Merge pull request #19 from bitwarden/anders/cache-subcommand

Introduce `cache` sub command

Author: abergs

.claude/CLAUDE.md

@@ -60,7 +60,7 @@ bw-remote (CLI binary)
 - **bw-noise-protocol** — Noise NNpsk2 handshake, `MultiDeviceTransport` for encrypted messaging, XChaCha20-Poly1305 transport encryption, session state persistence for resumption.
 - **bw-proxy** — WebSocket relay server (`bw-proxy` binary) and `ProxyProtocolClient` library. Three-phase protocol: authentication, rendezvous, messaging. Default listen address: `ws://localhost:8080`.
 - **bw-rat-client** — `RemoteClient` (untrusted device requesting credentials) and `UserClient` (trusted device serving credentials). Uses trait abstractions (`SessionStore`, `IdentityProvider`, `ProxyClient`) and async event/response channels.
-- **bw-remote** — CLI driver with interactive TUI (ratatui + crossterm) and non-interactive single-shot mode. Subcommands: `connect`, `listen`, `clear-cache`, `list-cache`, `list-devices`, `clear-keypairs`. Integrates with `bw` CLI for credential lookup via `bw get item`.
+- **bw-remote** — CLI driver with interactive TUI (ratatui + crossterm) and non-interactive single-shot mode. Subcommands: `connect`, `listen`, `cache` (with `clear`/`list`), `list-devices`, `clear-keypairs`. Integrates with `bw` CLI for credential lookup via `bw get item`.
 - **bw-error / bw-error-macro** — Error handling utilities ported from Bitwarden's `sdk-internal`.
 
 ## Key Design Patterns

README.md

@@ -35,10 +35,9 @@ Connect to a user-client through a proxy to request credentials over a secure ch
 Usage: bw-remote [OPTIONS] [COMMAND]
 
 Commands:
-  clear-cache  Clear all cached sessions
-  list-cache   List cached sessions
-  connect      Connect to proxy and request credentials (default)
-  listen       Listen for remote client connections (user-client mode)
+  cache    Manage the session cache
+  connect  Connect to proxy and request credentials (default)
+  listen   Listen for remote client connections (user-client mode)
   help         Print this message or the help of the given subcommand(s)
 
 Options:

crates/bw-remote/src/command/cache.rs

@@ -1,58 +1,157 @@
 //! Cache management commands
 //!
-//! Commands for managing the session cache:
-//! - `clear-cache`: Clear all cached sessions
-//! - `list-cache`: List all cached sessions with fingerprints
+//! Commands for managing the session cache and identity keys:
+//! - `cache list`: List cached sessions and identity fingerprints
+//! - `cache clear [sessions|all]`: Clear cached sessions and/or identity keys
 
 use bw_rat_client::SessionStore;
-use clap::Args;
+use clap::{Args, Subcommand, ValueEnum};
 use color_eyre::eyre::Result;
 
 use super::util::format_relative_time;
-use crate::storage::FileSessionCache;
+use crate::storage::{FileIdentityStorage, FileSessionCache};
 
-/// Arguments for the clear-cache command
+/// Which client type to operate on
+#[derive(Clone, Copy, Debug, ValueEnum)]
+pub enum ClientType {
+    /// Only the remote (connect) side
+    Remote,
+    /// Only the user (listen) side
+    User,
+}
+
+/// What to clear
+#[derive(Clone, Copy, Debug, Default, ValueEnum)]
+pub enum ClearScope {
+    /// Clear sessions only (keep identity key)
+    Sessions,
+    /// Clear sessions and delete identity key
+    #[default]
+    All,
+}
+
+/// Manage the session cache
 #[derive(Args)]
-pub struct ClearCacheArgs;
+pub struct CacheArgs {
+    #[command(subcommand)]
+    command: CacheCommands,
 
-impl ClearCacheArgs {
-    /// Execute the clear-cache command
+    /// Limit to a specific client type (omit for both)
+    #[arg(long, global = true)]
+    client_type: Option<ClientType>,
+}
+
+#[derive(Subcommand)]
+enum CacheCommands {
+    /// Clear cached sessions and/or identity keys
+    Clear {
+        /// What to clear: "sessions" (keep identity key) or "all" (sessions + identity key)
+        #[arg(default_value = "all")]
+        scope: ClearScope,
+    },
+    /// List cached sessions and identity info
+    List,
+}
+
+impl CacheArgs {
     pub fn run(self) -> Result<()> {
-        let mut cache = FileSessionCache::load_or_create("remote_client")?;
-        cache.clear()?;
-        println!("Session cache cleared.");
-        Ok(())
+        match self.command {
+            CacheCommands::Clear { scope } => clear_cache(self.client_type, scope),
+            CacheCommands::List => list_cache(self.client_type),
+        }
     }
 }
 
-/// Arguments for the list-cache command
-#[derive(Args)]
-pub struct ListCacheArgs;
+/// Describes one client side for display and storage lookup
+struct CacheSide {
+    label: &'static str,
+    description: &'static str,
+    storage_name: &'static str,
+}
 
-impl ListCacheArgs {
-    /// Execute the list-cache command
-    pub fn run(self) -> Result<()> {
-        let cache = FileSessionCache::load_or_create("remote_client")?;
-        let mut sessions = cache.list_sessions();
+const REMOTE_SIDE: CacheSide = CacheSide {
+    label: "Remote",
+    description: "connect",
+    storage_name: "remote_client",
+};
 
-        if sessions.is_empty() {
-            println!("No cached sessions.");
-            return Ok(());
+const USER_SIDE: CacheSide = CacheSide {
+    label: "User",
+    description: "listen",
+    storage_name: "user_client",
+};
+
+fn sides_for(client_type: Option<ClientType>) -> Vec<&'static CacheSide> {
+    match client_type {
+        Some(ClientType::Remote) => vec![&REMOTE_SIDE],
+        Some(ClientType::User) => vec![&USER_SIDE],
+        None => vec![&REMOTE_SIDE, &USER_SIDE],
+    }
+}
+
+fn clear_cache(client_type: Option<ClientType>, scope: ClearScope) -> Result<()> {
+    let sides = sides_for(client_type);
+
+    for side in &sides {
+        // Always clear sessions
+        let mut cache = FileSessionCache::load_or_create(side.storage_name)?;
+        cache.clear()?;
+        println!(
+            "{} ({}) session cache cleared.",
+            side.label, side.description
+        );
+
+        // Clear identity key if scope is All
+        if matches!(scope, ClearScope::All) {
+            FileIdentityStorage::delete(side.storage_name)?;
+            println!(
+                "{} ({}) identity key deleted.",
+                side.label, side.description
+            );
         }
+    }
 
-        // Sort by last_connected descending (most recent first)
-        sessions.sort_by(|a, b| b.3.cmp(&a.3));
+    Ok(())
+}
 
-        for (fingerprint, name, _cached_at, last_connected) in &sessions {
-            let hex = hex::encode(fingerprint.0);
-            let relative = format_relative_time(*last_connected);
-            if let Some(name) = name {
-                println!("{name}  {hex}  (last used: {relative})");
-            } else {
-                println!("{hex}  (last used: {relative})");
-            }
+fn list_cache(client_type: Option<ClientType>) -> Result<()> {
+    let sides = sides_for(client_type);
+    for (i, side) in sides.iter().enumerate() {
+        if i > 0 {
+            println!();
         }
 
-        Ok(())
+        // Load identity fingerprint (if key exists)
+        let fingerprint = FileIdentityStorage::load_fingerprint(side.storage_name)?;
+        let fp_display = match &fingerprint {
+            Some(fp) => hex::encode(fp.0),
+            None => "no identity key".to_string(),
+        };
+
+        println!(
+            "{} ({}) \u{2014} identity: {}",
+            side.label, side.description, fp_display
+        );
+
+        // Load and display sessions
+        let cache = FileSessionCache::load_or_create(side.storage_name)?;
+        let mut sessions = cache.list_sessions();
+
+        if sessions.is_empty() {
+            println!("  No cached sessions.");
+        } else {
+            sessions.sort_by(|a, b| b.3.cmp(&a.3));
+            for (session_fp, name, _cached_at, last_connected) in &sessions {
+                let hex = hex::encode(session_fp.0);
+                let relative = format_relative_time(*last_connected);
+                if let Some(name) = name {
+                    println!("  {name}  {hex}  (last used: {relative})");
+                } else {
+                    println!("  {hex}  (last used: {relative})");
+                }
+            }
+        }
     }
+
+    Ok(())
 }

crates/bw-remote/src/command/mod.rs

@@ -15,7 +15,7 @@ use color_eyre::eyre::Result;
 
 use output::OutputFormat;
 
-pub use cache::{ClearCacheArgs, ListCacheArgs};
+pub use cache::CacheArgs;
 pub use connect::ConnectArgs;
 pub use listen::ListenArgs;
 
@@ -64,10 +64,8 @@ pub struct Cli {
 
 #[derive(Subcommand)]
 pub enum Commands {
-    /// Clear all cached sessions
-    ClearCache(ClearCacheArgs),
-    /// List cached sessions
-    ListCache(ListCacheArgs),
+    /// Manage the session cache
+    Cache(CacheArgs),
     /// Connect to proxy and request credentials (default)
     Connect(ConnectArgs),
     /// Listen for remote client connections (user-client mode)
@@ -77,8 +75,7 @@ pub enum Commands {
 /// Process the parsed command and execute the appropriate handler
 pub async fn process_command(cli: Cli) -> Result<()> {
     match cli.command {
-        Some(Commands::ClearCache(args)) => args.run(),
-        Some(Commands::ListCache(args)) => args.run(),
+        Some(Commands::Cache(args)) => args.run(),
         Some(Commands::Connect(args)) => args.run().await,
         Some(Commands::Listen(args)) => args.run().await,
         None => {

crates/bw-remote/src/storage/identity_storage.rs

@@ -1,7 +1,7 @@
 use std::fs;
 use std::path::{Path, PathBuf};
 
-use bw_proxy::IdentityKeyPair;
+use bw_proxy::{IdentityFingerprint, IdentityKeyPair};
 use bw_rat_client::{IdentityProvider, RemoteClientError};
 use tracing::{debug, info};
 
@@ -35,6 +35,37 @@ impl FileIdentityStorage {
         Ok(Self { keypair })
     }
 
+    /// Load the identity fingerprint without generating a new key if none exists.
+    ///
+    /// Returns `None` if no key file exists, `Some(fingerprint)` if it does.
+    pub fn load_fingerprint(
+        storage_name: &str,
+    ) -> Result<Option<IdentityFingerprint>, RemoteClientError> {
+        let storage_path = Self::default_storage_path(storage_name)?;
+        if !storage_path.exists() {
+            return Ok(None);
+        }
+        let keypair = Self::load_from_file(&storage_path)?;
+        Ok(Some(keypair.identity().fingerprint()))
+    }
+
+    /// Delete the identity key file for the given storage name.
+    ///
+    /// Does nothing if the file does not exist.
+    pub fn delete(storage_name: &str) -> Result<(), RemoteClientError> {
+        let storage_path = Self::default_storage_path(storage_name)?;
+        match fs::remove_file(&storage_path) {
+            Ok(()) => {
+                info!("Deleted identity key file: {:?}", storage_path);
+                Ok(())
+            }
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(()),
+            Err(e) => Err(RemoteClientError::IdentityStorageFailed(format!(
+                "Failed to delete identity file: {e}"
+            ))),
+        }
+    }
+
     /// Get the default storage path (~/.bw-remote/identity.key)
     fn default_storage_path(storage_name: &str) -> Result<PathBuf, RemoteClientError> {
         let home_dir = dirs::home_dir().ok_or_else(|| {