tsafe-cli 1.0.27

Secrets runtime for developers — inject credentials into processes via exec, never into shell history or .env files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174

[package]
name        = "tsafe-cli"
version = "1.0.27"
edition.workspace = true
authors.workspace = true
license.workspace = true
repository.workspace = true
homepage = "https://github.com/0ryant/tsafe"
documentation = "https://docs.rs/tsafe-cli"
rust-version.workspace = true
description = "Secrets runtime for developers — inject credentials into processes via exec, never into shell history or .env files"
readme = "../../README.md"
categories = ["command-line-utilities", "cryptography"]
keywords = ["secrets", "vault", "cli", "credentials", "devops"]

[lib]
name = "tsafe_cli"
path = "src/lib.rs"

[[bin]]
name = "tsafe"
path = "src/main.rs"

[dependencies]
tsafe-core      = { path = "../tsafe-core", version = "1.0.9" }
tsafe-azure     = { path = "../tsafe-azure", version = "1.0.3", optional = true }
tsafe-bitwarden = { path = "../tsafe-bitwarden", version = "0.1.0", optional = true }
tsafe-tui       = { path = "../tsafe-tui", version = "1.0.8", optional = true }
tsafe-collab    = { path = "../tsafe-collab", version = "0.1.0", optional = true }
anyhow      = { workspace = true }
chrono      = { workspace = true }
rand        = { workspace = true }
zeroize     = { workspace = true }
serde       = { workspace = true }
serde_json  = { workspace = true }
ureq        = { workspace = true }
clap        = { version = "4", features = ["derive", "env"] }
clap_complete = "4"
clap_mangen = "0.2"
rpassword   = "7"
inquire     = "0.7"
colored     = "2"
qr2term     = "0.3"
base64      = { workspace = true }
age         = { workspace = true }
directories = { workspace = true }
sha1        = "0.10"
sha2        = { workspace = true }
flate2      = "1"
tracing     = { workspace = true }
tracing-subscriber = { workspace = true }
hmac        = { version = "0.12", optional = true }
toml        = { version = "0.8", optional = true }
jsonwebtoken = { workspace = true, optional = true }
thiserror   = { workspace = true, optional = true }
keepass     = { version = "0.12", optional = true }

# Optional: enable with `cargo build --features otel`
opentelemetry         = { workspace = true, optional = true }
opentelemetry_sdk     = { workspace = true, optional = true }
opentelemetry-stdout  = { workspace = true, optional = true }
opentelemetry-otlp    = { workspace = true, optional = true }
tracing-opentelemetry = { workspace = true, optional = true }

# SSH key generation and agent (enabled via the `ssh` feature).
ssh-key       = { version = "0.6", features = ["ed25519", "rsa", "alloc"], optional = true }
ssh-agent-lib = { version = "0.5", optional = true }
tokio         = { version = "1", features = ["rt", "net", "macros"], optional = true }

[features]
# Frozen core-only default release surface:
# always-on authority/runtime base plus tui, akv-pull, biometric, agent, team-core.
# Non-core surfaces stay available as explicit opt-ins below.
default = [
    "tui",
    "akv-pull",
    "biometric",
    "agent",
    "team-core",
    "ssh",
]

# Dependency-backed topology slices.
tui = ["dep:tsafe-tui"]
akv-pull = ["dep:tsafe-azure"]
cloud-pull-aws = ["dep:hmac", "dep:thiserror"]
cloud-pull-gcp = ["dep:jsonwebtoken", "dep:thiserror"]
cloud-pull-keepass = ["dep:keepass", "dep:thiserror"]
cloud-pull-bitwarden = ["dep:tsafe-bitwarden"]

# Core/default-on roadmap slices that do not need extra Cargo deps here.
# `agent` stays a core CLI surface; the actual `tsafe-agent` runtime remains a
# separately published companion binary rather than an in-process dependency.
agent = []
biometric = ["tsafe-core/biometric", "dep:windows", "dep:windows-future"]
team-core = []

# Gated non-core roadmap slices.
cloud-pull-vault = ["dep:thiserror"]
cloud-pull-1password = ["dep:thiserror"]
multi-pull = [
    "akv-pull",
    "cloud-pull-aws",
    "cloud-pull-gcp",
    "cloud-pull-vault",
    "cloud-pull-1password",
    "cloud-pull-keepass",
    "cloud-pull-bitwarden",
]
pm-import-extended = []
ots-sharing = []
git-helpers = []
browser = ["nativehost"]
nativehost = []
ssh = ["dep:ssh-key", "dep:ssh-agent-lib", "dep:tokio"]

# Plugin command surface (`tsafe plugin <tool> [args...]`).
# Explicit opt-in only for the core-only release reset.
plugins = ["dep:toml"]

# Collaboration service scaffolding (ADR-027/028). Off by default.
# No network calls in Tranche 2; full implementation is Tranche 3+.
collab = ["dep:tsafe-collab"]

# Feature-gated OpenTelemetry tracing bridge.
# When enabled, tsafe emits OpenTelemetry spans from existing tracing::instrument
# call-sites.  Configure the export target via environment variables:
#   OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318  (future: full OTLP)
#   TSAFE_OTEL_STDOUT=1                               (stdout/stderr export, this release)
otel = [
    "dep:opentelemetry",
    "dep:opentelemetry_sdk",
    "dep:opentelemetry-stdout",
    "dep:opentelemetry-otlp",
    "dep:tracing-opentelemetry",
]

[dev-dependencies]
assert_cmd  = "2"
predicates  = "3"
tempfile    = { workspace = true }
temp-env    = "0.3"
mockito     = "1"
keepass     = { version = "0.12", features = ["save_kdbx4"] }
serde_yaml  = { workspace = true }

[target.'cfg(unix)'.dependencies]
# UID lookup for the default SSH agent socket path.
libc = "0.2"

[target.'cfg(windows)'.dependencies]
# Native messaging host registration (HKCU + manifest JSON).
winreg = "0.52"
# Windows Hello IUserConsentVerifierInterop challenge (E4.1).
# Optional — compiled only when the `biometric` feature is enabled.
windows = { version = "0.61", features = [
    "Security_Credentials_UI",
    "Win32_System_Console",
    "Win32_System_WinRT",
    "Foundation",
], optional = true }
# windows_future is a public crate from the windows-rs project that exposes
# IAsyncOperation<T> and its blocking .get() method.  It is a transitive dep
# of `windows = "0.61"` but must be named explicitly to import in user code.
windows-future = { version = "0.2", optional = true }

[build-dependencies]
# Embeds the tsafe icon + version metadata into tsafe.exe on Windows builds.
# No-op on other platforms — cross-compile safe.
winres = "0.1"

[package.metadata.wix]
# WiX extensions required for WixUI_Minimal (license dialog) and WixUtilExtension (util namespace).
extensions = ["WixUIExtension", "WixUtilExtension"]