tsafe-cli 1.2.0

Local-first secrets runtime for developers — inject credentials via exec, never shell history or .env files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

//! TOTP, QR, pin, and unpin command handlers.
//!
//! Implements `tsafe qr`, `tsafe totp`, `tsafe pin`, and `tsafe unpin` —
//! two-factor seed management, QR-code display, and key pinning within a vault.

use std::collections::HashMap;
use std::io::Write;

use crate::cli::{TotpAction, TotpAlgorithm};
use anyhow::{Context, Result};
use colored::Colorize;
use tsafe_core::audit::AuditEntry;

use crate::helpers::*;

pub(crate) fn cmd_qr(profile: &str, key: &str) -> Result<()> {
    // Use the agent/biometric-aware open path so tsafe qr works without
    // re-prompting when the agent is running or biometric is enabled.
    let vault = crate::helpers::open_vault(profile)
        .with_context(|| format!("Cannot open vault '{profile}'"))?;
    let value = vault
        .get(key)
        .with_context(|| format!("Key '{key}' not found in profile '{profile}'"))?
        .clone();
    // Release the vault lock BEFORE blocking on stdin — prevents lock file
    // persisting if the user sends Ctrl+C while waiting for Enter.
    drop(vault);

    println!();
    qr2term::print_qr(&value)
        .with_context(|| "Failed to render QR code (value may be too long)")?;
    println!();

    eprint!("Press Enter to clear...");
    let _ = std::io::stdin().read_line(&mut String::new());

    // Move cursor up and clear from top to erase the QR from the terminal buffer
    print!("\x1b[2J\x1b[H");
    std::io::stdout().flush()?;

    audit(profile)
        .append(&AuditEntry::success(profile, "qr", Some(key)))
        .ok();

    Ok(())
}

pub(crate) fn cmd_totp(profile: &str, action: TotpAction) -> Result<()> {
    match action {
        TotpAction::Add {
            key,
            secret,
            algorithm,
            digits,
            period,
        } => {
            // Validate digits (most services use 6 or 8; guard against obvious mistakes).
            if digits.is_some_and(|digits| digits == 0 || digits > 10) {
                anyhow::bail!("--digits must be between 1 and 10 (most services use 6 or 8)");
            }
            // Validate period.
            if period.is_some_and(|period| period == 0) {
                anyhow::bail!("--period must be at least 1 second");
            }
            let mut vault = open_vault(profile)?;
            let mut tags = HashMap::new();
            tags.insert("type".into(), "totp".into());
            let algorithm_name = algorithm.map(TotpAlgorithm::as_uri_str);
            let uri =
                tsafe_core::totp::provisioning_uri(&key, &secret, algorithm_name, digits, period)
                    .map_err(|e| anyhow::anyhow!("{e}"))?;
            vault
                .set(&key, &uri, tags)
                .context("failed to store TOTP secret")?;
            audit(profile)
                .append(&AuditEntry::success(profile, "totp-add", Some(&key)))
                .ok();
            println!("{} TOTP seed stored for '{key}'", "".green());
            Ok(())
        }
        TotpAction::Get { key } => {
            let vault = open_vault(profile)?;
            let stored = vault.get(&key).map_err(|_| {
                anyhow::anyhow!(
                    "key '{key}' not found\n\
                     \n  See stored TOTP keys:  tsafe list --tag type=totp\
                     \n  Add a TOTP seed:       tsafe totp add {key} <base32-secret>"
                )
            })?;
            let code =
                tsafe_core::totp::generate_code(&stored).map_err(|e| anyhow::anyhow!("{e}"))?;
            let secs = tsafe_core::totp::seconds_remaining_for(&stored)
                .map_err(|e| anyhow::anyhow!("{e}"))?;
            println!("{code}  ({secs}s remaining)");
            audit(profile)
                .append(&AuditEntry::success(profile, "totp-get", Some(&key)))
                .ok();
            Ok(())
        }
    }
}

pub(crate) fn cmd_pin(profile: &str, key: &str) -> Result<()> {
    let mut vault = open_vault(profile)?;
    let existing_val = vault.get(key).map_err(|_| {
        anyhow::anyhow!(
            "key '{key}' not found\n\
             \n  See all keys: tsafe list"
        )
    })?;
    let mut tags = if let Some(entry) = vault.file().secrets.get(key) {
        entry.tags.clone()
    } else {
        HashMap::new()
    };
    tags.insert("pinned".into(), "true".into());
    vault.set(key, &existing_val, tags)?;
    audit(profile)
        .append(&AuditEntry::success(profile, "pin", Some(key)))
        .ok();
    println!("{} Pinned '{key}' to top of list", "".green());
    Ok(())
}

pub(crate) fn cmd_unpin(profile: &str, key: &str) -> Result<()> {
    let mut vault = open_vault(profile)?;
    let existing_val = vault.get(key).map_err(|_| {
        anyhow::anyhow!(
            "key '{key}' not found\n\
             \n  See all keys: tsafe list"
        )
    })?;
    let mut tags = if let Some(entry) = vault.file().secrets.get(key) {
        entry.tags.clone()
    } else {
        HashMap::new()
    };
    tags.remove("pinned");
    vault.set(key, &existing_val, tags)?;
    audit(profile)
        .append(&AuditEntry::success(profile, "unpin", Some(key)))
        .ok();
    println!("{} Unpinned '{key}'", "".green());
    Ok(())
}