Bump VERSION to 3.1.7.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ARCHITECTURE.md

@@ -708,7 +708,8 @@ sgard/
   sgardpb/                # Generated protobuf + gRPC Go code
   proto/sgard/v1/         # Proto source definitions
 
-  flake.nix               # Nix flake (builds sgard + sgardd)
+  VERSION                 # Semver string, read by flake.nix; synced from latest git tag via `make version`
+  flake.nix               # Nix flake (builds sgard + sgardd, version from VERSION file)
   .goreleaser.yaml        # GoReleaser (builds both binaries)
 ```
 

Makefile

@@ -1,4 +1,6 @@
-.PHONY: proto build test lint clean
+VERSION := $(shell git describe --tags --abbrev=0 | sed 's/^v//')
+
+.PHONY: proto build test lint clean version
 
 proto:
 	protoc \
@@ -7,8 +9,11 @@ proto:
 		-I proto \
 		proto/sgard/v1/sgard.proto
 
+version:
+	@echo $(VERSION) > VERSION
+
 build:
-	go build ./...
+	go build -ldflags "-X main.version=$(VERSION)" ./...
 
 test:
 	go test ./...

PROGRESS.md

@@ -111,3 +111,5 @@ Phase 6: Manifest Signing (to be planned).
 | 2026-03-25 | — | `sgard info` command: shows detailed file information (status, hash, timestamps, mode, encryption, targeting). 5 tests. |
 | 2026-03-25 | — | Deploy sgardd to rift: Dockerfile, docker-compose, mc-proxy L4 route on :9443, Metacrypt TLS cert, DNS. |
 | 2026-03-25 | — | `sgard remote set/show`: persistent remote config in `<repo>/remote.yaml` (addr, tls, tls_ca). |
+| 2026-03-26 | — | `sgard list` remote support: uses `resolveRemoteConfig()` to list server manifest via `PullManifest` RPC. Client `List()` method added. |
+| 2026-03-26 | — | Version derived from git tags via `VERSION` file. flake.nix reads `VERSION`; Makefile `version` target syncs from latest tag, `build` injects via ldflags. |

VERSION

@@ -0,0 +1 @@
+3.1.7

client/client.go

@@ -8,6 +8,7 @@ import (
 	"io"
 
 	"github.com/kisom/sgard/garden"
+	"github.com/kisom/sgard/manifest"
 	"github.com/kisom/sgard/server"
 	"github.com/kisom/sgard/sgardpb"
 	"golang.org/x/crypto/ssh"
@@ -205,8 +206,8 @@ func (c *Client) doPull(ctx context.Context, g *garden.Garden) (int, error) {
 	serverManifest := server.ProtoToManifest(pullResp.GetManifest())
 	localManifest := g.GetManifest()
 
-	// If local is newer or equal, nothing to do.
+	// If local has files and is newer or equal, nothing to do.
-	if !serverManifest.Updated.After(localManifest.Updated) {
+	if len(localManifest.Files) > 0 && !serverManifest.Updated.After(localManifest.Updated) {
 		return 0, nil
 	}
 
@@ -273,6 +274,22 @@ func (c *Client) doPull(ctx context.Context, g *garden.Garden) (int, error) {
 	return blobCount, nil
 }
 
+// List fetches the server's manifest and returns its entries without
+// downloading any blobs. Automatically re-authenticates if needed.
+func (c *Client) List(ctx context.Context) ([]manifest.Entry, error) {
+	var entries []manifest.Entry
+	err := c.retryOnAuth(ctx, func() error {
+		resp, err := c.rpc.PullManifest(ctx, &sgardpb.PullManifestRequest{})
+		if err != nil {
+			return fmt.Errorf("list remote: %w", err)
+		}
+		m := server.ProtoToManifest(resp.GetManifest())
+		entries = m.Files
+		return nil
+	})
+	return entries, err
+}
+
 // Prune requests the server to remove orphaned blobs. Returns the count removed.
 // Automatically re-authenticates if needed.
 func (c *Client) Prune(ctx context.Context) (int, error) {

cmd/sgard/add.go

@@ -1,13 +1,12 @@
 package main
 
 import (
-	"bufio"
 	"fmt"
 	"os"
-	"strings"
 
 	"github.com/kisom/sgard/garden"
 	"github.com/spf13/cobra"
+	"golang.org/x/term"
 )
 
 var (
@@ -60,11 +59,16 @@ var addCmd = &cobra.Command{
 
 func promptPassphrase() (string, error) {
 	fmt.Fprint(os.Stderr, "Passphrase: ")
-	scanner := bufio.NewScanner(os.Stdin)
+	fd := int(os.Stdin.Fd())
-	if scanner.Scan() {
+	passphrase, err := term.ReadPassword(fd)
-		return strings.TrimSpace(scanner.Text()), nil
+	fmt.Fprintln(os.Stderr)
+	if err != nil {
+		return "", fmt.Errorf("reading passphrase: %w", err)
 	}
-	return "", fmt.Errorf("no passphrase provided")
+	if len(passphrase) == 0 {
+		return "", fmt.Errorf("no passphrase provided")
+	}
+	return string(passphrase), nil
 }
 
 func init() {

cmd/sgard/list.go

@@ -1,41 +1,72 @@
 package main
 
 import (
+	"context"
 	"fmt"
 
 	"github.com/kisom/sgard/garden"
+	"github.com/kisom/sgard/manifest"
 	"github.com/spf13/cobra"
 )
 
 var listCmd = &cobra.Command{
 	Use:   "list",
 	Short: "List all tracked files",
+	Long:  "List all tracked files locally, or on the remote server with -r.",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		g, err := garden.Open(repoFlag)
+		addr, _, _, _ := resolveRemoteConfig()
-		if err != nil {
+		if addr != "" {
-			return err
+			return listRemote()
 		}
-
+		return listLocal()
-		entries := g.List()
-		for _, e := range entries {
-			switch e.Type {
-			case "file":
-				hash := e.Hash
-				if len(hash) > 8 {
-					hash = hash[:8]
-				}
-				fmt.Printf("%-6s %s\t%s\n", "file", e.Path, hash)
-			case "link":
-				fmt.Printf("%-6s %s\t-> %s\n", "link", e.Path, e.Target)
-			case "directory":
-				fmt.Printf("%-6s %s\n", "dir", e.Path)
-			}
-		}
-
-		return nil
 	},
 }
 
+func listLocal() error {
+	g, err := garden.Open(repoFlag)
+	if err != nil {
+		return err
+	}
+
+	printEntries(g.List())
+	return nil
+}
+
+func listRemote() error {
+	ctx := context.Background()
+
+	c, cleanup, err := dialRemote(ctx)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	entries, err := c.List(ctx)
+	if err != nil {
+		return err
+	}
+
+	printEntries(entries)
+	return nil
+}
+
+func printEntries(entries []manifest.Entry) {
+	for _, e := range entries {
+		switch e.Type {
+		case "file":
+			hash := e.Hash
+			if len(hash) > 8 {
+				hash = hash[:8]
+			}
+			fmt.Printf("%-6s %s\t%s\n", "file", e.Path, hash)
+		case "link":
+			fmt.Printf("%-6s %s\t-> %s\n", "link", e.Path, e.Target)
+		case "directory":
+			fmt.Printf("%-6s %s\n", "dir", e.Path)
+		}
+	}
+}
+
 func init() {
 	rootCmd.AddCommand(listCmd)
 }

cmd/sgard/main.go

@@ -133,7 +133,7 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 
 func main() {
 	rootCmd.PersistentFlags().StringVar(&repoFlag, "repo", defaultRepo(), "path to sgard repository")
-	rootCmd.PersistentFlags().StringVar(&remoteFlag, "remote", "", "gRPC server address (host:port)")
+	rootCmd.PersistentFlags().StringVarP(&remoteFlag, "remote", "r", "", "gRPC server address (host:port)")
 	rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key")
 	rootCmd.PersistentFlags().BoolVar(&tlsFlag, "tls", false, "use TLS for remote connection")
 	rootCmd.PersistentFlags().StringVar(&tlsCAFlag, "tls-ca", "", "path to CA certificate for TLS verification")

cmd/sgard/pull.go

@@ -10,13 +10,17 @@ import (
 
 var pullCmd = &cobra.Command{
 	Use:   "pull",
-	Short: "Pull checkpoint from remote server",
+	Short: "Pull checkpoint from remote server and restore files",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx := context.Background()
 
 		g, err := garden.Open(repoFlag)
 		if err != nil {
-			return err
+			// Repo doesn't exist yet — init it so pull can populate it.
+			g, err = garden.Init(repoFlag)
+			if err != nil {
+				return fmt.Errorf("init repo for pull: %w", err)
+			}
 		}
 
 		c, cleanup, err := dialRemote(ctx)
@@ -32,9 +36,22 @@ var pullCmd = &cobra.Command{
 
 		if pulled == 0 {
 			fmt.Println("Already up to date.")
-		} else {
+			return nil
-			fmt.Printf("Pulled %d blob(s).\n", pulled)
 		}
+
+		fmt.Printf("Pulled %d blob(s).\n", pulled)
+
+		if g.HasEncryption() && g.NeedsDEK(g.List()) {
+			if err := unlockDEK(g); err != nil {
+				return err
+			}
+		}
+
+		if err := g.Restore(nil, true, nil); err != nil {
+			return fmt.Errorf("restore after pull: %w", err)
+		}
+
+		fmt.Println("Restore complete.")
 		return nil
 	},
 }

flake.nix

@@ -11,17 +11,20 @@
       let
         pkgs = import nixpkgs { inherit system; };
       in
+      let
+        version = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./VERSION);
+      in
       {
         packages = {
-          sgard = pkgs.buildGoModule {
+          sgard = pkgs.buildGoModule rec {
             pname = "sgard";
-            version = "2.1.0";
+            inherit version;
             src = pkgs.lib.cleanSource ./.;
             subPackages = [ "cmd/sgard" "cmd/sgardd" ];
 
-            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+            vendorHash = "sha256-Z/Ja4j7YesNYefQQcWWRG2v8WuIL+UNqPGwYD5AipZY=";
 
-            ldflags = [ "-s" "-w" ];
+            ldflags = [ "-s" "-w" "-X main.version=${version}" ];
 
             meta = {
               description = "Shimmering Clarity Gardener: dotfile management";
@@ -29,19 +32,19 @@
             };
           };
 
-          sgard-fido2 = pkgs.buildGoModule {
+          sgard-fido2 = pkgs.buildGoModule rec {
             pname = "sgard-fido2";
-            version = "2.1.0";
+            inherit version;
             src = pkgs.lib.cleanSource ./.;
             subPackages = [ "cmd/sgard" "cmd/sgardd" ];
 
-            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+            vendorHash = "sha256-Z/Ja4j7YesNYefQQcWWRG2v8WuIL+UNqPGwYD5AipZY=";
 
             buildInputs = [ pkgs.libfido2 ];
             nativeBuildInputs = [ pkgs.pkg-config ];
             tags = [ "fido2" ];
 
-            ldflags = [ "-s" "-w" ];
+            ldflags = [ "-s" "-w" "-X main.version=${version}" ];
 
             meta = {
               description = "Shimmering Clarity Gardener: dotfile management (with FIDO2 hardware support)";

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/keys-pub/go-libfido2 v1.5.3
 	github.com/spf13/cobra v1.10.2
 	golang.org/x/crypto v0.49.0
+	golang.org/x/term v0.41.0
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1