@tuskydp/cli 0.1.2 → 0.2.0

package/src/commands/download.ts

@@ -8,6 +8,7 @@ import { formatBytes } from '../lib/output.js';
 import { createSpinner } from '../lib/progress.js';
 import { decryptBuffer } from '../crypto.js';
 import { loadMasterKey } from '../lib/keyring.js';
+import { sealDecrypt, getSuiKeypair } from '../seal.js';
 
 export async function downloadCommand(fileId: string, options: {
   output?: string;
@@ -53,21 +54,41 @@ export async function downloadCommand(fileId: string, options: {
     const arrayBuf = await response.arrayBuffer();
     let fileBuffer: Buffer = Buffer.from(new Uint8Array(arrayBuf));
 
-    // Decrypt if needed
+    // Decrypt if needed — dispatch on encryption type
     if (encryption?.encrypted) {
-      spinner.text = 'Decrypting...';
-      const masterKey = loadMasterKey();
-      if (!masterKey) {
-        spinner.fail('Encryption session not unlocked. Run: tusky encryption unlock');
-        return;
+      if ('type' in encryption && encryption.type === 'seal') {
+        // SEAL-encrypted (shared vault)
+        spinner.text = 'SEAL decrypting...';
+        const keypair = getSuiKeypair();
+        if (!keypair) {
+          spinner.fail(
+            'TUSKYDP_SUI_PRIVATE_KEY env var required to decrypt shared vault files (SEAL encryption).',
+          );
+          return;
+        }
+        // Need vault details for SEAL config
+        const fileInfo = await sdk.files.get(fileId);
+        const vault = await sdk.vaults.get(fileInfo.vaultId);
+        const decrypted = await sealDecrypt(new Uint8Array(fileBuffer), vault, keypair);
+        fileBuffer = Buffer.from(decrypted);
+      } else {
+        // Passphrase-encrypted (private vault)
+        spinner.text = 'Decrypting...';
+        const masterKey = loadMasterKey();
+        if (!masterKey) {
+          spinner.fail('Encryption session not unlocked. Run: tusky encryption unlock');
+          return;
+        }
+        // Narrow to passphrase type
+        const enc = encryption as { type: 'passphrase'; encrypted: true; wrappedKey: string; iv: string; plaintextChecksumSha256: string | null };
+        fileBuffer = decryptBuffer(
+          fileBuffer,
+          enc.wrappedKey,
+          enc.iv,
+          masterKey,
+          enc.plaintextChecksumSha256 ?? undefined,
+        );
       }
-      fileBuffer = decryptBuffer(
-        fileBuffer,
-        encryption.wrappedKey!,
-        encryption.iv!,
-        masterKey,
-        encryption.plaintextChecksumSha256 ?? undefined,
-      );
     }
 
     // Write to disk — use getStatus to get filename

package/src/commands/upload.ts

@@ -1,5 +1,6 @@
 import type { Command } from 'commander';
 import { readFileSync, statSync, readdirSync } from 'fs';
+import { randomUUID } from 'crypto';
 import { basename, join, resolve } from 'path';
 import { lookup } from 'mime-types';
 import chalk from 'chalk';
@@ -10,6 +11,7 @@ import { formatBytes } from '../lib/output.js';
 import { createSpinner } from '../lib/progress.js';
 import { encryptBuffer } from '../crypto.js';
 import { loadMasterKey } from '../lib/keyring.js';
+import { isSealConfigured, sealEncrypt, getSuiKeypair } from '../seal.js';
 
 async function expandPaths(paths: string[], recursive?: boolean): Promise<string[]> {
   const result: string[] = [];
@@ -50,6 +52,7 @@ export async function uploadCommand(paths: string[], options: {
   const vaultId = await resolveVault(sdk, options.vault);
   const vault = await sdk.vaults.get(vaultId);
   const isPrivate = vault.visibility === 'private';
+  const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
 
   let masterKey: Buffer | null = null;
   if (isPrivate) {
@@ -60,6 +63,14 @@ export async function uploadCommand(paths: string[], options: {
     }
   }
 
+  if (isShared) {
+    const keypair = getSuiKeypair();
+    if (!keypair) {
+      console.error(chalk.red('TUSKYDP_SUI_PRIVATE_KEY env var required for shared vault uploads (SEAL encryption).'));
+      process.exit(1);
+    }
+  }
+
   const filePaths = await expandPaths(paths, options.recursive);
   if (filePaths.length === 0) {
     console.log(chalk.yellow('No files to upload.'));
@@ -84,6 +95,8 @@ export async function uploadCommand(paths: string[], options: {
         encryptionIv?: string;
         plaintextSizeBytes?: number;
         plaintextChecksumSha256?: string;
+        sealIdentity?: string;
+        sealEncryptedObject?: string;
       } = {};
 
       if (isPrivate && masterKey) {
@@ -96,6 +109,16 @@ export async function uploadCommand(paths: string[], options: {
           plaintextSizeBytes: stat.size,
           plaintextChecksumSha256: plaintextChecksum,
         };
+      } else if (isShared) {
+        spinner.text = `SEAL encrypting ${basename(filePath)}...`;
+        const fileNonce = randomUUID();
+        const sealResult = await sealEncrypt(new Uint8Array(fileBuffer), vault, fileNonce);
+        uploadBody = Buffer.from(sealResult.encryptedData);
+        encryptionMeta = {
+          sealIdentity: sealResult.sealIdentity,
+          sealEncryptedObject: sealResult.sealEncryptedObject,
+          plaintextSizeBytes: stat.size,
+        };
       } else {
         uploadBody = fileBuffer;
       }
@@ -137,7 +160,7 @@ export async function uploadCommand(paths: string[], options: {
   }
 
   if (filePaths.length > 1) {
-    const icon = isPrivate ? 'private' : 'public';
-    console.log(`\nUploaded ${successCount} file(s) (${formatBytes(totalSize)}) to vault "${vault.name}" [${icon}]`);
+    const label = isPrivate ? 'private' : isShared ? 'shared' : 'public';
+    console.log(`\nUploaded ${successCount} file(s) (${formatBytes(totalSize)}) to vault "${vault.name}" [${label}]`);
   }
 }

package/src/commands/vault.ts

@@ -3,19 +3,35 @@ import chalk from 'chalk';
 import inquirer from 'inquirer';
 import { cliConfig } from '../config.js';
 import { getSDKClientFromParent } from '../sdk.js';
-import { createTable, formatBytes, shortId } from '../lib/output.js';
+import { createTable, formatBytes, formatDate, shortId } from '../lib/output.js';
 import { resolveVault } from '../lib/resolve.js';
 
+/** Map vault visibility to a display label. */
+function visibilityLabel(v: string): string {
+  if (v === 'private') return 'private';
+  if (v === 'shared') return 'shared';
+  return 'public';
+}
+
 export function registerVaultCommands(program: Command) {
   const vault = program.command('vault').description('Manage vaults');
 
+  // ── create ──────────────────────────────────────────────────────────
   vault.command('create <name>')
     .description('Create a new vault (private/encrypted by default)')
     .option('--public', 'Create as public vault (unencrypted, shareable via URL)')
+    .option('--shared', 'Create as shared vault (SEAL-encrypted, requires linked Sui address)')
     .option('--description <text>', 'Vault description')
     .action(async (name: string, options) => {
       const sdk = getSDKClientFromParent(vault);
-      const visibility = options.public ? 'public' as const : 'private' as const;
+      let visibility: 'public' | 'private' | 'shared' = 'private';
+      if (options.public) visibility = 'public';
+      if (options.shared) visibility = 'shared';
+
+      if (options.public && options.shared) {
+        console.error(chalk.red('Cannot use both --public and --shared.'));
+        return;
+      }
 
       if (visibility === 'private') {
         try {
@@ -30,11 +46,28 @@ export function registerVaultCommands(program: Command) {
         }
       }
 
+      if (visibility === 'shared') {
+        try {
+          const acct = await sdk.account.get();
+          if (!(acct as any).suiAddress) {
+            console.error(chalk.red('A Sui address must be linked to create shared vaults.'));
+            console.error(chalk.dim('  Run: tusky account link-sui <address>'));
+            return;
+          }
+        } catch {
+          // Proceed and let the API return the error
+        }
+      }
+
       const created = await sdk.vaults.create({ name, description: options.description, visibility });
-      const icon = visibility === 'private' ? 'private' : 'public';
-      console.log(chalk.green(`Created ${visibility} vault [${icon}] "${created.name}" (${created.id})`));
+      console.log(chalk.green(`Created ${visibility} vault [${visibilityLabel(visibility)}] "${created.name}" (${created.id})`));
+
+      if (visibility === 'shared' && created.sealAllowlistObjectId) {
+        console.log(chalk.dim(`  SEAL allowlist: ${created.sealAllowlistObjectId}`));
+      }
     });
 
+  // ── list ────────────────────────────────────────────────────────────
   vault.command('list')
     .description('List all vaults')
     .action(async () => {
@@ -54,11 +87,10 @@ export function registerVaultCommands(program: Command) {
 
       const table = createTable(['Name', 'Slug', 'Visibility', 'Files', 'Size', 'ID']);
       for (const v of vaults) {
-        const visIcon = v.visibility === 'private' ? 'private' : 'public';
         table.push([
           v.isDefault ? `${v.name} ${chalk.dim('(default)')}` : v.name,
           v.slug,
-          visIcon,
+          visibilityLabel(v.visibility),
           String(v.fileCount),
           formatBytes(v.totalSizeBytes),
           chalk.dim(shortId(v.id)),
@@ -67,6 +99,40 @@ export function registerVaultCommands(program: Command) {
       console.log(table.toString());
     });
 
+  // ── shared ──────────────────────────────────────────────────────────
+  vault.command('shared')
+    .description('List shared vaults you are a member of (not owner)')
+    .action(async () => {
+      const sdk = getSDKClientFromParent(vault);
+      const format = program.opts().format || cliConfig.get('outputFormat');
+      const { vaults } = await sdk.sharedVaults.list();
+
+      if (format === 'json') {
+        console.log(JSON.stringify(vaults, null, 2));
+        return;
+      }
+
+      if (vaults.length === 0) {
+        console.log(chalk.dim('No shared vault memberships found.'));
+        return;
+      }
+
+      const table = createTable(['Name', 'Slug', 'Role', 'Files', 'Size', 'Granted', 'ID']);
+      for (const entry of vaults) {
+        table.push([
+          entry.vault.name,
+          entry.vault.slug,
+          entry.role,
+          String(entry.vault.fileCount),
+          formatBytes(entry.vault.totalSizeBytes),
+          formatDate(entry.grantedAt),
+          chalk.dim(shortId(entry.vault.id)),
+        ]);
+      }
+      console.log(table.toString());
+    });
+
+  // ── info ────────────────────────────────────────────────────────────
   vault.command('info <vault>')
     .description('Show vault details')
     .action(async (vaultRef: string) => {
@@ -82,15 +148,47 @@ export function registerVaultCommands(program: Command) {
 
       console.log(`Name:        ${v.name}`);
       console.log(`Slug:        ${v.slug}`);
-      console.log(`Visibility:  ${v.visibility === 'private' ? 'private' : 'public'}`);
+      console.log(`Visibility:  ${visibilityLabel(v.visibility)}`);
       console.log(`Description: ${v.description || chalk.dim('(none)')}`);
       console.log(`Files:       ${v.fileCount}`);
       console.log(`Total Size:  ${formatBytes(v.totalSizeBytes)}`);
       console.log(`Default:     ${v.isDefault ? 'Yes' : 'No'}`);
       console.log(`Created:     ${new Date(v.createdAt).toLocaleString()}`);
       console.log(`ID:          ${v.id}`);
+
+      if (v.visibility === 'shared') {
+        console.log('');
+        console.log(chalk.bold('SEAL Configuration:'));
+        console.log(`  Allowlist:   ${v.sealAllowlistObjectId || chalk.dim('(none)')}`);
+        console.log(`  Package:     ${v.sealPackageId || chalk.dim('(none)')}`);
+        console.log(`  Threshold:   ${v.sealThreshold ?? chalk.dim('(none)')}`);
+        console.log(`  Key Servers: ${v.sealKeyServerIds?.length ?? 0}`);
+      }
+    });
+
+  // ── update ──────────────────────────────────────────────────────────
+  vault.command('update <vault>')
+    .description('Update vault name and/or description')
+    .option('--name <name>', 'New vault name')
+    .option('--description <text>', 'New vault description')
+    .action(async (vaultRef: string, options) => {
+      const sdk = getSDKClientFromParent(vault);
+      const vaultId = await resolveVault(sdk, vaultRef);
+
+      if (!options.name && !options.description) {
+        console.error(chalk.red('Provide --name and/or --description to update.'));
+        return;
+      }
+
+      const params: { name?: string; description?: string } = {};
+      if (options.name) params.name = options.name;
+      if (options.description) params.description = options.description;
+
+      await sdk.vaults.update(vaultId, params);
+      console.log(chalk.green('Vault updated.'));
     });
 
+  // ── rename (alias for update --name) ────────────────────────────────
   vault.command('rename <vault> <new-name>')
     .description('Rename a vault')
     .action(async (vaultRef: string, newName: string) => {
@@ -100,6 +198,7 @@ export function registerVaultCommands(program: Command) {
       console.log(chalk.green(`Vault renamed to "${newName}"`));
     });
 
+  // ── delete ──────────────────────────────────────────────────────────
   vault.command('delete <vault>')
     .description('Delete a vault')
     .option('--force', 'Delete vault and all its files')
@@ -121,6 +220,7 @@ export function registerVaultCommands(program: Command) {
       console.log(chalk.green('Vault deleted.'));
     });
 
+  // ── set-default ─────────────────────────────────────────────────────
   vault.command('set-default <vault>')
     .description('Set the default vault for uploads')
     .action(async (vaultRef: string) => {
@@ -129,4 +229,55 @@ export function registerVaultCommands(program: Command) {
       cliConfig.set('defaultVault', vaultId);
       console.log(chalk.green(`Default vault set to ${vaultRef}`));
     });
+
+  // ── members ─────────────────────────────────────────────────────────
+  const members = vault.command('members').description('Manage shared vault members');
+
+  members.command('list <vault>')
+    .description('List members of a shared vault')
+    .action(async (vaultRef: string) => {
+      const sdk = getSDKClientFromParent(vault);
+      const format = program.opts().format || cliConfig.get('outputFormat');
+      const vaultId = await resolveVault(sdk, vaultRef);
+      const { members: memberList } = await sdk.sharedVaults.listMembers(vaultId);
+
+      if (format === 'json') {
+        console.log(JSON.stringify(memberList, null, 2));
+        return;
+      }
+
+      if (memberList.length === 0) {
+        console.log(chalk.dim('No members found.'));
+        return;
+      }
+
+      const table = createTable(['Sui Address', 'Role', 'Granted', 'Member ID']);
+      for (const m of memberList) {
+        table.push([
+          m.suiAddress,
+          m.role,
+          formatDate(m.grantedAt),
+          chalk.dim(shortId(m.id)),
+        ]);
+      }
+      console.log(table.toString());
+    });
+
+  members.command('add <vault> <sui-address>')
+    .description('Grant access to a shared vault by Sui address')
+    .action(async (vaultRef: string, suiAddress: string) => {
+      const sdk = getSDKClientFromParent(vault);
+      const vaultId = await resolveVault(sdk, vaultRef);
+      const { member } = await sdk.sharedVaults.addMember(vaultId, { suiAddress });
+      console.log(chalk.green(`Access granted to ${suiAddress} (member ID: ${member.id})`));
+    });
+
+  members.command('remove <vault> <member-id>')
+    .description('Revoke access from a shared vault member')
+    .action(async (vaultRef: string, memberId: string) => {
+      const sdk = getSDKClientFromParent(vault);
+      const vaultId = await resolveVault(sdk, vaultRef);
+      await sdk.sharedVaults.removeMember(vaultId, memberId);
+      console.log(chalk.green(`Access revoked for member ${memberId}`));
+    });
 }

package/src/config.ts

@@ -36,3 +36,11 @@ export function getOutputFormat(override?: string): 'table' | 'json' | 'plain' {
   if (override && VALID_FORMATS.has(override)) return override as 'table' | 'json' | 'plain';
   return cliConfig.get('outputFormat');
 }
+
+/**
+ * Get the Sui private key for SEAL operations on shared vaults.
+ * Only read from env var (never persisted to config for security).
+ */
+export function getSuiPrivateKey(): string | null {
+  return process.env.TUSKYDP_SUI_PRIVATE_KEY || null;
+}

package/src/mcp/context.ts

@@ -1,11 +1,13 @@
 /**
  * Shared context for MCP tool handlers.
  *
- * Holds the authenticated SDK client and (optionally) the unlocked
- * master key for client-side encryption/decryption of private vault files.
+ * Holds the authenticated SDK client, the unlocked master key for
+ * private vault encryption, and the Sui keypair for shared vault
+ * SEAL encryption/decryption.
  */
 
 import type { TuskyClient } from '@tuskydp/sdk';
+import type { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
 
 export interface McpContext {
   /** Authenticated Tusky SDK client. */
@@ -19,4 +21,13 @@ export interface McpContext {
 
   /** True when the master key is available for encrypt/decrypt operations. */
   isEncryptionReady(): boolean;
+
+  /**
+   * Returns the Sui Ed25519 keypair for SEAL operations, or null if
+   * TUSKYDP_SUI_PRIVATE_KEY was not provided.
+   */
+  getSuiKeypair(): Ed25519Keypair | null;
+
+  /** True when the Sui keypair is available for shared vault operations. */
+  isSealReady(): boolean;
 }

package/src/mcp/server.ts

@@ -15,6 +15,7 @@ import {
   unwrapMasterKey,
 } from '../crypto.js';
 import { loadMasterKey } from '../lib/keyring.js';
+import { getSuiKeypair } from '../seal.js';
 import type { McpContext } from './context.js';
 
 // Tool registrars
@@ -23,6 +24,7 @@ import { registerVaultTools } from './tools/vaults.js';
 import { registerFolderTools } from './tools/folders.js';
 import { registerFileTools } from './tools/files.js';
 import { registerTrashTools } from './tools/trash.js';
+import { registerSharedVaultTools } from './tools/sharedVaults.js';
 
 // ---------------------------------------------------------------------------
 // Encryption bootstrap
@@ -113,11 +115,21 @@ export async function startMcpServer(options: McpServerOptions): Promise<void> {
     console.error('[tusky-mcp] Set TUSKYDP_PASSWORD env var or run `tusky encryption unlock` first.');
   }
 
+  // Load Sui keypair for SEAL shared vault operations (best effort)
+  const suiKeypair = getSuiKeypair();
+  if (suiKeypair) {
+    console.error(`[tusky-mcp] Sui wallet loaded (${suiKeypair.toSuiAddress()}) — shared vault operations available.`);
+  } else {
+    console.error('[tusky-mcp] No TUSKYDP_SUI_PRIVATE_KEY — shared vault encrypt/decrypt unavailable.');
+  }
+
   // Build context
   const ctx: McpContext = {
     sdk,
     getMasterKey: () => masterKey,
     isEncryptionReady: () => masterKey !== null,
+    getSuiKeypair: () => suiKeypair,
+    isSealReady: () => suiKeypair !== null,
   };
 
   // Create MCP server
@@ -132,6 +144,7 @@ export async function startMcpServer(options: McpServerOptions): Promise<void> {
   registerFolderTools(server, ctx);
   registerFileTools(server, ctx);
   registerTrashTools(server, ctx);
+  registerSharedVaultTools(server, ctx);
 
   // Connect via stdio transport
   const transport = new StdioServerTransport();

package/src/mcp/tools/files.ts

@@ -2,16 +2,19 @@
  * MCP tools — File operations
  *
  * Handles upload with client-side encryption for private vaults,
- * download with decryption and rehydration polling for cold files.
+ * SEAL encryption for shared vaults, download with decryption and
+ * rehydration polling for cold files.
  */
 
 import { z } from 'zod';
+import { randomUUID } from 'crypto';
 import { readFileSync, writeFileSync, statSync } from 'fs';
 import { basename, resolve, join } from 'path';
 import { lookup } from 'mime-types';
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { McpContext } from '../context.js';
 import { encryptBuffer, decryptBuffer } from '../../crypto.js';
+import { isSealConfigured, sealEncrypt, sealDecrypt } from '../../seal.js';
 import { wrapToolError } from './helpers.js';
 
 // ---------------------------------------------------------------------------
@@ -76,22 +79,39 @@ async function fetchAndDecryptFile(fileId: string, ctx: McpContext) {
   const arrayBuf = await response.arrayBuffer();
   let fileBuffer: Buffer = Buffer.from(arrayBuf as ArrayBuffer);
 
-  // Decrypt if needed
+  // Decrypt if needed — dispatch on encryption type
   if (encryption?.encrypted) {
-    const masterKey = ctx.getMasterKey();
-    if (!masterKey) {
-      throw new Error(
-        'Encryption passphrase required to decrypt this file. ' +
-        'Set the TUSKYDP_PASSWORD environment variable in your MCP server config.',
+    if ('type' in encryption && encryption.type === 'seal') {
+      // SEAL-encrypted (shared vault)
+      const keypair = ctx.getSuiKeypair();
+      if (!keypair) {
+        throw new Error(
+          'Sui wallet key required to decrypt shared vault files. ' +
+          'Set the TUSKYDP_SUI_PRIVATE_KEY environment variable in your MCP server config.',
+        );
+      }
+      const fileInfo = await ctx.sdk.files.get(fileId);
+      const vault = await ctx.sdk.vaults.get(fileInfo.vaultId);
+      const decrypted = await sealDecrypt(new Uint8Array(fileBuffer), vault, keypair);
+      fileBuffer = Buffer.from(decrypted);
+    } else {
+      // Passphrase-encrypted (private vault)
+      const masterKey = ctx.getMasterKey();
+      if (!masterKey) {
+        throw new Error(
+          'Encryption passphrase required to decrypt this file. ' +
+          'Set the TUSKYDP_PASSWORD environment variable in your MCP server config.',
+        );
+      }
+      const enc = encryption as { type: 'passphrase'; encrypted: true; wrappedKey: string; iv: string; plaintextChecksumSha256: string | null };
+      fileBuffer = decryptBuffer(
+        fileBuffer,
+        enc.wrappedKey,
+        enc.iv,
+        masterKey,
+        enc.plaintextChecksumSha256 ?? undefined,
       );
     }
-    fileBuffer = decryptBuffer(
-      fileBuffer,
-      encryption.wrappedKey!,
-      encryption.iv!,
-      masterKey,
-      encryption.plaintextChecksumSha256 ?? undefined,
-    );
   }
 
   return { fileBuffer, encryption };
@@ -111,6 +131,7 @@ async function encryptAndUpload(
 ) {
   const vault = await ctx.sdk.vaults.get(vaultId);
   const isPrivate = vault.visibility === 'private';
+  const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
 
   let uploadBody: Buffer;
   let encryptionMeta: {
@@ -118,6 +139,8 @@ async function encryptAndUpload(
     encryptionIv?: string;
     plaintextSizeBytes?: number;
     plaintextChecksumSha256?: string;
+    sealIdentity?: string;
+    sealEncryptedObject?: string;
   } = {};
 
   if (isPrivate) {
@@ -137,6 +160,23 @@ async function encryptAndUpload(
       plaintextSizeBytes: fileBuffer.length,
       plaintextChecksumSha256: plaintextChecksum,
     };
+  } else if (isShared) {
+    const keypair = ctx.getSuiKeypair();
+    if (!keypair) {
+      throw new Error(
+        'Sui wallet key required for shared vault uploads (SEAL encryption). ' +
+        'Set the TUSKYDP_SUI_PRIVATE_KEY environment variable in your MCP server config.',
+      );
+    }
+
+    const fileNonce = randomUUID();
+    const sealResult = await sealEncrypt(new Uint8Array(fileBuffer), vault, fileNonce);
+    uploadBody = Buffer.from(sealResult.encryptedData);
+    encryptionMeta = {
+      sealIdentity: sealResult.sealIdentity,
+      sealEncryptedObject: sealResult.sealEncryptedObject,
+      plaintextSizeBytes: fileBuffer.length,
+    };
   } else {
     uploadBody = fileBuffer;
   }
@@ -165,7 +205,7 @@ async function encryptAndUpload(
   // Confirm upload
   const file = await ctx.sdk.files.confirmUpload(fileId);
 
-  return { file, isPrivate, uploadedSizeBytes: uploadBody.length };
+  return { file, isPrivate, isShared, uploadedSizeBytes: uploadBody.length };
 }
 
 // ---------------------------------------------------------------------------
@@ -201,7 +241,7 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
         const fileName = basename(resolvedPath);
         const mimeType = lookup(resolvedPath) || 'application/octet-stream';
 
-        const { file, isPrivate, uploadedSizeBytes } = await encryptAndUpload(
+        const { file, isPrivate, isShared, uploadedSizeBytes } = await encryptAndUpload(
           fileBuffer, fileName, mimeType, vaultId, folderId, ctx,
         );
 
@@ -209,7 +249,8 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
           content: [{ type: 'text' as const, text: JSON.stringify({
             ...file,
             localPath: resolvedPath,
-            encrypted: isPrivate,
+            encrypted: isPrivate || isShared,
+            encryptionType: isPrivate ? 'passphrase' : isShared ? 'seal' : 'none',
             uploadedSizeBytes,
           }, null, 2) }],
         };
@@ -241,14 +282,15 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
 
         const mimeType = lookup(name) || 'application/octet-stream';
 
-        const { file, isPrivate, uploadedSizeBytes } = await encryptAndUpload(
+        const { file, isPrivate, isShared, uploadedSizeBytes } = await encryptAndUpload(
           fileBuffer, name, mimeType, vaultId, folderId, ctx,
         );
 
         return {
           content: [{ type: 'text' as const, text: JSON.stringify({
             ...file,
-            encrypted: isPrivate,
+            encrypted: isPrivate || isShared,
+            encryptionType: isPrivate ? 'passphrase' : isShared ? 'seal' : 'none',
             uploadedSizeBytes,
           }, null, 2) }],
         };