Merge pull request #86 from imbue-ai/hynek/re-encrypt

Version 2.16.0

Author: hynek-urban

README.md

@@ -275,6 +275,14 @@ latchkey auth clear
 ```
 
 
+### Re-encrypting credentials
+
+If you want to export your stored credentials encrypted with
+a different key or containing only some of the credentials (for
+example to move them to another machine) , use the `auth re-encrypt`
+subcommand.
+
+
 ### Permissions
 
 Optionally, you can specify rules for approving / rejecting
@@ -381,7 +389,7 @@ defaults:
 - `LATCHKEY_PERMISSIONS_CONFIG`: override the `permissions.json` location.
 - `LATCHKEY_PERMISSIONS_DO_NOT_USE_BUILTIN_SCHEMAS`: do not use the built-in permission definitions.
 - `LATCHKEY_PASSTHROUGH_UNKNOWN`: if set, Latchkey will forward requests (via `latchkey curl` or gateway) even if no credentials are injected.
-- `LATCHKEY_GATEWAY`: when set to a base URL (e.g. `http://localhost:1989`), the CLI delegates commands to a remote Latchkey gateway instead of running them locally. Commands that change local state (`auth set`, `auth clear`, `services register`, `ensure-browser`, `gateway`) cannot run in this mode.
+- `LATCHKEY_GATEWAY`: when set to a base URL (e.g. `http://localhost:1989`), the CLI delegates commands to a remote Latchkey gateway instead of running them locally. Commands that change local state (`auth set`, `auth clear`, `auth re-encrypt`, `services register`, `ensure-browser`, `gateway`) cannot run in this mode.
 - `LATCHKEY_GATEWAY_LISTEN_HOST`, `LATCHKEY_GATEWAY_LISTEN_PORT`: default address and port the local `latchkey gateway` command binds to when `--host` / `--port` are not supplied (defaults: `localhost`, `1989`). Distinct from `LATCHKEY_GATEWAY`, which configures a *remote* gateway URL.
 - `LATCHKEY_GATEWAY_PASSWORD`: optional shared secret used by the client side. When set together with `LATCHKEY_GATEWAY`, the CLI sends the value in the `X-Latchkey-Gateway-Password` header on every outgoing gateway request.
 - `LATCHKEY_GATEWAY_LISTEN_PASSWORD`: optional shared secret used by the server side. When set, `latchkey gateway` rejects (with `401`) any request that does not present the same value in the `X-Latchkey-Gateway-Password` header. The header is stripped before requests are forwarded upstream.

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "latchkey",
-  "version": "2.15.4",
+  "version": "2.16.0",
   "description": "A CLI tool that injects API credentials into curl requests to third-party services",
   "author": "Imbue <hynek@imbue.com>",
   "repository": {

package.json

@@ -35,11 +35,17 @@ export async function getCredentialStatus(
   service: Service,
   credentials: ApiCredentials | null,
   apiCredentialStore: ApiCredentialStore,
-  disableRefresh = false
+  disableRefresh = false,
+  offline = false
 ): Promise<ApiCredentialStatus> {
   if (credentials === null) {
     return ApiCredentialStatus.Missing;
   }
+  // In offline mode we never send a validation request, so we can only report
+  // that credentials exist without knowing whether they are actually valid.
+  if (offline) {
+    return ApiCredentialStatus.Unknown;
+  }
   const refreshed = await maybeRefreshCredentials(
     service,
     credentials,

src/apiCredentials/utils.ts

@@ -3,9 +3,10 @@
  */
 
 import type { Command } from 'commander';
-import { existsSync, unlinkSync } from 'node:fs';
+import { existsSync, statSync, unlinkSync } from 'node:fs';
+import { basename, join } from 'node:path';
 import { createInterface } from 'node:readline';
-import { ApiCredentialStore } from './apiCredentials/store.js';
+import { ApiCredentialStore, ApiCredentialStoreError } from './apiCredentials/store.js';
 import { ApiCredentials, RawCurlCredentials } from './apiCredentials/base.js';
 import {
   CredentialsExpiredError,
@@ -31,8 +32,8 @@ import {
 } from './playwrightUtils.js';
 import { BrowserFeaturesUnavailableError, loadPlaywright } from './playwrightLoader.js';
 import type { CurlResult } from './curl.js';
-import { EncryptedStorage } from './encryptedStorage.js';
-import { resolveEncryptionKey } from './encryption.js';
+import { EncryptedStorage, EncryptedStorageError } from './encryptedStorage.js';
+import { encrypt, EncryptionError, resolveEncryptionKey } from './encryption.js';
 import {
   DuplicateServiceNameError,
   InvalidServiceNameError,
@@ -103,6 +104,7 @@ export interface CliDependencies {
     doNotUseBuiltinSchemas: boolean
   ) => Promise<boolean>;
   readonly confirm: (message: string) => Promise<boolean>;
+  readonly readStdin: () => Promise<string>;
   readonly exit: (code: number) => never;
   readonly log: (message: string) => void;
   readonly errorLog: (message: string) => void;
@@ -120,6 +122,7 @@ export function createDefaultDependencies(): CliDependencies {
     runCurlAsync: curlRunAsync,
     checkPermission: checkPermission,
     confirm: defaultConfirm,
+    readStdin: defaultReadStdin,
     exit: (code: number) => process.exit(code),
     log: (message: string) => {
       console.log(message);
@@ -168,6 +171,14 @@ function refuseInGatewayMode(deps: CliDependencies, commandName: string): void {
   }
 }
 
+async function defaultReadStdin(): Promise<string> {
+  const chunks: Buffer[] = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
+  }
+  return Buffer.concat(chunks).toString('utf-8');
+}
+
 async function defaultConfirm(message: string): Promise<boolean> {
   const readline = createInterface({
     input: process.stdin,
@@ -298,11 +309,15 @@ export function registerCommands(program: Command, deps: CliDependencies): void
     .command('info')
     .description('Show information about a service.')
     .argument('<service_name>', 'Name of the service to get info for')
-    .action(async (serviceName: string) => {
+    .option(
+      '--offline',
+      'Do not send a request to validate credentials; report them as only "missing" or "unknown".'
+    )
+    .action(async (serviceName: string, options: { offline?: boolean }) => {
       if (deps.config.gatewayUrl !== null) {
         const info = await forwardToGateway(deps, {
           command: 'services info',
-          params: { serviceName },
+          params: { serviceName, offline: options.offline },
         });
         deps.log(JSON.stringify(info, null, 2));
         return;
@@ -317,7 +332,8 @@ export function registerCommands(program: Command, deps: CliDependencies): void
           deps.registry,
           apiCredentialStore,
           deps.config,
-          serviceName
+          serviceName,
+          options.offline ?? false
         );
         deps.log(JSON.stringify(info, null, 2));
       } catch (error) {
@@ -929,6 +945,103 @@ export function registerCommands(program: Command, deps: CliDependencies): void
       }
     );
 
+  authCommand
+    .command('re-encrypt')
+    .description(
+      'Re-encrypt stored credentials with a new key and write them into a ' +
+        'destination directory, using the same filename Latchkey itself expects. ' +
+        'The new key is read from stdin so that it does not appear in the process ' +
+        'arguments or shell history. When stdin is empty, the existing encryption ' +
+        'key is reused.'
+    )
+    .argument(
+      '<destination_directory>',
+      'Directory to write the re-encrypted credential store into'
+    )
+    .option(
+      '--services <services...>',
+      'Only include these services in the new encrypted store (default: all stored services)'
+    )
+    .addHelpText(
+      'after',
+      `\nExamples:\n  $ openssl rand -base64 32 | latchkey auth re-encrypt ~/latchkey-export` +
+        `\n  $ echo "" | latchkey auth re-encrypt ~/latchkey-export --services gitlab slack`
+    )
+    .action(async (destinationDirectory: string, options: { services?: string[] }) => {
+      refuseInGatewayMode(deps, 'auth re-encrypt');
+
+      if (existsSync(destinationDirectory) && !statSync(destinationDirectory).isDirectory()) {
+        deps.errorLog(`Error: Destination is not a directory: ${destinationDirectory}`);
+        deps.exit(1);
+      }
+
+      const destination = join(destinationDirectory, basename(deps.config.credentialStorePath));
+      if (existsSync(destination)) {
+        deps.errorLog(`Error: Destination file already exists: ${destination}`);
+        deps.errorLog('Remove it first or choose a different destination directory.');
+        deps.exit(1);
+      }
+
+      const sourceKey = await resolveEncryptionKeyFromConfig(deps.config);
+
+      // An empty stdin means "reuse the existing encryption key".
+      const stdinKey = (await deps.readStdin()).trim();
+      const destinationKey = stdinKey === '' ? sourceKey : stdinKey;
+      // Validate the key up front using the encryption routine itself, rather
+      // than duplicating its key-format checks.
+      try {
+        encrypt('', destinationKey);
+      } catch (error) {
+        if (error instanceof EncryptionError) {
+          deps.errorLog(`Error: ${error.message}. Generate a key with: openssl rand -base64 32`);
+          deps.exit(1);
+        }
+        throw error;
+      }
+
+      const sourceStorage = new EncryptedStorage(sourceKey);
+      const sourceStore = new ApiCredentialStore(deps.config.credentialStorePath, sourceStorage);
+
+      let allCredentials: ReadonlyMap<string, ApiCredentials>;
+      try {
+        allCredentials = sourceStore.getAll();
+      } catch (error) {
+        if (error instanceof ApiCredentialStoreError || error instanceof EncryptedStorageError) {
+          deps.errorLog(`Error: ${error.message}`);
+          deps.exit(1);
+        }
+        throw error;
+      }
+
+      let selectedServiceNames: string[];
+      if (options.services !== undefined) {
+        const missing = options.services.filter((name) => !allCredentials.has(name));
+        if (missing.length > 0) {
+          deps.errorLog(`Error: No stored credentials for: ${missing.join(', ')}`);
+          deps.exit(1);
+        }
+        selectedServiceNames = options.services;
+      } else {
+        selectedServiceNames = [...allCredentials.keys()];
+      }
+
+      if (selectedServiceNames.length === 0) {
+        deps.errorLog('Error: No stored credentials found to re-encrypt.');
+        deps.exit(1);
+      }
+
+      const destinationStorage = new EncryptedStorage(destinationKey);
+      const destinationStore = new ApiCredentialStore(destination, destinationStorage);
+      for (const serviceName of selectedServiceNames) {
+        const credentials = allCredentials.get(serviceName);
+        if (credentials !== undefined) {
+          destinationStore.save(serviceName, credentials);
+        }
+      }
+
+      deps.log(`Re-encrypted ${String(selectedServiceNames.length)} service(s) to ${destination}.`);
+    });
+
   program
     .command('skill-md')
     .description('Print the SKILL.md file for AI agent integration.')

src/cliCommands.ts

@@ -48,7 +48,9 @@ const ServicesListRequestSchema = z.object({
 
 const ServicesInfoRequestSchema = z.object({
   command: z.literal('services info'),
-  params: serviceNameParams,
+  params: serviceNameParams.extend({
+    offline: z.boolean().optional(),
+  }),
 });
 
 const AuthListRequestSchema = z.object({
@@ -131,7 +133,8 @@ async function dispatch(
         deps.registry,
         apiCredentialStore,
         deps.config,
-        parsed.params.serviceName
+        parsed.params.serviceName,
+        parsed.params.offline ?? false
       );
 
     case 'auth list':

src/gateway/latchkeyEndpoint.ts

@@ -123,7 +123,8 @@ export async function servicesInfo(
   registry: ServiceRegistry,
   apiCredentialStore: ApiCredentialStore,
   config: Config,
-  serviceName: string
+  serviceName: string,
+  offline = false
 ): Promise<ServicesInfoResult> {
   const service = lookupService(registry, serviceName);
 
@@ -135,7 +136,8 @@ export async function servicesInfo(
     service,
     apiCredentials,
     apiCredentialStore,
-    config.credentialsRefreshDisabled
+    config.credentialsRefreshDisabled,
+    offline
   );
 
   const serviceType = service instanceof RegisteredService ? 'user-registered' : 'built-in';

src/sharedOperations.ts

@@ -1,3 +1,3 @@
 // Auto-generated from package.json by scripts/generateVersion.js.
 // Do not edit by hand; run `node scripts/generateVersion.js` to refresh.
-export const VERSION = "2.15.4";
+export const VERSION = "2.16.0";