config check: validates UUID format, recognized methods, keyfile
consistency and existence. Reports all issues with alias context.
remove: deletes a device from config by alias. Inverse of add.
status: --mounted, --unlocked, --locked flags filter the device table.
Flags combine as OR.
mount/unlock: display which method succeeded and key slot used, e.g.
"(fido2, key slot 1)". cryptsetup Open now runs with -v and parses
"Key slot N unlocked" from stderr via io.MultiWriter.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
unlock: decrypts a LUKS volume without mounting. Idempotent — reports
existing cleartext device if already unlocked.
lock: locks a LUKS volume. If mounted, unmounts first (udisks2 with
privileged fallback) then locks. Idempotent — reports if already locked.
Both commands support alias completion and config resolution.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When a device was unlocked via arca's cryptsetup path (FIDO2/TPM2) but
not yet mounted, the mount command tried the udisks2 path which failed
with "Not authorized". Now detects arca-managed mappings by checking
/dev/mapper/arca-* and uses privileged mount automatically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add --merge flag to init that loads existing config, skips devices
whose UUID is already configured, and appends only new discoveries.
--force and --merge are mutually exclusive. Uses Config.Save() from M8.
Error message now suggests both --force and --merge.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New 'arca add <device>' subcommand detects a LUKS device via udisks2 and
appends it to the config with passphrase as default method. Supports
--alias/-a to override the generated name. Skips if UUID already
configured. Adds Config.Save() and Config.HasUUID() to config package.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add -v/--verbose persistent flag that prints debug info to stderr:
D-Bus connection status, token plugin directory discovery, unlock method
sequencing with per-method success/failure, and full cryptsetup command
lines including LD_LIBRARY_PATH.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ValidArgsFunction to mount and unmount commands that reads config
aliases for tab completion. Install zsh, bash, and fish completion
scripts via flake postInstall. Update PLAN.md with post-1.0 roadmap.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add --version flag with build-time injection via ldflags. Add
--mountpoint/-m flag to mount for one-off mount point override. Change
init aliases from device path basename (sda1) to UUID prefix (b8b2f8e3)
for stability across boots. Add .gitignore. Update flake.nix with
version injection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mount now detects already-unlocked and already-mounted devices, returning
the existing mount point instead of failing. unmount handles already-locked
devices gracefully and skips unmount if not mounted before locking.
Adds IsMounted helper to udisks client. Updates PLAN.md with refined
v1.0.0 milestones.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Go CLI using cobra with mount, unmount, status, and init subcommands.
Unlocks via udisks2 D-Bus (passphrase/keyfile) or cryptsetup (FIDO2/TPM2)
with ordered method fallback. Includes NixOS-specific LD_LIBRARY_PATH
injection for systemd cryptsetup token plugins.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
