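#!/bin/bash
# Tractatus Credential Retrieval Script
# Populates the project's .env file from the KeePassXC vault.
#
# Usage:   scripts/get-credentials.sh      (prompts for the vault master password)
# Reads:   $VAULT_FILE (plus $KEY_FILE when present), the master password from the terminal
# Writes:  $ENV_FILE (mode 600), a timestamped backup of any previous .env,
#          and one audit line per retrieved entry in $LOG_FILE
# Requires: keepassxc-cli, jq, GNU coreutils (stat -c)
set -euo pipefail

# Everything this script creates (.env, its backup, the access log) holds or
# describes secrets, so create the files owner-only from the first write
# instead of relying on a chmod after the contents are already on disk.
umask 077

GREEN='\033[0;32m'
YELLOW='\033[1;33m'
RED='\033[0;31m'
NC='\033[0m'

VAULT_FILE="$HOME/Documents/credentials/vault.kdbx"
KEY_FILE="$HOME/Documents/credentials/vault.kdbx.key"
PROJECT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
ENV_FILE="$PROJECT_DIR/.env"
LOG_FILE="$HOME/Documents/credentials/logs/access-log.txt"

# Check if vault exists
if [ ! -f "$VAULT_FILE" ]; then
  echo -e "${RED}✗ Vault not found: $VAULT_FILE${NC}"
  echo "Run: ~/Documents/credentials/scripts/create-vault.sh"
  exit 1
fi

echo -e "${YELLOW}═══════════════════════════════════════════════════════════${NC}"
echo -e "${YELLOW}       TRACTATUS CREDENTIAL RETRIEVAL${NC}"
echo -e "${YELLOW}═══════════════════════════════════════════════════════════${NC}"
echo ""

# Prompt for master password (never passed on the command line, only via stdin)
read -sp "Enter master password: " MASTER_PASSWORD
echo ""

#######################################
# Run keepassxc-cli with the master password on stdin, appending the key
# file option when a key file exists.
# Globals:   MASTER_PASSWORD (read), KEY_FILE (read)
# Arguments: the full keepassxc-cli argument list (subcommand, vault, ...)
# Outputs:   whatever keepassxc-cli prints
# Returns:   keepassxc-cli's exit status
#######################################
vault_cli() {
  if [ -f "$KEY_FILE" ]; then
    # "$@" keeps a key-file path with spaces as one argument; the old
    # unquoted "-k $KEY_FILE" string would have been word-split.
    set -- "$@" -k "$KEY_FILE"
  fi
  printf '%s\n' "$MASTER_PASSWORD" | keepassxc-cli "$@"
}

# Test vault access. Written as "if ! ..." because under set -e a failing
# pipeline exits the script before a following "$?" test can ever run.
if ! vault_cli ls "$VAULT_FILE" /tractatus > /dev/null 2>&1; then
  echo -e "${RED}✗ Failed to unlock vault (wrong password?)${NC}"
  exit 1
fi
echo -e "${GREEN}✓ Vault unlocked${NC}"
echo ""

#######################################
# Read one field of a vault entry.
# Arguments: $1 - entry path inside the vault (e.g. /tractatus/JWT Secret)
#            $2 - field name as keepassxc-cli labels it (default: Password)
# Outputs:   the field value on stdout, empty when the entry/field is missing
# Returns:   always 0; an empty result is the caller's "not found" signal
#######################################
get_credential() {
  local entry_path="$1"
  # The summary labels the field "Password:" (capitalised); the previous
  # default of "password" could never match it.
  local field="${2:-Password}"
  # --show-protected: without it the summary prints "PROTECTED" in place of
  # the password value. stderr is dropped because the vault is already known
  # to unlock, so an error here means a missing entry, reported as empty.
  # "|| true": grep exits 1 on no match, which pipefail would otherwise turn
  # into a failed assignment (and an exit under set -e) in the caller.
  vault_cli show --show-protected "$VAULT_FILE" "$entry_path" 2>/dev/null \
    | grep -- "^$field:" | cut -d' ' -f2- || true
}

#######################################
# Append an audit line to the access log (entry names only, never values).
# Arguments: $1 - entry path, $2 - action (e.g. READ)
#######################################
log_access() {
  local entry="$1"
  local action="$2"
  # The logs/ directory may not exist yet; a failed ">>" would abort the
  # script half-way through writing .env.
  mkdir -p "$(dirname "$LOG_FILE")"
  printf '%s | %s | %s | get-credentials.sh | SUCCESS\n' \
    "$(date '+%Y-%m-%d %H:%M:%S')" "$action" "$entry" >> "$LOG_FILE"
}

#######################################
# Append one line to the .env file. printf (not echo) so a value that looks
# like an option or contains backslashes is written literally.
# Arguments: $1 - the line to append
#######################################
env_line() {
  printf '%s\n' "$1" >> "$ENV_FILE"
}

echo -e "${GREEN}Retrieving credentials...${NC}"
echo ""

# Backup existing .env if it exists
if [ -f "$ENV_FILE" ]; then
  backup_file="$ENV_FILE.backup-$(date +%Y%m%d-%H%M%S)"
  cp "$ENV_FILE" "$backup_file"
  # The backup holds the previous secrets too; backups accumulate in the
  # project directory and are not pruned here.
  chmod 600 "$backup_file"
  echo -e "${GREEN}✓ Backed up existing .env to: $(basename "$backup_file")${NC}"
fi

# Create new .env file. The timestamp is expanded directly in the here-doc,
# which replaces the earlier "sed -i" pass (and its temporary file).
cat > "$ENV_FILE" << HEADER
# Tractatus Environment Variables
# Auto-generated from KeePassXC credential vault
# Generated: $(date '+%Y-%m-%d %H:%M:%S')
# DO NOT COMMIT THIS FILE TO GIT
# WARNING: This file contains sensitive credentials
# File permissions: 600 (owner read/write only)
HEADER
# umask covers a freshly created file; an existing .env keeps its old mode
# through the truncating redirect, so set it explicitly before secrets go in.
chmod 600 "$ENV_FILE"

# Retrieve credentials from vault and add to .env.
# Values are written unquoted, as before; a secret containing characters the
# .env loader treats specially (e.g. '#') may need quoting — TODO confirm
# against the loader in use.
env_line "# === Anthropic API ==="
ANTHROPIC_KEY=$(get_credential "/tractatus/Anthropic API Key" "Password")
if [ -n "$ANTHROPIC_KEY" ]; then
  env_line "CLAUDE_API_KEY=$ANTHROPIC_KEY"
  echo -e "${GREEN}✓ Retrieved: Anthropic API Key${NC}"
  log_access "tractatus/Anthropic API Key" "READ"
else
  echo -e "${YELLOW}⚠️  Not found: Anthropic API Key${NC}"
fi

env_line ""
env_line "# === MongoDB ==="
MONGODB_USER=$(get_credential "/tractatus/MongoDB Production" "UserName")
MONGODB_PASS=$(get_credential "/tractatus/MongoDB Production" "Password")
if [ -n "$MONGODB_USER" ] && [ -n "$MONGODB_PASS" ]; then
  # URL encode the password so it can be embedded in the connection URI
  MONGODB_PASS_ENCODED=$(printf '%s' "$MONGODB_PASS" | jq -sRr @uri)
  env_line "MONGODB_URI=mongodb://${MONGODB_USER}:${MONGODB_PASS_ENCODED}@localhost:27017/tractatus_prod?authSource=tractatus_prod"
  env_line "MONGODB_USER=$MONGODB_USER"
  env_line "MONGODB_PASSWORD=$MONGODB_PASS"
  env_line "MONGODB_DB=tractatus_prod"
  echo -e "${GREEN}✓ Retrieved: MongoDB credentials${NC}"
  log_access "tractatus/MongoDB Production" "READ"
else
  echo -e "${YELLOW}⚠️  Not found: MongoDB credentials${NC}"
fi

env_line ""
env_line "# === JWT Secret ==="
JWT_SECRET=$(get_credential "/tractatus/JWT Secret" "Password")
if [ -n "$JWT_SECRET" ]; then
  env_line "JWT_SECRET=$JWT_SECRET"
  echo -e "${GREEN}✓ Retrieved: JWT Secret${NC}"
  log_access "tractatus/JWT Secret" "READ"
else
  echo -e "${YELLOW}⚠️  Not found: JWT Secret${NC}"
fi

# The vault is no longer needed; drop the master password from the environment.
unset MASTER_PASSWORD

env_line ""
env_line "# === Server Configuration ==="
env_line "PORT=9000"
env_line "NODE_ENV=development"

# Set file permissions (already 600 via umask/chmod above; kept as a final guarantee)
chmod 600 "$ENV_FILE"

echo ""
echo -e "${YELLOW}═══════════════════════════════════════════════════════════${NC}"
echo -e "${YELLOW}       CREDENTIALS RETRIEVED SUCCESSFULLY${NC}"
echo -e "${YELLOW}═══════════════════════════════════════════════════════════${NC}"
echo ""
echo "Output file: $ENV_FILE"
echo "Permissions: $(stat -c '%a' "$ENV_FILE") (should be 600)"
echo ""
echo "Credentials retrieved:"
if [ -n "$ANTHROPIC_KEY" ]; then echo "  ✓ Anthropic API Key"; fi
if [ -n "$MONGODB_USER" ]; then echo "  ✓ MongoDB credentials"; fi
if [ -n "$JWT_SECRET" ]; then echo "  ✓ JWT Secret"; fi
echo ""
echo "Next steps:"
echo "  1. Verify .env file: cat $ENV_FILE"
echo "  2. Test server starts: npm start"
echo "  3. Check access log: cat $LOG_FILE"
echo ""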