lockedpass-cli 0.1.0__tar.gz

lockedpass_cli-0.1.0/LICENSE

@@ -0,0 +1,8 @@
+Copyright (c) 2026 Nextcoders LLC. All Rights Reserved.
+
+This software and its source code are proprietary and confidential.
+Unauthorized copying, distribution, modification, or use of this software,
+via any medium, is strictly prohibited without the express written permission
+of Nextcoders LLC.
+
+For licensing inquiries, contact: hello@lockedpass.com

lockedpass_cli-0.1.0/PKG-INFO

@@ -0,0 +1,107 @@
+Metadata-Version: 2.4
+Name: lockedpass-cli
+Version: 0.1.0
+Summary: Official CLI for LockedPass — zero-knowledge password manager
+Author-email: Nextcoders <hello@lockedpass.com>
+License-Expression: LicenseRef-Proprietary
+Project-URL: Homepage, https://lockedpass.com
+Project-URL: Documentation, https://account.lockedpass.com/api-docs
+Project-URL: Repository, https://github.com/nextcoders/lockedpass-cli
+Keywords: password,manager,cli,zero-knowledge,vault,encryption
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: End Users/Desktop
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Utilities
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click>=8.0
+Requires-Dist: httpx>=0.28
+Requires-Dist: pynacl>=1.5
+Requires-Dist: argon2-cffi>=23.0
+Requires-Dist: cryptography>=41.0
+Requires-Dist: pyperclip>=1.8
+Dynamic: license-file
+
+# LockedPass CLI
+
+Official command-line interface for [LockedPass](https://lockedpass.com) — a zero-knowledge password manager for teams and AI agents.
+
+All encryption and decryption happens **locally on your machine**. The server never sees your master password, private key, or any plaintext credential data.
+
+## Requirements
+
+- Python 3.11+
+- A LockedPass account (Pro plan or higher)
+- An active CLI token generated from **Settings → API & CLI**
+
+## Install
+
+```bash
+pip install lockedpass-cli
+```
+
+## Quick start
+
+```bash
+lp login you@example.com
+# Master password: ••••••••  (prompted once, then cached)
+
+lp vault list
+lp ls
+lp get "GitHub"
+lp get "GitHub" --field password
+```
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `lp login <email>` | Authenticate — master password required once |
+| `lp lock` | Wipe cached keys (re-prompt on next use) |
+| `lp unlock` | Re-cache keys from master password after lock |
+| `lp vault list` | List all vaults |
+| `lp ls` | List credentials in default vault |
+| `lp get <name>` | Show a credential |
+| `lp get <name> --field password` | Print a single field (scriptable) |
+| `lp add` | Create a credential interactively |
+| `lp edit <name>` | Edit a credential |
+| `lp rm <name>` | Delete a credential |
+| `lp otp <name>` | Generate a live TOTP code |
+| `lp generate` | Generate a random password |
+| `lp copy <name>` | Copy password to clipboard (clears in 30s) |
+| `lp status` | Show session status |
+| `lp logout` | Clear saved session |
+
+## Non-interactive / AI agent use
+
+The master password can be passed as an argument or environment variable — useful for automation and AI agents:
+
+```bash
+# Argument
+lp login lp.aivault@example.com "$LP_AI_PASSWORD"
+
+# Environment variable
+LP_MASTER_PASSWORD="$LP_AI_PASSWORD" lp login lp.aivault@example.com
+```
+
+After login the session is cached — subsequent commands run without any password.
+
+See [AGENT.md](AGENT.md) for the full AI agent setup guide.
+
+## Security
+
+- **Argon2id** key derivation — only a one-way hash (`auth_verifier`) is sent to the server
+- **X25519 + XSalsa20-Poly1305** (NaCl) for vault key encryption
+- **XSalsa20-Poly1305** for credential data encryption
+- Private key and vault keys never leave your machine in plaintext
+- Session cached with a random local key — wiped on `lp lock`
+
+## License
+
+Copyright (c) 2026 Nextcoders LLC. All Rights Reserved. — see [LICENSE](LICENSE)

lockedpass_cli-0.1.0/README.md

@@ -0,0 +1,77 @@
+# LockedPass CLI
+
+Official command-line interface for [LockedPass](https://lockedpass.com) — a zero-knowledge password manager for teams and AI agents.
+
+All encryption and decryption happens **locally on your machine**. The server never sees your master password, private key, or any plaintext credential data.
+
+## Requirements
+
+- Python 3.11+
+- A LockedPass account (Pro plan or higher)
+- An active CLI token generated from **Settings → API & CLI**
+
+## Install
+
+```bash
+pip install lockedpass-cli
+```
+
+## Quick start
+
+```bash
+lp login you@example.com
+# Master password: ••••••••  (prompted once, then cached)
+
+lp vault list
+lp ls
+lp get "GitHub"
+lp get "GitHub" --field password
+```
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `lp login <email>` | Authenticate — master password required once |
+| `lp lock` | Wipe cached keys (re-prompt on next use) |
+| `lp unlock` | Re-cache keys from master password after lock |
+| `lp vault list` | List all vaults |
+| `lp ls` | List credentials in default vault |
+| `lp get <name>` | Show a credential |
+| `lp get <name> --field password` | Print a single field (scriptable) |
+| `lp add` | Create a credential interactively |
+| `lp edit <name>` | Edit a credential |
+| `lp rm <name>` | Delete a credential |
+| `lp otp <name>` | Generate a live TOTP code |
+| `lp generate` | Generate a random password |
+| `lp copy <name>` | Copy password to clipboard (clears in 30s) |
+| `lp status` | Show session status |
+| `lp logout` | Clear saved session |
+
+## Non-interactive / AI agent use
+
+The master password can be passed as an argument or environment variable — useful for automation and AI agents:
+
+```bash
+# Argument
+lp login lp.aivault@example.com "$LP_AI_PASSWORD"
+
+# Environment variable
+LP_MASTER_PASSWORD="$LP_AI_PASSWORD" lp login lp.aivault@example.com
+```
+
+After login the session is cached — subsequent commands run without any password.
+
+See [AGENT.md](AGENT.md) for the full AI agent setup guide.
+
+## Security
+
+- **Argon2id** key derivation — only a one-way hash (`auth_verifier`) is sent to the server
+- **X25519 + XSalsa20-Poly1305** (NaCl) for vault key encryption
+- **XSalsa20-Poly1305** for credential data encryption
+- Private key and vault keys never leave your machine in plaintext
+- Session cached with a random local key — wiped on `lp lock`
+
+## License
+
+Copyright (c) 2026 Nextcoders LLC. All Rights Reserved. — see [LICENSE](LICENSE)

lockedpass_cli-0.1.0/lockedpass_cli.egg-info/PKG-INFO

@@ -0,0 +1,107 @@
+Metadata-Version: 2.4
+Name: lockedpass-cli
+Version: 0.1.0
+Summary: Official CLI for LockedPass — zero-knowledge password manager
+Author-email: Nextcoders <hello@lockedpass.com>
+License-Expression: LicenseRef-Proprietary
+Project-URL: Homepage, https://lockedpass.com
+Project-URL: Documentation, https://account.lockedpass.com/api-docs
+Project-URL: Repository, https://github.com/nextcoders/lockedpass-cli
+Keywords: password,manager,cli,zero-knowledge,vault,encryption
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: End Users/Desktop
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Utilities
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click>=8.0
+Requires-Dist: httpx>=0.28
+Requires-Dist: pynacl>=1.5
+Requires-Dist: argon2-cffi>=23.0
+Requires-Dist: cryptography>=41.0
+Requires-Dist: pyperclip>=1.8
+Dynamic: license-file
+
+# LockedPass CLI
+
+Official command-line interface for [LockedPass](https://lockedpass.com) — a zero-knowledge password manager for teams and AI agents.
+
+All encryption and decryption happens **locally on your machine**. The server never sees your master password, private key, or any plaintext credential data.
+
+## Requirements
+
+- Python 3.11+
+- A LockedPass account (Pro plan or higher)
+- An active CLI token generated from **Settings → API & CLI**
+
+## Install
+
+```bash
+pip install lockedpass-cli
+```
+
+## Quick start
+
+```bash
+lp login you@example.com
+# Master password: ••••••••  (prompted once, then cached)
+
+lp vault list
+lp ls
+lp get "GitHub"
+lp get "GitHub" --field password
+```
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `lp login <email>` | Authenticate — master password required once |
+| `lp lock` | Wipe cached keys (re-prompt on next use) |
+| `lp unlock` | Re-cache keys from master password after lock |
+| `lp vault list` | List all vaults |
+| `lp ls` | List credentials in default vault |
+| `lp get <name>` | Show a credential |
+| `lp get <name> --field password` | Print a single field (scriptable) |
+| `lp add` | Create a credential interactively |
+| `lp edit <name>` | Edit a credential |
+| `lp rm <name>` | Delete a credential |
+| `lp otp <name>` | Generate a live TOTP code |
+| `lp generate` | Generate a random password |
+| `lp copy <name>` | Copy password to clipboard (clears in 30s) |
+| `lp status` | Show session status |
+| `lp logout` | Clear saved session |
+
+## Non-interactive / AI agent use
+
+The master password can be passed as an argument or environment variable — useful for automation and AI agents:
+
+```bash
+# Argument
+lp login lp.aivault@example.com "$LP_AI_PASSWORD"
+
+# Environment variable
+LP_MASTER_PASSWORD="$LP_AI_PASSWORD" lp login lp.aivault@example.com
+```
+
+After login the session is cached — subsequent commands run without any password.
+
+See [AGENT.md](AGENT.md) for the full AI agent setup guide.
+
+## Security
+
+- **Argon2id** key derivation — only a one-way hash (`auth_verifier`) is sent to the server
+- **X25519 + XSalsa20-Poly1305** (NaCl) for vault key encryption
+- **XSalsa20-Poly1305** for credential data encryption
+- Private key and vault keys never leave your machine in plaintext
+- Session cached with a random local key — wiped on `lp lock`
+
+## License
+
+Copyright (c) 2026 Nextcoders LLC. All Rights Reserved. — see [LICENSE](LICENSE)

lockedpass_cli-0.1.0/lockedpass_cli.egg-info/SOURCES.txt

@@ -0,0 +1,15 @@
+LICENSE
+README.md
+pyproject.toml
+lockedpass_cli.egg-info/PKG-INFO
+lockedpass_cli.egg-info/SOURCES.txt
+lockedpass_cli.egg-info/dependency_links.txt
+lockedpass_cli.egg-info/entry_points.txt
+lockedpass_cli.egg-info/requires.txt
+lockedpass_cli.egg-info/top_level.txt
+lp/__init__.py
+lp/__main__.py
+lp/api.py
+lp/cli.py
+lp/crypto.py
+lp/session.py

lockedpass_cli-0.1.0/lockedpass_cli.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

lockedpass_cli-0.1.0/lockedpass_cli.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+lp = lp.cli:cli

lockedpass_cli-0.1.0/lockedpass_cli.egg-info/requires.txt

@@ -0,0 +1,6 @@
+click>=8.0
+httpx>=0.28
+pynacl>=1.5
+argon2-cffi>=23.0
+cryptography>=41.0
+pyperclip>=1.8

lockedpass_cli-0.1.0/lockedpass_cli.egg-info/top_level.txt

@@ -0,0 +1 @@
+lp

lockedpass_cli-0.1.0/lp/__init__.py

@@ -0,0 +1,2 @@
+"""LockedPass CLI — zero-knowledge password manager."""
+__version__ = "0.1.0"

lockedpass_cli-0.1.0/lp/__main__.py

@@ -0,0 +1,4 @@
+from lp.cli import cli
+
+if __name__ == "__main__":
+    cli()

lockedpass_cli-0.1.0/lp/api.py

@@ -0,0 +1,140 @@
+"""HTTP client for the LockedPass API."""
+
+import httpx
+
+_DEFAULT_TIMEOUT = 15
+
+
+class APIError(Exception):
+    def __init__(self, status: int, detail: str):
+        super().__init__(detail)
+        self.status = status
+
+    @classmethod
+    def from_response(cls, r: httpx.Response) -> "APIError":
+        try:
+            d = r.json()
+            detail = d.get("detail", f"HTTP {r.status_code}")
+            if isinstance(detail, list):
+                detail = "; ".join(e.get("msg", str(e)) for e in detail)
+        except Exception:
+            detail = f"HTTP {r.status_code}"
+        return cls(r.status_code, str(detail))
+
+
+class Client:
+    def __init__(self, base_url: str, token: str | None = None):
+        self.base_url = base_url.rstrip("/")
+        self.token    = token
+
+    def _headers(self) -> dict:
+        h = {"Content-Type": "application/json"}
+        if self.token:
+            h["Authorization"] = f"Bearer {self.token}"
+        return h
+
+    def _check(self, r: httpx.Response) -> httpx.Response:
+        if not r.is_success:
+            raise APIError.from_response(r)
+        return r
+
+    def get(self, path: str) -> dict:
+        r = httpx.get(f"{self.base_url}{path}", headers=self._headers(), timeout=_DEFAULT_TIMEOUT)
+        return self._check(r).json()
+
+    def post(self, path: str, body: dict) -> dict | None:
+        r = httpx.post(f"{self.base_url}{path}", json=body, headers=self._headers(), timeout=_DEFAULT_TIMEOUT)
+        self._check(r)
+        return r.json() if r.status_code != 204 else None
+
+    def patch(self, path: str, body: dict) -> dict:
+        r = httpx.patch(f"{self.base_url}{path}", json=body, headers=self._headers(), timeout=_DEFAULT_TIMEOUT)
+        return self._check(r).json()
+
+    def delete(self, path: str) -> None:
+        r = httpx.delete(f"{self.base_url}{path}", headers=self._headers(), timeout=_DEFAULT_TIMEOUT)
+        self._check(r)
+
+    # ── Auth ─────────────────────────────────────────────────────────────────
+
+    def login_init(self, email: str) -> dict:
+        return self.post("/api/v1/auth/login/init", {"email": email})
+
+    def cli_login(self, email: str, auth_verifier: str) -> dict:
+        """Authenticate and get a 30-day CLI token."""
+        return self.post("/api/v1/auth/cli/token", {"email": email, "auth_verifier": auth_verifier})
+
+    def me(self) -> dict:
+        return self.get("/api/v1/cli/me")
+
+    # ── Vaults ───────────────────────────────────────────────────────────────
+
+    def list_vaults(self) -> list:
+        """Returns vaults with embedded members (no extra request needed)."""
+        return self.get("/api/v1/cli/vaults")
+
+    def create_vault(self, name_encrypted: str, vault_type: str, encrypted_vault_key: str) -> dict:
+        return self.post("/api/v1/vaults", {
+            "name_encrypted": name_encrypted,
+            "type": vault_type,
+            "encrypted_vault_key": encrypted_vault_key,
+        })
+
+    # ── Credentials ──────────────────────────────────────────────────────────
+
+    def list_credentials(self, vault_id: str, limit: int = 2000) -> list:
+        return self.get(f"/api/v1/cli/vaults/{vault_id}/credentials?limit={limit}")
+
+    def list_all_credentials(self, vault_id: str) -> list:
+        PAGE, skip, all_creds = 2000, 0, []
+        while True:
+            page = self.get(f"/api/v1/cli/vaults/{vault_id}/credentials?skip={skip}&limit={PAGE}")
+            all_creds.extend(page)
+            if len(page) < PAGE:
+                break
+            skip += PAGE
+        return all_creds
+
+    def get_credential_with_key(self, cred_id: str) -> dict:
+        """Single request — returns credential + vault_key_encrypted."""
+        return self.get(f"/api/v1/cli/credentials/{cred_id}")
+
+    def create_credential(self, vault_id: str, cred_type: str, name_enc: str, data_enc: str) -> dict:
+        return self.post("/api/v1/cli/credentials", {
+            "vault_id": vault_id,
+            "type": cred_type,
+            "name_encrypted": name_enc,
+            "encrypted_data": data_enc,
+        })
+
+    def update_credential(self, vault_id: str, cred_id: str, name_enc: str, data_enc: str) -> dict:
+        return self.patch(f"/api/v1/vaults/{vault_id}/credentials/{cred_id}", {
+            "name_encrypted": name_enc,
+            "encrypted_data": data_enc,
+        })
+
+    def delete_credential(self, vault_id: str, cred_id: str) -> None:
+        self.delete(f"/api/v1/vaults/{vault_id}/credentials/{cred_id}")
+
+    def get_otp_secret(self, cred_id: str) -> dict:
+        return self.get(f"/api/v1/cli/otps/{cred_id}/secret")
+
+    def generate_password(self, length: int = 20, upper: bool = True, lower: bool = True,
+                           numbers: bool = True, symbols: bool = True) -> str:
+        r = self.get(
+            f"/api/v1/cli/generate-password?length={length}"
+            f"&upper={str(upper).lower()}&lower={str(lower).lower()}"
+            f"&numbers={str(numbers).lower()}&symbols={str(symbols).lower()}"
+        )
+        return r["password"]
+
+    def log_action(self, vault_id: str, cred_id: str, action: str) -> None:
+        try:
+            self.post(f"/api/v1/vaults/{vault_id}/credentials/{cred_id}/log", {"action": action})
+        except Exception:
+            pass  # non-critical
+
+    # ── Users ────────────────────────────────────────────────────────────────
+
+    def lookup_user(self, email: str) -> dict:
+        return self.get(f"/api/v1/users/lookup?email={email}")