npm - autho - Versions diffs - 3.0.0 → 3.0.1 - Mend

autho 3.0.0 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -28,7 +28,9 @@ autho secrets get --password "..." --ref github --json
 autho otp code --password "..." --ref my-totp --json
 ```
-You can also set `AUTHO_MASTER_PASSWORD` to avoid passing `--password` on every call.
+Run `autho init` to save your master password to the native OS secret store (macOS Keychain, Linux Secret Service, Windows Credential Manager). After that, all commands unlock silently without prompting.
+You can also set `AUTHO_MASTER_PASSWORD` to avoid passing `--password` on every call, or set `AUTHO_DISABLE_OS_SECRETS=1` to opt out of OS secret storage.
 ## Features

package/dist/autho.js CHANGED Viewed

@@ -15,6 +15,7 @@ var __export = (target, all) => {
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
 // packages/storage/src/index.ts
 import { Database } from "bun:sqlite";
@@ -105,6 +106,13 @@ class AuthoDatabase {
   setVaultConfig(config) {
     this.db.query("INSERT OR REPLACE INTO meta (key, value) VALUES (?1, ?2)").run("vault.config", JSON.stringify(config));
   }
+  getVaultAuth() {
+    const row = this.db.query("SELECT value FROM meta WHERE key = ?1").get("vault.auth");
+    return row ? parseJson(row.value) : null;
+  }
+  setVaultAuth(auth) {
+    this.db.query("INSERT OR REPLACE INTO meta (key, value) VALUES (?1, ?2)").run("vault.auth", JSON.stringify(auth));
+  }
   countSecrets() {
     const row = this.db.query("SELECT COUNT(*) AS count FROM secrets").get();
     return row.count;
@@ -221,6 +229,7 @@ var init_src = () => {};
 import {
   createCipheriv,
   createDecipheriv,
+  createHmac,
   randomBytes,
   scryptSync
 } from "crypto";
@@ -280,6 +289,78 @@ function unlockRootKey(password, config) {
   const key = deriveKeyFromPassword(password, config.kdf);
   return decryptWithKey(config.wrappedRootKey, key, "autho:vault-root");
 }
+function decodeBase32(input) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const normalized = input.toUpperCase().replace(/=+$/g, "").replace(/\s+/g, "");
+  let bits = 0;
+  let value = 0;
+  const output = [];
+  for (const char of normalized) {
+    const index = alphabet.indexOf(char);
+    if (index === -1) {
+      throw new Error("OTP secret must be valid base32");
+    }
+    value = value << 5 | index;
+    bits += 5;
+    if (bits >= 8) {
+      output.push(value >>> bits - 8 & 255);
+      bits -= 8;
+    }
+  }
+  return Uint8Array.from(output);
+}
+function generateTotpCode(secret, options, now) {
+  const algorithm = (options?.algorithm ?? "sha1").toLowerCase();
+  const digits = options?.digits ?? 6;
+  const key = decodeBase32(secret);
+  const counter = Math.floor(now / 30000);
+  const message = Buffer.alloc(8);
+  let cursor = counter;
+  for (let index = 7;index >= 0; index -= 1) {
+    message[index] = cursor & 255;
+    cursor >>= 8;
+  }
+  const hash = createHmac(algorithm, Buffer.from(key)).update(message).digest();
+  const offset = hash[hash.length - 1] & 15;
+  const binary = (hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255;
+  const mod = 10 ** digits;
+  return String(binary % mod).padStart(digits, "0");
+}
+function generateTotpSecret() {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const bytes = randomBytes(20);
+  let bits = 0;
+  let value = 0;
+  let result = "";
+  for (const byte of bytes) {
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      result += alphabet[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    result += alphabet[value << 5 - bits & 31];
+  }
+  return result;
+}
+function totpUri(secret, issuer, account) {
+  return `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(account)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
+}
+function verifyTotpCode(secret, code, opts) {
+  const digits = opts?.digits ?? 6;
+  if (code.length !== digits) {
+    return false;
+  }
+  const now = Date.now();
+  for (const offset of [-30000, 0, 30000]) {
+    if (generateTotpCode(secret, opts, now + offset) === code) {
+      return true;
+    }
+  }
+  return false;
+}
 var DEFAULT_KDF;
 var init_src2 = __esm(() => {
   DEFAULT_KDF = {
@@ -465,7 +546,7 @@ var init_artifacts = __esm(() => {
 // packages/core/src/index.ts
 import { spawnSync } from "child_process";
-import { createHmac, randomBytes as randomBytes3 } from "crypto";
+import { createHmac as createHmac2, randomBytes as randomBytes3 } from "crypto";
 import {
   existsSync as existsSync2,
   readFileSync as readFileSync2
@@ -477,7 +558,7 @@ function requireValue(value, label) {
   }
   return value;
 }
-function decodeBase32(input) {
+function decodeBase322(input) {
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
   const normalized = input.toUpperCase().replace(/=+$/g, "").replace(/\s+/g, "");
   let bits = 0;
@@ -500,7 +581,7 @@ function decodeBase32(input) {
 function generateTotp(secret, options, now = Date.now()) {
   const algorithm = (options?.algorithm ?? "sha1").toLowerCase();
   const digits = options?.digits ?? 6;
-  const key = decodeBase32(secret);
+  const key = decodeBase322(secret);
   const counter = Math.floor(now / 30000);
   const message = Buffer.alloc(8);
   let cursor = counter;
@@ -508,7 +589,7 @@ function generateTotp(secret, options, now = Date.now()) {
     message[index] = cursor & 255;
     cursor >>= 8;
   }
-  const hash = createHmac(algorithm, Buffer.from(key)).update(message).digest();
+  const hash = createHmac2(algorithm, Buffer.from(key)).update(message).digest();
   const offset = hash[hash.length - 1] & 15;
   const binary = (hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255;
   const mod = 10 ** digits;
@@ -710,21 +791,212 @@ class VaultService {
       db.close();
     }
   }
-  static unlock(vaultPath, password) {
+  static unlock(vaultPath, credentials) {
+    const creds = typeof credentials === "string" ? { password: credentials } : credentials;
     const db = new AuthoDatabase(vaultPath);
     const config = db.getVaultConfig();
     if (!config) {
       db.close();
       throw new Error(`Vault is not initialized at ${vaultPath}`);
     }
+    const vaultAuth = db.getVaultAuth();
+    if (creds.recovery) {
+      if (!vaultAuth?.recovery) {
+        db.close();
+        throw new Error("No recovery token configured for this vault");
+      }
+      try {
+        const recoveryKEK = deriveKeyFromPassword(creds.recovery, vaultAuth.recovery.kdf);
+        const rootKey = decryptWithKey(vaultAuth.recovery.wrappedRootKey, recoveryKEK, "autho:vault-recovery");
+        db.insertAudit({
+          createdAt: new Date().toISOString(),
+          eventType: "auth.unlock.recovery",
+          id: randomId(),
+          message: "Vault unlocked via recovery file",
+          metadata: JSON.stringify({}),
+          subjectRef: null,
+          subjectType: "vault"
+        });
+        return new VaultSession(db, rootKey);
+      } catch (error) {
+        db.close();
+        throw new Error("Invalid recovery token", { cause: error });
+      }
+    }
     try {
-      const rootKey = unlockRootKey(password, config);
+      const passwordKEK = deriveKeyFromPassword(creds.password, config.kdf);
+      if (vaultAuth?.totp) {
+        const totpSecret = decryptWithKey(vaultAuth.totp.encryptedSecret, passwordKEK, "autho:vault-totp").toString("utf8");
+        if (!creds.totp || !verifyTotpCode(totpSecret, creds.totp)) {
+          throw new Error("Invalid or missing TOTP code");
+        }
+      }
+      const rootKey = decryptWithKey(config.wrappedRootKey, passwordKEK, "autho:vault-root");
       return new VaultSession(db, rootKey);
     } catch (error) {
       db.close();
+      if (error instanceof Error && error.message === "Invalid or missing TOTP code") {
+        throw error;
+      }
       throw new Error("Invalid vault password", { cause: error });
     }
   }
+  static getAuthConfig(vaultPath) {
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      return db.getVaultAuth();
+    } finally {
+      db.close();
+    }
+  }
+  static setupTotp(vaultPath) {
+    const secret = generateTotpSecret();
+    const uri = totpUri(secret, "autho", vaultPath);
+    return { secret, uri };
+  }
+  static enableTotp(vaultPath, credentials, secret, code) {
+    if (!verifyTotpCode(secret, code)) {
+      throw new Error("Invalid TOTP code \u2014 make sure your authenticator app is showing the right code");
+    }
+    const session = VaultService.unlock(vaultPath, credentials);
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const config = db.getVaultConfig();
+      const passwordKEK = deriveKeyFromPassword(credentials.password, config.kdf);
+      const encryptedSecret = encryptWithKey(Buffer.from(secret, "utf8"), passwordKEK, "autho:vault-totp");
+      const existing = db.getVaultAuth();
+      db.setVaultAuth({
+        version: 1,
+        ...existing,
+        totp: {
+          algorithm: "SHA1",
+          digits: 6,
+          encryptedSecret,
+          period: 30
+        }
+      });
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.totp.enabled",
+        id: randomId(),
+        message: "TOTP vault unlock enabled",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+    } finally {
+      db.close();
+    }
+  }
+  static removeTotp(vaultPath, credentials) {
+    const session = VaultService.unlock(vaultPath, credentials);
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const existing = db.getVaultAuth();
+      if (existing) {
+        const { totp: _removed, ...rest } = existing;
+        db.setVaultAuth({ ...rest, version: 1 });
+      }
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.totp.removed",
+        id: randomId(),
+        message: "TOTP vault unlock removed",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+    } finally {
+      db.close();
+    }
+  }
+  static generateRecovery(vaultPath, credentials) {
+    const session = VaultService.unlock(vaultPath, credentials);
+    const rootKey = session.getRootKey();
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const tokenBytes = randomBytes3(32);
+      const token = tokenBytes.toString("hex");
+      const recoverySalt = randomBytes3(16).toString("base64");
+      const recoveryKdf = {
+        keyLength: 32,
+        name: "scrypt",
+        salt: recoverySalt,
+        N: 1 << 17,
+        p: 1,
+        r: 8
+      };
+      const recoveryKEK = deriveKeyFromPassword(token, recoveryKdf);
+      const wrappedRootKey = encryptWithKey(rootKey, recoveryKEK, "autho:vault-recovery");
+      const existing = db.getVaultAuth();
+      db.setVaultAuth({
+        version: 1,
+        ...existing,
+        recovery: {
+          createdAt: new Date().toISOString(),
+          kdf: recoveryKdf,
+          wrappedRootKey
+        }
+      });
+      const formattedToken = token.toUpperCase().match(/.{1,8}/g).join("-");
+      const fileContent = [
+        "================================================================================",
+        "AUTHO VAULT RECOVERY FILE",
+        "================================================================================",
+        `Generated : ${new Date().toISOString()}`,
+        `Vault     : ${vaultPath}`,
+        "",
+        "WARNING: Anyone with this file can open your vault regardless of password,",
+        "PIN, or authenticator app. Store it offline (printed paper, encrypted USB,",
+        "safety deposit box). Revoke with: autho recovery revoke",
+        "",
+        "RECOVERY TOKEN:",
+        formattedToken,
+        "",
+        "To use: autho unlock --recovery-file <path-to-this-file>",
+        "================================================================================"
+      ].join(`
+`);
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.recovery.generated",
+        id: randomId(),
+        message: "Recovery file generated",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+      return { fileContent };
+    } finally {
+      db.close();
+    }
+  }
+  static revokeRecovery(vaultPath, credentials) {
+    const session = VaultService.unlock(vaultPath, credentials);
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const existing = db.getVaultAuth();
+      if (existing) {
+        const { recovery: _removed, ...rest } = existing;
+        db.setVaultAuth({ ...rest, version: 1 });
+      }
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.recovery.revoked",
+        id: randomId(),
+        message: "Recovery file revoked",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+    } finally {
+      db.close();
+    }
+  }
 }
 class VaultSession {
@@ -734,6 +1006,9 @@ class VaultSession {
     this.db = db;
     this.rootKey = rootKey;
   }
+  getRootKey() {
+    return Buffer.from(this.rootKey);
+  }
   close() {
     this.db.close();
   }
@@ -1126,6 +1401,146 @@ var init_src3 = __esm(() => {
   init_paths();
 });
+// packages/core/src/os-secrets.ts
+import { createHash as createHash2, randomBytes as randomBytes4, scryptSync as scryptSync2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { resolve as resolve3 } from "path";
+function vaultPasswordName(vaultPath) {
+  return createHash2("sha256").update(resolve3(vaultPath)).digest("hex");
+}
+function osSecretsDisabled() {
+  return process.env.AUTHO_DISABLE_OS_SECRETS === "1";
+}
+async function storeVaultPassword(vaultPath, password) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    await Bun.secrets.set({
+      name: vaultPasswordName(vaultPath),
+      service: VAULT_PASSWORD_SERVICE,
+      value: password
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function loadVaultPassword(vaultPath) {
+  if (osSecretsDisabled()) {
+    return null;
+  }
+  try {
+    const password = await Bun.secrets.get({
+      name: vaultPasswordName(vaultPath),
+      service: VAULT_PASSWORD_SERVICE
+    });
+    return password ?? null;
+  } catch {
+    return null;
+  }
+}
+async function deleteVaultPassword(vaultPath) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    return await Bun.secrets.delete({
+      name: vaultPasswordName(vaultPath),
+      service: VAULT_PASSWORD_SERVICE
+    });
+  } catch {
+    return false;
+  }
+}
+async function setOsSecret(name, value) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    await Bun.secrets.set({ name, service: USER_SECRETS_SERVICE, value });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function getOsSecret(name) {
+  if (osSecretsDisabled()) {
+    return null;
+  }
+  try {
+    const value = await Bun.secrets.get({ name, service: USER_SECRETS_SERVICE });
+    return value ?? null;
+  } catch {
+    return null;
+  }
+}
+async function deleteOsSecret(name) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    return await Bun.secrets.delete({ name, service: USER_SECRETS_SERVICE });
+  } catch {
+    return false;
+  }
+}
+async function storePinHash(vaultPath, pin) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    const salt = randomBytes4(16);
+    const hash = scryptSync2(pin, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
+    const value = `${salt.toString("base64")}:${hash.toString("base64")}`;
+    await Bun.secrets.set({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE, value });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function verifyPin(vaultPath, pin) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    const stored = await Bun.secrets.get({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE });
+    if (!stored)
+      return false;
+    const colonIdx = stored.indexOf(":");
+    if (colonIdx === -1)
+      return false;
+    const salt = Buffer.from(stored.slice(0, colonIdx), "base64");
+    const expectedHash = Buffer.from(stored.slice(colonIdx + 1), "base64");
+    const actualHash = scryptSync2(pin, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
+    return timingSafeEqual2(actualHash, expectedHash);
+  } catch {
+    return false;
+  }
+}
+async function hasPinSet(vaultPath) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    const stored = await Bun.secrets.get({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE });
+    return stored != null;
+  } catch {
+    return false;
+  }
+}
+async function deletePin(vaultPath) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    return await Bun.secrets.delete({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE });
+  } catch {
+    return false;
+  }
+}
+var VAULT_PASSWORD_SERVICE = "autho.vault", USER_SECRETS_SERVICE = "autho", PIN_SERVICE = "autho.pin";
+var init_os_secrets = () => {};
 // apps/cli/src/tui.tsx
 var exports_tui = {};
 __export(exports_tui, {
@@ -1240,28 +1655,33 @@ function useToast() {
   }, []);
   return { toast, show };
 }
-function PasswordScreen({ onUnlock, vaultPath }) {
+function tryUnlockWithPassword(vaultPath, password) {
+  try {
+    return VaultService.unlock(vaultPath, { password });
+  } catch {
+    return null;
+  }
+}
+function tryUnlockWithRecovery(vaultPath, token) {
+  try {
+    return VaultService.unlock(vaultPath, { password: "", recovery: token });
+  } catch {
+    return null;
+  }
+}
+function PasswordMethod({ onSubmit, vaultPath: _vaultPath }) {
   const [password, setPassword] = useState("");
-  const [error, setError] = useState("");
-  const [unlocking, setUnlocking] = useState(false);
+  const [submitting, setSubmitting] = useState(false);
   useKeyboard((key) => {
     if (key.eventType !== "press" && key.eventType !== "repeat")
       return;
-    if (unlocking)
+    if (submitting)
       return;
     if (key.name === "enter" || key.name === "return") {
       if (!password)
         return;
-      setUnlocking(true);
-      setError("");
-      try {
-        const session = VaultService.unlock(vaultPath, password);
-        onUnlock(session);
-      } catch {
-        setError("Wrong password");
-        setPassword("");
-        setUnlocking(false);
-      }
+      setSubmitting(true);
+      onSubmit(password);
       return;
     }
     if (key.name === "backspace") {
@@ -1274,6 +1694,284 @@ function PasswordScreen({ onUnlock, vaultPath }) {
     if (char && char.length === 1 && char.charCodeAt(0) >= 32)
       setPassword((p) => p + char);
   });
+  return /* @__PURE__ */ jsxDEV("box", {
+    flexDirection: "row",
+    gap: 1,
+    marginTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV("text", {
+        fg: "#AAAAAA",
+        children: "Password "
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV("box", {
+        backgroundColor: "#111111",
+        flexGrow: 1,
+        paddingX: 1,
+        height: 1,
+        children: /* @__PURE__ */ jsxDEV("text", {
+          fg: "#FFD700",
+          children: password ? "*".repeat(password.length) : ""
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      submitting ? /* @__PURE__ */ jsxDEV("text", {
+        fg: "#FFD700",
+        children: " ..."
+      }, undefined, false, undefined, this) : null
+    ]
+  }, undefined, true, undefined, this);
+}
+function PinMethod({ vaultPath, password, onVerified, onError }) {
+  const [pin, setPin] = useState("");
+  const [verifying, setVerifying] = useState(false);
+  useKeyboard((key) => {
+    if (key.eventType !== "press" && key.eventType !== "repeat")
+      return;
+    if (verifying)
+      return;
+    if (key.name === "enter" || key.name === "return") {
+      if (!pin)
+        return;
+      setVerifying(true);
+      verifyPin(vaultPath, pin).then((ok) => {
+        if (ok) {
+          onVerified(password);
+        } else {
+          onError("Wrong PIN");
+          setPin("");
+          setVerifying(false);
+        }
+      });
+      return;
+    }
+    if (key.name === "backspace") {
+      setPin((p) => p.slice(0, -1));
+      return;
+    }
+    if (key.ctrl || key.meta || key.name === "escape" || key.name === "tab" || key.name === "up" || key.name === "down" || key.name === "left" || key.name === "right" || key.name === "home" || key.name === "end" || key.name === "delete" || key.name === "insert" || key.name === "pageup" || key.name === "pagedown" || key.name.startsWith("f") && /^f\d+$/.test(key.name))
+      return;
+    const char = key.sequence;
+    if (char && char.length === 1 && char.charCodeAt(0) >= 32)
+      setPin((p) => p + char);
+  });
+  return /* @__PURE__ */ jsxDEV("box", {
+    flexDirection: "row",
+    gap: 1,
+    marginTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV("text", {
+        fg: "#AAAAAA",
+        children: "PIN      "
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV("box", {
+        backgroundColor: "#111111",
+        flexGrow: 1,
+        paddingX: 1,
+        height: 1,
+        children: /* @__PURE__ */ jsxDEV("text", {
+          fg: "#FFD700",
+          children: pin ? "*".repeat(pin.length) : ""
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      verifying ? /* @__PURE__ */ jsxDEV("text", {
+        fg: "#FFD700",
+        children: " ..."
+      }, undefined, false, undefined, this) : null
+    ]
+  }, undefined, true, undefined, this);
+}
+function TotpMethod({ onSubmit, onError: _onError }) {
+  const [code, setCode] = useState("");
+  const [remaining, setRemaining] = useState(0);
+  useEffect(() => {
+    const update = () => {
+      const secs = Math.ceil((30000 - Date.now() % 30000) / 1000);
+      setRemaining(secs);
+    };
+    update();
+    const interval = setInterval(update, 1000);
+    return () => clearInterval(interval);
+  }, []);
+  useKeyboard((key) => {
+    if (key.eventType !== "press" && key.eventType !== "repeat")
+      return;
+    if (key.name === "enter" || key.name === "return") {
+      if (code.length !== 6)
+        return;
+      onSubmit(code);
+      return;
+    }
+    if (key.name === "backspace") {
+      setCode((c) => c.slice(0, -1));
+      return;
+    }
+    if (key.ctrl || key.meta || key.name === "escape" || key.name === "tab" || key.name === "up" || key.name === "down" || key.name === "left" || key.name === "right" || key.name === "home" || key.name === "end" || key.name === "delete" || key.name === "insert" || key.name === "pageup" || key.name === "pagedown" || key.name.startsWith("f") && /^f\d+$/.test(key.name))
+      return;
+    const char = key.sequence;
+    if (char && /^\d$/.test(char) && code.length < 6) {
+      const next = code + char;
+      setCode(next);
+      if (next.length === 6) {
+        onSubmit(next);
+      }
+    }
+  });
+  return /* @__PURE__ */ jsxDEV("box", {
+    flexDirection: "column",
+    gap: 1,
+    marginTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV("box", {
+        flexDirection: "row",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV("text", {
+            fg: "#AAAAAA",
+            children: "Auth code "
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV("box", {
+            backgroundColor: "#111111",
+            flexGrow: 1,
+            paddingX: 1,
+            height: 1,
+            children: /* @__PURE__ */ jsxDEV("text", {
+              fg: "#FFD700",
+              children: code || "_".repeat(6)
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV("text", {
+            fg: remaining <= 5 ? "#FF4444" : "#555555",
+            children: [
+              " ",
+              remaining,
+              "s"
+            ]
+          }, undefined, true, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      /* @__PURE__ */ jsxDEV("text", {
+        fg: "#555555",
+        children: "Enter 6-digit authenticator code"
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function UnlockScreen({ onUnlock, vaultPath }) {
+  const [step, setStep] = useState("loading");
+  const [error, setError] = useState("");
+  const [password, setPasswordState] = useState("");
+  const [pinNeeded, setPinNeeded] = useState(false);
+  const [totpNeeded, setTotpNeeded] = useState(false);
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      const recoveryFile = process.env.AUTHO_RECOVERY_FILE;
+      if (recoveryFile) {
+        try {
+          const { readFileSync: readFileSync4 } = await import("fs");
+          const content = readFileSync4(recoveryFile, "utf8");
+          const lines = content.split(`
+`);
+          const idx = lines.findIndex((l) => l.trim() === "RECOVERY TOKEN:");
+          if (idx !== -1) {
+            const rawToken = lines.slice(idx + 1).find((l) => l.trim() !== "") ?? "";
+            const token = rawToken.replace(/-/g, "").toLowerCase();
+            if (token) {
+              const session = tryUnlockWithRecovery(vaultPath, token);
+              if (!cancelled && session) {
+                onUnlock(session);
+                return;
+              }
+              if (!cancelled)
+                setError("Recovery file failed \u2014 enter password instead");
+            } else {
+              if (!cancelled)
+                setError("Recovery file is malformed \u2014 enter password instead");
+            }
+          } else {
+            if (!cancelled)
+              setError("Recovery file is malformed \u2014 enter password instead");
+          }
+        } catch {
+          if (!cancelled)
+            setError("Recovery file could not be read \u2014 enter password instead");
+        }
+      }
+      const pinSet = await hasPinSet(vaultPath);
+      if (!cancelled)
+        setPinNeeded(pinSet);
+      const authConfig = VaultService.getAuthConfig(vaultPath);
+      if (!cancelled)
+        setTotpNeeded(authConfig?.totp !== undefined);
+      if (!pinSet) {
+        const pw = await loadVaultPassword(vaultPath);
+        if (!cancelled && pw && !authConfig?.totp) {
+          const session = tryUnlockWithPassword(vaultPath, pw);
+          if (!cancelled && session) {
+            onUnlock(session);
+            return;
+          }
+        }
+        if (!cancelled && pw) {
+          setPasswordState(pw);
+          if (!cancelled)
+            setStep(authConfig?.totp ? "totp" : "password");
+          return;
+        }
+      }
+      if (!cancelled)
+        setStep("password");
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [vaultPath, onUnlock]);
+  const doUnlock = useCallback((pw, totp) => {
+    const creds = { password: pw, totp };
+    try {
+      const session = VaultService.unlock(vaultPath, creds);
+      onUnlock(session);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+      setStep("password");
+      setPasswordState("");
+    }
+  }, [vaultPath, onUnlock]);
+  const handlePasswordSubmit = useCallback((pw) => {
+    setPasswordState(pw);
+    if (pinNeeded) {
+      setStep("pin");
+    } else if (totpNeeded) {
+      setStep("totp");
+    } else {
+      setStep("unlocking");
+      doUnlock(pw, undefined);
+    }
+  }, [pinNeeded, totpNeeded, doUnlock]);
+  const handlePinVerified = useCallback((pw) => {
+    if (totpNeeded) {
+      setStep("totp");
+    } else {
+      setStep("unlocking");
+      doUnlock(pw, undefined);
+    }
+  }, [totpNeeded, doUnlock]);
+  const handleTotpSubmit = useCallback((totp) => {
+    setStep("unlocking");
+    doUnlock(password, totp);
+  }, [password, doUnlock]);
+  if (step === "loading" || step === "unlocking") {
+    return /* @__PURE__ */ jsxDEV("box", {
+      flexDirection: "column",
+      alignItems: "center",
+      justifyContent: "center",
+      width: "100%",
+      height: "100%",
+      children: /* @__PURE__ */ jsxDEV("text", {
+        fg: "#FFD700",
+        children: step === "loading" ? "Unlocking..." : "Verifying..."
+      }, undefined, false, undefined, this)
+    }, undefined, false, undefined, this);
+  }
   return /* @__PURE__ */ jsxDEV("box", {
     flexDirection: "column",
     alignItems: "center",
@@ -1306,31 +2004,21 @@ function PasswordScreen({ onUnlock, vaultPath }) {
             children: error
           }, undefined, false, undefined, this)
         }, undefined, false, undefined, this) : null,
-        /* @__PURE__ */ jsxDEV("box", {
-          flexDirection: "row",
-          gap: 1,
-          marginTop: 1,
-          children: [
-            /* @__PURE__ */ jsxDEV("text", {
-              fg: "#AAAAAA",
-              children: "Password "
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV("box", {
-              backgroundColor: "#111111",
-              flexGrow: 1,
-              paddingX: 1,
-              height: 1,
-              children: /* @__PURE__ */ jsxDEV("text", {
-                fg: "#FFD700",
-                children: password ? "*".repeat(password.length) : ""
-              }, undefined, false, undefined, this)
-            }, undefined, false, undefined, this)
-          ]
-        }, undefined, true, undefined, this),
-        unlocking ? /* @__PURE__ */ jsxDEV("text", {
-          fg: "#FFD700",
-          children: "Unlocking..."
-        }, undefined, false, undefined, this) : /* @__PURE__ */ jsxDEV("text", {
+        step === "password" && /* @__PURE__ */ jsxDEV(PasswordMethod, {
+          vaultPath,
+          onSubmit: handlePasswordSubmit
+        }, undefined, false, undefined, this),
+        step === "pin" && /* @__PURE__ */ jsxDEV(PinMethod, {
+          vaultPath,
+          password,
+          onVerified: handlePinVerified,
+          onError: setError
+        }, undefined, false, undefined, this),
+        step === "totp" && /* @__PURE__ */ jsxDEV(TotpMethod, {
+          onSubmit: handleTotpSubmit,
+          onError: setError
+        }, undefined, false, undefined, this),
+        /* @__PURE__ */ jsxDEV("text", {
           fg: "#444444",
           children: "Enter to unlock | Ctrl+C to exit"
         }, undefined, false, undefined, this)
@@ -2322,7 +3010,7 @@ function EditScreen({ session, secret, onDone, onBack }) {
   }, undefined, true, undefined, this);
 }
 function App({ vaultPath }) {
-  const [screen, setScreen] = useState("password");
+  const [screen, setScreen] = useState("unlock");
   const [session, setSession] = useState(null);
   const [selectedSecret, setSelectedSecret] = useState(null);
   const { toast, show: showToast } = useToast();
@@ -2336,8 +3024,8 @@ function App({ vaultPath }) {
     goHome();
     showToast(msg, msg.startsWith("Error:") ? "error" : "success");
   }, [goHome, showToast]);
-  if (screen === "password") {
-    return /* @__PURE__ */ jsxDEV(PasswordScreen, {
+  if (screen === "unlock") {
+    return /* @__PURE__ */ jsxDEV(UnlockScreen, {
       vaultPath,
       onUnlock: (s) => {
         setSession(s);
@@ -2423,6 +3111,7 @@ async function runTui(vaultPath) {
 var EDIT_FIELDS;
 var init_tui = __esm(() => {
   init_src3();
+  init_os_secrets();
   EDIT_FIELDS = [
     { key: "name", label: "Name", forTypes: ["password", "note", "otp"] },
     { key: "value", label: "Value", forTypes: ["password", "note", "otp"] },
@@ -2434,11 +3123,30 @@ var init_tui = __esm(() => {
 // apps/cli/src/index.ts
 import { spawn } from "child_process";
-import { existsSync as existsSync4 } from "fs";
-import { createInterface } from "readline/promises";
-import { resolve as resolve3 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { createInterface as createInterface2 } from "readline/promises";
+import { resolve as resolve4 } from "path";
 // apps/cli/src/password.ts
+import { createInterface } from "readline/promises";
+async function readLine(prompt) {
+  if (!process.stdin.isTTY) {
+    throw new Error("Cannot read input: stdin is not a TTY");
+  }
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    return await rl.question(prompt);
+  } finally {
+    rl.close();
+  }
+}
+async function confirm(question, defaultYes = true) {
+  const hint = defaultYes ? "Y/n" : "y/N";
+  const answer = (await readLine(`${question} (${hint}) `)).trim().toLowerCase();
+  if (answer === "")
+    return defaultYes;
+  return answer === "y" || answer === "yes";
+}
 async function readPasswordMasked(prompt = "Master password: ") {
   if (!process.stdin.isTTY) {
     throw new Error("Cannot read password: stdin is not a TTY");
@@ -2480,9 +3188,8 @@ async function readPasswordMasked(prompt = "Master password: ") {
         }
         return;
       }
-      if (code === 27) {
+      if (code === 27)
         return;
-      }
       if (code >= 32) {
         password += char;
         process.stdout.write("*");
@@ -2861,6 +3568,7 @@ async function daemonStop(options) {
 // apps/cli/src/index.ts
 init_src3();
+init_os_secrets();
 function parseArgs(argv) {
   const dashDashIndex = argv.indexOf("--");
   const main = dashDashIndex === -1 ? argv : argv.slice(0, dashDashIndex);
@@ -2937,7 +3645,7 @@ function output(value, jsonMode = false) {
   console.log(value);
 }
 function absolutePath(path) {
-  return resolve3(path);
+  return resolve4(path);
 }
 function buildSecretMetadata(args) {
   return Object.fromEntries(Object.entries({
@@ -2957,7 +3665,7 @@ async function readBufferedStdin() {
 }
 async function createPromptAdapter() {
   if (process.stdin.isTTY) {
-    const rl = createInterface({
+    const rl = createInterface2({
       input: process.stdin,
       output: process.stdout
     });
@@ -3049,6 +3757,128 @@ async function runPromptMode(vaultPath, initialPassword) {
     prompt.close();
   }
 }
+async function resolveUnlockCredentials(vaultPath, args, existingPassword) {
+  let password = existingPassword ?? getString(args, "password") ?? process.env.AUTHO_MASTER_PASSWORD;
+  if (!password) {
+    password = await loadVaultPassword(vaultPath) ?? undefined;
+  }
+  if (!password && process.stdin.isTTY) {
+    password = await readPasswordMasked("Master password: ");
+  }
+  const creds = { password: required(password, "--password") };
+  if (await hasPinSet(vaultPath)) {
+    const pin = process.env.AUTHO_PIN ?? getString(args, "pin") ?? (process.stdin.isTTY ? await readPasswordMasked("PIN: ") : undefined);
+    if (!pin)
+      throw new Error("PIN is set on this vault \u2014 provide it with AUTHO_PIN, --pin, or interactively");
+    const ok = await verifyPin(vaultPath, pin);
+    if (!ok)
+      throw new Error("Wrong PIN");
+  }
+  const authConfig = VaultService.getAuthConfig(vaultPath);
+  if (authConfig?.totp) {
+    const totp = process.env.AUTHO_TOTP_CODE ?? getString(args, "totp") ?? (process.stdin.isTTY ? await readPasswordMasked("Authenticator code: ") : undefined);
+    if (!totp)
+      throw new Error("TOTP is enabled \u2014 provide a 6-digit code with AUTHO_TOTP_CODE, --totp, or interactively");
+    creds.totp = totp;
+  }
+  return creds;
+}
+function osKeychainName() {
+  const p = process.platform;
+  if (p === "darwin")
+    return "macOS Keychain";
+  if (p === "win32")
+    return "Windows Credential Manager";
+  return "Secret Service (libsecret)";
+}
+async function runInitWizard(vaultPath, password, existingCreds) {
+  const creds = existingCreds ?? { password };
+  console.log("");
+  if (!osSecretsDisabled()) {
+    const passwordStored = await loadVaultPassword(vaultPath) !== null;
+    if (passwordStored) {
+      console.log(`\x1B[32m\u2713\x1B[0m Master password is saved in ${osKeychainName()}.`);
+      if (await confirm("  Remove it?", false)) {
+        const deleted = await deleteVaultPassword(vaultPath);
+        console.log(deleted ? "  Removed." : "  Could not remove.");
+      }
+    } else {
+      console.log(`\x1B[33m?\x1B[0m Save master password to ${osKeychainName()}?`);
+      console.log("  This lets all vault commands unlock without prompting on this machine.");
+      if (await confirm("  Save to keychain?")) {
+        const stored = await storeVaultPassword(vaultPath, password);
+        console.log(stored ? "  \x1B[32m\u2713\x1B[0m Saved." : "  Could not save \u2014 OS secret store may be unavailable.");
+      } else {
+        console.log("  Skipped.");
+      }
+    }
+    console.log("");
+  }
+  if (!osSecretsDisabled()) {
+    const pinSet = await hasPinSet(vaultPath);
+    if (pinSet) {
+      console.log("\x1B[32m\u2713\x1B[0m PIN is set on this machine.");
+      if (await confirm("  Remove PIN?", false)) {
+        const pin = await readPasswordMasked("  Enter current PIN: ");
+        const ok = await verifyPin(vaultPath, pin);
+        if (ok) {
+          await deletePin(vaultPath);
+          console.log("  Removed.");
+        } else {
+          console.log("  Wrong PIN, not removed.");
+        }
+      }
+    } else {
+      if (await confirm("Set up a PIN for quick unlock on this machine?", false)) {
+        const newPin = await readPasswordMasked("  New PIN: ");
+        if (!newPin) {
+          console.log("  PIN cannot be empty, skipped.");
+        } else {
+          const confirmPin = await readPasswordMasked("  Confirm PIN: ");
+          if (newPin !== confirmPin) {
+            console.log("  PINs do not match, skipped.");
+          } else {
+            await storePinHash(vaultPath, newPin);
+            console.log("  \x1B[32m\u2713\x1B[0m PIN set.");
+          }
+        }
+      }
+    }
+    console.log("");
+  }
+  const authConfig = VaultService.getAuthConfig(vaultPath);
+  const totpEnabled = authConfig?.totp !== undefined;
+  if (totpEnabled) {
+    console.log("\x1B[32m\u2713\x1B[0m TOTP is enabled (authenticator app required to unlock).");
+    if (await confirm("  Disable TOTP?", false)) {
+      const code = await readPasswordMasked("  Enter current TOTP code: ");
+      try {
+        VaultService.removeTotp(vaultPath, { ...creds, totp: code });
+        console.log("  Disabled.");
+      } catch (e) {
+        console.log(`  Error: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+  } else {
+    if (await confirm("Enable TOTP (authenticator app verification)?", false)) {
+      const { secret, uri } = VaultService.setupTotp(vaultPath);
+      console.log("");
+      console.log(`  Secret: ${secret}`);
+      console.log(`  URI:    ${uri}`);
+      console.log("");
+      console.log("  Add this to your authenticator app, then enter the 6-digit code.");
+      const code = await readPasswordMasked("  Code: ");
+      try {
+        VaultService.enableTotp(vaultPath, creds, secret, code);
+        console.log("  \x1B[32m\u2713\x1B[0m TOTP enabled.");
+      } catch (e) {
+        console.log(`  Error: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+  }
+  console.log("");
+  console.log("Setup complete. Run \x1B[1mautho init\x1B[0m anytime to change these settings.");
+}
 async function runWebServer(vaultPath, args) {
   const commandArgs = [
     "run",
@@ -3118,15 +3948,32 @@ function help() {
     "  files encrypt --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
     "  files decrypt --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
     "  audit list [--limit <number>] [--vault <path>] [--json]",
+    "  recovery generate --output <path> [--vault <path>] [--json]",
+    "  recovery revoke [--vault <path>] [--json]",
+    "  unlock --recovery-file <path> [--vault <path>] [--json]",
+    "  os-secrets set --name <name> [--value <value>] [--json]",
+    "  os-secrets get --name <name> [--json]",
+    "  os-secrets delete --name <name> [--json]",
     "",
     "Authentication:",
     "  When running interactively (TTY), you will be securely prompted for your",
     "  master password with masked input (no --password flag needed).",
     "",
     "  For automation and coding agents, use one of:",
-    "    AUTHO_MASTER_PASSWORD=<value>    Environment variable (recommended for agents)",
+    "    autho init                        Setup wizard \u2014 choose to save password in OS keychain, set PIN, enable TOTP",
+    "    AUTHO_MASTER_PASSWORD=<value>    Environment variable (master password)",
+    "    AUTHO_PIN=<value>                Environment variable (PIN, if set on this machine)",
+    "    AUTHO_TOTP_CODE=<value>          Environment variable (TOTP code, if enabled)",
     "    --password <value>               CLI flag (visible in shell history - avoid!)",
     "",
+    "  Native OS secret store support (via Bun.secrets):",
+    "    macOS   \u2192 Keychain Services",
+    "    Linux   \u2192 libsecret / GNOME Keyring / KWallet",
+    "    Windows \u2192 Windows Credential Manager",
+    "",
+    "  The OS secret store is checked automatically before prompting.",
+    "  Set AUTHO_DISABLE_OS_SECRETS=1 to opt out.",
+    "",
     "Notes:",
     "  Running `autho` with no arguments opens the interactive TUI.",
     "  The default vault path is ~/.autho/vault.db (override with AUTHO_HOME).",
@@ -3145,6 +3992,9 @@ async function main() {
   const fallbackProjectFile = defaultProjectFilePath();
   const projectFile = explicitProjectFile ?? (existsSync4(fallbackProjectFile) ? fallbackProjectFile : undefined);
   let password = getString(args, "password") ?? process.env.AUTHO_MASTER_PASSWORD;
+  if (!password) {
+    password = await loadVaultPassword(vaultPath) ?? undefined;
+  }
   if (!scope) {
     if (process.stdin.isTTY) {
       const { runTui: runTui2 } = await Promise.resolve().then(() => (init_tui(), exports_tui));
@@ -3164,7 +4014,6 @@ async function main() {
   }
   if (!password && process.stdin.isTTY) {
     const needsPassword = [
-      "init",
       "secrets",
       "otp",
       "lease",
@@ -3173,7 +4022,9 @@ async function main() {
       "file",
       "files",
       "audit",
-      "import"
+      "import",
+      "recovery",
+      "unlock"
     ].includes(scope);
     const daemonNeedsPassword = scope === "daemon" && action === "unlock";
     if (needsPassword || daemonNeedsPassword) {
@@ -3181,7 +4032,21 @@ async function main() {
     }
   }
   if (scope === "init") {
-    output(VaultService.initialize(vaultPath, required(password, "--password")), jsonMode);
+    const existingStatus = VaultService.status(vaultPath);
+    if (!existingStatus.initialized) {
+      const pw = required(password, "--password");
+      output(VaultService.initialize(vaultPath, pw), jsonMode);
+      if (process.stdin.isTTY && !jsonMode) {
+        await runInitWizard(vaultPath, pw);
+      }
+    } else {
+      const creds2 = await resolveUnlockCredentials(vaultPath, args, password);
+      if (process.stdin.isTTY && !jsonMode) {
+        await runInitWizard(vaultPath, creds2.password, creds2);
+      } else {
+        console.log("Vault already initialized. Use interactive mode (TTY) to reconfigure.");
+      }
+    }
     return;
   }
   if (scope === "status") {
@@ -3199,6 +4064,31 @@ async function main() {
     }), jsonMode);
     return;
   }
+  if (scope === "os-secrets" && action === "set") {
+    const name = required(getString(args, "name"), "--name");
+    const value = getString(args, "value") ?? await readPasswordMasked(`Value for "${name}": `);
+    const stored = await setOsSecret(name, value);
+    if (!stored) {
+      throw new Error("OS secret store is unavailable on this system (try AUTHO_DISABLE_OS_SECRETS=1 to confirm, or check that a secret service daemon is running on Linux)");
+    }
+    output({ name, stored: true }, jsonMode);
+    return;
+  }
+  if (scope === "os-secrets" && action === "get") {
+    const name = required(getString(args, "name"), "--name");
+    const value = await getOsSecret(name);
+    if (value === null) {
+      throw new Error(`Secret "${name}" not found in OS secret store`);
+    }
+    output({ name, value }, jsonMode);
+    return;
+  }
+  if (scope === "os-secrets" && action === "delete") {
+    const name = required(getString(args, "name"), "--name");
+    const deleted = await deleteOsSecret(name);
+    output({ deleted, name }, jsonMode);
+    return;
+  }
   if (scope === "web" && action === "serve") {
     await runWebServer(vaultPath, args);
     return;
@@ -3256,7 +4146,44 @@ async function main() {
     process.stderr.write(result.stderr);
     process.exit(result.exitCode);
   }
-  const session = VaultService.unlock(vaultPath, required(password, "--password"));
+  if (scope === "recovery" && action === "generate") {
+    const outputPath = absolutePath(required(getString(args, "output"), "--output"));
+    const creds2 = await resolveUnlockCredentials(vaultPath, args, password);
+    const { fileContent } = VaultService.generateRecovery(vaultPath, creds2);
+    writeFileSync2(outputPath, fileContent, { encoding: "utf8", mode: 384 });
+    if (!jsonMode) {
+      console.log(`Recovery file written to ${outputPath}`);
+      console.log("WARNING: Anyone with this file can open your vault. Store it offline.");
+    } else {
+      output({ outputPath, written: true }, jsonMode);
+    }
+    return;
+  }
+  if (scope === "recovery" && action === "revoke") {
+    const creds2 = await resolveUnlockCredentials(vaultPath, args, password);
+    VaultService.revokeRecovery(vaultPath, creds2);
+    output({ revoked: true }, jsonMode);
+    return;
+  }
+  if (scope === "unlock" && getString(args, "recovery-file")) {
+    const recoveryFilePath = absolutePath(getString(args, "recovery-file"));
+    const content = readFileSync4(recoveryFilePath, "utf8");
+    const lines = content.split(`
+`);
+    const tokenLineIdx = lines.findIndex((l) => l.trim() === "RECOVERY TOKEN:");
+    if (tokenLineIdx === -1)
+      throw new Error("Invalid recovery file format");
+    const rawTokenLine = lines.slice(tokenLineIdx + 1).find((l) => l.trim() !== "") ?? "";
+    const token = rawTokenLine.replace(/-/g, "").toLowerCase();
+    if (!token)
+      throw new Error("Invalid recovery file format: missing token");
+    const recoverySession = VaultService.unlock(vaultPath, { password: "", recovery: token });
+    output({ unlocked: true, vaultPath }, jsonMode);
+    recoverySession.close();
+    return;
+  }
+  const creds = await resolveUnlockCredentials(vaultPath, args, password);
+  const session = VaultService.unlock(vaultPath, creds);
   try {
     if (scope === "import" && action === "legacy") {
       output(session.importLegacyFile(absolutePath(required(getString(args, "file"), "--file")), {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "autho",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "description": "Local-first secret manager for humans and coding agents, rebuilt on Bun",
   "type": "module",
   "bin": {