Bump version to 1.3.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add config validation, remove command, status filtering, and unlock method display
2026-03-24 11:04:42 -07:00 · 2026-03-24 10:22:52 -07:00 · 2026-03-24 09:37:19 -07:00 · 2026-03-24 09:36:40 -07:00
11 changed files with 394 additions and 28 deletions
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -0,0 +1,45 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"github.com/spf13/cobra"
+)
+
+var configCmd = &cobra.Command{
+	Use:   "config",
+	Short: "Manage arca configuration",
+}
+
+var configCheckCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Validate the config file",
+	RunE:  runConfigCheck,
+}
+
+func init() {
+	configCmd.AddCommand(configCheckCmd)
+	rootCmd.AddCommand(configCmd)
+}
+
+func runConfigCheck(cmd *cobra.Command, args []string) error {
+	cfg := config.Load()
+
+	if len(cfg.Devices) == 0 {
+		fmt.Println("No devices configured.")
+		return nil
+	}
+
+	errs := config.Validate(cfg)
+	if len(errs) == 0 {
+		fmt.Printf("Config OK (%d device(s))\n", len(cfg.Devices))
+		return nil
+	}
+
+	for _, e := range errs {
+		fmt.Fprintln(os.Stderr, e)
+	}
+	return fmt.Errorf("config has %d issue(s)", len(errs))
+}
--- a/cmd/format.go
+++ b/cmd/format.go
@@ -0,0 +1,19 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/unlock"
+)
+
+// formatMethod returns a parenthesized string describing how a device
+// was unlocked, e.g. "(fido2, key slot 1)" or "(passphrase)".
+func formatMethod(r *unlock.Result) string {
+	if r.Method == "" {
+		return ""
+	}
+	if r.KeySlot != "" {
+		return fmt.Sprintf("(%s, key slot %s)", r.Method, r.KeySlot)
+	}
+	return fmt.Sprintf("(%s)", r.Method)
+}
--- a/cmd/lock.go
+++ b/cmd/lock.go
@@ -0,0 +1,68 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"git.wntrmute.dev/kyle/arca/internal/cryptsetup"
+	"git.wntrmute.dev/kyle/arca/internal/udisks"
+	"github.com/spf13/cobra"
+)
+
+var lockCmd = &cobra.Command{
+	Use:               "lock <device|alias>",
+	Short:             "Lock a LUKS volume without unmounting",
+	Long:              "Locks (closes) a LUKS volume. If the volume is mounted, it will be unmounted first.",
+	Args:              cobra.ExactArgs(1),
+	RunE:              runLock,
+	ValidArgsFunction: completeDeviceOrAlias,
+}
+
+func init() {
+	rootCmd.AddCommand(lockCmd)
+}
+
+func runLock(cmd *cobra.Command, args []string) error {
+	cfg := config.Load()
+	target := args[0]
+
+	client, err := udisks.NewClient()
+	if err != nil {
+		return fmt.Errorf("connecting to udisks2: %w", err)
+	}
+	defer client.Close()
+
+	devCfg := cfg.ResolveDevice(target)
+
+	dev, err := client.FindDevice(devCfg.UUID, target)
+	if err != nil {
+		return err
+	}
+
+	// Check if already locked.
+	cleartext, err := client.CleartextDevice(dev)
+	if err != nil {
+		fmt.Fprintf(cmd.ErrOrStderr(), "%s is already locked\n", target)
+		return nil
+	}
+
+	// If mounted, unmount first — can't lock a mounted device.
+	if mp, mounted := client.IsMounted(cleartext); mounted {
+		if err := client.Unmount(cleartext); err != nil {
+			if err := cryptsetup.Unmount(mp); err != nil {
+				return fmt.Errorf("unmounting before lock: %w", err)
+			}
+		}
+	}
+
+	// Lock: try udisks2 first, fall back to cryptsetup close.
+	if err := client.Lock(dev); err != nil {
+		mapperName := cryptsetup.MapperName(dev.DevicePath)
+		if err := cryptsetup.Close(mapperName); err != nil {
+			return fmt.Errorf("locking: %w", err)
+		}
+	}
+
+	fmt.Printf("Locked %s\n", target)
+	return nil
+}
--- a/cmd/mount.go
+++ b/cmd/mount.go
@@ -3,11 +3,13 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"strings"

 	"git.wntrmute.dev/kyle/arca/internal/config"
 	"git.wntrmute.dev/kyle/arca/internal/cryptsetup"
 	"git.wntrmute.dev/kyle/arca/internal/udisks"
 	"git.wntrmute.dev/kyle/arca/internal/unlock"
+	"git.wntrmute.dev/kyle/arca/internal/verbose"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
@@ -57,7 +59,18 @@ func runMount(cmd *cobra.Command, args []string) error {
 			fmt.Println(existing)
 			return nil
 		}
-		// Unlocked but not mounted — just mount it.
+		// Unlocked but not mounted — mount it. If the mapper name
+		// indicates arca opened it via cryptsetup (privileged path),
+		// use privileged mount since udisks2 won't authorize it.
+		if isPrivilegedMapping(dev) {
+			verbose.Printf("detected arca-managed mapping, using privileged mount")
+			mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp)
+			if err != nil {
+				return fmt.Errorf("mounting: %w", err)
+			}
+			fmt.Println(mnt)
+			return nil
+		}
 		return doMount(client, cleartext, mp)
 	}

@@ -72,37 +85,52 @@ func runMount(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	methodInfo := formatMethod(result)
+
 	if result.Privileged {
 		mnt, err := cryptsetup.Mount(result.Device.DevicePath, mp)
 		if err != nil {
 			return fmt.Errorf("mounting: %w", err)
 		}
-		fmt.Println(mnt)
+		fmt.Printf("%s %s\n", mnt, methodInfo)
 		return nil
 	}

 	if mp != "" {
 		fmt.Fprintf(os.Stderr, "warning: --mountpoint is ignored for udisks2 mounts (passphrase/keyfile path)\n")
 	}
-	return doMount(client, result.Device, "")
+	return doMountWithInfo(client, result.Device, "", methodInfo)
 }

 func doMount(client *udisks.Client, cleartext *udisks.BlockDevice, mp string) error {
+	return doMountWithInfo(client, cleartext, mp, "")
+}
+
+func doMountWithInfo(client *udisks.Client, cleartext *udisks.BlockDevice, mp, methodInfo string) error {
+	var mnt string
+	var err error
 	if mp != "" {
-		// udisks2 doesn't support custom mount points; use privileged mount.
-		mnt, err := cryptsetup.Mount(cleartext.DevicePath, mp)
+		mnt, err = cryptsetup.Mount(cleartext.DevicePath, mp)
+	} else {
+		mnt, err = client.Mount(cleartext)
+	}
 	if err != nil {
 		return fmt.Errorf("mounting: %w", err)
 	}
+	if methodInfo != "" {
+		fmt.Printf("%s %s\n", mnt, methodInfo)
+	} else {
 		fmt.Println(mnt)
+	}
 	return nil
 }
-	mnt, err := client.Mount(cleartext)
-	if err != nil {
-		return fmt.Errorf("mounting: %w", err)
-	}
-	fmt.Println(mnt)
-	return nil
+
+// isPrivilegedMapping checks if a LUKS device was opened via arca's
+// cryptsetup path by checking if the expected mapper name exists.
+func isPrivilegedMapping(dev *udisks.BlockDevice) bool {
+	expected := cryptsetup.MapperName(dev.DevicePath)
+	_, err := os.Stat("/dev/mapper/" + expected)
+	return err == nil && strings.HasPrefix(expected, "arca-")
 }

 func readPassphrase() (string, error) {
--- a/cmd/remove.go
+++ b/cmd/remove.go
@@ -0,0 +1,38 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"github.com/spf13/cobra"
+)
+
+var removeCmd = &cobra.Command{
+	Use:               "remove <alias>",
+	Short:             "Remove a device from the config",
+	Args:              cobra.ExactArgs(1),
+	RunE:              runRemove,
+	ValidArgsFunction: completeDeviceOrAlias,
+}
+
+func init() {
+	rootCmd.AddCommand(removeCmd)
+}
+
+func runRemove(cmd *cobra.Command, args []string) error {
+	alias := args[0]
+	cfg := config.Load()
+
+	if _, ok := cfg.Devices[alias]; !ok {
+		return fmt.Errorf("no device with alias %q in config", alias)
+	}
+
+	delete(cfg.Devices, alias)
+
+	if err := cfg.Save(); err != nil {
+		return fmt.Errorf("saving config: %w", err)
+	}
+
+	fmt.Printf("Removed %q from config\n", alias)
+	return nil
+}
--- a/cmd/status.go
+++ b/cmd/status.go
@@ -10,6 +10,12 @@ import (
 	"github.com/spf13/cobra"
 )

+var (
+	filterMounted  bool
+	filterUnlocked bool
+	filterLocked   bool
+)
+
 var statusCmd = &cobra.Command{
 	Use:   "status",
 	Short: "Show LUKS volume status",
@@ -17,6 +23,9 @@ var statusCmd = &cobra.Command{
 }

 func init() {
+	statusCmd.Flags().BoolVar(&filterMounted, "mounted", false, "show only mounted devices")
+	statusCmd.Flags().BoolVar(&filterUnlocked, "unlocked", false, "show only unlocked (but not mounted) devices")
+	statusCmd.Flags().BoolVar(&filterLocked, "locked", false, "show only locked devices")
 	rootCmd.AddCommand(statusCmd)
 }

@@ -34,6 +43,8 @@ func runStatus(cmd *cobra.Command, args []string) error {
 		return err
 	}

+	filtering := filterMounted || filterUnlocked || filterLocked
+
 	w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0)
 	fmt.Fprintln(w, "DEVICE\tUUID\tALIAS\tSTATE\tMOUNTPOINT")

@@ -50,6 +61,23 @@ func runStatus(cmd *cobra.Command, args []string) error {
 			}
 		}

+		if filtering {
+			switch state {
+			case "mounted":
+				if !filterMounted {
+					continue
+				}
+			case "unlocked":
+				if !filterUnlocked {
+					continue
+				}
+			case "locked":
+				if !filterLocked {
+					continue
+				}
+			}
+		}
+
 		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n",
 			dev.DevicePath, dev.UUID, alias, state, mountpoint)
 	}
--- a/cmd/unlock.go
+++ b/cmd/unlock.go
@@ -0,0 +1,59 @@
+package cmd
+
+import (
+	"fmt"
+
+	"git.wntrmute.dev/kyle/arca/internal/config"
+	"git.wntrmute.dev/kyle/arca/internal/udisks"
+	"git.wntrmute.dev/kyle/arca/internal/unlock"
+	"github.com/spf13/cobra"
+)
+
+var unlockCmd = &cobra.Command{
+	Use:               "unlock <device|alias>",
+	Short:             "Unlock a LUKS volume without mounting",
+	Args:              cobra.ExactArgs(1),
+	RunE:              runUnlock,
+	ValidArgsFunction: completeDeviceOrAlias,
+}
+
+func init() {
+	rootCmd.AddCommand(unlockCmd)
+}
+
+func runUnlock(cmd *cobra.Command, args []string) error {
+	cfg := config.Load()
+	target := args[0]
+
+	client, err := udisks.NewClient()
+	if err != nil {
+		return fmt.Errorf("connecting to udisks2: %w", err)
+	}
+	defer client.Close()
+
+	devCfg := cfg.ResolveDevice(target)
+
+	dev, err := client.FindDevice(devCfg.UUID, target)
+	if err != nil {
+		return err
+	}
+
+	// Check if already unlocked.
+	if cleartext, err := client.CleartextDevice(dev); err == nil {
+		fmt.Printf("%s is already unlocked (%s)\n", target, cleartext.DevicePath)
+		return nil
+	}
+
+	u := unlock.New(client, unlock.Options{
+		ReadPassphrase: readPassphrase,
+		KeyfilePath:    devCfg.Keyfile,
+	})
+
+	result, err := u.Unlock(dev, devCfg.Methods)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Unlocked %s -> %s %s\n", target, result.Device.DevicePath, formatMethod(result))
+	return nil
+}
--- a/flake.nix
+++ b/flake.nix
@@ -10,7 +10,7 @@
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
-      version = "1.2.0";
+      version = "1.3.0";
    in
    {
      packages.${system}.default = pkgs.buildGoModule {
--- a/internal/config/validate.go
+++ b/internal/config/validate.go
@@ -0,0 +1,60 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+)
+
+var (
+	ValidMethods = []string{"passphrase", "keyfile", "fido2", "tpm2"}
+	uuidPattern  = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)
+)
+
+// Validate checks the config for common issues. Returns a list of errors.
+func Validate(cfg *Config) []error {
+	var errs []error
+
+	for alias, dev := range cfg.Devices {
+		if dev.UUID == "" {
+			errs = append(errs, fmt.Errorf("%s: missing uuid", alias))
+		} else if !uuidPattern.MatchString(dev.UUID) {
+			errs = append(errs, fmt.Errorf("%s: malformed uuid %q", alias, dev.UUID))
+		}
+
+		for _, m := range dev.Methods {
+			if !isValidMethod(m) {
+				errs = append(errs, fmt.Errorf("%s: unknown method %q (valid: %v)", alias, m, ValidMethods))
+			}
+		}
+
+		hasKeyfileMethod := false
+		for _, m := range dev.Methods {
+			if m == "keyfile" {
+				hasKeyfileMethod = true
+				break
+			}
+		}
+
+		if hasKeyfileMethod && dev.Keyfile == "" {
+			errs = append(errs, fmt.Errorf("%s: method 'keyfile' listed but no keyfile path set", alias))
+		}
+
+		if dev.Keyfile != "" {
+			if _, err := os.Stat(dev.Keyfile); err != nil {
+				errs = append(errs, fmt.Errorf("%s: keyfile %q not found (may be on removable media)", alias, dev.Keyfile))
+			}
+		}
+	}
+
+	return errs
+}
+
+func isValidMethod(m string) bool {
+	for _, v := range ValidMethods {
+		if m == v {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/cryptsetup/cryptsetup.go
+++ b/internal/cryptsetup/cryptsetup.go
@@ -1,31 +1,49 @@
 package cryptsetup

 import (
+	"bytes"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"regexp"
 	"strings"

 	"git.wntrmute.dev/kyle/arca/internal/verbose"
 )

+// OpenResult holds information about a successful cryptsetup open.
+type OpenResult struct {
+	KeySlot string // e.g., "1", or "" if not parsed
+}
+
+var keySlotPattern = regexp.MustCompile(`Key slot (\d+) unlocked`)
+
 // Open opens a LUKS device using cryptsetup with token-based unlock.
-func Open(devicePath, mapperName string) error {
-	args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only"})
+// Returns info about which key slot was used.
+func Open(devicePath, mapperName string) (OpenResult, error) {
+	args := withTokenPluginEnv([]string{"cryptsetup", "open", devicePath, mapperName, "--token-only", "-v"})
 	args = withPrivilege(args)

 	verbose.Printf("exec: %s", strings.Join(args, " "))

+	var buf bytes.Buffer
 	cmd := exec.Command(args[0], args[1:]...)
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
+	cmd.Stderr = io.MultiWriter(os.Stderr, &buf)

 	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("cryptsetup open --token-only: %w", err)
+		return OpenResult{}, fmt.Errorf("cryptsetup open --token-only: %w", err)
 	}
-	return nil
+
+	var result OpenResult
+	if m := keySlotPattern.FindStringSubmatch(buf.String()); len(m) > 1 {
+		result.KeySlot = m[1]
+	}
+
+	return result, nil
 }

 // Close closes a LUKS mapping.
--- a/internal/unlock/unlock.go
+++ b/internal/unlock/unlock.go
@@ -15,6 +15,8 @@ import (
 type Result struct {
 	Device     *udisks.BlockDevice
 	Privileged bool   // true if unlock required root (cryptsetup path)
+	Method     string // which method succeeded: "fido2", "tpm2", "passphrase", "keyfile"
+	KeySlot    string // key slot used, from cryptsetup verbose output (or "")
 }

 // Options configures the unlock behavior.
@@ -58,19 +60,19 @@ func (u *Unlocker) tryMethod(dev *udisks.BlockDevice, method string) (*Result, e
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: false}, nil
+		return &Result{Device: ct, Privileged: false, Method: method}, nil
 	case "keyfile":
 		ct, err := u.unlockKeyfile(dev)
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: false}, nil
+		return &Result{Device: ct, Privileged: false, Method: method}, nil
 	case "fido2", "tpm2":
-		ct, err := u.unlockCryptsetup(dev)
+		ct, openResult, err := u.unlockCryptsetup(dev)
 		if err != nil {
 			return nil, err
 		}
-		return &Result{Device: ct, Privileged: true}, nil
+		return &Result{Device: ct, Privileged: true, Method: method, KeySlot: openResult.KeySlot}, nil
 	default:
 		return nil, fmt.Errorf("unknown unlock method: %s", method)
 	}
@@ -98,19 +100,20 @@ func (u *Unlocker) unlockKeyfile(dev *udisks.BlockDevice) (*udisks.BlockDevice,
 	return u.client.UnlockWithKeyfile(dev, contents)
 }

-func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, error) {
+func (u *Unlocker) unlockCryptsetup(dev *udisks.BlockDevice) (*udisks.BlockDevice, cryptsetup.OpenResult, error) {
 	name := cryptsetup.MapperName(dev.DevicePath)
-	if err := cryptsetup.Open(dev.DevicePath, name); err != nil {
-		return nil, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
+	openResult, err := cryptsetup.Open(dev.DevicePath, name)
+	if err != nil {
+		return nil, openResult, fmt.Errorf("%w (is the FIDO2/TPM2 key plugged in?)", err)
 	}

 	// Wait for udisks2 to pick up the new dm device.
 	for i := 0; i < 10; i++ {
 		ct, err := u.client.CleartextDevice(dev)
 		if err == nil {
-			return ct, nil
+			return ct, openResult, nil
 		}
 		time.Sleep(200 * time.Millisecond)
 	}
-	return nil, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
+	return nil, openResult, fmt.Errorf("timed out waiting for udisks2 to discover cleartext device")
 }
Author	SHA1	Message	Date
Kyle Isom	4d014f7872	Bump version to 1.3.0 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 11:04:42 -07:00
Kyle Isom	e9247c720a	Add config validation, remove command, status filtering, and unlock method display config check: validates UUID format, recognized methods, keyfile consistency and existence. Reports all issues with alias context. remove: deletes a device from config by alias. Inverse of add. status: --mounted, --unlocked, --locked flags filter the device table. Flags combine as OR. mount/unlock: display which method succeeded and key slot used, e.g. "(fido2, key slot 1)". cryptsetup Open now runs with -v and parses "Key slot N unlocked" from stderr via io.MultiWriter. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 10:22:52 -07:00
Kyle Isom	ce10c41466	Add unlock and lock commands for decrypt-only operations unlock: decrypts a LUKS volume without mounting. Idempotent — reports existing cleartext device if already unlocked. lock: locks a LUKS volume. If mounted, unmounts first (udisks2 with privileged fallback) then locks. Idempotent — reports if already locked. Both commands support alias completion and config resolution. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 09:37:19 -07:00
Kyle Isom	aadc01383b	Fix privileged mount for unlocked-but-not-mounted devices When a device was unlocked via arca's cryptsetup path (FIDO2/TPM2) but not yet mounted, the mount command tried the udisks2 path which failed with "Not authorized". Now detects arca-managed mappings by checking /dev/mapper/arca-* and uses privileged mount automatically. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-24 09:36:40 -07:00