passwd-sso-cli 0.4.3

package/dist/commands/decrypt.js

@@ -0,0 +1,108 @@
+/**
+ * `passwd-sso decrypt <id>` — Thin client that connects to the decrypt agent socket.
+ * Sends a decrypt request and prints the result to stdout.
+ * Used by Claude Code hooks to decrypt credentials without exposing them to the LLM.
+ *
+ * Usage:
+ *   passwd-sso decrypt <entryId> --field password --mcp-client <mcpc_xxx>
+ *   passwd-sso decrypt <entryId> --json --mcp-client <mcpc_xxx>
+ *   passwd-sso decrypt abc123 --field password --mcp-client mcpc_xxx | curl --config - ...
+ *
+ * --json outputs all decrypted fields as JSON (ignores --field).
+ */
+import { createConnection } from "node:net";
+export async function decryptCommand(id, options) {
+    const socketPath = process.env.PSSO_AGENT_SOCK;
+    if (!socketPath) {
+        process.stderr.write("Error: Agent not running. Start with:\n" +
+            "  eval $(passwd-sso agent --decrypt --eval)\n");
+        process.exit(1);
+    }
+    if (options.json && options.field) {
+        process.stderr.write("Error: --json and --field are mutually exclusive\n");
+        process.exitCode = 1;
+        return;
+    }
+    const field = options.json ? "_json" : (options.field ?? "password");
+    const request = JSON.stringify({
+        entryId: id,
+        clientId: options.mcpClient,
+        field,
+    });
+    await new Promise((resolve, reject) => {
+        const socket = createConnection(socketPath);
+        let responseBuffer = "";
+        let settled = false;
+        const finish = (err) => {
+            if (settled)
+                return;
+            settled = true;
+            socket.destroy();
+            if (err)
+                reject(err);
+            else
+                resolve();
+        };
+        socket.on("connect", () => {
+            socket.write(request + "\n");
+        });
+        socket.on("data", (chunk) => {
+            responseBuffer += chunk.toString("utf-8");
+            const lines = responseBuffer.split("\n");
+            responseBuffer = lines.pop() ?? "";
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed)
+                    continue;
+                try {
+                    const res = JSON.parse(trimmed);
+                    if (res.ok && res.value !== undefined) {
+                        // Write value + newline to stdout.
+                        // When piped (e.g., to curl), the trailing newline is typically
+                        // consumed by the receiving process. For interactive use, it
+                        // ensures the value is visible before the next shell prompt.
+                        process.stdout.write(res.value + "\n");
+                        finish();
+                    }
+                    else {
+                        process.stderr.write(`Error: ${res.error ?? "Decrypt failed"}\n`);
+                        process.exitCode = 1;
+                        finish();
+                    }
+                }
+                catch (err) {
+                    process.stderr.write(`Error: Invalid response from agent: ${err instanceof Error ? err.message : "unknown"}\n`);
+                    process.exitCode = 1;
+                    finish();
+                }
+            }
+        });
+        socket.on("end", () => {
+            finish();
+        });
+        socket.on("error", (err) => {
+            if (err.code === "ENOENT") {
+                process.stderr.write("Error: Agent socket not found. Start the agent with:\n" +
+                    "  eval $(passwd-sso agent --decrypt --eval)\n");
+            }
+            else if (err.code === "ECONNREFUSED") {
+                process.stderr.write("Error: Agent is not running. Start with:\n" +
+                    "  eval $(passwd-sso agent --decrypt --eval)\n");
+            }
+            else {
+                process.stderr.write(`Error: Socket error: ${err.message}\n`);
+            }
+            process.exitCode = 1;
+            finish(err);
+        });
+        socket.setTimeout(10_000);
+        socket.on("timeout", () => {
+            process.stderr.write("Error: Agent request timed out\n");
+            process.exitCode = 1;
+            finish(new Error("timeout"));
+        });
+    }).catch(() => {
+        // exitCode already set above
+    });
+}
+//# sourceMappingURL=decrypt.js.map

package/dist/commands/env.d.ts

@@ -0,0 +1,15 @@
+/**
+ * `passwd-sso env` — Output vault secrets as environment variables.
+ *
+ * Reads .passwd-sso-env.json, fetches & decrypts entries, then outputs
+ * env vars in the requested format (shell, dotenv, json).
+ *
+ * Requires the vault to be unlocked (encryption key in memory) OR
+ * an apiKey + PSSO_PASSPHRASE env var for non-interactive mode.
+ */
+interface EnvOptions {
+    config?: string;
+    format: string;
+}
+export declare function envCommand(opts: EnvOptions): Promise<void>;
+export {};

package/dist/commands/env.js

@@ -0,0 +1,102 @@
+/**
+ * `passwd-sso env` — Output vault secrets as environment variables.
+ *
+ * Reads .passwd-sso-env.json, fetches & decrypts entries, then outputs
+ * env vars in the requested format (shell, dotenv, json).
+ *
+ * Requires the vault to be unlocked (encryption key in memory) OR
+ * an apiKey + PSSO_PASSPHRASE env var for non-interactive mode.
+ */
+import { loadSecretsConfig, getPasswordPath } from "../lib/secrets-config.js";
+import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
+import { autoUnlockIfNeeded } from "./unlock.js";
+import { getToken } from "../lib/api-client.js";
+import { decryptData } from "../lib/crypto.js";
+import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { BLOCKED_KEYS } from "../lib/blocked-keys.js";
+import * as output from "../lib/output.js";
+export async function envCommand(opts) {
+    let config;
+    try {
+        config = loadSecretsConfig(opts.config);
+    }
+    catch (err) {
+        output.error(err instanceof Error ? err.message : "Failed to load config.");
+        return;
+    }
+    const useV1 = !!config.apiKey;
+    const baseUrl = config.server.replace(/\/$/, "");
+    // Determine auth header
+    let authHeader;
+    if (config.apiKey) {
+        authHeader = `Bearer ${config.apiKey}`;
+    }
+    else {
+        const token = await getToken();
+        if (!token) {
+            output.error("Not logged in. Run `passwd-sso login` first, or set apiKey in config.");
+            return;
+        }
+        authHeader = `Bearer ${token}`;
+    }
+    // Auto-unlock with PSSO_PASSPHRASE if needed
+    if (!await autoUnlockIfNeeded()) {
+        output.error("Vault is not unlocked. Run `passwd-sso unlock` first, or set PSSO_PASSPHRASE.");
+        return;
+    }
+    const encryptionKey = getEncryptionKey();
+    const userId = getUserId();
+    const result = {};
+    const entries = Object.entries(config.secrets);
+    for (const [envName, mapping] of entries) {
+        if (BLOCKED_KEYS.has(envName.toUpperCase())) {
+            output.error(`Blocked: cannot output '${envName}' (security restriction)`);
+            process.exit(1);
+        }
+        const path = getPasswordPath(mapping.entry, useV1);
+        const url = `${baseUrl}${path}`;
+        const res = await fetch(url, {
+            headers: { Authorization: authHeader },
+        });
+        if (!res.ok) {
+            output.error(`Failed to fetch entry ${mapping.entry}: HTTP ${res.status}`);
+            process.exit(1);
+        }
+        const data = (await res.json());
+        let additionalData;
+        if (data.aadVersion && data.aadVersion >= 1 && userId) {
+            additionalData = buildPersonalEntryAAD(userId, data.id);
+        }
+        const decrypted = await decryptData(data.encryptedBlob, encryptionKey, additionalData);
+        const blob = JSON.parse(decrypted);
+        const value = blob[mapping.field];
+        if (value === undefined || value === null) {
+            output.warn(`Field '${mapping.field}' not found in entry ${mapping.entry}`);
+            continue;
+        }
+        result[envName] = String(value);
+    }
+    // Output
+    switch (opts.format) {
+        case "json":
+            console.log(JSON.stringify(result, null, 2));
+            break;
+        case "dotenv":
+            for (const [k, v] of Object.entries(result)) {
+                console.log(`${k}=${shellEscape(v)}`);
+            }
+            break;
+        case "shell":
+        default:
+            for (const [k, v] of Object.entries(result)) {
+                console.log(`export ${k}=${shellEscape(v)}`);
+            }
+            break;
+    }
+}
+function shellEscape(s) {
+    if (/^[a-zA-Z0-9._\-/:@]+$/.test(s))
+        return s;
+    return `'${s.replace(/'/g, "'\\''")}'`;
+}
+//# sourceMappingURL=env.js.map

package/dist/commands/export.d.ts

@@ -0,0 +1,7 @@
+/**
+ * `passwd-sso export` — Export vault entries to JSON or CSV.
+ */
+export declare function exportCommand(options: {
+    format?: string;
+    output?: string;
+}): Promise<void>;

package/dist/commands/export.js

@@ -0,0 +1,99 @@
+/**
+ * `passwd-sso export` — Export vault entries to JSON or CSV.
+ */
+import { resolve } from "node:path";
+import { existsSync, lstatSync } from "node:fs";
+import { apiRequest } from "../lib/api-client.js";
+import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
+import { decryptData } from "../lib/crypto.js";
+import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import * as output from "../lib/output.js";
+function escapeCSV(value) {
+    if (value.includes(",") || value.includes('"') || value.includes("\n")) {
+        return `"${value.replace(/"/g, '""')}"`;
+    }
+    return value;
+}
+export async function exportCommand(options) {
+    const key = getEncryptionKey();
+    if (!key) {
+        output.error("Vault is locked. Run `unlock` first.");
+        return;
+    }
+    const format = options.format ?? "json";
+    if (format !== "json" && format !== "csv") {
+        output.error("Format must be 'json' or 'csv'.");
+        return;
+    }
+    const res = await apiRequest("/api/passwords?include=blob");
+    if (!res.ok) {
+        output.error(`Failed to fetch entries: ${res.status}`);
+        return;
+    }
+    const entries = res.data;
+    if (!Array.isArray(entries) || entries.length === 0) {
+        output.info("No entries to export.");
+        return;
+    }
+    // Validate and resolve output path before processing
+    const outputPath = options.output ? resolve(options.output) : undefined;
+    if (!outputPath) {
+        output.warn("Decrypted passwords will be printed to stdout.");
+    }
+    if (outputPath && existsSync(outputPath) && lstatSync(outputPath).isSymbolicLink()) {
+        output.error("Output path is a symlink — refusing to write.");
+        return;
+    }
+    const userId = getUserId();
+    const decrypted = [];
+    let failedCount = 0;
+    for (const entry of entries) {
+        try {
+            const aad = entry.aadVersion >= 1 && userId
+                ? buildPersonalEntryAAD(userId, entry.id)
+                : undefined;
+            const plaintext = await decryptData(entry.encryptedBlob, key, aad);
+            decrypted.push(JSON.parse(plaintext));
+        }
+        catch {
+            failedCount++;
+        }
+    }
+    if (failedCount > 0) {
+        output.warn(`${failedCount} entries failed to decrypt and were skipped.`);
+    }
+    if (format === "json") {
+        const out = JSON.stringify(decrypted, null, 2);
+        if (outputPath) {
+            const { writeFileSync } = await import("node:fs");
+            writeFileSync(outputPath, out, { encoding: "utf-8", mode: 0o600 });
+            output.success(`Exported ${decrypted.length} entries to ${outputPath}`);
+        }
+        else {
+            console.log(out);
+        }
+    }
+    else {
+        const headers = ["title", "username", "password", "url", "notes", "totp"];
+        const csvRows = [headers.join(",")];
+        for (const entry of decrypted) {
+            csvRows.push(headers.map((h) => {
+                const val = entry[h];
+                if (h === "totp" && val && typeof val === "object") {
+                    return escapeCSV(val.secret ?? "");
+                }
+                return escapeCSV(String(val ?? ""));
+            }).join(","));
+        }
+        const csvOut = csvRows.join("\n");
+        if (outputPath) {
+            const { writeFileSync } = await import("node:fs");
+            writeFileSync(outputPath, csvOut, { encoding: "utf-8", mode: 0o600 });
+            output.success(`Exported ${decrypted.length} entries to ${outputPath}`);
+        }
+        else {
+            console.log(csvOut);
+        }
+    }
+}
+//# sourceMappingURL=export.js.map

package/dist/commands/generate.d.ts

@@ -0,0 +1,11 @@
+/**
+ * `passwd-sso generate` — Generate a secure password (offline).
+ */
+export declare function generateCommand(options: {
+    length?: number;
+    noUppercase?: boolean;
+    noDigits?: boolean;
+    noSymbols?: boolean;
+    copy?: boolean;
+    json?: boolean;
+}): Promise<void>;

package/dist/commands/generate.js

@@ -0,0 +1,45 @@
+/**
+ * `passwd-sso generate` — Generate a secure password (offline).
+ */
+import { randomBytes } from "node:crypto";
+import { copyToClipboard } from "../lib/clipboard.js";
+import * as output from "../lib/output.js";
+const LOWERCASE = "abcdefghijklmnopqrstuvwxyz";
+const UPPERCASE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+const DIGITS = "0123456789";
+const SYMBOLS = "!@#$%^&*()_+-=[]{}|;:',.<>?/`~";
+export async function generateCommand(options) {
+    const length = options.length ?? 20;
+    if (length < 4 || length > 128) {
+        output.error("Length must be between 4 and 128.");
+        return;
+    }
+    let charset = LOWERCASE;
+    if (!options.noUppercase)
+        charset += UPPERCASE;
+    if (!options.noDigits)
+        charset += DIGITS;
+    if (!options.noSymbols)
+        charset += SYMBOLS;
+    // Rejection sampling to avoid modulo bias
+    const limit = Math.floor(0x100000000 / charset.length) * charset.length;
+    const password = Array.from({ length }, () => {
+        let val;
+        do {
+            val = randomBytes(4).readUInt32BE(0);
+        } while (val >= limit);
+        return charset[val % charset.length];
+    }).join("");
+    if (options.json) {
+        output.json({ password });
+        return;
+    }
+    if (options.copy) {
+        await copyToClipboard(password);
+        output.success("Password generated and copied to clipboard (auto-clears in 30s).");
+    }
+    else {
+        console.log(password);
+    }
+}
+//# sourceMappingURL=generate.js.map

package/dist/commands/get.d.ts

@@ -0,0 +1,8 @@
+/**
+ * `passwd-sso get <id>` — Show a single entry (decrypted blob).
+ */
+export declare function getCommand(id: string, options: {
+    copy?: boolean;
+    json?: boolean;
+    field?: string;
+}): Promise<void>;

package/dist/commands/get.js

@@ -0,0 +1,73 @@
+/**
+ * `passwd-sso get <id>` — Show a single entry (decrypted blob).
+ */
+import { apiRequest } from "../lib/api-client.js";
+import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
+import { decryptData } from "../lib/crypto.js";
+import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { copyToClipboard } from "../lib/clipboard.js";
+import * as output from "../lib/output.js";
+export async function getCommand(id, options) {
+    const key = getEncryptionKey();
+    if (!key) {
+        output.error("Vault is locked. Run `unlock` first.");
+        return;
+    }
+    const userId = getUserId();
+    const res = await apiRequest(`/api/passwords/${id}`);
+    if (!res.ok) {
+        output.error(`Entry not found: ${res.status}`);
+        return;
+    }
+    const entry = res.data;
+    try {
+        const aad = entry.aadVersion >= 1 && userId
+            ? buildPersonalEntryAAD(userId, entry.id)
+            : undefined;
+        const plaintext = await decryptData(entry.encryptedBlob, key, aad);
+        const blob = JSON.parse(plaintext);
+        if (options.field) {
+            const value = blob[options.field];
+            if (value === undefined) {
+                output.error(`Field "${options.field}" not found.`);
+                return;
+            }
+            const str = typeof value === "object" && value !== null
+                ? JSON.stringify(value)
+                : String(value);
+            if (options.copy) {
+                await copyToClipboard(str);
+                output.success(`Copied ${options.field} to clipboard (auto-clears in 30s).`);
+            }
+            else {
+                console.log(str);
+            }
+            return;
+        }
+        if (options.json) {
+            output.json(blob);
+            return;
+        }
+        // Formatted display
+        if (blob.title)
+            console.log(`Title:    ${blob.title}`);
+        if (blob.username)
+            console.log(`Username: ${blob.username}`);
+        if (blob.password)
+            console.log(`Password: ${output.masked(blob.password)}`);
+        if (blob.url)
+            console.log(`URL:      ${blob.url}`);
+        if (blob.notes)
+            console.log(`Notes:    ${blob.notes}`);
+        if (blob.totp)
+            console.log(`TOTP:     (configured)`);
+        if (options.copy && blob.password) {
+            await copyToClipboard(blob.password);
+            output.success("Password copied to clipboard (auto-clears in 30s).");
+        }
+    }
+    catch {
+        output.error("Failed to decrypt entry.");
+    }
+}
+//# sourceMappingURL=get.js.map

package/dist/commands/list.d.ts

@@ -0,0 +1,6 @@
+/**
+ * `passwd-sso list` — List vault entries (decrypted overview).
+ */
+export declare function listCommand(options: {
+    json?: boolean;
+}): Promise<void>;

package/dist/commands/list.js

@@ -0,0 +1,66 @@
+/**
+ * `passwd-sso list` — List vault entries (decrypted overview).
+ */
+import { apiRequest } from "../lib/api-client.js";
+import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
+import { decryptData } from "../lib/crypto.js";
+import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import * as output from "../lib/output.js";
+export async function listCommand(options) {
+    const key = getEncryptionKey();
+    if (!key) {
+        output.error("Vault is locked. Run `unlock` first.");
+        return;
+    }
+    const userId = getUserId();
+    const res = await apiRequest("/api/passwords");
+    if (!res.ok) {
+        output.error(`Failed to fetch entries: ${res.status}`);
+        return;
+    }
+    const entries = res.data;
+    if (!Array.isArray(entries) || entries.length === 0) {
+        output.info("No entries found.");
+        return;
+    }
+    const decrypted = [];
+    for (const entry of entries) {
+        try {
+            const aad = entry.aadVersion >= 1 && userId
+                ? buildPersonalEntryAAD(userId, entry.id)
+                : undefined;
+            const plaintext = await decryptData(entry.encryptedOverview, key, aad);
+            const overview = JSON.parse(plaintext);
+            decrypted.push({
+                id: entry.id,
+                title: overview.title ?? "(untitled)",
+                username: overview.username ?? "",
+                url: overview.urlHost ?? "",
+                type: entry.entryType ?? "LOGIN",
+            });
+        }
+        catch {
+            decrypted.push({
+                id: entry.id,
+                title: "(decryption failed)",
+                username: "",
+                url: "",
+                type: entry.entryType ?? "?",
+            });
+        }
+    }
+    if (options.json) {
+        output.json(decrypted);
+    }
+    else {
+        output.table(["ID", "Type", "Title", "Username", "URL"], decrypted.map((d) => [
+            d.id,
+            d.type,
+            d.title,
+            d.username,
+            d.url,
+        ]));
+        output.info(`${decrypted.length} entries`);
+    }
+}
+//# sourceMappingURL=list.js.map

package/dist/commands/login.d.ts

@@ -0,0 +1,4 @@
+/**
+ * `passwd-sso login` — Configure server URL and Bearer token.
+ */
+export declare function loginCommand(): Promise<void>;

package/dist/commands/login.js

@@ -0,0 +1,45 @@
+/**
+ * `passwd-sso login` — Configure server URL and Bearer token.
+ */
+import { createInterface } from "node:readline";
+import { loadConfig, saveConfig, saveToken } from "../lib/config.js";
+import { setTokenCache } from "../lib/api-client.js";
+import * as output from "../lib/output.js";
+async function prompt(question) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}
+export async function loginCommand() {
+    const config = loadConfig();
+    const serverUrl = await prompt(`Server URL${config.serverUrl ? ` [${config.serverUrl}]` : ""}: `);
+    if (serverUrl) {
+        config.serverUrl = serverUrl.replace(/\/$/, "");
+    }
+    if (!config.serverUrl) {
+        output.error("Server URL is required.");
+        return;
+    }
+    output.info("Open your browser and go to the token page to generate a CLI token.");
+    output.info(`  ${config.serverUrl}/dashboard/settings`);
+    console.log();
+    const token = await prompt("Paste your token: ");
+    if (!token) {
+        output.error("Token is required.");
+        return;
+    }
+    // Approximate token expiry (15 min from now)
+    config.tokenExpiresAt = new Date(Date.now() + 15 * 60 * 1000).toISOString();
+    saveConfig(config);
+    const storage = await saveToken(token);
+    setTokenCache(token, config.tokenExpiresAt);
+    if (storage === "file") {
+        output.warn("Token saved to file (plaintext). Consider installing keytar for OS keychain storage.");
+    }
+    output.success(`Logged in to ${config.serverUrl}`);
+}
+//# sourceMappingURL=login.js.map

package/dist/commands/run.d.ts

@@ -0,0 +1,12 @@
+/**
+ * `passwd-sso run` — Inject vault secrets into a command's environment.
+ *
+ * Uses child_process.execFile (NOT shell) for security.
+ * Blocks certain dangerous env var names from being overwritten.
+ */
+interface RunOptions {
+    config?: string;
+    command: string[];
+}
+export declare function runCommand(opts: RunOptions): Promise<void>;
+export {};