Releases: ofoxai/hal-vault
Releases · ofoxai/hal-vault
Release list
v0.0.3
- Homebrew is now the recommended install:
brew install ofoxai/tap/hal-vault. - The CLI found its voice. Messages are calmer, clearer, and occasionally quote a certain shipboard computer.
- A much leaner README.
Binaries are built by CI with build provenance attestations: verify with gh attestation verify <archive> --repo ofoxai/hal-vault.
v0.0.2
initnow defaults to a dedicated~/.ssh/hal-vault_ed25519key pair, generated on first use, instead of borrowing~/.ssh/id_ed25519/id_rsa. Rotating your day-to-day SSH keys can no longer lock the vault. Bring an existing key with-r/-i; pick the database directory with-d(unchanged).- New library function
vault.GenerateSSHKeyPair. - Companion agent skill released: ofoxai/hal-vault-skill (
npx skills add ofoxai/hal-vault-skill) — teaches agents the safety contract and workflows, and recommends per-project vaults (.hal-vault/, gitignored, key kept in~/.ssh).
Binaries are built by CI with build provenance attestations: verify with gh attestation verify <archive> --repo ofoxai/hal-vault.
v0.0.1
Initial release.
- Single-file vault: the whole database is one age-encrypted blob (
secrets.db) with an automatic previous-generation backup (secrets.db.bak) and atomic, durable saves (fsync + single rename; a complete database exists at every instant). - Concurrency-safe writes: mutating commands serialize through an exclusive advisory file lock, so concurrent hal-vault processes cannot lose each other's writes.
- SSH-key encryption via
filippo.io/age/agessh: encrypt tossh-ed25519orssh-rsapublic keys, decrypt with the matching OpenSSH private key, with terminal passphrase prompting for protected keys. - Entry model with id, label, value, type (
api_key,password,token,ssh_key,cert,identity,other), tags, note, and timestamps. - Agent-safe masking: all output is masked by default, revealing at most 8 characters of any secret; raw values reach stdout only via
get --reveal. - CLI commands:
init,add,get,list,search,update,rm,version,help— with--jsonoutput for machine parsing and-d/HAL_VAULT_DIRvault-directory overrides. - Secrets are never accepted on argv: values are read from stdin or a hidden double prompt on the terminal.
- Search with case-insensitive substring query plus exact
--tagand--typefilters. - Public Go library (
github.com/ofoxai/hal-vault/vault) that never prints and whose errors never contain secret values.
Binaries below are built by CI with build provenance attestations: verify with gh attestation verify <archive> --repo ofoxai/hal-vault.