locker-cli 0.1.0

package/src/commands/api.test.ts

@@ -0,0 +1,143 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { apiRequest, authRequest, getDefaultApiUrl } from "../auth/client";
+
+// Mock global fetch
+const mockFetch = vi.fn();
+vi.stubGlobal("fetch", mockFetch);
+
+const testConfig = {
+  token: "jwt-test-token",
+  email: "test@example.com",
+  apiUrl: "http://localhost:3001",
+};
+
+beforeEach(() => {
+  vi.restoreAllMocks();
+  vi.stubGlobal("fetch", mockFetch);
+});
+
+describe("apiRequest", () => {
+  it("sends authenticated request with Bearer token", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: async () => ({ services: [] }),
+    });
+
+    const res = await apiRequest("GET", "/keys", testConfig);
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      "http://localhost:3001/keys",
+      expect.objectContaining({
+        method: "GET",
+        headers: expect.objectContaining({
+          Authorization: "Bearer jwt-test-token",
+        }),
+      })
+    );
+    expect(res.ok).toBe(true);
+  });
+
+  it("sends custom headers (e.g. X-Agent-Identifier)", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: async () => ({ key: "sk-123" }),
+    });
+
+    await apiRequest("GET", "/keys/resend", testConfig, undefined, {
+      "X-Agent-Identifier": "claude-code",
+    });
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      "http://localhost:3001/keys/resend",
+      expect.objectContaining({
+        headers: expect.objectContaining({
+          "X-Agent-Identifier": "claude-code",
+          Authorization: "Bearer jwt-test-token",
+        }),
+      })
+    );
+  });
+
+  it("sends JSON body for POST requests", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 201,
+      json: async () => ({ service: "resend", message: "Key stored" }),
+    });
+
+    await apiRequest("POST", "/keys", testConfig, {
+      service: "resend",
+      key: "sk-resend-123",
+    });
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      "http://localhost:3001/keys",
+      expect.objectContaining({
+        method: "POST",
+        body: JSON.stringify({ service: "resend", key: "sk-resend-123" }),
+      })
+    );
+  });
+
+  it("returns error data on non-ok response", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: false,
+      status: 404,
+      json: async () => ({ error: "No key found for service: unknown" }),
+    });
+
+    const res = await apiRequest("GET", "/keys/unknown", testConfig);
+    expect(res.ok).toBe(false);
+    expect(res.status).toBe(404);
+    expect(res.data.error).toContain("No key found");
+  });
+});
+
+describe("authRequest", () => {
+  it("sends unauthenticated request", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        token: "new-jwt",
+        user: { id: "1", email: "test@example.com" },
+      }),
+    });
+
+    const res = await authRequest("POST", "/auth/login", "http://localhost:3001", {
+      email: "test@example.com",
+      password: "password123",
+    });
+
+    expect(res.ok).toBe(true);
+    expect(res.data.token).toBe("new-jwt");
+
+    // Should NOT have Authorization header
+    const callArgs = mockFetch.mock.calls[0];
+    expect(callArgs[1].headers).not.toHaveProperty("Authorization");
+  });
+});
+
+describe("getDefaultApiUrl", () => {
+  const originalEnv = process.env.LOCKER_API_URL;
+
+  afterEach(() => {
+    if (originalEnv) {
+      process.env.LOCKER_API_URL = originalEnv;
+    } else {
+      delete process.env.LOCKER_API_URL;
+    }
+  });
+
+  it("returns default URL when env var is not set", () => {
+    delete process.env.LOCKER_API_URL;
+    expect(getDefaultApiUrl()).toBe("http://localhost:3001");
+  });
+
+  it("returns env var when set", () => {
+    process.env.LOCKER_API_URL = "https://api.locker.dev";
+    expect(getDefaultApiUrl()).toBe("https://api.locker.dev");
+  });
+});

package/src/commands/commands.test.ts

@@ -0,0 +1,87 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { logoutCommand } from "./logout";
+import { whoamiCommand } from "./whoami";
+
+// Mock the config module
+vi.mock("../auth/config", () => {
+  let mockConfig: any = null;
+
+  return {
+    readConfig: vi.fn(() => mockConfig),
+    writeConfig: vi.fn(),
+    clearConfig: vi.fn(),
+    requireAuth: vi.fn(() => {
+      if (!mockConfig) {
+        // Simulate process.exit by throwing
+        throw new Error("NOT_LOGGED_IN");
+      }
+      return mockConfig;
+    }),
+    __setMockConfig: (config: any) => {
+      mockConfig = config;
+    },
+  };
+});
+
+// Get the mock helpers
+import * as configModule from "../auth/config";
+
+const setMockConfig = (configModule as any).__setMockConfig;
+const clearConfigMock = configModule.clearConfig as ReturnType<typeof vi.fn>;
+
+describe("logout", () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("clears config and confirms logout", () => {
+    setMockConfig({
+      token: "jwt-123",
+      email: "test@example.com",
+      apiUrl: "http://localhost:3001",
+    });
+
+    const consoleSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+    logoutCommand();
+
+    expect(clearConfigMock).toHaveBeenCalled();
+    expect(consoleSpy).toHaveBeenCalledWith(
+      expect.stringContaining("test@example.com")
+    );
+  });
+
+  it("handles already logged out", () => {
+    setMockConfig(null);
+
+    const consoleSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+    logoutCommand();
+
+    expect(clearConfigMock).toHaveBeenCalled();
+    expect(consoleSpy).toHaveBeenCalledWith("Already logged out.");
+  });
+});
+
+describe("whoami", () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("prints the logged-in email", () => {
+    setMockConfig({
+      token: "jwt-123",
+      email: "user@locker.dev",
+      apiUrl: "http://localhost:3001",
+    });
+
+    const consoleSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+    whoamiCommand();
+
+    expect(consoleSpy).toHaveBeenCalledWith("user@locker.dev");
+  });
+
+  it("throws when not logged in", () => {
+    setMockConfig(null);
+
+    expect(() => whoamiCommand()).toThrow("NOT_LOGGED_IN");
+  });
+});

package/src/commands/get.ts

@@ -0,0 +1,32 @@
+import { requireAuth } from "../auth/config";
+import { apiRequest } from "../auth/client";
+
+export async function getCommand(service: string, options: { agent?: string }) {
+  const config = requireAuth();
+
+  const headers: Record<string, string> = {};
+  if (options.agent) {
+    headers["X-Agent-Identifier"] = options.agent;
+  }
+
+  const res = await apiRequest<{ service: string; key: string }>(
+    "GET",
+    `/keys/${encodeURIComponent(service)}`,
+    config,
+    undefined,
+    headers
+  );
+
+  if (!res.ok) {
+    if (res.status === 404) {
+      console.error(`No key found for service: ${service}`);
+      console.error(`Store one with: locker set ${service} <key>`);
+      process.exit(1);
+    }
+    console.error(res.data.error || "Failed to retrieve key.");
+    process.exit(1);
+  }
+
+  // Print key to stdout only — no extra formatting, no logging to disk
+  process.stdout.write(res.data.key);
+}

package/src/commands/list.ts

@@ -0,0 +1,38 @@
+import { requireAuth } from "../auth/config";
+import { apiRequest } from "../auth/client";
+
+interface Service {
+  service: string;
+  createdAt: string;
+  lastUsed: string | null;
+}
+
+export async function listCommand() {
+  const config = requireAuth();
+
+  const res = await apiRequest<{ services: Service[] }>(
+    "GET",
+    "/keys",
+    config
+  );
+
+  if (!res.ok) {
+    console.error(res.data.error || "Failed to list keys.");
+    process.exit(1);
+  }
+
+  const services = res.data.services;
+  if (services.length === 0) {
+    console.log("No keys stored yet.");
+    console.log("Store one with: locker set <service> <key>");
+    return;
+  }
+
+  console.log(`${services.length} key${services.length === 1 ? "" : "s"} stored:\n`);
+  for (const svc of services) {
+    const lastUsed = svc.lastUsed
+      ? `last used ${new Date(svc.lastUsed).toLocaleDateString()}`
+      : "never used";
+    console.log(`  ${svc.service}  (${lastUsed})`);
+  }
+}

package/src/commands/login.ts

@@ -0,0 +1,93 @@
+import readline from "node:readline";
+import { writeConfig } from "../auth/config";
+import { authRequest, getDefaultApiUrl } from "../auth/client";
+
+function prompt(question: string, hidden = false): Promise<string> {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    if (hidden && process.stdin.isTTY) {
+      // Hide password input
+      process.stdout.write(question);
+      const stdin = process.stdin;
+      stdin.setRawMode(true);
+      stdin.resume();
+      stdin.setEncoding("utf8");
+
+      let input = "";
+      const onData = (ch: string) => {
+        if (ch === "\n" || ch === "\r" || ch === "\u0004") {
+          stdin.setRawMode(false);
+          stdin.removeListener("data", onData);
+          stdin.pause();
+          rl.close();
+          process.stdout.write("\n");
+          resolve(input);
+        } else if (ch === "\u0003") {
+          // Ctrl-C
+          process.exit(0);
+        } else if (ch === "\u007F" || ch === "\b") {
+          // Backspace
+          if (input.length > 0) {
+            input = input.slice(0, -1);
+          }
+        } else {
+          input += ch;
+        }
+      };
+      stdin.on("data", onData);
+    } else {
+      rl.question(question, (answer) => {
+        rl.close();
+        resolve(answer);
+      });
+    }
+  });
+}
+
+export async function loginCommand(options: { register?: boolean; api?: string }) {
+  const apiUrl = options.api || getDefaultApiUrl();
+  const isRegister = options.register || false;
+
+  console.log(isRegister ? "Create a new Locker account" : "Log in to Locker");
+  console.log();
+
+  const email = await prompt("Email: ");
+  const password = await prompt("Password: ", true);
+
+  if (!email || !password) {
+    console.error("Email and password are required.");
+    process.exit(1);
+  }
+
+  if (isRegister && password.length < 8) {
+    console.error("Password must be at least 8 characters.");
+    process.exit(1);
+  }
+
+  const endpoint = isRegister ? "/auth/register" : "/auth/login";
+  const res = await authRequest<{ token: string; user: { id: string; email: string } }>(
+    "POST",
+    endpoint,
+    apiUrl,
+    { email, password }
+  );
+
+  if (!res.ok) {
+    console.error(res.data.error || "Authentication failed.");
+    process.exit(1);
+  }
+
+  writeConfig({
+    token: res.data.token,
+    email: res.data.user.email,
+    apiUrl,
+  });
+
+  console.log();
+  console.log(`Logged in as ${res.data.user.email}`);
+  console.log("Token stored in ~/.locker/config");
+}

package/src/commands/logout.ts

@@ -0,0 +1,12 @@
+import { clearConfig, readConfig } from "../auth/config";
+
+export function logoutCommand() {
+  const config = readConfig();
+  clearConfig();
+
+  if (config) {
+    console.log(`Logged out (${config.email}). Token cleared.`);
+  } else {
+    console.log("Already logged out.");
+  }
+}

package/src/commands/mcp.ts

@@ -0,0 +1,87 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+
+interface McpConfig {
+  mcpServers?: Record<string, { command: string; args: string[] }>;
+  [key: string]: unknown;
+}
+
+const TARGETS: Record<string, string> = {
+  claude: path.join(os.homedir(), ".claude", "claude_desktop_config.json"),
+  cursor: path.join(os.homedir(), ".cursor", "mcp.json"),
+};
+
+function getMcpEntry() {
+  // Use the published npm package — npx resolves it globally
+  return { command: "npx", args: ["locker-mcp-server"] };
+}
+
+function installToTarget(name: string, configPath: string): boolean {
+  const dir = path.dirname(configPath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true });
+  }
+
+  let config: McpConfig = {};
+  if (fs.existsSync(configPath)) {
+    try {
+      config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+    } catch {
+      console.error(`  Could not parse ${configPath}`);
+      return false;
+    }
+  }
+
+  if (!config.mcpServers) {
+    config.mcpServers = {};
+  }
+
+  const entry = getMcpEntry();
+  config.mcpServers.locker = entry;
+
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+  console.log(`  ✓ ${name} — ${configPath}`);
+  return true;
+}
+
+export function mcpInstallCommand() {
+  console.log("Installing Locker MCP server...\n");
+
+  let installed = 0;
+  for (const [name, configPath] of Object.entries(TARGETS)) {
+    const dir = path.dirname(configPath);
+    // Only install if the tool's config directory exists (tool is installed)
+    if (fs.existsSync(dir) || name === "claude") {
+      if (installToTarget(name, configPath)) installed++;
+    }
+  }
+
+  if (installed === 0) {
+    console.log("No supported AI tools detected.");
+    console.log("Manually add to your tool's MCP config:");
+    const entry = getMcpEntry();
+    console.log(JSON.stringify({ locker: entry }, null, 2));
+  } else {
+    console.log(`\nDone. Restart your AI tool to activate.`);
+  }
+}
+
+export function mcpUninstallCommand() {
+  console.log("Removing Locker MCP server...\n");
+
+  for (const [name, configPath] of Object.entries(TARGETS)) {
+    if (!fs.existsSync(configPath)) continue;
+    try {
+      const config: McpConfig = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      if (config.mcpServers?.locker) {
+        delete config.mcpServers.locker;
+        fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n");
+        console.log(`  ✓ Removed from ${name}`);
+      }
+    } catch {
+      // Skip
+    }
+  }
+  console.log("\nDone.");
+}

package/src/commands/revoke.ts

@@ -0,0 +1,23 @@
+import { requireAuth } from "../auth/config";
+import { apiRequest } from "../auth/client";
+
+export async function revokeCommand(service: string) {
+  const config = requireAuth();
+
+  const res = await apiRequest(
+    "DELETE",
+    `/keys/${encodeURIComponent(service)}`,
+    config
+  );
+
+  if (!res.ok) {
+    if (res.status === 404) {
+      console.error(`No key found for service: ${service}`);
+      process.exit(1);
+    }
+    console.error(res.data.error || "Failed to revoke key.");
+    process.exit(1);
+  }
+
+  console.log(`Key revoked for ${service}`);
+}

package/src/commands/set.ts

@@ -0,0 +1,20 @@
+import { requireAuth } from "../auth/config";
+import { apiRequest } from "../auth/client";
+
+export async function setCommand(service: string, key: string) {
+  const config = requireAuth();
+
+  const res = await apiRequest(
+    "POST",
+    "/keys",
+    config,
+    { service, key }
+  );
+
+  if (!res.ok) {
+    console.error(res.data.error || "Failed to store key.");
+    process.exit(1);
+  }
+
+  console.log(`Key stored for ${service}`);
+}

package/src/commands/whoami.ts

@@ -0,0 +1,6 @@
+import { requireAuth } from "../auth/config";
+
+export function whoamiCommand() {
+  const config = requireAuth();
+  console.log(config.email);
+}

package/src/index.ts

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+
+import { Command } from "commander";
+import { loginCommand } from "./commands/login";
+import { logoutCommand } from "./commands/logout";
+import { whoamiCommand } from "./commands/whoami";
+import { getCommand } from "./commands/get";
+import { setCommand } from "./commands/set";
+import { listCommand } from "./commands/list";
+import { revokeCommand } from "./commands/revoke";
+import { mcpInstallCommand, mcpUninstallCommand } from "./commands/mcp";
+
+const program = new Command();
+
+program
+  .name("locker")
+  .description("Secure API credential manager for AI agents")
+  .version("0.1.0");
+
+program
+  .command("login")
+  .description("Log in to Locker")
+  .option("--register", "Create a new account")
+  .option("--api <url>", "API server URL")
+  .action(loginCommand);
+
+program
+  .command("logout")
+  .description("Log out and clear stored token")
+  .action(logoutCommand);
+
+program
+  .command("whoami")
+  .description("Show the currently logged-in user")
+  .action(whoamiCommand);
+
+program
+  .command("get <service>")
+  .description("Retrieve an API key (prints to stdout)")
+  .option("--agent <name>", "Agent identifier for audit log")
+  .action(getCommand);
+
+program
+  .command("set <service> <key>")
+  .description("Store an API key")
+  .action(setCommand);
+
+program
+  .command("list")
+  .description("List all stored services")
+  .action(listCommand);
+
+program
+  .command("revoke <service>")
+  .description("Delete a stored API key")
+  .action(revokeCommand);
+
+const mcp = program
+  .command("mcp")
+  .description("Manage the Locker MCP server");
+
+mcp
+  .command("install")
+  .description("Install Locker MCP server into Claude Code, Cursor, etc.")
+  .action(mcpInstallCommand);
+
+mcp
+  .command("uninstall")
+  .description("Remove Locker MCP server from AI tools")
+  .action(mcpUninstallCommand);
+
+program.parse();

package/tsconfig.json

@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "commonjs",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}

package/vitest.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: "node",
+  },
+});