RubyGems - localvault - Versions diffs - 1.2.3 → 1.2.4 - Mend

localvault 1.2.3 → 1.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e30526cd10f0e0e29efe3db5b5c73d8de353cad6ad797d02fe1ac7f626ef7bc
-  data.tar.gz: e6f53442c299ba9836eddd53de5715a3f14577c2213080bfe2b7eab9f4646f41
+  metadata.gz: 27e49afd2aae0e73dc4e78e00d81765f77f0c7870a643db8c3549a99b777f27c
+  data.tar.gz: 17cba7049d299d9581dceab6dd9c4a10a55214fafa7c08a51d793b05a39282e1
 SHA512:
-  metadata.gz: 9d707292c02dace77c7595a61885273145f524e917a1b79a04670b428e5812cbc59564f74cacad4bd73f9a1d0843d91ad45588b33c5b1cf2fae58840df3e484f
-  data.tar.gz: 761ac32c6161f3c52d6c51ef7f254b8bd8689739cd7a692fc3ae33f03e014de311514f7753d2470068aca7ef005045f672ea87d386cc06daa0909e136521f325
+  metadata.gz: 8b38a8ac1fc8774c0f505c65365e91db5a7ea2b7557a6bf437f43c807969be0c4521619f2eccdbc55c402c34e4f097342014c638d3691b5c5c265a2f6a1e0788
+  data.tar.gz: 5d35c1ad8fa8573dcec3f9d6a267dead9024cf72cf92faaba4700ac15238d1c72b08d4c746499d1abe23dab92fd19c17cc6c69fb0667e4e94fc75afd770953ba

data/lib/localvault/cli/team.rb CHANGED Viewed

@@ -185,7 +185,7 @@ module LocalVault
           return
         end
-        handle = handle.delete_prefix("@")
+        target = handle
         vault_name = options[:vault] || Config.default_vault
         scope_list = options[:scope]
@@ -210,7 +210,6 @@ module LocalVault
           return
         end
-        # Only owner can add members
         unless data[:owner] == Config.inventlist_handle
           $stderr.puts "Error: Only the vault owner (@#{data[:owner]}) can manage team access."
           return
@@ -218,67 +217,76 @@ module LocalVault
         key_slots = data[:key_slots].is_a?(Hash) ? data[:key_slots] : {}
-        # Check if member already has full access
-        if key_slots.key?(handle) && key_slots[handle].is_a?(Hash) && key_slots[handle]["scopes"].nil?
-          if scope_list
-            $stdout.puts "@#{handle} already has full vault access."
-            return
-          end
-        end
-        # Fetch recipient's public key
-        result = client.get_public_key(handle)
-        pub_key = result["public_key"]
-        unless pub_key && !pub_key.empty?
-          $stderr.puts "Error: @#{handle} has no public key published."
+        # Resolve recipients — single @handle, team:HANDLE, or crew:SLUG
+        recipients = resolve_add_recipients(client, target)
+        if recipients.empty?
+          $stderr.puts "Error: No recipients with public keys found for '#{target}'"
           return
         end
-        if scope_list
-          # Accumulate scopes if member already has some
-          existing_scopes = key_slots.dig(handle, "scopes") || []
-          merged_scopes = (existing_scopes + scope_list).uniq
+        added = 0
+        recipients.each do |member_handle, pub_key|
+          next if member_handle == Config.inventlist_handle  # skip self
-          # Create per-member blob with filtered secrets
-          vault = Vault.new(name: vault_name, master_key: master_key)
-          filtered = vault.filter(merged_scopes)
+          # Skip if already has full access
+          if key_slots.key?(member_handle) && key_slots[member_handle].is_a?(Hash) && key_slots[member_handle]["scopes"].nil?
+            $stdout.puts "@#{member_handle} already has full vault access." if scope_list
+            next
+          end
-          member_key = RbNaCl::Random.random_bytes(32)
-          encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
+          if scope_list
+            existing_scopes = key_slots.dig(member_handle, "scopes") || []
+            merged_scopes = (existing_scopes + scope_list).uniq
-          begin
-            enc_key = KeySlot.create(member_key, pub_key)
-          rescue ArgumentError, KeySlot::DecryptionError => e
-            $stderr.puts "Error: @#{handle}'s public key is invalid: #{e.message}"
-            return
-          end
+            vault = Vault.new(name: vault_name, master_key: master_key)
+            filtered = vault.filter(merged_scopes)
-          key_slots[handle] = {
-            "pub" => pub_key,
-            "enc_key" => enc_key,
-            "scopes" => merged_scopes,
-            "blob" => Base64.strict_encode64(encrypted_blob)
-          }
-        else
-          # Full vault access — encrypt master key directly
-          begin
-            enc_key = KeySlot.create(master_key, pub_key)
-          rescue ArgumentError, KeySlot::DecryptionError => e
-            $stderr.puts "Error: @#{handle}'s public key is invalid: #{e.message}"
-            return
+            member_key = RbNaCl::Random.random_bytes(32)
+            encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
+            begin
+              enc_key = KeySlot.create(member_key, pub_key)
+            rescue ArgumentError, KeySlot::DecryptionError => e
+              $stderr.puts "Error: @#{member_handle}'s public key is invalid: #{e.message}"
+              next
+            end
+            key_slots[member_handle] = {
+              "pub" => pub_key, "enc_key" => enc_key,
+              "scopes" => merged_scopes,
+              "blob" => Base64.strict_encode64(encrypted_blob)
+            }
+          else
+            begin
+              enc_key = KeySlot.create(master_key, pub_key)
+            rescue ArgumentError, KeySlot::DecryptionError => e
+              $stderr.puts "Error: @#{member_handle}'s public key is invalid: #{e.message}"
+              next
+            end
+            key_slots[member_handle] = { "pub" => pub_key, "enc_key" => enc_key, "scopes" => nil, "blob" => nil }
           end
+          added += 1
+        end
-          key_slots[handle] = { "pub" => pub_key, "enc_key" => enc_key, "scopes" => nil, "blob" => nil }
+        if added == 0
+          $stdout.puts "No new members added."
+          return
         end
         store = Store.new(vault_name)
         blob = SyncBundle.pack_v3(store, owner: data[:owner], key_slots: key_slots)
         client.push_vault(vault_name, blob)
-        if scope_list
-          $stdout.puts "Added @#{handle} to vault '#{vault_name}' (scopes: #{key_slots[handle]["scopes"].join(", ")})."
+        if recipients.size == 1
+          h = recipients.first[0]
+          if scope_list
+            $stdout.puts "Added @#{h} to vault '#{vault_name}' (scopes: #{key_slots[h]["scopes"].join(", ")})."
+          else
+            $stdout.puts "Added @#{h} to vault '#{vault_name}'."
+          end
         else
-          $stdout.puts "Added @#{handle} to vault '#{vault_name}'."
+          $stdout.puts "Added #{added} member(s) to vault '#{vault_name}'."
         end
       rescue ApiClient::ApiError => e
         if e.status == 404
@@ -456,6 +464,33 @@ module LocalVault
         nil
       end
+      # Resolve target into list of [handle, public_key] pairs.
+      # Supports @handle, team:HANDLE, and crew:SLUG.
+      def resolve_add_recipients(client, target)
+        if target.start_with?("team:")
+          team_handle = target.delete_prefix("team:")
+          result = client.team_public_keys(team_handle)
+          (result["members"] || [])
+            .select { |m| m["handle"] && m["public_key"] && !m["public_key"].empty? }
+            .map { |m| [m["handle"], m["public_key"]] }
+        elsif target.start_with?("crew:")
+          slug = target.delete_prefix("crew:")
+          result = client.crew_public_keys(slug)
+          (result["members"] || [])
+            .select { |m| m["handle"] && m["public_key"] && !m["public_key"].empty? }
+            .map { |m| [m["handle"], m["public_key"]] }
+        else
+          handle = target.delete_prefix("@")
+          result = client.get_public_key(handle)
+          pub_key = result["public_key"]
+          return [] unless pub_key && !pub_key.empty?
+          [[handle, pub_key]]
+        end
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Warning: #{e.message}"
+        []
+      end
       # Remove a member's key slot, optionally rotating the vault master key.
       # Supports partial scope removal via remove_scopes.
       def remove_key_slot(handle, vault_name, key_slots, client, rotate: false, remove_scopes: nil, owner: nil)

data/lib/localvault/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "1.2.3"
+  VERSION = "1.2.4"
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 1.2.3
+  version: 1.2.4
 platform: ruby
 authors:
 - Nauman Tariq
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -131,7 +130,6 @@ metadata:
   homepage_uri: https://inventlist.com/tools/localvault
   source_code_uri: https://github.com/inventlist/localvault
   funding_uri: https://inventlist.com
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -146,8 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Zero-infrastructure secrets manager
 test_files: []