diff --git a/docs/AUTOUNLOCK.md b/docs/AUTOUNLOCK.md index 6e0bd1b..1c0552f 100644 --- a/docs/AUTOUNLOCK.md +++ b/docs/AUTOUNLOCK.md @@ -35,11 +35,14 @@ the autounlock pass runs: 1. Read the passphrase from the configured source. Failure to read (missing file, no permission) is fatal at boot. -2. Enumerate every row in the `Key` Prisma table where - `deletedAt IS NULL`. -3. For each row, call `unlockKey(keyName, passphrase)`. `unlockKey` - is idempotent post-#16: if the key was already unlocked by a - prior pass, it's a no-op. +2. Enumerate the encrypted-at-rest entries in `nsecbunker.json`'s + `keys` map — entries carrying the `{iv, data}` shape from + `create_new_key`. Plain-key entries (`{key: ...}` shape from + `create_account`) are already loaded by the existing + `startKeys()` passes and are skipped here for log clarity. +3. For each candidate, call `unlockKey(keyName, passphrase)`. + `unlockKey` is idempotent post-#16: if the key was already + unlocked by a prior pass, it's a no-op. 4. Log per-key INFO on success, WARN on `unlockKey → false` (typically: wrong passphrase, possibly the key was created under a historical passphrase that differs from the current one), ERROR on diff --git a/src/daemon/run.ts b/src/daemon/run.ts index 7945867..743606d 100644 --- a/src/daemon/run.ts +++ b/src/daemon/run.ts @@ -278,32 +278,52 @@ class Daemon { source = `NSEC_BUNKER_AUTOUNLOCK_PASSPHRASE_FILE=${filePath}`; } - const keys = await prisma.key.findMany({ where: { deletedAt: null } }); + // Enumerate encrypted-at-rest keys from `config.allKeys`. The + // Prisma `Key` table is only populated by the NIP-05 `create_account` + // path (which stores keys plain-at-rest in nsecbunker.json); + // `create_new_key` provisions keys with the `{iv, data}` encrypted + // shape directly into the JSON blob without a Prisma row. So the + // canonical "what's encrypted at rest" source is `allKeys` filtered + // to entries carrying `iv`+`data` — that's the set of keys for + // which the manual `unlock_key` admin RPC was previously required + // per restart, and exactly the set we want to autounlock here. + // + // Plain-key entries (`{key: "..."}` shape, populated by `create_account`) + // were already loaded by the second loop in `startKeys` above and + // appear in `activeKeys` — `unlockKey`'s idempotency guard makes + // re-calling them safe but unnecessary, so we filter them out for + // log clarity. + const candidates = Object.entries(this.config.allKeys || {}) + .filter(([, entry]) => + entry && typeof entry === 'object' && 'iv' in entry && 'data' in entry + ) + .map(([keyName]) => keyName); + const start = Date.now(); let success = 0; - for (const key of keys) { + for (const keyName of candidates) { try { - const ok = await this.unlockKey(key.keyName, passphrase); + const ok = await this.unlockKey(keyName, passphrase); if (ok) { - console.log(`🔓 autounlock: unlocked ${key.keyName}`); + console.log(`🔓 autounlock: unlocked ${keyName}`); success++; } else { console.warn( - `⚠️ autounlock: unlockKey returned false for ${key.keyName} ` + + `⚠️ autounlock: unlockKey returned false for ${keyName} ` + `(likely wrong passphrase — encrypted under a different secret?)` ); } } catch (e: any) { console.error( - `❌ autounlock: ${key.keyName} failed: ${e?.message ?? e}` + `❌ autounlock: ${keyName} failed: ${e?.message ?? e}` ); } } const elapsed = Date.now() - start; console.log( - `🔓 autounlock: enabled (source=${source}), unlocked ${success}/${keys.length} keys in ${elapsed}ms` + `🔓 autounlock: enabled (source=${source}), unlocked ${success}/${candidates.length} keys in ${elapsed}ms` ); }