From 1eb801fe6381ff224516fa8e80110c68da0c9cf6 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Tue, 24 Mar 2026 10:57:05 -0700 Subject: [PATCH] Plan Phase 4: lock/unlock, shell completion, TLS, DEK rotation, FIDO2 hardware, test cleanup. Steps 21-27. Phase 5 (multi-repo + per-machine) and Phase 6 (manifest signing) noted as future. Co-Authored-By: Claude Opus 4.6 (1M context) --- PROGRESS.md | 6 +++-- PROJECT_PLAN.md | 64 +++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 63 insertions(+), 7 deletions(-) diff --git a/PROGRESS.md b/PROGRESS.md index 1616873..2a405d2 100644 --- a/PROGRESS.md +++ b/PROGRESS.md @@ -7,7 +7,7 @@ ARCHITECTURE.md for design details. ## Current Status -**Phase:** Phase 3 complete (Steps 17–20). Encryption fully implemented. +**Phase:** Phase 3 complete. v2.0.0 released. Phase 4 planned, ready for Step 21. **Last updated:** 2026-03-24 @@ -42,7 +42,7 @@ ARCHITECTURE.md for design details. ## Up Next -Phase 3 complete. Future: TLS transport, shell completions, manifest signing, real FIDO2 hardware binding. +Phase 4: Hardening + Completeness. Step 21 (lock/unlock toggle) is next. ## Known Issues / Decisions Deferred @@ -82,3 +82,5 @@ Phase 3 complete. Future: TLS transport, shell completions, manifest signing, re | 2026-03-24 | 18 | FIDO2: FIDO2Device interface, AddFIDO2Slot, unlock resolution (fido2 first → passphrase fallback), mock device, 6 tests. | | 2026-03-24 | 19 | Encryption CLI: encrypt init/add-fido2/remove-slot/list-slots/change-passphrase, --encrypt on add, proto + convert updates. | | 2026-03-24 | 20 | Polish: encryption e2e test, all docs updated, flake vendorHash updated. | +| 2026-03-24 | — | Locked files + dir-only entries. v2.0.0 released. | +| 2026-03-24 | — | Phase 4 planned (Steps 21–27): lock/unlock, shell completion, TLS, DEK rotation, real FIDO2, test cleanup. | diff --git a/PROJECT_PLAN.md b/PROJECT_PLAN.md index e27d9e2..f89ae75 100644 --- a/PROJECT_PLAN.md +++ b/PROJECT_PLAN.md 
@@ -222,8 +222,62 @@ Depends on Steps 17, 18. ## Future Steps (Not Phase 3) -- Shell completion via cobra -- TLS transport (optional --tls-cert/--tls-key on sgardd) -- Multiple repo support on server -- Manifest signing (requires trust model design) -- DEK rotation (`sgard encrypt rotate-dek` — re-encrypt all blobs) +## Phase 4: Hardening + Completeness + +### Step 21: Lock/Unlock Toggle Commands + +- [ ] `garden/garden.go`: `Lock(paths []string) error` — set `locked: true` on existing entries +- [ ] `garden/garden.go`: `Unlock(paths []string) error` — set `locked: false` on existing entries +- [ ] `cmd/sgard/lock.go`: `sgard lock ...`, `sgard unlock ...` +- [ ] Tests: lock existing entry, unlock it, verify behavior changes + +### Step 22: Shell Completion + +- [ ] `cmd/sgard/completion.go`: cobra's built-in completion for bash, zsh, fish +- [ ] Update README with completion installation instructions + +### Step 23: TLS Transport for sgardd + +- [ ] `cmd/sgardd/main.go`: add `--tls-cert`, `--tls-key` flags +- [ ] Server uses `credentials.NewTLS()` when cert/key provided, insecure otherwise +- [ ] Client: add `--tls` flag and `--tls-ca` for custom CA +- [ ] Update `cmd/sgard/main.go` and `dialRemote()` for TLS +- [ ] Tests: TLS connection with self-signed cert +- [ ] Update ARCHITECTURE.md and README.md + +### Step 24: DEK Rotation + +- [ ] `garden/encrypt.go`: `RotateDEK(promptPassphrase func() (string, error)) error` — generate new DEK, re-encrypt all encrypted blobs, re-wrap with all existing KEK slots +- [ ] `cmd/sgard/encrypt.go`: `sgard encrypt rotate-dek` +- [ ] Tests: rotate DEK, verify all encrypted entries still decrypt correctly + +### Step 25: Real FIDO2 Hardware Binding + +- [ ] Evaluate approach: libfido2 CGo bindings vs subprocess (`fido2-token`/`fido2-cred`) +- [ ] Implement real `FIDO2Device` satisfying the existing interface +- [ ] `cmd/sgard/encrypt.go`: wire real device into `add-fido2` and unlock resolution +- [ ] Build tag or runtime detection 
for FIDO2 availability +- [ ] Tests: skip on CI without hardware, manual test instructions + +### Step 26: Test Cleanup + +- [ ] Standardize all test calls to use `AddOptions{}` struct (remove any legacy variadic patterns) +- [ ] Ensure all tests use `t.TempDir()` consistently +- [ ] Review lint config, tighten if possible +- [ ] Verify test coverage for lock/unlock, encrypted locked files, dir-only locked entries + +### Step 27: Phase 4 Polish + Release + +- [ ] Update all docs (ARCHITECTURE.md, README.md, CLAUDE.md, PROGRESS.md) +- [ ] Update flake.nix vendorHash if deps changed +- [ ] Update .goreleaser.yaml if needed +- [ ] E2e test covering TLS + encryption + locked files +- [ ] Verify: all tests pass, lint clean, both binaries compile + +## Phase 5: Multi-Repo + Per-Machine Inclusion + +(To be planned) + +## Phase 6: Manifest Signing + +(To be planned — requires trust model design)
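Review bot: In the last PROGRESS.md hunk (the change log table), both new rows carry a dash instead of a step number, so the "Locked files + dir-only entries" work and the v2.0.0 release are not tied to any plan step, even though Steps 21 and 26 of the new plan build on that feature. Suggest pointing the first row at the release tag or at the section of PROJECT_PLAN.md where locked and dir-only entries are specified, and giving the v2.0.0 release its own row so the log keeps one event per line.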
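Review bot: In the PROJECT_PLAN.md hunk, Step 23 has the server fall back to plaintext whenever cert/key are absent ("insecure otherwise"), so a missing or mistyped flag silently downgrades sgardd to an unencrypted transport. Suggest making plaintext an explicit opt-in (or at minimum a startup warning), treating `--tls-cert` without `--tls-key` (or the reverse) as a startup error, and extending the test item beyond the self-signed happy path with negative cases: the client rejects a certificate that does not chain to `--tls-ca`, and a non-TLS client fails against a TLS server. In Step 24, `RotateDEK` re-encrypts all blobs and re-wraps all slots, but the plan does not say what state the repo is left in if rotation is interrupted partway; add an item for atomicity or resumability and a test for it. The signature takes only a `promptPassphrase` callback while the item says it re-wraps "all existing KEK slots", so state how FIDO2 slots are re-wrapped. Finally, the context line `## Future Steps (Not Phase 3)` is kept while its entire list is removed, which leaves an empty heading directly above `## Phase 4`; drop or rename it.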