fix(keys): KeysExist must respect WithKeyParts #2
Merged
Background
----------
Vault delivers only the Encryption-side material (EncKey) to clients via
the agent manifest — Eval/Sec stay inside Vault for FHE evaluation and
re-encryption. A consumer reading that bundle calls
`OpenKeysFromFile(WithKeyPath(...), ..., WithKeyParts(KeyPartEnc))`.
OpenKeysFromFile begins with a `KeysExist(opts...)` gate; if it returns
false, the open fails fast with ErrKeysNotFound.
Bug
---
KeysExist walked all three slots (Enc / Eval / Sec) unconditionally,
ignoring the caller's WithKeyParts. So the Vault-delivered Enc-only
bundle was rejected even when the caller had explicitly said "I only
need Enc".
Reproducer (the path the rune-mcp boot loop hit on first GetAgentManifest):
```go
// inside a testing.T test function; only EncKey.json is written, as Vault delivers it
dir := t.TempDir()
if err := os.WriteFile(filepath.Join(dir, "EncKey.json"), []byte("{}"), 0o600); err != nil {
	t.Fatal(err)
}
ok := KeysExist(
	WithKeyPath(dir),
	WithKeyID("k"), WithKeyDim(1024),
	WithKeyParts(KeyPartEnc),
)
// pre-fix: ok == false → bundle rejected
// fixed:   ok == true  → bundle accepted
```
Fix
---
KeysExist now resolves the requested KeyParts via the same helper
OpenKeysFromFile uses (resolveKeyParts) and only checks the slots the
caller actually requested. Default behavior (no WithKeyParts) is
preserved: resolveKeyParts returns enc=true,eval=true,sec=true, so a
bare KeysExist(WithKeyPath(...)) still requires all three.
Tests
-----
TestKeysExist_PartsAware covers:
- enc-only dir + WithKeyParts(KeyPartEnc) → true (Vault use case)
- enc-only dir + default parts → false (backward compat)
- enc-only dir + WithKeyParts(KeyPartEval) → false (other parts still missing)
Existing TestKeysExist_FalseWhenEmpty / TestGenerateKeys_CreatesAllThreeFiles
keep their prior expectations — both are exercised through the same
resolveKeyParts code path now.
Discovered while wiring rune-mcp v0.4 (Go port) against Vault's
GetAgentManifest flow; the boot loop's envector adapter opens keys with
KeyPartEnc only and was bouncing on this gate every retry.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Found in the following situation.
Vault.GetAgentManifest call → envector.OpenKeysFromFile(..., WithKeyParts(KeyPartEnc)) → if !KeysExist(opts...) { return ErrKeysNotFound }
↓
Before the fix
KeysExist checks all of EncKey + EvalKey + SecKey → EvalKey/SecKey are kept by Vault → not present in the user's dir
→ false → ErrKeysNotFound
→ boot loop bootRetry → retries forever
→ never reaches state Active
After the fix
KeysExist checks only EncKey, following WithKeyParts(KeyPartEnc) → EncKey.json is in our dir → true
→ OpenKeysFromFile proceeds → completes normally
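The parts-aware gate described in the PR's Fix section and in the before/after flow above, as an added stand-alone example (not envector's or rune-mcp's own code). It reconstructs the functional-option API from the names the PR uses (KeysExist, OpenKeysFromFile, WithKeyPath/WithKeyID/WithKeyDim/WithKeyParts, KeyPartEnc, resolveKeyParts, ErrKeysNotFound) and places the pre-fix gate beside the fixed one so the Enc-only Vault bundle can be run through both. Assumptions: KeyPart is a bitmask that can be combined (KeyPartEnc|KeyPartEval), the Eval/Sec slot files are named EvalKey.json and SecKey.json (only EncKey.json appears on the page), and OpenKeysFromFile is reduced to its gate; the on-disk bundle is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// KeyPart is a bitmask of key slots the caller needs.
// Bitmask composition (KeyPartEnc|KeyPartEval) is an assumption of this example.
type KeyPart uint8

const (
	KeyPartEnc KeyPart = 1 << iota
	KeyPartEval
	KeyPartSec
)

// slotFiles maps each slot to its on-disk name. EncKey.json is from the PR;
// EvalKey.json and SecKey.json are assumed names.
var slotFiles = []struct {
	part KeyPart
	name string
}{{KeyPartEnc, "EncKey.json"}, {KeyPartEval, "EvalKey.json"}, {KeyPartSec, "SecKey.json"}}

// ErrKeysNotFound is what OpenKeysFromFile returns when the KeysExist gate fails.
var ErrKeysNotFound = errors.New("envector: keys not found")

// keyOptions collects the functional options; parts == 0 means "not specified".
type keyOptions struct {
	path  string
	id    string
	dim   int
	parts KeyPart
}

type KeyOption func(*keyOptions)

func WithKeyPath(p string) KeyOption   { return func(o *keyOptions) { o.path = p } }
func WithKeyID(id string) KeyOption    { return func(o *keyOptions) { o.id = id } }
func WithKeyDim(d int) KeyOption       { return func(o *keyOptions) { o.dim = d } }
func WithKeyParts(p KeyPart) KeyOption { return func(o *keyOptions) { o.parts = p } }

func applyOptions(opts []KeyOption) *keyOptions {
	o := &keyOptions{}
	for _, opt := range opts {
		opt(o)
	}
	return o
}

// resolveKeyParts: no WithKeyParts means every slot is required (backward compat);
// otherwise only the requested slots are.
func resolveKeyParts(o *keyOptions) (enc, eval, sec bool) {
	if o.parts == 0 {
		return true, true, true
	}
	return o.parts&KeyPartEnc != 0, o.parts&KeyPartEval != 0, o.parts&KeyPartSec != 0
}

func fileExists(p string) bool {
	st, err := os.Stat(p)
	return err == nil && st.Mode().IsRegular()
}

// keysExistLegacy reproduces the pre-fix gate: all three slots, options ignored.
func keysExistLegacy(opts ...KeyOption) bool {
	o := applyOptions(opts)
	for _, s := range slotFiles {
		if !fileExists(filepath.Join(o.path, s.name)) {
			return false
		}
	}
	return true
}

// KeysExist is the parts-aware gate: a slot is checked only when the caller asked for it.
func KeysExist(opts ...KeyOption) bool {
	o := applyOptions(opts)
	enc, eval, sec := resolveKeyParts(o)
	need := map[KeyPart]bool{KeyPartEnc: enc, KeyPartEval: eval, KeyPartSec: sec}
	for _, s := range slotFiles {
		if need[s.part] && !fileExists(filepath.Join(o.path, s.name)) {
			return false
		}
	}
	return true
}

// OpenKeysFromFile is reduced to its gate; loading the key material is out of scope here.
func OpenKeysFromFile(opts ...KeyOption) error {
	if !KeysExist(opts...) {
		return ErrKeysNotFound
	}
	return nil
}

// writeEncOnlyBundle lays out a constructed Vault-style bundle: EncKey only.
func writeEncOnlyBundle(dir string) error {
	return os.WriteFile(filepath.Join(dir, "EncKey.json"), []byte("{}"), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "envector-keys-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := writeEncOnlyBundle(dir); err != nil {
		panic(err)
	}
	encOnly := []KeyOption{WithKeyPath(dir), WithKeyID("k"), WithKeyDim(1024), WithKeyParts(KeyPartEnc)}
	fmt.Println("pre-fix gate, Enc requested:", keysExistLegacy(encOnly...)) // false
	fmt.Println("fixed gate,   Enc requested:", KeysExist(encOnly...))       // true
	fmt.Println("fixed gate,   default parts:", KeysExist(WithKeyPath(dir)))  // false
	fmt.Println("open, Enc requested:", OpenKeysFromFile(encOnly...))          // <nil>
}
```

The check that matters in review is the zero-value branch of resolveKeyParts: a caller that never passes WithKeyParts must still be held to all three slots, otherwise the fix would silently weaken the default gate for every existing caller rather than only honouring an explicit narrower request.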