Description
The spike cipher encrypt command in JSON mode discards the version and nonce fields from the API response, making it impossible to decrypt the output. JSON encrypt → JSON decrypt cannot round-trip.
Current Behavior
When encrypting in JSON mode:
spike cipher encrypt --plaintext "$BASE64_PLAINTEXT"
The API returns a CipherEncryptResponse with:
- Version (byte)
- Nonce ([]byte)
- Ciphertext ([]byte)
But the CLI (encrypt_impl.go:encryptJSON) only outputs the Ciphertext, discarding Version and Nonce.
To decrypt in JSON mode, the user needs all three:
spike cipher decrypt --version V --nonce NONCE_B64 --ciphertext CT_B64
Since version and nonce are never output during encryption, there's no way to provide them for decryption.
Why Streaming Mode Works
Streaming mode works correctly because the server packages version + nonce + ciphertext into a single binary blob that round-trips intact.
Expected Behavior
JSON mode should output all fields needed for decryption:
$ spike cipher encrypt --plaintext "SGVsbG8gV29ybGQ="
{
  "version": 1,
  "nonce": "abc123...",
  "ciphertext": "xyz789..."
}
Then decryption can use the same structure:
$ spike cipher decrypt --input '{"version":1,"nonce":"abc123...","ciphertext":"xyz789..."}'
Or with explicit flags that match the encrypt output:
$ spike cipher decrypt --version 1 --nonce "abc123..." --ciphertext "xyz789..."
Proposed Solution
Output structured JSON from encrypt (Recommended)
{
  "version": 1,
  "nonce": "base64-encoded-nonce",
  "ciphertext": "base64-encoded-ciphertext"
}
This is self-documenting and allows easy round-tripping.
Files to Modify
- app/spike/internal/cmd/cipher/encrypt_impl.go - encryptJSON function
- app/spike/internal/cmd/cipher/decrypt_impl.go - decryptJSON function
- spike-sdk-go/api/entity/v1/reqres/cipher.go - CipherEncryptResponse struct (for reference)
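The round trip proposed in this issue, sketched as an added Go example that is not SPIKE's own code: encrypt emits version, nonce and ciphertext as one JSON object, and decrypt rejects input that lacks a usable version or nonce. Assumptions: AES-256-GCM stands in for the server-side cipher, which the issue does not name; `Envelope`, `newAEAD`, `EncryptJSON` and `DecryptJSON` are hypothetical names, and the key is a constructed all-zero demo key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Envelope holds the three fields the issue lists; []byte is base64 in JSON.
type Envelope struct {
	Version    byte   `json:"version"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // assumption: AES-GCM stand-in for the server cipher
}

// EncryptJSON emits version, nonce and ciphertext together, as proposed.
func EncryptJSON(aead cipher.AEAD, plaintext []byte) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out, err := json.Marshal(Envelope{1, nonce, aead.Seal(nil, nonce, plaintext, nil)})
	return string(out), err
}

// DecryptJSON refuses input that lacks a usable version or nonce.
func DecryptJSON(aead cipher.AEAD, in string) ([]byte, error) {
	var e Envelope
	if err := json.Unmarshal([]byte(in), &e); err != nil {
		return nil, err
	}
	if e.Version != 1 || len(e.Nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("envelope needs version and nonce, got %q", in)
	}
	return aead.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key
	fmt.Println(EncryptJSON(aead, []byte("Hello World")))
}
```

Because the nonce is random per call, a ciphertext-only output cannot be decrypted later even by the key holder, which is the failure the issue describes.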