Add interactive setup wizard and authentication management; enhance release workflow with version checks and checksum generation

Author: Kinin-Code-Offical

.github/workflows/release.yml

@@ -23,12 +23,25 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Check Version
+        run: |
+          $tag = $env:GITHUB_REF -replace 'refs/tags/v', ''
+          $pkg = Get-Content package.json | ConvertFrom-Json
+          if ($pkg.version -ne $tag) {
+            Write-Error "Version mismatch: Tag $tag vs Package $($pkg.version)"
+            exit 1
+          }
+
       - name: Build
         run: npm run build
 
       - name: Package
         run: npm run package
 
+      - name: Generate Checksums
+        run: |
+          Get-FileHash dist\*, installer\Output\* -Algorithm SHA256 | Select-Object Hash, Path | ForEach-Object { "$($_.Hash)  $(Split-Path $_.Path -Leaf)" } | Out-File SHA256SUMS.txt
+
       - name: Install Inno Setup
         run: choco install innosetup
 

CHANGELOG_DRAFT.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.3.0] - 2025-12-21
+
+### Added
+
+- **Setup Wizard**: New `setup` command for interactive initialization.
+- **Authentication**: New `auth` command suite (`login`, `adc`, `status`, `set-service-account`).
+- **Service Account Support**: Securely manage service account keys with ACL hardening.
+- **Windows Service**: Enhanced `service` command with `install` and `configure` options for instance/port.
+- **Installer**: Improved Inno Setup script with smart binary reuse and permission management.
+- **Diagnostics**: Expanded `doctor` command to check ADC, network connectivity, and service credentials.
+
+### Changed
+
+- **Proxy**: `startProxy` now respects `GOOGLE_APPLICATION_CREDENTIALS` from environment or config.
+- **Logging**: Credential paths are now masked in logs.
+- **CLI**: Version is now dynamically read from `package.json`.
+- **Release**: Added SHA256 checksum generation to release workflow.
+
 ## [0.2.0] - 2025-12-21
 
 ### Added

README.md

@@ -4,16 +4,26 @@
 
 ## Features
 
+- **Setup Wizard**: Interactive `setup` command to get everything running in minutes.
+- **Authentication Management**: Built-in `auth` command for gcloud login, ADC setup, and Service Account management.
 - **Automated Installation**: Downloads and verifies the official Cloud SQL Proxy binary.
 - **Instance Management**: Lists and selects Cloud SQL instances using your active `gcloud` configuration.
-- **Process Management**: Starts, stops, and restarts the proxy as a background process with PID tracking.
-- **Structured Logging**: JSON logging with automatic masking of sensitive tokens, stored in `%LOCALAPPDATA%`.
-- **Diagnostics**: Built-in `doctor` command to check environment health (gcloud, ADC, network).
+- **Process Management**: Starts, stops, and restarts the proxy as a background process or Windows Service.
+- **Structured Logging**: JSON logging with automatic masking of sensitive tokens.
+- **Diagnostics**: Built-in `doctor` command to check environment health (gcloud, ADC, network, service).
 - **Self-Update**: Easily update the proxy binary to the latest version.
 
 ## Installation
 
-Download the latest `cloudsqlctl.exe` from the [Releases](https://github.com/your-org/cloudsqlctl/releases) page and add it to your PATH.
+Download the latest installer (`cloudsqlctl-setup.exe`) from the [Releases](https://github.com/Kinin-Code-Offical/cloudsqlctl/releases) page.
+
+## Quick Start
+
+Run the setup wizard to configure gcloud, authentication, and the proxy:
+
+```powershell
+cloudsqlctl setup
+```
 
 ## Usage
 
@@ -23,29 +33,53 @@ cloudsqlctl [command] [options]
 
 ### Commands
 
-| Command   | Description                                                   |
-| :-------- | :------------------------------------------------------------ |
-| `install` | Download and install the Cloud SQL Proxy binary (User scope). |
-| `update`  | Update the Cloud SQL Proxy binary to the latest version.      |
-| `list`    | List available Cloud SQL instances.                           |
-| `select`  | Interactively select a Cloud SQL instance to proxy.           |
-| `connect` | Connect to a specific instance directly.                      |
-| `start`   | Start the proxy for the selected instance.                    |
-| `stop`    | Stop the running proxy process.                               |
-| `service` | Manage Windows Service (Admin required).                      |
-| `env`     | Manage environment variables (User/Machine scope).            |
-| `gcloud`  | Manage Google Cloud CLI (install portable version).           |
-| `restart` | Restart the proxy process.                                    |
-| `status`  | Check if the proxy is running and view details.               |
-| `logs`    | View the tail of the proxy logs.                              |
-| `doctor`  | Run diagnostics to verify environment setup.                  |
-| `reset`   | Reset configuration and remove local files.                   |
-
-### Example
+| Command   | Description                                              |
+| :-------- | :------------------------------------------------------- |
+| `setup`   | Interactive setup wizard (Recommended for first run).    |
+| `auth`    | Manage authentication (Login, ADC, Service Accounts).    |
+| `install` | Download and install the Cloud SQL Proxy binary.         |
+| `update`  | Update the Cloud SQL Proxy binary to the latest version. |
+| `list`    | List available Cloud SQL instances.                      |
+| `select`  | Interactively select a Cloud SQL instance to proxy.      |
+| `connect` | Connect to a specific instance directly.                 |
+| `start`   | Start the proxy for the selected instance.               |
+| `stop`    | Stop the running proxy process.                          |
+| `service` | Manage Windows Service (Admin required).                 |
+| `env`     | Manage environment variables (User/Machine scope).       |
+| `gcloud`  | Manage Google Cloud CLI (install portable version).      |
+| `status`  | Check if the proxy is running and view details.          |
+| `logs`    | View the tail of the proxy logs.                         |
+| `doctor`  | Run diagnostics to verify environment setup.             |
+| `reset`   | Reset configuration and remove local files.              |
+
+### Authentication Modes
+
+**1. Developer Mode (Interactive)**
+Uses your personal Google Cloud credentials via `gcloud`.
 
 ```powershell
-# 1. Install the proxy
-cloudsqlctl install
+cloudsqlctl auth login
+cloudsqlctl auth adc
+```
+
+**2. Machine/Service Mode (Service Account)**
+Uses a Service Account JSON key. Ideal for automated environments or Windows Services.
+
+```powershell
+# Securely install service account key (Machine scope requires Admin)
+cloudsqlctl auth set-service-account --file "C:\path\to\key.json" --scope Machine
+```
+
+### Windows Service
+
+Run the proxy as a Windows Service for background persistence.
+
+```powershell
+# Install service (Admin required)
+cloudsqlctl service install --instance "my-project:region:instance" --port 5432
+
+# Start service
+cloudsqlctl service start
 
 # 2. Select your database instance
 cloudsqlctl select

installer/cloudsqlctl.iss

@@ -43,6 +43,7 @@ Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environmen
 Name: "{commonappdata}\CloudSQLCTL"; Permissions: users-modify
 Name: "{commonappdata}\CloudSQLCTL\logs"; Permissions: users-modify
 Name: "{commonappdata}\CloudSQLCTL\bin"; Permissions: users-modify
+Name: "{commonappdata}\CloudSQLCTL\secrets"; Permissions: admins-full system-full
 
 [Code]
 var

package.json

@@ -1,6 +1,6 @@
 {
   "name": "cloudsqlctl",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Windows-native CLI tool that installs, updates, and manages Google Cloud SQL Auth Proxy via gcloud CLI.",
   "main": "dist/cli.cjs",
   "type": "module",

src/cli.ts

@@ -17,14 +17,20 @@ import { ps1Command } from './commands/ps1.js';
 import { repairCommand } from './commands/repair.js';
 import { checkCommand } from './commands/check.js';
 import { gcloudCommand } from './commands/gcloud.js';
+import { authCommand } from './commands/auth.js';
+import { setupCommand } from './commands/setup.js';
 import { logger } from './core/logger.js';
+import { createRequire } from 'module';
+
+const require = createRequire(import.meta.url);
+const pkg = require('../package.json');
 
 const program = new Command();
 
 program
     .name('cloudsqlctl')
     .description('CLI for managing Google Cloud SQL Auth Proxy')
-    .version('1.0.0');
+    .version(pkg.version);
 
 program.addCommand(installCommand);
 program.addCommand(updateCommand);
@@ -43,6 +49,8 @@ program.addCommand(ps1Command);
 program.addCommand(repairCommand);
 program.addCommand(checkCommand);
 program.addCommand(gcloudCommand);
+program.addCommand(authCommand);
+program.addCommand(setupCommand);
 
 program.parseAsync(process.argv).catch(err => {
     logger.error('Unhandled error', err);

src/commands/auth.ts

@@ -0,0 +1,107 @@
+import { Command } from 'commander';
+import { logger } from '../core/logger.js';
+import { getActiveAccount, getProject, checkAdc, login, adcLogin, setProject } from '../core/gcloud.js';
+import { setEnv } from '../system/env.js';
+import { SYSTEM_PATHS, USER_PATHS, ENV_VARS } from '../system/paths.js';
+import { runPs } from '../system/powershell.js';
+import fs from 'fs-extra';
+import path from 'path';
+
+export const authCommand = new Command('auth')
+    .description('Manage authentication and credentials');
+
+authCommand.command('status')
+    .description('Check authentication status')
+    .action(async () => {
+        const account = await getActiveAccount();
+        const project = await getProject();
+        const adc = await checkAdc();
+        const credsEnv = process.env[ENV_VARS.GOOGLE_CREDS];
+
+        logger.info('Authentication Status:');
+        logger.info(`  Active Account: ${account || 'Not logged in'}`);
+        logger.info(`  Active Project: ${project || 'Not set'}`);
+        logger.info(`  ADC Status:     ${adc ? '✅ Configured' : '❌ Not configured'}`);
+        if (credsEnv) {
+            logger.info(`  Credentials:    ${credsEnv}`);
+        }
+    });
+
+authCommand.command('login')
+    .description('Login via gcloud')
+    .action(async () => {
+        try {
+            await login();
+            logger.info('Successfully logged in.');
+        } catch (error) {
+            logger.error('Login failed', error);
+            process.exit(1);
+        }
+    });
+
+authCommand.command('adc')
+    .description('Setup Application Default Credentials')
+    .action(async () => {
+        try {
+            await adcLogin();
+            logger.info('ADC configured successfully.');
+        } catch (error) {
+            logger.error('ADC setup failed', error);
+            process.exit(1);
+        }
+    });
+
+authCommand.command('project')
+    .description('Set active project')
+    .argument('<projectId>', 'Project ID')
+    .action(async (projectId) => {
+        try {
+            await setProject(projectId);
+            logger.info(`Project set to ${projectId}`);
+        } catch (error) {
+            logger.error('Failed to set project', error);
+            process.exit(1);
+        }
+    });
+
+authCommand.command('set-service-account')
+    .description('Configure service account credentials')
+    .requiredOption('-f, --file <path>', 'Path to service account JSON key')
+    .option('-s, --scope <scope>', 'Scope (Machine or User)', 'User')
+    .action(async (options) => {
+        const { file, scope } = options;
+        if (!['Machine', 'User'].includes(scope)) {
+            logger.error('Scope must be either Machine or User');
+            process.exit(1);
+        }
+
+        try {
+            if (!await fs.pathExists(file)) {
+                logger.error(`File not found: ${file}`);
+                process.exit(1);
+            }
+
+            const paths = scope === 'Machine' ? SYSTEM_PATHS : USER_PATHS;
+            await fs.ensureDir(paths.SECRETS);
+
+            const fileName = path.basename(file);
+            const dest = path.join(paths.SECRETS, fileName);
+
+            await fs.copy(file, dest, { overwrite: true });
+            logger.info(`Copied credentials to ${dest}`);
+
+            if (scope === 'Machine') {
+                // Hardening ACLs
+                // Remove inheritance, grant Administrators and SYSTEM full access
+                await runPs(`icacls "${dest}" /inheritance:r /grant:r "Administrators:(R)" "SYSTEM:(R)"`);
+                logger.info('Applied security ACLs to credentials file.');
+            }
+
+            await setEnv(ENV_VARS.GOOGLE_CREDS, dest, scope);
+            logger.info(`Set ${ENV_VARS.GOOGLE_CREDS} environment variable.`);
+
+        } catch (error) {
+            logger.error('Failed to set service account', error);
+            process.exit(1);
+        }
+    });

src/commands/doctor.ts

@@ -1,9 +1,10 @@
 import { Command } from 'commander';
 import { logger } from '../core/logger.js';
-import { checkGcloudInstalled, getActiveAccount } from '../core/gcloud.js';
+import { checkGcloudInstalled, getActiveAccount, checkAdc, listInstances } from '../core/gcloud.js';
 import { checkEnvironment } from '../system/env.js';
 import { isServiceInstalled } from '../system/service.js';
-import { PATHS } from '../system/paths.js';
+import { getEnvVar } from '../system/powershell.js';
+import { PATHS, ENV_VARS } from '../system/paths.js';
 import fs from 'fs-extra';
 import axios from 'axios';
 
@@ -28,6 +29,22 @@ export const doctorCommand = new Command('doctor')
             logger.warn('⚠️ No active gcloud account found. Run "gcloud auth login"');
         }
 
+        // Check ADC
+        const adc = await checkAdc();
+        if (adc) {
+            logger.info('✅ Application Default Credentials configured');
+        } else {
+            logger.warn('⚠️ Application Default Credentials NOT configured');
+        }
+
+        // Check Network/Permissions
+        try {
+            await listInstances();
+            logger.info('✅ Network/Permissions OK (Can list instances)');
+        } catch {
+            logger.error('❌ Network/Permissions Check Failed (Cannot list instances)');
+        }
+
         // Check Environment Variables
         const envOk = await checkEnvironment('Machine');
         if (envOk) {
@@ -46,6 +63,12 @@ export const doctorCommand = new Command('doctor')
         // Check Service
         if (await isServiceInstalled()) {
             logger.info('✅ Windows Service is installed');
+            const serviceCreds = await getEnvVar(ENV_VARS.GOOGLE_CREDS, 'Machine');
+            if (serviceCreds) {
+                logger.info('✅ Service Credentials configured');
+            } else {
+                logger.warn('⚠️ Service Credentials NOT configured (Service might fail)');
+            }
         } else {
             logger.info('ℹ️ Windows Service is NOT installed (Optional)');
         }