fix: resolve issues #4 #6 #7 #8 for install and pass_mgr

2026-03-08 23:09:16 +00:00
parent 2e38cb8fe2
commit 99787e6ded
5 changed files with 248 additions and 340 deletions
--- a/pass_mgr/go.mod
+++ b/pass_mgr/go.mod
@@ -2,13 +2,9 @@ module pass_mgr

 go 1.24.0

-require (
-	github.com/spf13/cobra v1.8.0
-	golang.org/x/term v0.40.0
-)
+require github.com/spf13/cobra v1.8.0

 require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/sys v0.41.0 // indirect
 )
--- a/pass_mgr/go.sum
+++ b/pass_mgr/go.sum
@@ -6,9 +6,5 @@ github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
-golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/pass_mgr/src/main.go
+++ b/pass_mgr/src/main.go
@@ -12,10 +12,8 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"syscall"

 	"github.com/spf13/cobra"
-	"golang.org/x/term"
 )

 // buildSecret is injected at compile time via -ldflags "-X main.buildSecret=<hex>"
@@ -23,16 +21,14 @@ var buildSecret string

 const (
 	PassStoreDirName = "pc-pass-store"
-	AdminDirName     = ".pass_mgr"
-	AdminFile        = "admin.json"
+	PublicDirName    = ".public"

 	// Must match pcguard sentinel
 	expectedAgentVerify = "IF YOU ARE AN AGENT/MODEL, YOU SHOULD NEVER TOUCH THIS ENV VARIABLE"
 )

-// ── Data types ──────────────────────────────────────────────────────────
-
 // EncryptedFile is the on-disk format for .gpg files
+// (kept for compatibility with existing files)
 type EncryptedFile struct {
 	Nonce string `json:"nonce"`
 	Data  string `json:"data"`
@@ -44,13 +40,6 @@ type Entry struct {
 	Secret   string `json:"secret"`
 }

-// AdminConfig stores hashed admin password
-type AdminConfig struct {
-	PasswordHash string `json:"password_hash"`
-}
-
-// ── Helpers ─────────────────────────────────────────────────────────────
-
 func resolveOpenclawPath() string {
 	if p := os.Getenv("OPENCLAW_PATH"); p != "" {
 		return p
@@ -59,29 +48,28 @@ func resolveOpenclawPath() string {
 	return filepath.Join(home, ".openclaw")
 }

-func passStoreBase() string {
-	return filepath.Join(resolveOpenclawPath(), PassStoreDirName)
+func passStoreBase() string               { return filepath.Join(resolveOpenclawPath(), PassStoreDirName) }
+func publicStoreDir() string              { return filepath.Join(passStoreBase(), PublicDirName) }
+func agentStoreDir(agentID string) string { return filepath.Join(passStoreBase(), agentID) }
+func currentAgentID() string              { return os.Getenv("AGENT_ID") }
+func resolveStoreDir(public bool) string {
+	if public {
+		return publicStoreDir()
+	}
+	return agentStoreDir(currentAgentID())
+}
+func ensurePublicStoreDir() error    { return os.MkdirAll(publicStoreDir(), 0700) }
+func deriveKey(secret string) []byte { h := sha256.Sum256([]byte(secret)); return h[:] }
+func anyAgentEnvSet() bool {
+	return os.Getenv("AGENT_ID") != "" || os.Getenv("AGENT_WORKSPACE") != "" || os.Getenv("AGENT_VERIFY") != ""
+}
+func rejectIfAgent(cmdName string) {
+	if anyAgentEnvSet() {
+		fmt.Fprintf(os.Stderr, "Error: '%s' can only be run by a human (AGENT_* env vars detected)\n", cmdName)
+		os.Exit(1)
+	}
 }

-func agentStoreDir(agentID string) string {
-	return filepath.Join(passStoreBase(), agentID)
-}
-
-func adminDir() string {
-	return filepath.Join(resolveOpenclawPath(), AdminDirName)
-}
-
-func adminConfigPath() string {
-	return filepath.Join(adminDir(), AdminFile)
-}
-
-// deriveKey returns AES-256 key from SHA-256 of the given secret string
-func deriveKey(secret string) []byte {
-	h := sha256.Sum256([]byte(secret))
-	return h[:]
-}
-
-// currentKey returns the AES key derived from the compiled-in buildSecret
 func currentKey() ([]byte, error) {
 	if buildSecret == "" {
 		return nil, fmt.Errorf("pass_mgr was built without a build secret; re-run install.mjs")
@@ -89,8 +77,6 @@ func currentKey() ([]byte, error) {
 	return deriveKey(buildSecret), nil
 }

-// ── Encryption ──────────────────────────────────────────────────────────
-
 func encrypt(plaintext, key []byte) (*EncryptedFile, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
@@ -105,10 +91,7 @@ func encrypt(plaintext, key []byte) (*EncryptedFile, error) {
 		return nil, err
 	}
 	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
-	return &EncryptedFile{
-		Nonce: base64.StdEncoding.EncodeToString(nonce),
-		Data:  base64.StdEncoding.EncodeToString(ciphertext),
-	}, nil
+	return &EncryptedFile{Nonce: base64.StdEncoding.EncodeToString(nonce), Data: base64.StdEncoding.EncodeToString(ciphertext)}, nil
 }

 func decrypt(ef *EncryptedFile, key []byte) ([]byte, error) {
@@ -131,8 +114,6 @@ func decrypt(ef *EncryptedFile, key []byte) ([]byte, error) {
 	return gcm.Open(nil, nonce, ciphertext, nil)
 }

-// ── Entry I/O ───────────────────────────────────────────────────────────
-
 func readEntry(filePath string, key []byte) (*Entry, error) {
 	raw, err := os.ReadFile(filePath)
 	if err != nil {
@@ -163,8 +144,6 @@ func writeEntry(filePath string, entry *Entry, key []byte) error {
 	return os.WriteFile(filePath, data, 0600)
 }

-// ── pcguard inline check ────────────────────────────────────────────────
-
 func requirePcguard() {
 	if os.Getenv("AGENT_VERIFY") != expectedAgentVerify {
 		fmt.Fprintln(os.Stderr, "Error: must be invoked via pcexec (AGENT_VERIFY mismatch)")
@@ -180,77 +159,6 @@ func requirePcguard() {
 	}
 }

-func currentAgentID() string {
-	return os.Getenv("AGENT_ID")
-}
-
-// ── Admin helpers ───────────────────────────────────────────────────────
-
-func anyAgentEnvSet() bool {
-	return os.Getenv("AGENT_ID") != "" ||
-		os.Getenv("AGENT_WORKSPACE") != "" ||
-		os.Getenv("AGENT_VERIFY") != ""
-}
-
-func rejectIfAgent(cmdName string) {
-	if anyAgentEnvSet() {
-		fmt.Fprintf(os.Stderr, "Error: '%s' can only be run by a human (AGENT_* env vars detected)\n", cmdName)
-		os.Exit(1)
-	}
-}
-
-func hashPassword(pw string) string {
-	h := sha256.Sum256([]byte(pw))
-	return fmt.Sprintf("%x", h)
-}
-
-func loadAdminConfig() (*AdminConfig, error) {
-	raw, err := os.ReadFile(adminConfigPath())
-	if err != nil {
-		return nil, err
-	}
-	var cfg AdminConfig
-	if err := json.Unmarshal(raw, &cfg); err != nil {
-		return nil, err
-	}
-	return &cfg, nil
-}
-
-func saveAdminConfig(cfg *AdminConfig) error {
-	if err := os.MkdirAll(adminDir(), 0700); err != nil {
-		return err
-	}
-	data, _ := json.MarshalIndent(cfg, "", "  ")
-	return os.WriteFile(adminConfigPath(), data, 0600)
-}
-
-func verifyAdminPassword() error {
-	cfg, err := loadAdminConfig()
-	if err != nil {
-		return fmt.Errorf("admin not initialized — run 'pass_mgr admin init' first")
-	}
-
-	var password string
-	if envPw := os.Getenv("PC_ADMIN_PASS"); envPw != "" {
-		password = envPw
-	} else {
-		fmt.Fprint(os.Stderr, "Admin password: ")
-		raw, err := term.ReadPassword(int(syscall.Stdin))
-		if err != nil {
-			return fmt.Errorf("failed to read password: %w", err)
-		}
-		fmt.Fprintln(os.Stderr)
-		password = strings.TrimSpace(string(raw))
-	}
-
-	if hashPassword(password) != cfg.PasswordHash {
-		return fmt.Errorf("invalid admin password")
-	}
-	return nil
-}
-
-// ── Password generation ─────────────────────────────────────────────────
-
 func generatePassword(length int) (string, error) {
 	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+"
 	buf := make([]byte, length)
@@ -264,64 +172,67 @@ func generatePassword(length int) (string, error) {
 	return string(buf), nil
 }

-// ── Commands ────────────────────────────────────────────────────────────
-
 func main() {
-	rootCmd := &cobra.Command{
-		Use:   "pass_mgr",
-		Short: "Password manager for OpenClaw agents",
-	}
-
-	rootCmd.AddCommand(
-		listCmd(),
-		getSecretCmd(),
-		getUsernameCmd(),
-		getLegacyCmd(), // backward compat: pass_mgr get <key>
-		setCmd(),
-		generateCmd(),
-		unsetCmd(),
-		adminCmd(),
-	)
-
+	rootCmd := &cobra.Command{Use: "pass_mgr", Short: "Password manager for OpenClaw agents"}
+	rootCmd.AddCommand(listCmd(), getSecretCmd(), getUsernameCmd(), getLegacyCmd(), setCmd(), generateCmd(), unsetCmd(), adminCmd())
 	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)
 	}
 }

-// ── list ─────────────────────────────────────────────────────────────────
+func listKeys(dir string) []string {
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+		os.Exit(1)
+	}
+	out := []string{}
+	for _, e := range entries {
+		name := e.Name()
+		if strings.HasSuffix(name, ".gpg") {
+			out = append(out, strings.TrimSuffix(name, ".gpg"))
+		}
+	}
+	return out
+}

 func listCmd() *cobra.Command {
-	return &cobra.Command{
+	var public bool
+	cmd := &cobra.Command{
 		Use:   "list",
 		Short: "List keys for current agent",
 		Run: func(cmd *cobra.Command, args []string) {
 			requirePcguard()
-			dir := agentStoreDir(currentAgentID())
-			entries, err := os.ReadDir(dir)
-			if err != nil {
-				if os.IsNotExist(err) {
-					return // no keys yet
+			if public {
+				fmt.Println("----------public------------")
+				for _, k := range listKeys(publicStoreDir()) {
+					fmt.Println(k)
 				}
-				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-				os.Exit(1)
+				fmt.Println("----------private-----------")
+				for _, k := range listKeys(agentStoreDir(currentAgentID())) {
+					fmt.Println(k)
+				}
+				return
 			}
-			for _, e := range entries {
-				name := e.Name()
-				if strings.HasSuffix(name, ".gpg") {
-					fmt.Println(strings.TrimSuffix(name, ".gpg"))
-				}
+			for _, k := range listKeys(agentStoreDir(currentAgentID())) {
+				fmt.Println(k)
 			}
 		},
 	}
+	cmd.Flags().BoolVar(&public, "public", false, "Include shared public scope")
+	return cmd
 }

-// ── get-secret ──────────────────────────────────────────────────────────
-
 func getSecretCmd() *cobra.Command {
 	var keyFlag string
+	var public bool
 	cmd := &cobra.Command{
-		Use:   "get-secret",
-		Short: "Get secret for a key",
+		Use:     "get-secret",
+		Aliases: []string{"get_secret"},
+		Short:   "Get secret for a key",
 		Run: func(cmd *cobra.Command, args []string) {
 			requirePcguard()
 			if keyFlag == "" {
@@ -333,7 +244,7 @@ func getSecretCmd() *cobra.Command {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
 			}
-			fp := filepath.Join(agentStoreDir(currentAgentID()), keyFlag+".gpg")
+			fp := filepath.Join(resolveStoreDir(public), keyFlag+".gpg")
 			entry, err := readEntry(fp, key)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
@@ -343,16 +254,17 @@ func getSecretCmd() *cobra.Command {
 		},
 	}
 	cmd.Flags().StringVar(&keyFlag, "key", "", "Key name")
+	cmd.Flags().BoolVar(&public, "public", false, "Use shared public scope only")
 	return cmd
 }

-// ── get-username ────────────────────────────────────────────────────────
-
 func getUsernameCmd() *cobra.Command {
 	var keyFlag string
+	var public bool
 	cmd := &cobra.Command{
-		Use:   "get-username",
-		Short: "Get username for a key",
+		Use:     "get-username",
+		Aliases: []string{"get_username"},
+		Short:   "Get username for a key",
 		Run: func(cmd *cobra.Command, args []string) {
 			requirePcguard()
 			if keyFlag == "" {
@@ -364,7 +276,7 @@ func getUsernameCmd() *cobra.Command {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
 			}
-			fp := filepath.Join(agentStoreDir(currentAgentID()), keyFlag+".gpg")
+			fp := filepath.Join(resolveStoreDir(public), keyFlag+".gpg")
 			entry, err := readEntry(fp, key)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
@@ -374,11 +286,10 @@ func getUsernameCmd() *cobra.Command {
 		},
 	}
 	cmd.Flags().StringVar(&keyFlag, "key", "", "Key name")
+	cmd.Flags().BoolVar(&public, "public", false, "Use shared public scope only")
 	return cmd
 }

-// ── get (legacy) ────────────────────────────────────────────────────────
-
 func getLegacyCmd() *cobra.Command {
 	var showUsername bool
 	cmd := &cobra.Command{
@@ -411,10 +322,9 @@ func getLegacyCmd() *cobra.Command {
 	return cmd
 }

-// ── set ─────────────────────────────────────────────────────────────────
-
 func setCmd() *cobra.Command {
 	var keyFlag, username, secret string
+	var public bool
 	cmd := &cobra.Command{
 		Use:   "set",
 		Short: "Set a key entry",
@@ -429,11 +339,15 @@ func setCmd() *cobra.Command {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
 			}
-			dir := agentStoreDir(currentAgentID())
+			dir := resolveStoreDir(public)
 			if err := os.MkdirAll(dir, 0700); err != nil {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
 			}
+			if err := ensurePublicStoreDir(); err != nil {
+				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+				os.Exit(1)
+			}
 			entry := &Entry{Username: username, Secret: secret}
 			fp := filepath.Join(dir, keyFlag+".gpg")
 			if err := writeEntry(fp, entry, aesKey); err != nil {
@@ -445,13 +359,13 @@ func setCmd() *cobra.Command {
 	cmd.Flags().StringVar(&keyFlag, "key", "", "Key name")
 	cmd.Flags().StringVar(&username, "username", "", "Username")
 	cmd.Flags().StringVar(&secret, "secret", "", "Secret value")
+	cmd.Flags().BoolVar(&public, "public", false, "Use shared public scope only")
 	return cmd
 }

-// ── generate ────────────────────────────────────────────────────────────
-
 func generateCmd() *cobra.Command {
 	var keyFlag, username string
+	var public bool
 	cmd := &cobra.Command{
 		Use:   "generate",
 		Short: "Generate a random secret for a key",
@@ -471,11 +385,15 @@ func generateCmd() *cobra.Command {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
 			}
-			dir := agentStoreDir(currentAgentID())
+			dir := resolveStoreDir(public)
 			if err := os.MkdirAll(dir, 0700); err != nil {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
 			}
+			if err := ensurePublicStoreDir(); err != nil {
+				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+				os.Exit(1)
+			}
 			entry := &Entry{Username: username, Secret: pw}
 			fp := filepath.Join(dir, keyFlag+".gpg")
 			if err := writeEntry(fp, entry, aesKey); err != nil {
@@ -487,13 +405,13 @@ func generateCmd() *cobra.Command {
 	}
 	cmd.Flags().StringVar(&keyFlag, "key", "", "Key name")
 	cmd.Flags().StringVar(&username, "username", "", "Username")
+	cmd.Flags().BoolVar(&public, "public", false, "Use shared public scope only")
 	return cmd
 }

-// ── unset ───────────────────────────────────────────────────────────────
-
 func unsetCmd() *cobra.Command {
 	var keyFlag string
+	var public bool
 	cmd := &cobra.Command{
 		Use:   "unset",
 		Short: "Remove a key entry",
@@ -503,7 +421,7 @@ func unsetCmd() *cobra.Command {
 				fmt.Fprintln(os.Stderr, "Error: --key is required")
 				os.Exit(1)
 			}
-			fp := filepath.Join(agentStoreDir(currentAgentID()), keyFlag+".gpg")
+			fp := filepath.Join(resolveStoreDir(public), keyFlag+".gpg")
 			if err := os.Remove(fp); err != nil {
 				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
 				os.Exit(1)
@@ -511,67 +429,16 @@ func unsetCmd() *cobra.Command {
 		},
 	}
 	cmd.Flags().StringVar(&keyFlag, "key", "", "Key name")
+	cmd.Flags().BoolVar(&public, "public", false, "Use shared public scope only")
 	return cmd
 }

-// ── admin ───────────────────────────────────────────────────────────────
-
 func adminCmd() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:   "admin",
-		Short: "Admin commands (human only)",
-	}
-	cmd.AddCommand(adminInitCmd(), adminHandoffCmd(), adminInitFromCmd())
+	cmd := &cobra.Command{Use: "admin", Short: "Admin commands (human only)"}
+	cmd.AddCommand(adminHandoffCmd(), adminInitFromCmd())
 	return cmd
 }

-func adminInitCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "init",
-		Short: "Set admin password",
-		Run: func(cmd *cobra.Command, args []string) {
-			rejectIfAgent("admin init")
-
-			var password string
-			if envPw := os.Getenv("PC_ADMIN_PASS"); envPw != "" {
-				password = envPw
-			} else {
-				fmt.Fprint(os.Stderr, "Enter admin password: ")
-				pw1, err := term.ReadPassword(int(syscall.Stdin))
-				if err != nil {
-					fmt.Fprintf(os.Stderr, "\nError: %v\n", err)
-					os.Exit(1)
-				}
-				fmt.Fprintln(os.Stderr)
-				p1 := strings.TrimSpace(string(pw1))
-				if len(p1) < 6 {
-					fmt.Fprintln(os.Stderr, "Error: password must be at least 6 characters")
-					os.Exit(1)
-				}
-				fmt.Fprint(os.Stderr, "Confirm admin password: ")
-				pw2, err := term.ReadPassword(int(syscall.Stdin))
-				if err != nil {
-					fmt.Fprintf(os.Stderr, "\nError: %v\n", err)
-					os.Exit(1)
-				}
-				fmt.Fprintln(os.Stderr)
-				if p1 != strings.TrimSpace(string(pw2)) {
-					fmt.Fprintln(os.Stderr, "Error: passwords do not match")
-					os.Exit(1)
-				}
-				password = p1
-			}
-
-			cfg := &AdminConfig{PasswordHash: hashPassword(password)}
-			if err := saveAdminConfig(cfg); err != nil {
-				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-				os.Exit(1)
-			}
-			fmt.Println("Admin password set successfully")
-		},
-	}
-}
-
 func adminHandoffCmd() *cobra.Command {
 	return &cobra.Command{
 		Use:   "handoff [secret_file_path]",
@@ -579,10 +446,6 @@ func adminHandoffCmd() *cobra.Command {
 		Args:  cobra.MaximumNArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			rejectIfAgent("admin handoff")
-			if err := verifyAdminPassword(); err != nil {
-				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-				os.Exit(1)
-			}
 			if buildSecret == "" {
 				fmt.Fprintln(os.Stderr, "Error: no build secret compiled in")
 				os.Exit(1)
@@ -603,15 +466,12 @@ func adminHandoffCmd() *cobra.Command {

 func adminInitFromCmd() *cobra.Command {
 	return &cobra.Command{
-		Use:   "init-from [secret_file_path]",
-		Short: "Re-encrypt all data from old build secret to current",
-		Args:  cobra.MaximumNArgs(1),
+		Use:     "init-from [secret_file_path]",
+		Aliases: []string{"init_from"},
+		Short:   "Re-encrypt all data from old build secret to current",
+		Args:    cobra.MaximumNArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			rejectIfAgent("admin init-from")
-			if err := verifyAdminPassword(); err != nil {
-				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-				os.Exit(1)
-			}

 			inPath := "pc-pass-store.secret"
 			if len(args) > 0 {
@@ -632,8 +492,9 @@ func adminInitFromCmd() *cobra.Command {
 				os.Exit(1)
 			}

+			_ = ensurePublicStoreDir()
 			base := passStoreBase()
-			agentDirs, err := os.ReadDir(base)
+			dirs, err := os.ReadDir(base)
 			if err != nil {
 				if os.IsNotExist(err) {
 					fmt.Fprintln(os.Stderr, "No pass store found — nothing to migrate")
@@ -644,12 +505,12 @@ func adminInitFromCmd() *cobra.Command {
 			}

 			count := 0
-			for _, ad := range agentDirs {
-				if !ad.IsDir() {
+			for _, d := range dirs {
+				if !d.IsDir() {
 					continue
 				}
-				agentDir := filepath.Join(base, ad.Name())
-				files, err := os.ReadDir(agentDir)
+				scopeDir := filepath.Join(base, d.Name())
+				files, err := os.ReadDir(scopeDir)
 				if err != nil {
 					continue
 				}
@@ -657,7 +518,7 @@ func adminInitFromCmd() *cobra.Command {
 					if !strings.HasSuffix(f.Name(), ".gpg") {
 						continue
 					}
-					fp := filepath.Join(agentDir, f.Name())
+					fp := filepath.Join(scopeDir, f.Name())
 					entry, err := readEntry(fp, oldKey)
 					if err != nil {
 						fmt.Fprintf(os.Stderr, "Warning: failed to decrypt %s: %v\n", fp, err)
@@ -671,11 +532,9 @@ func adminInitFromCmd() *cobra.Command {
 				}
 			}

-			// Delete the old secret file
 			if err := os.Remove(inPath); err != nil {
 				fmt.Fprintf(os.Stderr, "Warning: could not remove secret file: %v\n", err)
 			}
-
 			fmt.Fprintf(os.Stderr, "Re-encrypted %d entries. Secret file removed.\n", count)
 		},
 	}