@tuskydp/cli 0.1.2 → 0.2.1

package/dist/src/seal.js

@@ -0,0 +1,207 @@
+/**
+ * SEAL encryption service for shared vaults (headless/CLI mode).
+ *
+ * Ported from packages/web/src/lib/seal.ts, adapted for headless use
+ * with an Ed25519 keypair instead of a browser wallet signer.
+ *
+ * Handles client-side encrypt/decrypt using the @mysten/seal SDK.
+ * - Encrypt: uses the vault's Whitelist object ID as the identity namespace
+ * - Decrypt: creates a SessionKey, signs with Ed25519 keypair, builds seal_approve PTB
+ *
+ * Requires TUSKYDP_SUI_PRIVATE_KEY env var for decrypt operations.
+ * Encrypt only requires a Sui RPC client (no signing needed).
+ */
+import { SealClient, SessionKey, EncryptedObject } from '@mysten/seal';
+import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
+import { SuiJsonRpcClient } from '@mysten/sui/jsonRpc';
+import { Transaction } from '@mysten/sui/transactions';
+import { fromHex } from '@mysten/sui/utils';
+import { getSuiPrivateKey } from './config.js';
+// ---------------------------------------------------------------------------
+// Lazy singletons
+// ---------------------------------------------------------------------------
+let _suiClient = null;
+let _suiKeypair = null;
+let _keypairLoaded = false;
+function getSuiNetwork() {
+    const tuskyEnv = process.env.TUSKY_ENV || 'production';
+    const rpcOverride = process.env.SUI_RPC_URL;
+    const network = tuskyEnv === 'development' ? 'testnet' : 'mainnet';
+    const url = rpcOverride || (network === 'testnet'
+        ? 'https://fullnode.testnet.sui.io:443'
+        : 'https://fullnode.mainnet.sui.io:443');
+    return { url, network };
+}
+function getSuiClient() {
+    if (!_suiClient) {
+        const { url, network } = getSuiNetwork();
+        _suiClient = new SuiJsonRpcClient({ url, network });
+    }
+    return _suiClient;
+}
+/**
+ * Load the Sui keypair from TUSKYDP_SUI_PRIVATE_KEY env var.
+ * Returns null if the env var is not set.
+ * Cached after first call.
+ */
+export function getSuiKeypair() {
+    if (_keypairLoaded)
+        return _suiKeypair;
+    _keypairLoaded = true;
+    const privateKey = getSuiPrivateKey();
+    if (!privateKey)
+        return null;
+    try {
+        _suiKeypair = Ed25519Keypair.fromSecretKey(privateKey);
+    }
+    catch {
+        console.error('Invalid TUSKYDP_SUI_PRIVATE_KEY — could not load Ed25519 keypair.');
+        return null;
+    }
+    return _suiKeypair;
+}
+/**
+ * Get the Sui address for the loaded keypair, or null.
+ */
+export function getSuiAddress() {
+    const kp = getSuiKeypair();
+    return kp ? kp.toSuiAddress() : null;
+}
+// ---------------------------------------------------------------------------
+// SealClient factory
+// ---------------------------------------------------------------------------
+const _sealClients = new Map();
+function getSealClient(serverConfigs) {
+    const cacheKey = serverConfigs.map((c) => c.objectId).join(',');
+    let client = _sealClients.get(cacheKey);
+    if (!client) {
+        client = new SealClient({
+            suiClient: getSuiClient(),
+            serverConfigs,
+            verifyKeyServers: true,
+        });
+        _sealClients.set(cacheKey, client);
+    }
+    return client;
+}
+// ---------------------------------------------------------------------------
+// Identity helpers
+// ---------------------------------------------------------------------------
+/**
+ * Build SEAL identity bytes for a file in a shared vault.
+ * Format: [whitelist_object_id_bytes][file_nonce_hex]
+ * Must match the web implementation in packages/web/src/lib/seal.ts.
+ */
+export function buildSealId(whitelistObjectId, fileNonce) {
+    const wlBytes = whitelistObjectId.replace(/^0x/, '');
+    const nonceHex = Array.from(new TextEncoder().encode(fileNonce))
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+    return wlBytes + nonceHex;
+}
+/**
+ * Check if a vault is SEAL-configured (has the necessary on-chain objects).
+ */
+export function isSealConfigured(vault) {
+    return !!(vault.visibility === 'shared' &&
+        vault.sealAllowlistObjectId &&
+        vault.sealPackageId &&
+        vault.sealKeyServerIds?.length);
+}
+/**
+ * Encrypt file data using SEAL for a shared vault.
+ *
+ * Does NOT require a Sui keypair — encryption is purely a client-side
+ * operation using the SEAL key servers and vault's allowlist identity.
+ */
+export async function sealEncrypt(data, vault, fileNonce) {
+    if (!vault.sealAllowlistObjectId || !vault.sealPackageId) {
+        throw new Error('Vault is not configured for SEAL encryption (missing allowlist or package ID)');
+    }
+    const threshold = vault.sealThreshold ?? 1;
+    const serverConfigs = (vault.sealKeyServerIds ?? []).map((id) => ({
+        objectId: id,
+        weight: 1,
+    }));
+    if (serverConfigs.length === 0) {
+        throw new Error('No SEAL key servers configured for this vault');
+    }
+    const sealClient = getSealClient(serverConfigs);
+    const sealIdentity = buildSealId(vault.sealAllowlistObjectId, fileNonce);
+    const { encryptedObject } = await sealClient.encrypt({
+        threshold,
+        packageId: vault.sealPackageId,
+        id: sealIdentity,
+        data,
+    });
+    // Store compact metadata for the API (same format as web app).
+    // The full BCS-encoded EncryptedObject (ciphertext) goes to S3.
+    const sealEncryptedObject = Buffer.from(JSON.stringify({
+        id: sealIdentity,
+        packageId: vault.sealPackageId,
+        threshold,
+    })).toString('base64');
+    return {
+        encryptedData: encryptedObject,
+        sealIdentity,
+        sealEncryptedObject,
+    };
+}
+// ---------------------------------------------------------------------------
+// Decrypt
+// ---------------------------------------------------------------------------
+const SESSION_TTL_MIN = 10;
+/**
+ * Decrypt SEAL-encrypted file data.
+ *
+ * Requires a Sui keypair (TUSKYDP_SUI_PRIVATE_KEY) to sign the SessionKey
+ * and authorize decryption through the SEAL key servers.
+ */
+export async function sealDecrypt(encryptedData, vault, keypair) {
+    if (!vault.sealPackageId || !vault.sealAllowlistObjectId) {
+        throw new Error('Vault is not configured for SEAL decryption');
+    }
+    const serverConfigs = (vault.sealKeyServerIds ?? []).map((id) => ({
+        objectId: id,
+        weight: 1,
+    }));
+    const suiClient = getSuiClient();
+    const sealClient = getSealClient(serverConfigs);
+    const userAddress = keypair.toSuiAddress();
+    // Parse the encrypted object to extract the identity
+    const encryptedObject = EncryptedObject.parse(encryptedData);
+    // Create a session key — in CLI mode we create a fresh one each time
+    // (unlike the web app which caches per vault for 10 minutes).
+    const sessionKey = await SessionKey.create({
+        address: userAddress,
+        packageId: vault.sealPackageId,
+        ttlMin: SESSION_TTL_MIN,
+        suiClient: suiClient,
+    });
+    // Sign the session key with the Ed25519 keypair
+    const personalMessage = sessionKey.getPersonalMessage();
+    const { signature } = await keypair.signPersonalMessage(personalMessage);
+    await sessionKey.setPersonalMessageSignature(signature);
+    // Build the seal_approve transaction kind bytes
+    const tx = new Transaction();
+    tx.setSender(userAddress);
+    tx.moveCall({
+        target: `${vault.sealPackageId}::shared_vault::seal_approve`,
+        arguments: [
+            tx.pure.vector('u8', Array.from(fromHex(encryptedObject.id))),
+            tx.object(vault.sealAllowlistObjectId),
+        ],
+    });
+    const txBytes = await tx.build({
+        client: suiClient,
+        onlyTransactionKind: true,
+    });
+    // Decrypt via SEAL key servers
+    const decrypted = await sealClient.decrypt({
+        data: encryptedData,
+        sessionKey,
+        txBytes,
+    });
+    return decrypted;
+}
+//# sourceMappingURL=seal.js.map

package/dist/src/seal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seal.js","sourceRoot":"","sources":["../../src/seal.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEvE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAG5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,IAAI,UAAU,GAA4B,IAAI,CAAC;AAC/C,IAAI,WAAW,GAA0B,IAAI,CAAC;AAC9C,IAAI,cAAc,GAAG,KAAK,CAAC;AAE3B,SAAS,aAAa;IACpB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,YAAY,CAAC;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IAC5C,MAAM,OAAO,GAAG,QAAQ,KAAK,aAAa,CAAC,CAAC,CAAC,SAAkB,CAAC,CAAC,CAAC,SAAkB,CAAC;IACrF,MAAM,GAAG,GAAG,WAAW,IAAI,CAAC,OAAO,KAAK,SAAS;QAC/C,CAAC,CAAC,qCAAqC;QACvC,CAAC,CAAC,qCAAqC,CAAC,CAAC;IAC3C,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,YAAY;IACnB,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,aAAa,EAAE,CAAC;QACzC,UAAU,GAAG,IAAI,gBAAgB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,cAAc;QAAE,OAAO,WAAW,CAAC;IACvC,cAAc,GAAG,IAAI,CAAC;IAEtB,MAAM,UAAU,GAAG,gBAAgB,EAAE,CAAC;IACtC,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAE7B,IAAI,CAAC;QACH,WAAW,GAAG,cAAc,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,KAAK,CAAC,mEAAmE,CAAC,CAAC;QACnF,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa;IAC3B,MAAM,EAAE,GAAG,aAAa,EAAE,CAAC;IAC3B,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,YAAY,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEnD,SAAS,aAAa,CACpB,aAAqD;IAErD,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAChE,IAAI,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,IAAI,UAAU,CAAC;YACtB,SAAS,EAAE,YAAY,EAAqC;YAC5D,aAAa;YACb,gBAAgB,EAAE,IAAI;SACvB,CAAC,CAAC;QACH,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,iBAAyB,EAAE,SAAiB;IACtE,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;SAC7D,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,OAAO,OAAO,GAAG,QAAQ,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAoB;IACnD,OAAO,CAAC,CAAC,CACP,KAAK,CAAC,UAAU,KAAK,QAAQ;QAC7B,KAAK,CAAC,qBAAqB;QAC3B,KAAK,CAAC,aAAa;QACnB,KAAK,CAAC,gBAAgB,EAAE,MAAM,CAC/B,CAAC;AACJ,CAAC;AAeD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAgB,EAChB,KAAoB,EACpB,SAAiB;IAEjB,IAAI,CAAC,KAAK,CAAC,qBAAqB,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,+EAA+E,CAAC,CAAC;IACnG,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,aAAa,IAAI,CAAC,CAAC;IAC3C,MAAM,aAAa,GAAG,CAAC,KAAK,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAChE,QAAQ,EAAE,EAAE;QACZ,MAAM,EAAE,CAAC;KACV,CAAC,CAAC,CAAC;IAEJ,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,UAAU,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,CAAC,qBAAqB,EAAE,SAAS,CAAC,CAAC;IAEzE,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC;QACnD,SAAS;QACT,SAAS,EAAE,KAAK,CAAC,aAAa;QAC9B,EAAE,EAAE,YAAY;QAChB,IAAI;KACL,CAAC,CAAC;IAEH,+DAA+D;IAC/D,gEAAgE;IAChE,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CACrC,IAAI,CAAC,SAAS,CAAC;QACb,EAAE,EAAE,YAAY;QAChB,SAAS,EAAE,KAAK,CAAC,aAAa;QAC9B,SAAS;KACV,CAAC,CACH,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,OAAO;QACL,aAAa,EAAE,eAAe;QAC9B,YAAY;QACZ,mBAAmB;KACpB,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,aAAyB,EACzB,KAAoB,EACpB,OAAuB;IAEvB,IAAI,CAAC,KAAK,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,qBAAqB,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,KAAK,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAChE,QAAQ,EAAE,EAAE;QACZ,MAAM,EAAE,CAAC;KACV,CAAC,CAAC,CAAC;IAEJ,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;IACjC,MAAM,UAAU,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IAChD,MAAM,WAAW,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAE3C,qDAAqD;IACrD,MAAM,eAAe,GAAG,eAAe,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAE7D,qEAAqE;IACrE,8DAA8D;IAC9D,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC;QACzC,OAAO,EAAE,WAAW;QACpB,SAAS,EAAE,KAAK,CAAC,aAAa;QAC9B,MAAM,EAAE,eAAe;QACvB,SAAS,EAAE,SAA4C;KACxD,CAAC,CAAC;IAEH,gDAAgD;IAChD,MAAM,eAAe,GAAG,UAAU,CAAC,kBAAkB,EAAE,CAAC;IACxD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,eAAe,CAAC,CAAC;IACzE,MAAM,UAAU,CAAC,2BAA2B,CAAC,SAAS,CAAC,CAAC;IAExD,gDAAgD;IAChD,MAAM,EAAE,GAAG,IAAI,WAAW,EAAE,CAAC;IAC7B,EAAE,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC1B,EAAE,CAAC,QAAQ,CAAC;QACV,MAAM,EAAE,GAAG,KAAK,CAAC,aAAa,8BAA8B;QAC5D,SAAS,EAAE;YACT,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAC;YAC7D,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC;SACvC;KACF,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC;QAC7B,MAAM,EAAE,SAAgB;QACxB,mBAAmB,EAAE,IAAI;KAC1B,CAAC,CAAC;IAEH,+BAA+B;IAC/B,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC;QACzC,IAAI,EAAE,aAAa;QACnB,UAAU;QACV,OAAO;KACR,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/package.json

@@ -1,21 +1,15 @@
 {
   "name": "@tuskydp/cli",
-  "version": "0.1.2",
+  "version": "0.2.1",
   "type": "module",
   "bin": {
-    "tusky": "./dist/bin/tuskydp.js"
-  },
-  "scripts": {
-    "dev": "tsx src/index.ts",
-    "build": "tsc",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run",
-    "test:watch": "vitest"
+    "tusky": "./dist/bin/tuskydp.js",
+    "tusky-dev": "./bin/tusky-dev.sh"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
-    "@tuskydp/sdk": "0.1.2",
-    "@tuskydp/shared": "0.1.2",
+    "@mysten/seal": "^1.1.1",
+    "@mysten/sui": "^2.9.0",
     "blessed": "^0.1.81",
     "chalk": "^5.4.1",
     "cli-table3": "^0.6.0",
@@ -24,7 +18,9 @@
     "inquirer": "^12.0.0",
     "mime-types": "^3.0.0",
     "ora": "^8.0.0",
-    "zod": "3"
+    "zod": "3",
+    "@tuskydp/sdk": "0.2.0",
+    "@tuskydp/shared": "0.2.0"
   },
   "devDependencies": {
     "@types/blessed": "^0.1.27",
@@ -32,5 +28,12 @@
     "@types/node": "^22.0.0",
     "tsx": "^4.0.0",
     "typescript": "^5.6.0"
+  },
+  "scripts": {
+    "dev": "tsx src/index.ts",
+    "build": "tsc",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest"
   }
-}
+}

package/src/__tests__/seal.test.ts

@@ -0,0 +1,357 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { buildSealId, isSealConfigured, getSuiKeypair, getSuiAddress } from '../seal.js';
+import type { VaultResponse, EncryptionInfo } from '@tuskydp/sdk';
+
+// ---------------------------------------------------------------------------
+// buildSealId
+// ---------------------------------------------------------------------------
+
+describe('buildSealId', () => {
+  it('concatenates whitelist object ID (without 0x) and nonce hex', () => {
+    const whitelistObjectId = '0xabcdef1234567890';
+    const fileNonce = 'test';
+    const result = buildSealId(whitelistObjectId, fileNonce);
+
+    // 'test' in hex: 74 65 73 74
+    expect(result).toBe('abcdef123456789074657374');
+  });
+
+  it('strips 0x prefix from whitelist object ID', () => {
+    const result = buildSealId('0x1234', 'a');
+    expect(result.startsWith('1234')).toBe(true);
+    expect(result).not.toContain('0x');
+  });
+
+  it('handles whitelist ID without 0x prefix', () => {
+    const result = buildSealId('aabb', 'x');
+    // 'x' = 0x78
+    expect(result).toBe('aabb78');
+  });
+
+  it('handles empty nonce', () => {
+    const result = buildSealId('0xaabb', '');
+    expect(result).toBe('aabb');
+  });
+
+  it('handles UUID nonce', () => {
+    const nonce = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890';
+    const result = buildSealId('0x1234', nonce);
+    expect(result.startsWith('1234')).toBe(true);
+    // UUID is 36 chars, each encoded as 2-char hex = 72 hex chars + '1234' prefix = 76
+    expect(result.length).toBe(4 + 36 * 2);
+  });
+
+  it('matches web implementation format', () => {
+    // Verify the encoding matches the web app's buildSealId:
+    // nonceHex = Array.from(new TextEncoder().encode(fileNonce))
+    //   .map(b => b.toString(16).padStart(2, '0')).join('')
+    const nonce = 'ABC';
+    const result = buildSealId('0xff', nonce);
+    // 'A'=0x41, 'B'=0x42, 'C'=0x43
+    expect(result).toBe('ff414243');
+  });
+
+  it('produces deterministic output', () => {
+    const a = buildSealId('0x1234', 'hello');
+    const b = buildSealId('0x1234', 'hello');
+    expect(a).toBe(b);
+  });
+
+  it('produces different output for different nonces', () => {
+    const a = buildSealId('0x1234', 'nonce-1');
+    const b = buildSealId('0x1234', 'nonce-2');
+    expect(a).not.toBe(b);
+  });
+
+  it('produces different output for different whitelist IDs', () => {
+    const a = buildSealId('0x1111', 'nonce');
+    const b = buildSealId('0x2222', 'nonce');
+    expect(a).not.toBe(b);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// isSealConfigured
+// ---------------------------------------------------------------------------
+
+describe('isSealConfigured', () => {
+  const baseVault: VaultResponse = {
+    id: 'vault-1',
+    name: 'test',
+    slug: 'test',
+    description: null,
+    visibility: 'shared',
+    isDefault: false,
+    fileCount: 0,
+    totalSizeBytes: 0,
+    sealAllowlistObjectId: '0xabc',
+    sealPackageId: '0xpkg',
+    sealKeyServerIds: ['0xserver1'],
+    sealThreshold: 1,
+    createdAt: '2025-01-01T00:00:00Z',
+    updatedAt: '2025-01-01T00:00:00Z',
+    deletedAt: null,
+  };
+
+  it('returns true for fully configured shared vault', () => {
+    expect(isSealConfigured(baseVault)).toBe(true);
+  });
+
+  it('returns true with multiple key servers', () => {
+    expect(isSealConfigured({
+      ...baseVault,
+      sealKeyServerIds: ['0xserver1', '0xserver2', '0xserver3'],
+      sealThreshold: 2,
+    })).toBe(true);
+  });
+
+  it('returns false for private vault', () => {
+    expect(isSealConfigured({ ...baseVault, visibility: 'private' })).toBe(false);
+  });
+
+  it('returns false for public vault', () => {
+    expect(isSealConfigured({ ...baseVault, visibility: 'public' })).toBe(false);
+  });
+
+  it('returns false if sealAllowlistObjectId is missing', () => {
+    expect(isSealConfigured({ ...baseVault, sealAllowlistObjectId: null })).toBe(false);
+  });
+
+  it('returns false if sealAllowlistObjectId is undefined', () => {
+    expect(isSealConfigured({ ...baseVault, sealAllowlistObjectId: undefined })).toBe(false);
+  });
+
+  it('returns false if sealPackageId is missing', () => {
+    expect(isSealConfigured({ ...baseVault, sealPackageId: null })).toBe(false);
+  });
+
+  it('returns false if sealKeyServerIds is empty', () => {
+    expect(isSealConfigured({ ...baseVault, sealKeyServerIds: [] })).toBe(false);
+  });
+
+  it('returns false if sealKeyServerIds is null', () => {
+    expect(isSealConfigured({ ...baseVault, sealKeyServerIds: null })).toBe(false);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// getSuiKeypair / getSuiAddress
+// ---------------------------------------------------------------------------
+
+describe('getSuiKeypair', () => {
+  const originalEnv = process.env;
+
+  beforeEach(() => {
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  // getSuiKeypair uses a module-level cache. We test the exported helpers
+  // since we can't easily reset module state between tests.
+
+  it('returns null when TUSKYDP_SUI_PRIVATE_KEY is not set', async () => {
+    delete process.env.TUSKYDP_SUI_PRIVATE_KEY;
+    const mod = await import('../seal.js');
+    const addr = mod.getSuiAddress();
+    if (addr === null) {
+      expect(addr).toBeNull();
+    } else {
+      expect(typeof addr).toBe('string');
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// EncryptionInfo discriminated union (SDK type tests)
+// ---------------------------------------------------------------------------
+
+describe('EncryptionInfo type discrimination', () => {
+  it('narrows passphrase encryption correctly', () => {
+    const enc: EncryptionInfo = {
+      type: 'passphrase',
+      encrypted: true,
+      wrappedKey: 'abc123',
+      iv: 'def456',
+      plaintextSizeBytes: 1024,
+      plaintextChecksumSha256: 'sha256hash',
+    };
+
+    expect(enc.encrypted).toBe(true);
+    if (enc.encrypted && 'type' in enc && enc.type === 'passphrase') {
+      expect(enc.wrappedKey).toBe('abc123');
+      expect(enc.iv).toBe('def456');
+      expect(enc.plaintextSizeBytes).toBe(1024);
+      expect(enc.plaintextChecksumSha256).toBe('sha256hash');
+    }
+  });
+
+  it('narrows SEAL encryption correctly', () => {
+    const enc: EncryptionInfo = {
+      type: 'seal',
+      encrypted: true,
+      sealIdentity: 'identity123',
+      sealEncryptedObject: 'base64meta',
+    };
+
+    expect(enc.encrypted).toBe(true);
+    if (enc.encrypted && 'type' in enc && enc.type === 'seal') {
+      expect(enc.sealIdentity).toBe('identity123');
+      expect(enc.sealEncryptedObject).toBe('base64meta');
+    }
+  });
+
+  it('narrows unencrypted correctly', () => {
+    const enc: EncryptionInfo = { encrypted: false };
+    expect(enc.encrypted).toBe(false);
+  });
+
+  it('type guard works for download dispatch pattern', () => {
+    // This tests the exact pattern used in download.ts and MCP files.ts
+    const sealEnc: EncryptionInfo = {
+      type: 'seal',
+      encrypted: true,
+      sealIdentity: 'id1',
+      sealEncryptedObject: 'obj1',
+    };
+
+    const passphraseEnc: EncryptionInfo = {
+      type: 'passphrase',
+      encrypted: true,
+      wrappedKey: 'key1',
+      iv: 'iv1',
+      plaintextSizeBytes: 100,
+      plaintextChecksumSha256: null,
+    };
+
+    const noEnc: EncryptionInfo = { encrypted: false };
+
+    // Test the dispatch pattern
+    function getEncType(enc: EncryptionInfo): string {
+      if (!enc.encrypted) return 'none';
+      if ('type' in enc && enc.type === 'seal') return 'seal';
+      return 'passphrase';
+    }
+
+    expect(getEncType(sealEnc)).toBe('seal');
+    expect(getEncType(passphraseEnc)).toBe('passphrase');
+    expect(getEncType(noEnc)).toBe('none');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Upload branching logic (unit-level)
+// ---------------------------------------------------------------------------
+
+describe('upload encryption branching', () => {
+  // These tests verify the conditional logic that determines which
+  // encryption path to take, extracted from upload.ts/MCP files.ts
+
+  const sharedVault: VaultResponse = {
+    id: 'v-shared',
+    name: 'Shared Vault',
+    slug: 'shared-vault',
+    description: null,
+    visibility: 'shared',
+    isDefault: false,
+    fileCount: 0,
+    totalSizeBytes: 0,
+    sealAllowlistObjectId: '0xallowlist',
+    sealPackageId: '0xpackage',
+    sealKeyServerIds: ['0xserver1'],
+    sealThreshold: 1,
+    createdAt: '2025-01-01T00:00:00Z',
+    updatedAt: '2025-01-01T00:00:00Z',
+    deletedAt: null,
+  };
+
+  const privateVault: VaultResponse = {
+    ...sharedVault,
+    id: 'v-private',
+    name: 'Private Vault',
+    slug: 'private-vault',
+    visibility: 'private',
+    sealAllowlistObjectId: null,
+    sealPackageId: null,
+    sealKeyServerIds: null,
+    sealThreshold: null,
+  };
+
+  const publicVault: VaultResponse = {
+    ...privateVault,
+    id: 'v-public',
+    name: 'Public Vault',
+    slug: 'public-vault',
+    visibility: 'public',
+  };
+
+  const sharedVaultNoSeal: VaultResponse = {
+    ...sharedVault,
+    id: 'v-shared-noseal',
+    sealAllowlistObjectId: null,
+    sealPackageId: null,
+    sealKeyServerIds: null,
+    sealThreshold: null,
+  };
+
+  function getEncryptionPath(vault: VaultResponse): 'passphrase' | 'seal' | 'none' {
+    const isPrivate = vault.visibility === 'private';
+    const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
+    if (isPrivate) return 'passphrase';
+    if (isShared) return 'seal';
+    return 'none';
+  }
+
+  it('routes private vault to passphrase encryption', () => {
+    expect(getEncryptionPath(privateVault)).toBe('passphrase');
+  });
+
+  it('routes shared vault with SEAL config to SEAL encryption', () => {
+    expect(getEncryptionPath(sharedVault)).toBe('seal');
+  });
+
+  it('routes public vault to no encryption', () => {
+    expect(getEncryptionPath(publicVault)).toBe('none');
+  });
+
+  it('routes shared vault without SEAL config to no encryption', () => {
+    // A shared vault that hasn't been configured with SEAL on-chain
+    // should not attempt SEAL encryption
+    expect(getEncryptionPath(sharedVaultNoSeal)).toBe('none');
+  });
+});
+
+// ---------------------------------------------------------------------------
+// sealEncryptedObject metadata format
+// ---------------------------------------------------------------------------
+
+describe('SEAL metadata format', () => {
+  it('sealEncryptedObject is base64-encoded JSON with id, packageId, threshold', () => {
+    // The format produced by sealEncrypt and expected by the API
+    const metadata = {
+      id: 'abc123identity',
+      packageId: '0xpackage',
+      threshold: 1,
+    };
+    const encoded = Buffer.from(JSON.stringify(metadata)).toString('base64');
+    const decoded = JSON.parse(Buffer.from(encoded, 'base64').toString('utf-8'));
+
+    expect(decoded.id).toBe('abc123identity');
+    expect(decoded.packageId).toBe('0xpackage');
+    expect(decoded.threshold).toBe(1);
+  });
+
+  it('metadata round-trips through base64', () => {
+    const original = {
+      id: buildSealId('0xdeadbeef', 'test-nonce'),
+      packageId: '0x10665bec0c95576917bed949bfe978d97e7e9986e10040d7104b4fd3a47b0736',
+      threshold: 1,
+    };
+    const b64 = Buffer.from(JSON.stringify(original)).toString('base64');
+    const restored = JSON.parse(Buffer.from(b64, 'base64').toString('utf-8'));
+
+    expect(restored).toEqual(original);
+  });
+});

package/src/commands/account.ts

@@ -4,6 +4,13 @@ import { cliConfig, getApiUrl, getApiKey } from '../config.js';
 import { createSDKClient, AuthClient } from '../sdk.js';
 import { formatBytes } from '../lib/output.js';
 
+/** Map vault visibility to a display label. */
+function visibilityIcon(v: string): string {
+  if (v === 'private') return '[private]';
+  if (v === 'shared') return '[shared]';
+  return '[public]';
+}
+
 export function registerAccountCommands(program: Command) {
   const account = program.command('account').description('Account management');
 
@@ -29,6 +36,9 @@ export function registerAccountCommands(program: Command) {
       console.log(`Plan:            ${acct.planName}`);
       console.log(`Storage Used:    ${acct.storageUsedFormatted} / ${acct.storageLimitFormatted} (${usagePct}%)`);
       console.log(`Encryption:      ${acct.encryptionSetupComplete ? chalk.green('Set up') : chalk.yellow('Not set up')}`);
+      if ((acct as any).suiAddress) {
+        console.log(`Sui Address:     ${(acct as any).suiAddress}`);
+      }
     });
 
   account.command('plan')
@@ -67,13 +77,36 @@ export function registerAccountCommands(program: Command) {
 
       console.log(chalk.bold('Storage Usage by Vault:\n'));
       for (const v of vaults) {
-        const icon = v.visibility === 'private' ? '[private]' : '[public]';
-        console.log(`  ${v.name} ${icon} — ${v.fileCount} files, ${formatBytes(v.totalSizeBytes)}`);
+        console.log(`  ${v.name} ${visibilityIcon(v.visibility)} — ${v.fileCount} files, ${formatBytes(v.totalSizeBytes)}`);
       }
       console.log('');
       console.log(`  Total: ${formatBytes(acct.storageUsedBytes)} / ${formatBytes(acct.storageLimitBytes)}`);
     });
 
+  // ── link-sui ────────────────────────────────────────────────────────
+  account.command('link-sui <sui-address>')
+    .description('Link a Sui wallet address to your account (required for shared vaults)')
+    .action(async (suiAddress: string) => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      await sdk.sharedVaults.linkSuiAddress(suiAddress);
+      console.log(chalk.green(`Sui address ${suiAddress} linked to account.`));
+    });
+
+  // ── unlink-sui ──────────────────────────────────────────────────────
+  account.command('unlink-sui')
+    .description('Unlink your Sui wallet address')
+    .action(async () => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      await sdk.sharedVaults.unlinkSuiAddress();
+      console.log(chalk.green('Sui address unlinked from account.'));
+    });
+
   // Default action for `tuskydp account` with no subcommand
   account.action(async () => {
     // Run `info` subcommand