Derive build version from git tags via VERSION file.

flake.nix reads from VERSION instead of hardcoding; Makefile gains a version target that syncs VERSION from the latest git tag and injects it into go build ldflags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add version in flake.
2026-03-26 11:26:16 -07:00 · 2026-03-26 11:14:28 -07:00 · 2026-03-26 09:22:59 -07:00 · 2026-03-25 21:49:56 -07:00 · 2026-03-25 21:23:21 -07:00
13 changed files with 296 additions and 56 deletions
--- a/9
+++ b/9
@@ -1,4 +1,6 @@
-.PHONY: proto build test lint clean
+VERSION := $(shell git describe --tags --abbrev=0 | sed 's/^v//')
+
+.PHONY: proto build test lint clean version

 proto:
 	protoc \
@@ -7,8 +9,11 @@ proto:
 		-I proto \
 		proto/sgard/v1/sgard.proto

+version:
+	@echo $(VERSION) > VERSION
+
 build:
-	go build ./...
+	go build -ldflags "-X main.version=$(VERSION)" ./...

 test:
 	go test ./...
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -46,6 +46,15 @@ Phase 6: Manifest Signing (to be planned).

 ## Standalone Additions

+- **Deployment to rift**: sgardd deployed as Podman container on rift behind
+  mc-proxy (L4 SNI passthrough on :9443, multiplexed with metacrypt gRPC).
+  TLS cert issued by Metacrypt, SSH-key auth. DNS at
+  `sgard.svc.mcp.metacircular.net`.
+- **Default remote config**: `sgard remote set/show` commands. Saves addr,
+  TLS, and CA path to `<repo>/remote.yaml`. `dialRemote` merges saved config
+  with CLI flags (flags win). Removes need for `--remote`/`--tls` on every
+  push/pull.
+
 ## Known Issues / Decisions Deferred

 - **Manifest signing**: deferred — trust model (which key signs, how do
@@ -100,3 +109,6 @@ Phase 6: Manifest Signing (to be planned).
 | 2026-03-24 | 31 | Proto + sync: only/never fields on ManifestEntry, conversion, round-trip test. |
 | 2026-03-24 | 32 | Phase 5 polish: e2e test (targeting + push/pull + restore), docs updated. Phase 5 complete. |
 | 2026-03-25 | — | `sgard info` command: shows detailed file information (status, hash, timestamps, mode, encryption, targeting). 5 tests. |
+| 2026-03-25 | — | Deploy sgardd to rift: Dockerfile, docker-compose, mc-proxy L4 route on :9443, Metacrypt TLS cert, DNS. |
+| 2026-03-25 | — | `sgard remote set/show`: persistent remote config in `<repo>/remote.yaml` (addr, tls, tls_ca). |
+| 2026-03-26 | — | `sgard list` remote support: uses `resolveRemoteConfig()` to list server manifest via `PullManifest` RPC. Client `List()` method added. |
--- a/1
+++ b/1
@@ -0,0 +1 @@
+3.1.5
--- a/client/client.go
+++ b/client/client.go
@@ -8,6 +8,7 @@ import (
 	"io"

 	"github.com/kisom/sgard/garden"
+	"github.com/kisom/sgard/manifest"
 	"github.com/kisom/sgard/server"
 	"github.com/kisom/sgard/sgardpb"
 	"golang.org/x/crypto/ssh"
@@ -273,6 +274,22 @@ func (c *Client) doPull(ctx context.Context, g *garden.Garden) (int, error) {
 	return blobCount, nil
 }

+// List fetches the server's manifest and returns its entries without
+// downloading any blobs. Automatically re-authenticates if needed.
+func (c *Client) List(ctx context.Context) ([]manifest.Entry, error) {
+	var entries []manifest.Entry
+	err := c.retryOnAuth(ctx, func() error {
+		resp, err := c.rpc.PullManifest(ctx, &sgardpb.PullManifestRequest{})
+		if err != nil {
+			return fmt.Errorf("list remote: %w", err)
+		}
+		m := server.ProtoToManifest(resp.GetManifest())
+		entries = m.Files
+		return nil
+	})
+	return entries, err
+}
+
 // Prune requests the server to remove orphaned blobs. Returns the count removed.
 // Automatically re-authenticates if needed.
 func (c *Client) Prune(ctx context.Context) (int, error) {
--- a/cmd/sgard/add.go
+++ b/cmd/sgard/add.go
@@ -1,13 +1,12 @@
 package main

 import (
-	"bufio"
 	"fmt"
 	"os"
-	"strings"

 	"github.com/kisom/sgard/garden"
 	"github.com/spf13/cobra"
+	"golang.org/x/term"
 )

 var (
@@ -60,11 +59,16 @@ var addCmd = &cobra.Command{

 func promptPassphrase() (string, error) {
 	fmt.Fprint(os.Stderr, "Passphrase: ")
-	scanner := bufio.NewScanner(os.Stdin)
-	if scanner.Scan() {
-		return strings.TrimSpace(scanner.Text()), nil
+	fd := int(os.Stdin.Fd())
+	passphrase, err := term.ReadPassword(fd)
+	fmt.Fprintln(os.Stderr)
+	if err != nil {
+		return "", fmt.Errorf("reading passphrase: %w", err)
 	}
-	return "", fmt.Errorf("no passphrase provided")
+	if len(passphrase) == 0 {
+		return "", fmt.Errorf("no passphrase provided")
+	}
+	return string(passphrase), nil
 }

 func init() {
--- a/cmd/sgard/list.go
+++ b/cmd/sgard/list.go
@@ -1,41 +1,74 @@
 package main

 import (
+	"context"
 	"fmt"

 	"github.com/kisom/sgard/garden"
+	"github.com/kisom/sgard/manifest"
 	"github.com/spf13/cobra"
 )

+var listRemoteFlag bool
+
 var listCmd = &cobra.Command{
 	Use:   "list",
 	Short: "List all tracked files",
+	Long:  "List all tracked files locally, or on the remote server with -r.",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		g, err := garden.Open(repoFlag)
-		if err != nil {
-			return err
+		if listRemoteFlag {
+			return listRemote()
 		}
-
-		entries := g.List()
-		for _, e := range entries {
-			switch e.Type {
-			case "file":
-				hash := e.Hash
-				if len(hash) > 8 {
-					hash = hash[:8]
-				}
-				fmt.Printf("%-6s %s\t%s\n", "file", e.Path, hash)
-			case "link":
-				fmt.Printf("%-6s %s\t-> %s\n", "link", e.Path, e.Target)
-			case "directory":
-				fmt.Printf("%-6s %s\n", "dir", e.Path)
-			}
-		}
-
-		return nil
+		return listLocal()
 	},
 }

+func listLocal() error {
+	g, err := garden.Open(repoFlag)
+	if err != nil {
+		return err
+	}
+
+	printEntries(g.List())
+	return nil
+}
+
+func listRemote() error {
+	ctx := context.Background()
+
+	c, cleanup, err := dialRemote(ctx)
+	if err != nil {
+		return err
+	}
+	defer cleanup()
+
+	entries, err := c.List(ctx)
+	if err != nil {
+		return err
+	}
+
+	printEntries(entries)
+	return nil
+}
+
+func printEntries(entries []manifest.Entry) {
+	for _, e := range entries {
+		switch e.Type {
+		case "file":
+			hash := e.Hash
+			if len(hash) > 8 {
+				hash = hash[:8]
+			}
+			fmt.Printf("%-6s %s\t%s\n", "file", e.Path, hash)
+		case "link":
+			fmt.Printf("%-6s %s\t-> %s\n", "link", e.Path, e.Target)
+		case "directory":
+			fmt.Printf("%-6s %s\n", "dir", e.Path)
+		}
+	}
+}
+
 func init() {
+	listCmd.Flags().BoolVarP(&listRemoteFlag, "use-remote", "r", false, "list files on the remote server")
 	rootCmd.AddCommand(listCmd)
 }
--- a/cmd/sgard/main.go
+++ b/cmd/sgard/main.go
@@ -37,28 +37,49 @@ func defaultRepo() string {
 	return filepath.Join(home, ".sgard")
 }

-// resolveRemote returns the remote address from flag, env, or repo config file.
-func resolveRemote() (string, error) {
-	if remoteFlag != "" {
-		return remoteFlag, nil
+// resolveRemoteConfig returns the effective remote address, TLS flag, and CA
+// path by merging CLI flags, environment, and the saved remote.yaml config.
+// CLI flags take precedence, then env, then the saved config.
+func resolveRemoteConfig() (addr string, useTLS bool, caPath string, err error) {
+	// Start with saved config as baseline.
+	saved, _ := loadRemoteConfig()
+
+	// Address: flag > env > saved > legacy file.
+	addr = remoteFlag
+	if addr == "" {
+		addr = os.Getenv("SGARD_REMOTE")
 	}
-	if env := os.Getenv("SGARD_REMOTE"); env != "" {
-		return env, nil
+	if addr == "" && saved != nil {
+		addr = saved.Addr
 	}
-	// Try <repo>/remote file.
-	data, err := os.ReadFile(filepath.Join(repoFlag, "remote"))
-	if err == nil {
-		addr := strings.TrimSpace(string(data))
-		if addr != "" {
-			return addr, nil
+	if addr == "" {
+		data, ferr := os.ReadFile(filepath.Join(repoFlag, "remote"))
+		if ferr == nil {
+			addr = strings.TrimSpace(string(data))
 		}
 	}
-	return "", fmt.Errorf("no remote configured; use --remote, SGARD_REMOTE, or create %s/remote", repoFlag)
+	if addr == "" {
+		return "", false, "", fmt.Errorf("no remote configured; use 'sgard remote set' or --remote")
+	}
+
+	// TLS: flag wins if explicitly set, otherwise use saved.
+	useTLS = tlsFlag
+	if !useTLS && saved != nil {
+		useTLS = saved.TLS
+	}
+
+	// CA: flag wins if set, otherwise use saved.
+	caPath = tlsCAFlag
+	if caPath == "" && saved != nil {
+		caPath = saved.TLSCA
+	}
+
+	return addr, useTLS, caPath, nil
 }

 // dialRemote creates a gRPC client with token-based auth and auto-renewal.
 func dialRemote(ctx context.Context) (*client.Client, func(), error) {
-	addr, err := resolveRemote()
+	addr, useTLS, caPath, err := resolveRemoteConfig()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -72,16 +93,16 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 	creds := client.NewTokenCredentials(cachedToken)

 	var transportCreds grpc.DialOption
-	if tlsFlag {
+	if useTLS {
 		tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
-		if tlsCAFlag != "" {
-			caPEM, err := os.ReadFile(tlsCAFlag)
+		if caPath != "" {
+			caPEM, err := os.ReadFile(caPath)
 			if err != nil {
 				return nil, nil, fmt.Errorf("reading CA cert: %w", err)
 			}
 			pool := x509.NewCertPool()
 			if !pool.AppendCertsFromPEM(caPEM) {
-				return nil, nil, fmt.Errorf("failed to parse CA cert %s", tlsCAFlag)
+				return nil, nil, fmt.Errorf("failed to parse CA cert %s", caPath)
 			}
 			tlsCfg.RootCAs = pool
 		}
--- a/cmd/sgard/prune.go
+++ b/cmd/sgard/prune.go
@@ -13,7 +13,7 @@ var pruneCmd = &cobra.Command{
 	Short: "Remove orphaned blobs not referenced by the manifest",
 	Long:  "Remove orphaned blobs locally, or on the remote server with --remote.",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		addr, _ := resolveRemote()
+		addr, _, _, _ := resolveRemoteConfig()

 		if addr != "" {
 			return pruneRemote()
--- a/cmd/sgard/remote.go
+++ b/cmd/sgard/remote.go
@@ -0,0 +1,97 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v3"
+)
+
+type remoteConfig struct {
+	Addr  string `yaml:"addr"`
+	TLS   bool   `yaml:"tls"`
+	TLSCA string `yaml:"tls_ca,omitempty"`
+}
+
+func remoteConfigPath() string {
+	return filepath.Join(repoFlag, "remote.yaml")
+}
+
+func loadRemoteConfig() (*remoteConfig, error) {
+	data, err := os.ReadFile(remoteConfigPath())
+	if err != nil {
+		return nil, err
+	}
+	var cfg remoteConfig
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("parsing remote config: %w", err)
+	}
+	return &cfg, nil
+}
+
+func saveRemoteConfig(cfg *remoteConfig) error {
+	data, err := yaml.Marshal(cfg)
+	if err != nil {
+		return fmt.Errorf("encoding remote config: %w", err)
+	}
+	return os.WriteFile(remoteConfigPath(), data, 0o644)
+}
+
+var remoteCmd = &cobra.Command{
+	Use:   "remote",
+	Short: "Manage default remote server",
+}
+
+var remoteSetCmd = &cobra.Command{
+	Use:   "set <addr>",
+	Short: "Set the default remote address",
+	Args:  cobra.ExactArgs(1),
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cfg := &remoteConfig{
+			Addr:  args[0],
+			TLS:   tlsFlag,
+			TLSCA: tlsCAFlag,
+		}
+		if err := saveRemoteConfig(cfg); err != nil {
+			return err
+		}
+		fmt.Printf("Remote set: %s", cfg.Addr)
+		if cfg.TLS {
+			fmt.Print(" (TLS")
+			if cfg.TLSCA != "" {
+				fmt.Printf(", CA: %s", cfg.TLSCA)
+			}
+			fmt.Print(")")
+		}
+		fmt.Println()
+		return nil
+	},
+}
+
+var remoteShowCmd = &cobra.Command{
+	Use:   "show",
+	Short: "Show the configured remote",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cfg, err := loadRemoteConfig()
+		if err != nil {
+			if os.IsNotExist(err) {
+				fmt.Println("No remote configured.")
+				return nil
+			}
+			return err
+		}
+		fmt.Printf("addr:   %s\n", cfg.Addr)
+		fmt.Printf("tls:    %v\n", cfg.TLS)
+		if cfg.TLSCA != "" {
+			fmt.Printf("tls-ca: %s\n", cfg.TLSCA)
+		}
+		return nil
+	},
+}
+
+func init() {
+	remoteCmd.AddCommand(remoteSetCmd, remoteShowCmd)
+	rootCmd.AddCommand(remoteCmd)
+}
--- a/deploy/docker/Dockerfile
+++ b/deploy/docker/Dockerfile
@@ -0,0 +1,30 @@
+# Build stage
+FROM golang:1.25-alpine AS builder
+
+WORKDIR /build
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+ARG VERSION=dev
+RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /sgardd ./cmd/sgardd
+
+# Runtime stage
+FROM alpine:3.21
+
+RUN apk add --no-cache ca-certificates tzdata \
+    && adduser -D -h /srv/sgard sgard
+
+COPY --from=builder /sgardd /usr/local/bin/sgardd
+
+VOLUME /srv/sgard
+EXPOSE 9473
+
+USER sgard
+
+ENTRYPOINT ["sgardd", \
+    "--repo", "/srv/sgard", \
+    "--authorized-keys", "/srv/sgard/authorized_keys", \
+    "--tls-cert", "/srv/sgard/certs/sgard.pem", \
+    "--tls-key", "/srv/sgard/certs/sgard.key"]
--- a/deploy/docker/docker-compose-rift.yml
+++ b/deploy/docker/docker-compose-rift.yml
@@ -0,0 +1,16 @@
+services:
+  sgardd:
+    image: localhost/sgardd:latest
+    container_name: sgardd
+    restart: unless-stopped
+    user: "0:0"
+    ports:
+      - "127.0.0.1:19473:9473"
+    volumes:
+      - /srv/sgard:/srv/sgard
+    healthcheck:
+      test: ["CMD", "true"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
--- a/flake.nix
+++ b/flake.nix
@@ -11,17 +11,20 @@
      let
        pkgs = import nixpkgs { inherit system; };
      in
+      let
+        version = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./VERSION);
+      in
      {
        packages = {
-          sgard = pkgs.buildGoModule {
+          sgard = pkgs.buildGoModule rec {
            pname = "sgard";
-            version = "2.1.0";
+            inherit version;
            src = pkgs.lib.cleanSource ./.;
            subPackages = [ "cmd/sgard" "cmd/sgardd" ];

-            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+            vendorHash = "sha256-Z/Ja4j7YesNYefQQcWWRG2v8WuIL+UNqPGwYD5AipZY=";

-            ldflags = [ "-s" "-w" ];
+            ldflags = [ "-s" "-w" "-X main.version=${version}" ];

            meta = {
              description = "Shimmering Clarity Gardener: dotfile management";
@@ -29,19 +32,19 @@
            };
          };

-          sgard-fido2 = pkgs.buildGoModule {
+          sgard-fido2 = pkgs.buildGoModule rec {
            pname = "sgard-fido2";
-            version = "2.1.0";
+            inherit version;
            src = pkgs.lib.cleanSource ./.;
            subPackages = [ "cmd/sgard" "cmd/sgardd" ];

-            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+            vendorHash = "sha256-Z/Ja4j7YesNYefQQcWWRG2v8WuIL+UNqPGwYD5AipZY=";

            buildInputs = [ pkgs.libfido2 ];
            nativeBuildInputs = [ pkgs.pkg-config ];
            tags = [ "fido2" ];

-            ldflags = [ "-s" "-w" ];
+            ldflags = [ "-s" "-w" "-X main.version=${version}" ];

            meta = {
              description = "Shimmering Clarity Gardener: dotfile management (with FIDO2 hardware support)";
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/keys-pub/go-libfido2 v1.5.3
 	github.com/spf13/cobra v1.10.2
 	golang.org/x/crypto v0.49.0
+	golang.org/x/term v0.41.0
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
Author	SHA1	Message	Date
Kyle Isom	adfb087037	Derive build version from git tags via VERSION file. flake.nix reads from VERSION instead of hardcoding; Makefile gains a version target that syncs VERSION from the latest git tag and injects it into go build ldflags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 11:26:16 -07:00
Kyle Isom	5570f82eb4	Add version in flake.	2026-03-26 11:14:28 -07:00
Kyle Isom	bffe7bde12	Add remote listing support to sgard list via -r flag. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 09:22:59 -07:00
Kyle Isom	3e0aabef4a	Suppress passphrase echo in terminal prompts. Use golang.org/x/term.ReadPassword so passphrases are not displayed while typing, matching ssh behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 21:49:56 -07:00
Kyle Isom	4ec71eae00	Deploy sgardd to rift and add persistent remote config. Deployment: Dockerfile + docker-compose for sgardd on rift behind mc-proxy (L4 SNI passthrough on :9443, multiplexed with metacrypt gRPC). TLS via Metacrypt-issued cert, SSH-key auth. CLI: `sgard remote set/show` saves addr, TLS, and CA path to <repo>/remote.yaml so push/pull work without flags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 21:23:21 -07:00