autho 3.0.0 → 3.0.2

package/dist/autho.js

@@ -15,6 +15,7 @@ var __export = (target, all) => {
     });
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
 
 // packages/storage/src/index.ts
 import { Database } from "bun:sqlite";
@@ -105,6 +106,13 @@ class AuthoDatabase {
   setVaultConfig(config) {
     this.db.query("INSERT OR REPLACE INTO meta (key, value) VALUES (?1, ?2)").run("vault.config", JSON.stringify(config));
   }
+  getVaultAuth() {
+    const row = this.db.query("SELECT value FROM meta WHERE key = ?1").get("vault.auth");
+    return row ? parseJson(row.value) : null;
+  }
+  setVaultAuth(auth) {
+    this.db.query("INSERT OR REPLACE INTO meta (key, value) VALUES (?1, ?2)").run("vault.auth", JSON.stringify(auth));
+  }
   countSecrets() {
     const row = this.db.query("SELECT COUNT(*) AS count FROM secrets").get();
     return row.count;
@@ -221,6 +229,7 @@ var init_src = () => {};
 import {
   createCipheriv,
   createDecipheriv,
+  createHmac,
   randomBytes,
   scryptSync
 } from "crypto";
@@ -280,6 +289,78 @@ function unlockRootKey(password, config) {
   const key = deriveKeyFromPassword(password, config.kdf);
   return decryptWithKey(config.wrappedRootKey, key, "autho:vault-root");
 }
+function decodeBase32(input) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const normalized = input.toUpperCase().replace(/=+$/g, "").replace(/\s+/g, "");
+  let bits = 0;
+  let value = 0;
+  const output = [];
+  for (const char of normalized) {
+    const index = alphabet.indexOf(char);
+    if (index === -1) {
+      throw new Error("OTP secret must be valid base32");
+    }
+    value = value << 5 | index;
+    bits += 5;
+    if (bits >= 8) {
+      output.push(value >>> bits - 8 & 255);
+      bits -= 8;
+    }
+  }
+  return Uint8Array.from(output);
+}
+function generateTotpCode(secret, options, now) {
+  const algorithm = (options?.algorithm ?? "sha1").toLowerCase();
+  const digits = options?.digits ?? 6;
+  const key = decodeBase32(secret);
+  const counter = Math.floor(now / 30000);
+  const message = Buffer.alloc(8);
+  let cursor = counter;
+  for (let index = 7;index >= 0; index -= 1) {
+    message[index] = cursor & 255;
+    cursor >>= 8;
+  }
+  const hash = createHmac(algorithm, Buffer.from(key)).update(message).digest();
+  const offset = hash[hash.length - 1] & 15;
+  const binary = (hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255;
+  const mod = 10 ** digits;
+  return String(binary % mod).padStart(digits, "0");
+}
+function generateTotpSecret() {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  const bytes = randomBytes(20);
+  let bits = 0;
+  let value = 0;
+  let result = "";
+  for (const byte of bytes) {
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      result += alphabet[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    result += alphabet[value << 5 - bits & 31];
+  }
+  return result;
+}
+function totpUri(secret, issuer, account) {
+  return `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(account)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
+}
+function verifyTotpCode(secret, code, opts) {
+  const digits = opts?.digits ?? 6;
+  if (code.length !== digits) {
+    return false;
+  }
+  const now = Date.now();
+  for (const offset of [-30000, 0, 30000]) {
+    if (generateTotpCode(secret, opts, now + offset) === code) {
+      return true;
+    }
+  }
+  return false;
+}
 var DEFAULT_KDF;
 var init_src2 = __esm(() => {
   DEFAULT_KDF = {
@@ -293,7 +374,7 @@ var init_src2 = __esm(() => {
 });
 
 // packages/core/src/paths.ts
-import { chmodSync as chmodSync2, mkdirSync as mkdirSync2, writeFileSync } from "fs";
+import { chmodSync as chmodSync2, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync, writeFileSync } from "fs";
 import { homedir } from "os";
 import { dirname as dirname2, join, resolve } from "path";
 function normalizePath(path) {
@@ -307,9 +388,51 @@ function tryChmod2(path, mode) {
     chmodSync2(path, mode);
   } catch {}
 }
-function authoHomeDir() {
+function authoConfigDir() {
   return normalizePath(process.env.AUTHO_HOME ?? join(homedir(), ".autho"));
 }
+function configFilePath() {
+  return normalizePath(join(authoConfigDir(), "config.json"));
+}
+function loadConfig() {
+  if (configCache.loaded)
+    return configCache.value ?? {};
+  const path = configFilePath();
+  if (!existsSync2(path)) {
+    configCache.loaded = true;
+    configCache.value = {};
+    return {};
+  }
+  try {
+    const raw = JSON.parse(readFileSync(path, "utf8"));
+    configCache.loaded = true;
+    configCache.value = raw;
+    return raw;
+  } catch {
+    configCache.loaded = true;
+    configCache.value = {};
+    return {};
+  }
+}
+function saveConfig(config) {
+  const path = configFilePath();
+  ensurePrivateParent(path);
+  writeFileSync(path, JSON.stringify(config, null, 2) + `
+`, { encoding: "utf8", mode: 384 });
+  hardenFilePermissions(path);
+  configCache.value = config;
+  configCache.loaded = true;
+}
+function authoHomeDir() {
+  if (process.env.AUTHO_HOME) {
+    return normalizePath(process.env.AUTHO_HOME);
+  }
+  const config = loadConfig();
+  if (config.vaultDir) {
+    return normalizePath(config.vaultDir);
+  }
+  return normalizePath(join(homedir(), ".autho"));
+}
 function defaultVaultPath() {
   return normalizePath(join(authoHomeDir(), "vault.db"));
 }
@@ -339,13 +462,16 @@ function writeBinaryFileSecure(path, content) {
   writeFileSync(path, content, { mode: 384 });
   hardenFilePermissions(path);
 }
-var init_paths = () => {};
+var configCache;
+var init_paths = __esm(() => {
+  configCache = { value: null, loaded: false };
+});
 
 // packages/core/src/artifacts.ts
 import { randomBytes as randomBytes2 } from "crypto";
 import {
   readdirSync,
-  readFileSync,
+  readFileSync as readFileSync2,
   statSync
 } from "fs";
 import { basename, join as join2, relative, resolve as resolve2, sep } from "path";
@@ -381,7 +507,7 @@ function defaultDecryptedFolderPath(inputPath) {
 }
 function encryptFileArtifact(inputPath, outputPath, rootKey) {
   const fileKey = randomBytes2(32);
-  const payload = encryptWithKey(readFileSync(inputPath), fileKey, `autho:file:${basename(inputPath)}`);
+  const payload = encryptWithKey(readFileSync2(inputPath), fileKey, `autho:file:${basename(inputPath)}`);
   const envelope = {
     kind: "file",
     originalName: basename(inputPath),
@@ -393,7 +519,7 @@ function encryptFileArtifact(inputPath, outputPath, rootKey) {
   return { outputPath };
 }
 function decryptFileArtifact(inputPath, outputPath, rootKey) {
-  const envelope = JSON.parse(readFileSync(inputPath, "utf8"));
+  const envelope = JSON.parse(readFileSync2(inputPath, "utf8"));
   if (envelope.kind !== "file" || envelope.version !== 1) {
     throw new Error(`Unsupported file artifact: ${inputPath}`);
   }
@@ -411,7 +537,7 @@ function encryptFolderArtifact(inputPath, outputPath, rootKey) {
       const relativePath = normalizeRelativePath(relative(inputPath, filePath));
       return {
         path: relativePath,
-        payload: encryptWithKey(readFileSync(filePath), folderKey, `autho:folder:${relativePath}`)
+        payload: encryptWithKey(readFileSync2(filePath), folderKey, `autho:folder:${relativePath}`)
       };
     }),
     kind: "folder",
@@ -426,7 +552,7 @@ function encryptFolderArtifact(inputPath, outputPath, rootKey) {
   };
 }
 function decryptFolderArtifact(inputPath, outputPath, rootKey) {
-  const envelope = JSON.parse(readFileSync(inputPath, "utf8"));
+  const envelope = JSON.parse(readFileSync2(inputPath, "utf8"));
   if (envelope.kind !== "folder" || envelope.version !== 1) {
     throw new Error(`Unsupported folder artifact: ${inputPath}`);
   }
@@ -465,10 +591,10 @@ var init_artifacts = __esm(() => {
 
 // packages/core/src/index.ts
 import { spawnSync } from "child_process";
-import { createHmac, randomBytes as randomBytes3 } from "crypto";
+import { createHmac as createHmac2, randomBytes as randomBytes3 } from "crypto";
 import {
-  existsSync as existsSync2,
-  readFileSync as readFileSync2
+  existsSync as existsSync3,
+  readFileSync as readFileSync3
 } from "fs";
 import { basename as basename2 } from "path";
 function requireValue(value, label) {
@@ -477,7 +603,7 @@ function requireValue(value, label) {
   }
   return value;
 }
-function decodeBase32(input) {
+function decodeBase322(input) {
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
   const normalized = input.toUpperCase().replace(/=+$/g, "").replace(/\s+/g, "");
   let bits = 0;
@@ -500,7 +626,7 @@ function decodeBase32(input) {
 function generateTotp(secret, options, now = Date.now()) {
   const algorithm = (options?.algorithm ?? "sha1").toLowerCase();
   const digits = options?.digits ?? 6;
-  const key = decodeBase32(secret);
+  const key = decodeBase322(secret);
   const counter = Math.floor(now / 30000);
   const message = Buffer.alloc(8);
   let cursor = counter;
@@ -508,7 +634,7 @@ function generateTotp(secret, options, now = Date.now()) {
     message[index] = cursor & 255;
     cursor >>= 8;
   }
-  const hash = createHmac(algorithm, Buffer.from(key)).update(message).digest();
+  const hash = createHmac2(algorithm, Buffer.from(key)).update(message).digest();
   const offset = hash[hash.length - 1] & 15;
   const binary = (hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255;
   const mod = 10 ** digits;
@@ -523,7 +649,7 @@ function normalizeSecretType(type) {
   throw new Error(`Unsupported secret type: ${type}`);
 }
 function parseProjectMappings(projectFile) {
-  const raw = JSON.parse(readFileSync2(projectFile, "utf8"));
+  const raw = JSON.parse(readFileSync3(projectFile, "utf8"));
   return Object.entries(raw.env ?? {}).map(([envName, secretRef]) => ({
     envName,
     secretRef
@@ -601,7 +727,7 @@ function summarizeCommand(cmd) {
   };
 }
 function projectMappingsForStatus(projectFile) {
-  if (!projectFile || !existsSync2(projectFile)) {
+  if (!projectFile || !existsSync3(projectFile)) {
     return {
       mappings: [],
       path: projectFile ?? null
@@ -624,7 +750,7 @@ function resolveMappings(options) {
     };
   });
   if (options.projectFile) {
-    if (!existsSync2(options.projectFile)) {
+    if (!existsSync3(options.projectFile)) {
       throw new Error(`Project mapping file not found: ${options.projectFile}`);
     }
     return [...parseProjectMappings(options.projectFile), ...fromMaps];
@@ -635,7 +761,7 @@ function writeProjectConfig(input) {
   if (input.mappings.length === 0) {
     throw new Error("Provide at least one env mapping");
   }
-  if (!input.force && existsSync2(input.outputPath)) {
+  if (!input.force && existsSync3(input.outputPath)) {
     throw new Error(`Project config already exists: ${input.outputPath}`);
   }
   const env = Object.fromEntries(input.mappings.map((mapping) => [mapping.envName, mapping.secretRef]));
@@ -710,21 +836,212 @@ class VaultService {
       db.close();
     }
   }
-  static unlock(vaultPath, password) {
+  static unlock(vaultPath, credentials) {
+    const creds = typeof credentials === "string" ? { password: credentials } : credentials;
     const db = new AuthoDatabase(vaultPath);
     const config = db.getVaultConfig();
     if (!config) {
       db.close();
       throw new Error(`Vault is not initialized at ${vaultPath}`);
     }
+    const vaultAuth = db.getVaultAuth();
+    if (creds.recovery) {
+      if (!vaultAuth?.recovery) {
+        db.close();
+        throw new Error("No recovery token configured for this vault");
+      }
+      try {
+        const recoveryKEK = deriveKeyFromPassword(creds.recovery, vaultAuth.recovery.kdf);
+        const rootKey = decryptWithKey(vaultAuth.recovery.wrappedRootKey, recoveryKEK, "autho:vault-recovery");
+        db.insertAudit({
+          createdAt: new Date().toISOString(),
+          eventType: "auth.unlock.recovery",
+          id: randomId(),
+          message: "Vault unlocked via recovery file",
+          metadata: JSON.stringify({}),
+          subjectRef: null,
+          subjectType: "vault"
+        });
+        return new VaultSession(db, rootKey);
+      } catch (error) {
+        db.close();
+        throw new Error("Invalid recovery token", { cause: error });
+      }
+    }
     try {
-      const rootKey = unlockRootKey(password, config);
+      const passwordKEK = deriveKeyFromPassword(creds.password, config.kdf);
+      if (vaultAuth?.totp) {
+        const totpSecret = decryptWithKey(vaultAuth.totp.encryptedSecret, passwordKEK, "autho:vault-totp").toString("utf8");
+        if (!creds.totp || !verifyTotpCode(totpSecret, creds.totp)) {
+          throw new Error("Invalid or missing TOTP code");
+        }
+      }
+      const rootKey = decryptWithKey(config.wrappedRootKey, passwordKEK, "autho:vault-root");
       return new VaultSession(db, rootKey);
     } catch (error) {
       db.close();
+      if (error instanceof Error && error.message === "Invalid or missing TOTP code") {
+        throw error;
+      }
       throw new Error("Invalid vault password", { cause: error });
     }
   }
+  static getAuthConfig(vaultPath) {
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      return db.getVaultAuth();
+    } finally {
+      db.close();
+    }
+  }
+  static setupTotp(vaultPath) {
+    const secret = generateTotpSecret();
+    const uri = totpUri(secret, "autho", vaultPath);
+    return { secret, uri };
+  }
+  static enableTotp(vaultPath, credentials, secret, code) {
+    if (!verifyTotpCode(secret, code)) {
+      throw new Error("Invalid TOTP code \u2014 make sure your authenticator app is showing the right code");
+    }
+    const session = VaultService.unlock(vaultPath, credentials);
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const config = db.getVaultConfig();
+      const passwordKEK = deriveKeyFromPassword(credentials.password, config.kdf);
+      const encryptedSecret = encryptWithKey(Buffer.from(secret, "utf8"), passwordKEK, "autho:vault-totp");
+      const existing = db.getVaultAuth();
+      db.setVaultAuth({
+        version: 1,
+        ...existing,
+        totp: {
+          algorithm: "SHA1",
+          digits: 6,
+          encryptedSecret,
+          period: 30
+        }
+      });
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.totp.enabled",
+        id: randomId(),
+        message: "TOTP vault unlock enabled",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+    } finally {
+      db.close();
+    }
+  }
+  static removeTotp(vaultPath, credentials) {
+    const session = VaultService.unlock(vaultPath, credentials);
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const existing = db.getVaultAuth();
+      if (existing) {
+        const { totp: _removed, ...rest } = existing;
+        db.setVaultAuth({ ...rest, version: 1 });
+      }
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.totp.removed",
+        id: randomId(),
+        message: "TOTP vault unlock removed",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+    } finally {
+      db.close();
+    }
+  }
+  static generateRecovery(vaultPath, credentials) {
+    const session = VaultService.unlock(vaultPath, credentials);
+    const rootKey = session.getRootKey();
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const tokenBytes = randomBytes3(32);
+      const token = tokenBytes.toString("hex");
+      const recoverySalt = randomBytes3(16).toString("base64");
+      const recoveryKdf = {
+        keyLength: 32,
+        name: "scrypt",
+        salt: recoverySalt,
+        N: 1 << 17,
+        p: 1,
+        r: 8
+      };
+      const recoveryKEK = deriveKeyFromPassword(token, recoveryKdf);
+      const wrappedRootKey = encryptWithKey(rootKey, recoveryKEK, "autho:vault-recovery");
+      const existing = db.getVaultAuth();
+      db.setVaultAuth({
+        version: 1,
+        ...existing,
+        recovery: {
+          createdAt: new Date().toISOString(),
+          kdf: recoveryKdf,
+          wrappedRootKey
+        }
+      });
+      const formattedToken = token.toUpperCase().match(/.{1,8}/g).join("-");
+      const fileContent = [
+        "================================================================================",
+        "AUTHO VAULT RECOVERY FILE",
+        "================================================================================",
+        `Generated : ${new Date().toISOString()}`,
+        `Vault     : ${vaultPath}`,
+        "",
+        "WARNING: Anyone with this file can open your vault regardless of password,",
+        "PIN, or authenticator app. Store it offline (printed paper, encrypted USB,",
+        "safety deposit box). Revoke with: autho recovery revoke",
+        "",
+        "RECOVERY TOKEN:",
+        formattedToken,
+        "",
+        "To use: autho unlock --recovery-file <path-to-this-file>",
+        "================================================================================"
+      ].join(`
+`);
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.recovery.generated",
+        id: randomId(),
+        message: "Recovery file generated",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+      return { fileContent };
+    } finally {
+      db.close();
+    }
+  }
+  static revokeRecovery(vaultPath, credentials) {
+    const session = VaultService.unlock(vaultPath, credentials);
+    session.close();
+    const db = new AuthoDatabase(vaultPath);
+    try {
+      const existing = db.getVaultAuth();
+      if (existing) {
+        const { recovery: _removed, ...rest } = existing;
+        db.setVaultAuth({ ...rest, version: 1 });
+      }
+      db.insertAudit({
+        createdAt: new Date().toISOString(),
+        eventType: "auth.recovery.revoked",
+        id: randomId(),
+        message: "Recovery file revoked",
+        metadata: JSON.stringify({}),
+        subjectRef: null,
+        subjectType: "vault"
+      });
+    } finally {
+      db.close();
+    }
+  }
 }
 
 class VaultSession {
@@ -734,6 +1051,9 @@ class VaultSession {
     this.db = db;
     this.rootKey = rootKey;
   }
+  getRootKey() {
+    return Buffer.from(this.rootKey);
+  }
   close() {
     this.db.close();
   }
@@ -882,7 +1202,7 @@ class VaultSession {
     };
   }
   importLegacyFile(filePath, options) {
-    const raw = JSON.parse(readFileSync2(filePath, "utf8"));
+    const raw = JSON.parse(readFileSync3(filePath, "utf8"));
     let imported = 0;
     let skipped = 0;
     for (const entry of raw) {
@@ -1015,7 +1335,7 @@ class VaultSession {
   }
   syncEnvFile(input) {
     const env = this.buildEnv(input.mappings, input.leaseId);
-    if (!input.force && existsSync2(input.outputPath)) {
+    if (!input.force && existsSync3(input.outputPath)) {
       throw new Error(`Env file already exists: ${input.outputPath}`);
     }
     const createdAt = new Date().toISOString();
@@ -1067,7 +1387,7 @@ class VaultSession {
   encryptFile(inputPath, outputPath, options) {
     assertPathIsFile(inputPath);
     const resolvedOutput = outputPath ?? defaultEncryptedFilePath(inputPath);
-    if (!options?.force && existsSync2(resolvedOutput)) {
+    if (!options?.force && existsSync3(resolvedOutput)) {
       throw new Error(`Output file already exists: ${resolvedOutput}`);
     }
     const result = encryptFileArtifact(inputPath, resolvedOutput, this.rootKey);
@@ -1079,7 +1399,7 @@ class VaultSession {
   decryptFile(inputPath, outputPath, options) {
     assertPathIsFile(inputPath);
     const resolvedOutput = outputPath ?? defaultDecryptedFilePath(inputPath);
-    if (!options?.force && existsSync2(resolvedOutput)) {
+    if (!options?.force && existsSync3(resolvedOutput)) {
       throw new Error(`Output file already exists: ${resolvedOutput}`);
     }
     const result = decryptFileArtifact(inputPath, resolvedOutput, this.rootKey);
@@ -1091,7 +1411,7 @@ class VaultSession {
   encryptFolder(inputPath, outputPath, options) {
     assertPathIsDirectory(inputPath);
     const resolvedOutput = outputPath ?? defaultEncryptedFolderPath(inputPath);
-    if (!options?.force && existsSync2(resolvedOutput)) {
+    if (!options?.force && existsSync3(resolvedOutput)) {
       throw new Error(`Output file already exists: ${resolvedOutput}`);
     }
     const result = encryptFolderArtifact(inputPath, resolvedOutput, this.rootKey);
@@ -1104,7 +1424,7 @@ class VaultSession {
   decryptFolder(inputPath, outputPath, options) {
     assertPathIsFile(inputPath);
     const resolvedOutput = outputPath ?? defaultDecryptedFolderPath(inputPath);
-    if (!options?.force && existsSync2(resolvedOutput)) {
+    if (!options?.force && existsSync3(resolvedOutput)) {
       throw new Error(`Output path already exists: ${resolvedOutput}`);
     }
     const result = decryptFolderArtifact(inputPath, resolvedOutput, this.rootKey);
@@ -1126,6 +1446,146 @@ var init_src3 = __esm(() => {
   init_paths();
 });
 
+// packages/core/src/os-secrets.ts
+import { createHash as createHash2, randomBytes as randomBytes4, scryptSync as scryptSync2, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { resolve as resolve3 } from "path";
+function vaultPasswordName(vaultPath) {
+  return createHash2("sha256").update(resolve3(vaultPath)).digest("hex");
+}
+function osSecretsDisabled() {
+  return process.env.AUTHO_DISABLE_OS_SECRETS === "1";
+}
+async function storeVaultPassword(vaultPath, password) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    await Bun.secrets.set({
+      name: vaultPasswordName(vaultPath),
+      service: VAULT_PASSWORD_SERVICE,
+      value: password
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function loadVaultPassword(vaultPath) {
+  if (osSecretsDisabled()) {
+    return null;
+  }
+  try {
+    const password = await Bun.secrets.get({
+      name: vaultPasswordName(vaultPath),
+      service: VAULT_PASSWORD_SERVICE
+    });
+    return password ?? null;
+  } catch {
+    return null;
+  }
+}
+async function deleteVaultPassword(vaultPath) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    return await Bun.secrets.delete({
+      name: vaultPasswordName(vaultPath),
+      service: VAULT_PASSWORD_SERVICE
+    });
+  } catch {
+    return false;
+  }
+}
+async function setOsSecret(name, value) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    await Bun.secrets.set({ name, service: USER_SECRETS_SERVICE, value });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function getOsSecret(name) {
+  if (osSecretsDisabled()) {
+    return null;
+  }
+  try {
+    const value = await Bun.secrets.get({ name, service: USER_SECRETS_SERVICE });
+    return value ?? null;
+  } catch {
+    return null;
+  }
+}
+async function deleteOsSecret(name) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    return await Bun.secrets.delete({ name, service: USER_SECRETS_SERVICE });
+  } catch {
+    return false;
+  }
+}
+async function storePinHash(vaultPath, pin) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    const salt = randomBytes4(16);
+    const hash = scryptSync2(pin, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
+    const value = `${salt.toString("base64")}:${hash.toString("base64")}`;
+    await Bun.secrets.set({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE, value });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function verifyPin(vaultPath, pin) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    const stored = await Bun.secrets.get({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE });
+    if (!stored)
+      return false;
+    const colonIdx = stored.indexOf(":");
+    if (colonIdx === -1)
+      return false;
+    const salt = Buffer.from(stored.slice(0, colonIdx), "base64");
+    const expectedHash = Buffer.from(stored.slice(colonIdx + 1), "base64");
+    const actualHash = scryptSync2(pin, salt, 32, { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
+    return timingSafeEqual2(actualHash, expectedHash);
+  } catch {
+    return false;
+  }
+}
+async function hasPinSet(vaultPath) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    const stored = await Bun.secrets.get({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE });
+    return stored != null;
+  } catch {
+    return false;
+  }
+}
+async function deletePin(vaultPath) {
+  if (osSecretsDisabled()) {
+    return false;
+  }
+  try {
+    return await Bun.secrets.delete({ name: vaultPasswordName(vaultPath), service: PIN_SERVICE });
+  } catch {
+    return false;
+  }
+}
+var VAULT_PASSWORD_SERVICE = "autho.vault", USER_SECRETS_SERVICE = "autho", PIN_SERVICE = "autho.pin";
+var init_os_secrets = () => {};
+
 // apps/cli/src/tui.tsx
 var exports_tui = {};
 __export(exports_tui, {
@@ -1240,28 +1700,33 @@ function useToast() {
   }, []);
   return { toast, show };
 }
-function PasswordScreen({ onUnlock, vaultPath }) {
+function tryUnlockWithPassword(vaultPath, password) {
+  try {
+    return VaultService.unlock(vaultPath, { password });
+  } catch {
+    return null;
+  }
+}
+function tryUnlockWithRecovery(vaultPath, token) {
+  try {
+    return VaultService.unlock(vaultPath, { password: "", recovery: token });
+  } catch {
+    return null;
+  }
+}
+function PasswordMethod({ onSubmit, vaultPath: _vaultPath }) {
   const [password, setPassword] = useState("");
-  const [error, setError] = useState("");
-  const [unlocking, setUnlocking] = useState(false);
+  const [submitting, setSubmitting] = useState(false);
   useKeyboard((key) => {
     if (key.eventType !== "press" && key.eventType !== "repeat")
       return;
-    if (unlocking)
+    if (submitting)
       return;
     if (key.name === "enter" || key.name === "return") {
       if (!password)
         return;
-      setUnlocking(true);
-      setError("");
-      try {
-        const session = VaultService.unlock(vaultPath, password);
-        onUnlock(session);
-      } catch {
-        setError("Wrong password");
-        setPassword("");
-        setUnlocking(false);
-      }
+      setSubmitting(true);
+      onSubmit(password);
       return;
     }
     if (key.name === "backspace") {
@@ -1274,6 +1739,284 @@ function PasswordScreen({ onUnlock, vaultPath }) {
     if (char && char.length === 1 && char.charCodeAt(0) >= 32)
       setPassword((p) => p + char);
   });
+  return /* @__PURE__ */ jsxDEV("box", {
+    flexDirection: "row",
+    gap: 1,
+    marginTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV("text", {
+        fg: "#AAAAAA",
+        children: "Password "
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV("box", {
+        backgroundColor: "#111111",
+        flexGrow: 1,
+        paddingX: 1,
+        height: 1,
+        children: /* @__PURE__ */ jsxDEV("text", {
+          fg: "#FFD700",
+          children: password ? "*".repeat(password.length) : ""
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      submitting ? /* @__PURE__ */ jsxDEV("text", {
+        fg: "#FFD700",
+        children: " ..."
+      }, undefined, false, undefined, this) : null
+    ]
+  }, undefined, true, undefined, this);
+}
+function PinMethod({ vaultPath, password, onVerified, onError }) {
+  const [pin, setPin] = useState("");
+  const [verifying, setVerifying] = useState(false);
+  useKeyboard((key) => {
+    if (key.eventType !== "press" && key.eventType !== "repeat")
+      return;
+    if (verifying)
+      return;
+    if (key.name === "enter" || key.name === "return") {
+      if (!pin)
+        return;
+      setVerifying(true);
+      verifyPin(vaultPath, pin).then((ok) => {
+        if (ok) {
+          onVerified(password);
+        } else {
+          onError("Wrong PIN");
+          setPin("");
+          setVerifying(false);
+        }
+      });
+      return;
+    }
+    if (key.name === "backspace") {
+      setPin((p) => p.slice(0, -1));
+      return;
+    }
+    if (key.ctrl || key.meta || key.name === "escape" || key.name === "tab" || key.name === "up" || key.name === "down" || key.name === "left" || key.name === "right" || key.name === "home" || key.name === "end" || key.name === "delete" || key.name === "insert" || key.name === "pageup" || key.name === "pagedown" || key.name.startsWith("f") && /^f\d+$/.test(key.name))
+      return;
+    const char = key.sequence;
+    if (char && char.length === 1 && char.charCodeAt(0) >= 32)
+      setPin((p) => p + char);
+  });
+  return /* @__PURE__ */ jsxDEV("box", {
+    flexDirection: "row",
+    gap: 1,
+    marginTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV("text", {
+        fg: "#AAAAAA",
+        children: "PIN      "
+      }, undefined, false, undefined, this),
+      /* @__PURE__ */ jsxDEV("box", {
+        backgroundColor: "#111111",
+        flexGrow: 1,
+        paddingX: 1,
+        height: 1,
+        children: /* @__PURE__ */ jsxDEV("text", {
+          fg: "#FFD700",
+          children: pin ? "*".repeat(pin.length) : ""
+        }, undefined, false, undefined, this)
+      }, undefined, false, undefined, this),
+      verifying ? /* @__PURE__ */ jsxDEV("text", {
+        fg: "#FFD700",
+        children: " ..."
+      }, undefined, false, undefined, this) : null
+    ]
+  }, undefined, true, undefined, this);
+}
+function TotpMethod({ onSubmit, onError: _onError }) {
+  const [code, setCode] = useState("");
+  const [remaining, setRemaining] = useState(0);
+  useEffect(() => {
+    const update = () => {
+      const secs = Math.ceil((30000 - Date.now() % 30000) / 1000);
+      setRemaining(secs);
+    };
+    update();
+    const interval = setInterval(update, 1000);
+    return () => clearInterval(interval);
+  }, []);
+  useKeyboard((key) => {
+    if (key.eventType !== "press" && key.eventType !== "repeat")
+      return;
+    if (key.name === "enter" || key.name === "return") {
+      if (code.length !== 6)
+        return;
+      onSubmit(code);
+      return;
+    }
+    if (key.name === "backspace") {
+      setCode((c) => c.slice(0, -1));
+      return;
+    }
+    if (key.ctrl || key.meta || key.name === "escape" || key.name === "tab" || key.name === "up" || key.name === "down" || key.name === "left" || key.name === "right" || key.name === "home" || key.name === "end" || key.name === "delete" || key.name === "insert" || key.name === "pageup" || key.name === "pagedown" || key.name.startsWith("f") && /^f\d+$/.test(key.name))
+      return;
+    const char = key.sequence;
+    if (char && /^\d$/.test(char) && code.length < 6) {
+      const next = code + char;
+      setCode(next);
+      if (next.length === 6) {
+        onSubmit(next);
+      }
+    }
+  });
+  return /* @__PURE__ */ jsxDEV("box", {
+    flexDirection: "column",
+    gap: 1,
+    marginTop: 1,
+    children: [
+      /* @__PURE__ */ jsxDEV("box", {
+        flexDirection: "row",
+        gap: 1,
+        children: [
+          /* @__PURE__ */ jsxDEV("text", {
+            fg: "#AAAAAA",
+            children: "Auth code "
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV("box", {
+            backgroundColor: "#111111",
+            flexGrow: 1,
+            paddingX: 1,
+            height: 1,
+            children: /* @__PURE__ */ jsxDEV("text", {
+              fg: "#FFD700",
+              children: code || "_".repeat(6)
+            }, undefined, false, undefined, this)
+          }, undefined, false, undefined, this),
+          /* @__PURE__ */ jsxDEV("text", {
+            fg: remaining <= 5 ? "#FF4444" : "#555555",
+            children: [
+              " ",
+              remaining,
+              "s"
+            ]
+          }, undefined, true, undefined, this)
+        ]
+      }, undefined, true, undefined, this),
+      /* @__PURE__ */ jsxDEV("text", {
+        fg: "#555555",
+        children: "Enter 6-digit authenticator code"
+      }, undefined, false, undefined, this)
+    ]
+  }, undefined, true, undefined, this);
+}
+function UnlockScreen({ onUnlock, vaultPath }) {
+  const [step, setStep] = useState("loading");
+  const [error, setError] = useState("");
+  const [password, setPasswordState] = useState("");
+  const [pinNeeded, setPinNeeded] = useState(false);
+  const [totpNeeded, setTotpNeeded] = useState(false);
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      const recoveryFile = process.env.AUTHO_RECOVERY_FILE;
+      if (recoveryFile) {
+        try {
+          const { readFileSync: readFileSync5 } = await import("fs");
+          const content = readFileSync5(recoveryFile, "utf8");
+          const lines = content.split(`
+`);
+          const idx = lines.findIndex((l) => l.trim() === "RECOVERY TOKEN:");
+          if (idx !== -1) {
+            const rawToken = lines.slice(idx + 1).find((l) => l.trim() !== "") ?? "";
+            const token = rawToken.replace(/-/g, "").toLowerCase();
+            if (token) {
+              const session = tryUnlockWithRecovery(vaultPath, token);
+              if (!cancelled && session) {
+                onUnlock(session);
+                return;
+              }
+              if (!cancelled)
+                setError("Recovery file failed \u2014 enter password instead");
+            } else {
+              if (!cancelled)
+                setError("Recovery file is malformed \u2014 enter password instead");
+            }
+          } else {
+            if (!cancelled)
+              setError("Recovery file is malformed \u2014 enter password instead");
+          }
+        } catch {
+          if (!cancelled)
+            setError("Recovery file could not be read \u2014 enter password instead");
+        }
+      }
+      const pinSet = await hasPinSet(vaultPath);
+      if (!cancelled)
+        setPinNeeded(pinSet);
+      const authConfig = VaultService.getAuthConfig(vaultPath);
+      if (!cancelled)
+        setTotpNeeded(authConfig?.totp !== undefined);
+      if (!pinSet) {
+        const pw = await loadVaultPassword(vaultPath);
+        if (!cancelled && pw && !authConfig?.totp) {
+          const session = tryUnlockWithPassword(vaultPath, pw);
+          if (!cancelled && session) {
+            onUnlock(session);
+            return;
+          }
+        }
+        if (!cancelled && pw) {
+          setPasswordState(pw);
+          if (!cancelled)
+            setStep(authConfig?.totp ? "totp" : "password");
+          return;
+        }
+      }
+      if (!cancelled)
+        setStep("password");
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [vaultPath, onUnlock]);
+  const doUnlock = useCallback((pw, totp) => {
+    const creds = { password: pw, totp };
+    try {
+      const session = VaultService.unlock(vaultPath, creds);
+      onUnlock(session);
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+      setStep("password");
+      setPasswordState("");
+    }
+  }, [vaultPath, onUnlock]);
+  const handlePasswordSubmit = useCallback((pw) => {
+    setPasswordState(pw);
+    if (pinNeeded) {
+      setStep("pin");
+    } else if (totpNeeded) {
+      setStep("totp");
+    } else {
+      setStep("unlocking");
+      doUnlock(pw, undefined);
+    }
+  }, [pinNeeded, totpNeeded, doUnlock]);
+  const handlePinVerified = useCallback((pw) => {
+    if (totpNeeded) {
+      setStep("totp");
+    } else {
+      setStep("unlocking");
+      doUnlock(pw, undefined);
+    }
+  }, [totpNeeded, doUnlock]);
+  const handleTotpSubmit = useCallback((totp) => {
+    setStep("unlocking");
+    doUnlock(password, totp);
+  }, [password, doUnlock]);
+  if (step === "loading" || step === "unlocking") {
+    return /* @__PURE__ */ jsxDEV("box", {
+      flexDirection: "column",
+      alignItems: "center",
+      justifyContent: "center",
+      width: "100%",
+      height: "100%",
+      children: /* @__PURE__ */ jsxDEV("text", {
+        fg: "#FFD700",
+        children: step === "loading" ? "Unlocking..." : "Verifying..."
+      }, undefined, false, undefined, this)
+    }, undefined, false, undefined, this);
+  }
   return /* @__PURE__ */ jsxDEV("box", {
     flexDirection: "column",
     alignItems: "center",
@@ -1306,31 +2049,21 @@ function PasswordScreen({ onUnlock, vaultPath }) {
             children: error
           }, undefined, false, undefined, this)
         }, undefined, false, undefined, this) : null,
-        /* @__PURE__ */ jsxDEV("box", {
-          flexDirection: "row",
-          gap: 1,
-          marginTop: 1,
-          children: [
-            /* @__PURE__ */ jsxDEV("text", {
-              fg: "#AAAAAA",
-              children: "Password "
-            }, undefined, false, undefined, this),
-            /* @__PURE__ */ jsxDEV("box", {
-              backgroundColor: "#111111",
-              flexGrow: 1,
-              paddingX: 1,
-              height: 1,
-              children: /* @__PURE__ */ jsxDEV("text", {
-                fg: "#FFD700",
-                children: password ? "*".repeat(password.length) : ""
-              }, undefined, false, undefined, this)
-            }, undefined, false, undefined, this)
-          ]
-        }, undefined, true, undefined, this),
-        unlocking ? /* @__PURE__ */ jsxDEV("text", {
-          fg: "#FFD700",
-          children: "Unlocking..."
-        }, undefined, false, undefined, this) : /* @__PURE__ */ jsxDEV("text", {
+        step === "password" && /* @__PURE__ */ jsxDEV(PasswordMethod, {
+          vaultPath,
+          onSubmit: handlePasswordSubmit
+        }, undefined, false, undefined, this),
+        step === "pin" && /* @__PURE__ */ jsxDEV(PinMethod, {
+          vaultPath,
+          password,
+          onVerified: handlePinVerified,
+          onError: setError
+        }, undefined, false, undefined, this),
+        step === "totp" && /* @__PURE__ */ jsxDEV(TotpMethod, {
+          onSubmit: handleTotpSubmit,
+          onError: setError
+        }, undefined, false, undefined, this),
+        /* @__PURE__ */ jsxDEV("text", {
           fg: "#444444",
           children: "Enter to unlock | Ctrl+C to exit"
         }, undefined, false, undefined, this)
@@ -2322,7 +3055,7 @@ function EditScreen({ session, secret, onDone, onBack }) {
   }, undefined, true, undefined, this);
 }
 function App({ vaultPath }) {
-  const [screen, setScreen] = useState("password");
+  const [screen, setScreen] = useState("unlock");
   const [session, setSession] = useState(null);
   const [selectedSecret, setSelectedSecret] = useState(null);
   const { toast, show: showToast } = useToast();
@@ -2336,8 +3069,8 @@ function App({ vaultPath }) {
     goHome();
     showToast(msg, msg.startsWith("Error:") ? "error" : "success");
   }, [goHome, showToast]);
-  if (screen === "password") {
-    return /* @__PURE__ */ jsxDEV(PasswordScreen, {
+  if (screen === "unlock") {
+    return /* @__PURE__ */ jsxDEV(UnlockScreen, {
       vaultPath,
       onUnlock: (s) => {
         setSession(s);
@@ -2423,6 +3156,7 @@ async function runTui(vaultPath) {
 var EDIT_FIELDS;
 var init_tui = __esm(() => {
   init_src3();
+  init_os_secrets();
   EDIT_FIELDS = [
     { key: "name", label: "Name", forTypes: ["password", "note", "otp"] },
     { key: "value", label: "Value", forTypes: ["password", "note", "otp"] },
@@ -2434,11 +3168,30 @@ var init_tui = __esm(() => {
 
 // apps/cli/src/index.ts
 import { spawn } from "child_process";
-import { existsSync as existsSync4 } from "fs";
-import { createInterface } from "readline/promises";
-import { resolve as resolve3 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
+import { createInterface as createInterface2 } from "readline/promises";
+import { resolve as resolve4 } from "path";
 
 // apps/cli/src/password.ts
+import { createInterface } from "readline/promises";
+async function readLine(prompt) {
+  if (!process.stdin.isTTY) {
+    throw new Error("Cannot read input: stdin is not a TTY");
+  }
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    return await rl.question(prompt);
+  } finally {
+    rl.close();
+  }
+}
+async function confirm(question, defaultYes = true) {
+  const hint = defaultYes ? "Y/n" : "y/N";
+  const answer = (await readLine(`${question} (${hint}) `)).trim().toLowerCase();
+  if (answer === "")
+    return defaultYes;
+  return answer === "y" || answer === "yes";
+}
 async function readPasswordMasked(prompt = "Master password: ") {
   if (!process.stdin.isTTY) {
     throw new Error("Cannot read password: stdin is not a TTY");
@@ -2480,9 +3233,8 @@ async function readPasswordMasked(prompt = "Master password: ") {
         }
         return;
       }
-      if (code === 27) {
+      if (code === 27)
         return;
-      }
       if (code >= 32) {
         password += char;
         process.stdout.write("*");
@@ -2504,7 +3256,7 @@ init_src3();
 init_paths();
 init_paths();
 import { createHash, timingSafeEqual } from "crypto";
-import { existsSync as existsSync3, readFileSync as readFileSync3, rmSync } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync4, rmSync } from "fs";
 var DAEMON_TOKEN_SERVICE = "autho.daemon";
 function daemonTokenName(statePath) {
   return createHash("sha256").update(statePath).digest("hex");
@@ -2562,10 +3314,10 @@ async function deleteStoredDaemonToken(state) {
   } catch {}
 }
 function readDaemonState(statePath) {
-  if (!existsSync3(statePath)) {
+  if (!existsSync4(statePath)) {
     return null;
   }
-  const stored = JSON.parse(readFileSync3(statePath, "utf8"));
+  const stored = JSON.parse(readFileSync4(statePath, "utf8"));
   return {
     pid: stored.pid,
     port: stored.port,
@@ -2594,7 +3346,7 @@ async function writeDaemonState(statePath, state) {
 async function deleteDaemonState(statePath) {
   const state = readDaemonState(statePath);
   await deleteStoredDaemonToken(state);
-  if (existsSync3(statePath)) {
+  if (existsSync4(statePath)) {
     rmSync(statePath, { force: true });
   }
 }
@@ -2781,12 +3533,12 @@ async function startDaemonServer(options) {
 }
 async function waitForDaemonStateDeletion(statePath) {
   for (let attempt = 0;attempt < 20; attempt += 1) {
-    if (!existsSync3(statePath)) {
+    if (!existsSync4(statePath)) {
       return true;
     }
     await Bun.sleep(25);
   }
-  return !existsSync3(statePath);
+  return !existsSync4(statePath);
 }
 async function daemonRequest(state, path, body) {
   const token = await resolveDaemonToken(state);
@@ -2861,6 +3613,7 @@ async function daemonStop(options) {
 
 // apps/cli/src/index.ts
 init_src3();
+init_os_secrets();
 function parseArgs(argv) {
   const dashDashIndex = argv.indexOf("--");
   const main = dashDashIndex === -1 ? argv : argv.slice(0, dashDashIndex);
@@ -2937,7 +3690,7 @@ function output(value, jsonMode = false) {
   console.log(value);
 }
 function absolutePath(path) {
-  return resolve3(path);
+  return resolve4(path);
 }
 function buildSecretMetadata(args) {
   return Object.fromEntries(Object.entries({
@@ -2957,7 +3710,7 @@ async function readBufferedStdin() {
 }
 async function createPromptAdapter() {
   if (process.stdin.isTTY) {
-    const rl = createInterface({
+    const rl = createInterface2({
       input: process.stdin,
       output: process.stdout
     });
@@ -3049,6 +3802,128 @@ async function runPromptMode(vaultPath, initialPassword) {
     prompt.close();
   }
 }
+async function resolveUnlockCredentials(vaultPath, args, existingPassword) {
+  let password = existingPassword ?? getString(args, "password") ?? process.env.AUTHO_MASTER_PASSWORD;
+  if (!password) {
+    password = await loadVaultPassword(vaultPath) ?? undefined;
+  }
+  if (!password && process.stdin.isTTY) {
+    password = await readPasswordMasked("Master password: ");
+  }
+  const creds = { password: required(password, "--password") };
+  if (await hasPinSet(vaultPath)) {
+    const pin = process.env.AUTHO_PIN ?? getString(args, "pin") ?? (process.stdin.isTTY ? await readPasswordMasked("PIN: ") : undefined);
+    if (!pin)
+      throw new Error("PIN is set on this vault \u2014 provide it with AUTHO_PIN, --pin, or interactively");
+    const ok = await verifyPin(vaultPath, pin);
+    if (!ok)
+      throw new Error("Wrong PIN");
+  }
+  const authConfig = VaultService.getAuthConfig(vaultPath);
+  if (authConfig?.totp) {
+    const totp = process.env.AUTHO_TOTP_CODE ?? getString(args, "totp") ?? (process.stdin.isTTY ? await readPasswordMasked("Authenticator code: ") : undefined);
+    if (!totp)
+      throw new Error("TOTP is enabled \u2014 provide a 6-digit code with AUTHO_TOTP_CODE, --totp, or interactively");
+    creds.totp = totp;
+  }
+  return creds;
+}
+function osKeychainName() {
+  const p = process.platform;
+  if (p === "darwin")
+    return "macOS Keychain";
+  if (p === "win32")
+    return "Windows Credential Manager";
+  return "Secret Service (libsecret)";
+}
+async function runInitWizard(vaultPath, password, existingCreds) {
+  const creds = existingCreds ?? { password };
+  console.log("");
+  if (!osSecretsDisabled()) {
+    const passwordStored = await loadVaultPassword(vaultPath) !== null;
+    if (passwordStored) {
+      console.log(`\x1B[32m\u2713\x1B[0m Master password is saved in ${osKeychainName()}.`);
+      if (await confirm("  Remove it?", false)) {
+        const deleted = await deleteVaultPassword(vaultPath);
+        console.log(deleted ? "  Removed." : "  Could not remove.");
+      }
+    } else {
+      console.log(`\x1B[33m?\x1B[0m Save master password to ${osKeychainName()}?`);
+      console.log("  This lets all vault commands unlock without prompting on this machine.");
+      if (await confirm("  Save to keychain?")) {
+        const stored = await storeVaultPassword(vaultPath, password);
+        console.log(stored ? "  \x1B[32m\u2713\x1B[0m Saved." : "  Could not save \u2014 OS secret store may be unavailable.");
+      } else {
+        console.log("  Skipped.");
+      }
+    }
+    console.log("");
+  }
+  if (!osSecretsDisabled()) {
+    const pinSet = await hasPinSet(vaultPath);
+    if (pinSet) {
+      console.log("\x1B[32m\u2713\x1B[0m PIN is set on this machine.");
+      if (await confirm("  Remove PIN?", false)) {
+        const pin = await readPasswordMasked("  Enter current PIN: ");
+        const ok = await verifyPin(vaultPath, pin);
+        if (ok) {
+          await deletePin(vaultPath);
+          console.log("  Removed.");
+        } else {
+          console.log("  Wrong PIN, not removed.");
+        }
+      }
+    } else {
+      if (await confirm("Set up a PIN for quick unlock on this machine?", false)) {
+        const newPin = await readPasswordMasked("  New PIN: ");
+        if (!newPin) {
+          console.log("  PIN cannot be empty, skipped.");
+        } else {
+          const confirmPin = await readPasswordMasked("  Confirm PIN: ");
+          if (newPin !== confirmPin) {
+            console.log("  PINs do not match, skipped.");
+          } else {
+            await storePinHash(vaultPath, newPin);
+            console.log("  \x1B[32m\u2713\x1B[0m PIN set.");
+          }
+        }
+      }
+    }
+    console.log("");
+  }
+  const authConfig = VaultService.getAuthConfig(vaultPath);
+  const totpEnabled = authConfig?.totp !== undefined;
+  if (totpEnabled) {
+    console.log("\x1B[32m\u2713\x1B[0m TOTP is enabled (authenticator app required to unlock).");
+    if (await confirm("  Disable TOTP?", false)) {
+      const code = await readPasswordMasked("  Enter current TOTP code: ");
+      try {
+        VaultService.removeTotp(vaultPath, { ...creds, totp: code });
+        console.log("  Disabled.");
+      } catch (e) {
+        console.log(`  Error: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+  } else {
+    if (await confirm("Enable TOTP (authenticator app verification)?", false)) {
+      const { secret, uri } = VaultService.setupTotp(vaultPath);
+      console.log("");
+      console.log(`  Secret: ${secret}`);
+      console.log(`  URI:    ${uri}`);
+      console.log("");
+      console.log("  Add this to your authenticator app, then enter the 6-digit code.");
+      const code = await readPasswordMasked("  Code: ");
+      try {
+        VaultService.enableTotp(vaultPath, creds, secret, code);
+        console.log("  \x1B[32m\u2713\x1B[0m TOTP enabled.");
+      } catch (e) {
+        console.log(`  Error: ${e instanceof Error ? e.message : String(e)}`);
+      }
+    }
+  }
+  console.log("");
+  console.log("Setup complete. Run \x1B[1mautho init\x1B[0m anytime to change these settings.");
+}
 async function runWebServer(vaultPath, args) {
   const commandArgs = [
     "run",
@@ -3092,6 +3967,10 @@ function help() {
     "  prompt [--vault <path>]",
     "  init [--vault <path>]",
     "  status [--vault <path>] [--project-file <path>] [--json]",
+    "  config [show]                   Show current configuration",
+    "  config set <key> <value>        Set a config value",
+    "  config unset <key>              Remove a config value",
+    "  config path                     Print config file path",
     "  project init --map <ENV=ref> [--output <path>] [--force] [--json]",
     "  web serve [--vault <path>] [--host <value>] [--port <value>]",
     "  daemon serve [--vault <path>] [--state-file <path>] [--host <value>] [--port <value>]",
@@ -3118,20 +3997,40 @@ function help() {
     "  files encrypt --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
     "  files decrypt --input <path> [--output <path>] [--force] [--vault <path>] [--json]",
     "  audit list [--limit <number>] [--vault <path>] [--json]",
+    "  recovery generate --output <path> [--vault <path>] [--json]",
+    "  recovery revoke [--vault <path>] [--json]",
+    "  unlock --recovery-file <path> [--vault <path>] [--json]",
+    "  os-secrets set --name <name> [--value <value>] [--json]",
+    "  os-secrets get --name <name> [--json]",
+    "  os-secrets delete --name <name> [--json]",
     "",
     "Authentication:",
     "  When running interactively (TTY), you will be securely prompted for your",
     "  master password with masked input (no --password flag needed).",
     "",
     "  For automation and coding agents, use one of:",
-    "    AUTHO_MASTER_PASSWORD=<value>    Environment variable (recommended for agents)",
+    "    autho init                        Setup wizard \u2014 choose to save password in OS keychain, set PIN, enable TOTP",
+    "    AUTHO_MASTER_PASSWORD=<value>    Environment variable (master password)",
+    "    AUTHO_PIN=<value>                Environment variable (PIN, if set on this machine)",
+    "    AUTHO_TOTP_CODE=<value>          Environment variable (TOTP code, if enabled)",
     "    --password <value>               CLI flag (visible in shell history - avoid!)",
     "",
+    "  Native OS secret store support (via Bun.secrets):",
+    "    macOS   \u2192 Keychain Services",
+    "    Linux   \u2192 libsecret / GNOME Keyring / KWallet",
+    "    Windows \u2192 Windows Credential Manager",
+    "",
+    "  The OS secret store is checked automatically before prompting.",
+    "  Set AUTHO_DISABLE_OS_SECRETS=1 to opt out.",
+    "",
     "Notes:",
     "  Running `autho` with no arguments opens the interactive TUI.",
-    "  The default vault path is ~/.autho/vault.db (override with AUTHO_HOME).",
-    "  The default project file is ~/.autho/project.json.",
-    "  The default daemon state file is ~/.autho/daemon.json."
+    "  Config is stored in ~/.autho/config.json (always at ~/.autho).",
+    "  The vault directory can be customized via `autho init` or `autho config set vaultDir <path>`.",
+    "  Config keys: vaultDir, defaultLeaseTtl, editor, autoLock, autoLockTimeout",
+    "  The default vault path is ~/.autho/vault.db (override with config or AUTHO_HOME).",
+    "  The default project file is <vaultDir>/project.json.",
+    "  The default daemon state file is <vaultDir>/daemon.json."
   ].join(`
 `);
 }
@@ -3143,8 +4042,11 @@ async function main() {
   const statePath = absolutePath(getString(args, "state-file") ?? defaultDaemonStatePath());
   const explicitProjectFile = getString(args, "project-file");
   const fallbackProjectFile = defaultProjectFilePath();
-  const projectFile = explicitProjectFile ?? (existsSync4(fallbackProjectFile) ? fallbackProjectFile : undefined);
+  const projectFile = explicitProjectFile ?? (existsSync5(fallbackProjectFile) ? fallbackProjectFile : undefined);
   let password = getString(args, "password") ?? process.env.AUTHO_MASTER_PASSWORD;
+  if (!password) {
+    password = await loadVaultPassword(vaultPath) ?? undefined;
+  }
   if (!scope) {
     if (process.stdin.isTTY) {
       const { runTui: runTui2 } = await Promise.resolve().then(() => (init_tui(), exports_tui));
@@ -3164,7 +4066,6 @@ async function main() {
   }
   if (!password && process.stdin.isTTY) {
     const needsPassword = [
-      "init",
       "secrets",
       "otp",
       "lease",
@@ -3173,7 +4074,9 @@ async function main() {
       "file",
       "files",
       "audit",
-      "import"
+      "import",
+      "recovery",
+      "unlock"
     ].includes(scope);
     const daemonNeedsPassword = scope === "daemon" && action === "unlock";
     if (needsPassword || daemonNeedsPassword) {
@@ -3181,7 +4084,39 @@ async function main() {
     }
   }
   if (scope === "init") {
-    output(VaultService.initialize(vaultPath, required(password, "--password")), jsonMode);
+    let effectiveVaultPath = vaultPath;
+    if (!VaultService.status(vaultPath).initialized && process.stdin.isTTY && !jsonMode) {
+      const config = loadConfig();
+      const currentDir = config.vaultDir ?? authoConfigDir();
+      console.log(`
+\x1B[1mVault directory\x1B[0m`);
+      console.log(`  Default: ${currentDir}`);
+      console.log("  Tip: Use a cloud-synced folder (e.g. Google Drive) to share the vault across machines.");
+      const customDir = (await readLine(`  Path (Enter to keep default): `)).trim();
+      if (customDir && customDir !== currentDir) {
+        const resolved = resolve4(customDir).replace(/\\/g, "/");
+        saveConfig({ ...config, vaultDir: resolved });
+        effectiveVaultPath = resolved + "/vault.db";
+        console.log(`  \x1B[32m\u2713\x1B[0m Vault directory set to ${resolved}`);
+        console.log(`  Config saved to ${authoConfigDir()}/config.json`);
+      }
+      console.log("");
+    }
+    const existingStatus = VaultService.status(effectiveVaultPath);
+    if (!existingStatus.initialized) {
+      const pw = required(password, "--password");
+      output(VaultService.initialize(effectiveVaultPath, pw), jsonMode);
+      if (process.stdin.isTTY && !jsonMode) {
+        await runInitWizard(effectiveVaultPath, pw);
+      }
+    } else {
+      const creds2 = await resolveUnlockCredentials(effectiveVaultPath, args, password);
+      if (process.stdin.isTTY && !jsonMode) {
+        await runInitWizard(effectiveVaultPath, creds2.password, creds2);
+      } else {
+        console.log("Vault already initialized. Use interactive mode (TTY) to reconfigure.");
+      }
+    }
     return;
   }
   if (scope === "status") {
@@ -3191,6 +4126,72 @@ async function main() {
     }), jsonMode);
     return;
   }
+  if (scope === "config") {
+    const config = loadConfig();
+    if (!action || action === "show") {
+      if (jsonMode) {
+        output({ configDir: authoConfigDir(), config }, jsonMode);
+      } else {
+        console.log(`Config: ${authoConfigDir()}/config.json`);
+        console.log(`Vault dir: ${config.vaultDir ?? authoConfigDir()} ${config.vaultDir ? "(custom)" : "(default)"}`);
+        if (config.defaultLeaseTtl)
+          console.log(`Default lease TTL: ${config.defaultLeaseTtl}`);
+        if (config.editor)
+          console.log(`Editor: ${config.editor}`);
+        if (config.autoLock !== undefined)
+          console.log(`Auto-lock: ${config.autoLock}`);
+        if (config.autoLockTimeout)
+          console.log(`Auto-lock timeout: ${config.autoLockTimeout}`);
+      }
+      return;
+    }
+    if (action === "set") {
+      const key = subaction;
+      const value = process.argv[process.argv.indexOf("set") + 2];
+      if (!key || value === undefined) {
+        console.error("Usage: autho config set <key> <value>");
+        console.error("Keys: vaultDir, defaultLeaseTtl, editor, autoLock, autoLockTimeout");
+        process.exit(1);
+      }
+      const updated = { ...config };
+      if (key === "autoLock") {
+        updated.autoLock = value === "true";
+      } else if (key === "vaultDir") {
+        updated.vaultDir = value;
+      } else if (key === "defaultLeaseTtl") {
+        updated.defaultLeaseTtl = value;
+      } else if (key === "editor") {
+        updated.editor = value;
+      } else if (key === "autoLockTimeout") {
+        updated.autoLockTimeout = value;
+      } else {
+        console.error(`Unknown config key: ${key}`);
+        console.error("Keys: vaultDir, defaultLeaseTtl, editor, autoLock, autoLockTimeout");
+        process.exit(1);
+      }
+      saveConfig(updated);
+      console.log(`Set ${key} = ${value}`);
+      return;
+    }
+    if (action === "unset") {
+      const key = subaction;
+      if (!key) {
+        console.error("Usage: autho config unset <key>");
+        process.exit(1);
+      }
+      const updated = { ...config };
+      delete updated[key];
+      saveConfig(updated);
+      console.log(`Removed ${key}`);
+      return;
+    }
+    if (action === "path") {
+      console.log(authoConfigDir() + "/config.json");
+      return;
+    }
+    console.error(`Unknown config action: ${action}. Use: show, set, unset, path`);
+    process.exit(1);
+  }
   if (scope === "project" && action === "init") {
     output(writeProjectConfig({
       force: getBoolean(args, "force"),
@@ -3199,6 +4200,31 @@ async function main() {
     }), jsonMode);
     return;
   }
+  if (scope === "os-secrets" && action === "set") {
+    const name = required(getString(args, "name"), "--name");
+    const value = getString(args, "value") ?? await readPasswordMasked(`Value for "${name}": `);
+    const stored = await setOsSecret(name, value);
+    if (!stored) {
+      throw new Error("OS secret store is unavailable on this system (try AUTHO_DISABLE_OS_SECRETS=1 to confirm, or check that a secret service daemon is running on Linux)");
+    }
+    output({ name, stored: true }, jsonMode);
+    return;
+  }
+  if (scope === "os-secrets" && action === "get") {
+    const name = required(getString(args, "name"), "--name");
+    const value = await getOsSecret(name);
+    if (value === null) {
+      throw new Error(`Secret "${name}" not found in OS secret store`);
+    }
+    output({ name, value }, jsonMode);
+    return;
+  }
+  if (scope === "os-secrets" && action === "delete") {
+    const name = required(getString(args, "name"), "--name");
+    const deleted = await deleteOsSecret(name);
+    output({ deleted, name }, jsonMode);
+    return;
+  }
   if (scope === "web" && action === "serve") {
     await runWebServer(vaultPath, args);
     return;
@@ -3256,7 +4282,44 @@ async function main() {
     process.stderr.write(result.stderr);
     process.exit(result.exitCode);
   }
-  const session = VaultService.unlock(vaultPath, required(password, "--password"));
+  if (scope === "recovery" && action === "generate") {
+    const outputPath = absolutePath(required(getString(args, "output"), "--output"));
+    const creds2 = await resolveUnlockCredentials(vaultPath, args, password);
+    const { fileContent } = VaultService.generateRecovery(vaultPath, creds2);
+    writeFileSync2(outputPath, fileContent, { encoding: "utf8", mode: 384 });
+    if (!jsonMode) {
+      console.log(`Recovery file written to ${outputPath}`);
+      console.log("WARNING: Anyone with this file can open your vault. Store it offline.");
+    } else {
+      output({ outputPath, written: true }, jsonMode);
+    }
+    return;
+  }
+  if (scope === "recovery" && action === "revoke") {
+    const creds2 = await resolveUnlockCredentials(vaultPath, args, password);
+    VaultService.revokeRecovery(vaultPath, creds2);
+    output({ revoked: true }, jsonMode);
+    return;
+  }
+  if (scope === "unlock" && getString(args, "recovery-file")) {
+    const recoveryFilePath = absolutePath(getString(args, "recovery-file"));
+    const content = readFileSync5(recoveryFilePath, "utf8");
+    const lines = content.split(`
+`);
+    const tokenLineIdx = lines.findIndex((l) => l.trim() === "RECOVERY TOKEN:");
+    if (tokenLineIdx === -1)
+      throw new Error("Invalid recovery file format");
+    const rawTokenLine = lines.slice(tokenLineIdx + 1).find((l) => l.trim() !== "") ?? "";
+    const token = rawTokenLine.replace(/-/g, "").toLowerCase();
+    if (!token)
+      throw new Error("Invalid recovery file format: missing token");
+    const recoverySession = VaultService.unlock(vaultPath, { password: "", recovery: token });
+    output({ unlocked: true, vaultPath }, jsonMode);
+    recoverySession.close();
+    return;
+  }
+  const creds = await resolveUnlockCredentials(vaultPath, args, password);
+  const session = VaultService.unlock(vaultPath, creds);
   try {
     if (scope === "import" && action === "legacy") {
       output(session.importLegacyFile(absolutePath(required(getString(args, "file"), "--file")), {