rubyn-code 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f91f304118c243f82ce9165db84f303b111d9c18daf74c75cdc7dcec4289647b
-  data.tar.gz: 2cfc8263c1532d805ea9b9592c3601033e4fdab8dc19c6b0329a0eec40316cbb
+  metadata.gz: 1a3ef81b040a1c9a75050f2545f229ba69aa88808ced47ad5cc8634ea52f115c
+  data.tar.gz: 9020382400cdf70d332858a9b85c89e5aa4a90e07965709e8520a803273d43b2
 SHA512:
-  metadata.gz: 6bb339794d0cbe8d149e0b2e94c408b304d48f786aa2a297af5c8028c15c9796d4e5f0313be20c1ecf8b449c0ef80afa4263f581603c5c915b540c7a89b8257c
-  data.tar.gz: 2f1fc37549f2223a5c5f07be4817bade9a4d6466ef30b8927fb0de94cf4c78c41b1b5e9e8a3379fb69e503d34226df9d22e4988bb45231666afc49e4f325d789
+  metadata.gz: d7c2b95f2eec7e20e589c377784a2236f5ca7fa62402012358137a895f18e899e521ab2a3280854dda2376d515d906a40ad56dcc9c21d65062da6c9549a18912
+  data.tar.gz: cbb80d2749475054829c46aadd8ed5b7244d99f9d6ee05f73a0cd85618866e4e43881ae77e6718dbdcc6cced9e57222752b2a5c403185ae92a039a13da5105e1

data/README.md

@@ -333,6 +333,8 @@ rubyn-code --help             # Show help
 | `/budget [amt]` | Show or set session budget |
 | `/skill [name]` | Load or list available skills |
 | `/resume [id]` | Resume or list sessions |
+| `/provider` | Add or list providers |
+| `/model` | Show/switch model and provider |
 
 ## Authentication
 
@@ -354,14 +356,50 @@ export OPENAI_API_KEY=sk-...
 
 Available models: `gpt-5.4`, `gpt-5.4-mini`, `gpt-5.4-nano`, `gpt-4o`, `gpt-4o-mini`, `o3`, `o4-mini`
 
-### OpenAI-Compatible Providers (Groq, Together, Ollama, etc.)
+### Other Providers (Groq, Together, Ollama, etc.)
 
-Set the provider-specific API key and configure via `config.yml`:
+Add a provider and its API key in one command:
 
 ```bash
-export GROQ_API_KEY=gsk-...
+/provider add groq https://api.groq.com/openai/v1 --key gsk-xxx --models llama-3.3-70b
+
+# For Anthropic-format proxies (e.g., Bedrock, custom gateways)
+/provider add my-proxy https://proxy.example.com/v1 --format anthropic --key sk-xxx --models claude-sonnet-4-6
+
+# Update a key later
+/provider set-key groq gsk-new-key
+
+# List configured providers
+/provider list
+```
+
+API keys are **encrypted at rest** using AES-256-GCM. The encryption key is derived from
+your machine identity (username, hostname, home directory) via PBKDF2, so keys are only
+decryptable on the same machine by the same user. Rubyn decrypts them automatically at
+runtime and re-encrypts on save — no manual steps required.
+
+Keys stored via environment variables (`GROQ_API_KEY`, `TOGETHER_API_KEY`, etc.) also work
+as a fallback if you prefer that approach.
+
+Or add directly to `~/.rubyn-code/config.yml`:
+
+```yaml
+providers:
+  groq:
+    base_url: https://api.groq.com/openai/v1
+    env_key: GROQ_API_KEY
+    models:
+      top: llama-3.3-70b
+  my-proxy:
+    api_format: anthropic        # 'openai' (default) or 'anthropic'
+    base_url: https://proxy.example.com/v1
+    env_key: PROXY_API_KEY
+    models:
+      top: claude-sonnet-4-6
 ```
 
+Then switch with `/model groq:llama-3.3-70b`.
+
 Local providers (Ollama, LM Studio) running on `localhost`/`127.0.0.1` don't require an API key.
 
 ## Architecture
@@ -391,30 +429,21 @@ Local providers (Ollama, LM Studio) running on `localhost`/`127.0.0.1` don't req
 
 ## Configuration
 
+The `provider` and `model` keys at the top set the **default provider and model** used at startup.
+These must match a provider defined in the `providers` section (or a built-in like `anthropic`/`openai`).
+
 ```yaml
 # ~/.rubyn-code/config.yml (global)
-model: claude-opus-4-6
+provider: anthropic              # default provider on startup
+model: claude-opus-4-6           # default model on startup
 permission_mode: allow_read
 session_budget: 5.00
 daily_budget: 10.00
 
 # .rubyn-code/config.yml (project — overrides global)
-model: claude-sonnet-4-6
+provider: minimax                # this project uses MiniMax by default
+model: MiniMax-M2.7-highspeed
 permission_mode: autonomous
-
-# Use OpenAI instead of Anthropic
-# provider: openai
-# model: gpt-4o
-
-# Use an OpenAI-compatible provider
-# provider: groq
-# provider_base_url: https://api.groq.com/openai/v1
-# model: llama-3.3-70b
-
-# Local Ollama (no API key needed)
-# provider: ollama
-# provider_base_url: http://localhost:11434/v1
-# model: llama3
 ```
 
 ### Multi-Provider Model Routing
@@ -469,6 +498,35 @@ providers:
 
 You can also set custom pricing per model so `/cost` reports accurate spending for third-party providers.
 
+## Security
+
+### Credential Storage
+
+All provider API keys are encrypted at rest using **AES-256-GCM** (authenticated encryption).
+Keys are never stored as plaintext on disk.
+
+| Layer | Detail |
+|-------|--------|
+| **Cipher** | AES-256-GCM (authenticated — detects tampering) |
+| **Key derivation** | PBKDF2-HMAC-SHA256, 100,000 iterations |
+| **Machine binding** | Key derived from username + hostname + home directory |
+| **Salt** | Random 32-byte salt, generated once, stored in `~/.rubyn-code/.encryption_salt` |
+| **File permissions** | `tokens.yml` and `.encryption_salt` are `0600` (owner read/write only) |
+
+This means:
+- Keys copied to another machine or user account cannot be decrypted
+- The encryption key is never stored — it is derived at runtime
+- Plaintext keys from older versions are automatically encrypted on first read
+
+### File Permissions
+
+| File | Permissions | Contents |
+|------|------------|----------|
+| `~/.rubyn-code/` | `0700` | Home directory |
+| `~/.rubyn-code/tokens.yml` | `0600` | Encrypted API keys, OAuth tokens |
+| `~/.rubyn-code/.encryption_salt` | `0600` | PBKDF2 salt (not secret alone, but protected) |
+| `~/.rubyn-code/config.yml` | `0600` | Provider config (no secrets) |
+
 ## Development
 
 Requires Ruby 4.0+.

data/db/migrations/013_add_failed_status_to_tasks.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+# Expands the tasks CHECK constraint on status to include 'failed',
+# used by the GOLEM daemon to mark tasks that have exceeded max retries.
+#
+# SQLite does not support ALTER CONSTRAINT, so we rebuild the table.
+# The Migrator already wraps .up in a transaction — no manual BEGIN/COMMIT here.
+module Migration013AddFailedStatusToTasks
+  module_function
+
+  def up(db)
+    create_new_tasks_table(db)
+    migrate_data(db)
+    swap_tables(db)
+  end
+
+  def create_new_tasks_table(db)
+    db.execute(<<~SQL)
+      CREATE TABLE tasks_new (
+        id TEXT PRIMARY KEY,
+        session_id TEXT REFERENCES sessions(id) ON DELETE SET NULL,
+        title TEXT NOT NULL,
+        description TEXT,
+        status TEXT NOT NULL DEFAULT 'pending'
+          CHECK(status IN ('pending','in_progress','blocked','completed','cancelled','failed')),
+        priority INTEGER NOT NULL DEFAULT 0,
+        owner TEXT,
+        result TEXT,
+        metadata TEXT DEFAULT '{}',
+        created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now')),
+        updated_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ','now'))
+      )
+    SQL
+  end
+
+  def migrate_data(db)
+    db.execute(<<~SQL)
+      INSERT INTO tasks_new (id, session_id, title, description, status, priority, owner, result, metadata, created_at, updated_at)
+      SELECT id, session_id, title, description, status, priority, owner, result, metadata, created_at, updated_at
+      FROM tasks
+    SQL
+  end
+
+  def swap_tables(db)
+    db.execute('DROP TABLE tasks')
+    db.execute('ALTER TABLE tasks_new RENAME TO tasks')
+    db.execute('CREATE INDEX IF NOT EXISTS idx_tasks_session ON tasks(session_id)')
+    db.execute('CREATE INDEX IF NOT EXISTS idx_tasks_status ON tasks(status)')
+    db.execute('CREATE INDEX IF NOT EXISTS idx_tasks_owner ON tasks(owner)')
+  end
+end

data/lib/rubyn_code/agent/conversation.rb

@@ -126,19 +126,48 @@ module RubynCode
 
       # Ensure every tool_use block has a matching tool_result.
       # If a tool_use is orphaned (e.g. from Ctrl-C interruption),
-      # inject a synthetic tool_result so the API doesn't reject the request.
+      # inject a synthetic tool_result immediately after the assistant
+      # message that contains the orphaned tool_use.
       def repair_orphaned_tool_uses(formatted)
         orphaned = collect_tool_use_ids(formatted) - collect_tool_result_ids(formatted)
         return formatted if orphaned.empty?
 
-        orphan_results = orphaned.map do |id|
+        insert_orphan_results(formatted, orphaned)
+      end
+
+      # Walk backwards to find the assistant message containing each orphaned
+      # tool_use and insert a user/tool_result message right after it.
+      # -- walks messages to find insertion point
+      def insert_orphan_results(formatted, orphaned)
+        orphan_set = orphaned.to_a.to_set
+        insert_idx = find_orphan_insert_index(formatted, orphan_set)
+
+        results = orphaned.map do |id|
           { type: 'tool_result', tool_use_id: id, content: '[interrupted]', is_error: true }
         end
 
-        formatted << { role: 'user', content: orphan_results }
+        formatted.insert(insert_idx, { role: 'user', content: results })
         formatted
       end
 
+      # Find the index right after the last assistant message that contains
+      # any of the orphaned tool_use IDs.
+      def find_orphan_insert_index(formatted, orphan_set)
+        formatted.each_with_index.reverse_each do |msg, idx|
+          next unless msg[:role] == 'assistant' && msg[:content].is_a?(Array)
+          return idx + 1 if assistant_has_orphan?(msg, orphan_set)
+        end
+
+        formatted.length # fallback: append at end
+      end
+
+      def assistant_has_orphan?(msg, orphan_set)
+        msg[:content].any? do |block|
+          block.is_a?(Hash) && block_matches_type?(block, 'tool_use') &&
+            orphan_set.include?(block[:id] || block['id'])
+        end
+      end
+
       def collect_tool_use_ids(formatted)
         collect_block_ids(formatted, role: 'assistant', type: 'tool_use', id_key: :id, id_str_key: 'id')
       end

data/lib/rubyn_code/agent/dynamic_tool_schema.rb

@@ -31,8 +31,10 @@ module RubynCode
         #
         # @param task_context [Symbol, nil] detected task type
         # @param discovered_tools [Set<String>] tools already discovered this session
+        # @param codebase_index [RubynCode::Index::CodebaseIndex, nil] optional index for deeper context detection
+        # @param message [String, nil] original user message for index-based matching
         # @return [Array<String>] tool names to include in the schema
-        def active_tools(task_context: nil, discovered_tools: Set.new)
+        def active_tools(task_context: nil, discovered_tools: Set.new, codebase_index: nil, message: nil)
           tools = BASE_TOOLS.dup
 
           # Always include interaction tools
@@ -45,6 +47,12 @@ module RubynCode
             tools.concat(context_tools)
           end
 
+          # Add index-aware tools when a codebase index and message are available
+          if codebase_index && message
+            index_contexts = detect_index_contexts(message, codebase_index)
+            index_contexts.each { |ctx| tools.concat(resolve_context_tools(ctx)) }
+          end
+
           # Always include previously discovered tools
           tools.concat(discovered_tools.to_a)
 
@@ -54,8 +62,9 @@ module RubynCode
         # Detect task context from a user message.
         #
         # @param message [String]
+        # @param codebase_index [RubynCode::Index::CodebaseIndex, nil] optional index for deeper detection
         # @return [Symbol, nil]
-        def detect_context(message) # rubocop:disable Metrics/CyclomaticComplexity -- context detection dispatch
+        def detect_context(message, codebase_index: nil) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity -- context detection dispatch
           msg = message.to_s.downcase
           return :testing if msg.match?(/\b(test|spec|rspec)\b/)
           return :git     if msg.match?(/\b(commit|push|diff|branch|merge|git)\b/)
@@ -65,7 +74,27 @@ module RubynCode
           return :explore if msg.match?(/\b(explore|architecture|structure)\b/)
           return :teams   if msg.match?(/\b(team|spawn|message|inbox)\b/)
 
-          nil
+          # Fall back to index-based detection when keyword matching yields nothing
+          return nil unless codebase_index
+
+          index_contexts = detect_index_contexts(message, codebase_index)
+          index_contexts.first
+        end
+
+        # Detect additional tool contexts based on codebase index content.
+        #
+        # @param message [String] user message
+        # @param codebase_index [RubynCode::Index::CodebaseIndex] codebase index instance
+        # @return [Array<Symbol>] detected context symbols
+        def detect_index_contexts(message, codebase_index)
+          contexts = []
+          return contexts unless codebase_index
+
+          contexts << :rails if message_mentions_model?(message, codebase_index)
+          contexts << :testing if message_mentions_specced_file?(message, codebase_index)
+          contexts.uniq
+        rescue StandardError
+          []
         end
 
         # Filter full tool definitions to only include active tools.
@@ -93,6 +122,30 @@ module RubynCode
             []
           end
         end
+
+        # Check if the user message mentions a model name from the index.
+        def message_mentions_model?(message, codebase_index)
+          model_names = codebase_index.nodes
+                                      .select { |n| n['type'] == 'model' }
+                                      .map { |n| n['name'] }
+          return false if model_names.empty?
+
+          msg_lower = message.to_s.downcase
+          model_names.any? { |name| msg_lower.include?(name.downcase) }
+        end
+
+        # Check if the user message mentions a file that has specs in the index.
+        def message_mentions_specced_file?(message, codebase_index)
+          spec_edges = codebase_index.edges.select { |e| e['relationship'] == 'tests' }
+          return false if spec_edges.empty?
+
+          tested_files = spec_edges.map { |e| e['to'] }.compact
+          msg_lower = message.to_s.downcase
+          tested_files.any? do |file|
+            basename = File.basename(file, '.rb')
+            msg_lower.include?(basename)
+          end
+        end
       end
     end
   end

data/lib/rubyn_code/agent/llm_caller.rb

@@ -43,7 +43,9 @@ module RubynCode
       # Only returns models from the active provider — never crosses
       # provider boundaries (e.g., won't send a GPT model to Anthropic).
       # Falls back to nil (use client's default) if routing fails.
-      def routed_model
+      def routed_model # rubocop:disable Metrics/CyclomaticComplexity -- guard clauses for provider/mode checks
+        return nil if manual_model_mode?
+
         last_user = last_user_message_text
         return nil unless last_user
 
@@ -60,6 +62,12 @@ module RubynCode
         nil
       end
 
+      def manual_model_mode?
+        Config::Settings.new.get('model_mode', 'auto') == 'manual'
+      rescue StandardError
+        false
+      end
+
       def last_user_message_text
         msg = @conversation.messages.reverse_each.find { |m| m[:role] == 'user' }
         return nil unless msg

data/lib/rubyn_code/agent/loop.rb

@@ -44,6 +44,9 @@ module RubynCode
       # @return [Boolean]
       attr_accessor :plan_mode
 
+      # @return [Index::CodebaseIndex, nil]
+      attr_reader :codebase_index
+
       # Send a user message and run the agent loop until a final text
       # response is produced or the iteration limit is reached.
       #
@@ -91,6 +94,7 @@ module RubynCode
         @stall_detector     = opts.fetch(:stall_detector, LoopDetector.new)
         @skill_loader       = opts[:skill_loader]
         @project_root       = opts[:project_root]
+        @tool_wrapper       = opts[:tool_wrapper]
         @decision_compactor = build_decision_compactor
         @skill_ttl          = Skills::TtlManager.new
         @session_initialized = false
@@ -123,6 +127,7 @@ module RubynCode
       def build_codebase_index!
         index = Index::CodebaseIndex.new(project_root: @project_root)
         index.load_or_build!
+        @codebase_index = index
         RubynCode::Debug.agent("Codebase index: #{index.stats[:nodes]} nodes, #{index.stats[:files_indexed]} files")
       rescue StandardError => e
         RubynCode::Debug.warn("Codebase index failed: #{e.message}")
@@ -143,6 +148,7 @@ module RubynCode
 
       def run_iteration(iteration)
         log_iteration(iteration)
+        @context_manager.advance_turn!
         compact_if_needed # ensure context is under threshold before LLM call
         response   = call_llm
         tool_calls = extract_tool_calls(response)
@@ -224,6 +230,7 @@ module RubynCode
         @conversation.add_assistant_message(get_content(response))
         process_tool_calls(tool_calls)
         drain_background_notifications
+        @decision_compactor&.check!(@conversation)
         run_maintenance(iteration)
         nil
       end

data/lib/rubyn_code/agent/system_prompt_builder.rb

@@ -64,15 +64,21 @@ module RubynCode
       def append_codebase_index(parts)
         return unless @project_root
 
-        index = Index::CodebaseIndex.new(project_root: @project_root)
-        loaded = index.load
-        return unless loaded && index.nodes.any?
+        index = resolve_codebase_index
+        return unless index&.nodes&.any?
 
-        parts << "\n## #{index.to_prompt_summary}"
+        parts << "\n## #{index.to_structural_summary}"
       rescue StandardError
         nil
       end
 
+      def resolve_codebase_index
+        return @codebase_index if defined?(@codebase_index) && @codebase_index
+
+        idx = Index::CodebaseIndex.new(project_root: @project_root)
+        idx.load
+      end
+
       def append_memories(parts)
         memories = load_memories
         return if memories.empty?

data/lib/rubyn_code/agent/tool_processor.rb

@@ -51,6 +51,7 @@ module RubynCode
         Tools::Registry.all.select { |t| PLAN_MODE_RISK_LEVELS.include?(t::RISK_LEVEL) }.map(&:to_schema)
       end
 
+      # -- tool dispatch with budget + signals
       def process_tool_calls(tool_calls)
         aggregate_chars = 0
         budget = Config::Defaults::MAX_MESSAGE_TOOL_RESULTS_CHARS
@@ -62,6 +63,7 @@ module RubynCode
           notify_tool_result(field(tool_call, :name), result, is_error)
           record_tool_result(tool_call, result, is_error)
         end
+        @decision_compactor&.signal_edit_batch_complete!
       end
 
       def run_single_tool(tool_call)
@@ -114,14 +116,32 @@ module RubynCode
       def execute_tool(tool_name, tool_input)
         discover_tool(tool_name)
         @hook_runner.fire(:pre_tool_use, tool_name: tool_name, tool_input: tool_input)
-        result = @tool_executor.execute(tool_name, symbolize_keys(tool_input))
+        result = dispatch_tool(tool_name, tool_input)
         @hook_runner.fire(:post_tool_use, tool_name: tool_name, tool_input: tool_input, result: result)
         signal_decision_compactor(tool_name, tool_input, result)
         [result.to_s, false]
+      rescue RubynCode::UserDeniedError => e
+        # User refused this call via the IDE. Surface as is_error so the model
+        # knows the tool did not run, not that it ran and returned text.
+        [e.message, true]
       rescue StandardError => e
         ["Error executing #{tool_name}: #{e.message}", true]
       end
 
+      # Run the tool through @tool_wrapper if one is configured (IDE mode),
+      # otherwise call the executor directly. The wrapper receives the raw
+      # tool name/input so it can emit protocol notifications and gate the
+      # call; the block below is what actually performs the work.
+      def dispatch_tool(tool_name, tool_input)
+        if @tool_wrapper
+          @tool_wrapper.call(tool_name, tool_input) do
+            @tool_executor.execute(tool_name, symbolize_keys(tool_input))
+          end
+        else
+          @tool_executor.execute(tool_name, symbolize_keys(tool_input))
+        end
+      end
+
       def signal_decision_compactor(tool_name, tool_input, result) # rubocop:disable Metrics/CyclomaticComplexity -- tool dispatch
         return unless @decision_compactor
 

data/lib/rubyn_code/auth/key_encryption.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+require 'securerandom'
+require 'etc'
+require 'socket'
+
+module RubynCode
+  module Auth
+    # Encrypts and decrypts provider API keys at rest using AES-256-GCM.
+    #
+    # The encryption key is derived via PBKDF2 from machine-specific identifiers
+    # (username, hostname, home directory) combined with a random salt stored in
+    # ~/.rubyn-code/.encryption_salt. This means keys are only decryptable on the
+    # same machine by the same user.
+    #
+    # Encrypted values are prefixed with "enc:v1:" so plaintext values from older
+    # versions are transparently migrated on first read.
+    module KeyEncryption
+      CIPHER = 'aes-256-gcm'
+      PREFIX = 'enc:v1:'
+      IV_LENGTH = 12
+      TAG_LENGTH = 16
+      PBKDF2_ITERATIONS = 100_000
+      KEY_LENGTH = 32
+      SALT_LENGTH = 32
+
+      class << self
+        def encrypt(plaintext)
+          return nil unless plaintext
+
+          cipher = OpenSSL::Cipher.new(CIPHER).encrypt
+          key = derive_key
+          cipher.key = key
+          iv = cipher.random_iv
+
+          ciphertext = cipher.update(plaintext) + cipher.final
+          tag = cipher.auth_tag(TAG_LENGTH)
+
+          encoded = Base64.strict_encode64(iv + ciphertext + tag)
+          "#{PREFIX}#{encoded}"
+        end
+
+        def decrypt(value)
+          return nil unless value
+          return value unless encrypted?(value)
+
+          raw = Base64.strict_decode64(value.delete_prefix(PREFIX))
+          decrypt_raw(raw)
+        rescue OpenSSL::Cipher::CipherError, ArgumentError
+          nil
+        end
+
+        def encrypted?(value)
+          value.is_a?(String) && value.start_with?(PREFIX)
+        end
+
+        private
+
+        def decrypt_raw(raw)
+          iv = raw[0, IV_LENGTH]
+          tag = raw[-TAG_LENGTH, TAG_LENGTH]
+          ciphertext = raw[IV_LENGTH...-TAG_LENGTH]
+
+          cipher = OpenSSL::Cipher.new(CIPHER).decrypt
+          cipher.key = derive_key
+          cipher.iv = iv
+          cipher.auth_tag = tag
+          (cipher.update(ciphertext) + cipher.final).force_encoding('UTF-8')
+        end
+
+        def derive_key
+          OpenSSL::KDF.pbkdf2_hmac(
+            machine_identity,
+            salt: load_or_create_salt,
+            iterations: PBKDF2_ITERATIONS,
+            length: KEY_LENGTH,
+            hash: 'SHA256'
+          )
+        end
+
+        def machine_identity
+          # Use the real UID's login name rather than Etc.getlogin. Etc.getlogin
+          # reads the controlling tty's owner and can return "root" when the tty
+          # is root-owned (common after `sudo`, and in some VSCode integrated
+          # terminal setups) — even though the process itself is running as the
+          # real user. That mismatch derives a different AES key on decrypt vs.
+          # encrypt and the AEAD tag check fails, which surfaces as a misleading
+          # "No <provider> API key configured" error.
+          user = begin
+            Etc.getpwuid(Process.uid).name
+          rescue StandardError
+            ENV['USER'] || Etc.getlogin || 'unknown'
+          end
+          [user, Socket.gethostname, Dir.home].join(':')
+        end
+
+        def load_or_create_salt
+          path = salt_path
+          if File.exist?(path)
+            File.binread(path)
+          else
+            salt = SecureRandom.random_bytes(SALT_LENGTH)
+            FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
+            File.binwrite(path, salt)
+            File.chmod(0o600, path)
+            salt
+          end
+        end
+
+        def salt_path
+          File.join(Config::Defaults::HOME_DIR, '.encryption_salt')
+        end
+      end
+    end
+  end
+end