localvault 1.0.5 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb92b726fe45e83ae0f84124af3d6f2c452c3bafabce5a910a526a9a872651df
-  data.tar.gz: 109d0432aeca53aa65db977ecf8bf5e0fdd9650866997c849ae34aad4a65e884
+  metadata.gz: c7a7a9c4bee5e2c661610323979b91de29205e4316213bde33496d7785f09d8e
+  data.tar.gz: aa0a9d9c4e1387cecc27f7f5de8b67ac7d843f603d3940bd3b5d726f95d2f433
 SHA512:
-  metadata.gz: 5857befd8cc78b20dc0ebfd3dc2995b6ed0887e7084d8b843504d51089f9be977ebf79ac7ed323123a482b9d8a6a20b18caf825743c3ba5bdbea9c28bc18b99d
-  data.tar.gz: 4e01a56bf7e7e253dcf655feabffb03c9f4c1e8ca6ca5c70e3d0eed99fef80fe6079d06871d5a53a5d748f1aefbc1c6a55e889149ed9d6d6b0d8e93e13a77f59
+  metadata.gz: c39e166b61c0021798884390112dddd051b23c5569ab0d41ec0dc420d0d0e472bff487e8fda5f9dd6bb47c7c1b2de99644fd3463cf9d334634b78dfc4f0f95f3
+  data.tar.gz: e3f4423241183217c1a08ea2ee5eae7aeccb167f698b94aedfbe730551b02a1567ed864f0406a84ea425cfc8233dde59221a4380f63d318512e2c1449f294c9d

data/lib/localvault/cli/sync.rb

@@ -16,7 +16,10 @@ module LocalVault
           return
         end
 
-        blob   = SyncBundle.pack(store)
+        key_slots = load_existing_key_slots(vault_name)
+        key_slots = bootstrap_owner_slot(key_slots, store)
+
+        blob   = SyncBundle.pack(store, key_slots: key_slots)
         client = ApiClient.new(token: Config.token)
         client.push_vault(vault_name, blob)
 
@@ -52,7 +55,12 @@ module LocalVault
         end
 
         $stdout.puts "Pulled vault '#{vault_name}'."
-        $stdout.puts "Unlock it with: localvault unlock -v #{vault_name}"
+
+        if try_unlock_via_key_slot(vault_name, data[:key_slots])
+          $stdout.puts "Unlocked via your identity key."
+        else
+          $stdout.puts "Unlock it with: localvault unlock -v #{vault_name}"
+        end
       rescue SyncBundle::UnpackError => e
         $stderr.puts "Error: #{e.message}"
       rescue ApiClient::ApiError => e
@@ -107,12 +115,68 @@ module LocalVault
 
       private
 
+      # Try to decrypt the master key from a key slot matching the current identity.
+      # On success, caches the master key in SessionCache. Returns true/false.
+      def try_unlock_via_key_slot(vault_name, key_slots)
+        return false unless key_slots.is_a?(Hash) && !key_slots.empty?
+        return false unless Identity.exists?
+
+        handle = Config.inventlist_handle
+        return false unless handle
+
+        slot = key_slots[handle]
+        return false unless slot.is_a?(Hash) && slot["enc_key"].is_a?(String)
+
+        master_key = KeySlot.decrypt(slot["enc_key"], Identity.private_key_bytes)
+
+        # Verify the key actually works by trying to decrypt
+        vault = Vault.new(name: vault_name, master_key: master_key)
+        vault.all
+
+        SessionCache.set(vault_name, master_key)
+        true
+      rescue KeySlot::DecryptionError, Crypto::DecryptionError
+        false
+      end
+
       def logged_in?
         return true if Config.token
 
         $stderr.puts "Error: Not logged in. Run: localvault login TOKEN"
         false
       end
+
+      # Load key_slots from the last pushed blob (if any).
+      # Returns {} if no remote blob or if it's a v1 bundle.
+      def load_existing_key_slots(vault_name)
+        client = ApiClient.new(token: Config.token)
+        blob = client.pull_vault(vault_name)
+        return {} unless blob.is_a?(String) && !blob.empty?
+        data = SyncBundle.unpack(blob)
+        data[:key_slots] || {}
+      rescue ApiClient::ApiError, SyncBundle::UnpackError
+        {}
+      end
+
+      # Add the owner's key slot if identity exists and no slot is present.
+      # Requires the vault to be unlockable (needs master key for encryption).
+      def bootstrap_owner_slot(key_slots, store)
+        return key_slots unless Identity.exists?
+        handle = Config.inventlist_handle
+        return key_slots unless handle
+
+        # Already has owner slot — don't churn
+        return key_slots if key_slots.key?(handle)
+
+        # Need the master key to create the slot — try SessionCache
+        master_key = SessionCache.get(store.vault_name)
+        return key_slots unless master_key
+
+        pub_b64 = Identity.public_key
+        enc_key = KeySlot.create(master_key, pub_b64)
+        key_slots[handle] = { "pub" => pub_b64, "enc_key" => enc_key }
+        key_slots
+      end
     end
   end
 end

data/lib/localvault/cli/team.rb

@@ -13,6 +13,15 @@ module LocalVault
 
         vault_name ||= options[:vault] || Config.default_vault
         client = ApiClient.new(token: Config.token)
+
+        # Try sync-based key slots first
+        key_slots = load_key_slots(client, vault_name)
+        if key_slots && !key_slots.empty?
+          list_key_slots(vault_name, key_slots)
+          return
+        end
+
+        # Fall back to direct shares
         result = client.sent_shares(vault_name: vault_name)
         shares = (result["shares"] || []).reject { |s| s["status"] == "revoked" }
 
@@ -34,8 +43,83 @@ module LocalVault
         $stderr.puts "Error: #{e.message}"
       end
 
+      desc "add HANDLE", "Add a teammate to a synced vault via key slot"
+      method_option :vault, type: :string, aliases: "-v"
+      def add(handle)
+        unless Config.token
+          $stderr.puts "Error: Not logged in. Run: localvault login TOKEN"
+          return
+        end
+
+        unless Identity.exists?
+          $stderr.puts "Error: No keypair found. Run: localvault keygen"
+          return
+        end
+
+        handle = handle.delete_prefix("@")
+        vault_name = options[:vault] || Config.default_vault
+
+        # Need master key from session
+        master_key = SessionCache.get(vault_name)
+        unless master_key
+          $stderr.puts "Error: Vault '#{vault_name}' is not unlocked. Run: localvault show -v #{vault_name}"
+          return
+        end
+
+        # Fetch recipient's public key
+        client = ApiClient.new(token: Config.token)
+        result = client.get_public_key(handle)
+        pub_key = result["public_key"]
+
+        unless pub_key && !pub_key.empty?
+          $stderr.puts "Error: @#{handle} has no public key published."
+          return
+        end
+
+        # Load existing key slots from remote
+        existing_blob = client.pull_vault(vault_name) rescue nil
+        key_slots = if existing_blob.is_a?(String) && !existing_blob.empty?
+                      data = SyncBundle.unpack(existing_blob)
+                      data[:key_slots].is_a?(Hash) ? data[:key_slots] : {}
+                    else
+                      {}
+                    end
+
+        # Create key slot for recipient
+        begin
+          enc_key = KeySlot.create(master_key, pub_key)
+        rescue ArgumentError, KeySlot::DecryptionError => e
+          $stderr.puts "Error: @#{handle}'s public key is invalid: #{e.message}"
+          return
+        end
+        key_slots[handle] = { "pub" => pub_key, "enc_key" => enc_key }
+
+        # Ensure owner slot exists too
+        owner_handle = Config.inventlist_handle
+        unless key_slots.key?(owner_handle)
+          owner_pub = Identity.public_key
+          key_slots[owner_handle] = { "pub" => owner_pub, "enc_key" => KeySlot.create(master_key, owner_pub) }
+        end
+
+        # Pack and push
+        store = Store.new(vault_name)
+        blob = SyncBundle.pack(store, key_slots: key_slots)
+        client.push_vault(vault_name, blob)
+
+        $stdout.puts "Added @#{handle} to vault '#{vault_name}'."
+      rescue ApiClient::ApiError => e
+        if e.status == 404
+          $stderr.puts "Error: @#{handle} not found or has no public key."
+        else
+          $stderr.puts "Error: #{e.message}"
+        end
+      rescue SyncBundle::UnpackError => e
+        $stderr.puts "Error: #{e.message}"
+      end
+
       desc "remove HANDLE", "Remove a person's access to a vault"
       method_option :vault, type: :string, aliases: "-v"
+      method_option :rotate, type: :boolean, default: false, desc: "Re-encrypt vault with new master key (full revocation)"
       def remove(handle)
         unless Config.token
           $stderr.puts "Error: Not connected. Run: localvault connect --token TOKEN --handle HANDLE"
@@ -46,6 +130,14 @@ module LocalVault
         vault_name = options[:vault] || Config.default_vault
         client = ApiClient.new(token: Config.token)
 
+        # Try sync-based key slot removal first
+        key_slots = load_key_slots(client, vault_name)
+        if key_slots && !key_slots.empty?
+          remove_key_slot(handle, vault_name, key_slots, client, rotate: options[:rotate])
+          return
+        end
+
+        # Fall back to direct share revocation
         result = client.sent_shares(vault_name: vault_name)
         share = (result["shares"] || []).find do |s|
           s["recipient_handle"] == handle && s["status"] != "revoked"
@@ -61,6 +153,97 @@ module LocalVault
       rescue ApiClient::ApiError => e
         $stderr.puts "Error: #{e.message}"
       end
+
+      private
+
+      def load_key_slots(client, vault_name)
+        return nil unless client.respond_to?(:pull_vault)
+        blob = client.pull_vault(vault_name)
+        return nil unless blob.is_a?(String) && !blob.empty?
+        data = SyncBundle.unpack(blob)
+        slots = data[:key_slots]
+        slots.is_a?(Hash) ? slots : nil
+      rescue ApiClient::ApiError, SyncBundle::UnpackError, NoMethodError
+        nil
+      end
+
+      def remove_key_slot(handle, vault_name, key_slots, client, rotate: false)
+        unless key_slots.key?(handle)
+          $stderr.puts "Error: @#{handle} has no slot in vault '#{vault_name}'."
+          return
+        end
+
+        valid_slots = key_slots.select { |_, v| v.is_a?(Hash) && v["pub"].is_a?(String) }
+        if handle == Config.inventlist_handle && valid_slots.size <= 1
+          $stderr.puts "Error: Cannot remove yourself — you are the only member."
+          return
+        end
+
+        key_slots.delete(handle)
+        store = Store.new(vault_name)
+
+        if rotate
+          master_key = SessionCache.get(vault_name)
+          unless master_key
+            $stderr.puts "Error: Vault '#{vault_name}' is not unlocked. Run: localvault show -v #{vault_name}"
+            return
+          end
+
+          # Decrypt current secrets, generate new master key, re-encrypt
+          vault = Vault.new(name: vault_name, master_key: master_key)
+          secrets = vault.all
+
+          new_salt = Crypto.generate_salt
+          new_master_key = Crypto.derive_master_key(SecureRandom.hex(32), new_salt)
+
+          # Re-encrypt secrets with new master key
+          new_json = JSON.generate(secrets)
+          new_encrypted = Crypto.encrypt(new_json, new_master_key)
+          store.write_encrypted(new_encrypted)
+          store.create_meta!(salt: new_salt)
+
+          # Re-create key slots for remaining members with new master key
+          new_slots = {}
+          key_slots.each do |h, slot|
+            next unless slot.is_a?(Hash) && slot["pub"].is_a?(String)
+            new_slots[h] = { "pub" => slot["pub"], "enc_key" => KeySlot.create(new_master_key, slot["pub"]) }
+          end
+
+          blob = SyncBundle.pack(store, key_slots: new_slots)
+          client.push_vault(vault_name, blob)
+
+          # Only cache new master key if the caller is still a member
+          if new_slots.key?(Config.inventlist_handle)
+            SessionCache.set(vault_name, new_master_key)
+          else
+            SessionCache.clear(vault_name)
+          end
+
+          $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
+          $stdout.puts "Vault re-encrypted with new master key (rotated)."
+        else
+          blob = SyncBundle.pack(store, key_slots: key_slots)
+          client.push_vault(vault_name, blob)
+          $stdout.puts "Removed @#{handle} from vault '#{vault_name}'."
+        end
+      end
+
+      def list_key_slots(vault_name, key_slots)
+        my_handle = Config.inventlist_handle
+        valid = key_slots.select { |_, v| v.is_a?(Hash) && v["pub"].is_a?(String) }
+
+        if valid.empty?
+          $stdout.puts "No key slots for vault '#{vault_name}'."
+          return
+        end
+
+        $stdout.puts "Vault: #{vault_name} — #{valid.size} member(s)"
+        $stdout.puts
+        valid.sort.each do |handle, slot|
+          marker = handle == my_handle ? " (you)" : ""
+          $stdout.puts "  @#{handle}#{marker}"
+        end
+      end
     end
   end
 end

data/lib/localvault/key_slot.rb

@@ -0,0 +1,46 @@
+require "rbnacl"
+require "base64"
+
+module LocalVault
+  module KeySlot
+    class DecryptionError < StandardError; end
+
+    # Encrypt a master key for a recipient's X25519 public key.
+    # Returns a base64-encoded ciphertext string.
+    # Uses an ephemeral sender keypair (same Box construction as ShareCrypto).
+    def self.create(master_key, recipient_pub_key_b64)
+      recipient_pub = RbNaCl::PublicKey.new(Base64.strict_decode64(recipient_pub_key_b64))
+      ephemeral_sk  = RbNaCl::PrivateKey.generate
+      box           = RbNaCl::Box.new(recipient_pub, ephemeral_sk)
+      nonce         = RbNaCl::Random.random_bytes(RbNaCl::Box.nonce_bytes)
+      ciphertext    = box.box(nonce, master_key)
+
+      payload = {
+        "v"          => 1,
+        "sender_pub" => Base64.strict_encode64(ephemeral_sk.public_key.to_bytes),
+        "nonce"      => Base64.strict_encode64(nonce),
+        "ciphertext" => Base64.strict_encode64(ciphertext)
+      }
+      Base64.strict_encode64(JSON.generate(payload))
+    end
+
+    # Decrypt a key slot using the recipient's private key.
+    # Returns the raw master key bytes.
+    def self.decrypt(slot_b64, my_private_key_bytes)
+      raw        = Base64.strict_decode64(slot_b64)
+      payload    = JSON.parse(raw)
+      sender_pub = RbNaCl::PublicKey.new(Base64.strict_decode64(payload.fetch("sender_pub")))
+      my_sk      = RbNaCl::PrivateKey.new(my_private_key_bytes)
+      box        = RbNaCl::Box.new(sender_pub, my_sk)
+      nonce      = Base64.strict_decode64(payload.fetch("nonce"))
+      ciphertext = Base64.strict_decode64(payload.fetch("ciphertext"))
+      box.open(nonce, ciphertext)
+    rescue RbNaCl::CryptoError => e
+      raise DecryptionError, "Failed to decrypt key slot: #{e.message}"
+    rescue JSON::ParserError, KeyError => e
+      raise DecryptionError, "Invalid key slot format: #{e.message}"
+    rescue ArgumentError => e
+      raise DecryptionError, "Invalid key slot encoding: #{e.message}"
+    end
+  end
+end

data/lib/localvault/store.rb

@@ -2,6 +2,7 @@ require "yaml"
 require "fileutils"
 require "tempfile"
 require "base64"
+require "time"
 
 module LocalVault
   class Store

data/lib/localvault/sync_bundle.rb

@@ -6,29 +6,34 @@ module LocalVault
   module SyncBundle
     class UnpackError < StandardError; end
 
-    VERSION = 1
+    VERSION = 2
+    SUPPORTED_VERSIONS = [1, 2].freeze
 
     # Pack a vault's meta.yml + secrets.enc into a single JSON blob.
     # The secrets.enc is already encrypted — this bundle is opaque to the server.
-    def self.pack(store)
+    # key_slots: optional hash of { "handle" => { "pub" => b64, "enc_key" => b64 }, ... }
+    def self.pack(store, key_slots: {})
       meta_content    = File.read(store.meta_path)
       secrets_content = store.read_encrypted || ""
       JSON.generate(
-        "version" => VERSION,
-        "meta"    => Base64.strict_encode64(meta_content),
-        "secrets" => Base64.strict_encode64(secrets_content)
+        "version"   => VERSION,
+        "meta"      => Base64.strict_encode64(meta_content),
+        "secrets"   => Base64.strict_encode64(secrets_content),
+        "key_slots" => key_slots
       )
     end
 
-    # Unpack a blob back into {meta:, secrets:} strings.
+    # Unpack a blob back into {meta:, secrets:, key_slots:}.
     # Pass expected_name: to validate the meta.yml name matches the vault being pulled.
+    # v1 bundles return empty key_slots for backward compatibility.
     def self.unpack(blob, expected_name: nil)
       data = JSON.parse(blob)
       version = data["version"]
-      raise UnpackError, "Unsupported bundle version: #{version}" if version && version != VERSION
+      raise UnpackError, "Unsupported bundle version: #{version}" if version && !SUPPORTED_VERSIONS.include?(version)
 
       meta_raw    = Base64.strict_decode64(data.fetch("meta"))
       secrets_raw = Base64.strict_decode64(data.fetch("secrets"))
+      key_slots   = data["key_slots"].is_a?(Hash) ? data["key_slots"] : {}
 
       if expected_name
         meta_parsed = YAML.safe_load(meta_raw)
@@ -38,7 +43,7 @@ module LocalVault
         end
       end
 
-      { meta: meta_raw, secrets: secrets_raw }
+      { meta: meta_raw, secrets: secrets_raw, key_slots: key_slots }
     rescue JSON::ParserError => e
       raise UnpackError, "Invalid sync bundle format: #{e.message}"
     rescue KeyError => e

data/lib/localvault/version.rb

@@ -1,3 +1,3 @@
 module LocalVault
-  VERSION = "1.0.5"
+  VERSION = "1.1.1"
 end

data/lib/localvault.rb

@@ -5,6 +5,7 @@ require_relative "localvault/store"
 require_relative "localvault/vault"
 require_relative "localvault/identity"
 require_relative "localvault/share_crypto"
+require_relative "localvault/key_slot"
 require_relative "localvault/api_client"
 require_relative "localvault/sync_bundle"
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: localvault
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.1.1
 platform: ruby
 authors:
 - Nauman Tariq
@@ -114,6 +114,7 @@ files:
 - lib/localvault/config.rb
 - lib/localvault/crypto.rb
 - lib/localvault/identity.rb
+- lib/localvault/key_slot.rb
 - lib/localvault/mcp/server.rb
 - lib/localvault/mcp/tools.rb
 - lib/localvault/session_cache.rb