Extension submission: Bitwarden v0.2.0

extensions/bitwarden/CHANGELOG.md

@@ -0,0 +1,110 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.2.0] - 2026-05-11
+
+### Added
+
+- Search TOTP Codes command — browse accounts with TOTP 2FA enabled, view live verification codes with 30-second countdown timers, and copy codes with a keystroke
+- TOTP countdown progress bar on the item detail view showing remaining code validity
+- File attachment support — upload files when creating or editing items; download attachments to a configurable directory (new Download Directory preference)
+- Per-field copy and show/hide actions for custom fields in the item detail view
+- Auto-Lock Timeout preference — automatically lock the vault after a configurable period of inactivity (15 min to 24 h, or Never)
+
+### Fixed
+
+- Detail view actions now disabled during loading, preventing a stuck-loader bug when no session is active; shows a Loading indicator with only the Back action available
+- Security hardening — master password passed via environment variable instead of command-line arguments; sensitive payloads written through stdin; API credentials stored in system keyring
+- API credentials cleared from disk after every login, while the libsecret-stored session is preserved on logout
+- FilePicker control added to the edit form for selecting file attachments
+- Custom fields no longer duplicated in the markdown body — rendered only in the metadata sidebar
+
+### Changed
+
+- Custom field actions now appear before Open URL in the action panel
+
+## [0.1.3] - 2026-05-06
+
+### Added
+
+- Themed placeholder icons for each item type — white symbol on a coloured rounded rectangle matching Vicinae's native icon style (Login=Blue, Card=Green, Identity=Orange, SecureNote=Purple), with light/dark mode support
+- iOS-style rounded favicon corners, pre-rendered into the PNG bytes at fetch time
+
+### Fixed
+
+- Favicons are now stored on disk (`supportPath/favicons/`) with a 7-day TTL, surviving extension restarts with correct timestamps
+- Concurrent favicon fetches capped at 8 to prevent Google's favicon service timing out on large vaults
+- Search bar now disabled during gate states (loading, unlock, login) to prevent crashes when the List unmounts
+- Race condition removed: favicons are no longer cleared on Sync, so stale entries drop out when the vault item is deleted rather than on every refresh
+- Login favicon fallback now uses the themed Login placeholder icon instead of a bare key string
+
+### Changed
+
+- Favicons cached as base64 data URIs for direct rendering instead of file paths that required a separate disk read
+- Favicon cache prunes entries for domains no longer in the vault on each Sync
+
+## [0.1.2] - 2026-05-06
+
+### Added
+
+- Custom CA certificate path preference for self-hosted servers using a private CA — sets `NODE_EXTRA_CA_CERTS` in the `bw` process environment
+
+### Fixed
+
+- Favicon cache now persists timestamps so the 24-hour TTL survives extension restarts; previously all entries were reset to `Date.now()` on every module init
+- Favicon resolution handles bare domain URIs (e.g. `example.com` without a protocol) and tries all item URIs, not just the first one
+- Login failures are now surfaced as a dedicated error screen with a Retry button, instead of showing the Unlock form
+- Logout no longer throws when the CLI is already logged out — handles the "not logged in" response gracefully
+
+### Changed
+
+- Startup time reduced by running CLI checks (`bw status`, `secret-tool`, `bw --version`) in parallel via `Promise.allSettled`
+- Cached vault favicons and item list load synchronously on mount for instant display; sync runs in the background
+- `getErrorMessage` now filters Node.js deprecation warnings from `bw` stderr output
+- Logout now clears the cached vault in addition to the session
+- De-duplicated gate error rendering pattern into a shared `renderGate` function
+- Extracted shared test mock utilities to reduce test boilerplate
+
+## [0.1.1] - 2026-05-05
+
+### Changed
+
+- Session tokens are now stored in the system keyring via `libsecret-tools` instead of plaintext LocalStorage, providing encrypted at-rest storage
+- Removed Lock Vault action from the vault list — Log Out achieves the same behaviour
+
+### Added
+
+- Generate Password command (no-view) — copies a random password to clipboard using the configured generation preferences
+- Not-installed gate for `libsecret-tools` with OS-specific install instructions
+- Full custom field type support — field-type dropdown (Text/Hidden/Boolean) in edit forms, show/hide toggle for hidden fields in detail view, boolean fields displayed as Yes/No
+
+### Fixed
+
+- Negative `secret-tool` availability check no longer caches failures, so installing the package and re-opening the command works without restarting Vicinae
+- Use `secret-tool lookup` instead of unsupported `--version` flag for the install check
+- Stripped sensitive fields (passwords, card numbers, TOTP seeds, notes, custom fields) from the LocalStorage vault cache; only display metadata is persisted
+- Restored list-view copy actions (password, card number, security code, TOTP) that were lost after sensitive-field stripping — actions fetch fresh values from the CLI on demand and only appear when the field actually exists on the item
+
+## [0.1.0] - 2026-05-04
+
+Initial release.
+
+### Added
+
+- Search Vault command — browse items grouped by Folder, filter by name, and copy credentials (password, username, TOTP, etc.) with a keystroke
+- Create Item command — add new Login, Card, Identity, or Secure Note entries to the vault
+- Log Out command — clear stored Session and API key
+- Unlock gate with masked master password input and Session caching via LocalStorage
+- Automatic vault Sync after Unlock
+- Preference-based configuration for server region (US cloud, EU cloud, or self-hosted), API key (client ID + client secret), and password generation options
+- Item type-specific actions: copy password/username/TOTP/URL for Logins, copy number/code for Cards, copy name/email/phone for Identities, view notes for Secure Notes
+- Item Detail view with full field inspection and show/hide password toggle
+- Edit item with dynamic custom field support
+- Generate password action with configurable length and character sets
+- Delete item from vault list
+- Create new folder from the search view
+- Cached vault items and favicons for instant loading on subsequent opens

extensions/bitwarden/README.md

@@ -0,0 +1,127 @@
+<div align="center">
+  <img src="https://raw.githubusercontent.com/edmogeor/vicinae-bitwarden/master/assets/extension_icon.png" width="140" alt="Bitwarden for Vicinae Logo"/>
+  <h1>Bitwarden for Vicinae</h1>
+  <p>
+    <a href="https://github.com/edmogeor/vicinae-bitwarden/actions/workflows/ci.yml">
+      <img src="https://github.com/edmogeor/vicinae-bitwarden/actions/workflows/ci.yml/badge.svg?branch=master" alt="CI"/>
+    </a>
+    <a href="https://github.com/edmogeor/vicinae-bitwarden/releases">
+      <img src="https://img.shields.io/github/v/release/edmogeor/vicinae-bitwarden" alt="version"/>
+    </a>
+    <a href="https://github.com/fallow-rs/fallow">
+      <img src="https://raw.githubusercontent.com/edmogeor/vicinae-bitwarden/badges/badge.svg" alt="fallow health"/>
+    </a>
+    <a href="./LICENSE">
+      <img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License: MIT"/>
+    </a>
+  </p>
+</div>
+
+Keyboard-driven access to your Bitwarden vault — right from the Vicinae launcher. Unlock once with your master password, then search for any item, copy credentials, grab a TOTP code, or create new entries, all without leaving the keyboard.
+
+## Prerequisites
+
+- **[Bitwarden CLI](https://bitwarden.com/download/)** (`bw`) must be installed and on your PATH.
+- **`libsecret-tools`** is needed for secure session storage in your system keyring:
+  - **Debian / Ubuntu**: `sudo apt install libsecret-tools`
+  - **Fedora**: `sudo dnf install libsecret`
+  - **Arch**: `sudo pacman -S libsecret`
+
+## Installation
+
+Install from the Vicinae Extensions Store (Pending), or build from source:
+
+```bash
+git clone https://github.com/edmogeor/vicinae-bitwarden.git
+cd vicinae-bitwarden
+npm install
+npm run build
+```
+
+## Configuration
+
+Set these preferences in the extension settings before you start. Generate your API key from the Bitwarden web vault under **Settings → Security → View API key**.
+
+### Connection
+
+| Preference            | Type      | Description                                                                    |
+| --------------------- | --------- | ------------------------------------------------------------------------------ |
+| Server Region         | dropdown  | `bitwarden.com` (US), `bitwarden.eu` (EU), or `Self-hosted`                    |
+| Custom Server URL     | textfield | Required when Server Region is `Self-hosted`. e.g. `https://vault.example.com` |
+| Custom CA Certificate | file      | Path to a custom CA cert bundle for self-hosted servers with a private CA      |
+| API Client ID         | textfield | Your personal API key `client_id`                                              |
+| API Client Secret     | textfield | Your personal API key `client_secret`                                          |
+
+### Security
+
+| Preference        | Type     | Description                                                                                               |
+| ----------------- | -------- | --------------------------------------------------------------------------------------------------------- |
+| Auto-Lock Timeout | dropdown | Lock the vault after inactivity. Options: Never, 15 min, 30 min, 1 h, 2 h, 6 h, 12 h, 24 h (default: 6 h) |
+
+### File Attachments
+
+| Preference         | Type      | Description                                                               |
+| ------------------ | --------- | ------------------------------------------------------------------------- |
+| Download Directory | textfield | Where attached files are saved. Defaults to `~/Downloads` when left empty |
+
+### Password Generation
+
+| Preference        | Type      | Description                                              |
+| ----------------- | --------- | -------------------------------------------------------- |
+| Password Length   | textfield | Characters per generated password (default: `20`)        |
+| Include Uppercase | checkbox  | Include A–Z (default: on)                                |
+| Include Lowercase | checkbox  | Include a–z (default: on)                                |
+| Include Numbers   | checkbox  | Include 0–9 (default: on)                                |
+| Include Symbols   | checkbox  | Include special characters like `!@#$%^&*` (default: on) |
+
+## Commands
+
+### Search Vault
+
+Filter your vault by name (case-insensitive). Items are grouped by Folder so you can browse at a glance.
+
+**Item actions** available from the list:
+
+| Item type   | Quick actions                                             |
+| ----------- | --------------------------------------------------------- |
+| Login       | Copy password, username, TOTP code; open URL; view detail |
+| Card        | Copy number, security code; view detail                   |
+| Identity    | Copy name, email, phone; view detail                      |
+| Secure Note | View note text                                            |
+
+**Detail view** shows every field for the item, plus:
+
+- A TOTP countdown timer with a live verification code that refreshes every 30 seconds.
+- Per-field copy and show/hide toggles for each custom field.
+- File attachments — download them directly from the detail view.
+
+A **Sync Now** action pulls the latest vault state from the server.
+
+### Search TOTP Codes
+
+Browse every account that has TOTP two-factor authentication set up. Live verification codes are displayed next to each item with a 30-second countdown timer. Press a key to copy the code — no need to open the item first.
+
+### Create Item
+
+Add a new Login, Card, Identity, or Secure Note to your vault. The form adapts its fields to the item type you pick. You can also:
+
+- Attach files to any item you create or edit.
+- Add custom fields of type Text, Hidden, or Boolean.
+
+### Log Out
+
+Clears your API key session and removes the cached token from the system keyring. The next command invocation will prompt you for your master password.
+
+### Generate Password
+
+Creates a random password using your configured settings (length, character sets) and copies it straight to your clipboard. No vault access needed.
+
+## Session Caching
+
+Once unlocked, your session token is stored securely in the system keyring via `secret-tool`. Future command invocations show your vault immediately — no need to re-enter your master password until the token expires.
+
+If you enabled **Auto-Lock Timeout**, the vault locks itself after the chosen period of inactivity so your data is never left exposed.
+
+## License
+
+[MIT](./LICENSE)