passwd-sso-cli 0.4.50 → 0.4.55

package/dist/commands/agent-decrypt.js

@@ -12,7 +12,7 @@ import { join } from "node:path";
 import { z } from "zod";
 import { apiRequest, startBackgroundRefresh } from "../lib/api-client.js";
 import { decryptData, hexEncode } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import { getEncryptionKey, getUserId, getSecretKeyBytes, setEncryptionKey } from "../lib/vault-state.js";
 import { readPassphrase, unlockWithPassphrase } from "./unlock.js";
 import * as output from "../lib/output.js";
@@ -50,6 +50,14 @@ function prepareSocket(socketPath) {
         process.stderr.write(`Error: Socket directory ${dir} is owned by uid ${dirStat.uid}, expected ${uid}\n`);
         process.exit(1);
     }
+    // mkdirSync's mode applies only to a freshly-created dir; a pre-existing dir
+    // (e.g. a custom $XDG_RUNTIME_DIR) may be group/other-accessible. Re-stat the
+    // mode and reject anything other than 0700 (matches ssh-agent-socket.ts).
+    const dirMode = dirStat.mode & 0o7777;
+    if (dirMode !== 0o700) {
+        process.stderr.write(`Error: Socket directory ${dir} has mode ${dirMode.toString(8)}, expected 700\n`);
+        process.exit(1);
+    }
     // Remove stale socket if present, verify ownership first
     try {
         const sockStat = lstatSync(socketPath);
@@ -89,7 +97,7 @@ async function handleDecryptRequest(req) {
     const userId = getUserId();
     try {
         const aad = entry.aadVersion >= 1 && userId
-            ? buildPersonalEntryAAD(userId, entry.id)
+            ? buildPersonalEntryAAD(userId, entry.id, VAULT_TYPE.BLOB)
             : undefined;
         const plaintext = await decryptData(entry.encryptedBlob, encryptionKey, aad);
         const blob = JSON.parse(plaintext);

package/dist/commands/agent.js

@@ -8,7 +8,7 @@
  */
 import { apiRequest } from "../lib/api-client.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import { getEncryptionKey, getUserId, isUnlocked } from "../lib/vault-state.js";
 import { autoUnlockIfNeeded } from "./unlock.js";
 import { loadKey, clearKeys } from "../lib/ssh-key-agent.js";
@@ -60,7 +60,7 @@ export async function agentCommand(opts) {
     for (const entry of entries) {
         try {
             const aad = entry.aadVersion >= 1 && userId
-                ? buildPersonalEntryAAD(userId, entry.id)
+                ? buildPersonalEntryAAD(userId, entry.id, VAULT_TYPE.BLOB)
                 : undefined;
             const plaintext = await decryptData(entry.encryptedBlob, encryptionKey, aad);
             const blob = JSON.parse(plaintext);

package/dist/commands/env.js

@@ -12,7 +12,7 @@ import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { autoUnlockIfNeeded } from "./unlock.js";
 import { getToken } from "../lib/api-client.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import { BLOCKED_KEYS } from "../lib/blocked-keys.js";
 import * as output from "../lib/output.js";
 export async function envCommand(opts) {
@@ -72,7 +72,7 @@ export async function envCommand(opts) {
         const data = (await res.json());
         let additionalData;
         if (data.aadVersion && data.aadVersion >= 1 && userId) {
-            additionalData = buildPersonalEntryAAD(userId, data.id);
+            additionalData = buildPersonalEntryAAD(userId, data.id, VAULT_TYPE.BLOB);
         }
         const decrypted = await decryptData(data.encryptedBlob, encryptionKey, additionalData);
         const blob = JSON.parse(decrypted);

package/dist/commands/export.js

@@ -6,7 +6,8 @@ import { existsSync, lstatSync } from "node:fs";
 import { apiRequest } from "../lib/api-client.js";
 import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
+import { writeSecretFile } from "../lib/secure-file.js";
 import * as output from "../lib/output.js";
 function escapeCSV(value) {
     if (value.includes(",") || value.includes('"') || value.includes("\n")) {
@@ -50,7 +51,7 @@ export async function exportCommand(options) {
     for (const entry of entries) {
         try {
             const aad = entry.aadVersion >= 1 && userId
-                ? buildPersonalEntryAAD(userId, entry.id)
+                ? buildPersonalEntryAAD(userId, entry.id, VAULT_TYPE.BLOB)
                 : undefined;
             const plaintext = await decryptData(entry.encryptedBlob, key, aad);
             decrypted.push(JSON.parse(plaintext));
@@ -65,8 +66,7 @@ export async function exportCommand(options) {
     if (format === "json") {
         const out = JSON.stringify(decrypted, null, 2);
         if (outputPath) {
-            const { writeFileSync } = await import("node:fs");
-            writeFileSync(outputPath, out, { encoding: "utf-8", mode: 0o600 });
+            writeSecretFile(outputPath, out);
             output.success(`Exported ${decrypted.length} entries to ${outputPath}`);
         }
         else {
@@ -87,8 +87,7 @@ export async function exportCommand(options) {
         }
         const csvOut = csvRows.join("\n");
         if (outputPath) {
-            const { writeFileSync } = await import("node:fs");
-            writeFileSync(outputPath, csvOut, { encoding: "utf-8", mode: 0o600 });
+            writeSecretFile(outputPath, csvOut);
             output.success(`Exported ${decrypted.length} entries to ${outputPath}`);
         }
         else {

package/dist/commands/get.js

@@ -4,7 +4,7 @@
 import { apiRequest } from "../lib/api-client.js";
 import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import { copyToClipboard } from "../lib/clipboard.js";
 import * as output from "../lib/output.js";
 export async function getCommand(id, options) {
@@ -22,7 +22,7 @@ export async function getCommand(id, options) {
     const entry = res.data;
     try {
         const aad = entry.aadVersion >= 1 && userId
-            ? buildPersonalEntryAAD(userId, entry.id)
+            ? buildPersonalEntryAAD(userId, entry.id, VAULT_TYPE.BLOB)
             : undefined;
         const plaintext = await decryptData(entry.encryptedBlob, key, aad);
         const blob = JSON.parse(plaintext);

package/dist/commands/list.js

@@ -4,7 +4,7 @@
 import { apiRequest } from "../lib/api-client.js";
 import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import * as output from "../lib/output.js";
 export async function listCommand(options) {
     const key = getEncryptionKey();
@@ -27,7 +27,7 @@ export async function listCommand(options) {
     for (const entry of entries) {
         try {
             const aad = entry.aadVersion >= 1 && userId
-                ? buildPersonalEntryAAD(userId, entry.id)
+                ? buildPersonalEntryAAD(userId, entry.id, VAULT_TYPE.OVERVIEW)
                 : undefined;
             const plaintext = await decryptData(entry.encryptedOverview, key, aad);
             const overview = JSON.parse(plaintext);

package/dist/commands/run.js

@@ -10,7 +10,7 @@ import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { autoUnlockIfNeeded } from "./unlock.js";
 import { getToken } from "../lib/api-client.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import * as output from "../lib/output.js";
 import { BLOCKED_KEYS } from "../lib/blocked-keys.js";
 export async function runCommand(opts) {
@@ -74,7 +74,7 @@ export async function runCommand(opts) {
         const data = (await res.json());
         let additionalData;
         if (data.aadVersion && data.aadVersion >= 1 && userId) {
-            additionalData = buildPersonalEntryAAD(userId, data.id);
+            additionalData = buildPersonalEntryAAD(userId, data.id, VAULT_TYPE.BLOB);
         }
         const decrypted = await decryptData(data.encryptedBlob, encryptionKey, additionalData);
         const blob = JSON.parse(decrypted);

package/dist/commands/totp.js

@@ -4,7 +4,7 @@
 import { apiRequest } from "../lib/api-client.js";
 import { getEncryptionKey, getUserId } from "../lib/vault-state.js";
 import { decryptData } from "../lib/crypto.js";
-import { buildPersonalEntryAAD } from "../lib/crypto-aad.js";
+import { buildPersonalEntryAAD, VAULT_TYPE } from "../lib/crypto-aad.js";
 import { generateTOTPCode } from "../lib/totp.js";
 import { copyToClipboard } from "../lib/clipboard.js";
 import * as output from "../lib/output.js";
@@ -22,7 +22,7 @@ export async function totpCommand(id, options) {
     }
     try {
         const aad = res.data.aadVersion >= 1 && userId
-            ? buildPersonalEntryAAD(userId, res.data.id)
+            ? buildPersonalEntryAAD(userId, res.data.id, VAULT_TYPE.BLOB)
             : undefined;
         const plaintext = await decryptData(res.data.encryptedBlob, key, aad);
         const blob = JSON.parse(plaintext);

package/dist/lib/config.js

@@ -6,8 +6,9 @@
  *
  * Legacy ~/.passwd-sso/ is auto-migrated on first access.
  */
-import { existsSync, mkdirSync, readFileSync, writeFileSync, lstatSync, openSync, writeSync, closeSync, unlinkSync, constants as fsConstants, } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync, lstatSync, unlinkSync, } from "node:fs";
 import { getConfigDir, getDataDir, getConfigFilePath, getCredentialsFilePath, } from "./paths.js";
+import { writeSecretFile, readSecretFile } from "./secure-file.js";
 import { migrateIfNeeded } from "./migrate.js";
 const DEFAULT_CONFIG = {
     serverUrl: "",
@@ -49,21 +50,10 @@ export function saveConfig(config) {
 export function saveCredentials(creds) {
     ensureDataDir();
     const dataDir = getDataDir();
-    const stat = lstatSync(dataDir);
-    if (stat.isSymbolicLink()) {
+    if (lstatSync(dataDir).isSymbolicLink()) {
         throw new Error("Data directory is a symlink — refusing to write credentials.");
     }
-    const credPath = getCredentialsFilePath();
-    const fd = openSync(credPath, fsConstants.O_WRONLY |
-        fsConstants.O_CREAT |
-        fsConstants.O_TRUNC |
-        (fsConstants.O_NOFOLLOW ?? 0), 0o600);
-    try {
-        writeSync(fd, JSON.stringify(creds)); // codeql[js/network-data-written-to-file] OAuth tokens are intentionally persisted for session continuity
-    }
-    finally {
-        closeSync(fd);
-    }
+    writeSecretFile(getCredentialsFilePath(), JSON.stringify(creds));
 }
 /**
  * Load stored credentials. Returns null if the file does not exist,
@@ -73,7 +63,14 @@ export function saveCredentials(creds) {
 export function loadCredentials() {
     migrateIfNeeded();
     try {
-        const raw = readFileSync(getCredentialsFilePath(), "utf-8").trim();
+        // Mirror saveCredentials' symlink hardening on the read side: refuse a
+        // symlinked data dir, and open the file with O_NOFOLLOW so a pre-planted
+        // symlink at the credentials path cannot redirect the read elsewhere.
+        const dataDir = getDataDir();
+        if (existsSync(dataDir) && lstatSync(dataDir).isSymbolicLink()) {
+            return null;
+        }
+        const raw = readSecretFile(getCredentialsFilePath()).trim();
         let parsed;
         try {
             parsed = JSON.parse(raw);

package/dist/lib/crypto-aad.d.ts

@@ -2,4 +2,9 @@
  * AAD (Additional Authenticated Data) builders for AES-256-GCM encryption.
  * Ported from src/lib/crypto-aad.ts for CLI compatibility.
  */
-export declare function buildPersonalEntryAAD(userId: string, entryId: string): Uint8Array;
+export declare const VAULT_TYPE: {
+    readonly BLOB: "blob";
+    readonly OVERVIEW: "overview";
+};
+export type VaultType = (typeof VAULT_TYPE)[keyof typeof VAULT_TYPE];
+export declare function buildPersonalEntryAAD(userId: string, entryId: string, vaultType: VaultType): Uint8Array;

package/dist/lib/crypto-aad.js

@@ -38,7 +38,13 @@ function buildAADBytes(scope, expectedFieldCount, fields) {
     }
     return bytes;
 }
-export function buildPersonalEntryAAD(userId, entryId) {
-    return buildAADBytes(SCOPE_PERSONAL, 2, [userId, entryId]);
+// Mirror of src/lib/crypto/crypto-aad.ts VAULT_TYPE. Keep in sync —
+// any change to the wire string values would break decrypt interop.
+export const VAULT_TYPE = {
+    BLOB: "blob",
+    OVERVIEW: "overview",
+};
+export function buildPersonalEntryAAD(userId, entryId, vaultType) {
+    return buildAADBytes(SCOPE_PERSONAL, 3, [userId, entryId, vaultType]);
 }
 //# sourceMappingURL=crypto-aad.js.map

package/dist/lib/secure-file.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Symlink-safe file I/O for secret material (credentials, decrypted exports).
+ *
+ * O_NOFOLLOW refuses to follow a symlink at the final path component, closing
+ * the symlink / check-then-write TOCTOU window that plain writeFileSync/
+ * readFileSync leave open. Used wherever the CLI persists or reads secrets.
+ *
+ * MIRROR: e2e/helpers/secure-file.ts holds the same O_NOFOLLOW logic (the cli
+ * package and the e2e tree compile under separate tsconfigs and cannot share a
+ * module). Keep the O_NOFOLLOW semantics in sync. This copy adds an `encoding`
+ * param + codeql annotation the e2e copy intentionally omits.
+ */
+/** Write `data` to `path` with O_NOFOLLOW + the given mode (default 0600). */
+export declare function writeSecretFile(path: string, data: string, mode?: number): void;
+/** Read `path` with O_NOFOLLOW (refuses a symlinked final component). */
+export declare function readSecretFile(path: string, encoding?: BufferEncoding): string;

package/dist/lib/secure-file.js

@@ -0,0 +1,41 @@
+/**
+ * Symlink-safe file I/O for secret material (credentials, decrypted exports).
+ *
+ * O_NOFOLLOW refuses to follow a symlink at the final path component, closing
+ * the symlink / check-then-write TOCTOU window that plain writeFileSync/
+ * readFileSync leave open. Used wherever the CLI persists or reads secrets.
+ *
+ * MIRROR: e2e/helpers/secure-file.ts holds the same O_NOFOLLOW logic (the cli
+ * package and the e2e tree compile under separate tsconfigs and cannot share a
+ * module). Keep the O_NOFOLLOW semantics in sync. This copy adds an `encoding`
+ * param + codeql annotation the e2e copy intentionally omits.
+ */
+import { openSync, writeSync, closeSync, readFileSync, constants as fsConstants, } from "node:fs";
+/** Write `data` to `path` with O_NOFOLLOW + the given mode (default 0600). */
+export function writeSecretFile(path, data, mode = 0o600) {
+    const fd = openSync(path, fsConstants.O_WRONLY |
+        fsConstants.O_CREAT |
+        fsConstants.O_TRUNC |
+        (fsConstants.O_NOFOLLOW ?? 0), mode);
+    try {
+        // Intentional persistence of the caller's own secrets (OAuth tokens /
+        // decrypted export) to a 0600 O_NOFOLLOW file. CodeQL js/http-to-file-access
+        // is excluded for this in .github/codeql/codeql-config.yml (inline
+        // // codeql[...] suppression is not honored by GitHub code scanning here).
+        writeSync(fd, data);
+    }
+    finally {
+        closeSync(fd);
+    }
+}
+/** Read `path` with O_NOFOLLOW (refuses a symlinked final component). */
+export function readSecretFile(path, encoding = "utf-8") {
+    const fd = openSync(path, fsConstants.O_RDONLY | (fsConstants.O_NOFOLLOW ?? 0));
+    try {
+        return readFileSync(fd, encoding);
+    }
+    finally {
+        closeSync(fd);
+    }
+}
+//# sourceMappingURL=secure-file.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "passwd-sso-cli",
-  "version": "0.4.50",
+  "version": "0.4.55",
   "description": "CLI for passwd-sso password manager",
   "type": "module",
   "license": "MIT",