localvault 1.6.0 → 1.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c3cc5ee20ea5b0017e6ce6b7879234c36d2c30f6a507ca8dd119c9b24a32fa9
-  data.tar.gz: 28c32bd08489c90748782c8320bca666e95a1cf71cf5deb22bcb443bf776e406
+  metadata.gz: 3fe9cdf4fe4857588507532f6478318a7b02cdc47487bbecbe7ce54715e69e33
+  data.tar.gz: 1be1af8d9476e1171895a0ba0677e206832de1386416cd5fb7e7060e7b8b85f5
 SHA512:
-  metadata.gz: efd141b468fe4f8c0ec3b1b180ef492c3521f074574bbb600ec0d2cc871927df73d7db4c06093eb25444816ae0fa7b92452470f41b65ad7b959a1f6e8a1511b8
-  data.tar.gz: c385bc4e21bec7ca233633e452496589a626f6706672270efc3365b4036f1da1c0274809a96d4d4880f6ba519bf319c7f860afe644f742d01d657e3b3d8327e1
+  metadata.gz: 500451ad18462b5380839eb06b031b83b3acb91872430855e07038896c392f9488934aaf1649bd311886890400aaef9c45a062d8503c6db0760a2927b56a1650
+  data.tar.gz: aa1aa1b764c2de50ab0c8fb425b14a77e05085f2224131c7f53dc1eaaccc9b80732f160716a1826ef479c0d9653e5451074ca585927a86630ef68a92f23b9b8c

data/README.md

@@ -100,10 +100,11 @@ localvault exec -- rails server
 | `login [TOKEN]` | Log in to InventList — auto-generates X25519 keypair + publishes public key |
 | `login --status` | Show current login status |
 | `logout` | Clear stored credentials |
-| `sync push [NAME]` | Push encrypted vault to cloud |
-| `sync pull [NAME]` | Pull vault from cloud (auto-unlocks if you have a key slot) |
+| `sync` | Sync all vaults bidirectionally (push local, pull remote, detect conflicts) |
+| `sync --dry-run` | Preview what sync would do without making changes |
+| `sync push [NAME]` | Push one vault to cloud |
+| `sync pull [NAME]` | Pull one vault from cloud (auto-unlocks if you have a key slot) |
 | `sync status` | Show sync state for all vaults |
-| `config set server URL` | Point at a custom server (default: inventlist.com) |
 
 ### Team Sharing (v1.3.0)
 
@@ -137,7 +138,7 @@ backward compatibility but the top-level forms are preferred.
 
 | Command | Description |
 |---------|-------------|
-| `install-mcp [CLIENT]` | Configure MCP server in claude-code, cursor, windsurf, or zed |
+| `install-mcp [CLIENT]` | Configure MCP server in claude-code, cursor, or windsurf |
 | `mcp` | Start MCP server (stdio transport) |
 
 All commands accept `--vault NAME` (or `-v NAME`) to target a specific vault. Default vault is `default`.
@@ -147,22 +148,32 @@ All commands accept `--vault NAME` (or `-v NAME`) to target a specific vault. De
 Sync your vaults between machines — same passphrase, no team features needed:
 
 ```bash
-# Machine A: push your vault
-localvault sync push
+# Machine A: push all your vaults at once
+localvault sync
 
-# Machine B: install, login, pull
+# Machine B: install, login, sync
 brew install inventlist/tap/localvault
 localvault login YOUR_TOKEN
-localvault sync pull
-localvault show  # enter your passphrase — same secrets
+localvault sync                # pulls everything, pushes local-only vaults
+localvault show                # enter your passphrase — same secrets
 ```
 
-Check what's synced:
+Or push/pull individual vaults:
 
 ```bash
-localvault sync status
-# default        synced        2 minutes ago
-# production     local only    —
+localvault sync push production    # push one vault
+localvault sync pull production    # pull one vault
+localvault sync status             # check what's synced vs local-only
+```
+
+Preview before syncing:
+
+```bash
+localvault sync --dry-run
+#   Vault         Action    Reason
+#   default       skip      up to date
+#   production    push      local changes
+#   staging       pull      remote changes
 ```
 
 ## Team Sharing

data/lib/localvault/cli/sync.rb

@@ -17,6 +17,7 @@ module LocalVault
       # - Both exist, only local changed → push
       # - Both exist, only remote changed → pull
       # - Both exist, neither changed → skip
+      # - Both exist, no baseline but secrets identical → adopt (record baseline)
       # - Both exist, both changed → CONFLICT (manual resolution)
       # - Shared vault (not owned by you) → pull-only
       def all
@@ -34,7 +35,7 @@ module LocalVault
           return
         end
 
-        plan = all_names.map { |name| classify_vault(name, local_set, remote_map, my_handle) }
+        plan = all_names.map { |name| classify_vault(name, local_set, remote_map, my_handle, client) }
 
         # Print plan
         max_name   = (["Vault"]  + plan.map { |p| p[:name] }).map(&:length).max
@@ -55,7 +56,7 @@ module LocalVault
         end
 
         # Execute
-        pushed = pulled = skipped = conflicts = errors = 0
+        pushed = pulled = skipped = adopted = conflicts = errors = 0
         plan.each do |entry|
           case entry[:action]
           when :push
@@ -70,6 +71,12 @@ module LocalVault
             else
               errors += 1
             end
+          when :adopt
+            if perform_adopt(entry[:name])
+              adopted += 1
+            else
+              errors += 1
+            end
           when :skip
             skipped += 1
           when :conflict
@@ -79,10 +86,11 @@ module LocalVault
 
         # Summary
         parts = []
-        parts << "#{pushed} pushed"     if pushed > 0
-        parts << "#{pulled} pulled"     if pulled > 0
+        parts << "#{pushed} pushed"      if pushed > 0
+        parts << "#{pulled} pulled"      if pulled > 0
+        parts << "#{adopted} baselined"  if adopted > 0
         parts << "#{skipped} up to date" if skipped > 0
-        parts << "#{errors} failed"     if errors > 0
+        parts << "#{errors} failed"      if errors > 0
         parts << "#{conflicts} conflict#{conflicts == 1 ? "" : "s"}" if conflicts > 0
         $stdout.puts "Summary: #{parts.join(", ")}"
 
@@ -165,6 +173,15 @@ module LocalVault
 
       # ── Core push logic ──────────────────────────────────────────
 
+      # Push a single vault to the cloud. Detects team vs personal mode,
+      # checks push authorization, packs the SyncBundle, uploads, and
+      # records the checksum in +.sync_state+ on success.
+      #
+      # Used by both the public +push+ command and the +all+ sync loop.
+      #
+      # @param vault_name [String] vault to push
+      # @param client [ApiClient] authenticated API client
+      # @return [Boolean] true on success, false on any error
       def perform_push(vault_name, client)
         store = Store.new(vault_name)
         unless store.exists?
@@ -220,6 +237,14 @@ module LocalVault
 
       # ── Core pull logic ──────────────────────────────────────────
 
+      # Pull a single vault from the cloud. Downloads the SyncBundle,
+      # writes meta.yml and secrets.enc locally, records +.sync_state+,
+      # and attempts automatic unlock via the user's identity key slot.
+      #
+      # @param vault_name [String] vault to pull
+      # @param client [ApiClient] authenticated API client
+      # @param force [Boolean] overwrite existing local vault (default: false)
+      # @return [Boolean] true on success, false on any error
       def perform_pull(vault_name, client, force: false)
         store = Store.new(vault_name)
         if store.exists? && !force
@@ -267,7 +292,17 @@ module LocalVault
 
       # ── Classification ───────────────────────────────────────────
 
-      def classify_vault(name, local_set, remote_map, my_handle)
+      # Determine the sync action for a single vault by comparing local,
+      # remote, and baseline state. Returns a hash with +:name+, +:action+
+      # (one of +:push+, +:pull+, +:skip+, +:conflict+), and +:reason+.
+      #
+      # @param name [String] vault name
+      # @param local_set [Set<String>] vaults that exist on disk
+      # @param remote_map [Hash{String => Hash}] remote vault info keyed by name
+      # @param my_handle [String] current user's InventList handle
+      # @param client [ApiClient] authenticated API client (used to hash remote secrets)
+      # @return [Hash] +{name:, action:, reason:}+
+      def classify_vault(name, local_set, remote_map, my_handle, client)
         l_exists = local_set.include?(name)
         r_info   = remote_map[name]
         r_exists = !r_info.nil?
@@ -277,8 +312,25 @@ module LocalVault
         s_exists   = ss.exists?
         baseline   = ss.last_synced_checksum
 
-        local_checksum  = l_exists && store ? SyncState.local_checksum(store) : nil
-        remote_checksum = r_info&.dig("checksum")
+        local_checksum = l_exists && store ? SyncState.local_checksum(store) : nil
+
+        # The server's list `checksum` hashes the whole sync bundle, which lives
+        # in a different hash space than our baseline and +local_checksum+ (both
+        # SHA256 of the encrypted *secrets* bytes). Comparing across those spaces
+        # never matches, so it would flag every both-exist vault as changed or
+        # conflicting. To compare like-for-like we download the bundle and hash
+        # its secrets bytes — but only when both sides exist, since for local-only
+        # / remote-only vaults the direction is unambiguous and no compare is needed.
+        if l_exists && r_exists
+          begin
+            remote_checksum = remote_secrets_checksum(name, client)
+          rescue SyncBundle::UnpackError
+            # A corrupt/unparseable remote bundle must not be conflated with an
+            # empty vault (both would otherwise yield nil and could falsely
+            # "adopt"). Surface it as a conflict the user can inspect.
+            return { name: name, action: :conflict, reason: "remote bundle unreadable — cannot compare" }
+          end
+        end
 
         # Ownership
         owner_handle = r_info&.dig("owner_handle")
@@ -294,6 +346,10 @@ module LocalVault
         { name: name, action: action, reason: reason }
       end
 
+      # Core decision matrix. Compares local/remote existence, checksums,
+      # and the stored baseline to decide: push, pull, skip, or conflict.
+      #
+      # @return [Array(Symbol, String)] +[action, reason]+ tuple
       def determine_action(l_exists, r_exists, s_exists,
                            local_cs, remote_cs, baseline, is_read_only)
         # Only local
@@ -307,12 +363,14 @@ module LocalVault
         # Neither (shouldn't happen since we iterate union)
         return [:skip, "no data"] unless l_exists && r_exists
 
-        # Both exist — no baseline (first sync for this vault)
+        # Both exist — no baseline (first sync for this vault). Compare the
+        # secrets bytes directly: if they match, the sides are already in sync
+        # and we just record a baseline so future syncs can detect drift.
         unless s_exists
-          if local_cs == remote_cs || (local_cs.nil? && remote_cs.nil?)
-            return [:skip, "already in sync (first check)"]
+          if local_cs == remote_cs
+            return [:adopt, "in sync — recording baseline"]
           else
-            return [:conflict, "both exist, no sync baseline — cannot determine which side changed"]
+            return [:conflict, "both exist, no sync baseline — run 'sync push' or 'sync pull' to resolve"]
           end
         end
 
@@ -333,6 +391,45 @@ module LocalVault
 
       # ── Helpers ──────────────────────────────────────────────────
 
+      # Record a sync baseline for a vault whose local and remote secrets are
+      # already byte-identical, without transferring any data. Lets the next
+      # sync detect drift instead of re-comparing from scratch every time.
+      #
+      # @param vault_name [String] vault to baseline
+      # @return [Boolean] true on success, false on any error
+      def perform_adopt(vault_name)
+        store = Store.new(vault_name)
+        SyncState.new(vault_name).write!(
+          checksum: SyncState.local_checksum(store),
+          direction: "adopt"
+        )
+        $stdout.puts "  baselined #{vault_name} (already in sync)"
+        true
+      rescue StandardError => e
+        $stderr.puts "Error baselining '#{vault_name}': #{e.message}"
+        false
+      end
+
+      # SHA256 of a remote vault's encrypted secrets bytes — the same hash space
+      # as +SyncState.local_checksum+ and the stored baseline, so the two can be
+      # compared directly. Returns nil when the vault has no secrets (empty), is
+      # missing remotely (404), or the bundle can't be parsed.
+      #
+      # @param vault_name [String] vault to fetch
+      # @param client [ApiClient] authenticated API client
+      # @return [String, nil] hex digest of the remote secrets bytes, or nil if empty/missing
+      # @raise [SyncBundle::UnpackError] if the bundle exists but can't be parsed
+      def remote_secrets_checksum(vault_name, client)
+        blob = client.pull_vault(vault_name)
+        return nil unless blob.is_a?(String) && !blob.empty?
+        secrets = SyncBundle.unpack(blob)[:secrets]
+        return nil if secrets.nil? || secrets.empty?
+        Digest::SHA256.hexdigest(secrets)
+      rescue ApiClient::ApiError => e
+        raise unless e.status == 404
+        nil
+      end
+
       def try_unlock_via_key_slot(vault_name, key_slots)
         return false unless key_slots.is_a?(Hash) && !key_slots.empty?
         return false unless Identity.exists?

data/lib/localvault/cli.rb

@@ -42,10 +42,11 @@ module LocalVault
       shell.say "  localvault copy KEY --to V    Copy a secret to another vault"
       shell.say ""
       shell.say "SYNC  (requires localvault login)"
-      shell.say "  localvault sync push [NAME]   Push vault to cloud"
-      shell.say "  localvault sync pull [NAME]   Pull vault from cloud"
-      shell.say "  localvault sync status        Show sync status"
-      shell.say "  localvault sync SUBCOMMAND    See `localvault help sync` for full sync reference"
+      shell.say "  localvault sync               Sync all vaults bidirectionally (smart push/pull with conflict detection)"
+      shell.say "  localvault sync --dry-run     Show what would happen without making changes"
+      shell.say "  localvault sync push [NAME]   Push one vault to cloud"
+      shell.say "  localvault sync pull [NAME]   Pull one vault from cloud"
+      shell.say "  localvault sync status        Show sync status for all vaults"
       shell.say ""
       shell.say "TEAM SHARING  (requires localvault login)"
       shell.say "  localvault dashboard          Aggregate view: owned vaults, vaults shared with you, legacy shares"

data/lib/localvault/session_cache.rb

@@ -116,7 +116,11 @@ module LocalVault
         # Fall back to file store if Keychain fails (e.g., in CI or sandboxed env)
         unless success
           file = session_file(vault_name)
-          File.write(file, payload, perm: 0o600)
+          File.write(file, payload)
+          # chmod unconditionally: File.write's perm: only applies on creation,
+          # so an existing looser-mode file would otherwise keep its perms and
+          # leak the master key.
+          File.chmod(0o600, file)
         end
       else
         keychain_delete(vault_name)

data/lib/localvault/sync_bundle.rb

@@ -90,7 +90,7 @@ module LocalVault
     def self.unpack(blob, expected_name: nil)
       data = JSON.parse(blob)
       version = data["version"]
-      raise UnpackError, "Unsupported bundle version: #{version}" if version && !SUPPORTED_VERSIONS.include?(version)
+      raise UnpackError, "Unsupported bundle version: #{version.inspect}" unless SUPPORTED_VERSIONS.include?(version)
 
       meta_raw    = Base64.strict_decode64(data.fetch("meta"))
       secrets_raw = Base64.strict_decode64(data.fetch("secrets"))

data/lib/localvault/version.rb

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "1.6.0"
+  VERSION = "1.6.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.6.2
 platform: ruby
 authors:
 - Nauman Tariq