Update bootstrap: 2026-01-18 07:52:01

install.sh

@@ -33,6 +33,22 @@ TEMP_SCRIPT="/tmp/${TARGET}-$$.sh"
 
 if "$NBCRYPT" decrypt "$ENC_FILE" "$TEMP_SCRIPT" 2>/dev/null; then
     chmod +x "$TEMP_SCRIPT"
+    
+    # Load SSH Agent environment if it was created by nbcrypt/BWS setup
+    # Only load if we don't already have a valid Agent Forward
+    AGENT_ENV_FILE="/tmp/.nb_agent_env_${USER:-$(id -un)}"
+    if [ -f "$AGENT_ENV_FILE" ]; then
+        # Check if we already have a valid SSH_AUTH_SOCK (Agent Forward)
+        if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "${SSH_AUTH_SOCK}" ]; then
+            # No valid agent, safe to load from file
+            echo "🔑 Loading SSH Agent environment..."
+            source "$AGENT_ENV_FILE"
+        else
+            # Agent Forward exists, preserve it and skip file loading
+            echo "🔑 Using existing SSH Agent Forward (preserved)"
+        fi
+    fi
+    
     echo "✅ Executing ${TARGET} setup..."
     exec bash "$TEMP_SCRIPT"
 else
@@ -42,3 +58,6 @@ else
     exit 1
 fi
 
+
+
+

nbcrypt

@@ -34,6 +34,7 @@ Usage: $SCRIPT_NAME <command> [arguments]
 Commands:
     encrypt <input> <output>   Encrypt a file using SSH Agent key
     decrypt <input> <output>   Decrypt a file using SSH Agent key
+    install-bws                Install Bitwarden Secrets Manager CLI (bws)
     check                      Check if SSH Agent has required key
     help                       Show this help message
 
@@ -44,6 +45,7 @@ Requirements:
 Examples:
     $SCRIPT_NAME encrypt secrets.txt secrets.enc
     $SCRIPT_NAME decrypt secrets.enc secrets.txt
+    $SCRIPT_NAME install-bws
     $SCRIPT_NAME check
 
 EOF
@@ -65,27 +67,140 @@ check_dependencies() {
 }
 
 check_ssh_agent() {
-    # Check if SSH_AUTH_SOCK is set
+    # Check if SSH_AUTH_SOCK is set and valid
-    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
+    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then
-        error "SSH Agent is not running or SSH_AUTH_SOCK is not set"
-    fi
-    
         # Check if ssh-add can connect to agent
-    if ! ssh-add -l >/dev/null 2>&1; then
+        if ssh-add -l >/dev/null 2>&1; then
-        local rc=$?
-        if [ $rc -eq 2 ]; then
-            error "Cannot connect to SSH Agent"
-        elif [ $rc -eq 1 ]; then
-            error "SSH Agent has no identities loaded"
-        fi
-    fi
-    
             # Check if Ed25519 key is loaded
-    if ! ssh-add -l 2>/dev/null | grep -q "ED25519"; then
+            if ssh-add -l 2>/dev/null | grep -q "ED25519"; then
-        error "No Ed25519 key found in SSH Agent. Please add id_ed25519 with: ssh-add ~/.ssh/id_ed25519"
+                info "SSH Agent check passed (Ed25519 key found)"
+                return 0
+            fi
+        fi
     fi
     
-    info "SSH Agent check passed (Ed25519 key found)"
+    # No valid agent or no Ed25519 key - try BWS bootstrap
+    info "No Ed25519 key found in SSH Agent. Attempting BWS bootstrap..."
+    
+    # Get BWS access token
+    local bws_token="${BWS_ACCESS_TOKEN:-}"
+    if [ -z "$bws_token" ]; then
+        echo -n "Enter BWS_ACCESS_TOKEN: " >&2
+        read -s bws_token
+        echo >&2
+        if [ -z "$bws_token" ]; then
+            error "BWS_ACCESS_TOKEN is required when SSH Agent has no Ed25519 key"
+        fi
+    fi
+    
+    # Try to load setup script from BWS
+    load_bws_setup "$bws_token"
+    
+    # Re-check agent after BWS setup
+    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then
+        if ssh-add -l >/dev/null 2>&1 && ssh-add -l 2>/dev/null | grep -q "ED25519"; then
+            info "SSH Agent check passed (Ed25519 key found after BWS setup)"
+            return 0
+        fi
+    fi
+    
+    error "No Ed25519 key found in SSH Agent. Please add id_ed25519 with: ssh-add ~/.ssh/id_ed25519"
+}
+
+load_bws_setup() {
+    local token="$1"
+    local secret_name="nbloader"
+    
+    info "Loading setup script from BWS (secret: $secret_name)..."
+    
+    # Check if bws command exists, if not try to install it
+    if ! command -v bws >/dev/null 2>&1; then
+        warn "bws command not found. Attempting to install..."
+        install_bws || error "Failed to install bws CLI"
+    fi
+    
+    # Export token temporarily for bws command
+    export BWS_ACCESS_TOKEN="$token"
+    
+    # Get the secret from BWS
+    local loader_script
+    if command -v jq >/dev/null 2>&1; then
+        loader_script=$(bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty')
+    elif command -v python3 >/dev/null 2>&1; then
+        loader_script=$(bws secret get "$secret_name" 2>/dev/null | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null)
+    else
+        # Fallback: try to extract value with grep/sed (fragile but works for simple JSON)
+        loader_script=$(bws secret get "$secret_name" 2>/dev/null | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1)
+    fi
+    
+    if [ -z "$loader_script" ]; then
+        error "Failed to retrieve '$secret_name' from BWS. Check your token and secret name."
+    fi
+    
+    # Execute the loader script
+    info "Executing BWS setup script..."
+    eval "$loader_script"
+    
+    # Load agent environment if it was created
+    local env_file="/tmp/.nb_agent_env_${USER:-$(id -un)}"
+    if [ -f "$env_file" ]; then
+        source "$env_file"
+        info "SSH Agent environment loaded from $env_file"
+    fi
+}
+
+install_bws() {
+    local arch
+    arch=$(uname -m)
+    local bws_version="1.0.0"
+    local bws_bin_dir="${HOME}/.local/bin"
+    local bws_path="${bws_bin_dir}/bws"
+    
+    mkdir -p "$bws_bin_dir"
+    export PATH="$bws_bin_dir:$PATH"
+    
+    # Determine architecture
+    case "$arch" in
+        x86_64)
+            arch="x86_64-unknown-linux-gnu"
+            ;;
+        aarch64|arm64)
+            arch="aarch64-unknown-linux-gnu"
+            ;;
+        *)
+            error "Unsupported architecture: $arch"
+            ;;
+    esac
+    
+    local zip_name="bws-${arch}-${bws_version}.zip"
+    local url="https://github.com/bitwarden/sdk-sm/releases/download/bws-v${bws_version}/${zip_name}"
+    
+    info "Downloading bws v${bws_version} for ${arch}..."
+    
+    # Install dependencies if needed
+    if ! command -v unzip >/dev/null 2>&1; then
+        if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -qq && sudo apt-get install -y unzip >/dev/null 2>&1
+        elif command -v yum >/dev/null 2>&1; then
+            sudo yum install -y unzip >/dev/null 2>&1
+        fi
+    fi
+    
+    # Download and extract
+    local temp_zip="/tmp/${zip_name}"
+    if command -v wget >/dev/null 2>&1; then
+        wget -q "$url" -O "$temp_zip" || return 1
+    elif command -v curl >/dev/null 2>&1; then
+        curl -sL "$url" -o "$temp_zip" || return 1
+    else
+        error "wget or curl is required to download bws"
+    fi
+    
+    unzip -o "$temp_zip" -d "$bws_bin_dir" >/dev/null 2>&1 || return 1
+    chmod +x "$bws_path"
+    rm -f "$temp_zip"
+    
+    info "bws installed successfully at $bws_path"
     return 0
 }
 
@@ -201,11 +316,14 @@ main() {
         usage
     fi
     
-    check_dependencies
-    
     local command="$1"
     shift
     
+    # install-bws コマンドの場合は check_dependencies をスキップ
+    if [ "$command" != "install-bws" ] && [ "$command" != "help" ] && [ "$command" != "--help" ] && [ "$command" != "-h" ]; then
+        check_dependencies
+    fi
+    
     case "$command" in
         encrypt)
             if [ $# -ne 2 ]; then
@@ -223,6 +341,9 @@ main() {
             check_ssh_agent
             echo "✅ All checks passed"
             ;;
+        install-bws)
+            install_bws
+            ;;
         help|--help|-h)
             usage
             ;;