localvault 1.5.2 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6281a806d5f5838ea6802eaae4cb16a4276590636476151b45ed0d7ae639f1a9
-  data.tar.gz: b1aad2994aff9c31e45759672a6f2fb35f77f5f5a3fabc24b897a112997abd80
+  metadata.gz: 6c3cc5ee20ea5b0017e6ce6b7879234c36d2c30f6a507ca8dd119c9b24a32fa9
+  data.tar.gz: 28c32bd08489c90748782c8320bca666e95a1cf71cf5deb22bcb443bf776e406
 SHA512:
-  metadata.gz: b4b948bc2126f8ac488190d3f4d07f1ebe995d32baaf7fb458b95256507f62438d09e472cbcc059cf23d2bb91a63f05ffcd11d5585d6c0a4fec827fdc667d4cd
-  data.tar.gz: a32de3dd3fde6cba7da103d7c6d76924b236604e1cd80c28873a47dba01f52e0f99f2db7f44121a5343845e1a41a5644ff42548d96528b8c1551d0c2f47c3a10
+  metadata.gz: efd141b468fe4f8c0ec3b1b180ef492c3521f074574bbb600ec0d2cc871927df73d7db4c06093eb25444816ae0fa7b92452470f41b65ad7b959a1f6e8a1511b8
+  data.tar.gz: c385bc4e21bec7ca233633e452496589a626f6706672270efc3365b4036f1da1c0274809a96d4d4880f6ba519bf319c7f860afe644f742d01d657e3b3d8327e1

data/lib/localvault/cli/sync.rb

@@ -1,95 +1,234 @@
 require "thor"
 require "fileutils"
+require "digest"
 
 module LocalVault
   class CLI
     class Sync < Thor
-      desc "push [NAME]", "Push a vault to InventList cloud sync"
-      # Push a local vault to InventList cloud sync.
+      desc "all", "Sync all vaults bidirectionally (push local changes, pull remote changes)"
+      method_option :dry_run, type: :boolean, default: false, desc: "Show what would happen without making changes"
+      # Smart bidirectional sync for all vaults.
+      #
+      # Uses per-vault .sync_state files (written by push/pull) to track
+      # the last-synced checksum and detect what changed on each side:
       #
-      # Packs the vault's meta and encrypted secrets into a SyncBundle and uploads
-      # it. Preserves existing key slots from the remote and bootstraps an owner
-      # slot if the current identity has no slot yet. Defaults to the configured
-      # default vault if no name is given.
+      # - Local-only vault → push
+      # - Remote-only vault → pull
+      # - Both exist, only local changed → push
+      # - Both exist, only remote changed → pull
+      # - Both exist, neither changed → skip
+      # - Both exist, both changed → CONFLICT (manual resolution)
+      # - Shared vault (not owned by you) → pull-only
+      def all
+        return unless logged_in?
+
+        client     = ApiClient.new(token: Config.token)
+        my_handle  = Config.inventlist_handle
+        result     = client.list_vaults
+        remote_map = (result["vaults"] || []).each_with_object({}) { |v, h| h[v["name"]] = v }
+        local_set  = Store.list_vaults.to_set
+        all_names  = (remote_map.keys + local_set.to_a).uniq.sort
+
+        if all_names.empty?
+          $stdout.puts "No vaults to sync."
+          return
+        end
+
+        plan = all_names.map { |name| classify_vault(name, local_set, remote_map, my_handle) }
+
+        # Print plan
+        max_name   = (["Vault"]  + plan.map { |p| p[:name] }).map(&:length).max
+        max_action = (["Action"] + plan.map { |p| p[:action].to_s }).map(&:length).max
+
+        $stdout.puts
+        $stdout.puts "  #{"Vault".ljust(max_name)}  #{"Action".ljust(max_action)}  Reason"
+        $stdout.puts "  #{"─" * max_name}  #{"─" * max_action}  ──────"
+        plan.each do |p|
+          label = p[:action] == :conflict ? "CONFLICT" : p[:action].to_s
+          $stdout.puts "  #{p[:name].ljust(max_name)}  #{label.ljust(max_action)}  #{p[:reason]}"
+        end
+        $stdout.puts
+
+        if options[:dry_run]
+          $stdout.puts "Dry run — no changes made."
+          return
+        end
+
+        # Execute
+        pushed = pulled = skipped = conflicts = errors = 0
+        plan.each do |entry|
+          case entry[:action]
+          when :push
+            if perform_push(entry[:name], client)
+              pushed += 1
+            else
+              errors += 1
+            end
+          when :pull
+            if perform_pull(entry[:name], client, force: true)
+              pulled += 1
+            else
+              errors += 1
+            end
+          when :skip
+            skipped += 1
+          when :conflict
+            conflicts += 1
+          end
+        end
+
+        # Summary
+        parts = []
+        parts << "#{pushed} pushed"     if pushed > 0
+        parts << "#{pulled} pulled"     if pulled > 0
+        parts << "#{skipped} up to date" if skipped > 0
+        parts << "#{errors} failed"     if errors > 0
+        parts << "#{conflicts} conflict#{conflicts == 1 ? "" : "s"}" if conflicts > 0
+        $stdout.puts "Summary: #{parts.join(", ")}"
+
+        # Conflict guidance
+        if conflicts > 0
+          $stdout.puts
+          plan.select { |p| p[:action] == :conflict }.each do |p|
+            $stderr.puts "  #{p[:name]} — #{p[:reason]}"
+            $stderr.puts "    Resolve with:"
+            $stderr.puts "      localvault sync push #{p[:name]}   (keep local, overwrite remote)"
+            $stderr.puts "      localvault sync pull #{p[:name]} --force  (keep remote, overwrite local)"
+          end
+        end
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Error: #{e.message}"
+      end
+
+      default_task :all
+
+      desc "push [NAME]", "Push a vault to InventList cloud sync"
       def push(vault_name = nil)
         return unless logged_in?
+        vault_name ||= Config.default_vault
+        client = ApiClient.new(token: Config.token)
+        perform_push(vault_name, client)
+      end
 
+      desc "pull [NAME]", "Pull a vault from InventList cloud sync"
+      method_option :force, type: :boolean, default: false, desc: "Overwrite existing local vault"
+      def pull(vault_name = nil)
+        return unless logged_in?
         vault_name ||= Config.default_vault
-        store = Store.new(vault_name)
+        client = ApiClient.new(token: Config.token)
+        perform_pull(vault_name, client, force: options[:force])
+      end
+
+      desc "status", "Show sync status for all vaults"
+      def status
+        return unless logged_in?
+
+        client    = ApiClient.new(token: Config.token)
+        result    = client.list_vaults
+        remote    = (result["vaults"] || []).each_with_object({}) { |v, h| h[v["name"]] = v }
+        local_set = Store.list_vaults.to_set
+        all_names = (remote.keys + local_set.to_a).uniq.sort
+
+        if all_names.empty?
+          $stdout.puts "No vaults found locally or in cloud."
+          return
+        end
+
+        rows = all_names.map do |name|
+          r         = remote[name]
+          l_exists  = local_set.include?(name)
+          row_status = if r && l_exists then "synced"
+                       elsif r          then "remote only"
+                       else                  "local only"
+                       end
+          synced_at = r ? (r["synced_at"]&.slice(0, 10) || "—") : "—"
+          [name, row_status, synced_at]
+        end
+
+        max_name   = (["Vault"] + rows.map { |r| r[0] }).map(&:length).max
+        max_status = (["Status"] + rows.map { |r| r[1] }).map(&:length).max
+
+        $stdout.puts "#{"Vault".ljust(max_name)}  #{"Status".ljust(max_status)}  Synced At"
+        $stdout.puts "#{"─" * max_name}  #{"─" * max_status}  ─────────"
+        rows.each do |name, row_status, synced_at|
+          $stdout.puts "#{name.ljust(max_name)}  #{row_status.ljust(max_status)}  #{synced_at}"
+        end
+      rescue ApiClient::ApiError => e
+        $stderr.puts "Error: #{e.message}"
+      end
+
+      def self.exit_on_failure?
+        true
+      end
 
+      private
+
+      # ── Core push logic ──────────────────────────────────────────
+
+      def perform_push(vault_name, client)
+        store = Store.new(vault_name)
         unless store.exists?
           $stderr.puts "Error: Vault '#{vault_name}' does not exist. Run: localvault init #{vault_name}"
-          return
+          return false
         end
 
-        # Load remote state to determine vault mode. MUST distinguish a
-        # genuinely-absent remote (404) from a transient API failure: treating
-        # a 5xx as "no remote" would silently downgrade a team vault to a
-        # personal v1 bundle on the next push.
         remote_data, load_error = load_remote_bundle_data(vault_name)
         if load_error
           $stderr.puts "Error: #{load_error}"
-          $stderr.puts "Refusing to push — cannot verify vault mode. Retry when the server is reachable."
-          return
+          $stderr.puts "Refusing to push — cannot verify vault mode."
+          return false
         end
+
         handle = Config.inventlist_handle
 
         if remote_data && remote_data[:owner]
-          # Team vault — check push authorization
-          owner = remote_data[:owner]
+          owner     = remote_data[:owner]
           key_slots = remote_data[:key_slots] || {}
           has_scoped = key_slots.values.any? { |s| s.is_a?(Hash) && s["scopes"].is_a?(Array) }
-          my_slot = key_slots[handle]
-          am_scoped = my_slot.is_a?(Hash) && my_slot["scopes"].is_a?(Array)
+          my_slot    = key_slots[handle]
+          am_scoped  = my_slot.is_a?(Hash) && my_slot["scopes"].is_a?(Array)
 
           if am_scoped
             $stderr.puts "Error: You have scoped access to vault '#{vault_name}'. Only the owner (@#{owner}) can push."
-            return
+            return false
           end
-
           if has_scoped && owner != handle
             $stderr.puts "Error: Vault '#{vault_name}' has scoped members. Only the owner (@#{owner}) can push."
-            return
+            return false
           end
 
-          # Authorized — push as v3, preserve key_slots
           key_slots = bootstrap_owner_slot(key_slots, store)
           blob = SyncBundle.pack_v3(store, owner: owner, key_slots: key_slots)
         else
-          # Personal vault — push as v1
           blob = SyncBundle.pack(store)
         end
 
-        client = ApiClient.new(token: Config.token)
         client.push_vault(vault_name, blob)
 
-        $stdout.puts "Synced vault '#{vault_name}' (#{blob.bytesize} bytes)"
+        # Record sync state
+        SyncState.new(vault_name).write!(
+          checksum: SyncState.local_checksum(store),
+          direction: "push"
+        )
+
+        $stdout.puts "  pushed #{vault_name} (#{blob.bytesize} bytes)"
+        true
       rescue ApiClient::ApiError => e
-        $stderr.puts "Error: #{e.message}"
+        $stderr.puts "Error pushing '#{vault_name}': #{e.message}"
+        false
       end
 
-      desc "pull [NAME]", "Pull a vault from InventList cloud sync"
-      method_option :force, type: :boolean, default: false, desc: "Overwrite existing local vault"
-      # Pull a vault from InventList cloud sync to the local filesystem.
-      #
-      # Downloads the SyncBundle, writes meta.yml and secrets.enc locally, and
-      # attempts automatic unlock via key slot. Refuses to overwrite an existing
-      # local vault unless +--force+ is passed. Defaults to the configured default
-      # vault if no name is given.
-      def pull(vault_name = nil)
-        return unless logged_in?
-
-        vault_name ||= Config.default_vault
-        store  = Store.new(vault_name)
+      # ── Core pull logic ──────────────────────────────────────────
 
-        if store.exists? && !options[:force]
+      def perform_pull(vault_name, client, force: false)
+        store = Store.new(vault_name)
+        if store.exists? && !force
           $stderr.puts "Error: Vault '#{vault_name}' already exists locally. Use --force to overwrite."
-          return
+          return false
         end
 
-        client = ApiClient.new(token: Config.token)
-        blob   = client.pull_vault(vault_name)
-        data   = SyncBundle.unpack(blob, expected_name: vault_name)
+        blob = client.pull_vault(vault_name)
+        data = SyncBundle.unpack(blob, expected_name: vault_name)
 
         FileUtils.mkdir_p(store.vault_path, mode: 0o700)
         File.write(store.meta_path, data[:meta])
@@ -100,78 +239,100 @@ module LocalVault
           store.write_encrypted(data[:secrets])
         end
 
-        $stdout.puts "Pulled vault '#{vault_name}'."
+        # Record sync state
+        SyncState.new(vault_name).write!(
+          checksum: SyncState.local_checksum(store),
+          direction: "pull"
+        )
+
+        $stdout.puts "  pulled #{vault_name}"
 
         if try_unlock_via_key_slot(vault_name, data[:key_slots])
-          $stdout.puts "Unlocked via your identity key."
+          $stdout.puts "  unlocked via identity key"
         else
-          $stdout.puts "Unlock it with: localvault unlock -v #{vault_name}"
+          $stdout.puts "  unlock it with: localvault unlock #{vault_name}"
         end
+        true
       rescue SyncBundle::UnpackError => e
-        $stderr.puts "Error: #{e.message}"
+        $stderr.puts "Error pulling '#{vault_name}': #{e.message}"
+        false
       rescue ApiClient::ApiError => e
         if e.status == 404
           $stderr.puts "Error: Vault '#{vault_name}' not found in cloud."
         else
-          $stderr.puts "Error: #{e.message}"
+          $stderr.puts "Error pulling '#{vault_name}': #{e.message}"
         end
+        false
       end
 
-      desc "status", "Show sync status for all vaults"
-      # Display sync status for all local and remote vaults.
-      #
-      # Shows a table with vault name, status (synced / remote only / local only),
-      # and last sync timestamp. Compares local vaults against the cloud inventory.
-      def status
-        return unless logged_in?
+      # ── Classification ───────────────────────────────────────────
 
-        client    = ApiClient.new(token: Config.token)
-        result    = client.list_vaults
-        remote    = (result["vaults"] || []).each_with_object({}) { |v, h| h[v["name"]] = v }
-        local_set = Store.list_vaults.to_set
-        all_names = (remote.keys + local_set.to_a).uniq.sort
+      def classify_vault(name, local_set, remote_map, my_handle)
+        l_exists = local_set.include?(name)
+        r_info   = remote_map[name]
+        r_exists = !r_info.nil?
 
-        if all_names.empty?
-          $stdout.puts "No vaults found locally or in cloud."
-          return
-        end
+        store      = l_exists ? Store.new(name) : nil
+        ss         = SyncState.new(name)
+        s_exists   = ss.exists?
+        baseline   = ss.last_synced_checksum
 
-        rows = all_names.map do |name|
-          r         = remote[name]
-          l_exists  = local_set.include?(name)
-          row_status = if r && l_exists then "synced"
-                       elsif r          then "remote only"
-                       else                  "local only"
-                       end
-          synced_at = r ? (r["synced_at"]&.slice(0, 10) || "—") : "—"
-          [name, row_status, synced_at]
+        local_checksum  = l_exists && store ? SyncState.local_checksum(store) : nil
+        remote_checksum = r_info&.dig("checksum")
+
+        # Ownership
+        owner_handle = r_info&.dig("owner_handle")
+        is_shared    = r_info&.dig("shared") == true
+        is_read_only = is_shared || (owner_handle && owner_handle != my_handle)
+
+        action, reason = determine_action(
+          l_exists, r_exists, s_exists,
+          local_checksum, remote_checksum, baseline,
+          is_read_only
+        )
+
+        { name: name, action: action, reason: reason }
+      end
+
+      def determine_action(l_exists, r_exists, s_exists,
+                           local_cs, remote_cs, baseline, is_read_only)
+        # Only local
+        if l_exists && !r_exists
+          return is_read_only ? [:skip, "shared vault, local copy only"] : [:push, "local only"]
         end
 
-        max_name   = (["Vault"] + rows.map { |r| r[0] }).map(&:length).max
-        max_status = (["Status"] + rows.map { |r| r[1] }).map(&:length).max
+        # Only remote
+        return [:pull, "remote only"] if !l_exists && r_exists
 
-        $stdout.puts "#{"Vault".ljust(max_name)}  #{"Status".ljust(max_status)}  Synced At"
-        $stdout.puts "#{"─" * max_name}  #{"─" * max_status}  ─────────"
-        rows.each do |name, row_status, synced_at|
-          $stdout.puts "#{name.ljust(max_name)}  #{row_status.ljust(max_status)}  #{synced_at}"
+        # Neither (shouldn't happen since we iterate union)
+        return [:skip, "no data"] unless l_exists && r_exists
+
+        # Both exist — no baseline (first sync for this vault)
+        unless s_exists
+          if local_cs == remote_cs || (local_cs.nil? && remote_cs.nil?)
+            return [:skip, "already in sync (first check)"]
+          else
+            return [:conflict, "both exist, no sync baseline — cannot determine which side changed"]
+          end
         end
-      rescue ApiClient::ApiError => e
-        $stderr.puts "Error: #{e.message}"
-      end
 
-      def self.exit_on_failure?
-        true
+        # Both exist, have baseline
+        local_changed  = local_cs != baseline
+        remote_changed = remote_cs != baseline
+
+        if !local_changed && !remote_changed
+          [:skip, "up to date"]
+        elsif local_changed && !remote_changed
+          is_read_only ? [:skip, "shared vault (local edits, pull-only)"] : [:push, "local changes"]
+        elsif !local_changed && remote_changed
+          [:pull, "remote changes"]
+        else
+          [:conflict, "both local and remote changed since last sync"]
+        end
       end
 
-      private
+      # ── Helpers ──────────────────────────────────────────────────
 
-      # Try to decrypt via key slot matching the current identity.
-      #
-      # For full-access members (scopes: nil): decrypts enc_key to get the master key.
-      # For scoped members (scopes: [...]): decrypts enc_key to get the per-member key,
-      # then decrypts the per-member blob and writes it as the local vault's secrets.
-      #
-      # On success, caches the key in SessionCache. Returns true/false.
       def try_unlock_via_key_slot(vault_name, key_slots)
         return false unless key_slots.is_a?(Hash) && !key_slots.empty?
         return false unless Identity.exists?
@@ -185,22 +346,16 @@ module LocalVault
         decrypted_key = KeySlot.decrypt(slot["enc_key"], Identity.private_key_bytes)
 
         if slot["scopes"].is_a?(Array) && slot["blob"].is_a?(String)
-          # Scoped member: decrypt per-member blob and write as local vault
           blob_encrypted = Base64.strict_decode64(slot["blob"])
           filtered_json = Crypto.decrypt(blob_encrypted, decrypted_key)
-          # Verify it's valid JSON
           JSON.parse(filtered_json)
 
-          # Re-encrypt the filtered secrets with the member key as local "master key"
           store = Store.new(vault_name)
           store.write_encrypted(Crypto.encrypt(filtered_json, decrypted_key))
-
           SessionCache.set(vault_name, decrypted_key)
         else
-          # Full-access member: decrypted_key IS the master key
           vault = Vault.new(name: vault_name, master_key: decrypted_key)
-          vault.all  # verify
-
+          vault.all
           SessionCache.set(vault_name, decrypted_key)
         end
         true
@@ -221,16 +376,6 @@ module LocalVault
         false
       end
 
-      # Load the full unpacked remote bundle data (owner, key_slots, etc).
-      # Returns [data, error_message]:
-      #   - [hash, nil] on success
-      #   - [nil,  nil] when there genuinely is no remote bundle (404 / empty)
-      #   - [nil,  msg] on any other failure (transient network, 5xx, bad bundle)
-      #
-      # The caller MUST distinguish these cases — treating a transient error
-      # as "no remote" is a data-corruption bug: sync push would then re-upload
-      # the vault as a v1 personal bundle, silently downgrading a team vault
-      # and wiping its owner + key_slots.
       def load_remote_bundle_data(vault_name)
         client = ApiClient.new(token: Config.token)
         blob = client.pull_vault(vault_name)
@@ -243,8 +388,6 @@ module LocalVault
         [nil, "Could not parse remote bundle for '#{vault_name}': #{e.message}"]
       end
 
-      # Load key_slots from the last pushed blob (if any).
-      # Returns {} if no remote blob or if it's a v1 bundle.
       def load_existing_key_slots(vault_name)
         client = ApiClient.new(token: Config.token)
         blob = client.pull_vault(vault_name)
@@ -255,17 +398,12 @@ module LocalVault
         {}
       end
 
-      # Add the owner's key slot if identity exists and no slot is present.
-      # Requires the vault to be unlockable (needs master key for encryption).
       def bootstrap_owner_slot(key_slots, store)
         return key_slots unless Identity.exists?
         handle = Config.inventlist_handle
         return key_slots unless handle
-
-        # Already has owner slot — don't churn
         return key_slots if key_slots.key?(handle)
 
-        # Need the master key to create the slot — try SessionCache
         master_key = SessionCache.get(store.vault_name)
         return key_slots unless master_key
 

data/lib/localvault/sync_state.rb

@@ -0,0 +1,71 @@
+require "yaml"
+require "digest"
+require "time"
+
+module LocalVault
+  # Per-vault sync state tracking. Stores the checksum of secrets.enc at the
+  # time of the last successful push or pull, so the next `localvault sync`
+  # can determine whether local, remote, or both sides have changed.
+  #
+  # Stored as `~/.localvault/vaults/<name>/.sync_state` (YAML, mode 0600).
+  # Separate from meta.yml because meta.yml is part of the SyncBundle and
+  # including sync bookkeeping there would create a checksum feedback loop.
+  class SyncState
+    FILENAME = ".sync_state"
+
+    attr_reader :vault_name
+
+    def initialize(vault_name)
+      @vault_name = vault_name
+    end
+
+    def path
+      File.join(Config.vaults_path, vault_name, FILENAME)
+    end
+
+    def exists?
+      File.exist?(path)
+    end
+
+    # @return [Hash, nil] parsed YAML data or nil
+    def read
+      return nil unless exists?
+      YAML.safe_load_file(path)
+    rescue Psych::SyntaxError
+      nil
+    end
+
+    def last_synced_checksum
+      read&.dig("last_synced_checksum")
+    end
+
+    def last_synced_at
+      read&.dig("last_synced_at")
+    end
+
+    # Record a successful sync operation.
+    #
+    # @param checksum [String] SHA256 hex of the local secrets.enc
+    # @param direction [String] "push" or "pull"
+    def write!(checksum:, direction:)
+      FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
+      data = {
+        "last_synced_checksum" => checksum,
+        "last_synced_at"       => Time.now.utc.iso8601,
+        "direction"            => direction
+      }
+      File.write(path, YAML.dump(data))
+      File.chmod(0o600, path)
+    end
+
+    # Compute the SHA256 hex digest of a vault's local secrets.enc.
+    #
+    # @param store [Store] vault store
+    # @return [String, nil] hex digest or nil if no secrets file
+    def self.local_checksum(store)
+      bytes = store.read_encrypted
+      return nil if bytes.nil? || bytes.empty?
+      Digest::SHA256.hexdigest(bytes)
+    end
+  end
+end

data/lib/localvault/version.rb

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "1.5.2"
+  VERSION = "1.6.0"
 end

data/lib/localvault.rb

@@ -8,6 +8,7 @@ require_relative "localvault/share_crypto"
 require_relative "localvault/key_slot"
 require_relative "localvault/api_client"
 require_relative "localvault/sync_bundle"
+require_relative "localvault/sync_state"
 
 module LocalVault
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: 1.6.0
 platform: ruby
 authors:
 - Nauman Tariq
@@ -122,6 +122,7 @@ files:
 - lib/localvault/share_crypto.rb
 - lib/localvault/store.rb
 - lib/localvault/sync_bundle.rb
+- lib/localvault/sync_state.rb
 - lib/localvault/vault.rb
 - lib/localvault/version.rb
 homepage: https://github.com/inventlist/localvault