keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_primitives/_rust/kei-auth/src/main.rs
Parfii-bot a4e667de10 KeiSeiKit-public — clean state 
Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.
2026-05-01 12:09:03 +08:00

80 lines
2.6 KiB
Rust
Raw Blame History

//! kei-auth CLI — issue/verify/revoke.
//!
//! v0.14.1 security fix: the `--key` CLI flag was removed because it
//! leaked the HMAC signing secret through `/proc/<pid>/cmdline` and
//! shell history. The only supported key source is the `KEI_AUTH_KEY`
//! env var (sourced from `~/.claude/secrets/.env` per RULE 0.8).
use clap::{Parser, Subcommand};
use kei_auth::schema::open;
use kei_auth::scopes::Scope;
use kei_auth::tokens::{issue, revoke, verify};
use std::path::PathBuf;
use std::process::ExitCode;
use std::str::FromStr;
#[derive(Parser)]
#[command(name = "kei-auth", version)]
struct Cli {
#[arg(long)] db: Option<PathBuf>,
#[command(subcommand)] cmd: Cmd,
}
#[derive(Subcommand)]
enum Cmd {
Issue { #[arg(long)] user: String,
#[arg(long)] project: String,
#[arg(long, default_value = "read")] scope: String,
#[arg(long, default_value_t = 86400)] ttl: i64 },
Verify { token: String },
Revoke { token: String },
}
fn db_path(o: Option<PathBuf>) -> PathBuf {
if let Some(p) = o { return p; }
if let Ok(e) = std::env::var("KEI_AUTH_DB") { return PathBuf::from(e); }
let home = std::env::var("HOME").unwrap_or_else(|_| ".".into());
PathBuf::from(home).join(".claude/auth/auth.sqlite")
}
fn key() -> anyhow::Result<Vec<u8>> {
let k = std::env::var("KEI_AUTH_KEY").map_err(|_| {
anyhow::anyhow!(
"KEI_AUTH_KEY env var not set.\n \
Set it before running kei-auth:\n \
export KEI_AUTH_KEY=\"$(openssl rand -hex 32)\"\n \
Or read from ~/.claude/secrets/.env (RULE 0.8 SSoT).\n \
The previous --key CLI flag was removed in v0.14.1 because \
it leaked the secret via /proc/<pid>/cmdline."
)
})?;
Ok(k.into_bytes())
}
fn run() -> anyhow::Result<()> {
let cli = Cli::parse();
let conn = open(&db_path(cli.db))?;
let k = key()?;
match cli.cmd {
Cmd::Issue { user, project, scope, ttl } => {
let sc = Scope::from_str(&scope).map_err(|e| anyhow::anyhow!(e))?;
println!("{}", issue(&conn, &user, &project, sc, ttl, &k)?);
}
Cmd::Verify { token } => {
let out = verify(&conn, &token, &k)?;
println!("user={} project={} scope={}", out.user_id, out.project, out.scope);
}
Cmd::Revoke { token } => {
let n = revoke(&conn, &token)?;
println!("revoked {} row(s)", n);
}
}
Ok(())
}
fn main() -> ExitCode {
match run() {
Ok(()) => ExitCode::SUCCESS,
Err(e) => { eprintln!("kei-auth: {e:#}"); ExitCode::from(1) }
}
}
Reference in a new issue View git blame Copy permalink