feat(vault): M5 slice 2 — TUI reveal + agent-side clipboard copy #1
Merged
Wire the TUI's detail pane to show and copy secrets, gated on a new
agent-side copy path so the plaintext never crosses the socket and the
auto-clear survives the TUI quitting.
Protocol (vault-ipc): Request::Get gains `id: Option<String>`; new
Request::Copy { id, name, field, clear_after_secs } returns Response::Ok.
Agent: get_item targets an exact cipher id when given (name is the
fallback/label), closing the duplicate-name footgun where copy/reveal
could hit the wrong item. New default-on `clipboard` feature holds an
arboard handle; the Copy arm decrypts the field, places it on the agent's
own clipboard, and schedules a 30s auto-clear that wipes only if the
clipboard still holds what we wrote (or can't be read — fail-safe).
--no-default-features drops the X11/Wayland tree and declines Copy cleanly.
CLI: cmd_get passes `id: None` (behavior unchanged).
TUI: Space reveals the selected login's password (id-targeted Get,
re-masked on any navigation, held in a zeroizing/Debug-redacted
RevealedSecret); c/u/o copy password/username/URI via Copy with a
status-bar toast. Copy/reveal act only when the item list is focused.
Tests: id-targeting-among-duplicates regression, should_clear_clipboard
and clipboard_set-when-None units, a dispatch-level Copy-while-locked
test, and TUI reveal/re-mask/toast/Debug-redaction units plus TestBackend
smokes for masked/revealed/toast states.
Supply-chain: arboard pulls error-code (BSL-1.0, via Windows-only
clipboard-win) — added to deny.toml's allow-list (FSF GPL-compatible).
No new advisories.
Known limitation (tracked): on Quit/stop-agent a pending clear task dies
with the runtime, so a just-copied secret can linger until overwritten.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary
Wires the `vault-tui` detail pane to reveal and copy secrets, gated on a new agent-side copy path so plaintext never crosses the socket and the auto-clear survives the TUI quitting. Also closes a duplicate-name targeting footgun.

Protocol (`vault-ipc`)
`Request::Get` gains `id: Option<String>` (serde-defaulted, forward-compatible).
`Request::Copy { id, name, field, clear_after_secs }` → `Response::Ok`. The plaintext stays in the agent.

Agent (`vault-agent`)
`get_item` targets an exact cipher `id` when given (name becomes the fallback/label), so reveal/copy always hit the selected row even when names collide.
`clipboard` feature holds an `arboard` handle. The `Copy` arm decrypts the field, places it on the agent's own clipboard, and schedules a 30s auto-clear that wipes only if the clipboard still holds what we wrote (or can't be read — fail-safe).
`--no-default-features` drops the X11/Wayland tree and declines `Copy` cleanly.

CLI (`vault-cli`)
`cmd_get` passes `id: None` — behavior unchanged.

TUI (`vault-tui`)
`Space` reveals the selected login's password (id-targeted `Get`, re-masked on any navigation, held in a zeroizing/Debug-redacted `RevealedSecret`).
`c`/`u`/`o` copy password / username / URI via `Copy`, with a status-bar toast.

Tests
id-targeting-among-duplicates regression, `should_clear_clipboard` + `clipboard_set`-when-`None` units, a dispatch-level Copy-while-locked test, and TUI reveal/re-mask/toast/Debug-redaction units plus `TestBackend` smokes for masked/revealed/toast states.

Supply-chain
`arboard` pulls `error-code` (BSL-1.0, via Windows-only `clipboard-win`) — added to `deny.toml`'s allow-list (FSF GPL-compatible). No new advisories.

Known limitation (tracked)
On `Quit`/`stop-agent` a pending clear task dies with the runtime, so a just-copied secret can linger until overwritten. A clear-on-shutdown sweep is a tracked follow-up.

🤖 Generated with Claude Code
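The auto-clear rule described above (wipe only if the clipboard still holds what was written, and wipe when it cannot be read), as an added example that is not code from this PR. The `Clipboard` trait, `FakeClipboard`, `ClearOutcome`, `should_clear` and `clear_if_ours` are hypothetical names, and an in-memory stand-in replaces the real `arboard` handle.

```rust
// Added example: hypothetical names, in-memory stand-in instead of arboard.

/// Minimal clipboard interface assumed for this sketch.
pub trait Clipboard {
    fn get_text(&mut self) -> Result<String, String>;
    fn set_text(&mut self, text: &str) -> Result<(), String>;
}

/// Constructed test double. `None` simulates a clipboard that cannot be
/// read as text (backend error, or the user copied an image).
pub struct FakeClipboard {
    pub contents: Option<String>,
}

impl Clipboard for FakeClipboard {
    fn get_text(&mut self) -> Result<String, String> {
        self.contents.clone().ok_or_else(|| "unreadable".to_string())
    }
    fn set_text(&mut self, text: &str) -> Result<(), String> {
        self.contents = Some(text.to_string());
        Ok(())
    }
}

#[derive(Debug, PartialEq)]
pub enum ClearOutcome {
    Cleared,   // still held our secret, or could not be verified
    LeftAlone, // user copied something else in the meantime
}

/// Decision only: clear when the clipboard still holds what we wrote.
/// An unreadable clipboard is also cleared: losing unrelated clipboard
/// data is preferred over leaving a secret behind.
pub fn should_clear(written: &str, current: &Result<String, String>) -> bool {
    match current {
        Ok(now) => now == written,
        Err(_) => true,
    }
}

/// Body of the timer callback: re-read, decide, then overwrite.
pub fn clear_if_ours(clip: &mut dyn Clipboard, written: &str) -> Result<ClearOutcome, String> {
    let current = clip.get_text();
    if !should_clear(written, &current) {
        return Ok(ClearOutcome::LeftAlone);
    }
    clip.set_text("")?; // a failed wipe is surfaced, not swallowed
    Ok(ClearOutcome::Cleared)
}
```

A shutdown path that called the same routine before the runtime exits would address the lingering-secret case listed under the known limitation, provided the agent still holds the written value at that point.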