feat: Allow owner to destroy a vault

davidolrik · davidolrik · commit bb85c9be4064 · 2026-03-16T11:00:06.000+01:00
diff --git a/README.md b/README.md
@@ -178,6 +178,7 @@ Use colon syntax to target a vault: `vault:path`.
 | `vault accept <name> <token>`   | Accept a vault invitation                             |
 | `vault promote <name> <user>`   | Promote a member to admin (admin/owner)               |
 | `vault members <name>`          | List vault members and roles                          |
+| `vault destroy <name>`          | Permanently destroy a vault (owner only)              |
 
 #### Administration
 
diff --git a/docs/guide/vaults.md b/docs/guide/vaults.md
@@ -47,6 +47,14 @@ Promotes a `member` to `admin`.
 ssh -A alice@keys.example.com vault members team
 ```
 
+## Destroying a vault
+
+```sh
+ssh -A alice@keys.example.com vault destroy team
+```
+
+This permanently deletes the vault and all its secrets. Only the vault owner can destroy a vault. You will be prompted to type the vault name to confirm — this action cannot be undone.
+
 ## Vault secrets
 
 Use colon syntax to target a vault — `vault:path`:
diff --git a/docs/reference/commands.md b/docs/reference/commands.md
@@ -33,6 +33,7 @@ Use colon syntax to target a vault: `vault:path`.
 | `vault accept <name> <token>`   | Accept a vault invitation               |
 | `vault promote <name> <user>`   | Promote a member to admin (admin/owner) |
 | `vault members <name>`          | List vault members and roles            |
+| `vault destroy <name>`          | Permanently destroy a vault (owner only)|
 
 ## Administration
 
diff --git a/internal/command/command.go b/internal/command/command.go
@@ -22,6 +22,7 @@ const (
 	OpVaultPromote
 	OpVaultMembers
 	OpVaultList
+	OpVaultDestroy
 	OpMove
 )
 
@@ -52,6 +53,8 @@ func (op Op) String() string {
 		return "vault members"
 	case OpVaultList:
 		return "vault list"
+	case OpVaultDestroy:
+		return "vault destroy"
 	case OpMove:
 		return "move"
 	default:
@@ -209,7 +212,7 @@ func parseListArg(arg string) (Command, error) {
 // parseVaultSubcommand parses "vault <subcommand> ..." args.
 func parseVaultSubcommand(args []string) (Command, error) {
 	if len(args) == 0 {
-		return Command{}, fmt.Errorf("vault requires a subcommand: create, invite, accept, promote, members, list")
+		return Command{}, fmt.Errorf("vault requires a subcommand: create, invite, accept, promote, members, list, destroy")
 	}
 
 	sub := args[0]
@@ -252,6 +255,12 @@ func parseVaultSubcommand(args []string) (Command, error) {
 		}
 		return Command{Op: OpVaultList}, nil
 
+	case "destroy":
+		if len(subArgs) != 1 {
+			return Command{}, fmt.Errorf("vault destroy requires exactly one name argument")
+		}
+		return Command{Op: OpVaultDestroy, Vault: subArgs[0]}, nil
+
 	default:
 		return Command{}, fmt.Errorf("unknown vault subcommand %q", sub)
 	}
diff --git a/internal/command/handler.go b/internal/command/handler.go
@@ -90,6 +90,8 @@ func (h *Handler) Handle(sess ssh.Session, username string, pubKey gossh.PublicK
 		return h.handleVaultMembers(sess, username, cmd.Vault)
 	case OpVaultList:
 		return h.handleVaultListAll(sess, username)
+	case OpVaultDestroy:
+		return h.handleVaultDestroy(sess, username, cmd.Vault)
 	case OpMove:
 		return h.handleMove(sess, username, pubKey, cmd)
 	case OpHelp:
@@ -415,6 +417,33 @@ func (h *Handler) handleVaultListAll(sess ssh.Session, username string) error {
 	return nil
 }
 
+func (h *Handler) handleVaultDestroy(sess ssh.Session, username, vaultName string) error {
+	if vaultName == "personal" {
+		return fmt.Errorf("cannot destroy the personal vault")
+	}
+
+	fmt.Fprintf(sess, "WARNING: This will permanently destroy vault %q and all its secrets.\n", vaultName)
+	fmt.Fprintln(sess, "This action cannot be undone.")
+	fmt.Fprintf(sess, "\nType the vault name to confirm: ")
+
+	confirmation, err := readLine(sess)
+	if err != nil {
+		return fmt.Errorf("read confirmation: %w", err)
+	}
+
+	if strings.TrimSpace(string(confirmation)) != vaultName {
+		fmt.Fprintln(sess, "Destroy cancelled.")
+		return nil
+	}
+
+	if err := h.vaultMgr.Destroy(vaultName, username); err != nil {
+		return fmt.Errorf("destroy vault: %w", err)
+	}
+
+	fmt.Fprintf(sess, "Vault %q destroyed.\n", vaultName)
+	return nil
+}
+
 func (h *Handler) handleMove(sess ssh.Session, username string, pubKey gossh.PublicKey, cmd Command) error {
 	ag, cleanup, err := requireAgent(sess)
 	if err != nil {
@@ -674,6 +703,7 @@ func helpText(color bool, version string) string {
 		cmd2("vault accept", yellow+"<name> <token>"+reset, "Accept vault invite") +
 		cmd2("vault promote", yellow+"<name> <user>"+reset, "Promote member to admin") +
 		cmd2("vault members", yellow+"<name>"+reset, "List vault members") +
+		cmd2("vault destroy", yellow+"<name>"+reset, "Permanently destroy a vault "+dim+"[owner]"+reset) +
 		cmd2("vault list", "", "List your vaults") +
 		"\n" +
 		bold + "NOTES\n" + reset +
diff --git a/internal/server/server_test.go b/internal/server/server_test.go
@@ -1082,14 +1082,104 @@ func TestHelpIncludesVersion(t *testing.T) {
 	}
 }
 
+func TestVaultDestroyByOwner(t *testing.T) {
+	addr, alice, _ := testServerSetupMultiUser(t)
+
+	// Create vault and set a secret
+	sshRun(t, addr, alice.cfg, alice.ag, "vault create doomed")
+	sshRunWithStdin(t, addr, alice.cfg, alice.ag, "set doomed:secret/key", "value")
+
+	// Destroy the vault — type vault name to confirm
+	out, err := sshRunWithStdin(t, addr, alice.cfg, alice.ag, "vault destroy doomed", "doomed\n")
+	if err != nil {
+		t.Fatalf("vault destroy: %v (output: %q)", err, out)
+	}
+	if !strings.Contains(out, "destroyed") {
+		t.Errorf("vault destroy output = %q, expected 'destroyed'", out)
+	}
+
+	// vault list should no longer include "doomed"
+	listOut, err := sshRun(t, addr, alice.cfg, alice.ag, "vault list")
+	if err != nil {
+		t.Fatalf("vault list: %v", err)
+	}
+	if strings.Contains(listOut, "doomed") {
+		t.Errorf("vault list still contains 'doomed' after destroy: %q", listOut)
+	}
+
+	// get on the vault secret should fail
+	_, err = sshRun(t, addr, alice.cfg, alice.ag, "get doomed:secret/key")
+	if err == nil {
+		t.Error("expected error getting secret from destroyed vault")
+	}
+}
+
+func TestVaultDestroyNonOwnerFails(t *testing.T) {
+	addr, alice, bob := testServerSetupMultiUser(t)
+
+	// Alice creates vault and invites Bob
+	sshRun(t, addr, alice.cfg, alice.ag, "vault create protected")
+	tokenOut, _ := sshRun(t, addr, alice.cfg, alice.ag, "vault invite protected bob")
+	token := strings.TrimSpace(tokenOut)
+	sshRun(t, addr, bob.cfg, bob.ag, "vault accept protected "+token)
+
+	// Bob (member) attempts destroy — should fail
+	_, err := sshRunWithStdin(t, addr, bob.cfg, bob.ag, "vault destroy protected", "protected\n")
+	if err == nil {
+		t.Error("expected error when non-owner tries to destroy vault")
+	}
+
+	// Vault should still exist
+	listOut, err := sshRun(t, addr, alice.cfg, alice.ag, "vault list")
+	if err != nil {
+		t.Fatalf("vault list: %v", err)
+	}
+	if !strings.Contains(listOut, "protected") {
+		t.Errorf("vault list missing 'protected' after failed destroy: %q", listOut)
+	}
+}
+
+func TestVaultDestroyCancelledOnMismatch(t *testing.T) {
+	addr, alice, _ := testServerSetupMultiUser(t)
+
+	sshRun(t, addr, alice.cfg, alice.ag, "vault create keepsafe")
+
+	// Send wrong name at confirmation
+	out, err := sshRunWithStdin(t, addr, alice.cfg, alice.ag, "vault destroy keepsafe", "wrong-name\n")
+	if err != nil {
+		t.Fatalf("vault destroy (mismatch): %v (output: %q)", err, out)
+	}
+	if !strings.Contains(out, "cancelled") {
+		t.Errorf("vault destroy mismatch output = %q, expected 'cancelled'", out)
+	}
+
+	// Vault should still exist
+	listOut, err := sshRun(t, addr, alice.cfg, alice.ag, "vault list")
+	if err != nil {
+		t.Fatalf("vault list: %v", err)
+	}
+	if !strings.Contains(listOut, "keepsafe") {
+		t.Errorf("vault list missing 'keepsafe' after cancelled destroy: %q", listOut)
+	}
+}
+
+func TestVaultDestroyPersonalRejected(t *testing.T) {
+	addr, alice := testServerSetup(t)
+
+	_, err := sshRunWithStdin(t, addr, alice.cfg, alice.ag, "vault destroy personal", "personal\n")
+	if err == nil {
+		t.Error("expected error when trying to destroy personal vault")
+	}
+}
+
 func TestHelpIncludesVaultCommands(t *testing.T) {
 	addr, alice := testServerSetup(t)
 
 	out, err := sshRun(t, addr, alice.cfg, alice.ag, "help")
 	if err != nil {
 		t.Fatalf("help: %v", err)
 	}
-	for _, want := range []string{"vault create", "vault invite", "vault accept", "vault promote", "vault members", "vault list", "move"} {
+	for _, want := range []string{"vault create", "vault invite", "vault accept", "vault promote", "vault members", "vault destroy", "vault list", "move"} {
 		if !strings.Contains(out, want) {
 			t.Errorf("help output missing %q", want)
 		}
diff --git a/internal/storage/vault_store.go b/internal/storage/vault_store.go
@@ -204,6 +204,11 @@ func (s *FileStore) ListVaults() ([]string, error) {
 	return vaults, nil
 }
 
+// DeleteVault removes an entire vault directory and all its contents.
+func (s *FileStore) DeleteVault(vault string) error {
+	return os.RemoveAll(s.vaultDir(vault))
+}
+
 func (s *FileStore) vaultDir(vault string) string {
 	return filepath.Join(s.dataDir, "vaults", vault)
 }
diff --git a/internal/vault/vault.go b/internal/vault/vault.go
@@ -290,6 +290,22 @@ func (m *Manager) Promote(name, promoter, targetUser string) error {
 	return m.store.WriteVaultMembers(name, membersJSON)
 }
 
+// Destroy permanently deletes a vault. Only the vault owner can do this.
+func (m *Manager) Destroy(name, username string) error {
+	data, err := m.store.ReadVaultMeta(name)
+	if err != nil {
+		return fmt.Errorf("read vault meta: %w", err)
+	}
+	var meta vaultMeta
+	if err := json.Unmarshal(data, &meta); err != nil {
+		return fmt.Errorf("unmarshal meta: %w", err)
+	}
+	if meta.Owner != username {
+		return fmt.Errorf("only the vault owner can destroy a vault")
+	}
+	return m.store.DeleteVault(name)
+}
+
 // deriveTokenKey derives an AES-256 key from an invite token using HKDF-SHA256.
 func deriveTokenKey(tokenBytes []byte) []byte {
 	reader := hkdf.New(sha256.New, tokenBytes, nil, []byte("keyhole-vault-invite-v1"))

Original file line number	Diff line number	Diff line change
`@@ -204,6 +204,11 @@ func (s *FileStore) ListVaults() ([]string, error) {`
`204`	`204`	`return vaults, nil`
`205`	`205`	`}`
`206`	`206`
	`207`	`+// DeleteVault removes an entire vault directory and all its contents.`
	`208`	`+func (s *FileStore) DeleteVault(vault string) error {`
	`209`	`+ return os.RemoveAll(s.vaultDir(vault))`
	`210`	`+}`
	`211`	`+`
`207`	`212`	`func (s *FileStore) vaultDir(vault string) string {`
`208`	`213`	`return filepath.Join(s.dataDir, "vaults", vault)`
`209`	`214`	`}`