feat: unlock agent for password-free vault access#6

Merged

danpasecinic merged 6 commits into main from feat/unlock-agent on Jan 25, 2026

Conversation


@danpasecinic danpasecinic commented Jan 25, 2026

Summary

  • Add Unix domain socket-based agent service for credential caching (like ssh-agent)
  • Add unlock command to start agent with derived key in memory
  • Add lock command to stop agent and securely clear key
  • Update vault_helpers to check agent first, skip password prompt if running

Security

  • Socket permissions set to 0o600 (owner-only)
  • Peer credential verification using getpeereid (macOS) / SO_PEERCRED (Linux)
  • Key securely zeroed on agent shutdown
  • Child process closes stdin/stdout/stderr when daemonizing

Usage

zault unlock              # Prompts password, starts background agent
zault unlock --foreground # Run in foreground (Ctrl+C to lock)
zault get github.com      # No password prompt if agent running
zault lock                # Stops agent, clears key from memory

Test plan

  • Run zault unlock and verify agent starts
  • Run zault list without password prompt
  • Run zault lock and verify agent stops
  • Verify subsequent commands require password again
  • Test --foreground mode with Ctrl+C

Add Unix domain socket-based agent service that holds the derived
encryption key in memory. This enables password-free access to the
vault after initial unlock, similar to ssh-agent.

- AgentServer: Listens on XDG_RUNTIME_DIR/zault/agent.sock
- AgentClient: Connects to running agent to retrieve key
- Protocol: GET_KEY, LOCK, STATUS commands
- Key is securely zeroed on agent shutdown
- unlock: Prompts for password, starts agent in background (or foreground with -f)
- lock: Stops agent and securely clears key from memory
- vault_helpers: Check agent first, skip password prompt if running
- Updated help text with new commands
@danpasecinic danpasecinic self-assigned this Jan 25, 2026
@danpasecinic danpasecinic added the enhancement New feature or request label Jan 25, 2026
- Peer credential verification returns false on unsupported platforms
- Added symlink and ownership check for socket directory path
- Verify socket ownership after bind to prevent race conditions
- Securely zero key buffer in client getKey() method
- Extract duplicated decryption logic into helper methods
- Add error logging for unexpected agent key failures
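As an added illustration (not the zault project's own code), the three defensive checks the description and follow-up commits call out, written in C: peer credential verification that fails closed on unsupported platforms, a symlink-and-ownership check on the socket directory, and zeroing of the key buffer. Function names and the directory path are assumptions.

```c
#define _GNU_SOURCE /* struct ucred / SO_PEERCRED on glibc */
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__APPLE__) || defined(__FreeBSD__)
#include <sys/ucred.h>
#endif

/* Returns 1 if the peer connected on `fd` runs as our own uid, else 0.
   Unsupported platforms return 0 (fail closed), as the follow-up commit states. */
int peer_is_self(int fd) {
    uid_t peer_uid;
#if defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0) return 0;
    peer_uid = cr.uid;
#elif defined(__APPLE__) || defined(__FreeBSD__)
    gid_t peer_gid;
    if (getpeereid(fd, &peer_uid, &peer_gid) != 0) return 0;
#else
    (void)fd;
    return 0;
#endif
    return peer_uid == getuid();
}

/* Returns 1 if `path` is a real directory (not a symlink) owned by us with no
   group/other permission bits. lstat() is used so a planted symlink is rejected
   rather than followed; S_ISDIR is false for a symlink under lstat(). */
int socket_dir_is_safe(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return 0;
    return 1;
}

/* Zero a key buffer through a volatile pointer so the compiler cannot elide it. */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}
```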
@danpasecinic danpasecinic merged commit dbf5b5d into main Jan 25, 2026
4 checks passed
@danpasecinic danpasecinic deleted the feat/unlock-agent branch January 25, 2026 11:08