passwd-sso-cli 0.4.3

package/dist/commands/run.js

@@ -0,0 +1,97 @@
+/**
+ * `passwd-sso run` — Inject vault secrets into a command's environment.
+ *
+ * Uses child_process.execFile (NOT shell) for security.
+ * Blocks certain dangerous env var names from being overwritten.
+ */
+import { spawn } from "node:child_process";
+import { loadSecretsConfig, getPasswordPath } from "../lib/secrets-config.js";
+import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
+import { autoUnlockIfNeeded } from "./unlock.js";
+import { getToken } from "../lib/api-client.js";
+import { decryptData } from "../lib/crypto.js";
+import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import * as output from "../lib/output.js";
+import { BLOCKED_KEYS } from "../lib/blocked-keys.js";
+export async function runCommand(opts) {
+    if (opts.command.length === 0) {
+        output.error("No command specified. Usage: passwd-sso run -- <command>");
+        process.exit(1);
+    }
+    let config;
+    try {
+        config = loadSecretsConfig(opts.config);
+    }
+    catch (err) {
+        output.error(err instanceof Error ? err.message : "Failed to load config.");
+        process.exit(1);
+    }
+    const useV1 = !!config.apiKey;
+    const baseUrl = config.server.replace(/\/$/, "");
+    let authHeader;
+    if (config.apiKey) {
+        authHeader = `Bearer ${config.apiKey}`;
+    }
+    else {
+        const token = await getToken();
+        if (!token) {
+            output.error("Not logged in. Run `passwd-sso login` first, or set apiKey in config.");
+            process.exit(1);
+        }
+        authHeader = `Bearer ${token}`;
+    }
+    if (!await autoUnlockIfNeeded()) {
+        output.error("Vault is not unlocked. Run `passwd-sso unlock` first, or set PSSO_PASSPHRASE.");
+        process.exit(1);
+    }
+    const encryptionKey = getEncryptionKey();
+    const userId = getUserId();
+    // Resolve secrets
+    const secretEnv = {};
+    const entries = Object.entries(config.secrets);
+    for (const [envName, mapping] of entries) {
+        // Block dangerous keys
+        if (BLOCKED_KEYS.has(envName.toUpperCase())) {
+            output.error(`Blocked: cannot inject '${envName}' (security restriction)`);
+            process.exit(1);
+        }
+        const path = getPasswordPath(mapping.entry, useV1);
+        const url = `${baseUrl}${path}`;
+        const res = await fetch(url, {
+            headers: { Authorization: authHeader },
+        });
+        if (!res.ok) {
+            output.error(`Failed to fetch entry ${mapping.entry}: HTTP ${res.status}`);
+            process.exit(1);
+        }
+        const data = (await res.json());
+        let additionalData;
+        if (data.aadVersion && data.aadVersion >= 1 && userId) {
+            additionalData = buildPersonalEntryAAD(userId, data.id);
+        }
+        const decrypted = await decryptData(data.encryptedBlob, encryptionKey, additionalData);
+        const blob = JSON.parse(decrypted);
+        const value = blob[mapping.field];
+        if (value === undefined || value === null) {
+            output.error(`Field '${mapping.field}' not found in entry ${mapping.entry}`);
+            process.exit(1);
+        }
+        secretEnv[envName] = String(value);
+    }
+    // Execute command with injected env vars (shell-free)
+    // Strip PSSO_ credentials from parent env to prevent leakage to child (CWE-214)
+    const { PSSO_PASSPHRASE: _pass, PSSO_API_KEY: _key, ...safeParentEnv } = process.env;
+    const [cmd, ...args] = opts.command;
+    const child = spawn(cmd, args, {
+        env: { ...safeParentEnv, ...secretEnv },
+        stdio: "inherit",
+    });
+    child.on("exit", (code) => {
+        process.exit(code ?? 1);
+    });
+    child.on("error", (err) => {
+        output.error(`Failed to execute: ${err.message}`);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=run.js.map

package/dist/commands/status.d.ts

@@ -0,0 +1,6 @@
+/**
+ * `passwd-sso status` — Show connection and vault status.
+ */
+export declare function statusCommand(options?: {
+    json?: boolean;
+}): Promise<void>;

package/dist/commands/status.js

@@ -0,0 +1,62 @@
+/**
+ * `passwd-sso status` — Show connection and vault status.
+ */
+import { apiRequest } from "../lib/api-client.js";
+import { isUnlocked } from "../lib/vault-state.js";
+import { loadConfig } from "../lib/config.js";
+import * as output from "../lib/output.js";
+export async function statusCommand(options = {}) {
+    const config = loadConfig();
+    const unlocked = isUnlocked();
+    if (!config.serverUrl) {
+        if (options.json) {
+            output.json({ server: null, vault: unlocked ? "unlocked" : "locked", connected: false });
+        }
+        else {
+            console.log(`Server: (not configured)`);
+            console.log(`Vault:  ${unlocked ? "Unlocked" : "Locked"}`);
+        }
+        return;
+    }
+    try {
+        const res = await apiRequest("/api/vault/status");
+        if (res.ok) {
+            const vaultSetup = res.data.setupRequired === false;
+            if (options.json) {
+                output.json({
+                    server: config.serverUrl,
+                    vault: unlocked ? "unlocked" : "locked",
+                    setup: vaultSetup ? "complete" : "required",
+                    connected: true,
+                });
+            }
+            else {
+                console.log(`Server: ${config.serverUrl}`);
+                console.log(`Vault:  ${unlocked ? "Unlocked" : "Locked"}`);
+                console.log(`Setup:  ${vaultSetup ? "Complete" : "Required"}`);
+                output.success("Connected");
+            }
+        }
+        else {
+            if (options.json) {
+                output.json({ server: config.serverUrl, vault: unlocked ? "unlocked" : "locked", connected: false, error: `HTTP ${res.status}` });
+            }
+            else {
+                console.log(`Server: ${config.serverUrl}`);
+                console.log(`Vault:  ${unlocked ? "Unlocked" : "Locked"}`);
+                output.error(`Server returned ${res.status}`);
+            }
+        }
+    }
+    catch (err) {
+        if (options.json) {
+            output.json({ server: config.serverUrl, vault: unlocked ? "unlocked" : "locked", connected: false, error: err instanceof Error ? err.message : "unknown error" });
+        }
+        else {
+            console.log(`Server: ${config.serverUrl}`);
+            console.log(`Vault:  ${unlocked ? "Unlocked" : "Locked"}`);
+            output.error(`Connection failed: ${err instanceof Error ? err.message : "unknown error"}`);
+        }
+    }
+}
+//# sourceMappingURL=status.js.map

package/dist/commands/totp.d.ts

@@ -0,0 +1,7 @@
+/**
+ * `passwd-sso totp <id>` — Generate TOTP code for an entry.
+ */
+export declare function totpCommand(id: string, options: {
+    copy?: boolean;
+    json?: boolean;
+}): Promise<void>;

package/dist/commands/totp.js

@@ -0,0 +1,57 @@
+/**
+ * `passwd-sso totp <id>` — Generate TOTP code for an entry.
+ */
+import { apiRequest } from "../lib/api-client.js";
+import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
+import { decryptData } from "../lib/crypto.js";
+import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { generateTOTPCode } from "../lib/totp.js";
+import { copyToClipboard } from "../lib/clipboard.js";
+import * as output from "../lib/output.js";
+export async function totpCommand(id, options) {
+    const key = getEncryptionKey();
+    if (!key) {
+        output.error("Vault is locked. Run `unlock` first.");
+        return;
+    }
+    const userId = getUserId();
+    const res = await apiRequest(`/api/passwords/${id}`);
+    if (!res.ok) {
+        output.error(`Entry not found: ${res.status}`);
+        return;
+    }
+    try {
+        const aad = res.data.aadVersion >= 1 && userId
+            ? buildPersonalEntryAAD(userId, res.data.id)
+            : undefined;
+        const plaintext = await decryptData(res.data.encryptedBlob, key, aad);
+        const blob = JSON.parse(plaintext);
+        if (!blob.totp?.secret) {
+            output.error("No TOTP configured for this entry.");
+            return;
+        }
+        const code = generateTOTPCode({
+            secret: blob.totp.secret,
+            algorithm: blob.totp.algorithm,
+            digits: blob.totp.digits,
+            period: blob.totp.period,
+        });
+        const period = blob.totp.period ?? 30;
+        const remaining = period - (Math.floor(Date.now() / 1000) % period);
+        if (options.json) {
+            output.json({ code, remaining, period });
+            return;
+        }
+        if (options.copy) {
+            await copyToClipboard(code);
+            output.success(`TOTP: ${code} (expires in ${remaining}s) — copied to clipboard`);
+        }
+        else {
+            console.log(`${code}  (${remaining}s remaining)`);
+        }
+    }
+    catch {
+        output.error("Failed to generate TOTP code.");
+    }
+}
+//# sourceMappingURL=totp.js.map

package/dist/commands/unlock.d.ts

@@ -0,0 +1,19 @@
+/**
+ * `passwd-sso unlock` — Unlock the vault with passphrase.
+ *
+ * Derives the encryption key and stores it in process memory.
+ */
+export declare function readPassphrase(prompt: string, opts?: {
+    useStderr?: boolean;
+}): Promise<string>;
+/**
+ * Core unlock logic — derives encryption key from passphrase and stores it.
+ * Returns true on success, false on failure.
+ */
+export declare function unlockWithPassphrase(passphrase: string): Promise<boolean>;
+export declare function unlockCommand(): Promise<void>;
+/**
+ * Auto-unlock using PSSO_PASSPHRASE env var if vault is locked.
+ * Returns true if vault is unlocked (already or just now), false otherwise.
+ */
+export declare function autoUnlockIfNeeded(): Promise<boolean>;

package/dist/commands/unlock.js

@@ -0,0 +1,125 @@
+/**
+ * `passwd-sso unlock` — Unlock the vault with passphrase.
+ *
+ * Derives the encryption key and stores it in process memory.
+ */
+import { apiRequest } from "../lib/api-client.js";
+import { hexDecode, deriveWrappingKey, unwrapSecretKey, deriveEncryptionKey, verifyKey, } from "../lib/crypto.js";
+import { setEncryptionKey, setSecretKeyBytes, isUnlocked } from "../lib/vault-state.js";
+import * as output from "../lib/output.js";
+export async function readPassphrase(prompt, opts) {
+    // When used with eval $(...), stdout is captured by the shell.
+    // Write prompt to stderr so it's visible but not evaluated.
+    const out = opts?.useStderr ? process.stderr : process.stdout;
+    out.write(prompt);
+    if (process.stdin.isTTY) {
+        process.stdin.setRawMode?.(true);
+    }
+    process.stdin.resume();
+    return new Promise((resolve) => {
+        let passphrase = "";
+        const onData = (key) => {
+            const char = key.toString("utf-8");
+            if (char === "\n" || char === "\r" || char === "\u0003") {
+                process.stdin.removeListener("data", onData);
+                process.stdin.removeListener("end", onEnd);
+                if (process.stdin.isTTY) {
+                    process.stdin.setRawMode?.(false);
+                }
+                process.stdin.pause();
+                console.log(); // newline after hidden input
+                if (char === "\u0003") {
+                    process.exit(130);
+                }
+                resolve(passphrase);
+            }
+            else if (char === "\u007F" || char === "\b") {
+                passphrase = passphrase.slice(0, -1);
+            }
+            else {
+                passphrase += char;
+            }
+        };
+        const onEnd = () => {
+            process.stdin.removeListener("data", onData);
+            process.stdin.removeListener("end", onEnd);
+            if (process.stdin.isTTY) {
+                process.stdin.setRawMode?.(false);
+            }
+            process.stdin.pause();
+            console.log();
+            resolve(passphrase);
+        };
+        process.stdin.on("data", onData);
+        process.stdin.on("end", onEnd);
+    });
+}
+/**
+ * Core unlock logic — derives encryption key from passphrase and stores it.
+ * Returns true on success, false on failure.
+ */
+export async function unlockWithPassphrase(passphrase) {
+    const res = await apiRequest("/api/vault/unlock/data");
+    if (!res.ok) {
+        output.error(`Failed to fetch vault data: ${res.status}`);
+        return false;
+    }
+    const data = res.data;
+    if (!data.accountSalt || !data.encryptedSecretKey) {
+        output.error("Vault is not set up. Please set up your vault in the web UI first.");
+        return false;
+    }
+    try {
+        const accountSalt = hexDecode(data.accountSalt);
+        const wrappingKey = await deriveWrappingKey(passphrase, accountSalt);
+        const encryptedSecret = {
+            ciphertext: data.encryptedSecretKey,
+            iv: data.secretKeyIv,
+            authTag: data.secretKeyAuthTag,
+        };
+        const secretKey = await unwrapSecretKey(encryptedSecret, wrappingKey);
+        const encryptionKey = await deriveEncryptionKey(secretKey);
+        if (data.verificationArtifact) {
+            const valid = await verifyKey(encryptionKey, data.verificationArtifact);
+            if (!valid) {
+                output.error("Incorrect passphrase.");
+                return false;
+            }
+        }
+        setEncryptionKey(encryptionKey, data.userId);
+        setSecretKeyBytes(secretKey);
+        return true;
+    }
+    catch {
+        output.error("Failed to unlock vault. Check your passphrase.");
+        return false;
+    }
+}
+export async function unlockCommand() {
+    if (isUnlocked()) {
+        output.info("Vault is already unlocked.");
+        return;
+    }
+    const passphrase = await readPassphrase("Master passphrase: ");
+    if (!passphrase) {
+        output.error("Passphrase is required.");
+        return;
+    }
+    if (await unlockWithPassphrase(passphrase)) {
+        output.success("Vault unlocked.");
+    }
+}
+/**
+ * Auto-unlock using PSSO_PASSPHRASE env var if vault is locked.
+ * Returns true if vault is unlocked (already or just now), false otherwise.
+ */
+export async function autoUnlockIfNeeded() {
+    if (isUnlocked())
+        return true;
+    const passphrase = process.env.PSSO_PASSPHRASE;
+    if (!passphrase) {
+        return false;
+    }
+    return unlockWithPassphrase(passphrase);
+}
+//# sourceMappingURL=unlock.js.map

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+/**
+ * passwd-sso CLI — Password manager command-line interface.
+ *
+ * Long-lived process model: `unlock` enters a REPL loop where
+ * commands can be executed interactively. `lock` exits the process.
+ */
+export {};