+23 -11

TODO.md

reviewed

··· 21 21 22 22 ## Git SSH Key Management 23 23 24 24 - - [ ] Implement `tangled ssh-key add <public-key-path>` command. 25 25 - - [ ] This command should upload the provided public SSH key to the user's tangled.org account via the API, similar to how `gh ssh-key add` works. If no path is provided, it should default to `~/.ssh/id_rsa.pub` or prompt the user for a path. 26 26 - - [ ] The CLI is not responsible for generating SSH keys or managing the local ssh-agent; users are expected to handle these steps externally. 27 27 - - [ ] Implement `tangled ssh-key verify` command. 28 28 - - [ ] This command should execute `ssh -T git@tangled.org`, parse the DID from its output, and then resolve that DID to a Bluesky handle, displaying the result to the user. 29 29 - - [ ] Ensure all Git operations leverage SSH keys for authentication, as `tangled.org` exclusively supports SSH for Git. 24 24 + - [x] Implement `tangled ssh-key verify` command. 25 25 + - [x] This command executes `ssh -T git@tangled.org`, parses the DID from its output, and displays it to the user. 26 26 + - [x] If the user is logged in with the CLI and their DID matches the SSH DID, their handle is also displayed. 30 27 31 28 ## Context Engine (Git Integration) 32 29 ··· 78 75 79 76 - [ ] This phase primarily involves local Git operations (pushing new commits) and using `tangled pr comment` for clarifications, which are covered by existing or planned commands. 80 77 78 78 + ## SSH Key Upload & Management (Phase 4) 79 79 + 80 80 + This phase adds CLI-based SSH key management for users who want to upload keys programmatically. 81 81 + 82 82 + - [ ] Implement `tangled ssh-key add <public-key-path>` command. 83 83 + - [ ] This command should upload the provided public SSH key to the user's tangled.org account via the API, similar to how `gh ssh-key add` works. If no path is provided, it should default to `~/.ssh/id_ed25519.pub` or prompt the user for a path. 84 84 + - [ ] Support reading keys from SSH agent via `ssh-add -L` for 1Password SSH agent users. 85 85 + - [ ] The CLI is not responsible for generating SSH keys or managing the local ssh-agent; users are expected to handle these steps externally. 86 86 + - [ ] Implement `tangled ssh-key list` command. 87 87 + - [ ] List all SSH keys stored in the user's PDS. 88 88 + - [ ] Display key type, name, creation date, and URI. 89 89 + 81 90 ## Output & LLM Integration 82 91 83 92 - [ ] Implement output formatting based on `is-interactive` check. ··· 88 97 89 98 ## Testing 90 99 91 91 - - [ ] Set up a testing framework (e.g., Jest, Vitest). 92 92 - - [ ] Write unit tests for core modules (Auth, Context Resolver, API client). 93 93 - - [ ] Write integration tests for CLI commands. 100 100 + - [x] Set up a testing framework (Vitest). 101 101 + - [x] Write unit tests for core modules (Auth, Session, API client, Validation, Prompts). 102 102 + - [x] Write integration tests for CLI commands (Auth, SSH key verify). 103 103 + - [ ] Add integration tests for remaining commands as they are implemented. 94 104 95 105 ## Documentation & Deployment 96 106 ··· 99 109 100 110 ## Outstanding Issues / Future Considerations (from README) 101 111 102 102 - - [ ] Secure cross-platform AT Proto session storage (OS keychain). 103 103 - - [ ] Git authentication management similar to GitHub CLI (SSH keys, 1Password integration). 112 112 + - [x] Secure cross-platform AT Proto session storage (OS keychain) - Implemented with @napi-rs/keyring. 113 113 + - [x] SSH key verification for Git authentication - Implemented `tangled ssh-key verify`. 114 114 + - [ ] SSH key upload management (See Phase 4 above). 115 115 + - [ ] 1Password SSH agent integration for key upload (See Phase 4 above). 104 116 - [ ] Define clear precedence order for settings resolution (local config, home folder, CLI flags). 105 117 - [ ] Consider adding extensions/plugins (Out of Scope for V1, but keep in mind).

+75

src/commands/ssh-key.ts

reviewed

··· 1 1 + import { execSync } from 'node:child_process'; 2 2 + import { Command } from 'commander'; 3 3 + import { getCurrentSessionMetadata } from '../lib/session.js'; 4 4 + 5 5 + /** 6 6 + * Create the ssh-key command with subcommands for managing SSH keys 7 7 + */ 8 8 + export function createSshKeyCommand(): Command { 9 9 + const sshKey = new Command('ssh-key'); 10 10 + sshKey.description('Verify SSH key setup for Git authentication'); 11 11 + 12 12 + // Verify command 13 13 + sshKey 14 14 + .command('verify') 15 15 + .description('Verify SSH key authentication with git@tangled.org') 16 16 + .action(async () => { 17 17 + try { 18 18 + console.log('Testing SSH connection to git@tangled.org...\n'); 19 19 + 20 20 + // Execute ssh -T git@tangled.org to test authentication 21 21 + let output: string; 22 22 + try { 23 23 + output = execSync('ssh -T git@tangled.org', { 24 24 + encoding: 'utf-8', 25 25 + stdio: 'pipe', 26 26 + }); 27 27 + } catch (error) { 28 28 + // ssh -T returns non-zero exit code even on success 29 29 + // Capture stderr which contains the authentication message 30 30 + if (error instanceof Error && 'stderr' in error) { 31 31 + output = (error as { stderr: string }).stderr; 32 32 + } else { 33 33 + throw error; 34 34 + } 35 35 + } 36 36 + 37 37 + // Parse the DID from the output 38 38 + // Expected format: "Hi @did:plc:...! You've successfully authenticated." 39 39 + const didMatch = output.match(/@(did:plc:[a-z0-9]+)/i); 40 40 + 41 41 + if (!didMatch) { 42 42 + console.error('✗ SSH authentication failed'); 43 43 + console.error('Could not find authenticated DID in response'); 44 44 + console.error('\nPlease ensure you have:'); 45 45 + console.error('1. Generated an SSH key (ssh-keygen -t ed25519)'); 46 46 + console.error('2. Added your public key to https://tangled.org/settings/keys'); 47 47 + console.error('3. Your SSH agent is running (ssh-add -l)'); 48 48 + process.exit(1); 49 49 + } 50 50 + 51 51 + const did = didMatch[1]; 52 52 + console.log('✓ SSH authentication successful'); 53 53 + console.log(` Authenticated as: ${did}`); 54 54 + 55 55 + // Check if this matches the logged-in user 56 56 + const session = await getCurrentSessionMetadata(); 57 57 + if (session && session.did === did) { 58 58 + console.log(` Handle: @${session.handle}`); 59 59 + } 60 60 + 61 61 + console.log('\n✓ Your SSH setup is working correctly!'); 62 62 + } catch (error) { 63 63 + console.error( 64 64 + `\n✗ Failed to verify SSH setup: ${error instanceof Error ? error.message : 'Unknown error'}` 65 65 + ); 66 66 + console.error('\nPlease ensure you have:'); 67 67 + console.error('1. Generated an SSH key (ssh-keygen -t ed25519)'); 68 68 + console.error('2. Added your public key to https://tangled.org/settings/keys'); 69 69 + console.error('3. Your SSH agent is running (ssh-add -l)'); 70 70 + process.exit(1); 71 71 + } 72 72 + }); 73 73 + 74 74 + return sshKey; 75 75 + }

+2

src/index.ts

reviewed

··· 4 4 import { fileURLToPath } from 'node:url'; 5 5 import { Command } from 'commander'; 6 6 import { createAuthCommand } from './commands/auth.js'; 7 7 + import { createSshKeyCommand } from './commands/ssh-key.js'; 7 8 8 9 // Get package.json for version 9 10 const __filename = fileURLToPath(import.meta.url); ··· 19 20 20 21 // Register commands 21 22 program.addCommand(createAuthCommand()); 23 23 + program.addCommand(createSshKeyCommand()); 22 24 23 25 program.parse(process.argv);

+150

tests/commands/ssh-key.test.ts

reviewed

··· 1 1 + import { execSync } from 'node:child_process'; 2 2 + import { beforeEach, describe, expect, it, vi } from 'vitest'; 3 3 + import { createSshKeyCommand } from '../../src/commands/ssh-key.js'; 4 4 + import * as sessionModule from '../../src/lib/session.js'; 5 5 + 6 6 + vi.mock('node:child_process'); 7 7 + vi.mock('../../src/lib/session.js'); 8 8 + 9 9 + describe('SSH Key Commands', () => { 10 10 + let consoleLogSpy: ReturnType<typeof vi.fn>; 11 11 + let consoleErrorSpy: ReturnType<typeof vi.fn>; 12 12 + let processExitSpy: ReturnType<typeof vi.fn>; 13 13 + 14 14 + beforeEach(() => { 15 15 + vi.clearAllMocks(); 16 16 + 17 17 + // Mock console methods 18 18 + consoleLogSpy = vi.spyOn(console, 'log').mockImplementation(() => {}) as never; 19 19 + consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {}) as never; 20 20 + 21 21 + // Mock process.exit to throw to stop execution 22 22 + processExitSpy = vi.spyOn(process, 'exit').mockImplementation((code) => { 23 23 + throw new Error(`process.exit(${code})`); 24 24 + }) as never; 25 25 + }); 26 26 + 27 27 + describe('verify command', () => { 28 28 + it('should parse DID from successful SSH response', async () => { 29 29 + // Mock successful SSH response with actual format from tangled.org 30 30 + const mockSshOutput = 31 31 + "Hi @did:plc:b2mcbcamkwyznc5fkplwlxbf! You've successfully authenticated.\n"; 32 32 + 33 33 + vi.mocked(execSync).mockImplementation(() => { 34 34 + // ssh -T returns non-zero exit code even on success, throw with stderr 35 35 + const error = new Error('SSH command') as Error & { stderr: string }; 36 36 + error.stderr = mockSshOutput; 37 37 + throw error; 38 38 + }); 39 39 + 40 40 + vi.mocked(sessionModule.getCurrentSessionMetadata).mockResolvedValue(null); 41 41 + 42 42 + const sshKey = createSshKeyCommand(); 43 43 + await sshKey.parseAsync(['node', 'test', 'verify']); 44 44 + 45 45 + expect(consoleLogSpy).toHaveBeenCalledWith( 46 46 + expect.stringContaining('SSH authentication successful') 47 47 + ); 48 48 + expect(consoleLogSpy).toHaveBeenCalledWith( 49 49 + expect.stringContaining('did:plc:b2mcbcamkwyznc5fkplwlxbf') 50 50 + ); 51 51 + expect(consoleLogSpy).toHaveBeenCalledWith( 52 52 + expect.stringContaining('Your SSH setup is working correctly') 53 53 + ); 54 54 + }); 55 55 + 56 56 + it('should show handle when logged in user matches SSH DID', async () => { 57 57 + const mockDid = 'did:plc:b2mcbcamkwyznc5fkplwlxbf'; 58 58 + const mockSshOutput = `Hi @${mockDid}! You've successfully authenticated.\n`; 59 59 + 60 60 + vi.mocked(execSync).mockImplementation(() => { 61 61 + const error = new Error('SSH command') as Error & { stderr: string }; 62 62 + error.stderr = mockSshOutput; 63 63 + throw error; 64 64 + }); 65 65 + 66 66 + vi.mocked(sessionModule.getCurrentSessionMetadata).mockResolvedValue({ 67 67 + handle: 'user.bsky.social', 68 68 + did: mockDid, 69 69 + pds: 'https://bsky.social', 70 70 + lastUsed: new Date().toISOString(), 71 71 + }); 72 72 + 73 73 + const sshKey = createSshKeyCommand(); 74 74 + await sshKey.parseAsync(['node', 'test', 'verify']); 75 75 + 76 76 + expect(consoleLogSpy).toHaveBeenCalledWith( 77 77 + expect.stringContaining('did:plc:b2mcbcamkwyznc5fkplwlxbf') 78 78 + ); 79 79 + expect(consoleLogSpy).toHaveBeenCalledWith(expect.stringContaining('@user.bsky.social')); 80 80 + }); 81 81 + 82 82 + it('should not show handle when logged in user does not match SSH DID', async () => { 83 83 + const mockSshOutput = 84 84 + "Hi @did:plc:b2mcbcamkwyznc5fkplwlxbf! You've successfully authenticated.\n"; 85 85 + 86 86 + vi.mocked(execSync).mockImplementation(() => { 87 87 + const error = new Error('SSH command') as Error & { stderr: string }; 88 88 + error.stderr = mockSshOutput; 89 89 + throw error; 90 90 + }); 91 91 + 92 92 + vi.mocked(sessionModule.getCurrentSessionMetadata).mockResolvedValue({ 93 93 + handle: 'otheruser.bsky.social', 94 94 + did: 'did:plc:differentuser', 95 95 + pds: 'https://bsky.social', 96 96 + lastUsed: new Date().toISOString(), 97 97 + }); 98 98 + 99 99 + const sshKey = createSshKeyCommand(); 100 100 + await sshKey.parseAsync(['node', 'test', 'verify']); 101 101 + 102 102 + expect(consoleLogSpy).toHaveBeenCalledWith( 103 103 + expect.stringContaining('did:plc:b2mcbcamkwyznc5fkplwlxbf') 104 104 + ); 105 105 + expect(consoleLogSpy).not.toHaveBeenCalledWith( 106 106 + expect.stringContaining('@otheruser.bsky.social') 107 107 + ); 108 108 + }); 109 109 + 110 110 + it('should handle SSH authentication failure', async () => { 111 111 + const mockSshOutput = 'Permission denied (publickey).\n'; 112 112 + 113 113 + vi.mocked(execSync).mockImplementation(() => { 114 114 + const error = new Error('SSH command') as Error & { stderr: string }; 115 115 + error.stderr = mockSshOutput; 116 116 + throw error; 117 117 + }); 118 118 + 119 119 + const sshKey = createSshKeyCommand(); 120 120 + await expect(sshKey.parseAsync(['node', 'test', 'verify'])).rejects.toThrow('process.exit'); 121 121 + 122 122 + expect(consoleErrorSpy).toHaveBeenCalledWith( 123 123 + expect.stringContaining('SSH authentication failed') 124 124 + ); 125 125 + expect(consoleErrorSpy).toHaveBeenCalledWith( 126 126 + expect.stringContaining('Could not find authenticated DID') 127 127 + ); 128 128 + expect(processExitSpy).toHaveBeenCalledWith(1); 129 129 + }); 130 130 + 131 131 + it('should provide helpful error message on failure', async () => { 132 132 + const mockSshOutput = 'Connection refused'; 133 133 + 134 134 + vi.mocked(execSync).mockImplementation(() => { 135 135 + const error = new Error('SSH command') as Error & { stderr: string }; 136 136 + error.stderr = mockSshOutput; 137 137 + throw error; 138 138 + }); 139 139 + 140 140 + const sshKey = createSshKeyCommand(); 141 141 + await expect(sshKey.parseAsync(['node', 'test', 'verify'])).rejects.toThrow('process.exit'); 142 142 + 143 143 + expect(consoleErrorSpy).toHaveBeenCalledWith(expect.stringContaining('Generated an SSH key')); 144 144 + expect(consoleErrorSpy).toHaveBeenCalledWith( 145 145 + expect.stringContaining('tangled.org/settings/keys') 146 146 + ); 147 147 + expect(consoleErrorSpy).toHaveBeenCalledWith(expect.stringContaining('SSH agent is running')); 148 148 + }); 149 149 + }); 150 150 + });