npm - @harry-kp/vortix - Versions diffs - 0.2.2 → 0.3.1 - Mend

@harry-kp/vortix 0.2.2 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,322 +2,59 @@
 All notable changes to this project will be documented in this file.
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.3.1] - 2026-05-25
-## [Unreleased]
-## [0.2.2] - 2026-04-23
-### Miscellaneous
-- Update Cargo.lock dependencies
-## [0.2.1] - 2026-04-04
-### Fixed
-- Detect missing `resolvconf` before WireGuard connect on Linux ([#186](https://github.com/Harry-kp/vortix/issues/186), [#187](https://github.com/Harry-kp/vortix/pull/187)) — Vortix now shows clear install instructions instead of cryptic wg-quick errors when DNS is configured but resolvconf isn't available on Arch/Fedora
-- Add CLI dependency check to catch missing tools before connection attempts
-### Documentation
+### Changed
-- Add comprehensive Arch Linux troubleshooting FAQ and distribution-specific guidance in README
-- Add WireGuard configuration guide explaining AllowedIPs, cloud provider limitations, and routing best practices
-- Add quick error reference table for common connection issues
+- **Flattened to single crate.** Merged all 8 internal crates into the main `vortix` crate as modules. Enables `cargo install vortix` from crates.io. No functional changes.
+- Internal modules marked `#[doc(hidden)]` to keep public API surface clean.
+## [0.3.0] - 2026-05-24
+### Architecture
-## [0.2.0] - 2026-03-31
+- **Cargo workspace split.** Codebase restructured into 12 internal crates under `crates/` (vortix-core, vortix-process, vortix-config, vortix-platform-{linux,macos,windows}, vortix-protocol-{wireguard,openvpn}, xtask). Single published binary remains `vortix`.
+- **Capability ports.** 7 trait-based ports (Tunnel, Killswitch, DNS, Interface, NetworkStats, RouteTable, CommandRunner) in `vortix-core` with per-OS implementations behind them. Adding new protocols or platforms is now mechanical.
+- **Engine FSM.** Internal connection state is now a typed 5-variant state machine (`Disconnected`, `Connecting`, `Connected`, `Disconnecting`, `AwaitingUserInput`) with compile-time transition enforcement.
+- **CI boundary lints.** Three `cargo xtask` lints enforce that `Command::new` only appears in `vortix-process`, `cfg(target_os)` only in platform crates, and protocol strings only in protocol crates.
 ### Added
-- Add a CLI-first headless mode with structured JSON output for scripting, automation, and AI-agent workflows, including `vortix status` for scriptable connection and kill-switch visibility ([#156](https://github.com/Harry-kp/vortix/issues/156), [#176](https://github.com/Harry-kp/vortix/pull/176)).
-- Add the new flip-panel dashboard interaction with animated card transitions ([#165](https://github.com/Harry-kp/vortix/pull/165)).
-### Changed
-- VPN sessions can now keep running after the TUI or CLI exits, so leaving the interface no longer tears down an active connection unexpectedly ([#155](https://github.com/Harry-kp/vortix/issues/155), [#176](https://github.com/Harry-kp/vortix/pull/176)).
-- Make `vortix down` wait for the OpenVPN daemon to fully exit before reporting success ([#176](https://github.com/Harry-kp/vortix/pull/176)).
+- **Session journal.** Every session writes a JSONL event log to `${XDG_DATA_HOME}/vortix/sessions/*.jsonl` with 30-day / 30-file retention. Path surfaced via `vortix info`.
+- **`vortix secrets {set,get,delete}`** -- Layered secret store backed by OS keyring (Keychain / Secret Service) with AES-256-GCM + argon2id on-disk fallback. Opt-in; existing `.auth` files keep working.
+- **`vortix audit`** -- Per-process socket snapshot for VPN leak detection. `--pid <N>` filters to one process, `--vpn-only` to tunnel sockets, `--json` for structured output. Linux (`/proc/net`) + macOS (`lsof`) implementations.
+- **`vortix daemon`** -- IPC server skeleton with Unix socket (mode 0600) and length-prefixed JSON framing. Engine routing through daemon completes in v0.3.x.
+- **`vortix show --raw --inline-secrets`** -- Streams profile config to stdout with stored credentials appended as `# vortix-secret:<base64>` trailing comment.
+- **CI integration tests.** Privileged Docker container with network namespaces running real `wg-quick` + killswitch engage/release end-to-end.
+- **`settings.toml`** -- Figment-layered config (defaults -> system -> user -> env). Not required; runtime defaults match v0.2.x behavior.
+- **JSON `schema_version`.** Every `--json` envelope now includes `"schema_version": 1`.
+- **Windows stub crate.** `vortix-platform-windows` compiles on Windows; every port returns `PlatformUnsupported`.
+- **Startup orphan scan.** Warn-only detection of leftover `wg-quick`/`openvpn` processes from previous runs.
+- **Cold-start performance test.** CI ceiling on `vortix --version` startup time.
 ### Fixed
-- Remove the stale quit confirmation now that active connections can continue independently of the UI process ([#179](https://github.com/Harry-kp/vortix/issues/179), [#182](https://github.com/Harry-kp/vortix/pull/182)).
-- Fix help overlay scrolling edge cases, including opening before the first resize and clamping scroll correctly after keyboard and mouse input ([#180](https://github.com/Harry-kp/vortix/issues/180), [#182](https://github.com/Harry-kp/vortix/pull/182)).
-- Harden CLI lifecycle handling around disconnect flow, error paths, and config isolation ([#176](https://github.com/Harry-kp/vortix/pull/176)).
-### Documentation
-- Clarify current Linux support expectations and improve Linux bug-reporting guidance for distro-specific issues ([#185](https://github.com/Harry-kp/vortix/pull/185)).
-### CI
-- Add Fedora 41 CI coverage for `cargo check`, `cargo clippy`, `cargo test`, and `cargo doc`, including unprivileged test execution for Linux-specific validation ([#160](https://github.com/Harry-kp/vortix/issues/160), [#183](https://github.com/Harry-kp/vortix/pull/183)).
-## [0.1.8] - 2026-03-19
-### Features
-- Add centralized theming system — all colors now flow through `theme.rs`, replacing hardcoded `Color::Rgb` across 13 UI files ([#109](https://github.com/Harry-kp/vortix/issues/109), [#147](https://github.com/Harry-kp/vortix/issues/147))
-- Add mouse click-to-select for profiles in the sidebar ([#139](https://github.com/Harry-kp/vortix/issues/139))
-- Add Wayland clipboard support via `wl-copy`, with `xclip`/`xsel` fallback on X11 ([#107](https://github.com/Harry-kp/vortix/issues/107))
-- Add word-wrapped log messages with accurate scroll using `Paragraph::line_count()` — long OpenVPN errors no longer truncate
-### Bug Fixes
-- Fix OpenVPN error messages not shown in UI — vortix now reads the daemon log file when stderr is empty due to `--daemon --log` ([#154](https://github.com/Harry-kp/vortix/issues/154))
-- Fix footer truncating Help and Quit hints first on narrow terminals — critical hints now have priority, with unicode-aware width calculation ([#134](https://github.com/Harry-kp/vortix/issues/134))
-- Fix cursor style inconsistent across overlays — all text fields now use the same blinking block cursor ([#135](https://github.com/Harry-kp/vortix/issues/135))
-- Fix URL import leaving temp files behind in system temp directory ([#136](https://github.com/Harry-kp/vortix/issues/136))
-- Fix race condition where temp file could be deleted before import completes on TUI URL import
-- Fix clipboard copy reporting success without checking the tool's exit status
-- Fix toast messages logged at wrong severity level (e.g., connection failures logged as INFO instead of ERROR)
-### Refactor
-- Generalize `centered_rect` helper to support both percentage-based and fixed-size centering, removing duplicate code ([#123](https://github.com/Harry-kp/vortix/issues/123))
-- Eliminate per-frame `String` allocations in footer hint rendering
-### Testing
-- Add unit tests for rename-profile path traversal validation with rejection assertions ([#137](https://github.com/Harry-kp/vortix/issues/137))
-- Add unit tests for `cleanup_temp_download`, footer hint width calculations, `centered_rect` variants, and theme alias consistency
-### Miscellaneous
-- **deps:** Bump the rust-minor group with 2 updates ([#152](https://github.com/Harry-kp/vortix/pull/152))
-## [0.1.7] - 2026-03-11
-### Bug Fixes
-- Fix Escape/CloseOverlay resetting zoomed panel back to normal layout ([#105](https://github.com/Harry-kp/vortix/issues/105))
-- Fix sidebar "Reconnect" action disconnecting instead of reconnecting the selected profile ([#106](https://github.com/Harry-kp/vortix/issues/106), [#145](https://github.com/Harry-kp/vortix/issues/145))
-- Fix exponential backoff overflow causing infinite retry delays at high attempt counts ([#110](https://github.com/Harry-kp/vortix/issues/110))
-- Fix renaming a profile breaking reconnect by not updating `last_connected_profile` ([#111](https://github.com/Harry-kp/vortix/issues/111))
-- Fix deleting a profile during Connecting or Disconnecting state causing state corruption ([#112](https://github.com/Harry-kp/vortix/issues/112))
-- Fix "IP unchanged" warning flooding logs every telemetry poll cycle while connected ([#113](https://github.com/Harry-kp/vortix/issues/113))
-- Fix 0ms latency falsely showing EXCELLENT quality instead of UNKNOWN ([#146](https://github.com/Harry-kp/vortix/issues/146))
-### Features
-- Add `ConnectSelected` action: sidebar `r` key now connects the highlighted profile rather than the last-used one
-- Add `Unknown` quality state when no metrics have arrived yet, displayed as "─────" in header and "UNKNOWN" in details
-- Include latency in connection quality scoring (Poor ≥ 300ms, Fair ≥ 100ms)
-- Cap retry backoff at configurable `connect_retry_max_delay_secs` (default 300s)
-### Documentation
-- Rewrite ROADMAP as a product journey with themed releases and user stories
-### Miscellaneous
-- **deps:** Bump the rust-minor group with 3 updates ([#149](https://github.com/Harry-kp/vortix/pull/149))
-## [0.1.6] - 2026-03-08
-### Bug Fixes
-- Fix `pkill openvpn` killing all system OpenVPN processes instead of only Vortix-managed ones ([#95](https://github.com/Harry-kp/vortix/issues/95))
-- Fix kill switch state file written to world-readable `/tmp/` ([#96](https://github.com/Harry-kp/vortix/issues/96))
-- Fix kill switch displaying "Blocking" without root, giving a false sense of security ([#97](https://github.com/Harry-kp/vortix/issues/97))
-- Fix Unicode text input causing panic in text field handlers ([#98](https://github.com/Harry-kp/vortix/issues/98))
-- Add `Drop` impl on `App` to clean up kill switch rules and VPN processes on panic ([#99](https://github.com/Harry-kp/vortix/issues/99))
-- Fix disconnect failure leaving app in "Disconnected" state while VPN process may still be running ([#100](https://github.com/Harry-kp/vortix/issues/100))
-- Fix spurious "VPN dropped" auto-reconnect triggered by force-kill
-- Fix config viewer overlay not loading file contents on open
-- Fix minimum terminal size check causing blank screen on small terminals
-- Fix search and rename cursor position on multi-byte UTF-8 input
-- Fix mouse events passing through overlays to background panels
-- Fix help overlay not being scrollable
-- Fix ISP and location text truncated too aggressively on narrow terminals ([#104](https://github.com/Harry-kp/vortix/issues/104))
-- Fix connection details panel mostly empty when disconnected ([#102](https://github.com/Harry-kp/vortix/issues/102))
-- Fix import overlay closing immediately on URL import or empty directory
-- Fix `g`/`G`/Home/End keys not routing correctly when logs panel is focused
-- Fix mouse scroll not working on hovered panel (only worked on focused panel)
-- Fix profile names overflowing sidebar column when names are long
-- Fix password mask using byte count instead of character count for multi-byte input
-- Enable config viewer overlay to be scrollable with mouse
-- Fix action menus not listing all available panel actions (Sort, Rename, Filter, Kill Switch)
-### Features
-- Add human-readable connection duration format (e.g., "2h 15m" instead of seconds)
-- Add throughput chart with upload/download speed labels and color legend ([#103](https://github.com/Harry-kp/vortix/issues/103))
-- Add active connection badge (checkmark) next to connected profile in sidebar
-- Clear stale telemetry data on disconnect to avoid showing previous session info
-- Add keyboard accessibility for all panels with Tab/Shift+Tab cycling
-- Add panel-specific keyboard shortcuts displayed in context footer
-- Add log level filtering (Error/Warn/Info) with `f` key
-- Show protocol tag (WG/OVPN) in cockpit header bar when connected
-- Show DNS server provider name (Cloudflare, Google, Quad9) in security panel
-- Add confirmation dialog when switching profiles while connected
-- Add confirmation dialog when quitting with an active VPN connection
-- Add profile sorting (name, protocol, last used) with `s` key
-- Add connection quality thresholds (Poor/Fair/Excellent) based on latency, jitter, and packet loss
-- Move toast notifications from bottom-right to top-right for better visibility
-### Refactor
-- Split 2081-line `dashboard.rs` into 13 focused per-panel modules ([#114](https://github.com/Harry-kp/vortix/issues/114))
-- Extract shared confirmation dialog component to reduce code duplication
-- Adopt `tempfile` crate for panic-safe test cleanup across all 31 test sites ([#116](https://github.com/Harry-kp/vortix/issues/116))
-- Sanitize profile names with strict ASCII-only validation for process management
-- Consolidate confirmation dialog input handling into shared `handle_confirm_keys`
-- Route inline key handlers (rename, search, help, log filter) through Message dispatch for TEA consistency
-### Testing
+- **WireGuard shows Connected with no handshake on invalid server address** ([#31](https://github.com/Harry-kp/vortix/issues/31)). FSM now requires a real `TunnelUp` event before entering `Connected` state.
+- **CLI hardening** ([#177](https://github.com/Harry-kp/vortix/issues/177)). Typed errors via `thiserror` at every port boundary, config value masking in output.
-- Enable 6 previously-ignored auth tests to run without root privileges
-- Add 19 new tests covering confirm dialog keys, Home/End panel awareness, profile name sanitization, truncation edge cases, and import overlay behavior
-- Migrate all test temp file creation to `tempfile` crate for automatic cleanup on panic
-### CI
-- Pin Rust 1.91.0 in CI and fix remaining lint issues
-## [0.1.5] - 2026-02-16
-### Bug Fixes
-- Address PR review feedback for bug report feature
-### Documentation
-- Add roadmap and feature voting links to README
-- Add vortix report and Nix installation to README
-- Rearrange badges, add Nix flake and npm downloads badges
-### Features
-- Add `vortix report` bug report command
-### Miscellaneous
-- **deps:** Bump the rust-minor group with 2 updates ([#40](https://github.com/Harry-kp/vortix/pull/40))
-## [0.1.4] - 2026-02-12
-### Documentation
-- Add sudo PATH troubleshooting for cargo install on Linux
-- Restructure README for clarity and fix misleading info
-- Move sudo PATH fix to prominent section after installation
-### Features
-- Add Homebrew and npm package manager support
-## [0.1.3] - 2026-02-11
-### Bug Fixes
-- Prevent TUI freeze when no network connection is available
-- **ci:** Gate macOS-only symbols behind cfg to resolve Linux dead_code errors
-- Prevent UTF-8 panic when truncating log messages in TUI
-### Documentation
-- **readme:** Add installation for arch linux ([#27](https://github.com/Harry-kp/vortix/pull/27))
-- Add directory structure and configuration guide to README
-- Clarify file ownership and permissions in README
-- Update configuration reference with all configurable settings
-### Features
-- Configurable config directory with settings, migration, and sudo ownership
-- Harden VPN lifecycle, structured logging, and configurable settings
-- Startup dependency check with toast warning for missing tools
-## [0.1.2] - 2026-02-07
-### Bug Fixes
+### Changed
-- Resolve clippy errors on Linux CI (Rust 1.93)
+- Profile sidecar backfill runs automatically at first launch. A `<name>.meta.toml` appears next to each `.conf`/`.ovpn`. Idempotent; v0.2.x ignores these files.
+- Killswitch state and active VPN sessions survive the binary upgrade unchanged.
 ### Documentation
-- Add star history graph to README
-- Add ROADMAP and GitHub Sponsors funding
-- Add downloads and stars badges to README
-- Add Terminal Trove feature mention
-- Fix roadmap links to point to feature requests
-- Add comparison table, CONTRIBUTING.md, and issue/PR templates
-- Add macOS, Rust, Sponsors, and PRs Welcome badges
-### Features
-- Add Linux platform support with cross-platform abstraction layer
-- Robust VPN state machine and strict config import validation
-- OpenVPN credential management and UX improvements
-### Miscellaneous
-- **deps:** Bump clap from 4.5.54 to 4.5.56 in the rust-minor group ([#23](https://github.com/Harry-kp/vortix/pull/23))
-## [0.1.1] - 2026-01-14
-### Bug Fixes
-- Address Clippy and Copilot review comments
-### Miscellaneous
-- **deps:** Bump nix from 0.29.0 to 0.30.1 ([#7](https://github.com/Harry-kp/vortix/pull/7))
-- **deps:** Bump libc from 0.2.179 to 0.2.180 in the rust-minor group ([#9](https://github.com/Harry-kp/vortix/pull/9))
-### Refactor
-- Centralized logging, optimized deps, improved UI
-## [0.1.0] - 2026-01-02
-### Added
-- Initial release of Vortix VPN Manager
-- TUI dashboard with real-time network telemetry
-- WireGuard profile support (.conf files)
-- OpenVPN profile support (.ovpn files)
-- Quick slots (1-5) for favorite connections
-- Profile import via TUI (`i` key) and CLI (`vortix import`)
-- Self-update command (`vortix update`)
-- IPv6 leak detection
-- DNS leak detection
-- Insecure protocol detection (HTTP, FTP, Telnet)
-- Live throughput monitoring (upload/download speeds)
-- Connection uptime tracking
-- Nordic Frost color theme
-- Keyboard-driven interface with help overlay (`?` key)
+- `docs/MIGRATION.md` -- upgrade guide from v0.2.x
+- `docs/v0.3.0-RELEASE-NOTES.md` -- full release notes
+- `docs/v0.3.0-FAQ.md` -- common upgrade questions
+- `docs/architecture-migration-v1.md` -- technical surface map
+- `docs/RELEASE-PLAYBOOK-v0.3.0.md` -- maintainer runbook
+- `SECURITY.md` updated with daemon authentication model
+- 15 plan documents in `docs/plans/` (001-015)
-### Security
-- Config files stored with 600 permissions
-- Root privilege requirement for network interface management
+### Not in v0.3.0 (deferred)
-[Unreleased]: https://github.com/Harry-kp/vortix/compare/v0.1.7...HEAD
-[0.1.7]: https://github.com/Harry-kp/vortix/compare/v0.1.6...v0.1.7
-[0.1.6]: https://github.com/Harry-kp/vortix/compare/v0.1.5...v0.1.6
-[0.1.5]: https://github.com/Harry-kp/vortix/compare/v0.1.4...v0.1.5
-[0.1.4]: https://github.com/Harry-kp/vortix/compare/v0.1.3...v0.1.4
-[0.1.3]: https://github.com/Harry-kp/vortix/compare/v0.1.2...v0.1.3
-[0.1.2]: https://github.com/Harry-kp/vortix/compare/v0.1.1...v0.1.2
-[0.1.1]: https://github.com/Harry-kp/vortix/compare/v0.1.0...v0.1.1
-[0.1.0]: https://github.com/Harry-kp/vortix/releases/tag/v0.1.0
+- No Windows binary (stub only, [#17](https://github.com/Harry-kp/vortix/issues/17))
+- Daemon engine routing (skeleton only, [#16](https://github.com/Harry-kp/vortix/issues/16))
+- Privilege separation / no-sudo ([#153](https://github.com/Harry-kp/vortix/issues/153))
+- Lifecycle hooks (backed out after UX iteration, [#36](https://github.com/Harry-kp/vortix/issues/36))

package/README.md CHANGED Viewed

@@ -17,6 +17,12 @@
 Terminal UI for WireGuard and OpenVPN with real-time telemetry and leak guarding.
+> **New in v0.3.0 — architectural migration v1.** Engine FSM (internal), session journal, encrypted secret store. One new top-level subcommand (`vortix secrets`); existing CLI unchanged. Upgrade is automatic.
+>
+> - [Release notes](docs/v0.3.0-RELEASE-NOTES.md) — what changed (60s read)
+> - [Upgrade guide](docs/MIGRATION.md) — for v0.2.x users
+> - [FAQ](docs/v0.3.0-FAQ.md) — common upgrade questions
 ![Vortix Demo](assets/demo.gif)
 ## Why Vortix?
@@ -45,6 +51,10 @@ Existing options (`wg show`, NetworkManager, Tunnelblick) either lack real-time
 - **Geo-Location** — Instant detection of your exit IP's city and country
 - **Leak detection** — Monitors for IPv6 leaks and DNS leaks in real-time
 - **Kill Switch** — Built-in firewall management for maximum security
+- **Encrypted credential store** *(new in v0.3.0)* — OS keyring (Keychain / Secret Service) with AES-256-GCM + argon2id encrypted-file fallback for headless installs
+- **Session event journal** *(new in v0.3.0)* — JSONL event log per session under `${XDG_DATA_HOME}/vortix/sessions/`, 30-day retention; useful for diagnostics and scripting
+- **Per-process socket audit** *(new in v0.3.0)* — `vortix audit` answers "is this traffic actually routing through the tunnel?" with per-PID socket inventory; Linux + macOS supported
+- **Versioned structured output** *(new in v0.3.0)* — every `--json` envelope carries `schema_version: 1` so consumers can detect breaking changes instead of finding them at runtime
 - **Interactive Import** — Easily add new profiles directly within the TUI
 - **Config Viewer** — Inspect profile configurations directly within the TUI
 - **Keyboard-driven** — No mouse required
@@ -226,6 +236,43 @@ vortix completions bash >> ~/.bashrc      # Shell completions
 vortix completions zsh > ~/.zfunc/_vortix
 ```
+**New in v0.3.0 — secrets store, socket audit, daemon skeleton, profile-export flag (additive):**
+```bash
+# Encrypted secret store — OS keyring (Keychain / Secret Service) with
+# AES-256-GCM + argon2id fallback. Opt-in; existing .auth files keep
+# working unchanged.
+echo -n 'user:pass' | vortix secrets set creds/work-vpn
+vortix secrets get creds/work-vpn
+vortix secrets delete creds/work-vpn
+# Per-process socket audit — "is this traffic actually routing
+# through the tunnel?" Pull-based snapshots; Linux + macOS supported.
+vortix audit                                  # tabular
+vortix audit --json                           # structured envelope
+vortix audit --pid 12345                      # filter to one process
+vortix audit --vpn-only                       # only sockets on the tunnel
+# Daemon IPC skeleton — host the engine as a long-running process.
+# v0.3.0 ships the wire contract + socket binding; engine routing
+# through the daemon completes in v0.3.x.
+vortix daemon                                 # default socket path
+vortix daemon --socket /tmp/vortix.sock       # custom path
+# Share a profile with credentials inlined (for the recipient to
+# re-import). The output gets a trailing `# vortix-secret:<base64>`
+# comment that v0.3.x picks up on import.
+vortix show work-vpn --raw --inline-secrets > /tmp/work-with-creds.ovpn
+```
+The Engine FSM, JSONL session journal, layered settings, and sidecar
+migration all live behind existing commands — the journal path
+surfaces in `vortix info` output, the migration runs at startup, and
+`settings.toml` works whether or not you ever create one.
+See [`docs/MIGRATION.md`](docs/MIGRATION.md) for the upgrade guide and
+opt-in details on the secret store, journal, and daemon.
 **JSON output for AI agents / scripts:**
 ```bash
 # Structured JSON envelope on every command
@@ -294,7 +341,9 @@ When running with `sudo`, vortix automatically resolves the invoking user's home
 ~/.config/vortix/
 ├── profiles/                 VPN configuration files
 │   ├── work.conf             WireGuard profile
-│   └── office.ovpn           OpenVPN profile
+│   ├── work.meta.toml        Sidecar metadata (new in v0.3.0; auto-generated)
+│   ├── office.ovpn           OpenVPN profile
+│   └── office.meta.toml      Sidecar metadata (new in v0.3.0; auto-generated)
 ├── auth/                     Saved OpenVPN credentials
 │   └── office                Username + password for "office" profile
 ├── run/                      OpenVPN runtime files (temporary)
@@ -303,19 +352,38 @@ When running with `sudo`, vortix automatically resolves the invoking user's home
 ├── logs/                     Application logs (daily rotation)
 │   └── 2026-02-09.log        Same content as the TUI Logs panel
 ├── config.toml               User settings (optional, see below)
+├── settings.toml             Figment-layered settings (optional, new in v0.3.0)
+├── secrets.enc               Encrypted secret store, fallback when no OS keyring (new in v0.3.0)
 ├── metadata.json             Profile metadata (last used, sort order)
 └── killswitch.state          Kill switch state for crash recovery
 ```
-All files and directories are owned by your user account, even when vortix runs under `sudo`. You can read, modify, or delete anything here without elevated privileges.
+Session event journals live in a separate XDG directory because they're observability data, not user config:
+```
+${XDG_DATA_HOME}/vortix/sessions/                   (new in v0.3.0)
+├── 2026-...-pid.jsonl        JSONL event log per session
+└── ...                       30-day / 30-file retention
+```
+Resolved paths by platform:
+- **Linux:** `~/.local/share/vortix/sessions/`
+- **macOS:** `~/Library/Application Support/vortix/sessions/`
+Find the current session's path with `vortix info`.
+All files and directories under the config dir are owned by your user account, even when vortix runs under `sudo`. You can read, modify, or delete anything here without elevated privileges.
 | Path | Mode | Description |
 |------|:----:|-------------|
-| `profiles/` | `600` | Your `.conf` and `.ovpn` files. Added via `vortix import` or the TUI. |
-| `auth/` | `600` | Saved OpenVPN username/password pairs. One file per profile. |
+| `profiles/` | `600` | Your `.conf` and `.ovpn` files plus the auto-generated `.meta.toml` sidecars (new in v0.3.0). Sidecars are idempotent — delete and they regenerate. |
+| `auth/` | `600` | Saved OpenVPN username/password pairs. One file per profile. Still honored in v0.3.0 — credentials can optionally move to the encrypted store via `vortix secrets set creds/<profile>`. |
 | `run/` | `644` | **OpenVPN only.** PID and log files created during a VPN session. The `.pid` file identifies which daemon to kill; the `.log` is polled for success/failure. Cleaned up on disconnect. WireGuard doesn't use this. |
 | `logs/` | `644` | Application session logs (daily rotation, configurable size/retention). Not the raw OpenVPN output in `run/`. |
-| `config.toml` | `644` | Optional user settings. Only exists if you create it manually (see below). |
+| `config.toml` | `644` | Optional user settings (legacy). Only exists if you create it manually (see below). |
+| `settings.toml` | `644` | Optional figment-layered settings (new in v0.3.0): defaults → system file → this user file → `VORTIX_*` env vars. Not auto-created. |
+| `secrets.enc` | `600` | Encrypted-file fallback for the SecretStore (new in v0.3.0). Only created if you use `vortix secrets set` without a working OS keyring. |
 | `metadata.json` | `644` | Internal bookkeeping (last used, sort order). Auto-managed. |
 | `killswitch.state` | `644` | Persists kill switch mode across crashes. Auto-managed. |

package/npm-shrinkwrap.json CHANGED Viewed

@@ -23,7 +23,7 @@
       "hasInstallScript": true,
       "license": "MIT",
       "name": "@harry-kp/vortix",
-      "version": "0.2.2"
+      "version": "0.3.1"
     },
     "node_modules/@isaacs/balanced-match": {
       "engines": {
@@ -515,5 +515,5 @@
     }
   },
   "requires": true,
-  "version": "0.2.2"
+  "version": "0.3.1"
 }

package/package.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "artifactDownloadUrl": "https://github.com/Harry-kp/vortix/releases/download/v0.2.2",
+  "artifactDownloadUrl": "https://github.com/Harry-kp/vortix/releases/download/v0.3.1",
   "author": "Harry KP <harrykp@users.noreply.github.com>",
   "bin": {
     "vortix": "run-vortix.js"
@@ -100,7 +100,7 @@
       "zipExt": ".tar.xz"
     }
   },
-  "version": "0.2.2",
+  "version": "0.3.1",
   "volta": {
     "node": "18.14.1",
     "npm": "9.5.0"