feat: yubikey scripts, clarify prompts in s3 script

bash/add-keys-to-git.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo "🔄 Extracting new keys from YubiKey and updating Git config..."
+
+# 1. Update PERSONAL (Slot 9a) -> .git-naomi
+# ---------------------------------------------------------
+echo "   -> Processing Slot 9a (Personal)..."
+KEY_9A=$(ykman piv keys export 9a - | ssh-keygen -i -m PKCS8 -f /dev/stdin)
+git config -f ~/.git-naomi user.signingkey "key::$KEY_9A"
+
+# 2. Update DEEPGRAM (Slot 9c) -> .git-dg
+# ---------------------------------------------------------
+echo "   -> Processing Slot 9c (Deepgram)..."
+KEY_9C=$(ykman piv keys export 9c - | ssh-keygen -i -m PKCS8 -f /dev/stdin)
+git config -f ~/.git-dg user.signingkey "key::$KEY_9C"
+
+# 3. Update FREECODECAMP (Slot 9e) -> .git-fcc
+# ---------------------------------------------------------
+echo "   -> Processing Slot 9e (FreeCodeCamp)..."
+KEY_9D=$(ykman piv keys export 9e - | ssh-keygen -i -m PKCS8 -f /dev/stdin)
+git config -f ~/.git-fcc user.signingkey "key::$KEY_9D"
+
+echo "✅ Done! Your local Git is now synced with your new hardware keys."
+echo "⚠️  REMINDER: You must now upload these new public keys to GitHub and your 'prod' server!"

bash/fix-yubikey-perms.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Colors for pretty output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${YELLOW}🔧 Starting YubiKey WSL Repair...${NC}"
+
+# 1. CHECK: Is the key actually attached?
+if ! lsusb -d 1050: > /dev/null; then
+    echo -e "${RED}❌ Error: No YubiKey detected in Linux!${NC}"
+    echo "   Please go to Windows PowerShell and run:"
+    echo "   usbipd attach --wsl --busid <YOUR_ID>"
+    exit 1
+fi
+echo -e "${GREEN}✅ YubiKey Hardware detected.${NC}"
+
+# 2. PERMISSIONS: The "Nuclear" Polkit Fix
+# This forces the smart card service to accept connections even if WSL looks "inactive"
+POLICY_FILE="/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy"
+
+if [ -f "$POLICY_FILE" ]; then
+    echo "   Applying 'Nuclear' permission fix to PC/SC Policy..."
+    # Backup original if not exists
+    if [ ! -f "$POLICY_FILE.bak" ]; then
+        sudo cp "$POLICY_FILE" "$POLICY_FILE.bak"
+    fi
+    # Force permissions to 'yes'
+    sudo sed -i 's/<allow_any>.*<\/allow_any>/<allow_any>yes<\/allow_any>/' "$POLICY_FILE"
+    sudo sed -i 's/<allow_inactive>.*<\/allow_inactive>/<allow_inactive>yes<\/allow_inactive>/' "$POLICY_FILE"
+    sudo sed -i 's/<allow_active>.*<\/allow_active>/<allow_active>yes<\/allow_active>/' "$POLICY_FILE"
+else
+    echo -e "${YELLOW}⚠️  Warning: Polkit policy file not found. Skipping nuclear fix.${NC}"
+fi
+
+# 3. GROUP: Ensure user is in plugdev
+if ! groups $USER | grep -q "plugdev"; then
+    echo "   Adding $USER to plugdev group..."
+    sudo usermod -aG plugdev $USER
+fi
+
+# 4. USB NODE: Force read/write permissions on the raw USB device
+# This fixes the "Failed to connect" error from yubico-piv-tool
+echo "   Forcing permissions on USB device node..."
+lsusb -d 1050: | while read -r line; do
+    BUS=$(echo "$line" | awk '{print $2}')
+    DEV=$(echo "$line" | awk '{print $4}' | tr -d :)
+    PATH="/dev/bus/usb/$BUS/$DEV"
+    echo "   -> Unlocking $PATH"
+    sudo chmod 666 "$PATH"
+done
+
+# 5. SERVICES: Restart everything to pick up changes
+echo "   Restarting Smart Card Services..."
+# Kill any stuck GPG agents that might hog the card
+gpgconf --kill gpg-agent 2>/dev/null || true
+# Restart the main daemon
+sudo systemctl restart polkit
+sudo systemctl restart pcscd
+
+# 6. CONFIG CHECK: Warn if SSH config is bad
+if grep -q "IdentityFile.*yubi" ~/.ssh/config; then
+    echo -e "${YELLOW}⚠️  WARNING: Found 'IdentityFile' pointing to a YubiKey in ~/.ssh/config!${NC}"
+    echo "   You should remove that line so SSH doesn't throw 'libcrypto' errors."
+fi
+
+# 7. FINAL TEST
+echo -e "${YELLOW}🔎 Verifying connection...${NC}"
+if yubico-piv-tool -a status > /dev/null 2>&1; then
+    echo -e "${GREEN}🎉 SUCCESS! Your YubiKey is ready.${NC}"
+    yubico-piv-tool -a status | grep "Serial Number"
+else
+    echo -e "${RED}❌ Status check failed.${NC}"
+    echo "   Try running: yubico-piv-tool -a status"
+fi

bash/list-yubikey-ssh-keys.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+echo "Scanning YubiKey slots for SSH keys..."
+echo "---------------------------------------------------"
+
+# Loop through the slots that support SSH keys
+for SLOT in 9a 9c 9d 9e; do
+    # Try to export the key to a temp file
+    if ykman piv keys export $SLOT /tmp/yubi_tmp.pem > /dev/null 2>&1; then
+        echo -e "\033[0;32mFOUND KEY IN SLOT $SLOT:\033[0m"
+        
+        # Check if there is a certificate label
+        LABEL=$(ykman piv certificates export $SLOT - 2>/dev/null | openssl x509 -noout -subject 2>/dev/null)
+        if [ ! -z "$LABEL" ]; then
+            echo "Certificate Label: $LABEL"
+        fi
+
+        # Convert to SSH format and print
+        ssh-keygen -i -m PKCS8 -f /tmp/yubi_tmp.pem
+        echo "---------------------------------------------------"
+        rm /tmp/yubi_tmp.pem
+    fi
+done

src/s3/upload.ts

@@ -15,7 +15,7 @@ if (accessKeyId === undefined || secretAccessKey === undefined) {
 }
 
 const fileName = await input({
-  message: "Enter the ABSOLUTE PATH of the file to upload",
+  message: "Enter the ABSOLUTE PATH of the file to upload, including leading slash:",
 });
 if (fileName === "") {
   throw new Error("File name is not set");
@@ -24,7 +24,7 @@ if (fileName === "") {
 const file = await readFile(fileName);
 
 const uploadPath = await input({
-  message: "Enter the PATH to upload the file to",
+  message: "Enter the PATH to upload the file to, WITHOUT leading slash:",
 });
 if (uploadPath === "") {
   throw new Error("Upload path is not set");