@smilintux/skmemory 0.5.0 → 0.7.2

package/tests/test_fortress.py

@@ -0,0 +1,255 @@
+"""Tests for Memory Fortress — auto-seal, audit trail, tamper alerts.
+
+Tests the FortifiedMemoryStore, AuditLog, and TamperAlert classes.
+All tests use in-memory/temp-path backends — no GPG required for basic tests.
+"""
+
+from __future__ import annotations
+
+import json
+import tempfile
+from pathlib import Path
+
+import pytest
+
+from skmemory.fortress import AuditLog, FortifiedMemoryStore, TamperAlert
+from skmemory.models import Memory, MemoryLayer
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+@pytest.fixture
+def tmp_audit(tmp_path):
+    """Return a temporary audit log."""
+    return AuditLog(path=tmp_path / "audit.jsonl")
+
+
+@pytest.fixture
+def fortress(tmp_path):
+    """Return a FortifiedMemoryStore using a temp directory."""
+    from skmemory.backends.sqlite_backend import SQLiteBackend
+    backend = SQLiteBackend(base_path=str(tmp_path / "memories"))
+    return FortifiedMemoryStore(
+        primary=backend,
+        use_sqlite=False,
+        audit_path=tmp_path / "audit.jsonl",
+    )
+
+
+# ---------------------------------------------------------------------------
+# AuditLog tests
+# ---------------------------------------------------------------------------
+
+class TestAuditLog:
+    def test_append_creates_file(self, tmp_audit, tmp_path):
+        tmp_audit.append("store", "abc123", ok=True)
+        assert (tmp_path / "audit.jsonl").exists()
+
+    def test_record_format(self, tmp_audit):
+        tmp_audit.append("recall", "mem1", ok=True, integrity="ok")
+        records = tmp_audit.tail(1)
+        assert len(records) == 1
+        r = records[0]
+        assert r["op"] == "recall"
+        assert r["id"] == "mem1"
+        assert r["ok"] is True
+        assert r["integrity"] == "ok"
+        assert "ts" in r
+        assert "chain_hash" in r
+
+    def test_chain_hash_progresses(self, tmp_audit):
+        tmp_audit.append("store", "a")
+        tmp_audit.append("store", "b")
+        tmp_audit.append("recall", "a")
+        records = tmp_audit.tail(10)
+        assert len(records) == 3
+        # Each chain hash should be different
+        hashes = [r["chain_hash"] for r in records]
+        assert len(set(hashes)) == 3
+
+    def test_verify_chain_valid(self, tmp_audit):
+        for i in range(5):
+            tmp_audit.append("store", f"mem{i}", ok=True)
+        ok, errors = tmp_audit.verify_chain()
+        assert ok, f"Chain should be valid but got errors: {errors}"
+
+    def test_verify_chain_tampered(self, tmp_audit, tmp_path):
+        for i in range(3):
+            tmp_audit.append("store", f"mem{i}", ok=True)
+
+        # Tamper with the file — alter the second line
+        audit_path = tmp_path / "audit.jsonl"
+        lines = audit_path.read_text().splitlines()
+        record = json.loads(lines[1])
+        record["op"] = "delete"  # tamper!
+        lines[1] = json.dumps(record)
+        audit_path.write_text("\n".join(lines) + "\n")
+
+        ok, errors = tmp_audit.verify_chain()
+        assert not ok
+        assert len(errors) > 0
+
+    def test_tail_respects_limit(self, tmp_audit):
+        for i in range(10):
+            tmp_audit.append("store", f"mem{i}")
+        records = tmp_audit.tail(3)
+        assert len(records) == 3
+
+    def test_empty_log_verify(self, tmp_audit):
+        ok, errors = tmp_audit.verify_chain()
+        assert ok
+        assert errors == []
+
+
+# ---------------------------------------------------------------------------
+# TamperAlert tests
+# ---------------------------------------------------------------------------
+
+class TestTamperAlert:
+    def test_to_dict(self):
+        alert = TamperAlert(
+            memory_id="abc",
+            expected_hash="aaa",
+            actual_hash="bbb",
+        )
+        d = alert.to_dict()
+        assert d["memory_id"] == "abc"
+        assert d["expected_hash"] == "aaa"
+        assert d["actual_hash"] == "bbb"
+        assert d["severity"] == "CRITICAL"
+        assert "tamper" in d["message"].lower() or "integrity" in d["message"].lower()
+        assert "detected_at" in d
+
+    def test_repr(self):
+        alert = TamperAlert("x", "a", "b")
+        assert "x" in repr(alert)
+
+
+# ---------------------------------------------------------------------------
+# FortifiedMemoryStore tests
+# ---------------------------------------------------------------------------
+
+class TestFortifiedMemoryStore:
+    def test_snapshot_seals_memory(self, fortress):
+        mem = fortress.snapshot("Test title", "Test content")
+        assert mem.integrity_hash != "", "Memory should be sealed on write"
+
+    def test_recall_passes_clean_memory(self, fortress):
+        mem = fortress.snapshot("Clean", "No tampering here")
+        recalled = fortress.recall(mem.id)
+        assert recalled is not None
+        assert "integrity_warning" not in recalled.metadata
+
+    def test_recall_missing_returns_none(self, fortress):
+        result = fortress.recall("nonexistent-id")
+        assert result is None
+
+    def test_tamper_detection_triggers_callback(self, fortress, tmp_path):
+        alerts_received: list[TamperAlert] = []
+        fortress.register_alert_callback(alerts_received.append)
+
+        mem = fortress.snapshot("Secret", "Original content")
+
+        # Tamper: directly modify the stored memory file
+        # We need to find and corrupt the JSON
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        backend = fortress.primary
+        # Load raw, mutate, save back bypassing seal
+        raw = backend.load(mem.id)
+        assert raw is not None
+        raw.content = "TAMPERED CONTENT"
+        raw.integrity_hash = mem.integrity_hash  # keep old hash
+        backend.save(raw)  # save tampered version with original hash
+
+        # Now recall — should trigger tamper alert
+        recalled = fortress.recall(mem.id)
+        assert recalled is not None
+        assert "integrity_warning" in recalled.metadata
+        assert len(alerts_received) == 1
+        alert = alerts_received[0]
+        assert alert.memory_id == mem.id
+        assert alert.expected_hash == mem.integrity_hash
+
+    def test_forget_audited(self, fortress):
+        mem = fortress.snapshot("Temp", "Will be deleted")
+        fortress.forget(mem.id)
+        trail = fortress.audit_trail(10)
+        ops = [r["op"] for r in trail]
+        assert "delete" in ops
+
+    def test_audit_trail_records_all_ops(self, fortress):
+        mem = fortress.snapshot("Op tracking", "content")
+        fortress.recall(mem.id)
+        fortress.forget(mem.id)
+
+        trail = fortress.audit_trail(10)
+        ops = [r["op"] for r in trail]
+        assert "store" in ops
+        assert "recall" in ops
+        assert "delete" in ops
+
+    def test_verify_all_clean_store(self, fortress):
+        for i in range(5):
+            fortress.snapshot(f"Memory {i}", f"Content {i}")
+        result = fortress.verify_all()
+        assert result["total"] == 5
+        assert result["passed"] == 5
+        assert result["tampered"] == []
+
+    def test_verify_all_finds_tampered(self, fortress):
+        alerts: list[TamperAlert] = []
+        fortress.register_alert_callback(alerts.append)
+
+        mem = fortress.snapshot("Good memory", "Original")
+
+        # Tamper via backend
+        raw = fortress.primary.load(mem.id)
+        raw.content = "CORRUPTED"
+        raw.integrity_hash = mem.integrity_hash
+        fortress.primary.save(raw)
+
+        result = fortress.verify_all()
+        assert mem.id in result["tampered"]
+        assert len(alerts) > 0
+
+    def test_verify_audit_chain(self, fortress):
+        fortress.snapshot("A", "a")
+        fortress.snapshot("B", "b")
+        ok, errors = fortress.verify_audit_chain()
+        assert ok, errors
+
+    def test_encryption_not_configured_raises(self, fortress):
+        with pytest.raises(RuntimeError, match="not configured"):
+            fortress.encrypt_payload('{"test": 1}')
+
+    def test_encryption_active_false_by_default(self, fortress):
+        assert fortress.encryption_active is False
+
+    def test_multiple_callbacks(self, fortress):
+        c1, c2 = [], []
+        fortress.register_alert_callback(c1.append)
+        fortress.register_alert_callback(c2.append)
+
+        mem = fortress.snapshot("Multi", "content")
+        raw = fortress.primary.load(mem.id)
+        raw.content = "bad"
+        raw.integrity_hash = mem.integrity_hash
+        fortress.primary.save(raw)
+
+        fortress.recall(mem.id)
+        assert len(c1) == 1
+        assert len(c2) == 1
+
+    def test_unsealed_memory_passes_silently(self, fortress):
+        """A memory with no integrity_hash is not flagged as tampered."""
+        mem = fortress.snapshot("Unsealed", "content")
+        raw = fortress.primary.load(mem.id)
+        raw.integrity_hash = ""  # strip the seal
+        fortress.primary.save(raw)
+
+        recalled = fortress.recall(mem.id)
+        assert recalled is not None
+        # Should not have a warning — unsealed != tampered
+        assert "integrity_warning" not in recalled.metadata

package/tests/test_fortress_hardening.py

@@ -0,0 +1,444 @@
+"""Tests for Memory Fortress hardening — Sprint 6 Layer 3.
+
+Covers:
+- VaultedSQLiteBackend: transparent AES-256-GCM at-rest encryption
+- FortifiedMemoryStore with vault_passphrase
+- seal_all / unseal_all / vault_status
+- Mixed (partially-encrypted) store migration
+- CLI fortress and vault commands
+"""
+
+from __future__ import annotations
+
+import json
+import tempfile
+from pathlib import Path
+
+import pytest
+
+try:
+    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+
+    CRYPTO_AVAILABLE = True
+except ImportError:
+    CRYPTO_AVAILABLE = False
+
+from skmemory.vault import VAULT_HEADER, MemoryVault
+
+pytestmark = pytest.mark.skipif(
+    not CRYPTO_AVAILABLE,
+    reason="cryptography package not installed",
+)
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def vaulted_backend(tmp_path):
+    """A VaultedSQLiteBackend with a temp directory."""
+    from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+
+    return VaultedSQLiteBackend(
+        passphrase="pengu-nation-test-key", base_path=str(tmp_path / "memories")
+    )
+
+
+@pytest.fixture
+def plain_backend(tmp_path):
+    """A plain SQLiteBackend for comparison / migration tests."""
+    from skmemory.backends.sqlite_backend import SQLiteBackend
+
+    return SQLiteBackend(base_path=str(tmp_path / "memories"))
+
+
+@pytest.fixture
+def fortress_vaulted(tmp_path):
+    """A FortifiedMemoryStore backed by VaultedSQLiteBackend."""
+    from skmemory.fortress import FortifiedMemoryStore
+
+    return FortifiedMemoryStore(
+        vault_passphrase="pengu-test-passphrase",
+        audit_path=tmp_path / "audit.jsonl",
+        use_sqlite=False,
+        base_path=str(tmp_path / "memories"),
+    )
+
+
+# ---------------------------------------------------------------------------
+# VaultedSQLiteBackend tests
+# ---------------------------------------------------------------------------
+
+
+class TestVaultedSQLiteBackend:
+    def test_save_produces_encrypted_file(self, vaulted_backend, tmp_path):
+        """Saved memory files must start with the SKMV1 vault header."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Secret", content="Classified info")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        # Find the written file
+        files = list((tmp_path / "memories").rglob("*.json"))
+        assert len(files) == 1, "Expected exactly one memory file"
+        raw = files[0].read_bytes()
+        assert raw[: len(VAULT_HEADER)] == VAULT_HEADER, "File must be vault-encrypted"
+
+    def test_load_roundtrip(self, vaulted_backend):
+        """Save then load should return the original memory content."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Trip Memory", content="The roundtrip works perfectly")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        loaded = vaulted_backend.load(mem.id)
+        assert loaded is not None
+        assert loaded.title == "Trip Memory"
+        assert loaded.content == "The roundtrip works perfectly"
+
+    def test_list_memories_with_encryption(self, vaulted_backend):
+        """list_memories should decrypt transparently."""
+        from skmemory.models import Memory
+
+        for i in range(3):
+            mem = Memory(title=f"Memory {i}", content=f"Content {i}")
+            mem.seal()
+            vaulted_backend.save(mem)
+
+        results = vaulted_backend.list_memories(limit=10)
+        assert len(results) == 3
+        titles = {m.title for m in results}
+        assert titles == {"Memory 0", "Memory 1", "Memory 2"}
+
+    def test_reindex_with_encrypted_files(self, vaulted_backend):
+        """reindex() should correctly parse encrypted files."""
+        from skmemory.models import Memory
+
+        for i in range(4):
+            mem = Memory(title=f"Reindex {i}", content=f"Data {i}")
+            mem.seal()
+            vaulted_backend.save(mem)
+
+        count = vaulted_backend.reindex()
+        assert count == 4
+
+    def test_seal_all_encrypts_plaintext(self, tmp_path):
+        """seal_all() should encrypt any plaintext JSON files."""
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+        from skmemory.models import Memory
+
+        mem_path = tmp_path / "memories"
+
+        # First write plaintext via plain backend
+        plain = SQLiteBackend(base_path=str(mem_path))
+        for i in range(3):
+            mem = Memory(title=f"Plain {i}", content=f"Unencrypted {i}")
+            mem.seal()
+            plain.save(mem)
+        plain.close()
+
+        # Now create vaulted backend and seal_all
+        vaulted = VaultedSQLiteBackend(passphrase="seal-test", base_path=str(mem_path))
+        count = vaulted.seal_all()
+        assert count == 3
+
+        # All files should now have vault header
+        for json_file in mem_path.rglob("*.json"):
+            raw = json_file.read_bytes()
+            assert raw[: len(VAULT_HEADER)] == VAULT_HEADER, f"{json_file} not encrypted"
+
+    def test_seal_all_idempotent(self, vaulted_backend):
+        """seal_all() on an already-encrypted store should encrypt 0 files."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Already sealed", content="content")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        count = vaulted_backend.seal_all()
+        assert count == 0, "Re-sealing should skip already-encrypted files"
+
+    def test_unseal_all_decrypts(self, tmp_path):
+        """unseal_all() should decrypt all vault files back to plaintext JSON."""
+        from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+        from skmemory.models import Memory
+
+        mem_path = tmp_path / "memories"
+        vaulted = VaultedSQLiteBackend(passphrase="unseal-test", base_path=str(mem_path))
+
+        for i in range(2):
+            mem = Memory(title=f"Sealed {i}", content=f"Encrypted {i}")
+            mem.seal()
+            vaulted.save(mem)
+
+        count = vaulted.unseal_all()
+        assert count == 2
+
+        # Files should now be valid JSON (not encrypted)
+        for json_file in mem_path.rglob("*.json"):
+            raw = json_file.read_bytes()
+            assert raw[: len(VAULT_HEADER)] != VAULT_HEADER, f"{json_file} still encrypted"
+            parsed = json.loads(raw.decode("utf-8"))
+            assert "title" in parsed
+
+    def test_vault_status_all_encrypted(self, vaulted_backend):
+        """vault_status() should report 100% coverage when all files are encrypted."""
+        from skmemory.models import Memory
+
+        for i in range(3):
+            mem = Memory(title=f"Status {i}", content=f"Data {i}")
+            mem.seal()
+            vaulted_backend.save(mem)
+
+        status = vaulted_backend.vault_status()
+        assert status["total"] == 3
+        assert status["encrypted"] == 3
+        assert status["plaintext"] == 0
+        assert status["coverage_pct"] == 100.0
+
+    def test_vault_status_empty_store(self, vaulted_backend):
+        """vault_status() on an empty store should report 100% (trivially)."""
+        status = vaulted_backend.vault_status()
+        assert status["total"] == 0
+        assert status["coverage_pct"] == 100.0
+
+    def test_wrong_passphrase_fails_load(self, tmp_path):
+        """Loading with wrong passphrase should return None (graceful failure)."""
+        from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+        from skmemory.models import Memory
+
+        mem_path = tmp_path / "memories"
+        correct = VaultedSQLiteBackend(passphrase="correct-key", base_path=str(mem_path))
+        mem = Memory(title="Locked", content="Top secret")
+        mem.seal()
+        correct.save(mem)
+
+        wrong = VaultedSQLiteBackend(passphrase="wrong-key", base_path=str(mem_path))
+        result = wrong.load(mem.id)
+        assert result is None, "Wrong passphrase should return None, not raise"
+
+    def test_export_all_decrypts(self, vaulted_backend, tmp_path):
+        """export_all() should produce a plaintext JSON backup."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Export Test", content="Exportable content")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        backup_path = str(tmp_path / "backup.json")
+        out_path = vaulted_backend.export_all(output_path=backup_path)
+
+        backup = json.loads(Path(out_path).read_text())
+        assert backup["memory_count"] == 1
+        assert backup["memories"][0]["title"] == "Export Test"
+
+
+# ---------------------------------------------------------------------------
+# FortifiedMemoryStore + vault_passphrase integration
+# ---------------------------------------------------------------------------
+
+
+class TestFortifiedMemoryStoreVault:
+    def test_vault_passphrase_activates_encryption(self, fortress_vaulted, tmp_path):
+        """FortifiedMemoryStore with vault_passphrase should encrypt files."""
+        mem = fortress_vaulted.snapshot("Vaulted Title", "Encrypted content")
+
+        # Find the physical file
+        base = fortress_vaulted.primary.base_path
+        files = list(base.rglob("*.json"))
+        assert len(files) == 1
+        raw = files[0].read_bytes()
+        assert raw[: len(VAULT_HEADER)] == VAULT_HEADER, "File should be vault-encrypted"
+
+    def test_vault_active_property(self, fortress_vaulted):
+        """vault_active should be True when vault_passphrase is set."""
+        assert fortress_vaulted.vault_active is True
+
+    def test_vault_active_false_by_default(self, tmp_path):
+        """vault_active should be False without vault_passphrase."""
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.fortress import FortifiedMemoryStore
+
+        backend = SQLiteBackend(base_path=str(tmp_path / "memories"))
+        fortress = FortifiedMemoryStore(
+            primary=backend,
+            use_sqlite=False,
+            audit_path=tmp_path / "audit.jsonl",
+        )
+        assert fortress.vault_active is False
+
+    def test_recall_after_vault_store(self, fortress_vaulted):
+        """recall() should transparently decrypt and verify integrity."""
+        mem = fortress_vaulted.snapshot("Recall Test", "Content for recall")
+        recalled = fortress_vaulted.recall(mem.id)
+
+        assert recalled is not None
+        assert recalled.title == "Recall Test"
+        assert recalled.content == "Content for recall"
+        assert "integrity_warning" not in recalled.metadata
+
+    def test_tamper_alert_on_encrypted_store(self, fortress_vaulted, tmp_path):
+        """Tamper alert should fire even when vault is active."""
+        alerts = []
+        fortress_vaulted.register_alert_callback(alerts.append)
+
+        mem = fortress_vaulted.snapshot("Tamper Me", "Original")
+
+        # Directly corrupt the stored file (bypass encryption by writing junk)
+        raw = fortress_vaulted.primary.load(mem.id)
+        raw.content = "TAMPERED"
+        raw.integrity_hash = mem.integrity_hash  # old hash
+        fortress_vaulted.primary.save(raw)
+
+        recalled = fortress_vaulted.recall(mem.id)
+        assert recalled is not None
+        assert "integrity_warning" in recalled.metadata
+        assert len(alerts) == 1
+
+    def test_vault_status_method(self, fortress_vaulted):
+        """vault_status() on FortifiedMemoryStore should report coverage."""
+        fortress_vaulted.snapshot("Coverage Test", "data")
+        status = fortress_vaulted.vault_status()
+        assert status["total"] == 1
+        assert status["encrypted"] == 1
+        assert status["coverage_pct"] == 100.0
+
+    def test_vault_status_raises_without_vault(self, tmp_path):
+        """vault_status() raises when no vault is configured."""
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.fortress import FortifiedMemoryStore
+
+        backend = SQLiteBackend(base_path=str(tmp_path / "memories"))
+        fortress = FortifiedMemoryStore(
+            primary=backend,
+            use_sqlite=False,
+            audit_path=tmp_path / "audit.jsonl",
+        )
+        with pytest.raises(RuntimeError, match="vault_passphrase"):
+            fortress.vault_status()
+
+    def test_seal_vault_audited(self, fortress_vaulted):
+        """seal_vault() should append an audit record."""
+        fortress_vaulted.snapshot("Pre-existing", "data")
+        fortress_vaulted.seal_vault()
+
+        trail = fortress_vaulted.audit_trail(10)
+        ops = [r["op"] for r in trail]
+        assert "vault_seal" in ops
+
+    def test_unseal_vault(self, fortress_vaulted, tmp_path):
+        """unseal_vault() should decrypt all files and audit the action."""
+        fortress_vaulted.snapshot("Will unseal", "data")
+        count = fortress_vaulted.unseal_vault()
+        assert count >= 0  # Unseal ran without error
+
+        trail = fortress_vaulted.audit_trail(10)
+        ops = [r["op"] for r in trail]
+        assert "vault_unseal" in ops
+
+    def test_verify_all_with_vault(self, fortress_vaulted):
+        """verify_all() should work correctly on an encrypted store."""
+        for i in range(3):
+            fortress_vaulted.snapshot(f"Verify {i}", f"Content {i}")
+
+        result = fortress_vaulted.verify_all()
+        assert result["total"] == 3
+        assert result["passed"] == 3
+        assert result["tampered"] == []
+
+
+# ---------------------------------------------------------------------------
+# CLI integration tests
+# ---------------------------------------------------------------------------
+
+
+class TestFortressCLI:
+    def test_fortress_verify_clean(self, tmp_path):
+        """skmemory fortress verify should exit 0 for a clean store."""
+        from click.testing import CliRunner
+        from skmemory.cli import cli
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.store import MemoryStore
+
+        runner = CliRunner()
+
+        result = runner.invoke(
+            cli,
+            ["fortress", "verify"],
+            obj={
+                "store": MemoryStore(
+                    primary=SQLiteBackend(base_path=str(tmp_path / "memories"))
+                ),
+                "ai": None,
+            },
+        )
+        assert result.exit_code == 0, result.output
+        assert "Total memories" in result.output
+
+    def test_vault_status_cli(self, tmp_path):
+        """skmemory vault status should show encryption coverage."""
+        from click.testing import CliRunner
+        from skmemory.cli import cli
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.store import MemoryStore
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            ["vault", "status"],
+            obj={
+                "store": MemoryStore(
+                    primary=SQLiteBackend(base_path=str(tmp_path / "memories"))
+                ),
+                "ai": None,
+            },
+        )
+        assert result.exit_code == 0, result.output
+        assert "Total files" in result.output
+
+    def test_fortress_audit_cli(self, tmp_path):
+        """skmemory fortress audit should show audit entries."""
+        from click.testing import CliRunner
+        from skmemory.cli import cli
+        from skmemory.fortress import AuditLog
+
+        # Seed an audit entry
+        audit = AuditLog(path=tmp_path / "audit.jsonl")
+        audit.append("store", "test-id", ok=True)
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            ["fortress", "audit"],
+            obj={"store": None, "ai": None},
+            env={"SKMEMORY_HOME": str(tmp_path)},
+        )
+        # May fail if SKMEMORY_HOME is not picked up in test, but should not crash
+        assert result.exit_code in (0, 1)
+
+    def test_vault_seal_cli_requires_passphrase(self, tmp_path):
+        """vault seal without passphrase should prompt or fail."""
+        from click.testing import CliRunner
+        from skmemory.cli import cli
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.store import MemoryStore
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            ["vault", "seal", "--yes"],
+            input="badpass\nbadpass\n",
+            obj={
+                "store": MemoryStore(
+                    primary=SQLiteBackend(base_path=str(tmp_path / "memories"))
+                ),
+                "ai": None,
+            },
+        )
+        # Should succeed (0 files to seal in empty store) or error out cleanly
+        assert result.exit_code in (0, 1, 2)