@lifestreamdynamics/vault-cli 1.2.0 → 1.3.1

package/dist/commands/teams.js

@@ -97,10 +97,15 @@ EXAMPLES
     });
     addGlobalFlags(teams.command('delete')
         .description('Permanently delete a team and all its data')
-        .argument('<teamId>', 'Team ID'))
+        .argument('<teamId>', 'Team ID')
+        .option('-y, --yes', 'Skip confirmation prompt'))
         .action(async (teamId, _opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        if (!_opts.yes) {
+            out.status(chalk.yellow(`Pass --yes to permanently delete team ${teamId} and all its data.`));
+            return;
+        }
         out.startSpinner('Deleting team...');
         try {
             const client = await getClientAsync();
@@ -125,7 +130,7 @@ EXAMPLES
             const memberList = await client.teams.listMembers(teamId);
             out.stopSpinner();
             out.list(memberList.map(m => ({
-                name: m.user.name || m.user.email,
+                name: m.user.displayName || m.user.email,
                 userId: m.userId,
                 role: m.role,
                 email: m.user.email,
@@ -169,10 +174,15 @@ EXAMPLES
     addGlobalFlags(members.command('remove')
         .description('Remove a member from the team')
         .argument('<teamId>', 'Team ID')
-        .argument('<userId>', 'User ID'))
+        .argument('<userId>', 'User ID')
+        .option('-y, --yes', 'Skip confirmation prompt'))
         .action(async (teamId, userId, _opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        if (!_opts.yes) {
+            out.status(chalk.yellow(`Pass --yes to remove user ${userId} from team ${teamId}.`));
+            return;
+        }
         out.startSpinner('Removing member...');
         try {
             const client = await getClientAsync();
@@ -284,7 +294,7 @@ EXAMPLES
             const client = await getClientAsync();
             const vaultList = await client.teams.listVaults(teamId);
             out.stopSpinner();
-            out.list(vaultList.map(v => ({ name: String(v.name), slug: String(v.slug), description: String(v.description) || 'No description' })), {
+            out.list(vaultList.map(v => ({ name: String(v.name), slug: String(v.slug), description: v.description ?? 'No description' })), {
                 emptyMessage: 'No team vaults found.',
                 columns: [
                     { key: 'name', header: 'Name' },
@@ -343,8 +353,8 @@ EXAMPLES
             }
             else {
                 for (const [date, day] of Object.entries(cal.days ?? {})) {
-                    if (day && day.count) {
-                        process.stdout.write(`${chalk.cyan(date)}: ${day.count} events\n`);
+                    if (day && day.activityCount) {
+                        process.stdout.write(`${chalk.cyan(date)}: ${day.activityCount} events\n`);
                     }
                 }
             }
@@ -374,8 +384,8 @@ EXAMPLES
             }
             else {
                 for (const day of activity.days ?? []) {
-                    if (day.count) {
-                        process.stdout.write(`${chalk.cyan(day.date)}: ${day.count} activities\n`);
+                    if (day.total) {
+                        process.stdout.write(`${chalk.cyan(day.date)}: ${day.total} activities\n`);
                     }
                 }
             }
@@ -415,4 +425,127 @@ EXAMPLES
             handleError(out, err, 'Failed to fetch team calendar events');
         }
     });
+    addGlobalFlags(teamCalendar.command('upcoming')
+        .description('View upcoming events and due items for a team')
+        .argument('<teamId>', 'Team ID'))
+        .action(async (teamId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching upcoming items...');
+        try {
+            const client = await getClientAsync();
+            const upcoming = await client.teams.getUpcoming(teamId);
+            out.stopSpinner();
+            if (flags.output === 'json') {
+                out.raw(JSON.stringify(upcoming, null, 2) + '\n');
+            }
+            else {
+                if (upcoming.events && upcoming.events.length > 0) {
+                    process.stdout.write(chalk.bold('Events:\n'));
+                    for (const e of upcoming.events) {
+                        process.stdout.write(`  ${chalk.cyan(String(e.title))} — ${String(e.startDate)}\n`);
+                    }
+                }
+                else {
+                    process.stdout.write(chalk.dim('No upcoming events.\n'));
+                }
+                if (upcoming.dueDocs && upcoming.dueDocs.length > 0) {
+                    process.stdout.write(chalk.bold('Due Documents:\n'));
+                    for (const d of upcoming.dueDocs) {
+                        process.stdout.write(`  ${chalk.cyan(String(d.path))} — due ${String(d.dueAt)}\n`);
+                    }
+                }
+                else {
+                    process.stdout.write(chalk.dim('No upcoming due documents.\n'));
+                }
+            }
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch upcoming items');
+        }
+    });
+    addGlobalFlags(teamCalendar.command('due')
+        .description('List due documents for a team')
+        .argument('<teamId>', 'Team ID')
+        .option('--status <status>', 'Filter by status (overdue|upcoming|all)'))
+        .action(async (teamId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching due documents...');
+        try {
+            const client = await getClientAsync();
+            const dueDocs = await client.teams.getDue(teamId, {
+                status: _opts.status,
+            });
+            out.stopSpinner();
+            out.list(dueDocs.map(d => ({
+                path: d.path,
+                title: d.title ?? '',
+                dueAt: d.dueAt,
+                overdue: d.overdue ? 'yes' : 'no',
+            })), {
+                emptyMessage: 'No due documents found.',
+                columns: [
+                    { key: 'path', header: 'Path' },
+                    { key: 'title', header: 'Title' },
+                    { key: 'dueAt', header: 'Due At' },
+                    { key: 'overdue', header: 'Overdue' },
+                ],
+                textFn: (d) => `${chalk.cyan(String(d.path))} — due ${String(d.dueAt)} ${d.overdue === 'yes' ? chalk.red('[overdue]') : ''}`,
+            });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch due documents');
+        }
+    });
+    addGlobalFlags(teamCalendar.command('agenda')
+        .description('View the team calendar agenda')
+        .argument('<teamId>', 'Team ID')
+        .option('--range <days>', 'Number of days to include')
+        .option('--group-by <period>', 'Group by period (day|week|month)'))
+        .action(async (teamId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching team agenda...');
+        try {
+            const client = await getClientAsync();
+            const agenda = await client.teams.getAgenda(teamId, {
+                range: _opts.range,
+                groupBy: _opts.groupBy,
+            });
+            out.stopSpinner();
+            if (flags.output === 'json') {
+                out.raw(JSON.stringify(agenda, null, 2) + '\n');
+            }
+            else {
+                process.stdout.write(`Total items: ${chalk.cyan(String(agenda.total))}\n`);
+                for (const group of agenda.groups ?? []) {
+                    process.stdout.write(`\n${chalk.bold(String(group.label))}:\n`);
+                    for (const item of group.items ?? []) {
+                        process.stdout.write(`  ${chalk.cyan(String(item.title ?? item.path))} — ${String(item.dueAt ?? '')}\n`);
+                    }
+                }
+            }
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch team agenda');
+        }
+    });
+    addGlobalFlags(teamCalendar.command('ical')
+        .description('Get the iCal feed for a team calendar')
+        .argument('<teamId>', 'Team ID'))
+        .action(async (teamId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching iCal feed...');
+        try {
+            const client = await getClientAsync();
+            const ical = await client.teams.getICalFeed(teamId);
+            out.stopSpinner();
+            out.raw(ical);
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch iCal feed');
+        }
+    });
 }

package/dist/commands/user.js

@@ -1,8 +1,10 @@
 import chalk from 'chalk';
+import { writeFile } from 'node:fs/promises';
 import { getClientAsync } from '../client.js';
 import { addGlobalFlags, resolveFlags } from '../utils/flags.js';
 import { createOutput, handleError } from '../utils/output.js';
 import { formatBytes } from '../utils/format.js';
+import { promptPassword, readPasswordFromStdin } from '../utils/prompt.js';
 export function registerUserCommands(program) {
     const user = program.command('user').description('View account details and storage usage');
     addGlobalFlags(user.command('storage')
@@ -56,7 +58,7 @@ export function registerUserCommands(program) {
             const client = await getClientAsync();
             const me = await client.user.me();
             out.stopSpinner();
-            out.record({ id: me.id, email: me.email, name: me.name, role: me.role, createdAt: me.createdAt });
+            out.record({ id: me.id, email: me.email, displayName: me.displayName, role: me.role, createdAt: me.createdAt });
         }
         catch (err) {
             handleError(out, err, 'Failed to fetch profile');
@@ -65,15 +67,39 @@ export function registerUserCommands(program) {
     // user password
     addGlobalFlags(user.command('password')
         .description('Change your password')
-        .requiredOption('--current <pwd>', 'Current password')
-        .requiredOption('--new <pwd>', 'New password'))
+        .option('--password-stdin', 'Read current and new passwords from stdin (one per line) for CI usage'))
         .action(async (_opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        let currentPassword;
+        let newPassword;
+        if (_opts.passwordStdin) {
+            currentPassword = await readPasswordFromStdin();
+            newPassword = await readPasswordFromStdin();
+        }
+        else {
+            currentPassword = await promptPassword('Current password: ');
+            if (!currentPassword) {
+                out.error('Current password is required.');
+                process.exitCode = 1;
+                return;
+            }
+            newPassword = await promptPassword('New password: ');
+        }
+        if (!currentPassword) {
+            out.error('Current password is required.');
+            process.exitCode = 1;
+            return;
+        }
+        if (!newPassword) {
+            out.error('New password is required.');
+            process.exitCode = 1;
+            return;
+        }
         out.startSpinner('Changing password...');
         try {
             const client = await getClientAsync();
-            await client.user.changePassword({ currentPassword: _opts.current, newPassword: _opts.new });
+            await client.user.changePassword({ currentPassword, newPassword });
             out.success('Password changed successfully', { changed: true });
         }
         catch (err) {
@@ -84,14 +110,26 @@ export function registerUserCommands(program) {
     addGlobalFlags(user.command('email')
         .description('Request email address change')
         .requiredOption('--new <email>', 'New email address')
-        .requiredOption('--password <pwd>', 'Current password'))
+        .option('--password-stdin', 'Read password from stdin for CI usage'))
         .action(async (_opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        let password;
+        if (_opts.passwordStdin) {
+            password = await readPasswordFromStdin();
+        }
+        else {
+            password = await promptPassword('Password: ');
+        }
+        if (!password) {
+            out.error('Password is required to change your email address.');
+            process.exitCode = 1;
+            return;
+        }
         out.startSpinner('Requesting email change...');
         try {
             const client = await getClientAsync();
-            const result = await client.user.requestEmailChange({ newEmail: _opts.new, password: _opts.password });
+            const result = await client.user.requestEmailChange({ newEmail: _opts.new, password });
             out.success(result.message, { message: result.message });
         }
         catch (err) {
@@ -126,7 +164,7 @@ export function registerUserCommands(program) {
         out.startSpinner('Updating profile...');
         try {
             const client = await getClientAsync();
-            const result = await client.user.updateProfile({ name: _opts.name, slug: _opts.slug });
+            const result = await client.user.updateProfile({ displayName: _opts.name, profileSlug: _opts.slug });
             out.success(result.message, { message: result.message });
         }
         catch (err) {
@@ -136,17 +174,29 @@ export function registerUserCommands(program) {
     // user delete
     addGlobalFlags(user.command('delete')
         .description('Request account deletion')
-        .requiredOption('--password <pwd>', 'Current password')
+        .option('--password-stdin', 'Read password from stdin for CI usage')
         .option('--reason <reason>', 'Reason for deletion')
         .option('--export-data', 'Request data export before deletion'))
         .action(async (_opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        let password;
+        if (_opts.passwordStdin) {
+            password = await readPasswordFromStdin();
+        }
+        else {
+            password = await promptPassword('Password: ');
+        }
+        if (!password) {
+            out.error('Password is required to delete your account.');
+            process.exitCode = 1;
+            return;
+        }
         out.startSpinner('Requesting account deletion...');
         try {
             const client = await getClientAsync();
             const result = await client.user.requestAccountDeletion({
-                password: _opts.password,
+                password,
                 reason: _opts.reason,
                 exportData: _opts.exportData === true,
             });
@@ -266,6 +316,69 @@ export function registerUserCommands(program) {
             handleError(out, err, 'Failed to fetch export status');
         }
     });
+    addGlobalFlags(userExport.command('list')
+        .description('List all data exports'))
+        .action(async (_opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        out.startSpinner('Fetching data exports...');
+        try {
+            const client = await getClientAsync();
+            const exports = await client.user.listDataExports();
+            out.stopSpinner();
+            out.list(exports.map(e => ({
+                id: e.id,
+                status: e.status,
+                format: e.format,
+                createdAt: e.createdAt,
+                completedAt: e.completedAt ?? '',
+            })), {
+                emptyMessage: 'No data exports found.',
+                columns: [
+                    { key: 'id', header: 'ID' },
+                    { key: 'status', header: 'Status' },
+                    { key: 'format', header: 'Format' },
+                    { key: 'createdAt', header: 'Created' },
+                    { key: 'completedAt', header: 'Completed' },
+                ],
+                textFn: (e) => `${chalk.cyan(String(e.id))} [${String(e.status)}] ${String(e.format)} — created ${String(e.createdAt)}`,
+            });
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to fetch data exports');
+        }
+    });
+    addGlobalFlags(userExport.command('download')
+        .description('Download a completed data export')
+        .argument('<exportId>', 'Export ID')
+        .option('-f, --file <filepath>', 'File path to write the export to'))
+        .action(async (exportId, _opts) => {
+        const flags = resolveFlags(_opts);
+        const out = createOutput(flags);
+        const outputPath = _opts.file;
+        if (!outputPath && process.stdout.isTTY) {
+            process.stderr.write(chalk.yellow('Warning: binary export data would corrupt your terminal. Use -f <filepath> to save to a file.\n'));
+            process.exitCode = 1;
+            return;
+        }
+        out.startSpinner('Downloading data export...');
+        try {
+            const client = await getClientAsync();
+            const blob = await client.user.downloadDataExport(exportId);
+            out.stopSpinner();
+            const buffer = Buffer.from(await blob.arrayBuffer());
+            if (outputPath) {
+                await writeFile(outputPath, buffer);
+                out.success(`Export saved to ${chalk.cyan(outputPath)}`, { exportId, path: outputPath });
+            }
+            else {
+                process.stdout.write(buffer);
+            }
+        }
+        catch (err) {
+            handleError(out, err, 'Failed to download data export');
+        }
+    });
     // user consents subgroup
     const consents = user.command('consents').description('Consent management');
     addGlobalFlags(consents.command('list')

package/dist/commands/vaults.js

@@ -3,7 +3,7 @@ import { getClientAsync } from '../client.js';
 import { addGlobalFlags, resolveFlags } from '../utils/flags.js';
 import { createOutput, handleError } from '../utils/output.js';
 import { generateVaultKey } from '@lifestreamdynamics/vault-sdk';
-import { createCredentialManager } from '../lib/credential-manager.js';
+import { getCredentialManager } from '../config.js';
 export function registerVaultCommands(program) {
     const vaults = program.command('vaults').description('Create, list, and inspect document vaults');
     addGlobalFlags(vaults.command('list')
@@ -84,7 +84,7 @@ EXAMPLES
             });
             if (isEncrypted) {
                 const key = generateVaultKey();
-                const credManager = createCredentialManager();
+                const credManager = getCredentialManager();
                 await credManager.saveVaultKey(vault.id, key);
                 out.success(`Encrypted vault created: ${chalk.cyan(vault.name)} (${vault.slug})`, {
                     id: vault.id,
@@ -93,10 +93,13 @@ EXAMPLES
                     encrypted: true,
                     vaultKey: key,
                 });
-                out.warn('IMPORTANT: Save this encryption key securely. If lost, your data cannot be recovered.');
-                out.status(`Vault Key: ${chalk.green(key)}`);
-                out.status(chalk.dim('The key has been saved to your credential store.'));
-                out.status(chalk.dim('You can export it later with: lsvault vaults export-key ' + vault.id));
+                // Always write key warning to stderr — even in JSON mode the caller must not miss this.
+                process.stderr.write(chalk.yellow('WARNING: Save this encryption key securely. If lost, your data cannot be recovered.\n'));
+                if (flags.output !== 'json') {
+                    out.status(`Vault Key: ${chalk.green(key)}`);
+                    out.status(chalk.dim('The key has been saved to your credential store.'));
+                    out.status(chalk.dim('You can export it later with: lsvault vaults export-key ' + vault.id));
+                }
                 out.warn('Encrypted vaults disable: full-text search, AI features, hooks, and webhooks.');
             }
             else {
@@ -118,7 +121,7 @@ EXAMPLES
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
         try {
-            const credManager = createCredentialManager();
+            const credManager = getCredentialManager();
             const key = await credManager.getVaultKey(vaultId);
             if (!key) {
                 out.error('No encryption key found for vault ' + vaultId);
@@ -146,7 +149,7 @@ EXAMPLES
                 process.exitCode = 1;
                 return;
             }
-            const credManager = createCredentialManager();
+            const credManager = getCredentialManager();
             await credManager.saveVaultKey(vaultId, keyValue);
             out.success('Vault encryption key saved successfully.', { vaultId });
         }
@@ -343,6 +346,12 @@ EXAMPLES
         .action(async (vaultId, _opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        // Require an explicit --require or --no-require flag to avoid silent side-effects.
+        if (_opts.require === undefined) {
+            out.error('You must pass --require or --no-require to set the MFA policy.');
+            process.exitCode = 1;
+            return;
+        }
         out.startSpinner('Updating MFA config...');
         try {
             const client = await getClientAsync();

package/dist/commands/webhooks.js

@@ -119,10 +119,15 @@ export function registerWebhookCommands(program) {
     addGlobalFlags(webhooks.command('delete')
         .description('Delete a webhook')
         .argument('<vaultId>', 'Vault ID')
-        .argument('<webhookId>', 'Webhook ID'))
+        .argument('<webhookId>', 'Webhook ID')
+        .option('-y, --yes', 'Skip confirmation prompt'))
         .action(async (vaultId, webhookId, _opts) => {
         const flags = resolveFlags(_opts);
         const out = createOutput(flags);
+        if (!_opts.yes) {
+            out.status(chalk.yellow(`Pass --yes to delete webhook ${webhookId}.`));
+            return;
+        }
         out.startSpinner('Deleting webhook...');
         try {
             const client = await getClientAsync();

package/dist/config.d.ts

@@ -5,6 +5,8 @@ export interface CliConfig {
     apiKey?: string;
     accessToken?: string;
     refreshToken?: string;
+    /** Per-vault client-side encryption keys, keyed by vaultId */
+    vaultKeys?: Record<string, string>;
 }
 export declare function getCredentialManager(): CredentialManager;
 /**

package/dist/config.js

@@ -71,19 +71,23 @@ export async function loadConfigAsync() {
         const fileConfig = JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
         if (fileConfig.apiUrl && !config.apiUrl)
             config.apiUrl = fileConfig.apiUrl;
-        if (fileConfig.apiKey && !config.apiKey)
+        if (fileConfig.apiKey && !config.apiKey) {
             config.apiKey = fileConfig.apiKey;
+            process.stderr.write('\x1b[33mWarning: API key loaded from plaintext config (~/.lsvault/config.json).\n' +
+                'Run `lsvault auth migrate` to migrate to secure storage.\n' +
+                'See: https://docs.lifestreamdynamics.com/migration-to-secure-storage\x1b[0m\n');
+        }
     }
     return config;
 }
 export function saveConfig(config) {
     if (!fs.existsSync(CONFIG_DIR)) {
-        fs.mkdirSync(CONFIG_DIR, { recursive: true });
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
     }
     let existing = {};
     if (fs.existsSync(CONFIG_FILE)) {
         existing = JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf-8'));
     }
     const merged = { ...existing, ...config };
-    fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + '\n');
+    fs.writeFileSync(CONFIG_FILE, JSON.stringify(merged, null, 2) + '\n', { mode: 0o600 });
 }

package/dist/index.js

@@ -1,5 +1,14 @@
 #!/usr/bin/env node
+import { createRequire } from 'node:module';
 import { Command } from 'commander';
+import chalk from 'chalk';
+const require = createRequire(import.meta.url);
+const pkg = require('../package.json');
+// Apply --no-color / NO_COLOR at startup so it takes effect for all output,
+// including messages printed before any action handler runs.
+if (process.argv.includes('--no-color') || process.env.NO_COLOR !== undefined) {
+    chalk.level = 0;
+}
 import { registerAuthCommands } from './commands/auth.js';
 import { registerMfaCommands } from './commands/mfa.js';
 import { registerVaultCommands } from './commands/vaults.js';
@@ -21,15 +30,20 @@ import { registerSyncCommands } from './commands/sync.js';
 import { registerVersionCommands } from './commands/versions.js';
 import { registerLinkCommands } from './commands/links.js';
 import { registerCalendarCommands } from './commands/calendar.js';
+import { registerBookingCommands } from './commands/booking.js';
 import { registerAiCommands } from './commands/ai.js';
 import { registerAnalyticsCommands } from './commands/analytics.js';
 import { registerCustomDomainCommands } from './commands/custom-domains.js';
 import { registerPublishVaultCommands } from './commands/publish-vault.js';
+import { registerSamlCommands } from './commands/saml.js';
+import { registerScimCommands } from './commands/scim.js';
+import { registerPluginCommands } from './commands/plugins.js';
+import { registerCompletionCommands } from './commands/completion.js';
 const program = new Command();
 program
     .name('lsvault')
     .description('Lifestream Vault CLI - manage vaults, documents, and settings')
-    .version('0.1.0')
+    .version(pkg.version)
     .addHelpText('after', `
 GETTING STARTED
   lsvault auth login --email <email>         Log in with email/password
@@ -70,8 +84,13 @@ registerSyncCommands(program);
 registerVersionCommands(program);
 registerLinkCommands(program);
 registerCalendarCommands(program);
+registerBookingCommands(program);
 registerAiCommands(program);
 registerAnalyticsCommands(program);
 registerCustomDomainCommands(program);
 registerPublishVaultCommands(program);
+registerSamlCommands(program);
+registerScimCommands(program);
+registerPluginCommands(program);
+registerCompletionCommands(program);
 program.parse();

package/dist/lib/credential-manager.js

@@ -1,13 +1,38 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import crypto from 'node:crypto';
+import os from 'node:os';
 import { createKeychainBackend } from './keychain.js';
 import { createEncryptedConfigBackend } from './encrypted-config.js';
-// Default passphrase for encrypted config when no interactive prompt is available.
-// This provides basic obfuscation — the real security benefit is file permissions (0600)
-// and the fact that credentials aren't in a JSON file that's easy to grep for API keys.
-const DEFAULT_PASSPHRASE = 'lsvault-cli-local-encryption-key';
+/**
+ * Returns the machine-specific passphrase used to encrypt the local credential
+ * store.  On first call it generates a cryptographically random 32-byte hex
+ * string, writes it to `~/.lsvault/.passphrase` (mode 0o600, directory 0o700),
+ * and returns it.  Subsequent calls read the stored value.
+ *
+ * This replaces the old hardcoded `DEFAULT_PASSPHRASE` constant so that the
+ * passphrase is never present in source code or version control.
+ */
+function getOrCreatePassphrase() {
+    const configDir = path.join(os.homedir(), '.lsvault');
+    const passphrasePath = path.join(configDir, '.passphrase');
+    try {
+        return fs.readFileSync(passphrasePath, 'utf-8').trim();
+    }
+    catch {
+        // File does not exist yet — generate a new one.
+        const passphrase = crypto.randomBytes(32).toString('hex');
+        fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+        fs.writeFileSync(passphrasePath, passphrase, { mode: 0o600 });
+        return passphrase;
+    }
+}
 export function createCredentialManager(options = {}) {
     const keychain = options.keychain ?? createKeychainBackend();
     const encryptedConfig = options.encryptedConfig ?? createEncryptedConfigBackend();
-    const passphrase = options.passphrase ?? DEFAULT_PASSPHRASE;
+    // Use the caller-supplied passphrase (tests pass one explicitly) or lazily
+    // generate / load the per-machine passphrase from ~/.lsvault/.passphrase.
+    const passphrase = options.passphrase ?? getOrCreatePassphrase();
     return {
         async getCredentials() {
             const result = {};
@@ -87,13 +112,13 @@ export function createCredentialManager(options = {}) {
         async saveVaultKey(vaultId, keyHex) {
             // Read existing config, merge vault key, save
             const existing = encryptedConfig.getCredentials(passphrase) ?? {};
-            const vaultKeys = existing.vaultKeys ?? {};
+            const vaultKeys = { ...(existing.vaultKeys ?? {}) };
             vaultKeys[vaultId] = keyHex;
             encryptedConfig.saveCredentials({ ...existing, vaultKeys }, passphrase);
         },
         async deleteVaultKey(vaultId) {
             const existing = encryptedConfig.getCredentials(passphrase) ?? {};
-            const vaultKeys = existing.vaultKeys ?? {};
+            const vaultKeys = { ...(existing.vaultKeys ?? {}) };
             delete vaultKeys[vaultId];
             encryptedConfig.saveCredentials({ ...existing, vaultKeys }, passphrase);
         },

package/dist/lib/migration.js

@@ -85,8 +85,8 @@ export async function migrateCredentials(credentialManager, promptFn) {
 export async function checkAndPromptMigration(credentialManager) {
     if (!hasPlaintextCredentials())
         return false;
-    console.log(chalk.yellow('\nWarning: API key found in plaintext config (~/.lsvault/config.json)'));
-    console.log(chalk.yellow('Run `lsvault auth migrate` to migrate to secure storage.\n'));
+    process.stderr.write(chalk.yellow('\nWarning: API key found in plaintext config (~/.lsvault/config.json)') + '\n');
+    process.stderr.write(chalk.yellow('Run `lsvault auth migrate` to migrate to secure storage.\n') + '\n');
     return false;
 }
 export { CONFIG_FILE, CONFIG_DIR };