHKEY_ENCRYPTED:';
+function getEncryptionKey() {
+    // 1. Check environment variable via Config
+    if (CONFIG.encryptionKeyOverride) {
+        return CONFIG.encryptionKeyOverride;
+    }
+    // 2. Check keychain
+    if (isKeychainAvailable(CONFIG.serviceName, CONFIG.accountName)) {
+        const keychainKey = retrieveFromKeychain(CONFIG.serviceName, CONFIG.accountName);
+        if (keychainKey) {
+            return keychainKey;
+        }
+    }
+    console.error(`\
+Error: No encryption key available.
+Set LATCHKEY_ENCRYPTION_KEY or ensure the system keychain has a stored key.
+
+To generate a new key:
+  export LATCHKEY_ENCRYPTION_KEY="${generateKey()}"`);
+    process.exit(1);
+}
+function decryptCommand(filePath) {
+    if (!existsSync(filePath)) {
+        console.error(`Error: File not found: ${filePath}`);
+        process.exit(1);
+    }
+    const storage = new EncryptedStorage({
+        serviceName: CONFIG.serviceName,
+        accountName: CONFIG.accountName,
+    });
+    const content = storage.readFile(filePath);
+    if (content === null) {
+        console.error(`Error: Could not read file: ${filePath}`);
+        process.exit(1);
+    }
+    // Output to stdout
+    process.stdout.write(content);
+}
+function encryptCommand(filePath) {
+    if (!existsSync(filePath)) {
+        console.error(`Error: File not found: ${filePath}`);
+        process.exit(1);
+    }
+    const content = readFileSync(filePath, 'utf-8');
+    if (content.startsWith(ENCRYPTED_FILE_PREFIX)) {
+        console.error(`Error: File is already encrypted: ${filePath}`);
+        process.exit(1);
+    }
+    const key = getEncryptionKey();
+    const encryptedData = encrypt(content, key);
+    const dataToWrite = ENCRYPTED_FILE_PREFIX + encryptedData;
+    writeFileSync(filePath, dataToWrite, { encoding: 'utf-8', mode: 0o600 });
+    console.error(`Encrypted: ${filePath}`);
+}
+program.name('encryptFile').description(`\
+CLI tool for encrypting and decrypting latchkey files.
+
+The encryption key is sourced from:
+  1. LATCHKEY_ENCRYPTION_KEY environment variable
+  2. System keychain`);
+program
+    .command('decrypt')
+    .description('Decrypt file and print to stdout')
+    .argument('<file>', 'Path to the encrypted file')
+    .action((filePath) => {
+    decryptCommand(filePath);
+});
+program
+    .command('encrypt')
+    .description('Encrypt an unencrypted file in place')
+    .argument('<file>', 'Path to the file to encrypt')
+    .action((filePath) => {
+    encryptCommand(filePath);
+});
+program.parse();
+//# sourceMappingURL=encryptFile.js.map

package/dist/scripts/encryptFile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryptFile.js","sourceRoot":"","sources":["../../scripts/encryptFile.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE/E,MAAM,qBAAqB,GAAG,qBAAqB,CAAC;AAEpD,SAAS,gBAAgB;IACvB,2CAA2C;IAC3C,IAAI,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,qBAAqB,CAAC;IACtC,CAAC;IAED,oBAAoB;IACpB,IAAI,mBAAmB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;QAChE,MAAM,WAAW,GAAG,oBAAoB,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QACjF,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAK,CAAC;;;;;oCAKoB,WAAW,EAAE,GAAG,CAAC,CAAC;IACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,0BAA0B,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,gBAAgB,CAAC;QACnC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;KAChC,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE3C,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;QACrB,OAAO,CAAC,KAAK,CAAC,+BAA+B,QAAQ,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,mBAAmB;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,0BAA0B,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,UAAU,CAAC,qBAAqB,CAAC,EAAE,CAAC;QAC9C,OAAO,CAAC,KAAK,CAAC,qCAAqC,QAAQ,EAAE,CAAC,CAAC;QAC/D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAC/B,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC5C,MAAM,WAAW,GAAG,qBAAqB,GAAG,aAAa,CAAC;IAE1D,aAAa,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,KAAK,CAAC,cAAc,QAAQ,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,WAAW,CAAC;;;;;qBAKnB,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,kCAAkC,CAAC;KAC/C,QAAQ,CAAC,QAAQ,EAAE,4BAA4B,CAAC;KAChD,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;IAC3B,cAAc,CAAC,QAAQ,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sCAAsC,CAAC;KACnD,QAAQ,CAAC,QAAQ,EAAE,6BAA6B,CAAC;KACjD,MAAM,CAAC,CAAC,QAAgB,EAAE,EAAE;IAC3B,cAAc,CAAC,QAAQ,CAAC,CAAC;AAC3B,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/scripts/recordBrowserSession.d.ts

@@ -0,0 +1,18 @@
+#!/usr/bin/env npx tsx
+/**
+ * Record browser requests and responses during a login session.
+ *
+ * This script opens a browser at a service's login URL and records all HTTP
+ * requests and responses (including their headers and timing). When you close the
+ * browser, the recording is saved. This is useful for recording login flows that
+ * can be replayed later for testing credentials extraction.
+ *
+ * Usage:
+ *   npx tsx scripts/recordBrowserSession.ts <service_name> [recording_name]
+ *
+ * Examples:
+ *   npx tsx scripts/recordBrowserSession.ts slack
+ *   npx tsx scripts/recordBrowserSession.ts discord custom_session.json
+ */
+export {};
+//# sourceMappingURL=recordBrowserSession.d.ts.map

package/dist/scripts/recordBrowserSession.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recordBrowserSession.d.ts","sourceRoot":"","sources":["../../scripts/recordBrowserSession.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;GAcG"}