Documentation
Index ¶
- Constants
- Variables
- func CreateSignedLogin(gpgClient gpg.Client, fingerprint string) (*config.Login, error)
- func ExitWithError(err error)
- func PrintHelp(w io.Writer)
- func PrintSuccess(w io.Writer, message string)
- func PrintVersion(w io.Writer, version, commit, date string)
- func PrintVersionJSON(w io.Writer, version, commit, date string)
- func PrintWarning(w io.Writer, message string)
- func ResolveConfigPath(configPath string, silent bool, stderr io.Writer) string
- type CLI
- func (c *CLI) Close() error
- func (c *CLI) IdentityCreate(opts IdentityCreateOptions) *Error
- func (c *CLI) Login(fingerprint string) *Error
- func (c *CLI) Output() *output.Handler
- func (c *CLI) SecretForget(secretKeyArg, vaultPath string, fromIndex int) *Error
- func (c *CLI) SecretGet(secretKey string, all bool, last bool, jsonOutput bool, vaultPath string, ...) *Error
- func (c *CLI) SecretList(jsonOutput bool, vaultPath string, fromIndex int) *Error
- func (c *CLI) SecretPut(secretKeyArg, vaultPath string, fromIndex int, preReadValue string) *Error
- func (c *CLI) SecretRevoke(secretKey, targetFingerprint string, vaultIndex int) *Error
- func (c *CLI) SecretRevokeAll(secretKey, targetFingerprint string) *Error
- func (c *CLI) SecretShare(secretKey, targetFingerprint string, vaultIndex int) *Error
- func (c *CLI) SecretShareAll(secretKey, targetFingerprint string) *Error
- func (c *CLI) SetJSONMode(enabled bool)
- func (c *CLI) Validate(fix bool) *Error
- func (c *CLI) VaultDescribe(jsonOutput bool) *Error
- func (c *CLI) VaultDoctor(jsonOutput bool, vaultPath string, fromIndex int) *Error
- func (c *CLI) Warnf(format string, args ...interface{})
- type CryptoInfo
- type DoctorCheckJSON
- type DoctorResultJSON
- type Error
- func HandleInteractiveSelection(options []string, prompt string, stderr io.Writer) (int, *Error)
- func IdentityCreateStandalone(opts IdentityCreateOptions, out *output.Handler) *Error
- func InitConfig(configPath string, initialVaults []string, gpgProgram string, ...) *Error
- func InitVaultFile(vaultPath string, out *output.Handler) *Error
- func InitVaultInteractiveStandalone(configPath string, out *output.Handler) *Error
- func NewError(message string, code ExitCode) *Error
- func PromptConfirm(prompt string, stderr io.Writer) (bool, *Error)
- func ValidateVaultPathsAgainstConfig(configPath string, vaultPaths []string, out *output.Handler) *Error
- type ExitCode
- type IdentityCreateOptions
- type SecretListJSON
- type SecretValueJSON
- type ValidationError
- type VaultDescribeIdentityJSON
- type VaultDescribeJSON
- type VaultDescribeSecretJSON
- type VaultResolver
- type VersionInfo
Constants ¶
// Exit code constants, aliased one-for-one from the output package.
const (
	ExitSuccess             = output.ExitSuccess
	ExitGeneralError        = output.ExitGeneralError
	ExitConfigError         = output.ExitConfigError
	ExitVaultError          = output.ExitVaultError
	ExitGPGError            = output.ExitGPGError
	ExitAuthError           = output.ExitAuthError
	ExitValidationError     = output.ExitValidationError
	ExitFingerprintRequired = output.ExitFingerprintRequired
	ExitAccessDenied        = output.ExitAccessDenied
	ExitAlgorithmNotAllowed = output.ExitAlgorithmNotAllowed
)
Exit code constants - aliases to output package.
Variables ¶
var ErrUserCancelled = errors.New("cancelled by user")
ErrUserCancelled is returned when the user cancels an interactive prompt (Ctrl-C or Escape). Callers can detect it with errors.Is rather than matching the message text.
Functions ¶
func CreateSignedLogin ¶ added in v0.0.9
CreateSignedLogin is the exported variant of the login-proof creation routine, intended for use by init.go. It uses gpgClient to sign a login proof with the secret key identified by fingerprint and returns the resulting config.Login.
func ExitWithError ¶
func ExitWithError(err error)
ExitWithError exits the program with the given error.
func PrintSuccess ¶
PrintSuccess prints a success message to stdout.
func PrintVersion ¶
PrintVersion prints the version information
func PrintVersionJSON ¶ added in v0.0.9
PrintVersionJSON prints version information as JSON.
func PrintWarning ¶
PrintWarning prints a warning to stderr.
func ResolveConfigPath ¶
ResolveConfigPath returns the effective config path, choosing the first of: 1. the explicit configPath argument (highest priority, e.g. the -c flag); 2. /etc/dotsecenv/config when running in SUID mode; 3. the DOTSECENV_CONFIG environment variable when not in SUID mode; 4. the XDG default path. The environment variable is not consulted in SUID mode, which keeps an unprivileged caller from steering a privileged process to a config file they control; note that an explicit configPath still takes precedence even in SUID mode. If configPath is specified and DOTSECENV_CONFIG is also set, a warning is printed to stderr unless silent is true.
Types ¶
type CLI ¶
type CLI struct {
	// Silent presumably suppresses non-error output such as warnings (cf. the silent
	// parameter of ResolveConfigPath); its exact scope is not visible here — confirm.
	Silent bool
	Strict bool // Strict mode: certain warnings become errors
	// contains filtered or unexported fields
}
CLI represents the command-line interface
func (*CLI) IdentityCreate ¶ added in v0.0.9
func (c *CLI) IdentityCreate(opts IdentityCreateOptions) *Error
IdentityCreate generates a new GPG key or outputs the generation template.
func (*CLI) Login ¶
Login initializes the user's identity with a signed login proof. If fingerprint is empty, it will interactively prompt the user to select from available secret keys.
func (*CLI) SecretForget ¶ added in v0.0.9
SecretForget marks a secret as deleted by adding a deletion marker value. The deletion marker has deleted=true and an empty available_to list. Because the marker is added rather than replacing the secret's history, earlier values presumably remain in the vault file; this is a logical removal, not a scrub of a leaked value.
func (*CLI) SecretGet ¶
func (c *CLI) SecretGet(secretKey string, all bool, last bool, jsonOutput bool, vaultPath string, fromIndex int) *Error
SecretGet retrieves a secret from the vault. If the caller cannot decrypt the latest value, it falls back to the newest older value they can access and emits a warning, so a fallback result may be stale relative to the current value. Whether Strict mode turns that warning into an error is not stated here; see the strict parameter of VaultResolver.GetAccessibleSecretFromAnyVault.
func (*CLI) SecretList ¶ added in v0.4.3
SecretList lists all secret keys from vaults. If vaultPath is specified or fromIndex > 0, lists secrets only from that vault. Otherwise, lists secrets from all vaults.
func (*CLI) SecretPut ¶
SecretPut stores a secret in the vault. If preReadValue is non-empty, it is used as the secret value (this covers piped input, which is read before the vault lock is taken). If preReadValue is empty, the secret is read from stdin (interactive TTY mode). Callers passing preReadValue hold the plaintext in memory; it should come from a pipe or prompt, never from a command-line argument, which is visible to other processes.
func (*CLI) SecretRevoke ¶
SecretRevoke re-encrypts a secret without the specified fingerprint, effectively revoking their access. If the secret is shared with the fingerprint, it re-encrypts with every other public key except the one corresponding to the fingerprint, updates available_to, regenerates the hash, and signs it. Revocation only affects this ciphertext going forward: a party that already decrypted the value may retain the plaintext, and earlier values of the secret that were shared with that fingerprint are presumably still readable by it, so rotate the secret if the value itself must be withheld. Use SecretRevokeAll to revoke across every vault.
func (*CLI) SecretRevokeAll ¶
SecretRevokeAll revokes access to a secret from a fingerprint across all vaults.
func (*CLI) SecretShare ¶
SecretShare shares a secret with another identity
func (*CLI) SecretShareAll ¶
SecretShareAll shares a secret with a fingerprint across all vaults where the secret exists.
func (*CLI) SetJSONMode ¶
SetJSONMode enables or disables JSON output mode for the current command. This creates a new handler with fresh warning collection.
func (*CLI) VaultDescribe ¶ added in v0.0.9
VaultDescribe lists all vaults with their identities and secrets
func (*CLI) VaultDoctor ¶ added in v0.0.9
VaultDoctor runs health checks on the vault configuration and environment. In CI environments, interactive prompts are skipped automatically.
type CryptoInfo ¶ added in v0.0.9
type CryptoInfo struct {
	// GOFIPS140 is presumably the value of the GOFIPS140 build setting the binary was
	// built with; omitted from JSON when empty.
	GOFIPS140 string `json:"GOFIPS140,omitempty"`
	// FIPS140Enabled reports whether FIPS 140 mode is active in the running binary.
	FIPS140Enabled bool `json:"fips140Enabled"`
}
CryptoInfo represents cryptographic module information.
type DoctorCheckJSON ¶ added in v0.0.9
type DoctorCheckJSON struct {
	// Name identifies the health check.
	Name string `json:"name"`
	Status string `json:"status"` // "ok", "warning", "error"
	// Message is a short human-readable summary; omitted from JSON when empty.
	Message string `json:"message,omitempty"`
	// Details carries additional explanation; omitted from JSON when empty.
	Details string `json:"details,omitempty"`
}
DoctorCheckJSON represents a single health check in JSON output
type DoctorResultJSON ¶ added in v0.0.9
type DoctorResultJSON struct {
	// Status is the overall result, presumably the worst status among Checks — confirm.
	Status string `json:"status"` // "healthy", "warning", "error"
	// Checks lists every individual health check that ran.
	Checks []DoctorCheckJSON `json:"checks"`
}
DoctorResultJSON is the JSON output structure for doctor
type Error ¶
Error represents a CLI error with an exit code. Kept for backward compatibility; new code should use output.Error.
func HandleInteractiveSelection ¶
HandleInteractiveSelection prompts the user to select from options and handles cancellation uniformly. It opens /dev/tty directly for input, so the selection works even when stdin is piped; where no controlling terminal exists (e.g. a non-interactive CI job) the prompt presumably cannot be served, so callers should avoid reaching it there. Returns the selected index and nil on success, or writes "Cancelled." to stderr and returns an error on cancellation.
func IdentityCreateStandalone ¶ added in v0.0.9
func IdentityCreateStandalone(opts IdentityCreateOptions, out *output.Handler) *Error
IdentityCreateStandalone runs identity create without requiring full CLI initialization. This is used when no config exists yet.
func InitConfig ¶
func InitConfig(configPath string, initialVaults []string, gpgProgram string, noGPGProgram bool, loginFingerprint string, out *output.Handler) *Error
InitConfig initializes a configuration file with FIPS-compliant defaults. gpgProgram: if non-empty, this value is written to gpg.program verbatim, without validation; since gpg.program presumably names the GPG binary that will later be executed, only pass trusted values here. noGPGProgram: if true, skip GPG detection entirely and leave gpg.program empty. loginFingerprint: if non-empty, creates a signed login proof for this fingerprint.
func InitVaultFile ¶
InitVaultFile initializes a specific vault file
func InitVaultInteractiveStandalone ¶
InitVaultInteractiveStandalone lets the user select a vault from the config to initialize. It runs without requiring the vaults to be openable, since they might not exist yet.
func NewError ¶
NewError creates a new CLI error. For new code, prefer output.NewError with a structured code.
func PromptConfirm ¶
PromptConfirm asks the user for a y/n confirmation. Returns true if confirmed, false if declined, or an error on cancellation. It opens /dev/tty directly to work even when stdin is piped; where no controlling terminal exists the prompt presumably cannot be served, so callers in non-interactive contexts should not rely on it.
func ValidateVaultPathsAgainstConfig ¶ added in v0.4.4
func ValidateVaultPathsAgainstConfig(configPath string, vaultPaths []string, out *output.Handler) *Error
ValidateVaultPathsAgainstConfig checks whether the specified vault paths are allowed per the config. Returns an error if restrict_to_configured_vaults is true and any path is not in the config; if the restriction is off, it only prints a warning for paths not in the config. If configPath is empty, the default resolved config path is used.
type ExitCode ¶
ExitCode represents the exit code for an error. This is an alias to the output package for backward compatibility.
type IdentityCreateOptions ¶ added in v0.0.9
type IdentityCreateOptions struct {
	Algorithm string // Algorithm to use (ED25519, RSA4096, P384, P521)
	Name string // User's full name
	Email string // User's email address
	TemplateOnly bool // If true, only output the template without generating
	// A key created without a passphrase is protected only by the permissions on the
	// keyring, so the host filesystem becomes the security boundary for that key.
	NoPassphrase bool // If true, create key without passphrase (for CI/automation)
}
IdentityCreateOptions holds options for the identity create command.
type SecretListJSON ¶ added in v0.4.3
type SecretListJSON struct {
	// Key is the secret's name.
	Key string `json:"key"`
	// Vault is the vault the key was found in; omitted from JSON when empty.
	Vault string `json:"vault,omitempty"`
	// Deleted marks keys whose latest value is a deletion marker (cf. SecretForget);
	// omitted from JSON when false.
	Deleted bool `json:"deleted,omitempty"`
}
SecretListJSON is the JSON output structure for secret list
type SecretValueJSON ¶
type SecretValueJSON struct {
	// AddedAt is when this value was stored.
	AddedAt time.Time `json:"added_at"`
	// Value is the secret's value as returned by SecretGet, i.e. in the clear: this JSON
	// is sensitive output and must not be logged or written where the plaintext is not meant to go.
	Value string `json:"value"`
	// Vault is the originating vault; omitted from JSON when empty.
	Vault string `json:"vault,omitempty"`
}
SecretValueJSON is the JSON output structure for secret values
type ValidationError ¶
type ValidationError struct {
	Level string // "GLOBAL", "IDENTITY", "SECRET", "STRUCTURE"
	// Message describes the problem.
	Message string
	Path string // For errors in specific items
}
ValidationError represents a validation error with context
type VaultDescribeIdentityJSON ¶ added in v0.0.9
type VaultDescribeIdentityJSON struct {
	// UID is the key's user ID string.
	UID string `json:"uid"`
	// Fingerprint is the key fingerprint identifying this identity.
	Fingerprint string `json:"fingerprint"`
	// Algorithm and AlgorithmBits describe the key algorithm and size.
	Algorithm string `json:"algorithm"`
	AlgorithmBits int `json:"algorithm_bits"`
	// Curve is set for elliptic-curve keys; omitted from JSON when empty.
	Curve string `json:"curve,omitempty"`
	CreatedAt time.Time `json:"created_at"`
	// ExpiresAt is nil (and omitted from JSON) when the key has no expiry.
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
}
VaultDescribeIdentityJSON represents an identity in the vault describe JSON output
type VaultDescribeJSON ¶ added in v0.0.9
type VaultDescribeJSON struct {
	// Position is the vault's index in the configured vault list (the index used by
	// the fromIndex / vaultIndex parameters elsewhere in this package — confirm).
	Position int `json:"position"`
	// Vault is the vault path.
	Vault string `json:"vault"`
	Identities []VaultDescribeIdentityJSON `json:"identities"`
	Secrets []VaultDescribeSecretJSON `json:"secrets"`
}
VaultDescribeJSON is the JSON output structure for vault describe
type VaultDescribeSecretJSON ¶ added in v0.0.9
type VaultDescribeSecretJSON struct {
	// Key is the secret's name.
	Key string `json:"key"`
	// Deleted marks secrets whose latest value is a deletion marker (cf. SecretForget);
	// omitted from JSON when false.
	Deleted bool `json:"deleted,omitempty"`
}
VaultDescribeSecretJSON represents a secret in the vault describe JSON output
type VaultResolver ¶
type VaultResolver interface {
	// index arguments throughout select a vault by its position in the configured
	// vault list (cf. VaultDescribeJSON.Position and the fromIndex parameters) — confirm.
	GetIdentityByFingerprint(fingerprint string) *vault.Identity
	AddSecret(secret vault.Secret, index int) error
	SaveAll() error
	// Looks key up across all vaults; stderr receives diagnostics while searching.
	GetSecretFromAnyVault(key string, stderr io.Writer) (*vault.SecretValue, error)
	// Like GetSecretFromAnyVault but limited to values the given fingerprint can access;
	// strict presumably governs whether falling back to an older value is an error (see SecretGet).
	GetAccessibleSecretFromAnyVault(key, fingerprint string, strict bool) (*vault.SecretValue, error)
	GetSecretByKeyFromVault(index int, key string) *vault.Secret
	FindSecretVaultIndex(key string) int
	GetVaultManager(index int) *vault.Manager
	AddIdentity(identity vault.Identity, index int) error
	GetConfig() vault.VaultConfig
	GetVaultPaths() []string
	GetAvailableVaultPathsWithIndices() []vault.VaultPathWithIndex
	// Reports whether path is one of the configured vaults (the check behind
	// ValidateVaultPathsAgainstConfig / restrict_to_configured_vaults — confirm).
	IsPathInConfig(path string) bool
	IdentityExistsInVault(fingerprint string, index int) bool
	SaveVault(index int) error
	CloseAll() error
	// Returns the error recorded when opening vault index, if any.
	GetLoadError(index int) error
	GetSecret(index int, key string) (*vault.SecretValue, error)
	OpenVaultsFromPaths(paths []string, stderr io.Writer) error
	OpenVaults(stderr io.Writer) error
	VaultCount() int
	ListAllSecretKeys() []vault.SecretKeyInfo
	ListSecretKeysFromVault(index int) []vault.SecretKeyInfo
}
VaultResolver defines the interface for vault operations required by the CLI
type VersionInfo ¶ added in v0.0.9
type VersionInfo struct {
	Version string `json:"version"`
	// Commit is the source revision the binary was built from.
	Commit string `json:"commit"`
	// BuiltAt is the build timestamp as a string (format not specified here).
	BuiltAt string `json:"builtAt"`
	// GoBuildVersion is the Go toolchain version used for the build.
	GoBuildVersion string `json:"goBuildVersion"`
	// Crypto reports the cryptographic module / FIPS 140 status of the binary.
	Crypto CryptoInfo `json:"crypto"`
}
VersionInfo represents version information as a structured object.