tsafe-cli 1.0.26

Secrets runtime for developers — inject credentials into processes via exec, never into shell history or .env files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262

//! Vault sync command handler.
//!
//! Implements `tsafe sync` — a three-way merge of the local vault against a
//! remote git branch, followed by commit and push with optional PAT injection.

use anyhow::{Context, Result};
use colored::Colorize;
use tsafe_core::{audit::AuditEntry, profile};

use crate::helpers::*;

pub(crate) fn cmd_sync(
    profile: &str,
    remote: &str,
    branch: &str,
    vault_file_override: Option<&str>,
    dry_run: bool,
) -> Result<()> {
    use std::process::Command;
    use tsafe_core::sync::three_way_merge;
    use tsafe_core::vault::VaultFile;

    // 1. Find git repo root.
    let repo_root = String::from_utf8(
        Command::new("git")
            .args(["rev-parse", "--show-toplevel"])
            .output()
            .context("failed to run git — is this a git repository?")?
            .stdout,
    )?
    .trim()
    .to_string();

    // 2. Determine vault file path relative to repo root.
    let vault_path = profile::vault_path(profile);
    let rel_path = vault_file_override.map(String::from).unwrap_or_else(|| {
        vault_path
            .strip_prefix(&repo_root)
            .or_else(|_| vault_path.strip_prefix("/"))
            .unwrap_or(&vault_path)
            .to_string_lossy()
            .replace('\\', "/")
    });

    println!("Syncing vault: {rel_path} ({remote}/{branch})");

    // 3. Snapshot current vault as safety net.
    if vault_path.exists() {
        let _ = tsafe_core::snapshot::take(
            &vault_path,
            profile,
            tsafe_core::snapshot::DEFAULT_SNAPSHOT_KEEP,
        );
    }

    // 4. Git fetch.
    let fetch = Command::new("git")
        .args(["fetch", remote, branch])
        .status()
        .context("git fetch failed")?;
    if !fetch.success() {
        anyhow::bail!("git fetch {remote} {branch} failed");
    }

    // 5. Find merge base.
    let remote_ref = format!("{remote}/{branch}");
    let merge_base_output = Command::new("git")
        .args(["merge-base", "HEAD", &remote_ref])
        .output()
        .context("git merge-base failed")?;
    let has_base = merge_base_output.status.success();
    let merge_base = String::from_utf8_lossy(&merge_base_output.stdout)
        .trim()
        .to_string();

    // 6. Read base vault (empty if no common ancestor).
    let base: VaultFile = if has_base {
        let base_json = Command::new("git")
            .args(["show", &format!("{merge_base}:{rel_path}")])
            .output()
            .ok()
            .filter(|o| o.status.success())
            .map(|o| String::from_utf8_lossy(&o.stdout).to_string());
        match base_json {
            Some(json) => serde_json::from_str(&json)
                .context("failed to parse base vault from git history")?,
            None => serde_json::from_str("{}").unwrap_or_else(|_| empty_vault_file()),
        }
    } else {
        empty_vault_file()
    };

    // 7. Read theirs (remote HEAD).
    let theirs_json = Command::new("git")
        .args(["show", &format!("{remote_ref}:{rel_path}")])
        .output()
        .ok()
        .filter(|o| o.status.success())
        .map(|o| String::from_utf8_lossy(&o.stdout).to_string());
    let theirs: VaultFile = match theirs_json {
        Some(json) => serde_json::from_str(&json).context("failed to parse remote vault")?,
        None => {
            println!("  Vault file not found on remote — will push local vault.");
            empty_vault_file()
        }
    };

    // 8. Read ours (local file).
    let ours: VaultFile = if vault_path.exists() {
        let json = std::fs::read_to_string(&vault_path)?;
        serde_json::from_str(&json).context("failed to parse local vault")?
    } else {
        println!("  Vault file not found locally — will pull from remote.");
        empty_vault_file()
    };

    // 9. Three-way merge.
    let result = three_way_merge(&base, &ours, &theirs)?;

    // 10. Report.
    if result.is_noop {
        println!("{} Already in sync — nothing to do.", "".green());
        return Ok(());
    }

    println!();
    if !result.added_from_theirs.is_empty() {
        println!(
            "  {} keys added from remote: {}",
            result.added_from_theirs.len(),
            result.added_from_theirs.join(", ")
        );
    }
    if !result.updated_from_theirs.is_empty() {
        println!(
            "  {} keys updated from remote: {}",
            result.updated_from_theirs.len(),
            result.updated_from_theirs.join(", ")
        );
    }
    if !result.added_from_ours.is_empty() {
        println!(
            "  {} keys added from local: {}",
            result.added_from_ours.len(),
            result.added_from_ours.join(", ")
        );
    }
    if !result.deleted.is_empty() {
        println!(
            "  {} keys deleted: {}",
            result.deleted.len(),
            result.deleted.join(", ")
        );
    }
    if !result.conflicts.is_empty() {
        println!(
            "  {} {} (resolved by last-write-wins): {}",
            "".yellow(),
            format!("{} conflicts", result.conflicts.len()).yellow(),
            result.conflicts.join(", ")
        );
    }

    if dry_run {
        println!("\n{} Dry run — no changes made.", "i".blue());
        return Ok(());
    }

    // 11. Write merged vault.
    let json = serde_json::to_string_pretty(&result.merged)?;
    let tmp = vault_path.with_extension("vault.tmp");
    std::fs::write(&tmp, &json)?;
    std::fs::rename(&tmp, &vault_path)?;

    // 12. Git add + commit + push.
    let add_status = Command::new("git")
        .args(["add", &vault_path.to_string_lossy()])
        .status()
        .context("git add failed")?;
    if !add_status.success() {
        anyhow::bail!("git add failed");
    }

    let total_changes = result.added_from_theirs.len()
        + result.updated_from_theirs.len()
        + result.added_from_ours.len()
        + result.deleted.len()
        + result.conflicts.len();
    let commit_msg = format!(
        "tsafe sync: {} changes ({} added, {} updated, {} deleted, {} conflicts)",
        total_changes,
        result.added_from_theirs.len() + result.added_from_ours.len(),
        result.updated_from_theirs.len(),
        result.deleted.len(),
        result.conflicts.len(),
    );

    let commit_status = Command::new("git")
        .args(["commit", "-m", &commit_msg])
        .status()
        .context("git commit failed")?;
    if !commit_status.success() {
        // Commit may fail if nothing changed (already in sync after merge).
        eprintln!("  git commit reported no changes — vault may already be committed.");
    }

    // Push with injected credentials (reuse cmd_git's PAT pattern).
    let vault = open_vault(profile).ok();
    let mut push_cmd = Command::new("git");
    push_cmd.args(["push", remote, branch]);
    if let Some(ref v) = vault {
        let pat_key = std::env::var("TSAFE_GIT_PAT_KEY").unwrap_or_else(|_| "ADO_PAT".to_string());
        if let Ok(pat) = v.get(&pat_key) {
            use base64::{engine::general_purpose::STANDARD as B64, Engine as _};
            let encoded = B64.encode(format!(":{}", &*pat));
            push_cmd.env("GIT_CONFIG_COUNT", "1");
            push_cmd.env("GIT_CONFIG_KEY_0", "http.extraHeader");
            push_cmd.env(
                "GIT_CONFIG_VALUE_0",
                format!("Authorization: Basic {encoded}"),
            );
        }
    }
    drop(vault);

    let push_status = push_cmd.status().context("git push failed")?;
    if !push_status.success() {
        anyhow::bail!("git push failed — you may need to pull first or resolve upstream conflicts");
    }

    audit(profile)
        .append(&AuditEntry::success(profile, "sync", None))
        .ok();

    println!("\n{} Sync complete.", "".green());
    Ok(())
}

/// Create a minimal empty VaultFile for use as a merge base when no common ancestor exists.
fn empty_vault_file() -> tsafe_core::vault::VaultFile {
    use tsafe_core::vault::{KdfParams, VaultChallenge, VaultFile};
    VaultFile {
        schema: "tsafe/vault/v1".into(),
        kdf: KdfParams {
            algorithm: "argon2id".into(),
            m_cost: 65536,
            t_cost: 3,
            p_cost: 4,
            salt: String::new(),
        },
        cipher: "xchacha20poly1305".into(),
        vault_challenge: VaultChallenge {
            nonce: String::new(),
            ciphertext: String::new(),
        },
        created_at: chrono::Utc::now(),
        updated_at: chrono::Utc::now(),
        secrets: std::collections::HashMap::new(),
        age_recipients: Vec::new(),
        wrapped_dek: None,
    }
}