From 8ecc8db2173b851220ad88a133a6e45f82cd923f Mon Sep 17 00:00:00 2001
From: MaksTinyWorkshop
Date: Thu, 26 Mar 2026 18:52:36 +0100
Subject: [PATCH] =?UTF-8?q?refactor(scripts):=20supprimer=20expect=20?= =?UTF-8?q?=E2=80=94=20passer=20le=20mdp=20via=20stdin=20=C3=A0=20keepassx?= =?UTF-8?q?c-cli?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 scripts/load-global-secrets.sh | 33 ++++----------------------
 scripts/sync-service-secrets.sh | 42 ++++++---------------------------
 2 files changed, 12 insertions(+), 63 deletions(-)
diff --git a/scripts/load-global-secrets.sh b/scripts/load-global-secrets.sh
index 211ce34..d8b7cfb 100755
--- a/scripts/load-global-secrets.sh
+++ b/scripts/load-global-secrets.sh
@@ -13,11 +13,6 @@ _load_global_secrets() {
 return 1
 fi
- if ! command -v expect >/dev/null 2>&1; then
- echo "expect introuvable" >&2
- return 1
- fi
-
 if [ -z "${KDBX_PASSWORD:-}" ]; then
 printf "Mot de passe KeePassXC : " >&2
 stty -echo
@@ -28,39 +23,21 @@ _load_global_secrets() {
 echo "Chargement des secrets globaux..." >&2
- # Export CSV complet — log_file capture tout dès le début du spawn
- local tmpfile
- tmpfile=$(mktemp)
- KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" TMPFILE="$tmpfile" expect <<'EOF'
- log_user 0
- log_file -noappend $env(TMPFILE)
- set timeout 30
- spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
- expect "Saisir le mot de passe pour déverrouiller*"
- send -- "$env(KDBX_PASSWORD)\r"
- expect eof
- catch wait result
- exit [lindex $result 3]
-EOF
- local rc=$?
 local csv
- csv=$(cat "$tmpfile")
- rm -f "$tmpfile"
- [ $rc -ne 0 ] && { echo "Impossible d'exporter le coffre." >&2; return 1; }
+ csv=$(printf '%s\n' "$KDBX_PASSWORD" | keepassxc-cli export --format csv "$SECRETS_KDBX" 2>/dev/null) || {
+ echo "Impossible d'exporter le coffre." >&2
+ return 1
+ }
- # Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs
- # On cherche la ligne d'en-tête CSV pour ignorer le bruit du buffer expect
 local pairs
 pairs=$(printf '%s' "$csv" | python3 -c "
 import sys, csv, re, io
 raw = sys.stdin.read()
-# Trouver la ligne d'en-tête CSV
 start = raw.find('\"Group\"')
 if start == -1:
 sys.exit(0)
-clean = raw[start:]
-reader = csv.DictReader(io.StringIO(clean))
+reader = csv.DictReader(io.StringIO(raw[start:]))
 for row in reader:
 group = row.get('Group', '')
 title = row.get('Title', '')
diff --git a/scripts/sync-service-secrets.sh b/scripts/sync-service-secrets.sh
index d54e468..8243ad6 100755
--- a/scripts/sync-service-secrets.sh
+++ b/scripts/sync-service-secrets.sh
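Review bot: The `2>/dev/null` on the new `keepassxc-cli export` line in `_load_global_secrets` discards every diagnostic, so a wrong password, an unreadable database or a required key file all end in the same "Impossible d'exporter le coffre." with nothing to tell them apart. If the redirect is only there to hide the password prompt, `--quiet` does that without muting errors: `csv=$(printf '%s\n' "$KDBX_PASSWORD" | keepassxc-cli export --quiet --format csv "$SECRETS_KDBX") || {`. The identical line in `_sync_service_secrets` (hunk `@@ -39,28 +28,12 @@` of scripts/sync-service-secrets.sh) needs the same change. A comment above it such as `# password is fed on stdin; relies on printf being a shell builtin so it never reaches argv` would record why the pipe is safe, since the scripts' shebang is not visible here. The function starts and ends outside the hunk.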
@@ -13,18 +13,7 @@ _sync_service_secrets() {
 return 1
 fi
- if ! command -v expect >/dev/null 2>&1; then
- echo "expect introuvable" >&2
- return 1
- fi
-
- local target_file
- case "$(uname -s)" in
- Darwin) target_file="$HOME/.config/auto-secrets/service.env" ;;
- Linux) target_file="$HOME/.config/auto-secrets/service.env" ;;
- *) echo "OS non supporté" >&2; return 1 ;;
- esac
-
+ local target_file="$HOME/.config/auto-secrets/service.env"
 mkdir -p "$(dirname "$target_file")"
 touch "$target_file"
 chmod 600 "$target_file"
@@ -39,28 +28,12 @@ _sync_service_secrets() {
 echo "Sync des secrets de service..." >&2
- # Export CSV complet — log_file capture tout dès le début du spawn
- local tmpfile
- tmpfile=$(mktemp)
- KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" TMPFILE="$tmpfile" expect <<'EOF'
- log_user 0
- log_file -noappend $env(TMPFILE)
- set timeout 30
- spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
- expect "Saisir le mot de passe pour déverrouiller*"
- send -- "$env(KDBX_PASSWORD)\r"
- expect eof
- catch wait result
- exit [lindex $result 3]
-EOF
- local rc=$?
 local csv
- csv=$(cat "$tmpfile")
- rm -f "$tmpfile"
- [ $rc -ne 0 ] && { echo "Impossible d'exporter le coffre." >&2; return 1; }
+ csv=$(printf '%s\n' "$KDBX_PASSWORD" | keepassxc-cli export --format csv "$SECRETS_KDBX" 2>/dev/null) || {
+ echo "Impossible d'exporter le coffre." >&2
+ return 1
+ }
- # Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs
- # On cherche la ligne d'en-tête CSV pour ignorer le bruit du buffer expect
 local rendered_lines
 rendered_lines=$(printf '%s' "$csv" | python3 -c "
 import sys, csv, re, io
@@ -69,8 +42,7 @@ raw = sys.stdin.read()
 start = raw.find('\"Group\"')
 if start == -1:
 sys.exit(0)
-clean = raw[start:]
-reader = csv.DictReader(io.StringIO(clean))
+reader = csv.DictReader(io.StringIO(raw[start:]))
 for row in reader:
 group = row.get('Group', '')
 title = row.get('Title', '')
@@ -90,7 +62,7 @@ for row in reader:
 fi
 local loaded
- loaded=$(echo "$rendered_lines" | grep -c '.')
+ loaded=$(printf '%s' "$rendered_lines" | grep -c '.')
 printf '%s\n' "$rendered_lines" > "$target_file"
 chmod 600 "$target_file"