feat: add item attachment and member tools

Author: hesreallyhim

README.md

@@ -20,6 +20,7 @@ As this project is in its initial stages, it exposes the following tools:
 | `view_session_info`               | Session/account status from `pass-cli info`      |
 | `view_user_info`                  | User account details from `pass-cli user info`   |
 | `check_status`                    | Check user authentication status and CLI version |
+| `support`                         | Show Proton Pass CLI support guidance            |
 | `inject`                          | Inject secrets into template files               |
 | `run`                             | Run commands with secret references resolved     |
 | `list_vaults`                     | List vaults                                      |
@@ -44,13 +45,21 @@ As this project is in its initial stages, it exposes the following tools:
 | `create_wifi_item`                | Create a WiFi item                               |
 | `create_custom_item`              | Create a custom item from template payload       |
 | `create_identity_item`            | Create an identity item from template payload    |
+| `move_item`                       | Move an item between vaults                      |
+| `trash_item`                      | Move an item to trash                            |
+| `untrash_item`                    | Restore an item from trash                       |
 | `update_item`                     | Update an item field set                         |
 | `delete_item`                     | Delete an item                                   |
+| `download_item_attachment`        | Download an item attachment                      |
+| `list_item_members`               | List members of an item                          |
+| `update_item_member`              | Update an item member role                       |
+| `remove_item_member`              | Remove an item member                            |
 | `create_item_alias`               | Create an alias item                             |
 | `share_item`                      | Share an item with a user                        |
 | `generate_item_totp`              | Generate item TOTP codes                         |
 | `generate_random_password`        | Generate a random password                       |
 | `generate_passphrase`             | Generate a passphrase                            |
+| `generate_totp`                   | Generate TOTP from secret/URI                    |
 | `score_password`                  | Score password strength                          |
 
 The `search_items` operation is additional functionality that is not provided by the base CLI.

docs/TOOL_SCHEMA_PLAN.md

@@ -283,7 +283,7 @@ Input summary convention:
 | `view_session_info` | `pass-cli info`                        | Implemented                | `output?`                                              | Account/session info                                    |
 | `view_user_info`    | `pass-cli user info`                   | Implemented                | `output?`                                              | User profile                                            |
 | `update`            | `pass-cli update`                      | Out of Scope (Out-of-Band) | n/a                                                    | n/a                                                     |
-| `support`           | `pass-cli support`                     | Planned                    | none                                                   | Support guidance text                                   |
+| `support`           | `pass-cli support`                     | Implemented                | none                                                   | Support guidance text                                   |
 | `inject`            | `pass-cli inject`                      | Implemented                | `inFile`, `outFile?`, `fileMode?`, `force?`, `confirm` | Output path/status                                      |
 | `run`               | `pass-cli run`                         | Implemented                | `command[]`, `envFile[]?`, `noMasking?`, `confirm`     | Exit code/stdout/stderr summary                         |
 
@@ -312,14 +312,14 @@ Input summary convention:
 
 ### Item Write and Lifecycle
 
-| Tool           | Source                  | Status      | Input Summary                                                             | Output Summary           |
-| -------------- | ----------------------- | ----------- | ------------------------------------------------------------------------- | ------------------------ | -------------------------- | ------------- |
-| `update_item`  | `pass-cli item update`  | Implemented | required: `fields[]`, `confirm`; selector: `shareId                       | vaultName`; xor: `itemId | itemTitle`; optional: none | Update status |
-| `move_item`    | `pass-cli item move`    | Planned     | required: `confirm`; selector: source + destination + item selector (TBD) | Move status              |
-| `delete_item`  | `pass-cli item delete`  | Implemented | required: `shareId`, `itemId`, `confirm`; optional: none                  | Delete status            |
-| `share_item`   | `pass-cli item share`   | Implemented | required: `shareId`, `itemId`, `email`, `confirm`; optional: `role`       | Share status             |
-| `trash_item`   | `pass-cli item trash`   | Planned     | required: `confirm`; selector: item selector (TBD)                        | Trash status             |
-| `untrash_item` | `pass-cli item untrash` | Planned     | required: `confirm`; selector: item selector (TBD)                        | Restore status           |
+| Tool           | Source                  | Status      | Input Summary                                                                                                                                      | Output Summary |
+| -------------- | ----------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
+| `update_item`  | `pass-cli item update`  | Implemented | required: `fields[]`, `confirm`; selector: `shareId \| vaultName`; xor: `itemId \| itemTitle`                                                      | Update status  |
+| `move_item`    | `pass-cli item move`    | Implemented | required: `confirm`; source selector: `fromShareId \| fromVaultName`; destination selector: `toShareId \| toVaultName`; xor: `itemId \| itemTitle` | Move status    |
+| `delete_item`  | `pass-cli item delete`  | Implemented | required: `shareId`, `itemId`, `confirm`                                                                                                           | Delete status  |
+| `share_item`   | `pass-cli item share`   | Implemented | required: `shareId`, `itemId`, `email`, `confirm`; optional: `role`                                                                                | Share status   |
+| `trash_item`   | `pass-cli item trash`   | Implemented | required: `confirm`; selector: `shareId? \| vaultName?`; xor: `itemId \| itemTitle`                                                                | Trash status   |
+| `untrash_item` | `pass-cli item untrash` | Implemented | required: `confirm`; selector: `shareId? \| vaultName?`; xor: `itemId \| itemTitle`                                                                | Restore status |
 
 ### Item Creation
 
@@ -350,10 +350,10 @@ Notes:
 | Tool                       | Source                              | Status      | Input Summary                                                | Output Summary       |
 | -------------------------- | ----------------------------------- | ----------- | ------------------------------------------------------------ | -------------------- |
 | `create_item_alias`        | `pass-cli item alias create`        | Implemented | `shareId \| vaultName`, `prefix`, `output?`, `confirm`       | Alias item           |
-| `download_item_attachment` | `pass-cli item attachment download` | Planned     | `shareId`, `itemId`, `attachmentId`, `outputPath`, `confirm` | Download status/path |
-| `list_item_members`        | `pass-cli item member list`         | Planned     | `shareId`, `itemId`, `output?`                               | Member list          |
-| `update_item_member`       | `pass-cli item member update`       | Planned     | `shareId`, `memberShareId`, `role`, `confirm`                | Update status        |
-| `remove_item_member`       | `pass-cli item member remove`       | Planned     | `shareId`, `memberShareId`, `confirm`                        | Remove status        |
+| `download_item_attachment` | `pass-cli item attachment download` | Implemented | `shareId`, `itemId`, `attachmentId`, `outputPath`, `confirm` | Download status/path |
+| `list_item_members`        | `pass-cli item member list`         | Implemented | `shareId`, `itemId`, `output?`                               | Member list          |
+| `update_item_member`       | `pass-cli item member update`       | Implemented | `shareId`, `memberShareId`, `role`, `confirm`                | Update status        |
+| `remove_item_member`       | `pass-cli item member remove`       | Implemented | `shareId`, `memberShareId`, `confirm`                        | Remove status        |
 
 ### Share, Invite, Password, TOTP, User, Settings, SSH Agent
 
@@ -366,7 +366,7 @@ Notes:
 | `generate_random_password` | `pass-cli password generate random`      | Implemented                | generation flags                       | Password value/metadata   |
 | `generate_passphrase`      | `pass-cli password generate passphrase`  | Implemented                | generation flags                       | Passphrase value/metadata |
 | `score_password`           | `pass-cli password score`                | Implemented                | `password`                             | Strength report           |
-| `generate_totp`            | `pass-cli totp generate`                 | Planned                    | `secretOrUri`, `output?`               | TOTP value                |
+| `generate_totp`            | `pass-cli totp generate`                 | Implemented                | `secretOrUri`, `output?`               | TOTP value                |
 | `view_settings`            | `pass-cli settings view`                 | Implemented                | none                                   | Settings object           |
 | `set_default_vault`        | `pass-cli settings set default-vault`    | Implemented                | `vaultName \| shareId`, `confirm`      | Set status                |
 | `unset_default_vault`      | `pass-cli settings unset default-vault`  | Implemented                | `confirm`                              | Unset status              |

src/server/register-tools.ts

@@ -10,6 +10,8 @@ import {
   createCreditCardItemInputSchema,
   createCustomItemHandler,
   createCustomItemInputSchema,
+  downloadItemAttachmentHandler,
+  downloadItemAttachmentInputSchema,
   createIdentityItemHandler,
   createIdentityItemInputSchema,
   createItemAliasHandler,
@@ -32,12 +34,18 @@ import {
   deleteItemInputSchema,
   itemTotpHandler,
   itemTotpInputSchema,
+  listItemMembersHandler,
+  listItemMembersInputSchema,
   listItemsHandler,
   listItemsInputSchema,
+  removeItemMemberHandler,
+  removeItemMemberInputSchema,
   searchItemsHandler,
   searchItemsInputSchema,
   shareItemHandler,
   shareItemInputSchema,
+  updateItemMemberHandler,
+  updateItemMemberInputSchema,
   updateItemHandler,
   updateItemInputSchema,
   viewItemHandler,
@@ -468,6 +476,15 @@ export function registerTools(
     withAuthErrorHandling(async (input) => deleteItemHandler(passCli, input)),
   );
 
+  server.registerTool(
+    "download_item_attachment",
+    {
+      description: "Download an item attachment to a local path.",
+      inputSchema: downloadItemAttachmentInputSchema,
+    },
+    withAuthErrorHandling(async (input) => downloadItemAttachmentHandler(passCli, input)),
+  );
+
   server.registerTool(
     "create_item_alias",
     {
@@ -477,6 +494,33 @@ export function registerTools(
     withAuthErrorHandling(async (input) => createItemAliasHandler(passCli, input)),
   );
 
+  server.registerTool(
+    "list_item_members",
+    {
+      description: "List item members.",
+      inputSchema: listItemMembersInputSchema,
+    },
+    withAuthErrorHandling(async (input) => listItemMembersHandler(passCli, input)),
+  );
+
+  server.registerTool(
+    "update_item_member",
+    {
+      description: "Update an item member role.",
+      inputSchema: updateItemMemberInputSchema,
+    },
+    withAuthErrorHandling(async (input) => updateItemMemberHandler(passCli, input)),
+  );
+
+  server.registerTool(
+    "remove_item_member",
+    {
+      description: "Remove an item member.",
+      inputSchema: removeItemMemberInputSchema,
+    },
+    withAuthErrorHandling(async (input) => removeItemMemberHandler(passCli, input)),
+  );
+
   server.registerTool(
     "share_item",
     {

src/tools/item.ts

@@ -425,6 +425,14 @@ export const untrashItemInputSchema = z
     message: "Provide exactly one of itemId or itemTitle.",
   });
 
+export const downloadItemAttachmentInputSchema = z.object({
+  shareId: z.string().max(100).describe("Share ID containing the item"),
+  itemId: z.string().max(100).describe("Item ID containing the attachment"),
+  attachmentId: z.string().max(100).describe("Attachment ID to download"),
+  outputPath: z.string().min(1).max(4096).describe("Output path for downloaded attachment"),
+  confirm: z.boolean().optional().describe("Must be true to execute the write operation"),
+});
+
 export const deleteItemInputSchema = z.object({
   shareId: z.string().max(100).describe("Share ID containing the item to delete"),
   itemId: z.string().max(100).describe("Item ID to delete"),
@@ -441,6 +449,25 @@ export const shareItemInputSchema = z.object({
   confirm: z.boolean().optional().describe("Must be true to execute the write operation"),
 });
 
+export const listItemMembersInputSchema = z.object({
+  shareId: z.string().max(100).describe("Share ID containing the item"),
+  itemId: z.string().max(100).describe("Item ID"),
+  output: z.enum(["json", "human"]).default("json").describe("Output format"),
+});
+
+export const updateItemMemberInputSchema = z.object({
+  shareId: z.string().max(100).describe("Share ID containing the item"),
+  memberShareId: z.string().max(100).describe("Member share ID"),
+  role: z.enum(SHARE_ROLE_OPTIONS).describe("Role for the member"),
+  confirm: z.boolean().optional().describe("Must be true to execute the write operation"),
+});
+
+export const removeItemMemberInputSchema = z.object({
+  shareId: z.string().max(100).describe("Share ID containing the item"),
+  memberShareId: z.string().max(100).describe("Member share ID"),
+  confirm: z.boolean().optional().describe("Must be true to execute the write operation"),
+});
+
 export const createItemAliasInputSchema = z
   .object({
     shareId: z.string().max(100).optional().describe("Share ID where alias item will be created"),
@@ -474,8 +501,12 @@ export type MoveItemInput = z.infer<typeof moveItemInputSchema>;
 export type UpdateItemInput = z.infer<typeof updateItemInputSchema>;
 export type TrashItemInput = z.infer<typeof trashItemInputSchema>;
 export type UntrashItemInput = z.infer<typeof untrashItemInputSchema>;
+export type DownloadItemAttachmentInput = z.infer<typeof downloadItemAttachmentInputSchema>;
 export type DeleteItemInput = z.infer<typeof deleteItemInputSchema>;
 export type ShareItemInput = z.infer<typeof shareItemInputSchema>;
+export type ListItemMembersInput = z.infer<typeof listItemMembersInputSchema>;
+export type UpdateItemMemberInput = z.infer<typeof updateItemMemberInputSchema>;
+export type RemoveItemMemberInput = z.infer<typeof removeItemMemberInputSchema>;
 export type CreateItemAliasInput = z.infer<typeof createItemAliasInputSchema>;
 
 export async function listItemsHandler(
@@ -946,6 +977,28 @@ export async function untrashItemHandler(
   return asTextContent(out || "OK");
 }
 
+export async function downloadItemAttachmentHandler(
+  passCli: PassCliRunner,
+  { shareId, itemId, attachmentId, outputPath, confirm }: DownloadItemAttachmentInput,
+) {
+  requireWriteGate(confirm);
+  const { stdout, stderr } = await passCli([
+    "item",
+    "attachment",
+    "download",
+    "--share-id",
+    shareId,
+    "--item-id",
+    itemId,
+    "--attachment-id",
+    attachmentId,
+    "--output",
+    outputPath,
+  ]);
+  const out = joinStdoutStderr(stdout, stderr);
+  return asTextContent(out || "OK");
+}
+
 export async function deleteItemHandler(
   passCli: PassCliRunner,
   { shareId, itemId, confirm }: DeleteItemInput,
@@ -975,6 +1028,62 @@ export async function shareItemHandler(
   return asTextContent(out || "OK");
 }
 
+export async function listItemMembersHandler(
+  passCli: PassCliRunner,
+  { shareId, itemId, output }: ListItemMembersInput,
+) {
+  const { stdout } = await passCli([
+    "item",
+    "member",
+    "list",
+    "--share-id",
+    shareId,
+    "--item-id",
+    itemId,
+    "--output",
+    output,
+  ]);
+  return asTextContent(asJsonTextOrRaw(stdout));
+}
+
+export async function updateItemMemberHandler(
+  passCli: PassCliRunner,
+  { shareId, memberShareId, role, confirm }: UpdateItemMemberInput,
+) {
+  requireWriteGate(confirm);
+  const { stdout, stderr } = await passCli([
+    "item",
+    "member",
+    "update",
+    "--share-id",
+    shareId,
+    "--member-share-id",
+    memberShareId,
+    "--role",
+    role,
+  ]);
+  const out = joinStdoutStderr(stdout, stderr);
+  return asTextContent(out || "OK");
+}
+
+export async function removeItemMemberHandler(
+  passCli: PassCliRunner,
+  { shareId, memberShareId, confirm }: RemoveItemMemberInput,
+) {
+  requireWriteGate(confirm);
+  const { stdout, stderr } = await passCli([
+    "item",
+    "member",
+    "remove",
+    "--share-id",
+    shareId,
+    "--member-share-id",
+    memberShareId,
+  ]);
+  const out = joinStdoutStderr(stdout, stderr);
+  return asTextContent(out || "OK");
+}
+
 export async function createItemAliasHandler(
   passCli: PassCliRunner,
   { shareId, vaultName, prefix, output, confirm }: CreateItemAliasInput,