@tuskydp/cli 0.3.0 → 0.4.0

package/src/mcp/server.ts

@@ -9,12 +9,6 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { TuskyClient, TuskyError } from '@tuskydp/sdk';
-import {
-  deriveMasterKey,
-  verifyPassphrase,
-  unwrapMasterKey,
-} from '../crypto.js';
-import { loadMasterKey } from '../lib/keyring.js';
 import { getSuiKeypair } from '../seal.js';
 import type { McpContext } from './context.js';
 
@@ -27,58 +21,6 @@ import { registerTrashTools } from './tools/trash.js';
 import { registerSharedVaultTools } from './tools/sharedVaults.js';
 import { CLI_VERSION } from '../version.js';
 
-// ---------------------------------------------------------------------------
-// Encryption bootstrap
-// ---------------------------------------------------------------------------
-
-/**
- * Attempt to unlock the master key using (in order):
- *   1. TUSKYDP_PASSWORD env var  →  derive wrapping key  →  unwrap master key
- *   2. Existing session file (~/.tusky/session.enc)
- *
- * Returns the master key Buffer, or null if neither method works.
- */
-async function unlockMasterKey(sdk: TuskyClient): Promise<Buffer | null> {
-  const password = process.env.TUSKYDP_PASSWORD;
-
-  if (password) {
-    try {
-      const params = await sdk.account.getEncryptionParams();
-      if (!params.setupComplete) {
-        console.error('[tusky-mcp] Encryption not set up on this account. Skipping encryption unlock.');
-        return null;
-      }
-
-      const salt = Buffer.from(params.salt!, 'base64');
-      const verifier = Buffer.from(params.verifier!, 'base64');
-      const wrappingKey = deriveMasterKey(password, salt);
-
-      if (!verifyPassphrase(wrappingKey, verifier)) {
-        console.error('[tusky-mcp] TUSKYDP_PASSWORD is incorrect. Encryption will be unavailable.');
-        return null;
-      }
-
-      if (params.encryptedMasterKey) {
-        return unwrapMasterKey(Buffer.from(params.encryptedMasterKey, 'base64'), wrappingKey);
-      }
-      // Legacy accounts where wrapping key IS the master key
-      return wrappingKey;
-    } catch (err: any) {
-      console.error(`[tusky-mcp] Failed to unlock encryption: ${err.message}`);
-      return null;
-    }
-  }
-
-  // Fallback: try existing session file
-  const sessionKey = loadMasterKey();
-  if (sessionKey) {
-    console.error('[tusky-mcp] Using encryption key from existing session.');
-    return sessionKey;
-  }
-
-  return null;
-}
-
 // ---------------------------------------------------------------------------
 // Server lifecycle
 // ---------------------------------------------------------------------------
@@ -107,15 +49,6 @@ export async function startMcpServer(options: McpServerOptions): Promise<void> {
     process.exit(1);
   }
 
-  // Unlock encryption (best effort)
-  const masterKey = await unlockMasterKey(sdk);
-  if (masterKey) {
-    console.error('[tusky-mcp] Encryption unlocked — private vault operations are available.');
-  } else {
-    console.error('[tusky-mcp] Encryption not unlocked — private vault encrypt/decrypt unavailable.');
-    console.error('[tusky-mcp] Set TUSKYDP_PASSWORD env var or run `tusky encryption unlock` first.');
-  }
-
   // Load Sui keypair for SEAL shared vault operations (best effort)
   const suiKeypair = getSuiKeypair();
   if (suiKeypair) {
@@ -127,8 +60,6 @@ export async function startMcpServer(options: McpServerOptions): Promise<void> {
   // Build context
   const ctx: McpContext = {
     sdk,
-    getMasterKey: () => masterKey,
-    isEncryptionReady: () => masterKey !== null,
     getSuiKeypair: () => suiKeypair,
     isSealReady: () => suiKeypair !== null,
   };

package/src/mcp/tools/account.ts

@@ -9,7 +9,7 @@ import { wrapToolError } from './helpers.js';
 export function registerAccountTools(server: McpServer, ctx: McpContext) {
   server.tool(
     'tusky_account_info',
-    'Get account information including email, plan, storage usage, and encryption status',
+    'Get account information including email, plan, and storage usage',
     {},
     async () => {
       try {
@@ -24,8 +24,6 @@ export function registerAccountTools(server: McpServer, ctx: McpContext) {
           storageLimit: account.storageLimitFormatted,
           storageUsedBytes: account.storageUsedBytes,
           storageLimitBytes: account.storageLimitBytes,
-          encryptionSetup: account.encryptionSetupComplete,
-          encryptionUnlocked: ctx.isEncryptionReady(),
           createdAt: account.createdAt,
         };
 

package/src/mcp/tools/files.ts

@@ -1,9 +1,8 @@
 /**
  * MCP tools — File operations
  *
- * Handles upload with client-side encryption for private vaults,
- * SEAL encryption for shared vaults, download with decryption and
- * rehydration polling for cold files.
+ * Handles upload with SEAL encryption for shared vaults, download
+ * with decryption and rehydration polling for cold files.
  */
 
 import { z } from 'zod';
@@ -13,7 +12,6 @@ import { basename, resolve, join } from 'path';
 import { lookup } from 'mime-types';
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import type { McpContext } from '../context.js';
-import { encryptBuffer, decryptBuffer, encryptMetadata, decryptMetadata } from '../../crypto.js';
 import { isSealConfigured, sealEncrypt, sealDecrypt, sealEncryptMetadata, sealDecryptMetadata } from '../../seal.js';
 import { wrapToolError } from './helpers.js';
 
@@ -79,10 +77,9 @@ async function fetchAndDecryptFile(fileId: string, ctx: McpContext) {
   const arrayBuf = await response.arrayBuffer();
   let fileBuffer: Buffer = Buffer.from(arrayBuf as ArrayBuffer);
 
-  // Decrypt if needed — dispatch on encryption type
+  // Decrypt if needed — SEAL-encrypted (shared vault)
   if (encryption?.encrypted) {
     if ('type' in encryption && encryption.type === 'seal') {
-      // SEAL-encrypted (shared vault)
       const keypair = ctx.getSuiKeypair();
       if (!keypair) {
         throw new Error(
@@ -94,23 +91,6 @@ async function fetchAndDecryptFile(fileId: string, ctx: McpContext) {
       const vault = await ctx.sdk.vaults.get(fileInfo.vaultId);
       const decrypted = await sealDecrypt(new Uint8Array(fileBuffer), vault, keypair);
       fileBuffer = Buffer.from(decrypted);
-    } else {
-      // Passphrase-encrypted (private vault)
-      const masterKey = ctx.getMasterKey();
-      if (!masterKey) {
-        throw new Error(
-          'Encryption passphrase required to decrypt this file. ' +
-          'Set the TUSKYDP_PASSWORD environment variable in your MCP server config.',
-        );
-      }
-      const enc = encryption as { type: 'passphrase'; encrypted: true; wrappedKey: string; iv: string; plaintextChecksumSha256: string | null };
-      fileBuffer = decryptBuffer(
-        fileBuffer,
-        enc.wrappedKey,
-        enc.iv,
-        masterKey,
-        enc.plaintextChecksumSha256 ?? undefined,
-      );
     }
   }
 
@@ -119,22 +99,16 @@ async function fetchAndDecryptFile(fileId: string, ctx: McpContext) {
 
 /**
  * Resolve the real filename from a FileStatusResponse.
- * Decrypts encryptedName (private vaults) or encryptedMetadata (shared vaults) when present.
+ * Decrypts encryptedMetadata (shared vaults) when present.
  * Falls back to the stored placeholder name on failure.
  */
 async function resolveFilename(
-  fileInfo: { name: string; nameEncrypted?: boolean; encryptedName?: string | null; encryptedMetadata?: string | null; fileId?: string },
+  fileInfo: { name: string; nameEncrypted?: boolean; encryptedMetadata?: string | null; fileId?: string },
   ctx: McpContext,
 ): Promise<string> {
   if (!fileInfo.nameEncrypted) return fileInfo.name;
   try {
-    if (fileInfo.encryptedName) {
-      const masterKey = ctx.getMasterKey();
-      if (masterKey) {
-        const meta = decryptMetadata(fileInfo.encryptedName, masterKey);
-        return meta.n;
-      }
-    } else if (fileInfo.encryptedMetadata && fileInfo.fileId) {
+    if (fileInfo.encryptedMetadata && fileInfo.fileId) {
       const keypair = ctx.getSuiKeypair();
       if (keypair) {
         const fileObj = await ctx.sdk.files.get(fileInfo.fileId);
@@ -150,7 +124,7 @@ async function resolveFilename(
 }
 
 /**
- * Encrypt (if private vault) and upload a buffer to Tusky.
+ * Encrypt (if shared vault) and upload a buffer to Tusky.
  * Shared by tusky_file_upload (from disk) and tusky_file_create (from content).
  */
 async function encryptAndUpload(
@@ -162,40 +136,16 @@ async function encryptAndUpload(
   ctx: McpContext,
 ) {
   const vault = await ctx.sdk.vaults.get(vaultId);
-  const isPrivate = vault.visibility === 'private';
   const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
 
   let uploadBody: Buffer;
   let encryptionMeta: {
-    wrappedKey?: string;
-    encryptionIv?: string;
-    plaintextSizeBytes?: number;
-    plaintextChecksumSha256?: string;
     sealIdentity?: string;
     sealEncryptedObject?: string;
-    encryptedName?: string;
     encryptedMetadata?: string;
   } = {};
 
-  if (isPrivate) {
-    const masterKey = ctx.getMasterKey();
-    if (!masterKey) {
-      throw new Error(
-        'Encryption passphrase required for private vault uploads. ' +
-        'Set the TUSKYDP_PASSWORD environment variable in your MCP server config.',
-      );
-    }
-
-    const { ciphertext, wrappedKey, iv, plaintextChecksum } = encryptBuffer(fileBuffer, masterKey);
-    uploadBody = ciphertext;
-    encryptionMeta = {
-      wrappedKey,
-      encryptionIv: iv,
-      plaintextSizeBytes: fileBuffer.length,
-      plaintextChecksumSha256: plaintextChecksum,
-      encryptedName: encryptMetadata(fileName, mimeType, masterKey),
-    };
-  } else if (isShared) {
+  if (isShared) {
     const keypair = ctx.getSuiKeypair();
     if (!keypair) {
       throw new Error(
@@ -210,7 +160,6 @@ async function encryptAndUpload(
     encryptionMeta = {
       sealIdentity: sealResult.sealIdentity,
       sealEncryptedObject: sealResult.sealEncryptedObject,
-      plaintextSizeBytes: fileBuffer.length,
       encryptedMetadata: await sealEncryptMetadata(fileName, mimeType, vault, fileNonce),
     };
   } else {
@@ -241,7 +190,7 @@ async function encryptAndUpload(
   // Confirm upload
   const file = await ctx.sdk.files.confirmUpload(fileId);
 
-  return { file, isPrivate, isShared, uploadedSizeBytes: uploadBody.length };
+  return { file, isShared, uploadedSizeBytes: uploadBody.length };
 }
 
 // ---------------------------------------------------------------------------
@@ -252,7 +201,7 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
   // ── Upload file from disk ──────────────────────────────────────────────
   server.tool(
     'tusky_file_upload',
-    'Upload a file from a local filesystem path to a vault. Handles encryption transparently for private vaults. Use tusky_file_create instead if you want to upload content directly without a file on disk.',
+    'Upload a file from a local filesystem path to a vault. Handles SEAL encryption transparently for shared vaults. Use tusky_file_create instead if you want to upload content directly without a file on disk.',
     {
       filePath: z.string().describe('Absolute or relative path to the local file to upload'),
       vaultId: z.string().describe('Target vault ID'),
@@ -277,7 +226,7 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
         const fileName = basename(resolvedPath);
         const mimeType = lookup(resolvedPath) || 'application/octet-stream';
 
-        const { file, isPrivate, isShared, uploadedSizeBytes } = await encryptAndUpload(
+        const { file, isShared, uploadedSizeBytes } = await encryptAndUpload(
           fileBuffer, fileName, mimeType, vaultId, folderId, ctx,
         );
 
@@ -285,8 +234,8 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
           content: [{ type: 'text' as const, text: JSON.stringify({
             ...file,
             localPath: resolvedPath,
-            encrypted: isPrivate || isShared,
-            encryptionType: isPrivate ? 'passphrase' : isShared ? 'seal' : 'none',
+            encrypted: isShared,
+            encryptionType: isShared ? 'seal' : 'none',
             uploadedSizeBytes,
           }, null, 2) }],
         };
@@ -299,7 +248,7 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
   // ── Create file from content ─────────────────────────────────────────
   server.tool(
     'tusky_file_create',
-    'Create a file in a vault from raw content (text or base64-encoded binary). Use this when you want to upload content directly without needing a file on disk. Handles encryption transparently for private vaults.',
+    'Create a file in a vault from raw content (text or base64-encoded binary). Use this when you want to upload content directly without needing a file on disk. Handles SEAL encryption transparently for shared vaults.',
     {
       name: z.string().describe('File name including extension (e.g. "report.md", "data.json", "image.png")'),
       content: z.string().describe('File content: plain text for text files, or base64-encoded string for binary files'),
@@ -318,15 +267,15 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
 
         const mimeType = lookup(name) || 'application/octet-stream';
 
-        const { file, isPrivate, isShared, uploadedSizeBytes } = await encryptAndUpload(
+        const { file, isShared, uploadedSizeBytes } = await encryptAndUpload(
           fileBuffer, name, mimeType, vaultId, folderId, ctx,
         );
 
         return {
           content: [{ type: 'text' as const, text: JSON.stringify({
             ...file,
-            encrypted: isPrivate || isShared,
-            encryptionType: isPrivate ? 'passphrase' : isShared ? 'seal' : 'none',
+            encrypted: isShared,
+            encryptionType: isShared ? 'seal' : 'none',
             uploadedSizeBytes,
           }, null, 2) }],
         };
@@ -339,7 +288,7 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
   // ── Download file (to disk) ────────────────────────────────────────────
   server.tool(
     'tusky_file_download',
-    'Download a file by ID and save it to a local path on disk. Handles decryption for private vaults and rehydration for cold files. Use tusky_file_read instead if you just want the file content returned directly.',
+    'Download a file by ID and save it to a local path on disk. Handles SEAL decryption for shared vaults and rehydration for cold files. Use tusky_file_read instead if you just want the file content returned directly.',
     {
       fileId: z.string().describe('File ID to download'),
       outputPath: z.string().describe('Local path to save the file (must be writable)'),
@@ -375,7 +324,7 @@ export function registerFileTools(server: McpServer, ctx: McpContext) {
   // ── Read file content (inline) ───────────────────────────────────────
   server.tool(
     'tusky_file_read',
-    'Read a file\'s content and return it directly. For text files the content is returned as text. For binary files it is returned as base64. Handles decryption for private vaults and rehydration for cold files transparently. Prefer this over tusky_file_download when you need to inspect file content.',
+    'Read a file\'s content and return it directly. For text files the content is returned as text. For binary files it is returned as base64. Handles SEAL decryption for shared vaults and rehydration for cold files transparently. Prefer this over tusky_file_download when you need to inspect file content.',
     {
       fileId: z.string().describe('File ID to read'),
     },

package/src/mcp/tools/vaults.ts

@@ -15,8 +15,8 @@ export function registerVaultTools(server: McpServer, ctx: McpContext) {
     {
       name: z.string().describe('Vault name'),
       description: z.string().optional().describe('Vault description'),
-      visibility: z.enum(['public', 'private', 'shared']).optional().describe(
-        'Vault visibility. "private" uses passphrase-based E2E encryption. "shared" uses SEAL protocol for multi-party access. Defaults to "private".',
+      visibility: z.enum(['public', 'shared']).optional().describe(
+        'Vault visibility. "shared" uses SEAL protocol for multi-party access. Defaults to "public".',
       ),
     },
     async ({ name, description, visibility }) => {
@@ -24,7 +24,7 @@ export function registerVaultTools(server: McpServer, ctx: McpContext) {
         const vault = await ctx.sdk.vaults.create({
           name,
           description,
-          visibility: visibility ?? 'private',
+          visibility: visibility ?? 'public',
         });
         return {
           content: [{ type: 'text' as const, text: JSON.stringify(vault, null, 2) }],

package/src/tui/files-panel.ts

@@ -12,7 +12,6 @@ export interface FileItem {
   id: string;
   name: string;
   sizeBytes: number;
-  plaintextSizeBytes: number | null;
   mimeType: string;
   status: string;
   createdAt: string;
@@ -118,7 +117,6 @@ export class FilesPanel {
         id: f.id,
         name: f.name,
         sizeBytes: f.sizeBytes || 0,
-        plaintextSizeBytes: f.plaintextSizeBytes || null,
         mimeType: f.mimeType || '',
         status: f.status || 'unknown',
         createdAt: f.createdAt || '',
@@ -183,7 +181,7 @@ export class FilesPanel {
           }
           // file
           const f = item.file;
-          const size = formatBytes(f.plaintextSizeBytes ?? f.sizeBytes);
+          const size = formatBytes(f.sizeBytes);
           const status = f.status;
           const statusTagged = `${statusColor(f.status)}${f.status}${statusColorClose(f.status)}`;
           const date = f.createdAt ? formatDate(f.createdAt) : '';

package/src/tui/index.ts

@@ -16,8 +16,6 @@ function collectFiles(dir: string): string[] {
 import { lookup } from 'mime-types';
 import { createSDKClient } from '../sdk.js';
 import { cliConfig, getApiUrl } from '../config.js';
-import { encryptBuffer, decryptBuffer } from '../crypto.js';
-import { loadMasterKey } from '../lib/keyring.js';
 import { isSealConfigured, sealEncrypt, sealDecrypt, getSuiKeypair } from '../seal.js';
 import { showAuthScreen } from './auth-screen.js';
 import { VaultsPanel, VaultItem } from './vaults-panel.js';
@@ -135,12 +133,12 @@ export async function launchTui() {
       setFocus(currentFocus);
       return;
     }
-    const visIdx = await selectDialog(screen, 'Visibility', ['private', 'public', 'shared']);
+    const visIdx = await selectDialog(screen, 'Visibility', ['public', 'shared']);
     if (visIdx < 0) {
       setFocus(currentFocus);
       return;
     }
-    const visMap = ['private', 'public', 'shared'] as const;
+    const visMap = ['public', 'shared'] as const;
     const visibility = visMap[visIdx];
 
     try {
@@ -225,18 +223,7 @@ export async function launchTui() {
 
     try {
       const vault = await sdk.vaults.get(vaultId);
-      const isPrivate = vault.visibility === 'private';
       const isShared = vault.visibility === 'shared' && isSealConfigured(vault);
-      let masterKey: Buffer | null = null;
-
-      if (isPrivate) {
-        masterKey = loadMasterKey();
-        if (!masterKey) {
-          showError(screen, 'Encryption session not unlocked. Run: tusky encryption unlock');
-          setFocus(currentFocus);
-          return;
-        }
-      }
 
       if (isShared) {
         const keypair = getSuiKeypair();
@@ -262,24 +249,11 @@ export async function launchTui() {
 
         let uploadBody: Buffer;
         let encryptionMeta: {
-          wrappedKey?: string;
-          encryptionIv?: string;
-          plaintextSizeBytes?: number;
-          plaintextChecksumSha256?: string;
           sealIdentity?: string;
           sealEncryptedObject?: string;
         } = {};
 
-        if (isPrivate && masterKey) {
-          const { ciphertext, wrappedKey, iv, plaintextChecksum } = encryptBuffer(fileBuffer, masterKey);
-          uploadBody = ciphertext;
-          encryptionMeta = {
-            wrappedKey,
-            encryptionIv: iv,
-            plaintextSizeBytes: stat.size,
-            plaintextChecksumSha256: plaintextChecksum,
-          };
-        } else if (isShared) {
+        if (isShared) {
           statusBar.setHints(`SEAL encrypting ${successCount + 1}/${total}: ${fileName}...`);
           screen.render();
           const fileNonce = randomUUID();
@@ -288,7 +262,6 @@ export async function launchTui() {
           encryptionMeta = {
             sealIdentity: sealResult.sealIdentity,
             sealEncryptedObject: sealResult.sealEncryptedObject,
-            plaintextSizeBytes: stat.size,
           };
         } else {
           uploadBody = fileBuffer;
@@ -315,7 +288,7 @@ export async function launchTui() {
         successCount++;
       }
 
-      const label = isPrivate ? 'private' : isShared ? 'shared/SEAL' : 'public';
+      const label = isShared ? 'shared/SEAL' : 'public';
       showMessage(screen, `Uploaded ${successCount} file(s) [${label}]`);
       await filesPanel.loadForVault(vaultId, filesPanel.getCurrentVaultName());
       await vaultsPanel.load();
@@ -378,7 +351,7 @@ export async function launchTui() {
       const arrayBuf = await response.arrayBuffer();
       let fileBuffer: Buffer = Buffer.from(new Uint8Array(arrayBuf));
 
-      // Decrypt if needed
+      // Decrypt if needed — SEAL-encrypted (shared vault)
       if (encryption?.encrypted) {
         if ('type' in encryption && encryption.type === 'seal') {
           statusBar.setHints(`SEAL decrypting "${file.name}"...`);
@@ -393,23 +366,6 @@ export async function launchTui() {
           const vault = await sdk.vaults.get(fileInfo.vaultId);
           const decrypted = await sealDecrypt(new Uint8Array(fileBuffer), vault, keypair);
           fileBuffer = Buffer.from(decrypted);
-        } else {
-          statusBar.setHints(`Decrypting "${file.name}"...`);
-          screen.render();
-          const masterKey = loadMasterKey();
-          if (!masterKey) {
-            showError(screen, 'Encryption not unlocked. Run: tusky encryption unlock');
-            setFocus(currentFocus);
-            return;
-          }
-          const enc = encryption as { type: 'passphrase'; encrypted: true; wrappedKey: string; iv: string; plaintextChecksumSha256: string | null };
-          fileBuffer = decryptBuffer(
-            fileBuffer,
-            enc.wrappedKey,
-            enc.iv,
-            masterKey,
-            enc.plaintextChecksumSha256 ?? undefined,
-          );
         }
       }
 
@@ -542,7 +498,7 @@ export async function launchTui() {
           ['Name', file.name],
           ['ID', file.id],
           ['MIME', file.mimeType],
-          ['Size', formatBytes(file.plaintextSizeBytes ?? file.sizeBytes)],
+          ['Size', formatBytes(file.sizeBytes)],
           ['Status', `${open}${file.status}${close}`],
           ['Encrypted', file.encrypted ? 'Yes' : 'No'],
           ['Uploaded', file.createdAt ? formatDate(file.createdAt) : 'N/A'],
@@ -647,7 +603,7 @@ export async function launchTui() {
       '  Enter      Open folder / view details',
       '',
       '{bold}Actions{/bold}',
-      '  n          Create new vault (private/public/shared)',
+      '  n          Create new vault (public/shared)',
       '  f          Create folder in current vault',
       '  u          Upload file to current vault/folder',
       '  d          Download selected file',

package/src/tui/overview.ts

@@ -77,10 +77,7 @@ export async function showOverview(
           const vaultRows = vaults.map((v) => {
             let vis: string;
             let visTag: string;
-            if (v.visibility === 'private') {
-              vis = 'private';
-              visTag = '{yellow-fg}private{/yellow-fg}';
-            } else if (v.visibility === 'shared') {
+            if (v.visibility === 'shared') {
               vis = 'shared';
               visTag = '{magenta-fg}shared{/magenta-fg}';
             } else {
@@ -119,7 +116,7 @@ export async function showOverview(
           // Calculate column widths for files table
           const fileRows = files.map((f) => ({
             name: f.name || '',
-            size: formatBytes(f.plaintextSizeBytes ?? f.sizeBytes ?? 0),
+            size: formatBytes(f.sizeBytes ?? 0),
             status: f.status || '',
             statusTag: `${statusColor(f.status)}${f.status}${statusColorClose(f.status)}`,
             date: f.createdAt ? formatDate(f.createdAt) : 'N/A',

package/src/tui/trash-screen.ts

@@ -78,7 +78,7 @@ export async function showTrashScreen(
             id: f.id,
             type: 'file',
             name: f.name,
-            size: f.plaintextSizeBytes || f.sizeBytes,
+            size: f.sizeBytes,
             deletedAt: f.deletedAt || '',
           });
         }

package/dist/src/commands/decrypt.d.ts

@@ -1,15 +0,0 @@
-/**
- * `tusky decrypt` — Decrypt a file downloaded from Walrus.
- *
- * Works in two modes:
- *   1. With --export <manifest.json> — reads wrappedKey/iv from the export
- *      manifest, derives master key from passphrase + salt. Fully offline.
- *   2. Without --export — fetches encryption params from the Tusky API and
- *      looks up the file metadata by ID. Requires API access.
- *
- * In both modes, the passphrase is resolved from:
- *   --passphrase flag > TUSKYDP_PASSWORD env var > interactive prompt
- */
-import type { Command } from 'commander';
-export declare function registerDecryptCommand(program: Command): void;
-//# sourceMappingURL=decrypt.d.ts.map

package/dist/src/commands/decrypt.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../../src/commands/decrypt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAsFzC,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,QAiNtD"}