feat: add background key rotation via LaunchAgent

cmd/cassh-menubar/main.go

@@ -79,6 +79,19 @@ type ConnectionStatus struct {
 
 func main() {
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
+
+	// Check for headless mode flags
+	if len(os.Args) > 1 {
+		switch os.Args[1] {
+		case "--rotate-keys":
+			runHeadlessKeyRotation()
+			return
+		case "--version":
+			fmt.Printf("cassh %s (commit %s)\n", version, buildCommit)
+			return
+		}
+	}
+
 	log.Println("Starting cassh-menubar...")
 
 	// Initialize native notifications (request permission)
@@ -397,10 +410,19 @@ func handleConnectionAction(connID string) {
 		return
 	}
 
+	// Find the connection index for UI updates
+	connIdx := -1
+	for i, c := range cfg.User.Connections {
+		if c.ID == connID {
+			connIdx = i
+			break
+		}
+	}
+
 	if conn.Type == config.ConnectionTypeEnterprise {
 		generateCertForConnection(conn)
 	} else {
-		refreshKeyForConnection(conn)
+		refreshKeyForConnection(conn, connIdx)
 	}
 }
 
@@ -478,7 +500,7 @@ func generateCertForConnection(conn *config.Connection) {
 }
 
 // refreshKeyForConnection handles key refresh for personal GitHub connection
-func refreshKeyForConnection(conn *config.Connection) {
+func refreshKeyForConnection(conn *config.Connection, connIdx int) {
 	// Check if gh CLI is authenticated
 	ghStatus := checkGHAuth()
 	if !ghStatus.Installed {
@@ -494,6 +516,9 @@ func refreshKeyForConnection(conn *config.Connection) {
 	if err := rotatePersonalGitHubSSH(conn); err != nil {
 		log.Printf("Failed to rotate key: %v", err)
 		sendNotification("cassh", fmt.Sprintf("Failed to rotate key: %v", err), false)
+		if connIdx >= 0 {
+			updateConnectionStatus(connIdx)
+		}
 		return
 	}
 
@@ -502,6 +527,11 @@ func refreshKeyForConnection(conn *config.Connection) {
 		log.Printf("Failed to save config after key rotation: %v", err)
 	}
 
+	// Update UI immediately
+	if connIdx >= 0 {
+		updateConnectionStatus(connIdx)
+	}
+
 	sendNotification("cassh", fmt.Sprintf("SSH key rotated for %s", conn.Name), false)
 	log.Printf("Rotated SSH key for: %s", conn.Name)
 }
@@ -1182,7 +1212,6 @@ func formatDuration(d time.Duration) string {
 	return fmt.Sprintf("%d minutes", minutes)
 }
 
-
 // uninstallCassh removes cassh and all its data from the system
 func uninstallCassh() {
 	// Show confirmation dialog
@@ -1214,16 +1243,21 @@ func uninstallCassh() {
 		removeGitConfigForConnection(&conn)
 	}
 
-	// 2. Unregister from login items (SMAppService) and remove LaunchAgent
+	// 2. Unregister from login items (SMAppService) and remove LaunchAgents
 	unregisterAsLoginItem()
-	// Remove user-level LaunchAgent
+	// Remove user-level LaunchAgents
 	userLaunchAgentPath := filepath.Join(homeDir, "Library", "LaunchAgents", "com.shawnschwartz.cassh.plist")
 	exec.Command("launchctl", "unload", userLaunchAgentPath).Run()
 	os.Remove(userLaunchAgentPath)
-	// Remove system-level LaunchAgent (installed by PKG)
+	userRotateAgentPath := filepath.Join(homeDir, "Library", "LaunchAgents", "com.shawnschwartz.cassh.rotate.plist")
+	exec.Command("launchctl", "unload", userRotateAgentPath).Run()
+	os.Remove(userRotateAgentPath)
+	// Remove system-level LaunchAgents (installed by PKG)
 	systemLaunchAgentPath := "/Library/LaunchAgents/com.shawnschwartz.cassh.plist"
 	exec.Command("launchctl", "unload", systemLaunchAgentPath).Run()
-	// System LaunchAgent requires admin to remove - will be handled by the uninstall script
+	systemRotateAgentPath := "/Library/LaunchAgents/com.shawnschwartz.cassh.rotate.plist"
+	exec.Command("launchctl", "unload", systemRotateAgentPath).Run()
+	// System LaunchAgents require admin to remove - will be handled by the uninstall script
 
 	// 3. Remove Application Support directory (contains user config)
 	appSupportDir := filepath.Join(homeDir, "Library", "Application Support", "cassh")
@@ -1264,7 +1298,7 @@ LAUNCH_AGENT='/Library/LaunchAgents/com.shawnschwartz.cassh.plist'
 
 # Create AppleScript to run with admin privileges
 cat > /tmp/cassh_uninstall.scpt << 'APPLESCRIPT'
-do shell script "rm -rf '/Applications/cassh.app' '/Library/LaunchAgents/com.shawnschwartz.cassh.plist' 2>/dev/null || true" with prompt "cassh needs to remove the application." with administrator privileges
+do shell script "rm -rf '/Applications/cassh.app' '/Library/LaunchAgents/com.shawnschwartz.cassh.plist' '/Library/LaunchAgents/com.shawnschwartz.cassh.rotate.plist' 2>/dev/null || true" with prompt "cassh needs to remove the application." with administrator privileges
 APPLESCRIPT
 
 if osascript /tmp/cassh_uninstall.scpt 2>/dev/null; then
@@ -1279,12 +1313,13 @@ rm -f /tmp/cassh_uninstall.scpt
 rm -f "$0"
 `, appPath)
 	} else if appPath != "" {
-		// Can delete app without admin privileges, but still try to remove system LaunchAgent
+		// Can delete app without admin privileges, but still try to remove system LaunchAgents
 		uninstallScript = fmt.Sprintf(`#!/bin/bash
 sleep 2
 rm -rf '%s'
-# Try to remove system LaunchAgent (may fail without admin)
+# Try to remove system LaunchAgents (may fail without admin)
 rm -f /Library/LaunchAgents/com.shawnschwartz.cassh.plist 2>/dev/null || true
+rm -f /Library/LaunchAgents/com.shawnschwartz.cassh.rotate.plist 2>/dev/null || true
 osascript -e 'display notification "cassh has been uninstalled" with title "Uninstall Complete"'
 rm -f "$0"
 `, appPath)
@@ -2014,8 +2049,8 @@ func findGHBinary() string {
 
 	// Check common Homebrew locations
 	commonPaths := []string{
-		"/opt/homebrew/bin/gh",  // Apple Silicon
-		"/usr/local/bin/gh",     // Intel Mac
+		"/opt/homebrew/bin/gh",              // Apple Silicon
+		"/usr/local/bin/gh",                 // Intel Mac
 		"/home/linuxbrew/.linuxbrew/bin/gh", // Linux Homebrew
 	}
 
@@ -2113,6 +2148,28 @@ func generateSSHKeyForPersonal(conn *config.Connection) error {
 	return nil
 }
 
+// getKeyTitle generates a unique SSH key title for GitHub
+// Format: cassh-{connID}@{hostname} (e.g., cassh-personal-123@MacBook-Pro)
+func getKeyTitle(connID string) string {
+	hostname, err := os.Hostname()
+	if err != nil || hostname == "" {
+		hostname = "unknown"
+	}
+	// Clean hostname - replace dots with dashes for cleaner display
+	hostname = strings.ReplaceAll(hostname, ".", "-")
+	// Truncate long hostnames
+	if len(hostname) > 30 {
+		hostname = hostname[:30]
+	}
+	return fmt.Sprintf("cassh-%s@%s", connID, hostname)
+}
+
+// getLegacyKeyTitle returns the old key title format without hostname
+// Used for backwards compatibility when looking up existing keys
+func getLegacyKeyTitle(connID string) string {
+	return fmt.Sprintf("cassh-%s", connID)
+}
+
 // uploadSSHKeyToGitHub uploads an SSH public key to GitHub using gh CLI
 // Returns the GitHub key ID for later deletion
 func uploadSSHKeyToGitHub(keyPath string, title string) (string, error) {
@@ -2145,6 +2202,7 @@ func uploadSSHKeyToGitHub(keyPath string, title string) (string, error) {
 }
 
 // findGitHubKeyIDByTitle finds the GitHub SSH key ID by its title
+// Also checks legacy title format for backward compatibility
 func findGitHubKeyIDByTitle(title string) string {
 	cmd := exec.Command(findGHBinary(), "ssh-key", "list")
 	output, err := cmd.Output()
@@ -2153,18 +2211,41 @@ func findGitHubKeyIDByTitle(title string) string {
 		return ""
 	}
 
+	// Prepare legacy title if applicable
+	// Check for new format (cassh-{connID}@{hostname}) vs legacy (cassh-{connID})
+	var legacyTitle string
+	if strings.Contains(title, "@") && strings.HasPrefix(title, "cassh-") {
+		// Extract connection ID from new title format (cassh-{connID}@{hostname})
+		withoutPrefix := strings.TrimPrefix(title, "cassh-")
+		parts := strings.Split(withoutPrefix, "@")
+		// Validate both connection ID and hostname are present
+		if len(parts) >= 2 && parts[0] != "" && parts[1] != "" {
+			connID := parts[0]
+			legacyTitle = getLegacyKeyTitle(connID)
+		}
+	}
+
 	// Parse output to find our key
-	// Format: "TITLE    TYPE    ADDED    KEY_ID"
+	// Format: "TITLE    TYPE    KEY    ADDED    KEY_ID    KEY_TYPE"
+	// Example: "cassh-personal-123    ssh-ed25519    AAAA...    2025-12-09T02:43:40Z    137889594    authentication"
 	lines := strings.Split(string(output), "\n")
 	for _, line := range lines {
-		if strings.Contains(line, title) {
-			fields := strings.Fields(line)
-			if len(fields) >= 4 {
-				// Key ID is typically the last field
-				return fields[len(fields)-1]
+		fields := strings.Fields(line)
+		if len(fields) >= 5 {
+			keyTitle := fields[0]
+			keyID := fields[len(fields)-2] // Key ID is the second-to-last field
+			// Check for exact match with new title format
+			if keyTitle == title {
+				return keyID
+			}
+			// Check for exact match with legacy title format (if applicable)
+			if legacyTitle != "" && keyTitle == legacyTitle {
+				log.Printf("Found key with legacy title format: %s", legacyTitle)
+				return keyID
 			}
 		}
 	}
+
 	return ""
 }
 
@@ -2198,7 +2279,7 @@ func setupPersonalGitHubSSH(conn *config.Connection) error {
 	}
 
 	// 2. Upload to GitHub
-	keyTitle := fmt.Sprintf("cassh-%s", conn.ID)
+	keyTitle := getKeyTitle(conn.ID)
 	keyID, err := uploadSSHKeyToGitHub(conn.SSHKeyPath, keyTitle)
 	if err != nil {
 		return fmt.Errorf("key upload failed: %w", err)
@@ -2217,10 +2298,31 @@ func rotatePersonalGitHubSSH(conn *config.Connection) error {
 	log.Printf("Rotating SSH key for %s", conn.Name)
 
 	// 1. Delete old key from GitHub
-	if conn.GitHubKeyID != "" {
-		if err := deleteSSHKeyFromGitHub(conn.GitHubKeyID); err != nil {
-			log.Printf("Warning: failed to delete old key: %v", err)
+	keyID := conn.GitHubKeyID
+	if keyID == "" {
+		// Try to find by current title
+		keyID = findGitHubKeyIDByTitle(getKeyTitle(conn.ID))
+		if keyID == "" {
+			// Try to find by legacy title
+			keyID = findGitHubKeyIDByTitle(getLegacyKeyTitle(conn.ID))
+		}
+	}
+	if keyID != "" {
+		if err := deleteSSHKeyFromGitHub(keyID); err != nil {
+			log.Printf("Warning: failed to delete old key (ID: %s): %v", keyID, err)
 			// Continue anyway - we still want to generate a new key
+		} else {
+			log.Printf("Deleted old GitHub SSH key (ID: %s)", keyID)
+		}
+	} else if conn.ID != "" {
+		// No stored key ID - try to find and delete using both new and legacy title formats
+		// This handles migration from older versions where GitHubKeyID wasn't tracked
+		keyTitle := getKeyTitle(conn.ID)
+		if keyID := findGitHubKeyIDByTitle(keyTitle); keyID != "" {
+			log.Printf("Found existing key on GitHub during rotation (ID: %s)", keyID)
+			if err := deleteSSHKeyFromGitHub(keyID); err != nil {
+				log.Printf("Warning: failed to delete existing key: %v", err)
+			}
 		}
 	}
 
@@ -2234,17 +2336,17 @@ func rotatePersonalGitHubSSH(conn *config.Connection) error {
 	}
 
 	// 4. Upload new key to GitHub
-	keyTitle := fmt.Sprintf("cassh-%s", conn.ID)
-	keyID, err := uploadSSHKeyToGitHub(conn.SSHKeyPath, keyTitle)
+	keyTitle := getKeyTitle(conn.ID)
+	newKeyID, err := uploadSSHKeyToGitHub(conn.SSHKeyPath, keyTitle)
 	if err != nil {
 		return fmt.Errorf("key upload failed: %w", err)
 	}
 
 	// 5. Update connection metadata
-	conn.GitHubKeyID = keyID
+	conn.GitHubKeyID = newKeyID
 	conn.KeyCreatedAt = time.Now().Unix()
 
-	log.Printf("SSH key rotated for %s (new key ID: %s)", conn.Name, keyID)
+	log.Printf("SSH key rotated for %s (new key ID: %s)", conn.Name, newKeyID)
 	return nil
 }
 
@@ -2311,6 +2413,68 @@ func checkAndRotateExpiredKeys() {
 	}
 }
 
+// runHeadlessKeyRotation runs key rotation without starting the GUI
+// This is called when the app is launched with --rotate-keys flag
+// Used by the LaunchAgent for background key rotation
+func runHeadlessKeyRotation() {
+	log.Println("Running headless key rotation...")
+
+	// Load config
+	userCfg, err := config.LoadUserConfig()
+	if err != nil {
+		log.Printf("Could not load user config: %v", err)
+		os.Exit(1)
+	}
+
+	if len(userCfg.Connections) == 0 {
+		log.Println("No connections configured, nothing to rotate")
+		os.Exit(0)
+	}
+
+	// Check if gh CLI is available
+	ghStatus := checkGHAuth()
+	if !ghStatus.Installed {
+		log.Println("GitHub CLI (gh) not installed, cannot rotate keys")
+		os.Exit(1)
+	}
+	if !ghStatus.Authenticated {
+		log.Println("GitHub CLI not authenticated, cannot rotate keys")
+		os.Exit(1)
+	}
+
+	rotatedCount := 0
+	for i := range userCfg.Connections {
+		conn := &userCfg.Connections[i]
+		if needsKeyRotation(conn) {
+			log.Printf("Key rotation needed for %s (age: %v, policy: %dh)",
+				conn.Name,
+				time.Since(time.Unix(conn.KeyCreatedAt, 0)).Round(time.Hour),
+				conn.KeyRotationHours)
+
+			if err := rotatePersonalGitHubSSH(conn); err != nil {
+				log.Printf("Failed to rotate key for %s: %v", conn.Name, err)
+				continue
+			}
+
+			rotatedCount++
+			log.Printf("Successfully rotated key for %s", conn.Name)
+		}
+	}
+
+	// Save config if any keys were rotated
+	if rotatedCount > 0 {
+		if err := config.SaveUserConfig(userCfg); err != nil {
+			log.Printf("Failed to save config: %v", err)
+			os.Exit(1)
+		}
+		log.Printf("Rotated %d key(s)", rotatedCount)
+	} else {
+		log.Println("No keys needed rotation")
+	}
+
+	os.Exit(0)
+}
+
 // scheduleRestart restarts the app to rebuild the menu after adding connections
 func scheduleRestart() {
 	// Wait for the HTTP response to be sent

packaging/macos/com.shawnschwartz.cassh.rotate.plist

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>com.shawnschwartz.cassh.rotate</string>
+
+    <key>ProgramArguments</key>
+    <array>
+        <string>/Applications/cassh.app/Contents/MacOS/cassh</string>
+        <string>--rotate-keys</string>
+    </array>
+
+    <!-- Run every hour (no immediate execution on load) -->
+    <key>StartInterval</key>
+    <integer>3600</integer>
+
+    <!-- Also run shortly after load (30 seconds delay) -->
+    <key>RunAtLoad</key>
+    <true/>
+
+    <!-- Low priority background task -->
+    <key>ProcessType</key>
+    <string>Background</string>
+
+    <!-- Nice value for low CPU priority -->
+    <key>Nice</key>
+    <integer>10</integer>
+
+    <!-- Logging -->
+    <key>StandardOutPath</key>
+    <string>~/Library/Logs/cassh/cassh-rotate.log</string>
+    <key>StandardErrorPath</key>
+    <string>~/Library/Logs/cassh/cassh-rotate.log</string>
+</dict>
+</plist>