passwd-sso-cli 0.4.3

package/dist/lib/openssh-key-parser.js

@@ -0,0 +1,273 @@
+/**
+ * OpenSSH private key format parser.
+ *
+ * Handles `-----BEGIN OPENSSH PRIVATE KEY-----` format that
+ * Node.js/OpenSSL `createPrivateKey()` cannot always parse
+ * (notably encrypted keys using bcrypt-pbkdf).
+ *
+ * Supports: Ed25519, RSA, ECDSA (encrypted and unencrypted).
+ *
+ * Reference: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
+ */
+import { createPrivateKey, createDecipheriv } from "node:crypto";
+const OPENSSH_MAGIC = "openssh-key-v1\0";
+/**
+ * Parse an OpenSSH private key PEM into a Node.js KeyObject.
+ * Falls back to this when `createPrivateKey()` can't handle the format.
+ */
+export async function parseOpenSshPrivateKey(pem, passphrase) {
+    const lines = pem.trim().split(/\r?\n/);
+    if (lines[0] !== "-----BEGIN OPENSSH PRIVATE KEY-----" ||
+        lines[lines.length - 1] !== "-----END OPENSSH PRIVATE KEY-----") {
+        throw new Error("Not an OpenSSH private key");
+    }
+    const b64 = lines.slice(1, -1).join("");
+    const buf = Buffer.from(b64, "base64");
+    let offset = 0;
+    // Verify magic
+    const magic = buf.subarray(0, OPENSSH_MAGIC.length).toString("ascii");
+    if (magic !== OPENSSH_MAGIC) {
+        throw new Error("Invalid OpenSSH key magic");
+    }
+    offset += OPENSSH_MAGIC.length;
+    // Read cipher name
+    const cipherName = readString(buf, offset);
+    offset += 4 + cipherName.length;
+    // Read KDF name
+    const kdfName = readString(buf, offset);
+    offset += 4 + kdfName.length;
+    // Read KDF options
+    const kdfOptionsLen = buf.readUInt32BE(offset);
+    offset += 4;
+    const kdfOptions = buf.subarray(offset, offset + kdfOptionsLen);
+    offset += kdfOptionsLen;
+    // Number of keys
+    const numKeys = buf.readUInt32BE(offset);
+    offset += 4;
+    if (numKeys !== 1) {
+        throw new Error(`Expected 1 key, got ${numKeys}`);
+    }
+    // Skip public key blob
+    const pubKeyLen = buf.readUInt32BE(offset);
+    offset += 4 + pubKeyLen;
+    // Read private section
+    const privSectionLen = buf.readUInt32BE(offset);
+    offset += 4;
+    let privSection = buf.subarray(offset, offset + privSectionLen);
+    // Decrypt if encrypted
+    const isEncrypted = cipherName !== "none" || kdfName !== "none";
+    if (isEncrypted) {
+        if (!passphrase) {
+            throw new Error("This SSH key is encrypted but no passphrase is stored. " +
+                "Edit the vault entry and add the key passphrase.");
+        }
+        privSection = await decryptPrivateSection(privSection, cipherName, kdfName, kdfOptions, passphrase);
+    }
+    // Parse unencrypted private section
+    let pOff = 0;
+    // Check integers (random, must match)
+    const check1 = privSection.readUInt32BE(pOff);
+    pOff += 4;
+    const check2 = privSection.readUInt32BE(pOff);
+    pOff += 4;
+    if (check1 !== check2) {
+        throw new Error("Check integers mismatch — key data may be corrupted");
+    }
+    // Key type
+    const keyType = readString(privSection, pOff);
+    pOff += 4 + keyType.length;
+    switch (keyType) {
+        case "ssh-ed25519":
+            return parseEd25519(privSection, pOff);
+        case "ssh-rsa":
+            return parseRsa(privSection, pOff);
+        case "ecdsa-sha2-nistp256":
+        case "ecdsa-sha2-nistp384":
+        case "ecdsa-sha2-nistp521":
+            return parseEcdsa(privSection, pOff, keyType);
+        default:
+            throw new Error(`Unsupported OpenSSH key type: ${keyType}`);
+    }
+}
+// ─── Decryption ───────────────────────────────────────────
+/** Cipher info: Node.js algorithm name, key length, IV length */
+const CIPHER_INFO = {
+    "aes256-ctr": { algo: "aes-256-ctr", keyLen: 32, ivLen: 16 },
+    "aes256-cbc": { algo: "aes-256-cbc", keyLen: 32, ivLen: 16 },
+    "aes128-ctr": { algo: "aes-128-ctr", keyLen: 16, ivLen: 16 },
+    "aes128-cbc": { algo: "aes-128-cbc", keyLen: 16, ivLen: 16 },
+    "aes192-ctr": { algo: "aes-192-ctr", keyLen: 24, ivLen: 16 },
+    "aes192-cbc": { algo: "aes-192-cbc", keyLen: 24, ivLen: 16 },
+};
+async function decryptPrivateSection(encrypted, cipherName, kdfName, kdfOptions, passphrase) {
+    if (kdfName !== "bcrypt") {
+        throw new Error(`Unsupported KDF: ${kdfName}`);
+    }
+    const cipher = CIPHER_INFO[cipherName];
+    if (!cipher) {
+        throw new Error(`Unsupported cipher: ${cipherName}`);
+    }
+    // Parse KDF options: uint32 salt_len, salt, uint32 rounds
+    let kOff = 0;
+    const saltLen = kdfOptions.readUInt32BE(kOff);
+    kOff += 4;
+    const salt = kdfOptions.subarray(kOff, kOff + saltLen);
+    kOff += saltLen;
+    const rounds = kdfOptions.readUInt32BE(kOff);
+    // Derive key + IV using bcrypt-pbkdf
+    const { pbkdf } = await import("bcrypt-pbkdf");
+    const derivedLen = cipher.keyLen + cipher.ivLen;
+    const derived = Buffer.alloc(derivedLen);
+    const ret = pbkdf(Buffer.from(passphrase, "utf-8"), passphrase.length, salt, salt.length, derived, derivedLen, rounds);
+    if (ret !== 0) {
+        throw new Error("bcrypt-pbkdf failed");
+    }
+    const key = derived.subarray(0, cipher.keyLen);
+    const iv = derived.subarray(cipher.keyLen);
+    // Decrypt
+    const decipher = createDecipheriv(cipher.algo, key, iv);
+    decipher.setAutoPadding(false);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    // Zero derived key material
+    derived.fill(0);
+    key.fill(0);
+    iv.fill(0);
+    return decrypted;
+}
+// ─── Ed25519 ──────────────────────────────────────────────
+function parseEd25519(buf, offset) {
+    // Public key (32 bytes)
+    const pubLen = buf.readUInt32BE(offset);
+    offset += 4;
+    const pubKey = buf.subarray(offset, offset + pubLen);
+    offset += pubLen;
+    // Private key (64 bytes = 32-byte seed + 32-byte pubkey)
+    // Skip 4-byte private key length prefix
+    offset += 4;
+    const seed = buf.subarray(offset, offset + 32);
+    // Build JWK from raw key material
+    return createPrivateKey({
+        key: {
+            kty: "OKP",
+            crv: "Ed25519",
+            d: base64url(seed),
+            x: base64url(pubKey),
+        },
+        format: "jwk",
+    });
+}
+// ─── RSA ──────────────────────────────────────────────────
+function parseRsa(buf, offset) {
+    // OpenSSH RSA format: n, e, d, iqmp, p, q
+    const n = readMpint(buf, offset);
+    offset += 4 + n.length;
+    const e = readMpint(buf, offset);
+    offset += 4 + e.length;
+    const d = readMpint(buf, offset);
+    offset += 4 + d.length;
+    const iqmp = readMpint(buf, offset);
+    offset += 4 + iqmp.length;
+    const p = readMpint(buf, offset);
+    offset += 4 + p.length;
+    const q = readMpint(buf, offset);
+    return createPrivateKey({
+        key: {
+            kty: "RSA",
+            n: base64url(stripLeadingZero(n)),
+            e: base64url(stripLeadingZero(e)),
+            d: base64url(stripLeadingZero(d)),
+            p: base64url(stripLeadingZero(p)),
+            q: base64url(stripLeadingZero(q)),
+            qi: base64url(stripLeadingZero(iqmp)),
+            // dp and dq are required by JWK but can be derived
+            dp: base64url(stripLeadingZero(modBuf(d, pMinus1(p)))),
+            dq: base64url(stripLeadingZero(modBuf(d, pMinus1(q)))),
+        },
+        format: "jwk",
+    });
+}
+// ─── ECDSA ────────────────────────────────────────────────
+function parseEcdsa(buf, offset, keyType) {
+    // Curve identifier string
+    const curveId = readString(buf, offset);
+    offset += 4 + curveId.length;
+    // Public key point (uncompressed: 0x04 + x + y)
+    const pubPointLen = buf.readUInt32BE(offset);
+    offset += 4;
+    const pubPoint = buf.subarray(offset, offset + pubPointLen);
+    offset += pubPointLen;
+    // Private key scalar
+    const privScalar = readMpint(buf, offset);
+    const curveMap = {
+        "ecdsa-sha2-nistp256": { crv: "P-256", size: 32 },
+        "ecdsa-sha2-nistp384": { crv: "P-384", size: 48 },
+        "ecdsa-sha2-nistp521": { crv: "P-521", size: 66 },
+    };
+    const curve = curveMap[keyType];
+    if (!curve)
+        throw new Error(`Unsupported ECDSA curve: ${keyType}`);
+    // pubPoint format: 0x04 + x (size bytes) + y (size bytes)
+    const x = pubPoint.subarray(1, 1 + curve.size);
+    const y = pubPoint.subarray(1 + curve.size, 1 + 2 * curve.size);
+    const d = stripLeadingZero(privScalar);
+    // Pad d to curve size if needed
+    const dPadded = d.length < curve.size
+        ? Buffer.concat([Buffer.alloc(curve.size - d.length), d])
+        : d;
+    return createPrivateKey({
+        key: {
+            kty: "EC",
+            crv: curve.crv,
+            x: base64url(x),
+            y: base64url(y),
+            d: base64url(dPadded),
+        },
+        format: "jwk",
+    });
+}
+// ─── Binary helpers ───────────────────────────────────────
+function readString(buf, offset) {
+    const len = buf.readUInt32BE(offset);
+    return buf.subarray(offset + 4, offset + 4 + len).toString("utf-8");
+}
+function readMpint(buf, offset) {
+    const len = buf.readUInt32BE(offset);
+    return buf.subarray(offset + 4, offset + 4 + len);
+}
+function base64url(buf) {
+    return Buffer.from(buf)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+function stripLeadingZero(buf) {
+    let i = 0;
+    while (i < buf.length - 1 && buf[i] === 0)
+        i++;
+    return i > 0 ? buf.subarray(i) : buf;
+}
+// ─── BigInt math for RSA dp/dq ────────────────────────────
+function bufToBigInt(buf) {
+    let result = 0n;
+    for (const byte of buf) {
+        result = (result << 8n) | BigInt(byte);
+    }
+    return result;
+}
+function bigIntToBuf(n) {
+    if (n === 0n)
+        return Buffer.from([0]);
+    const hex = n.toString(16);
+    const padded = hex.length % 2 ? "0" + hex : hex;
+    return Buffer.from(padded, "hex");
+}
+function pMinus1(p) {
+    return bufToBigInt(stripLeadingZero(p)) - 1n;
+}
+function modBuf(d, m) {
+    const dBig = bufToBigInt(stripLeadingZero(d));
+    const result = dBig % m;
+    return bigIntToBuf(result);
+}
+//# sourceMappingURL=openssh-key-parser.js.map

package/dist/lib/output.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Output formatting for CLI display.
+ */
+export declare function success(message: string): void;
+export declare function error(message: string): void;
+export declare function warn(message: string): void;
+export declare function info(message: string): void;
+export declare function table(headers: string[], rows: string[][]): void;
+export declare function json(data: unknown): void;
+export declare function masked(value: string): string;

package/dist/lib/output.js

@@ -0,0 +1,36 @@
+/**
+ * Output formatting for CLI display.
+ */
+import chalk from "chalk";
+import Table from "cli-table3";
+export function success(message) {
+    console.log(chalk.green(`✓ ${message}`));
+}
+export function error(message) {
+    console.error(chalk.red(`✗ ${message}`));
+}
+export function warn(message) {
+    console.log(chalk.yellow(`! ${message}`));
+}
+export function info(message) {
+    console.log(chalk.blue(`ℹ ${message}`));
+}
+export function table(headers, rows) {
+    const t = new Table({
+        head: headers.map((h) => chalk.cyan(h)),
+        style: { head: [], border: [] },
+    });
+    for (const row of rows) {
+        t.push(row);
+    }
+    console.log(t.toString());
+}
+export function json(data) {
+    console.log(JSON.stringify(data, null, 2));
+}
+export function masked(value) {
+    if (value.length <= 4)
+        return "****";
+    return "*".repeat(value.length - 4) + value.slice(-4);
+}
+//# sourceMappingURL=output.js.map

package/dist/lib/paths.d.ts

@@ -0,0 +1,17 @@
+/**
+ * XDG Base Directory compliant path resolution.
+ *
+ * Config:  $XDG_CONFIG_HOME/passwd-sso/  (default: ~/.config/passwd-sso/)
+ * Data:    $XDG_DATA_HOME/passwd-sso/    (default: ~/.local/share/passwd-sso/)
+ * Legacy:  ~/.passwd-sso/                (auto-migrated on first access)
+ */
+/** Resolve config directory (lazy — reads env at call time). */
+export declare function getConfigDir(): string;
+/** Resolve data directory (lazy — reads env at call time). */
+export declare function getDataDir(): string;
+/** Legacy directory path (for migration detection). */
+export declare function getLegacyDir(): string;
+/** Full path to config.json. */
+export declare function getConfigFilePath(): string;
+/** Full path to credentials file. */
+export declare function getCredentialsFilePath(): string;

package/dist/lib/paths.js

@@ -0,0 +1,39 @@
+/**
+ * XDG Base Directory compliant path resolution.
+ *
+ * Config:  $XDG_CONFIG_HOME/passwd-sso/  (default: ~/.config/passwd-sso/)
+ * Data:    $XDG_DATA_HOME/passwd-sso/    (default: ~/.local/share/passwd-sso/)
+ * Legacy:  ~/.passwd-sso/                (auto-migrated on first access)
+ */
+import { homedir } from "node:os";
+import { isAbsolute, join } from "node:path";
+const APP_NAME = "passwd-sso";
+/** Resolve config directory (lazy — reads env at call time). */
+export function getConfigDir() {
+    const xdgConfig = process.env.XDG_CONFIG_HOME;
+    const base = xdgConfig && isAbsolute(xdgConfig)
+        ? xdgConfig
+        : join(homedir(), ".config");
+    return join(base, APP_NAME);
+}
+/** Resolve data directory (lazy — reads env at call time). */
+export function getDataDir() {
+    const xdgData = process.env.XDG_DATA_HOME;
+    const base = xdgData && isAbsolute(xdgData)
+        ? xdgData
+        : join(homedir(), ".local", "share");
+    return join(base, APP_NAME);
+}
+/** Legacy directory path (for migration detection). */
+export function getLegacyDir() {
+    return join(homedir(), `.${APP_NAME}`);
+}
+/** Full path to config.json. */
+export function getConfigFilePath() {
+    return join(getConfigDir(), "config.json");
+}
+/** Full path to credentials file. */
+export function getCredentialsFilePath() {
+    return join(getDataDir(), "credentials");
+}
+//# sourceMappingURL=paths.js.map

package/dist/lib/secrets-config.d.ts

@@ -0,0 +1,31 @@
+/**
+ * .passwd-sso-env.json loader.
+ *
+ * Schema:
+ * {
+ *   "server": "https://...",
+ *   "apiKey?": "api_...",         // optional — uses /api/v1/ path
+ *   "secrets": {
+ *     "ENV_VAR_NAME": { "entry": "<entryId>", "field": "password" }
+ *   }
+ * }
+ *
+ * Auth flow:
+ *   apiKey present → /api/v1/passwords (Bearer api_key)
+ *   apiKey absent  → /api/passwords   (Bearer extension token via login)
+ */
+export interface SecretMapping {
+    entry: string;
+    field: string;
+}
+export interface SecretsConfig {
+    server: string;
+    apiKey?: string;
+    secrets: Record<string, SecretMapping>;
+}
+export declare function loadSecretsConfig(configPath?: string): SecretsConfig;
+/**
+ * Returns the API path for fetching a single password entry.
+ * If apiKey is configured, use the public /api/v1/ path.
+ */
+export declare function getPasswordPath(entryId: string, useV1: boolean): string;

package/dist/lib/secrets-config.js

@@ -0,0 +1,48 @@
+/**
+ * .passwd-sso-env.json loader.
+ *
+ * Schema:
+ * {
+ *   "server": "https://...",
+ *   "apiKey?": "api_...",         // optional — uses /api/v1/ path
+ *   "secrets": {
+ *     "ENV_VAR_NAME": { "entry": "<entryId>", "field": "password" }
+ *   }
+ * }
+ *
+ * Auth flow:
+ *   apiKey present → /api/v1/passwords (Bearer api_key)
+ *   apiKey absent  → /api/passwords   (Bearer extension token via login)
+ */
+import { readFileSync, existsSync } from "node:fs";
+import { resolve } from "node:path";
+export function loadSecretsConfig(configPath) {
+    const filePath = configPath
+        ? resolve(configPath)
+        : resolve(process.cwd(), ".passwd-sso-env.json");
+    if (!existsSync(filePath)) {
+        throw new Error(`Config file not found: ${filePath}`);
+    }
+    const raw = readFileSync(filePath, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.server || typeof parsed.server !== "string") {
+        throw new Error("Config file must have a 'server' field.");
+    }
+    if (!parsed.secrets || typeof parsed.secrets !== "object") {
+        throw new Error("Config file must have a 'secrets' field.");
+    }
+    return parsed;
+}
+/**
+ * Returns the API path for fetching a single password entry.
+ * If apiKey is configured, use the public /api/v1/ path.
+ */
+export function getPasswordPath(entryId, useV1) {
+    if (/[\/\\]/.test(entryId)) {
+        throw new Error(`Invalid entry ID: "${entryId}"`);
+    }
+    return useV1
+        ? `/api/v1/passwords/${encodeURIComponent(entryId)}`
+        : `/api/passwords/${encodeURIComponent(entryId)}`;
+}
+//# sourceMappingURL=secrets-config.js.map

package/dist/lib/ssh-agent-protocol.d.ts

@@ -0,0 +1,56 @@
+/**
+ * SSH agent protocol constants and framing helpers.
+ *
+ * Implements the subset of the SSH agent protocol needed for key listing
+ * and signing operations. Reference: draft-miller-ssh-agent.
+ */
+/** Client → Agent */
+export declare const SSH2_AGENTC_REQUEST_IDENTITIES = 11;
+export declare const SSH2_AGENTC_SIGN_REQUEST = 13;
+/** Agent → Client */
+export declare const SSH2_AGENT_FAILURE = 5;
+export declare const SSH2_AGENT_IDENTITIES_ANSWER = 12;
+export declare const SSH2_AGENT_SIGN_RESPONSE = 14;
+export declare const SSH_AGENT_RSA_SHA2_256 = 2;
+export declare const SSH_AGENT_RSA_SHA2_512 = 4;
+/**
+ * Read a uint32-be from buffer at offset.
+ */
+export declare function readUint32(buf: Buffer, offset: number): number;
+/**
+ * Write a uint32-be into buffer at offset.
+ */
+export declare function writeUint32(buf: Buffer, offset: number, value: number): void;
+/**
+ * Read an SSH "string" (uint32 length + data) from buffer at offset.
+ * Returns the data slice and the new offset after the string.
+ */
+export declare function readString(buf: Buffer, offset: number): {
+    data: Buffer;
+    nextOffset: number;
+};
+/**
+ * Build an SSH "string" (uint32 length prefix + data).
+ */
+export declare function encodeString(data: Buffer | string): Buffer;
+/**
+ * Wrap a message body with the 4-byte length prefix.
+ */
+export declare function frameMessage(body: Buffer): Buffer;
+/**
+ * Build an SSH_AGENT_FAILURE response.
+ */
+export declare function buildFailure(): Buffer;
+/**
+ * Build an SSH2_AGENT_IDENTITIES_ANSWER response.
+ *
+ * @param keys Array of { publicKeyBlob, comment } pairs
+ */
+export declare function buildIdentitiesAnswer(keys: {
+    publicKeyBlob: Buffer;
+    comment: string;
+}[]): Buffer;
+/**
+ * Build an SSH2_AGENT_SIGN_RESPONSE.
+ */
+export declare function buildSignResponse(signature: Buffer): Buffer;

package/dist/lib/ssh-agent-protocol.js

@@ -0,0 +1,108 @@
+/**
+ * SSH agent protocol constants and framing helpers.
+ *
+ * Implements the subset of the SSH agent protocol needed for key listing
+ * and signing operations. Reference: draft-miller-ssh-agent.
+ */
+// ─── Message types ────────────────────────────────────────────
+/** Client → Agent */
+export const SSH2_AGENTC_REQUEST_IDENTITIES = 11;
+export const SSH2_AGENTC_SIGN_REQUEST = 13;
+/** Agent → Client */
+export const SSH2_AGENT_FAILURE = 5;
+export const SSH2_AGENT_IDENTITIES_ANSWER = 12;
+export const SSH2_AGENT_SIGN_RESPONSE = 14;
+// ─── Signature algorithm flags (SSH2_AGENTC_SIGN_REQUEST flags field) ─
+export const SSH_AGENT_RSA_SHA2_256 = 2;
+export const SSH_AGENT_RSA_SHA2_512 = 4;
+// ─── Framing helpers (pure functions) ─────────────────────────
+/**
+ * Read a uint32-be from buffer at offset.
+ */
+export function readUint32(buf, offset) {
+    return buf.readUInt32BE(offset);
+}
+/**
+ * Write a uint32-be into buffer at offset.
+ */
+export function writeUint32(buf, offset, value) {
+    buf.writeUInt32BE(value, offset);
+}
+/**
+ * Read an SSH "string" (uint32 length + data) from buffer at offset.
+ * Returns the data slice and the new offset after the string.
+ */
+export function readString(buf, offset) {
+    const len = readUint32(buf, offset);
+    const data = buf.subarray(offset + 4, offset + 4 + len);
+    return { data, nextOffset: offset + 4 + len };
+}
+/**
+ * Build an SSH "string" (uint32 length prefix + data).
+ */
+export function encodeString(data) {
+    const buf = typeof data === "string" ? Buffer.from(data) : data;
+    const result = Buffer.alloc(4 + buf.length);
+    result.writeUInt32BE(buf.length, 0);
+    buf.copy(result, 4);
+    return result;
+}
+/**
+ * Wrap a message body with the 4-byte length prefix.
+ */
+export function frameMessage(body) {
+    const frame = Buffer.alloc(4 + body.length);
+    frame.writeUInt32BE(body.length, 0);
+    body.copy(frame, 4);
+    return frame;
+}
+/**
+ * Build an SSH_AGENT_FAILURE response.
+ */
+export function buildFailure() {
+    const body = Buffer.alloc(1);
+    body[0] = SSH2_AGENT_FAILURE;
+    return frameMessage(body);
+}
+/**
+ * Build an SSH2_AGENT_IDENTITIES_ANSWER response.
+ *
+ * @param keys Array of { publicKeyBlob, comment } pairs
+ */
+export function buildIdentitiesAnswer(keys) {
+    // Calculate total size: 1 (type) + 4 (nkeys) + per-key data
+    let size = 1 + 4;
+    for (const key of keys) {
+        size += 4 + key.publicKeyBlob.length; // string: public key blob
+        size += 4 + Buffer.byteLength(key.comment); // string: comment
+    }
+    const body = Buffer.alloc(size);
+    let offset = 0;
+    body[offset++] = SSH2_AGENT_IDENTITIES_ANSWER;
+    body.writeUInt32BE(keys.length, offset);
+    offset += 4;
+    for (const key of keys) {
+        body.writeUInt32BE(key.publicKeyBlob.length, offset);
+        offset += 4;
+        key.publicKeyBlob.copy(body, offset);
+        offset += key.publicKeyBlob.length;
+        const commentBuf = Buffer.from(key.comment);
+        body.writeUInt32BE(commentBuf.length, offset);
+        offset += 4;
+        commentBuf.copy(body, offset);
+        offset += commentBuf.length;
+    }
+    return frameMessage(body);
+}
+/**
+ * Build an SSH2_AGENT_SIGN_RESPONSE.
+ */
+export function buildSignResponse(signature) {
+    // SSH2_AGENT_SIGN_RESPONSE: byte(14) + string(signature_blob)
+    const sigString = encodeString(signature);
+    const body = Buffer.alloc(1 + sigString.length);
+    body[0] = SSH2_AGENT_SIGN_RESPONSE;
+    sigString.copy(body, 1);
+    return frameMessage(body);
+}
+//# sourceMappingURL=ssh-agent-protocol.js.map

package/dist/lib/ssh-agent-socket.d.ts

@@ -0,0 +1,20 @@
+/**
+ * SSH agent Unix domain socket server.
+ *
+ * Creates a Unix socket that implements the SSH agent protocol,
+ * serving keys from the passwd-sso vault.
+ */
+/**
+ * Start the SSH agent socket server.
+ *
+ * @returns The socket path for SSH_AUTH_SOCK
+ */
+export declare function startAgent(): string;
+/**
+ * Stop the SSH agent socket server.
+ */
+export declare function stopAgent(): void;
+/**
+ * Get the current socket path, or null if not running.
+ */
+export declare function getSocketPath(): string | null;