@tuskydp/cli 0.3.0 → 0.4.0

package/src/commands/export.ts

@@ -1,14 +1,13 @@
 /**
  * `tusky export` — Export file metadata for disaster recovery.
  *
- * Dumps all file records (including Walrus blob IDs, encryption keys,
- * and epoch info) to a JSON file. This allows users to recover their
- * data directly from Walrus if the Tusky service is unavailable.
+ * Dumps all file records (including Walrus blob IDs and epoch info)
+ * to a JSON file. This allows users to recover their data directly
+ * from Walrus if the Tusky service is unavailable.
  *
  * The export contains everything needed to:
  *   1. Fetch files from Walrus aggregators using blobId
- *   2. Decrypt private vault files using wrappedKey + iv + master key
- *   3. Renew Walrus epochs using blobObjectId + a Sui wallet
+ *   2. Renew Walrus epochs using blobObjectId + a Sui wallet
  */
 
 import type { Command } from 'commander';
@@ -35,20 +34,10 @@ export interface ExportedFile {
   walrusBlobObjectId: string | null;
   /** Epoch when Walrus storage expires (renew before this) */
   walrusEpochEnd: string | null;
-  /** Whether the file is client-side encrypted */
+  /** Whether the file is client-side encrypted (SEAL for shared vaults) */
   encrypted: boolean;
-  /** AES-256-GCM file key, wrapped with the master key (base64) */
-  wrappedKey: string | null;
-  /** AES-256-GCM initialization vector (base64) */
-  encryptionIv: string | null;
-  /** SHA-256 of the plaintext — for integrity verification after decryption */
-  plaintextChecksumSha256: string | null;
-  /** Original plaintext size in bytes (before encryption) */
-  plaintextSizeBytes: number | null;
   /** Whether the filename is encrypted */
   nameEncrypted: boolean;
-  /** AES-256-GCM encrypted filename+mimeType blob (private vaults) */
-  encryptedName: string | null;
   /** SEAL-encrypted filename+mimeType blob (shared vaults) */
   encryptedMetadata: string | null;
   createdAt: string;
@@ -62,16 +51,6 @@ export interface ExportManifest {
     email: string;
     plan: string;
   };
-  /** Account encryption params — needed to derive master key from passphrase */
-  encryption: {
-    setupComplete: boolean;
-    /** PBKDF2 salt (base64) */
-    salt: string | null;
-    /** HMAC verifier for passphrase validation (base64) */
-    verifier: string | null;
-    /** Master key wrapped with passphrase-derived key (base64) */
-    encryptedMasterKey: string | null;
-  };
   walrusNetwork: string;
   walrusAggregatorUrl: string;
   totalFiles: number;
@@ -85,7 +64,7 @@ export interface ExportManifest {
 export function registerExportCommand(program: Command) {
   program
     .command('export')
-    .description('Export file metadata for disaster recovery (Walrus blob IDs, encryption keys)')
+    .description('Export file metadata for disaster recovery (Walrus blob IDs, epoch info)')
     .option('-o, --output <path>', 'Output file path', 'tusky-export.json')
     .option('--stdout', 'Write JSON manifest to stdout instead of a file')
     .option('--vault <vaultId>', 'Export only files from a specific vault')
@@ -98,9 +77,8 @@ export function registerExportCommand(program: Command) {
       spinner.start();
 
       try {
-        // Fetch account + encryption params
+        // Fetch account
         const account = await sdk.account.get();
-        const encryptionParams = await sdk.account.getEncryptionParams();
 
         // Fetch all vaults
         spinner.text = 'Fetching vaults...';
@@ -146,12 +124,7 @@ export function registerExportCommand(program: Command) {
                 walrusBlobObjectId: file.walrusBlobObjectId,
                 walrusEpochEnd: file.walrusEpochEnd,
                 encrypted: file.encrypted,
-                wrappedKey: file.wrappedKey,
-                encryptionIv: file.encryptionIv,
-                plaintextChecksumSha256: file.plaintextChecksumSha256,
-                plaintextSizeBytes: file.plaintextSizeBytes,
                 nameEncrypted: file.nameEncrypted ?? false,
-                encryptedName: file.encryptedName ?? null,
                 encryptedMetadata: file.encryptedMetadata ?? null,
                 createdAt: file.createdAt,
               });
@@ -178,12 +151,6 @@ export function registerExportCommand(program: Command) {
             email: account.email,
             plan: account.planName,
           },
-          encryption: {
-            setupComplete: encryptionParams.setupComplete,
-            salt: encryptionParams.salt ?? null,
-            verifier: encryptionParams.verifier ?? null,
-            encryptedMasterKey: encryptionParams.encryptedMasterKey ?? null,
-          },
           walrusNetwork: isMainnet ? 'mainnet' : 'testnet',
           walrusAggregatorUrl,
           totalFiles: exportedFiles.length,
@@ -201,30 +168,6 @@ export function registerExportCommand(program: Command) {
               '  OR: walrus read <walrusBlobId> -o <filename>',
               '  OR: tusky rehydrate <walrusBlobId> -o <filename>',
               '',
-              '--- DECRYPT PRIVATE VAULT FILES ---',
-              'Files with encrypted=true are AES-256-GCM encrypted.',
-              '',
-              'Option A — Using the Tusky CLI decrypt command (easiest):',
-              '  tusky decrypt <encrypted-file> --export <this-file.json> -o <output>',
-              '  This reads the wrappedKey/iv from this manifest and prompts for your passphrase.',
-              '  You can also pass --passphrase <passphrase> or set TUSKYDP_PASSWORD env var.',
-              '  If the Tusky API is still reachable, you can skip the export and use:',
-              '  tusky decrypt <encrypted-file> --file-id <fileId> -o <output>',
-              '',
-              'Option B — Using the standalone script (zero dependencies, fully offline):',
-              '  node tusky-decrypt.mjs <encrypted-file> <output> <passphrase> <salt> <wrappedKey> <iv> [encryptedMasterKey]',
-              '  The salt and encryptedMasterKey come from your account encryption params.',
-              '',
-              'Option C — Manual decryption (any language with AES-256-GCM + PBKDF2):',
-              '  1. Derive wrapping key: PBKDF2(passphrase, salt, 600000 iterations, SHA-256, 32 bytes)',
-              '  2. If your account has an encryptedMasterKey, unwrap it: AES-256-GCM-decrypt(encryptedMasterKey, wrappingKey)',
-              '     Otherwise the wrapping key IS the master key (legacy accounts)',
-              '  3. Unwrap the file key: AES-256-GCM-decrypt(wrappedKey, masterKey)',
-              '     wrappedKey format: [12-byte IV | ciphertext | 16-byte auth tag]',
-              '  4. Decrypt the file: AES-256-GCM-decrypt(fileData, fileKey, encryptionIv)',
-              '     File data format: [ciphertext | 16-byte auth tag]',
-              '  5. Verify integrity: SHA-256(plaintext) should match plaintextChecksumSha256',
-              '',
               '--- RENEW WALRUS EPOCHS ---',
               'Files with a walrusBlobObjectId can have their storage extended:',
               '  walrus extend <walrusBlobObjectId> --epochs 5',
@@ -248,16 +191,13 @@ export function registerExportCommand(program: Command) {
         if (!options.stdout) {
           // Summary stats (only for disk output — stdout is clean JSON)
           const withBlob = exportedFiles.filter((f) => f.walrusBlobId).length;
-          const encrypted = exportedFiles.filter((f) => f.encrypted).length;
           const hotOnly = exportedFiles.filter((f) => !f.walrusBlobId && f.status === 'hot').length;
 
           console.log(`  On Walrus:     ${withBlob} files (recoverable from Walrus network)`);
-          console.log(`  Encrypted:     ${encrypted} files (require passphrase to decrypt)`);
           if (hotOnly > 0) {
             console.log(chalk.yellow(`  Hot only:      ${hotOnly} files (NOT yet on Walrus — only in Tusky hot cache)`));
           }
           console.log('');
-          console.log(chalk.yellow('  Store this file securely — it contains encryption keys.'));
           console.log(chalk.dim('  See the "recovery.instructions" field inside for full recovery steps.'));
         }
       } catch (err: any) {

package/src/commands/files.ts

@@ -62,7 +62,7 @@ export function registerFileCommands(program: Command) {
 
           const row = [
             f.name,
-            formatBytes(f.plaintextSizeBytes || f.sizeBytes),
+            formatBytes(f.sizeBytes),
             statusColor(f.status),
           ];
           if (showFolder) {
@@ -113,7 +113,7 @@ export function registerFileCommands(program: Command) {
       }
 
       console.log(`Name:        ${file.name}`);
-      console.log(`Size:        ${formatBytes(file.plaintextSizeBytes || file.sizeBytes)}`);
+      console.log(`Size:        ${formatBytes(file.sizeBytes)}`);
       console.log(`MIME:        ${file.mimeType}`);
       console.log(`Status:      ${file.status}`);
       console.log(`Encrypted:   ${file.encrypted ? 'Yes' : 'No'}`);

package/src/commands/mcp.ts

@@ -9,7 +9,7 @@ import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
 import { join, dirname, resolve } from 'path';
 import { homedir } from 'os';
 import chalk from 'chalk';
-import { getApiUrl, getApiKey, cliConfig } from '../config.js';
+import { getApiUrl, getApiKey, cliConfig, getSuiPrivateKey } from '../config.js';
 import { startMcpServer } from '../mcp/server.js';
 
 // ---------------------------------------------------------------------------
@@ -93,15 +93,16 @@ function getTuskyBinaryCommand(): { command: string; args: string[] } {
   return { command: 'npx', args: ['-y', '@tuskydp/cli', 'mcp', 'serve'] };
 }
 
-function buildMcpServerEntry(apiKey?: string, apiUrl?: string) {
+function buildMcpServerEntry(apiKey?: string, apiUrl?: string, suiPrivKey?: string) {
   const { command, args } = getTuskyBinaryCommand();
 
   const env: Record<string, string> = {};
   if (apiKey) env.TUSKYDP_API_KEY = apiKey;
   if (apiUrl) env.TUSKYDP_API_URL = apiUrl;
 
-  // Placeholder for password — user fills in
-  env.TUSKYDP_PASSWORD = '';
+  // Include Sui private key if provided or stored in config
+  const resolvedSuiKey = suiPrivKey || getSuiPrivateKey() || '';
+  env.TUSKYDP_SUI_PRIVATE_KEY = resolvedSuiKey;
 
   const entry: Record<string, unknown> = {
     command,
@@ -158,7 +159,8 @@ export function registerMcpCommands(program: Command) {
     .option('--target <target>', 'Target client: claude-code, claude-desktop, cursor', 'claude-code')
     .option('--api-key <key>', 'API key to embed (defaults to stored key)')
     .option('--api-url <url>', 'API URL override')
-    .action(async (options: { target: string; apiKey?: string; apiUrl?: string }) => {
+    .option('--sui-priv-key <key>', 'Sui Ed25519 private key for shared vault access (defaults to stored key)')
+    .action(async (options: { target: string; apiKey?: string; apiUrl?: string; suiPrivKey?: string }) => {
       const targets = getTargets();
       const target = targets.find((t) => t.name === options.target);
 
@@ -177,8 +179,8 @@ export function registerMcpCommands(program: Command) {
       // Only include non-default values
       const resolvedApiUrl = apiUrl && apiUrl !== 'https://api.tusky.ai' ? apiUrl : undefined;
 
-      // Build the server entry
-      const serverEntry = buildMcpServerEntry(apiKey, resolvedApiUrl);
+      // Build the server entry (SUI key: flag > config)
+      const serverEntry = buildMcpServerEntry(apiKey, resolvedApiUrl, options.suiPrivKey);
 
       // Read existing config
       const config = readJsonFile(target.configPath);
@@ -205,9 +207,13 @@ export function registerMcpCommands(program: Command) {
         console.log('');
       }
 
-      console.log(chalk.yellow('  Remember to set TUSKYDP_PASSWORD in the config for private vault encryption:'));
-      console.log(chalk.dim(`  Edit the env block in ${target.configPath}`));
-      console.log('');
+      const suiKey = options.suiPrivKey || getSuiPrivateKey();
+      if (!suiKey) {
+        console.log(chalk.yellow('  Note: No Sui key found. Set it up for shared vault access:'));
+        console.log(chalk.dim('  Run: tusky sui setup <suiprivkey1...>'));
+        console.log(chalk.dim('  Then re-run: tusky mcp install-config'));
+        console.log('');
+      }
 
       if (options.target === 'claude-desktop') {
         console.log(chalk.dim('  Restart Claude Desktop to pick up the changes.'));

package/src/commands/sui.ts

@@ -0,0 +1,69 @@
+import type { Command } from 'commander';
+import chalk from 'chalk';
+import { cliConfig } from '../config.js';
+import { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';
+
+export function registerSuiCommands(program: Command) {
+  const sui = program
+    .command('sui')
+    .description('Manage Sui wallet key for shared vault access');
+
+  // ── tusky sui setup ──────────────────────────────────────────────────
+  sui
+    .command('setup <private-key>')
+    .description('Save a Sui Ed25519 private key to config for shared vault operations')
+    .action((privateKey: string) => {
+      let address: string;
+      try {
+        const keypair = Ed25519Keypair.fromSecretKey(privateKey);
+        address = keypair.toSuiAddress();
+      } catch {
+        console.error(chalk.red('Invalid Sui private key. Expected suiprivkey1... format.'));
+        process.exit(1);
+      }
+
+      cliConfig.set('suiPrivateKey', privateKey);
+      console.log(chalk.green('Sui private key saved to config.'));
+      console.log(chalk.dim(`  Sui address: ${address}`));
+      console.log('');
+      console.log(chalk.yellow('  Security note: The key is stored in your local config file.'));
+      console.log(chalk.dim(`  Location: ${cliConfig.path}`));
+      console.log(chalk.dim('  Run `tusky sui clear` to remove it.'));
+    });
+
+  // ── tusky sui show ───────────────────────────────────────────────────
+  sui
+    .command('show')
+    .description('Show the configured Sui address (does not reveal the private key)')
+    .action(() => {
+      const envKey = process.env.TUSKYDP_SUI_PRIVATE_KEY;
+      const configKey = cliConfig.get('suiPrivateKey');
+      const key = envKey || configKey;
+      const source = envKey ? 'env var (TUSKYDP_SUI_PRIVATE_KEY)' : 'config';
+
+      if (!key) {
+        console.log(chalk.dim('No Sui private key configured.'));
+        console.log(chalk.dim('Run: tusky sui setup <private-key>'));
+        return;
+      }
+
+      try {
+        const keypair = Ed25519Keypair.fromSecretKey(key);
+        const address = keypair.toSuiAddress();
+        console.log(`Sui address: ${address}`);
+        console.log(chalk.dim(`Source:      ${source}`));
+      } catch {
+        console.error(chalk.red('Stored Sui key is invalid. Run: tusky sui setup <private-key>'));
+        process.exit(1);
+      }
+    });
+
+  // ── tusky sui clear ──────────────────────────────────────────────────
+  sui
+    .command('clear')
+    .description('Remove the stored Sui private key from config')
+    .action(() => {
+      cliConfig.delete('suiPrivateKey');
+      console.log(chalk.green('Sui private key removed from config.'));
+    });
+}

package/src/commands/trash.ts

@@ -51,7 +51,7 @@ export function registerTrashCommands(program: Command) {
         for (const f of trashed.files) {
           table.push([
             f.name,
-            formatBytes(f.plaintextSizeBytes || f.sizeBytes),
+            formatBytes(f.sizeBytes),
             f.status,
             f.deletedAt ? formatDate(f.deletedAt) : 'N/A',
             chalk.dim(shortId(f.id)),

package/src/commands/upload.ts

@@ -9,8 +9,6 @@ import { createSDKClient } from '../sdk.js';
 import { resolveVault } from '../lib/resolve.js';
 import { formatBytes } from '../lib/output.js';
 import { createSpinner } from '../lib/progress.js';
-import { encryptBuffer, encryptMetadata } from '../crypto.js';
-import { loadMasterKey } from '../lib/keyring.js';
 import { isSealConfigured, sealEncrypt, sealEncryptMetadata, getSuiKeypair } from '../seal.js';
 
 async function readStdin(): Promise<Buffer> {
@@ -79,18 +77,8 @@ export async function uploadCommand(paths: string[], options: {
 
     const vaultId = await resolveVault(sdk, options.vault);
     const vault = await sdk.vaults.get(vaultId);
-    const isPrivate = vault.visibility === 'private';
     const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
 
-    let masterKey: Buffer | null = null;
-    if (isPrivate) {
-      masterKey = loadMasterKey();
-      if (!masterKey) {
-        console.error(chalk.red('Encryption session not unlocked. Run: tusky encryption unlock'));
-        process.exit(1);
-      }
-    }
-
     const spinner = createSpinner(`Uploading ${fileName}`);
     spinner.start();
 
@@ -98,28 +86,12 @@ export async function uploadCommand(paths: string[], options: {
       const mimeType = lookup(fileName) || 'application/octet-stream';
       let uploadBody: Buffer;
       let encryptionMeta: {
-        wrappedKey?: string;
-        encryptionIv?: string;
-        plaintextSizeBytes?: number;
-        plaintextChecksumSha256?: string;
         sealIdentity?: string;
         sealEncryptedObject?: string;
-        encryptedName?: string;
         encryptedMetadata?: string;
       } = {};
 
-      if (isPrivate && masterKey) {
-        spinner.text = `Encrypting ${fileName}...`;
-        const { ciphertext, wrappedKey, iv, plaintextChecksum } = encryptBuffer(fileBuffer, masterKey);
-        uploadBody = ciphertext;
-        encryptionMeta = {
-          wrappedKey,
-          encryptionIv: iv,
-          plaintextSizeBytes: fileBuffer.length,
-          plaintextChecksumSha256: plaintextChecksum,
-          encryptedName: encryptMetadata(fileName, mimeType, masterKey),
-        };
-      } else if (isShared) {
+      if (isShared) {
         spinner.text = `SEAL encrypting ${fileName}...`;
         const fileNonce = randomUUID();
         const sealResult = await sealEncrypt(new Uint8Array(fileBuffer), vault, fileNonce);
@@ -127,7 +99,6 @@ export async function uploadCommand(paths: string[], options: {
         encryptionMeta = {
           sealIdentity: sealResult.sealIdentity,
           sealEncryptedObject: sealResult.sealEncryptedObject,
-          plaintextSizeBytes: fileBuffer.length,
           encryptedMetadata: await sealEncryptMetadata(fileName, mimeType, vault, fileNonce),
         };
       } else {
@@ -169,18 +140,8 @@ export async function uploadCommand(paths: string[], options: {
   // ── File path mode (original behavior) ───────────────────────────
   const vaultId = await resolveVault(sdk, options.vault);
   const vault = await sdk.vaults.get(vaultId);
-  const isPrivate = vault.visibility === 'private';
   const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
 
-  let masterKey: Buffer | null = null;
-  if (isPrivate) {
-    masterKey = loadMasterKey();
-    if (!masterKey) {
-      console.error(chalk.red('Encryption session not unlocked. Run: tusky encryption unlock'));
-      process.exit(1);
-    }
-  }
-
   if (isShared) {
     const keypair = getSuiKeypair();
     if (!keypair) {
@@ -209,28 +170,12 @@ export async function uploadCommand(paths: string[], options: {
 
       let uploadBody: Buffer;
       let encryptionMeta: {
-        wrappedKey?: string;
-        encryptionIv?: string;
-        plaintextSizeBytes?: number;
-        plaintextChecksumSha256?: string;
         sealIdentity?: string;
         sealEncryptedObject?: string;
-        encryptedName?: string;
         encryptedMetadata?: string;
       } = {};
 
-      if (isPrivate && masterKey) {
-        spinner.text = `Encrypting ${basename(filePath)}...`;
-        const { ciphertext, wrappedKey, iv, plaintextChecksum } = encryptBuffer(fileBuffer, masterKey);
-        uploadBody = ciphertext;
-        encryptionMeta = {
-          wrappedKey,
-          encryptionIv: iv,
-          plaintextSizeBytes: stat.size,
-          plaintextChecksumSha256: plaintextChecksum,
-          encryptedName: encryptMetadata(basename(filePath), mimeType, masterKey),
-        };
-      } else if (isShared) {
+      if (isShared) {
         spinner.text = `SEAL encrypting ${basename(filePath)}...`;
         const fileNonce = randomUUID();
         const sealResult = await sealEncrypt(new Uint8Array(fileBuffer), vault, fileNonce);
@@ -238,7 +183,6 @@ export async function uploadCommand(paths: string[], options: {
         encryptionMeta = {
           sealIdentity: sealResult.sealIdentity,
           sealEncryptedObject: sealResult.sealEncryptedObject,
-          plaintextSizeBytes: stat.size,
           encryptedMetadata: await sealEncryptMetadata(basename(filePath), mimeType, vault, fileNonce),
         };
       } else {
@@ -283,7 +227,7 @@ export async function uploadCommand(paths: string[], options: {
   }
 
   if (filePaths.length > 1) {
-    const label = isPrivate ? 'private' : isShared ? 'shared' : 'public';
+    const label = isShared ? 'shared' : 'public';
     console.log(`\nUploaded ${successCount} file(s) (${formatBytes(totalSize)}) to vault "${vault.name}" [${label}]`);
   }
 }

package/src/commands/vault.ts

@@ -8,7 +8,6 @@ import { resolveVault } from '../lib/resolve.js';
 
 /** Map vault visibility to a display label. */
 function visibilityLabel(v: string): string {
-  if (v === 'private') return 'private';
   if (v === 'shared') return 'shared';
   return 'public';
 }
@@ -18,34 +17,14 @@ export function registerVaultCommands(program: Command) {
 
   // ── create ──────────────────────────────────────────────────────────
   vault.command('create <name>')
-    .description('Create a new vault (private/encrypted by default)')
-    .option('--public', 'Create as public vault (unencrypted, shareable via URL)')
+    .description('Create a new vault (public by default)')
     .option('--shared', 'Create as shared vault (SEAL-encrypted, requires linked Sui address)')
     .option('--description <text>', 'Vault description')
     .action(async (name: string, options) => {
       const sdk = getSDKClientFromParent(vault);
-      let visibility: 'public' | 'private' | 'shared' = 'private';
-      if (options.public) visibility = 'public';
+      let visibility: 'public' | 'shared' = 'public';
       if (options.shared) visibility = 'shared';
 
-      if (options.public && options.shared) {
-        console.error(chalk.red('Cannot use both --public and --shared.'));
-        return;
-      }
-
-      if (visibility === 'private') {
-        try {
-          const { setupComplete } = await sdk.account.getEncryptionParams();
-          if (!setupComplete) {
-            console.log(chalk.red('Encryption must be set up before creating private vaults.'));
-            console.log(chalk.dim('  Run: tusky encryption setup'));
-            return;
-          }
-        } catch {
-          // If endpoint fails, proceed anyway
-        }
-      }
-
       if (visibility === 'shared') {
         try {
           const acct = await sdk.account.get();

package/src/config.ts

@@ -5,7 +5,7 @@ export interface TuskyDPConfig {
   apiKey?: string;
   defaultVault?: string;
   outputFormat: 'table' | 'json' | 'plain';
-  encryptionEnabled: boolean;
+  suiPrivateKey?: string;
 }
 
 export const cliConfig = new Conf<TuskyDPConfig>({
@@ -13,7 +13,6 @@ export const cliConfig = new Conf<TuskyDPConfig>({
   defaults: {
     apiUrl: 'https://api.tusky.ai',
     outputFormat: 'table',
-    encryptionEnabled: true,
   },
 });
 
@@ -39,8 +38,8 @@ export function getOutputFormat(override?: string): 'table' | 'json' | 'plain' {
 
 /**
  * Get the Sui private key for SEAL operations on shared vaults.
- * Only read from env var (never persisted to config for security).
+ * Priority: TUSKYDP_SUI_PRIVATE_KEY env var > stored config key.
  */
 export function getSuiPrivateKey(): string | null {
-  return process.env.TUSKYDP_SUI_PRIVATE_KEY || null;
+  return process.env.TUSKYDP_SUI_PRIVATE_KEY || cliConfig.get('suiPrivateKey') || null;
 }

package/src/index.ts

@@ -1,7 +1,6 @@
 import { Command } from 'commander';
 import chalk from 'chalk';
 import { registerAuthCommands } from './commands/auth.js';
-import { registerEncryptionCommands } from './commands/encryption.js';
 import { registerVaultCommands } from './commands/vault.js';
 import { registerFileCommands } from './commands/files.js';
 import { registerAccountCommands } from './commands/account.js';
@@ -14,8 +13,8 @@ import { downloadCommand } from './commands/download.js';
 import { rehydrateCommand } from './commands/rehydrate.js';
 import { registerTuiCommand } from './commands/tui.js';
 import { registerMcpCommands } from './commands/mcp.js';
+import { registerSuiCommands } from './commands/sui.js';
 import { registerExportCommand } from './commands/export.js';
-import { registerDecryptCommand } from './commands/decrypt.js';
 import { CLI_VERSION } from './version.js';
 
 const program = new Command();
@@ -39,7 +38,6 @@ program
   });
 
 registerAuthCommands(program);
-registerEncryptionCommands(program);
 registerVaultCommands(program);
 registerFileCommands(program);
 registerFolderCommands(program);
@@ -49,8 +47,8 @@ registerWalletCommands(program);
 registerAccountCommands(program);
 registerTuiCommand(program);
 registerMcpCommands(program);
+registerSuiCommands(program);
 registerExportCommand(program);
-registerDecryptCommand(program);
 
 // Direct shortcuts for common operations
 program.command('upload [paths...]')

package/src/lib/resolve.ts

@@ -7,12 +7,11 @@ export async function resolveVault(sdk: TuskyClient, vaultRef?: string): Promise
     const defaultVault = cliConfig.get('defaultVault');
     if (defaultVault) return defaultVault;
 
-    // Fall back to the user's default vault
+    // Fall back to the first vault
     const vaults = await sdk.vaults.list();
-    const defaultV = vaults.find((v) => v.isDefault);
-    if (defaultV) return defaultV.id;
+    if (vaults.length > 0) return vaults[0].id;
 
-    throw new Error('No default vault found. Create one with: tusky vault create <name>');
+    throw new Error('No vault found. Create one with: tusky vault create <name>');
   }
 
   // If it looks like a UUID, use it directly

package/src/mcp/context.ts

@@ -1,8 +1,7 @@
 /**
  * Shared context for MCP tool handlers.
  *
- * Holds the authenticated SDK client, the unlocked master key for
- * private vault encryption, and the Sui keypair for shared vault
+ * Holds the authenticated SDK client and the Sui keypair for shared vault
  * SEAL encryption/decryption.
  */
 
@@ -13,15 +12,6 @@ export interface McpContext {
   /** Authenticated Tusky SDK client. */
   sdk: TuskyClient;
 
-  /**
-   * Returns the in-memory master key, or null if encryption was not
-   * unlocked (i.e. TUSKYDP_PASSWORD was not provided or setup is incomplete).
-   */
-  getMasterKey(): Buffer | null;
-
-  /** True when the master key is available for encrypt/decrypt operations. */
-  isEncryptionReady(): boolean;
-
   /**
    * Returns the Sui Ed25519 keypair for SEAL operations, or null if
    * TUSKYDP_SUI_PRIVATE_KEY was not provided.