Skip to content

ROADMAP.md

Latest commit

 

History

History
346 lines (213 loc) · 8.18 KB

ROADMAP.md

File metadata and controls

346 lines (213 loc) · 8.18 KB

OmniVault Roadmap

This roadmap documents planned and completed features for this project.

The format is based on and generated by Structured Roadmap, which provides a machine-readable JSON intermediate representation with deterministic Markdown generation.

Overview

Item Status Priority Area
AES-256-GCM encryption with Argon2id key derivation High Security
Built-in providers (env, file, memory) High Providers
CLI entrypoint High CLI
Core vault.Vault interface High Core Library
Daemon control commands High CLI
Encrypted file store implementing vault.Vault High Security
External provider module architecture High Providers
HTTP server over Unix socket High Daemon
IPC protocol definitions High Daemon
Lock/unlock session management High Daemon
Master password protection High Security
Platform-specific paths (~/.omnivault/) High Daemon
Secret commands (get, set, list, delete) High CLI
URI-based resolver High Core Library
Unix socket client High Client
Vault commands (init, lock, unlock, status) High CLI
Configurable auto-lock timeout Medium Security
omnivault-aws provider module Medium Providers
omnivault-keyring provider module Medium Providers
Secret list UI 📋 High UI
Swift Unix socket client 📋 High UI
Swift models for secret info and vault status 📋 High UI
Swift state management 📋 High UI
Add/edit secret UI 📋 Medium UI
Automatic daemon startup on first use 📋 Medium Client
Lock/unlock UI 📋 Medium UI
Connection pooling 📋 Low Client

Overview ↑ Top

OmniVault is a unified Go library for secret management. This roadmap covers the evolution from a library to a complete local secret management solution with daemon and CLI.

Core Library ↑ Top

[x] Core vault.Vault interface

Version: v0.1.0

[x] URI-based resolver

Version: v0.1.0

Providers ↑ Top

[x] Built-in providers (env, file, memory)

Version: v0.1.0

[x] External provider module architecture

Version: v0.1.0

[x] omnivault-aws provider module

Version: v0.1.0

[x] omnivault-keyring provider module

Version: v0.1.0

Security ↑ Top

[x] AES-256-GCM encryption with Argon2id key derivation

internal/store/crypto.go

Version: v0.2.0

[x] Encrypted file store implementing vault.Vault

internal/store/encrypted.go

Version: v0.2.0

[x] Master password protection

Version: v0.2.0

[x] Configurable auto-lock timeout

Version: v0.2.0

Daemon ↑ Top

[x] HTTP server over Unix socket

internal/daemon/server.go

Version: v0.2.0

[x] IPC protocol definitions

internal/daemon/protocol.go

Version: v0.2.0

[x] Lock/unlock session management

Version: v0.2.0

[x] Platform-specific paths (~/.omnivault/)

internal/config/paths.go

Version: v0.2.0

CLI ↑ Top

[x] CLI entrypoint

cmd/omnivault/main.go

Version: v0.2.0

[x] Daemon control commands

cmd/omnivault/daemon.go

Version: v0.2.0

[x] Secret commands (get, set, list, delete)

cmd/omnivault/secrets.go

Version: v0.2.0

[x] Vault commands (init, lock, unlock, status)

cmd/omnivault/init.go

Version: v0.2.0

Client ↑ Top

[x] Unix socket client

internal/client/client.go

Version: v0.2.0

[ ] Automatic daemon startup on first use

[ ] Connection pooling

UI ↑ Top

[ ] Secret list UI

VaultView.swift

[ ] Swift Unix socket client

VaultDaemonClient.swift

[ ] Swift models for secret info and vault status

VaultModels.swift

[ ] Swift state management

VaultManager.swift

[ ] Add/edit secret UI

[ ] Lock/unlock UI

Daemon API ↑ Top

Endpoint Method Description
/status GET Daemon status (running, locked, secret count)
/secrets GET List all secrets (metadata only)
/secret/:path GET Get secret value
/secret/:path PUT Set secret
/secret/:path DELETE Delete secret
/lock POST Lock the vault
/unlock POST Unlock with master password

Socket Path ↑ Top

Platform Path
macOS/Linux ~/.omnivault/omnivaultd.sock
Windows \\.\pipe\omnivault

CLI Commands ↑ Top

# Vault initialization
omnivault init                    # Initialize new vault with master password

# Secret operations
omnivault set <path> [value]      # Set secret (prompts if no value)
omnivault get <path>              # Get secret value
omnivault list [prefix]           # List secrets
omnivault delete <path>           # Delete secret

# Vault control
omnivault lock                    # Lock the vault
omnivault unlock                  # Unlock with master password
omnivault status                  # Show vault status

# Daemon control
omnivault daemon start            # Start daemon
omnivault daemon stop             # Stop daemon
omnivault daemon status           # Daemon status

Security Model ↑ Top

Encryption

  • Algorithm: AES-256-GCM (authenticated encryption)
  • Key Derivation: Argon2id (memory-hard, resistant to GPU attacks)
  • Salt: Random 32 bytes per vault
  • Nonce: Random 12 bytes per secret

Master Password

  • Never stored, only used to derive encryption key
  • Minimum 8 characters enforced
  • Session-based unlock with configurable timeout

Storage

  • Encrypted vault file: ~/.omnivault/vault.enc
  • Metadata stored separately: ~/.omnivault/vault.meta
  • No plaintext secrets on disk

Data Format ↑ Top

Vault File Structure

~/.omnivault/
├── vault.enc           # Encrypted secrets (AES-256-GCM)
├── vault.meta          # Unencrypted metadata (salt, created date)
├── omnivaultd.sock     # Unix socket (runtime)
└── omnivaultd.pid      # Daemon PID file (runtime)

Secret Metadata (in vault.meta)

{
  "version": 1,
  "created_at": "2024-01-01T00:00:00Z",
  "salt": "base64-encoded-salt",
  "argon2_params": {
    "time": 3,
    "memory": 65536,
    "threads": 4
  }
}

Version History ↑ Top

Version Date Status Summary
v0.2.0 2026-01-10 CLI, daemon, encrypted store
v0.1.0 2025-01-01 Core library with providers