chore: major upgrade to v3.1 architecture (Go 1.25, Zero-Knowledge, TUI)

Author: kanywst

.github/workflows/quality.yml

@@ -0,0 +1,57 @@
+name: Quality & Security
+
+on:
+  push:
+    branches: [ "master", "main" ]
+  pull_request:
+    branches: [ "master", "main" ]
+
+jobs:
+  quality:
+    name: Code Quality
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.25'
+
+      - name: Install dependencies
+        run: sudo apt-get update && sudo apt-get install -y libsqlite3-dev
+
+      - name: Format Check
+        run: |
+          if [ -n "$(gofmt -l .)" ]; then
+            echo "Go code is not formatted:"
+            gofmt -d .
+            exit 1
+          fi
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Staticcheck
+        uses: dominikh/staticcheck-action@v1.3.0
+        with:
+          version: "latest"
+          install-go: false
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.25'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run Vulnerability Check
+        run: govulncheck ./...
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...

.github/workflows/test.yml

@@ -0,0 +1,29 @@
+name: Test and Build
+
+on:
+  push:
+    branches: [ "master", "main" ]
+  pull_request:
+    branches: [ "master", "main" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.25'
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y libsqlite3-dev
+
+    - name: Build
+      run: go build -v ./cmd/rapg/...
+
+    - name: Test
+      run: go test -v -race ./...

.gitignore

@@ -0,0 +1,43 @@
+# Binaries
+/rapg
+*.exe
+*.dll
+*.so
+*.dylib
+*.test
+
+# Output & Build
+/dist/
+coverage.out
+
+# OS Specific
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Editors / IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Go
+go.work
+go.work.sum
+vendor/
+
+# Project Specific
+# Local database (SQLite)
+*.db
+*.db-journal
+*.db-wal
+
+# Generated env files
+.env
+
+# User config directory (if created locally during dev)
+.rapg/

.goreleaser.yaml

@@ -0,0 +1,104 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - env:
+      - CGO_ENABLED=1
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/rapg/main.go
+    ldflags:
+      - -s -w
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of uname.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+    - goos: windows
+      format: zip
+
+checksum:
+  name_template: 'checksums.txt'
+
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - '^docs:'
+      - '^test:'
+
+brews:
+  -
+    name: rapg
+    
+    # GitHub/GitLab repository to push the formula to
+    repository:
+      owner: kanywst
+      name: homebrew-tap
+      token: "{{ .Env.TAP_GITHUB_TOKEN }}"
+
+    # Template for the url which is determined by the given Token (github, gitlab or gitea)
+    url_template: "https://github.com/kanywst/rapg/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+
+    # Git author used to commit to the repository.
+    # Defaults are shown.
+    commit_author:
+      name: goreleaserbot
+      email: goreleaser@carlosbecker.com
+
+    # The project name and current git tag are used in the format string.
+    commit_msg_template: "Brew formula update for {{ .ProjectName }} version {{ .Tag }}"
+
+    # Folder inside the repository to put the formula.
+    # Default is the root folder.
+    directory: Formula
+
+    # Your app's homepage.
+    # Default is empty.
+    homepage: "https://github.com/kanywst/rapg"
+
+    # Template of your app's description.
+    # Default is empty.
+    description: "The Developer-First Secret Manager."
+
+    # SPDX identifier of your app's license.
+    # Default is empty.
+    license: "MIT"
+
+    # Setting this will prevent goreleaser to actually try to commit the updated
+    # formula - instead, the formula file will be stored on the dist folder only,
+    # leaving the responsibility of publishing it to the user.
+    # If set to auto, the release will not be published to the homebrew tap if
+    # one of and Linux and macOS (darwin) builds are missing.
+    skip_upload: auto # Upload requires a real TAP repo, skipping for this demo context.
+
+    # So you can `brew test` your formula.
+    # Default is empty.
+    test: |
+      system "#{bin}/rapg gen --help"
+    
+    # Custom install script for brew.
+    # Default is 'bin.install "program"'.
+    install: |
+      bin.install "rapg"

GEMINI.md

@@ -0,0 +1,40 @@
+# GEMINI.md
+
+## Project Overview
+
+**Rapg** is a secure, developer-focused, TUI-based secret manager written in Go.
+It allows developers to manage secrets securely, inject them into processes without writing `.env` files to disk, and share encrypted secrets.
+
+## Architecture
+
+The project follows a standard Go project layout:
+
+- **`cmd/rapg/`**: Entry point. Contains `main.go` which uses `cobra` for CLI command handling and `bubble tea` for the TUI.
+- **`internal/`**: Private application code.
+    - **`core/`**: Business logic. Orchestrates interactions between the UI, storage, and crypto packages. Handles CSV import, auditing, and secret injection logic.
+    - **`crypto/`**: Cryptographic primitives.
+        - **AES-256-GCM** for data encryption.
+        - **Argon2id** for Key Derivation Function (KDF) from the master password.
+        - **SHA256** for key verification hashing.
+        - **TOTP** implementation via library.
+    - **`storage/`**: Persistence layer.
+        - Uses **SQLite** via **GORM**.
+        - Stores encrypted data (blob) and metadata (salt, validation hash).
+        - Local database location: `~/.rapg/rapg.db`.
+    - **`ui/`**: TUI implementation using **Bubble Tea** and **Lip Gloss**.
+
+## Key Concepts
+
+1.  **Zero-Knowledge Architecture:** The master password is never stored. A derived key (SessionKey) is kept in memory only while the application is running.
+2.  **Environment Injection:** `rapg run` decrypts secrets in memory and passes them directly to the child process environment, avoiding disk I/O for sensitive data.
+3.  **Local-First:** All data is stored locally in an SQLite database.
+
+## Development Workflow
+
+1.  **Build:** `go build -v ./cmd/rapg/...`
+2.  **Test:** `go test -v ./...`
+3.  **Run:** `go run cmd/rapg/main.go`
+
+## Security Details
+
+See `TECH.md` for detailed security specifications, including encryption modes and standards compliance.

Makefile

@@ -1,34 +1,12 @@
-.DEFAULT_GOAL := help
+.PHONY: build run clean
 
-ifeq ($(GOPATH),)
-	GOPATH := $(shell pwd)
-endif
+build:
+	go build -o rapg cmd/rapg/main.go
 
-export GOPATH
+run:
+	go run cmd/rapg/main.go
 
-BIN_NAME := ra
-
-.PHONY: help
-help:
-	@echo "Usage: make [target]"
-	@echo ""
-	@echo "Targets:"
-	@echo "  build-mac       Build for macOS"
-	@echo "  build-linux     Build for Linux"
-	@echo "  clean           Clean build artifacts"
-	@echo "  help            Show this help message"
-
-.PHONY: build-mac
-build-mac:
-	@echo "Building for macOS..."
-	GOOS=darwin GOARCH=amd64 go build -o ${GOPATH}/$(BIN_NAME) cmd/rapg/main.go
-
-.PHONY: build-linux
-build-linux:
-	@echo "Building for Linux..."
-	GOOS=linux GOARCH=amd64 go build -o $(GOPATH)/$(BIN_NAME).linux cmd/rapg/main.go
-
-.PHONY: clean
 clean:
-	@echo "Cleaning build artifacts..."
-	rm -rf $(GOPATH)
+	rm -f rapg
+	rm -rf dist/
+	rm -f coverage.out