
Encrypted full-state backup and restore (zip.enc) with Arweave manifest and Vault passphrase #48

Open: johnnyclem wants to merge 1 commit into main from codex/update-backup-process-with-encryption-and-restore

@johnnyclem
Owner

Motivation

  • Replace the previous manifest-only backup with a full-state, portable backup that captures on-disk state, deps, logs and encrypted keys so a vault can be reconstructed offline.
  • Keep the large encrypted backup file local/offline while publishing a small manifest + hash for long-term proof (Arweave).
  • Provide a secure encrypted artifact (AES-256-GCM with PBKDF2) and a restore flow that can decrypt, restore files and deploy a fresh canister from bundled WASM.

Description

  • Implemented an encrypted full-state export pipeline in src/backup/backup.ts that stages agent state, encrypted keys, logs, dependencies, optional WASM, and optional live canister-state metadata, zips the payload, encrypts with a passphrase and records SHA-256 checksums and metadata.
  • Added optional Arweave manifest upload (manifest + encrypted zip SHA-256) while leaving the encrypted zip local, and wrote a local sidecar manifest (<basename>.manifest.json) to preserve listing/preview functionality.
  • Added restore flow restoreFromEncryptedZip that decrypts a .zip.enc, extracts the payload, copies state files back into ~/.agentvault, locates a bundled WASM and invokes deployAgent to install a fresh canister.
  • Extended the CLI agentvault backup command (cli/commands/backup.ts) with new options and a restore subcommand, plus Vault-backed passphrase lookup: --passphrase, --vault-passphrase-key, --arweave-jwk, --wasm, and agentvault backup restore --zip <path> --passphrase <secret> (or read passphrase from Vault).

Files changed: src/backup/backup.ts, cli/commands/backup.ts (added backup export/restore/encryption/Arweave/Vault glue).

Testing

  • Ran ESLint: npx eslint cli/commands/backup.ts src/backup/backup.ts — passed (no reported lint errors). ✅
  • Type-check: npm run typecheck — did not fully pass; the run surfaced existing, pre-existing type errors outside this change (errors reported in cli/commands/pilot.ts and src/pilot/private-replica.ts) and therefore the repo-wide typecheck fails; changes in this PR were adjusted to avoid introducing new type errors in the modified files. ⚠️
  • Basic smoke checks performed during development: local npx eslint and manual invocation of the new CLI help/usage paths for backup export and backup restore (commands were exercised, no runtime exceptions in the modified code paths without external deps). ✅

If you want, I can follow up with isolated unit tests for the new exportBackup/restoreFromEncryptedZip functions and a small integration test that writes a temporary encrypted zip and restores it (then remove the test helper before merge if preferred).


Codex Task
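
An added example, not code from this PR or from the agentvault repository: a minimal passphrase-based AES-256-GCM container with PBKDF2 key derivation, plus the restore-side check of the encrypted file against the SHA-256 recorded in a manifest, as the description above outlines. The container layout (salt | iv | tag | ciphertext), the iteration count and every function name are assumptions.

```typescript
// Added example; layout, iteration count and names are assumptions, not the PR's code.
import { createCipheriv, createDecipheriv, createHash, pbkdf2Sync, randomBytes } from "node:crypto";

const SALT_LEN = 16; // fresh random salt per backup
const IV_LEN = 12;   // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;  // GCM authentication tag
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;
const PBKDF2_ITERATIONS = 600_000; // assumed value; the PR does not state one

function deriveKey(passphrase: string, salt: Buffer): Buffer {
  return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Encrypts the zipped payload; output is salt | iv | tag | ciphertext.
function encryptBackup(zip: Buffer, passphrase: string): Buffer {
  const salt = randomBytes(SALT_LEN);
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(zip), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Decrypts a container; throws on a wrong passphrase or any modified byte.
function decryptBackup(enc: Buffer, passphrase: string): Buffer {
  if (enc.length < HEADER_LEN) throw new Error("truncated backup");
  const salt = enc.subarray(0, SALT_LEN);
  const iv = enc.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = enc.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  // final() performs the tag check; plaintext must not be used before it succeeds.
  return Buffer.concat([decipher.update(enc.subarray(HEADER_LEN)), decipher.final()]);
}

// SHA-256 of the encrypted artifact, the value a manifest would carry.
function sha256Hex(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

// Restore path: compare against the manifest hash first, then decrypt.
function restoreVerified(enc: Buffer, manifestSha256: string, passphrase: string): Buffer {
  if (sha256Hex(enc) !== manifestSha256) throw new Error("manifest hash mismatch");
  return decryptBackup(enc, passphrase);
}
```

The manifest hash only shows that the local file matches what was published; the GCM tag is what binds the content to the passphrase, so both checks are needed before any extracted file is copied back or a bundled WASM is deployed.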

@vercel

vercel Bot commented Apr 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| agent-vault | Ready | Preview, Comment | Apr 26, 2026 2:44pm |
| agentvault | Ready | Preview, Comment | Apr 26, 2026 2:44pm |
