Bump VERSION to 3.1.7.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull auto-inits repo, restores files, and add -r global shorthand.
2026-03-26 11:57:26 -07:00 · 2026-03-26 11:57:16 -07:00 · 2026-03-26 11:27:17 -07:00 · 2026-03-26 11:27:12 -07:00 · 2026-03-26 11:26:16 -07:00 · 2026-03-26 11:14:28 -07:00
15 changed files with 321 additions and 64 deletions
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -708,7 +708,8 @@ sgard/
  sgardpb/                # Generated protobuf + gRPC Go code
  proto/sgard/v1/         # Proto source definitions
-  flake.nix               # Nix flake (builds sgard + sgardd)
+  VERSION                 # Semver string, read by flake.nix; synced from latest git tag via `make version`
  flake.nix               # Nix flake (builds sgard + sgardd, version from VERSION file)
  .goreleaser.yaml        # GoReleaser (builds both binaries)
 ```
--- a/9
+++ b/9
@@ -1,4 +1,6 @@
-.PHONY: proto build test lint clean
+VERSION := $(shell git describe --tags --abbrev=0 | sed 's/^v//')
 .PHONY: proto build test lint clean version
 proto:
 	protoc \
@@ -7,8 +9,11 @@ proto:
 		-I proto \
 		proto/sgard/v1/sgard.proto
 version:
 	@echo $(VERSION) > VERSION
 build:
-	go build ./...
+	go build -ldflags "-X main.version=$(VERSION)" ./...
 test:
 	go test ./...
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -46,6 +46,15 @@ Phase 6: Manifest Signing (to be planned).
 ## Standalone Additions
 - **Deployment to rift**: sgardd deployed as Podman container on rift behind
  mc-proxy (L4 SNI passthrough on :9443, multiplexed with metacrypt gRPC).
  TLS cert issued by Metacrypt, SSH-key auth. DNS at
  `sgard.svc.mcp.metacircular.net`.
 - **Default remote config**: `sgard remote set/show` commands. Saves addr,
  TLS, and CA path to `<repo>/remote.yaml`. `dialRemote` merges saved config
  with CLI flags (flags win). Removes need for `--remote`/`--tls` on every
  push/pull.
 ## Known Issues / Decisions Deferred
 - **Manifest signing**: deferred — trust model (which key signs, how do
@@ -100,3 +109,7 @@ Phase 6: Manifest Signing (to be planned).
 | 2026-03-24 | 31 | Proto + sync: only/never fields on ManifestEntry, conversion, round-trip test. |
 | 2026-03-24 | 32 | Phase 5 polish: e2e test (targeting + push/pull + restore), docs updated. Phase 5 complete. |
 | 2026-03-25 | — | `sgard info` command: shows detailed file information (status, hash, timestamps, mode, encryption, targeting). 5 tests. |
 | 2026-03-25 | — | Deploy sgardd to rift: Dockerfile, docker-compose, mc-proxy L4 route on :9443, Metacrypt TLS cert, DNS. |
 | 2026-03-25 | — | `sgard remote set/show`: persistent remote config in `<repo>/remote.yaml` (addr, tls, tls_ca). |
 | 2026-03-26 | — | `sgard list` remote support: uses `resolveRemoteConfig()` to list server manifest via `PullManifest` RPC. Client `List()` method added. |
 | 2026-03-26 | — | Version derived from git tags via `VERSION` file. flake.nix reads `VERSION`; Makefile `version` target syncs from latest tag, `build` injects via ldflags. |
--- a/1
+++ b/1
@@ -0,0 +1 @@
 3.1.7
--- a/client/client.go
+++ b/client/client.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"github.com/kisom/sgard/garden"
 	"github.com/kisom/sgard/manifest"
 	"github.com/kisom/sgard/server"
 	"github.com/kisom/sgard/sgardpb"
 	"golang.org/x/crypto/ssh"
@@ -205,8 +206,8 @@ func (c *Client) doPull(ctx context.Context, g *garden.Garden) (int, error) {
 	serverManifest := server.ProtoToManifest(pullResp.GetManifest())
 	localManifest := g.GetManifest()
-	// If local is newer or equal, nothing to do.
+	// If local has files and is newer or equal, nothing to do.
-	if !serverManifest.Updated.After(localManifest.Updated) {
+	if len(localManifest.Files) > 0 && !serverManifest.Updated.After(localManifest.Updated) {
 		return 0, nil
 	}
@@ -273,6 +274,22 @@ func (c *Client) doPull(ctx context.Context, g *garden.Garden) (int, error) {
 	return blobCount, nil
 }
 // List fetches the server's manifest and returns its entries without
 // downloading any blobs. Automatically re-authenticates if needed.
 func (c *Client) List(ctx context.Context) ([]manifest.Entry, error) {
 	var entries []manifest.Entry
 	err := c.retryOnAuth(ctx, func() error {
 		resp, err := c.rpc.PullManifest(ctx, &sgardpb.PullManifestRequest{})
 		if err != nil {
 			return fmt.Errorf("list remote: %w", err)
 		}
 		m := server.ProtoToManifest(resp.GetManifest())
 		entries = m.Files
 		return nil
 	})
 	return entries, err
 }
 // Prune requests the server to remove orphaned blobs. Returns the count removed.
 // Automatically re-authenticates if needed.
 func (c *Client) Prune(ctx context.Context) (int, error) {
--- a/cmd/sgard/add.go
+++ b/cmd/sgard/add.go
@@ -1,13 +1,12 @@
 package main
 import (
 	"bufio"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/kisom/sgard/garden"
 	"github.com/spf13/cobra"
 	"golang.org/x/term"
 )
 var (
@@ -60,12 +59,17 @@ var addCmd = &cobra.Command{
 func promptPassphrase() (string, error) {
 	fmt.Fprint(os.Stderr, "Passphrase: ")
-	scanner := bufio.NewScanner(os.Stdin)
+	fd := int(os.Stdin.Fd())
-	if scanner.Scan() {
+	passphrase, err := term.ReadPassword(fd)
-		return strings.TrimSpace(scanner.Text()), nil
+	fmt.Fprintln(os.Stderr)
 	if err != nil {
 		return "", fmt.Errorf("reading passphrase: %w", err)
 	}
 	if len(passphrase) == 0 {
 		return "", fmt.Errorf("no passphrase provided")
 	}
 	return string(passphrase), nil
 }
 func init() {
 	addCmd.Flags().BoolVar(&encryptFlag, "encrypt", false, "encrypt file contents before storing")
--- a/cmd/sgard/list.go
+++ b/cmd/sgard/list.go
@@ -1,22 +1,56 @@
 package main
 import (
 	"context"
 	"fmt"
 	"github.com/kisom/sgard/garden"
 	"github.com/kisom/sgard/manifest"
 	"github.com/spf13/cobra"
 )
 var listCmd = &cobra.Command{
 	Use:   "list",
 	Short: "List all tracked files",
 	Long:  "List all tracked files locally, or on the remote server with -r.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		addr, _, _, _ := resolveRemoteConfig()
 		if addr != "" {
 			return listRemote()
 		}
 		return listLocal()
 	},
 }
 func listLocal() error {
 	g, err := garden.Open(repoFlag)
 	if err != nil {
 		return err
 	}
-		entries := g.List()
+	printEntries(g.List())
 	return nil
 }
 func listRemote() error {
 	ctx := context.Background()
 	c, cleanup, err := dialRemote(ctx)
 	if err != nil {
 		return err
 	}
 	defer cleanup()
 	entries, err := c.List(ctx)
 	if err != nil {
 		return err
 	}
 	printEntries(entries)
 	return nil
 }
 func printEntries(entries []manifest.Entry) {
 	for _, e := range entries {
 		switch e.Type {
 		case "file":
@@ -31,9 +65,6 @@ var listCmd = &cobra.Command{
 			fmt.Printf("%-6s %s\n", "dir", e.Path)
 		}
 	}
 		return nil
 	},
 }
 func init() {
--- a/cmd/sgard/main.go
+++ b/cmd/sgard/main.go
@@ -37,28 +37,49 @@ func defaultRepo() string {
 	return filepath.Join(home, ".sgard")
 }
-// resolveRemote returns the remote address from flag, env, or repo config file.
+// resolveRemoteConfig returns the effective remote address, TLS flag, and CA
-func resolveRemote() (string, error) {
+// path by merging CLI flags, environment, and the saved remote.yaml config.
-	if remoteFlag != "" {
+// CLI flags take precedence, then env, then the saved config.
-		return remoteFlag, nil
+func resolveRemoteConfig() (addr string, useTLS bool, caPath string, err error) {
 	// Start with saved config as baseline.
 	saved, _ := loadRemoteConfig()
 	// Address: flag > env > saved > legacy file.
 	addr = remoteFlag
 	if addr == "" {
 		addr = os.Getenv("SGARD_REMOTE")
 	}
-	if env := os.Getenv("SGARD_REMOTE"); env != "" {
+	if addr == "" && saved != nil {
-		return env, nil
+		addr = saved.Addr
 	}
-	// Try <repo>/remote file.
+	if addr == "" {
-	data, err := os.ReadFile(filepath.Join(repoFlag, "remote"))
+		data, ferr := os.ReadFile(filepath.Join(repoFlag, "remote"))
-	if err == nil {
+		if ferr == nil {
-		addr := strings.TrimSpace(string(data))
+			addr = strings.TrimSpace(string(data))
 		if addr != "" {
 			return addr, nil
 		}
 	}
-	return "", fmt.Errorf("no remote configured; use --remote, SGARD_REMOTE, or create %s/remote", repoFlag)
+	if addr == "" {
 		return "", false, "", fmt.Errorf("no remote configured; use 'sgard remote set' or --remote")
 	}
 	// TLS: flag wins if explicitly set, otherwise use saved.
 	useTLS = tlsFlag
 	if !useTLS && saved != nil {
 		useTLS = saved.TLS
 	}
 	// CA: flag wins if set, otherwise use saved.
 	caPath = tlsCAFlag
 	if caPath == "" && saved != nil {
 		caPath = saved.TLSCA
 	}
 	return addr, useTLS, caPath, nil
 }
 // dialRemote creates a gRPC client with token-based auth and auto-renewal.
 func dialRemote(ctx context.Context) (*client.Client, func(), error) {
-	addr, err := resolveRemote()
+	addr, useTLS, caPath, err := resolveRemoteConfig()
 	if err != nil {
 		return nil, nil, err
 	}
@@ -72,16 +93,16 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 	creds := client.NewTokenCredentials(cachedToken)
 	var transportCreds grpc.DialOption
-	if tlsFlag {
+	if useTLS {
 		tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
-		if tlsCAFlag != "" {
+		if caPath != "" {
-			caPEM, err := os.ReadFile(tlsCAFlag)
+			caPEM, err := os.ReadFile(caPath)
 			if err != nil {
 				return nil, nil, fmt.Errorf("reading CA cert: %w", err)
 			}
 			pool := x509.NewCertPool()
 			if !pool.AppendCertsFromPEM(caPEM) {
-				return nil, nil, fmt.Errorf("failed to parse CA cert %s", tlsCAFlag)
+				return nil, nil, fmt.Errorf("failed to parse CA cert %s", caPath)
 			}
 			tlsCfg.RootCAs = pool
 		}
@@ -112,7 +133,7 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 func main() {
 	rootCmd.PersistentFlags().StringVar(&repoFlag, "repo", defaultRepo(), "path to sgard repository")
-	rootCmd.PersistentFlags().StringVar(&remoteFlag, "remote", "", "gRPC server address (host:port)")
+	rootCmd.PersistentFlags().StringVarP(&remoteFlag, "remote", "r", "", "gRPC server address (host:port)")
 	rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key")
 	rootCmd.PersistentFlags().BoolVar(&tlsFlag, "tls", false, "use TLS for remote connection")
 	rootCmd.PersistentFlags().StringVar(&tlsCAFlag, "tls-ca", "", "path to CA certificate for TLS verification")
--- a/cmd/sgard/prune.go
+++ b/cmd/sgard/prune.go
@@ -13,7 +13,7 @@ var pruneCmd = &cobra.Command{
 	Short: "Remove orphaned blobs not referenced by the manifest",
 	Long:  "Remove orphaned blobs locally, or on the remote server with --remote.",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		addr, _ := resolveRemote()
+		addr, _, _, _ := resolveRemoteConfig()
 		if addr != "" {
 			return pruneRemote()
--- a/cmd/sgard/pull.go
+++ b/cmd/sgard/pull.go
@@ -10,13 +10,17 @@ import (
 var pullCmd = &cobra.Command{
 	Use:   "pull",
-	Short: "Pull checkpoint from remote server",
+	Short: "Pull checkpoint from remote server and restore files",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx := context.Background()
 		g, err := garden.Open(repoFlag)
 		if err != nil {
-			return err
+			// Repo doesn't exist yet — init it so pull can populate it.
 			g, err = garden.Init(repoFlag)
 			if err != nil {
 				return fmt.Errorf("init repo for pull: %w", err)
 			}
 		}
 		c, cleanup, err := dialRemote(ctx)
@@ -32,9 +36,22 @@ var pullCmd = &cobra.Command{
 		if pulled == 0 {
 			fmt.Println("Already up to date.")
-		} else {
+			return nil
 			fmt.Printf("Pulled %d blob(s).\n", pulled)
 		}
 		fmt.Printf("Pulled %d blob(s).\n", pulled)
 		if g.HasEncryption() && g.NeedsDEK(g.List()) {
 			if err := unlockDEK(g); err != nil {
 				return err
 			}
 		}
 		if err := g.Restore(nil, true, nil); err != nil {
 			return fmt.Errorf("restore after pull: %w", err)
 		}
 		fmt.Println("Restore complete.")
 		return nil
 	},
 }
--- a/cmd/sgard/remote.go
+++ b/cmd/sgard/remote.go
@@ -0,0 +1,97 @@
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v3"
 )
 type remoteConfig struct {
 	Addr  string `yaml:"addr"`
 	TLS   bool   `yaml:"tls"`
 	TLSCA string `yaml:"tls_ca,omitempty"`
 }
 func remoteConfigPath() string {
 	return filepath.Join(repoFlag, "remote.yaml")
 }
 func loadRemoteConfig() (*remoteConfig, error) {
 	data, err := os.ReadFile(remoteConfigPath())
 	if err != nil {
 		return nil, err
 	}
 	var cfg remoteConfig
 	if err := yaml.Unmarshal(data, &cfg); err != nil {
 		return nil, fmt.Errorf("parsing remote config: %w", err)
 	}
 	return &cfg, nil
 }
 func saveRemoteConfig(cfg *remoteConfig) error {
 	data, err := yaml.Marshal(cfg)
 	if err != nil {
 		return fmt.Errorf("encoding remote config: %w", err)
 	}
 	return os.WriteFile(remoteConfigPath(), data, 0o644)
 }
 var remoteCmd = &cobra.Command{
 	Use:   "remote",
 	Short: "Manage default remote server",
 }
 var remoteSetCmd = &cobra.Command{
 	Use:   "set <addr>",
 	Short: "Set the default remote address",
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		cfg := &remoteConfig{
 			Addr:  args[0],
 			TLS:   tlsFlag,
 			TLSCA: tlsCAFlag,
 		}
 		if err := saveRemoteConfig(cfg); err != nil {
 			return err
 		}
 		fmt.Printf("Remote set: %s", cfg.Addr)
 		if cfg.TLS {
 			fmt.Print(" (TLS")
 			if cfg.TLSCA != "" {
 				fmt.Printf(", CA: %s", cfg.TLSCA)
 			}
 			fmt.Print(")")
 		}
 		fmt.Println()
 		return nil
 	},
 }
 var remoteShowCmd = &cobra.Command{
 	Use:   "show",
 	Short: "Show the configured remote",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		cfg, err := loadRemoteConfig()
 		if err != nil {
 			if os.IsNotExist(err) {
 				fmt.Println("No remote configured.")
 				return nil
 			}
 			return err
 		}
 		fmt.Printf("addr:   %s\n", cfg.Addr)
 		fmt.Printf("tls:    %v\n", cfg.TLS)
 		if cfg.TLSCA != "" {
 			fmt.Printf("tls-ca: %s\n", cfg.TLSCA)
 		}
 		return nil
 	},
 }
 func init() {
 	remoteCmd.AddCommand(remoteSetCmd, remoteShowCmd)
 	rootCmd.AddCommand(remoteCmd)
 }
--- a/deploy/docker/Dockerfile
+++ b/deploy/docker/Dockerfile
@@ -0,0 +1,30 @@
 # Build stage
 FROM golang:1.25-alpine AS builder
 WORKDIR /build
 COPY go.mod go.sum ./
 RUN go mod download
 COPY . .
 ARG VERSION=dev
 RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /sgardd ./cmd/sgardd
 # Runtime stage
 FROM alpine:3.21
 RUN apk add --no-cache ca-certificates tzdata \
    && adduser -D -h /srv/sgard sgard
 COPY --from=builder /sgardd /usr/local/bin/sgardd
 VOLUME /srv/sgard
 EXPOSE 9473
 USER sgard
 ENTRYPOINT ["sgardd", \
    "--repo", "/srv/sgard", \
    "--authorized-keys", "/srv/sgard/authorized_keys", \
    "--tls-cert", "/srv/sgard/certs/sgard.pem", \
    "--tls-key", "/srv/sgard/certs/sgard.key"]
--- a/deploy/docker/docker-compose-rift.yml
+++ b/deploy/docker/docker-compose-rift.yml
@@ -0,0 +1,16 @@
 services:
  sgardd:
    image: localhost/sgardd:latest
    container_name: sgardd
    restart: unless-stopped
    user: "0:0"
    ports:
      - "127.0.0.1:19473:9473"
    volumes:
      - /srv/sgard:/srv/sgard
    healthcheck:
      test: ["CMD", "true"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
--- a/flake.nix
+++ b/flake.nix
@@ -11,17 +11,20 @@
      let
        pkgs = import nixpkgs { inherit system; };
      in
      let
        version = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./VERSION);
      in
      {
        packages = {
-          sgard = pkgs.buildGoModule {
+          sgard = pkgs.buildGoModule rec {
            pname = "sgard";
-            version = "2.1.0";
+            inherit version;
            src = pkgs.lib.cleanSource ./.;
            subPackages = [ "cmd/sgard" "cmd/sgardd" ];
-            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+            vendorHash = "sha256-Z/Ja4j7YesNYefQQcWWRG2v8WuIL+UNqPGwYD5AipZY=";
-            ldflags = [ "-s" "-w" ];
+            ldflags = [ "-s" "-w" "-X main.version=${version}" ];
            meta = {
              description = "Shimmering Clarity Gardener: dotfile management";
@@ -29,19 +32,19 @@
            };
          };
-          sgard-fido2 = pkgs.buildGoModule {
+          sgard-fido2 = pkgs.buildGoModule rec {
            pname = "sgard-fido2";
-            version = "2.1.0";
+            inherit version;
            src = pkgs.lib.cleanSource ./.;
            subPackages = [ "cmd/sgard" "cmd/sgardd" ];
-            vendorHash = "sha256-LSz15iFsP4N3Cif1PFHEKg3udeqH/9WQQbZ50sxtWTk=";
+            vendorHash = "sha256-Z/Ja4j7YesNYefQQcWWRG2v8WuIL+UNqPGwYD5AipZY=";
            buildInputs = [ pkgs.libfido2 ];
            nativeBuildInputs = [ pkgs.pkg-config ];
            tags = [ "fido2" ];
-            ldflags = [ "-s" "-w" ];
+            ldflags = [ "-s" "-w" "-X main.version=${version}" ];
            meta = {
              description = "Shimmering Clarity Gardener: dotfile management (with FIDO2 hardware support)";
--- a/go.mod
+++ b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/keys-pub/go-libfido2 v1.5.3
 	github.com/spf13/cobra v1.10.2
 	golang.org/x/crypto v0.49.0
 	golang.org/x/term v0.41.0
 	google.golang.org/grpc v1.79.3
 	google.golang.org/protobuf v1.36.11
 	gopkg.in/yaml.v3 v3.0.1
Author	SHA1	Message	Date
Kyle Isom	b9b9082008	Bump VERSION to 3.1.7. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 11:57:26 -07:00
Kyle Isom	bd54491c1d	Pull auto-inits repo, restores files, and add -r global shorthand. pull now works on a fresh machine: inits ~/.sgard if missing, always pulls when local manifest is empty, and restores all files after downloading blobs. -r is now a global shorthand for --remote; list uses resolveRemoteConfig() like prune. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 11:57:16 -07:00
Kyle Isom	57d252cee4	Bump VERSION to 3.1.6. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 11:27:17 -07:00
Kyle Isom	78030230c5	Update docs for VERSION file and build versioning. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 11:27:12 -07:00
Kyle Isom	adfb087037	Derive build version from git tags via VERSION file. flake.nix reads from VERSION instead of hardcoding; Makefile gains a version target that syncs VERSION from the latest git tag and injects it into go build ldflags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 11:26:16 -07:00
Kyle Isom	5570f82eb4	Add version in flake.	2026-03-26 11:14:28 -07:00
Kyle Isom	bffe7bde12	Add remote listing support to sgard list via -r flag. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-26 09:22:59 -07:00
Kyle Isom	3e0aabef4a	Suppress passphrase echo in terminal prompts. Use golang.org/x/term.ReadPassword so passphrases are not displayed while typing, matching ssh behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 21:49:56 -07:00
Kyle Isom	4ec71eae00	Deploy sgardd to rift and add persistent remote config. Deployment: Dockerfile + docker-compose for sgardd on rift behind mc-proxy (L4 SNI passthrough on :9443, multiplexed with metacrypt gRPC). TLS via Metacrypt-issued cert, SSH-key auth. CLI: `sgard remote set/show` saves addr, TLS, and CA path to <repo>/remote.yaml so push/pull work without flags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-25 21:23:21 -07:00