Add config validation, remove command, status filtering, and unlock method display

config check: validates UUID format, recognized methods, keyfile
consistency and existence. Reports all issues with alias context.

remove: deletes a device from config by alias. Inverse of add.

status: --mounted, --unlocked, --locked flags filter the device table.
Flags combine as OR.

mount/unlock: display which method succeeded and key slot used, e.g.
"(fido2, key slot 1)". cryptsetup Open now runs with -v and parses
"Key slot N unlocked" from stderr via io.MultiWriter.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/config/validate.go

@@ -0,0 +1,60 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+)
+
+var (
+	ValidMethods = []string{"passphrase", "keyfile", "fido2", "tpm2"}
+	uuidPattern  = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
+)
+
+// Validate checks the config for common issues. Returns a list of errors.
+func Validate(cfg *Config) []error {
+	var errs []error
+
+	for alias, dev := range cfg.Devices {
+		if dev.UUID == "" {
+			errs = append(errs, fmt.Errorf("%s: missing uuid", alias))
+		} else if !uuidPattern.MatchString(dev.UUID) {
+			errs = append(errs, fmt.Errorf("%s: malformed uuid %q", alias, dev.UUID))
+		}
+
+		for _, m := range dev.Methods {
+			if !isValidMethod(m) {
+				errs = append(errs, fmt.Errorf("%s: unknown method %q (valid: %v)", alias, m, ValidMethods))
+			}
+		}
+
+		hasKeyfileMethod := false
+		for _, m := range dev.Methods {
+			if m == "keyfile" {
+				hasKeyfileMethod = true
+				break
+			}
+		}
+
+		if hasKeyfileMethod && dev.Keyfile == "" {
+			errs = append(errs, fmt.Errorf("%s: method 'keyfile' listed but no keyfile path set", alias))
+		}
+
+		if dev.Keyfile != "" {
+			if _, err := os.Stat(dev.Keyfile); err != nil {
+				errs = append(errs, fmt.Errorf("%s: keyfile %q not found (may be on removable media)", alias, dev.Keyfile))
+			}
+		}
+	}
+
+	return errs
+}
+
+func isValidMethod(m string) bool {
+	for _, v := range ValidMethods {
+		if m == v {
+			return true
+		}
+	}
+	return false
+}

internal/cryptsetup/cryptsetup.go

@@ -1,31 +1,49 @@
 package cryptsetup
 
 import (
+	"bytes"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"git.wntrmute.dev/kyle/arca/internal/verbose"
 )
 
+// OpenResult holds information about a successful cryptsetup open.
+type OpenResult struct {
+	KeySlot string // e.g., "1", or "" if not parsed
+}
+
+var keySlotPattern = regexp.MustCompile(`Key slot (\d+) unlocked`)
+
 // Open opens a LUKS device using cryptsetup with token-based unlock.
-func Open(devicePath, mapperName string) error {
-	args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only"})
+// Returns info about which key slot was used.
+func Open(devicePath, mapperName string) (OpenResult, error) {
+	args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only", "-v"})
 	args = withPrivilege(args)
 
 	verbose.Printf("exec: %s", strings.Join(args, " "))
 
+	var buf bytes.Buffer
 	cmd := exec.Command(args[0], args[1:]...)
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
+	cmd.Stderr = io.MultiWriter(os.Stderr, &buf)
 
 	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("cryptsetup open --token-only: %w", err)
+		return OpenResult{}, fmt.Errorf("cryptsetup open --token-only: %w", err)
 	}
-	return nil
+
+	var result OpenResult
+	if m := keySlotPattern.FindStringSubmatch(buf.String()); len(m) > 1 {
+		result.KeySlot = m[1]
+	}
+
+	return result, nil
 }
 
 // Close closes a LUKS mapping.

internal/unlock/unlock.go

@@ -14,7 +14,9 @@ import (
 // Result holds the outcome of a successful unlock.
 type Result struct {
 	Device     *udisks.BlockDevice
-	Privileged bool // true if unlock required root (cryptsetup path)
+	Privileged bool   // true if unlock required root (cryptsetup path)
+	Method     string // which method succeeded: "fido2", "tpm2", "passphrase", "keyfile"
+	KeySlot    string // key slot used, from cryptsetup verbose output (or "")
 }
 
 // Options configures the unlock behavior.
@@ -58,19 +60,19 @@ func (u *Unlocker) tryMethod(dev *udisks.BlockDevice, method string) (*Result, e
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: false}, nil
+		return &Result{Device: ct, Privileged: false, Method: method}, nil
 	case "keyfile":
 		ct, err := u.unlockKeyfile(dev)
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: false}, nil
+		return &Result{Device: ct, Privileged: false, Method: method}, nil
 	case "fido2", "tpm2":
-		ct, err := u.unlockCryptsetup(dev)
+		ct, openResult, err := u.unlockCryptsetup(dev)
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: true}, nil
+		return &Result{Device: ct, Privileged: true, Method: method, KeySlot: openResult.KeySlot}, nil
 	default:
 		return nil, fmt.Errorf("unknown unlock method: %s", method)
 	}
@@ -98,19 +100,20 @@ func (u *Unlocker) unlockKeyfile(dev *udisks.BlockDevice) (*udisks.BlockDevice,
 	return u.client.UnlockWithKeyfile(dev, contents)
 }
 
-func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, error) {
+func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, cryptsetup.OpenResult, error) {
 	name := cryptsetup.MapperName(dev.DevicePath)
-	if err := cryptsetup.Open(dev.DevicePath, name); err != nil {
-		return nil, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
+	openResult, err := cryptsetup.Open(dev.DevicePath, name)
+	if err != nil {
+		return nil, openResult, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
 	}
 
 	// Wait for udisks2 to pick up the new dm device.
 	for i := 0; i < 10; i++ {
 		ct, err := u.client.CleartextDevice(dev)
 		if err == nil {
-			return ct, nil
+			return ct, openResult, nil
 		}
 		time.Sleep(200 * time.Millisecond)
 	}
-	return nil, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
+	return nil, openResult, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
 }