feat: release v0.9.0 - feature complete -m

Rakosn1cek · Rakosn1cek · commit 88e60e8f6179 · 2026-04-16T00:15:22.000+01:00
- Added symmetric GPG encryption for vault security
- Implemented extension-aware logic for .txt and .gpg files
- Hardened pre-flight checks to prevent accidental data leaks
- Updated documentation and README to reflect feature-complete status
- Finalised community-vault sync logic and fzf-widget integration
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.0] - 2026-04-16
+### Added
+- Vault Encryption. Symmetric GPG support for sensitive data.
+- New commands `xc lock` and `xc unlock` for vault security.
+- Security Gates. Global pre-flight checks to prevent accidental leaks of encrypted data.
+- Extension Awareness. The system now seamlessly handles both .txt and .gpg files.
+- Visual Feedback. Added warnings and status labels for locked vaults in the list view.
+
+### Changed
+- Refined fzf-vault-widget to respect vault lock states.
+- Hardened placeholder logic to prevent execution on empty inputs.
+- Improved `xc use` logic to handle switching between mixed-format vaults.
+
+---
+
 ## [0.8.0] - 2026-04-10
 ### Added
 - Raw Input Mode: Implemented `xc add --raw` to allow capturing complex commands via stdin. This prevents the shell from evaluating subshells or stripping quotes during the saving process.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 
-## XC Manager
-**Version: 0.8.0**
+## XC - command vault manager
+**Version: 0.9.0**
 
 [![Awesome Zsh Plugins](https://img.shields.io/badge/Awesome-Zsh%20Plugins-brightgreen)](https://github.com/unixorn/awesome-zsh-plugins)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -9,18 +9,23 @@
 
 ![XC-Manager TUI](https://github.com/Rakosn1cek/xc-manager/blob/main/preview-2.png)
 
-**XC manager in Action:**
+**XC in Action:**
 <p align="center">
   <video src="https://github.com/user-attachments/assets/d67640fb-4e9e-4d36-b7a1-d588a24ab9a6" width="700" controls muted autoplay loop>
     Your browser does not support the video tag.
   </video>
 </p>
 
-A high-performance, minimal dependency Zsh vault for managing complex commands.
+XC is a lightweight, Zsh-native vault manager for command execution. It’s for anyone who live in the CLI and need a fast, searchable, and now secure way to manage their most important one-liners. No bloat, no complex dependencies. Just your commands, vaulted.
 
-**Recent Fixes** [0.8.0]
-- **Raw Input Capture**: Added `xc add --raw` to handle complex commands. This bypasses shell evaluation, allowing you to save curl, jq, and nested subshells exactly as they are written without the shell stripping quotes or expanding variables.
-- **Community-Vaults**: Added a few more curated community-vaults. All vaults now have at least 50 usefull commands and strings.
+**Status:** Feature Complete [v0.9.0]
+XC command vault manager has officially reached its feature-complete milestone. All planned functionality, including template engines, global search, and GPG security, is now implemented and stable.
+
+**Recent Fixes & Updates** [0.9.0]
+- **Vault Security**: Integrated GPG symmetric encryption. Use `xc lock` and `xc unlock` to protect sensitive commands, API keys, and environment variables.
+- **Pre-flight Safety**: Added extension-aware logic to prevent accidental operations on encrypted vaults.
+- **Raw Input Capture**: Added `xc add --raw` to handle complex commands. This bypasses shell evaluation, allowing you to save `curl`, `jq`, and nested subshells exactly as they are written without the shell stripping quotes or expanding variables.
+- **Community Vaults**: Expanded the curated collection via `xc sync`. All community vaults now contain at least 50 useful commands and strings.
 
 ---
 
@@ -57,6 +62,21 @@ zstyle ':xc:*' fzf_colors "fg:7,hl:4,fg+:15,hl+:12,info:2,prompt:5,pointer:12"
 
 ---
 
+**Dependencies:**
+
+To ensure all features work as intended, make sure the following are installed:
+
+- **Zsh**: The core shell environment (version 5.8+ recommended).
+- **fzf**: Powering the fuzzy search and interactive selection.
+- **GnuPG**: Required for the `lock` and `unlock` encryption features.
+- **curl**: Necessary for synchronising community vaults via `xc sync`.
+
+**Arch Linux:**
+```zsh
+pacman -S zsh fzf gnupg curl
+```
+---
+
 **Community Sync:**
 Pull any curated, Arch Wiki-verified "Problem-Solution" vaults directly from the repository.
 
@@ -92,6 +112,7 @@ Pull any curated, Arch Wiki-verified "Problem-Solution" vaults directly from the
 - Proactive Saving: Run `xc` to save the command you just executed.
 - FZF Integration: Fuzzy search with live previews.
 - Distro Agnostic: Works on Arch, Fedora, Debian, and macOS.
+- Vault Security: Symmetric GPG encryption to protect sensitive commands and API keys.
 - Save commands with {{variables}} to create templates. XC prompts for input during execution.
 - Global Swap: Using the same name (e.g. cp {{file}} {{file}}.bak) prompts once and updates all instances.
 - Individual Control: Use unique names (e.g. mv {{old}} {{new}}) to prompt for each value separately.
@@ -112,6 +133,12 @@ Pull any curated, Arch Wiki-verified "Problem-Solution" vaults directly from the
 - Capture Raw Text: Run `xc add --raw` -> paste complex command -> Press Enter -> then `Ctrl+D` to enter descriptions -> Save
 - Check Version: Run `xc -v` 
 
+**Security & Encryption**
+- For vaults containing sensitive environment variables, API keys, or internal IPs, XC now supports symmetric encryption via GPG.
+- Lock a vault: `xc lock` encrypts the active vault and removes the plain text file.
+- Unlock a vault: `xc unlock` restores the vault to plain text for editing/searching.
+- Protection: XC will automatically block search and add operations if a vault is locked, preventing binary data corruption or accidental plain text writes.
+
 > *Note 1:
 Aliases are saved by default to ~/.zsh_aliases. If you prefer to save them directly into your main config file, add this to your .zshrc:
 `export XC_ALIAS_TARGET="$HOME/.zshrc"`
@@ -133,16 +160,22 @@ View Script: on GitHub [Show-Aliases Script](https://github.com/Rakosn1cek/dotfi
 
 [x] Dynamic Placeholders
 
-[ ] Encrypted Vaults (GPG/age support)
+[x] Encrypted Vaults (GPG/age support)
+
+**Long-term research**
 
 [ ] Cross-Shell Research (Bash/Fish wrappers)
 
+> **Note:** I have reached the original goals for this project and will not be personally pursuing cross-shell support. If you are interested in implementing Bash or Fish wrappers, contributions and PRs are welcome.
+
 **License**
 Distributed under the MIT License. See LICENSE for more information.
 
-⭐ Star XC-Manager on GitHub
-
 **Support & Feedback**
 - Bug Reports: If something isn't working, please open an [Issue](https://github.com/Rakosn1cek/XC-Manager/issues).
 - Feature Ideas: To discuss the roadmap or suggest a polish, head over to the[Discussions](https://github.com/Rakosn1cek/XC-Manager/discussions) tab.
 - Community Snippets: Have a complex one-liner you've vaulted? Share it in the "Show and Tell" discussion.
+
+If XC-Manager has made your CLI life easier, consider giving it a star on GitHub! It helps other developers find the tool.
+
+[⭐ Star XC on GitHub](https://github.com/Rakosn1cek/XC-Manager)
diff --git a/autoload/fzf-vault-widget b/autoload/fzf-vault-widget
@@ -1,9 +1,18 @@
 #!/usr/bin/env zsh
+
+# ==============================================================================
+# XC-Manager: A functional vault for command execution.
+# Copyright (c) 2026 Lukas Grumlik - (Rakosn1cek)
+# License: MIT
+# Part of the Awesome-Zsh-Plugins collection.
 # File: ~/arch-projects/XC-Manager/autoload/fzf-vault-widget
+# ==============================================================================
+
 
 # --- 1. User Configuration ---
 local alias_target="${XC_ALIAS_TARGET:-$HOME/.zsh_aliases}"
 local marker="# --- XC-Manager Aliases ---"
+autoload -U colors && colors
 
 # --- 2. Helper Function: The Alias Engine ---
 _xc_add_alias() {
@@ -39,9 +48,17 @@ local vault_dir="${XC_VAULT_DIR:-$HOME/.local/share/xc}"
 local state_file="$HOME/.cache/xc_active_vault"
 local active_name="main"
 [[ -f "$state_file" ]] && active_name=$(<"$state_file")
+
+# Check for both extensions
 local vault_file="$vault_dir/${active_name}.txt"
+[[ -f "$vault_dir/${active_name}.gpg" ]] && vault_file="$vault_dir/${active_name}.gpg"
 
-if [[ ! -f "$vault_file" ]]; then
+# If the file we found is a GPG file, show the locked warning
+if [[ "$vault_file" == *.gpg ]]; then
+    zle -M "Vault '$active_name' is locked. Run 'xc unlock' to use it."
+    return 1
+# If neither .txt nor .gpg exists
+elif [[ ! -f "$vault_file" ]]; then
     zle -M "Vault '$active_name' not found."
     return 1
 fi
diff --git a/autoload/xc b/autoload/xc
@@ -7,7 +7,7 @@
 # File: ~/arch-projects/XC-Manager/autoload/xc
 # ==============================================================================
 
-readonly XC_VERSION="0.8.0"
+readonly XC_VERSION="0.9.0"
 setopt EXTENDED_GLOB
 
 # ==============================================================================
@@ -22,6 +22,7 @@ local active_name="main"
 [[ -f "$state_file" ]] && active_name=$(<"$state_file")
 
 local vault_file="$vault_dir/${active_name}.txt"
+[[ -f "$vault_dir/${active_name}.gpg" ]] && vault_file="$vault_dir/${active_name}.gpg"
 
 # --- Placeholder Processor Helper ---
 __xc_fill_placeholders() {
@@ -57,14 +58,17 @@ A functional vault for command execution and alias management.
 Usage: xc <command> [arguments]
 
 Commands:
-  add        Vault a new command or one-liner.
-  add --raw  Paste raw text (use for curl, jq). Finish with Enter then Ctrl+D.
-  list       List of available vaults with current vault in use marked with *.
-  select     Open fzf to vault a command from your history.
-  clean      Interactively remove entries with a safety lock.
-  use        Switch between different vault files.
-  sync       Interactive "Package Manager" for community vaults.
-  alias      Promote a vaulted command to a permanent Zsh alias.
+  add               Vault a new command or one-liner.
+  add --raw         Paste raw text (use for curl, jq). Finish with Enter then Ctrl+D.
+  list              List of available vaults with current vault in use marked with *.
+  select            Open fzf to vault a command from your history.
+  clean             Interactively remove entries with a safety lock.
+  use               Switch between different vault files.
+  lock              Encrypt a vault currently in use with GPG (requires passphrase).
+  lock <vault-name> Encrypt any vault specified by the user.
+  unlock            Decrypt a locked vault back to plain text.
+  sync              Interactive "Package Manager" for community vaults.
+  alias             Promote a vaulted command to a permanent Zsh alias.
 
 Templating:
   Use {{var}} in your commands to create interactive prompts.
@@ -94,16 +98,65 @@ elif [[ "$1" == "init" ]]; then
 # List Available Vaults (Inventory Check)
 elif [[ "$1" == "list" ]]; then
     echo "Available Vaults in $vault_dir:"
-    for f in "$vault_dir"/*.txt(N); do
+    for f in "$vault_dir"/*.(txt|gpg)(N); do
         local v_name="${f:t:r}"
+        local v_ext="${f:e}"
+        local lock_label=""
+        [[ "$v_ext" == "gpg" ]] && lock_label=" [LOCKED]"
+
         if [[ "$v_name" == "$active_name" ]]; then
-            echo "  * $v_name (active)"
+            echo "  * $v_name (active)$lock_label"
         else
-            echo "    $v_name"
+            echo "    $v_name$lock_label"
         fi
     done
     return 0
 
+# --- Lock Vault (Symmetric Encryption) ---
+elif [[ "$1" == "lock" ]]; then
+    local target_name="${2:-$active_name}"
+    local target_file="$vault_dir/${target_name}.txt"
+    local encrypted_file="$vault_dir/${target_name}.gpg"
+
+    if [[ ! -f "$target_file" ]]; then
+        echo "Error: Vault '$target_name' not found or already encrypted."
+        return 1
+    fi
+
+    echo "Encrypting vault: $target_name"
+    # gpg --symmetric handles the passphrase prompt via pinentry
+    if gpg --symmetric --output "$encrypted_file" "$target_file"; then
+        rm "$target_file"
+        echo "Success: Vault '$target_name' is now locked (.gpg)."
+        echo "The original .txt file has been removed."
+    else
+        echo "Error: Encryption failed."
+        return 1
+    fi
+    return 0
+
+# --- Unlock Vault (Decryption) ---
+elif [[ "$1" == "unlock" ]]; then
+    local target_name="${2:-$active_name}"
+    local target_file="$vault_dir/${target_name}.txt"
+    local encrypted_file="$vault_dir/${target_name}.gpg"
+
+    if [[ ! -f "$encrypted_file" ]]; then
+        echo "Error: Encrypted vault '$target_name.gpg' not found."
+        return 1
+    fi
+
+    echo "Decrypting vault: $target_name"
+    if gpg --decrypt --output "$target_file" "$encrypted_file"; then
+        rm "$encrypted_file"
+        echo "Success: Vault '$target_name' is now unlocked (.txt)."
+        echo "The .gpg file has been removed."
+    else
+        echo "Error: Decryption failed. Incorrect passphrase or GPG error."
+        return 1
+    fi
+    return 0
+
 # Clean Vault
 elif [[ "$1" == "clean" ]]; then
     [[ ! -f "$vault_file" ]] && echo "Vault not found." && return 1
@@ -143,14 +196,20 @@ elif [[ "$1" == "use" ]]; then
     if [[ -z "$2" ]]; then
         echo "Active Vault: [${active_name}]"
         echo "Available Vaults:"
-        for f in "$vault_dir"/*.txt(N); do
+        for f in "$vault_dir"/*.(txt|gpg)(N); do
             local v_name="${f:t:r}"
-            [[ "$v_name" == "$active_name" ]] && echo "  * $v_name (active)" || echo "    $v_name"
+            local v_ext="${f:e}"
+            local lock_label=""
+            [[ "$v_ext" == "gpg" ]] && lock_label=" [LOCKED]"
+            [[ "$v_name" == "$active_name" ]] && echo "  * $v_name (active)$lock_label" || echo "    $v_name$lock_label"
         done
     else
         echo "$2" > "$state_file"
         echo "Switched to vault: $2"
-        [[ ! -f "$vault_dir/$2.txt" ]] && touch "$vault_dir/$2.txt"
+        # Check if either .txt OR .gpg exists. If neither, create a new .txt.
+        if [[ ! -f "$vault_dir/$2.txt" && ! -f "$vault_dir/$2.gpg" ]]; then
+            touch "$vault_dir/$2.txt"
+        fi
     fi
     return 0
 
@@ -244,7 +303,16 @@ fi
 # ==============================================================================
 # SECTION 3: PRE-FLIGHT CHECK
 # ==============================================================================
-if [[ ! -f "$vault_file" ]]; then
+# 1. Check if the vault is locked (extension is .gpg)
+if [[ "$vault_file" == *.gpg ]]; then
+    # If the command is empty (Ctrl+G) or not a management command, block it
+    if [[ -z "$1" || ( "$1" != "unlock" && "$1" != "use" && "$1" != "list" && "$1" != "lock" ) ]]; then
+        print -P "%F{yellow}Vault [${active_name}] is currently locked (.gpg).%f"
+        print -P "Run 'xc unlock' to access or add commands to this vault."
+        return 1
+    fi
+# 2. If it's not locked, check if the file actually exists
+elif [[ ! -f "$vault_file" ]]; then
     echo "Vault not found. Please run 'xc init' first."
     return 1
 fi
