
feat: add auto-lock support for vault agent #7

Merged: danpasecinic merged 4 commits into main from feat/enable-auto-locking-support on Jan 25, 2026
@danpasecinic danpasecinic commented Jan 25, 2026

Summary

  • Add automatic vault locking after configurable inactivity period
  • Default timeout: 30 minutes (configurable via [security] auto_lock_minutes)
  • Set to 0 to disable auto-lock
  • Activity resets on any vault operation (get, list, totp, etc.)

Changes

  1. agent.zig: Core auto-lock logic with poll-based timeout checking
  2. unlock.zig: Wire config to agent, add status message and help docs

Test plan

  • Run zig build test - all tests pass
  • zault unlock shows auto-lock status message
  • zault unlock --help documents auto-lock behavior
  • Verify vault auto-locks after configured timeout (manual test)
  • Verify auto_lock_minutes = 0 disables auto-lock

Add automatic locking capability to AgentServer based on inactivity:

- Accept auto_lock_minutes parameter in init()
- Track last_activity timestamp, reset on each client interaction
- Use poll() with 10s timeout instead of blocking accept
- Auto-lock when inactivity exceeds configured timeout
- Set auto_lock_minutes=0 to disable (auto_lock_ns becomes null)

Includes tests for timeout calculation and disabled state.

Wire up auto-lock configuration to the agent:

- Pass config.auto_lock_minutes to AgentServer.init()
- Display auto-lock status message on successful unlock
- Update help text documenting auto-lock behavior and config

Security fixes:
- Zero derived_key immediately when auto-lock triggers
- Zero derived_key on repeated poll errors (>10 consecutive)

Robustness improvements:
- Handle clock skew by resetting activity on negative elapsed time
- Track consecutive poll errors, exit if threshold exceeded
- Only reset activity timer on active commands (GET_KEY), not STATUS

Code quality:
- Add comment explaining poll timeout tradeoff
- handleClient now returns bool indicating active vs passive command
- Add test for max timeout value (24 hours)

Cap auto_lock_minutes at 1440 (24 hours) to prevent unreasonable
configuration values. Values above 24 hours are silently clamped.

Includes tests for validation behavior.

danpasecinic force-pushed the feat/enable-auto-locking-support branch from 265b486 to 4b08dd0 on January 25, 2026 14:26
danpasecinic self-assigned this on Jan 25, 2026
danpasecinic added the enhancement label on Jan 25, 2026
danpasecinic merged commit 14ca428 into main on Jan 25, 2026
4 checks passed
danpasecinic deleted the feat/enable-auto-locking-support branch on January 25, 2026 14:30
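
A minimal model of the inactivity logic the commit messages above describe (24-hour clamp, activity reset only on active commands, clock-skew handling, key wipe on lock), written in C as an added example; it is not code from this repository, which is Zig. The names `agent_t`, `agent_unlock`, `agent_on_command`, `agent_tick` and `wipe` are assumptions, and timestamps are passed in by the caller so the logic can be exercised with constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_AUTO_LOCK_MINUTES 1440u          /* 24 hours, the cap from the PR */
#define NS_PER_MINUTE (60LL * 1000000000LL)

typedef struct {                             /* hypothetical agent state */
    uint8_t derived_key[32];
    bool    unlocked;
    int64_t last_activity_ns;
    int64_t auto_lock_ns;                    /* 0 = auto-lock disabled */
} agent_t;

/* Volatile writes so the compiler cannot drop the wipe as a dead store. */
static void wipe(volatile uint8_t *p, size_t n) {
    while (n--) *p++ = 0;
}

/* Values above 24 hours are clamped; 0 disables auto-lock. */
int64_t auto_lock_ns_from_minutes(uint32_t minutes) {
    if (minutes > MAX_AUTO_LOCK_MINUTES) minutes = MAX_AUTO_LOCK_MINUTES;
    return (int64_t)minutes * NS_PER_MINUTE;
}

void agent_unlock(agent_t *a, const uint8_t key[32], uint32_t minutes, int64_t now_ns) {
    for (size_t i = 0; i < 32; i++) a->derived_key[i] = key[i];
    a->unlocked = true;
    a->last_activity_ns = now_ns;
    a->auto_lock_ns = auto_lock_ns_from_minutes(minutes);
}

/* Only active commands (key retrieval) reset the timer; status queries do not. */
void agent_on_command(agent_t *a, bool active, int64_t now_ns) {
    if (active && a->unlocked) a->last_activity_ns = now_ns;
}

/* Call after each poll() wake-up. Returns true if this call locked the agent. */
bool agent_tick(agent_t *a, int64_t now_ns) {
    if (!a->unlocked || a->auto_lock_ns == 0) return false;
    int64_t elapsed = now_ns - a->last_activity_ns;
    if (elapsed < 0) {                       /* clock went backwards: restart the window */
        a->last_activity_ns = now_ns;
        return false;
    }
    if (elapsed <= a->auto_lock_ns) return false;
    wipe(a->derived_key, sizeof a->derived_key);
    a->unlocked = false;
    return true;
}
```

Because the check only runs when the loop wakes, the key can stay in memory past the configured timeout by up to one poll interval (10 s in this PR).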