bump: version 0.4.0 → 0.4.1 [skip ci]

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -0,0 +1,11 @@
+### AI assistance (if any):
+- List tools here and files touched by them
+
+### Authorship & Understanding
+
+- [ ] I wrote or heavily modified this code myself
+- [ ] I understand how it works end-to-end
+- [ ] I can maintain this code in the future
+- [ ] No undisclosed AI-generated code was used
+- [ ] If AI assistance was used, it is documented below
+

CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## v0.4.1 (2026-03-20)
+
+### Feat
+
+- Upgraded aws-lc-sys version to address high severity CWE-295
+
+## v0.4.0 (2026-03-09)
+
+### Feat
+
+- Added 1password support
+- sort local keys alphabetically when listing them
+
+## v0.3.0 (2026-02-02)
+
+### Fix
+
+- Upgraded AWS dependencies to address CWE-20
+- A critical security flaw was discovered that essentially had all local secrets be encrypted with an all-zero key
+- Addressed XNonce::from_slice deprecation warning
+- Secrets are now stored exactly as passed without newlines stripped
+
 ## v0.2.3 (2025-10-14)
 
 ### Refactor

CONTRIBUTING.md

@@ -48,7 +48,8 @@ cz commit
 1. Clone this repo
 2. Run `cargo test` to set up hooks
 3. Make changes
-4. Run the application using `make run` or `cargo run`
+4. Run the application using `just run` or `just run`
+   - Install `just` (`cargo install just`) if you haven't already to use the [justfile](./justfile) in this project.
 5. Commit changes. This will trigger pre-commit hooks that will run format, test and lint. If there are errors or 
    warnings from Clippy, please fix them.
 6. Push your code to a new branch named after the feature/bug/etc. you're adding. This will trigger pre-push hooks that 
@@ -75,6 +76,13 @@ Then, you can run workflows locally without having to commit and see if the GitH
 act -W .github/workflows/release.yml --input_type bump=minor
 ```
 
+ ## Authorship Policy
+
+All code in this repository is written and reviewed by humans. AI-generated code (e.g., Copilot, ChatGPT,
+Claude, etc.) is not permitted unless explicitly disclosed and approved.
+
+Submissions must certify that the contributor understands and can maintain the code they submit.
+
 ## Questions? Reach out to me!
 If you encounter any questions while developing G-Man, please don't hesitate to reach out to me at 
 alex.j.tusa@gmail.com. I'm happy to help contributors in any way I can, regardless of if they're new or experienced!

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "gman"
-version = "0.2.3"
+version = "0.4.1"
 edition = "2024"
 authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
 description = "Universal command line secret management and injection tool"
@@ -32,7 +32,7 @@ clap = { version = "4.5.47", features = [
   "wrap_help",
 ] }
 clap_complete = { version = "4.5.57", features = ["unstable-dynamic"] }
-confy = { version = "1.0.0", default-features = false, features = [
+confy = { version = "2.0.0", default-features = false, features = [
   "yaml_conf",
 ] }
 crossterm = "0.29.0"
@@ -53,18 +53,19 @@ indoc = "2.0.6"
 regex = "1.11.2"
 serde_yaml = "0.9.34"
 tempfile = "3.22.0"
-aws-sdk-secretsmanager = "1.88.0"
+aws-sdk-secretsmanager = "1.98.0"
 tokio = { version = "1.47.1", features = ["full"] }
-aws-config = { version = "1.8.6", features = ["behavior-version-latest"] }
+aws-config = { version = "1.8.12", features = ["behavior-version-latest"] }
 async-trait = "0.1.89"
 futures = "0.3.31"
-gcloud-sdk = { version = "0.28.1", features = [
+gcloud-sdk = { version = "0.28.5", features = [
   "google-cloud-secretmanager-v1",
 ] }
 crc32c = "0.6.8"
-azure_identity = "0.27.0"
+azure_core = "0.31.0"
-azure_security_keyvault_secrets = "0.6.0"
+azure_identity = "0.31.0"
-aws-lc-sys = { version = "0.31.0", features = ["bindgen"] }
+azure_security_keyvault_secrets = "0.10.0"
+aws-lc-sys = { version = "0.39.0", features = ["bindgen"] }
 which = "8.0.0"
 once_cell = "1.21.3"
 

Makefile

@@ -1,40 +0,0 @@
-#!make
-default: run
-
-.PHONY: test test-cov build run lint lint-fix fmt minimal-versions analyze release delete-tag
-
-test:
-	@cargo test --all
-
-## Run all tests with coverage - `cargo install cargo-tarpaulin`
-test-cov:
-	@cargo tarpaulin
-
-build: test
-	@cargo build --release
-
-run:
-	@CARGO_INCREMENTAL=1 cargo fmt && make lint && cargo run
-
-lint:
-	@find . | grep '\.\/src\/.*\.rs$$' | xargs touch && CARGO_INCREMENTAL=0 cargo clippy --all-targets --workspace
-
-lint-fix:
-	@cargo fix
-
-fmt:
-	@cargo fmt
-
-minimal-versions:
-	@cargo +nightly update -Zdirect-minimal-versions
-
-## Analyze for unsafe usage - `cargo install cargo-geiger`
-analyze:
-	@cargo geiger
-
-release:
-	@git tag -a ${V} -m "Release ${V}" && git push origin ${V}
-
-delete-tag:
-	@git tag -d ${V} && git push --delete origin ${V}
-

README.md

@@ -14,8 +14,8 @@ files or sprinkling environment variables everywhere.
 
 ## Overview
 
-`gman` acts as a universal wrapper for any command that needs credentials. Store your secrets—API tokens, passwords,
+`gman` acts as a universal wrapper for any command that needs credentials. Store your secrets (e.g. API tokens, passwords,
-certs—with a provider, then either fetch them directly or run your command through `gman` to inject what it needs as
+certs, etc.) with a provider, then either fetch them directly or run your command through `gman` to inject what it needs as
 environment variables, flags, or file content.
 
 ## Quick Examples: Before vs After
@@ -96,6 +96,7 @@ gman aws sts get-caller-identity
   - [GCP Secret Manager](#provider-gcp_secret_manager)
   - [Azure Key Vault](#provider-azure_key_vault)
   - [Gopass](#provider-gopass)
+  - [1Password](#provider-one_password)
 - [Run Configurations](#run-configurations) 
   - [Specifying a Default Provider per Run Config](#specifying-a-default-provider-per-run-config)
   - [Environment Variable Secret Injection](#environment-variable-secret-injection)
@@ -142,7 +143,7 @@ You can use the following command to run a bash script that downloads and instal
 OS (Linux/MacOS) and architecture (x86_64/arm64):
 
 ```shell
-curl -fsSL https://raw.githubusercontent.com/Dark-Alex-17/gman/main/install.sh | bash
+curl -fsSL https://raw.githubusercontent.com/Dark-Alex-17/gman/main/install_gman.sh | bash
 ```
 
 #### Windows/Linux/MacOS (`PowerShell`)
@@ -287,7 +288,7 @@ documented and added without breaking existing setups. The following table shows
 | [`azure_key_vault`](https://azure.microsoft.com/en-us/products/key-vault/)                                               | ✅      | [Azure Key Vault](#provider-azure_key_vault)         |                                            |
 | [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en)                                  | ✅      | [GCP Secret Manager](#provider-gcp_secret_manager)   |                                            |
 | [`gopass`](https://www.gopass.pw/)                                                                                      | ✅     |                                                      |                                            |
-| [`1password`](https://1password.com/)                                                                                    | 🕒     |                                                      |                                            |
+| [`1password`](https://1password.com/)                                                                                    | ✅      | [1Password](#provider-one_password)                  |                                            |
 | [`bitwarden`](https://bitwarden.com/)                                                                                    | 🕒     |                                                      |                                            |
 | [`dashlane`](https://www.dashlane.com/)                                                                                  | 🕒     |                                                      | Waiting for CLI support for adding secrets |
 | [`lastpass`](https://www.lastpass.com/)                                                                                  | 🕒     |                                                      |                                            |
@@ -450,6 +451,42 @@ Important notes:
 - Secrets are managed using gopass's native commands; `gman` acts as a wrapper to interface with gopass.
 - Updates overwrite existing secrets
 - If no store is specified, the default gopass store is used and `gman sync` will sync with all configured stores.
+
+### Provider: `one_password`
+The `one_password` provider uses the [1Password CLI (`op`)](https://developer.1password.com/docs/cli/) as the backing
+storage location for secrets.
+
+- Optional: `vault` (string) to specify which 1Password vault to use. If omitted, the default vault is used.
+- Optional: `account` (string) to specify which 1Password account to use. Useful if you have multiple accounts. If
+  omitted, the default signed-in account is used.
+
+Configuration example:
+
+```yaml
+default_provider: op
+providers:
+  - name: op
+    type: one_password
+    vault: Production          # Optional; if omitted, uses the default vault
+    account: my.1password.com  # Optional; if omitted, uses the default account
+```
+
+Authentication:
+- **Interactive**: Run `op signin` to sign in interactively.
+- **Service Account**: Set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable for non-interactive/CI usage.
+- **Desktop App Integration**: If the 1Password desktop app is installed and configured, the CLI can use biometric
+  authentication (Touch ID, Windows Hello, etc.).
+
+Important notes:
+- Ensure the 1Password CLI (`op`) is installed on your system. Install instructions are at
+  https://developer.1password.com/docs/cli/get-started/.
+- Secrets are stored as 1Password Password items. The item title is the secret name and the `password` field holds the
+  secret value.
+- **Deletions are permanent. Deleted items are not archived.**
+- `add` creates a new Password item. If an item with the same title already exists in the vault, `op` will create a
+  duplicate. Use `update` to change an existing secret value.
+- `list` returns the titles of all items in the configured vault.
+
 ## Run Configurations
 
 Run configurations (or "profiles") tell `gman` how to inject secrets into a command. Three modes of secret injection are
@@ -657,7 +694,7 @@ gman managarr
 
 ### Multiple Providers and Switching
 
-You can define multiple providers—even multiple of the same type—and switch between them per command.
+You can define multiple providers (even multiple of the same type) and switch between them per command.
 
 Example: two AWS Secrets Manager providers named `lab` and `prod`.
 

justfile

@@ -0,0 +1,35 @@
+# List all recipes
+default:
+    @just --list
+
+# Format all files
+[group: 'style']
+fmt:
+    @cargo fmt --all
+
+alias clippy := lint
+# Run Clippy to inspect all files
+[group: 'style']
+lint:
+    @cargo clippy --all
+
+alias clippy-fix := lint-fix
+# Automatically fix clippy issues where possible
+[group: 'style']
+lint-fix:
+    @cargo fix
+
+# Run all tests
+[group: 'test']
+test:
+    @cargo test --all
+
+# Build and run the binary for the current system
+run:
+    @cargo run
+
+# Build the project for the current system architecture
+[group: 'build']
+[arg('build_type', pattern="debug|release")]
+build build_type='debug':
+    @cargo build {{ if build_type == "release" { "--release" } else { "" } }}

src/bin/gman/main.rs

@@ -116,6 +116,12 @@ enum Commands {
     /// Sync secrets with remote storage (if supported by the provider)
     Sync {},
 
+    // TODO: Remove once all users have migrated their local vaults
+    /// Migrate local vault secrets to the current secure encryption format.
+    /// This is only needed if you have secrets encrypted with older versions of gman.
+    /// Only works with the local provider.
+    Migrate {},
+
     /// Open and edit the config file in the default text editor
     Config {},
 
@@ -159,7 +165,7 @@ async fn main() -> Result<()> {
             let plaintext =
                 read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
             secrets_provider
-                .set_secret(&name, plaintext.trim_end())
+                .set_secret(&name, &plaintext)
                 .await
                 .map(|_| match cli.output {
                     Some(_) => (),
@@ -190,7 +196,7 @@ async fn main() -> Result<()> {
             let plaintext =
                 read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
             secrets_provider
-                .update_secret(&name, plaintext.trim_end())
+                .update_secret(&name, &plaintext)
                 .await
                 .map(|_| match cli.output {
                     Some(_) => (),
@@ -258,6 +264,49 @@ async fn main() -> Result<()> {
                 }
             })?;
         }
+        // TODO: Remove once all users have migrated their local vaults
+        Commands::Migrate {} => {
+            use gman::providers::SupportedProvider;
+            use gman::providers::local::LocalProvider;
+
+            let provider_config_for_migrate =
+                config.extract_provider_config(cli.provider.clone())?;
+
+            let local_provider: LocalProvider = match provider_config_for_migrate.provider_type {
+                SupportedProvider::Local { provider_def } => provider_def,
+                _ => {
+                    anyhow::bail!("The migrate command only works with the local provider.");
+                }
+            };
+
+            println!("Migrating vault secrets to current secure format...");
+            let result = local_provider.migrate_vault().await?;
+
+            if result.total == 0 {
+                println!("Vault is empty, nothing to migrate.");
+            } else {
+                println!(
+                    "Migration complete: {} total, {} migrated, {} already current",
+                    result.total, result.migrated, result.already_current
+                );
+
+                if !result.failed.is_empty() {
+                    eprintln!("\n⚠ Failed to migrate {} secret(s):", result.failed.len());
+                    for (key, error) in &result.failed {
+                        eprintln!("  - {}: {}", key, error);
+                    }
+                }
+
+                if result.migrated > 0 {
+                    println!(
+                        "\n✓ Successfully migrated {} secret(s) to the secure format.",
+                        result.migrated
+                    );
+                } else if result.failed.is_empty() {
+                    println!("\n✓ All secrets are already using the current secure format.");
+                }
+            }
+        }
         Commands::External(tokens) => {
             wrap_and_run_command(cli.provider, &config, tokens, cli.profile, cli.dry_run).await?;
         }

src/config.rs

@@ -169,6 +169,10 @@ impl ProviderConfig {
                 debug!("Using Gopass provider");
                 provider_def
             }
+            SupportedProvider::OnePassword { provider_def } => {
+                debug!("Using 1Password provider");
+                provider_def
+            }
         }
     }
 }

src/lib.rs

@@ -22,10 +22,7 @@
 //! filesystem. Prefer `no_run` doctests for those.
 
 use anyhow::{Context, Result, anyhow, bail};
-use argon2::{
+use argon2::{Algorithm, Argon2, Params, Version, password_hash::rand_core::RngCore};
-    Algorithm, Argon2, Params, Version,
-    password_hash::{SaltString, rand_core::RngCore},
-};
 use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
 use chacha20poly1305::{
     Key, XChaCha20Poly1305, XNonce,
@@ -43,8 +40,8 @@ pub(crate) const HEADER: &str = "$VAULT";
 pub(crate) const VERSION: &str = "v1";
 pub(crate) const KDF: &str = "argon2id";
 
-pub(crate) const ARGON_M_COST_KIB: u32 = 19_456;
+pub(crate) const ARGON_M_COST_KIB: u32 = 65_536;
-pub(crate) const ARGON_T_COST: u32 = 2;
+pub(crate) const ARGON_T_COST: u32 = 3;
 pub(crate) const ARGON_P: u32 = 1;
 
 pub(crate) const SALT_LEN: usize = 16;
@@ -61,7 +58,7 @@ fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
         .hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
         .map_err(|e| anyhow!("argon2 into error: {:?}", e))?;
 
-    let key = *Key::from_slice(&key_bytes);
+    let key: Key = key_bytes.into();
     key_bytes.zeroize();
     Ok(key)
 }
@@ -84,20 +81,28 @@ fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
 pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Result<String> {
     let password = password.into();
 
-    let salt = SaltString::generate(&mut OsRng);
+    if password.expose_secret().is_empty() {
+        bail!("password cannot be empty");
+    }
+
+    let mut salt = [0u8; SALT_LEN];
+    OsRng.fill_bytes(&mut salt);
     let mut nonce_bytes = [0u8; NONCE_LEN];
     OsRng.fill_bytes(&mut nonce_bytes);
 
-    let key = derive_key(&password, salt.as_str().as_bytes())?;
+    let mut key = derive_key(&password, &salt)?;
     let cipher = XChaCha20Poly1305::new(&key);
 
-    let aad = format!("{};{}", HEADER, VERSION);
+    let aad = format!(
+        "{};{};{};m={},t={},p={}",
+        HEADER, VERSION, KDF, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P
+    );
 
-    let nonce = XNonce::from_slice(&nonce_bytes);
+    let nonce: XNonce = nonce_bytes.into();
     let mut pt = plaintext.as_bytes().to_vec();
     let ct = cipher
         .encrypt(
-            nonce,
+            &nonce,
             chacha20poly1305::aead::Payload {
                 msg: &pt,
                 aad: aad.as_bytes(),
@@ -115,13 +120,14 @@ pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Res
         m = ARGON_M_COST_KIB,
         t = ARGON_T_COST,
         p = ARGON_P,
-        salt = B64.encode(salt.as_str().as_bytes()),
+        salt = B64.encode(salt),
         nonce = B64.encode(nonce_bytes),
         ct = B64.encode(&ct),
     );
 
     drop(cipher);
-    let _ = key;
+    key.zeroize();
+    salt.zeroize();
     nonce_bytes.zeroize();
 
     Ok(env)
@@ -132,6 +138,9 @@ pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Res
 /// Returns the original plaintext on success or an error if the password is
 /// wrong, the envelope was tampered with, or the input is malformed.
 ///
+/// This function supports both the current format (with KDF params in AAD) and
+/// the legacy format (without KDF params in AAD) for backwards compatibility.
+///
 /// Example
 /// ```
 /// use gman::{encrypt_string, decrypt_string};
@@ -145,6 +154,10 @@ pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Res
 pub fn decrypt_string(password: impl Into<SecretString>, envelope: &str) -> Result<String> {
     let password = password.into();
 
+    if password.expose_secret().is_empty() {
+        bail!("password cannot be empty");
+    }
+
     let parts: Vec<&str> = envelope.split(';').collect();
     if parts.len() < 7 {
         bail!("invalid envelope format");
@@ -178,34 +191,55 @@ pub fn decrypt_string(password: impl Into<SecretString>, envelope: &str) -> Resu
     let nonce_b64 = parts[5].strip_prefix("nonce=").context("missing nonce")?;
     let ct_b64 = parts[6].strip_prefix("ct=").context("missing ct")?;
 
-    let salt_bytes = B64.decode(salt_b64).context("bad salt b64")?;
+    let mut salt_bytes = B64.decode(salt_b64).context("bad salt b64")?;
-    let mut nonce_bytes = B64.decode(nonce_b64).context("bad nonce b64")?;
+    let nonce_bytes = B64.decode(nonce_b64).context("bad nonce b64")?;
     let mut ct = B64.decode(ct_b64).context("bad ct b64")?;
 
     if nonce_bytes.len() != NONCE_LEN {
         bail!("nonce length mismatch");
     }
 
-    let key = derive_key(&password, &salt_bytes)?;
+    let mut key = derive_key(&password, &salt_bytes)?;
 
     let cipher = XChaCha20Poly1305::new(&key);
 
-    let aad = format!("{};{}", HEADER, VERSION);
+    let aad_new = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
-    let nonce = XNonce::from_slice(&nonce_bytes);
+    let aad_legacy = format!("{};{}", HEADER, VERSION);
-    let pt = cipher
+
-        .decrypt(
+    let mut nonce_arr: [u8; NONCE_LEN] = nonce_bytes
-            nonce,
+        .try_into()
+        .map_err(|_| anyhow!("invalid nonce length"))?;
+    let nonce: XNonce = nonce_arr.into();
+
+    let decrypt_result = cipher.decrypt(
+        &nonce,
         chacha20poly1305::aead::Payload {
             msg: &ct,
-                aad: aad.as_bytes(),
+            aad: aad_new.as_bytes(),
+        },
+    );
+
+    let mut pt = match decrypt_result {
+        Ok(pt) => pt,
+        Err(_) => cipher
+            .decrypt(
+                &nonce,
+                chacha20poly1305::aead::Payload {
+                    msg: &ct,
+                    aad: aad_legacy.as_bytes(),
                 },
             )
-        .map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?;
+            .map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?,
+    };
 
-    nonce_bytes.zeroize();
+    let s = String::from_utf8(pt.clone()).context("plaintext not valid UTF-8")?;
+
+    key.zeroize();
+    salt_bytes.zeroize();
+    nonce_arr.zeroize();
     ct.zeroize();
+    pt.zeroize();
 
-    let s = String::from_utf8(pt).context("plaintext not valid UTF-8")?;
     Ok(s)
 }
 
@@ -247,12 +281,10 @@ mod tests {
     }
 
     #[test]
-    fn empty_password() {
+    fn empty_password_rejected() {
         let pw = SecretString::new("".into());
         let msg = "hello";
-        let env = encrypt_string(pw.clone(), msg).unwrap();
+        assert!(encrypt_string(pw.clone(), msg).is_err());
-        let out = decrypt_string(pw, &env).unwrap();
-        assert_eq!(msg, out);
     }
 
     #[test]
@@ -274,7 +306,7 @@ mod tests {
         let mut ct = base64::engine::general_purpose::STANDARD
             .decode(ct_b64)
             .unwrap();
-        ct[0] ^= 0x01; // Flip a bit
+        ct[0] ^= 0x01;
         let new_ct_b64 = base64::engine::general_purpose::STANDARD.encode(&ct);
         let new_ct_part = format!("ct={}", new_ct_b64);
         parts[6] = &new_ct_part;

src/providers/azure_key_vault.rs

@@ -1,11 +1,13 @@
 use crate::providers::SecretProvider;
 use anyhow::{Context, Result};
-use azure_identity::DefaultAzureCredential;
+use azure_core::credentials::TokenCredential;
+use azure_identity::DeveloperToolsCredential;
 use azure_security_keyvault_secrets::models::SetSecretParameters;
 use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
 use futures::TryStreamExt;
 use serde::{Deserialize, Serialize};
 use serde_with::skip_serializing_none;
+use std::sync::Arc;
 use validator::Validate;
 
 #[skip_serializing_none]
@@ -40,12 +42,8 @@ impl SecretProvider for AzureKeyVaultProvider {
     }
 
     async fn get_secret(&self, key: &str) -> Result<String> {
-        let body = self
+        let response = self.get_client()?.get_secret(key, None).await?;
-            .get_client()?
+        let body = response.into_model()?;
-            .get_secret(key, "", None)
-            .await?
-            .into_body()
-            .await?;
 
         body.value
             .with_context(|| format!("Secret '{}' not found", key))
@@ -60,8 +58,7 @@ impl SecretProvider for AzureKeyVaultProvider {
         self.get_client()?
             .set_secret(key, params.try_into()?, None)
             .await?
-            .into_body()
+            .into_model()?;
-            .await?;
 
         Ok(())
     }
@@ -77,10 +74,7 @@ impl SecretProvider for AzureKeyVaultProvider {
     }
 
     async fn list_secrets(&self) -> Result<Vec<String>> {
-        let mut pager = self
+        let mut pager = self.get_client()?.list_secret_properties(None)?;
-            .get_client()?
-            .list_secret_properties(None)?
-            .into_stream();
         let mut secrets = Vec::new();
         while let Some(props) = pager.try_next().await? {
             let name = props.resource_id()?.name;
@@ -93,7 +87,7 @@ impl SecretProvider for AzureKeyVaultProvider {
 
 impl AzureKeyVaultProvider {
     fn get_client(&self) -> Result<SecretClient> {
-        let credential = DefaultAzureCredential::new()?;
+        let credential: Arc<dyn TokenCredential> = DeveloperToolsCredential::new(None)?;
         let client = SecretClient::new(
             format!(
                 "https://{}.vault.azure.net",

src/providers/local.rs

@@ -158,7 +158,8 @@ impl SecretProvider for LocalProvider {
     async fn list_secrets(&self) -> Result<Vec<String>> {
         let vault_path = self.active_vault_path()?;
         let vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
-        let keys: Vec<String> = vault.keys().cloned().collect();
+        let mut keys: Vec<String> = vault.keys().cloned().collect();
+        keys.sort();
 
         Ok(keys)
     }
@@ -321,6 +322,22 @@ impl LocalProvider {
 
     fn get_password(&self) -> Result<SecretString> {
         if let Some(password_file) = &self.password_file {
+            #[cfg(unix)]
+            {
+                use std::os::unix::fs::PermissionsExt;
+                let metadata = fs::metadata(password_file).with_context(|| {
+                    format!("failed to read password file metadata {:?}", password_file)
+                })?;
+                let mode = metadata.permissions().mode();
+                if mode & 0o077 != 0 {
+                    bail!(
+                        "password file {:?} has insecure permissions {:o} (should be 0600 or 0400)",
+                        password_file,
+                        mode & 0o777
+                    );
+                }
+            }
+
             let password = SecretString::new(
                 fs::read_to_string(password_file)
                     .with_context(|| format!("failed to read password file {:?}", password_file))?
@@ -369,24 +386,41 @@ fn store_vault(path: &Path, map: &HashMap<String, String>) -> Result<()> {
         fs::create_dir_all(parent).with_context(|| format!("create {}", parent.display()))?;
     }
     let s = serde_yaml::to_string(map).with_context(|| "serialize vault")?;
-    fs::write(path, s).with_context(|| format!("write {}", path.display()))
+    fs::write(path, &s).with_context(|| format!("write {}", path.display()))?;
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        fs::set_permissions(path, fs::Permissions::from_mode(0o600))
+            .with_context(|| format!("set permissions on {}", path.display()))?;
+    }
+
+    Ok(())
 }
 
 fn encrypt_string(password: &SecretString, plaintext: &str) -> Result<String> {
+    if password.expose_secret().is_empty() {
+        bail!("password cannot be empty");
+    }
+
     let mut salt = [0u8; SALT_LEN];
     OsRng.fill_bytes(&mut salt);
     let mut nonce_bytes = [0u8; NONCE_LEN];
     OsRng.fill_bytes(&mut nonce_bytes);
 
-    let key = derive_key(password, &salt)?;
+    let mut key = derive_key(password, &salt)?;
     let cipher = XChaCha20Poly1305::new(&key);
-    let aad = format!("{};{}", HEADER, VERSION);
 
-    let nonce = XNonce::from_slice(&nonce_bytes);
+    let aad = format!(
+        "{};{};{};m={},t={},p={}",
+        HEADER, VERSION, KDF, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P
+    );
+
+    let nonce: XNonce = nonce_bytes.into();
     let mut pt = plaintext.as_bytes().to_vec();
     let ct = cipher
         .encrypt(
-            nonce,
+            &nonce,
             chacha20poly1305::aead::Payload {
                 msg: &pt,
                 aad: aad.as_bytes(),
@@ -409,6 +443,7 @@ fn encrypt_string(password: &SecretString, plaintext: &str) -> Result<String> {
     );
 
     drop(cipher);
+    key.zeroize();
     salt.zeroize();
     nonce_bytes.zeroize();
 
@@ -429,16 +464,30 @@ fn derive_key_with_params(
     argon
         .hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
         .map_err(|e| anyhow!("argon2 derive error: {:?}", e))?;
+    let key: Key = key_bytes.into();
     key_bytes.zeroize();
-    let key = Key::from_slice(&key_bytes);
+    Ok(key)
-    Ok(*key)
 }
 
 fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
     derive_key_with_params(password, salt, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P)
 }
 
-fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
+/// Attempts to decrypt with the given cipher, nonce, ciphertext, and AAD.
+fn try_decrypt(
+    cipher: &XChaCha20Poly1305,
+    nonce: &XNonce,
+    ct: &[u8],
+    aad: &[u8],
+) -> std::result::Result<Vec<u8>, chacha20poly1305::aead::Error> {
+    cipher.decrypt(nonce, chacha20poly1305::aead::Payload { msg: ct, aad })
+}
+
+type EnvelopeComponents = (u32, u32, u32, Vec<u8>, [u8; NONCE_LEN], Vec<u8>);
+
+/// Parse an envelope string and extract its components.
+/// Returns (m, t, p, salt, nonce_arr, ct) on success.
+fn parse_envelope(envelope: &str) -> Result<EnvelopeComponents> {
     let parts: Vec<&str> = envelope.trim().split(';').collect();
     if parts.len() < 7 {
         debug!("Invalid envelope format: {:?}", parts);
@@ -480,40 +529,202 @@ fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
         .with_context(|| "missing nonce")?;
     let ct_b64 = parts[6].strip_prefix("ct=").with_context(|| "missing ct")?;
 
-    let mut salt = B64.decode(salt_b64).with_context(|| "bad salt b64")?;
+    let salt = B64.decode(salt_b64).with_context(|| "bad salt b64")?;
-    let mut nonce_bytes = B64.decode(nonce_b64).with_context(|| "bad nonce b64")?;
+    let nonce_bytes = B64.decode(nonce_b64).with_context(|| "bad nonce b64")?;
-    let mut ct = B64.decode(ct_b64).with_context(|| "bad ct b64")?;
+    let ct = B64.decode(ct_b64).with_context(|| "bad ct b64")?;
 
-    if salt.len() != SALT_LEN || nonce_bytes.len() != NONCE_LEN {
+    if nonce_bytes.len() != NONCE_LEN {
-        debug!(
+        debug!("Nonce length mismatch: {}", nonce_bytes.len());
-            "Salt/nonce length mismatch: salt {}, nonce {}",
+        bail!("nonce length mismatch");
-            salt.len(),
-            nonce_bytes.len()
-        );
-        bail!("salt/nonce length mismatch");
     }
 
-    let key = derive_key_with_params(password, &salt, m, t, p)?;
+    let nonce_arr: [u8; NONCE_LEN] = nonce_bytes
+        .try_into()
+        .map_err(|_| anyhow!("invalid nonce length"))?;
+
+    Ok((m, t, p, salt, nonce_arr, ct))
+}
+
+fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
+    if password.expose_secret().is_empty() {
+        bail!("password cannot be empty");
+    }
+
+    let (m, t, p, mut salt, mut nonce_arr, mut ct) = parse_envelope(envelope)?;
+    let nonce: XNonce = nonce_arr.into();
+
+    let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
+
+    let mut key = derive_key_with_params(password, &salt, m, t, p)?;
     let cipher = XChaCha20Poly1305::new(&key);
-    let aad = format!("{};{}", HEADER, VERSION);
-    let nonce = XNonce::from_slice(&nonce_bytes);
-
-    let pt = cipher
-        .decrypt(
-            nonce,
-            chacha20poly1305::aead::Payload {
-                msg: &ct,
-                aad: aad.as_bytes(),
-            },
-        )
-        .map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?;
 
+    if let Ok(pt) = try_decrypt(&cipher, &nonce, &ct, aad_current.as_bytes()) {
+        let s = String::from_utf8(pt.clone()).with_context(|| "plaintext not valid UTF-8")?;
+        key.zeroize();
         salt.zeroize();
-    nonce_bytes.zeroize();
+        nonce_arr.zeroize();
+        ct.zeroize();
+        return Ok(s);
+    }
+
+    key.zeroize();
+    salt.zeroize();
+    nonce_arr.zeroize();
     ct.zeroize();
 
-    let s = String::from_utf8(pt).with_context(|| "plaintext not valid UTF-8")?;
+    // TODO: Remove once all users have migrated their local vaults
-    Ok(s)
+    if let Ok(plaintext) = legacy::decrypt_string_legacy(password, envelope) {
+        return Ok(plaintext);
+    }
+
+    bail!("decryption failed (wrong password or corrupted data)")
+}
+
+// TODO: Remove this entire module once all users have migrated their vaults.
+mod legacy {
+    use super::*;
+
+    fn legacy_aad() -> String {
+        format!("{};{}", HEADER, VERSION)
+    }
+
+    pub fn decrypt_string_legacy(password: &SecretString, envelope: &str) -> Result<String> {
+        if password.expose_secret().is_empty() {
+            bail!("password cannot be empty");
+        }
+
+        let (m, t, p, mut salt, mut nonce_arr, mut ct) = parse_envelope(envelope)?;
+        let nonce: XNonce = nonce_arr.into();
+        let aad = legacy_aad();
+
+        let mut key = derive_key_with_params(password, &salt, m, t, p)?;
+        let cipher = XChaCha20Poly1305::new(&key);
+
+        if let Ok(pt) = try_decrypt(&cipher, &nonce, &ct, aad.as_bytes()) {
+            let s = String::from_utf8(pt.clone()).with_context(|| "plaintext not valid UTF-8")?;
+            key.zeroize();
+            salt.zeroize();
+            nonce_arr.zeroize();
+            ct.zeroize();
+            return Ok(s);
+        }
+
+        key.zeroize();
+
+        let mut zeros_key: Key = [0u8; KEY_LEN].into();
+        let zeros_cipher = XChaCha20Poly1305::new(&zeros_key);
+
+        if let Ok(pt) = try_decrypt(&zeros_cipher, &nonce, &ct, aad.as_bytes()) {
+            debug!("Decrypted using legacy all-zeros key - secret needs migration");
+            let s = String::from_utf8(pt.clone()).with_context(|| "plaintext not valid UTF-8")?;
+            zeros_key.zeroize();
+            salt.zeroize();
+            nonce_arr.zeroize();
+            ct.zeroize();
+            return Ok(s);
+        }
+
+        zeros_key.zeroize();
+        salt.zeroize();
+        nonce_arr.zeroize();
+        ct.zeroize();
+
+        bail!("legacy decryption failed")
+    }
+
+    pub fn is_current_format(password: &SecretString, envelope: &str) -> Result<bool> {
+        if password.expose_secret().is_empty() {
+            bail!("password cannot be empty");
+        }
+
+        let (m, t, p, salt, nonce_arr, ct) = parse_envelope(envelope)?;
+        let nonce: XNonce = nonce_arr.into();
+
+        let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
+        let key = derive_key_with_params(password, &salt, m, t, p)?;
+        let cipher = XChaCha20Poly1305::new(&key);
+
+        Ok(try_decrypt(&cipher, &nonce, &ct, aad_current.as_bytes()).is_ok())
+    }
+}
+
+// TODO: Remove once all users have migrated their local vaults
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum SecretStatus {
+    Current,
+    NeedsMigration,
+}
+
+// TODO: Remove once all users have migrated their local vaults
+#[derive(Debug)]
+pub struct MigrationResult {
+    pub total: usize,
+    pub migrated: usize,
+    pub already_current: usize,
+    pub failed: Vec<(String, String)>,
+}
+
+impl LocalProvider {
+    // TODO: Remove once all users have migrated their local vaults
+    pub async fn migrate_vault(&self) -> Result<MigrationResult> {
+        let vault_path = self.active_vault_path()?;
+        let vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
+
+        if vault.is_empty() {
+            return Ok(MigrationResult {
+                total: 0,
+                migrated: 0,
+                already_current: 0,
+                failed: vec![],
+            });
+        }
+
+        let password = self.get_password()?;
+        let mut migrated_vault = HashMap::new();
+        let mut migrated_count = 0;
+        let mut already_current_count = 0;
+        let mut failed = vec![];
+
+        for (key, envelope) in &vault {
+            match legacy::is_current_format(&password, envelope) {
+                Ok(true) => {
+                    migrated_vault.insert(key.clone(), envelope.clone());
+                    already_current_count += 1;
+                }
+                Ok(false) => match decrypt_string(&password, envelope) {
+                    Ok(plaintext) => match encrypt_string(&password, &plaintext) {
+                        Ok(new_envelope) => {
+                            migrated_vault.insert(key.clone(), new_envelope);
+                            migrated_count += 1;
+                        }
+                        Err(e) => {
+                            failed.push((key.clone(), format!("re-encryption failed: {}", e)));
+                            migrated_vault.insert(key.clone(), envelope.clone());
+                        }
+                    },
+                    Err(e) => {
+                        failed.push((key.clone(), format!("decryption failed: {}", e)));
+                        migrated_vault.insert(key.clone(), envelope.clone());
+                    }
+                },
+                Err(e) => {
+                    failed.push((key.clone(), format!("status check failed: {}", e)));
+                    migrated_vault.insert(key.clone(), envelope.clone());
+                }
+            }
+        }
+
+        if migrated_count > 0 {
+            store_vault(&vault_path, &migrated_vault)?;
+        }
+
+        Ok(MigrationResult {
+            total: vault.len(),
+            migrated: migrated_count,
+            already_current: already_current_count,
+            failed,
+        })
+    }
 }
 
 #[cfg(test)]
@@ -529,7 +740,7 @@ mod tests {
         let password = SecretString::new("test_password".to_string().into());
         let salt = [0u8; 16];
         let key = derive_key(&password, &salt).unwrap();
-        assert_eq!(key.as_slice().len(), 32);
+        assert_eq!(key.len(), 32);
     }
 
     #[test]
@@ -537,7 +748,7 @@ mod tests {
         let password = SecretString::new("test_password".to_string().into());
         let salt = [0u8; 16];
         let key = derive_key_with_params(&password, &salt, 10, 1, 1).unwrap();
-        assert_eq!(key.as_slice().len(), 32);
+        assert_eq!(key.len(), 32);
     }
 
     #[test]
@@ -550,6 +761,40 @@ mod tests {
     }
 
     #[test]
+    #[cfg(unix)]
+    fn get_password_reads_password_file() {
+        use std::os::unix::fs::PermissionsExt;
+        let dir = tempdir().unwrap();
+        let file = dir.path().join("pw.txt");
+        fs::write(&file, "secretpw\n").unwrap();
+        fs::set_permissions(&file, fs::Permissions::from_mode(0o600)).unwrap();
+        let provider = LocalProvider {
+            password_file: Some(file),
+            runtime_provider_name: None,
+            ..LocalProvider::default()
+        };
+        let pw = provider.get_password().unwrap();
+        assert_eq!(pw.expose_secret(), "secretpw");
+    }
+
+    #[test]
+    #[cfg(unix)]
+    fn get_password_rejects_insecure_file() {
+        use std::os::unix::fs::PermissionsExt;
+        let dir = tempdir().unwrap();
+        let file = dir.path().join("pw.txt");
+        fs::write(&file, "secretpw\n").unwrap();
+        fs::set_permissions(&file, fs::Permissions::from_mode(0o644)).unwrap();
+        let provider = LocalProvider {
+            password_file: Some(file),
+            runtime_provider_name: None,
+            ..LocalProvider::default()
+        };
+        assert!(provider.get_password().is_err());
+    }
+
+    #[test]
+    #[cfg(not(unix))]
     fn get_password_reads_password_file() {
         let dir = tempdir().unwrap();
         let file = dir.path().join("pw.txt");

src/providers/mod.rs

@@ -8,9 +8,11 @@ pub mod gcp_secret_manager;
 mod git_sync;
 pub mod gopass;
 pub mod local;
+pub mod one_password;
 
 use crate::providers::gopass::GopassProvider;
 use crate::providers::local::LocalProvider;
+use crate::providers::one_password::OnePasswordProvider;
 use anyhow::{Context, Result, anyhow};
 use aws_secrets_manager::AwsSecretsManagerProvider;
 use azure_key_vault::AzureKeyVaultProvider;
@@ -76,6 +78,10 @@ pub enum SupportedProvider {
         #[serde(flatten)]
         provider_def: GopassProvider,
     },
+    OnePassword {
+        #[serde(flatten)]
+        provider_def: OnePasswordProvider,
+    },
 }
 
 impl Validate for SupportedProvider {
@@ -86,6 +92,7 @@ impl Validate for SupportedProvider {
             SupportedProvider::GcpSecretManager { provider_def } => provider_def.validate(),
             SupportedProvider::AzureKeyVault { provider_def } => provider_def.validate(),
             SupportedProvider::Gopass { provider_def } => provider_def.validate(),
+            SupportedProvider::OnePassword { provider_def } => provider_def.validate(),
         }
     }
 }
@@ -106,6 +113,7 @@ impl Display for SupportedProvider {
             SupportedProvider::GcpSecretManager { .. } => write!(f, "gcp_secret_manager"),
             SupportedProvider::AzureKeyVault { .. } => write!(f, "azure_key_vault"),
             SupportedProvider::Gopass { .. } => write!(f, "gopass"),
+            SupportedProvider::OnePassword { .. } => write!(f, "one_password"),
         }
     }
 }

src/providers/one_password.rs

@@ -0,0 +1,199 @@
+use crate::providers::{ENV_PATH, SecretProvider};
+use anyhow::{Context, Result, anyhow};
+use serde::{Deserialize, Serialize};
+use serde_with::skip_serializing_none;
+use std::io::Read;
+use std::process::{Command, Stdio};
+use validator::Validate;
+
+#[skip_serializing_none]
+/// 1Password-based secret provider.
+/// See [1Password CLI](https://developer.1password.com/docs/cli/) for more
+/// information.
+///
+/// You must already have the 1Password CLI (`op`) installed and configured
+/// on your system.
+///
+/// This provider stores secrets as 1Password Password items. It requires
+/// an optional vault name and an optional account identifier to be specified.
+/// If no vault is specified, the user's default vault is used. If no account
+/// is specified, the default signed-in account is used.
+///
+/// Example
+/// ```no_run
+/// use gman::providers::one_password::OnePasswordProvider;
+/// use gman::providers::{SecretProvider, SupportedProvider};
+/// use gman::config::Config;
+///
+/// let provider = OnePasswordProvider::default();
+/// let _ = provider.set_secret("MY_SECRET", "value");
+/// ```
+#[derive(Debug, Default, Clone, Validate, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(deny_unknown_fields)]
+pub struct OnePasswordProvider {
+    pub vault: Option<String>,
+    pub account: Option<String>,
+}
+
+impl OnePasswordProvider {
+    fn base_command(&self) -> Command {
+        let mut cmd = Command::new("op");
+        cmd.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"));
+        if let Some(account) = &self.account {
+            cmd.args(["--account", account]);
+        }
+        cmd
+    }
+
+    fn vault_args(&self) -> Vec<&str> {
+        match &self.vault {
+            Some(vault) => vec!["--vault", vault],
+            None => vec![],
+        }
+    }
+}
+
+#[async_trait::async_trait]
+impl SecretProvider for OnePasswordProvider {
+    fn name(&self) -> &'static str {
+        "OnePasswordProvider"
+    }
+
+    async fn get_secret(&self, key: &str) -> Result<String> {
+        ensure_op_installed()?;
+
+        let mut cmd = self.base_command();
+        cmd.args(["item", "get", key, "--fields", "password", "--reveal"]);
+        cmd.args(self.vault_args());
+        cmd.stdin(Stdio::inherit())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::inherit());
+
+        let mut child = cmd.spawn().context("Failed to spawn op command")?;
+
+        let mut output = String::new();
+        child
+            .stdout
+            .as_mut()
+            .expect("Failed to open op stdout")
+            .read_to_string(&mut output)
+            .context("Failed to read op output")?;
+
+        let status = child.wait().context("Failed to wait on op process")?;
+        if !status.success() {
+            return Err(anyhow!("op command failed with status: {}", status));
+        }
+
+        Ok(output.trim_end_matches(&['\r', '\n'][..]).to_string())
+    }
+
+    async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
+        ensure_op_installed()?;
+
+        let mut cmd = self.base_command();
+        cmd.args(["item", "create", "--category", "password", "--title", key]);
+        cmd.args(self.vault_args());
+        cmd.arg(format!("password={}", value));
+        cmd.stdin(Stdio::inherit())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::inherit());
+
+        let mut child = cmd.spawn().context("Failed to spawn op command")?;
+
+        let status = child.wait().context("Failed to wait on op process")?;
+        if !status.success() {
+            return Err(anyhow!("op command failed with status: {}", status));
+        }
+
+        Ok(())
+    }
+
+    async fn update_secret(&self, key: &str, value: &str) -> Result<()> {
+        ensure_op_installed()?;
+
+        let mut cmd = self.base_command();
+        cmd.args(["item", "edit", key]);
+        cmd.args(self.vault_args());
+        cmd.arg(format!("password={}", value));
+        cmd.stdin(Stdio::inherit())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::inherit());
+
+        let mut child = cmd.spawn().context("Failed to spawn op command")?;
+
+        let status = child.wait().context("Failed to wait on op process")?;
+        if !status.success() {
+            return Err(anyhow!("op command failed with status: {}", status));
+        }
+
+        Ok(())
+    }
+
+    async fn delete_secret(&self, key: &str) -> Result<()> {
+        ensure_op_installed()?;
+
+        let mut cmd = self.base_command();
+        cmd.args(["item", "delete", key]);
+        cmd.args(self.vault_args());
+        cmd.stdin(Stdio::inherit())
+            .stdout(Stdio::inherit())
+            .stderr(Stdio::inherit());
+
+        let mut child = cmd.spawn().context("Failed to spawn op command")?;
+
+        let status = child.wait().context("Failed to wait on op process")?;
+        if !status.success() {
+            return Err(anyhow!("op command failed with status: {}", status));
+        }
+
+        Ok(())
+    }
+
+    async fn list_secrets(&self) -> Result<Vec<String>> {
+        ensure_op_installed()?;
+
+        let mut cmd = self.base_command();
+        cmd.args(["item", "list", "--format", "json"]);
+        cmd.args(self.vault_args());
+        cmd.stdin(Stdio::inherit())
+            .stdout(Stdio::piped())
+            .stderr(Stdio::inherit());
+
+        let mut child = cmd.spawn().context("Failed to spawn op command")?;
+
+        let mut output = String::new();
+        child
+            .stdout
+            .as_mut()
+            .expect("Failed to open op stdout")
+            .read_to_string(&mut output)
+            .context("Failed to read op output")?;
+
+        let status = child.wait().context("Failed to wait on op process")?;
+        if !status.success() {
+            return Err(anyhow!("op command failed with status: {}", status));
+        }
+
+        let items: Vec<serde_json::Value> =
+            serde_json::from_str(&output).context("Failed to parse op item list JSON output")?;
+
+        let secrets: Vec<String> = items
+            .iter()
+            .filter_map(|item| item.get("title").and_then(|t| t.as_str()))
+            .map(|s| s.to_string())
+            .collect();
+
+        Ok(secrets)
+    }
+}
+
+fn ensure_op_installed() -> Result<()> {
+    if which::which("op").is_err() {
+        Err(anyhow!(
+            "1Password CLI (op) is not installed or not found in PATH. \
+             Please install it from https://developer.1password.com/docs/cli/get-started/"
+        ))
+    } else {
+        Ok(())
+    }
+}

tests/bin/cli_tests.rs

@@ -1,3 +1,8 @@
+//! CLI integration tests that execute the gman binary.
+//!
+//! These tests are skipped when cross-compiling because the compiled binary
+//! cannot be executed on a different architecture (e.g., ARM64 binary on x86_64 host).
+
 use assert_cmd::prelude::*;
 use predicates::prelude::*;
 use std::fs;
@@ -7,6 +12,20 @@ use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
 use tempfile::TempDir;
 
+fn gman_bin() -> PathBuf {
+    PathBuf::from(env!("CARGO_BIN_EXE_gman"))
+}
+
+/// Check if the gman binary can be executed on this system.
+/// Returns false when cross-compiling (e.g., ARM64 binary on x86_64 host).
+fn can_execute_binary() -> bool {
+    Command::new(gman_bin())
+        .arg("--version")
+        .output()
+        .map(|o| o.status.success())
+        .unwrap_or(false)
+}
+
 fn setup_env() -> (TempDir, PathBuf, PathBuf) {
     let td = tempfile::tempdir().expect("tempdir");
     let cfg_home = td.path().join("config");
@@ -46,27 +65,38 @@ providers:
             password_file.display()
         )
     };
-    // Confy with yaml feature typically uses .yml; write both to be safe.
     fs::write(app_dir.join("config.yml"), &cfg).unwrap();
     fs::write(app_dir.join("config.yaml"), &cfg).unwrap();
 }
 
+fn create_password_file(path: &Path, content: &[u8]) {
+    fs::write(path, content).unwrap();
+    #[cfg(unix)]
+    {
+        fs::set_permissions(path, fs::Permissions::from_mode(0o600)).unwrap();
+    }
+}
+
 #[test]
 #[cfg(unix)]
 fn cli_config_no_changes() {
+    if !can_execute_binary() {
+        eprintln!("Skipping test: cannot execute cross-compiled binary");
+        return;
+    }
+
     let (td, xdg_cfg, xdg_cache) = setup_env();
     let pw_file = td.path().join("pw.txt");
-    fs::write(&pw_file, b"pw\n").unwrap();
+    create_password_file(&pw_file, b"pw\n");
     write_yaml_config(&xdg_cfg, &pw_file, None);
 
-    // Create a no-op editor script that exits successfully without modifying the file
     let editor = td.path().join("noop-editor.sh");
     fs::write(&editor, b"#!/bin/sh\nexit 0\n").unwrap();
     let mut perms = fs::metadata(&editor).unwrap().permissions();
     perms.set_mode(0o755);
     fs::set_permissions(&editor, perms).unwrap();
 
-    let mut cmd = Command::cargo_bin("gman").unwrap();
+    let mut cmd = Command::new(gman_bin());
     cmd.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .env("EDITOR", &editor)
@@ -80,15 +110,23 @@ fn cli_config_no_changes() {
 #[test]
 #[cfg(unix)]
 fn cli_config_updates_and_persists() {
+    if !can_execute_binary() {
+        eprintln!("Skipping test: cannot execute cross-compiled binary");
+        return;
+    }
+
     let (td, xdg_cfg, xdg_cache) = setup_env();
     let pw_file = td.path().join("pw.txt");
-    fs::write(&pw_file, b"pw\n").unwrap();
+    create_password_file(&pw_file, b"pw\n");
     write_yaml_config(&xdg_cfg, &pw_file, None);
 
-    // Editor script appends a valid run_configs section to the YAML file
     let editor = td.path().join("append-run-config.sh");
+    // Note: We need a small sleep to ensure the file modification timestamp changes.
+    // The dialoguer Editor uses file modification time to detect changes, and on fast
+    // systems the edit can complete within the same timestamp granularity.
     let script = r#"#!/bin/sh
 FILE="$1"
+sleep 0.1
 cat >> "$FILE" <<'EOF'
 run_configs:
   - name: echo
@@ -101,7 +139,7 @@ exit 0
     perms.set_mode(0o755);
     fs::set_permissions(&editor, perms).unwrap();
 
-    let mut cmd = Command::cargo_bin("gman").unwrap();
+    let mut cmd = Command::new(gman_bin());
     cmd.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .env("EDITOR", &editor)
@@ -111,7 +149,6 @@ exit 0
         "Configuration updated successfully",
     ));
 
-    // Verify that the config file now contains the run_configs key
     let cfg_path = xdg_cfg.join("gman").join("config.yml");
     let written = fs::read_to_string(&cfg_path).expect("config file readable");
     assert!(written.contains("run_configs:"));
@@ -120,8 +157,13 @@ exit 0
 
 #[test]
 fn cli_shows_help() {
+    if !can_execute_binary() {
+        eprintln!("Skipping test: cannot execute cross-compiled binary");
+        return;
+    }
+
     let (_td, cfg, cache) = setup_env();
-    let mut cmd = Command::cargo_bin("gman").unwrap();
+    let mut cmd = Command::new(gman_bin());
     cmd.env("XDG_CACHE_HOME", &cache)
         .env("XDG_CONFIG_HOME", &cfg)
         .arg("--help");
@@ -132,13 +174,17 @@ fn cli_shows_help() {
 
 #[test]
 fn cli_add_get_list_update_delete_roundtrip() {
+    if !can_execute_binary() {
+        eprintln!("Skipping test: cannot execute cross-compiled binary");
+        return;
+    }
+
     let (td, xdg_cfg, xdg_cache) = setup_env();
     let pw_file = td.path().join("pw.txt");
-    fs::write(&pw_file, b"testpw\n").unwrap();
+    create_password_file(&pw_file, b"testpw\n");
     write_yaml_config(&xdg_cfg, &pw_file, None);
 
-    // add
+    let mut add = Command::new(gman_bin());
-    let mut add = Command::cargo_bin("gman").unwrap();
     add.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .stdin(Stdio::piped())
@@ -154,8 +200,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
     let add_out = child.wait_with_output().unwrap();
     assert!(add_out.status.success());
 
-    // get (text)
+    let mut get = Command::new(gman_bin());
-    let mut get = Command::cargo_bin("gman").unwrap();
     get.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .args(["get", "my_api_key"]);
@@ -163,8 +208,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
         .success()
         .stdout(predicate::str::contains("super_secret"));
 
-    // get as JSON
+    let mut get_json = Command::new(gman_bin());
-    let mut get_json = Command::cargo_bin("gman").unwrap();
     get_json
         .env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
@@ -173,8 +217,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
         predicate::str::contains("my_api_key").and(predicate::str::contains("super_secret")),
     );
 
-    // list
+    let mut list = Command::new(gman_bin());
-    let mut list = Command::cargo_bin("gman").unwrap();
     list.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .arg("list");
@@ -182,8 +225,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
         .success()
         .stdout(predicate::str::contains("my_api_key"));
 
-    // update
+    let mut update = Command::new(gman_bin());
-    let mut update = Command::cargo_bin("gman").unwrap();
     update
         .env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
@@ -199,8 +241,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
     let upd_out = child.wait_with_output().unwrap();
     assert!(upd_out.status.success());
 
-    // get again
+    let mut get2 = Command::new(gman_bin());
-    let mut get2 = Command::cargo_bin("gman").unwrap();
     get2.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .args(["get", "my_api_key"]);
@@ -208,15 +249,13 @@ fn cli_add_get_list_update_delete_roundtrip() {
         .success()
         .stdout(predicate::str::contains("new_val"));
 
-    // delete
+    let mut del = Command::new(gman_bin());
-    let mut del = Command::cargo_bin("gman").unwrap();
     del.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .args(["delete", "my_api_key"]);
     del.assert().success();
 
-    // get should now fail
+    let mut get_missing = Command::new(gman_bin());
-    let mut get_missing = Command::cargo_bin("gman").unwrap();
     get_missing
         .env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
@@ -226,13 +265,17 @@ fn cli_add_get_list_update_delete_roundtrip() {
 
 #[test]
 fn cli_wrap_dry_run_env_injection() {
+    if !can_execute_binary() {
+        eprintln!("Skipping test: cannot execute cross-compiled binary");
+        return;
+    }
+
     let (td, xdg_cfg, xdg_cache) = setup_env();
     let pw_file = td.path().join("pw.txt");
-    fs::write(&pw_file, b"pw\n").unwrap();
+    create_password_file(&pw_file, b"pw\n");
     write_yaml_config(&xdg_cfg, &pw_file, Some("echo"));
 
-    // Add the secret so the profile can read it
+    let mut add = Command::new(gman_bin());
-    let mut add = Command::cargo_bin("gman").unwrap();
     add.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .stdin(Stdio::piped())
@@ -243,8 +286,7 @@ fn cli_wrap_dry_run_env_injection() {
     let add_out = child.wait_with_output().unwrap();
     assert!(add_out.status.success());
 
-    // Dry-run wrapping: prints preview command
+    let mut wrap = Command::new(gman_bin());
-    let mut wrap = Command::cargo_bin("gman").unwrap();
     wrap.env("XDG_CONFIG_HOME", &xdg_cfg)
         .env("XDG_CACHE_HOME", &xdg_cache)
         .arg("--dry-run")

tests/prop_crypto.proptest-regressions

@@ -0,0 +1,8 @@
+# Seeds for failure cases proptest has generated in the past. It is
+# automatically read and these particular cases re-run before any
+# novel cases are generated.
+#
+# It is recommended to check this file in to source control so that
+# everyone who runs the test benefits from these saved cases.
+cc 155469a45d7311cd4003e23a3bcdaa8e55879e6222c1b6313a2b1f0b563bb195 # shrinks to password = "", msg = " "
+cc 0bc9f608677234c082d10ff51b15dc39b4c194cdf920b4d87e553467c93824ed # shrinks to password = "", msg = ""

tests/prop_crypto.rs

@@ -1,15 +1,15 @@
 use base64::Engine;
 use gman::{decrypt_string, encrypt_string};
 use proptest::prelude::*;
-
-proptest! {
-    #![proptest_config(ProptestConfig::with_cases(64))]
-}
 use secrecy::SecretString;
 
 proptest! {
+    // Reduced case count because Argon2 key derivation is intentionally slow
+    // (65 MiB memory, 3 iterations per encryption/decryption)
+    #![proptest_config(ProptestConfig::with_cases(4))]
+
     #[test]
-    fn prop_encrypt_decrypt_roundtrip(password in ".{0,64}", msg in ".{0,512}") {
+    fn prop_encrypt_decrypt_roundtrip(password in ".{1,64}", msg in ".{0,512}") {
         let pw = SecretString::new(password.into());
         let env = encrypt_string(pw.clone(), &msg).unwrap();
         let out = decrypt_string(pw, &env).unwrap();
@@ -18,10 +18,9 @@ proptest! {
     }
 
     #[test]
-    fn prop_tamper_ciphertext_detected(password in ".{0,32}", msg in ".{1,128}") {
+    fn prop_tamper_ciphertext_detected(password in ".{1,32}", msg in ".{1,128}") {
         let pw = SecretString::new(password.into());
         let env = encrypt_string(pw.clone(), &msg).unwrap();
-        // Flip a bit in the ct payload segment
         let mut parts: Vec<&str> = env.split(';').collect();
         let ct_b64 = parts[6].strip_prefix("ct=").unwrap();
         let mut ct = base64::engine::general_purpose::STANDARD.decode(ct_b64).unwrap();

tests/providers/mod.rs

@@ -3,4 +3,5 @@ mod azure_key_vault_tests;
 mod gcp_secret_manager_tests;
 mod gopass_tests;
 mod local_tests;
+mod one_password_tests;
 mod provider_tests;

tests/providers/one_password_tests.rs

@@ -0,0 +1,113 @@
+use gman::config::{Config, ProviderConfig};
+use gman::providers::{SecretProvider, SupportedProvider};
+use pretty_assertions::{assert_eq, assert_str_eq};
+use validator::Validate;
+
+#[test]
+fn test_one_password_supported_provider_display_and_validate_from_yaml() {
+    let yaml = r#"---
+type: one_password
+vault: Production
+account: my.1password.com
+"#;
+
+    let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
+    assert!(sp.validate().is_ok());
+    assert_eq!(sp.to_string(), "one_password");
+}
+
+#[test]
+fn test_one_password_supported_provider_minimal_yaml() {
+    let yaml = r#"---
+type: one_password
+"#;
+
+    let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
+    assert!(sp.validate().is_ok());
+    assert_eq!(sp.to_string(), "one_password");
+}
+
+#[test]
+fn test_one_password_supported_provider_vault_only() {
+    let yaml = r#"---
+type: one_password
+vault: Personal
+"#;
+
+    let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
+    assert!(sp.validate().is_ok());
+}
+
+#[test]
+fn test_one_password_supported_provider_account_only() {
+    let yaml = r#"---
+type: one_password
+account: team.1password.com
+"#;
+
+    let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
+    assert!(sp.validate().is_ok());
+}
+
+#[test]
+fn test_one_password_supported_provider_rejects_unknown_fields() {
+    let yaml = r#"---
+type: one_password
+vault: Production
+unknown_field: bad
+"#;
+
+    let result: Result<SupportedProvider, _> = serde_yaml::from_str(yaml);
+    assert!(result.is_err());
+}
+
+#[test]
+fn test_provider_config_with_one_password_deserialize_and_extract() {
+    let yaml = r#"---
+name: op
+type: one_password
+"#;
+
+    let pc: ProviderConfig = serde_yaml::from_str(yaml).expect("valid provider config yaml");
+    assert!(pc.validate().is_ok());
+
+    let mut pc_owned = pc.clone();
+    let provider: &mut dyn SecretProvider = pc_owned.extract_provider();
+    assert_str_eq!(provider.name(), "OnePasswordProvider");
+
+    let cfg_yaml = r#"---
+default_provider: op
+providers:
+  - name: op
+    type: one_password
+    vault: Production
+    account: my.1password.com
+"#;
+    let cfg: Config = serde_yaml::from_str(cfg_yaml).expect("valid config yaml");
+    assert!(cfg.validate().is_ok());
+
+    let extracted = cfg
+        .extract_provider_config(None)
+        .expect("should find default provider");
+    assert_eq!(extracted.name.as_deref(), Some("op"));
+}
+
+#[test]
+fn test_one_password_config_with_multiple_providers() {
+    let cfg_yaml = r#"---
+default_provider: local
+providers:
+  - name: local
+    type: local
+  - name: op
+    type: one_password
+    vault: Production
+"#;
+    let cfg: Config = serde_yaml::from_str(cfg_yaml).expect("valid config yaml");
+    assert!(cfg.validate().is_ok());
+
+    let extracted = cfg
+        .extract_provider_config(Some("op".into()))
+        .expect("should find op provider");
+    assert_eq!(extracted.name.as_deref(), Some("op"));
+}