kc 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: acd1a1a4d4b98a8f4972a7be12a56485af6364a446ad9cc0981b92c0bae38e3b
-  data.tar.gz: 510e50ff16ddf681620775f0a1488615b5c68bafb8345d10e1447571762d68c9
+  metadata.gz: a784b3ff753a30bc3f560d8cd417b6597fe77996da2cc95a96d58f431aa9bff1
+  data.tar.gz: d3c844cf4e13e797ee98cde972fc52706bdeb08724e19b94de3c2cebe5b1c928
 SHA512:
-  metadata.gz: 70d120e84e72ef0c79c63c72eb69c21f1a14950c52a8cbc9d4765a6c555a4c163bf441668892a2f642c4dc3136c6466c7d577416352630ba7f912feed258f897
-  data.tar.gz: 5d05fae5c846ee424b5627b04770b4a3b3c4af5b1614985f48d18226ffab562a92366511ef61f4bea1f289993016f1920703978bf9e4e983ef7875385c31ac5a
+  metadata.gz: 60b2e62994b43f2d2396c930a046e0bac7a4834cb60d3be101e8615da7c5e0e651a7031aaa5f947ed2cd27c34918aa5d8dc49682379489ebe698d1956e746d29
+  data.tar.gz: 5db7687b87fdcab2b7b295b3c7a183394142291230561f673a49ce7969c8557fda062da156f26c95f4f1f3404ce34bc872c85ab47e4c3e6cb7e1e9ab89a56447

data/README.md

@@ -1,15 +1,16 @@
-# kc - Keychain Manager for direnv
+# kc - Secure Secrets Manager with iCloud Sync
 
-A CLI tool to securely store and retrieve secrets from macOS Keychain with namespace support, designed to work seamlessly with direnv.
+A CLI tool to securely store and retrieve secrets with automatic iCloud Drive synchronization across all your Macs.
 
 ## Features
 
-- 🔐 Securely store any secrets in macOS Keychain
+- 🔐 **AES-256 encryption** - military-grade encryption for your secrets
+- ☁️ **iCloud Drive sync** - automatically sync encrypted secrets across all your Macs
+- 🔑 **Master password in local keychain** - password stored securely, never synced
 - 🏷️ **Namespace support** - organize secrets by type (env, ssh, token, etc.)
-- 🚀 Native implementation using FFI (no shell command overhead)
-- 🎯 Designed for direnv integration
-- 📦 Simple CLI interface
-- 📋 List and filter secrets by namespace
+- 📝 **Append-only log** - automatic conflict resolution for concurrent edits
+- 🚀 **Simple CLI interface** - easy to use command-line tool
+- 📋 **Filter and search** - list secrets by namespace prefix
 
 ## Installation
 
@@ -23,11 +24,31 @@ Or add to your Gemfile:
 gem 'kc'
 ```
 
+## Quick Start
+
+### First Time Setup
+
+Initialize kc with a master password:
+
+```bash
+$ kc init
+Enter master password: ****
+Confirm master password: ****
+
+✓ Master password saved to local keychain
+✓ iCloud Drive sync enabled at:
+  ~/Library/Mobile Documents/com~apple~CloudDocs/kc
+
+Your secrets will be encrypted and synced across your Macs!
+```
+
+**Important**: You'll need to run `kc init` on each Mac with the same master password.
+
 ## Usage
 
-All commands require a **namespace** in the format `<namespace>:<name>`. Namespaces help organize different types of secrets.
+All commands use the format `<namespace>:<name>`. Namespaces help organize different types of secrets.
 
-### Save to Keychain
+### Save Secrets
 
 Read from stdin and save to keychain with namespace:
 
@@ -96,10 +117,11 @@ source_env .env
 
 ## Commands
 
-- `kc save <namespace>:<name>` - Read from stdin and save to keychain
-- `kc load <namespace>:<name>` - Load from keychain and output to stdout  
-- `kc delete <namespace>:<name>` - Delete entry from keychain
-- `kc list [prefix]` - List all entries (optionally filter by prefix)
+- `kc init` - Initialize with master password (first time setup)
+- `kc save <namespace>:<name>` - Read from stdin and save encrypted
+- `kc load <namespace>:<name>` - Decrypt and output to stdout  
+- `kc delete <namespace>:<name>` - Mark entry as deleted
+- `kc list [prefix]` - List all current entries (optionally filter by prefix)
 
 ## Namespaces
 
@@ -117,10 +139,48 @@ You can create custom namespaces as needed.
 
 ## How it works
 
-`kc` uses macOS Security framework via FFI to directly interact with the Keychain, avoiding shell command overhead. All entries are stored under:
+### Architecture
+
+`kc` uses a hybrid approach combining local keychain security with iCloud Drive synchronization:
+
+1. **Master Password**: Stored securely in your local macOS Keychain (never synced)
+2. **Encrypted Secrets**: Stored in `~/Library/Mobile Documents/com~apple~CloudDocs/kc/secrets.jsonl`
+3. **Encryption**: AES-256-CBC with PBKDF2 key derivation (10,000 iterations)
+4. **Sync**: iCloud Drive automatically syncs the encrypted file across your Macs
 
-- Service name: `kc`
-- Account name: `<namespace>:<name>` (e.g., `env:myproject`)
+### Data Format
+
+Secrets are stored in an append-only JSONL (JSON Lines) file:
+
+```json
+{"ts":"2026-01-05T10:00:00.123Z","op":"set","ns":"aws","key":"ACCESS_KEY","val":"<encrypted>"}
+{"ts":"2026-01-05T11:30:00.456Z","op":"set","ns":"hubot","key":"TOKEN","val":"<encrypted>"}
+{"ts":"2026-01-05T12:00:00.789Z","op":"del","ns":"aws","key":"OLD_KEY"}
+```
+
+- **Append-only**: New entries are always appended, never modified
+- **Timestamps**: ISO8601 format with millisecond precision
+- **Operations**: `set` (save/update) or `del` (delete)
+- **Conflict Resolution**: Automatic merge based on timestamps
+
+### Security
+
+- ✅ **Master password** stored in local keychain (not synced)
+- ✅ **AES-256 encryption** for all secret values
+- ✅ **Unique salt and IV** for each encrypted value
+- ✅ **PBKDF2 key derivation** with 10,000 iterations
+- ✅ **End-to-end encryption** - iCloud only sees encrypted data
+- ❌ **Metadata not encrypted** - namespace and key names are visible (but not values)
+
+### Conflict Resolution
+
+If you edit secrets on multiple Macs simultaneously:
+
+1. iCloud Drive creates "conflicted copy" files
+2. `kc` automatically detects and merges them
+3. Entries are sorted by timestamp (oldest first)
+4. Latest value for each key wins
+5. Conflicted copies are deleted after merge
 
 ## Full Workflow Example
 
@@ -181,12 +241,15 @@ bundle exec rspec
 
 ## Requirements
 
-- macOS (uses macOS Keychain)
-- Ruby 2.5 or later
+- **macOS** - uses macOS Keychain for master password storage
+- **iCloud Drive** - enabled in System Settings for sync
+- **Ruby 2.5 or later**
+
+**Note**: Each Mac needs to run `kc init` with the same master password to decrypt synced secrets.
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/aileron-inc/kc.
+Bug reports and pull requests are welcome on GitHub at https://github.com/aileron-inc/tools.
 
 ## License
 
@@ -194,4 +257,4 @@ The gem is available as open source under the terms of the [MIT License](https:/
 
 ## Code of Conduct
 
-Everyone interacting in the Kc project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/aileron-inc/kc/blob/master/CODE_OF_CONDUCT.md).
+Everyone interacting in the Kc project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/aileron-inc/tools/blob/main/CODE_OF_CONDUCT.md).

data/kc.gemspec

@@ -1,41 +1,40 @@
-
-lib = File.expand_path("../lib", __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "kc/version"
+require 'kc/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "kc"
+  spec.name          = 'kc'
   spec.version       = Kc::VERSION
-  spec.authors       = ["AILERON"]
-  spec.email         = ["masa@aileron.cc"]
+  spec.authors       = ['AILERON']
+  spec.email         = ['masa@aileron.cc']
 
-  spec.summary       = %q{Manage .env files in Mac Keychain with direnv}
-  spec.description   = %q{A CLI tool to save and load .env files from Mac Keychain, designed to work seamlessly with direnv}
-  spec.homepage      = "https://github.com/aileron/kc"
-  spec.license       = "MIT"
+  spec.summary       = 'Secure secrets manager with iCloud Drive sync and AES-256 encryption'
+  spec.description   = 'A CLI tool to securely store and retrieve secrets with AES-256 encryption and automatic iCloud Drive synchronization. Master password stored in local keychain, secrets encrypted and synced via iCloud Drive. Features namespace support, automatic conflict resolution, and append-only JSONL format.'
+  spec.homepage      = 'https://github.com/aileron/kc'
+  spec.license       = 'MIT'
 
   # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
   # to allow pushing to a single host or delete this section to allow pushing to any host.
   if spec.respond_to?(:metadata)
-    spec.metadata["homepage_uri"] = spec.homepage
-    spec.metadata["source_code_uri"] = "https://github.com/aileron/kc"
+    spec.metadata['homepage_uri'] = spec.homepage
+    spec.metadata['source_code_uri'] = 'https://github.com/aileron/kc'
   else
-    raise "RubyGems 2.0 or newer is required to protect against " \
-      "public gem pushes."
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
   end
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_dependency "ffi", "~> 1.15"
+  spec.add_dependency 'ffi', '~> 1.15'
 
-  spec.add_development_dependency "bundler"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec', '~> 3.0'
 end

data/lib/kc/cli.rb

@@ -13,13 +13,15 @@ module Kc
       name = @argv[1]
 
       case command
-      when "save"
+      when 'init'
+        handle_init
+      when 'save'
         handle_save(name)
-      when "load"
+      when 'load'
         handle_load(name)
-      when "delete"
+      when 'delete'
         handle_delete(name)
-      when "list"
+      when 'list'
         handle_list(name)
       else
         show_usage
@@ -29,30 +31,64 @@ module Kc
 
     private
 
+    def handle_init
+      require 'io/console'
+
+      puts 'Setting up kc with iCloud Drive sync...'
+      puts
+      print 'Enter master password: '
+      password = STDIN.noecho(&:gets).chomp
+      puts
+      print 'Confirm master password: '
+      password_confirm = STDIN.noecho(&:gets).chomp
+      puts
+
+      unless password == password_confirm
+        puts 'Error: Passwords do not match'
+        exit 1
+      end
+
+      if password.empty?
+        puts 'Error: Password cannot be empty'
+        exit 1
+      end
+
+      Keychain.init(password)
+      puts
+      puts '✓ Master password saved to local keychain'
+      puts '✓ iCloud Drive sync enabled at:'
+      puts "  #{Keychain::ICLOUD_DRIVE_PATH}"
+      puts
+      puts 'Your secrets will be encrypted and synced across your Macs!'
+    rescue StandardError => e
+      puts "Error: #{e.message}"
+      exit 1
+    end
+
     def validate_namespace(name)
-      unless name&.include?(":")
-        puts "Error: Namespace required. Format: <namespace>:<name>"
-        puts "Examples: env:myproject, ssh:id_rsa, token:github"
+      unless name&.include?(':')
+        puts 'Error: Namespace required. Format: <namespace>:<name>'
+        puts 'Examples: env:myproject, ssh:id_rsa, token:github'
         exit 1
       end
 
-      namespace, key = name.split(":", 2)
-      
+      namespace, key = name.split(':', 2)
+
       if namespace.empty? || key.empty?
-        puts "Error: Invalid format. Use <namespace>:<name>"
+        puts 'Error: Invalid format. Use <namespace>:<name>'
         exit 1
       end
 
       # Validate namespace format (alphanumeric and hyphen only)
-      unless namespace.match?(/^[a-z0-9-]+$/)
-        puts "Error: Namespace must contain only lowercase letters, numbers, and hyphens"
-        exit 1
-      end
+      return if namespace.match?(/^[a-z0-9-]+$/)
+
+      puts 'Error: Namespace must contain only lowercase letters, numbers, and hyphens'
+      exit 1
     end
 
     def handle_save(name)
       unless name
-        puts "Error: name is required"
+        puts 'Error: name is required'
         show_usage
         exit 1
       end
@@ -61,26 +97,26 @@ module Kc
 
       # Read from stdin
       if STDIN.tty?
-        puts "Error: No input provided. Use: cat file | kc save <namespace>:<name>"
+        puts 'Error: No input provided. Use: cat file | kc save <namespace>:<name>'
         exit 1
       end
 
       content = STDIN.read
       if content.empty?
-        puts "Error: Input is empty"
+        puts 'Error: Input is empty'
         exit 1
       end
 
       Keychain.save(name, content)
       puts "Successfully saved to keychain as '#{name}'"
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
 
     def handle_load(name)
       unless name
-        puts "Error: name is required"
+        puts 'Error: name is required'
         show_usage
         exit 1
       end
@@ -89,14 +125,14 @@ module Kc
 
       content = Keychain.load(name)
       puts content
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
 
     def handle_delete(name)
       unless name
-        puts "Error: name is required"
+        puts 'Error: name is required'
         show_usage
         exit 1
       end
@@ -105,24 +141,24 @@ module Kc
 
       Keychain.delete(name)
       puts "Successfully deleted '#{name}' from keychain"
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
 
     def handle_list(prefix)
       items = Keychain.list(prefix)
-      
+
       if items.empty?
         if prefix
           puts "No items found with prefix '#{prefix}'"
         else
-          puts "No items found in keychain"
+          puts 'No items found in keychain'
         end
       else
         items.each { |item| puts item }
       end
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
@@ -130,12 +166,14 @@ module Kc
     def show_usage
       puts <<~USAGE
         Usage:
-          kc save <namespace>:<name>      Save from stdin to keychain
-          kc load <namespace>:<name>      Load from keychain to stdout
-          kc delete <namespace>:<name>    Delete from keychain
+          kc init                         Initialize kc with master password
+          kc save <namespace>:<name>      Save from stdin
+          kc load <namespace>:<name>      Load to stdout
+          kc delete <namespace>:<name>    Delete entry
           kc list [prefix]                List all items (optionally filter by prefix)
 
         Examples:
+          kc init                          # First time setup
           cat .env | kc save env:myproject
           kc load env:myproject > .env
           kc save ssh:id_rsa < ~/.ssh/id_rsa

data/lib/kc/keychain.rb

@@ -1,227 +1,352 @@
-require "ffi"
+require 'ffi'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'fileutils'
+require 'time'
 
 module Kc
   class Keychain
-    SERVICE_NAME = "kc"
+    MASTER_PASSWORD_SERVICE = 'kc-master-password'
+    MASTER_PASSWORD_ACCOUNT = 'default'
+    ICLOUD_DRIVE_PATH = File.expand_path('~/Library/Mobile Documents/com~apple~CloudDocs/kc')
+    SECRETS_FILE = File.join(ICLOUD_DRIVE_PATH, 'secrets.jsonl')
 
     module SecurityFramework
       extend FFI::Library
-      ffi_lib "/System/Library/Frameworks/Security.framework/Security"
-
-      # OSStatus SecKeychainAddGenericPassword(
-      #   SecKeychainRef keychain,
-      #   UInt32 serviceNameLength,
-      #   const char *serviceName,
-      #   UInt32 accountNameLength,
-      #   const char *accountName,
-      #   UInt32 passwordLength,
-      #   const void *passwordData,
-      #   SecKeychainItemRef *itemRef
-      # )
-      attach_function :SecKeychainAddGenericPassword, [
-        :pointer,  # keychain (NULL for default)
-        :uint32,   # serviceNameLength
-        :string,   # serviceName
-        :uint32,   # accountNameLength
-        :string,   # accountName
-        :uint32,   # passwordLength
-        :pointer,  # passwordData
-        :pointer   # itemRef (can be NULL)
-      ], :int
+      ffi_lib '/System/Library/Frameworks/Security.framework/Security'
 
-      # OSStatus SecKeychainFindGenericPassword(
-      #   CFTypeRef keychainOrArray,
-      #   UInt32 serviceNameLength,
-      #   const char *serviceName,
-      #   UInt32 accountNameLength,
-      #   const char *accountName,
-      #   UInt32 *passwordLength,
-      #   void **passwordData,
-      #   SecKeychainItemRef *itemRef
-      # )
-      attach_function :SecKeychainFindGenericPassword, [
-        :pointer,  # keychainOrArray (NULL for default)
-        :uint32,   # serviceNameLength
-        :string,   # serviceName
-        :uint32,   # accountNameLength
-        :string,   # accountName
-        :pointer,  # passwordLength (output)
-        :pointer,  # passwordData (output)
-        :pointer   # itemRef (output, can be NULL if not needed)
+      # OSStatus SecKeychainAddGenericPassword(...)
+      attach_function :SecKeychainAddGenericPassword, %i[
+        pointer uint32 string uint32 string
+        uint32 pointer pointer
       ], :int
 
-      # OSStatus SecKeychainItemDelete(SecKeychainItemRef itemRef)
-      attach_function :SecKeychainItemDelete, [:pointer], :int
-
-      # void SecKeychainItemFreeContent(SecKeychainAttributeList *attrList, void *data)
-      attach_function :SecKeychainItemFreeContent, [:pointer, :pointer], :int
-
-      # Constants for attribute tags
-      KSecAccountItemAttr = 0x61636374  # 'acct' in FourCC
-
-      # Attribute structure
-      class SecKeychainAttribute < FFI::Struct
-        layout :tag, :uint32,
-               :length, :uint32,
-               :data, :pointer
-      end
-
-      class SecKeychainAttributeList < FFI::Struct
-        layout :count, :uint32,
-               :attr, :pointer  # Array of SecKeychainAttribute
-      end
-
-      # OSStatus SecKeychainSearchCreateFromAttributes(
-      #   CFTypeRef keychainOrArray,
-      #   SecItemClass itemClass,
-      #   const SecKeychainAttributeList *attrList,
-      #   SecKeychainSearchRef *searchRef
-      # )
-      attach_function :SecKeychainSearchCreateFromAttributes, [
-        :pointer,  # keychainOrArray
-        :uint32,   # itemClass (kSecGenericPasswordItemClass = 'genp')
-        :pointer,  # attrList
-        :pointer   # searchRef (output)
-      ], :int
-
-      # OSStatus SecKeychainSearchCopyNext(
-      #   SecKeychainSearchRef searchRef,
-      #   SecKeychainItemRef *itemRef
-      # )
-      attach_function :SecKeychainSearchCopyNext, [
-        :pointer,  # searchRef
-        :pointer   # itemRef (output)
+      # OSStatus SecKeychainFindGenericPassword(...)
+      attach_function :SecKeychainFindGenericPassword, %i[
+        pointer uint32 string uint32 string
+        pointer pointer pointer
       ], :int
 
-      # OSStatus SecKeychainItemCopyAttributesAndData(
-      #   SecKeychainItemRef itemRef,
-      #   SecKeychainAttributeInfo *info,
-      #   SecItemClass *itemClass,
-      #   SecKeychainAttributeList **attrList,
-      #   UInt32 *length,
-      #   void **outData
-      # )
-      attach_function :SecKeychainItemCopyAttributesAndData, [
-        :pointer,  # itemRef
-        :pointer,  # info (NULL for default keychain)
-        :pointer,  # itemClass (can be NULL)
-        :pointer,  # attrList (output)
-        :pointer,  # length (can be NULL)
-        :pointer   # outData (can be NULL)
-      ], :int
+      # OSStatus SecKeychainItemDelete(...)
+      attach_function :SecKeychainItemDelete, [:pointer], :int
 
-      # OSStatus SecKeychainItemFreeAttributesAndData(
-      #   SecKeychainAttributeList *attrList,
-      #   void *data
-      # )
-      attach_function :SecKeychainItemFreeAttributesAndData, [:pointer, :pointer], :int
+      # void SecKeychainItemFreeContent(...)
+      attach_function :SecKeychainItemFreeContent, %i[pointer pointer], :int
 
-      # void CFRelease(CFTypeRef cf)
-      attach_function :CFRelease, [:pointer], :void
+      ErrSecSuccess = 0
+      ErrSecItemNotFound = -25_300
     end
 
     class << self
-      def save(account_name, content)
-        # Try to delete existing entry first
-        delete(account_name) rescue nil
+      # Initialize master password
+      def init(password)
+        # Delete existing if any
+        begin
+          delete_master_password
+        rescue StandardError
+          nil
+        end
 
-        # Add new entry
+        # Save new master password to local keychain
         status = SecurityFramework.SecKeychainAddGenericPassword(
-          nil,                        # default keychain
-          SERVICE_NAME.bytesize,      # service name length
-          SERVICE_NAME,               # service name
-          account_name.bytesize,      # account name length
-          account_name,               # account name
-          content.bytesize,           # password length
-          FFI::MemoryPointer.from_string(content),  # password data
-          nil                         # don't need item ref
+          nil,
+          MASTER_PASSWORD_SERVICE.bytesize,
+          MASTER_PASSWORD_SERVICE,
+          MASTER_PASSWORD_ACCOUNT.bytesize,
+          MASTER_PASSWORD_ACCOUNT,
+          password.bytesize,
+          FFI::MemoryPointer.from_string(password),
+          nil
         )
 
-        unless status.zero?
-          raise Error, "Failed to save to keychain (status: #{status})"
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to save master password (status: #{status})"
         end
+
+        # Ensure iCloud Drive directory exists
+        FileUtils.mkdir_p(ICLOUD_DRIVE_PATH)
+
+        # Create empty secrets file if it doesn't exist
+        File.write(SECRETS_FILE, '') unless File.exist?(SECRETS_FILE)
       end
 
-      def load(account_name)
+      # Get master password from local keychain
+      def master_password
         password_length = FFI::MemoryPointer.new(:uint32)
         password_data = FFI::MemoryPointer.new(:pointer)
 
         status = SecurityFramework.SecKeychainFindGenericPassword(
-          nil,                        # default keychain
-          SERVICE_NAME.bytesize,      # service name length
-          SERVICE_NAME,               # service name
-          account_name.bytesize,      # account name length
-          account_name,               # account name
-          password_length,            # password length (output)
-          password_data,              # password data (output)
-          nil                         # don't need item ref
+          nil,
+          MASTER_PASSWORD_SERVICE.bytesize,
+          MASTER_PASSWORD_SERVICE,
+          MASTER_PASSWORD_ACCOUNT.bytesize,
+          MASTER_PASSWORD_ACCOUNT,
+          password_length,
+          password_data,
+          nil
         )
 
-        unless status.zero?
-          raise Error, "Failed to load from keychain (status: #{status})"
+        if status == SecurityFramework::ErrSecItemNotFound
+          raise Error, "Master password not found. Please run 'kc init' first."
+        end
+
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to load master password (status: #{status})"
         end
 
-        # Read the password data
         length = password_length.read_uint32
         data_ptr = password_data.read_pointer
         password = data_ptr.read_string(length)
 
-        # Free the memory allocated by Security framework
         SecurityFramework.SecKeychainItemFreeContent(nil, data_ptr)
 
         password
       end
 
-      def delete(account_name)
+      # Delete master password
+      def delete_master_password
         item_ref = FFI::MemoryPointer.new(:pointer)
 
         status = SecurityFramework.SecKeychainFindGenericPassword(
           nil,
-          SERVICE_NAME.bytesize,
-          SERVICE_NAME,
-          account_name.bytesize,
-          account_name,
+          MASTER_PASSWORD_SERVICE.bytesize,
+          MASTER_PASSWORD_SERVICE,
+          MASTER_PASSWORD_ACCOUNT.bytesize,
+          MASTER_PASSWORD_ACCOUNT,
           nil,
           nil,
           item_ref
         )
 
-        unless status.zero?
-          raise Error, "Entry '#{account_name}' not found in keychain"
+        return if status == SecurityFramework::ErrSecItemNotFound
+
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to find master password (status: #{status})"
         end
 
         delete_status = SecurityFramework.SecKeychainItemDelete(item_ref.read_pointer)
-        
-        unless delete_status.zero?
-          raise Error, "Failed to delete from keychain (status: #{delete_status})"
+        return if delete_status == SecurityFramework::ErrSecSuccess
+
+        raise Error, "Failed to delete master password (status: #{delete_status})"
+      end
+
+      # Encrypt data with master password
+      def encrypt(data)
+        password = master_password
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.encrypt
+
+        # Derive key from password
+        salt = OpenSSL::Random.random_bytes(16)
+        key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, cipher.key_len, 'sha256')
+        cipher.key = key
+
+        iv = cipher.random_iv
+        encrypted = cipher.update(data) + cipher.final
+
+        # Return: salt + iv + encrypted_data (all base64 encoded)
+        result = {
+          salt: Base64.strict_encode64(salt),
+          iv: Base64.strict_encode64(iv),
+          data: Base64.strict_encode64(encrypted)
+        }
+        Base64.strict_encode64(result.to_json)
+      end
+
+      # Decrypt data with master password
+      def decrypt(encrypted_str)
+        password = master_password
+
+        # Decode outer base64
+        payload = JSON.parse(Base64.strict_decode64(encrypted_str))
+
+        salt = Base64.strict_decode64(payload['salt'])
+        iv = Base64.strict_decode64(payload['iv'])
+        encrypted_data = Base64.strict_decode64(payload['data'])
+
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.decrypt
+
+        key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, cipher.key_len, 'sha256')
+        cipher.key = key
+        cipher.iv = iv
+
+        cipher.update(encrypted_data) + cipher.final
+      end
+
+      # Append entry to JSONL
+      def append_entry(namespace, key, value, operation: 'set')
+        ensure_secrets_file
+
+        entry = {
+          ts: Time.now.utc.iso8601(3),
+          op: operation,
+          ns: namespace,
+          key: key
+        }
+
+        entry[:val] = encrypt(value) if operation == 'set'
+
+        File.open(SECRETS_FILE, 'a') do |f|
+          f.puts(entry.to_json)
         end
       end
 
-      def list(prefix = nil)
-        accounts = []
-        
-        # Use security dump-keychain and parse output
-        # We need to look for entries with service="kc"
-        output = `security dump-keychain login.keychain-db 2>/dev/null`
-        
-        # Split by keychain entries
-        entries = output.split(/^keychain:/).drop(1)
-        
-        entries.each do |entry|
-          # Check if this entry has svce="kc"
-          if entry =~ /"svce"<blob>="#{SERVICE_NAME}"/
-            # Extract account name
-            if entry =~ /"acct"<blob>="([^"]+)"/
-              account_name = $1
-              # Filter by prefix if provided
-              if prefix.nil? || account_name.start_with?(prefix)
-                accounts << account_name
-              end
+      # Detect and merge conflicted copies
+      def detect_and_merge_conflicts
+        return unless File.exist?(SECRETS_FILE)
+
+        dir = File.dirname(SECRETS_FILE)
+        base = File.basename(SECRETS_FILE, '.jsonl')
+
+        # Find all conflicted copies
+        conflicted = Dir.glob(File.join(dir, "#{base} (*conflicted copy*).jsonl"))
+        return if conflicted.empty?
+
+        # Read all files
+        all_entries = []
+
+        # Main file
+        if File.exist?(SECRETS_FILE)
+          File.readlines(SECRETS_FILE).each do |line|
+            line = line.strip
+            next if line.empty?
+
+            begin
+              all_entries << JSON.parse(line, symbolize_names: true)
+            rescue JSON::ParserError
+              # Skip malformed lines
             end
           end
         end
 
-        accounts.sort.uniq
+        # Conflicted files
+        conflicted.each do |file|
+          File.readlines(file).each do |line|
+            line = line.strip
+            next if line.empty?
+
+            begin
+              all_entries << JSON.parse(line, symbolize_names: true)
+            rescue JSON::ParserError
+              # Skip malformed lines
+            end
+          end
+        end
+
+        # Sort by timestamp (oldest first)
+        all_entries.sort_by! { |e| e[:ts] }
+
+        # Write merged entries back to main file
+        File.open(SECRETS_FILE, 'w') do |f|
+          all_entries.each { |e| f.puts(e.to_json) }
+        end
+
+        # Delete conflicted copies
+        conflicted.each { |file| File.delete(file) }
+      end
+
+      # Read all entries from JSONL
+      def read_entries
+        # First, detect and merge any conflicts
+        detect_and_merge_conflicts
+
+        return [] unless File.exist?(SECRETS_FILE)
+
+        entries = []
+        File.readlines(SECRETS_FILE).each do |line|
+          line = line.strip
+          next if line.empty?
+
+          begin
+            entries << JSON.parse(line, symbolize_names: true)
+          rescue JSON::ParserError
+            # Skip malformed lines
+          end
+        end
+
+        entries
+      end
+
+      # Get current state (latest values for each key)
+      def current_state
+        entries = read_entries
+        state = {}
+
+        entries.each do |entry|
+          ns_key = "#{entry[:ns]}:#{entry[:key]}"
+
+          if entry[:op] == 'set'
+            state[ns_key] = {
+              namespace: entry[:ns],
+              key: entry[:key],
+              encrypted_value: entry[:val],
+              timestamp: entry[:ts]
+            }
+          elsif entry[:op] == 'del'
+            state.delete(ns_key)
+          end
+        end
+
+        state
+      end
+
+      # Save a secret
+      def save(account_name, content)
+        namespace, key = parse_account_name(account_name)
+        append_entry(namespace, key, content, operation: 'set')
+      end
+
+      # Load a secret
+      def load(account_name)
+        namespace, key = parse_account_name(account_name)
+        state = current_state
+        ns_key = "#{namespace}:#{key}"
+
+        entry = state[ns_key]
+        raise Error, "Entry '#{account_name}' not found" unless entry
+
+        decrypt(entry[:encrypted_value])
+      end
+
+      # Delete a secret
+      def delete(account_name)
+        namespace, key = parse_account_name(account_name)
+
+        # Check if exists
+        state = current_state
+        ns_key = "#{namespace}:#{key}"
+        raise Error, "Entry '#{account_name}' not found" unless state[ns_key]
+
+        append_entry(namespace, key, nil, operation: 'del')
+      end
+
+      # List secrets
+      def list(prefix = nil)
+        state = current_state
+        keys = state.keys
+
+        keys = keys.select { |k| k.start_with?(prefix) } if prefix
+
+        keys.sort
+      end
+
+      private
+
+      def parse_account_name(account_name)
+        raise Error, 'Invalid format. Use <namespace>:<name>' unless account_name&.include?(':')
+
+        namespace, key = account_name.split(':', 2)
+
+        raise Error, 'Invalid format. Use <namespace>:<name>' if namespace.empty? || key.empty?
+
+        [namespace, key]
+      end
+
+      def ensure_secrets_file
+        FileUtils.mkdir_p(ICLOUD_DRIVE_PATH) unless Dir.exist?(ICLOUD_DRIVE_PATH)
+        File.write(SECRETS_FILE, '') unless File.exist?(SECRETS_FILE)
       end
     end
   end

data/lib/kc/version.rb

@@ -1,3 +1,3 @@
 module Kc
-  VERSION = "0.1.0"
+  VERSION = '0.3.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kc
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - AILERON
@@ -65,8 +65,10 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-description: A CLI tool to save and load .env files from Mac Keychain, designed to
-  work seamlessly with direnv
+description: A CLI tool to securely store and retrieve secrets with AES-256 encryption
+  and automatic iCloud Drive synchronization. Master password stored in local keychain,
+  secrets encrypted and synced via iCloud Drive. Features namespace support, automatic
+  conflict resolution, and append-only JSONL format.
 email:
 - masa@aileron.cc
 executables:
@@ -113,5 +115,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: Manage .env files in Mac Keychain with direnv
+summary: Secure secrets manager with iCloud Drive sync and AES-256 encryption
 test_files: []