L0&jV dZddlmZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z ddl mZddlmZddlmZdd lmZdd lmZmZmZmZdd lmZd.dZd/dZd/dZd/dZ d/dZ!d/dZ"d0dZ#d1dZ$d d!d2d'Z%d(d)gZ&d3d-Z'dS)4uCLI handlers for ``hermes secrets bitwarden ...``. Subcommands: setup — interactive wizard: install bws, prompt for token + project, test fetch status — show current config + binary version + last fetch outcome sync — run a fetch right now and show what would be applied (dry-run friendly) disable — flip ``secrets.bitwarden.enabled`` to False install — just download the bws binary (no token / project required) ) annotationsN)Path)ListOptional)Console)Panel)Table) bitwarden) get_env_path load_config save_configsave_env_value)masked_secret_prompt parent_parserargparse.ArgumentParserreturnNonec,|d}|dd}|dd|dd |d d |t |d d}|t |dd}|ddd|t |dd}|t |ddtj d}|ddd|t dS)zAttach the ``bitwarden`` subcommand tree to a parent parser. Called from ``hermes_cli.main`` as part of building the top-level ``hermes secrets`` parser. secrets_bw_command)destsetupzAInteractive wizard: install bws, store access token, pick project)help --project-idz.Pre-select a project UUID instead of prompting--access-tokenzCProvide the access token non-interactively (will be stored in .env) --server-urlzBitwarden region / self-hosted endpoint. Examples: https://vault.bitwarden.com (US, default), https://vault.bitwarden.eu (EU), or your self-hosted URL. Skips the interactive region prompt.)funcstatusz!Show config + binary + last fetchsyncz)Fetch secrets now and report what changedz--apply store_truezKActually export the secrets into the current shell's env (default: dry-run))actionrdisablez"Turn off the Bitwarden integrationinstallz,Download and verify the pinned bws binary (v)z--forcez1Re-download even if a managed copy already existsN) add_subparsers add_parser add_argument set_defaults cmd_setup cmd_statuscmd_sync cmd_disablebw _BWS_VERSION cmd_install)rsubrrrr!r"s ;/home/ubuntu/.hermes/hermes-agent/hermes_cli/secrets_cli.py register_clir1(s  & &,@ & A AC NN P   E  =  R  3 I&&& ^^H+N^ O OF Z((( >>&'R> S SD Z  8$$$nnY-QnRRG k***nn NBO N N NG  @  k*****argsargparse.Namespaceintc t}|tjdd||d t jd}|(|dt j}t|}|d|d |d nF#t$r9}|d |d |d Yd}~dSd}~wwxYwtj sg}|j r|j s|d|jr|j sGt jdd s|d|jr|j s|d|r.|dd|ddS||dt+}|didi}|dd}|j pd } | s%t/d|d } | s|ddS| ds|d t3|| | t j|<|d!t5d"|||d#t7|||} | dS| r|d$| n|d%|jr4|j r|j } n||d&d} t9|| || '} | dS| s,|d(|d)dSt;d*d+,} | d-dd./| d0| d1d23t?| dD]Q\}}| tC||d4d5|d6d5R||  |"d7tG| d8 }|s< tI|}n%#tJ$r|d9YnwxYwd|cxkrtG| krnn| |dz d6} n'|d:tG| d;||jr|j sd t j&| | |d| ?\}}n1#t$r$}|d@|d Yd}~dSd}~wwxYw|s|dAnt;d*d+,} | d0d3| dBtO|D]E}||krdC}n$t j|rdD}ndE}| ||F|| |D]}|dF|d*|dG<| |dH<| |dI<|d||dJdK|dLd*|dMd*tQ|||dN|dOdPS)QNu[bold]Bitwarden Secrets Manager setup[/bold] Need an access token? In the Bitwarden web app: Secrets Manager → Machine accounts → [your account] → Access tokens → Create access token Copy the token (starts with [cyan]0.[/cyan]…) — it cannot be retrieved later.cyan) border_stylez([bold]Step 1[/bold] Install the bws CLIFinstall_if_missingu# No bws on PATH — downloading…u [green]✓[/green]  (r#u" [red]✗ Could not install bws: [/red]z> Manual install: https://github.com/bitwarden/sdk-sm/releasesrBWS_SERVER_URLrrzP [red]Non-interactive mode (no TTY) requires all setup flags.[/red] Missing: z, z Usage: hermes secrets bitwarden setup \ --access-token '0.xxx' \ --server-url 'https://vault.bitwarden.com' \ --project-id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'z.[bold]Step 2[/bold] Provide your access tokensecretsr access_token_envBWS_ACCESS_TOKENz Paste access token (z): z# [red]Empty token, aborting.[/red]z0.u [yellow]Warning: token doesn't start with '0.' — usually that means you pasted something other than a BSM access token. Continuing anyway.[/yellow]u [green]✓[/green] stored in z as z,[bold]Step 3[/bold] Pick a Bitwarden regionu [green]✓[/green] using uN [green]✓[/green] using bws default (US Cloud, https://vault.bitwarden.com)z#[bold]Step 4[/bold] Pick a project server_urlz? [yellow]No projects visible to this machine account.[/yellow]ur In the Bitwarden web app, open the machine account → Projects tab and grant it access to at least one project.Tbold show_header header_style#stylewidthNameIDdimrLname?idz Select project [1-z]:  [red]Enter a number.[/red] [red]Out of range — pick 1-.[/red]z [bold]Step z[/bold] Test fetch) access_token project_idbinary use_cacherDu [red]✗ Fetch failed: zB [yellow]Fetch succeeded but the project has no secrets.[/yellow]Statusu5[dim]bootstrap token — never overrides itself[/dim]z9[yellow]already set in env (will be overwritten)[/yellow]z[green]new[/green]z [yellow]warning:[/yellow] enabledrZrDcache_ttl_seconds,override_existing auto_installuv[green]✓ Bitwarden Secrets Manager is enabled.[/green] Secrets will be pulled at the start of every Hermes process.z Status: [cyan]hermes secrets bitwarden status[/cyan] Refresh: [cyan]hermes secrets bitwarden sync[/cyan] Disable: [cyan]hermes secrets bitwarden disable[/cyan]r))rprintrfitr,find_bws install_bws _bws_version ExceptionsysstdinisattyrYstripappendrDosenvirongetrZjoinr setdefaultr startswithrr _resolve_server_url_list_projectsr add_column enumerateadd_rowstrinputlenr5 ValueErrorfetch_bitwarden_secretssortedr )r3consoler[versionexcmissingcfg secrets_cfg token_envtokenrDrZprojectstableipchoiceidxstep_numr@warningskeyrws r0r(r(fs4 iiG MM  `         MMOOO MM<=== 666 > MM? @ @ @^%%Fv&& CfCCCCCDDDD  F3FFFGGG  ;   qqqqq  9    ! -d&7&=&=&?&? - NN+ , , , /DO$9$9$;$; /:>>"2B77==?? /~... +DO$9$9$;$; + NN> * * *   MML"ii00LLL   1 MMOOO MMBCCC --C>>)R00 jb11 24FGGI   $" + + - -E V$%Li%L%L%LMMSSUU  ;<<<q   D ! !   _   9e$$$!BJy MMSLNNSS SSTTT MMOOO MM@AAA$T;@@Jq  @J@@AAAA  6    %T4?0022%T_**,,   ;<<< !&%ZPPP  1  MM[ \ \ \ MM?   1$V<<< F!444     U+++h** H HDAq MM#a&&!%%"4"4aeeD#6F6F G G G G e T]]#L#h--#L#L#LMMSSUUF  &kk    <=== C((((3x==(((((%cAg.t4  MMRCMMRRR S S S T MMOOOLT_-B-B-D-DLqq1H MM====>>> 6!!      =#===>>>qqqqq  Z[[[[$V<<< v... """'?? ' 'CiP$$ .T- MM#v & & & & e :: 8Q889999"K  *K  *K -y999.444.555>4000 MMOOO MM G MM C 1sC"A*C D.D  DV))W  W 6Z [Z<<[c t}t}|dpidpi}t|d}|dd}|dd}t |ddpd}tt j|}td dd } | dd | d| dt|| d|| dt|| d|pd| d|pd| dtt|dd | dt |dd| dtt|ddtj d } | r*| d| dt| d n| dd!|t!| d"d#$|s|d%d&S|s|d'|d(|s|d)d&S)*Nr@r r^rArBrZr?rDFr)rGboxpaddingrErQEnabledz Token env varz Token in envz Project IDz[dim](unset)[/dim]z Server URLz:[dim]default (US Cloud, https://vault.bitwarden.com)[/dim]zOverride existingraz Cache TTL (s)r_r`z Auto-installrbTr9z bws binaryz (r#z[yellow]not installed[/yellow]zBitwarden Secrets Managerr7)titler8z= Run [cyan]hermes secrets bitwarden setup[/cyan] to enable.rz [yellow]Enabled but uG is not set — Hermes will skip BSM and warn on next startup.[/yellow]uC [yellow]Enabled but no project_id — nothing to fetch.[/yellow])rr rpboolryrlrnror rvrx_ynr,rergrcr) r3rrbw_cfgr^rrZrD token_setrr[s r0r)r)#siiG --Cggi  &B + +K 8 8 >BF6::i(())G -/ABBIL"--JVZZ b117R88>>@@JRZ^^I..//I ev > > >E Rv&&& R MM)S\\222 MM/Y/// MM.S^^444 MM,Z%G3GHHH MMRR MM%s4 ;NPU0V0V+W+W'X'XYYY MM/S4G)M)M%N%NOOO MM.Sfjj.N.N)O)O%P%PQQQ [E 2 2 2F G l%I%I,v2F2F%I%I%IJJJJ l%EFFF MM%%@vVVVWWW  VWWWq    1y 1 1 1      R    1r2ct}t}|dpidpi}|ds|ddS|dd}tj|d}|s|d |d dS|d d}|s|d dSt|d dpd} tj ||d|\}} n1#t$r$} |d| dYd} ~ dSd} ~ wwxYw|s|ddSt|ddp|j } tdd} | dd| dd} t|D]}||kr| |dttj|}|r| s| |df|j r8||tj|<| dz } | |d|rdndz| |d |rd!ndz|| | D]}|d"||j s|d#n|d$| d%dS)&Nr@r r^z`[yellow]Bitwarden integration is disabled. Run `hermes secrets bitwarden setup` first.[/yellow]r=rArBr?z[red]z is not set.[/red]rZz$[red]No project_id configured.[/red]rDF)rYrZr\rDz[red]Fetch failed: r<z'[yellow]No secrets in project.[/yellow]rraTrErFrNr7rQActionz![dim]skip (bootstrap token)[/dim]z[dim]skip (already set)[/dim]z[green]exported[/green]z (overrode)zreen]would export[/green]z (overrides)z[yellow]warning:[/yellow] u This was a dry-run — secrets are picked up automatically on the next [cyan]hermes[/cyan] invocation. Re-run with [cyan]--apply[/cyan] to export into the current shell instead.z [green]Exported z( secret(s) into current process.[/green])rr rprcrnrorlryr,r}rhrapplyr rvr~rx)r3rrrrrrZrDr@rroverriderappliedralreadyrs r0r*r*TsiiG --Cggi  &B + +K 8 8 >BF ::i   ?   q -/ABBI JNN9b ) ) / / 1 1E  ;i;;;<<<qL"--J  <===qVZZ b117R88>>@@J 6!!      7C777888qqqqq  ?@@@qFJJ2E::;;ItzH d 8 8 8E V6*** XGg d d )   MM#B C C C rz~~c**++  8  MM#> ? ? ?  : d%clBJsO qLG MM#8W<\MMZ\] ^ ^ ^ ^ MM#Q  J,#*3355@@BB1E E  Z. /      sA)A--BBr?rCrrrrDOptional[List[dict]]c|tj}||d<|dd|r||d< t jt |ddddg|d d d }n=#ttjf$r$}| d |d Yd}~dSd}~wwxYw|j dkr|j p|j dd}| d|d |}d|vsd|vr| dnd|vsd|vr| ddS tj|j pd} n6#tj$r$}| d|d Yd}~dSd}~wwxYwt%| t&sgSd| DS)zICall ``bws project list`` and return the parsed list, or None on failure.rBNO_COLOR1r>projectlistz--outputjsonT)envrrrz [red]Couldn't list projects: r<Nrr`z [red]bws project list failed: invalid_clientz400 bad requesta$ [yellow]'invalid_client' from the US identity endpoint usually means the token is for a different Bitwarden region. Re-run [cyan]hermes secrets bitwarden setup[/cyan] and pick EU or self-hosted at the region prompt, or set [cyan]secrets.bitwarden.server_url[/cyan] in config.yaml.[/yellow] authorizationinvalidzu [yellow]This usually means the access token is wrong or revoked. Double-check it in the Bitwarden web app.[/yellow]z[]z [red]bws returned non-JSON: cfg|].}t|t|d,|/S)rT) isinstancedictrp).0rs r0 z"_list_projects..s6 C C C!z!T22 CquuT{{ CA C C Cr2)rnrocopyrrrrryrrrcrrrrllowerrloadsJSONDecodeErrorrr) r[rrrDrrrerrlowereddatas r0rurus< *//  C#CNN:s###+ *  n [[)VZ @     Z. / CCCCDDDttttt ~z'SZ..00#6 DDDDEEE))++ w & &*;w*F*F MM=     ' '9+?+? MME   tz#*,--   BsBBBCCCttttt dD ! ! C Ct C C CCs0+A..B(B##B( E%%F4FF)u7US Cloud (https://vault.bitwarden.com — bws default)r?)z&EU Cloud (https://vault.bitwarden.eu)zhttps://vault.bitwarden.eurr Optional[str]c"|jr2|jr|jStjdd}|r|d|d|St |ddpd}|r|d|dtdd d d }|d dd|dttdD]+\}\}}| t ||,| t ttdzd||ttdz} d| d} |r| dz } | dz } | | } | s|r|S|dV t| } n%#t$r|dYwxYwd| cxkrttkrnnt| dz dS| | krl| d} | s|dd S| ds|d| S|d| dP)aPick a Bitwarden server URL for setup. Resolution order: 1. ``--server-url`` CLI flag (non-interactive) 2. ``BWS_SERVER_URL`` env var (so users running with that already set in their shell don't have to re-enter it) 3. Existing ``secrets.bitwarden.server_url`` value (for re-runs) 4. Interactive menu: US / EU / self-hosted Returns the chosen URL as a string (empty string = bws default, i.e. US Cloud). Returns None if the user aborted with an empty custom URL. r>r?z' Detected [cyan]BWS_SERVER_URL[/cyan]=u in your shell — using it.rDz Existing config: [cyan]z?[/cyan]. Press Enter to keep, or pick a different option below.TrENr)rGrHrrrIr7rJrKzRegion / endpointr=zSelf-hosted / custom URLz Select region [1-]z (Enter to keep current)z: rUzD Enter your Bitwarden server URL (e.g. https://vault.example.com): z! [red]Empty URL, aborting.[/red])zhttp://zhttps://u] [yellow]Warning: URL doesn't start with http:// or https:// — bws may reject it.[/yellow]rVrW)rDrlrnrorprcryr rvrw_REGION_PRESETSrxr{rzr5r|rs)r3rrenv_urlexistingrrlabel_url custom_idxpromptrrcustoms r0rtrt su$ '4?0022'$$&&&jnn-r2288::G [g [ [ [   ;??<44:;;AACCH   E E E E   dT6 R R RE Sa000 ()))%oq99%%=E4 c!ffe$$$$ MM#c/**Q.//1KLLL MM%_%%)J M4z444  1 0 0F$v&&,,..   MM8 9 9 9  f++CC    MM8 9 9 9 H   + + + +s?++ + + + + +"37+A. . *  ]]5egg   ABBBt$$%<==  ?M K KKKLLLA MsH''I I )rrrr)r3r4rr5)rrrry)r[rrry) r[rrryrrrDryrr)r3r4rrrrrr)(__doc__ __future__rargparserrnrripathlibrtypingrr rich.consoler rich.panelr rich.tabler agent.secret_sourcesr r,hermes_cli.configr r r rhermes_cli.secret_promptrr1r(r)r*r+r.rrgrurrtrr2r0rs'#"""""  !!!!!!!! 000000 :999996+6+6+6+|z z z z z. . . . bG G G G T      ::::     FH/D/D/D/D/D/DlDL LMLMLMLMLMLMr2