mirror of
https://github.com/sipeed/picoclaw.git
synced 2026-06-12 18:08:54 +00:00
sky5454
2f10b47f59
* feat(credential): add AES-GCM encryption, SecureStore, and onboard keygen - pkg/credential: new package with AES-256-GCM enc:// credential format, HKDF-SHA256 key derivation (passphrase + optional SSH key binding), ErrPassphraseRequired / ErrDecryptionFailed sentinel errors, and PassphraseProvider hook for runtime passphrase injection - pkg/credential/store: lock-free SecureStore via atomic.Pointer[string]; passphrase never written to disk or os.Environ - pkg/credential/keygen: ed25519 SSH key generation helper used by onboard - pkg/config: replace os.Getenv(PassphraseEnvVar) with credential.PassphraseProvider() at all three call sites so that LoadConfig and SaveConfig use whatever passphrase source is active - cmd/picoclaw/onboard: prompt for passphrase with echo-off, generate picoclaw-specific SSH key, re-encrypt existing config on re-onboard - docs/credential_encryption.md: design doc for the enc:// format * fix(credential): address Copilot review comments on PR #1521 - credential.go: decouple ErrPassphraseRequired from env var name; message is now 'enc:// passphrase required' since PassphraseProvider may come from any source, not just os.Environ - credential.go: Resolver resolves symlinks via EvalSymlinks before the isWithinDir containment check, preventing symlink-based path traversal for file:// credential references - store.go: tighten comment to describe only what SecureStore guarantees (in-memory only); remove claims about how callers transport the value - store_test.go: replace the meaningless GetReturnsCopy test (Go strings are immutable, equality across two calls proves nothing) with TestSecureStore_ConcurrentSetGet that exercises atomic.Pointer under 10-goroutine concurrent Set/Get load - config_test.go: update error-message assertion to match new sentinel text - docs/credential_encryption.md: remove reference to non-existent 'picoclaw encrypt' subcommand; describe the onboard flow instead * fix(config): encryptPlaintextAPIKeys: struct-based encryption, fail-fast, remove raw []byte * fix(credential): require SSH private key for encryption/decryption, remove passphrase-only mode * lint: fix credential keygen lint, fix test keygen * onboard: make encryption opt-in via --enc flag Encryption (passphrase prompt + SSH key generation) is now only triggered when the user passes --enc to 'picoclaw onboard'. Without the flag, onboard skips the credential-encryption setup and writes a plain config + workspace templates directly. - Add --enc BoolFlag in NewOnboardCommand() - Pass encrypt bool into onboard() - Guard passphrase prompt, SSH key generation, and related env-var setup behind the encrypt branch - Adjust 'Next steps' output so the passphrase reminder only appears when --enc was used
45 lines
1.0 KiB
Go
45 lines
1.0 KiB
Go
package credential
|
|
|
|
import "sync/atomic"
|
|
|
|
// SecureStore holds a passphrase in memory.
|
|
//
|
|
// Uses atomic.Pointer so reads and writes are lock-free.
|
|
// The passphrase is never written to disk; callers decide how to
|
|
// transport it outside this store (e.g., via cmd.Env or os.Environ).
|
|
type SecureStore struct {
|
|
val atomic.Pointer[string]
|
|
}
|
|
|
|
// NewSecureStore creates an empty SecureStore.
|
|
func NewSecureStore() *SecureStore {
|
|
return &SecureStore{}
|
|
}
|
|
|
|
// SetString stores the passphrase. An empty string clears the store.
|
|
func (s *SecureStore) SetString(passphrase string) {
|
|
if passphrase == "" {
|
|
s.val.Store(nil)
|
|
return
|
|
}
|
|
s.val.Store(&passphrase)
|
|
}
|
|
|
|
// Get returns the stored passphrase, or "" if not set.
|
|
func (s *SecureStore) Get() string {
|
|
if p := s.val.Load(); p != nil {
|
|
return *p
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// IsSet reports whether a passphrase is currently stored.
|
|
func (s *SecureStore) IsSet() bool {
|
|
return s.val.Load() != nil
|
|
}
|
|
|
|
// Clear removes the stored passphrase.
|
|
func (s *SecureStore) Clear() {
|
|
s.val.Store(nil)
|
|
}
|