up

scripts/rotate-policy-cli-secret.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: rotate-policy-cli-secret.sh [--output <path>] [--dry-run]
+
+Generates a new random shared secret suitable for the Authority
+`policy-cli` client and optionally writes it to the target file
+in `etc/secrets/` with the standard header comment.
+
+Options:
+  --output <path>  Destination file (default: etc/secrets/policy-cli.secret)
+  --dry-run        Print the generated secret to stdout without writing.
+  -h, --help       Show this help.
+EOF
+}
+
+OUTPUT="etc/secrets/policy-cli.secret"
+DRY_RUN=0
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --output)
+      OUTPUT="$2"
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown argument: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if ! command -v openssl >/dev/null 2>&1; then
+  echo "openssl is required to generate secrets" >&2
+  exit 1
+fi
+
+# Generate a 48-byte random secret, base64 encoded without padding.
+RAW_SECRET=$(openssl rand -base64 48 | tr -d '\n=')
+SECRET="policy-cli-${RAW_SECRET}"
+
+if [[ "$DRY_RUN" -eq 1 ]]; then
+  echo "$SECRET"
+  exit 0
+fi
+
+cat <<EOF > "$OUTPUT"
+# generated $(date -u +%Y-%m-%dT%H:%M:%SZ) via scripts/rotate-policy-cli-secret.sh
+$SECRET
+EOF
+
+echo "Wrote new policy-cli secret to $OUTPUT"