use named import, options to select encodings, add streaming encryption

Author: ddebin

.github/codecov.yml

@@ -0,0 +1,4 @@
+codecov:
+  parsers:
+    lcov:
+      partials_as_hits: true

.github/workflows/main.yml

@@ -12,7 +12,7 @@ jobs:
       matrix:
         node-version: [18, 20, 22, 24, latest]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: webfactory/ssh-agent@v0.10.0
         with:
           ssh-private-key: |
@@ -29,6 +29,6 @@ jobs:
       - run: node ./dist/src/cli.js --help
       - run: npm run coverage
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/npm-publish.yml

@@ -15,7 +15,7 @@ jobs:
       id-token: write # Required for OIDC
       contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: webfactory/ssh-agent@v0.10.0
         with:
           ssh-private-key: |

README.md

@@ -2,7 +2,7 @@
 
 [![CI](https://img.shields.io/github/actions/workflow/status/ddebin/ssh-agent-secrets/main.yml)](https://github.com/ddebin/ssh-agent-secrets/actions)
 [![Codecov](https://img.shields.io/codecov/c/github/ddebin/ssh-agent-secrets)](https://app.codecov.io/gh/ddebin/ssh-agent-secrets)
-[![Release](https://img.shields.io/github/v/release/ddebin/ssh-agent-secrets)](https://github.com/ddebin/ssh-agent-secrets/releases)
+[![NPM](https://img.shields.io/npm/v/ssh-agent-secrets)](https://www.npmjs.com/package/ssh-agent-secrets)
 [![License](https://img.shields.io/github/license/ddebin/ssh-agent-secrets)](./LICENSE)
 
 > Encrypt and decrypt secrets using your SSH agent — no plaintext, no extra key management.
@@ -43,14 +43,19 @@ Usage: ssh-crypt [options] <command>
 Encrypt/Decrypt a file with your ssh-agent private key
 
 Arguments:
-  command              action (choices: "encrypt", "decrypt")
+  command                       action (choices: "encrypt", "decrypt")
 
 Options:
-  -i, --input <path>   input path (default to stdin)
-  -o, --output <path>  output path (default to stdout)
-  -k, --key <string>   select the first matching pubkey in the ssh-agent
-  -s, --seed <string>  is used to generate the secret
-  -h, --help           display help for command
+  -i, --input <path>            input path (default to stdin)
+  --encryptEncoding <encoding>  encrypt output encoding (choices: "hex",
+                                "base64")
+  -o, --output <path>           output path (default to stdout)
+  --decryptEncoding <encoding>  decrypt input encoding (choices: "hex",
+                                "base64")
+  -k, --key <string>            select the first matching pubkey in the
+                                ssh-agent
+  -s, --seed <string>           is used to generate the secret
+  -h, --help                    display help for command
 ```
 
 ## 🛠️ Library installation
@@ -68,6 +73,7 @@ const agent = new SSHAgentClient()
 
 const identities = await agent.getIdentities()
 console.log(identities)
+
 const identity = await agent.getIdentity('AWS')
 
 const encrypted = await agent.encrypt(

codecov.yml

@@ -0,0 +1,5 @@
+parsers:
+  lcov:
+    partials_as_hits: true
+  javascript:
+    enable_partials: true

eslint.config.js

@@ -33,13 +33,17 @@ export default defineConfig([
       'max-statements': 'off',
       'max-lines': 'off',
       'max-lines-per-function': 'off',
+      'max-params': 'off',
       'sort-imports': [
         'error',
         {
           ignoreCase: true,
-          ignoreDeclarationSort: true,
+          ignoreMemberSort: false,
+          memberSyntaxSortOrder: ['none', 'all', 'multiple', 'single'],
+          allowSeparatedGroups: false,
         },
       ],
+      '@typescript-eslint/no-explicit-any': 'off',
       '@typescript-eslint/restrict-template-expressions': [
         'error',
         {

package-lock.json

@@ -1,13 +1,13 @@
 {
   "name": "ssh-agent-secrets",
-  "version": "0.2.1",
-  "description": "Node library to encrypt and decrypt secrets using an SSH agent",
+  "version": "0.3.0",
+  "description": "Encrypt and decrypt secrets using an SSH agent",
   "keywords": [
     "ssh",
-    "encryption",
-    "decryption",
-    "typescript",
     "ssh-agent",
+    "encryption",
+    "ssh-key",
+    "cryptography",
     "cli"
   ],
   "homepage": "https://github.com/ddebin/ssh-agent-secrets",
@@ -21,8 +21,8 @@
   "license": "MIT",
   "author": "Damien Debin <damien.debin@gmail.com>",
   "type": "module",
-  "main": "dist/src/lib/ssh_agent_client.js",
-  "types": "dist/src/lib/ssh_agent_client.d.ts",
+  "main": "dist/src/lib/index.js",
+  "types": "dist/src/lib/index.d.ts",
   "bin": {
     "ssh-crypt": "dist/src/cli.js"
   },
@@ -32,7 +32,7 @@
   "scripts": {
     "build": "npm run clean && tsc -b",
     "clean": "del-cli ./dist",
-    "coverage": "nyc --reporter=lcov --reporter=text npm test",
+    "coverage": "nyc --reporter=lcovonly --reporter=text npm test",
     "eslint:check": "eslint .",
     "eslint:fix": "eslint . --fix",
     "fix": "npm run eslint:fix && npm run prettier:fix",
@@ -49,6 +49,8 @@
   },
   "devDependencies": {
     "@eslint/js": "^10",
+    "@tsconfig/node-ts": "^23.6.4",
+    "@tsconfig/node16": "^16.1.8",
     "@types/chai": "^5",
     "@types/chai-as-promised": "^8",
     "@types/mocha": "^10",
@@ -65,7 +67,7 @@
     "prettier-plugin-packagejson": "^3",
     "ts-node": "^10",
     "tsx": "^4",
-    "typescript": "^5",
+    "typescript": "^5.8",
     "typescript-eslint": "^8"
   },
   "engines": {

package.json

@@ -1,45 +1,33 @@
 #!/usr/bin/env node
 
-import * as fs from 'fs'
-import { Argument, program } from '@commander-js/extra-typings'
+import { Argument, Option, program } from '@commander-js/extra-typings'
+import { createReadStream, createWriteStream } from 'node:fs'
 import { SSHAgentClient } from './lib/ssh_agent_client.js'
-import { buffer, text } from 'stream/consumers'
 
 program
   .name('ssh-crypt')
   .description('Encrypt/Decrypt a file with your ssh-agent private key')
   .addArgument(new Argument('<command>', 'action').choices(['encrypt', 'decrypt']))
   .option('-i, --input <path>', 'input path (default to stdin)')
+  .addOption(new Option('--encryptEncoding <encoding>', 'encrypt output encoding').choices(['hex', 'base64']))
   .option('-o, --output <path>', 'output path (default to stdout)')
+  .addOption(new Option('--decryptEncoding <encoding>', 'decrypt input encoding').choices(['hex', 'base64']))
   .requiredOption('-k, --key <string>', 'select the first matching pubkey in the ssh-agent')
   .requiredOption('-s, --seed <string>', 'is used to generate the secret')
   .action(async (action, options) => {
     try {
-      const agent = new SSHAgentClient()
+      const agent = new SSHAgentClient({ timeout: 10000 })
       const key = await agent.getIdentity(options.key)
       if (!key) {
         program.error(`Error: no SSH key found for "${options.key}"`)
       }
-      const readable = options.input ? fs.createReadStream(options.input) : process.stdin
-      const writable = options.output ? fs.createWriteStream(options.output) : process.stdout
-      switch (action) {
-        case 'encrypt': {
-          await buffer(readable)
-            .then(data => agent.encrypt(key, options.seed, data))
-            .then(encrypted => writable.write(encrypted))
-
-          break
-        }
-        case 'decrypt': {
-          await text(readable)
-            .then(data => agent.decrypt(key, options.seed, data.trim()))
-            .then(decrypted => writable.write(decrypted))
-
-          break
-        }
-        default:
-          throw new Error('unknwon action')
-      }
+      const readable = options.input ? createReadStream(options.input) : process.stdin
+      const writable = options.output ? createWriteStream(options.output) : process.stdout
+      const transform =
+        action === 'decrypt'
+          ? await agent.getDecryptTransform(key, options.seed, options.decryptEncoding)
+          : await agent.getEncryptTransform(key, options.seed, options.encryptEncoding)
+      readable.pipe(transform).pipe(writable)
     } catch (err) {
       program.error(`Error: ${(err as Error).message}`)
     }

src/cli.ts

@@ -0,0 +1,45 @@
+import * as crypto from 'node:crypto'
+import { Transform, type TransformCallback, type TransformOptions } from 'node:stream'
+
+export class DecryptTransform extends Transform {
+  private decipher?: crypto.Decipher
+  private algo: string
+  private cipherKey: crypto.KeyObject
+  private cipherIvLength: number
+  private inputEncoding?: BufferEncoding
+
+  constructor(
+    algo: string,
+    cipherKey: crypto.KeyObject,
+    cipherIvLength: number,
+    inputEncoding?: BufferEncoding,
+    opts?: TransformOptions,
+  ) {
+    super(opts)
+    this.algo = algo
+    this.cipherKey = cipherKey
+    this.cipherIvLength = cipherIvLength
+    this.inputEncoding = inputEncoding
+  }
+
+  override _transform(chunk: any, _encoding: BufferEncoding, callback: TransformCallback) {
+    let data = chunk as Buffer
+    if (this.inputEncoding && this.inputEncoding !== 'binary') {
+      data = Buffer.from(data.toString().trim(), this.inputEncoding)
+    }
+    if (!this.decipher) {
+      // Unpackage the combined iv + encrypted message.
+      // Since we are using a fixed size IV, we can hard code the slice length.
+      const iv = data.subarray(0, this.cipherIvLength)
+      this.decipher = crypto.createDecipheriv(this.algo, this.cipherKey, iv)
+      data = data.subarray(this.cipherIvLength)
+    }
+    this.push(this.decipher.update(data))
+    callback()
+  }
+
+  override _flush(callback: TransformCallback) {
+    this.push(this.decipher?.final())
+    callback()
+  }
+}