keyfork shard remote-combine: impl

2025-06-10 15:42:48 -04:00 · 2025-06-10 15:42:48 -04:00 · 8eb7676b44
parent fa47bc28a8
commit 8eb7676b44
1 changed files with 13 additions and 0 deletions
--- a/crates/keyfork/src/cli/shard.rs
+++ b/crates/keyfork/src/cli/shard.rs
@ -176,6 +176,13 @@ pub enum ShardSubcommands {
        key_discovery: Option<PathBuf>,
    },

+    /// Combine multiple transport-encrypted shares into a hex-encoded secret, printed to stdout.
+    ///
+    /// This command is format-agnostic and relies on transport encryption of remote-decrypted
+    /// shards to determine the threshold to reconstitute the secret. Operators decrypting shards
+    /// should run `keyfork shard transport`.
+    RemoteCombine,
+
    /// Decrypt metadata for a shardfile, including the threshold and the public keys. Public keys
    /// are serialized to a file.
    Metadata {
@ -257,6 +264,12 @@ impl ShardSubcommands {
                    None => panic!("{COULD_NOT_DETERMINE_FORMAT}"),
                }
            }
+            ShardSubcommands::RemoteCombine => {
+                let mut output = vec![];
+                keyfork_shard::remote_decrypt(&mut output)?;
+                println!("{}", smex::encode(output));
+                Ok(())
+            }
            ShardSubcommands::Metadata {
                shardfile,
                output_pubkeys,