ssh-picker 0.1.0

package/dist/vault/crypto.js

@@ -0,0 +1,43 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
+export const KDF = 'scrypt';
+export const CIPHER = 'aes-256-gcm';
+export const KEY_LENGTH = 32;
+export const SCRYPT_OPTIONS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
+export function generateSalt() {
+    return randomBytes(16).toString('base64');
+}
+export function deriveKey(masterPassword, saltBase64) {
+    return scryptSync(masterPassword, Buffer.from(saltBase64, 'base64'), KEY_LENGTH, SCRYPT_OPTIONS);
+}
+export function encryptString(plaintext, key) {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv(CIPHER, key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const value = {
+        version: 1,
+        algorithm: CIPHER,
+        iv: iv.toString('base64'),
+        tag: cipher.getAuthTag().toString('base64'),
+        ciphertext: ciphertext.toString('base64')
+    };
+    return JSON.stringify(value);
+}
+export function decryptString(serialized, key) {
+    const value = JSON.parse(serialized);
+    if (value.version !== 1 || value.algorithm !== CIPHER) {
+        throw new Error('Unsupported encrypted value format.');
+    }
+    const decipher = createDecipheriv(CIPHER, key, Buffer.from(value.iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(value.tag, 'base64'));
+    const plaintext = Buffer.concat([
+        decipher.update(Buffer.from(value.ciphertext, 'base64')),
+        decipher.final()
+    ]);
+    return plaintext.toString('utf8');
+}
+export function safeEquals(a, b) {
+    const left = Buffer.from(a);
+    const right = Buffer.from(b);
+    return left.length === right.length && timingSafeEqual(left, right);
+}
+//# sourceMappingURL=crypto.js.map

package/dist/vault/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/vault/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGzG,MAAM,CAAC,MAAM,GAAG,GAAG,QAAQ,CAAC;AAC5B,MAAM,CAAC,MAAM,MAAM,GAAG,aAAa,CAAC;AACpC,MAAM,CAAC,MAAM,UAAU,GAAG,EAAE,CAAC;AAC7B,MAAM,CAAC,MAAM,cAAc,GAAG,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAW,CAAC;AAE5F,MAAM,UAAU,YAAY;IAC1B,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,cAAsB,EAAE,UAAkB;IAClE,OAAO,UAAU,CAAC,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,GAAW;IAC1D,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/C,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,KAAK,GAAmB;QAC5B,OAAO,EAAE,CAAC;QACV,SAAS,EAAE,MAAM;QACjB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3C,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC1C,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,UAAkB,EAAE,GAAW;IAC3D,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAmB,CAAC;IACvD,IAAI,KAAK,CAAC,OAAO,KAAK,CAAC,IAAI,KAAK,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;IAChF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACxD,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,CAAS,EAAE,CAAS;IAC7C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC7B,OAAO,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,IAAI,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACtE,CAAC"}

package/dist/vault/vault.d.ts

@@ -0,0 +1,7 @@
+import { type Database } from '../db/connection.js';
+import type { VaultContext } from '../shared/types.js';
+export declare function vaultExists(dataDir?: string): boolean;
+export declare function isVaultInitialized(db: Database): boolean;
+export declare function initVault(masterPassword: string, dataDir?: string): VaultContext;
+export declare function unlockVault(masterPassword: string, dataDir?: string): VaultContext;
+export declare function openVaultDatabase(vault: VaultContext): Database;

package/dist/vault/vault.js

@@ -0,0 +1,67 @@
+import { existsSync } from 'node:fs';
+import { ensureDataDir, resolveDataDir, resolveDbPath } from '../config/paths.js';
+import { openMigratedDatabase } from '../db/connection.js';
+import { SettingsRepository } from '../db/repositories/settingsRepository.js';
+import { InvalidMasterPasswordError, MissingVaultError, VaultExistsError } from '../shared/errors.js';
+import { decryptString, deriveKey, encryptString, generateSalt, KDF } from './crypto.js';
+const VAULT_VERSION = '1';
+const VERIFIER_TEXT = 'sshp-vault-verifier';
+export function vaultExists(dataDir = resolveDataDir()) {
+    return existsSync(resolveDbPath(dataDir));
+}
+export function isVaultInitialized(db) {
+    const settings = new SettingsRepository(db);
+    return settings.get('vault.version') === VAULT_VERSION;
+}
+export function initVault(masterPassword, dataDir = resolveDataDir()) {
+    ensureDataDir(dataDir);
+    const dbPath = resolveDbPath(dataDir);
+    const db = openMigratedDatabase(dbPath);
+    try {
+        if (isVaultInitialized(db))
+            throw new VaultExistsError(dataDir);
+        const salt = generateSalt();
+        const key = deriveKey(masterPassword, salt);
+        const settings = new SettingsRepository(db);
+        settings.set('vault.version', VAULT_VERSION);
+        settings.set('vault.kdf', KDF);
+        settings.set('vault.kdfSalt', salt);
+        settings.set('vault.verifier', encryptString(VERIFIER_TEXT, key));
+        return { dataDir, dbPath, key };
+    }
+    finally {
+        db.close();
+    }
+}
+export function unlockVault(masterPassword, dataDir = resolveDataDir()) {
+    const dbPath = resolveDbPath(dataDir);
+    if (!existsSync(dbPath))
+        throw new MissingVaultError(dataDir);
+    const db = openMigratedDatabase(dbPath);
+    try {
+        const settings = new SettingsRepository(db);
+        if (!isVaultInitialized(db))
+            throw new MissingVaultError(dataDir);
+        const salt = settings.get('vault.kdfSalt');
+        const verifier = settings.get('vault.verifier');
+        if (!salt || !verifier)
+            throw new MissingVaultError(dataDir);
+        const key = deriveKey(masterPassword, salt);
+        try {
+            const plaintext = decryptString(verifier, key);
+            if (plaintext !== VERIFIER_TEXT)
+                throw new InvalidMasterPasswordError();
+        }
+        catch {
+            throw new InvalidMasterPasswordError();
+        }
+        return { dataDir, dbPath, key };
+    }
+    finally {
+        db.close();
+    }
+}
+export function openVaultDatabase(vault) {
+    return openMigratedDatabase(vault.dbPath);
+}
+//# sourceMappingURL=vault.js.map

package/dist/vault/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../src/vault/vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,oBAAoB,EAAiB,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,0CAA0C,CAAC;AAC9E,OAAO,EAAE,0BAA0B,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAEtG,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAEzF,MAAM,aAAa,GAAG,GAAG,CAAC;AAC1B,MAAM,aAAa,GAAG,qBAAqB,CAAC;AAE5C,MAAM,UAAU,WAAW,CAAC,OAAO,GAAG,cAAc,EAAE;IACpD,OAAO,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,EAAY;IAC7C,MAAM,QAAQ,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC5C,OAAO,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,aAAa,CAAC;AACzD,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,cAAsB,EAAE,OAAO,GAAG,cAAc,EAAE;IAC1E,aAAa,CAAC,OAAO,CAAC,CAAC;IACvB,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,EAAE,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,IAAI,kBAAkB,CAAC,EAAE,CAAC;YAAE,MAAM,IAAI,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAChE,MAAM,IAAI,GAAG,YAAY,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,SAAS,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;QAC5C,QAAQ,CAAC,GAAG,CAAC,eAAe,EAAE,aAAa,CAAC,CAAC;QAC7C,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAC/B,QAAQ,CAAC,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;QACpC,QAAQ,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC,CAAC;QAClE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAClC,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,cAAsB,EAAE,OAAO,GAAG,cAAc,EAAE;IAC5E,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,MAAM,IAAI,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,kBAAkB,CAAC,EAAE,CAAC,CAAC;QAC5C,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAAE,MAAM,IAAI,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAClE,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC7D,MAAM,GAAG,GAAG,SAAS,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,aAAa,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YAC/C,IAAI,SAAS,KAAK,aAAa;gBAAE,MAAM,IAAI,0BAA0B,EAAE,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,0BAA0B,EAAE,CAAC;QACzC,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IAClC,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAC;IACb,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,KAAmB;IACnD,OAAO,oBAAoB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC5C,CAAC"}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "ssh-picker",
+  "version": "0.1.0",
+  "description": "SSHP - a portable encrypted SSH/SFTP picker for the terminal.",
+  "type": "module",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/adittanu/ssh-picker.git"
+  },
+  "bugs": {
+    "url": "https://github.com/adittanu/ssh-picker/issues"
+  },
+  "homepage": "https://github.com/adittanu/ssh-picker#readme",
+  "bin": {
+    "sshp": "dist/cli/index.js"
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsx src/cli/index.tsx",
+    "test": "vitest run",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "prepack": "npm run build"
+  },
+  "engines": {
+    "node": ">=24.0.0"
+  },
+  "dependencies": {
+    "@inquirer/prompts": "^7.10.1",
+    "commander": "^14.0.2",
+    "ink": "^6.5.1",
+    "react": "^19.2.3",
+    "ssh2": "^1.17.0"
+  },
+  "devDependencies": {
+    "@types/node": "^24.10.1",
+    "@types/react": "^19.2.7",
+    "@types/ssh2": "^1.15.5",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.15"
+  }
+}