svault-ai 0.8.0

AI-aware secret access layer — enforces structured requests and detects suspicious patterns
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

# Roadmap

For the detailed build plan (stack, per-step checklists, design notes), see [PLAN.md](../PLAN.md).

Svault is built CLI-first. The major versions are deliberately sequenced so the
command-line tool is fully hardened and stable **before** any GUI or AI-platform
surface is added:

| Milestone | Status | What |
|---|---|---|
| **0.1 – 0.6** | Shipped | CLI core — encrypted vault (AES-256-GCM + Argon2id), Ratatui TUI, policy engine (`svault get`), Unix daemon, recovery + export/import, and the 0.6.0 security-hardening pass |
| **0.7.0** | Shipped | Security-hardening pass — `cargo audit` CI gate, client-side key derivation, daemon peer-UID bond, owner-only files/dirs, entropy floor, zeroized secrets, SLSA provenance |
| **0.8.0** | In progress | Security-review-response release — acts on the three independent 0.7.0 reviews (owner-only TUI export, daemon transport zeroization, `sigaction`, etc.); **policy enforcement deferred to 0.9.0** |
| **0.9.0** | Planned | **Policy as an enforced control** (the last substantive gap) — daemon-side policy + audit, caller authentication, signed/pinned policy file |
| **→ 1.0.0** | Planned | Install channels + final review, then the first **stable, audited** release |
| **1.0.0** | Planned | First **stable release**: a hardened, audited command-line tool |
| **2.0.0** | Planned | Desktop **GUI** (Tauri) for vault management + system tray |
| **3.0.0** | Planned | **Claude / AI-platform access** — MCP server + Pre/PostToolUse hooks (Claude Code, Cursor, Copilot, VS Code, Aider) |
| **Cloud** (opt-in) | Planned | Anomaly scoring via Claude Haiku — free tier + premium plans |

> Why this order: a secret manager has to be trustworthy as a CLI first. A GUI
> and AI-platform integrations widen the attack surface, so they come only after
> the core is hardened and the security-review process has had a full release
> cycle behind it.

## 0.7.0 → 1.0.0 — Hardening & stable CLI

The focus until 1.0.0 is the security-review backlog, not new surfaces.

**Done in 0.7.0** (see [0.7.0 findings](security-review/findings/0.7.0.md)): the
`cargo audit` CI gate + `ratatui` 0.30 (#9/#10), client-side key derivation so the
passphrase never crosses the socket (#3), the daemon peer-UID bond (#1), owner-only
files/dirs + atomic socket (#14/#16), graceful shutdown (#17), zeroized secrets
(#6), release checksums + SLSA provenance (#11), and the passphrase entropy floor
(#12).

**Done in 0.8.0** (review-response): owner-only TUI export (N-3) and import dir
(N-4), `0600` rotated `daemon.log` (N-10), daemon transport zeroization (N-6), and
`sigaction` shutdown signals (N-9).

**Remaining before 1.0.0:**
- **Policy as an enforced control (the gate)** — evaluate policy + write audit inside the daemon so the socket is the choke point (#2, N-5), authenticate the caller (N-1), sign/pin `svault.policy.yaml` and anchor its discovery (#5), fail closed on an unparseable policy (N-2), and verify `meta.yaml` on the fallback path (#22). All three 0.7.0 reviews flagged this as the blocker for a "stable / enforced" label. Scheduled for 0.9.0.
- **Accepted/backlog, not blockers** — Windows atomic owner-only DACL (N-7), tamper-evident audit sink (#15/N-8), tunable Argon2id (N-12).
- **Distribution**`install.sh`, Homebrew tap, cargo-binstall, Docker (see below).

## Step 3 — Daemon + recovery

**Done — recovery:**
- Recovery code generated at create; `svault recover` resets a lost passphrase (see [Recovery](recovery.md)).
- `svault export` / `svault import` — portable, checksummed encrypted bundles to move a vault between machines.

**Done — daemon (Unix):**
- Real daemon — unlock once, keys held in memory, served over a local `0600` Unix socket (no `.session` file while up); Windows keeps the file-session fallback. See [Daemon](daemon.md).
- `svault daemon start | stop | status | doctor | run`; `doctor` reports liveness, socket permissions, and stale-file cleanup.
- Idle timeout (default 15 min) + hard max lock (default 8h), configurable in `.svault/config.yaml`; keys zeroized on lock, auto-lock, and shutdown.

**Deferred** to a later step: extra auth methods — YubiKey (HMAC-SHA1), Google Authenticator (TOTP), Touch ID / Face ID (macOS Keychain), and the multi-method `svault unlock --yubikey/--otp/--biometric` selection.

## 2.0.0 — GUI client (Tauri)

- Vault dashboard, lock/unlock panel, auto-lock controls, session monitor.
- Secret management (names only, never values), policy viewer, audit log viewer.
- System tray icon + notifications; lightweight single binary, works offline.

## 3.0.0 — Claude / AI-platform access (MCP)

- `svault mcp` — MCP server exposing `svault_get_secret(name, scope, reason)`.
- `svault install` — auto-detect platform, write MCP config.
- Claude Code: MCP server + PreToolUse hook (blocks direct `.env` reads) + PostToolUse hook (scans output for leaked credentials).
- Cursor, Codex, Copilot, Aider, VS Code: MCP server.

## Distribution

All channels reuse the prebuilt binaries the release workflow already builds for four targets (macOS arm64/x64, Linux x64, Windows x64), so most are low-effort once wired.

**Done:**
- **crates.io**`cargo install svault-ai` (builds from source).

**Next (one pass — Mac/Linux/Rust users + agents):**
- **Install script**`curl -fsSL https://svault.soluzy.app/install.sh | sh`: detect OS/arch, download the matching release binary, drop it on PATH. The link the README and website lead with.
- **Homebrew tap**`brew install soluzy/tap/svault` from a `Soluzy/homebrew-tap` repo (own tap, not homebrew-core); CI bumps the formula on each `v*` tag.
- **cargo-binstall**`[package.metadata.binstall]` in `Cargo.toml` so `cargo binstall svault-ai` pulls a prebuilt binary instead of compiling.
- **Docker image**`ghcr.io/soluzy/svault`, pushed on each tag; matters for the AI-agent / CI use case (agents run in containers).

**Later (niche audiences, more upkeep):**
- **Scoop** (Windows, own bucket) and **WinGet** (PR per release).
- **AUR** (`PKGBUILD`) for Arch.
- **Nix** — flake / nixpkgs.

**Skip for now:**
- **homebrew-core** and other official repos — the notability/age bar rejects young projects; use the own tap until there's traction.
- **npm wrapper** — only if JS-ecosystem agents (`npx`) show real demand.

The website (`svault.soluzy.app`) becomes the hub: hosts `install.sh` and a tabbed Install block (brew / curl / cargo / docker).

## Cloud tier (optional)

- The per-vault **usage log** (human + agent activity, no secret values) is the local data foundation this builds on.
- `svault.soluzy.net/api/score` — Claude Haiku scores justification for anomaly detection.
- Personal plan — scored requests/month; Team plan — shared audit dashboard + Slack alerts.

## Not planned (yet)

- External backends (Vaultwarden, Infisical, AWS SM).
- Secret rotation.
- Linux biometric support (needs libpam + libfprint).