baa-conductor


commit
23a84de
parent
d574288
author
im_wower
date
2026-03-23 22:19:20 +0800 CST
feat(runtime): add shared token generator
2 files changed,  +93, -0
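--- a/docs/runtime/launchd.md
+++ b/docs/runtime/launchd.md
@@ -28,6 +28,14 @@
 
 - `~/.config/baa-conductor/shared-token.txt`
 
+如果你只是想先生成一个新的本地 token,再安装运行面,可以直接执行:
+
+```bash
+./scripts/runtime/generate-shared-token.sh
+```
+
+默认会生成一个 32-byte hex token,并写入上面的固定路径。
+
 如果这个文件不存在,脚本会尝试从:
 
 - `~/.config/baa-conductor/runtime-secrets.env`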
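--- a/scripts/runtime/generate-shared-token.sh
+++ b/scripts/runtime/generate-shared-token.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=./common.sh
+source "${SCRIPT_DIR}/common.sh"
+
+usage() {
+  cat <<'EOF'
+Usage:
+  scripts/runtime/generate-shared-token.sh [options]
+
+Options:
+  --output PATH     Target file. Defaults to ~/.config/baa-conductor/shared-token.txt
+  --bytes N         Random byte length before encoding. Defaults to 32.
+  --hex             Write hex output. This is the default.
+  --base64          Write base64 output.
+  --help            Show this help text.
+
+Notes:
+  The generated token is written with mode 600.
+  Re-run install-mini.sh or install-launchd.sh after rotating this file so launchd
+  services pick up the new BAA_SHARED_TOKEN value.
+EOF
+}
+
+require_command chmod
+require_command mkdir
+require_command openssl
+
+output_path="${HOME:-$(default_home_dir)}/.config/baa-conductor/shared-token.txt"
+byte_length="32"
+encoding="hex"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --output)
+      output_path="$2"
+      shift 2
+      ;;
+    --bytes)
+      byte_length="$2"
+      shift 2
+      ;;
+    --hex)
+      encoding="hex"
+      shift
+      ;;
+    --base64)
+      encoding="base64"
+      shift
+      ;;
+    --help)
+      usage
+      exit 0
+      ;;
+    *)
+      die "Unknown option: $1"
+      ;;
+  esac
+done
+
+if ! [[ "$byte_length" =~ ^[0-9]+$ ]] || [[ "$byte_length" -le 0 ]]; then
+  die "--bytes must be a positive integer."
+fi
+
+ensure_directory "$(dirname "$output_path")" "700"
+
+case "$encoding" in
+  hex)
+    token="$(openssl rand -hex "$byte_length")"
+    ;;
+  base64)
+    token="$(openssl rand -base64 "$byte_length" | tr -d '\n')"
+    ;;
+  *)
+    die "Unsupported encoding: $encoding"
+    ;;
+esac
+
+printf '%s\n' "$token" >"$output_path"
+chmod 600 "$output_path"
+
+runtime_log "generated BAA_SHARED_TOKEN at ${output_path}"
+runtime_log "encoding=${encoding} bytes=${byte_length}"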
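Review bot: The token is written to `$output_path` before `chmod 600` runs, so a newly created file takes its mode from the caller's umask (commonly 0644) and the secret is readable by other local users until the chmod on the following line completes. Setting `umask 077` once, right after `set -euo pipefail`, closes that window for new files. When the target already exists with a looser mode, the redirect still writes the new token under the old permissions; writing to a temporary file created in the same directory under that umask and then renaming it over `$output_path` would cover rotation as well and avoid writing through a symlink at that path. `ensure_directory` comes from common.sh, outside this diff, so whether a pre-existing parent directory is tightened to 700 cannot be confirmed from here.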