kc 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d9fd3f9d9435dac8fd474111770fdc9648407d6880a8399a4d642c99b528907
-  data.tar.gz: e45b7d10dde259a3d44f661848dcaf282b6b3779d99bf5f647e34f3e89eb4d07
+  metadata.gz: a784b3ff753a30bc3f560d8cd417b6597fe77996da2cc95a96d58f431aa9bff1
+  data.tar.gz: d3c844cf4e13e797ee98cde972fc52706bdeb08724e19b94de3c2cebe5b1c928
 SHA512:
-  metadata.gz: b571902e2874562153524032e6ec2addcb26c8e6e84ebabd2ba6ab153aad5b1ecbab639faaa163caa9c1fc7d32088e7184a1efe87754da15e6d75df7155589c6
-  data.tar.gz: bbe081e64f7098788f833f3127c5ccdab1fe5c87881956dac76ac93a6680fa479f4610d4e1cde8152fabd560f333e75a7d878d9447cf0e16b77244074565a3ba
+  metadata.gz: 60b2e62994b43f2d2396c930a046e0bac7a4834cb60d3be101e8615da7c5e0e651a7031aaa5f947ed2cd27c34918aa5d8dc49682379489ebe698d1956e746d29
+  data.tar.gz: 5db7687b87fdcab2b7b295b3c7a183394142291230561f673a49ce7969c8557fda062da156f26c95f4f1f3404ce34bc872c85ab47e4c3e6cb7e1e9ab89a56447

data/README.md

@@ -1,15 +1,16 @@
-# kc - Keychain Manager
+# kc - Secure Secrets Manager with iCloud Sync
 
-A CLI tool to securely store and retrieve secrets from macOS Keychain with namespace support and automatic iCloud sync.
+A CLI tool to securely store and retrieve secrets with automatic iCloud Drive synchronization across all your Macs.
 
 ## Features
 
-- 🔐 Securely store any secrets in macOS Keychain
-- ☁️ **iCloud Keychain sync** - automatically sync secrets across all your Macs
+- 🔐 **AES-256 encryption** - military-grade encryption for your secrets
+- ☁️ **iCloud Drive sync** - automatically sync encrypted secrets across all your Macs
+- 🔑 **Master password in local keychain** - password stored securely, never synced
 - 🏷️ **Namespace support** - organize secrets by type (env, ssh, token, etc.)
-- 🚀 Native implementation using FFI (no shell command overhead)
-- 📦 Simple CLI interface
-- 📋 List and filter secrets by namespace
+- 📝 **Append-only log** - automatic conflict resolution for concurrent edits
+- 🚀 **Simple CLI interface** - easy to use command-line tool
+- 📋 **Filter and search** - list secrets by namespace prefix
 
 ## Installation
 
@@ -23,11 +24,31 @@ Or add to your Gemfile:
 gem 'kc'
 ```
 
+## Quick Start
+
+### First Time Setup
+
+Initialize kc with a master password:
+
+```bash
+$ kc init
+Enter master password: ****
+Confirm master password: ****
+
+✓ Master password saved to local keychain
+✓ iCloud Drive sync enabled at:
+  ~/Library/Mobile Documents/com~apple~CloudDocs/kc
+
+Your secrets will be encrypted and synced across your Macs!
+```
+
+**Important**: You'll need to run `kc init` on each Mac with the same master password.
+
 ## Usage
 
-All commands require a **namespace** in the format `<namespace>:<name>`. Namespaces help organize different types of secrets.
+All commands use the format `<namespace>:<name>`. Namespaces help organize different types of secrets.
 
-### Save to Keychain
+### Save Secrets
 
 Read from stdin and save to keychain with namespace:
 
@@ -96,10 +117,11 @@ source_env .env
 
 ## Commands
 
-- `kc save <namespace>:<name>` - Read from stdin and save to keychain
-- `kc load <namespace>:<name>` - Load from keychain and output to stdout  
-- `kc delete <namespace>:<name>` - Delete entry from keychain
-- `kc list [prefix]` - List all entries (optionally filter by prefix)
+- `kc init` - Initialize with master password (first time setup)
+- `kc save <namespace>:<name>` - Read from stdin and save encrypted
+- `kc load <namespace>:<name>` - Decrypt and output to stdout  
+- `kc delete <namespace>:<name>` - Mark entry as deleted
+- `kc list [prefix]` - List all current entries (optionally filter by prefix)
 
 ## Namespaces
 
@@ -117,24 +139,48 @@ You can create custom namespaces as needed.
 
 ## How it works
 
-`kc` uses macOS Security framework via FFI to directly interact with the Keychain, avoiding shell command overhead. All entries are stored as **Internet Passwords** with:
+### Architecture
+
+`kc` uses a hybrid approach combining local keychain security with iCloud Drive synchronization:
+
+1. **Master Password**: Stored securely in your local macOS Keychain (never synced)
+2. **Encrypted Secrets**: Stored in `~/Library/Mobile Documents/com~apple~CloudDocs/kc/secrets.jsonl`
+3. **Encryption**: AES-256-CBC with PBKDF2 key derivation (10,000 iterations)
+4. **Sync**: iCloud Drive automatically syncs the encrypted file across your Macs
+
+### Data Format
 
-- Server: `kc`
-- Account: `<namespace>:<name>` (e.g., `env:myproject`)
-- Protocol: HTTPS
+Secrets are stored in an append-only JSONL (JSON Lines) file:
 
-### iCloud Keychain Sync
+```json
+{"ts":"2026-01-05T10:00:00.123Z","op":"set","ns":"aws","key":"ACCESS_KEY","val":"<encrypted>"}
+{"ts":"2026-01-05T11:30:00.456Z","op":"set","ns":"hubot","key":"TOKEN","val":"<encrypted>"}
+{"ts":"2026-01-05T12:00:00.789Z","op":"del","ns":"aws","key":"OLD_KEY"}
+```
+
+- **Append-only**: New entries are always appended, never modified
+- **Timestamps**: ISO8601 format with millisecond precision
+- **Operations**: `set` (save/update) or `del` (delete)
+- **Conflict Resolution**: Automatic merge based on timestamps
 
-All secrets saved by `kc` are automatically synchronized across your Macs via **iCloud Keychain** (if enabled in System Settings). This means:
+### Security
 
-- 💾 Save a secret on one Mac → Access it instantly on all your other Macs
-- 🔄 Changes and deletions are synced automatically
-- 🔐 End-to-end encryption ensures your secrets remain secure during sync
-- 🌐 No manual export/import needed
+- ✅ **Master password** stored in local keychain (not synced)
+- ✅ **AES-256 encryption** for all secret values
+- ✅ **Unique salt and IV** for each encrypted value
+- ✅ **PBKDF2 key derivation** with 10,000 iterations
+- ✅ **End-to-end encryption** - iCloud only sees encrypted data
+- ❌ **Metadata not encrypted** - namespace and key names are visible (but not values)
 
-To verify sync is working, open **Keychain Access.app** and select the **iCloud** keychain. Look for entries with server name `kc`.
+### Conflict Resolution
 
-**Note:** Internet Passwords (used by `kc`) are automatically synced by macOS when iCloud Keychain is enabled. You don't need to do anything special!
+If you edit secrets on multiple Macs simultaneously:
+
+1. iCloud Drive creates "conflicted copy" files
+2. `kc` automatically detects and merges them
+3. Entries are sorted by timestamp (oldest first)
+4. Latest value for each key wins
+5. Conflicted copies are deleted after merge
 
 ## Full Workflow Example
 
@@ -195,8 +241,11 @@ bundle exec rspec
 
 ## Requirements
 
-- macOS (uses macOS Keychain)
-- Ruby 2.5 or later
+- **macOS** - uses macOS Keychain for master password storage
+- **iCloud Drive** - enabled in System Settings for sync
+- **Ruby 2.5 or later**
+
+**Note**: Each Mac needs to run `kc init` with the same master password to decrypt synced secrets.
 
 ## Contributing
 

data/kc.gemspec

@@ -8,8 +8,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ['AILERON']
   spec.email         = ['masa@aileron.cc']
 
-  spec.summary       = 'Manage secrets in macOS Keychain with iCloud sync and namespace support'
-  spec.description   = 'A CLI tool to securely store and retrieve secrets from macOS Keychain with automatic iCloud sync across your Macs. Features namespace support for organizing different types of secrets (env files, SSH keys, API tokens, etc.) and works seamlessly with direnv.'
+  spec.summary       = 'Secure secrets manager with iCloud Drive sync and AES-256 encryption'
+  spec.description   = 'A CLI tool to securely store and retrieve secrets with AES-256 encryption and automatic iCloud Drive synchronization. Master password stored in local keychain, secrets encrypted and synced via iCloud Drive. Features namespace support, automatic conflict resolution, and append-only JSONL format.'
   spec.homepage      = 'https://github.com/aileron/kc'
   spec.license       = 'MIT'
 

data/lib/kc/cli.rb

@@ -13,13 +13,15 @@ module Kc
       name = @argv[1]
 
       case command
-      when "save"
+      when 'init'
+        handle_init
+      when 'save'
         handle_save(name)
-      when "load"
+      when 'load'
         handle_load(name)
-      when "delete"
+      when 'delete'
         handle_delete(name)
-      when "list"
+      when 'list'
         handle_list(name)
       else
         show_usage
@@ -29,30 +31,64 @@ module Kc
 
     private
 
+    def handle_init
+      require 'io/console'
+
+      puts 'Setting up kc with iCloud Drive sync...'
+      puts
+      print 'Enter master password: '
+      password = STDIN.noecho(&:gets).chomp
+      puts
+      print 'Confirm master password: '
+      password_confirm = STDIN.noecho(&:gets).chomp
+      puts
+
+      unless password == password_confirm
+        puts 'Error: Passwords do not match'
+        exit 1
+      end
+
+      if password.empty?
+        puts 'Error: Password cannot be empty'
+        exit 1
+      end
+
+      Keychain.init(password)
+      puts
+      puts '✓ Master password saved to local keychain'
+      puts '✓ iCloud Drive sync enabled at:'
+      puts "  #{Keychain::ICLOUD_DRIVE_PATH}"
+      puts
+      puts 'Your secrets will be encrypted and synced across your Macs!'
+    rescue StandardError => e
+      puts "Error: #{e.message}"
+      exit 1
+    end
+
     def validate_namespace(name)
-      unless name&.include?(":")
-        puts "Error: Namespace required. Format: <namespace>:<name>"
-        puts "Examples: env:myproject, ssh:id_rsa, token:github"
+      unless name&.include?(':')
+        puts 'Error: Namespace required. Format: <namespace>:<name>'
+        puts 'Examples: env:myproject, ssh:id_rsa, token:github'
         exit 1
       end
 
-      namespace, key = name.split(":", 2)
-      
+      namespace, key = name.split(':', 2)
+
       if namespace.empty? || key.empty?
-        puts "Error: Invalid format. Use <namespace>:<name>"
+        puts 'Error: Invalid format. Use <namespace>:<name>'
         exit 1
       end
 
       # Validate namespace format (alphanumeric and hyphen only)
-      unless namespace.match?(/^[a-z0-9-]+$/)
-        puts "Error: Namespace must contain only lowercase letters, numbers, and hyphens"
-        exit 1
-      end
+      return if namespace.match?(/^[a-z0-9-]+$/)
+
+      puts 'Error: Namespace must contain only lowercase letters, numbers, and hyphens'
+      exit 1
     end
 
     def handle_save(name)
       unless name
-        puts "Error: name is required"
+        puts 'Error: name is required'
         show_usage
         exit 1
       end
@@ -61,26 +97,26 @@ module Kc
 
       # Read from stdin
       if STDIN.tty?
-        puts "Error: No input provided. Use: cat file | kc save <namespace>:<name>"
+        puts 'Error: No input provided. Use: cat file | kc save <namespace>:<name>'
         exit 1
       end
 
       content = STDIN.read
       if content.empty?
-        puts "Error: Input is empty"
+        puts 'Error: Input is empty'
         exit 1
       end
 
       Keychain.save(name, content)
       puts "Successfully saved to keychain as '#{name}'"
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
 
     def handle_load(name)
       unless name
-        puts "Error: name is required"
+        puts 'Error: name is required'
         show_usage
         exit 1
       end
@@ -89,14 +125,14 @@ module Kc
 
       content = Keychain.load(name)
       puts content
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
 
     def handle_delete(name)
       unless name
-        puts "Error: name is required"
+        puts 'Error: name is required'
         show_usage
         exit 1
       end
@@ -105,24 +141,24 @@ module Kc
 
       Keychain.delete(name)
       puts "Successfully deleted '#{name}' from keychain"
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
 
     def handle_list(prefix)
       items = Keychain.list(prefix)
-      
+
       if items.empty?
         if prefix
           puts "No items found with prefix '#{prefix}'"
         else
-          puts "No items found in keychain"
+          puts 'No items found in keychain'
         end
       else
         items.each { |item| puts item }
       end
-    rescue => e
+    rescue StandardError => e
       puts "Error: #{e.message}"
       exit 1
     end
@@ -130,12 +166,14 @@ module Kc
     def show_usage
       puts <<~USAGE
         Usage:
-          kc save <namespace>:<name>      Save from stdin to keychain
-          kc load <namespace>:<name>      Load from keychain to stdout
-          kc delete <namespace>:<name>    Delete from keychain
+          kc init                         Initialize kc with master password
+          kc save <namespace>:<name>      Save from stdin
+          kc load <namespace>:<name>      Load to stdout
+          kc delete <namespace>:<name>    Delete entry
           kc list [prefix]                List all items (optionally filter by prefix)
 
         Examples:
+          kc init                          # First time setup
           cat .env | kc save env:myproject
           kc load env:myproject > .env
           kc save ssh:id_rsa < ~/.ssh/id_rsa

data/lib/kc/keychain.rb

@@ -1,309 +1,352 @@
 require 'ffi'
+require 'json'
+require 'openssl'
+require 'base64'
+require 'fileutils'
+require 'time'
 
 module Kc
   class Keychain
-    SERVICE_NAME = 'kc'
-
-    module CoreFoundation
-      extend FFI::Library
-      ffi_lib '/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation'
-
-      # CFString functions
-      attach_function :CFStringCreateWithCString, %i[pointer string uint32], :pointer
-      attach_function :CFStringGetCString, %i[pointer pointer long uint32], :bool
-      attach_function :CFStringGetLength, [:pointer], :long
-
-      # CFData functions
-      attach_function :CFDataCreate, %i[pointer pointer long], :pointer
-      attach_function :CFDataGetLength, [:pointer], :long
-      attach_function :CFDataGetBytePtr, [:pointer], :pointer
-
-      # CFDictionary functions
-      attach_function :CFDictionaryCreateMutable, %i[pointer long pointer pointer], :pointer
-      attach_function :CFDictionarySetValue, %i[pointer pointer pointer], :void
-      attach_function :CFDictionaryGetValue, %i[pointer pointer], :pointer
-
-      # CFArray functions
-      attach_function :CFArrayGetCount, [:pointer], :long
-      attach_function :CFArrayGetValueAtIndex, %i[pointer long], :pointer
-
-      # CFNumber functions
-      attach_function :CFNumberCreate, %i[pointer int pointer], :pointer
-      attach_function :CFBooleanGetValue, [:pointer], :bool
-
-      # CFRelease
-      attach_function :CFRelease, [:pointer], :void
-
-      # Constants
-      KCFStringEncodingUTF8 = 0x08000100
-      KCFNumberSInt32Type = 3
-
-      # Get Boolean constants using symbols
-      def self.kCFBooleanTrue
-        @kCFBooleanTrue ||= begin
-          ptr_ptr = FFI::DynamicLibrary.open(
-            '/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation',
-            FFI::DynamicLibrary::RTLD_LAZY | FFI::DynamicLibrary::RTLD_GLOBAL
-          ).find_symbol('kCFBooleanTrue')
-          FFI::Pointer.new(:pointer, ptr_ptr.address).read_pointer
-        end
-      end
-
-      def self.kCFBooleanFalse
-        @kCFBooleanFalse ||= begin
-          ptr_ptr = FFI::DynamicLibrary.open(
-            '/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation',
-            FFI::DynamicLibrary::RTLD_LAZY | FFI::DynamicLibrary::RTLD_GLOBAL
-          ).find_symbol('kCFBooleanFalse')
-          FFI::Pointer.new(:pointer, ptr_ptr.address).read_pointer
-        end
-      end
-    end
+    MASTER_PASSWORD_SERVICE = 'kc-master-password'
+    MASTER_PASSWORD_ACCOUNT = 'default'
+    ICLOUD_DRIVE_PATH = File.expand_path('~/Library/Mobile Documents/com~apple~CloudDocs/kc')
+    SECRETS_FILE = File.join(ICLOUD_DRIVE_PATH, 'secrets.jsonl')
 
     module SecurityFramework
       extend FFI::Library
       ffi_lib '/System/Library/Frameworks/Security.framework/Security'
 
-      # Modern SecItem API
-      attach_function :SecItemAdd, %i[pointer pointer], :int
-      attach_function :SecItemCopyMatching, %i[pointer pointer], :int
-      attach_function :SecItemUpdate, %i[pointer pointer], :int
-      attach_function :SecItemDelete, [:pointer], :int
+      # OSStatus SecKeychainAddGenericPassword(...)
+      attach_function :SecKeychainAddGenericPassword, %i[
+        pointer uint32 string uint32 string
+        uint32 pointer pointer
+      ], :int
+
+      # OSStatus SecKeychainFindGenericPassword(...)
+      attach_function :SecKeychainFindGenericPassword, %i[
+        pointer uint32 string uint32 string
+        pointer pointer pointer
+      ], :int
+
+      # OSStatus SecKeychainItemDelete(...)
+      attach_function :SecKeychainItemDelete, [:pointer], :int
+
+      # void SecKeychainItemFreeContent(...)
+      attach_function :SecKeychainItemFreeContent, %i[pointer pointer], :int
 
-      # Error codes
       ErrSecSuccess = 0
       ErrSecItemNotFound = -25_300
-      ErrSecDuplicateItem = -25_299
-
-      # Helper to get constant addresses from library
-      def self.get_constant(name)
-        ptr = FFI::DynamicLibrary.open(
-          '/System/Library/Frameworks/Security.framework/Security',
-          FFI::DynamicLibrary::RTLD_LAZY | FFI::DynamicLibrary::RTLD_GLOBAL
-        ).find_variable(name)
-        ptr.read_pointer
-      end
     end
 
     class << self
-      # Helper methods for CoreFoundation
-      def create_cf_string(str)
-        CoreFoundation.CFStringCreateWithCString(nil, str, CoreFoundation::KCFStringEncodingUTF8)
-      end
+      # Initialize master password
+      def init(password)
+        # Delete existing if any
+        begin
+          delete_master_password
+        rescue StandardError
+          nil
+        end
 
-      def create_cf_data(data)
-        ptr = FFI::MemoryPointer.from_string(data)
-        CoreFoundation.CFDataCreate(nil, ptr, data.bytesize)
-      end
+        # Save new master password to local keychain
+        status = SecurityFramework.SecKeychainAddGenericPassword(
+          nil,
+          MASTER_PASSWORD_SERVICE.bytesize,
+          MASTER_PASSWORD_SERVICE,
+          MASTER_PASSWORD_ACCOUNT.bytesize,
+          MASTER_PASSWORD_ACCOUNT,
+          password.bytesize,
+          FFI::MemoryPointer.from_string(password),
+          nil
+        )
+
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to save master password (status: #{status})"
+        end
 
-      def create_cf_boolean(value)
-        value ? CoreFoundation.kCFBooleanTrue : CoreFoundation.kCFBooleanFalse
+        # Ensure iCloud Drive directory exists
+        FileUtils.mkdir_p(ICLOUD_DRIVE_PATH)
+
+        # Create empty secrets file if it doesn't exist
+        File.write(SECRETS_FILE, '') unless File.exist?(SECRETS_FILE)
       end
 
-      def cf_string_to_ruby(cf_string)
-        return nil if cf_string.null?
+      # Get master password from local keychain
+      def master_password
+        password_length = FFI::MemoryPointer.new(:uint32)
+        password_data = FFI::MemoryPointer.new(:pointer)
+
+        status = SecurityFramework.SecKeychainFindGenericPassword(
+          nil,
+          MASTER_PASSWORD_SERVICE.bytesize,
+          MASTER_PASSWORD_SERVICE,
+          MASTER_PASSWORD_ACCOUNT.bytesize,
+          MASTER_PASSWORD_ACCOUNT,
+          password_length,
+          password_data,
+          nil
+        )
 
-        length = CoreFoundation.CFStringGetLength(cf_string)
-        buffer = FFI::MemoryPointer.new(:char, length * 4 + 1)
-        if CoreFoundation.CFStringGetCString(cf_string, buffer, buffer.size, CoreFoundation::KCFStringEncodingUTF8)
-          buffer.read_string
+        if status == SecurityFramework::ErrSecItemNotFound
+          raise Error, "Master password not found. Please run 'kc init' first."
         end
-      end
 
-      def cf_data_to_ruby(cf_data)
-        return nil if cf_data.null?
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to load master password (status: #{status})"
+        end
 
-        length = CoreFoundation.CFDataGetLength(cf_data)
-        ptr = CoreFoundation.CFDataGetBytePtr(cf_data)
-        ptr.read_bytes(length)
-      end
+        length = password_length.read_uint32
+        data_ptr = password_data.read_pointer
+        password = data_ptr.read_string(length)
 
-      # Get Security framework constants
-      def kSecClass
-        @kSecClass ||= SecurityFramework.get_constant('kSecClass')
-      end
+        SecurityFramework.SecKeychainItemFreeContent(nil, data_ptr)
 
-      def kSecClassInternetPassword
-        @kSecClassInternetPassword ||= SecurityFramework.get_constant('kSecClassInternetPassword')
+        password
       end
 
-      def kSecAttrServer
-        @kSecAttrServer ||= SecurityFramework.get_constant('kSecAttrServer')
-      end
+      # Delete master password
+      def delete_master_password
+        item_ref = FFI::MemoryPointer.new(:pointer)
 
-      def kSecAttrAccount
-        @kSecAttrAccount ||= SecurityFramework.get_constant('kSecAttrAccount')
-      end
+        status = SecurityFramework.SecKeychainFindGenericPassword(
+          nil,
+          MASTER_PASSWORD_SERVICE.bytesize,
+          MASTER_PASSWORD_SERVICE,
+          MASTER_PASSWORD_ACCOUNT.bytesize,
+          MASTER_PASSWORD_ACCOUNT,
+          nil,
+          nil,
+          item_ref
+        )
 
-      def kSecAttrProtocol
-        @kSecAttrProtocol ||= SecurityFramework.get_constant('kSecAttrProtocol')
-      end
+        return if status == SecurityFramework::ErrSecItemNotFound
 
-      def kSecAttrProtocolHTTPS
-        @kSecAttrProtocolHTTPS ||= SecurityFramework.get_constant('kSecAttrProtocolHTTPS')
-      end
+        unless status == SecurityFramework::ErrSecSuccess
+          raise Error, "Failed to find master password (status: #{status})"
+        end
 
-      def kSecValueData
-        @kSecValueData ||= SecurityFramework.get_constant('kSecValueData')
-      end
+        delete_status = SecurityFramework.SecKeychainItemDelete(item_ref.read_pointer)
+        return if delete_status == SecurityFramework::ErrSecSuccess
 
-      def kSecReturnData
-        @kSecReturnData ||= SecurityFramework.get_constant('kSecReturnData')
+        raise Error, "Failed to delete master password (status: #{delete_status})"
       end
 
-      def kSecMatchLimit
-        @kSecMatchLimit ||= SecurityFramework.get_constant('kSecMatchLimit')
+      # Encrypt data with master password
+      def encrypt(data)
+        password = master_password
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.encrypt
+
+        # Derive key from password
+        salt = OpenSSL::Random.random_bytes(16)
+        key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, cipher.key_len, 'sha256')
+        cipher.key = key
+
+        iv = cipher.random_iv
+        encrypted = cipher.update(data) + cipher.final
+
+        # Return: salt + iv + encrypted_data (all base64 encoded)
+        result = {
+          salt: Base64.strict_encode64(salt),
+          iv: Base64.strict_encode64(iv),
+          data: Base64.strict_encode64(encrypted)
+        }
+        Base64.strict_encode64(result.to_json)
       end
 
-      def kSecMatchLimitAll
-        @kSecMatchLimitAll ||= SecurityFramework.get_constant('kSecMatchLimitAll')
-      end
+      # Decrypt data with master password
+      def decrypt(encrypted_str)
+        password = master_password
 
-      def kSecReturnAttributes
-        @kSecReturnAttributes ||= SecurityFramework.get_constant('kSecReturnAttributes')
-      end
+        # Decode outer base64
+        payload = JSON.parse(Base64.strict_decode64(encrypted_str))
 
-      def save(account_name, content)
-        # Try to delete existing entry first (update semantics)
-        delete(account_name) rescue nil
+        salt = Base64.strict_decode64(payload['salt'])
+        iv = Base64.strict_decode64(payload['iv'])
+        encrypted_data = Base64.strict_decode64(payload['data'])
 
-        # Create query dictionary for Internet Password
-        # Note: Internet Passwords are automatically synced via iCloud Keychain when enabled
-        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+        cipher = OpenSSL::Cipher.new('AES-256-CBC')
+        cipher.decrypt
 
-        server_str = create_cf_string(SERVICE_NAME)
-        account_str = create_cf_string(account_name)
-        data_obj = create_cf_data(content)
+        key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, cipher.key_len, 'sha256')
+        cipher.key = key
+        cipher.iv = iv
 
-        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrAccount, account_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
-        CoreFoundation.CFDictionarySetValue(query, kSecValueData, data_obj)
+        cipher.update(encrypted_data) + cipher.final
+      end
 
-        status = SecurityFramework.SecItemAdd(query, nil)
+      # Append entry to JSONL
+      def append_entry(namespace, key, value, operation: 'set')
+        ensure_secrets_file
 
-        # Cleanup
-        CoreFoundation.CFRelease(server_str)
-        CoreFoundation.CFRelease(account_str)
-        CoreFoundation.CFRelease(data_obj)
-        CoreFoundation.CFRelease(query)
+        entry = {
+          ts: Time.now.utc.iso8601(3),
+          op: operation,
+          ns: namespace,
+          key: key
+        }
 
-        unless status == SecurityFramework::ErrSecSuccess
-          raise Error, "Failed to save to keychain (status: #{status})"
+        entry[:val] = encrypt(value) if operation == 'set'
+
+        File.open(SECRETS_FILE, 'a') do |f|
+          f.puts(entry.to_json)
         end
       end
 
-      def load(account_name)
-        # Create query dictionary for Internet Password
-        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+      # Detect and merge conflicted copies
+      def detect_and_merge_conflicts
+        return unless File.exist?(SECRETS_FILE)
 
-        server_str = create_cf_string(SERVICE_NAME)
-        account_str = create_cf_string(account_name)
+        dir = File.dirname(SECRETS_FILE)
+        base = File.basename(SECRETS_FILE, '.jsonl')
 
-        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrAccount, account_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
-        CoreFoundation.CFDictionarySetValue(query, kSecReturnData, create_cf_boolean(true))
+        # Find all conflicted copies
+        conflicted = Dir.glob(File.join(dir, "#{base} (*conflicted copy*).jsonl"))
+        return if conflicted.empty?
 
-        result_ptr = FFI::MemoryPointer.new(:pointer)
-        status = SecurityFramework.SecItemCopyMatching(query, result_ptr)
+        # Read all files
+        all_entries = []
 
-        # Cleanup query
-        CoreFoundation.CFRelease(server_str)
-        CoreFoundation.CFRelease(account_str)
-        CoreFoundation.CFRelease(query)
+        # Main file
+        if File.exist?(SECRETS_FILE)
+          File.readlines(SECRETS_FILE).each do |line|
+            line = line.strip
+            next if line.empty?
 
-        unless status == SecurityFramework::ErrSecSuccess
-          if status == SecurityFramework::ErrSecItemNotFound
-            raise Error, "Entry '#{account_name}' not found in keychain"
-          else
-            raise Error, "Failed to load from keychain (status: #{status})"
+            begin
+              all_entries << JSON.parse(line, symbolize_names: true)
+            rescue JSON::ParserError
+              # Skip malformed lines
+            end
           end
         end
 
-        # Extract data
-        result = result_ptr.read_pointer
-        data = cf_data_to_ruby(result)
-        CoreFoundation.CFRelease(result)
+        # Conflicted files
+        conflicted.each do |file|
+          File.readlines(file).each do |line|
+            line = line.strip
+            next if line.empty?
+
+            begin
+              all_entries << JSON.parse(line, symbolize_names: true)
+            rescue JSON::ParserError
+              # Skip malformed lines
+            end
+          end
+        end
+
+        # Sort by timestamp (oldest first)
+        all_entries.sort_by! { |e| e[:ts] }
+
+        # Write merged entries back to main file
+        File.open(SECRETS_FILE, 'w') do |f|
+          all_entries.each { |e| f.puts(e.to_json) }
+        end
 
-        data
+        # Delete conflicted copies
+        conflicted.each { |file| File.delete(file) }
       end
 
-      def delete(account_name)
-        # Create query dictionary for Internet Password
-        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+      # Read all entries from JSONL
+      def read_entries
+        # First, detect and merge any conflicts
+        detect_and_merge_conflicts
 
-        server_str = create_cf_string(SERVICE_NAME)
-        account_str = create_cf_string(account_name)
+        return [] unless File.exist?(SECRETS_FILE)
 
-        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrAccount, account_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
+        entries = []
+        File.readlines(SECRETS_FILE).each do |line|
+          line = line.strip
+          next if line.empty?
 
-        status = SecurityFramework.SecItemDelete(query)
+          begin
+            entries << JSON.parse(line, symbolize_names: true)
+          rescue JSON::ParserError
+            # Skip malformed lines
+          end
+        end
 
-        # Cleanup
-        CoreFoundation.CFRelease(server_str)
-        CoreFoundation.CFRelease(account_str)
-        CoreFoundation.CFRelease(query)
+        entries
+      end
 
-        unless status == SecurityFramework::ErrSecSuccess
-          if status == SecurityFramework::ErrSecItemNotFound
-            raise Error, "Entry '#{account_name}' not found in keychain"
-          else
-            raise Error, "Failed to delete from keychain (status: #{status})"
+      # Get current state (latest values for each key)
+      def current_state
+        entries = read_entries
+        state = {}
+
+        entries.each do |entry|
+          ns_key = "#{entry[:ns]}:#{entry[:key]}"
+
+          if entry[:op] == 'set'
+            state[ns_key] = {
+              namespace: entry[:ns],
+              key: entry[:key],
+              encrypted_value: entry[:val],
+              timestamp: entry[:ts]
+            }
+          elsif entry[:op] == 'del'
+            state.delete(ns_key)
           end
         end
+
+        state
       end
 
-      def list(prefix = nil)
-        # Create query dictionary for Internet Password
-        query = CoreFoundation.CFDictionaryCreateMutable(nil, 0, nil, nil)
+      # Save a secret
+      def save(account_name, content)
+        namespace, key = parse_account_name(account_name)
+        append_entry(namespace, key, content, operation: 'set')
+      end
 
-        server_str = create_cf_string(SERVICE_NAME)
+      # Load a secret
+      def load(account_name)
+        namespace, key = parse_account_name(account_name)
+        state = current_state
+        ns_key = "#{namespace}:#{key}"
 
-        CoreFoundation.CFDictionarySetValue(query, kSecClass, kSecClassInternetPassword)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrServer, server_str)
-        CoreFoundation.CFDictionarySetValue(query, kSecAttrProtocol, kSecAttrProtocolHTTPS)
-        CoreFoundation.CFDictionarySetValue(query, kSecMatchLimit, kSecMatchLimitAll)
-        CoreFoundation.CFDictionarySetValue(query, kSecReturnAttributes, create_cf_boolean(true))
+        entry = state[ns_key]
+        raise Error, "Entry '#{account_name}' not found" unless entry
 
-        result_ptr = FFI::MemoryPointer.new(:pointer)
-        status = SecurityFramework.SecItemCopyMatching(query, result_ptr)
+        decrypt(entry[:encrypted_value])
+      end
 
-        # Cleanup query
-        CoreFoundation.CFRelease(server_str)
-        CoreFoundation.CFRelease(query)
+      # Delete a secret
+      def delete(account_name)
+        namespace, key = parse_account_name(account_name)
 
-        if status == SecurityFramework::ErrSecItemNotFound
-          return []
-        end
+        # Check if exists
+        state = current_state
+        ns_key = "#{namespace}:#{key}"
+        raise Error, "Entry '#{account_name}' not found" unless state[ns_key]
 
-        unless status == SecurityFramework::ErrSecSuccess
-          raise Error, "Failed to list keychain items (status: #{status})"
-        end
+        append_entry(namespace, key, nil, operation: 'del')
+      end
 
-        # Parse results
-        result = result_ptr.read_pointer
-        count = CoreFoundation.CFArrayGetCount(result)
-        accounts = []
+      # List secrets
+      def list(prefix = nil)
+        state = current_state
+        keys = state.keys
 
-        count.times do |i|
-          item = CoreFoundation.CFArrayGetValueAtIndex(result, i)
-          account_cf = CoreFoundation.CFDictionaryGetValue(item, kSecAttrAccount)
-          account_name = cf_string_to_ruby(account_cf)
+        keys = keys.select { |k| k.start_with?(prefix) } if prefix
 
-          if account_name && (prefix.nil? || account_name.start_with?(prefix))
-            accounts << account_name
-          end
-        end
+        keys.sort
+      end
+
+      private
 
-        CoreFoundation.CFRelease(result)
+      def parse_account_name(account_name)
+        raise Error, 'Invalid format. Use <namespace>:<name>' unless account_name&.include?(':')
+
+        namespace, key = account_name.split(':', 2)
+
+        raise Error, 'Invalid format. Use <namespace>:<name>' if namespace.empty? || key.empty?
+
+        [namespace, key]
+      end
 
-        accounts.sort.uniq
+      def ensure_secrets_file
+        FileUtils.mkdir_p(ICLOUD_DRIVE_PATH) unless Dir.exist?(ICLOUD_DRIVE_PATH)
+        File.write(SECRETS_FILE, '') unless File.exist?(SECRETS_FILE)
       end
     end
   end

data/lib/kc/version.rb

@@ -1,3 +1,3 @@
 module Kc
-  VERSION = '0.2.0'
+  VERSION = '0.3.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kc
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - AILERON
@@ -65,10 +65,10 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-description: A CLI tool to securely store and retrieve secrets from macOS Keychain
-  with automatic iCloud sync across your Macs. Features namespace support for organizing
-  different types of secrets (env files, SSH keys, API tokens, etc.) and works seamlessly
-  with direnv.
+description: A CLI tool to securely store and retrieve secrets with AES-256 encryption
+  and automatic iCloud Drive synchronization. Master password stored in local keychain,
+  secrets encrypted and synced via iCloud Drive. Features namespace support, automatic
+  conflict resolution, and append-only JSONL format.
 email:
 - masa@aileron.cc
 executables:
@@ -115,5 +115,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: Manage secrets in macOS Keychain with iCloud sync and namespace support
+summary: Secure secrets manager with iCloud Drive sync and AES-256 encryption
 test_files: []