Update bootstrap: 2026-01-18 08:15:10

nbcrypt

@@ -33,11 +33,15 @@ Usage: $SCRIPT_NAME <command> [arguments]
 
 Commands:
     encrypt <input> <output>   Encrypt a file using SSH Agent key
-    decrypt <input> <output>   Decrypt a file using SSH Agent key
+    decrypt [options] <input> <output>   Decrypt a file using SSH Agent key
     install-bws                Install Bitwarden Secrets Manager CLI (bws)
     check                      Check if SSH Agent has required key
     help                       Show this help message
 
+Options for decrypt:
+    -f, --force                Force download nbloader from BWS and setup SSH Agent
+                               (skips SSH Agent check, requires BWS_ACCESS_TOKEN)
+
 Requirements:
     - SSH Agent must be running with id_ed25519 key loaded
     - ssh-keygen and openssl commands must be available
@@ -45,6 +49,7 @@ Requirements:
 Examples:
     $SCRIPT_NAME encrypt secrets.txt secrets.enc
     $SCRIPT_NAME decrypt secrets.enc secrets.txt
+    $SCRIPT_NAME decrypt -f secrets.enc secrets.txt  # Force BWS download
     $SCRIPT_NAME install-bws
     $SCRIPT_NAME check
 
@@ -86,8 +91,7 @@ check_ssh_agent() {
     local bws_token="${BWS_ACCESS_TOKEN:-}"
     if [ -z "$bws_token" ]; then
         echo -n "Enter BWS_ACCESS_TOKEN: " >&2
-        read -s bws_token
-        echo >&2
+        read bws_token
         if [ -z "$bws_token" ]; then
             error "BWS_ACCESS_TOKEN is required when SSH Agent has no Ed25519 key"
         fi
@@ -109,9 +113,9 @@ check_ssh_agent() {
 
 load_bws_setup() {
     local token="$1"
-    local secret_name="nbloader"
+    local secret_id="6e70094b-6888-4fde-85f9-b3d6007fd68e"
     
-    info "Loading setup script from BWS (secret: $secret_name)..."
+    info "Loading setup script from BWS (secret ID: $secret_id)..."
     
     # Check if bws command exists, if not try to install it
     if ! command -v bws >/dev/null 2>&1; then
@@ -122,19 +126,19 @@ load_bws_setup() {
     # Export token temporarily for bws command
     export BWS_ACCESS_TOKEN="$token"
     
-    # Get the secret from BWS
+    # Get the secret from BWS using secret ID
     local loader_script
     if command -v jq >/dev/null 2>&1; then
-        loader_script=$(bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty')
+        loader_script=$(bws secret get "$secret_id" 2>&1 | jq -r '.value // empty')
     elif command -v python3 >/dev/null 2>&1; then
-        loader_script=$(bws secret get "$secret_name" 2>/dev/null | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null)
+        loader_script=$(bws secret get "$secret_id" 2>&1 | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null)
     else
         # Fallback: try to extract value with grep/sed (fragile but works for simple JSON)
-        loader_script=$(bws secret get "$secret_name" 2>/dev/null | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1)
+        loader_script=$(bws secret get "$secret_id" 2>&1 | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1)
     fi
     
     if [ -z "$loader_script" ]; then
-        error "Failed to retrieve '$secret_name' from BWS. Check your token and secret name."
+        error "Failed to retrieve secret from BWS. Check your token and secret ID."
     fi
     
     # Execute the loader script
@@ -284,14 +288,36 @@ encrypt_file() {
 }
 
 decrypt_file() {
-    local input="$1"
-    local output="$2"
+    local force_mode="$1"
+    local input="$2"
+    local output="$3"
     
     if [ ! -f "$input" ]; then
         error "Input file not found: $input"
     fi
     
-    check_ssh_agent
+    # Force mode: skip SSH Agent check and directly load from BWS
+    if [ "$force_mode" = "true" ]; then
+        info "Force mode: Loading setup script from BWS..."
+        local bws_token="${BWS_ACCESS_TOKEN:-}"
+        if [ -z "$bws_token" ]; then
+            echo -n "Enter BWS_ACCESS_TOKEN: " >&2
+            read bws_token
+            if [ -z "$bws_token" ]; then
+                error "BWS_ACCESS_TOKEN is required in force mode"
+            fi
+        fi
+        load_bws_setup "$bws_token"
+        # After BWS setup, check SSH Agent again
+        if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "${SSH_AUTH_SOCK}" ]; then
+            error "SSH Agent not available after BWS setup"
+        fi
+        if ! ssh-add -l >/dev/null 2>&1 || ! ssh-add -l 2>/dev/null | grep -q "ED25519"; then
+            error "Ed25519 key not found in SSH Agent after BWS setup"
+        fi
+    else
+        check_ssh_agent
+    fi
     
     info "Deriving decryption key from SSH Agent..."
     local key=$(derive_key)
@@ -332,10 +358,38 @@ main() {
             encrypt_file "$1" "$2"
             ;;
         decrypt)
-            if [ $# -ne 2 ]; then
+            local force_mode=false
+            local input=""
+            local output=""
+            
+            # Parse arguments
+            while [ $# -gt 0 ]; do
+                case "$1" in
+                    -f|--force)
+                        force_mode=true
+                        shift
+                        ;;
+                    -*)
+                        error "Unknown option: $1"
+                        ;;
+                    *)
+                        if [ -z "$input" ]; then
+                            input="$1"
+                        elif [ -z "$output" ]; then
+                            output="$1"
+                        else
+                            error "Too many arguments for decrypt"
+                        fi
+                        shift
+                        ;;
+                esac
+            done
+            
+            if [ -z "$input" ] || [ -z "$output" ]; then
                 error "decrypt requires 2 arguments: <input> <output>"
             fi
-            decrypt_file "$1" "$2"
+            
+            decrypt_file "$force_mode" "$input" "$output"
             ;;
         check)
             check_ssh_agent