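#!/usr/bin/env bash
# credbridge.sh — resolve credctl secrets into env vars for the child command.
# Secrets are NEVER on argv, NEVER in logs, NEVER persisted. credctl is queried
# per-call; the secret enters the child process env only for the duration of the call.
#
# Scope of that guarantee: the token is exported into the environment of the
# exec'd tool, so every process that tool spawns inherits it, and on Linux a
# process environment is readable by the same user (and root) through
# /proc/<pid>/environ for as long as the process lives.
#
# Usage:
#   credbridge.sh <tool> [args...]
#
# Environment:
#   CREDCTL  path to the credctl executable (default below). It is treated as
#            a single executable name, not a command line. Whoever controls
#            this variable chooses the program trusted to supply the token,
#            so run this script only from an environment you control.
#
# Exit status:
#   2  usage error or unknown tool
#   3  credential could not be resolved
#   otherwise the status of the exec'd tool
#
# Supports: gh (GitHub CLI) — needs github-pat
# v2 will add: deploy keys, cloud creds (aws/gcp/etc)
set -euo pipefail

CREDCTL="${CREDCTL:-/home/svrnty/workspaces/cortex/L6-svrnty.core-credentials/credctl}"

if [[ $# -eq 0 ]]; then
  echo "usage: credbridge.sh <tool> [args...]" >&2
  echo " supported tools: gh" >&2
  exit 2
fi

TOOL="$1"; shift

case "$TOOL" in
  gh)
    # GitHub CLI — needs GITHUB_TOKEN from credctl github-pat
    #
    # Turn tracing off before touching the secret: under `bash -x` (or an
    # inherited xtrace option) the assignment below would echo the token to
    # stderr, which contradicts the "never in logs" promise in the header.
    set +x

    # Distinguish "credctl is missing" from "secret is missing"; otherwise both
    # end in the same message and the operator is sent to set a secret that
    # may already exist.
    if ! command -v -- "$CREDCTL" >/dev/null 2>&1; then
      echo "ERROR: credctl not found or not executable: $CREDCTL" >&2
      exit 3
    fi

    # Fetch into a plain variable first. `export VAR="$(cmd)"` always returns
    # the status of `export`, so a failing credctl went unnoticed; here a
    # non-zero pipeline status (pipefail is on) discards the output and fails
    # closed. "$CREDCTL" is quoted so a path containing spaces still works.
    # The parser assumes credctl prints a line of the form "Value: <secret>"
    # and keeps only the first whitespace-delimited word after the label.
    # credctl's stderr is discarded as before — presumably to keep its
    # diagnostics out of logs; confirm this is intended.
    token=""
    if ! token="$("$CREDCTL" get github-pat --unmask 2>/dev/null | awk '/^Value:/ {print $2}')"; then
      token=""
    fi

    if [[ -z "$token" ]]; then
      echo "ERROR: github-pat not in credctl. Set with: credctl set github-pat" >&2
      exit 3
    fi

    # NOTE: gh gives GH_TOKEN precedence over GITHUB_TOKEN, so a GH_TOKEN that
    # is already present in the caller's environment is used instead of the
    # value resolved here.
    export GITHUB_TOKEN="$token"
    unset token

    # exec replaces this shell, so the token lives only in gh's environment
    # (and in whatever gh itself spawns).
    exec gh "$@"
    ;;
  *)
    echo "ERROR: unknown tool '$TOOL'" >&2
    echo "supported tools: gh" >&2
    exit 2
    ;;
esac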