localvault 0.9.6 → 0.9.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 671f50a3af0358b5344e1ee94f39cee7b74c7d45c5a55fce9e42da3b1f5b3ffc
-  data.tar.gz: a7f41141bff442117b919c5aba3864d51830aedf32ca8ef0ee025bd15bd5ea57
+  metadata.gz: fb41c4ac2d8dd408f4e1add9e9d79a7ec8f3f9fc139a8c8575008d0c0a4dd53d
+  data.tar.gz: d530b0a5e4924f270fe7386a6efb46feaf8ebd27f4b6474b288a6567fc31a9a5
 SHA512:
-  metadata.gz: bde2aaed764d7317de96dda2f962a569fe4a9ae9084e14971ee7a0f838d9c2c0a698bf0f3c0ba151f6179b16522ca61a368f5b881b9491d5db7ab74ec8f50e43
-  data.tar.gz: dfdeb12993ae4236e98b8b19424b9b03d60f29f842c4586f5f31b4dfeef13e44791e04f0b53d50fb14fb2794bc2939b69eedb71c1029b614a907868a27df0958
+  metadata.gz: 48c14b4bca2e1de6e48e35f8fba1a44bfb63d2291d86e6a60b4c07baa9b07d77180b8e511c9ad1a93c80681f4ec4c17c885707bb6c50b24545f973c4d770adb2
+  data.tar.gz: 56c1b8aa333146e7d2553e5c8a81dbaa8077f4185f5b76208086e72a886f2db253e8334232076ca7b6c16ee16bebad391713cbe472f1db75978bfbb7a6107370

data/lib/localvault/api_client.rb

@@ -20,6 +20,11 @@ module LocalVault
       @base_url = base_url || Config.api_url
     end
 
+    # GET /api/v1/me
+    def me
+      get("/me")
+    end
+
     # GET /api/v1/users/:handle/public_key
     def get_public_key(handle)
       get("/users/#{handle}/public_key")
@@ -71,6 +76,26 @@ module LocalVault
       get("/sites/#{site_slug}/crew/public_keys")
     end
 
+    # GET /api/v1/vaults
+    def list_vaults
+      get("/vaults")
+    end
+
+    # PUT /api/v1/vaults/:name — sends raw binary blob, returns JSON
+    def push_vault(name, blob)
+      request_binary(:put, "/vaults/#{URI.encode_uri_component(name)}", blob)
+    end
+
+    # GET /api/v1/vaults/:name — returns raw binary blob
+    def pull_vault(name)
+      request_raw(:get, "/vaults/#{URI.encode_uri_component(name)}")
+    end
+
+    # DELETE /api/v1/vaults/:name
+    def delete_vault(name)
+      delete("/vaults/#{URI.encode_uri_component(name)}")
+    end
+
     private
 
     def get(path)
@@ -121,5 +146,49 @@ module LocalVault
     rescue Errno::ECONNREFUSED, SocketError => e
       raise ApiError.new("Cannot connect to #{@base_url}: #{e.message}")
     end
+
+    # PUT /api/v1/vaults/:name — sends raw binary body, expects JSON response
+    def request_binary(method, path, blob)
+      uri  = URI("#{@base_url}#{BASE_PATH}#{path}")
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.scheme == "https"
+
+      req_class = { put: Net::HTTP::Put }.fetch(method)
+      req = req_class.new(uri.request_uri)
+      req["Authorization"] = "Bearer #{@token}"
+      req["Content-Type"]  = "application/octet-stream"
+      req["Accept"]        = "application/json"
+      req.body = blob
+
+      res = http.request(req)
+      unless res.is_a?(Net::HTTPSuccess)
+        err = begin JSON.parse(res.body)["error"] rescue nil end
+        raise ApiError.new(err || "HTTP #{res.code}", status: res.code.to_i)
+      end
+      JSON.parse(res.body)
+    rescue Errno::ECONNREFUSED, SocketError => e
+      raise ApiError.new("Cannot connect to #{@base_url}: #{e.message}")
+    end
+
+    # GET /api/v1/vaults/:name — returns raw binary body
+    def request_raw(method, path)
+      uri  = URI("#{@base_url}#{BASE_PATH}#{path}")
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.scheme == "https"
+
+      req_class = { get: Net::HTTP::Get }.fetch(method)
+      req = req_class.new(uri.request_uri)
+      req["Authorization"] = "Bearer #{@token}"
+      req["Accept"]        = "application/octet-stream"
+
+      res = http.request(req)
+      unless res.is_a?(Net::HTTPSuccess)
+        err = begin JSON.parse(res.body)["error"] rescue nil end
+        raise ApiError.new(err || "HTTP #{res.code}", status: res.code.to_i)
+      end
+      res.body
+    rescue Errno::ECONNREFUSED, SocketError => e
+      raise ApiError.new("Cannot connect to #{@base_url}: #{e.message}")
+    end
   end
 end

data/lib/localvault/cli/sync.rb

@@ -0,0 +1,111 @@
+require "thor"
+require "fileutils"
+
+module LocalVault
+  class CLI
+    class Sync < Thor
+      desc "push [NAME]", "Push a vault to InventList cloud sync"
+      def push(vault_name = nil)
+        return unless logged_in?
+
+        vault_name ||= Config.default_vault
+        store = Store.new(vault_name)
+
+        unless store.exists?
+          $stderr.puts "Error: Vault '#{vault_name}' does not exist. Run: localvault init #{vault_name}"
+          return
+        end
+
+        blob   = SyncBundle.pack(store)
+        client = ApiClient.new(token: Config.token)
+        client.push_vault(vault_name, blob)
+
+        $stdout.puts "Synced vault '#{vault_name}' (#{blob.bytesize} bytes)"
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Error: #{e.message}"
+      end
+
+      desc "pull [NAME]", "Pull a vault from InventList cloud sync"
+      method_option :force, type: :boolean, default: false, desc: "Overwrite existing local vault"
+      def pull(vault_name = nil)
+        return unless logged_in?
+
+        vault_name ||= Config.default_vault
+        store  = Store.new(vault_name)
+
+        if store.exists? && !options[:force]
+          $stderr.puts "Error: Vault '#{vault_name}' already exists locally. Use --force to overwrite."
+          return
+        end
+
+        client = ApiClient.new(token: Config.token)
+        blob   = client.pull_vault(vault_name)
+        data   = SyncBundle.unpack(blob)
+
+        FileUtils.mkdir_p(store.vault_path)
+        File.write(store.meta_path, data[:meta])
+        store.write_encrypted(data[:secrets]) unless data[:secrets].empty?
+
+        $stdout.puts "Pulled vault '#{vault_name}'."
+        $stdout.puts "Unlock it with: localvault unlock -v #{vault_name}"
+      rescue ApiClient::ApiError => e
+        if e.status == 404
+          $stderr.puts "Error: Vault '#{vault_name}' not found in cloud."
+        else
+          $stderr.puts "Error: #{e.message}"
+        end
+      end
+
+      desc "status", "Show sync status for all vaults"
+      def status
+        return unless logged_in?
+
+        client    = ApiClient.new(token: Config.token)
+        result    = client.list_vaults
+        remote    = (result["vaults"] || []).each_with_object({}) { |v, h| h[v["name"]] = v }
+        local_set = Store.list_vaults.to_set
+        all_names = (remote.keys + local_set.to_a).uniq.sort
+
+        if all_names.empty?
+          $stdout.puts "No vaults found locally or in cloud."
+          return
+        end
+
+        rows = all_names.map do |name|
+          r         = remote[name]
+          l_exists  = local_set.include?(name)
+          row_status = if r && l_exists then "synced"
+                       elsif r          then "remote only"
+                       else                  "local only"
+                       end
+          synced_at = r ? (r["synced_at"]&.slice(0, 10) || "—") : "—"
+          [name, row_status, synced_at]
+        end
+
+        max_name   = (["Vault"] + rows.map { |r| r[0] }).map(&:length).max
+        max_status = (["Status"] + rows.map { |r| r[1] }).map(&:length).max
+
+        $stdout.puts "#{"Vault".ljust(max_name)}  #{"Status".ljust(max_status)}  Synced At"
+        $stdout.puts "#{"─" * max_name}  #{"─" * max_status}  ─────────"
+        rows.each do |name, row_status, synced_at|
+          $stdout.puts "#{name.ljust(max_name)}  #{row_status.ljust(max_status)}  #{synced_at}"
+        end
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Error: #{e.message}"
+      end
+
+      def self.exit_on_failure?
+        true
+      end
+
+      private
+
+      def logged_in?
+        return true if Config.token
+
+        $stderr.puts "Error: Not logged in. Run: localvault login TOKEN"
+        false
+      end
+    end
+  end
+end

data/lib/localvault/cli/team.rb

@@ -4,13 +4,14 @@ module LocalVault
   class CLI
     class Team < Thor
       desc "list [VAULT]", "Show who has access to a vault"
+      method_option :vault, type: :string, aliases: "-v"
       def list(vault_name = nil)
         unless Config.token
           $stderr.puts "Error: Not connected. Run: localvault connect --token TOKEN --handle HANDLE"
           return
         end
 
-        vault_name ||= Config.default_vault
+        vault_name ||= options[:vault] || Config.default_vault
         client = ApiClient.new(token: Config.token)
         result = client.sent_shares(vault_name: vault_name)
         shares = (result["shares"] || []).reject { |s| s["status"] == "revoked" }
@@ -32,6 +33,34 @@ module LocalVault
       rescue ApiClient::ApiError => e
         $stderr.puts "Error: #{e.message}"
       end
+
+      desc "remove HANDLE", "Remove a person's access to a vault"
+      method_option :vault, type: :string, aliases: "-v"
+      def remove(handle)
+        unless Config.token
+          $stderr.puts "Error: Not connected. Run: localvault connect --token TOKEN --handle HANDLE"
+          return
+        end
+
+        handle = handle.delete_prefix("@")
+        vault_name = options[:vault] || Config.default_vault
+        client = ApiClient.new(token: Config.token)
+
+        result = client.sent_shares(vault_name: vault_name)
+        share = (result["shares"] || []).find do |s|
+          s["recipient_handle"] == handle && s["status"] != "revoked"
+        end
+
+        unless share
+          $stderr.puts "Error: No active share found for @#{handle}."
+          return
+        end
+
+        client.revoke_share(share["id"])
+        $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Error: #{e.message}"
+      end
     end
   end
 end

data/lib/localvault/cli.rb

@@ -421,13 +421,95 @@ module LocalVault
       $stdout.puts "  localvault exec -- env | grep -E 'DATABASE|REDIS'"
     end
 
-    # ── Teams / sharing ──────────────────────────────────────────────
+    # ── Teams / sharing / sync ────────────────────────────────────
 
     require_relative "cli/keys"
     require_relative "cli/team"
+    require_relative "cli/sync"
 
     register(Keys, "keys", "keys SUBCOMMAND", "Manage your X25519 keypair for vault sharing")
     register(Team, "team", "team SUBCOMMAND", "Manage vault team access")
+    register(Sync, "sync", "sync SUBCOMMAND", "Sync vaults to InventList cloud")
+
+    desc "keygen", "Generate your identity keypair for vault sync"
+    method_option :force, type: :boolean, default: false, desc: "Overwrite existing keypair"
+    method_option :show,  type: :boolean, default: false, desc: "Print your existing public key"
+    def keygen
+      if options[:show]
+        unless Identity.exists?
+          $stdout.puts "No keypair found. Run: localvault keygen"
+          return
+        end
+        $stdout.puts Identity.public_key
+        return
+      end
+
+      if Identity.exists? && !options[:force]
+        $stdout.puts "Keypair already exists. Use --force to regenerate."
+        return
+      end
+
+      Config.ensure_directories!
+      Identity.generate!(force: options[:force])
+      $stdout.puts "Keypair generated."
+      $stdout.puts "Public key: #{Identity.public_key}"
+    end
+
+    desc "login [TOKEN]", "Log in to InventList — validate token, auto-keygen, publish public key"
+    method_option :status, type: :boolean, default: false, desc: "Show current login status"
+    def login(token = nil)
+      if options[:status]
+        handle = Config.inventlist_handle
+        if handle
+          $stdout.puts "Logged in as @#{handle}"
+        else
+          $stdout.puts "Not logged in. Run: localvault login TOKEN"
+        end
+        return
+      end
+
+      unless token
+        $stdout.puts "Usage: localvault login TOKEN"
+        $stdout.puts "Get your token at: https://inventlist.com/settings"
+        return
+      end
+
+      client = ApiClient.new(token: token)
+      data   = client.me
+      handle = data.dig("user", "handle")
+
+      Config.token             = token
+      Config.inventlist_handle = handle
+
+      Config.ensure_directories!
+      Identity.generate! unless Identity.exists?
+
+      client.publish_public_key(Identity.public_key)
+
+      $stdout.puts "Logged in as @#{handle}"
+      $stdout.puts "Public key published to your InventList profile."
+      $stdout.puts
+      $stdout.puts "Next: localvault sync push   # sync your vault to the cloud"
+    rescue ApiClient::ApiError => e
+      if e.status == 401
+        $stdout.puts "Invalid token. Check your token at: https://inventlist.com/settings"
+      else
+        $stdout.puts "Error connecting to InventList: #{e.message}"
+      end
+    end
+
+    desc "logout", "Log out of InventList"
+    def logout
+      unless Config.token
+        $stdout.puts "Not logged in."
+        return
+      end
+
+      handle = Config.inventlist_handle
+      Config.token             = nil
+      Config.inventlist_handle = nil
+      $stdout.puts "Logged out#{" @#{handle}" if handle}."
+    end
 
     desc "connect", "Connect to InventList for vault sharing"
     method_option :token,  required: true, type: :string, desc: "InventList API token"

data/lib/localvault/sync_bundle.rb

@@ -0,0 +1,30 @@
+require "json"
+require "base64"
+require "digest"
+
+module LocalVault
+  module SyncBundle
+    VERSION = 1
+
+    # Pack a vault's meta.yml + secrets.enc into a single JSON blob.
+    # The secrets.enc is already encrypted — this bundle is opaque to the server.
+    def self.pack(store)
+      meta_content    = File.read(store.meta_path)
+      secrets_content = store.read_encrypted || ""
+      JSON.generate(
+        "version" => VERSION,
+        "meta"    => Base64.strict_encode64(meta_content),
+        "secrets" => Base64.strict_encode64(secrets_content)
+      )
+    end
+
+    # Unpack a blob back into {meta:, secrets:} strings.
+    def self.unpack(blob)
+      data = JSON.parse(blob)
+      {
+        meta:    Base64.strict_decode64(data.fetch("meta")),
+        secrets: Base64.strict_decode64(data.fetch("secrets"))
+      }
+    end
+  end
+end

data/lib/localvault/version.rb

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "0.9.6"
+  VERSION = "0.9.8"
 end

data/lib/localvault.rb

@@ -6,6 +6,7 @@ require_relative "localvault/vault"
 require_relative "localvault/identity"
 require_relative "localvault/share_crypto"
 require_relative "localvault/api_client"
+require_relative "localvault/sync_bundle"
 
 module LocalVault
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 0.9.6
+  version: 0.9.8
 platform: ruby
 authors:
 - Nauman Tariq
@@ -109,6 +109,7 @@ files:
 - lib/localvault/api_client.rb
 - lib/localvault/cli.rb
 - lib/localvault/cli/keys.rb
+- lib/localvault/cli/sync.rb
 - lib/localvault/cli/team.rb
 - lib/localvault/config.rb
 - lib/localvault/crypto.rb
@@ -118,6 +119,7 @@ files:
 - lib/localvault/session_cache.rb
 - lib/localvault/share_crypto.rb
 - lib/localvault/store.rb
+- lib/localvault/sync_bundle.rb
 - lib/localvault/vault.rb
 - lib/localvault/version.rb
 homepage: https://github.com/inventlist/localvault