Security: passphrase-wrap Graphex master key + gate human-only

Closes the Phase 3 deviation (docs/TODO.md P0). With
$GPP_GRAPHEX_PASSPHRASE set (or KeyStore::{generate,open}_with):
- master.age is scrypt-passphrase-wrapped at rest;
- the human-only tier key is sealed directly to the passphrase, so the
  master identity alone can no longer decrypt human-only content.
Legacy unwrapped stores are auto-detected and keep working unchanged;
agent-readable/agent-restricted stay master-sealed (unattended agent
reads still work). crypto::age_open dispatches on the age envelope
type; dead age_decrypt removed. gpp keys show/generate report the mode.

ROADMAP Phase 3 deviation marked resolved; docs/TODO.md item checked
off. Also includes the updated README + docs/TODO.md backlog.

126 workspace tests pass (+3 net: crypto/keys passphrase tests);
clippy + rustfmt clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mahabubul470

README.md

@@ -10,9 +10,22 @@ full specification (architecture, data model, CLI, protocols, roadmap), and
 
 ## Status
 
-**All 9 phases (0–8) complete.** See [`docs/ROADMAP.md`](docs/ROADMAP.md)
-for the per-phase deliverables and documented deviations. 123 workspace
-tests pass; `cargo clippy` / `cargo fmt` clean. No stub crates remain.
+**All 9 phases (0–8) implemented.** See [`docs/ROADMAP.md`](docs/ROADMAP.md)
+for the per-phase deliverables and documented deviations, and
+[`docs/TODO.md`](docs/TODO.md) for the prioritized backlog of what's next.
+
+Verified 2026-05-18: **123 workspace tests pass**, `cargo clippy` and
+`cargo fmt` clean, full workspace builds. No stub crates remain — every
+crate has a working implementation.
+
+The test suite is currently all in-crate unit tests (no `tests/`
+integration dirs yet) and its depth is **uneven**: foundational layers are
+well covered (`gpp-core` 23, `gpp-graphex` 17, `gpp-diff` 13, CLI 16),
+while several integration/UI crates have only smoke-level coverage
+(`gpp-sdk` 1; `gpp-notify`/`gpp-rbac`/`gpp-replay`/`gpp-tui` 2 each).
+"Implemented" here means *built and smoke-tested against its milestone*,
+not *exhaustively tested or hardened* everywhere. Closing that gap is the
+top item in [`docs/TODO.md`](docs/TODO.md).
 
 | Layer | Crate | What's implemented |
 |---|---|---|

crates/gpp-cli/src/phase3.rs

@@ -64,6 +64,19 @@ pub fn keys(args: &KeysArgs, repo_override: Option<&Path>) -> Result<()> {
                     .collect::<Vec<_>>()
                     .join(", ")
             );
+            if ks.passphrase_protected() {
+                println!(
+                    "  master key: passphrase-wrapped; human-only tier is \
+                     passphrase-gated (keep ${} safe — it cannot be recovered)",
+                    gpp_graphex::PASSPHRASE_ENV
+                );
+            } else {
+                println!(
+                    "  master key: stored unwrapped (set ${} before generate \
+                     to passphrase-protect at rest)",
+                    gpp_graphex::PASSPHRASE_ENV
+                );
+            }
             Ok(())
         }
         KeysAction::Rotate => {
@@ -76,18 +89,24 @@ pub fn keys(args: &KeysArgs, repo_override: Option<&Path>) -> Result<()> {
             if !KeyStore::exists(&gpp) {
                 bail!("no key store — run `gpp keys generate`");
             }
+            let protected = KeyStore::is_passphrase_protected(&gpp);
             let ks = KeyStore::open(&gpp)?;
             println!("master recipient: {}", ks.master_recipient());
+            println!(
+                "master key:       {}",
+                if protected {
+                    "passphrase-wrapped"
+                } else {
+                    "unwrapped (set $GPP_GRAPHEX_PASSPHRASE to protect)"
+                }
+            );
             for t in ks.present_tiers() {
-                println!(
-                    "  {:<18} {}",
-                    t.as_str(),
-                    if KeyStore::is_encrypted(t) {
-                        "encrypted (master-sealed)"
-                    } else {
-                        "plaintext"
-                    }
-                );
+                let how = match (t.as_str(), protected) {
+                    ("public", _) => "plaintext",
+                    ("human-only", true) => "encrypted (passphrase-gated)",
+                    _ => "encrypted (master-sealed)",
+                };
+                println!("  {:<18} {how}", t.as_str());
             }
             Ok(())
         }

crates/gpp-graphex/src/crypto.rs

@@ -89,28 +89,75 @@ pub fn age_encrypt(recipient: &str, data: &[u8]) -> Result<Vec<u8>> {
     Ok(out)
 }
 
-/// Decrypt `age` ciphertext with an X25519 identity string (`AGE-SECRET-KEY-…`).
-pub fn age_decrypt(identity: &str, data: &[u8]) -> Result<Vec<u8>> {
-    let id: age::x25519::Identity = identity
-        .parse()
-        .map_err(|e| Error::Crypto(format!("bad identity: {e}")))?;
-    let dec = match age::Decryptor::new(data).map_err(|e| Error::Crypto(format!("age: {e}")))? {
-        age::Decryptor::Recipients(d) => d,
-        _ => return Err(Error::Crypto("expected recipients envelope".into())),
-    };
+/// Encrypt `data` with a passphrase (age scrypt recipient).
+pub fn passphrase_encrypt(pass: &str, data: &[u8]) -> Result<Vec<u8>> {
+    let enc = age::Encryptor::with_user_passphrase(age::secrecy::Secret::new(pass.to_owned()));
     let mut out = Vec::new();
-    let mut r = dec
-        .decrypt(std::iter::once(&id as &dyn age::Identity))
-        .map_err(|e| Error::Crypto(format!("age decrypt: {e}")))?;
-    r.read_to_end(&mut out)
-        .map_err(|e| Error::Crypto(format!("age read: {e}")))?;
+    let mut w = enc
+        .wrap_output(&mut out)
+        .map_err(|e| Error::Crypto(format!("age wrap: {e}")))?;
+    w.write_all(data)
+        .map_err(|e| Error::Crypto(format!("age write: {e}")))?;
+    w.finish()
+        .map_err(|e| Error::Crypto(format!("age finish: {e}")))?;
+    Ok(out)
+}
+
+/// Open an `age` blob that may be sealed *either* to an X25519 identity
+/// (legacy / master-sealed) *or* to a passphrase (hardened). The envelope
+/// header selects the path, so callers don't need to know which was used.
+pub fn age_open(identity: Option<&str>, passphrase: Option<&str>, data: &[u8]) -> Result<Vec<u8>> {
+    let mut out = Vec::new();
+    match age::Decryptor::new(data).map_err(|e| Error::Crypto(format!("age: {e}")))? {
+        age::Decryptor::Recipients(d) => {
+            let id_str = identity.ok_or_else(|| {
+                Error::Crypto("recipients envelope but no identity available".into())
+            })?;
+            let id: age::x25519::Identity = id_str
+                .parse()
+                .map_err(|e| Error::Crypto(format!("bad identity: {e}")))?;
+            let mut r = d
+                .decrypt(std::iter::once(&id as &dyn age::Identity))
+                .map_err(|e| Error::Crypto(format!("age decrypt: {e}")))?;
+            r.read_to_end(&mut out)
+                .map_err(|e| Error::Crypto(format!("age read: {e}")))?;
+        }
+        age::Decryptor::Passphrase(d) => {
+            let pass = passphrase.ok_or(Error::Crypto("passphrase required".into()))?;
+            let mut r = d
+                .decrypt(&age::secrecy::Secret::new(pass.to_owned()), None)
+                .map_err(|e| Error::Crypto(format!("age passphrase decrypt: {e}")))?;
+            r.read_to_end(&mut out)
+                .map_err(|e| Error::Crypto(format!("age read: {e}")))?;
+        }
+    }
     Ok(out)
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
 
+    #[test]
+    fn passphrase_roundtrip_and_wrong_pass_fails() {
+        let ct = passphrase_encrypt("correct horse", b"master identity").unwrap();
+        assert_eq!(
+            age_open(None, Some("correct horse"), &ct).unwrap(),
+            b"master identity"
+        );
+        assert!(age_open(None, Some("wrong"), &ct).is_err());
+        assert!(age_open(None, None, &ct).is_err());
+    }
+
+    #[test]
+    fn age_open_handles_recipient_envelopes_too() {
+        use age::secrecy::ExposeSecret;
+        let id = age::x25519::Identity::generate();
+        let ct = age_encrypt(&id.to_public().to_string(), b"tier key").unwrap();
+        let pt = age_open(Some(id.to_string().expose_secret()), None, &ct).unwrap();
+        assert_eq!(pt, b"tier key");
+    }
+
     #[test]
     fn seal_open_roundtrip_encrypted() {
         let key = new_symmetric_key().unwrap();
@@ -133,14 +180,4 @@ mod tests {
         let env = seal(b"x", &k1, true).unwrap();
         assert!(open(&env, &k2).is_err());
     }
-
-    #[test]
-    fn age_envelope_roundtrip() {
-        use age::secrecy::ExposeSecret;
-        let id = age::x25519::Identity::generate();
-        let pk = id.to_public().to_string();
-        let ct = age_encrypt(&pk, b"tier key bytes").unwrap();
-        let pt = age_decrypt(id.to_string().expose_secret(), &ct).unwrap();
-        assert_eq!(pt, b"tier key bytes");
-    }
 }

crates/gpp-graphex/src/error.rs

@@ -22,6 +22,9 @@ pub enum Error {
     #[error("key store not initialized — run `gpp keys generate`")]
     NoKeys,
 
+    #[error("this key store is passphrase-protected — set $GPP_GRAPHEX_PASSPHRASE")]
+    PassphraseRequired,
+
     #[error("unknown access tier {0:?}")]
     UnknownTier(String),