Module admin 

Admin-locked, password-protected, encrypted settings (the crypto core).

A sysadmin provisions a machine with an admin password and a set of locked settings (recording on/off, autostart, “password required to stop”, …). The settings are sealed at rest so a non-privileged user — or an AI agent running as that user — can neither read nor forge them, and privileged operations (stop, change-password, disable-recording) require proving knowledge of the password.

This module is the crypto + storage core only; the daemon-side auth handshake and the “password to stop” enforcement live separately (they consume these primitives). Design decisions follow the security review:

• Domain separation: the password verifier and the sealing key are independent argon2id derivations (different random salts), so the stored verifier is never the encryption key.
• Pinned, versioned KDF: argon2id parameters are stored with the vault and carry a version, so they can be raised later without breaking old files.
• AEAD discipline: XChaCha20-Poly1305 with a random 192-bit nonce per seal (XChaCha’s large nonce makes random nonces safe), and the AAD binds the version + salt + a context label so a blob can’t be repurposed.
• Recovery: a one-time random recovery key wraps the sealing key in its own AEAD slot, so a lost password is recoverable without any Kintsugi-held escrow (nothing leaves the machine). Possession of the recovery key is a second root credential — documented, not hidden.
• Zeroization: derived key material is wiped from memory after use.

Honest scope: this protects against a non-root user / agent and a disk thief (argon2id at rest). It does not stop a root user — see the threat model in the design doc. The caller must keep the failure mode fail-closed-on-lock: if the vault can’t be read, refuse privileged ops; never silently unlock.

Structs

KdfParams

Pinned, versioned argon2id parameters, stored with the vault for re-derivation.

LockedSettings

The settings an admin can lock. Every field is a tightening control: it can only add caution (the catastrophic rule floor is enforced elsewhere and can never be unlocked by a setting — see policy::adjust_for_policy).

Provisioned

Result of provisioning: the vault to persist + the one-time recovery key to show the admin once (never stored in plaintext anywhere).

SealedVault

The sealed-at-rest vault. Serialized (hex-encoded byte fields) to a root-owned 0600 file on headless hosts, or wrapped by an OS keychain on desktops.

Enums

AdminError

Enforcement

VaultState

The provisioning state of a machine, derived from the on-disk vault.

Functions

compute_proof

Client side: derive the verifier from password + salt_hex (the daemon’s challenge) and compute the proof for op under nonce. The password is used only locally; only the resulting proof is sent.

default_vault_path

The default on-disk location of the sealed admin vault. Overridable with KINTSUGI_VAULT (tests, or a root-owned /etc/kintsugi/ path in the locked system posture). Shared by the CLI and the TUI so both read the same vault.

load_vault

Load the vault state from path. Distinguishes “absent” (genuinely unprovisioned) from “present but unreadable” (Degraded → stay locked).

provision

Provision a fresh vault from an admin password + initial settings.

random_auth_nonce

A fresh random challenge nonce (24 bytes, matching the AEAD nonce width).

save_vault

Persist the vault to path atomically (temp file + rename), 0600 on Unix so a non-privileged user can’t read or replace it. The caller chooses a path the audited user can’t write (e.g. root-owned /etc/kintsugi/ in the locked system posture).