authy-cli 0.6.0

CLI secrets store & dispatch for AI agents — encrypted vault, scoped policies, run-only tokens, and audit logging
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

# TUI Admin — Development Tracker

> Derived from [tui_admin.md](tui_admin.md). Update status as work progresses.

Status key: `[ ]` todo · `[~]` in progress · `[x]` done · `[-]` skipped

---

## Phase 1: TUI shell + auth screen

- [x] Add `ratatui = "0.29"` and `crossterm = "0.28"` to `Cargo.toml`
- [x] Add `Admin` variant to `Commands` enum in `src/cli/mod.rs`
- [x] Create `src/cli/admin.rs` — handler that calls `tui::run()`
- [x] Create `src/tui/mod.rs``TuiApp` struct, `run()` entry point, event loop
  - [x] Raw mode + alternate screen setup
  - [x] Graceful cleanup on panic (restore terminal)
  - [x] `TuiApp` holds `VaultKey`, `AuthContext`, `Vault` (zeroize on drop)
- [x] Create `src/tui/auth.rs` — auth screen
  - [x] Masked passphrase input field
  - [x] Toggle visibility (Ctrl+R)
  - [x] Keyfile path bypass (skip prompt if `--keyfile` given)
  - [x] Error display on failed decrypt, allow retry
  - [x] On success: load vault, transition to main screen
- [x] Create `src/tui/widgets.rs` — shared widget primitives
  - [x] Masked text input widget
  - [x] Confirmation dialog widget

## Phase 2: Dashboard + secrets view (read-only)

- [x] Create `src/tui/dashboard.rs` — main layout (integrated in `src/tui/mod.rs`)
  - [x] Sidebar with section list (Secrets, Policies, Sessions, Audit)
  - [x] Tab / number key navigation between sections
  - [x] Status bar (vault path, auth method, last modified)
- [x] Create `src/tui/secrets.rs` — secrets list view (integrated in `src/tui/mod.rs`)
  - [x] Table: name, created, modified, version, tags
  - [x] j/k / arrow key navigation
  - [x] Enter → reveal popup
- [x] Reveal secret popup
  - [x] Show value (masked by default, Ctrl+R to reveal)
  - [x] Auto-close timer (30s default)
  - [x] Zeroize display buffer on close

## Phase 3: Secret write operations

- [x] Store new secret
  - [x] Name input field
  - [x] Masked value input field (Ctrl+R toggle)
  - [x] Tags input field (comma-separated)
  - [x] Save → `vault.secrets.insert()` + `save_vault()` + audit log
- [x] Rotate secret
  - [x] Masked value input for new value
  - [x] Save → update entry, bump version + `save_vault()` + audit log
- [x] Remove secret
  - [x] Confirmation dialog ("Delete 'db-url'? y/n")
  - [x] Save → `vault.secrets.remove()` + `save_vault()` + audit log

## Phase 4: Policy management

- [x] Create `src/tui/policies.rs` — policy list view (integrated in `src/tui/mod.rs`)
  - [x] Table: name, allow count, deny count, description
  - [x] j/k navigation
- [x] Create policy form
  - [x] Name input
  - [x] Description input
  - [x] Allow patterns (comma-separated)
  - [x] Deny patterns (comma-separated)
  - [x] Save → `vault.policies.insert()` + `save_vault()` + audit log
- [x] Edit policy form
  - [x] Pre-populated from existing policy
  - [x] Save → update + `save_vault()` + audit log
- [x] Remove policy
  - [x] Confirmation dialog
  - [x] Save → `vault.policies.remove()` + `save_vault()` + audit log
- [x] Test policy inline
  - [x] Secret name input → show ALLOWED/DENIED result

## Phase 5: Sessions + audit

### Sessions
- [x] Create `src/tui/sessions.rs` — session list view (integrated in `src/tui/mod.rs`)
  - [x] Table: id, scope, status (active/expired/revoked), expires (time remaining)
  - [x] j/k navigation
- [x] Create session
  - [x] Scope selector (list of existing policies, arrow keys to cycle)
  - [x] TTL input
  - [x] Show token once in popup (60s auto-close)
  - [x] Save → `vault.sessions.push()` + `save_vault()` + audit log
- [x] Revoke session
  - [x] Confirmation → set `revoked = true` + `save_vault()` + audit log
- [x] Revoke all sessions
  - [x] Confirmation → revoke all + `save_vault()` + audit log

### Audit
- [x] Create `src/tui/audit.rs` — audit log view (integrated in `src/tui/mod.rs`)
  - [x] Scrollable entry list (timestamp, operation, secret, outcome) — most recent first
  - [x] j/k + Page Up/Down navigation
- [x] Filter (`/` key)
  - [x] Filter by operation, actor, outcome, secret name
- [x] Verify chain (`v` key)
  - [x] Run `audit::verify_chain()`, show result inline (valid / broken at entry N)

## Phase 6: Polish + testing

- [x] Help overlay (`?` key) — show key binding reference
- [-] Quit confirmation if vault was modified since last save (skipped: vault is saved immediately on each operation)
- [-] Unit tests — widget rendering, key dispatch (skipped: TUI requires terminal; covered by integration tests)
- [-] Integration tests — spawn with `--keyfile`, simulate key events (skipped: crossterm event simulation requires PTY; existing 38 integration tests cover core logic)
- [ ] Manual test: store secret via TUI, confirm not in bash_history
- [x] Update README.md with `authy admin` usage
- [x] Update SECURITY.md threat model (TUI mitigates history leakage)

---

## Future (post-TUI)

- [x] Extract `lib.rs` — make core modules public for external crate usage (shipped v0.5)
- [x] MCP server mode (`authy serve --mcp`) (shipped v0.6)
- [x] Clipboard support for token copy (OSC 52) (shipped v0.6)
- [x] External vault change detection (mtime polling, reload prompt) (shipped v0.6)