localvault 1.3.5 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e44a0545063601cd7e83f453e89e1fca4c952651ef43e576465de057e68914c3
-  data.tar.gz: 5b541ed9dbf57090d92a45c36887edf1e5e0c6ded7c680487d95a8519e4c79c9
+  metadata.gz: 6ec85a7f67eb8705f2078a55eeeb1a24997f61e965a76284ef9a9eb314eef032
+  data.tar.gz: d799cbfabdced0595eb91132e35daa2930f19a705cc189357cb9a5c3b794cc05
 SHA512:
-  metadata.gz: d7706066c8dc5ed32c513ffccc1fdcb242c54c83289abf559eeb651b01d948d6eb00606ce213438fb390ab6fc9d05a1c7d96a3fdcdc59289c8fcdcffd11b94ec
-  data.tar.gz: 4b882262f40a9cbe7c60487c1ec1b5ebf61e07c005261676ef4b2eb6cfdb17ec328ef41731ef7b570bbae201dceba2f22b6f4eaa8ea44a1a9de36f1b649b2b91
+  metadata.gz: 74123bc8d783ace6773c11223486974d7210870903d5901d0f1c3410266d7d9c29d2ffe9f0bead2137629b3132495854c490c1a771becf06355a26b527afa435
+  data.tar.gz: b95d606abec4fe145d23b7028a5091f4ec1fab3a9b5d6df3a8ae201b238b9a334a8c07033892a6d3ae36d73f1e116cc3f0c72dcde955f1109f09d58405025021

data/lib/localvault/cli/team.rb

@@ -177,35 +177,35 @@ module LocalVault
           return
         end
 
+        # Decrypt existing secrets with the CURRENT master key. After this
+        # point we must not touch the store until the push has succeeded —
+        # see finding #5 (transactional rotate).
         vault = Vault.new(name: vault_name, master_key: master_key)
         secrets = vault.all
-        store = Store.new(vault_name)
 
         new_salt = Crypto.generate_salt
         new_master_key = Crypto.derive_master_key(passphrase, new_salt)
 
-        store.write_encrypted(Crypto.encrypt(JSON.generate(secrets), new_master_key))
-        store.create_meta!(salt: new_salt)
-
-        new_slots = {}
-        key_slots.each do |h, slot|
-          next unless slot.is_a?(Hash) && slot["pub"].is_a?(String)
-          if slot["scopes"].is_a?(Array)
-            filtered = vault.filter(slot["scopes"])
-            member_key = RbNaCl::Random.random_bytes(32)
-            encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
-            new_slots[h] = { "pub" => slot["pub"], "enc_key" => KeySlot.create(member_key, slot["pub"]), "scopes" => slot["scopes"], "blob" => Base64.strict_encode64(encrypted_blob) }
-          else
-            new_slots[h] = { "pub" => slot["pub"], "enc_key" => KeySlot.create(new_master_key, slot["pub"]), "scopes" => nil, "blob" => nil }
-          end
-        end
-
-        blob = SyncBundle.pack_v3(store, owner: vault_owner, key_slots: new_slots)
-        client.push_vault(vault_name, blob)
+        bundle = build_rotated_bundle(
+          secrets:        secrets,
+          key_slots:      key_slots,
+          new_master_key: new_master_key,
+          new_salt:       new_salt,
+          owner:          vault_owner,
+          vault_name:     vault_name,
+          vault:          vault
+        )
+
+        # Push first. If this raises, nothing on local disk has changed, so
+        # the user can safely retry with the same passphrase.
+        client.push_vault(vault_name, bundle[:bundle_json])
+
+        # Push succeeded — commit locally and update the session cache.
+        commit_rotated_bundle_locally(vault_name, bundle[:new_secrets_bytes], bundle[:new_meta_bytes])
         SessionCache.set(vault_name, new_master_key)
 
         $stdout.puts "Vault '#{vault_name}' re-encrypted with new master key."
-        $stdout.puts "#{new_slots.size} member(s) updated."
+        $stdout.puts "#{bundle[:new_slots].size} member(s) updated."
       rescue ApiClient::ApiError => e
         $stderr.puts "Error: #{e.message}"
       end

data/lib/localvault/cli/team_helpers.rb

@@ -1,6 +1,8 @@
 require "json"
 require "base64"
 require "securerandom"
+require "yaml"
+require "time"
 
 module LocalVault
   class CLI < Thor
@@ -86,6 +88,90 @@ module LocalVault
         []
       end
 
+      # Build everything a rotate needs in memory, without touching local disk.
+      #
+      # Returns a hash of in-memory bytes and derived state that the caller
+      # can either push to the remote before committing locally
+      # (+pack+ + +client.push_vault+), or discard without side effects if
+      # the user interrupts or the push fails.
+      #
+      # This is the centerpiece of finding #5 (transactional rotate): by
+      # producing everything in memory first, the caller can push + commit
+      # atomically — no half-rotated local state if the network dies.
+      #
+      # It also fixes finding #6 (scoped-sharing inefficiency): the plaintext
+      # secrets are decrypted exactly once and passed into +Vault#filter+
+      # for each scoped member instead of being re-decrypted per member.
+      #
+      # @param secrets [Hash] plaintext secrets hash (from +vault.all+)
+      # @param key_slots [Hash] existing key slots from the remote bundle
+      # @param new_master_key [String] the rotation target master key
+      # @param new_salt [String] raw salt bytes for the new meta.yml
+      # @param owner [String] the owner's InventList handle
+      # @param vault_name [String]
+      # @param vault [Vault] a Vault instance (used only for its +filter+ helper)
+      # @return [Hash] +{ new_slots:, new_secrets_bytes:, new_meta_bytes:, bundle_json: }+
+      def build_rotated_bundle(secrets:, key_slots:, new_master_key:, new_salt:,
+                               owner:, vault_name:, vault:)
+        new_secrets_bytes = Crypto.encrypt(JSON.generate(secrets), new_master_key)
+        new_meta_bytes    = YAML.dump(
+          "name"       => vault_name,
+          "created_at" => Store.new(vault_name).meta&.dig("created_at") || Time.now.utc.iso8601,
+          "version"    => 1,
+          "salt"       => Base64.strict_encode64(new_salt)
+        )
+
+        new_slots = {}
+        key_slots.each do |h, slot|
+          next unless slot.is_a?(Hash) && slot["pub"].is_a?(String)
+          if slot["scopes"].is_a?(Array)
+            # Scoped member — rebuild per-member blob. Pass the already-loaded
+            # plaintext `secrets` into filter so we don't re-decrypt the whole
+            # vault for every scoped member.
+            filtered = vault.filter(slot["scopes"], from: secrets)
+            member_key = RbNaCl::Random.random_bytes(32)
+            encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
+            new_slots[h] = {
+              "pub" => slot["pub"],
+              "enc_key" => KeySlot.create(member_key, slot["pub"]),
+              "scopes" => slot["scopes"],
+              "blob" => Base64.strict_encode64(encrypted_blob)
+            }
+          else
+            # Full-access member — enc_key wraps the new master key.
+            new_slots[h] = {
+              "pub" => slot["pub"],
+              "enc_key" => KeySlot.create(new_master_key, slot["pub"]),
+              "scopes" => nil,
+              "blob" => nil
+            }
+          end
+        end
+
+        bundle_json = SyncBundle.pack_v3_bytes(
+          meta_bytes:    new_meta_bytes,
+          secrets_bytes: new_secrets_bytes,
+          owner:         owner,
+          key_slots:     new_slots
+        )
+
+        {
+          new_slots:         new_slots,
+          new_secrets_bytes: new_secrets_bytes,
+          new_meta_bytes:    new_meta_bytes,
+          bundle_json:       bundle_json
+        }
+      end
+
+      # Commit a rotated bundle to local disk AFTER the remote push has
+      # succeeded. Writes the new ciphertext + meta.yml atomically.
+      def commit_rotated_bundle_locally(vault_name, new_secrets_bytes, new_meta_bytes)
+        store = Store.new(vault_name)
+        store.write_encrypted(new_secrets_bytes)
+        File.write(store.meta_path, new_meta_bytes)
+        File.chmod(0o600, store.meta_path)
+      end
+
       # Remove a member's key slot, optionally rotating the vault master key.
       # Supports partial scope removal via remove_scopes.
       def remove_key_slot(handle, vault_name, key_slots, client, rotate: false, remove_scopes: nil, owner: nil)
@@ -162,41 +248,32 @@ module LocalVault
             return
           end
 
+          # Decrypt with the CURRENT master key. After this point we must
+          # not touch the store until the push has succeeded — see
+          # finding #5 (transactional rotate).
           vault = Vault.new(name: vault_name, master_key: master_key)
           secrets = vault.all
 
           new_salt = Crypto.generate_salt
           new_master_key = Crypto.derive_master_key(passphrase, new_salt)
 
-          new_json = JSON.generate(secrets)
-          new_encrypted = Crypto.encrypt(new_json, new_master_key)
-          store.write_encrypted(new_encrypted)
-          store.create_meta!(salt: new_salt)
-
-          new_slots = {}
-          key_slots.each do |h, slot|
-            next unless slot.is_a?(Hash) && slot["pub"].is_a?(String)
-            if slot["scopes"].is_a?(Array)
-              # Scoped member — rebuild per-member blob
-              filtered = vault.filter(slot["scopes"])
-              member_key = RbNaCl::Random.random_bytes(32)
-              encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)
-              new_slots[h] = {
-                "pub" => slot["pub"],
-                "enc_key" => KeySlot.create(member_key, slot["pub"]),
-                "scopes" => slot["scopes"],
-                "blob" => Base64.strict_encode64(encrypted_blob)
-              }
-            else
-              # Full-access member
-              new_slots[h] = { "pub" => slot["pub"], "enc_key" => KeySlot.create(new_master_key, slot["pub"]), "scopes" => nil, "blob" => nil }
-            end
-          end
+          bundle = build_rotated_bundle(
+            secrets:        secrets,
+            key_slots:      key_slots, # already has `handle` removed above
+            new_master_key: new_master_key,
+            new_salt:       new_salt,
+            owner:          owner,
+            vault_name:     vault_name,
+            vault:          vault
+          )
 
-          blob = SyncBundle.pack_v3(store, owner: owner, key_slots: new_slots)
-          client.push_vault(vault_name, blob)
+          # Push first. If this raises, nothing on local disk has changed.
+          client.push_vault(vault_name, bundle[:bundle_json])
+
+          # Push succeeded — commit locally.
+          commit_rotated_bundle_locally(vault_name, bundle[:new_secrets_bytes], bundle[:new_meta_bytes])
 
-          if new_slots.key?(Config.inventlist_handle)
+          if bundle[:new_slots].key?(Config.inventlist_handle)
             SessionCache.set(vault_name, new_master_key)
           else
             SessionCache.clear(vault_name)

data/lib/localvault/cli.rb

@@ -839,6 +839,12 @@ module LocalVault
         return
       end
 
+      # Decrypt the vault ONCE if we're going to need filtered blobs for
+      # scoped members. Without this, a `team add team:HANDLE --scope KEY`
+      # call against an N-member team re-decrypts the whole vault N times.
+      vault        = scope_list ? Vault.new(name: vault_name, master_key: master_key) : nil
+      all_secrets  = scope_list ? vault.all                                             : nil
+
       added = 0
       recipients.each do |member_handle, pub_key|
         next if member_handle == Config.inventlist_handle  # skip self
@@ -853,8 +859,7 @@ module LocalVault
           existing_scopes = key_slots.dig(member_handle, "scopes") || []
           merged_scopes = (existing_scopes + scope_list).uniq
 
-          vault = Vault.new(name: vault_name, master_key: master_key)
-          filtered = vault.filter(merged_scopes)
+          filtered = vault.filter(merged_scopes, from: all_secrets)
 
           member_key = RbNaCl::Random.random_bytes(32)
           encrypted_blob = Crypto.encrypt(JSON.generate(filtered), member_key)

data/lib/localvault/sync_bundle.rb

@@ -42,18 +42,41 @@ module LocalVault
 
     # Pack a team vault — v3 format with owner, key_slots, and per-member blobs.
     #
+    # Reads +store.meta_path+ and +store.read_encrypted+ off disk. For flows
+    # that need to build a bundle from in-memory bytes without touching disk
+    # first (e.g. transactional rotate), use +pack_v3_bytes+.
+    #
     # @param store [Store] the vault store to pack
     # @param owner [String] the owner's InventList handle
     # @param key_slots [Hash] per-user key slot data
     # @return [String] JSON string ready for upload
     def self.pack_v3(store, owner:, key_slots: {})
-      meta_content    = File.read(store.meta_path)
-      secrets_content = store.read_encrypted || ""
+      pack_v3_bytes(
+        meta_bytes:    File.read(store.meta_path),
+        secrets_bytes: store.read_encrypted || "",
+        owner:         owner,
+        key_slots:     key_slots
+      )
+    end
+
+    # Pack a v3 team bundle from raw in-memory bytes without touching disk.
+    #
+    # Used by transactional rotate flows that need to push the new bundle to
+    # the server BEFORE committing the rotated secrets + meta to local disk —
+    # if the push fails, nothing on disk changes, so the user can retry
+    # without being left with a locally-rotated but remotely-stale vault.
+    #
+    # @param meta_bytes [String] raw meta YAML bytes (same shape as +store.meta_path+ contents)
+    # @param secrets_bytes [String] raw encrypted secrets bytes
+    # @param owner [String] the owner's InventList handle
+    # @param key_slots [Hash] per-user key slot data
+    # @return [String] JSON string ready for upload
+    def self.pack_v3_bytes(meta_bytes:, secrets_bytes:, owner:, key_slots: {})
       JSON.generate(
         "version"   => 3,
         "owner"     => owner,
-        "meta"      => Base64.strict_encode64(meta_content),
-        "secrets"   => Base64.strict_encode64(secrets_content),
+        "meta"      => Base64.strict_encode64(meta_bytes),
+        "secrets"   => Base64.strict_encode64(secrets_bytes),
         "key_slots" => key_slots
       )
     end

data/lib/localvault/vault.rb

@@ -333,13 +333,19 @@ module LocalVault
     # Scopes can be group names (returns entire nested hash) or flat key names.
     # +nil+ means full access (returns all). Empty array means nothing.
     #
+    # Pass +from:+ to avoid re-decrypting when you already have the plaintext
+    # secrets hash (e.g. inside a rotate loop that filters once per member).
+    # Without +from:+, this method calls +all+ on every invocation, which
+    # decrypts the whole vault — expensive when called in a loop.
+    #
     # @param scopes [Array<String>, nil] list of group/key names, or nil for all
+    # @param from [Hash, nil] pre-loaded secrets hash (avoids a re-decrypt)
     # @return [Hash] filtered secrets
-    def filter(scopes)
-      return all if scopes.nil?
+    def filter(scopes, from: nil)
+      secrets = from || all
+      return secrets if scopes.nil?
       return {} if scopes.empty?
 
-      secrets = all
       result = {}
       scopes.each do |scope|
         value = secrets[scope]

data/lib/localvault/version.rb

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "1.3.5"
+  VERSION = "1.4.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 1.3.5
+  version: 1.4.0
 platform: ruby
 authors:
 - Nauman Tariq