feat: smart sync with change detection

cmd/add.go

@@ -114,8 +114,8 @@ func runAdd(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create vault service at %s: %w", vaultPath, err)
 	}
 
-	// Sync pull before unlock to get latest version
-	maybeSyncPull(vaultPath)
+	// Smart sync pull before unlock to get latest version
+	syncPullBeforeUnlock(vaultService)
 
 	// Unlock vault
 	if err := unlockVault(vaultService); err != nil {
@@ -234,9 +234,6 @@ func runAdd(cmd *cobra.Command, args []string) error {
 		fmt.Printf("🔐 TOTP: configured\n")
 	}
 
-	// Sync push after successful write
-	maybeSyncPush(vaultPath)
-
 	return nil
 }
 

cmd/delete.go

@@ -61,8 +61,8 @@ func runDelete(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create vault service at %s: %w", vaultPath, err)
 	}
 
-	// Sync pull before unlock to get latest version
-	maybeSyncPull(vaultPath)
+	// Smart sync pull before unlock to get latest version
+	syncPullBeforeUnlock(vaultService)
 
 	// Unlock vault
 	if err := unlockVault(vaultService); err != nil {
@@ -143,10 +143,5 @@ func runDelete(cmd *cobra.Command, args []string) error {
 		fmt.Printf("Skipped %d credential(s)\n", skipped)
 	}
 
-	// Sync push after successful writes (only if any credentials were deleted)
-	if deleted > 0 {
-		maybeSyncPush(vaultPath)
-	}
-
 	return nil
 }

cmd/get.go

@@ -101,8 +101,8 @@ func runGet(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create vault service at %s: %w", vaultPath, err)
 	}
 
-	// Sync pull before unlock to get latest version
-	maybeSyncPull(vaultPath)
+	// Smart sync pull before unlock to get latest version
+	syncPullBeforeUnlock(vaultService)
 
 	// Unlock vault
 	if err := unlockVault(vaultService); err != nil {

cmd/helpers.go

@@ -4,9 +4,7 @@ import (
 	"bufio"
 	"fmt"
 	"os"
-	"pass-cli/internal/config"
 	"pass-cli/internal/recovery"
-	intsync "pass-cli/internal/sync"
 	"pass-cli/internal/vault"
 	"path/filepath"
 	"runtime"
@@ -28,12 +26,6 @@ var (
 	scannerOnce      sync.Once
 )
 
-// Session state for sync - tracks if we've already synced this session
-// This prevents repeated pulls on every command
-var (
-	syncedThisSession bool
-	syncMu            sync.Mutex
-)
 
 // readLine reads a line from stdin in test mode using the shared scanner
 // This prevents multiple readers from conflicting when reading piped stdin
@@ -379,61 +371,15 @@ func unlockVault(vaultService *vault.VaultService) error {
 	return nil
 }
 
-// maybeSyncPull performs a sync pull if sync is enabled and we haven't synced this session.
-// This should be called before unlocking the vault to ensure we have the latest version.
-// Safe to call even if sync is disabled - will no-op.
-func maybeSyncPull(vaultPath string) {
-	syncMu.Lock()
-	defer syncMu.Unlock()
-
-	// Skip if already synced this session
-	if syncedThisSession {
-		return
-	}
-
-	// Load config to check if sync is enabled
-	cfg, _ := config.Load()
-	if cfg == nil || !cfg.Sync.Enabled {
-		return
-	}
-
-	// Create sync service and pull
-	syncService := intsync.NewService(cfg.Sync)
-	if !syncService.IsEnabled() {
-		return
-	}
-
-	vaultDir := intsync.GetVaultDir(vaultPath)
+// syncPullBeforeUnlock performs a smart sync pull before vault unlock.
+// This ensures we have the latest version from remote before reading.
+func syncPullBeforeUnlock(vaultService *vault.VaultService) {
 	if IsVerbose() {
-		fmt.Fprintln(os.Stderr, "🔄 Syncing vault from remote...")
-	}
-	_ = syncService.Pull(vaultDir)
-
-	// Mark as synced for this session
-	syncedThisSession = true
-}
-
-// maybeSyncPush performs a sync push if sync is enabled.
-// This should be called after any write operation (add, update, delete).
-// Safe to call even if sync is disabled - will no-op.
-func maybeSyncPush(vaultPath string) {
-	// Load config to check if sync is enabled
-	cfg, _ := config.Load()
-	if cfg == nil || !cfg.Sync.Enabled {
-		return
+		fmt.Fprintln(os.Stderr, "🔄 Checking remote for vault changes...")
 	}
-
-	// Create sync service and push
-	syncService := intsync.NewService(cfg.Sync)
-	if !syncService.IsEnabled() {
-		return
-	}
-
-	vaultDir := intsync.GetVaultDir(vaultPath)
-	if IsVerbose() {
-		fmt.Fprintln(os.Stderr, "🔄 Syncing vault to remote...")
+	if err := vaultService.SyncPull(); err != nil {
+		fmt.Fprintf(os.Stderr, "Warning: sync pull failed: %v\n", err)
 	}
-	_ = syncService.Push(vaultDir)
 }
 
 // T031: displayMnemonic formats 24-word mnemonic as 4x6 grid

cmd/list.go

@@ -97,8 +97,8 @@ func runList(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create vault service at %s: %w", vaultPath, err)
 	}
 
-	// Sync pull before unlock to get latest version
-	maybeSyncPull(vaultPath)
+	// Smart sync pull before unlock to get latest version
+	syncPullBeforeUnlock(vaultService)
 
 	// Unlock vault
 	if err := unlockVault(vaultService); err != nil {

cmd/tui.go

@@ -63,6 +63,11 @@ func runTUI(cmd *cobra.Command, args []string) {
 		os.Exit(1)
 	}
 
+	// Smart sync pull before unlock
+	if syncErr := vaultService.SyncPull(); syncErr != nil {
+		fmt.Fprintf(os.Stderr, "Warning: sync pull failed: %v\n", syncErr)
+	}
+
 	// Try keychain unlock first
 	err = vaultService.UnlockWithKeychain()
 	if err != nil {

cmd/tui/main.go

@@ -44,6 +44,11 @@ func Run(vaultPath string) error {
 		return fmt.Errorf("failed to initialize vault service: %w", err)
 	}
 
+	// 2a. Smart sync pull before unlock
+	if syncErr := vaultService.SyncPull(); syncErr != nil {
+		fmt.Fprintf(os.Stderr, "Warning: sync pull failed: %v\n", syncErr)
+	}
+
 	// 3. Check metadata to see if keychain is enabled (T019)
 	metadata, err := vaultService.LoadMetadata()
 	if err != nil {

cmd/update.go

@@ -139,8 +139,8 @@ func runUpdate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create vault service at %s: %w", vaultPath, err)
 	}
 
-	// Sync pull before unlock to get latest version
-	maybeSyncPull(vaultPath)
+	// Smart sync pull before unlock to get latest version
+	syncPullBeforeUnlock(vaultService)
 
 	// Unlock vault
 	if err := unlockVault(vaultService); err != nil {
@@ -344,9 +344,6 @@ func runUpdate(cmd *cobra.Command, args []string) error {
 		fmt.Printf("🔐 TOTP configured\n")
 	}
 
-	// Sync push after successful write
-	maybeSyncPush(vaultPath)
-
 	return nil
 }
 

internal/sync/state.go

@@ -0,0 +1,74 @@
+package sync
+
+import (
+	"crypto/sha256"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+const syncStateFile = ".sync-state"
+
+// SyncState tracks sync metadata to avoid unnecessary rclone operations.
+type SyncState struct {
+	LastPushHash  string    `json:"last_push_hash"`
+	LastPushTime  time.Time `json:"last_push_time"`
+	RemoteModTime time.Time `json:"remote_mod_time"`
+	RemoteSize    int64     `json:"remote_size"`
+}
+
+// LoadState reads the sync state from the vault directory.
+// Returns a zero-value SyncState if the file doesn't exist.
+func LoadState(vaultDir string) (*SyncState, error) {
+	path := filepath.Join(vaultDir, syncStateFile)
+	data, err := os.ReadFile(path) // #nosec G304 -- path is constructed from user-configured vault dir
+	if err != nil {
+		if os.IsNotExist(err) {
+			return &SyncState{}, nil
+		}
+		return nil, fmt.Errorf("failed to read sync state: %w", err)
+	}
+
+	var state SyncState
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("failed to parse sync state: %w", err)
+	}
+	return &state, nil
+}
+
+// SaveState writes the sync state to the vault directory.
+func SaveState(vaultDir string, state *SyncState) error {
+	data, err := json.MarshalIndent(state, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal sync state: %w", err)
+	}
+
+	path := filepath.Join(vaultDir, syncStateFile)
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		return fmt.Errorf("failed to write sync state: %w", err)
+	}
+	return nil
+}
+
+// HashFile computes the SHA-256 hex digest of the file at the given path.
+func HashFile(path string) (string, error) {
+	f, err := os.Open(path) // #nosec G304 -- path is user-configured vault file
+	if err != nil {
+		return "", fmt.Errorf("failed to open file for hashing: %w", err)
+	}
+	defer func() { _ = f.Close() }()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", fmt.Errorf("failed to hash file: %w", err)
+	}
+	return fmt.Sprintf("%x", h.Sum(nil)), nil
+}
+
+// StatePath returns the full path to the sync state file in a vault directory.
+func StatePath(vaultDir string) string {
+	return filepath.Join(vaultDir, syncStateFile)
+}

internal/sync/state_test.go

@@ -0,0 +1,110 @@
+package sync
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+func TestLoadState_NoFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	state, err := LoadState(tmpDir)
+	if err != nil {
+		t.Fatalf("LoadState with no file returned error: %v", err)
+	}
+	if state.LastPushHash != "" {
+		t.Errorf("expected empty LastPushHash, got %q", state.LastPushHash)
+	}
+}
+
+func TestSaveAndLoadState(t *testing.T) {
+	tmpDir := t.TempDir()
+	now := time.Now().Truncate(time.Second)
+
+	original := &SyncState{
+		LastPushHash:  "abc123",
+		LastPushTime:  now,
+		RemoteModTime: now.Add(-time.Hour),
+		RemoteSize:    12345,
+	}
+
+	if err := SaveState(tmpDir, original); err != nil {
+		t.Fatalf("SaveState failed: %v", err)
+	}
+
+	loaded, err := LoadState(tmpDir)
+	if err != nil {
+		t.Fatalf("LoadState failed: %v", err)
+	}
+
+	if loaded.LastPushHash != original.LastPushHash {
+		t.Errorf("LastPushHash = %q, want %q", loaded.LastPushHash, original.LastPushHash)
+	}
+	if loaded.RemoteSize != original.RemoteSize {
+		t.Errorf("RemoteSize = %d, want %d", loaded.RemoteSize, original.RemoteSize)
+	}
+}
+
+func TestLoadState_CorruptedFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	path := filepath.Join(tmpDir, syncStateFile)
+	if err := os.WriteFile(path, []byte("not json"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	_, err := LoadState(tmpDir)
+	if err == nil {
+		t.Error("expected error for corrupted state file")
+	}
+}
+
+func TestHashFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	path := filepath.Join(tmpDir, "test.bin")
+	if err := os.WriteFile(path, []byte("hello world"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	hash, err := HashFile(path)
+	if err != nil {
+		t.Fatalf("HashFile failed: %v", err)
+	}
+
+	// SHA-256 of "hello world"
+	expected := "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
+	if hash != expected {
+		t.Errorf("hash = %q, want %q", hash, expected)
+	}
+}
+
+func TestHashFile_NotExist(t *testing.T) {
+	_, err := HashFile("/nonexistent/file")
+	if err == nil {
+		t.Error("expected error for non-existent file")
+	}
+}
+
+func TestHashFile_DifferentContent(t *testing.T) {
+	tmpDir := t.TempDir()
+
+	path1 := filepath.Join(tmpDir, "a.bin")
+	path2 := filepath.Join(tmpDir, "b.bin")
+	_ = os.WriteFile(path1, []byte("content-a"), 0600)
+	_ = os.WriteFile(path2, []byte("content-b"), 0600)
+
+	hash1, _ := HashFile(path1)
+	hash2, _ := HashFile(path2)
+
+	if hash1 == hash2 {
+		t.Error("different files should have different hashes")
+	}
+}
+
+func TestStatePath(t *testing.T) {
+	got := StatePath("/home/user/.pass-cli")
+	expected := filepath.Join("/home/user/.pass-cli", ".sync-state")
+	if got != expected {
+		t.Errorf("StatePath = %q, want %q", got, expected)
+	}
+}