Shorter TTL for cached CertStatus::Invalid entries produced by check
failures (e.g. unresolvable cert path). Error entries use this backoff
instead of the 5-minute re-check TTL so transient errors recover quickly
without hammering the background check thread on every poll tick.
TTL (in seconds) for the in-memory cert status cache before we re-run
ssh-keygen -L against an on-disk certificate. Distinct from
RENEWAL_THRESHOLD_SECS: this controls how often we re-check a cert’s
validity, while RENEWAL_THRESHOLD_SECS is the minimum lifetime below which
we actually request a new signature from Vault.
Build the strip’s row list from the cert cache. Hosts that have a
configured role (or a purple-managed cert path) but no cached
Valid status are omitted; the gauge has nothing to fill until the
lazy cert check populates the cache. Sort: longest remaining first
so the user sees healthy certs at the top and expiring ones at the
bottom.
CertificateFile path looks like a purple-managed cert when it
references the per-user .purple/certs/ directory. We match on the
substring so the check works regardless of whether the path is
tilde-expanded or absolute.
Compute the fill ratio (0.0..=1.0) for a Vault SSH cert TTL gauge.
Clamped so a cert in renewal-overlap or one whose total_secs was
recorded as i64::MAX (“Valid: forever”) does not produce NaN.
True iff a host has any purple-managed Vault context: either an
explicit # purple:vault-ssh role marker, or a CertificateFile
directive pointing into ~/.purple/certs/. The second branch covers
users who sign certs directly with the vault CLI and wire them in
via CertificateFile without setting the role marker.
Normalize a vault address so bare IPs and hostnames work.
Prepends https:// when no scheme is present and appends a default
port when none is specified: :80 for http://, :443 for
https://, :8200 for bare hostnames (Vault’s default). The
default scheme is https:// because production Vault always uses
TLS. Dev-mode users can set http:// explicitly.
Resolve the public key path for signing.
Priority: host IdentityFile + “.pub” > ~/.ssh/id_ed25519.pub fallback.
Returns an error when the user’s home directory cannot be determined. Any
IdentityFile pointing outside $HOME is rejected and falls back to the
default ~/.ssh/id_ed25519.pub to prevent reading arbitrary filesystem
locations via a crafted IdentityFile directive.
Scrub a raw Vault CLI stderr for display. Drops lines containing credential-like
tokens (token, secret, x-vault-, cookie, authorization), joins the rest with spaces
and truncates to 200 chars.
Sign an SSH public key via Vault SSH secrets engine.
Runs: vault write -field=signed_key <role> public_key=@<pubkey_path>
Writes the signed certificate to ~/.purple/certs/<alias>-cert.pub.
True when any host has a purple-managed Vault context. The Keys-tab
strip renders iff this returns true. Even hosts whose cert is not
yet cached count, so the strip appears the moment the user
configures their first Vault role or sets a cert path.