localvault 1.2.3 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4e30526cd10f0e0e29efe3db5b5c73d8de353cad6ad797d02fe1ac7f626ef7bc
-  data.tar.gz: e6f53442c299ba9836eddd53de5715a3f14577c2213080bfe2b7eab9f4646f41
+  metadata.gz: 2fb8eb382004083b9fcd03144139013da7eda568be14370e08a66a1adb7bd332
+  data.tar.gz: 5e03b4a0b7a7c5ff7e560dd79ef2ada9a4413f8414b275a54478044c90bd267c
 SHA512:
-  metadata.gz: 9d707292c02dace77c7595a61885273145f524e917a1b79a04670b428e5812cbc59564f74cacad4bd73f9a1d0843d91ad45588b33c5b1cf2fae58840df3e484f
-  data.tar.gz: 761ac32c6161f3c52d6c51ef7f254b8bd8689739cd7a692fc3ae33f03e014de311514f7753d2470068aca7ef005045f672ea87d386cc06daa0909e136521f325
+  metadata.gz: d241d6f3fa8ddcd176c78bdc8b8d58d66d511f9527d139c3896fdfd84b92462c7f72f705851f05ec8c9be26a14419613093bfda1265cde860f861f6bbfddebcd
+  data.tar.gz: fc9ec7322791d8eedcdfbb252c11cdd995dc67008d7de6fd7c34b208a9fd0bb913e2a13550e0336104f36f0f3eeaf410d56b2035e699a1a495cd75c67acb310a

data/README.md

@@ -105,19 +105,25 @@ localvault exec -- rails server
 | `sync status` | Show sync state for all vaults |
 | `config set server URL` | Point at a custom server (default: inventlist.com) |
 
-### Team Sharing (v1.2.0)
+### Team Sharing (v1.3.0)
+
+Vault-level operations live under `team`. Person operations (the `@handle`
+already signals a person) are top-level.
 
 | Command | Description |
 |---------|-------------|
 | `team init` | Convert vault to team vault (sets you as owner, SyncBundle v3) |
-| `team verify @handle` | Check if a user has a published public key (dry-run) |
-| `team add @handle` | Add teammate with full vault access |
-| `team add @handle --scope KEY...` | Add teammate with access to specific keys only |
-| `team remove @handle` | Remove teammate's access |
-| `team remove @handle --scope KEY` | Remove one scoped key (keeps other scopes) |
-| `team remove @handle --rotate` | Full revocation + re-encrypt with new passphrase |
 | `team list` | List vault members |
 | `team rotate` | Re-key vault with new passphrase, keep all members |
+| `verify @handle` | Check if a user has a published public key (dry-run) |
+| `add @handle` | Add teammate with full vault access |
+| `add @handle --scope KEY...` | Add teammate with access to specific keys only |
+| `remove @handle` | Remove teammate's access |
+| `remove @handle --scope KEY` | Remove one scoped key (keeps other scopes) |
+| `remove @handle --rotate` | Full revocation + re-encrypt with new passphrase |
+
+The `team add`, `team remove`, and `team verify` aliases still work for
+backward compatibility but the top-level forms are preferred.
 
 ### Keys
 
@@ -168,13 +174,13 @@ Share vault access with teammates using X25519 asymmetric encryption. The server
 localvault team init -v production
 
 # 2. Verify teammate has a published key
-localvault team verify @alice
+localvault verify @alice
 
 # 3. Add with full access
-localvault team add @alice -v production
+localvault add @alice -v production
 
 # 4. Or scoped — they only see specific keys
-localvault team add @bob -v production --scope STRIPE_KEY WEBHOOK_SECRET
+localvault add @bob -v production --scope STRIPE_KEY WEBHOOK_SECRET
 
 # 5. When Alice pulls, auto-unlocks via her identity key
 # (on Alice's machine)
@@ -190,7 +196,7 @@ localvault sync push production
 localvault team rotate -v production
 
 # 8. Full revocation + re-key
-localvault team remove @alice -v production --rotate
+localvault remove @alice -v production --rotate
 ```
 
 **Prerequisites:** Teammates must have a published public key. `localvault login` does this automatically, or: `localvault keys generate && localvault keys publish`.

data/lib/localvault/cli/team.rb

@@ -4,6 +4,8 @@ require "securerandom"
 module LocalVault
   class CLI
     class Team < Thor
+      include LocalVault::CLI::TeamHelpers
+
       desc "init", "Initialize a vault as a team vault (sets you as owner)"
       method_option :vault, type: :string, aliases: "-v"
       # Initialize a vault as a team vault with you as the owner.
@@ -73,7 +75,7 @@ module LocalVault
 
         $stdout.puts "Vault '#{vault_name}' is now a team vault."
         $stdout.puts "Owner: @#{handle}"
-        $stdout.puts "\nNext: localvault team add @handle -v #{vault_name}"
+        $stdout.puts "\nNext: localvault add @handle -v #{vault_name}"
       rescue SyncBundle::UnpackError => e
         $stderr.puts "Error: #{e.message}"
       end
@@ -129,228 +131,6 @@ module LocalVault
         $stderr.puts "Error: #{e.message}"
       end
 
-      desc "verify HANDLE", "Check if a user exists and has a public key for sharing"
-      # Verify a user's handle and public key status before adding them.
-      #
-      # Checks InventList for the handle and whether they have a published
-      # X25519 public key. Does not modify anything.
-      def verify(handle)
-        unless Config.token
-          $stderr.puts "Error: Not logged in."
-          $stderr.puts "\n  localvault login YOUR_TOKEN\n"
-          $stderr.puts "Get your token at: https://inventlist.com/@YOUR_HANDLE/edit#developer"
-          return
-        end
-
-        handle = handle.delete_prefix("@")
-        client = ApiClient.new(token: Config.token)
-        result = client.get_public_key(handle)
-        pub_key = result["public_key"]
-
-        if pub_key && !pub_key.empty?
-          fingerprint = pub_key.length > 12 ? "#{pub_key[0..7]}...#{pub_key[-4..]}" : pub_key
-          $stdout.puts "@#{handle} — public key published"
-          $stdout.puts "  Fingerprint: #{fingerprint}"
-          $stdout.puts "  Ready for: localvault team add @#{handle} -v VAULT"
-        else
-          $stderr.puts "@#{handle} exists but has no public key published."
-          $stderr.puts "They need to run: localvault login TOKEN"
-        end
-      rescue ApiClient::ApiError => e
-        if e.status == 404
-          $stderr.puts "Error: @#{handle} not found on InventList."
-        else
-          $stderr.puts "Error: #{e.message}"
-        end
-      end
-
-      desc "add HANDLE", "Add a teammate to a synced vault via key slot"
-      method_option :vault, type: :string, aliases: "-v"
-      method_option :scope, type: :array, desc: "Groups or keys to share (omit for full access)"
-      # Grant a user access to a synced vault by creating a key slot.
-      #
-      # With --scope, creates a per-member encrypted blob containing only the
-      # specified keys. Without --scope, grants full vault access.
-      # Requires the vault to be a team vault (run team init first).
-      def add(handle)
-        unless Config.token
-          $stderr.puts "Error: Not logged in."
-          $stderr.puts "\n  localvault login YOUR_TOKEN\n"
-          $stderr.puts "Get your token at: https://inventlist.com/@YOUR_HANDLE/edit#developer"
-          return
-        end
-
-        unless Identity.exists?
-          $stderr.puts "Error: No keypair found. Run: localvault keygen"
-          return
-        end
-
-        handle = handle.delete_prefix("@")
-        vault_name = options[:vault] || Config.default_vault
-        scope_list = options[:scope]
-
-        master_key = SessionCache.get(vault_name)
-        unless master_key
-          $stderr.puts "Error: Vault '#{vault_name}' is not unlocked. Run: localvault show -v #{vault_name}"
-          return
-        end
-
-        client = ApiClient.new(token: Config.token)
-
-        # Load existing bundle — must be a team vault (v3)
-        existing_blob = client.pull_vault(vault_name) rescue nil
-        unless existing_blob.is_a?(String) && !existing_blob.empty?
-          $stderr.puts "Error: Vault '#{vault_name}' is not a team vault. Run: localvault team init -v #{vault_name}"
-          return
-        end
-
-        data = SyncBundle.unpack(existing_blob)
-        unless data[:owner]
-          $stderr.puts "Error: Vault '#{vault_name}' is not a team vault. Run: localvault team init -v #{vault_name}"
-          return
-        end
-
-        # Only owner can add members
-        unless data[:owner] == Config.inventlist_handle
-          $stderr.puts "Error: Only the vault owner (@#{data[:owner]}) can manage team access."
-          return
-        end
-
-        key_slots = data[:key_slots].is_a?(Hash) ? data[:key_slots] : {}
-
-        # Check if member already has full access
-        if key_slots.key?(handle) && key_slots[handle].is_a?(Hash) && key_slots[handle]["scopes"].nil?
-          if scope_list
-            $stdout.puts "@#{handle} already has full vault access."
-            return
-          end
-        end
-
-        # Fetch recipient's public key
-        result = client.get_public_key(handle)
-        pub_key = result["public_key"]
-        unless pub_key && !pub_key.empty?
-          $stderr.puts "Error: @#{handle} has no public key published."
-          return
-        end
-
-        if scope_list
-          # Accumulate scopes if member already has some
-          existing_scopes = key_slots.dig(handle, "scopes") || []
-          merged_scopes = (existing_scopes + scope_list).uniq
-
-          # Create per-member blob with filtered secrets
-          vault = Vault.new(name: vault_name, master_key: master_key)
-          filtered = vault.filter(merged_scopes)
-
-          member_key = RbNaCl::Random.random_bytes(32)
-          encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
-
-          begin
-            enc_key = KeySlot.create(member_key, pub_key)
-          rescue ArgumentError, KeySlot::DecryptionError => e
-            $stderr.puts "Error: @#{handle}'s public key is invalid: #{e.message}"
-            return
-          end
-
-          key_slots[handle] = {
-            "pub" => pub_key,
-            "enc_key" => enc_key,
-            "scopes" => merged_scopes,
-            "blob" => Base64.strict_encode64(encrypted_blob)
-          }
-        else
-          # Full vault access — encrypt master key directly
-          begin
-            enc_key = KeySlot.create(master_key, pub_key)
-          rescue ArgumentError, KeySlot::DecryptionError => e
-            $stderr.puts "Error: @#{handle}'s public key is invalid: #{e.message}"
-            return
-          end
-
-          key_slots[handle] = { "pub" => pub_key, "enc_key" => enc_key, "scopes" => nil, "blob" => nil }
-        end
-
-        store = Store.new(vault_name)
-        blob = SyncBundle.pack_v3(store, owner: data[:owner], key_slots: key_slots)
-        client.push_vault(vault_name, blob)
-
-        if scope_list
-          $stdout.puts "Added @#{handle} to vault '#{vault_name}' (scopes: #{key_slots[handle]["scopes"].join(", ")})."
-        else
-          $stdout.puts "Added @#{handle} to vault '#{vault_name}'."
-        end
-      rescue ApiClient::ApiError => e
-        if e.status == 404
-          $stderr.puts "Error: @#{handle} not found or has no public key."
-        else
-          $stderr.puts "Error: #{e.message}"
-        end
-      rescue SyncBundle::UnpackError => e
-        $stderr.puts "Error: #{e.message}"
-      end
-
-      desc "remove HANDLE", "Remove a person's access to a vault"
-      method_option :vault, type: :string, aliases: "-v"
-      method_option :rotate, type: :boolean, default: false, desc: "Re-encrypt vault with new master key (full revocation)"
-      method_option :scope, type: :array, desc: "Remove specific scopes only (keeps other scopes)"
-      # Remove a user's access to a vault.
-      #
-      # Removes the user's key slot and pushes the updated bundle. With +--rotate+,
-      # re-encrypts the vault with a new master key and recreates all remaining
-      # key slots for full cryptographic revocation. Falls back to revoking a
-      # direct share if no key slots exist.
-      def remove(handle)
-        unless Config.token
-          $stderr.puts "Error: Not logged in."
-          $stderr.puts
-          $stderr.puts "  localvault login YOUR_TOKEN"
-          $stderr.puts
-          $stderr.puts "Get your token at: https://inventlist.com/@YOUR_HANDLE/edit#developer"
-          $stderr.puts "New to InventList? Sign up free at https://inventlist.com"
-          $stderr.puts "Docs: https://inventlist.com/sites/localvault/series/localvault"
-          return
-        end
-
-        handle = handle.delete_prefix("@")
-        vault_name = options[:vault] || Config.default_vault
-        client = ApiClient.new(token: Config.token)
-
-        # Try sync-based key slot removal first
-        team_data = load_team_data(client, vault_name)
-        if team_data && team_data[:key_slots] && !team_data[:key_slots].empty?
-          # Must be a v3 team vault with owner
-          unless team_data[:owner]
-            $stderr.puts "Error: Vault '#{vault_name}' is not a team vault. Run: localvault team init -v #{vault_name}"
-            return
-          end
-          unless team_data[:owner] == Config.inventlist_handle
-            $stderr.puts "Error: Only the vault owner (@#{team_data[:owner]}) can manage team access."
-            return
-          end
-          remove_key_slot(handle, vault_name, team_data[:key_slots], client,
-                          rotate: options[:rotate], remove_scopes: options[:scope],
-                          owner: team_data[:owner])
-          return
-        end
-
-        # Fall back to direct share revocation
-        result = client.sent_shares(vault_name: vault_name)
-        share = (result["shares"] || []).find do |s|
-          s["recipient_handle"] == handle && s["status"] != "revoked"
-        end
-
-        unless share
-          $stderr.puts "Error: No active share found for @#{handle}."
-          return
-        end
-
-        client.revoke_share(share["id"])
-        $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
-      rescue ApiClient::ApiError => e
-        $stderr.puts "Error: #{e.message}"
-      end
-
       desc "rotate", "Re-encrypt a team vault with a new master key (no member changes)"
       method_option :vault, type: :string, aliases: "-v"
       # Re-key a team vault without adding or removing members.
@@ -430,161 +210,40 @@ module LocalVault
         $stderr.puts "Error: #{e.message}"
       end
 
-      private
-
-      def prompt_passphrase(msg = "Passphrase: ")
-        IO.console&.getpass(msg) || $stdin.gets&.chomp || ""
-      rescue Interrupt
-        $stderr.puts
-        ""
-      end
+      # ── Backward-compat delegates ─────────────────────────────────
+      # `add`, `remove`, and `verify` moved to the top-level CLI in v1.3.0
+      # (the leading @ in the handle already signals a person operation).
+      # The `team add/remove/verify` aliases keep existing scripts and muscle
+      # memory working — they forward to the top-level commands with the same
+      # options.
 
-      def load_key_slots(client, vault_name)
-        data = load_team_data(client, vault_name)
-        data ? data[:key_slots] : nil
+      desc "add HANDLE", "(alias) Add a teammate — prefer `localvault add @HANDLE`"
+      method_option :vault, type: :string, aliases: "-v"
+      method_option :scope, type: :array, desc: "Groups or keys to share (omit for full access)"
+      def add(handle)
+        LocalVault::CLI.new([], options, {}).add(handle)
       end
 
-      # Load full bundle data including owner. Returns nil if no remote or not a team vault.
-      def load_team_data(client, vault_name)
-        return nil unless client.respond_to?(:pull_vault)
-        blob = client.pull_vault(vault_name)
-        return nil unless blob.is_a?(String) && !blob.empty?
-        data = SyncBundle.unpack(blob)
-        return nil unless data[:key_slots].is_a?(Hash)
-        data
-      rescue ApiClient::ApiError, SyncBundle::UnpackError, NoMethodError
-        nil
+      desc "remove HANDLE", "(alias) Remove a teammate — prefer `localvault remove @HANDLE`"
+      method_option :vault, type: :string, aliases: "-v"
+      method_option :rotate, type: :boolean, default: false, desc: "Re-encrypt vault with new master key (full revocation)"
+      method_option :scope, type: :array, desc: "Remove specific scopes only (keeps other scopes)"
+      def remove(handle)
+        LocalVault::CLI.new([], options, {}).remove(handle)
       end
 
-      # Remove a member's key slot, optionally rotating the vault master key.
-      # Supports partial scope removal via remove_scopes.
-      def remove_key_slot(handle, vault_name, key_slots, client, rotate: false, remove_scopes: nil, owner: nil)
-        owner ||= Config.inventlist_handle
-        unless key_slots.key?(handle)
-          $stderr.puts "Error: @#{handle} has no slot in vault '#{vault_name}'."
-          return
-        end
-
-        store = Store.new(vault_name)
-
-        # Partial scope removal
-        if remove_scopes && key_slots[handle].is_a?(Hash) && key_slots[handle]["scopes"].is_a?(Array)
-          remaining = key_slots[handle]["scopes"] - remove_scopes
-          if remaining.empty?
-            # Last scope removed — remove member entirely
-            key_slots.delete(handle)
-            $stdout.puts "Removed @#{handle} from vault '#{vault_name}' (last scope removed)."
-          else
-            # Rebuild blob with remaining scopes
-            master_key = SessionCache.get(vault_name)
-            if master_key
-              vault = Vault.new(name: vault_name, master_key: master_key)
-              filtered = vault.filter(remaining)
-              member_key = RbNaCl::Random.random_bytes(32)
-              encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
-              enc_key = KeySlot.create(member_key, key_slots[handle]["pub"])
-              key_slots[handle] = {
-                "pub" => key_slots[handle]["pub"],
-                "enc_key" => enc_key,
-                "scopes" => remaining,
-                "blob" => Base64.strict_encode64(encrypted_blob)
-              }
-            end
-            $stdout.puts "Removed scope(s) #{remove_scopes.join(", ")} from @#{handle}. Remaining: #{remaining.join(", ")}"
-          end
-
-          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: key_slots)
-          client.push_vault(vault_name, blob)
-          return
-        end
-
-        # Full member removal
-        valid_slots = key_slots.select { |_, v| v.is_a?(Hash) && v["pub"].is_a?(String) }
-        if handle == Config.inventlist_handle && valid_slots.size <= 1
-          $stderr.puts "Error: Cannot remove yourself — you are the only member."
-          return
-        end
-
-        key_slots.delete(handle)
-
-        if rotate
-          master_key = SessionCache.get(vault_name)
-          unless master_key
-            $stderr.puts "Error: Vault '#{vault_name}' is not unlocked. Run: localvault show -v #{vault_name}"
-            return
-          end
-
-          # Prompt for new passphrase
-          passphrase = prompt_passphrase("New passphrase for vault '#{vault_name}': ")
-          if passphrase.nil? || passphrase.empty?
-            $stderr.puts "Error: Passphrase cannot be empty."
-            return
-          end
-
-          vault = Vault.new(name: vault_name, master_key: master_key)
-          secrets = vault.all
-
-          new_salt = Crypto.generate_salt
-          new_master_key = Crypto.derive_master_key(passphrase, new_salt)
-
-          new_json = JSON.generate(secrets)
-          new_encrypted = Crypto.encrypt(new_json, new_master_key)
-          store.write_encrypted(new_encrypted)
-          store.create_meta!(salt: new_salt)
-
-          new_slots = {}
-          key_slots.each do |h, slot|
-            next unless slot.is_a?(Hash) && slot["pub"].is_a?(String)
-            if slot["scopes"].is_a?(Array)
-              # Scoped member — rebuild per-member blob
-              filtered = vault.filter(slot["scopes"])
-              member_key = RbNaCl::Random.random_bytes(32)
-              encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
-              new_slots[h] = {
-                "pub" => slot["pub"],
-                "enc_key" => KeySlot.create(member_key, slot["pub"]),
-                "scopes" => slot["scopes"],
-                "blob" => Base64.strict_encode64(encrypted_blob)
-              }
-            else
-              # Full-access member
-              new_slots[h] = { "pub" => slot["pub"], "enc_key" => KeySlot.create(new_master_key, slot["pub"]), "scopes" => nil, "blob" => nil }
-            end
-          end
-
-          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: new_slots)
-          client.push_vault(vault_name, blob)
-
-          if new_slots.key?(Config.inventlist_handle)
-            SessionCache.set(vault_name, new_master_key)
-          else
-            SessionCache.clear(vault_name)
-          end
-
-          $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
-          $stdout.puts "Vault re-encrypted with new master key (rotated)."
-        else
-          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: key_slots)
-          client.push_vault(vault_name, blob)
-          $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
-        end
+      desc "verify HANDLE", "(alias) Verify a public key — prefer `localvault verify @HANDLE`"
+      def verify(handle)
+        LocalVault::CLI.new([], options, {}).verify(handle)
       end
 
-      def list_key_slots(vault_name, key_slots)
-        my_handle = Config.inventlist_handle
-        valid = key_slots.select { |_, v| v.is_a?(Hash) && v["pub"].is_a?(String) }
-
-        if valid.empty?
-          $stdout.puts "No key slots for vault '#{vault_name}'."
-          return
-        end
+      private
 
-        $stdout.puts "Vault: #{vault_name} — #{valid.size} member(s)"
-        $stdout.puts
-        valid.sort.each do |handle, slot|
-          marker = handle == my_handle ? " (you)" : ""
-          $stdout.puts "  @#{handle}#{marker}"
-        end
+      def prompt_passphrase(msg = "Passphrase: ")
+        IO.console&.getpass(msg) || $stdin.gets&.chomp || ""
+      rescue Interrupt
+        $stderr.puts
+        ""
       end
     end
   end

data/lib/localvault/cli/team_helpers.rb

@@ -0,0 +1,190 @@
+require "json"
+require "base64"
+require "securerandom"
+
+module LocalVault
+  class CLI < Thor
+    # Shared helpers for team-vault commands. Included by both CLI (for the
+    # top-level `add`/`remove`/`verify` commands) and CLI::Team (for `init`/
+    # `list`/`rotate` and the backward-compat delegators).
+    module TeamHelpers
+      private
+
+      def load_key_slots(client, vault_name)
+        data = load_team_data(client, vault_name)
+        data ? data[:key_slots] : nil
+      end
+
+      # Load full bundle data including owner. Returns nil if no remote or
+      # not a team vault.
+      def load_team_data(client, vault_name)
+        return nil unless client.respond_to?(:pull_vault)
+        blob = client.pull_vault(vault_name)
+        return nil unless blob.is_a?(String) && !blob.empty?
+        data = SyncBundle.unpack(blob)
+        return nil unless data[:key_slots].is_a?(Hash)
+        data
+      rescue ApiClient::ApiError, SyncBundle::UnpackError, NoMethodError
+        nil
+      end
+
+      # Resolve target into list of [handle, public_key] pairs.
+      # Supports @handle, team:HANDLE, and crew:SLUG.
+      def resolve_add_recipients(client, target)
+        if target.start_with?("team:")
+          team_handle = target.delete_prefix("team:")
+          result = client.team_public_keys(team_handle)
+          (result["members"] || [])
+            .select { |m| m["handle"] && m["public_key"] && !m["public_key"].empty? }
+            .map { |m| [m["handle"], m["public_key"]] }
+        elsif target.start_with?("crew:")
+          slug = target.delete_prefix("crew:")
+          result = client.crew_public_keys(slug)
+          (result["members"] || [])
+            .select { |m| m["handle"] && m["public_key"] && !m["public_key"].empty? }
+            .map { |m| [m["handle"], m["public_key"]] }
+        else
+          handle = target.delete_prefix("@")
+          result = client.get_public_key(handle)
+          pub_key = result["public_key"]
+          return [] unless pub_key && !pub_key.empty?
+          [[handle, pub_key]]
+        end
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Warning: #{e.message}"
+        []
+      end
+
+      # Remove a member's key slot, optionally rotating the vault master key.
+      # Supports partial scope removal via remove_scopes.
+      def remove_key_slot(handle, vault_name, key_slots, client, rotate: false, remove_scopes: nil, owner: nil)
+        owner ||= Config.inventlist_handle
+        unless key_slots.key?(handle)
+          $stderr.puts "Error: @#{handle} has no slot in vault '#{vault_name}'."
+          return
+        end
+
+        store = Store.new(vault_name)
+
+        # Partial scope removal
+        if remove_scopes && key_slots[handle].is_a?(Hash) && key_slots[handle]["scopes"].is_a?(Array)
+          remaining = key_slots[handle]["scopes"] - remove_scopes
+          if remaining.empty?
+            # Last scope removed — remove member entirely
+            key_slots.delete(handle)
+            $stdout.puts "Removed @#{handle} from vault '#{vault_name}' (last scope removed)."
+          else
+            # Rebuild blob with remaining scopes
+            master_key = SessionCache.get(vault_name)
+            if master_key
+              vault = Vault.new(name: vault_name, master_key: master_key)
+              filtered = vault.filter(remaining)
+              member_key = RbNaCl::Random.random_bytes(32)
+              encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
+              enc_key = KeySlot.create(member_key, key_slots[handle]["pub"])
+              key_slots[handle] = {
+                "pub" => key_slots[handle]["pub"],
+                "enc_key" => enc_key,
+                "scopes" => remaining,
+                "blob" => Base64.strict_encode64(encrypted_blob)
+              }
+            end
+            $stdout.puts "Removed scope(s) #{remove_scopes.join(", ")} from @#{handle}. Remaining: #{remaining.join(", ")}"
+          end
+
+          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: key_slots)
+          client.push_vault(vault_name, blob)
+          return
+        end
+
+        # Full member removal
+        valid_slots = key_slots.select { |_, v| v.is_a?(Hash) && v["pub"].is_a?(String) }
+        if handle == Config.inventlist_handle && valid_slots.size <= 1
+          $stderr.puts "Error: Cannot remove yourself — you are the only member."
+          return
+        end
+
+        key_slots.delete(handle)
+
+        if rotate
+          master_key = SessionCache.get(vault_name)
+          unless master_key
+            $stderr.puts "Error: Vault '#{vault_name}' is not unlocked. Run: localvault show -v #{vault_name}"
+            return
+          end
+
+          # Prompt for new passphrase
+          passphrase = prompt_passphrase("New passphrase for vault '#{vault_name}': ")
+          if passphrase.nil? || passphrase.empty?
+            $stderr.puts "Error: Passphrase cannot be empty."
+            return
+          end
+
+          vault = Vault.new(name: vault_name, master_key: master_key)
+          secrets = vault.all
+
+          new_salt = Crypto.generate_salt
+          new_master_key = Crypto.derive_master_key(passphrase, new_salt)
+
+          new_json = JSON.generate(secrets)
+          new_encrypted = Crypto.encrypt(new_json, new_master_key)
+          store.write_encrypted(new_encrypted)
+          store.create_meta!(salt: new_salt)
+
+          new_slots = {}
+          key_slots.each do |h, slot|
+            next unless slot.is_a?(Hash) && slot["pub"].is_a?(String)
+            if slot["scopes"].is_a?(Array)
+              # Scoped member — rebuild per-member blob
+              filtered = vault.filter(slot["scopes"])
+              member_key = RbNaCl::Random.random_bytes(32)
+              encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
+              new_slots[h] = {
+                "pub" => slot["pub"],
+                "enc_key" => KeySlot.create(member_key, slot["pub"]),
+                "scopes" => slot["scopes"],
+                "blob" => Base64.strict_encode64(encrypted_blob)
+              }
+            else
+              # Full-access member
+              new_slots[h] = { "pub" => slot["pub"], "enc_key" => KeySlot.create(new_master_key, slot["pub"]), "scopes" => nil, "blob" => nil }
+            end
+          end
+
+          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: new_slots)
+          client.push_vault(vault_name, blob)
+
+          if new_slots.key?(Config.inventlist_handle)
+            SessionCache.set(vault_name, new_master_key)
+          else
+            SessionCache.clear(vault_name)
+          end
+
+          $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
+          $stdout.puts "Vault re-encrypted with new master key (rotated)."
+        else
+          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: key_slots)
+          client.push_vault(vault_name, blob)
+          $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
+        end
+      end
+
+      def list_key_slots(vault_name, key_slots)
+        my_handle = Config.inventlist_handle
+        valid = key_slots.select { |_, v| v.is_a?(Hash) && v["pub"].is_a?(String) }
+
+        if valid.empty?
+          $stdout.puts "No key slots for vault '#{vault_name}'."
+          return
+        end
+
+        $stdout.puts "Vault: #{vault_name} — #{valid.size} member(s)"
+        $stdout.puts
+        valid.sort.each do |handle, slot|
+          marker = handle == my_handle ? " (you)" : ""
+          $stdout.puts "  @#{handle}#{marker}"
+        end
+      end
+    end
+  end
+end

data/lib/localvault/cli.rb

@@ -45,9 +45,10 @@ module LocalVault
       shell.say "  localvault sync push [NAME]   Push vault to cloud"
       shell.say "  localvault sync pull [NAME]   Pull vault from cloud"
       shell.say "  localvault sync status        Show sync status"
-      shell.say "  localvault team init          Convert vault to team vault (required before team add)"
-      shell.say "  localvault team add HANDLE    Add teammate (use --scope KEY... for partial access)"
-      shell.say "  localvault team remove HANDLE Remove teammate  (--scope KEY to strip one key, --rotate to re-key)"
+      shell.say "  localvault team init          Convert vault to team vault (required before add)"
+      shell.say "  localvault verify @HANDLE     Check if a person has a published public key"
+      shell.say "  localvault add @HANDLE        Add teammate (use --scope KEY... for partial access)"
+      shell.say "  localvault remove @HANDLE     Remove teammate  (--scope KEY to strip one key, --rotate to re-key)"
       shell.say "  localvault team list          List vault members and their access"
       shell.say "  localvault team rotate        Re-key vault, keep all members"
       shell.say "  localvault keys generate      Generate X25519 identity keypair"
@@ -499,6 +500,9 @@ module LocalVault
 
     # ── Teams / sharing / sync ────────────────────────────────────
 
+    require_relative "cli/team_helpers"
+    include TeamHelpers
+
     require_relative "cli/keys"
     require_relative "cli/team"
     require_relative "cli/sync"
@@ -735,6 +739,240 @@ module LocalVault
       abort_with e.message
     end
 
+    # ── Person operations: add / remove / verify ──────────────────
+    # The leading `@` in the handle already signals these act on a person.
+    # Vault-level team operations (init/list/rotate) live under `localvault team`.
+
+    desc "verify HANDLE", "Check if a user has a published public key (for sharing)"
+    # Verify a user's handle and public key status before adding them.
+    #
+    # Checks InventList for the handle and whether they have a published
+    # X25519 public key. Does not modify anything.
+    def verify(handle)
+      unless Config.token
+        $stderr.puts "Error: Not logged in."
+        $stderr.puts "\n  localvault login YOUR_TOKEN\n"
+        $stderr.puts "Get your token at: https://inventlist.com/@YOUR_HANDLE/edit#developer"
+        return
+      end
+
+      handle = handle.delete_prefix("@")
+      client = ApiClient.new(token: Config.token)
+      result = client.get_public_key(handle)
+      pub_key = result["public_key"]
+
+      if pub_key && !pub_key.empty?
+        fingerprint = pub_key.length > 12 ? "#{pub_key[0..7]}...#{pub_key[-4..]}" : pub_key
+        $stdout.puts "@#{handle} — public key published"
+        $stdout.puts "  Fingerprint: #{fingerprint}"
+        $stdout.puts "  Ready for: localvault add @#{handle} -v VAULT"
+      else
+        $stderr.puts "@#{handle} exists but has no public key published."
+        $stderr.puts "They need to run: localvault login TOKEN"
+      end
+    rescue ApiClient::ApiError => e
+      if e.status == 404
+        $stderr.puts "Error: @#{handle} not found on InventList."
+      else
+        $stderr.puts "Error: #{e.message}"
+      end
+    end
+
+    desc "add HANDLE", "Add a teammate to a synced team vault via key slot"
+    method_option :vault, type: :string, aliases: "-v"
+    method_option :scope, type: :array, desc: "Groups or keys to share (omit for full access)"
+    # Grant a user access to a synced vault by creating a key slot.
+    #
+    # With --scope, creates a per-member encrypted blob containing only the
+    # specified keys. Without --scope, grants full vault access.
+    # Requires the vault to be a team vault (run `localvault team init` first).
+    def add(handle)
+      unless Config.token
+        $stderr.puts "Error: Not logged in."
+        $stderr.puts "\n  localvault login YOUR_TOKEN\n"
+        $stderr.puts "Get your token at: https://inventlist.com/@YOUR_HANDLE/edit#developer"
+        return
+      end
+
+      unless Identity.exists?
+        $stderr.puts "Error: No keypair found. Run: localvault keygen"
+        return
+      end
+
+      target = handle
+      vault_name = options[:vault] || Config.default_vault
+      scope_list = options[:scope]
+
+      master_key = SessionCache.get(vault_name)
+      unless master_key
+        $stderr.puts "Error: Vault '#{vault_name}' is not unlocked. Run: localvault show -v #{vault_name}"
+        return
+      end
+
+      client = ApiClient.new(token: Config.token)
+
+      # Load existing bundle — must be a team vault (v3)
+      existing_blob = client.pull_vault(vault_name) rescue nil
+      unless existing_blob.is_a?(String) && !existing_blob.empty?
+        $stderr.puts "Error: Vault '#{vault_name}' is not a team vault. Run: localvault team init -v #{vault_name}"
+        return
+      end
+
+      data = SyncBundle.unpack(existing_blob)
+      unless data[:owner]
+        $stderr.puts "Error: Vault '#{vault_name}' is not a team vault. Run: localvault team init -v #{vault_name}"
+        return
+      end
+
+      unless data[:owner] == Config.inventlist_handle
+        $stderr.puts "Error: Only the vault owner (@#{data[:owner]}) can manage team access."
+        return
+      end
+
+      key_slots = data[:key_slots].is_a?(Hash) ? data[:key_slots] : {}
+
+      # Resolve recipients — single @handle, team:HANDLE, or crew:SLUG
+      recipients = resolve_add_recipients(client, target)
+      if recipients.empty?
+        $stderr.puts "Error: No recipients with public keys found for '#{target}'"
+        return
+      end
+
+      added = 0
+      recipients.each do |member_handle, pub_key|
+        next if member_handle == Config.inventlist_handle  # skip self
+
+        # Skip if already has full access
+        if key_slots.key?(member_handle) && key_slots[member_handle].is_a?(Hash) && key_slots[member_handle]["scopes"].nil?
+          $stdout.puts "@#{member_handle} already has full vault access." if scope_list
+          next
+        end
+
+        if scope_list
+          existing_scopes = key_slots.dig(member_handle, "scopes") || []
+          merged_scopes = (existing_scopes + scope_list).uniq
+
+          vault = Vault.new(name: vault_name, master_key: master_key)
+          filtered = vault.filter(merged_scopes)
+
+          member_key = RbNaCl::Random.random_bytes(32)
+          encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
+
+          begin
+            enc_key = KeySlot.create(member_key, pub_key)
+          rescue ArgumentError, KeySlot::DecryptionError => e
+            $stderr.puts "Error: @#{member_handle}'s public key is invalid: #{e.message}"
+            next
+          end
+
+          key_slots[member_handle] = {
+            "pub" => pub_key, "enc_key" => enc_key,
+            "scopes" => merged_scopes,
+            "blob" => Base64.strict_encode64(encrypted_blob)
+          }
+        else
+          begin
+            enc_key = KeySlot.create(master_key, pub_key)
+          rescue ArgumentError, KeySlot::DecryptionError => e
+            $stderr.puts "Error: @#{member_handle}'s public key is invalid: #{e.message}"
+            next
+          end
+
+          key_slots[member_handle] = { "pub" => pub_key, "enc_key" => enc_key, "scopes" => nil, "blob" => nil }
+        end
+        added += 1
+      end
+
+      if added == 0
+        $stdout.puts "No new members added."
+        return
+      end
+
+      store = Store.new(vault_name)
+      blob = SyncBundle.pack_v3(store, owner: data[:owner], key_slots: key_slots)
+      client.push_vault(vault_name, blob)
+
+      if recipients.size == 1
+        h = recipients.first[0]
+        if scope_list
+          $stdout.puts "Added @#{h} to vault '#{vault_name}' (scopes: #{key_slots[h]["scopes"].join(", ")})."
+        else
+          $stdout.puts "Added @#{h} to vault '#{vault_name}'."
+        end
+      else
+        $stdout.puts "Added #{added} member(s) to vault '#{vault_name}'."
+      end
+    rescue ApiClient::ApiError => e
+      if e.status == 404
+        $stderr.puts "Error: @#{handle} not found or has no public key."
+      else
+        $stderr.puts "Error: #{e.message}"
+      end
+    rescue SyncBundle::UnpackError => e
+      $stderr.puts "Error: #{e.message}"
+    end
+
+    desc "remove HANDLE", "Remove a person's access to a vault"
+    method_option :vault, type: :string, aliases: "-v"
+    method_option :rotate, type: :boolean, default: false, desc: "Re-encrypt vault with new master key (full revocation)"
+    method_option :scope, type: :array, desc: "Remove specific scopes only (keeps other scopes)"
+    # Remove a user's access to a vault.
+    #
+    # Removes the user's key slot and pushes the updated bundle. With +--rotate+,
+    # re-encrypts the vault with a new master key and recreates all remaining
+    # key slots for full cryptographic revocation. Falls back to revoking a
+    # direct share if no key slots exist.
+    def remove(handle)
+      unless Config.token
+        $stderr.puts "Error: Not logged in."
+        $stderr.puts
+        $stderr.puts "  localvault login YOUR_TOKEN"
+        $stderr.puts
+        $stderr.puts "Get your token at: https://inventlist.com/@YOUR_HANDLE/edit#developer"
+        $stderr.puts "New to InventList? Sign up free at https://inventlist.com"
+        $stderr.puts "Docs: https://inventlist.com/sites/localvault/series/localvault"
+        return
+      end
+
+      handle = handle.delete_prefix("@")
+      vault_name = options[:vault] || Config.default_vault
+      client = ApiClient.new(token: Config.token)
+
+      # Try sync-based key slot removal first
+      team_data = load_team_data(client, vault_name)
+      if team_data && team_data[:key_slots] && !team_data[:key_slots].empty?
+        # Must be a v3 team vault with owner
+        unless team_data[:owner]
+          $stderr.puts "Error: Vault '#{vault_name}' is not a team vault. Run: localvault team init -v #{vault_name}"
+          return
+        end
+        unless team_data[:owner] == Config.inventlist_handle
+          $stderr.puts "Error: Only the vault owner (@#{team_data[:owner]}) can manage team access."
+          return
+        end
+        remove_key_slot(handle, vault_name, team_data[:key_slots], client,
+                        rotate: options[:rotate], remove_scopes: options[:scope],
+                        owner: team_data[:owner])
+        return
+      end
+
+      # Fall back to direct share revocation
+      result = client.sent_shares(vault_name: vault_name)
+      share = (result["shares"] || []).find do |s|
+        s["recipient_handle"] == handle && s["status"] != "revoked"
+      end
+
+      unless share
+        $stderr.puts "Error: No active share found for @#{handle}."
+        return
+      end
+
+      client.revoke_share(share["id"])
+      $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
+    rescue ApiClient::ApiError => e
+      $stderr.puts "Error: #{e.message}"
+    end
+
     desc "import FILE", "Bulk-import secrets from a .env, .json, or .yml file"
     long_desc <<~DESC
       Import all secrets from a file into a vault. Supports .env, .json, and .yml.

data/lib/localvault/version.rb

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "1.2.3"
+  VERSION = "1.3.0"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 1.2.3
+  version: 1.3.0
 platform: ruby
 authors:
 - Nauman Tariq
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2026-04-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -112,6 +111,7 @@ files:
 - lib/localvault/cli/keys.rb
 - lib/localvault/cli/sync.rb
 - lib/localvault/cli/team.rb
+- lib/localvault/cli/team_helpers.rb
 - lib/localvault/config.rb
 - lib/localvault/crypto.rb
 - lib/localvault/identity.rb
@@ -131,7 +131,6 @@ metadata:
   homepage_uri: https://inventlist.com/tools/localvault
   source_code_uri: https://github.com/inventlist/localvault
   funding_uri: https://inventlist.com
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -146,8 +145,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Zero-infrastructure secrets manager
 test_files: []