From cd089ae6340658b65e024c2c85ed193071f912e0 Mon Sep 17 00:00:00 2001 From: nodoka Date: Sun, 18 Jan 2026 08:15:10 +0000 Subject: [PATCH] Update bootstrap: 2026-01-18 08:15:10 --- nbcrypt | 84 +++++++++++++++++++++++++++++++++++++++++--------- nbmain.sh.enc | Bin 1104 -> 1104 bytes 2 files changed, 69 insertions(+), 15 deletions(-) diff --git a/nbcrypt b/nbcrypt index f718c7a..980d7cb 100755 --- a/nbcrypt +++ b/nbcrypt @@ -33,11 +33,15 @@ Usage: $SCRIPT_NAME [arguments] Commands: encrypt Encrypt a file using SSH Agent key - decrypt Decrypt a file using SSH Agent key + decrypt [options] Decrypt a file using SSH Agent key install-bws Install Bitwarden Secrets Manager CLI (bws) check Check if SSH Agent has required key help Show this help message +Options for decrypt: + -f, --force Force download nbloader from BWS and setup SSH Agent + (skips SSH Agent check, requires BWS_ACCESS_TOKEN) + Requirements: - SSH Agent must be running with id_ed25519 key loaded - ssh-keygen and openssl commands must be available @@ -45,6 +49,7 @@ Requirements: Examples: $SCRIPT_NAME encrypt secrets.txt secrets.enc $SCRIPT_NAME decrypt secrets.enc secrets.txt + $SCRIPT_NAME decrypt -f secrets.enc secrets.txt # Force BWS download $SCRIPT_NAME install-bws $SCRIPT_NAME check @@ -86,8 +91,7 @@ check_ssh_agent() { local bws_token="${BWS_ACCESS_TOKEN:-}" if [ -z "$bws_token" ]; then echo -n "Enter BWS_ACCESS_TOKEN: " >&2 - read -s bws_token - echo >&2 + read bws_token if [ -z "$bws_token" ]; then error "BWS_ACCESS_TOKEN is required when SSH Agent has no Ed25519 key" fi @@ -109,9 +113,9 @@ check_ssh_agent() { load_bws_setup() { local token="$1" - local secret_name="nbloader" + local secret_id="6e70094b-6888-4fde-85f9-b3d6007fd68e" - info "Loading setup script from BWS (secret: $secret_name)..." + info "Loading setup script from BWS (secret ID: $secret_id)..." # Check if bws command exists, if not try to install it if ! command -v bws >/dev/null 2>&1; then 
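Review bot: Dropping `-s` from the token prompt in check_ssh_agent (and the matching `echo >&2`) means the BWS access token is now echoed to the terminal as it is typed and ends up in scrollback and any session recording; keep the read silent, `IFS= read -r -s bws_token; echo >&2`, where `-r` also stops backslashes in the token from being interpreted. The new force-mode prompt in decrypt_file (hunk at line 288) carries the same `read bws_token` and needs the same change. If `-s` was removed because the script has to run under a plain /bin/sh, bracket the read with `stty -echo` / `stty echo` instead. check_ssh_agent's body continues on both sides of the hunk.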
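Review bot: Hard-coding the BWS secret ID `6e70094b-6888-4fde-85f9-b3d6007fd68e` in load_bws_setup means any rotation or re-creation of that secret in BWS forces a script release; allow an environment override while keeping the current value as the default, e.g. `local secret_id="${NBCRYPT_SECRET_ID:-6e70094b-6888-4fde-85f9-b3d6007fd68e}"` (variable name is a suggestion, pick one matching the script's conventions). The usage text in the first hunk still describes the option as downloading "nbloader", so that name now survives only as prose. load_bws_setup's body continues past the hunk.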
@@ -122,19 +126,19 @@ load_bws_setup() { # Export token temporarily for bws command export BWS_ACCESS_TOKEN="$token" - # Get the secret from BWS + # Get the secret from BWS using secret ID local loader_script if command -v jq >/dev/null 2>&1; then - loader_script=$(bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty') + loader_script=$(bws secret get "$secret_id" 2>&1 | jq -r '.value // empty') elif command -v python3 >/dev/null 2>&1; then - loader_script=$(bws secret get "$secret_name" 2>/dev/null | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null) + loader_script=$(bws secret get "$secret_id" 2>&1 | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null) else # Fallback: try to extract value with grep/sed (fragile but works for simple JSON) - loader_script=$(bws secret get "$secret_name" 2>/dev/null | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1) + loader_script=$(bws secret get "$secret_id" 2>&1 | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1) fi if [ -z "$loader_script" ]; then - error "Failed to retrieve '$secret_name' from BWS. Check your token and secret name." + error "Failed to retrieve secret from BWS. Check your token and secret ID." fi # Execute the loader script 
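Review bot: Redirecting bws's stderr into stdout (`2>&1`) on the three `bws secret get` lines feeds any error text into jq, python3 or grep as if it were JSON, so a failed call surfaces only as an empty `loader_script` (jq's parse error reaches the terminal, while the python3 branch hides it behind its own `2>/dev/null`). Capture the command's output and exit status once, fail on a non-zero status with the captured message, and then hand the JSON to whichever parser is available. That `error` terminates the script is inferred from its use elsewhere in the diff. load_bws_setup's body continues past the hunk.
```shell
  # Get the secret from BWS using secret ID; keep bws's stderr out of the JSON parsers
  local bws_out
  if ! bws_out=$(bws secret get "$secret_id" 2>&1); then
    error "bws secret get failed: $bws_out"
  fi
  local loader_script
  if command -v jq >/dev/null 2>&1; then
    loader_script=$(printf '%s' "$bws_out" | jq -r '.value // empty')
  # … unchanged: python3 and grep/sed fallbacks, each reading "$bws_out" instead of piping bws …
```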
@@ -284,14 +288,36 @@ encrypt_file() { } decrypt_file() { - local input="$1" - local output="$2" + local force_mode="$1" + local input="$2" + local output="$3" if [ ! -f "$input" ]; then error "Input file not found: $input" fi - check_ssh_agent + # Force mode: skip SSH Agent check and directly load from BWS + if [ "$force_mode" = "true" ]; then + info "Force mode: Loading setup script from BWS..." + local bws_token="${BWS_ACCESS_TOKEN:-}" + if [ -z "$bws_token" ]; then + echo -n "Enter BWS_ACCESS_TOKEN: " >&2 + read bws_token + if [ -z "$bws_token" ]; then + error "BWS_ACCESS_TOKEN is required in force mode" + fi + fi + load_bws_setup "$bws_token" + # After BWS setup, check SSH Agent again + if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "${SSH_AUTH_SOCK}" ]; then + error "SSH Agent not available after BWS setup" + fi + if ! ssh-add -l >/dev/null 2>&1 || ! ssh-add -l 2>/dev/null | grep -q "ED25519"; then + error "Ed25519 key not found in SSH Agent after BWS setup" + fi + else + check_ssh_agent + fi info "Deriving decryption key from SSH Agent..." local key=$(derive_key) @@ -332,10 +358,38 @@ main() { encrypt_file "$1" "$2" ;; decrypt) - if [ $# -ne 2 ]; then + local force_mode=false + local input="" + local output="" + + # Parse arguments + while [ $# -gt 0 ]; do + case "$1" in + -f|--force) + force_mode=true + shift + ;; + -*) + error "Unknown option: $1" + ;; + *) + if [ -z "$input" ]; then + input="$1" + elif [ -z "$output" ]; then + output="$1" + else + error "Too many arguments for decrypt" + fi + shift + ;; + esac + done + + if [ -z "$input" ] || [ -z "$output" ]; then error "decrypt requires 2 arguments: " fi - decrypt_file "$1" "$2" + + decrypt_file "$force_mode" "$input" "$output" ;; check) check_ssh_agent 
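Review bot: The force branch of decrypt_file re-implements the token prompt and the post-setup Ed25519 agent check that already live in check_ssh_agent (hunk at line 91), so the two copies will drift; extract the agent check into a helper such as `require_ed25519_in_agent()` (name is a suggestion) and call it from both places. The re-check also assumes load_bws_setup leaves `SSH_AUTH_SOCK` set in the calling shell, which only holds if the loader script is sourced rather than executed in a child process; that part of load_bws_setup is outside this hunk, so worth confirming. The two `ssh-add -l` invocations can be collapsed to `ssh-add -l 2>/dev/null | grep -q "ED25519"` if the distinct messages are not needed, since a failing ssh-add produces no matching output. decrypt_file's body continues past the hunk.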
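Review bot: The `-*)` arm in main's decrypt parser rejects every argument that starts with a dash, including `--`, so an input or output file whose name begins with `-` cannot be passed at all; add a `--` end-of-options marker and stop option matching after it while still allowing options before positionals as the loop does today. The context line `error "decrypt requires 2 arguments: "` reads as truncated, possibly `<input> <output>` lost in rendering, so check the message in the file. main's body continues on both sides of the hunk.
```shell
      local opts_done=false
      while [ $# -gt 0 ]; do
        if [ "$opts_done" = false ]; then
          case "$1" in
            -f|--force) force_mode=true; shift; continue ;;
            --) opts_done=true; shift; continue ;;
            -*) error "Unknown option: $1" ;;
          esac
        fi
        # … unchanged: assign $1 to input, then output, else "Too many arguments" …
        shift
      done
```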
diff --git a/nbmain.sh.enc b/nbmain.sh.enc index 95995e599673cef900166d01837458273e0651de..50385e0bdf16d484ffc406d0d0cb5efaafc4f122 100644 GIT binary patch literal 1104 zcmV-W1h4y3VQh3|WM5ypfwN7uM(S1#U+&v3qsNVAWBK%s;Hi3@=vNpxWwHt* zNlde=PKk0}5UaDxW{aFFkv{`&2caV3TObPHDEAAK3a?f0)y#O-J#R&CG0ZmxawH+m z-EUhuPnRT?)c*Clso^uy3Q+tw@uiX4vX7FT;HYh;pb|LI(p~RD-Pvo}E_rxDPM0+l z8mhq;B>Bi$%~aeO0~>=97!T)cBF^Y;@zo~g3c2WR2@HI)(gJ2{CI%m<#y5V4vPI4k z5Im}LQzSc*fx^Do*1HVNc1e3r()Ugs8#PpaM$f>3xE(N#9KwCTI^}oyC|bK+Np|(=ZSk`6K!uYjx;f?a#$|7 z@KVrc}41TNvL8a$ZIQ2E^d*vn3Q) zlAxM7deh%E$JhDC`_J^P24E@=pFg*{t>7qzjtF{Yw1nwqoyqM`U%j`t+1AUDi5s2{ z6_C@xRg!KOgkztsMR=8C+bPwyIo`e4sQyt+wWtM&0|xp@ff==h;+LMXBTh)8dK3Yy93zCY97dY8e&v zt&LU)669Q+{VICM<7lCHM1+{e%-#ur1Myk>fH>W&nVIRLgtZjT-H9KI#4c%GA2Sho zUZxG7QqlqtusSQajR{eCbgrZ|F+6Q-Lh8r%3)mvD9IwoGpLp(ul&atsPR?f6-5&#M zDI~BPvJszXoBSpDOX{(W0^a=9?aUN=;sVGyZ&kjEk2fM)hxblgg^^C!P6&LuvUAD~ z5j@P6_&u?AI3dPR<}51cAn7&^`-BVNVz1{N~!6l_v(KT?+EGAtAy&WLF%Ds9#7d z0{$Qru{|0@DsqN8Z){AVNqM4d&}^Je<6;%sxOlP7=!M%IGZFgJQ}I4~ygI1a#A0h^ zd$B}9smfL_O-nauNinWp}==J+~xCfsTlTjUf W`x#{lDKNup)BuFLUrFT+Un#VL%O&Li literal 1104 zcmV-W1h4y3VQh3|WM5xxWqCrCP4z9y^>60|0a*pgK%Ftsgyl@@LGRfMW(Wb(d;Y+1 zz-XQ8K%~3Yy_7F(Wj zj{4K@^G*+fg~wfGzprv0V6X4vp#6~_i-6IYH#Lz(1Q-ZRM8MV5#U1LN@j5+sj>GnoiDSy>(Yb-`jstWomXH zJhXud^Y~nw>!G}Atl-FL#PBfQt@c>WNzUvF*>goHsy3ftSE*~E7ZWAo-D^~_iSEcN z{0|J;bVk8-tdXf6eO-tJ*6u)&>tfCH7|J_i*erj@1h^&P=Rwtgghm%kXVYLK89wQg zQW@yKSkgCP#}_E0P~dyzFErF8FtDTSq$Wvj#PS3X( zksD`&E;{Wy@s*>x>=qxX*aGYLi8olAU~69+qkaSkUpj7fnY+Er?-e@ae_K793eo|z;}WCXL> zva4K>KU}j-vyi_~;@-7=+Iq*Z&{nVLi37&jfGYurYRFls$odVEWMhhjO$tae%7V&l z%|ppekmwRs0%HA&yL%vug_PJwk%8!?c#=gFwh{pyu9jy#rtk+GGL4a?o|s6N3845Y zT(?tLFeRZI4eT?9N(xL^@SGFyjs3L3Yd%U(B`6<72U2ihLI!p~qw4T5_*&~roy_*L z_29>p!(>r>oNx;^O0e~KOc8{R(qJBsNg0! 
zWp-M-PpBvIu-v9uSQW^+&HFT#Gf79HQC$B8PB-@;fV}O?q;^CmMgrBC>4Zw&c6Lb( zQK!Dgio^qbFMs-htkA**kjQGayhLUPOGvNd`IPzy@f!@<1;bm`onho5##d!!feL=o za){g}maa7$;y2=4RQd|+8_kHJ<0gjCa5}6nWXut7`=M~E*aXaOEqmKUd_Cif#?=Oo zIIIaWg93S@ZuCf8kVQ`hAw0)DO!>QuSZV)E9SPaaBHX~iP^OJ7EL?>)zh%(ZaV|H$ z4=jVNtmdlx%>b^7qGxEDEE<&w1q-vbXDD_?oyBs^Hle(7YRz1jHsTGQ{kECJ8gSR_ Wdhe&o(q5tem;by!>{0v$*Jb^*b1YN<