eric8810
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 71 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 16 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 4 additions & 1 deletion b/‎CLAUDE.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎Cargo.lock‎
Lines changed: 43 additions & 1 deletion b/‎Cargo.lock‎
Lines changed: 43 additions & 1 deletion
diff --git a/‎Cargo.toml‎
Lines changed: 13 additions & 2 deletions b/‎Cargo.toml‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 25 additions & 0 deletions b/‎README.md‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎landing_page.md‎
Lines changed: 19 additions & 0 deletions b/‎landing_page.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎milestones.md‎
Lines changed: 24 additions & 11 deletions b/‎milestones.md‎
Lines changed: 24 additions & 11 deletions
diff --git a/‎skills/authy/SKILL.md‎
Lines changed: 1 addition & 1 deletion b/‎skills/authy/SKILL.md‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,71 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        run: |
+          rustup update stable
+          rustup default stable
+
+      - name: Cache cargo registry & build
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-
+
+      - name: Build (default features)
+        run: cargo build
+
+      - name: Test (all)
+        run: cargo test
+
+      - name: Clippy
+        run: cargo clippy -- -D warnings
+
+  lib:
+    name: Library (no default features)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Rust toolchain
+        run: |
+          rustup update stable
+          rustup default stable
+
+      - name: Cache cargo registry & build
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-cargo-lib-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-lib-
+
+      - name: Build lib (no default features)
+        run: cargo build --lib --no-default-features
+
+      - name: Test lib (no default features)
+        run: cargo test --lib --no-default-features
+
+      - name: Test API (lib integration tests)
+        run: cargo test --test api
@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.5.0] - 2026-02-20
+
+### Added
+
+- **Library API (`AuthyClient`)** — Use Authy as a Rust crate. `AuthyClient` provides a high-level facade for programmatic vault access: `get`, `store`, `remove`, `rotate`, `list`, `init_vault`, `audit_entries`, `verify_audit_chain`. Authenticate with `with_passphrase()`, `with_keyfile()`, or `from_env()`.
+- **Feature-gated CLI** — CLI dependencies (`clap`, `dialoguer`, `ratatui`, `crossterm`, `humantime`) are behind the `cli` feature (on by default). Build with `--no-default-features` for a minimal library-only build.
+- **API test suite** — 19 tests exercising the `AuthyClient` API directly (init, store/get, remove, rotate, list, audit, wrong passphrase, env auth, custom actor).
+- **CI workflow** — GitHub Actions CI with two jobs: full test suite + clippy, and library-only build/test with `--no-default-features`.
+- **Cargo.toml publish metadata** — `repository`, `homepage`, `readme`, `keywords`, `categories`, `rust-version` for crates.io readiness.
+
+### Changed
+
+- `auth::read_keyfile` visibility changed to `pub` for library API access
+- All internal module visibility adjusted for `lib.rs` re-exports
+- CLI modules use `authy::` crate paths instead of `crate::`
+
 ## [0.4.0] - 2026-02-19
 
 ### Added
 
@@ -21,13 +21,16 @@ cargo clippy -- -D warnings    # lint (must pass clean)
 - `src/cli/env.rs` — `authy env` command (output secrets as env vars)
 - `src/cli/import.rs` — `authy import` command (import from .env files)
 - `src/cli/export.rs` — `authy export` command (export as .env or JSON)
+- `src/lib.rs` — library crate root, re-exports core modules
+- `src/api.rs` — `AuthyClient` high-level programmatic API facade
 - `src/vault/` — encrypted vault storage (age encryption, MessagePack serialization)
 - `src/auth/` — authentication dispatcher (passphrase / keyfile / session token)
 - `src/policy/` — glob-based access control policies
 - `src/session/` — HMAC session token generation and validation
 - `src/audit/` — append-only JSONL audit log with HMAC chain
 - `src/subprocess/` — child process spawning with env var injection
-- `tests/integration/` — integration tests using assert_cmd + tempfile
+- `tests/api_test.rs` — lib-level tests for `AuthyClient` API (serial, isolated HOME)
+- `tests/integration/` — CLI integration tests using assert_cmd + tempfile
 - `skills/authy/` — Agent Skills standard skill (works with Claude Code, Cursor, OpenClaw, etc.)
 
 ## Key Conventions
 
@@ -1,9 +1,15 @@
 [package]
 name = "authy"
-version = "0.4.0"
+version = "0.5.0"
 edition = "2021"
-description = "CLI secrets store & dispatch for agents"
+rust-version = "1.70"
+description = "CLI secrets store & dispatch for AI agents — encrypted vault, scoped policies, run-only tokens, and audit logging"
 license = "MIT"
+repository = "https://github.com/eric8810/authy"
+homepage = "https://eric8810.github.io/authy"
+readme = "README.md"
+keywords = ["secrets", "vault", "agents", "encryption", "cli"]
+categories = ["command-line-utilities", "cryptography"]
 
 [lib]
 name = "authy"
@@ -71,6 +77,10 @@ rand = "0.8"
 # Subtle (constant-time compare)
 subtle = "2"
 
+[[test]]
+name = "api"
+path = "tests/api_test.rs"
+
 [[test]]
 name = "integration"
 path = "tests/integration/mod.rs"
@@ -83,3 +93,4 @@ lto = true
 tempfile = "3"
 assert_cmd = "2"
 predicates = "3"
+serial_test = "3.3.1"
@@ -26,6 +26,31 @@ authy resolve config.yaml.tpl --scope deploy --output config.yaml
 
 `authy run` covers env vars. `authy resolve` covers config files.
 
+## Library API
+
+Use Authy as a Rust crate for programmatic vault access:
+
+```rust
+use authy::api::AuthyClient;
+
+let client = AuthyClient::with_passphrase("my-vault-passphrase")?;
+client.init_vault()?;
+client.store("api-key", "sk-secret-value", false)?;
+let value = client.get("api-key")?; // Some("sk-secret-value")
+```
+
+```bash
+# Add to your project (library only, no CLI deps)
+cargo add authy --no-default-features
+```
+
+Auth from environment variables:
+
+```rust
+// Reads AUTHY_KEYFILE or AUTHY_PASSPHRASE
+let client = AuthyClient::from_env()?;
+```
+
 ## Install
 
 ```bash
 
@@ -58,6 +58,7 @@ Admin (TUI or CLI)          Agent
 
 | Feature | Description |
 |---------|-------------|
+| **Library API** | Use as a Rust crate — `AuthyClient` for programmatic vault access; `cargo add authy --no-default-features` |
 | **Encrypted Vault** | `age`-encrypted single file; passphrase or X25519 keyfile auth |
 | **Scoped Policies** | Glob-based allow/deny rules; deny overrides allow; default deny |
 | **Run-Only Mode** | Restrict agents to subprocess injection only — `get`, `env`, `export` blocked |
@@ -163,6 +164,24 @@ authy run --scope claude-code --uppercase --replace-dash _ -- claude
 
 ## Use Cases
 
+### Library API (Rust Crate)
+
+```rust
+use authy::api::AuthyClient;
+
+// Authenticate and access the vault programmatically
+let client = AuthyClient::from_env()?; // reads AUTHY_KEYFILE or AUTHY_PASSPHRASE
+client.store("api-key", "sk-secret-value", false)?;
+let value = client.get("api-key")?;
+let names = client.list(None)?;
+client.rotate("api-key", "sk-new-value")?;
+```
+
+```bash
+# Add to your Rust project (no CLI deps)
+cargo add authy --no-default-features
+```
+
 ### Config File Templates
 
 ```bash
 
@@ -84,25 +84,38 @@ Embed Authy into the places developers already are. Distribution, not features.
 
 **Success criteria:** A developer setting up Claude Code, OpenClaw, or a new agent project encounters Authy as the default secrets pattern.
 
-## v0.4 — File-Layer Secrets
+## v0.4 — File-Layer Secrets ✓
 
 `authy run` covers env vars. `authy resolve` covers config files. Together they handle both surfaces where secrets live.
 
-- [ ] **`authy resolve <file>`** — replace `<authy:key-name>` placeholders with real values from vault, output to `--output` path or stdout
-- [ ] **Placeholder format** — `<authy:key-name>` in any config file (yaml, json, toml, etc.), safe to commit and share
-- [ ] **Safe/sensitive command split** — formalize: safe commands (list, run, resolve) work with agent tokens; sensitive commands (get, store, export, import, rotate) require TTY or master key
-- [ ] **`authy rekey`** — change passphrase or switch between passphrase/keyfile auth
+- [x] **`authy resolve <file>`** — replace `<authy:key-name>` placeholders with real values from vault, output to `--output` path or stdout
+- [x] **Placeholder format** — `<authy:key-name>` in any config file (yaml, json, toml, etc.), safe to commit and share
+- [x] **Safe/sensitive command split** — formalize: safe commands (list, run, resolve) work with agent tokens; sensitive commands (get, store, export, import, rotate) require TTY or master key
+- [x] **`authy rekey`** — change passphrase or switch between passphrase/keyfile auth
 
 **Success criteria:** Secrets in config files use placeholders. `authy resolve` produces real files at deploy/launch time. Agents only see placeholder files.
 
-### Deferred to v0.5+
+## v0.5 — Library API & Publish Readiness ✓
+
+Expose core vault operations as a Rust library crate. Make Authy embeddable — not just callable.
+
+- [x] **`lib.rs` + `api.rs`** — `AuthyClient` high-level facade: `get`, `store`, `remove`, `rotate`, `list`, `init_vault`, `audit_entries`, `verify_audit_chain`
+- [x] **Feature-gated CLI** — CLI deps (`clap`, `dialoguer`, `ratatui`, etc.) behind `cli` feature; library builds with `--no-default-features`
+- [x] **`AuthyClient::from_env()`** — authenticate from `AUTHY_KEYFILE` or `AUTHY_PASSPHRASE` env vars without interactive prompts
+- [x] **Lib-level tests** — 19 tests exercising the `AuthyClient` API directly (init, store, get, remove, rotate, list, audit, wrong passphrase)
+- [x] **CI lib job** — GitHub Actions job that builds and tests with `--no-default-features` to prevent regressions
+- [x] **Cargo.toml publish metadata** — `repository`, `homepage`, `readme`, `keywords`, `categories`, `rust-version` for crates.io
+
+**Success criteria:** Rust programs can `cargo add authy` and use `AuthyClient` to manage secrets programmatically. CLI and library are independently buildable and tested.
+
+### Deferred to v0.6+
 
 - `authy up` / `authy down` (tool launcher — agent platforms already handle process management)
 - Agent identity (named agents with scoped access)
 - Per-agent audit attribution
 - Delegation tokens (agent-to-agent scope narrowing)
 
-## v0.5 — Platform Integration Layer
+## v0.6 — Platform Integration Layer
 
 Serve segment 3 (operators) through the platforms they already use. Serve platforms that need a service interface, not just CLI.
 
@@ -116,7 +129,7 @@ Serve segment 3 (operators) through the platforms they already use. Serve platfo
 
 **Success criteria:** Platforms can integrate Authy as their secrets backend. Operators use Authy through platforms without knowing it.
 
-## v0.6 — Breach Response & Security Hardening
+## v0.7 — Breach Response & Security Hardening
 
 When agents get compromised (not if — when), Authy is the incident response tool.
 
@@ -134,9 +147,9 @@ Authy is on every agent's PATH like `git` is on every developer's PATH.
 
 - [ ] Stable CLI interface — semver guarantee, output formats are API contracts
 - [ ] Daemon mode with auto-lock — keep vault unlocked in memory, lock after timeout
-- [ ] `lib.rs` extraction — make core modules public for Rust crate consumers
-- [ ] Publish to crates.io (lib + CLI split) via Trusted Publishing
-- [ ] Comprehensive unit test coverage
+- [x] `lib.rs` extraction — make core modules public for Rust crate consumers (shipped in v0.5)
+- [ ] Publish to crates.io via Trusted Publishing
+- [x] Comprehensive unit test coverage (API tests shipped in v0.5)
 - [ ] Vault format versioning + migration for future-proofing
 - [ ] cargo-dist for release automation (Homebrew tap, shell/PS installers, cargo-binstall)
 
 
@@ -5,7 +5,7 @@ license: MIT
 compatibility: Requires `authy` on PATH. Auth via AUTHY_TOKEN (run-only) + AUTHY_KEYFILE.
 metadata:
   author: eric8810
-  version: "0.4.0"
+  version: "0.5.0"
   homepage: https://github.com/eric8810/authy
   openclaw:
     requires: