Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
76e9c10
docs: add data model expansion design
danpasecinic Jan 28, 2026
019c189
docs: add Phase 1 implementation plan for core data model
danpasecinic Jan 28, 2026
0db4613
feat(core): add UUID type for item identifiers
danpasecinic Jan 28, 2026
2661afb
feat(core): add Item type with enums and base structures
danpasecinic Jan 28, 2026
36f7090
feat(core): implement full LoginData with URIs, TOTP, and passkeys
danpasecinic Jan 28, 2026
cdb46c6
feat(core): implement CardData with brand and secure field handling
danpasecinic Jan 28, 2026
8c25fa2
feat(core): implement IdentityData with address and sensitive field h…
danpasecinic Jan 28, 2026
cb15b5e
feat(core): implement SshKeyData, ApiCredentialData, DatabaseData, Wi…
danpasecinic Jan 28, 2026
f884002
feat(core): add item factory functions for login, secure note, and card
danpasecinic Jan 28, 2026
9f033f8
feat(core): add serializer v2 with serialize functions for all item t…
danpasecinic Jan 28, 2026
72174b1
feat(core): replace Entry-based serializer with Item-based serializer
danpasecinic Jan 28, 2026
e593664
feat(core): update Vault and CLI commands to use Item-based data model
danpasecinic Jan 28, 2026
a80e4e0
refactor(core): remove old Entry module
danpasecinic Jan 28, 2026
1f7b4a9
docs: update help text to use 'items' instead of 'entries'
danpasecinic Jan 28, 2026
2de5d3a
fix(core): add memory safety to deserialization and bump vault version
danpasecinic Jan 28, 2026
bedff6d
refactor(core): rename items field to item_list for clarity
danpasecinic Jan 28, 2026
3c141e1
refactor(memory): add helper functions for secure/optional free
danpasecinic Jan 28, 2026
f586fee
docs: mark Phase 1 as completed with summary
danpasecinic Jan 28, 2026
335cd16
docs: update README with accurate commands and cleaner format
danpasecinic Jan 28, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 30 additions & 74 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,117 +1,73 @@
# zault

A secure credential manager written in Zig. Passwords, TOTP, and Passkeys.

## Features

- **Passwords** - Encrypted vault with Argon2id + XChaCha20-Poly1305
- **TOTP** - Time-based one-time passwords (2FA)
- **Passkeys** - WebAuthn/FIDO2 software authenticator
- **Clipboard** - Auto-clearing clipboard integration
- **TUI** - Full terminal UI with fuzzy search
- **Browser** - Native messaging for passkey authentication
A command-line credential manager written in Zig.

## Installation

### From source

```bash
zig build -Doptimize=ReleaseSafe
```

The binary will be in `zig-out/bin/zault`.

### Requirements

- Zig 0.13.0 or later
Binary will be at `zig-out/bin/zault`. Requires Zig 0.15+.

## Quick Start
## Usage

```bash
# Initialize a new vault
# Create a vault
zault init

# Add a password
# Add credentials
zault add github.com -u myuser

# Get a password (copies to clipboard)
# Retrieve (copies to clipboard)
zault get github.com

# Add TOTP secret
zault totp add github.com
# List all items
zault list

# Get current TOTP code
# TOTP
zault totp add github.com
zault totp github.com

# Generate a secure password
# Generate password
zault generate

# Launch TUI
zault
```

## Commands

| Command | Description |
|---------|-------------|
| `init` | Create a new vault |
| `add <name>` | Add a new credential |
| `get <name>` | Retrieve and copy credential |
| `list` | List all entries |
| `delete <name>` | Remove an entry |
| `generate` | Generate a secure password |
| `add <name>` | Add a credential |
| `get <name>` | Retrieve and copy to clipboard |
| `list` | List all items |
| `delete <name>` | Remove an item |
| `generate` | Generate a password |
| `totp add <name>` | Add TOTP secret |
| `totp <name>` | Get current TOTP code |
| `passkey list` | List stored passkeys |
| `lock` | Lock the vault |
| `export` | Export vault (encrypted) |
| `import` | Import credentials |
| `totp <name>` | Get TOTP code |
| `totp list` | List items with TOTP |
| `passkey list` | List passkeys |
| `passkey show <name>` | Show passkey details |
| `unlock` | Unlock vault (start agent) |
| `lock` | Lock vault (stop agent) |

## Security

### Cryptographic Primitives

| Purpose | Algorithm |
|---------|-----------|
| Key Derivation | Argon2id |
| Encryption | XChaCha20-Poly1305 |
| TOTP | HMAC-SHA1/SHA256/SHA512 |
| Passkeys | Ed25519 / ECDSA P-256 |
- **Key Derivation:** Argon2id
- **Encryption:** XChaCha20-Poly1305
- **TOTP:** HMAC-SHA1/SHA256/SHA512

### Memory Security
Sensitive data uses locked memory (`mlock`) and is zeroed before deallocation.

- Sensitive data is allocated in locked memory (`mlock`)
- All secrets are zeroed before deallocation
- No garbage collector - deterministic memory management

### Vault Format

The vault is stored as an encrypted binary file at `~/.config/zault/vault.zault`.

See [SECURITY.md](docs/SECURITY.md) for detailed security information.
Vault stored at `~/.local/share/zault/vault.zault`.

## Development

```bash
# Build
zig build

# Run tests
zig build test

# Run with arguments
zig build run -- --help

# Generate docs
zig build docs
zig build # build
zig build test # run tests
```

## License

MIT License - see [LICENSE](LICENSE) for details.

## Acknowledgments

- [libsodium](https://libsodium.org/) - Cryptographic library
- [zig-clap](https://github.com/Hejsil/zig-clap) - CLI argument parsing
- [libvaxis](https://github.com/rockorager/libvaxis) - TUI framework
MIT
Loading