FjRdZddlmZddlZddlZddlZddlZddlmZddl m Z m Z ddl m Z ddlmZddlmZdd lmZdd lmZmZmZmZdd lmZd.dZd/dZd/dZd/dZd/dZ d/dZ!d0dZ"d1dZ#d d!d2d'Z$d(d)gZ%d3d-Z&dS)4uCLI handlers for ``hermes secrets bitwarden ...``. Subcommands: setup — interactive wizard: install bws, prompt for token + project, test fetch status — show current config + binary version + last fetch outcome sync — run a fetch right now and show what would be applied (dry-run friendly) disable — flip ``secrets.bitwarden.enabled`` to False install — just download the bws binary (no token / project required) ) annotationsN)Path)ListOptional)Console)Panel)Table) bitwarden) get_env_path load_config save_configsave_env_value)masked_secret_prompt parent_parserargparse.ArgumentParserreturnNonec,|d}|dd}|dd|dd |d d |t |d d}|t |dd}|ddd|t |dd}|t |ddtj d}|ddd|t dS)zAttach the ``bitwarden`` subcommand tree to a parent parser. Called from ``hermes_cli.main`` as part of building the top-level ``hermes secrets`` parser. secrets_bw_command)destsetupzAInteractive wizard: install bws, store access token, pick project)helpz --project-idz.Pre-select a project UUID instead of promptingz--access-tokenzCProvide the access token non-interactively (will be stored in .env)z --server-urlzBitwarden region / self-hosted endpoint. Examples: https://vault.bitwarden.com (US, default), https://vault.bitwarden.eu (EU), or your self-hosted URL. Skips the interactive region prompt.)funcstatusz!Show config + binary + last fetchsyncz)Fetch secrets now and report what changedz--apply store_truezKActually export the secrets into the current shell's env (default: dry-run))actionrdisablez"Turn off the Bitwarden integrationinstallz,Download and verify the pinned bws binary (v)z--forcez1Re-download even if a managed copy already existsN) add_subparsers add_parser add_argument set_defaults cmd_setup cmd_statuscmd_sync cmd_disablebw _BWS_VERSION cmd_install)rsubrrrrrs 5/usr/local/lib/hermes-agent/hermes_cli/secrets_cli.py register_clir.'s  & &,@ & A AC NN P   E  =  R  3 I&&& ^^H+N^ O OF Z((( >>&'R> S SD Z  8$$$nnY-QnRRG k***nn NBO N N NG  @  k*****argsargparse.Namespaceintc ht}|tjdd||d t jd}|(|dt j}t|}|d|d |d nF#t$r9}|d |d |d Yd}~dSd}~wwxYw||dt}| di di}| dd}|j pd }|s%td|d }|s|ddS|ds|dt!|||t"j|<|dt'd|||dt)|||} | dS| r|d| n|d|jr4|j r|j } n||dd} t-|||| } | dS| s,|d!|d"dSt/d#d$%} | d&dd'(| d)| d*d+,t3| dD]Q\} }| t7| | d-d.| d/d.R||  |d0t;| d1 }|s< t=|}n%#t>$r|d2YnwxYwd|cxkrt;| krnn| |dz d/} n'|d3t;| d4||jr|j sd5nd'}|d6|d7 t j || |d| 8\}}n1#t$r$}|d9|d Yd}~dSd}~wwxYw|s|d:nt/d#d$%} | d)d,| d;tC|D]E}||krd<}n$t"j |rd=}nd>}| ||F|| |D]}|d?|d#|d@<| |dA<| |dB<| d|| dCdD| dEd#| dFd#tE|||dG|dHdIS)JNu[bold]Bitwarden Secrets Manager setup[/bold] Need an access token? In the Bitwarden web app: Secrets Manager → Machine accounts → [your account] → Access tokens → Create access token Copy the token (starts with [cyan]0.[/cyan]…) — it cannot be retrieved later.cyan) border_stylez([bold]Step 1[/bold] Install the bws CLIFinstall_if_missingu# No bws on PATH — downloading…u [green]✓[/green]  (r u" [red]✗ Could not install bws: [/red]z> Manual install: https://github.com/bitwarden/sdk-sm/releasesz.[bold]Step 2[/bold] Provide your access tokensecretsr access_token_envBWS_ACCESS_TOKENz Paste access token (z): z# [red]Empty token, aborting.[/red]z0.u [yellow]Warning: token doesn't start with '0.' — usually that means you pasted something other than a BSM access token. Continuing anyway.[/yellow]u [green]✓[/green] stored in z as z,[bold]Step 3[/bold] Pick a Bitwarden regionu [green]✓[/green] using uN [green]✓[/green] using bws default (US Cloud, https://vault.bitwarden.com)z#[bold]Step 4[/bold] Pick a project server_urlz? [yellow]No projects visible to this machine account.[/yellow]ur In the Bitwarden web app, open the machine account → Projects tab and grant it access to at least one project.Tbold show_header header_style#stylewidthNameIDdimrHname?idz Select project [1-z]:  [red]Enter a number.[/red] [red]Out of range — pick 1-.[/red]z [bold]Step z[/bold] Test fetch) access_token project_idbinary use_cacher@u [red]✗ Fetch failed: zB [yellow]Fetch succeeded but the project has no secrets.[/yellow]Statusu5[dim]bootstrap token — never overrides itself[/dim]z9[yellow]already set in env (will be overwritten)[/yellow]z[green]new[/green]z [yellow]warning:[/yellow] enabledrVr@cache_ttl_seconds,override_existing auto_installuv[green]✓ Bitwarden Secrets Manager is enabled.[/green] Secrets will be pulled at the start of every Hermes process.z Status: [cyan]hermes secrets bitwarden status[/cyan] Refresh: [cyan]hermes secrets bitwarden sync[/cyan] Disable: [cyan]hermes secrets bitwarden disable[/cyan]r)#rprintrfitr)find_bws install_bws _bws_version Exceptionr setdefaultgetrUstripr startswithrosenvironr _resolve_server_urlrV_list_projectsr add_column enumerateadd_rowstrinputlenr2 ValueErrorfetch_bitwarden_secretssortedr )r0consolerWversionexccfg secrets_cfg token_envtokenr@rVprojectstableipchoiceidxstep_numr;warningskeyrws r-r%r%esiiG MM  `         MMOOO MM<=== 666 > MM? @ @ @^%%Fv&& CfCCCCCDDDD  F3FFFGGG  ;   qqqqq  MMOOO MMBCCC --C>>)R00 jb11 24FGGI   $" + + - -E V$%Li%L%L%LMMSSUU  ;<<<q   D ! !   _   9e$$$!BJy MMSLNNSS SSTTT MMOOO MM@AAA$T;@@Jq  @J@@AAAA  6    %T4?0022%T_**,,   ;<<< !&%ZPPP  1  MM[ \ \ \ MM?   1$V<<< F!444     U+++h** H HDAq MM#a&&!%%"4"4aeeD#6F6F G G G G e T]]#L#h--#L#L#LMMSSUUF  &kk    <=== C((((3x==(((((%cAg.t4  MMRCMMRRR S S S T MMOOOLT_-B-B-D-DLqq1H MM====>>> 6!!      =#===>>>qqqqq  Z[[[[$V<<< v... """'?? ' 'CiP$$ .T- MM#v & & & & e :: 8Q889999"K  *K  *K -y999.444.555>4000 MMOOO MM G MM C 1sC"A*C D.D  D7RR)(R)U11 V;VVc t}t}|dpidpi}t|d}|dd}|dd}t |ddpd}tt j|}td dd } | dd | d| dt|| d|| dt|| d|pd| d|pd| dtt|dd | dt |dd| dtt|ddtj d } | r*| d| dt| d n| dd!|t!| d"d#$|s|d%d&S|s|d'|d(|s|d)d&S)*Nr;r rZr<r=rVr>r@Fr)rCboxpaddingrArMEnabledz Token env varz Token in envz Project IDz[dim](unset)[/dim]z Server URLz:[dim]default (US Cloud, https://vault.bitwarden.com)[/dim]zOverride existingr]z Cache TTL (s)r[r\z Auto-installr^Tr6z bws binaryz (r z[yellow]not installed[/yellow]zBitwarden Secrets Managerr4)titler5z= Run [cyan]hermes secrets bitwarden setup[/cyan] to enable.rz [yellow]Enabled but uG is not set — Hermes will skip BSM and warn on next startup.[/yellow]uC [yellow]Enabled but no project_id — nothing to fetch.[/yellow])rr rfboolrprgrirjr rmro_ynr)rarcr_r) r0rvrybw_cfgrZr{rVr@ token_setr~rWs r-r&r& siiG --Cggi  &B + +K 8 8 >BF6::i(())G -/ABBIL"--JVZZ b117R88>>@@JRZ^^I..//I ev > > >E Rv&&& R MM)S\\222 MM/Y/// MM.S^^444 MM,Z%G3GHHH MMRR MM%s4 ;NPU0V0V+W+W'X'XYYY MM/S4G)M)M%N%NOOO MM.Sfjj.N.N)O)O%P%PQQQ [E 2 2 2F G l%I%I,v2F2F%I%I%IJJJJ l%EFFF MM%%@vVVVWWW  VWWWq    1y 1 1 1      R    1r/ct}t}|dpidpi}|ds|ddS|dd}tj|d}|s|d |d dS|d d}|s|d dSt|d dpd} tj ||d|\}} n1#t$r$} |d| dYd} ~ dSd} ~ wwxYw|s|ddSt|ddp|j } tdd} | dd| dd} t|D]}||kr| |dttj|}|r| s| |df|j r8||tj|<| dz } | |d|rdndz| |d |rd!ndz|| | D]}|d"||j s|d#n|d$| d%dS)&Nr;r rZz`[yellow]Bitwarden integration is disabled. Run `hermes secrets bitwarden setup` first.[/yellow]r:r<r=r>z[red]z is not set.[/red]rVz$[red]No project_id configured.[/red]r@F)rUrVrXr@z[red]Fetch failed: r9z'[yellow]No secrets in project.[/yellow]rr]TrArBrJr4rMActionz![dim]skip (bootstrap token)[/dim]z[dim]skip (already set)[/dim]z[green]exported[/green]z (overrode)zreen]would export[/green]z (overrides)z[yellow]warning:[/yellow] u This was a dry-run — secrets are picked up automatically on the next [cyan]hermes[/cyan] invocation. Re-run with [cyan]--apply[/cyan] to export into the current shell instead.z [green]Exported z( secret(s) into current process.[/green])rr rfr_rirjrgrpr)rtrdrapplyr rmruro)r0rvryrr{r|rVr@r;rrxoverrider~appliedralreadyrs r-r'r'<siiG --Cggi  &B + +K 8 8 >BF ::i   ?   q -/ABBI JNN9b ) ) / / 1 1E  ;i;;;<<<qL"--J  <===qVZZ b117R88>>@@J 6!!      7C777888qqqqq  ?@@@qFJJ2E::;;ItzH d 8 8 8E V6*** XGg d d )   MM#B C C C rz~~c**++  8  MM#> ? ? ?  : d%clBJsO qLG MM#8W<\MMZ\] ^ ^ ^ ^ MM#Q  J,#*3355@@BB1E E  Z. /      sA)A--BBr>r?r|rvrr@Optional[List[dict]]c|tj}||d<|dd|r||d< t jt |ddddg|d d d }n=#ttjf$r$}| d |d Yd}~dSd}~wwxYw|j dkr|j p|j dd}| d|d |}d|vsd|vr| dnd|vsd|vr| ddS tj|j pd} n6#tj$r$}| d|d Yd}~dSd}~wwxYwt%| t&sgSd| DS)zICall ``bws project list`` and return the parsed list, or None on failure.r=NO_COLOR1BWS_SERVER_URLprojectlistz--outputjsonT)envrrrz [red]Couldn't list projects: r9Nrr\z [red]bws project list failed: invalid_clientz400 bad requesta$ [yellow]'invalid_client' from the US identity endpoint usually means the token is for a different Bitwarden region. Re-run [cyan]hermes secrets bitwarden setup[/cyan] and pick EU or self-hosted at the region prompt, or set [cyan]secrets.bitwarden.server_url[/cyan] in config.yaml.[/yellow] authorizationinvalidzu [yellow]This usually means the access token is wrong or revoked. Double-check it in the Bitwarden web app.[/yellow]z[]z [red]bws returned non-JSON: cfg|].}t|t|d,|/S)rP) isinstancedictrf).0rs r- z"_list_projects..s6 C C C!z!T22 CquuT{{ CA C C Cr/)rirjcopyrerrrprrr_rrrrglowerrloadsJSONDecodeErrorrr) rWr|rvr@rrrxerrlowereddatas r-rlrls< *//  C#CNN:s###+ *  n [[)VZ @     Z. / CCCCDDDttttt ~z'SZ..00#6 DDDDEEE))++ w & &*;w*F*F MM=     ' '9+?+? MME   tz#*,--   BsBBBCCCttttt dD ! ! C Ct C C CCs0+A..B(B##B( E%%F4FF)u7US Cloud (https://vault.bitwarden.com — bws default)r>)z&EU Cloud (https://vault.bitwarden.eu)zhttps://vault.bitwarden.eurzr Optional[str]c"|jr2|jr|jStjdd}|r|d|d|St |ddpd}|r|d|dtdd d d }|d dd|dttdD]+\}\}}| t ||,| t ttdzd||ttdz} d| d} |r| dz } | dz } | | } | s|r|S|dV t| } n%#t$r|dYwxYwd| cxkrttkrnnt| dz dS| | krl| d} | s|dd S| ds|d| S|d| dP)aPick a Bitwarden server URL for setup. Resolution order: 1. ``--server-url`` CLI flag (non-interactive) 2. ``BWS_SERVER_URL`` env var (so users running with that already set in their shell don't have to re-enter it) 3. Existing ``secrets.bitwarden.server_url`` value (for re-runs) 4. Interactive menu: US / EU / self-hosted Returns the chosen URL as a string (empty string = bws default, i.e. US Cloud). Returns None if the user aborted with an empty custom URL. rr>z' Detected [cyan]BWS_SERVER_URL[/cyan]=u in your shell — using it.r@z Existing config: [cyan]z?[/cyan]. Press Enter to keep, or pick a different option below.TrANr)rCrDrrrEr4rFrGzRegion / endpointr:zSelf-hosted / custom URLz Select region [1-]z (Enter to keep current)z: rQzD Enter your Bitwarden server URL (e.g. https://vault.example.com): z! [red]Empty URL, aborting.[/red])zhttp://zhttps://u] [yellow]Warning: URL doesn't start with http:// or https:// — bws may reject it.[/yellow]rRrS)r@rgrirjrfr_rpr rmrn_REGION_PRESETSrorrrqr2rsrh)r0rzrvenv_urlexistingr~rlabel_url custom_idxpromptrrcustoms r-rkrksu$ '4?0022'$$&&&jnn-r2288::G [g [ [ [   ;??<44:;;AACCH   E E E E   dT6 R R RE Sa000 ()))%oq99%%=E4 c!ffe$$$$ MM#c/**Q.//1KLLL MM%_%%)J M4z444  1 0 0F$v&&,,..   MM8 9 9 9  f++CC    MM8 9 9 9 H   + + + +s?++ + + + + +"37+A. . *  ]]5egg   ABBBt$$%<==  ?M K KKKLLLA MsH''I I )rrrr)r0r1rr2)rrrrp)rWrrrp) rWrr|rprvrr@rprr)r0r1rzrrvrrr)'__doc__ __future__rargparserrirpathlibrtypingrr rich.consoler rich.panelr rich.tabler agent.secret_sourcesr r)hermes_cli.configr r r rhermes_cli.secret_promptrr.r%r&r'r(r+rrcrlrrkrr/r-rs#""""" !!!!!!!! 000000 :999996+6+6+6+|c c c c L. . . . bG G G G T      ::::     FH/D/D/D/D/D/DlDL LMLMLMLMLMLMr/